* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Adblock Plus blocks Facebook's ad-blocker buster: It's a block party!

Charles 9

HDMI can already detect when the TV attached to the box is on or off, and a little electrical magic can achieve the same for analog plugs (thus auto-sensing TVs), so that's sorted.

Charles 9

Re: arms race

"Not quite the only way. You can... call them. They generally appreciate a call more than a "like" anyway."

Nope. Their reception is spotty, meaning you don't know when they're in reach.

Charles 9

Re: arms race

"Actually AdBlock Plus Element Hiding Helper can do regexps."

But how does that help when (1) the name's different every time and (2) the legit images have the same scheme? The only way around it now is to block ALL images. And that does nothing for inline TEXT ads. And for those who think people will be turned off by them, they do it on television and people haven't unplugged en masse yet, so I don't think an inline text ad is going to make much of a difference. Some sites do it right now...successfully.

Charles 9

Well, that's what's going to happen. It already happens on television with inline ads. Ad companies are pressured to get to you one way or another, so they're motivated to find ways you can't avoid short of going Luddite.

Charles 9

Re: arms race

There are ways to make ads unblockable.

Text ads get baked inline with the article. The only way to block the ad would be to block the article, making it a pyrrhic victory and defeating the purpose of the ad blocker (you want to block just the ad, not the whole page).

Graphical ads can be given a hash name so that it's different every time, making blacklist useless from the whack-an-ad shenanigans. Furthermore, ads can be programmatically baked into images genuinely to do with the article the way product placement and ads are now baked into TV shows so that you can't skip them without skipping the program.

The nuclear option would be a clickwall, and the loading of ads (especially in-house ads) can be detected by the server without any scripting, especially if the filenames are hashed (and thus tagged per session).

Yes, I know the nuclear countermeasure would be to abandon Facebook, but for many it's the only way to keep up with remote family (because where they live Internet, including e-mail, is a premium while Facebook is gratis) or other reasons that make ignoring Facebook "Walking on the Sun."

If you use ‘smart’ Bluetooth locks, you're asking to be burgled

Charles 9

Re: I use a whitetooth packet sniffer for security

"If your dog isn't a TRAINED guard dog, his loyalty and silence can easily be bought for the price of a juicy steak or other shank of meat from the nearest supermarket."

Trained or simply xenophobic. If your dog's the type that tends to charge and bark at any newcomer to the house, there may not be time for the bribe. Dog socialization can be quite specific to a family since dogs think in terms of packs.

Charles 9

It's what the customers want, so what are you going to do?

Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea

Charles 9

Re: "Security of Everyone" - WTF?

"There are worse things that malware can do than install spyware/trojans into the bootsector, frankly..."

Like WHAT? The bootsector basically comes third in line after BIOS/EFI (basically State territory there; you're essentially screwed if it's in there) and the MBR (essentially the primary boot sector).

Getting malware into the bootsector essentially executes a pre-emptive attack. It gets the malware ahead of just about any software security measure you can throw at it, making it a useful attack against 64-bit OS's that have a higher degree of code signing. What can be worse than getting ahead of even the kernel?

Charles 9

Re: What's the alternative?

"Having a "sign anything" key was simply a terrible decision on Microsoft's part. Sure, it makes testing easier, but how hard is it to have your build system automatically pass the binary to your signing system? If they had the devices "phone home" on a daily basis checking for key revocations, like browsers do, that would have reduced it to the number of devices that haven't been connected to the public internet since the key compromise became known."

What if it's destined to be an OFFLINE system, meaning it'll have no network access? You usually don't want TEST systems on the open net; there's a risk of collateral damage.

Charles 9

Re: Securer boot

"Now whether OEMs wish to limit the capabilities and thus the sales potential of their kit..."

Now whether OEMs wish to defy Microsoft and lose their deep loyalty discounts which may be the only things keeping their computers profitable...

Charles 9

Re: Actually it doesn't make much difference security wise on a laptop

Have you ever read Nineteen Eighty-Four? The pods had the capability to reproduce any cookies you tried to make. They probably also have ways of preventing your sense wires from tripping.

