* Posts by Alister

4259 publicly visible posts • joined 19 May 2010

Euro Patent Office ignores ruling and refuses entry to vindicated judge

Alister

Re: New challenge

The UN could appoint him to bring peace and harmony to the Middle East.

They could crown him King of Jerusalem, that should go down well with all parties.

Yes, Britain has an urban-rural 4G schism. This is what it looks like

Alister

Surprisingly, Hutchison’s Three bests O2 for average 4G download speed in every region

But that graph doesn't tell the whole story: whilst Three may be faster than O2 where it is available, its overall coverage is still poor, in my experience. Certainly in the East Midlands region, you'll be lucky to get any signal on Three outside of urban areas, whereas O2 coverage is much more evenly spread.

Opportunity rover survives Martian winter for eighth time

Alister

Re: Image scale

Could someone suggest an idea of the size of the rocks in that photo, wrt to Opportunity?

Yuge!

Mailsploit: It's 2017, and you can spoof the 'from' in email to fool filters

Alister

@Doctor Syntax

There seems to be a view in some comments that being able to spoof From: is a Good Thing.

I challenge that. It facilitates all sorts of crime and what's possibly worse is that businesses who "legitimately" make use of this are training their correspondents to be phished.

You seem to be under the impression that this is a technique only used for marketing emails. This is absolutely not the case. Lots and lots of businesses don't want to, or cannot, run their own email server, but do have their own domains which they wish to use.

Like Charlie Clark above, I run SMTP servers providing email services for multiple businesses, on multiple domains. I don't do mass-marketing, or newsletters, just normal everyday emails.

If I was unable to spoof the from address, I would have to set up an individual mail server for each and every domain I host. This is patently not a sustainable solution.

Alister

Re: I dunno

And no one is able to fix that.

Fixing it, as you put it, would break a lot of things. It's there by design, it's not a bug.

Removing the ability to spoof the from address would stop third party companies handling mail on someone else's behalf; a very common thing in business nowadays.

♫ Storage falling, all around me... Snowflake, Komprise... Paragon ♬

Alister

So many puns,

...so little time...

Oh, and "love NAND understanding" should win a prize.

Lauri Love appeal: 'If he's dead, no victim's going to get anything'

Alister

In earlier, more enlightened times,

A prison sentence was meant to protect the public from dangerous criminals, and to deter them from re-offending.

Nowadays, it would appear that any false ideals are stripped away, and the prison sentence is punishment to "make him pay" for what he did.

Fitzgerald added "If he's dead, putting it bluntly, no victims are going to get anything from a trial."

Some would consider his death sufficient punishment, it would appear.

Watchkeeper drones cost taxpayers £1bn

Alister

Re: Good value

@Zog,

I did in fact pause before posting it; I was going to Google it to make sure I'd quoted it correctly, but thought that might be a bad idea.

It's a sad state of affairs when you have to wonder whether looking up a bit of poetry on the Internet might mark you as a terrorist.

Alister

Re: Good value

"Come friendly bombs and fall on Slough! It isn't fit for humans now"

Elon Musk says he's not Satoshi Nakamoto and is pretty rubbish at Bitcoin

Alister
Thumb Up

Re: Ok, ok, fine

Thumbs up for having the gall to register just for this story :)

Alister

El Reg staff

but our plans to hack society remain secret for now for reasons we cannot divulge.

Yes, it's embarrassing when your secret villainous volcanic lair suddenly goes public and starts spitting LIQUID HOT MAGMA, isn't it?

Accused hacker Lauri Love's extradition appeal begins

Alister

Re: I am an Aspie. I don't hack stuff and then cry like a baby.

@AC

Personally, I hope he gets told to grow up and gets shipped off to supermax.

I understand your frustration at how having Aspergers is used to justify this sort of hacking, but honestly, you really think 99 years in jail is a fair and just sentence for what he did?

