Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Mandatory HTTP 2.0 encryption proposal sparks hot debate

Charles 9

Re: TLS needs to be fixed first

Like I said, ANY form of trust system (Trent, even the Web of Trust) can be subverted by a determined government agency (Gene). A large enough government can create a determined key-signing effort and subvert or compromise some of the identities.

To defeat two-factor authentication, first you have to assume the party has a second factor at all (if the conversation is international, that's iffy). Second, if one party is a company, then Gene has a single point to subvert: MITM the line people would call to get the second factor.

Similarly, for your Amazon web example, Gene can MITM all the public key displays, substituting their keys in the ads and relabeling their packages (remember, states have some of the biggest resources available in the name of security). OR they could use an insider to infiltrate and obtain Amazon's private key (some companies HAVE had their private keys compromised--that's how some signed malware slips through the radar).

Charles 9

Re: TLS needs to be fixed first

But at the same time you NEED the Certificate Authority to act as Trent in the Alice-Bob trust problem. Otherwise, they have NO way of knowing each is really who they claim to be. I think if Gene can target THIS Trent, they can basically target ANY Trent (even a peer-based Trent system by way of tactics similar to search engine gaming). Which takes us back to the problem: IS there a Trent that can't be beholden to this or any other Gene?

Charles 9

Re: 20 years late, but better than never

"I do wonder how many billions, if not trillions, of dollars/pounds/euros/renminbi/slips of Gold Pressed Latinum have been lost by unlawful interception of cleartext packets containing valuable information, whether by Governments, Criminals, Competing Businesses, or anyone else who has a vested interest in fraud or theft, when it could have been prevented in the first place by defaulting to HTTPS."

Probably not as much as you think as the spooks/malcontents already know how to pwn the endpoints where the encryption, by definition, has been removed. Since content must be plaintext to be useable, they just wait for that point.

Furthermore, the subversion of CAs has demonstrated that secure communications between relative strangers are pretty much impossible, as security theory can show. Alice and Bob can't trust each other because they've never met, so they need an intermediary, Trent, to vouch for each one. Gene therefore targets Trent instead. If we're not in a world of "Don't Trust Anyone," we're close.

'Only nuclear power can save humanity', say Global Warming high priests

Charles 9

Re: Nuclear energy is expensive

Since only a few kilos are needed for your average nuclear reactor, compared to TONS for coal, you're talking a reduction of mining, refining, etc. on the level of an order of magnitude. And that's Uranium. Thorium's ALREADY mined due to its proximity to rare earths (which BTW are mined for the wind turbines). Just need to fit in an additional step to get the Thorium out and work from there. And let's not begin with the petroleum industry which has had accidents and disasters of a whole different sort.

So, even WITH all the steps involved, is it one of the safest things human beings do? Given the alternatives, I can think of worse.

Charles 9

Re: "Got any other immediate options besides fission reactors?"

But most of the energy in the world is used by INDUSTRY, not residential or commercial interests. Take aluminium smelting. Electricity (and lots of it) is the only practical way to separate it from alumina, and demand for the stuff is rising due to its light weight (making it the best material for long-distance power lines, among other things). Then you take into consideration things like arc welders and so on that are basically driven by electricity. They're not going to go away anytime soon, and due to how they use the electricity, odds are you won't be able to make them any more efficient than they are now.

But back to people. China and India are rising nations, each with over a BILLION people. Even with high-efficiency appliances, sheer weight of numbers will add up.

Charles 9

Re: Nuclear gets my vote

Then as the saying goes, they're playing with fire, though it depends on the composition of the coal. Thing is, coal can naturally emit hydrogen gas as well as methane and propane. All three of these can combust under the wrong conditions, causing the coal pile to ignite. Indeed, this has occasionally happened in the coal MINES (they're the primary components of firedamp--it and coal dust are the two main agents in coal mine explosions).

Charles 9

Re: How much money is seriously spent on renewable research?

That's good in California when the highest demand is in the summer. But what about up north where it's the reverse (highest demand is heating--at NIGHT--in the WINTER when the sun is weakest)? Also, the biggest solar-thermal system about to come online (if not already) is slated to power about 100,000 homes. California is America's most populous state. Last census counted about 12 MILLION homes. We're talking an order of magnitude difference between what's being produced and what is needed. And this is just the United States. Let's not start with India or China, which are at least TWICE (China at least THRICE) as populous and with their own demands and legal hoops.

