* Posts by Chronos

1246 publicly visible posts • joined 21 Oct 2007

Oh Smeg! Hacked white goods maker resurfaces after system shutdown

Chronos

Re: We are down to cat milk

No bugger would drink it.

Chronos

It's a state of the art sarny.

Holly: "It's the state of the floor that worries me."

Linux kernel's Torvalds: 'I am truly sorry' for my 'unprofessional' rants, I need a break to get help

Chronos

Re: Don't let the namby-pambys run the Kernel, Linus!

@jake: This. A thousand times this. The last thing we need is some touchy-feely commune with yurts, natural fibres and tofu-based nutritional snacks where nothing gets done but ever so politely and ecologically.

While I do feel that profanity should be more seasoning than sauce, the result of cooking without seasoning isn't exactly something you'd want to eat.

US govt concedes that you can indeed f**k Nazis online: Domain-name swear ban lifted

Chronos

Re: Bottom hidden by fog

There's a Bluebell End in Cheshire. Not sure what happened there but it sounds painful.

Microsoft: You don't want to use Edge? Are you sure? Really sure?

Chronos
Stop

The plot.

"I'm sure I left it here. I just had it a moment ago. Can you check your pockets again?"

Any tenuous grasp they had on reality has slipped away. As any reasonably experienced driver will tell you, this is what happens when you blindly follow the SatNad.

Brit armed forces still don't have enough techies, thunder MPs

Chronos
Devil

Re: Simple answer.

You're right. Or possibly low places. One or two of them must be in league with Old Nick just for the kickbacks...

Chronos

Simple answer.

Why aren't more people lining up to fight with a mouse, keyboard and gun?

Perhaps because anyone smart enough to wield the first two is smart enough to know our leaders are about as batshit crazy as it is physically possible to get without being sectioned.

PPI pushers now need consent to cold-call you

Chronos
Flame

Too late

The whole PPI scam collapses next year anyway. They'll then move on to something else to continuously mither you with at mealtimes.

Bastards. Thank $DEITY for Asterisk.

Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs

Chronos
Joke

Surely...

...at least an identity Czech?

Icon. And not a very good one, sadly.

Nope, the NSA isn't sitting in front of a supercomputer hooked up to a terrorist’s hard drive

Chronos

Re: Clipper ? - Intel ME

I used to love Compaq's ILO boards. Thing with ILO was you could remove them and, even if you didn't, they were under your direct control. There is only one logical reason why this technology has been adopted by both USian processor manufacturers and that reason certainly does not have your best interests at heart.

What I object to with all of this is that it fundamentally undermines the assumption of innocence and the concept of mens rea. We already have RIPA over here doing much the same thing. The situation in the UK is so bad that it is now possible to lock anyone up at whim. Just take their smart phone, encrypt it with a random key, fabricate a reason to require decryption and lock 'em up when they can't.

Chronos

Re: Clipper ? - Intel ME

Agreed, with the little addendum that AMD also has a Judas-puter in the form of PSP. Right now, nothing in the current x86 line-up is trustworthy. Not a problem, you may think, just run older kit? Well, many of the services you connect to are also running Xeon/EPYC. It really doesn't matter which end of the pipe gives up the unencrypted data as long as one of them does.

Thousands of misconfigured 3D printers on interwebz run risk of sabotage

Chronos

Re: Why

Precisely this. It's not as if you're going to be able to do anything about it if the Octoprint camera shows filament spewing out in a big rats' nest that is going to jam the whole thing up imminently while you're miles away watching it over your mobe apart from hitting the reset button and hoping that it doesn't ignore the Z stop - again.

Besides which, 3D printers shouldn't really be left unattended. Forcing plastic through a nozzle heated to ~200 degrees? What could possibly go wrong?

Disclaimer: Mine has a WiFi connected serial port for use with Pronterface, which saves me having to bugger about with cables. Its MAC is firewalled off at the router and it gets a bogus default gateway. Security onion and all that...

If you weren't rich enough to buy a Surface before, you may as well let that dream die

Chronos
Windows

Searching...

Nope, not a single fornication to give. Right out of excrement quanta, too.

TSB goes TITSUP: Total Inability To Surprise Users, Probably

Chronos
Stop

After 20 minutes on the phone they sent her a new link which caused her not only to reset her password but her security questions

Do they still do that? They need to go away and write 200 lines "Most e-mail is transferred in the clear; e-mail is not secure."

Any old munchkin could have intercepted that link and no, SMS isn't much better.

Chronos
FAIL

Someone at TSB doing the work of two men...

Laurel and bloody Hardy.

Microsoft gives Windows 10 a name, throws folks a bone

Chronos
Devil

Re: Obviously...

A lot of excel stuff doesn't work at all.

Indeed. It usually goes like this:

"This has a pivot table in it."

"Why did you need to use a pivot table? Was selecting a subset of cells for that line graph too difficult?"

"..."

Because they know "I wanted to be able to say 'pivot table' in meetings" isn't a good reason.

Chronos
Joke

Re: Crashy McCrashface?

Ah yes, blanket surveillance :-)

Chronos

Crashy McCrashface?

More like Snoopy McSpyface. Actually, why don't they just ask for permission to use Mr Schulz' beagle as their mascot?

AI sucks at stopping online trolls spewing toxic comments

Chronos
Stop

AI sucks

You should have just stopped there. No article necessary.

Hello 'WOS': Windows on Arm now has a price

Chronos

Plus ca change...

most legacy applications were so deeply reliant on x86 quirks that only a subset could run, and customers didn't want a subset. Windows RT was short-lived.

So what's changed? That is still the situation and Windows' ecosystem is still heavily legacy-encumbered. *aaS hasn't significantly altered the situation.

Now, if one could, say, recompile code to the architecture of choice, then that would be fantastic. It's a shame there's no way to do that. Oh, wait...

Of course, you'd have to ditch Redmondware, which is a catch-22 situation if you're moaning about 20+ year-old applications not running. The problem, as always, is the users; you can't really blame them for wanting stability and a familiar working environment but it's causing all manner of crap upstream. The irony is that if you build out your workstations from scratch and have /home sitting on networked storage, you can have interface stability for as long as you like. The trick is to wean the users off of Windows just that one time.

Mozilla changes Firefox policy from ‘do not track’ to ‘will not track’

Chronos

Re: It's about time

Firefox looks and feels like Chromium (and probably contains a lot of its internals these days).

Nope. Different rendering engines. The Chromium clones all use Webkit, as does Safari. Firefox is (currently, on my machine using ESR) Gecko, which can trace its ancestry back to Navigator and is really the daddy of them all.

It may well be that Fx uses similar mechanisms to do certain things but not direct copy/paste or #include bit_of_chrome.h. It wouldn't surprise me to hear that Chromium contains many Fx-inspired bits rather than the other way around. The "chrome" in your profile directory means "shiny shit that isn't structural" - and pre-dates Chrome by years - rather than "Google's browser."

After all that positivity, which is well out of character for me, let me just issue Moz with a warning: I will not accept inserted ads on new tab pages or Safebrowsing¹ potentially reporting my every URL to Google. Find a way to make the latter opt-in or host the definitions anywhere else but Ogle and leave the former out behind the barn with a bullet in its head.

¹ I know this is supposed to protect lusers from themselves but should it really be necessary to do about:config and mangle the URL to disable it completely?

Android data slurping measured and monitored

Chronos

Re: 'The nature of some data may also surprise. App developers receive your age and gender'

You'll never convince the prescriptivists of that, though. They live in a fantasy world where the gods hand down immutable rules of English usage that none may question.

Oh, I'm fine with evolution. My aversion to LaaV (leverage as a verb) is simple. Let me say the same thing twice:

"We're going to use our experience in this field to produce something decent that people will want to buy. Keep me and the rest of the team informed of progress and problems, please."

"We must leverage core competencies and utilise our core IP to produce an innovative product that will obsolete the current paradigm, incentivise our clients and increase our market share. The core team will touch base often and will ensure that hurdles become opportunities."

Guess which of these is spoken by someone who knows what she's doing and will result in something that isn't a complete and utter dog's breakfast, shoddy to the point of worthless and impossible to support...

Chronos

Re: Blessed are the poor

Now, if they could get the health data too... that's something poor people could contribute... "the nearest compatible organ donor is ...."

Ah, so that's what William Gibson meant by being rolled in Chiba for parts. All becomes clear.

Chronos

Re: 'The nature of some data may also surprise. App developers receive your age and gender'

>"Leverage" is not a bleedin' verb.

https://www.dictionary.com/browse/leverage?s=t

verb (used with object), lev·er·aged, lev·er·ag·ing.

to use (a quality or advantage) to obtain a desired effect or result:

She was able to leverage her travel experience and her gift for languages to get a job as a translator.

So leverage IS a verb (a transitive verb, to be specific), and if I have to, I'll look up OED, too.

The defence would like to place on record this, which describes the act as being "very sensual" when, in fact, it's nothing of the bloody sort - it actually reminds me of the time one of my dogs accidentally ate some elastic from a piece of meat. Citing this source as authoritative is probably not a good idea.

Also this.

The defence rests its case, m'lud.

Chronos

Re: 'The nature of some data may also surprise. App developers receive your age and gender'

I had one whose answer to people getting root and stripping out system traitorware was to deliberately corrupt the ext4 filesystem on /system so that mount -o rw,remount /system failed back to read only. I did manage to reset the onerror flag to continue and disinfect but they're not worth the time, effort or rage to get them working properly - usually because they never will.

Stick with Qualcomm. How much longer that would have been my advice had they been Borged by bloody Broadcom is left to the imagination.

Chronos

Re: 'The nature of some data may also surprise. App developers receive your age and gender'

Correction: The only way to successfully avoid that is not to have bought a phone with Google's Android on it in the first place.

In an ideal world, yes. However, you try getting something with the screen, processing power, ancillaries and connectivity of an Android device without the Trojan horse OS for reasonable money. Far better to take advantage of their "kindness" and gut it of its traitorware.

This isn't blind trust. I run multiple utilities on the device itself via root adb shell to ensure I haven't missed anything any time there's a major change. I even strip out bits of Lineage that I don't trust such as the Jelly browser, e-mail, messaging and their update and feedback apps. In their place is Firefox Mobile, K9Mail, Silence and sod all because I'll track changelogs myself. Gone is anything Googly-syncable and in its place is DAVDroid and a self-hosted Nextcloud backend.

Not for everyone, I admit, yet for those of us for whom messing with builds is more fun than chore, it works. We're not going to change the world for Joe Public this way, though.

Android devices have been a Trojan for Google to get inside your walls almost since they first came out.

Agreed. My first 'droid device was an Orange SanFran simply because that was the first reasonably priced handset that was a doddle to unlock, CMify and disinfect right out of the box. Its stock OS lasted just long enough to remove the SIMlock.

Chronos
Flame

Re: 'The nature of some data may also surprise. App developers receive your age and gender'

I was with you until the second word of the second paragraph. "Leverage" is not a bleedin' verb.

The truth is that Android is a system to turn a smartphone owner into a product. The only way to successfully avoid that is to strip out Google services framework completely which, in essence, means running a custom build of AOSP/LineageOS/AOKP/Omni without the final flash of gapps. Then add F-Droid, YALP¹ et al.

Even then, you have to be bloody careful. aGPS will quite happily talk to Google's SUPL server and quite literally hand them your coarse location along with device specific information. If you have a Mediatek device², their proprietary GPS core will also talk to their server. All of this is before the networks get involved.

As for Android being open source, the first time you build your own derivative you'll realise just how much of it isn't. Even Qualcomm based devices, the vendor most likely to play nicely with your *droid freedom project, is chock-full of binary blobs from the obvious RIL/modem (pretty much expected as raw access to this can be used for all manner of nefarious things) down to simple peripheral access.

It's a shame the Replicant project was such an epic fail but that was to be expected. The smartphone environment deliberately doesn't support full freedom as most devices are simply loss-leaders which enable access to the real product: You.

¹ Take no notice of apps that declare they're GSF dependent. Parts of them may be, yet they're usually deep down betrayal bits that don't affect core functionality. Of course, if you're installing even one closed-source app from GP through YALP, all your hard work deGoogling your device has gone out of the window anyway.

² Avoid at all costs. They almost always turn out to be landfill devices.

No D'oh! DNS-over-HTTPS passes Mozilla performance test

Chronos

The elephant in the room is farting...

...and still nobody notices the damned thing. While SNI is still sent in the clear, you can obfuscate your DNS queries all you like, they're still going to log and store that first header. TLS1.3 should have dealt with this but, as usual, it's just too difficult to re-implement SNI over a secure channel now world+dog's httpd is happily using the current SNI implementation. It would require something like a DNS fingerprint of the hosting IP's default virtual and then a process to get the wanted certificate fingerprint for the domain after the request is transmitted over a secure channel to the host httpd. Not an easy task and adds a lot to the initial handshake where TLS1.3's focus was on trimming that down.

While this is still an issue, DoH is still a false sense of security.

BTW, DNSSEC != encryption. DNSSEC is simply a hierarchical method of verifying the records haven't been intercepted and changed. The data is still sent in the clear.

Who is your favourite world leader?

Chronos

Chancellor Martok

...because he's fictional, fights his own bloody wars instead of sending someone else to do it, would be a few hundred light years away on his own world of Qo'noS if he weren't fictional and he's got one eye rather than no eye, dear.

Qapla'!

Tax the tech giants and ISPs until the bits squeak – Corbyn

Chronos
Mushroom

Sod off, Corbyn

Taxation by the back door. You know that this will be passed on to end users, so as much as your "reduce the licence fee for poorer households" looks appealing, it is, in reality, complete bollocks. In fact, you can also stuff the regressive TV licence up yer arse along with that red flag.

"Compete with Netflix et al" by giving the Beeb an unfair advantage over and above the one they already have? What you're actually doing, rather unsurprisingly given your confessed inspirational heroes, is creating the British version of TASS.

Use Debian? Want Intel's latest CPU patch? Small print sparks big problem

Chronos
Mushroom

Re: Finally

Cozy? Perhaps. Mined in a random pattern? Damned right.

I just hope RISC-V isn't just another good idea poorly executed, if you'll pardon the pun.

Icon -> I trod on an IME. Give me your bayonet, Jones.

Chronos

In this very specific case, you're ignoring the fact that this is mitigation of a flaw in the workmanship of a product that was sold already, i.e. you really don't have any choice but to use the microcode, especially if it creeps in via a firmware update. This licence change is highly unlikely to be binding on people who already owned Intel chippery before the flaw came to light. I don't know of any jurisdiction in the EU that allows such unilateral contract changes.

IANAL, YMMV etc.

If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

Chronos
Thumb Up

Re: "If it doesn't need to be connected, don't"

This. It applies everywhere, not just healthcare.

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

Chronos

Re: ::hrrumpf::

What are you going to do when you need to replace your current appliances, and the only available replacements are all "smart"?

Lobotomise the buggers by connecting them to a fake AP. I already have an ESP8266 pretending to be an access point with nothing but 3V3 connected to it for such devices.

Chronos
Mushroom

Re: It's Christmas!

Now that's smart :-)

Not exactly the adjective I would have chosen. It does begin with "S," though.

Perhaps tie it in with isitchristmas.com's public API? For the authentic feel, have it randomly turn the lights off until you fiddle with the fuse bulb...

Microsoft: We busted Russian Fancy Bear disinfo websites

Chronos

Russia, SatNad era MS or Conservatism?

One really doesn't know who to cheer for, does one? Perhaps "none of them" is the correct answer.

Connected car data handover headache: There's no quick fix... and it's NOT just Land Rovers

Chronos

Re: Why?

Connecting the infotainment system to the ECU means that the radio can automatically turn up the volume as the speed increases

Oh, for pity's sake! What a feeble excuse for introducing more complexity into a system that is, when you get right down to the basics, safety of life. Lose the engine, you lose the servo vacuum. Lose the servo vacuum you lose the brake assist. You also lose the power steering assist on older vehicles. Besides, I could do that by just feeding the road speed and RPM pulses into a dedicated port, which means the bloody radio can't piss about with the ECU as it's a one-way flow. Or, you know, set the volume manually like a normal human being?

the CAN bus

This is yet another bugbear. CAN monitoring of ancillaries is making drivers forget their responsibilities. When was the last time you did a tyre check, including the inside sidewall for flaws?

All this automatic monitoring down to and including the bloody brake light bulbs is breeding complacency.

Chronos
Coat

Re: Good news!

Re: the title, I thought you were going to tell us about a new Dacia Sandero.

Anyway... :-)

Chronos
Facepalm

Why?

Give me one good reason why cars need to be Internet of Shite on wheels. Good reasons do not include unlocking the car without use of the key or being able to start it because you have (ooh, matron!) a dongle in your pocket.

Trackers should be separate devices and, ideally, under the control of the owner alone. Whoever thought connecting the infotainment system to the ECU was a good idea needs shooting. Likewise, OTA firmware upgrades need to die in a fire (but not in the car). The ECU has one job: To keep the engine running as efficiently and reliably as possible.

All of this crap began with remote central locking. Being able to open the car without using a manual lock which is oh, so difficult was seen as essential, never mind the 433MHz receiver with a front end as wide as a barn door which dies at the mere whiff of a rent-a-cop's transceiver at a shopping centre, 24 bit codes which were vulnerable to replay attacks or just plain shoddy technology which didn't work such as Rover's "windows up" crap which got itself confused more times than not thinking the windows were still down and refusing to lock.

Lazy bastards are causing more security headaches than all the script kiddies who ever slimed their way onto the Internet. Worse, the eventual beneficiary of all this will be Big Data Fetishist types who want every single piece of technology you "own" to spy on and betray you. Eric Blair thought it would be kids and neighbours dobbing you in for wanting freedom. Turns out it was the only thing he got wrong.

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim

Chronos

Re: whatismydnsresolver.com

To me, if my ISP is intercepting my DNS requests, well I don't see that I can do anything about it and I fail to see why I should care, as long as I get to the web page I'm expecting to get to.

Because logging DNS is yet another trove of information on your interests. It's quite feasible to build up a profile of your interests from that alone.

Naturally, until the FQDN is no longer sent in the TLS handshake SNI field in the clear, it's all a bit pointless as they're going to capture that too. Unless you use a decent VPN, of course.

On the subject of the little detection page, Stubby seems to kill it dead. Just sits there, looking confused :-)
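The point made in this post and in the earlier DNS-over-HTTPS one (that the hostname still travels in the clear in the TLS ClientHello's SNI field, whatever you do to your DNS) can be seen directly by parsing a ClientHello. The following is an added example, not code from the poster or from any project mentioned; it builds a constructed, minimal ClientHello record and then pulls the server name out of it the way any passive observer on the path could:

```python
import struct

SNI_EXT_TYPE = 0  # TLS extension type for server_name (RFC 6066)


def build_client_hello(hostname):
    """Construct a minimal ClientHello record, optionally carrying an SNI extension.

    This is a constructed sample, not a real capture: the random bytes are fixed
    and only one cipher suite is offered. If hostname is None, no extensions are
    included at all.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03" + b"\x11" * 32 + b"\x00"  # version, 32-byte random, empty session id
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent.

    Every length field is bounds-checked so a truncated or non-handshake record
    returns None rather than raising.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression methods
    if len(body) < pos + 2:                           # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end and end <= len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE or len(data) < 2:
            continue
        i = 2                                         # skip server_name_list length
        while i + 3 <= len(data):
            name_type = data[i]
            nlen = struct.unpack("!H", data[i + 1:i + 3])[0]
            name = data[i + 3:i + 3 + nlen]
            if name_type == 0 and len(name) == nlen:
                return name.decode("ascii", errors="replace")  # visible in the clear
            i += 3 + nlen
    return None
```

Running `extract_sni(build_client_hello("www.example.com"))` recovers the hostname without touching DNS at all, which is the whole problem the posts describe; a ClientHello with no SNI (or a non-handshake record) yields None.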

Self-driving cars will be safe, we're testing them in a massive AI Sim

Chronos
Facepalm

Looking forward

Hopefully the time will come when "Guys, I have a really good idea!" is immediately met with "How many people will it piss off, inconvenience, kill, maim, cost money, disenfranchise or dispossess?"

Driverless jalopies, electric cars with sodding batteries, systemd, Big Data, smart metering, outsourcing, zero hours, gig economy, Brexit, every single one of these could have been examined under who-gets-fucked criteria and at least modified to limit collateral damage.

Distro inferno: Debian's still rocking at 25

Chronos
Flame

Re: It should never have come to that but legacy lives on.

I just hope the buggers responsible are then kept well away from the *BSD codebases after they've finished screwing up Linux.

The problem there has already begun. pkg was the turning point for me, although I was already rather fed up with fixing ports with many dependencies updated without a care for their dependants and scant regard for whether the upgrade was security or even feature focused rather than just another mundane minor version number race to the bottom. Also the many changes to ports.mk and friends which screwed up my tinderbox without mercy on a regular basis had me steaming from the ears.

The road to hell is paved with good intentions. I had hoped POLA would insulate us from these pet-project mongers but it was just words.

Chronos

Re: Devuan +1

One last server to migrate, due to it having some pretty odd processes¹ running on it for which I threw together unit files and haven't got around to writing rc scripts. It doesn't help that the server in question is armhf rather than x86-64.

Everything else is Devuan and has been since my main workstation crapped itself and I found that systemd's logging leaves very much to be desired when Things Go Bad.

¹ A background process that listens for XM ipcamera motion alarms and translates these into MQTT topics, then several subscribed processes that record directly from the relevant RTSP stream when they're triggered, bypassing all the insecure crap these modules have built in. I have to dissect what the hell I did to get this house of cards to stay up and ensure sysv init can keep it rollin'...

Home Office seeks Brexit tech boss – but doesn't splash the cash

Chronos
Coat

Re: They had hiyigh hopes......

Woad is blue, isn't it? Just bring back the woad fund licence...

Foreshadow and Intel SGX software attestation: 'The whole trust model collapses'

Chronos
Unhappy

Re: SGX = ?

I keep getting it confused with SGI and click on the articles in the vain hope that we're getting some new funky-coloured workstations...

Chronos
Thumb Up

Finally

One of their attempts to make your machine disobey you bites them on the arse. About time too. Now maybe we can put to bed this stupid idea of trusted executables, signed bootloaders and so forth and get back to general purpose computing.

TSB takes on 250 complaint-wranglers to absorb £200m outage fallout

Chronos

They're going to need more...

...if this is the same Trustee Savings Bank Bank who told a mate of mine they "can't just cancel a direct debit" despite the words "cancel [...] at any time" appearing verbatim in the DD guarantee. I'm pretty sure "any time" includes the moment he asked and advised him to telephone them again and say exactly that.

I believe we need a new collective term for bankers. "Wunch" would be my suggestion.

Prank 'Give me a raise!' email nearly lands sysadmin with dismissal

Chronos

Did the CEO get a fit because his email was spoofed or because someone dared to ask for a raise? My CEO would fall for the latter category.

Or perhaps because his name was taken in vain instead of being treated like that of a deity despite being a fat, balding, Lexus-driving golfist with all the charm, wit and character of putrefying road-kill.

Pure conjecture, of course.

Google Spectre whizz kicked out of Caesars, blocked from DEF CON over hack 'attack' tweet

Chronos
Facepalm

Top Gear top tips

1) Yes, you can have a laugh if you're a security wonk and

2) Don't go to America.

And, on that bombshell...

Brain brainiacs figure out what turns folks into El Reg journos, readers

Chronos

Re: I need my pessimism

The LART stick, the Etherkiller and the blackmail fileshare are not to be mentioned to HR. Or at all, in fact, just like Fight Club.