* Posts by streaky

1743 publicly visible posts • joined 5 Jul 2010

Lawyers harrumph at TalkTalk's 'no obligation to encrypt' blurt

streaky

As I was saying to somebody earlier, my understanding is one of the main rules of PR is you shouldn't try to pass yourself off as a lawyer. She did and failed miserably.

The law isn't clear - but one would assume the test would be what a reasonable (competent) person would do; if they're found wanting they could be up shit creek.

Crypto or otherwise - a reasonable developer wouldn't have SQL injection flaws everywhere (they're a bit 2006) and a reasonable person may set their systems up with crypto for various aspects of their data. Even if they're about as useful as a paper bag and don't fully secure you and maybe wouldn't have kept customer data safe, because a reasonable, competent person would have done it you could end up being liable under the law.

Snowden, Schrems, safe harbor ... it's time to rethink privacy policies, says FTC commish

streaky

Re: you've got to be kidding

Well, it'd take several changes to the US constitution, and best case that will probably take decades given compliant states and legislators, and neither of those things is true.

It could easily take 50 years before it's legal in the EU to ship private data concerning EU citizens to US companies.

So yes, the FCC has no power to fix this - and neither does the EU - it's a fundamental question of the Charter guaranteed right to protection of private data that the US and companies in it can't deliver; you'd have an easier time pushing private data to Russia or China. Also it shouldn't have taken Snowden to get movement on this.

Let's talk about that NSA Diffie-Hellman crack

streaky

Well, if the observations are accurate - he has. It's not that they can just break any crypto they feel like (unreasonable) it's that implementations are screwy and that leads to an open door on a one-time investment (completely reasonable).

If

Course if they can do it Russia, China and who knows who else can do it so why the NSA/NIST et al don't do their job and alert people is a whole different question.

Temperature of Hell drops a few degrees – Microsoft emits SSH-for-Windows source code

streaky

Windows Crypto API

Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and run as Windows Service

Backdoor it more? How about keep it OpenSSL so people can at least pretend it's secure?

Reg reader escapes four-month lightning-struck Windows Vista farm nightmare

streaky

Re: But the MD knows everything and is always right

Seriously, sounds like a micro business that's expanded but never grown up.

I once worked at a company that shall remain nameless - but if you made a list of the top 100 companies by revenues in the world it'd be on there - which operated this way.

Management people are like this no matter what. Tends to be younger managers that are capable of trust, in my experience. Why's this 25-year-old (I'm not 25 now but I was back then) telling me, the 55-year-old with all these years' mgmt experience, that I'm wrong? Who does he think he is? Why did we hire him? What are HR doing?

This is why I like working for younger companies, they tend to take it on faith that they hired you for a reason.

And yeah; new IT = less dividends, in their mind.

Microsoft offers to PAY YOU to trade in your old computer for a Windows 10 device

streaky

Re: Now you know how much your privacy is worth

"subscription fee for Windows cannot be eliminated as a possibility somewhere down the road"

Neither can Linux. You're making assumptions based on faulty data. One where Microsoft sees consumer desktop OS sales as part of its revenue stream. It doesn't and it's debatable if it really ever has - and if it chooses to going forwards there is competition out there for people who don't want it.

Internet daddy Vint Cerf blasts FCC's plan to ban Wi-Fi router code mods

streaky

Does it matter?

The companies who make the routers in the first place don't like you doing it and take a long list of measures to stop it. Net effect? Status quo - who cares really?

Faked NatWest, Halifax bank sites score REAL security certs

streaky

None of this helps with the actual issue. And DNSSEC can be compromised by (specific) state actors - it actually makes the problem it's supposed to fix more exploitable. That's why we have CAs - in theory for massive liabilities and somebody to pay the insurance premiums.

The whole system is set up so if (when) it goes wrong there's an underwriter to pay out for the damage.

But again none of this fixes any actual real world problems.

streaky

The problem is people are expecting SSL certs to do too much - EV or otherwise. All of these scams are obvious if people are paying any attention at all and THAT is where the education needs to be.

And yes on the other HTTPS thing - it's simply not possible for the issuers to go through every single request and decide if the domain is a scam, for one because of the number of languages on the planet and the number of banks somebody doing such a thing would have never heard of.

They don't even apply tests like that to EV certs - you can set up a company which is remarkably easy in many countries including the UK, get an EV cert and scam away and nobody will know the difference. Only now we get OH IT'S GREEN SO IT'S SAFE.