Rolls-Royce, Airbus, Siemens tease electric flight engine project

Alister

@Christoph

That's not what they are proposing, the electrical fan will be powered by an onboard gas-turbine generator.

2001: A Stob Odyssey

Alister

Re: I wonder if anyone with a lisp..

"...theveral theditiouth thcribth from Thaetharea,"

Alister

Yay, Stob!

"How's your LISP"

Hahahahahaha.

Three useless UK.gov 'catapults' put in Last Chance Saloon

Alister

Re: I wonder how many

There's a certain irony in that the associated phrase in the nursery rhyme for the Bells of Shoreditch is "When I grow rich"

Don't shame idiots about their idiotically weak passwords

Alister

Aha! So your password is SW, D, G, H, S, B, S, D

See if you recognise this one:

P, P, B McG, C, D, G.

Vanity, thy name is: M1SCO company car reg plates for sale

Alister

Unless someone's name is (improbably) Misco, or someone is planning to set up a new company with the same name, I'm not sure that the personalised plate is going to attract much interest.

Maybe they should attach it to the "ride-along floor sweeper" as a combined lot?

A certain millennial turned 30 recently: Welcome to middle age, Microsoft Excel v2

Alister

Shameful confession

Whilst pouring scorn on everybody else for inappropriate use of Excel (all the usual suspects like writing documents in it, creating databases in it, etc, etc) I must admit that I find it incredibly useful for managing scripts and log files, 'cos if you dump a text file into Excel using spaces as the delimiter you can manipulate stuff by columns, which is great, not just for ordering the data, but doing find / replace on a single column and leaving the rest untouched.

Alister

Eh, memories, memories.

I've still got, (mouldering in a corner somewhere) a boxed set of Visicalc floppies (5 1/4, naturally) with instruction manuals, in a very nice blue vinyl covered case, if I remember correctly.

Pokémon GO caused hundreds of deaths, increased crashes

Alister

Re: Headline

Okay, mea culpa. Not enough coffee yet this morning, I apologise to El Reg.

Alister

Headline

I know El Reg is prone to a bit of artistic licence, not to say exaggeration, but how do you get from 2 fatalities to "hundreds of deaths"?

'Water on Mars' re-classified as just 'sand on Mars'

Alister

Re: Water on Mars turns out to be damp squib

Damp squid. It's damp squid.

No it bloody isn't, it's damp squib.

Squib, n.: a small firework or explosive device.

A damp squib is therefore one that doesn't go off - more generally, something that doesn't live up to expectations.

Alister
Facepalm

I recall at the time, posting on the original story, that whilst the headline, widely reported, was "Liquid Water Found On Mars" the reality was a bit more prosaic: "Strong evidence pointing to the presence of liquid water in the past, found on Mars".

And now, not even that is true.

Mythical broadband speeds to plummet in crackdown on ISP ads

Alister

CAP's sister body, the Advertising Standards Authority, also today ruled that it is not materially misleading to describe broadband services that use fibre-optic cables for only part of the connection as "fibre broadband"

Great, so anything that uses a fibre trunk to the exchange, and copper to the subscriber, can be fibre broadband?

Sheesh!

Permissionless data slurping: Why Google's latest bombshell matters

Alister

Re: So, if I want the benefits of a smartphone, without the (opaque) slurping....

@Jason Hindle:

My Google Nexus 5X is pretty much everything. It's my plane ticket, train ticket, bus ticket, tram ticket, taxi ride and method of paying for most transactions < £30 (and many other things).

Have you ever heard the phrase "single point of failure"?

It sounds to me as though, if your phone breaks, you're basically screwed.

Royal Bank of Scotland website goes TITSUP*

Alister

I reckon they've just implemented HSTS.

It's very secure now - nobody can get in.

See, it works!

It was El Reg wot won it: Bing banishes bogus Brit bank banner ad

Alister

Re: ‘Check car tax on’ Google

Interesting how personalised search works.

