EU to Ban Russia Today (RT)

I’ve just heard Ursula von der Leyen (President of the European Commission) announce to the European Parliament that Kremlin propaganda network Russia Today (now restyled RT) is to have its license to operates revoked (i.e. it’s being banned). This is a terrible idea.

There are many media organisations committed to undermining the western “establishment” using a heavily slanted narrative. However, allowing them to exist is what makes us different from Putin’s Russia. By banning one of them we’d be playing the same game as Putin, the CPC and every other repressive regime around the world.

Putin won’t invade Ukraine

Putin’s Russia isn’t about to invade Ukraine, and neither will China be marching in to Taiwan. They’ll be doing nothing until the Winter Olympics are over.

It’s not complicated. Putin wants to assert Russian influence over the former Soviet Union and has no intention of allowing one of the Ukrainian factions to take the country in the direction of Poland and other Warsaw Pact allies. This has nothing to do with Russia’s security – to believe otherwise you’d have to think the West had designs for an invasion of Russia. This is nonsense. Putin probably isn’t paranoid.

Western media paints the Ukrainian situation as a noble government in Kiev and a bunch of evil separatists. It’s not. It’s an ongoing nasty civil war, with no end in sight. Because of the geopolitical situation, no one is doing anything about it.

Some factions in Ukraine, which is a big place, have neo Nazi roots. They’re not the separatists. The Russians have a history with the Ukrainian Nazis, and seeing them on the streets of Kiev is going to have an effect of their thinking. The President, government and most Ukrainians are certainly not Nazi sympathisers, of course – far from it.

My guess would be that Putin has had enough of the instability on his boarders and plans to do something about it. This would be logical, but it will be the people of the region that suffer if this takes the form of military action. I fear that it will, but after the sport is over.

Note to history

When this was written, the BBC was reporting that Russia was pulling its troops and tanks back from the border and Putin’s insistence that he had no plans to invade. The headline is mocking the BBC and other media outlets. As predicted, Russia declared the pro Russian areas of Ukraine independent of Kiev the day after the Olympics ended, and at time of writing, is believed to have sent (more) troops in to “defend” them – i.e invaded Ukraine.

Nothing new with Intel SDSi

Intel’s latest wheeze for its CPUs is Software Defined Silicone (SDSi). The deal is that you buy the CPU at one price and then pay extra for a license to enable more stuff.

If you want the geeky stuff about how it’s supposed to work in Linux, see here. https://github.com/intel/intel-sdsi

Basically, the CPU has an interface that you can access if you have an Authentication Key Certificate (AKC) and have purchased a Capability Activation Payload (CAP) code. This will then enable extra stuff that was previously disabled. Quite what the extra stuff is remains to be seen – it could be extra instructions or enabling extra cores on a multi-core chip, or enabling more of the cache. In other words, you buy extra hardware that’s disabled, and pay extra to use it. What’s even more chilling is that you could be continuously paying licenses for the hardware you’ve bought or it’ll stop working.

It’s not actually defining the silicone in software like a FPGA, as you’d expect from euphemistic name. Software Defined Uncrippling would be more honest, but a harder sell.

But this is nothing new. I remember IBM doing this with disk drives in the 1970’s. If you upgraded your drive to double the capacity an IBM tech turned up and removed a jumper, enabling the remaining cylinders. Their justification was that double the capacity meant double the support risk – and this stuff was leased.

Fast forward 20 years to Intel CPUS. Before the Intel 80486 chips you could provide whatever input clock you wanted to your 80386, just choosing how fast it went. Intel would guarantee the chip to run at a certain speed, but that was the only limiting factor. Exceed this speed at your own risk.

The thing was that the fast and slow CPUs were theoretically identical. It’s often the case with electronic components. However, manufacturing tolerances mean that not all components end up being the same, so they’re batch tested when the come off the line. Those that pass the toughest test get stamped with a higher speed and go in the fast bucket, where they’re sold for more. Those that work just fine at a lower speed go into the slower bucket and sell for less. Fair enough. Except…

It’s also the nature of chip manufacture that the process improves over time, so more of the output meets the higher test – eventually every chip is a winner. You don’t get any of the early-run slow chips, but you’re contracted to sell them anyway. The answer is to throw some of the fast chips into the slow bucket and sell them cheap, whilst selling others at premium price to maintain your margins.