Put it this way. Unless green tech can produce a YOTTAwatt of power in fifty years time, we're going to need something else. And nuclear is the only one of the rest of the lot that's at least carbon-neutral.

Charles 9

Re: Nuclear energy is expensive

Chernobyl no problem, 56 dead people? You gotta be kidding.

Ask the people of Buffalo Creek, West Virginia and Stava, Italy. Two towns who lost well over 56 people each due to tailings dam failures. Tailings dams are a pretty-much-standard feature of coal mines.

"On the i5 next to LA right on the coast, there is a nuclear power plan that has been shut down by the government.

How come?"

You must be referring to the San Onofre Plant, which was shut down due to shoddy maintenance (a human factor). Thankfully, the American standards on inspections and so on are pretty tight. They CAUGHT the shoddy maintenance before serious problems emerged (also, the initial shutdown came as per protocol after a leak was detected--as per design). Nuclear is risky, yes, but good oversight is helping to MITIGATE the risk. We can further mitigate the risk by using better reactor designs that take such risks into consideration.

"Nuclear energy still has to be developed quite a bit."

So do wind and solar. Neither are ready for prime time. At least with nuclear, we have deployable designs that CAN fulfil current and near-future energy needs.

"There are new concepts like the TWR and others but they are far away."

Only due to regulatory foot-dragging. What's needed is political pressure to let the new designs go ahead.

"Fusion energy could be a great source of energy, once it does work. There are new scientific findings that may help plasma physics finding ways to control the fusion process much better and make sure the fusion process does not break down*. Maybe fusion one day is a great solution. Fission still is an unsolved problem."

It's more solved than fusion. We have viable reactors already in active use and plenty of new designs in the works. That's a whole lot more developed than ITER, and even if that works out (it's only 0.5GWT, your average fission plant runs several GWT), it'll be plenty of years before they're rolled out commercially. We need an answer RIGHT BLANKING NOW. And the answer needs to keep us going for about a half-century or so (and according to estimates, global electricity usage in 50 years will approach a YOTTAwatt). Got any other immediate options besides fission reactors?

Charles 9

Re: Mistake to use nuclear power

"Being chemically distinct from uranium and other fission byproducts, even contaminated plutonium has more potential for being made "weapons grade" than uranium does. Just because "breeder" reactors are a better plutonium source doesn't make plutonium from other reactors useless for weapons."

But a point of diminishing returns kicks in due to the costs involved getting the plutonium out of the toxic waste. Otherwise, Thorium wouldn't be considered safe, either, as one of ITS byproducts is Uranium-233, which CAN be weaponized.

Charles 9

Re: Let's include the insurance cost!

First, last I checked, most nuclear plants ARE insured. Second, since NO private company is willing to underwrite said insurance, government had to step in. It's easy enough to say you need private insurance, but what happens when none are to be found...at any price?

Charles 9

Re: Mistake to use nuclear power

So you're saying a Thorium reactor produces plutonium?

Anyway, while most uranium reactors do produce plutonium as a byproduct, most of it is too contaminated to be of use. The plutonium in weapons comes from purpose-built "breeder" reactors.

Charles 9

Re: controllable?

Except Generation IV reactors are built with fail-safety in mind. Many designs are containerized, meaning anything that goes wrong stays in the container and can be replaced (it also means a simpler concept of "changing out" reactors after specific duty cycles of a few decades).

Charles 9

Re: Marketing Change?

The same thing happened to the tomato as well (because it's related to nightshade). Thing was, poor Italians had little choice, so necessity taught them that, hey, you can eat tomatoes, and the rest was history. That's what's needed for nuclear to be pushed forward again: a whole lot of NECESSITY.

Web giants cry foul over US gov's refusal to budge on NSA spy gag orders

Charles 9

Re: StartMail Beta

To each point, I challenge:

- Who keeps the keys to the user vault? You and you alone? Remember, a master key was what nailed Lavabit.

- Neither forward secrecy nor TLS can do much against cryptanalysis: attacks on the PROTOCOLS using side-channel techniques. That's what led to BEAST and all the other secure-channel attacks.