Virtualisation blog 'of interest to Interpol'

streaky

Re: This is..

You do have the full set of rights granted to any other person in the land

Except you're not generally in the land, which is how you can be in an airport and stateless. You have some rights and once you get back there may or may not be hell to pay and expensive lawyers are great, but it's not useful if they prise keys out of you or similar and nobody knows and the damage is done.

Airports aren't worth the risk imho.

If one had rights one surely couldn't be on some secret security list where one didn't have any right of reply nor even be told why they were stopped and thrown in a cell in the first place.

streaky

This is..

Essentially why I don't fly anywhere, especially to the USA.

There are large databases of technical people who they think might have access to interesting things and it's been proven the likes of GCHQ are directly targeting them, so you're basically unsafe flying through any airport because that's where governments have essentially carte blanche over you and your gear; and you have essentially no rights (even in your own country's airports).

And no I don't know the solution to any of this.

Google uses humans as Matrix-style ‘data batteries’ – Open Xchange CEO

streaky

"It isn’t perfect, Laguna acknowledged, because the private key is stored at the server. But it’s “ten thousand times more secure” than what we use today"

This doesn't actually fix the problem.

There are two things here that need fixing - crypto between servers and client to server is something that already happens. There's nothing stopping Google adopting this and we're still in exactly the same position. It's not that it isn't perfect, it's that it's the same solution in different clothes.

Anyways, two things:

The end user PGP stuff needs to just be "better" - better UIs, more support, probably default support from Moz, MS et al for what we consider secure today - be that MIME or PGP. If the email client supports PGP natively it can guide people through creating keys when they first set up their account - the more people who use it the more secure everybody is; even if it's breakable it's still a question of cost/benefit of decrypting everybody's mail.

The second thing is protecting email in transit, via probably wrapping emails inside multiple layers of crypto - so your server only needs to see what domain you're sending to and only the recipient server can actually see what user it should be delivered to. This obviously has connotations for server side spam control etc but it's a price worth paying. This is easily deliverable with domains publishing pgp keys in dns or in one of the standard directories. This also neatly ties up the matter of jurisdictional control to make it only possible at the recipient side.

It is amazing that we still take risks with email that we'd never take with something like shopping on the internet. In reality we could fix it immediately by just dropping the RFCs that allow sending and receiving email in plain text and then they have to go to the provider to get access rather than just trawling the pipes which gets us some of the way there.

DDoS defences spiked by CloudPiercer tool - paper

streaky

Re: DDoS FTL

Just in case anybody gets the wrong end of the stick - the moral hazard is they make more money if you're getting DDoSed because you're using more traffic - it doesn't hurt them in any way - and it's easy for them to fix by only pushing traffic that is coming from IPs that actually belong to their customers or contractually requiring BCP38 and similar and punishing customers who flout the ingrained insecurities for gain.

The problem tends to be confined to what you'd politely describe as "non-western" datacenters but most of the traffic is pushed by companies with major US/European operations.

streaky

Re: DDoS FTL

The irony is they're really easy to *prevent* by good procedure on the part of the carriers and exchanges - but there's significant moral hazard preventing any of them doing anything about it.

White House 'deeply disappointed' by Europe outlawing Silicon Valley

streaky

Re: Tantrum coming in 3, 2, 1...

Here's a novel idea: How about abiding by the laws of the countries that you do business in?

Here's a novel idea: how about making US constitutional law apply to non-US citizens living outside the US, or more specifically the 1st and 4th Amendments - and this all goes away.

Damn right it's protectionism.

thousands of US and EU businesses that have complied in good faith with the Safe Harbor

US businesses are in no position to act in good faith because of the above. The key word here is 'reciprocity'.

US tries one last time to sway EU court on data-slurping deal

streaky

"Open Source is a bridge too far for most, so I can't see that solved easily"

The problem at hand isn't using MSFT/Apple et al's software, it's shipping data transatlantic with zero protection for EU citizens in US law.

That being said EU corps (and governments - believe it or not) are capable of learning to swim when they're pushed into the canal.

'White hats don't want to work for us' moans understaffed FBI

streaky

Re: Definition Required

Somebody that applies the scientific method to computery stuff one would think?

NSA? Illegal spying? EU top lawyer is talking out of his Bot – US gov

streaky

Re: The usual

It's one of those things where I class it as "if it isn't illegal it should be".