Charles 9

Re: Accidental leaking of golden backdoor keys

Ever locked yourself out of your own house? That's why.

Charles 9

Re: When is something insecure ?

Or unless it's locked until the time of purchase which is what Apple Pay and Android Pay both do. And if you play the Evil Pad card, I'll counter that that can successfully attach Chips, meaning NOTHING is safe at that point meaning it's back to barter.

Charles 9

But then the bigger question is can you really trust ANYONE...even YOURSELF?

Google Chrome will beat Flash to death with a shovel: Why... won't... you... just... die!

Charles 9

Two words: Flash EXPLOITS. At least with HTML5 the standard can be hardened against malware because it's more open and the browser makers can be motivated to compete on security grounds.

Face it. You're not going to get rid of multimedia web pages. It's what the masses want, and they outnumber you, so unless you become Dictator of the World, you don't have the power to change that. You can either brace yourself and join the ride or bail out of everything and go hide in the mountains somewhere.

Charles 9

Re: Last refugee of Flash?

No, given we haven't gotten there yet. Very expensive equipment tends to be a long-term investment: intended to stay put for a couple decades or so. And if you'll recall, it took a long time for the original crew to finally retire.

Charles 9

Re: Google Chrome 55 will effectively make all Flash content click-to-play by default

Sorry. Not Edsels, Pintos. Think gas tank fires.

So you're saying it doesn't matter if you die of CO poisoning on the driveway, as long as you get there it's still a success. Sounds pretty messed up if you ask me. That's like saying jumping off a skyscraper is a surefire way to get back to street level. You get there, yes, but not in one piece. Getting there SAFELY is an AUTOMATIC requirement of ANYTHING used by man. Otherwise, what's the bloody point? Risk is tied to effectiveness, as it describes the chance of a failure of some sort. And failures usually mean the job didn't get done: implying an effectiveness of zero.

Charles 9

Re: Google Chrome 55 will effectively make all Flash content click-to-play by default

But it has to get you there SAFELY, or it's better by far not to go. Better stranded alive than burned to death in the next Edsel. And since you can't fix stupid and get sued if you take the Darwin route, you're FORCED to coddle to keep the lawyers at bay.

Charles 9

Re: Dear Google,

"Don't download software from dodgy websites ... easy..."

Three words: DRIVE BY HACKS. They attack the mainstream sites.

Charles 9

Re: One down many to go

Not while content providers demand DRM or no content. Flash and Silverlight are the chief middlemen for DRM enforcement.

Charles 9

Re: BBC support html5 fully - just not on desktop

Even BBC News? I read lots of complaints that the Agent hack doesn't work there and the site, even on iPad, demands Flash without exception.

Charles 9

Re: Google Chrome 55 will effectively make all Flash content click-to-play by default

Let me put it this way. If the average web goer had to choose between security and flying cat videos, the flying cat video wins 9 times out of 10.

They outnumber you by about 100 to 1.

Guess to whom the browser makers are going to cater.

Charles 9

You'd be right, actually. Since 2001, ALL Olympic content originates on the Olympics' own television network: Olympic Broadcasting Services. Those official graphics you see all come from that, not the second-source TV networks like NBC and the BBC.

Charles 9

Re: Education...

" in fact it's only the Google devs who continue to update (patch) the linux release of Flash player, Adobe canned it a couple of years ago."

And ONLY by way of an exclusivity contract Google signed with Adobe in order to get the rights to do the job.

Charles 9

Re: Last refugee of Flash?

Nope. The Enterprise world is stuck with it in the form of control modules for very expensive equipment built to require Flash with no possible replacement unless the company is in the mood to plunk down for NEW very expensive equipment.

Hilton hotels' email so much like phishing it fooled its own techies

Charles 9

Re: Protection

"Education about the evils possible in an email helps, but it can take years to pound that through some people's thick skulls. Eventually, though, most of them will realize email isn't a happy utopia of rainbows and unicorn farts where everybody loves each other, but a dark, gritty place full of greed and malice. Mostly greed. It can take decades, though."

