Posts by streaky

Re: The problem is...

Well look at the track record. Skype has end to end encryption, but they happily share the encryption keys with everyone claiming to have something like a warrant.

Most of these cases are fairly well documented. I don't think it's ethical for skype to exist in that environment - you take your chances, it does economic damage or it doesn't.

You can't back-door OpenSSL, you can't back-door PGP, you can't back-door TOR. PFS destroys the usefulness of handing over keys. They can do what they want but we get no more security for active and significant (financial and actual due to security weakness) harm to UK (and considering your link) US business - people can go elsewhere and not have this problem. The inability to validate Microsoft's crypto stack is doing them actual harm right now, today - same Apple; imagine what it would be like if people knew for a fact there was an issue with say Microsoft's RNG as opposed to conjecture - good luck share price. If they could somehow manage to tame Linux (and given most distros are moving towards reproducible binaries - good luck) people would just push untamed sources. Cat, meet bag.

Re: If my memory serves me right...

This isn't SteamOS it's the Linux Steam Client, they aren't the same thing.

Re: BT Fibre

I see the reg forums are frequented by BT/OFCOM/ASA employees. Hiya fellas - learn what a fibre connection looks like - mine's GigE up/down; how's yours?

Re: I loved the top down GTA Games

So what are the "driver's countries"? Not Italy or Germany then?

I've never driven in Italy but I've experienced the roads.. I'm going with no.

They make nice cars but..

https://www.youtube.com/watch?v=s0MDY9fl-IA

Re: Risk vs benefit

@Jim 59

Yeah neither the internet nor crypto have anything to do with terrorism. If there was somehow some way to stop all internet terrorist activity they'd just switch to sending letters around or the ever classic two tins and a long piece of string or better still meet in a bar once a week.

For damaging the security of crypto (which is so disgustingly outside the realms of the UK security services capability I've lost my earlier sense of humour on the subject) you trash the UK's economy and arguably the world because all banking, shopping, trading etc transactions have to stop while we come up with something new.

VPNs, your connection with Amazon, banking trades, TOR etc work off the same protocols which is precisely what confers security on them in the first place - they all look the same to anybody who doesn't have the right private keys.

"Would we rather give up all privacy and possibly have a few less terrorist attacks or put up with the CURRENT LEVEL of attacks and keep all of our encryption."

If the level of attacks increased (much as I've been ridiculing Donald Trump over this issue) we should probably look at revisiting the relevant laws for defensive weapons before we break our entire way of life and economic system.

Re: Push-to-talk latency

"I understood it and am carrying out any orders contained within it"

Roger doesn't confer that, it means "message was received". The other word I mentioned "wilco" means that.

Re: Indeed

Just to be clear I'm not saying that they shouldn't be using more "traditional" forms of threat assessment, what I'm saying is that they need a parallel system that can tell them if they're maybe missing people or mis-allocating resources - Bin Laden FWIW isn't as big an actual direct threat as the Hamza al-Ghamdi type; Bin Laden confers threat status on Hamza al-Ghamdi, not the other way round - yet who were the resources being thrown at. That's what I mean.

Strictly speaking the way a human plays is an irrelevance. Solving a game means you have a fair idea that you're going to win totally regardless of what another human does.

Now, when you do play poker - and this is the great thing about poker, and why it isn't just pure luck and I imagine what you're alluding to - a human opponent can maximise their wins and minimise their losses and if they're any good still monetarily beat you even if they're statistically (hands won at showdown whatever) losing.

Without having actually looked at the way their system works and I assume it doesn't do this but you can look at the system's degree of confidence about a hand and decide to bully people off the pot or call large all-ins. It would be absolutely fascinating to see it play against both pro and not pro players. There is a piece of software they could plug it into that will actually play hands for them at various poker sites based on their strategy. The trouble with a "please don't bully me off the pot strategy" is if somebody suspects that you'll generally fold large bets thrown at you unless you have say AA/AK preflop or some such is they'll just keep throwing huge bets at you which in heads-up is the end of the game essentially.

