• Re: Canal+ crash

    From Niklas Holsti@niklas.holsti@tidorum.invalid to fr.comp.lang.ada,comp.lang.ada on Sun Jul 21 14:31:27 2024
    From Newsgroup: comp.lang.ada

    On 2024-07-21 12:19, Dmitry A. Kazakov wrote:
    On 2024-07-21 10:00, Niklas Holsti wrote:
    On 2024-07-21 10:22, Dmitry A. Kazakov wrote:
    On 2024-07-21 03:04, Lawrence D'Oliveiro wrote:
    On Sat, 20 Jul 2024 11:08:47 +0200, Dmitry A. Kazakov wrote:

    On 2024-07-20 09:43, Lawrence D'Oliveiro wrote:

    On Sat, 20 Jul 2024 09:23:11 +0200, Dmitry A. Kazakov wrote:

    It is about the fundamental principle that security cannot be added on
    top of an insecure system.

    Actually, it can. Notice how the Internet itself is horribly insecure,
    yet we are capable of running secure applications and protocols on top
    of it.

    Why on earth do we need security updates?

    Because computer systems are complex, and new bugs keep being discovered
    all the time.

    This does not make sense. You can create a very complex system out of
    screwdrivers and still each screwdriver would require no update.

    Systems consist of computers and computers of software modules. There
    is nothing inherently complex about making a module safe and bug
    free. Security interactions are primitive and 100% functional. There
    are no difficult issues with non-functional stuff like real-time
    problems.

    Well, several recent attacks use variations in execution timing as a
    side-channel to exfiltrate secrets such as crypto keys. The crypto
    code can be functionally perfect and bug-free, but it may still be
    open to attack by such methods.

    It is always a tradeoff between the value of the information and costs
    of breaking the protection. I doubt that timing attacks are much more
    feasible in that respect than brute force.


    Security researchers and crypto implementers seem to take timing attacks
    quite seriously, putting a lot of effort into making the crucial crypto
    steps run in constant time.


    But certainly, most attacks on SW have used functional bugs such as
    buffer overflows.

    Exactly. Non-functional attacks are hypothetical at best. They rely on internal knowledge which is another problem.


    As I understand it, the "internal knowledge" needed for timing attacks
    is mostly what is easily discoverable from the open source-code of the
    SW that is attacked.


    --- Synchronet 3.20a-Linux NewsLink 1.114
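The point discussed in the message above, that a comparison can be functionally correct and still do secret-dependent work, shown as an added example that is not part of any poster's message. The names `leaky_equal`, `ct_equal`, `work_spread` and the sample tag are constructed for illustration, and the count of bytes examined stands in for measured execution time so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Comparison outcome plus the number of byte pairs the loop examined.
 * The count is a deterministic stand-in for execution time. */
struct cmp_result { int equal; size_t examined; };

typedef struct cmp_result (*cmp_fn)(const uint8_t *, const uint8_t *, size_t);

/* Functionally correct, but stops at the first mismatch: the work done
 * depends on how many leading bytes of the guess match the secret. */
struct cmp_result leaky_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    struct cmp_result r = {1, 0};
    for (size_t i = 0; i < n; i++) {
        r.examined++;
        if (a[i] != b[i]) { r.equal = 0; break; }
    }
    return r;
}

/* Same result, but every byte is always processed and no branch depends
 * on secret data. Production code should use a vetted primitive such as
 * OpenSSL's CRYPTO_memcmp, since a compiler may rewrite a hand-written loop. */
struct cmp_result ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    struct cmp_result r = {0, 0};
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++) {
        r.examined++;
        diff |= (unsigned)(a[i] ^ b[i]);
    }
    r.equal = (int)(1u & ((diff - 1u) >> 8));   /* 1 only when diff == 0 */
    return r;
}

#define TAG_LEN 16
/* Constructed sample value standing in for a secret authentication tag. */
static const uint8_t SECRET[TAG_LEN] = "constructed-tag";

/* Largest minus smallest work count over guesses whose first k bytes are
 * right (k = 0..TAG_LEN-1). Zero means the work reveals nothing about k. */
size_t work_spread(cmp_fn cmp)
{
    size_t lo = (size_t)-1, hi = 0;
    for (size_t k = 0; k < TAG_LEN; k++) {
        uint8_t guess[TAG_LEN];
        memcpy(guess, SECRET, TAG_LEN);
        guess[k] ^= 0xFF;                 /* first wrong byte at index k */
        size_t w = cmp(SECRET, guess, TAG_LEN).examined;
        if (w < lo) lo = w;
        if (w > hi) hi = w;
    }
    return hi - lo;
}

int main(void)
{
    printf("early-exit spread:    %zu\n", work_spread(leaky_equal));
    printf("constant-time spread: %zu\n", work_spread(ct_equal));
    return 0;
}
```

Both functions return the same answer for every input; only the early-exit version does an amount of work that varies with the secret.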
  • From Dmitry A. Kazakov@mailbox@dmitry-kazakov.de to fr.comp.lang.ada,comp.lang.ada on Sun Jul 21 18:49:27 2024
    From Newsgroup: comp.lang.ada

    On 2024-07-21 13:31, Niklas Holsti wrote:

    Security researchers and crypto implementers seem to take timing attacks quite seriously, putting a lot of effort into making the crucial crypto steps run in constant time.

    Cynically: they certainly know how to butter their bread...

    As I understand it, the "internal knowledge" needed for timing attacks
    is mostly what is easily discoverable from the open source-code of the
    SW that is attacked.

    Considering many many layers of software to predict timing from code in uncontrolled environment would be a challenge.
    --
    Regards,
    Dmitry A. Kazakov
    http://www.dmitry-kazakov.de

    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Lawrence D'Oliveiro@ldo@nz.invalid to fr.comp.lang.ada,comp.lang.ada on Sun Jul 21 21:52:58 2024
    From Newsgroup: comp.lang.ada

    On Sun, 21 Jul 2024 09:22:06 +0200, Dmitry A. Kazakov wrote:

    On 2024-07-21 03:04, Lawrence D'Oliveiro wrote:

    On Sat, 20 Jul 2024 11:08:47 +0200, Dmitry A. Kazakov wrote:

    Why on earth do we need security updates?

    Because computer systems are complex, and new bugs keep being
    discovered all the time.

    This does not make sense. You can create a very complex system out of screwdrivers and still each screwdriver would require no update.

    There is an old engineering adage, that the complexity of a system arises,
    not so much from the number of individual components, as from the number
    of potential interactions between them.

    If you have a box full of screwdrivers, then all you have is a box full of screwdrivers.

    If you have a computer system made up of a bunch of modules interacting
    with each other, then you could have, potentially, quite a complex system indeed.

    Look up the term “combinatorial explosion” to learn more.
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Lawrence D'Oliveiro@ldo@nz.invalid to fr.comp.lang.ada,comp.lang.ada on Sun Jul 21 21:53:46 2024
    From Newsgroup: comp.lang.ada

    On Sun, 21 Jul 2024 11:10:06 +0200, J-P. Rosen wrote:

    Le 21/07/2024 à 10:00, Niklas Holsti a écrit :

    But certainly, most attacks on SW have used functional bugs such as
    buffer overflows.

    A problem that has been solved since 1983, and even before (Pascal had
    bounds checking). Sigh...

    Pascal had no checking for memory leaks or double-frees.

    Rust certainly seems to be a next-generation solution to these sorts of
    memory problems.
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Lawrence D'Oliveiro@ldo@nz.invalid to fr.comp.lang.ada,comp.lang.ada on Sun Jul 21 21:55:10 2024
    From Newsgroup: comp.lang.ada

    On Sun, 21 Jul 2024 18:49:27 +0200, Dmitry A. Kazakov wrote:

    Considering many many layers of software to predict timing from code in uncontrolled environment would be a challenge.

    And yet it has been successfully done on the hardware itself, right down
    under all those layers of software (cf Spectre/Meltdown).
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From J-P. Rosen@rosen@adalog.fr to fr.comp.lang.ada,comp.lang.ada on Mon Jul 22 08:36:08 2024
    From Newsgroup: comp.lang.ada

    Le 21/07/2024 à 23:53, Lawrence D'Oliveiro a écrit :
    On Sun, 21 Jul 2024 11:10:06 +0200, J-P. Rosen wrote:

    Le 21/07/2024 à 10:00, Niklas Holsti a écrit :

    But certainly, most attacks on SW have used functional bugs such as
    buffer overflows.

    A problem that has been solved since 1983, and even before (Pascal had
    bounds checking). Sigh...

    Pascal had no checking for memory leaks or double-frees.

    Rust certainly seems to be a next-generation solution to these sorts of memory problems.

    We were talking about bounds checking, that Pascal had.
    Nowadays, you should not use pointers directly, but containers. Pointers
    are necessary only for writing containers, thanks to Ada's features not
    found in other languages, like allocating dynamically sized arrays on
    the stack.

    Note that in Rust, containers are written using unsafe Rust, therefore
    Rust is not better than Ada on that aspect, it is a complicated solution
    to a problem that Ada doesn't have.
    --
    J-P. Rosen
    Adalog
    2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
    https://www.adalog.fr https://www.adacontrol.fr

    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Dmitry A. Kazakov@mailbox@dmitry-kazakov.de to fr.comp.lang.ada,comp.lang.ada on Mon Jul 22 09:16:09 2024
    From Newsgroup: comp.lang.ada

    On 2024-07-21 23:52, Lawrence D'Oliveiro wrote:
    On Sun, 21 Jul 2024 09:22:06 +0200, Dmitry A. Kazakov wrote:

    If you have a box full of screwdrivers, then all you have is a box full of screwdrivers.

    If you have a computer system made up of a bunch of modules interacting
    with each other, then you could have, potentially, quite a complex system indeed.

    Tight coupling = bad design. No difference to screwdrivers. However you
    can take integer arithmetic if you dislike screwdrivers. However complex system you build, there is no need to update integers.

    Look up the term “combinatorial explosion” to learn more.

    Bad design leads to explosion of non-trivial unanticipated system states making it unpredictable. This is what happens when you add security on
    top. You patch holes drilling new ones to fix the patches.
    --
    Regards,
    Dmitry A. Kazakov
    http://www.dmitry-kazakov.de

    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Lawrence D'Oliveiro@ldo@nz.invalid to fr.comp.lang.ada,comp.lang.ada on Tue Jul 23 01:48:12 2024
    From Newsgroup: comp.lang.ada

    On Mon, 22 Jul 2024 08:36:08 +0200, J-P. Rosen wrote:

    Le 21/07/2024 à 23:53, Lawrence D'Oliveiro a écrit :
    On Sun, 21 Jul 2024 11:10:06 +0200, J-P. Rosen wrote:

    Le 21/07/2024 à 10:00, Niklas Holsti a écrit :

    But certainly, most attacks on SW have used functional bugs such as
    buffer overflows.

    A problem that has been solved since 1983, and even before (Pascal had
    bounds checking). Sigh...

    Pascal had no checking for memory leaks or double-frees.

    Rust certainly seems to be a next-generation solution to these sorts of
    memory problems.

    We were talking about bounds checking, that Pascal had.

    Which is only one potential pitfall for bugs with security implications.
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Lawrence D'Oliveiro@ldo@nz.invalid to fr.comp.lang.ada,comp.lang.ada on Tue Jul 23 01:49:16 2024
    From Newsgroup: comp.lang.ada

    On Mon, 22 Jul 2024 09:16:09 +0200, Dmitry A. Kazakov wrote:

    On 2024-07-21 23:52, Lawrence D'Oliveiro wrote:
    On Sun, 21 Jul 2024 09:22:06 +0200, Dmitry A. Kazakov wrote:

    If you have a box full of screwdrivers, then all you have is a box full
    of screwdrivers.

    If you have a computer system made up of a bunch of modules interacting
    with each other, then you could have, potentially, quite a complex
    system indeed.

    Tight coupling = bad design.

    And yet you are relying on those systems right now. Do you do online payments/banking? You depend on those systems crucially for that.
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Dmitry A. Kazakov@mailbox@dmitry-kazakov.de to fr.comp.lang.ada,comp.lang.ada on Tue Jul 23 09:06:26 2024
    From Newsgroup: comp.lang.ada

    On 2024-07-23 03:49, Lawrence D'Oliveiro wrote:
    On Mon, 22 Jul 2024 09:16:09 +0200, Dmitry A. Kazakov wrote:

    On 2024-07-21 23:52, Lawrence D'Oliveiro wrote:
    On Sun, 21 Jul 2024 09:22:06 +0200, Dmitry A. Kazakov wrote:

    If you have a box full of screwdrivers, then all you have is a box full
    of screwdrivers.

    If you have a computer system made up of a bunch of modules interacting
    with each other, then you could have, potentially, quite a complex
    system indeed.

    Tight coupling = bad design.

    And yet you are relying on those systems right now. Do you do online payments/banking? You depend on those systems crucially for that.

    I don't understand your point. Should I bubble with joy each time it
    crashes or gets compromised?
    --
    Regards,
    Dmitry A. Kazakov
    http://www.dmitry-kazakov.de

    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Lawrence D'Oliveiro@ldo@nz.invalid to fr.comp.lang.ada,comp.lang.ada on Tue Jul 23 08:36:13 2024
    From Newsgroup: comp.lang.ada

    On Tue, 23 Jul 2024 09:06:26 +0200, Dmitry A. Kazakov wrote:

    On 2024-07-23 03:49, Lawrence D'Oliveiro wrote:

    On Mon, 22 Jul 2024 09:16:09 +0200, Dmitry A. Kazakov wrote:

    On 2024-07-21 23:52, Lawrence D'Oliveiro wrote:
    On Sun, 21 Jul 2024 09:22:06 +0200, Dmitry A. Kazakov wrote:

    If you have a box full of screwdrivers, then all you have is a box
    full of screwdrivers.

    If you have a computer system made up of a bunch of modules
    interacting with each other, then you could have, potentially, quite
    a complex system indeed.

    Tight coupling = bad design.

    And yet you are relying on those systems right now. Do you do online
    payments/banking? You depend on those systems crucially for that.

    I don't understand your point. Should I bubble with joy each time it
    crashes or gets compromised?

    You seem to say one thing and do another, is my point.
    --- Synchronet 3.20a-Linux NewsLink 1.114
  • From Niocláisín Cóilín de Ghlostéir@Spamassassin@irrt.De to fr.comp.lang.ada,comp.lang.ada on Sun Jul 27 23:41:37 2025
    From Newsgroup: comp.lang.ada

    On Sat, 20 Jul 2024 (1 year + 1 week ago), Dmitry A. Kazakov wrote:
    "That is the whole idea of the scam. Why on earth do we need
    security updates? Do you update your screwdriver each week?"

    Channel 4+1 on TV in the British Isles broadcast shortly before 10:14p.m. tonight that a "fake" "security" "update" tricked users of an encrypted application to disclose messages which they used to encrypt. This TV documentary is called "Operation Dark Phone Murder by Text".
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Nioclás Pól Caileán de Ghloucester@Spamassassin@irrt.De to fr.comp.lang.ada,comp.lang.ada on Mon Oct 20 23:30:55 2025
    From Newsgroup: comp.lang.ada

    "Amazon says underlying problems fixed, now the blame game begins
    published at 19:23

    Lily Jamali
    North America technology correspondent

    [. . .]

    Even after CrowdStrike had fixed the issue, the airline said it had to
    manually reset 40,000 servers, leading to major flight delays over
    several days."
    said HTTPS://WWW.BBC.com/news/live/c5y8k7k6v1rt?post=asset%3Ada98b850-c4f9-4fc4-8cdd-0e76d1fc6bb9


    "Amazon Web Services outages reported in the last 24 hours
    Possibly related to issues at Amazon Web Services
    9628 [i.e. a peak on a chart's Y axis]"
    said
    HTTPS://Downdetector.com/status/aws-amazon-web-services
    today.

    Amazon did not fix the underlying problem of replacing known old solutions
    with newly added mistakes.

    I remember that applications used not need the Internet. I remember that
    applications used to not crash, even when the Internet would not be
    satisfactory.

    I remember that most websites used not be unreliably concentrated in three
    companies which many a person objects to. Instead I remember that the
    number that is three used to be important for good old triply modular
    redundancy!

    "Amazon says underlying problems fixed, now the blame game begins
    published at 19:23

    Lily Jamali
    North America technology correspondent

    [. . .]

    Given how integrated these systems are, determining fault isn't always
    straightforward."

    Tight coupling is straightforwardly interpretable as a fault! Cf.
    HTTPS://DL.ACM.org/action/doSearch?AllField=%22tight+coupling%22+%22code+smell%22

    "Major AWS outage took down Fortnite, Alexa, Snapchat, and more
    The cause of the AWS outage is currently unclear.

    by Jess Weatherbed

    Updated Oct 20, 2025, 5:41 PM GMT+1

    [. . .]

    The AWS dashboard first reported issues affecting the US-EAST-1 Region
    at 3:11AM ET, and eventually said that “The underlying DNS issue has been
    fully mitigated.”"

    I remember having basically no problem when a DNS crashed as I could use
    IP addresses. Those were the days!
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Nioclás Pól Caileán de Ghloucester@Spamassassin@irrt.De to fr.comp.lang.ada,comp.lang.ada on Fri Oct 24 12:46:56 2025
    From Newsgroup: comp.lang.ada

    On Mon, 20 Oct 2025, I wrote:
    "[. . .]

    "Major AWS outage took down Fortnite, Alexa, Snapchat, and more
    The cause of the AWS outage is currently unclear.

    by Jess Weatherbed

    Updated Oct 20, 2025, 5:41 PM GMT+1

    [. . .]

    The AWS dashboard first reported issues affecting the US-EAST-1 Region
    at 3:11AM ET, and eventually said that “The underlying DNS issue has been
    fully mitigated.”"
    [said HTTPS://WWW.TheVerge.com/news/802486/aws-outage-alexa-fortnite-snapchat-offline

    . . .]"

    Today, HTTPS://WWW.EireBheo.Ie/news/nuacht/1923658/beidh-diospoireacht-uachtaranachta-deiridh-a-reachtail-ag-rte-agus-iarrthoiri-ag-teacht-salach-ar-a-cheile-faoi-thuairimi-iosmheid-nua.html
    is showing an advertisement.

    "Build for success,
    at any scale.

    Industry-best AWS AI infrastructure
    grows with you.

    [. . .]

    Unleash scalable computing power for your
    business
    AWS Compute offers scalable and flexible
    computing resources to power your business...
    Amazon Web Services (AWS) | Sponsored"
    says this advertisement.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Nioclás Pól Caileán de Ghloucester@Spamassassin@irrt.De to fr.comp.lang.ada,comp.lang.ada on Thu Oct 30 09:30:54 2025
    From Newsgroup: comp.lang.ada

    I wrote:
    |--------------------------------------------------------------------------|
    |"I remember that applications used not need the Internet. I remember that |
    |applications used to not crash, even when the Internet would not be       |
    |satisfactory.                                                             |
    |                                                                          |
    |I remember that most websites used not be unreliably concentrated in three|
    |companies which many a person objects to. Instead I remember that the     |
    |number that is three used to be important for good old triply modular     |
    |redundancy!"                                                              |
    |--------------------------------------------------------------------------|

    A few seconds ago,
    HTTPS://Downdetector.com/status/windows-azure
    published:
    "User reports indicate possible problems at Microsoft Azure
    Microsoft Azure is a cloud computing platform operated by Microsoft. Azure
    offers both 'platform as a service' (PaaS) and 'infrastructure as a
    service' cloud solutions.
    [. . .]
    Microsoft Azure outages reported in the last 24 hours
    [A peak of 18,506 at 4:16p.m. yesterday . . .]
    This chart shows a view of problem reports submitted in the past 24 hours
    compared to the typical volume of reports by time of day. It is common for
    some problems to be reported throughout the day. Downdetector only reports
    an incident when the number of problem reports is significantly higher
    than the typical volume for that time of day. Visit the Downdetector
    Methodology page to learn more about how Downdetector collects status
    information and detects problems.
    [. . .]
    Prateek Dubey
    16 hours ago
    This outage is unbelievable—it’s impacting far more than just a single
    Azure Availability Zone or Region. I’m seriously starting to consider
    moving back to on-premises or hybrid cloud solutions. Events like this
    make you realize how critical it is to have alternatives when even the
    biggest cloud platforms face such widespread disruptions.

    spiritamokk
    21 days ago
    Most of the Microsoft services including Azure, Teams, Office365 in
    Eastern US are completely down. This is very bad

    Irish Celtic
    15 hours ago
    Everyone is surprised? What do you expect when you put thousands of
    systems into one platform. This entire cloud idea is going back to the
    mainframe structure that failed and this will fail again for the same
    reasons."

    The International Criminal Court uses Microsoft Azure. Perverts! Idiots!
    This subventions fraudster professes Azure engineering.
    --- Synchronet 3.21a-Linux NewsLink 1.2