Posts by David Hicks

1235 publicly visible posts • joined 22 Apr 2008

Vote now for the best sci-fi film never made

David Hicks
Happy

ALL OF THEM

Also can we please make it a decent version of the book? There are so many terrible adaptations.

For instance - everyone involved in "I, Robot" and the Tom Cruise version of "War of the Worlds" needs to be taken out back and put down like a lame racehorse. Either that or just barred from making more movies, you know...

User data stolen in Sony PlayStation Network hack attack

David Hicks
Alien

+1, Absolutely Mental

Would read again. You might want to work Obama or (for old-skool fun) Bush into there though, for maximum impact/paranoia.

David Hicks
Flame

Sorry but WT-holy-F?

Might very well not have been? Might very well not have been?

Why the hell would you think that people hacking their hardware would be in any way involved in this in the first place?

Seriously, are you that warped in the head that you equate people gaining control over their own hardware with stealing millions of user details and (potentially) credit card details for the purposes of fraud?

Hell, even the most pirate-y of console hackers isn't interested in massive data theft and fraud.

Sony failed to secure their systems. The fact that passwords were even stored on their systems (instead of secure, salted hash values) is a huge failure in itself.

The ability to penetrate and compromise Sony's server infrastructure is entirely separate to breaking client-side security, it is also unambiguously criminal. This is absolutely nothing to do with custom firmware, homebrew or piracy.

David Hicks

Credit Card details

Sony are not sure at present if CC details have been compromised. Other info certainly has. When someone has your -

username

password

real name

email address

street address

credit card details

Would you not agree there's a lot of scope for negative effects? If this were just your username and password then it wouldn't be as big of a problem.

Also - good luck logging in to change those.

Amazon: Some data won't be recovered after cloud outage

David Hicks
Troll

Surely not?

Wasn't the data "In the cloud"? That means it's safe, secure and always available? Doesn't it?

Surely I haven't been lied to by advertisers and marketing men?

How is SSL hopelessly broken? Let us count the ways

David Hicks

encryption without authentication is pretty useless

"In either of the last two cases, having Firefox bitch about self-signed certificates is less than helpful."

Then you don't understand the technical side of it. Without an authority you have no idea who you're talking to. In a public setting MITM is really quite easy, so without the third party vouching for you, I have no idea who you are. What use is encryption if I'm only encrypted as far as your MITM-bot?

Setting up a local CA for an intranet is pretty trivial, not a serious issue at all, and firefox's 'bitching' is there for a damn good reason.

The public trust apparatus and certification authorities are broken. Lessening the importance of trust and authentication in secure comms is not a very good way to address this.

David Hicks

Sorry but no.

The scary message is there for a reason. MITM is actually pretty trivial in a lot of settings, especially on public networks (look up ARP poisoning amongst other things, moxie's sslsniff does this along with a bunch of other tricks), so a self-signed certificate doesn't offer much to me in the way of security as it's absent any authentication.

Is it better than nothing?

I'm not sure. Maybe after the first time, if the browser stores the certificate and checks it's getting the same one every time.
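The "store the certificate and check it's the same one every time" idea from the post, implemented as an added Python example (trust-on-first-use; not code from the original post or from any browser). The certificate bytes are constructed placeholders, the host names are made up, and the on-disk JSON store is an assumption. The example also shows the limit the post hints at: the store cannot tell a legitimate certificate renewal from an interception, it can only flag that something changed.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_FIRST_SEEN = b"constructed-DER-certificate-1"
CERT_DIFFERENT = b"constructed-DER-certificate-2"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated hex as browsers display it."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TofuStore:
    """Trust-on-first-use: remember the fingerprint seen on the first connection."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.known: Dict[str, str] = {}
        if path is not None and path.exists():
            self.known = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.known, indent=2, sort_keys=True))

    def check(self, host: str, cert_der: bytes) -> str:
        """'new' on first sight, 'match' on the same cert, 'mismatch' otherwise.

        On mismatch the stored fingerprint is deliberately NOT replaced: that
        decision belongs to the user, who has no way to know from this data
        alone whether the site renewed its certificate or is being intercepted.
        """
        fp = fingerprint(cert_der)
        known = self.known.get(host)
        if known is None:
            self.known[host] = fp
            self._save()
            return "new"
        return "match" if hmac.compare_digest(known, fp) else "mismatch"

    def forget(self, host: str) -> None:
        """Explicit user action to accept a changed certificate next time."""
        self.known.pop(host, None)
        self._save()


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Online helper (not used by the offline demo): fetch the server's leaf certificate."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    store = TofuStore()                       # in-memory only for the demo
    print(store.check("shop.example.test", CERT_FIRST_SEEN))   # new
    print(store.check("shop.example.test", CERT_FIRST_SEEN))   # match
    print(store.check("shop.example.test", CERT_DIFFERENT))    # mismatch
```

Note that the first connection is the unprotected one: if the network is already hostile at that moment, the interceptor's certificate is what gets remembered, which is exactly the gap a third-party authority is meant to cover.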

David Hicks

Why would I have any reason to trust a web of trust?

I trust my immediate friends. Well, some of them anyway. I may extend trust to their friends. But a tenuous link to parties beyond that, by the vouching for and of people I don't know well if at all... I may well be missing a deep understanding of the workings of a web of trust, so if anyone wants to enlighten me then that would be great, but I don't trust it.

Don't get me wrong, the CA infrastructure and https are both pretty broken, but WoT does not inspire me.

I still trust a few (not all) CAs more than I trust your PGP signature I'm afraid. Besides which your scheme still needs some way of having a protected comms channel with a WoT PGP sig verification service, a way that isn't vulnerable to MITM or other attacks... so we're back at square 1!

David Hicks
Boffin

Mostly a problem of trust, broken CRL and bad programming then?

So it seems that most of the problems here are either as a result of -

1. Sloppy string validation in Common Names and URL bars

2. Massive proliferation of "trusted" entities who may or may not have good security practices or even be trustworthy at all

3. Broken revocation methods

4. Un-revoked certificates using obsolete hashing or encryption methods

I've been working with SSL/TLS for a bunch of years now and 2, 3 and 4 have been obvious for a LONG time. 1 is more interesting because you would have thought you'd be extra, extra careful in a security application, if only because the programmers are working on security systems!

Apart from CN validation though, the problems here are HTTPS problems, not SSL or TLS problems. SSL has many wider applications than securing the web. These frequently do not involve any public authority trust at all, have manual revocation methods, cipher suite restrictions and no plaintext-to-encrypted bridge.

The fundamental difficulty here is that the problem is almost impossible to completely solve. A little like DRM (which can be summed up as "how do I give the content and the key to someone, but prevent them using the two together in ways I dislike?"), the trust problem comes down to "How do we establish a relationship of trust between two parties that have never met?". The solution we have been using so far is to involve a third party that the user has never met either. When there were only a handful of these third parties it was perhaps not too much of a stretch; now I look at firefox and there are at least 50 "authorities" each with a couple or more root certificates. I know several of them have issued bad certificates in the past and others have been compromised. But if I get rid of them I lose the ability to 'secure' a lot of comms, though secure is the wrong word. Tricky.

tl;dr - The HTTPS infrastructure is in need of a lot of work. SSL/TLS itself less so.

Sex Party's down-under struggles with dominant Catholic priests

David Hicks
FAIL

Bad troll

None of that would be an issue if this was just a case of sex party volunteers lobbying to be able to put posters up in a place of worship.

When that place of worship is also the polling place for an election, and the church is paid for that service, it becomes an entirely different matter. It becomes the church interfering in the democratic process.

And the sex party isn't about being promiscuous, it's about protecting people's rights to keep the government and religions out of their bedrooms and marriages.

Commodore USA prices up revived C64, VICs

David Hicks
Happy

I'd buy it if...

... I could just buy the case, for a reasonable amount, because it looks to me like it houses a standard mini-ITX motherboard, and you can get some (pretty cheap) mini-ITX boards that will take much better processors than that.

With a right-angle or flexible PCIe extender, you may even be able to cram in a decent graphics card too.

Also props to Lottie, that is an absolutely awesome idea.

Toshiba readies 'cinema specs' 3D TVs

David Hicks
Thumb Down

Where's the content?

I have a 3d tv - I was in the market for a new telly and thought I may as well - but so far I'm not seeing the compelling content. I haven't used 3D mode in months.

AFAICT there were a few demo/launch games hastily adapted for it by Sony, a couple of animated films reworked for it and.... that's it.

I quite like the technology, but there's no way to use it much at present.

Anonymous hacks Sony PS3 sites

David Hicks
FAIL

@Highlander

Geohot and graf didn't violate the terms of the psn, as neither of them cared about it or used it. Sony are still trying to prove Hotz had a PSN account *at all* but it looks like he didn't.

And there are no terms of use for a ps3 that you own. Seriously, you own it, it's yours. I didn't sign a lease agreement when I bought mine, did you?

Geo is in trouble for all sorts of stuff. The metldr key hasn't even turned out to be all that useful AFAICT. Sony are suing him for everything from DMCA violation to extortion. Yes, extortion. He jokingly said that if MS, Sony or Nintendo wanted to secure the next console generation, maybe they should give him a job. Sony included that as evidence of threats to continue breaking systems unless he was paid, rather than a half-joking offer to work as a security consultant.

As for what geo and graf want... Geo seems to want fame and Graf wants to learn and share, gaining full control of the system in doing so. Neither of these things is a crime.

And as for your wonderful weaselly excuse about OtherOS not really being removed... really, you can stop white-knighting for the huge multinational now, they don't need you and they aren't going to give you any free stuff.

Internet retail tax threshold 'probably irrelevant'

David Hicks

Well it had to be something

Moving from London to Perth, I was shocked. I thought I'd been living in one of the most expensive places on the planet. It turns out that almost everything in Oz is incredibly pricey. Despite a ~50% rise in salary when I came across, and lower income taxes, I feel like I have less purchasing power.

David Hicks
Jobs Halo

No sh*t sherlock...

Stuff is expensive here. Buying it in from the US or Asia is often cheaper by far more than 10%

Which is weird, because you would have thought that getting stuff in bulk would reduce shipping and unit costs. Either the stores are ripping off the public, or the suppliers are ripping off the stores. I suspect it's a bit of both.

I hear that it's common practice to have a legally enforced "sole importer/distributor" agreement here, which would explain quite a lot. That people use the internet to buy from abroad is not a surprise. What is a surprise is that it's not illegal yet, because the history of globalisation has shown us that it's fine to pick and choose where your raw materials and workforce are if you're a manufacturer, but try it as a consumer or retailer and you'll get the smackdown.

Steve Jobs Icon because I just checked the iPad2 prices and they're within the bounds of reason compared to the US. In fact the 32Gb Wifi model is actually cheaper here!

Facebook Comments kill web freedom

David Hicks
Linux

All the cool kids still use linux

I scoff at the implication that all the cool kids use Mac. Now give me a moment to wipe the crumbs from my cheetos stained mouth with my cheetos stained fingers...

On a more serious note, do you really think that many people use Mac that would have used linux otherwise? I know of some I suppose, but the majority would seem to be windows defectors.

And facebook, much as I dislike the privacy abuses, provides a useful service and a troll-free oasis. Trolls can be entertaining, but a place without them makes for a nice change of pace.

Nokia deal to 'rocket Windows Phone 7 past iPhone'

David Hicks

That's a HUUUUUUGE if

I don't know many people that still love Nokia that much. A few years ago, sure. But a few years ago was when Nokia should have been changing the game by introducing smart, capable, modern smartphones. Instead they let themselves be usurped by new entrants to the game.

What's left of Nokia's reputation (solid devices, not that up to date, not sexy) could be completely ruined by a bungled or unstable Win Phone launch.

Even if it goes perfectly I don't see it making a difference. They missed the boat a while ago. Right now they're trying to figure out what to do about that. Waiting another year, while the boat disappears off into the distance before finally, weakly shouting "Hey, Come back!" is not going to help.

They should have grabbed Maemo by the balls when they were ahead.

Ten... on-ear headphones

David Hicks
FAIL

I got as far as "oxygen-free headphone cable"

Before laughing and skipping straight to the comments.

Superstitious audiophile nonsense.

Paramount buries Dune remake

David Hicks

All four books?

Err... no.

Much as I enjoyed the two miniseries, especially the second one, they only covered three books. Pretty sure the second miniseries covered "Messiah" and "Children"

Also, there are six books!

It's just that the end of "Children" is a good place to stop because there's a break of 5000 years or so between there and the story of "God Emperor".

IBM wants to relieve Aussie traffic pain

David Hicks

Traffic? Australia?

You must be having a laugh!

I moved over here from London last year. Trust me when I say the Aussies have no idea what "traffic" really means. Besides which, the only transport problems they really have are people commuting about inside cities, as going from one city to another is a serious undertaking so most of the roads elsewhere are deserted most of the time.

Frankly a focus on suburban public transport improvement would likely help more.

Southampton Uni shows way to a truly open web

David Hicks
Linux

I can read pdf on my phone...

with evince. It's nice having an N900.

On the main content - so you finally bought into the semantic web idea then?

I remember that was the 'next big thing' back when I was a lowly student and you were moaning about how half the new intake didn't know how to use ftp from the command line any more...

Plus ça change etc.

Genuinely surprised to see your face peering out at me from the front page this morning though, nearly spat-up coffee all over the keyboard!

D.

Microsoft Kinect hacked to control the PS3

David Hicks

It's kinda cool.

It uses a PC to emulate a controller over bluetooth, and stitches the kinect into that. So it should work for lots of things.

What I'd like to see is the direct version, using a hacked ps3!

Oracle kills Sun.com after starvation diet

David Hicks

Shame that so many old domains are out of use

dec.com is vaguely still in use by HP.

Octopus.com is up for sale, auctioning having reached almost 50,000 dollars before the auction was suspended a couple of weeks ago because someone started a domain ownership dispute with ICANN.

Mentat.com is just not there, looks like it's owned by someone that's most likely waiting for a cash-in. That's the tragedy with most of the decent single-word domains in the world, some 'investor' (I use that word layered with the most sarcastic venom I possibly can) has usually bought them up, slapped a cheapass portal and some ads on them and a big banner "domain for sale". So now nobody can use them. Bastards.

Make streaming a felony: Obama

David Hicks

So that's the trick then

As usual - change the law to make many more people criminals either by inventing new offences or shifting them into the criminal rather than civil code. Classic police-state dystopia type of move that. Then you can justify more budget for your investigators and if you can muddy the waters between "criminal" and "terrorist" whilst you're at it then all the better, copyright infringers are now enemies of the state and your corporate sponsors are happy!

Data-mining technique outs authors of anonymous email

David Hicks

So 80% of the time it can pick between a known list of 158 people?

And this is supposed to be good enough for use in court? Holy hell...

With a false positive rate of 20% on such a small sample it's next to useless for picking people out of the general population, surely? All you could hope to get is "this guy we already suspect writes in a similar style to the release", which has got to qualify for pretty weak circumstantial evidence at best.

David Hicks

DOH! Reading fail...

... and there I was assuming that these guys had claimed to have tracked down the people releasing "Anonymous" email, not just "anonymous" email.

This is going to get rapidly more confusing.

TorrentFreak seeking copyright report’s mysterious author

David Hicks

If you have to go to these extents

In order to get people to not just throw out your data, or give it a veneer of respectability, then you must already know you're peddling bullshit.

UK.gov to miss another deadline on privacy

David Hicks

You're missing the point

It's not about whether the cookies themselves contain identifiable information.

It's about tracking. It can be a random number in the cookie itself, but when half the internet brings in something from doubleclick or google-analytics then google and the other ad networks can track your browsing habits and get a good picture of everything you do online.

Some people have a problem with this.

David Hicks

But that's exactly what it needs to say

An online shop for instance, could not track until someone clicks an "add to cart" button, or a buy button. Then they say "we need cookies to carry on or the site won't work" and the prospective buyer then makes the decision.

I'm not sure anything more than session cookies are required even then.

A forum site which remembers the user via cookies could survive with session cookies if it made people log in every time, and be login-free if the user agrees to persistent cookies.

There are many ways to minimise cookie use, and there are many ways the user can be told (or asked) "cookies or no site for you".

David Hicks
Black Helicopters

A website does indeed have access to cookies it creates

Now think about the average website. That facebook 'like' button is a script brought in from facebook that can set and read cookies, regardless of whether you have a facebook account, they can track you across anywhere with such a button.

A lot of pages bring in stuff from google-analytics, and that gets to set/read a cookie also.

And then there are the ad networks, and the bigger ones will have content across millions of sites. Hell, this very 'reply to post' page brings in scripts from doubleclick (google now, I believe).

So it's not as simple as cookies only being set for the site you're on, it's cookies being set for hundreds of sites you never visited explicitly but were brought in anyway.

Take a look in your cookie dialogue in your browser. There will be hundreds. This is why I recommend use of the "Cookie Monster" extension with firefox, it lets you control this stuff and switch off third party cookies while allowing the first-party ones you need to make the sites you actually visit work correctly.

David Hicks

That would be the "do not track" header, surely?

That the browsers are now putting in place.

Or you could, you know, not track anyone until/unless they actually log in to your site having clicked through your terms of use. Casual browsers should not be tracked by default.

Why does everything need a session? And why is it a problem to have a session in the URL for most online activities in which any sort of session security is secondary?

Anonymous probed for hack threat against WikiLeaker captors

David Hicks

Seriously?

He'd get worse if he was in Saudi Arabia so it's OK?

As long as you're just a little bit better than the worst thing you can think of, then everything is just fine?

You shouldn't be allowed to vote.

David Hicks
Flame

If you need it pointing out who are the good guys ...

... and who are the bad guys in this situation, shoot yourself now.

A hacker group, variously called script kiddies, a great hope for the future, youthful activists or just plain terrorists is demanding - get this - that the US government treat a prisoner awaiting trial as a human being.

And yet some people will have a problem with this, somehow. Despite the history of 'innocent until proven guilty', despite the prohibitions on 'cruel and unusual punishment', we saw that those running the show had no regard for human rights when guantanamo bay was set up. We saw that nothing had changed when Obama forgot to close it down. This is just another in a growing set of things that ought to be making any true patriots of the USA scream bloody murder. Except those that wave flags and crow about how great the US is are more likely to side with the military because Manning is perceived as the enemy. Not a US citizen, not a soldier (that they claim to venerate) but the enemy. And the enemy deserves no rights, is not human, for some reason.

Feeling heat from Macs, Microsoft sells PCs sans crapware

David Hicks

The thing is, it's a subsidy

Corporate genitalia aside, the crapware subsidises the OS cost, or the full machine cost. It's one of the reasons the likes of Dell can sell windows machines cheaper than they can linux machines (volume and support costs being the other reasons of course).

Either PC makers will 'get' this and PCs go up in price but come comparatively crapware-free, or 'signature' just becomes a premium windows PC branding and almost nobody buys it because it's more expensive.

OTOH, is it that hard to run "PC Decrapifier" or similar on a new box?

It's what I've always done.

iPhone to whup Sony PSP 2

David Hicks

Which is about a third of the nintendo figures

And I wonder how many actual unique customers there are, because I account for three of those 60 mil PSPs due to theft or damage.

There is a world of difference between a $2 casual game and a decent handheld game. The question though is not whether there is a difference, it's whether anybody cares.

David Hicks

Hard to tell

They're not only competing with iPhone though are they, they're trying to compete with the handheld gaming king - Nintendo - who have led the pack since the original gameboy days. And this time around they have the 3DS, which is out now and has 3D and everything so it must be great!

And the Sony model will be a lot more pricey than the Nintendo offerings. And they let the last handheld platform just kinda languish for a few years. And there's quite a bit of bad-will towards them anyway.

Going to be tricky to pull off a huge success.

'Self-incriminators' may be forced to tell the court what they know

David Hicks

Every time I hear of the application of laws made in the last decade

I'm happier about my move to Australia.

No, it's not exactly a shining beacon of freedom and has its own problems but they don't seem to be quite as stupid as the UK, and I'm not quite as familiar with (and contemptuous of) the political system here yet.

New charge against alleged WikiLeaker carries death penalty

David Hicks

Just give up the pretence at legitimacy

and shoot the guy already. That way people will know you don't fuck with the military. Hell, why not take out his family too, so people know you're serious. Nobody snitches on the mob^H^H^HUS Military and gets away with it.

Facebook to share home addresses, phone numbers

David Hicks

I got some sort of facebook popup/intermediate page...

...when I logged in the other day, asking me if I'd like to share my phone number and address. And then I noticed on the sidebar that it was offering to find more friends for me if it could just have my email address and email account password please? We won't keep hold of it! Honest!

How about no.

I'm not surprised that the less savvy end up giving ever more data to the beast. I am surprised we haven't seen more fallout from that yet.

Apple to Microsoft: 'App Store name is not generic'

David Hicks
Linux

I'm sick of this nonsense

I don't care who got there first. I didn't give a rat's arse.

Stop trying to divide off and claim parts of our language you miserable corporate bastards. If you want to trademark and claim words as yours then at least have the decency to make up some new ones.

Tux, because linux had app stores before either party. And they're free...

Australians safe from Mortal Kombat

David Hicks

So it'll just get pirated then?

Like what happened with the banned versions of Manhunt 2 etc?

Personally I enjoyed manhunt. Playing it on a projector but otherwise in the dark was a genuinely dark, brooding and scary experience. But people just focus on the fact you could kill bad guys with a shopping bag...

BT Home Hub 3 ADSL Wi-Fi router

David Hicks

Fob?

What happened to the "fast setup" button?

Does it have one of those? Because I like those.

Debian 6: Have your Debian and eat your Ubuntu too

David Hicks

Have you been living under a rock?

Let's see...

Maemo is/was debian based. That's a phone OS, by the way. Pretty embedded. And then there was the hacked around debian that came on my NAS, the WD Sharespace, and what came with the sheevaplug which was ubuntu. You could run debian on the Openmoko. You can run it on the Playstation 3.

As far as I can tell, RHEL doesn't even support ARM or MIPS, only x86/64, Itanium and POWER variants, so it would have to be very hacked around for a lot of embedded use.

Maybe in your line of work you only see RHEL based systems. I'm guessing that's because you mostly work with Power chips then?

David Hicks

I've found debian to be better than ubuntu for a while now

I speak as a software developer, not your granny and what she can use, so please read with that in mind. Debian, for me, has *just worked* for a number of years now, in a way windows hasn't and ubuntu hasn't either.

The install process was not quite as polished or painless as either of those, but the end result was I didn't have to spend days tracking down third party drivers (windows!) nor did I have to rebuild alsa from source every time the OS gets upgraded because the one that ships with the OS doesn't recognise the headphone port (ubuntu!).

I've run debian on everything from a 266MHz arm NAS device to a z series mainframe. Awesome, solid, OS.

NBN will turn retail borderless, says Conroy

David Hicks

Since moving here I have noticed that the online presence...

... of the average business in Aus is not quite up to what I expected, coming from the UK.

You get used to it pretty quick though, and I quite like actually going to the shops now. it would be nice if the price of stuff came down though. It seems that nearly every imported good is ridiculously pricey because some distributor has an exclusive deal and can't be worked around, or the law protects 'official' import channels and makes all others illegal. This seems to apply to everything from books to computer equipment and is justified under some misguided notion that it protects Australian businesses.

When something can be ordered online and shipped to you for 50% of the price in the shops here, something isn't right, and it sure as hell doesn't put Australian business at an advantage.

What sealed Nokia's fate?

David Hicks

You're right, there must be different N900s

I guess I got one of the good ones, that boots up reasonably quickly, takes decent pictures, works well as a GPS, does flash fine, if a little slowly (yours doesn't?), and works brilliantly not only as a net device on its own but also as a 3G wireless modem for my linux machines.

I'll agree that the manufacturer totally lost it though.

Instead of incrementally developing the OS, adding stuff, making improvements and fixes and delivering them (the usual linux model), and then delivering improved hardware as and when they could, they ended up doing the same thing that killed Openmoko - "Oooh! Shiny! Let's ditch it all and start again!". So you end up with two years of no real progress, no released devices and no income. In the meantime the managers who weren't directly responsible for screwing up the maemo unit were busy screwing up the rest of the company and whoops, suddenly the 'next big thing' doesn't have the time to mature, despite the fact it's 7 years old.

Sony threatens to ban PS3 jailbreakers from network

David Hicks

Why so many rabid folks?

It's Sony's right to ban whoever they want from their servers. Absolutely true.

Doesn't mean they aren't arseholes for doing it.

Remember kids, just because something is within the law doesn't make it good, nice or proper. A lot of people feel that they own the ps3, that linux and the network were advertised features, and that, hell, if they want to run non-approved software on it then whose business is that. Same as with the iPhone, same as anything else.

As for the cheating - PC game services somehow survive and prosper within an open system, why not the PS3?

David Hicks

It never got quite that easy

You still needed a way to install it, that's not provided by the default firmware and needed to be unlocked.

And that wasn't quite all, don't know the specifics, but there were still one or two keys to be found when the lawsuit kicked off, and all has gone relatively quiet since then.

Apple cripples iBooks for jailbreakers

David Hicks

I agree

I'm not really sure.

Do I have to sign a license agreement before they take my money?

No? Then I'd say I own that copy of the software, and like a paperback book, can scribble in it and alter it to my heart's desire as long as I don't give away or sell copies, or claim it was my work.

Sony tweets 'secret' key at heart of PS3 jailbreak case

David Hicks

I don't think he did much wrong either

But given what's going on at the moment you would have thought some common sense was a useful skill in a PR droid. Maybe not though.

OTOH how many people outside of techy circles even know what a crypto key is, let alone what one looks like?