Re: Yeah...

The "evidence" strongly suggests the FBI might be terminally retarded. There's literally no politer way to put it.

They're just dumb and incompetent.

Re: They arent a serious party..

The UK needs immigration, nobody with any sense (including Farage) has denied that. UK membership of the EU allows any low hanging fruit that decides to just show up to take a chunk of the wealth the country has accumulated and walk away. Doesn't apply to everybody but to call people asking the question either racist or "extreme right" is utterly absurd; it's the centrist position on immigration in the UK, today. That isn't healthy in any way shape or form either economically or politically - it pretty *clearly* sows seeds of discontent, which could easily turn into who knows what.

The UK should be able to control its immigration, be it wide open or essentially closed borders, based on the needs and wants of the country and the people who live there. Anything less can only lead to people quoting Powell, as we have seen.

"I don't know about you, but I hear very few people talking about this"

I live in London but I'm from the north and any time I return it's basically *all* I hear about.

No it only works because it's a rich city-state with wealth based in international trade rather than actually having to work where all the kids are healthy and well educated. Give them a healthy dose of obesity and scale it up to 250 million people and it'll collapse pretty catastrophically.

"Silly person has laptop that decrypts everything on desktop login" - it's reasonably newsworthy when you consider the field this person works in.

Re: worse

@OP

Couldn't agree more. Not only what you said but assuming what you said is true why are we throwing so much money at them [NSA/GCHQ].

It's all going to end badly because as time goes on more things are going to be crypto-by-default (http/2 is a pefect example) and it's going to speed up adoption of stronger ciphers and bring about the faster demise of the weaker stuff (see: Google's jihad against sha-1).

When all this comes to pass what do NSA/GCHQ do? Nothing - they effectively cease to exist because they have no real-world capability and all the money has to go where it should be going anyway, into humint.

Re: I don't see why not.

"If one is worried that they'll code in some backdoors, then don't hire them"

I probably wouldn't due them them likely having no perusable development history, which prevents all kinds of checks and balances, never mind fear of backdoors; see this recomended reading on a directly related subject.

"Code reviews will mitigate the injection of backdoors. In my current workplace, no change gets committed to the working codebase until it has been peer-reviewed by someone competent"

Yeah because it's always really easy to see when lets say an RNG is backdoored, given there's no standard test for it unless it's compromised *very* obviously, if the Linux RNG was backdoored today, right now, even with the source code available it'd probably be very difficult to do. Which is to say that your assertion depends on the nature of the work. Given you're specifically talking about ex-sigint folks you're probably talking about specialist algos in the first place as opposed to cheapo facebook clone perl devs you can find on any rent a coder type sites.

Re: Seriously, he actually believed the advertised PHP version on the server?

I loosely know Anthony aka ircmaxell in an IRC context, if he wasn't hiding I'd be saying this:

Backports, backports, no seriously, backports...

The methodology is sketchy at best in the context of most people will be running distro-installed versions with security fixes backported into what are at face value older "insecure" versions - and there's no reliable way to measure this, which is why one doesn't ordinarily bother. Don't get me wrong there's probably a lot of insecure PHP installs but the version doesn't have to be misreported for the secure/not secure data and drawn conclusions to be *wildly* incorrect.

Re: I Think

SLS is the way to go frankly. The materials used are simply a question of laser power - if you're wanting to print plastic a lower power model will do you fine, if you want to move to metals you just need to upgrade the laser. You end up with effectively a sponge - if you're happy you can dip the object in an epoxy and away you go.

There are projects around but there's a question of size/cost but these will inevitably come down.

Re: So, Crony Capitalism doesn't work!

