Posts by Daniel B.

Re: PGP is not security

A certain amount of metadata has to be in the clear, otherwise how does a public mail server know how to route your email? It at the very least needs to know what domain to send it to. So maybe metadata encrypted with a public key for that domain, then the server in that domain can route it to the appropriate user.

It can be hidden right now, with current tech, but both the sending and receiving MTAs have to support TLS.

Sender sends his email via SMTP to his outbound SMTP server. He does so via TLS.

Sending SMTP server initiates connection to receiving SMTP server, via TLS.

Send email over secure channel.

Receiving person check inbox via IMAP, using TLS.

The thing is, this will probably leak information in the sense that you will see a something sent to sending smtp, then a something of similar size being sent to the destination, so you can still infer who is getting the email even if you can't read the metadata.

Re: Take a good look

Illegal drugs lead to Mexico's cartel system. A legalised system doesn't - quite the opposite; it leads to pots (haha) of money for the state.

This. Is. So. Very. True.

Most former Mexican presidents have ended up arguing that legalization is very much needed to curb the cartel violence in Mexico. And it is probably the only way we're going to see the cartels go down. Unfortunately, the solution would require both Mexico and the US to legalize drugs.

Re: Anonymous network developed by the US government compromised.

Less surprised these days. Would've been surprised if this had been discovered before the Snowden affair and the Silk Road and Freedom Hosting shutdown. And even then, I was still wary on blindly trusting that hidden services are going to be 100% untraceable...

Re: "Can you survive without support?"

It's about being able to actually get some help from Microsoft when it all goes pear-shaped.

Support is a good thing to have ... when it is actually good support. In my experience:

- IBM Support: Send Business Partner to fix. If it requires more people, IBM sends 'em.

- Sun Support: Send BP to fix. If issue not solved after X time, send local Sun engineer. If it still hasn't been fixed, fly in someone from Silicon Valley that will fix it.

- Microsoft Support: Get sent to some Indian dude who will ask for logs and stuff, then answer 5 days later "don't know what happened!"

Want support? Go UNIX. Or Linux. Or even BSD and have your IT department fix stuff up by themselves!

Oh yes...

Doom scared the willies out of me playing late at night in a dark room.

A Demon, in Command Center's dark maze, with a Rocket Launcher!!!!

That pretty much sums up the first time Doom actually scared me. I had selected the rocket launcher, was navigating through a maze in E1M4 when I started hearing growling noises behind me. I turn and find a Demon right in front of me. I panicked and shot the thing. At point blank range. With a freaking Rocket Launcher. Fortunately, I survived that with 11% Health. It also didn't help that the next level after that was the horribly dark Phobos Lab.

Jagwyre

The El Reg / Apple love hate thing goes waaay back. That said, El Reg basically mocks every single IT outfit. Remember the Itanic? They really abide by their motto: Biting the hand that feeds IT.

Re: One party state

Welp, you guys decided to give the Tories an absolute majority (though a weak one). You're just getting to reap what you sow real fast. :/

Re: Will VM work

Win 10 looks so bad that I am seriously considering running a Macbook with VM so I can still use Visio, Autoroute and Microsoft Money which are the only reasons I still use Win 7. Anybody got any better ideas?

You're late into the game. I did exactly that in December 2012. My Win7 VM is rarely used these days, as I bought Office 2011 for Mac (it still has menus so you aren't forced to use Ribbon only) and Win7 is mostly used for Windows-only games or the few 2 or 3 programs that aren't available on Mac.

But yes, it's probably the best bet: you don't have to pay the MS tax, you keep an OS that does get commercial software, but also get a Unix OS underneath for other stuff. And you can run any other OS under VMs if you want to.

Re: Great.

"And Javascript - which I see is still fully supported in Chrome 42...."

I really hope you are joking and not that stupid?

I don't think he's stupid. He's probably right: the only way to have a truly secure browser is to disable all client-side running code. If code can run in your client, it can be theoretically exploited.

