* Posts by Adrian 4

2288 publicly visible posts • joined 18 Jul 2009

Unbreakable smart lock devastated to discover screwdrivers exist

Adrian 4

tamper-proof screws aren't

Not sure I can blame them for using Phillips screws. There are various screwheads around that are claimed to be tamperproof, but really they're just mildly inconvenient.

Many of them have drivers available in a kit from your nearest poundshop (where available) and those that don't can usually be defeated by hitting a cheap chinesium screwdriver so it moulds itself to the screwhead.

In short, they're worthless : tamperable by anyone over the age of 2 and most certainly by someone with an inclination towards overcoming locks.

Meet the Frenchman masterminding a Google-free Android

Adrian 4

Re: Banks

@DougS

You're missing the point. There is, perhaps, a statistical possibility that a rooted phone is more likely to have malware. But it's not certain, and the opposite could also be true (phones more likely to be rooted by people with a clue). I suggest figures, rather than supposition, are desirable here.

But the real point is : an unrooted phone isn't free of malware. NO phone is guaranteed free of malware. If the app isn't secure when running in a rooted environment then it isn't secure running in an unrooted environment either, and assuming that it is, is just painfully shortsighted.

The app has to do its own security. Any reduction in security created by the owner giving himself root privs is lost in the noise.

Adrian 4

Re: Pipe dream

Good thing the people who built Open Street Map weren't as short-sighted as you.

Adrian 4

Re: Banks

Why would you want to detect rooting ?

Any app that relies on the OS security to protect itself is insecure by design. The OS can't be trusted, because there's no way to know whether some other malware has found a way under it.

If you consider that an app can't be built that is only secure on a secure OS, you may well be right (as in the old mantra of 'physical access is game over'), but that doesn't make any difference. There is no such thing as a secure OS, and rooting most certainly isn't a reliable indicator of insecurity.

If your bank insists on non-rooted phones to run their apps, they are incompetent. Don't use those apps even on non-rooted hardware, let alone rooted.

Adrian 4

I don't think keeping up the standard is so hard. I'm finding Gmail less and less reliable : it gets stuck, crashes, is harder to use.

The bar is falling, not rising.

Universal Credit has never delivered bang for buck, but now there's no turning back – watchdog

Adrian 4

Re: hmm

You forgot cheaper. It would be cheaper to just hand out money than it is to mismanage the attempts to control it.

Adrian 4

Re: The government position:

Oddly enough, they already do run the rail systems. After a fashion.

The 'rail minister' who cut all the high-speed commuter services from my local (Thameslink) line, but fucked up and didn't provide even approximate replacement services has had another go. And fucked it up some more.

Visa Europe fscks up Friday night with other GDPR: 'God Dammit, Payment Refused'

Adrian 4

Re: Cashless society

Simultaneous identical ( or complementary) hardware failure on all their backups ? Wow.

Bad luck's a bugger. Really hurts when it hits, eh ?

Obviously there wouldn't be a single point of failure or a domino crash in a professionally-engineered system. So maybe it was done by amateurs, or worse, accountants.

Smart bulbs turn dumb: Lights out for Philips as Hue API goes dark

Adrian 4

Insecure

I've discovered a huge vulnerability in TV sets from almost every manufacturer. Apparently they use an unencrypted, openly known (and often documented) broadcast method to control them.

You could be subject to sniffing attacks that determine your choice of TV viewing, traffic and content analysis that determines which of your family is near that TV, remote command attacks that could change channel and influence you politically or present a fake channel instead of one you thought you chose. Selection of paid content while you're not present. Denial of service.

All this with just line-of-sight access to your window : no need to tap infrastructure, you can do it from a van in the road, a handheld appliance from across the street, or a laser from the next block of flats. Cost of entry is low using Arduino-level hardware. Cheap products have been on the market for years to facilitate some attacks. For extra fun and on-topicness, I can imagine a remote attack via a compromised light bulb. PoC needed.

ps. I don't watch TV any more and never leave it in standby if my partner uses it. So I don't care. Perhaps you don't either. I made this post because you don't have to be on the internet to be a victim of remote control device takeover. Moaning about IoT failures like they're a new thing and the result of people using unnecessary technology is valid, but 50 years too late.

Adrian 4

You can even do that with a gas or oil lamp. No need for pesky unreliable mains services. Get orff my lawn.

Everyone has their own choice of a tradeoff between convenience, complexity and risk. You make yours and I'll make mine. Fwiw, that means mechanical switches for me too at the moment too, but there are some cases where I'd be glad of a different method provided it met various criteria.