@veti -

"That's what deposit guarantee schemes are for. In the UK, you're covered up to 85,000 pounds per banking license. So as long as you don't have more than that amount deposited with any one banking license, you're literally as safe as if the money were in the Bank of England itself"

You're right - but who pays for it. Oh, yeah. Taxpayers do - and again there's no chance of recovering it, and the state would probably have to borrow to cover it. End result huge black hole versus sellable assets.

"To really "break even", the shares would have to reach around £10 (by the end of next year - and as more time goes by, the breakeven point only goes up)."

It does - but not by *that much*. Remember that interest rates are effectively negative. You actually make money by not keeping it in a bank but by spending/borrowing. There's a cuttoff sure, that cuttoff does move but not by the amount you're suggesting. It could but it hasn't.

The reality is if they were sold today the taxpayer would make a loss but nowhere near as significant as the loss on burning all the accounts, compensating everybody and the admin costs of stripping the bank apart.

Re: SSL private keys

Yeah that's probably most egregious of the nonsense points in the article. CA attests your signing request, it never sees your private key. If it did then PKI would be even more fundamentally broken that it actually is and nobody would use it because it'd have been replaced by a system that works more like PKI actually does decades ago. Yes PKI is broken, no, not that way.

Just no.

Even the CA handing over their [root/intermediate] keys would only allow them to create new certs pretending to be you but the thumbprints wouldn't match and that CA would go out of business 3 days later because their root certs would be revoked left, right, center and on mars so no court (secret or otherwise) would ever do it because it'd be the end of a significant number of large US tech companies which the NSA, CIA and other alphabets would full well know.

Re: Why not have the server automatically shut down

"Not handing over encryption keys when law enforcement asks for them is a serious crime in the UK, punishable by up to five years imprisonment"

In criminal cases yes. Couple of things - there are reasons to pop people's servers (legally and otherwise) when there is no criminal case pending against the server owner. If it's any kind of secret service alphabet from anywhere in the world they won't ask they'll just pop it open and rootkit it which is why elsewhere I suggested to kill the data on the servers and start afresh.

Other potential adversaries are organised crime and a civil suit directed at the servers via a warrant that could potentially be executed without even talking to the owners of the servers (happens all the time) and no such law exists in civil cases.

As for the actual law itself in criminal cases I still don't believe it's been tested properly due to the lack of controls and the fact I don't believe that crypto keys have "an existence independent of the will of the suspect" (Saunders v UK) - there's no case law AFAIK that says they do - any more than a memory of what somebody was doing at some time on some date or "how many drinks sir has had tonight". If you write it down on the other hand..

As I stated at the time it's a fairly obvious case of misconduct in public office - we can't have the police be directed by private companies like this running around doing their bidding.

If they have an issue and they think the chap is in contempt of court (and he plainly isn't/wasn't) they should be taking civil action and the CoLP should have said as much. It isn't by any stretch a criminal matter and the CoLP should/will know this.

Re: Abandon SMTP

Just to add to what I said here, the disabling of STARTTLS is fairly well covered by the extension RFC - the issue is avoidable with a secure client and/or server configuration:

If the client receives the 454 response, the client must decide whether or not to continue the SMTP session. Such a decision is based on local policy. For instance, if TLS was being used for client authentication, the client might try to continue the session, in case the server allows it even with no authentication. However, if TLS was being negotiated for encryption, a client that gets a 454 response needs to decide whether to send the message anyway with no TLS encryption, whether to wait and try again later, or whether to give up and notify the sender of the error.

[..]

A SMTP server that is not publicly referenced may choose to require that the client perform a TLS negotiation before accepting any commands. In this case, the server SHOULD return the reply code:

530 Must issue a STARTTLS command first

The docs are pretty clear about what do if STARTTLS is dropped.

Re: El Reg Plz..

I took the article as a whole - it reads like you're saying that because they're not splashing around info about security measures it's entirely possible they don't really exist; which is a pretty big leap. They've given as much information as I'd be happy for them to give if I was personally involved.