- Again, the spooks are targeting the protocols, not the keys. IOW, they're not trying to get a key to copy; they're trying to secretly cut a way through the wall.

- May not be good enough. As noted, the NSA can already possess international shared-secret agreements with other nations. That can include the EU at large, of which the Netherlands is a member. Either that or the NSA can compromise those countries even against their wishes. I'm inclined to think the ONLY countries the NSA can't tap in some way are countries that are in turn beholden to ANOTHER, anti-Western state spook authority like the Russians or the Chinese.

Charles 9

Re: Clash of the titans

Well, the Internet is basically "Bend Over" territory. If neither of them are doing it, it's someone else like the Chinese.

NO! Radio broadcasters snub 'end of FM' DAB radio changeover

Charles 9

Re: DAB is pointless @Ben

I stand corrected.

Charles 9

To say nothing of the US which isn't even trying and is instead using a different scheme (HD Radio) which works IN the FM band.

That said, takeup has been slow here, too (you can retrofit an HD radio receiver into your car, but the demand just isn't there, and let's not start with portables), but at least they're not doing anything to the FM radio band anytime soon.

Bitcopocalypse! Top cryptocurrency can be hijacked, warn boffins

Charles 9

Re: Electricity is free if you steal it

"Sure, 10k slave machines would do some good. But what are the odds of the infection going unnoticed, when it is gobbling 100% of the CPU power, turning the computer in a home heater?"

If it finds slaves with viable GPUs, the malware can use the OpenCL cores to make these slaves increase the MHash output. Just a few hundred slaves with GPUs within three generations of present could even the stakes. Plus smart trojans can wait for low activity or nightfall to do their dirty work, making it less likely to be noticed.

As for the "other dirty work," it doesn't have to be either/or. Do that on the side as well. Malware diversification.

Charles 9

Re: Electricity is free if you steal it

I think some like Coinbase are still around because they play above board (Coinbase works WITH the banks). If the US comes calling for tax information, they'd probably provide it, keeping them in the clear. I used it to basically check out of Bitcoin when I personally noticed things were getting too dicey.

Google patent: THROAT TATTOO with lie-detecting mobe microphone built-in

Charles 9

It's hard to carry on a clear conversation using a mobile phone EVEN IN A QUIET ENVIRONMENT. Wind and breath, for starters. That's why throat mics. They're immune to wind and resistant to ambient noise, which was why they were used in World War 2 in tanks.

"Don't mess around with my body. Period." Well, don't put the bloody thing on. It's not like it's going to be permanently grafted under your skin. It's just a stick-on throat mic (the "tattoo" is actually temporary, like the kiddy "tattoos").

Charles 9

Re: How good are throat microphones?

Well, Panzer commanders used them to great effect in WW2. Allowed them to be heard over the noise of their tanks. The thing about throat mics is that even though your mouth shapes the soundforms, the whole waveform echoes through your skull and back down your throat.

A similar technique, IIRC, is used in the artificial larynx, used by people who have lost their natural larynx through disease or injury.

Forget invisible kittens, now TANKS draped in INVISIBILITY CLOAK

Charles 9

Re: El Reg, you got played

Besides, last I checked, radar tech is starting to move to multistatic installations, which can work more passively (meaning destroying the transmitter doesn't necessarily degrade the efficiency of the receivers) and actually turns current stealth tech against itself (because they normally work by deflecting radio waves--such craft would stick out like a sore thumb in a multistatic radar reading because they'll be blocking expected signals).

Acer suffers terrible let-down after unexpected withdrawal of Wang

Charles 9

Re: They should cut the bad quality and/or unsupported lines

I know people keep ribbing about netbooks, but I rather like the Aspire One I have, especially now with a triple-capacity battery on it. It's computing on the quick when I need it while not being too big to lug around all over the place the way a full-sized notebook would. I may switch over the OS in future, but for now, it's a case of something that isn't really broken--finicky at times (the resolution, mostly) but not broken.

Charles 9

According to my research, Acer trades on the Taiwan Stock Exchange, and this is their specific limit. Most trading markets have what are called "curbs" meant to prevent runaway activity (and note, the curbs usually apply in BOTH directions). These are applied across the board so are applicable to ALL stocks in a given market. It's not meant as a protection so much as a brake or a circuit breaker. If a stock really is behaving that bad, it will just continue to trade down in the next session, but if it's the victim of a fluke event or something they can remedy, the curb provides a little breathing room to let cooler heads prevail.