I'm getting bored with the anti-ioters. Nobody makes you use the things. Some of them (most of them ?) have flaws. So what ? Fix them, or ditch them, or push for something better and move on. But don't tell me what I should think. I can do that myself, thank you.

Adrian 4

Re: What A Time To Be Alive

It's partially good design in having local control (does Nest have that ? I'm not sure). But it's bad (read : venal, customer always comes last) to tie the remote service into a single point of failure.

Of course, most customers want it in a box and no thinking. I'm sure Philips have done a reasonable job on that or they'd be on the remainder shelves already. And they're not : I tried to get one in the Maplin firesale but they all went before they'd dropped to retail price. So they're an attractive item, for whatever reason.

A reasonably professional IoT device though would have :

1. Default fully-local control (not set it up on the net then fallback to local. Full.)

2. A provisioned service from the manufacturer, secure, reasonably reliable, easy to use. 'Free', paid, whatever as long as it's clear upfront. Points off for 'free for the first year'.

3. The option to move the remote control from the manufacturers' service to another, whether your own or a 3rd party. Documented, secure, no opt-out cost. Possible even if the manufacturer's servers fall offline one day and never return.

I don't honestly know whether Philips or Nest offer that (I wanted a bargain offer to find out!) but anything less than that is just junk or, worse, a scam that deserves the full scorn of the anti-IoT peanut gallery.

There have been a few people doing studies of IoT devices with an interest in security. They don't generally do a good job of also evaluating threat models, they're more interested in the publicity of 'I found a hole'. But it seems to me that such a review should also examine business models.

Update : just saw MartinB105's post. Philips appear to be pretty close to the above. ++

Softbank's 'Pepper' robot is a security joke

Adrian 4

Re: too much security

You've made a big assumption there. That the toy is on the other end of a routable internet connection. Sure, if that's the case you deserve everything you get.

Clue : Having an IP address doesn't mean you're open to the internet, any more than having your bedroom door open means you're welcoming the public in.

Why on earth would you put an unknown device on your internal network without firewalling it off ? Security belongs at the borders. That's why you don't need to care about the internal security of these devices - because if your network allows them incoming or outgoing access you've lost.

Expecting any vendor - especially malicious ones - to do your security at the device level is silly. A toy isn't going to be as hardened (or as trustworthy) as a gateway router so why even waste your time testing it ? Put the security where it's under your control, not the toy manufacturer's.

Adrian 4

Re: Password == root???!!!

Better still, a completely random password

Adrian 4

too much security

I'm starting to get the impression that some of these 'security researchers' are just making a mountain out of a molehill for the sake of publicity.

Not EVERYTHING has to be secure by design. Especially things that are toys, or research tools.

I've got a drawerful of sharp knives in my kitchen. Someone could easily break a window, climb in and kill me with them.

I've got a garage full of tools to help them break in. A gas pipe full of gas to set a fire with. A water tap that could be used to construct a DoS moat. A piggy bank that can be robbed just by dropping it and stealing the £5 that falls out.

Get a grip folks. If you're going to pick faults in things that don't actually need to be secure, at least write up a decent abuse scenario and risk management strategy. So we can decide if we actually give a ff.

As Tesla hits speed bump after speed bump, Elon Musk loses his mind in anti-media rant

Adrian 4

look at the great log in your own eye ..

You do know that's pretty much how the rest of the world sees journalists / media etc., don't you ?

They're only no longer at the bottom of the pile because politicians, estate agents and lawyers have been doing their damnedest to get lower.

We do remember the occasional journalist who did something useful so there's kind of a hope that you'll beat down the Daily Wail element and drag yourselves up by your bootstraps.

But get on with it, k ?

President Trump broke US Constitution with Twitter bans – judge

Adrian 4

Imagination

Awesome imagination you've got there, Kieran.

Hope it's not disappointed.

Adrian 4

Re: A ruling full of holes that will go nowhere

It's a decision by a judge. Generally given their post by noting that they're intelligent and knowledgeable about the law.

Unlike POTUS, which is mostly about being newsworthy enough to attract votes.

If the decision fails to stand, it won't be because it's stupid. It'll be because politics doesn't respect justice.

Astronaut took camera on spacewalk, but forgot SD memory card

Adrian 4

Re: The man is 53, for god's sake!

Regardless of his age / senility etc. - it's unlikely he expected to have to check out the camera before using it. Would have been just a piece of kit supplied by NASA - while it might be familiar, you wouldn't expect him to check and maintain every bit of crap. He's supposed to use it in accordance with the mission plan. If the plan doesn't say 'check batteries, SD card' then he's got no reason to do that.

