Posts by Robert Carnegie

Re: Turing -> von Neumann -> Intel et al

Make sure that the compiler doesn't optimise your key value to 000000000000 ;-)

Re: Turing -> von Neumann -> Intel et al

The theoretical Turing machine has only one form of storage, an infinitely long tape.

I may get a lot of this wrong, but I think it's been proved that any computing task and computing hardware is logically equivalent to one Turing machine with enough tape.

Now... hypothetically, a more elaborate Turing machine, with a tape for programs and another tape for user data, would not have this security problem.

But it also would be logically equivalent to a basic Turing machine with one tape. So that actually can be secure... theoretically. I leave details to be worked out by the student. :-)

Nothing seen on my phone, I may have slept through it and/or it disappears after a time. I'm in Scotland and on Pay When You Go.

I suppose that remembering words instead of numbers is not a helpful suggestion.

Boris (5), Johnson (7), 4, 1, 7.

Re: What?

It seems from the description that you are to plug in the security key only when prompted for it. Software can't really do that. On the other hand, ... I started that sentence yesterday, and I've forgotten what was on the other hand. Does anything come to mind?

Ah - probably that I may as well mention how tiresome it is when a USB port or plug wears out, and so what a good idea it is to use a detachable hub on your PC or laptop, so you are mainly wearing out the ports on the hub, which is cheaper to replace.

And yet... that undermines my first point, but to not help bots out, I won't say why. And if you see it... the same should apply. Thank you.

Anyway, I assume that Cloudy tells the web site that you're a human, but not which human. And possibly most of your internet access goes through Cloudflare already, so they are able to have a pretty good idea of who you are if they want to. But why would they want to?

Re: Hardware dongles?

I could be talking nonsense but I thought I read that the typical CAPTCHA just puts up one box to say "I'm not a robot" and watches mouse movements until you click on it, humanly. Only if that's doubtful does it start to ask for more proof. But I am tapping on a touchscreen tablet. It still usually works, though. Maybe it watches for you typing like a human, too.

I don't know what a deaf and blind user uses for computing on, but I expect that that device identifies itself as what it is. A catch would be if a billion hackers run a simulation of the same type of device.

An alternative is user password as authentication, but that has its own issues.

Re: What's old is new again

For each horse or carthorse whose owner used to get very drunk at the pub and then let the beast take him home without direction from him, there's one that got startled by a rustly newspaper and killed someone.

I gather there is a driver-present sensor and I gather it can be defeated, if committing suicide and claiming your life insurance (if you see what I mean, and, hypothetically and for instance), is your plan. Didn't some researchers manage it the other day, not these ones I hope... A sack of potatoes in the driving seat would be suspicious... but there are some trick crime fiction stories where the suspicious object is made of ice... how about an ice mannequin?

Re: I did something similar

I mostly see "Nigerian Prince" e-mails where my contribution is to be used to bribe people to divert money our way - in other words, to commit a crime myself apparently. I suspect this is to discourage me from going public when I realise I was the sucker.

Of course when you've been warned or you have seen more than a couple of these messages where you are the one person from a million that they chose to invite, then you don't fall for it anyway.

Re: "They all still think that the attacks have poor grammar and spelling"

You'd be all right with us. We get our "internal" invite to security training sent from companyname@penetration-education.co.uk and our regular staff satisfaction census from Pollcat.com. Absolutely no effort to make them look like genuine communications from management, which apparently they are.

Meanwhile, an online retailer's third party hosted customer survey received my impressions of the service, positive until that point, but did not receive my name and address for an alleged chance to win a substantial shopping voucher.

Re: Unfortunately,

BBC's "Moneybox" has been covering recently that fraudsters can fake the caller ID number. As most of us knew already.

Re: Don't click external links...unless they're ours

Phish them back. Nothing too malicious, just direct them to a web site that plays the Monty Python music at top volume and can't be closed. Explain this specifically in the boring bit of the e-mail that they won't read, so they were given notice.

Re: But isn't this what (real) criminals would do?

If your CEO's password to the web mail portal is "number1ceo" then it's perfectly possible for e-mail from her actual account to be spam or spearphishing.

My work e-mail is text only - my choice - and I mousepoint at any URL in it to be shown where it really goes. But that can be disguised, too - funny character sets and do forth. So mainly I let someone else try first...

Re: "run vaccine checks on the status of random people with no authentication"

You could have done a lovely picture with your thumb in the front.

Re: There is no UK vaccine booking website

That's what it says now. But it also refers to "Jane Brit". Anyway people cross the border... or, used to.

However, it is only an issue if you go in without your NHS patient number. Unless that is equally open.

It doesn't know about me. I checked.

I got an NHS Scotland letter in a blue envelope which provided me with a secure-ish login code - name and PIN basically. However, using this online (vs by phone) entailed working out which Health Board area I am in, which is often a bit difficult. I suppose I could have shopped around.

I understand also that after telling everyone to expect their blue envelope, it turned out that the blue envelopes weren't ready... nobody's perfect.

