* Posts by streaky

1743 publicly visible posts • joined 5 Jul 2010

EE Business Broadband digital transformation: Portal offline until July

streaky

Yup.

Showing across EE's entire business honestly.

Los Angeles police tell drivers not to trust navigation apps as wildfires engulf area

streaky

Re: Don't drive into a raging wildfire...

This is the point. It isn't don't trust your GPS system, it's open your fucking eyes and look where you're going. Literally just occurred to me though, this could get interesting if self-driving cars ever become the norm and you're napping in the back and your car drives you into a wild fire and says fuckit you're on your own friend.

Quentin Tarantino in talks to make Star Trek movie

streaky

Re: Well Discovery has the occasional swearing

an insult to Gene Roddenberry's Legacy

BPLZ.

streaky

Re: Well Discovery has the occasional swearing

I'm told hardcore Trekkies hate it

Nope, we love it.

Check reddit trek nerdville for double confirmation. It is, as a matter of fact, epic.

Only people who hate it are pretenders, people who have probably never even seen it.

Why does no one want to invest in full fibre broadband, wails UK.gov

streaky

Re: All aboard the gravy train…

I disagree, although I totally see your point.

Certainly at the bare minimum when BT is replacing cable anyway and when new housing is being built (and especially in this case) BT should be specifying that house builders lay fibre to people's houses, at the very minimum so it can be upgraded in future.

streaky

Re: All aboard the gravy train…

They're pushing towards, regardless you don't have to rip up pavements to do a national FTTP roll-out - seems like one of those mythological ideas people have about the way things work. Regardless if HO can do it locally with no government help and be a viable business it can be done nationally by BT with the government help that they are getting. There's plenty of this going on in the rest of the world if you want other examples.

None of this would be so bad if BT didn't know exactly how to do it.

streaky

Re: All aboard the gravy train…

the timeframe for return on capital is unsuitable for the private sector

Explain Hyperoptic and peers.

The actual reason is BT are happy getting free taxpayer funds to *not* do it thank you very much, one of the fundamental reasons why current government strategy is broken.

Net neutrality nonsense: Can we, please, just not all lose our minds?

streaky

Re: What's really going on..

If Netflix had to pay its fair share of overall internet backbone support costs as a percentage of IP packet traffic, their business model likely would fail. Ditto Youtube.

Pretty sure this is my point.

You don't just magic a service into existence and expect everybody else to pick up the tab just so you can be viable, for much the same reason as I don't ask 'reg readers to buy me a new McLaren every year. i.e. the world doesn't work like that.

streaky

What's really going on..

Netflix and a few others have managed to do something Russia could never do - bend the entire psyche of the planet to their will with zero blowback. What's relevant here is Netflix don't want to pay for infrastructure to carry all the bandwidth their service uses caused, ultimately, by no peers taking traffic off them because there's no mutual benefit. Never was, never will be. It really is quite impressive how their PR machine has completely deluded millennials into thinking it's about them. It isn't.

There are solutions to this that won't cost netflix huge sums of money to deliver content, they're already using some of them - as much as I like stranger things and mr robot if these services aren't viable at a price point with the infrastructure we have and without netflix, amazon, google et al (to be fair to amazon they do have mutually beneficial traffic arrangements, google too to a lesser degree, it's mostly netflix causing the problems) et al investing then they're simply not viable.

Huawei's Honor 9: The only mobe of its spec asking 'why blow £500?'

streaky

Re: huawei and honor updates...

Can't speak for this range specifically but I've found Chinese devices to suffer with this issue badly, it's an area where Chinese tech companies need to put a bit more effort into keeping up with the Joneses. I'm always wary of more expensive items from China specifically because of this.

China plots new Great Leap Forward: to IPv6

streaky

Re: RFC 2460..

128 bit addresses don't fit in any standard data type

Define standard. Use a math lib. GUIDs are 128 bit ints too and they're everywhere. "hard" and "i can't be bothered" aren't the same thing.

Also IPv4 and IPv6 coexist happily if people stop listening to consultants who sell them stupid ways to migrate their networks. You're doing it wrong, coexistence was solved many many years ago, there's a solution for every problem and your problem might not really be a problem.

streaky

Re: RFC 2460..

Something is obsolete when the purpose it serves is better served by something more modern. Not just because it's old.

Yeah alright I may have not considered that people might assume that I meant it's old is the only reason. It's still usable but now we have new information there's technical reasons why it would be obsoleted given half a chance.

Anyway, IPv6, just do it.

streaky

RFC 2460..

Technically speaking IPv6 is RFC 1883 - it was named IPv6 and used 128 bit address space so this is arguably true - and was written in 1995. Of course they're not exactly the same spec but it's important to note how disgusting it is that a protocol that was designed so long ago that it is arguably obsolete (wall time) is hardly deployed by anybody, everybody looks like an idiot in this scenario.

IPv6 deployment is *easy* and we should stop pretending it's difficult and just get it done.

Dark fibre arts: Ofcom is determined to open up BT's network

streaky

Separation..

despite the legal separation of Openreach

I take issue with this. Despite the fanfare Openreach is "separated" from BT like Youtube is separate from Google, i.e. in name only, and not really even that. As long as we pretend they're actually distinct companies when they're not nothing will change.

Mythical broadband speeds to plummet in crackdown on ISP ads

streaky

Re: Well...

The problem is VM are really an amalgamation of lots of different networks. Some were good, some were bad and they've done nothing to improve the situation. So in some parts of the country you get advertised speeds and in other parts you get massive contention and frequent kit failures.

Worse than that there was a time when they flogged ADSL gear on BT's network branded as virgin product which did them massive reputational damage. Whoever came up with that one was a moron and should have faced the firing squad.

Abolish the Telly Tax? Fat chance, say MPs at non-binding debate

streaky

Re: "Least worst option"

To be fair they did take the head of the BBC out to the woodshed not that long back. The MPs know full well there are better options, just the kind of people who read the guardian would set their hair on fire so they're scared of pulling the trigger. Maybe after we leave the EU so they're not doing what they do best and tying up the country in court cases without merit.

streaky

Re: Threatogram received from Crapita today

I dropped them a 1 line email containing my house number, postcode and a few words stating I don't watch TV. Suddenly the letters and threats stopped..

This does work... for a time.. then it starts again. Eventually they stop reading your emails/letters and decide that you can't possibly be not watching TV because nobody does that. I usually just wait for them to show up and tell them to go fuck themselves, they normally get the message.

SSL spy boxes on your network getting you down? But wait, here's an IETF draft to fix that

streaky

Re: "it works by essentially not trusting said equipment."

Let's pretend that RIPA/ICR is supreme to the ECHR if the ECJ decides they're incompatible.

Untested and legal are not at all the same thing. It's best to just not do if you don't have an ethical sounding lawful excuse. Don't want data escaping? Restrict it to as few people as possible and do due diligence on people and not for nothing - don't allow people to connect to whatever they like. Way more reasonable and reliable than intercepting private comms and worse it's a bit bolting the door after the horse has fucked off with your customer db; who even has time to audit that much data?

If you let me have access to data and you let me connect to things if I really want to there's nothing stopping me asset stripping that data and you'd never know. Why? Because I'm competent. I don't care how good your systems are so, yeah, what's the use of your system?

streaky

Re: I don't get it.

It really is a solution looking for a problem. It's also not a solution.

streaky

Re: "it works by essentially not trusting said equipment."

a government will very much struggle to insert a CA into every citizen's device

It's not that difficult really, literally any root exploit would allow it, or they can force keys onto systems when they pass through customs. I'd assume just as likely they'd force a CA to mis-issue in controlled (targeted) numbers and nobody would notice which is what things like that HPKP are (were - RIP) for and what Expect-CT does absolutely nothing to prevent.

One assumes in China for example there's a lot of extra root CA keys nobody can explain in operating systems. We've literally had cases of this getting out and hitting the wider world and it taking a long time for anybody to notice.

Vlad the blockader: Russia's anti-VPN law comes into effect

streaky

Re: Western democracies would do this if they could get away with it

And yet here we are with no great firewall blocking out vpns and access to the actual internet.

You're confusing I don't like who won with it's not a democracy.

Easy to do when you're hiding behind AC though.

streaky

Re: Western democracies would do this if they could get away with it

Western democracies would do this if they could get away with it

"if they could get away with it" .. "democracies"

You see the problem with your argument right?

Sure of course they would but they can't so what's your point?

streaky

Re: I bet Trump......

Can't pull this stuff in the west because it'll end the economic system as we know it. I literally couldn't do my job.. They either want tax revenues or they don't and if they don't they should let me know so I can get paid in a tax haven like Branson.

Oh, Google. You really are spoiling us: Docs block cockup chalks up yet another apology

streaky

Re: Double negative

The potential for intelligence agencies must be vast.

If you build it, they will come: with subpoenas. Just because you can build it doesn't mean you should.

Completely anecdotally funny how when I have private discussions with people with my phone in the room I suddenly get adverts for that thing popping up on my phone. Funny how a lot of other people say exactly the same.

Funny how a few days ago I forwarded my Imax tickets for Thor Ragnarok to my third party email client on my phone and 2 seconds later Android is showing me Thor related adverts. Mysterious right?

Not only do they (apparently) listen in the room to *everything* being said, they also (one assumes) either read data being passed to third party apps or more likely read content from notifications from third party apps. This is of course all done surreptitiously with no way to disable it.

Donald, YOU'RE FIRED: Rogue Twitter worker quits, deletes President Trump's account

streaky

That court case would be a media circus. Twitter and Trump would probably want to stay clear. Also yeah, Twitter's own ToS and internal guidance probably validate the action.

If I was twitter I'd have workflow in place that prevents accounts of a certain size or type from being deleted without a cosign from somebody in management.

streaky

Twitter didn't say that deleted accounts aren't recoverable. They said that tweets (content) deleted by account holders are *generally* not recoverable. Doesn't seem absurd based on observations and semi-sensible engineering decisions.

Firstly - it seems like they don't delete things in real time, something comes along and jettisons things; but they're just hidden until that happens. Secondly when you "delete" a whole account it probably gets archived so it can be reactivated, even after that point. There's sensible evidence of this. If you wanted to kill all Trump's tweets you'd have to delete his actual tweets, and they'd probably live for a short period.

On top of that I wouldn't be surprised if Twitter make extra effort to back up accounts of people with large follower accounts - in case something happens. I know I would.

Jupiter flashes pulsating southern pole, boffins understandably baffled

streaky

ALIENS

Just saying, called it, prove me wrong snowflakes!

:D

RIP HPKP: Google abandons public key pinning

streaky

Re: Still waiting for DANE

It's worse than that, one of the strongest perceived threats to crypto security is state actors (well, it's not perceived, it's a fact) - and state actors in most cases will have far more ability to screw with DNS than anything else.

There's a moral hazard here though - securing PKI this way calls PKI's existence into question. If a domain owner can specify keys for sites it operates and DNS is cryptographically secured in terms of data content (records signed by domain controller, as opposed to the DNS provider) then PKI providers will probably face questions about the necessity of them continuing to exist. Security of DNS record would be the prime concern of domain registrars and DNS providers but when DNS is secured properly and you can specify any key and it's equally secure as PKI infrastructure would otherwise be (and arguably more so) then they're going to have an issue. That's why expect never to actually see a secure DNS system; because it's not in the cert authorities' best interest to secure it.

streaky

Problem with PKP

Basically if you had a problem with your cert and needed to drop it you were up shit creek with a conventional cert deployment, PKP makes sense only if it's long-lived so you had to maintain two (or more) separate certs for every domain and ensure those digests are both being sent to clients, it's not a cost issue it's a complexity/maintenance issue. Without a backup cert if you year-long your PKP header and your cert is compromised or similar in the first few months any client that connected in those first months won't be able to connect to your server. Your backup cert can't be near production servers either because if your main cert is compromised your backup one probably would be too so how do you digest it to clients? It's a nightmare to maintain that sort of set up.

Behaviour of browsers with regards to what happens on revoke with PKP isn't well defined and behaviour of CA's themselves with regards to cert revocation itself isn't well defined - and that's ignoring misconfiguration giving people completely unusable domains for year-plus periods - and all this has obviously led to poor uptake of the technology.

That being said the principle of the domain owner/admin being able to specify precisely which certificates are allowed to serve the domain is a very powerful tool when clients respect it. It's just not clear if there's another way to offer the same level of protection (cert transparency doesn't, although it potentially has a wider appeal and may or may not be "enough" protection). This is one of the reasons we need to do a better job of securing zones - which DNSSEC equally isn't up to the task of. Once we have a secure DNS system we can tag keys to domains in a more reliable and secure way and tools like PKP and cert transparency will be completely unnecessary.
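An added illustration of the lockout described in the post above (not part of the original post or thread): a simplified model of a pinning client in the style of RFC 7469, run against a key compromise at day 60 of a one-year pin. The key blobs, `PinningClient` and `simulate` are hypothetical names and constructed data; real pins are computed over the DER SubjectPublicKeyInfo of a certificate.

```python
import base64
import hashlib
import re

DAY = 86400  # seconds


def spki_pin(spki: bytes) -> str:
    """RFC 7469 style pin: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def pkp_header(spkis, max_age: int) -> str:
    """Build a Public-Key-Pins header value pinning every key in `spkis`."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(s) for s in spkis)
    return "%s; max-age=%d" % (pins, max_age)


def parse_pkp(header: str):
    """Return (set of pins, max-age in seconds) from a header value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    age = re.search(r"max-age=(\d+)", header)
    if not pins or age is None:
        raise ValueError("header needs at least one pin and a max-age")
    return pins, int(age.group(1))


class PinningClient:
    """Hypothetical, simplified pinning client that remembers pins for one host."""

    def __init__(self):
        self.pins = set()
        self.expires = 0

    def connect(self, now: int, served_spki: bytes, header: str) -> bool:
        pin = spki_pin(served_spki)
        # Unexpired pins and no match: hard failure, the new header is never read.
        if now < self.expires and pin not in self.pins:
            return False
        new_pins, max_age = parse_pkp(header)
        # Note pins only if the served key is pinned and a backup pin is present.
        if pin in new_pins and len(new_pins) >= 2:
            self.pins, self.expires = new_pins, now + max_age
        return True


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
KEY_A = b"constructed-spki-live-key"
KEY_B = b"constructed-spki-backup-key"
KEY_C = b"constructed-spki-next-backup"
KEY_D = b"constructed-spki-emergency-key"


def simulate(backup_usable: bool) -> dict:
    """Live key A is compromised on day 60 of a one-year pin on {A, B}.

    backup_usable=True:  B was kept away from production; the site moves to B.
    backup_usable=False: B sat next to A and is burned too; the site must use D.
    """
    year = 365 * DAY
    returning, fresh = PinningClient(), PinningClient()
    first = returning.connect(0, KEY_A, pkp_header([KEY_A, KEY_B], year))
    if backup_usable:
        served, header = KEY_B, pkp_header([KEY_B, KEY_C], year)
    else:
        served, header = KEY_D, pkp_header([KEY_D, KEY_C], year)
    return {
        "first_visit": first,
        "returning_day_60": returning.connect(60 * DAY, served, header),
        "fresh_day_60": fresh.connect(60 * DAY, served, header),
        "returning_day_366": returning.connect(366 * DAY, served, header),
    }


if __name__ == "__main__":
    for usable in (True, False):
        print("backup usable:", usable, simulate(usable))
```

With the backup burned, only clients that visited before the compromise are locked out, and they stay locked out until their stored pin expires; first-time visitors connect normally, which is what makes the failure hard to spot from the server side.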

The EU is sooo 2016. We're all about the US now, say Brit scaleups

streaky

However I don't see how Not having access to the EU talent pool will help compete against US companies

This is where your post goes off all half-cocked. We're not talking about nobody will ever cross the channel ever again. We're talking about leaving the EU. We're talking about ending the no questions asked, no validation needed, no case need be made immigration system and replacing it with one fit for purpose. How effective it'll be is a question for another day but once we have a government that is allowed to tailor the system to fit we can boot them out if they're getting it wrong and opt for another choice.

The only way to make this work is for the UK to leave the EU, so that's what we have to do.

My bet is that the UK will not do better trade deals on its own simply because "There is strength in numbers"... and I don't see what leverage the UK will have when negotiating with larger economies

Dunno, what leverage does Switzerland have? What leverage does Singapore have? We know we can be more competitive and operate fairer terms with most of the world's economies than the EU allows its trading partners so I don't really see the issue. The other leverage is that because we're not massive with a massive complicated pile of interplay issues - and one voice and nobody to need to horse trade with - the deals themselves don't have to be nor will be massively complicated. The EU's size is a barrier to trade deals, that's why the EU is still negotiating with China about negotiating to have talks. The supposed Japan deal will never get off the ground and neither will the EU's fabled merging of EU and NAFTA.

streaky

About half the immigrants are from outside the EU and the UK has always had full control over them.

Whilst *technically* true isn't *functionally* true. For every carrot picker we bring in from Poland we lose space for a high skill employee doing something of high economic value. It's just the reality of the world. Government needs to be seen to not be trying to replace the native population wholesale and to do that needs to curb immigration from outside the EU. Not to say everybody coming from the EU is low skilled but it's a more than significant proportion. Not to say that low skilled immigration isn't often useful - but there's absolutely no way to control it, and that isn't healthy when those people's costs and expectations of living standards are different to the native population's.

if you want to become totally dependent on imports for food - not something that sounds v sensible

Not *totally* but at the same time there's no reason for the UK to grow a lot of food that we do. We should stick to what we're good at and has value and import the rest. Get a bit of peace and prosperity going in Africa (I could talk about the effect the CAP has on the economy of Africa and why it causes the mass immigration and frankly civil war that everybody is tearing their hair out about in Europe without looking at the actual root cause of for days) by helping them grow things that grow well there, buying things that grow well in other places from there. The economics of this are well documented and known to the EU but they refuse, pointedly, to take action on it because they don't want French farmers spraying shit up the side of the EU buildings in Brussels, which is apparently a good excuse(?!).

Of course, you can import your strawberries from the Netherlands, but that's going to increase the cost to consumers.

We import strawberries from all over the world anyway, best I've had in recent years not from PYO were from California and Israel (not in the EU). Most UK grown strawberries are left for PYO, not a whole lot go to supermarket - the main bulk in supermarkets are from Spain and North Africa (Morocco et al - also not in the EU).

Also yes, fwiw, we absolutely shouldn't have a problem with importing food from other countries. We do it anyway so what's the point in haggling over percentages?

streaky

Please give an example of such a roadblock which limits your opportunity to export.

Didn't say export, I said trade. Both ways, and including costs of operating as business. But now you mention it - the EU's unnecessary trade war with China making it difficult to import goods into the EU at a fair price so instead we have to buy overpriced German equivalents in markets like I don't know, solar panels, which are a fairly big deal in the UK at the moment so we're having to ultimately pay more for our energy than we otherwise would because unlike Germany our energy market isn't trying to be as polluting as is absolutely possible?

Now this is the part where you say China is dumping solar panels on the market and not selling them at market price - but here's the thing that will blow your mind: the market price isn't what the European Commission says it is - it's their price... on the market.. Cheap solar panels is a good thing, it's a position to be abused to get cleaner energy at a lower cost, but we can't have nice things because of Germany and Spain. If China wants to subsidise the European energy market with no strings attached we should let them - in fact we should beg them to do it.

Here's another: GDPR creating unnecessary rules regarding the handling of data that will turn the entire EU into the digital third world by making handling EU citizens' data far more expensive than it needs to be but not in any way more secure and nobody will want to do business with them who has a business that requires handling personal data to function and is willing to follow the rules.

I could keep listing these but suffice it to say being in the EU makes operating more expensive for any country/business who follows the rules. Now if you want to play a game of Germany not playing by the rules at the expense of everybody else I could make a list of that too but you're all brainwashed so I'm fully aware that truth upsets people.

streaky

I'm yet to see any tangible upsides to leaving the EU for the UK

Because we can trade with the rest of the world without the EU throwing up roadblocks every 30 seconds? Because we can get an immigration system that's fit for the economy we want as opposed to an immigration system fit for an economy with loads of people doing the kinds of work the UK has no business doing like, I don't know, labour-intensive low-value farming?

I could go on for days listing reasons but suffice it to say there's a huge list of upsides and absolutely no downsides.

streaky

I don't recall a single British company improving anything upon entering any market in the EU

Really.

Some people are in for a shock.

EU: No encryption backdoors but, eh, let's help each other crack that crypto, oui? Ja?

streaky

Re: The utter fools

We don't need backdoors, but we'll do our best to help our neighbours create them so we keep our hand clean politically.

Wouldn't worry about it, this [capability] is so secretly guarded as state secrets it doesn't even pass around Five Eyes, there's no chance the Germans (who are most capable in this field in the remaining states when the UK leaves) are going to help the French or the Spaniards or whatever to break crypto that's protecting their own security services and as an afterthought citizens. Hell will freeze over first.

Commission doing what it does best and wasting everybody's time.

Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

streaky

Re: Hiding activity?

Amusing downvote.

I do enjoy the idea that the system isn't built to rectify impossible car journeys though, carry on.

streaky

Re: Hiding activity?

What's that Skippy? They already do? But the crims ignore the ban?

Pretty readily caught too. Try it yourself, see what happens. No? Exactly.

Russia tweaks Telegram with tiny fine for decryption denial

streaky

Re: But..

It is not dissimilar to the UK where magistrate courts do not set precedent while a jury one does.

This case would be nowhere near a magistrate in the UK.

streaky

But..

does seem to entrench the principle that the Federal Security Service of the Russian Federation (FSB) can demand decryption

It also entrenches the principle that the Russian legal system isn't competent. Here's where this takes a turn for the silly:

The governments in most western nations like to talk a good game on crypto, they like to engage in hacking via security services. They like to sabre rattle about backdoors. A case like this wouldn't pass the laugh test in a western court room.

Why? Because western courts acknowledge the difference between choosing not to do something and not being able to do something. It's simply not possible (they could maybe ask Snowden for advice, given how much he trusts it) for telegram to decrypt user messages. Not without being backdoored anyway. It certainly isn't in the realms of possibility to do it retroactively, and that's why it wouldn't get through a court.

And that kids, is why Russia will always be regarded as a banana republic.

Ex-Autonomy CFO begs court to toss out US fraud allegations

streaky

Never been a better time, we're finding out who our friends and more importantly enemies are.

streaky

Except..

fails to allege any action taken by Mr Hussain 'in connection with' US-listed securities

I have no love for the way the US nor HP has behaved in this case but it *is* directly affecting a US-listed security. HP's. The allegation is HP were defrauded, I don't really see how that's a defence.

What is a defence is it would appear that HP are full of shit and didn't appear to do effective due-diligence. If anybody should be prosecuted it's HP's former CEO, which is why HP settled their case with shareholders, they know full well who is at fault.

1,000 jobs on the line at BAE Systems' Lancashire plants – reports

streaky

Re: How to solve Brexit.

The UK is at technical 100% employment, doubt workers such as these will have too many issues finding jobs.

If you want to feel bad for somebody feel bad for the poorly educated populace of the country who can't compete with at and below minimum wage workers imported by a country of business that doesn't want to invest in the native population's education and training nor pay appropriate wages for somebody settled here for the long haul.

Also it clearly has nothing to do with brexit, BAE Systems are firing on all cylinders.

Foiled again! Brit military minds splash cash on killing satellites with... food wrapping?

streaky

It is remote and flat enough that Musk could land one of his rockets on it.

Not about landing.

UK has no interest in rocketry, once again we're leading the world in aviation technology only this time we won't have to give it away to buy the US into a world war.

The equator argument involves invalid suppositions about what's happening here. We don't need to save fuel because we're not leaving the atmosphere the silly way. By the way you know you can fly to the equator and then burn fuel into space right?

Sole Equifax security worker at fault for failed patch, says former CEO

streaky

So..

1. Run Nessus

2. ????

3. Profit!!!

This can't possibly be how a fortune 1000 company and one of the world's largest holders of critically private personal information secures data. Where's your fucking red team?

Shit is cultural from the CEO down.

HPE coughed up source code for Pentagon's IT defenses to ... Russia

streaky

Re: Did I understand this right?

had been deployed in the wild for several years before someone noticed it.

Of course, but it's the wrong argument. The question is security of what's deployed. Who knows what monsters are in closed source code. The reason that HB lasted so long is that it's a difficult one to spot even when you have the source code in front of you.

You can't pick on Heartbleed nor can you actually pick on Microsoft and say "these are reference examples useful for statistical analysis". I'm not saying Open Source code is more secure, I'm saying it's impossible to determine which is more secure without doing something like who has more unpatched critical exploits against their systems, who's making it hard for sysadmins to get those patches out to their servers. Neither of those things are actual identifiers of underlying code quality though - the key question is if you have a closed source system and a hostile actor sees the code how deep is the doodoo you're swimming in, is it just above your head or not..

streaky

Re: Did I understand this right?

It's not hard to build a system that can give you sane assurances about this all the way down to the hardware level. That's the joy of reproducible cross compiles. You can take two completely independent systems like say for example a KOMDIV-64 built in Russia with MIPS arch and cross compile to x86_64 binaries on linux, take a core i7 and compile and compare the binaries. If they match then it's impossible to assert that any of the architectures themselves are compromised in respect of compiling things. That's beyond the fact it isn't really worth anybody's time. There's an ongoing cross-compile project with Debian that could disprove (or indeed prove) the assertion accidentally that an arch is compromised in this respect.

The real issue (threat) is compromise of the source itself. Even large open source projects aren't super difficult to infiltrate if you're a competent developer; somebody who had done that could potentially drop something in to a tool chain and maybe nobody spots it. That's the real sideways threat that Heartbleed actually did allude to, but yes you can prove binary sanity throughout a system - by using another system that's built completely independently; even better by using one that's built in a country that's deeply paranoid about the one you're testing.

streaky

Re: Did I understand this right?

when it comes to security, open source isn't much better

Not entirely sure what you're trying to claim here but you're missing key facts. First heartbleed was Open Source working like it's supposed to. Security researcher discovers flaw by analysing the code. Security researcher notifies the developer, it's patched and fixes are pushed. When that's all sorted a public information campaign takes place to alert sysadmins that there's a critical vulnerability and people shouldn't screw around with it. If people don't patch their systems in that environment that isn't a flaw of the open source model, it's a flaw of sysadminery.

You simply can't do comparative analysis of open source versus closed source, there's no data to know how many new vulnerabilities in closed source systems there would be were a comparable number of researchers given access to closed source systems' code. What we know is people have absolutely no problem finding critical flaws in say the Windows code, basically constantly.