* Posts by Michael Wojcik

12132 publicly visible posts • joined 21 Dec 2007

We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe

Michael Wojcik Silver badge

not without using a browser exploit first anyway

Well, problem solved! Or not. (Of course, with many users running browsers with elevated privileges in the first place, once that browser exploit is available there's no need to elevate.)

In any case, this "the attacker has to be able to run unprivileged code first" mitigation is not nearly as useful as some people seem to think. It provides no defense against insider attacks. It provides none against social engineering. Against malware in the software supply chain. And so on.

Michael Wojcik Silver badge

Re: Over Confidence

Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of windows

Yes. Such as Microsoft's own static-analysis scanner, which is a near-state-of-the-art hybrid of simulated execution and symbolic analysis. (There was a good paper on it from Microsoft Research in CACM a few years back.) Data tainting and data flow analysis find this sort of thing easily in cases like this, where, as Ormandy wrote, there's simply no validation.

They have the technology. They have the resources. They just don't have the will.

US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files

Michael Wojcik Silver badge

Alas, it was originally 14 and is now 32, somewhat spoiling the joke.

It's still a great example of the Big Lie, though. Someone at First American has balls.

Michael Wojcik Silver badge

Re: 885 million

That's bureaucracy for you, I suppose.

Personally, I confess I stop reading after the first few thousand, and just sign the rest on faith.

Header aches in Firefox, Tor, Brave and Chrome as HTTP opens new security holes

Michael Wojcik Silver badge

For the love of...

So, RFC 7838 explains (implicitly) how this is different from a simple HTTP redirect. It's transparent to the client. It's transparent to TLS - the alternative service has to provide a certificate that's valid for the original origin server. It's transparent to the request - the Host header doesn't change, for example.

What it doesn't say is why. Why is any of that desirable? The ostensible aims of Alternative Services, as explicitly detailed in the RFC, are all satisfied by HTTP redirects. (For that matter, some of them are satisfied by reverse proxies for many use cases, or by periodically terminating persistent connections and forcing clients to reconnect, the overhead of which amortized over many requests is negligible.)

I haven't tried to trawl through the discussion archives for the I-D to figure out what justification the authors1 came up with for this. Anyone know offhand?

1Incidentally, and while I don't mind the Google-bashing above (which is well-deserved in general; QUIC and the like are a pox), the authors of 7838 are from Akamai, Mozilla, and greenbytes. (The last, of course, is Julian Reschke, author of a number of HTTP features.) So usual suspects, in other words, but not directly the usual suspects of Google.
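As an added illustration, not part of the comment above, here is a small Python parser for the Alt-Svc field value and the one check that RFC 7838 hangs the whole mechanism on: a client may only switch to the alternative if the certificate it presents is valid for the origin's host, not for the alternative's own host. The header values, hostnames and SAN lists used here are constructed; the defaults (port required in the alt-authority, "ma" defaulting to 86400 seconds, "clear" dropping cached alternatives) follow the RFC.

```python
import re
from typing import List, NamedTuple, Sequence


class AltService(NamedTuple):
    protocol: str   # ALPN identifier, e.g. "h2" or "h3"
    host: str       # alternative host (the origin's own host when omitted)
    port: int
    max_age: int    # seconds the advertisement may be cached ("ma" parameter)


# protocol-id="alt-authority"; param; param ...   (RFC 7838 section 3)
_ALT_RE = re.compile(r'\s*([^=\s]+)="([^"]*)"(.*)', re.S)


def parse_alt_svc(header: str, origin_host: str) -> List[AltService]:
    """Parse one Alt-Svc field value into the alternatives it advertises."""
    if header.strip().lower() == "clear":
        return []               # "clear" invalidates every cached alternative
    services: List[AltService] = []
    for field in header.split(","):
        m = _ALT_RE.match(field)
        if not m:
            continue            # malformed alternative: ignore it, do not guess
        protocol, authority, param_str = m.groups()
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue            # alt-authority requires an explicit ":port"
        max_age = 86400         # RFC 7838 default when "ma" is absent
        for param in param_str.split(";"):
            name, _, value = param.strip().partition("=")
            if name.lower() == "ma" and value.isdigit():
                max_age = int(value)
        services.append(AltService(protocol, host or origin_host, int(port), max_age))
    return services


def cert_covers_host(san_dns_names: Sequence[str], host: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard in the left-most label only."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def may_use_alternative(origin_host: str, alt: AltService,
                        presented_san_names: Sequence[str]) -> bool:
    """RFC 7838 section 2.1: the alternative is usable only if its certificate
    is valid for the ORIGIN host. Checking it against alt.host instead would
    let any server holding a certificate for its own name impersonate the origin."""
    return cert_covers_host(presented_san_names, origin_host)


if __name__ == "__main__":
    # Constructed header, as a server for www.example.com might send it.
    hdr = 'h3=":443"; ma=2592000, h2="alt.example.net:8443"; ma=3600'
    for alt in parse_alt_svc(hdr, "www.example.com"):
        ok = may_use_alternative("www.example.com", alt, ["*.example.com"])
        print(alt, "usable" if ok else "REJECTED")
```

The second alternative points at a different host entirely; it is only usable because the SAN list it presents (constructed here as a wildcard for example.com) covers the origin. Presenting a certificate for alt.example.net, valid as that is for the alternative itself, gets it rejected.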

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt

Michael Wojcik Silver badge

Re: An issue of Google's own making ...

In particular, it's trivial to inject Javascript malware into an HTTP connection. People who run NoScript and the like have some defense against that, but for most users it's a gimme. Everybody using unencrypted WiFi at a coffeeshop or the like is an easy target. Attackers can run cryptomining or try popular CSRF targets, etc.

Michael Wojcik Silver badge

Re: DV's only

EV certs are dead, since Chrome and Safari stopped displaying them, because users ignored them

Possibly overly optimistic. While browser manufacturers scorn EV certs, the CA/BF loves them. Their Code Signing Working Group mandated EV certs for code signing (as if that wouldn't be a fucking nightmare) in their draft spec, and - as some may remember - Microsoft briefly adopted that position, before backing down in the face of ISVs waving torches and pitchforks. It wouldn't surprise me if the CA/BF keeps pushing EV certificates for years to come, even with the browsers ignoring the distinction. And they'll try to wedge them into more non-TLS applications.

I agree that EV certificates are largely pointless - the additional cost doesn't buy much, considering that CAs have a record of not performing the additional verification properly (or at all, in some cases), and the HSM requirement for key management is not universally enforced and was poorly written in the first place. (FIPS 140-2 L2 security on the HSM isn't worth a damn, and prevents people from using inexpensive hardware with open-source drivers.) But CAs and the CA/BF will try to find ways to keep the EV cash cow alive for a while yet.

Michael Wojcik Silver badge

Re: IoT

Look, kid. In my day we had to use wood-burning computers, but we made do.

Michael Wojcik Silver badge

Re: Shakedown time

You'll miss out on new intermediates (and the rare new root) from CAs you trust. And you may re-import compromised intermediates (or roots) that have been removed by the browser manufacturer.

Properly maintaining a list of trust anchors is difficult.

Michael Wojcik Silver badge

Re: I still wait for Let's Authenticate...

In a sense, the only half is authentication - if you can't authenticate, the encryption is useless because you may simply be talking to a MITM or other ne'er-do-well.

For that matter, now that RSA is deprecated for key exchange by pretty much everyone, and the world is shifting to ECDH and other Kx protocols with forward secrecy, X.509 certificates often don't play any part in encryption regardless. In modern TLS (which is not the only, but by far the most common, use of X.509) certificates are primarily for authentication.

Michael Wojcik Silver badge

Re: equates to 31 December 9999

Feature. If we're still using ASN.1 in 9999 we don't deserve TLS.

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

Michael Wojcik Silver badge

Re: Ahhh passwords...

There are other problems with these "partial password" schemes. They're really not a good idea.

LibreOffice handlers defend suite's security after 'unfortunately partial' patch

Michael Wojcik Silver badge

Re: logo?

It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite doesn't do out of the box.

I'm not sure what "things [that] need to get done" in an office suite are best done with a moderately-obscure1 LISP variant with turtle graphics.

VBA may be (is) abysmal, but Logo is really not a good choice as an alternative. I don't see any good justification for including the package in LO.

1And, yes, I've used Logo. Had a copy of DR Logo for the IBM PC back in the day.

Fed-up graphic design outfit dangles cash to anyone who can free infosec of hoodie pics

Michael Wojcik Silver badge

Re: Funny thing

pretty much everyone in IT uses at least two monitors if they can these days

Bah. I outgrew the multiple-monitor configuration in the mid-1990s.

Michael Wojcik Silver badge

Re: Wish I would wear a hoodie at work

I quite like a tie myself. But I also work from home, and it's really not worth the effort if no one's there to see it.

Michael Wojcik Silver badge

Re: Some research is indicated

I think the first published version of the JF / HD, for some interpretation of "published", was the first edition of The New Hacker's Dictionary. ESR's preface to the second edition says the first was published in 1983. The second edition is copyright 1993.

So around 36 years ago. The Jargon File itself of course is older, but I don't know offhand when it started circulating informally.

Meet ELIoT – the EU project that wants to commercialize Internet-over-lightbulb

Michael Wojcik Silver badge

Re: Dumb reg readers

A bit of research suggests LiFi developers are also using, or working on, at least WDM and OFDM as well.

And pretty much by definition LiFi uses spatial multiplexing, since it's confined to line-of-sight. Every room is its own segment.

But that's the thing with multiplexing: you start with dividing in one domain, and pretty soon you're dividing in half a dozen. It's just too much fun.

Michael Wojcik Silver badge

Re: So what happens when 2 people in the same room want to use the internet?

This interface was common on 90s laptops

And very popular on the Palm Pilot, which for a short time was nearly ubiquitous among gadget fans in the US. I recall family get-togethers where groups of cousins would be cheerfully beaming contact details at one another.

I still have a Palm Pilot Titanium lying around somewhere (I may see if I can get it working for a little retrocomputing fun one of these days), and I believe I still have at least one working laptop with an IrDA interface.

New UK Home Sec invokes infosec nerd rage by calling for an end to end-to-end encryption

Michael Wojcik Silver badge

Re: Priti Patels Brain

There's a nice bit in Ruthann Robson's Cecile where the narrator - a lesbian raising a son with her eponymous partner, back when that was rather less common in the US - somewhat acidly points out that being a woman doesn't automatically make someone her ally. It's a lesson that some people seem to have trouble grasping.

I dare say any reasonably-experienced adult (and most children) will have encountered fools and villains from their own demographics, however partitioned. No group is free of them. The struggle for equality is not assisted by pretending otherwise. Indeed, as you suggested, it's rather the opposite. Women and people of color have just as much a right to be idiots, and to be called out for their idiocy, as white men do.

Omni(box)shambles? Google takes aim at worldwide web yet again

Michael Wojcik Silver badge

Re: I reckon the proper term is 'institutional stupidity'

You wouldn't really want in searching a, potentially, slow DNS to see if there is a result before running your search queries.

Yes, I would. But even more than that I'd want a proper UI with proper functional separation, which is one reason why I don't use Chrome.

Software written for lazy fools is rarely worth using, in my experience. Chrome is not an exception.

Michael Wojcik Silver badge

Re: I reckon the proper term is 'institutional stupidity'

With the exception of Windows I don't think any other OS (worth mentioning) mandates the use of the file extension to indicate file type

Apparently the default filesystem for VxWorks does, and VxWorks is very widely used.

Just because it's not used on general-purpose end-user and server machines doesn't mean it's not important.

Michael Wojcik Silver badge

Re: I reckon the proper term is 'institutional stupidity'

How is the UNIX magic-number scheme less portable than the filename-extension scheme?

Frankly, I find the portability argument of dubious value anyway, but in this case I don't even think it's well-founded.

Michael Wojcik Silver badge

Re: I reckon the proper term is 'institutional stupidity'

No, it uses #! to tell it where to find the shell that's going to interpret this text file.

While this is true, the #! is still the magic number. It identifies the file to the exec(2) family as an "interpreter file", and the code for handling interpreter files then parses the remainder of the initial line of the file.

The UNIX magic number system is a hack. It's a hack that has in practice worked quite well - better, in my opinion, than the filename-extension hack (which was also used by CP/M and MS-DOS, of course, and if memory serves VMS, though with a tighter format).

Some other OSes took other routes. IBM's venerable CMS (created at the Cambridge Scientific Center) put file-type information in a separate piece of metadata alongside the filename, rather than making it part of the filename proper. OS/360 and its successors up through z/OS put some file metadata in the catalog and some elsewhere, such as in the member directory entries in a PDS. No doubt there were other schemes.
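To make the "#! is still the magic number" point concrete, here is an added Python example (mine, not from the comment above): a content sniffer that identifies a file by its leading bytes the way the exec(2) family and file(1) do, pulls the interpreter path out of an interpreter file's first line, and flags the case that matters in practice, where the extension claims one type and the content is another. The signature and extension tables are illustrative rather than exhaustive, and the sample bytes are constructed.

```python
import os
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures (documented format magic numbers). Illustrative table.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\x7fELF", "ELF executable"),
    (b"#!", "interpreter script"),
    (b"MZ", "PE/DOS executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (zip, docx, odt, jar, apk)"),
    (b"\x1f\x8b", "gzip data"),
]

# What a filename extension claims the content is. Illustrative table.
EXTENSION_CLAIMS: Dict[str, str] = {
    ".png": "PNG image",
    ".gif": "GIF image",
    ".pdf": "PDF document",
    ".zip": "ZIP container (zip, docx, odt, jar, apk)",
    ".docx": "ZIP container (zip, docx, odt, jar, apk)",
    ".jar": "ZIP container (zip, docx, odt, jar, apk)",
    ".gz": "gzip data",
    ".exe": "PE/DOS executable",
    ".sh": "interpreter script",
    ".py": "interpreter script",
}


def sniff(data: bytes) -> Optional[str]:
    """Identify content by its magic number; None if no signature matches."""
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    return None


def interpreter_of(data: bytes) -> Optional[str]:
    """For a '#!' file, return the interpreter path that the kernel's
    interpreter-file handling parses from the remainder of the first line
    (first whitespace-separated token after the magic)."""
    if not data.startswith(b"#!"):
        return None
    first_line = data.split(b"\n", 1)[0][2:].strip()
    if not first_line:
        return None
    return first_line.split()[0].decode("ascii", "replace")


def classify(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say.
    'mismatch' is only asserted when both sides are known, so an unknown
    format is reported separately rather than silently trusted."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_CLAIMS.get(ext)
    actual = sniff(data)
    return {
        "extension_says": claimed,
        "content_says": actual,
        "interpreter": interpreter_of(data),
        "unknown_content": actual is None,
        "mismatch": claimed is not None and actual is not None and claimed != actual,
    }


if __name__ == "__main__":
    # Constructed samples: a real PDF header, a PE stub dressed up as a PDF,
    # and a shell script whose extension says "image".
    samples = [
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("cat.png", b"#!/bin/sh -e\nrm -rf ~/\n"),
    ]
    for name, blob in samples:
        print(name, classify(name, blob))
```

The third sample is the interesting one: nothing about the ".png" extension stops exec(2) from treating the file as a /bin/sh script, which is exactly why content inspection, not the name, should decide what a file is.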

Official: Microsoft will take an axe to Skype for Business Online. Teams is your new normal

Michael Wojcik Silver badge

Re: "Fall Creators Update"

Hell, it's a single call in the Standard C Library (ISO 9899-1999 7.23.3.5). You can do it portably in any program that supports calling the C library.

It's a single method invocation in standard Javascript, too (ECMA 262 5.1 15.9.5.6).

There's no excuse for Teams not formatting dates according to the current locale. It's either complete incompetence or utter arrogance.

Michael Wojcik Silver badge

Re: Out of the frying pan into the fire

The browser version of Teams doesn't do conference calls, and in a properly-secured browser it won't render some types of content.

Of course these can be seen as features, but it does mean that Teams victims may occasionally have to run the standalone client.

Lync / SfB was pretty dreadful, but Teams - with its myriad awkwardnesses, its abysmal performance, its agonizingly horrible aesthetics - is worse, I think. We've been using it for months and I have yet to find a single thing I like about it.

The teams I'm in moved from RocketChat (which wasn't great, but was usable) to Teams, and chat traffic dropped precipitously and shows no signs of recovering, so it doesn't appear I'm alone in that evaluation. In fact, if you ignore traffic from bots (CI results and the like), I'd guess it's dropped by at least an order of magnitude.

Cambridge Analytica didn't perform work for Leave.EU? Uh, not so fast, says whistleblower

Michael Wojcik Silver badge

Re: No One Cares

People who use the term 'Whataboutery' automatically lose.

Oh yeah? What about people who use the term "tu quoque"?

Watch as 10 cops with guns and military camo storm suspected Capital One hacker's house…

Michael Wojcik Silver badge

Re: A little sensationalism?

In this case, the homeowner does live there, and it's not beyond the realm of possibility that the police knew that.

I'm strongly opposed to police militarization and the excessive use of force by the police. This case looks like Yet Another excessive use of force to me, even given the "but wait" details in the latter half of the article. But I also think it's both foolish and counterproductive to split hairs about what the police might or might not have known in this case. It was excessive - full stop.

Michael Wojcik Silver badge

Re: You're wrong.

Yeah, but look how quickly Equifax was driven out of ... oh, wait.

Michael Wojcik Silver badge

Re: Darwin Award Contender

What if someone else had a copy of her CV and faked that?

In this case, there's quite a lot of evidence incriminating her, from different sources. (Other details have been reported elsewhere. Finding those reports has been left as an exercise for the reader.) It's conceivable it's all fake, but at this point that doesn't seem terribly likely.

Scientist, war hero and gay icon Alan Turing is new face of the £50 note

Michael Wojcik Silver badge

Re: "The theory" is a bit too strong

However well it was said, it's a meaningless claim. Without some coherent theory of mind to support it, it's pure obscurantism. The GP's argument is "only a living thing can feel, and feeling is a prerequisite for thinking". GP fails to support either premise, or define "living". His or her argument is vapid bullshit.

It's Prime Minister Boris Johnson: Tech industry speaks its brains on Brexit-monger's victory

Michael Wojcik Silver badge

Re: Disaster

Huh. This one got two thumbs down. I thought it was relatively uncontroversial, as my posts go. Interesting.

Michael Wojcik Silver badge

Re: Disaster

Two brothers?

We've had two President Bushes. The first had two brothers (Jonathan and William, aka "Bucky"), making - let me know if I'm going too fast here - three in total. Bush the Elder was not what you'd call a good president, but he wasn't an "idiot".

One of his sons became the second President Bush. He's no intellectual, but compared to Twitler, he has a certain cunning and low wit; I don't think "idiot" is justified, if only because we want to save that for the present sometimes occupant of the Oval Office.

Bush the Younger has three brothers: Jeb, former governor of Florida; Neil, famous for his role in the US S&L scandal; and Marvin, who apparently has managed to behave like a responsible human being and thus mostly escape media attention.

It's been said [citation needed] that the Bush family plan was to get Jeb, the "smart one", into the White House, but Jeb lost his first run for Florida in '94. That put him in the mansion for 1998-2006, meaning he wasn't available to run for President in 2000. Meanwhile George the Lesser had made it to Governor of Texas in '94, so he was on schedule for the big leagues in 2000.

But you're right that George's presidency was something of an obstacle to Jeb's candidacy for that position. Didn't stop Jeb from running against the Incoherent Cheeto and the rest of the shitstorm that was the 2016 Republican field, but the anti-incumbency, anti-dynasty political winds were against him.

Somebody is working on a $600m data center in Lincoln, Nebraska, could rhyme with schmoogle

Michael Wojcik Silver badge

When your business is hoarding information, you tend to hoard information.

Michael Wojcik Silver badge

Re: The USDA is forcing 500 of its people to move there

no one wants to live in Lincoln, Ne

There are worse places. Wayne, Nebraska, for example.

Actually, while I don't want to live in Nebraska again, I think I'd take Lincoln over, oh, most of California. Or most of the Southeast. Or D.C. And Omaha is in many ways better than Lincoln (more diversity, more services, more cultural resources) and it's only an hour away, which in many parts of the country would constitute a short commute.

Michael Wojcik Silver badge

Re: It might be hard finding employees in Lincoln

the cost of living is really low

It's certainly low relative to the coasts, but it's no better, and in some cases worse, than much of the middle. Our CoL was somewhat higher in Lincoln than it is in the Lansing area. For one thing, you can get by without air conditioning in Lansing, but Lincoln is miserable in the summer. And in the winter. (Spring and fall aren't great either, unless you really like wind.)

I have no idea if the university has a good computer science or computer engineering program though

Ranked 75th by US News, FWIW. Tied with Colorado State, U New Mexico, Tennessee Knoxville, Tufts, Washington State, etc. Basically above the median, but not remarkable. (The USN report covers 188 schools, but there are a lot of ties due to the rubric they use. Also pretty much everyone takes issue with their methodology, but this is a highly subjective question anyway.)

But do data centers have a lot of staff anyway? And Omaha is only an hour away, not to mention the teeming metropoles of Nebraska City, Beatrice, and the like. The data center's going to be on US 77, so easily accessible to commuters. Though a traffic jam in Lincoln, at least when I lived there, was generally "eh, I didn't make it through the traffic light on that cycle".

One thing Lincoln does have going for it is decent food, if you avoid the big restaurants. It's a mission resettlement city, so there are lots of immigrants running hole-in-the-wall joints with authentic recipes. I have fond memories of a Salvadoran place, and a Ukrainian sandwich shop, and some great Chinese places. Even some of the fast food chains are distinctly regional (ah, Runza).

IT outages in the financial sector: Legacy banks playing tech catch-up risk more outages, UK MPs told

Michael Wojcik Silver badge

The stupid is strong with this one

Members of the public would probably be alarmed to learn that some of their financial institutions are running on systems that are possibly 50 years old

Perhaps they'd be even more alarmed to learn that some of the buildings that house their financial institutions are even older!

Honestly, what an astoundingly stupid thing to say.

Certainly there are problems with legacy IT systems, at financial institutions and elsewhere. Often organizations have exercised poor software hygiene and housekeeping over the decades, and have only a vague understanding of what binaries they're running, what sources correspond to those binaries, how those sources implement business rules, and so forth. But that's a solvable problem. There are software packages to assist in source and binary analysis and inventory, and firms that offer consulting services to help clean up the mess; and an organization that wants to make the effort can do it in-house, too.

The use of COBOL, PL/I, assembler, and other out-of-favor languages isn't the problem. Neither is the use of z and other mainframe architectures and their OSes. The problem is financial institutions unwilling to invest in areas that need investment, and grasping at the new shiny in the hope of avoiding paying the price. And ignorant ninnies like some of the people quoted in the article are contributing to that problem.

Michael Wojcik Silver badge

Indeed. Claims like this one:

He noted not many programmers are left who can use COBOL.

are both wildly erroneous and completely irrelevant. Any competent programmer can learn to maintain COBOL source, and - as anyone who's dealt with real-world applications knows - so can a great many incompetent ones.

The only labor issue with COBOL source code is employers' reluctance to hire the people who already know the language (generally because they're older and want a decent wage), or to pay callow youths enough to learn it.

If at first you don't succeed, Fold? Nope. Samsung redesigns bendy screen for fresh launch in September

Michael Wojcik Silver badge

Re: Another solution...

Even millennials will grow up eventually.

When Strauss and Howe coined the demonym "millennial", they defined the cohort's birth years as starting around 1982. There are plenty of millennials who have grown up, and there are millennials with age-related presbyopia.

Phuck off, phishers! JPMorgan Chase crafts AI to sniff out malware menacing staff networks

Michael Wojcik Silver badge

Re: Arms race

So what? It's always an arms race. Everyone (competent) working in IT security knows that.

Also, URL pattern matching in the JPM system is primarily done using the heuristics described in the paper, not with ML. It's only one of several components of the system. (You did read the paper, right?)

For non-targeted campaigns, it will probably be a long while before most malware campaigns attempt to evade those sorts of heuristics, because sophisticated CKC systems like the one described in the paper are not yet widely used. Non-targeted campaigns are broad and aim for success against a lot of poorly-defended targets. The rate of return for upgrading them to attack well-defended ones is poor.

The JPM system and similar are of the "don't run faster than the bear; run faster than the other guy" variety. You increase the work factor for attacking your system so it's above the median, and so become less interesting to the broad-spectrum attackers. That frees (some of) your IT security resources to concentrate on building defenses against more-sophisticated targeted attacks on your organization.

And since the researchers who build these systems are well aware that attacks get better, the components of those systems which are ML-based are specifically designed to continue learning and adapting. That's why the system incorporates a Cyber Data Lake, which the paper discusses at length.

And, finally, the article had a sidebar link to another Reg piece on precisely the topic you raised.
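Since the comment above leans on the distinction between hand-written URL heuristics and the ML parts of such a system, here is an added Python example of what the heuristic layer typically looks like. It is my own illustration, not the JPM system and not the heuristics from their paper: a scorer that inspects a URL's structure (userinfo before the host, IP-literal hosts, brand names outside the brand's registered domain, punycode, risky TLDs, credential-themed paths) and returns a score with the reasons, so a reviewer can see why a message was flagged. The brand list, TLD list, weights, threshold and sample URLs are all constructed.

```python
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed lists; a real deployment would derive these from its own
# brand inventory and observed campaigns.
BRANDS = ("paypal", "microsoft", "chase", "apple")
BRAND_DOMAINS = {"paypal.com", "microsoft.com", "chase.com", "apple.com"}
RISKY_TLDS = {"zip", "top", "xyz", "tk"}
CREDENTIAL_WORDS = ("login", "verify", "secure", "update")
FLAG_THRESHOLD = 4


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host: str) -> str:
    """Crude eTLD+1: last two labels. Good enough for the demo; a real
    implementation would use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_url(url: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher is more suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    score, reasons = 0, []

    if parts.username is not None:
        score += 3; reasons.append("userinfo before the host (user@host trick)")
    if is_ip_literal(host):
        score += 3; reasons.append("IP literal instead of a hostname")
    elif host.count(".") >= 3:
        score += 1; reasons.append("deeply nested subdomains")
    if "xn--" in host:
        score += 2; reasons.append("punycode label (possible homoglyph)")

    reg = registered_domain(host)
    for brand in BRANDS:
        if brand in host.replace("-", "") and reg not in BRAND_DOMAINS:
            score += 4; reasons.append(f"brand '{brand}' outside its own domain")
    if reg.rsplit(".", 1)[-1] in RISKY_TLDS:
        score += 1; reasons.append("TLD frequently abused in campaigns")
    if parts.scheme == "http":
        score += 1; reasons.append("plain HTTP")
    if len(url) > 75:
        score += 1; reasons.append("unusually long URL")
    if any(word in path for word in CREDENTIAL_WORDS):
        score += 1; reasons.append("credential-themed path")
    return score, reasons


def is_suspicious(url: str) -> bool:
    return score_url(url)[0] >= FLAG_THRESHOLD


def triage(urls: List[str]) -> List[str]:
    """Return the URLs that cross the threshold, most suspicious first."""
    scored = sorted(((score_url(u)[0], u) for u in urls), reverse=True)
    return [u for s, u in scored if s >= FLAG_THRESHOLD]


if __name__ == "__main__":
    # Constructed sample URLs, as they might be extracted from mail bodies.
    samples = [
        "https://www.paypal.com/signin",
        "http://paypal-secure.example.top/login",
        "http://user@192.168.1.10/update.php",
    ]
    for u in samples:
        s, why = score_url(u)
        print(f"{s:2d} {'FLAG' if s >= FLAG_THRESHOLD else 'ok  '} {u}  {why}")
```

The scoring is deliberately transparent: each hit is a named reason, which is what makes a heuristic layer cheap to tune when a campaign starts evading one rule, and what an ML component downstream can consume as features.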

Michael Wojcik Silver badge

Re: Where's it from

And none of that is relevant to what the system described in the paper does.

Michael Wojcik Silver badge

Re: Where's it from

Perhaps you should take five minutes and read the paper rather than asking irrelevant, sophomoric questions.

Google pays out $13m to make Wi-Spy scandal go away: Bung goes to peeps and privacy orgs

Michael Wojcik Silver badge

Re: Not enough

Google as a corporation has a strange interpretation of the phrase "Don't be evil."

Strange, perhaps, but very straightforward, when you understand that it's applied under the axiom that whatever is good for Google is an absolute good.

Equifax to world+dog: If we give you this $700m, can you pleeeeease stop suing us about that mega-hack thing?

Michael Wojcik Silver badge

Re: Passing the loss to the shareholders is fine

many times employees of the corporation are forced to invest into it for their retirement plan

Is this actually all that common? Apparently (according to various online sources of varying dubiousness) many 401(k) plans include an employer-stock option, and of course many firms offer ESPPs or similar. But those are options - employees are not forced to use them. How common is it for corporations, particularly large ones, to offer only investments in their own stock for retirement plans? Is that even legal?

Michael Wojcik Silver badge

Re: Passing the loss to the shareholders is fine

it isn't like the market cap of a stock is a bank account, you can't "down the value" by a specific amount

No, but in theory (and ignoring the fact that there's no legal precedent for this, and quite likely no legal foundation for doing it), some authority could implement a fine by attaching an additional tax penalty to transactions in Equifax stock and dividends issued for same. That would make it less attractive and increase Equifax's cost of capital.

Probably that would have to be implemented by passing a law creating new classes of short-term and long-term capital gains with a higher tax rate, and giving some branch of the executive the power to assign shares of stock issued by particular corporations to those classes. It would be a bit of a bureaucratic mess, but in the world of tax law that'd hardly be noticeable.

Israel's NSO Group: Our malware? Slurp your cloud backups plus phone data? They've misunderstood

Michael Wojcik Silver badge

Re: Unlicensed Pegasus

NSO don't seem to be all that fussy about which governments they sell to.

Indeed. There's significant evidence that they're perfectly happy to deal with a wide range of repressive regimes. If the people at NSO Group have any ethics whatsoever, they've done a damn good job of hiding it.

A denial by NSO Group is meaningless.

France seeks science-fiction writers to help futureproof its military against science-fact

Michael Wojcik Silver badge

Re: Also War Writers won't have a lot of War Stories to write

and wearable things

I was just following orders. Orders from my pants.

Michael Wojcik Silver badge

Re: looking to recruit four or five sci-fi writers and futurologists

Sure. Boulle too. But I think they're looking for living novelists.

Wikipedia and other sites list a good number of French SF authors, though it looks like relatively few have been translated into English. I only recognized a few names.

Arrested development: Cops dump Amazon's facial-recognition API after struggling to make the thing work properly

Michael Wojcik Silver badge

Cameras pointing at tops of heads.

Next week: Amazon announces hair-print database.

Elon Musk's new idea is to hook your noggin up to an AI – but is he just insane about the brain?

Michael Wojcik Silver badge

Re: Too small...

Given his obvious inspiration from Iain M Banks' Culture novels - I'm sure he's also working on drug glands though

Is it obvious? BMIs, and for that matter "drug glands", are old hat in science fiction, as the article points out.

Here's one data point: The first of Banks' Culture novels was published in 1987. George Alec Effinger's novel When Gravity Fails contains both BMIs and drug glands, and was published in ... 1987.

Probably the most famous use of BMI in popular culture, outside that mass embarrassment The Matrix, is in Gibson's various "cyberpunk" novels, which received attention in the media and popular culture wildly disproportionate to their popularity and innovation. Neuromancer was published in 1984.

Poul Anderson's "Call Me Joe" featured a BMI; it was published in 1957.

And so on.

You ain't getting around UK data laws on a technicality, top judge tells Google

Michael Wojcik Silver badge

I've mentioned before that I actually like the advertisements I get on my Kindle "with special offers". They're unobtrusive and several times have pointed me toward books that I very likely wouldn't have found otherwise, and which I enjoyed.

Of course, there's no shortage of things to read, and I had no problems finding plenty of books before Amazon was a gleam in Jeff Bezos' eye. I still browse in and buy from physical bookshops, or pick up books from friends, or on a few memorable occasions from those books that people scatter about rental homes and the like. (Got into Kate Atkinson that way.) But there have been a few novels in particular that I'm quite glad Amazon put in front of me, such as Hawkins' The Library at Mount Char.

The advertising model worked just fine for many years in print media, because the advertisements were usually more-or-less audience-appropriate, and they were usually unobtrusive.

Of course, none of that excuses at all Google's deliberate subverting of a privacy measure. Frankly, I'd like to see both company officers and the development team that created and shipped the "Safari Hack" brought personally to account for that. It's inexcusable. (And, no, I'm not a Safari or Apple device user.)