Re: But aren't they required by EU law?

Ah, that does make sense. Thank you for taking the time to explain. You now have an up vote. ;-)

I suppose that for "legal" reasons, if your stuff is public although not looking for attention, then you may want to have another disclaimer anyway, like "This information isn't guaranteed. If you rely on it and it goes wrong, too bad for you. ;-)" I get stuff wrong...

Re: But aren't they required by EU law?

I downvoted because you didn't give a reason to have adverts on a web site that apparently only you use, intentionally. As for consent, since it is your web site, presumably you already consent to everything that it does.

I suppose that I could find your web site, accidentally, if Google knows about it. If it is a hosted Wiki, for instance.

Then you would have to have consent control on any feature of it that amounts to me providing information to the web site, instead of the other way around.

Otherwise, I suppose that "Authorized users only" and a login or PIN prompt as the front page would be enough to legally keep me out and let you in.

That just leaves that (1) running a web site may be not your main job or skill set and some of this stuff can be hard, and (2) what if you are temporarily working at the hardware key logger factory in the testing department.

For (2) you could create a separate account in your web site, stevie_when_at_keyloggers when you log in from that job.

For (1) you could just put all the data for your personal use onto Facebook and let them do the admin. But then using that in the workplace may be frowned on.

Re: I don't care about cookie warnings

Is that the "I don't care who in the entire world knows everything that I do on my computer" version?

Re: This.

I think you'll find, all the cookies are pre-allowed unless you select to choose what to allow. Even when choosing offers you then Yes, No, and No by default.

And I read those carefully just in case it is No to Necessary cookies and Yes to All the targeted advertising. Or in case they have a new name for it like "Facilitated communications" that turns out to mean "We sell your browsing history to criminal transplant organ dealers".

Re: This.

A site could assume no consent if you are not clicking from one page to another, and not bother the user. They choose not to do that. (I'm thinking once you use an internal link on the web site, that would be the time that you discuss the relationship.)

A site could install rootkit software on your computer and capture everything that you see and do from then on. It is very illegal to do that, but they could.

They could fill your computer with cookies but that's also illegal in the EU, and presumably in the UK for now.

They can refuse service to EU users. That happens.

A broadly standard design offers "Cookie me lots" and "I have reservations" buttons. Click on "I have reservations" and you may get a small list of yes/no options to set, an "I've decided" button, and "Cookie me lots" is still there too, which isn't fair. I've even seen over 100 buttons to select or reject each of a web site's advertisers. That is usually enough for me to leave. You can almost guarantee that some of the 100 buttons no longer work.

Sites where I refused consent often ask me again some time later. A cookie nominally has a defined lifespan, expiry date, and presumably, refusing consent puts a "Refused" cookie in my browser, until it expires. I haven't examined that, but I think it may be a month lifetime, or less. And of course I also get the prompt in a different browser or a different PC. They could make it fifty years, but they don't. Maybe it's fifty years when you say Yes.

The Opera browser, which I use, has a mode since 2019, happily optional, to consent automatically to these cookie requests. Yes to everything, unless I misunderstood the announcement. Vida Vivaldi, though I'm sticking with Opera for now.

Re: New PlusNet router

I use alphanumeric symbols in passwords ... that's OK as long as you use enough. I think I recall that you can use an arbitrary length English characters phrase for wifi security and it gets hashed. So you could use this paragraph. Not now, of course.

If a service insists that funny characters ARE added, then I reach for fullstop . or exclamation !

After an upgrade to an e-mail service I use, I was notified that while my password remained the same, now I must type it lower case. Hmm.

Re: Lies, damned lies, and statistics...

It's puzzling and the research or the article may be simply wrong, but a reading that makes more sense is that if God had made Her mind up and made it known, then the matter would be decided.

Which way is still unclear; the God of Jerusalem wants all nations to come together there (which historically hasn't worked out well), the God of Babel wants us to be divided and uncooperative.

Re: expanding the readership

I keep wanting to find out what Northern Ireland thinks of Orange Catholicism.

One or more of Arthur C. Clarke's futuristic novels featured a religion called Chrislam, which sounds like a bad idea by the second syllable. I think it used virtual reality indoctrination, you could visit heaven, like being inside a Jehovah's Witness magazine. And they were either against space travel generally, or against stopping colossal asteroids crashing into the Earth and killing everyone, specifically.

The spirit of Prince Philip reportedly has gone back to the South Seas. They covered it in BBC World Service documentary series "Heart and Soul". Good luck praying for his bountiful return to our cold, wet, windy island instead of the nice warm sunny ones he gets to preside over.

Re: Religion in the UK?

The article carefully distinguishes between Churchgoers (mostly Remain) and Anglicans (mostly Leave). Churchgoing Anglicans appear to be a contradiction in terms and, obviously, a minority.

That Boris Johnson is a bit of a Henry the Eighth, isn't he? Bastards. He's got lots of them. No one knows how many. He also has several illegitimate children.