Alleged Peeping Tom claims First Amendment right to upskirt

Charles 9

Re: "up-Skirt" a general term?

For the record, a covert upskirt photo in a flat public setting almost always means a shoe camera (as in a camera fitted into a shoe looking out a hole in the top of the shoe) positioned between the subject's legs and probably in video mode to (1) prevent any clicking sounds and (2) improve the chance of a good shot.

This is generally regarded as voyeurism (as in attempting to gain an indecent view beyond barriers--such as doors, privacy windows, and in this case a dress--meant to safeguard privacy) and not protected by the First Amendment. Sounds to me like the voyeur is challenging basically on these grounds:

1. The restriction on laws prohibiting the freedom of speech states no exceptions.

2. So where does Congress get the authority (for that matter, where does Congress get the authority to prohibit "Fire in a Crowded Theater")?

Charles 9

Put it this way. If no nudity at all means you're fully clothed, and full nudity means complete exposure, then partial nudity means something that would be necessary for what we call "decency" is missing...but NOT ALL of it. A woman wearing only a bikini bottom, for example, is partially nude.

Charles 9

Re: Plead guilty, case closed.

The thing is the amount of exposure is at the person's discretion. If a woman feels bold enough to wear a bikini, then she doesn't care too much about showing leg. On the other hand, a woman in a full-length skirt or other very covering attire is basically setting the limits on what she wants seen. The choice of clothing suggests a person's attitude about exposure; should we not respect that?

Charles 9

Interesting angle, invoking rights clash. If this is pursued, it will be up to the judge to draw the line since although the photographer has rights, so does the subject. And unless engaged in mundane activity, precedent establishes that art with a human subject (photography is considered art in this case) requires consent on both sides: an artistic subject can request the work not be published.

---

"Yes, this is the kind of thing we spend our time on these days.....never mind all those other minor "things" going on in the world....Hunger, poverty, environmental disasters both natural and man made...."

Because most of these are not within the purview of courts. These kinds of things usually require legislatures. Good luck getting legislatures to take the long view.

Watch out spooks: STANDARDS GROUPS are COMING AFTER YOU

Charles 9

Re: Plenty of standards...

But you can't use a physical analogue in a virtual setting. For one thing, the adversary need only copy the ciphertext to lock it in a particular state of protection (which, according to your analogy, they'd then be able to whittle down). You basically only have one shot to get your communique through versus a resourceful and patient adversary, which means your message has to be able to withstand BOTH immediate AND prolonged assaults.

Charles 9

Re: Plenty of standards...

But how do ANY of these work against a state-level adversary who can get an inside track on the transport layer? They can learn almost as much from the routing itself as they can from the message: encrypted or not.

Charles 9

Re: The problem with email encryption

But what happens if Mallory or Gene have the inside track on one of the domains along the way? They can pick out the traffic BETWEEN encryptions that way.

Charles 9

But then you run into a security-vs-ease-of-use divide. Creating a turnkey solution that is nonetheless very secure has been hounding security researchers since before your average forum site required its own password. And that doesn't alleviate the issue of trust in the case of the security elements being subverted during the production stage. If we're really in DTA mode, how can a universal standard be established that everyone can use yet is not subject to corruption?

Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike

Charles 9

Re: Trust and Security

"You have to trust, but that needn't be a single entity. Security can be spread across multiple entities such that they *all* have to defect before your secret is known."

The thing about going against a STATE is that they could have the resources to subvert ALL of them. And even if one or more of them are foreign and outside that state's control, what about THE OTHER states? How can you establish any kind of trust when your environment has basically become DTA?

Charles 9

Re: Trust and Security

The problem arises when one of the parties is a "stranger" to the other. With no prior experience, there is ABSOLUTELY no way to prove Bob is Bob to Alice because there can't be a chain of trust without an anchor. That means Mallory or Gene can pretend to be Bob and Alice has no way of knowing the difference.

Well, that's part of the problem with the Internet. It makes it very easy to talk to strangers, and in fact a lot of e-commerce takes place between what we could qualify as strangers.

Charles 9

Re: Secure email

But then what do you do when the recipient has to be anonymous? How do you send an email with a blank envelope?

