* Posts by Velv

2756 publicly visible posts • joined 21 Jan 2010

IT contractors raise alarm over HMRC mulling 'one-month' nudge onto payrolls

Velv
Boffin

Re: Long overdue

"bring a nice boost to the coffers"

Impossible to tell until anything official is announced. Rule changes could result in a substantial reduction in spend by businesses, thus reducing the market and subsequently increasing unemployment.

Freelance workers are used by business as it is economical from the business perspective, not because they're trying to reduce money flowing into the treasury. If the cost of doing business rises, money into the treasury will fall.

TalkTalk to swallow £35m ‘financial impact’ after attack

Velv
Coat

T&Cs that people are tied in for 12 months. I suspect Dido is about to find out just how easy it is to get rid of people without waiting the full 12 months...

Velv

Re: Contracts?

Haven't been able to check the TT T&Cs, so can't validate if it's still the case, but most of the fixed line operators had a condition that after the initial 12 month contract, you transferred onto another 12 month contract, not a monthly rolling contract.

There was a stooshie about it a couple of years ago for BT, but I doubt it was properly resolved, so most long term TT customers are probably on yearly rolling contracts (as I say, I wasn't able to verify, hence my suspicion it's still the case).

What the Investigatory Powers Bill will mean for your internet use

Velv

Re: Can my ISP determine which of us at home is accessing a certain site?

Far simpler than that. A simple profiling of the websites visited is likely to indicate which users are online from a single IP, as most of us multitask in a repetitive fashion. Who visited Peppa Pig website and who visited the Bullingdon Club website are likely to be two different members of the family...

DC judge rips into the NSA over mass surveillance

Velv
Terminator

Just as the US is getting its provisions slapped down, the UK is pushing to bring them in.

LOOK AND LEARN PEOPLE (politicians). The people won't allow it. You are not defending them, you are subjugating them. It will end badly. You will be out of a job, and no longer under the spying protections you are trying to enforce (Wilson).

Judge bins Apple Store end-of-shift shakedown lawsuit

Velv

There's all sorts of reasons people may need to take a bag to work. Half the population might want to bring something to work discreetly roughly on a monthly basis, and there's all sorts of medical or other personal reasons someone might bring a bag.

Apple needs to take note. Pay the staff for the time, expedite any search, or provide a secure bag storage location outside the "shop" areas. Apple's right to take a search line against thefts, but it can still be done with respect.

Flying drug mule crashes in Manchester prison

Velv
Big Brother

Clearly we need a law banning the ownership of flying devices except under strict license from the Government. All existing devices must be registered, and the license must be produced for all new acquisitions.

</KneeJerkReaction>

Just wondering when this will be proposed in Parliament. I'm predicting before the end of 2016.

Trident test-shot startles West Coast Americans

Velv
Boffin

"tests are classified prior to launch"

But NOTAMs by their very nature are not. So some people knew something was happening, as they don't close the airspace that often.

Velv
Alien

Re: A likely story...

"now, can you please just look at this little red light".

Drones are dropping drugs into prisons and the US govt just doesn't know what to do

Velv
Joke

Re: Easy! Just ask the guys over at Marriot

Or just move the prisoners into the Marriott. Do them good to suffer from some hardship for a change!

(Yes, yes, Merkin prisons are not the hotels UK prisons are, it's a joke)

Read the Economist last weekend? You may have fetched more than just articles (yup, malware)

Velv
Joke

"Malware disguised as an Adobe update"

So that would be malware then...

Apple's iBackDoor: Dodgy ad network code menaces iOS apps

Velv
Facepalm

" they must affirmatively bypass Gatekeeper"

So the walled garden has a gate that anyone can open as long as they're responsible and close it behind them?

TalkTalk claims 157,000 customers were victims of security breach

Velv
Facepalm

Re: grrr

Given their inability to get anything right to date, what's the confidence factor in them getting the right statement to the right people safely...

UK's internet spy law: £250m in costs could balloon to £2 BILLION

Velv
Big Brother

So just what are they storing?

The claim is that "it's like an itemised phone bill", so each individual call is logged to the target number.

So sticking with that analogy, they are going to need to record the metadata for every fetch of an item on every page visited. Since a single page may fetch from several different sites there's going to be a lot of metadata to store.

And Big Brother Watch, they may only be recording the site and not the full URL, however since each page often pulls content from other sites, a fingerprint database of distinct pages is highly likely to be created, thus just by the pattern it will be possible to determine which page each user visited, not just the site.

How much do containers thrash VMs in power usage? Thiiiis much

Velv
Boffin

So what happens when your host running containerised apps is itself a VM?

TalkTalk offers customer £30.20 'final settlement' after crims nick £3,500

Velv
Childcatcher

Presumably now TalkTalk have identified which 157,000 customers had their details stolen they will know if this customer was one of them.

Perhaps the theft was unrelated to the TT breach (doesn't excuse it though).

But don't let the truth get in the way of a good headline...

GCHQ 'smart collection' would protect MPs from spies, says NSA expert

Velv
Big Brother

"...ensure that constituents and whistle-blowers can contact parliamentarians without fear of being spied upon".

without fear of being legally spied upon - fixed it for you

MPs launch 'TalkTalk' inquiry over security of personal data online

Velv

MPs to examine how ISPs store personal and sensitive data, on the day it's proposed to make it law for ISPs to store more personal and sensitive data.

Oh, the irony!

Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands

Velv
Big Brother

Sounds like a good week to be a non-EU based provider of VPN services to start selling your services in the UK

At Microsoft 'unlimited cloud storage' really means one terabyte

Velv
Boffin

Re: PR Disaster Looming

In fairness, Unlimited was unlimited, but now they're stopping offering an unlimited service and only offering a limited service.

Agree it sucks if you've stored more than 1TB and need to find a new home for it, but it's not the same marketing push from Unlimited* mobile services (*subject to any arbitrary restriction we want to limit you with)

Vodafone UK blocks 1,800 accounts after 'external source' accesses accounts

Velv
FAIL

Re: CC last 4 digits?

If valid credentials are used to access the account then there is nothing wrong with the last four digits of the CC being presented, or the phone number.

You do expect to be able to see your own phone number when you login to your account don't you?

And PAN masking according to PCI DSS permits certain blocks to be presented for validation. Doesn't mean the full PAN is available.

Have a Plan A, and Plan B – just don't go down with the ship

Velv
Boffin

Don't forget about the less obvious mandatory items: People need to eat, sleep and poop.

What facilities are available for your staff while they dig you out of a hole?

How do they get to the site, is there public transport or parking? Have they got cars? Do you need to hire cars, or run buses from somewhere else? Do you need to provide nearby accommodation? Is there food on site or nearby? Is it open 24/7? Do you need to go to Tesco every day and buy 2 dozen mixed sandwiches? Is there somewhere away from the work environment they can chill for 10 minutes? And are there enough toilets? Sounds crazy to consider, but if you turn up at your DR site with a dozen techies and there's only one outdoor portaloo, things are going to get messy.

Time Lords set for three-week battle over leap seconds

Velv
Headmaster

Re: Why stop there?

"Napoleon tried. No one took any notice of that half pint (or 0.5 litre)."

0.284 litre. 0.5 litre is (nearenuff) a pint

Get James Bond in here: 13 million account passwords plundered from 000webhost

Velv

Please go and read Troy Hunt's blog about the formation, build and maintenance of haveibeenpwned. Since he gets paid for his knowledge of IT Security he does know a thing or two. I'm not suggesting it's perfect, but it does layers properly.

DEFCON 1 to DEFCON GONE: One of NORAD's spy blimps goes missing

Velv
Gimp

Austin Powers

Please tell me Mike Myers is making another Austin Powers movie and they set it free for the euphemism scene.

Ex-Microsoft craft ale buffs rattle tankard for desktop brewery

Velv
IT Angle

Just another "kit" on the market with two tenuous IT links, (ex-Microsoft and Kickstarter).

El Reg should be ashamed of this dreadful story. You can only redeem yourself by supplying beer, I'll be in the Cask And Barrel down the road from 3...

Mutant space germs threaten International Space Station

Velv
Childcatcher

Sounds like some scientist is laying the groundwork for their forthcoming sci-fi horror novel

Google lifts app price ceiling to US$400

Velv

Re: Why should there be any limit ?

"However, for app developers, there is another route: Require the user to buy a license key. For those few apps which need it, particularly business apps, it wouldn't be enough of a hassle to put users off, and they could do volume licensing deals etc. Also, Google wouldn't be taking their cut."

Your last sentence hits the nail on the head. Google (and Apple) aren't getting their cut. I know Apple specifically excludes external payments, I guess Google wants a similar profit.

TalkTalk attack: UK digi minister recommends security badges for websites

Velv
Boffin

"You mean those same supporters of "verified by visa" where (in a web page that behaves like an XSS vector) you have to enter characters 2, 4 and 7 (or some other combination) of characters of your password.

Which means password not stored as hash."

It is possible to encrypt and hash the individual values of each character and store those for later comparison of an encrypted result without the need to decrypt. With a limited set of single values it is possible to brute force each value if you can get directly to the service interface, so you still need to secure against brute force attempts on a user's password values.
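As an added illustration of the scheme in the comment above (my example, not the commenter's code or any Verified by Visa implementation): each character is stored as a keyed hash over (salt, position, character), so a challenge for characters 2, 4 and 7 can be checked without decrypting anything, and a failure counter limits the per-position brute force the comment warns about. The pepper and password values are constructed placeholders.

```python
import hashlib
import hmac
import os

PEPPER = b"constructed-server-side-secret-not-in-db"  # placeholder, keep real one in a KMS/HSM
MAX_FAILURES = 3      # lock the record after this many wrong challenge answers
ALPHABET_SIZE = 62    # letters + digits: the whole search space for ONE position


def _char_tag(pepper, salt, position, char):
    # Keyed hash over (salt, 1-based position, character). Comparable later
    # without storing or decrypting the plaintext character.
    msg = salt + position.to_bytes(2, "big") + char.encode("utf-8")
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def enroll(password, pepper=PEPPER):
    """Store one tag per character; the password itself is never kept."""
    salt = os.urandom(16)
    tags = [_char_tag(pepper, salt, i, c) for i, c in enumerate(password, start=1)]
    return {"salt": salt, "tags": tags, "failures": 0}


def verify_positions(record, answers, pepper=PEPPER):
    """answers is {position: char}, e.g. {2: 'r', 4: 'u', 7: 'd'}.
    Returns 'ok', 'fail' or 'locked'. Every answer is checked even after a
    mismatch so the response time does not leak which position was wrong."""
    if record["failures"] >= MAX_FAILURES:
        return "locked"
    ok = True
    for position, char in answers.items():
        if not 1 <= position <= len(record["tags"]):
            ok = False
            continue
        expected = record["tags"][position - 1]
        actual = _char_tag(pepper, record["salt"], position, char)
        ok &= hmac.compare_digest(expected, actual)
    if ok:
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    return "fail"


def worst_case_guesses(challenge_len):
    # Why the lockout matters: a 3-position challenge over 62 symbols is only
    # 62**3 = 238,328 guesses, trivial without an attempt limit.
    return ALPHABET_SIZE ** challenge_len
```

The lockout is the minimum; a real service would also rotate which positions are challenged per session and alert on repeated failures.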

'iOS 9 ate my mobile broadband plan'

Velv
Boffin

Re: Doesn't pass the smell test

Burned through 2GB at £15 payg in a week for me. With over 100 million iOS9 capable devices in the wild I'd suggest $5m is on the low side of what could have been used.

Velv
FAIL

"Apart from 3G/LTE replacing the WiFi signal is in the status bar..."

Which WiFi Assist doesn't do, since the LTE is used to supplement the wifi packets so you still show as "on wifi"

Lawyers harrumph at TalkTalk's 'no obligation to encrypt' blurt

Velv

Re: Change the law then?

Encryption only protects against certain types of loss, and anyone with the right credentials can export the data. Taking "sufficient measures to protect data" therefore might include encryption, but requires other measures to also be implemented. Making encryption a legal requirement would make companies believe that's all they need to do.

Velv
Boffin

Security is hard. It's hard because there is no single solution and it must be implemented in layers.

Encryption is completely useless against a straightforward extract using the correct credentials. A bulk export to clear text is a (relatively) trivial query, which is where other layers of protection are required. And since we don't yet know what has been taken or how, there is no way of knowing if encryption would have made any difference.

But you're right, encryption is one of the simple and powerful layers to implement and there's no excuse for not doing it.

TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

Velv
Facepalm

Interesting. Talk Talk don't feel the need to encrypt customer data. They're advising customers to provide all the same personal data to third party Noddle to monitor for suspicious activity.

I wonder if Noddle thinks it necessary to encrypt the data they're entrusted with? (And have Noddle told Talk Talk this...)

So what's the internet community doing about the NSA cracking VPN, HTTPS encryption?

Velv
Headmaster

Re: Questions

@ John H Woods

"For 2048 bits you'd be looking at > 10^600!"

Pedant alert - having done all the nice mathsie bits, you kinda spoiled it by putting an exclamation mark on the end. (n! Factorial)

tee hee

Velv
Black Helicopters

Don't know why you've been down voted, so have an upvote.

You cannot prove a negative. The "unsinkable" Titanic sank, "unlimited" broadband isn't unlimited, safes are designed to make it difficult and time consuming for criminals to rob you, but ultimately with time and resources criminals do break in to most safes.

And no encryption is "uncrackable". If you believe the uncrackable nirvana exists, be prepared for a surprise.

UK MPs have right old whinge about ‘defunct’ Wilson Doctrine

Velv
Black Helicopters

Re: Snail Mail

Snail mail is equally susceptible to interception, with the added disadvantage of the delay between sending and reading. Even tamper evident seals are easily replaced with the right resources behind you.

Encrypting snail mail is possible but could be popped at either end if the security services really wanted to.

WIN a 6TB Western Digital Black hard drive with El Reg

Velv

OK, I accepted it when they told me I was "holding it wrong", but now they're just taking the mickey!

Virgin Media filters are still eating our email – Ntlworlders

Velv
Flame

Why should they get another email service? Virgin are meant to be providing a service and are charging for it.

Agreed you "could" vote with your feet and move, but similarly Virgin "could" pay compensation (or at least reduce bills) for failing to provide the service they have contracted to provide.

Cisco shipped UCS servers with rotten RAID settings

Velv
Facepalm

Re: Engineers forgot to update the installation script

Why employ an expensive QA team when the customer will test it for you.

"It's not working? Oh, yeah, my bad. Here Mr Customer, just change these settings and reinstall and everything will be fine"

Perhaps if Cisco was required to send an engineer to every installation to fix it they might take a different attitude to QA...

Internet daddy Vint Cerf blasts FCC's plan to ban Wi-Fi router code mods

Velv
FAIL

Re: Does it matter?

And your proof the companies don't like it?

Some manufacturers market models that specifically encourage the loading of custom firmware, and it's in no manufacturer's benefit to block you: you modify at your own risk and they sell tin they no longer need to support.

Daily Mail caught on hooks of Angler exploit kit

Velv
Joke

Daily Mail website serving up Malware. How is that different from any other day?

Internet Architecture Board defends users' rights to mod Wi-Fi kit

Velv
Happy

Ah, so my "hate" may not come over as intended. I love OpenWrt and similar, and my "hate" is directed at the FCC who seem intent on solving a problem that does not exist, namely a tiny tiny tiny number of devices that may in extreme circumstances end up "off band" in a very short range communication.

Keeping stuff out of landfill is great. Something is only obsolete when it no longer does the job required. Keep using it until that point.

However, mandating vendor only firmware does restrict the potential for NSA blocking open source option...

Velv
FAIL

"is particularly concerned that a ban on non-vendor firmware will leave stranded users with orphan devices that no longer get manufacturer support."

BULLSHIT!

There are billions of devices in the wild which no longer have vendor support. Apple's recent iOS9 left older models out of support, and Android in its various guises could be viewed as worse given there are many smaller vendors who customise the OS with their own mods and orphan models more regularly.

Or are the FCC going to force all vendors of radio equipment to support for life?

GCHQ can and will spy on politicos, rules tribunal

Velv
Big Brother

MPs: "The security services must have the ability to covertly obtain intelligence by monitoring communications. But not our communications"

Fucking hypocrites!

EMC+Dell: Firm made a $2bn bed-hopping proposal

Velv
Coat

Only by paying 10x the value.

Oh, wait...

Playmobil cops broadside for 'racist' pirate slave

Velv
Pirate

Re: Its ok

"The stupid woman has clearly been beaten around the head with a large twatspanner."

She's a Merkin. Two immediate thoughts go through every Merkin's head in everything:

1. how has this injured me; and

2. how much compensation can I claim

(Point to note for any Merkins reading. I know you now feel offended, tough, I have no money so don't even try)

Adobe to brick eight Acrobat, Reader flaws next Tuesday

Velv
Joke

Brick over the holes?

Can we not just tie Adobe to the bricks and let them swim with the fishes?

Mozilla to boot all plugins from Firefox … except Flash

Velv
FAIL

Extensions vs Plugins

Please go back and rate the article if it caused confusion ...

Oh, wait, that feature's been removed.

Disk boxes, security tools, etc: What Amazon announced at its AWS shindig on Wednesday

Velv
Trollface

People mock the fervour with which Apple Fanbois clamour for new shiny shiny, but 15,000 people PAID to attend Amazon's sales pitch. Good business to be in...