If I Google "check car tax" I get the top five results all starting with "https://www.gov.uk/"

Alister

Re: Follow the money ...

are Microsoft following the money that paid for the ad?

No, why would they?

Microsoft would have to pay it back, then.

Container ship loading plans are 'easily hackable'

Alister
Joke

AVAST BEHIND

I thought it was a comment on my generous posterior...

Yew Bastud!

:)

Alister
Pirate

Container ships don't have rowlocks in their gunwales, me hearty. Shiver me girders.

ICO probes universities accused of using private data to target donation campaigns

Alister

Re: spending millions on poor kids

Everyone pays the fee's through student loans

Greengrocer's University education?

How is 55 Cancri e like a Sisters of Mercy gig? Astroboffins: It has atmosphere

Alister

How is 55 Cancri e like a Sisters Of Mercy gig?

'why may a caudled fillhorse be deemed the brother to a hiren candle in the night?'

Car tax evasion has soared since paper discs scrapped

Alister
Facepalm

What they should do is introduce some sort of token that car owners have to display on the vehicle, which proves that they have paid their VED.

You could print the date on it, and perhaps make it different colours every year, so an out of date one would be obvious.

What do you think? would it work?

The Reg parts ways with imagineer and thought pathfinder Steve Bong

Alister

America doesn't have a functional extradition treaty with the UK - well not in the USA ->> UK direction, anyway, maybe My Lord Bong could interestify Donald into imagineering a whole new paradigm?

Does UK high street banks' crappy crypto actually matter?

Alister

@Dan55

Thank you for the non-downvote. :)

As far as I know, what you propose would have to mean hosting the main site on one server, and the banking site on a different server, as you cannot assign different cipher suites on a per site basis, only at server level.

Now this is not a bad idea at all, but it does mean that again, anyone connecting to the banking site would be required to have a browser and operating system that supported the latest ciphers, or the connection would fail. So really no different in outcome to what we have already.

Alister

The problem is that banks force your connection to use weaker encryption than your device is capable of.

No, they don't.

Alister

Get some perspective.

A lot of the commentards here seem to be misunderstanding the issues raised in the article, abetted, it has to be said, by some editorial misdirection.

Firstly, to describe the HSTS header as "Cryptographic Technology" is a gross exaggeration.

It is an HTTP Header, which when read by a client browser, ensures that the browser only uses HTTPS to connect to the domain it is served from. That's all it is, nothing else, and certainly not cryptographic technology.

Secondly, the article is written in such a way as to suggest that banks have downgraded their cryptographic cyphers to the lowest common denominator, and therefore endanger everybody's security.

I've just reviewed the SSL Labs results for each of the banks tested, and I can unequivocally state that this is not true.

In all the tested cases, the banks offer the latest ECDHE_RSA_AES ciphers, and therefore modern browsers will connect using TLS1.2 using those ciphers.

However, all of the banks tested, even Santander, the highest scoring, also offer, to a greater or lesser extent, older weaker ciphers to allow older browsers and operating systems to connect. Some of them, RBS and Natwest for example, offer really old, weak ciphers, and they should consider removing those.

It is pointed out that none of the tested banks offer PFS (Forward Secrecy). This is probably something which should be done, but relies on the correct ordering of the cipher suites offered, amongst other things, and is easy to get wrong.

So to sum up, none of the banks tested are endangering your security by only allowing weak cryptographic ciphers and HSTS is not some magic security feature.

Alister

If people are using outdated browsers, redirect them to a page explaining why you must insist that they upgrade, and explain how

It's not technically possible to do that without providing ciphers that the out of date browsers support, unfortunately. The TLS session must be established before you can carry out any redirection.

Yes you could do this for a while, before turning the ciphers off, and this is often what is done in practice.

Alister

@Amos

Possibly this is the difference between e-banking and e-commerce?