And for those who STILL can't get it? Especially those who happen to carry the immunity of an executive position?

And BTW, if you're forced to coddle to stupid all the time, how do you get things done?

Charles 9

Re: We can do better.....

And if it turns out to be someone over IT's head?

McAfee outs malware dev firm with scores of Download.com installs

Charles 9

Re: Interesting

Download.com IS a CNET site. IIRC the whole works is owned by CBS Interactive.

Facebook to forcefeed you web ads, whether you like it or not: Ad blocker? Get the Zuck out!

Charles 9

Re: FB force feeding ads?

Thank you. Facebook now probably has enough information to identify you. You probably haven't ID'd ALL of Facebook's domains, and they probably share some with legit sites so you can't block them without collateral damage. Next thing you know they'll have a fast-flux system so you end up playing whack-a-domain trying to stop them.

Basically, the only way to stop them tracking you (whether you go to their site or not) is to get off the Internet. And who knows? Maybe they'll start tracking you through the post...

Charles 9

"I guess next step in the ad-block wars would be to use randomly named page elements but I've not seen anyone try that yet."

I've already seen them: hashed elements so they're unique for each visit (and each visit can be traced). It reaches a point where you can't block one element without blocking ALL elements, INCLUDING the content itself which is kept in a separate frame.

Charles 9

""cold calls" reported for calling a TPS line - fines incoming"

Call comes from an international number: sovereignty kicks in and the fine is unenforceable.

""billboards" very few here - it's rural area - and easily ignored"

Except probably on the trunk roads which are your key ways in and out. Can you say "chokepoint"? It's certainly true in America.

""and junk mail" goes back into the post box - I don't care whether it's the advertisers or their side-kicks, the Royal Mail who pay for return to sender, they're all the same to me."

Except it's the people who pay for the mail ultimately, through postage fees and stamp rates. Keep doing that and you can expect the rates to go up, meaning the people STILL foot the bill.

Charles 9

Re: How does it work?

Well, they use feature phones for the most part, live in conditions where power isn't a certainty, AND they outvote you.

Charles 9

Re: Diaspora

Not gonna work. It's like with yacy and freenet. You get hit in the bandwidth costs. AFAIK, efficient decentralized (and possibly anonymous) networking is a physical impossibility because efficiency necessarily creates identifiable traces.

Charles 9

"You guys can go back to writing your own content on A4 paper?"

Last I checked, we don't have matter transporters yet and not everyone has a facsimile machine, so instant global communication that isn't point to point raises issues.

"Or you could start a movement so that everyone pays for access to sites!"

Unless your content is both high-demand and exclusive, paywalls tend to be a downvote for you, history has proven.

"By blocking ads surely your just making this worse?"

Worse to the point they have to make a leap of faith: either go all in or check out.

"You chose to use an ad blocker rather than avoid a site so i doubt that."

Wanna BET? For many, they think the Internet is becoming a cesspit and are checking out of the Internet...COMPLETELY. At least back in reality they just have to deal with cold calls, billboards, and junk mail.

Charles 9

Re: How does it work?

And if the former, meaning blocking the ads blocks the content, meaning you can't get in touch with family overseas where Facebook practically IS the Internet (just go to third-world Asia and see; I have)?

Charles 9

Re: A disaster in the making...

"So yeah, the moment a website tries to force me to remove my adblocker then the effect is very simple: said website will be removed from my favorites list(s) instead. There are tons more websites which can provide me with the same experience, thank you very much."

So you say, but after Kickass went down, no viable alternative appears. If there's only ONE source for the same experience, is it "Walking on the Sun" time?

"But back to my initial comment: this is a disaster just waiting to happen. Because what's going to happen when FB's advertising source gets compromised and its proven that FB has (indirectly) started spreading malware and other junk?"

The option has been open for a long time now: just have Facebook itself and the world's your digital oyster.

Charles 9

Re: How are they going to do this exactly?

Except I believe Facebook paid ABP to get whitelisted.