In the early 1990’s I wrote several articles about how to take advantage of this in PCW, after real-world testing of many CPUs. It later became known as overclocking. I also took the matter up with Intel at the time, and they explained that their pricing had nothing to do with manufacturing costs, and everything to do with supply and demand. Fair enough – they were honest about it. This is why AMD gives you more bang-per-buck – they choose to make things slightly better and cheaper because that maximises their profits too.

With the introduction of the 80486, the CPU clock speed was set in the package so the chip would only run at the speed you paid for. SDSi is similar, except you can adjust the setting by paying more at a later date. It also makes technical sense – producing large quantities of just one chip has huge economies of scale. The yield improves, and you just keep the fab working. In order to have a product range you simply knobble some chips to make them less desirable. And using software to knobble them is the ultimate, as you can decide at the very last minute how much you want to sell the chip for, long after it’s packaged and has left the factory.

All good? Well not by me. This only works if you’re in a near monopoly position in the first place. Microsoft scalps its customers with licenses and residual income, and Intel wants in on that game. It’s nothing about being best, it’s about holding your customers to ransom for buying into your tech in the first place. This hasn’t hurt Microsoft’s bottom line, and I doubt it’ll hurt Intel’s either.

STARTTLS is not a protocol

As regular readers will know, I’m not a fan of STARTTLS but today I realised that some people are confused as to what it even means. And there’s a perfectly good reason for this – some graphical email software is actually listing STARTTLS as a protocol for talking to mail servers and people are jumping to conclusions.

So what is STARTTLS all about if you go back to basics?

Originally, when only nice people had access to computers, network traffic was unencrypted. If you had physical access to the network you could pretty much read anything you wanted to, as everything connected to the same network saw the same data. This isn’t true now, but encryption you data is a good idea just in case it can be intercepted – and if it’s going over the Internet that’s definitely the case.

In the mid 1990s, the original mass-market web browser, Netscape, decided to do something about it and they (or more specifically their chief scientist Taher Elgamal, invented a protocol called Secure Sockets Layer (SSL) to protect HTTP (web) traffic. Actually, several times as the first couple of attempts weren’t very secure at all.

SSL didn’t really fit in with the OSI model; it runs on top of the transport protocol (usually TCP) but under the presentation layer, which would logically handle encryption but doesn’t usually. To use it you need an SSL layer added to the stack to transparently do the deed on a particular port.

But, as a solution to the encryption problem, SSL took off and pretty much every major protocol has an SSL port along with its original cleartext one. So clear HTTP is on port 80, HTTPS is on port 443. Clear POP3 is on port 110, encrypted on 995. Clear IMAP is on port 143, encrypted on 993.

As is the way of genius ideas in cybersecurity, even the third version of SSL was found to be full of holes. SSL version 3.1, which was renamed TLS, continued plugging the leaks and by TLS 1.2 it’s considered pretty much secure now. TLS 1.3, which interoperates with TLS 1.2, simply deprecates certain cyphers and hashes on the suspicion they might be insecure; although anyone into cybersecurity should tell you that everything is secure only until it’s broken.

Unfortunately, because different levels of TLS use different cyphers and reject others, TLS levels are by no means interoperable. And neither is it the case that a newer version is more secure; bugs have been introduced and later fixed. This’d be fine if everything and everyone used the same version of TLS, but in the real world this isn’t practical – old hardware, in particular, bakes in old versions of SSL or TLS and if you decided to deprecate older cyphers and not work with them, you loose the ability to talk to your hardware.

But apart from this, things were going along pretty well; and then someone had the bright idea of operating encrypted and unencrypted connections on the same port by hacking it at the application layer instead. This was achieved by modifying the application protocol to include a STARTTLS command. If this is received, the application then negotiates a TLS connection. If the receiving host didn’t understand what STARTTLS meant it’d send back and error, and things could continue unencrypted.

In other words, if you’re implementing an SMTP server with STARTTLS, this keyword is added to the protocol and the SMTP server does something about it when it sees it.