A short summary breakdown of our connections shows:

Windows 7 with IE 8, 9 or 10 requires TLS1.0 by default; the client can turn on TLS1.2 but rarely does

Windows Vista with IE 7 or 8 requires TLS1.0

Windows XP with IE7 or 8 requires TLS1.0 - IE6 protocol mismatch, can't connect.

Windows Mobile 8.0 requires TLS1.0

Android versions older than 4.4 require TLS1.0

OSX 10.8 requires TLS1.0

Safari 6 or older requires TLS1.0

Anything using OpenSSL 0.9 or earlier requires TLS1.0

Anything written in Java 7u25 or earlier requires TLS1.0

In addition to direct browser connections, we also provide an API to various external web sites, and by far the majority of those sites use software written in older versions of Java which require TLS1.0 to access our services. (Including, I might add, ATOS Worldline, who have so far refused to update their stack).

The running total as of today is 38.7% of all connections to us use TLS1.0

Alister

Re: IT security enforcement

It's about time there was an IT security equivalent to environmental health...

There is, it's called PCI-DSS

Alister

@Iglethal.

No, that's not the case, the article is rather disingenuous about the report.

If you run a report yourself on HSBC for instance:

https://www.ssllabs.com/ssltest/analyze.html?d=www.security.hsbc.co.uk&hideResults=on

You can see that they do support the latest SSL ciphers (ECDHE_RSA) but that they also support various ciphers which are now considered to be weak.

What Scott Helme is claiming - that they don't implement HSTS headers - is NOT a major issue despite his claims. All that the HSTS header does is to tell the browser to always use HTTPS to connect to the site, but it doesn't specify the ciphers to be used on the connection, and most if not all the bank sites will only accept connections over HTTPS anyway.

Alister

@iron

Crooks being able to steal MY money from the bank because some clueless user is still using IE6 and the bank want to be compatible is completely unacceptable.

That's a nonsensical strawman.

If you use the latest and greatest browser, then your connection will use the highest available encryption, so is not at risk.

If the bank / business also allows connections using weaker encryption for people with older browsers, that doesn't compromise your connection.

Alister

The TLS 1.1 requirement is currently June 2018, however that has been delayed many times.

As it should be, because:

"Customers not being able to access online banking because the bank stubbornly insists on strong crypto is a far bigger concern than the crypto being broken," Grooten said. "And rightly so."

I'm not involved with banking, but do manage various eticketing and retail solutions. If we were to turn off TLS1.1, we would lose up to 40% of our customer base.

That's potentially 40% less revenue.

No sensible business can afford to do that.

Help desk declared code PEBCAK and therefore refused to help!

Alister

Re: Memory Issues

We used to have one when I was in the Ambulance service; I've never seen it anywhere else:

PENCIL: Patient Exists, Not Considered Intelligent Life

and the more common one:

NFN: Normal For Norfolk

Yes, I took Putin's roubles to undermine Western democracy. This is my story

Alister

Re: I don't get it?

Can anybody explain this "article"?

Google the word "satire"

Alister
Thumb Up

Thumbs up for "technology trebuchets"...

Many successful launches...

Slack apologises to Europe for TITSUP* services

Alister

and the news room now has all sorts of excuses to go down the pub

Here's a journalistic tip...

Don't print that in a story the Editor is going to see!

Belgian court says Skype must provide interception facilities

Alister
Coat

Microsoft classified as a telco, so told to cough up. It may gaufre an appeal

Don't know what you are waffling on about...

Pastry in a manger: We're soz, Greggs man said

Alister
Headmaster

Grammar!

substituting Baby Jesus for a sausage roll

Does nobody know how to write English anymore? What you wrote above means that you replaced a sausage roll with Baby Jesus.

What you should have said is either:

substituting Baby Jesus with a sausage roll

(which is poor construction in itself)

or: substituting a sausage roll for Baby Jesus.

Hmmmph!