* Posts by Paul Crawford

5665 publicly visible posts • joined 15 Mar 2007

Many UK ecommerce sites allow ‘password’ for logins – report

Paul Crawford Silver badge

Re: not the right recommendation

"The thing that is important is entropy"

The things that are important are entropy and rate limiting on brute-force trials.

High entropy means more attempts on average to guess it; rate limiting stops them from doing it quickly. However, the most likely password cracking scenario is when they have already compromised a web site and can brute-force the database.

Ofcom asks: Do kids believe anything they read on the internet?

Paul Crawford Silver badge
Gimp

Or 50 Shades of Grey?

That would be bad, I mean there are much better examples of BDSM literature for the discerning reader...

Tech firms fight anti-encryption demands after Paris murders

Paul Crawford Silver badge

Re: Time to wake

"For the really clueless it will take personal friends or family dying at the hands of terrorists before they wake up and smell the coffee."

So what? In the week or so since the Paris attacks more folk have been killed and injured on the roads of Europe than in the attacks. Should we all give up our own privacy and security to stamp out cars the next bogeyman?

BlackBerry Priv: After two weeks on test, looks like this is a keeper

Paul Crawford Silver badge
Trollface

Re: What's so bad about Android?

Google

Apple's design 'drives up support costs, makes gadgets harder to use'

Paul Crawford Silver badge

Good points

Tell it like it is!

I often wondered why the GUI muppets at Gnome, Firefox, Google, MS, etc, all seem to go down the same route of removing functionality and discoverability. They need a course in GUI design which consists of taking the odd granny/granddad or two off the street and giving them a simple task to do on the device. If they can't work it out in under 2 minutes the designers get beaten with rubber hoses until the elderly folk succeed.

A couple of lessons and I am sure designs would be so much more usable...

'Shut down the parts of internet used by Islamic State masterminds'

Paul Crawford Silver badge

Re: greed is one of the deadly sins

Gluttony is in there as well, if pies are going for free.

Lust as well, if its warm apple pie

Paul Crawford Silver badge

Re: Well that's a good solution

The "snooper's charter" is going far more than that, demanding all of your (and everyone's) internet access to be stored for a year and searchable, and also has various weasel-worded sections about who can access said data. That is blanket surveillance.

What was proposed above was targeted - yes, you have some ability to scan all traffic, but it is used to pull out certain web sites that are known to be ISIS or similar, and then just look at that. A massive decrease in data gathering. Then you start to look for patterns, not just the odd link-following by someone who didn't know what the site was, but repeated visits and/or visits to sites related to that ideology.

Again, a big decrease in who you are looking at, and then you are down to the levels where you can start to analyse what they are up to and see if they merit some human surveillance and intelligence-gathering.

Behold, the fantasy of infinite cloud compute elasticity

Paul Crawford Silver badge

Re: Spot pricing

That was my thoughts on the article, it will come down to a bidding "war" where you offer money for services and you don't get a cast iron guarantee of delivery, just a position in the scheduler based on who else is bidding for it and how much they are willing to pay.

What, you really need it to work? Maybe just buy your own server then...

Microsoft chief Satya drops an S bomb in Windows 10, cloud talk

Paul Crawford Silver badge

"why not try for devotion?"

Usually devotion needs some sort of special dream, fantasy, or belief that out-weighs common sense. Given that MS is the dancing-dad of technology, and that few end users or sysadmins ever get up in the morning looking forward to engaging with MS' software, it's going to be a long and tough sell...

Paul Crawford Silver badge
Trollface

Re: "Nadella spoke about trust as both at the core and central to Microsoft's mission"

Maybe he should have spoken about how all of your data is encrypted by your own password before it hits MS' servers, and they don't have any access to it as a result.

Oh wait, that was a pipe dream resulting from me drinking too much port in a storm.

Terrorists seek to commit deadly 'cyber attacks' in UK, says Chancellor Osborne

Paul Crawford Silver badge

You credit the clueless fuckwits honourable members of parliament with too much technical thinking there.

Yes, GCHQ is hiring 1,900 staffers. It's not a snap decision

Paul Crawford Silver badge

Re: Genuine Question

I also doubt encryption is the biggest problem. Knowing what to do with a mountain of straw to find those couple of darn needles is a big challenge and more hay-gathering (AKA snooping) is not the answer, but having folk able to analyse it (and maybe act on it) probably is.

No, the EU is not going to make hyperlinks illegal

Paul Crawford Silver badge

Yes, Google provides links to copyright material and they also got hauled over the coals!

What, they didn't? Anything to do with having $B to pay lawyers by any chance?

Microsoft creates its own movie moment with fancy privacy manifesto

Paul Crawford Silver badge

Re: Huh?

It's a good point: Google is a master at whoring you from advertiser to advertiser.

MS used to offer a paid-for OS that respected your privacy, but from XP's "product activation" through Vista's intrusive and bloated DRM aspects, and then finally to Win10's forced updates, weasel-worded upgrade pushes and default-on telemetry, you have to ask: "Why pay for this shit?"

Drug-smuggling granny's vagina holds Kinder surprise

Paul Crawford Silver badge

"Last heard of working in a sex dungeon in Blackpool"

You or the lady?

The Edward Snowden guide to practical privacy

Paul Crawford Silver badge

Facebook

"the man had deleted all of his Facebook data. A huge pain and shame"

Indeed, the shame being he should have deleted it himself!

Even if keeping on FB then please delete and create a new profile with a new disposable email every year or so. It limits what FB can easily gather on you and evidence of past indiscretions, and a perfect excuse to dump those "friends" who are sufficiently important not to appear to single out for un-friending, but that you really did not want watching your every post.

Edited to add: And don't give FB your email log-in password or mobile number, mkay?

IT contractors raise alarm over HMRC mulling 'one-month' nudge onto payrolls

Paul Crawford Silver badge

Just add in the planned Snooper's Charter and there is an even bigger reason to quit the UK and go elsewhere for work :(

An article on possible destinations and how they are for freelance work would be very welcome!

Got a time machine? Good, you can brute-force 2FA

Paul Crawford Silver badge

You can use GPS along with other time sources, both network or radio.

For example, the Meinberg LANTIME M900 can use combinations of GPS/GLONASS as well as LW from your nearest source (probably DCF77 in central Europe, MSF in UK, etc)

Paul Crawford Silver badge

Really if you depend on time being accurate for security then your organisation should have a couple of NTP servers (for redundancy) that are fully patched and set up to use ntpd on multiple external sources (at least 5 and even their own GPS) so they can detect "false tickers" and reject them. Then all of your internal machines should only talk to those trust-worthy time servers.

The only times I have seen ntpdate depended upon for time is (a) on boot or network change to get time roughly right, and (b) in VMs that suck so badly for time-keeping using the "internal clock" that ntpd gives up on its clock regulation approach.
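An added illustration of the "false ticker" rejection the post refers to (example code written here, not from the post or from ntpd itself): a simplified version of the interval-intersection step ntpd's selection uses, plus its majority rule, run over a constructed set of five sources where one is badly wrong.

```python
# Added example: simplified "false ticker" detection in the style of ntpd's
# selection (Marzullo-type interval intersection). Each source reports an
# offset and an error bound; sources whose interval does not overlap the
# largest mutually agreeing group are rejected. Sample data is constructed.

def select_truechimers(sources):
    """sources: {name: (offset_seconds, error_bound_seconds)}.

    Returns (truechimers, falsetickers, (lo, hi)) where (lo, hi) is the
    span shared by the largest group of overlapping intervals.
    """
    edges = []
    for name, (offset, err) in sources.items():
        edges.append((offset - err, -1, name))   # interval start
        edges.append((offset + err, +1, name))   # interval end
    edges.sort()  # on equal x a start (-1) sorts before an end (+1)

    best, best_lo, best_hi, count = 0, None, None, 0
    for i, (x, kind, _) in enumerate(edges):
        count -= kind                 # start => count+1, end => count-1
        if count > best:              # a new largest overlapping group
            best = count
            best_lo, best_hi = x, edges[i + 1][0]

    truechimers = {n for n, (o, e) in sources.items()
                   if o - e <= best_lo and o + e >= best_hi}
    falsetickers = set(sources) - truechimers
    return truechimers, falsetickers, (best_lo, best_hi)


def can_sync(sources):
    """Majority rule: only steer the clock if the agreeing group outnumbers
    the rejected sources. With two sources that disagree, nothing wins."""
    good, bad, _ = select_truechimers(sources)
    return len(good) > len(bad)


# Constructed sample: four sources within a few ms of each other and one
# "rogue" source about 45 s off, as a false ticker would look.
SAMPLE = {
    "gps":   (0.0020, 0.005),
    "pool1": (-0.0010, 0.004),
    "pool2": (0.0015, 0.003),
    "pool3": (0.0005, 0.006),
    "rogue": (45.0, 0.010),
}

if __name__ == "__main__":
    good, bad, span = select_truechimers(SAMPLE)
    print("accepted:", sorted(good), "rejected:", sorted(bad), "span:", span)
    print("safe to sync:", can_sync(SAMPLE))
```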

Shadow state? Scotland's IT independence creeps forth

Paul Crawford Silver badge

Re: Jeez

Exactly, time for El Reg readers in Scotland to write to their MPs and make clear the problems and risks from all of this. Not just for Scotland but also when it comes for voting on the snooper's charter zombie that has re-emerged from the Home Office.

Paul Crawford Silver badge

Re: bit expensive for the bleedin' cameras

£3,571 *per f@%kin' camera* !!!

Is about right, given that a lot are analogue so you are talking networking, HDD recorders, etc, and labour to visit each camera point and do the work, possibly with a cherry-picker.

To achieve exactly what?

Aye, there is the rub. Just how helpful are these cameras? Have we got evidence that they will save more than £10m in reduced crime?

Microsoft capitulates, announces German data centres

Paul Crawford Silver badge

Re: How is this helping with the broken safe harbour?

True, but it's a good start.

Tor Project: US government paid university $1m bounty to hack our networks

Paul Crawford Silver badge

You mean like arming the Taliban as an anti-Russian move?

UK citizens will have to pay government to spy on them

Paul Crawford Silver badge

Re: 15TB?

The gov is not asking for *ALL* data to be stored, only some woolly-defined meta-data like the URL of each site accessed. I'm guessing his figure is based on the proportion of data seen in such a link.

Of course, if most folk run browser plug-ins to randomly poke sites every few seconds that could go up massively...

Brussels paws Android map apps to see if they displace Euro rivals – report

Paul Crawford Silver badge

Let's face it, the main advantage of Google maps is it is "free" (in return for bending you over and lubing you for privacy violations).

It works well if you have a good data link, but outside of 3G+ areas, or in cities when your chosen supplier is shit at times (looking at you Tesco mobile), the result is crap. I use it occasionally and sure it is nice to have, but if I had to depend on something for daily use it would not be Google's offering.

Most developers have never seen a successful project

Paul Crawford Silver badge

Re: Continuous Development

Hear, hear!

In my simplistic view, you have two major factors:

1) having a clear, fixed and agreed idea of exactly what is needed.

2) having the resources (i.e. people, tools) to deliver #1

Most failures I have seen come down to at least one of these aspects. I have pulled out of work requests that I could see was a train wreck coming because foolish decisions had been made already due to not understanding #1, and then they were needing me for #2 when it was already an impossible task.

Feeble Phobos flaking as it falls to Mars

Paul Crawford Silver badge
Gimp

I often do! But usually at night. With a tube of lube to hand.

Freebooting: How Facebook's 8 billion views could be a mirage

Paul Crawford Silver badge

Re: What's the point?

"Is there a technical term for empty headed delusional twats?"

Yes, a politician

GCHQ director blasts free market, says UK must be 'sovereign cryptographic nation'

Paul Crawford Silver badge

Re: I may be wrong

You forget that GCHQ, like most agencies, is not a simple creature with a single goal.

What they should be doing is protecting the UK: that means defence, business and private lives, as they are all inter-related.

On one hand that means stopping The Bad Guys(tm) from having access, and that means encouraging properly used encryption to make sure that information goes where it should and not in to the wrong hands. On the other hand it means having to break encryption to spy or assist the police for what should be the same goal, and there is an obvious conflict of interests there.

Most will realise that both goals are justified, but given the evidence of past lying and political machinations bending of the rules, there is a serious mistrust of either goal. This is made so much worse by the clueless fuckwits calibre of politician we seem to get in charge of the situation.

So. Farewell then Betamax. We always liked you better than VHS anyway

Paul Crawford Silver badge

Re: Can we finally settle this?

Technically - yes

Financially - no

Basically VHS had multiple suppliers and soon was the only one that rental stores (remember them?) bothered keeping much range in. The rest is obvious history... sadly for Sony, they didn't learn and tried with Minidisk and memory sticks that no other used; both were business failures really.

How Twitter can see the financial future – and change it

Paul Crawford Silver badge

Lemmings

It also illustrates just how fake and insubstantial the whole financial market is. Boy cries "wolf" and shops close, people panic, sheep raped, etc, etc, before anyone bothers to check facts at all.

Untamed pledge() aims to improve OpenBSD security

Paul Crawford Silver badge

Also one hopes that developers will start to check carefully what they are doing and why, rather than just asking for the Moon on a stick as Android devs seem to do.

Paul Crawford Silver badge

Re: Only goes down, not up ;)

That was my thought: like SELinux or AppArmor, but internal to the program.

I can see how this helps mitigate bugs inside the software and hence possible future exploits, but I can't help thinking that having an external rule set (like SELinux, etc) is a good idea in case someone tries to replace/modify-in-place a program/daemon with a Trojan version. The external rules also help you know what a program is allowed to do without delving inside it.

GSMA offers a share and share alike approach to the C-Band

Paul Crawford Silver badge

Mobile is the problem

How do you stop mobile phones from operating anywhere within, say, 15km of a satellite ground terminal?

Sharing sat comms band with fixed point-point links is feasible because you know where they are and they don't go for a wander.

How are you going to control mobiles? Have them drop C-band based on a GPS map of potential hazards? Who pays up if some phones and/or software updates start to cause problems? How do you force out updates to all such phones if/when the licensing for sat comms changes, or is this just a land-grab to force others to pay to change equipment in order that GSMA members can profit?

Symantec numbers are out. Execs might wish they weren't

Paul Crawford Silver badge

Instead of focusing on "rebuild executive talent" why not try "fixing shitty software" instead?

Exam board in 'send all' fail: Hands up who knows what the BCC button is for?

Paul Crawford Silver badge

Re: Happens all the time - but could mail systems help

I have not personally tried it, but you could consider this:

https://addons.mozilla.org/En-us/thunderbird/addon/use-bcc-instead/

Paul Crawford Silver badge
Facepalm

Idiots

Also did no one explain that you can't "recall" an email. At most you can ask your own exchange server to remove it, but that counts for SFA once it's left your internal system.

OmniRAT malware scurrying into Android, PC, Mac, Linux systems

Paul Crawford Silver badge

Re: Where's the Linux angle ?

Exactly, not even the ubiquitous Windows angle either. From the description in the article it's a Trojan that needs a dumb-ish user to install it and then they are p0wnd, not exactly a high bar for malware?

Top FBI lawyer: You win, we've given up on encryption backdoors

Paul Crawford Silver badge

Re: Condescending git

In most countries we live with typically a 10 to 100 times greater risk of being killed on the roads than by a murder. Even in that case it's something like 90% are not unknown psychos doing the deed, but "friends", partners, business associates, etc.

Add to that in the USA something like 90k gun deaths per year (OK, only about 30% of those are crimes, as opposed to stupidity in gun handling, or suicide) versus a few k in the twin towers terrorist event and just how big is this risk? Yes, I know people are dumb and can't evaluate risks, etc, but it hardly seems that bad guys having encrypted phones is your biggest risk.

MacBooks are so hot right now. And so is Mac OS X malware

Paul Crawford Silver badge
Joke

Didn't you read the instructions?

tar -xf shaftmybackside.tgz

cd shaftmybackside

./configure

make

sudo make install

Paul Crawford Silver badge

Re: Warning : Sample NOT representative

Windows people tend to have far fewer of those than OS-X or Linux users these days

Really? Any figures/citations to back that up?

Even if they are getting more patches, they seem to spend a hell of a lot less time applying them and having to reboot.

Paul Crawford Silver badge

And yet Windows users are still being screwed over so much more often by the black-hats, far more than the 10:1 or whatever ratio of users run Windows vs MacOS/Linux. Funny that?

DDoS, botnet, and fiber cut fail to stop Twitchers crowd-installing Linux

Paul Crawford Silver badge
Unhappy

Unfortunately the majority in real life are as well

Stuxnet-style code signing of malware becomes darknet cottage industry

Paul Crawford Silver badge

@AC

It is not just the problem of how Alice and Bob know they are not talking through Eve, but the fact that any one of hundreds of buggers can issue a certificate to Eve matching Alice and/or Bob. It only takes one of those to fail and the trust link is useless.

Just think of a RAID-0 stripe with 600 flaky disks...

Paul Crawford Silver badge
Unhappy

Just goes to show how fundamentally broken the certificate system of trust is though.

Red Hat Enterprise Linux lands on Microsoft Azure cloud – no, we're not pulling your leg

Paul Crawford Silver badge
Joke

Last option?

I thought the last option on the list was to continue pushing systemd on to an already suffering world so Linux users get the same sort of "WTF is this up to?" joy as svchost provides Windows users with?

Alumina in glass could stop smartphones cracking up

Paul Crawford Silver badge

Re: Ultimate test

Most of the broken phones I know of were folk who didn't put them in a cover. Perhaps image is more important than risking looking like an old fart, but this old fart has not broken a phone glass in the last 15 years in spite of several drops due to having them in a gimp mask leather-effect cover.

Oh yes, and the recent trend of having the glass right to the edge is not helping either, as there is less of the phone body to absorb a corner impact.

Spanish town trumpets 'Clitoris Festival' thanks to Google snafu

Paul Crawford Silver badge

Re: Ah, Google Translate

Their AI-based attempts are a taste of things to come

Food, water, batteries, medical supplies, ammo … and Windows 7 PCs

Paul Crawford Silver badge

Go for VM use. Unless you have specific hardware needs, or are dedicated to gaming on a bare-metal installation of Windows, running in a VM has so many advantages: Never-changing hardware, ease of creating a copy/snapshot if you want to monkey with it, can be moved across hardware and host OS, and often malware won't run under virtualisation to protect its secrets so another bonus!

Windows 10 is an antique (and you might be too) says Google man

Paul Crawford Silver badge

Re: @Davie Dee

"with proper convergence in to NT in w7 we almost got there"

What are you talking about? The 16-bit DOS era kernels ended (badly) with Windows ME. With the release of XP MS dropped 16-bit kernels and moved the "consumer" market to the 32-bit path started with NT.

XP was the direct successor to W2000 in terms of code/release, and that was the direct successor to NT4. You might argue about the goals of NT being better reached by Win7, but that has absolutely nothing to do with code convergence.

"Stable, AD, direct x, good driver support, backwards compatibility, etc etc"

In my case the only difference I saw was USB support. I had fewer stability issues under w2k, never used AD anyway, and never had driver problems or PnP issues on any of the machines I installed w2k upon. Maybe XP was more stable for some users/program combinations, but for me the only advantage was USB (plus longer support for patches, of course).