While the BBC drools over Twitter, look what UK's up to: Hospital superbug breakthrough

Charles 9

Re: More science less Twitter

Maybe that's because El Reg covered the phage research previously.

"Bacteria-chomping phages could kill off HOSPITAL SUPERBUGS"

Mobe-makers' BLOATWARE is Android's Achilles heel

Charles 9

Re: Bloatware

Probably more data than code. Odds are it's mostly an offline comparison database. It grows because more devices keep getting added.

iPad Air peels off in racy pics for wide-eyed geeks, reveals 'worst battery ever'

Charles 9

For the phone, most would point to USB battery bricks, which can hold more charge than any phone can and have the additional advantage of being hot-pluggable.

Charles 9

Re: Regardless of the facts...

I don't know. At least you can replace the battery on these things. Plus they have memory card slots.

Want to go to billionaire Sun kingpin's beach? Hope you're a strong swimmer

Charles 9

Re: Undermine his claim

Two problems.

One, most land grants also grant anything UNDER the ground, which means tunnels need rights of way from the property owner. Mining leases have the same issue: they need permission from the property owner.

Two, we're on the coast. That typically means a low water table. When you gotta keep water out, tunneling becomes that much trickier, which is why many underwater tunnels were built above ground, then towed to the site and SUNK into place.

FIERY DEATH awaits all who stroke mobes mid-flight? Nope, says FAA

Charles 9

Re: Always wondered how many *actual* incidents started this BS

But recall that most planes and ships have hulls...METAL hulls. These hulls can act as electromagnetic shields to protect against EMI.

But they're worth sod all against interference from INSIDE, and that's been the issue with the planes, especially the OLDER ones built before cell phones and the like existed, let alone were commonplace. As noted, placing a GSM phone against a running loudspeaker as it receives a call DOES produce noticeable clicks and the like, a clear sign of some RFI, and there have been a number of anecdotal stories about instrument wackiness being distinctly dependent on the function of a passenger's phone.

As noted, until recently, the FAA wanted to act with an overabundance of caution, but it ended up taking much too much flak for it, thus the about-face.

Charles 9

Re: Electronics can interfere with radio comms

That's one reason CALLS still aren't allowed. It's the GSM frequencies at issue. Meanwhile, most of the WiFi comms are well out of range in the 2.4GHz or 5GHz range. In addition, especially after 9/11, the cockpit partition should be metal, which should shunt any signals from the cabin. Plus the situation could be eased further with the installation of a picocell to steer calls (or at least phones) to a particular set of frequencies.

Charles 9

Re: Europe?

Yes, they loosened up some years ahead of the Americans.

Charles 9

Re: What's the new relaxed rules then?

The basic rules have become: "You know what, there aren't really any rules anymore." Basically, apart from cell calls (which have logistics issues outside of interference), you're free to use your devices whenever you want. Just remember your priorities and pay attention to the flight attendants. Their word is still "law" on the plane, but at least they won't pester you about turning off your devices unless they're annoying others or they need your attention for something.

Charles 9

I think the problem's not as bad as people make it out. The thing with being that high up is that you're going to get LOTS of signals...and not all of them in different frequencies. The tower frequencies IINM are carefully juggled for ground use, such that two towers that cross each others' ranges don't use the same frequencies. Thing is, when you're in the air, you'll get towers from so far away that you'll inevitably run into a bunch on the same frequency, meaning crosstalk. Odds are the GSM spectrum that high up is so jumbled from all the crosstalk as to be unusable.

Charles 9

Re: @Henry Wertz 1

I don't recall the hotspots having picocells in them as well, though I will admit it's not outside the realm of possibility. The trick would be relaying the calls, as satellite (which IINM is used for the WiFi) has a very long round trip.

We'll build Elon Musk's Hyperloop ... if you lob us ONE-MEELLION dollars

Charles 9

There is something to be said about SPEED, though. Getting from A to B faster than a train but with less hassle than a plane would be a boon, much as the automobile ("horseless carriage") gained fans when it started appearing at the turn of the last century.

Charles 9

Don't think so. HST (hyperspatial tube), maybe.

Charles 9

Re: Fast horizontal elevator?

Except you can pretty much say the same thing about a TRAIN, and the ride's longer.