Also until the US starts covering non-US citizens outside the US under their constitution they can swivel, frankly. Also Germany needs a good cattle prodding in the backside on the same note. Oh, and the laws covering GCHQ with immunity over damage they might cause - if they're so freaking awesome they shouldn't need immunity.

So how do Google's super-smart security folk protect their data?

streaky

Re: Hmmm

Ahead.

I mean, really, this. Bet it wasn't mentioned nor was it stated any steps to get them out their data.

You don't need to be ahead when people are passing data around in the clear.

streaky

Re: Yes, password manager

More universal - I mean really everybody should be getting behind U2F. The devices are cheap and easy to use and the principle is sound. Still strong passwords though.

Vodafone sales dip, waits for fixed broadband to kick in

streaky

12% Drop in Germany

No doubt this has nothing to do with Voda passing data on to GHCQ. No doubt.

GCHQ wants to set your passwords. In a good way

streaky

Re: Doesn't quite work for me

Considering you can now do hardware 2FA for less than £30 a head for the lifetime of a key or even less with soft tokens on a mobile device, their time should be better devoted advocating 2FA rather than massaging the stinking corpse of password security.

Yes this - you can actually do it for £12.99 or even as low as £4.99 if you want something less (physically) strong that you can snap in half in an emergency - and if they actually gave a toss they'd be advocating it.

Rate limiting in web apps, the way it's generally implemented, is quite harmful to usability and it's no replacement for people using fairly strong passwords regardless.

‘Dumb pipe’ Twitter should sell up and quit, says tech banking chap

streaky

Twitter numbers.

It's 2015 and we've got into this position where it's all about user-base growth and revenues. Nobody anywhere is interested in the actual huge pile of cash they burn everywhere. Twitter's main problem is it has no plan in place where it figures out how it's going to make actual money to offset its costs, just accepts that world+dog is going to jump on the hype train of old like tulip mania.

This is the stuff market crashes and pension fund derp-ups are made of.

Amazon, GoDaddy get sueball for hosting Ashley Madison data

streaky

Intentional.

Even in a US court you'd have a time proving that Amazon intentionally went out of their way to cause you emotional harm, even to the already low standards of a civil court.

Usual lawyers preying on the vulnerable stuff.

Ed Snowden crocked cloud, says VMware CEO Pat Gelsinger

streaky

Re: "The solution to this particular technical problem is a legal one"

I said it's a legal problem not that it needs new law. It needs civilian oversight and courts willing and capable of enforcing the existing law. Neither of those are true today.

The US has a separate problem in which none of its legal protections apply to non-US citizens outside the US - even if that changes we're a long way from them acknowledging that's even a problem (and killing their tech sector by not using it is probably a way to start clearing that up).

streaky

Re: Full encryption, all the time - possible, but hard

Homomorphic encryption is absurd - it isn't computationally useful unless you like pretending it's the 1940s on extremely powerful and expensive hardware; and it will likely always be thus (nobody can see a path through the quagmire and it's not like it's going to magically appear, and even if it does it's decades away).

The solution to this particular technical problem is a legal one; and that looks decades away too.

streaky

Re: Snowden? Or the NSA/GCHQ/etc

100% not Snowden. Snowden just told us what we all feared anyway.

The problem for "cloud" is there's no technical solution to the problem minus not putting data in certain regions.

So, was it really the Commies that caused the early 20th Century inequality collapse?

streaky

Re: A bit simplistic

The problem is they're not actually discredited per se. Communist governments work like other governments; they're magnets for corruption and incompetence - this is what is actually discredited but we've known this for a long time and it's still happening if you're capitalist, communist or anarchist.

The directed economies generally can work as long as you assume that government is capable of actually planning ahead. In a perfect system (which I'm not suggesting can actually exist for a second) there's nothing preventing a government reacting to reality and also correctly planning ahead. China didn't come out of bouts of mass starvation because it embraced capitalism (frankly, it still hasn't; it's embraced other people's capitalism) - it happened because its directed economy was directed towards the tech sector and making enough food to feed themselves, and because they allowed people to do things like buy cars.

Their directed economy is running round the world happily swapping natural resources for infrastructure and weaponry, then eating those resources and spitting out phones and computers to the rest of us. If the UK's economy was directed it'd be way more broad-based than it is and it'd still be worth getting a job in mechanical engineering.

NASA dismisses asteroid apocalypse threat

streaky

Don't encourage these people is usually the best thing. NASA responding in this way is absurd.