If NASA wanted him to take it outside and take pictures, they should have prepared it to do that. I very much doubt the astronauts have a supply of SD cards for putting in various things.

Of course, he MIGHT have ignored the instructions, thinking it was just a gopro and he knew how to use it. In which case he's probably not going to survive many more missions. I very much doubt that happened.

Blood spilled from another US high school shooting has yet to dry – and video games are already being blamed

Adrian 4

Re: Early information

Regulate ammunition supplies.

For personal protection, you don't need more than one reload. If it takes more than that you've lost.

For agriculture (most likely a shotgun), licences and appropriate storage can handle it.

For target shooting, the shooting range can control it.

For gun-nuts with a huge cache 'because' - prosecute.

Avoid a rampager having a big enough cache to shoot more than a few rounds and the problem will be less.

IP freely? What a wind-up! If only Trevor Baylis had patent protections inventors enjoy today

Adrian 4

Patents

I would have more sympathy for the patent system if it was usable from both sides.

It should be simple to register a patent and defend it successfully against infringement.

It should be simple to determine whether an invention infringes an existing patent.

At present, I think it's weighted toward defence - although that can still be costly. But I don't think it adequately allows for searching, and can be abused to make it specifically difficult to find a relevant existing patent.

Shining lasers at planes in the UK could now get you up to 5 years in jail

Adrian 4

Re: RE: Dodgy Geezer

Fit corner reflectors around the cockpit.

Make masses carry their mobes, suggests wig in not-at-all-creepy speech

Adrian 4

Re: ID Cards and enforced bio-metrics

The objection to them is the idea that $authority would demand 'papers please'. If there are no papers, there can be no demand.

Robo-callers, robo-cops, robo-runners, robo-car crashes, and more

Adrian 4

AI journalist

Did AI write the article ? Or just someone very tired and emotional ?

Adrian 4

Re: Atlas

Or stride / leap over instead of stopping and jumping.

But tbf, a five-year-old human would do just the same.

Glibc 'abortion joke' diff tiff leaves Richard Stallman miffed

Adrian 4

Re: Stallman

@itfoobar

You forfeit your right to contribute to this debate due to your error.

https://en.wikipedia.org/wiki/Ad_hominem

Adrian 4

I can agree with that.

But before we ban something on the grounds that we don't want to try to upset anyone, perhaps we should determine whether, in fact, it does upset them.

Adrian 4

Re: Shouldn’t quality and professionalism be the issue?

@CheesyTheClown

Where I come from, clowns are supposed to be funny.

So I assume your ridiculous and unhuman opinion is a troll.

Password re-use is dangerous, right? So what about stopping it with password-sharing?

Adrian 4

Re: Bad Idea

You've got it the wrong way round.

If you want to be protected from prosecution, don't try to prevent other people posting as you. Positively encourage it. Then the host of dodgy characters can unwittingly claim to be Spartacus.

Adrian 4

Re: too much effort...

Hardly a problem if password theft is common.

In fact, using the password 'password' is probably a good way to claim reasonable doubt of your identity.

Adrian 4

Re: Password Managers?

I agree about being unusable.

But secure ? Why would you believe putting all your eggs in one unregulated basket is secure ?

If you use them only occasionally as a backup reference like the gentleman upthread, why use an application of unknown quality when you can merely encrypt a text file using some well-verified algorithm ?

Google Pay heads for the desktop... and, we fear, an inevitable flop

Adrian 4

I think downvotes are mostly like/unlike substitutes. They're used when someone objects to your whole stance, as against racists. Or because you got upvotes, and they didn't.

You're more likely to get a comment when the response is thoughtful (and perhaps corrective) rather than just argumentative.

Personally, I think downvotes should be allowed only with a comment to justify them. Upvotes are ok, because they're just 'me, too's.

Adrian 4

Similarly, I find getting a card to the reader is easier. Carrying a card is lighter and less prone to battery failure than a phone. A card is completely waterproof. I carry a phone in a trouser pocket or backpack, and being bigger than my wallet it takes longer to extract.

I do find NFC payment very much faster than chip-and-pin, which can take up to a minute, I presume because it's using dialup in some form while NFC is perhaps always online. This may be more of the reason for your satisfaction with apple pay than the terminal-to-card comms : the backend is on a faster infrastructure.

Not arguing that you're wrong : just that different habits and lifestyle can make one or the other better for someone. No person's opinion is everything.

Adrian 4

Re: As for mobile wallets...