What could go wrong?

Well quite a lot of things, actually. Because TLS doesn’t fit in to the OSI model, it’s actually very difficult to deal with the situation where a TLS connection is requested and agreed to but the TLS layer fails to agree on a cypher with an older or newer version on the other end. There’s no mechanism for passing this to the application to say “okay, let’s revert to Plan A”, and the connection tends to hang.

There’s also a problem with name-based virtual servers must all use the same host certificate because the TLS connection must be established before the application layer headers are transferred.

But perhaps my biggest gripe is that enabling STARTTLS makes encryption optional. You’re not enforcing encryption when you need to, and even if you think you are, STARTTLS connection are obviously vulnerable to a man-in-the-middle attack. You have no idea how many times TLS has been turned on and off between the two endpoints.

You might be tempted to think that optional encryption is better than none at all, but in reality it means you don’t care – and if you don’t care, don’t bother. It just leads to a false sense of security. And it can lead to interoperability problems. My advice is to use “always TLS” ports for sensitive data and turn off the old port.

No talk from TalkTalk 2

Hardly a week goes by without someone contacting me about a problem with their email. Pretty much every time they’re just doing something wrong.

“Your message bounced back because you spelled your friends name wrong.”

I’ve learned to say it without sounding judgemental; or I think I have. Everyone’s done it, after all. It’d be nice if people checked before blaming the mail server, but so would world peace and I’m not hopeful I’ll see either.

But last week was a bit different. Someone got a bounce-back after emailing someone@talktalk.net, but the address in the bounce was someone@www.talktalk.co.uk. I know what you’re thinking; same as me. Someone had manage to type their address wrong in their iPad and the replies were to somewhere silly. (Why’s it always Apple users)

Not so this time. After more complaints I checked TalkTalk’s email server. First thing to check is the MX records. Hang on, there aren’t any!

An domain MX record simply tells other mail servers where to send email for that domain. In the absence of an MX record, a mail server is supposed to send email for a domain to it’s IP address (A record). Not everyone knows. this. As a final roll of the dice, it’s allowed to send it to a domain name’s alias (CNAME).

It turns out that talktalk.net lacks an a record, and it’s CNAME is www.talktalk.co.uk. This kinda makes sense – anyone going to the obsolete talktalk.net web site will end up at www.talktalk.co.uk. Great for web users, but it also means that all the email going to talktalk.net customers will be directed to their mail server. Not cool. Unsurprisingly their web server didn’t know what to make of it.

Was this something weird with my DNS? Nope. I tried it multiple DNS servers on several networks, and Google’s 8.8.8.8 service with exactly the same results. Definitely wrong; and it was a Saturday so there was no one at the company to TalkTalk to. I sent an email to the address their tech support suggested, and got a snotty “we’re not talking to you because you’re not a customer” response. Er, no. At this stage it was on behalf on an ISP trying to resolve a serious problem for their customers. How dumb can you get?

Now TalkTalk is an interesting company. It’s basically a mishmash of many ISPs purchased over time by Charles Dunstone’s Carphone Warehouse. These include Opal, Pipex, Nildram, and OneTel, AOL, Virgin’s ADSL business. The group has not been without its problems, including being slammed by the ASA and Ofcom for not delivering what it promised, and let’s not forget the famous 2015 data heist, malware infected home routers, slamming, and customer privacy concerns (Phorm, URL harvesting with Huawei and so on).

However, a big worry is how these disparate ISPs have been on-boarded to the TalkTalk communication bemouth. The answer is probably “badly”, and woe betide anyone on a legacy service such as an @talktalk.net email address. We had the same problem a year or so ago with @onetel.co.uk emails; TalkTalk had kindly left the service running but had no way of known which customers had left and who was using it for free. It was twenty years before they decided to pull the plug on it and see who squealed.

Naturally I phone around about the talktalk.net MX records to see what other were experiencing, and the consensus was that they’d decide to pull the plug on these legacy accounts too.