You just ask why they know exactly where it's going to hit but not when ("sometime between 15 and 28 September") - 12 hours earlier even on the same track it hits China, another 12 and it misses the planet completely; and why is it always the US in imminent danger anyway?

NSA-resistant email service Lavaboom goes BOOM! (we think)

streaky

Can't Exist in a Bubble..

The whole reason these services are doomed to fail is that they exist inside a little bubble. Focus should be on getting everybody using secured email by making it both stronger and easier for normal people to attain. Lava* services never did this (they mostly only appeal to people who already know how to secure their communications anyway) so even if nobody turns up with a warrant they're inevitably doomed to failure in the long-run.

streaky

Re: Shit out a bucket of kittens

Maybe you're the disinformation station making us all think that crypto doesn't work so we don't even bother. Ever thought of THAT?

No kidding, even arguing over this stuff is absurd. I imagine they can break a lot of stuff but we have a fair idea what's relatively weak and what's relatively strong. No doubt the NSA (and GCHQ) have smart people working for them, but if they could break everything everywhere their capabilities (Snowden et al) wouldn't be such a shit-show around this stuff and they wouldn't be so focused on breaking into things and rootkitting things.

Anti-privacy unkillable super-cookies spreading around the world – study

streaky

Re: There are other options

in which case you will need to add some other digital trickery

They'd have to break through the crypto to touch it so yes it is effective. Indeed it's why mobile VPN services are progressively becoming fairly big business.

Regardless, it has the air of "wake up and smell the lawsuit" about it. Companies found doing this to their customers (and it's not exactly hard to test) will end up on the bad end of all sorts of privacy laws around the globe, so on the off-chance any were reading this I'd tell them to stop.

Rise up against Oracle class stupidity and join the infosec strike

streaky

Re: First, I stand for TLS, not SSL.

SSL is dead! Long live SSL!

I usually find it's easier just to call everything TLS and not support any SSL versions; there have been good computational reasons to do this since long before POODLE et al, which is why I was having a good chuckle at the rest of the world when it happened.

I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims

streaky

Re: White hats, Black hats, and Grey hats...

Need no hats, will stick to Linux

Linux: no hats here. Cept Red ones.

Oh god run for the hills Linux has exactly the same issues as windows and bsd and osx and os-freaking-two. Humans aren't perfect, the end. Microsoft is extremely competent at hiring some of the best developers in the industry; their issue more relates to management being dumb and having no idea who they're selling to.

I hope that Kaspersky has significant credit for investigating Stuxnet and the Equation Group (NSA?). For that reason it wouldn't surprise me if many people recommend Kaspersky to friends simply to support the company.

Most people use Kaspersky (product) because it generally tests the best. This is in spite of Kaspersky (the guy) and his machinations.

Even if the claims are 100% true and I stated why I think it's nonsense on the other article - it's a technical problem with a technical solution that's there for other vendors to find - personally I'd look at it as battle hardening or an indication that the way our software works is broken and do something about it. This is probably why the other vendors at worst have replied with a "meh".

Assange™ is 'upset' that he WON'T be prosecuted for rape, giggles lawyer

streaky

Re: "Ego-stroking myth has been discredited"

they don't have to say it until the moment he walks outside the door of the Ecuadorian Embassy and the moment they do the extradition treaty would take effect

But there's no situation where any of this makes any difference to his legal issues with Sweden. He's guaranteed the US has decided what to do or not to do with him now, so even if Sweden says "nah fuckit" - which is unlikely considering the victims would probably turn up at some high level court the next day - he's still royally screwed. If he had any sense at this point he'd be hoping the US wants him and to walk out the door. The sooner whatever sentence he gets starts, the sooner he gets out. If he hangs around for another 10 years he's just going to start his sentencing later. I mean it's all completely nonsense anyway but he obviously is incapable of applying logic to his situation if he really believes what he's claiming.

The US has "renditioned" for less than what he's been accused of

The UK has sent special forces into buildings for less than he's accused of, nay, has done. To see he's being treated with the utmost respect and total kid gloves is a HUGE understatement.

streaky

Re: WTF?

something has smelled fishy since the Swedish charges were levied

Only thing smelling fishy is Assange.

If the US wants him they'll ask the UK government not the Swedish one. The UK and US have one of the world's most comprehensive extradition treaties - it's asymmetrical (the bad way for Assange) but you can be assured it exists.

Kaspersky Lab denies tricking AV rivals into nuking harmless files

streaky

Kaspersky trained at the KGB's hacking school thing, so you know, yes, I guess?