Charles 9

Re: They seem to be under the impression

One problem: ABP is ALSO an ad-slinger, as they WHITELIST certain companies who pay them.

Charles 9

Re: Simple solution...

"They claimed that we were slurping data about our users, while I tried to point out that all they were picking up was our users' account names, which were linked to nothing about their actual real identities. He still didn't accept that N0458301942@our.company.co.uk didn't tell anyone anything about the person who the username belonged to, since it wasn't linked to their real name, address, age, sex, political affliation...in short nothing worthwhile."

That's what YOU think. But the beauty about DE-anonymization is that they can build relationships between two seemingly unimportant pieces of data...which in turn get linked to other bits of data UNTIL one of them is linked to an important piece of data. All of a sudden, the entire chain of bits gets connected.

Charles 9

Re: Just one

Facebook is the biggest fad of the Internet at this point. And when it comes to ignoring fads, to quote the Smash Mouth hit, "You might as well be Walking on the Sun."

Charles 9

Re: I'm wondering

"As long as the ads follow a pattern, they can be blocked. FB can use anti-adblock javascript. Stubborn users can use m.facebook.com with JS disabled. FB can make the mobile site JS-mandatory. Users can rebel against JS... on and on it goes..."

Simple. Ads can be text-based in nature and served inline to the content. No way to block it without blocking the content, too. Image-based ads can be baked into legit pictures from the article, again making it all-or-nothing. Using randomly-generated tags ensures (a) the visit can be traced, and (b) the ads can't be easily blocked because the content has a similar tag. No JavaScript or external content necessary, and the content's loading can be detected server-side, meaning there's no way to avoid it without at least downloading the content, wasting your bandwidth, and triggering the demographics.

Charles 9

How do they block an element that's in the same domain as the page itself without blocking actual content?

US Politicians tell DEF CON it'll take Congress ages to sort out how to regulate crypto

Charles 9

Re: Trust!

"Ochlocracy, a word I discovered listening to this interesting discussion about Xenophon"

In other words, mob rule, which inevitably degenerates into anarchy as people within the mob vie for power at everyone else's expense.

Charles 9

Re: "If you don't trust government...

""People should not be afraid of their governments. Governments should be afraid of the people""

Thing is, the government has nukes, and someone desperate enough will USE them, too.

Charles 9

Re: @Charles 9

"All are possible and known spy/surveillance technologies and I don't worry too much about that because it is expensive and time-consuming to do, that alone means it has to be targeted at important stuff."

No, the costs are FALLING because it's a whole lot easier than investing vast computing power into cracking encryption algorithms. That's a job best left to sovereign powers for whom money is less an object.

Internet of Car...rikey what the hell just happened to my car?

Charles 9

Re: It's our own fault

In other words, Security hurts sales which is why the only industries that do it regularly are those where it's a prerequisite (such as military industrial). And since there's a sliding scale between security and ease of use, not even laws or insurance pressure can help (because who cares about laws or insurance premiums if your sales tank and you can't stay in business).

Charles 9

Re: KITT is screwed, then.

"...fired when parked in a mid-floor of a multi-story..."

If you'll recall, KITT's heavily reinforced. I think it's managed to pull off escapes using techniques similar to what you describe, although I'll have to consult my KR collection to be sure.

Charles 9

Re: Standard

No, because it's the custom stuff (that makers will insist on for the sake of identity, otherwise why bother with more than one make) that will be the problem. All you do is move the target.

Latest Androids have 'god mode' hack hole, thanks to Qualcomm

Charles 9

Re: Towelroot refresh?

"There are ways to hide the root status from individual apps - I've used one with flawless success. Get xposed and you won't regret it!"

How when SafetyNet checks itself with an encrypted connection back to Google AND can upgrade itself through that same connection? We don't know Google's private key. SafetyNet can even detect /system-less root now.

Charles 9

Re: Towelroot refresh?

No, because thanks to SafetyNet, more apps are becoming root-aware. Rooting now has more risks than before, as apps you used before could balk.