Of course, having bad/no MX records in your DNS doesn’t cause an overnight meltdown. DNS entries are often cached, and drop off senders’ servers over time. To add to the confusion, many high volume providers trying to save a few quid don’t even bother to check MX records when sending – they simply use the last known good destination server and “do something” when it fails to connect for a period. Freemail users may not have noticed a problem corresponding with their chums on TalkTalk.net – at least not for a while.

So what did I do? The user was convinced they were infected with malware (as they do) so for a quiet life I faked up the last known good talktalk.net zone in a local DNS server and sat back waiting for the actual server to be turned off. But a week later they’d fixed it; so that’s alright then. For now. I guess legacy customers of the worst domestic broadband provider in the UK (consistently, along with Virgin Media and Plusnet and Vodafone, according to Which? Surveys and Ofcom rankings for customer service) aren’t going to heed any warnings about shifting their email service elsewhere before it’s too late.

Graph showing trend data on residential consumer complaints received by Ofcom across fixed broadband by communications provider.   It shows the fixed broadband complaints per 100,000 subscribers for the Q2 2019 – Q1 2021 period.   Virgin Media generated the highest volume of fixed broadband complaints (at 33) in Q1 2021 followed by Vodafone at 24.    EE and Sky generated the lowest volume of fixed broadband complaints with both at 7.


Chip crisis? What chip crisis?

We’ve all seen the mass media going on about a chip shortage – or “crisis” as everything seems to be called these days. Silicon chips are unobtainable, apparently. And industry leaders are blaming their inability to meet demand for products on the “chip shortage”. But does this mean we should believe them?

Industry leaders are brilliant at blaming their mistakes on outside factors. Chips, and IT in general, is an obvious scapegoat.

It’s important to differentiate between a “chip shortage” and demand outstripping supply for particular ICs. Cryptocurrency mining is soaking up GPUs like there’s no tomorrow, so you could say there’s a GPU supply crisis. The the boyz will have to make do with plain old HD murder simulators for a while.

The automotive sector always had an interesting supply chain. They beat the price down to the last penny and order “just enough” semiconductors ahead of time meet their anticipated demand – if they guess wrong then it’s on them, and in a pandemic they’re going to lose their nerve and order less.

And then there are the usual “flood/fire/zombie invasion” stories on silicon foundries that accompany every supply crisis. I’m not having it.

The facts (remember “facts” from the old days?) tell a different story when you look at the units shipped. Okay, this lumps in NVidia GPUs with 741 op-amps but it still paints a picture.

The fact is that the supply of semiconductors continues to go up year on year. The latest predictions for 2021 are suggesting there’s been a 27% increase over 2020, and that was a significant increase over 2019. Business is booming.

So, if there’s a semiconductor supply crisis, please tell me which semiconductors are actually out of stock? Automotive manufacturers who failed to pre-order enough to meet demand of their particular custom chips are going to have to wait. And they might find that having beaten the price down, they’re not top of the list when it comes to rushing through a special order fast unless they pay a bit more.

Australia bites back

Well known conspiracy theorist and tennis player Novak Djokovic appears to have gained entry to Australia without the covid-19 vaccination that he and his wife Jelena oppose, even though it’s a requirement for everyone else.

Jelena Djokovic is on record as believing that 5G mobile phones are the real cause of Covid-19.

It appears Djokovic obtained this exception on a technicality – that he’d tested positive for Covid19 in the last six months. Normally exemptions are granted by an independent (and blind) panel to people with documented medical conditions (usually cardiac) that would make vaccination risky. Immunity through past infection makes the matter less urgent. Does Djokovic really have a dicky ticker? You wouldn’t think so to look at him.

Now the Australian Prime Minister, Scott Morrison, has said he could be on the next plane home because of another technicality – his visa was completed incorrectly.

You’ve got to admire the Australian way of doing things. However, I’d be surprised if the wealth of the rich and famous doesn’t prevail. But whilst I have no interest in watching tennis, I must say this is the shaping up to be the best soap opera coming out of the country since neighbours.

Meanwhile, in France, their controversial but entertaining president has made it clear his strategy is to “piss off” the vaccine dodgers, rather than forcing them to be vaccinated by law.