That said it's not exactly an unusual story in the industry.

streaky

Re: I'm not buying this..

It doesn't *sound* right at all from a technical perspective. If it was happening people using alternative products would be making noise about it that's for sure. The core malware samples that engines use to classify code will be guaranteed to be actual malware or the system fails; I can't see this working any other way - why would any vendor trust crapware just because it's uploaded to VT anyway? They wouldn't that's why.

It might well be true Kaspersky tried it; what is highly suspicious are any potential claims it actually worked.

Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

streaky

Re: Require root or administrator access ...

"requires root" when you're talking about exploiting systems isn't any sort of barrier. Now one assumes on systems with not unreasonably old CPUs if you get rooted then your hardware is junked. You have no way of finding or removing something put there with this so why wouldn't you make that assumption.

System compromises tend to chain a bunch of exploits together (for example web app -> shell unpriv -> root), now they can add a little something extra to the end; and that something is a pretty nasty kick in the hardware teeth.

Do you own a dedicated server hosting business? How do you know your systems aren't compromised with this? Oh, yeah, you don't.

streaky

Re: a ha ha ha ha ha :(

F00F was easily fixed at the OS level though.

streaky

Re: a ha ha ha ha ha :(

To a general air of "when has a chip ever had a bug ?"

Those people are crazy, they happen all the time. I think the issue is more when has a chip had a security bug that somebody found and it hasn't been possible to mitigate it with a microcode update. I don't think it's ever happened before.

Given the timing of the introduction and precisely where this bug is in the CPU one has to start asking themselves rationally if it was intentionally introduced and if Intel should be doing a product recall; that's the major issue here.

Random numbers aren't, says infosec boffin

streaky

If you pool a huge volume of supposedly random data used for crypto you create entirely different challenges. The issue isn't creating volumes of it anyways, the main issue is PRNGs are notoriously hard to both prove and disprove the validity of, unless they're extremely broken.

ROBO-TENTACLE with mind of its own wields deadly electrical power – turns on Tesla car

streaky

There are of course a lot of things to consider before such a charger could be added to your house:

Is "Why are you not buying a hydrogen car?" one of them?

Major web template flaw lets miscreants break out of sandboxes

streaky

Did you know

If you add all your users to sudoers and let them use compilers, bad things can happen..

Contractors who used Employee Beneficiary Trusts are in HMRC's sights

streaky

Re: Pay your tax like everyone else

I wonder how many people in the middle east have been killed as a result of people voting labour.

Roughly zero pretty much any way you look at it? I don't see either John Major or Hague responding any differently to 9/11 or Hussain's nonsense down the road, if that's your argument.

Not for nothing but back on topic nothing about being a contractor (and self-employed) is intended to stop people paying their fair share of tax or to make it easier to avoid or evade tax. Yes it's riskier, but nothing about the tax system is there to reduce that risk: everybody is under some risk of not working next week; it's the decision you make.

streaky

Re: @Rol Pay your tax like everyone else

"Should HMG decide to disallow any of these, should HMRC be able to go back x years and claim unpaid tax?"

It is somewhat the cost of doing business, tax systems work like this - I don't know if they should or not but they do. Just be happy you live in a country where you can't be jailed for it; directly.

Also by the way the rules on retrospection only apply in criminal law.

streaky

Re: Pay your tax like everyone else

"Contractors have none of that and that's why businesses pay high rates - because they know they can get rid of them at the drop of a hat"

And they have to pay tax on those earnings. Many contractors do at the standard rates. I don't know enough about the specific scheme to be able to comment directly on it but given the HMRC think they're getting money it's fair to assume they think it was obviously bullshit.

Also the HMRC doing idiotic - nay, arguably criminally corrupt - deals with the likes of Voda and many others doesn't negate your requirement to pay tax on your earnings (and yes it sucks). If everybody paid their fair share (i.e. what most other people pay) then no doubt the tax rates could come down generally; rather than the bullshit situation we've dug ourselves into.

W3C's bright idea turned your battery into a SNITCH for websites

streaky

Re: Solution?

Add some randomness to make it fuzzy or round it to the nearest 10% probably? That said it probably doesn't work very well as a tracking tool anyways..

HP insists 'we don't have a global dress code' – while deleting one from its website

streaky

Re: Not sure what the fuss is about...

Clothes that show too much flesh (short shorts, crop tops etc) are a no-no, as are clothes with rude words or offensive logos

I know what we need. Burkas for everybody!