The first Android I bought had NFC. As did a Nexus tablet. The two subsequent ones didn't. No phone cost more than £120. I'm assuming it hasn't really caught on except in the 'do everything' phones in the upper part of the market. Which means it's far from essential and probably always will be.

Is your gadget using secondhand memory? Predictable senility allows boffins to spot recycled NAND chips

Adrian 4

Bathtub curve

Perhaps it will also help weed out the chips that haven't been properly tested past their infant mortality phase.

Fork it! Microsoft adds .NET Core 3.0 including Windows Desktop apps

Adrian 4

Re: What a mess

In the foot ?

Head, more like.

News of its demise has only recently reached the feet.

Zombie Cambridge Analytica told 'death' can't save it from the law

Adrian 4

Re: Pass out the torches and pitchforks!

"Once again, that was an OPEN REQUEST to invite FB friends into activities. Which has been pointed out to you every time you bring that one up. CA has been found to have been quite a bit less open about its doings."

Yes, but Mr. BJ is an American rightwinger. (yes, the extreme leftwingers are pretty much as bad).

He's not interested in the truth. He's only interested in being right (in both senses).

He assumes that if he keeps repeating something it becomes true.

In a more reasonable culture where people don't get excited about mere politics, he just marks himself out as a loonie and is ignored.

Admin needed server fast, skipped factory config … then bricked it

Adrian 4

I remember filing a 25-way D socket down to fit the 23-way plug that was the Amiga's video output.

FCC shifts its $8bn pot of gold, sparks fears of corporate money grab

Adrian 4

Re: Surprise

Are you still taking the dried frog pills ?

Sir Clive Sinclair dragged into ZX Spectrum reboot battle

Adrian 4

Re: Build your own

Build-your-own sounds much more fun than buying a faked-up copy of something that wasn't very good in the first place and will look even poorer in the context of current technology.

I can totally understand the desire to collect retro technology. I myself have an unfeasibly large range of 1980s calculators. But I don't understand the desire to own a copy - neither original nor up to date.

Pentagon in uproar: 'China's lasers' make US pilots shake in Djibouti

Adrian 4

Re: auto-darkening lenses

Perhaps because the danger is overstated ?

Pilots may well be frightened by seeing a laser flash but it would have to have an awful lot of power - far more than a laser pointer - to contain eye-damaging brightness after a few hundred meters of divergence and, especially, diffraction through the curved windscreen.

Temporary bright spot on the retina, maybe. Perhaps even enough to seriously affect the landing, so certainly not safe.

Actual permanent retina damage, no. A flare, strobe, photo flash or spotlight likely to be just as dangerous. Where do you stop with the banning ?

Adrian 4

Re: Binding Protocol?

@Malcolm Weir

Pretty sure a C-130 can carry enough to 'rain' almost anything.

Even a C-130 full of rainbow ponies wouldn't leave much alive underneath.

IT systems still in limbo as UK.gov departments await Brexit policy – MPs

Adrian 4

Re: Te plan is...

Who was it proudly proclaiming there was no Plan B recently ?

And is May attempting to outdo it by having no Plan A ?

Adrian 4

Re: Shock

A majority of voters did indeed vote Brexit.

For some (unknown) value of Brexit.

Even Teflon May makes fun of it with her recursive definition as she slips and slides whichever way the wind seems to be blowing.

Adrian 4

Re: How much

Yea, but we'll be saving 350 billion euros a day ! So it's cheap !

Adrian 4

Re: Excuses Excuses.........

Hey, downvoters - think again. Did Nano nano's sarcasm go over your head ?

And nano, you're not supposed to stack prefixes like that. The word you want for 10^-18 is 'atto'.

Adrian 4

Re: Excuses Excuses.........

They admitted to a fuck-up (really ? or perhaps an intentional but unjustifiable campaign against a sector of our own nation ?) only when it became impossible to continue to lie so blatantly.

This is the stuff our politicians are made of.

Adrian 4

Re: Who smashed up the house?

Yes, though Gordon Brown is far too recent a watermark (and possibly a poor one - his main fault seems to have been that he didn't handle the media well).

I can't remember a competent minister in my entire life, and I'm not far off retirement age. Perhaps I missed one pre-Thatcher, I wasn't really aware of their faults before she dispelled my parents' belief in the Conservatives. But although there may be a few competent MPs, they're all culled before they reach newsworthiness.

Windows Subsystem for Linux is coming to Windows Server

Adrian 4

Re: Obvious outcome

And once you spend all your time in a Windows-hosted Linux container, what's the benefit of keeping the Windows host ? It's redundant.

Adrian 4

How do you invoke it from bash ?