Most stuff that downloads and runs code from the 'net should have some kind of sandbox, or at least a way to verify if the code you're going to run is safe. Some schemes do either sandboxes, code authentication, or both. But not all of 'em. So we usually get from the most secure schemes (Java does both), to the shitty security ones (Javascript does sandbox, but no code auth), to nonexistant (Oh, it seems you have an ActiveX object! I'll run it! Full access to everything! Oh no I's been pwned!!!)

So basically, if you're agreeing with Google killing Java, you should be asking for Google to kill JavaScript as well. Because its security model is shittier.

Re: What an ass clown

Cisco gear does have graphical interfaces. But any competent sysadmin can and must be able to manage stuff using CLIs. In fact, the lack of CLI on certain products is a larger problem than lack of kiddie GUIs on stuff that is only managed by competent IT folks.

Re: Rather interesting @martinusher

Yes, I'm very annoyed that H1B is basically "the Indian visa" these days. I've been offered a couple of jobs in the US, but it seems that these are offered via the TN-2 visa mostly because H1Bs run out real quick. TN sucks in the sense that you're locked to the same employer, if you quit or are fired you have to leave the country ASAP. No grace period, no looking for another job. H1-Bs are better for some of these cases.

But then there's even more reasons for immigration reform. Fix it so that both immigrants (and non-immigrants, as H1-B is a nonimmigrant visa) and US citizens aren't shafted by US corporations.

Re: As someone from the con / geek community

As you see more and more busy body wannabe tech feminists (as opposed to women with actual skills) enter the tech circles... you'll see more and more of this.

It has even infested DEFCON. The one last year had Hacker Jeopardy get PG-ified as Vanna Vinyl didn't strip down on that edition, due to insistence of the feminazis. (Note: "feminazis" and "feminists" aren't the same thing. "Feminazis" are the radical zealot subgroup within the feminist movement, but not representative of feminism as a whole.)

I might get RSA banning booth babes, but DEFCON? That's just ruining the fun in an event that isn't meant to be business-oriented or PC at all. Reading this thread pretty much talks for itself.

Re: Bork IE<9

The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?

Yes, unfortunately TLS 1.x doesn't mean that EXPORT ciphers are disabled at all. I've tested a couple of sites, and TLS still can negotiate EXP-RC4-MD5, which makes cryptographers' eyes bleed. The problem is that EXPORT should have been removed from the default set of ciphers at least a decade ago.

Re: Never made it to civilisation.

Here in the civilized world we have Nespresso which really is an environmental disaster as the composite aluminium and custom plastics are prohibitively expensive to re-cycle.

The Nespresso is the Nescafé-branded version of those awful things. And no real coffee lover would be seen even close to drinking Nescafé. Yeech!

Re: keyword: either

OpenSSL, out of the box, is not suitable for use by developers and administrators who don't want to be bothered learning anything about SSL/TLS.

Pretty much any crypto API is not suitable for use by anyone who hasn't at least read something about SSL/TLS. I'm really surprised about the amount of devs, webmasters and sysadmins that had no idea about the existance of EXPORT ciphers at all. This is something they should know because a lot of them actually worked with the "international browser" versions from the late 90's which had the stupid 40-bit restriction hobbling SSL.

There's also a very high amount of developers who use self-signed certs in production enviroments. Another good bunch that outright disable SSL certificate validation to get their stuff to work, basically opening up their security infrastructure to MITM attacks within the organizational network. You've probably noticed that this sounds a lot like how SuperFish does SSL ... well, this is why those devs thought it was normal. They're used to doing this.

Oh well, at least some security-related products will have some kind of FIPS mode available. It's probably worth flipping that switch on as it will disable all EXPORT and LOW ciphers by default, including 3DES which is probably bound to be cracked in the near future.

I'd rather have a slow I/O OS that lets me do my job quickly, than a fast I/O OS that makes me spend 3x the time doing my daily work.

Of course, I chose neither: I jumped to OSX when all laptops turned into "Windows 8 or bust". Well played MS, I chose bust.

If a phone finds a wifi signal it can connect to, that could also trigger a self-destruct.

Only if the phone had WiFi activated when it was taken away, and even then only if the phone can find a WiFi network that was previously added to its list of known WiFi networks.