« Moi, je ne suis pas pour emmerder les Français », confie-t-il tout d’abord. Mais « je peste toute la journée contre l’administration quand elle les bloque. Eh bien, là, les non-vaccinés, j’ai très envie de les emmerder. Et donc, on va continuer de le faire, jusqu’au bout. C’est ça, la stratégie ». Source: Le Parisien

To put this in to context, the UK has been playing softly with the anti-vaxxers, but other European countries are gearing up for compulsory vaccination – starting with Austria, with Italy and Germany not far behind.

Has Macron gone mad? Politicians on the left and right have condemned his language, and the admission of his strategy. However, with 90% of France vaccinated, I suspect he’s gambling that the majority have lost patience with the needle-phobic 10% playing Jacques, and he’s basically asking people to side with him or them. Media politicians have been tricked into knee-jerk siding siding with “them”.

How to really add a plugin to WordPress manually

You’d have thought that a google search for “manually add plugin to WordPress” would turn up lots of articles on how to do this, but, er, no. They all seem to tell you to log in to the site and do this or that on the GUI. That’s not doing it manually – it’s using the GUI. If the GUI doesn’t work, then you need to do it manually. Here’s how:

The method is actually simple if you remember it. You download the plugin from the site (e.g. https://wordpress.org/plugins/) and you’ll end up with a DOS/Windows .ZIP file. Unpack this any way you wish and you’ll get a directory with some file in it. As a sanity check, one of these files will have the same name as the directory, but ending in .php.

Take this whole directory and copy it to /wp-content/plugins. That’s the directory – not the files in the directory.

That’s it. You’re done. It’ll appear in the plugins dashboard.

Wicked Parents let Kid Survive on Walkers Crisp Diet!

If the parents have done anything wrong it’s going public, putting themselves in the firing line for abuse from the ignorant. This may seem a simple case of bad parenting to people who know very little about mental illness or children.

The fact is that when a child (or adult) has it in their head that they’ll only accept certain things as food you have no choice but to give it to them. No choice apart from force feeding, that is. And force feeding someone in that condition isn’t going to cure them off it; make them worse more likely.

And while we’re at it, don’t think of blaming the parents for allowing their child to get into this mental state. It happens in the “best” of families and in otherwise perfectly normal adults.

Sometimes we call a firmly held belief in something that isn’t true, based on available evidence, psychosis. But we’re not consistent. In fact, certain groups see such beliefs as virtuous. A believer in the existence of a supreme being is described as pious. Fringe political group work on conspiracy theory too, sometimes breaking their nonsense into mainstream thought. We know communism doesn’t work, but some will keep the red flag flying based on all sorts of excuses that it just hasn’t been done right before.

Meanwhile another group have convinced themselves that Covid-19 is some kind of hoax. It’s a widespread problem, and not just in uneducated communities; a quick look at the evidence is all you need to prove otherwise, but using selection they can make a case that’s good enough for them.

If your misplaced belief has an appropriate number of adherents it becomes a religion or political movement, and gets equal air time on the BBC. People use the idea that if others agree with them, they must be right and no contrary evidence is considered. It was probably made up by those seeking to undermine the “truth” anyway.

If, however, you alone believe there are aliens living in the house next door, you have a psychotic disorder.

So, before we jump to conclusions about mental illness, and in particular psychotic beliefs, perhaps we should first evaluate what we believe against the evidence.

Christmas Come Early for Scammers – Thanks Microsoft

As a reminder that Microsoft never lets security considerations get in the way of a Good Idea, it’s emailed 50,000 gift cards to random addresses it has on file. To quote:

To help spread holiday cheer, Microsoft Store has surprised a total of 50,000 U.S. customers with virtual gift cards via email. 25,000 customers will receive a $100 Microsoft Gift Card while 25,000 others will receive a $10 Microsoft Gift Card ahead of this holiday season. These randomly selected recipients can redeem their gift card on Microsoft Store through December 31, 2021 and spend it within 90 days of redemption

Publications in the US are advising punters to check their spam folder in case they’ve got an e-voucher for free Microsoft goodies. Presumably these email address are of lusers with a Microsoft account of some kind.

With the media coverage starting to appear in the US, anyone phishing for Microsoft account credentials now has the perfect social engineering exploit, available between now and the New Year. Nice one Microsoft.