* Posts by Loyal Commenter

5761 publicly visible posts • joined 20 Jul 2010

Rookie's code couldn't have been so terrible that it made a supermarket spontaneously combust... right?

Loyal Commenter Silver badge

Re: Computer room shutdown

I seriously hope that "electrical work" was fitting a UPS!

BOFH: 7 jars of Marmite, a laptop and a good time

Loyal Commenter Silver badge
Boffin

Re: Surprise!

Indeed, I was expecting something more, ahem, current?

Loyal Commenter Silver badge
Holmes

Re: Does what it doesn't say on the tin

Any true Englishman buys their marmite in 600g tubs from a wholesaler.

NTT boffins reckon they’ve out-randomed current quantum random number generators

Loyal Commenter Silver badge

Re: Diode

I would imagine this then gets turned into 1s and 0s by doing something like measuring how many electrons tunnel in a given time interval, and assigning this a 1 or 0 depending on whether it is above or below a certain threshold, which would be at the middle of the normal distribution.

This is all well and good, but such things vary with temperature, with electrons tunnelling more frequently at higher temperatures.

If you can keep them strictly temperature controlled, you could scale them out for a higher bitrate. Diodes are cheap, and you can stick a hell of a lot of 'em on one chip.

Loyal Commenter Silver badge

Re: Diode

Does a noisy diode give you a truly random stream of 1s and 0s though?

Statistically, if a bit stream is truly random, there is no way of predicting what the next bit will be, or even how likely it is to be a 1 or a 0.

I suspect a noisy diode may not be truly random (but random enough for many applications). For example, if you are sampling at a known interval, you may be more likely to get a series of the same bit than not (for example 0000 or 1111 may be more likely than 0101 or 1010, whereas with a true random distribution, each of these sequences should be equally likely), or if looking at the time between flipping between 1 and 0, the distribution may not be random, or may change over time, or with temperature, so that it cannot be normalised against a known distribution, which would bias the distribution towards more 1s or more 0s.

For most applications, where you probably just want a bit of randomness, but it's not critical that it's truly random, this isn't important. For cryptographic purposes, it is very important. For instance, if it is known that a source of randomness frequently gives long sequences of the same bit, this could drastically reduce the expected time to brute-force a key, by focusing on keys with repeated bits in first. Ditto for if it is known to give 60% 1s and 40% 0s.
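The two defects described in this post (a 60/40 bias and runs of repeated bits) can be measured rather than suspected. The following is an added example, not from the thread: it scores a bit stream on the monobit and runs statistics, quantifies what a bias costs a key in entropy, and applies von Neumann debiasing. The two sources are constructed stand-ins for a threshold-sampled noisy diode, not real hardware data.

```python
import math
import random


def bit_frequency(bits):
    """Fraction of ones (the 'monobit' statistic)."""
    return sum(bits) / len(bits)


def shannon_entropy_per_bit(p_one):
    """Entropy per output bit of an independent source with P(1) = p_one."""
    if p_one <= 0.0 or p_one >= 1.0:
        return 0.0
    p_zero = 1.0 - p_one
    return -(p_one * math.log2(p_one) + p_zero * math.log2(p_zero))


def effective_key_bits(nominal_bits, p_one):
    """Entropy actually present in a key drawn bit-by-bit from that source."""
    return nominal_bits * shannon_entropy_per_bit(p_one)


def count_runs(bits):
    """Number of maximal runs of identical bits (NIST SP 800-22 runs statistic)."""
    return 1 + sum(1 for prev, cur in zip(bits, bits[1:]) if prev != cur)


def expected_runs(n, p_one):
    """Expected run count for an independent source with the same bias."""
    return 1 + 2 * (n - 1) * p_one * (1 - p_one)


def assess(bits):
    """Summarise a stream: bias, and observed runs against the count its own
    bias predicts. A ratio well below 1 means bits repeat more than
    independence allows, even when the 0/1 balance looks fine."""
    p = bit_frequency(bits)
    runs = count_runs(bits)
    return {"p_one": p, "runs": runs, "runs_ratio": runs / expected_runs(len(bits), p)}


def von_neumann_debias(bits):
    """Pair up bits: 01 -> 0, 10 -> 1, drop 00 and 11. Removes bias from an
    independent source (throughput falls to roughly a quarter) but does not
    repair serial correlation, so only apply it once the runs check passes."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


# Constructed stand-ins for the two defects the post describes; not diode data.
def biased_source(n, p_one, seed=1):
    """Threshold sampling with the threshold off-centre: e.g. 60% ones."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def sticky_source(n, p_stay, seed=2):
    """Balanced on average, but each bit repeats the previous one with P = p_stay."""
    rng = random.Random(seed)
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < p_stay else 1 - bits[-1])
    return bits


if __name__ == "__main__":
    n = 100_000
    print("biased  :", assess(biased_source(n, 0.6)),
          "-> a 128-bit key holds %.1f bits" % effective_key_bits(128, 0.6))
    print("sticky  :", assess(sticky_source(n, 0.8)))
    print("debiased:", assess(von_neumann_debias(biased_source(n, 0.6))))
```

The sticky source passes the monobit check and fails the runs check, which is why a frequency count alone says nothing about whether a source is usable for keys.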

Loyal Commenter Silver badge
Paris Hilton

Re: Silly

What the actual shuddering fuck are you talking about, man?

To those of us who have studied the physical sciences, you might as well be talking about harmonising your chakras through the use of magic crystals. It sounds like your base chakra might need recharging; if you bend over, I'll get my rubber gloves on and insert one for you.

Ever felt that a few big tech companies are following you around the internet? That's because ... they are

Loyal Commenter Silver badge

Re: Not quite true

You can have your site hosted on Azure, sure. You'll probably be using your own domain name as well, so nothing need be loaded from any Microsoft domain, certainly not any other than the azure domain(s).

The same goes for AWS - you might need to load some "cloudy" stuff from an AWS domain, if that's where your hosting is, and you don't have something sat in-between on your own domain, but you sure as hell don't need to be doing so from an Amazon one.

The whole point of these hosted environments is that it's your data in your environment, hosted by Azure, or AWS, or whatever. If MS or Amazon started poking around in those environments then people would stop using them and involve the lawyers pretty quickly.

As I said in another post, there's nothing to stop the web back-end of any site from sending your data on to anyone else they like in a technical sense. In the EU, there's GDPR to make it a very expensive mistake to do so, and in the UK as well, for the time being, until the extreme free-marketers in government take those protections away.

Loyal Commenter Silver badge

Re: Dogfood

I have Adblock Plus running as well, they are probably cookies from the adverts that aren't being loaded. As far as I am concerned, ads are nothing more than malware vectors.

Loyal Commenter Silver badge

Re: Not quite true

Plus, of course, there's no way of knowing whether the site in question is passing any or all of that tracking information onto other companies through the back-end; this only applies to things they try to load into your browser, which, as you correctly point out, anyone with any sense is blocking already.

Loyal Commenter Silver badge

Re: Dogfood

NoScript is currently blocking the following on this site:

doubleclick.net (ad spewer)

google-analytics.com (creepy tracker)

googletagmanager.com (also creepy tracker)

As far as the number of things to block to avoid tracking, El Reg is by no means the worst of the news sites. The Independent, for example, has a good two dozen various domains it pulls things from, some of which are obvious advertisers/trackers (there's not a lot of difference between the two any more), some are more opaque.

As a rule, I have everything blocked by default, and then if the web site doesn't work, I allow domains one-by-one. If it won't work without me allowing a domain I have previously explicitly blocked (such as doubleclick), then it's pretty obvious that the purpose of the site is to get advertising revenue, and not to provide any useful information, and I go elsewhere. The same goes for any site that has an "ad-blocker" popup. If it can't be easily removed by hitting F12 and setting the display attribute to none, then I'll go elsewhere.

I'm certainly not going to let any scripts run from such dubious sites as the Daily Heil, the Scum, or the Ex-press, so if something directs me to one of them, I figure I can find the actual information elsewhere anyway, without having to read past the right-wing editorial and interpretation of the facts.

Forget GameStop: Keyboard warriors and electronic trading have never mixed well

Loyal Commenter Silver badge

Re: Ignisecond, n.:

I'm assuming that this was somewhere where you couldn't just dial 100 for the operator? I think that still exists, although I believe it stopped being free long ago, when BT, as a no-longer-publicly-owned entity decided it was something that could be charged for...

UK watchdog fines two firms £270k for cold-calling 531,000 people who had opted out

Loyal Commenter Silver badge

Re: Fines are not fine

It probably means that the individual fines in the US are much higher, like their habit of awarding $Xmillion damages in civil court cases, and handing out prison sentences totalling multiple lifetimes.

Loyal Commenter Silver badge

Re: The scams will continue until things change....

Registering as a director of a company whilst banned should be a criminal offence, as is, for instance, driving whilst banned. Arguably, it's just as dangerous to the public, if not more so.

Loyal Commenter Silver badge

Re: The scams will continue until things change....

Well, the ICO did also essentially say that they probably won't bother to use those powers, so carry on, as you were...

Loyal Commenter Silver badge

Re: The scams will continue until things change....

...the company went bust in March 2020, owing approximately 250K to HMRC + other creditors ... It looks like the company actually went bust properly,

Or perhaps the sole director paid himself a nice salary, ran up debts in the name of the company in order to pay that salary, and then had the company file for bankruptcy, keeping the proceeds. À la Donald Trump.

Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg

Loyal Commenter Silver badge

Re: The impossible bus

My understanding is that it passed the QA, because they slipped an extra component into a multi-layered PCB. Reading between the lines, that's another chip underneath an existing chip. How is QA going to spot that? Especially if it's surface-mounted and there are no tracks showing on the other side of the board.

Let's also bear in mind that if this has actually taken place, the "bad actors" in this case are almost certainly backed by the Chinese state, so won't exactly be short of resources to make sure such things are well hidden.

It's not going to be like chipping a PS1.

Loyal Commenter Silver badge

Bruce Schneier featured this on his blog:

On Saturday:

https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html

Interestingly, when the story first broke in 2018, his take was that, whilst it sounded plausible, he didn't actually believe it. It seems that more has come out since, but details are necessarily scant, because it's spook vs spook stuff.

Also, just a couple of weeks ago, he had this on his blog:

https://www.schneier.com/blog/archives/2021/01/injecting-a-backdoor-into-solarwinds-orion.html

Which appears to be a practical implementation of Ken Thompson's famous backdoored compiler exploit.

It struck me, when reading both, that one is essentially a hardware analogue of the other - in other words, unless you can personally verify every single stage of the physical process of building hardware, you can trust none of it, just as, unless you can verify every step of the process of building software, including the veracity of the toolchain (and the tools used to build that), then you can't trust any of it either.

The only way you can find out is either with a microscope (in the case of hardware) or with byte-by-byte examination of the object code (in the case of software). With the complexity these days of both, it really is a case of, unless you already suspect something and have some clues about where to look, such changes are practically invisible to casual inspection.

This leads me to wonder whether this is actually a use case for "AI" - hardware / object code inspection for anything that looks awry as a pre-pass before humans take a look. You'd have to make sure it was well-trained to keep the false positives down, whilst at the same time avoiding too many false negatives.

Housekeeping and kernel upgrades do not always make for happy bedfellows

Loyal Commenter Silver badge

Re: Delete is written rename

If you have passwords (or any type of credentials) in config files, you are doing it wrong.

Dept of If I'd Known 20 Years Ago: Call centres, roosting chickens, and Bitcoin

Loyal Commenter Silver badge

I do have 1 bitcoin which I bought when they cost around £60 as an experiment.

I wish I had done the same, that 1 BTC is now worth around £35k (at the time of writing), or put another way, 57,000% profit.

Loyal Commenter Silver badge

I spent about £150 on a couple of USB "miners", a hub and Raspberry Pi in around 2014 as a curiosity and set them to mining in a pool (the odds even then of actually mining a block yourself were tiny). I turned them off some time in 2016 when the cheapo 5V power supply I was using for the RaspPi popped a capacitor, at which point it was taking several months to get a single "share" of 0.001 BTC on the mining pool.

I ended up with slightly under 0.01 BTC in total, at the time it was worth about half of what I had "invested", not counting electricity costs, but was interesting as a curiosity.

It's currently worth a little over £3K. With the way the price is bounding about, tomorrow it could be £5K, or equally well £1K.

As a serious investment, it is far too risky, and I haven't yet found a safe and convenient way to actually sell my "holdings". Maybe if the price continues to rise as it has done in the last year, regulators might start to take notice, banks might take it seriously, and I won't have to take a risk with some random "cryptocurrency exchange" that might disappear overnight in order to cash out.

If the price continues to rise, it might get to a point where I can sell a small amount for whatever the lower limit is for Capital Gains Tax and treat it as an annuity. It might be at that level in 5 years time. It might also be at 0. It all depends on what people are prepared to pay for it, and whether it eventually collapses...

We know it's hard to get your kicks at work – just do it away from a wall switch powering anything important

Loyal Commenter Silver badge

Re: My favourite one....

There's a special level in hell reserved for whoever designed the RJ45 plug, with the "handy removable tab for easier insertion/removal".

Loyal Commenter Silver badge

Re: Confession

I always knew them as Motherf**kers International. Probably just my puerile mind though.

British owners of .eu domains given an extra three months to find a European address

Loyal Commenter Silver badge

To be fair, there's nowt much more toxic and moribund than the board of Nominet.

Loyal Commenter Silver badge

Re: Good read

What amuses me is the idea that sticking another gov on top with its own gross incompetence makes things any better? Are you one of those remainers who thinks we should have joined the EU procurement plan for ventilators and vaccine? Or are you glad we have some?

I think you have, as ever, missed the point of the EU. It's not there as "another gov on top", it is a mechanism for the governments of the member nations to cooperate, because if they don't cooperate, what you get is nationalism, and nationalism is the height of stupidity and leads to wars.

I'm not going to claim that the EU parliament always gets it right, but its workings mean that more often than not, cooperation is needed between nations for anything to happen, unlike our parliament, which has an unelected second house that cannot enforce amendment or oversight of policies dictated by the majority party in the commons.

Moving onto your second point, I'll not argue that EU procurement has been perfect either. However, I reckon we would have done well to have joined in with the PPE procurement which was offered to us and our arrogant leaders chose to ignore and pretend they hadn't got the emails. In case your memory doesn't stretch back more than a few months, last spring, our government was giving our PPE contracts to mates of mates, pest control firms, and some dodgy suppliers in Turkey, where whole shipments of unsafe PPE had to be scrapped at huge costs to the taxpayer. If you think the EU procurement was worse than ours, or indeed anywhere near as bad, then your spectacles truly are rose-tinted.

Loyal Commenter Silver badge

Re: Good read

You must be squinting pretty hard to see that through the miasma of gross incompetence our own government is radiating. The only thing they have got even half-right in the last year is the vaccination programme. If there ever was a place to go to see "spite, general incompetence and ignorance", it's our current government under the control of ignorant brexiters.

Loyal Commenter Silver badge

Re: The UK is in Europe!

Lucky indeed, as they tended to get the ones that are so bad they can't even get elected as MPs here, seven times. I really despair of my fellow countrymen, when so many thought it would be a grand idea to vote Nigel Farage into a job he didn't even bother to turn up to most of the time.

Loyal Commenter Silver badge

Re: We are still in "Europe"

To me, .eu means being in the EU. Wikipedia has this to say on the subject:

.eu is the country code top-level domain (ccTLD) for the European Union (EU). Launched on 7 December 2005, the domain is available for any person, company or organization based in the European Union. This was extended to the European Economic Area in 2014, after the regulation was incorporated into the EEA Agreement, and hence is also available for any person, company or organization based in Iceland, Liechtenstein and Norway.

I'm pretty sure we could have asked to be included as well, in our amazing brexit deal, but, as with arranging visa-free travel for touring musicians, which was on offer, our shitty government went for the "leave means leave" attitude and fucked it off.

Also, you might need to check where Sinn Féin are based; last time I walked past it, their headquarters was in Dublin, which very much is within the EU.

Loyal Commenter Silver badge

Toxic and moribund people, such as leave.eu, perhaps?

Someone tried to poison a Florida city by hijacking its water treatment plant via TeamViewer, says sheriff

Loyal Commenter Silver badge

Re: Lye?

You're correct in thinking it's not in common use in the UK any more. It's more commonly known as caustic soda, or occasionally sodium hydroxide. I think lye is no longer in common use, as people don't tend to use wood ash to make their own soap from tallow any more. You might still find the word in use in some industries such as tanning or soap making, as a technical term, but you'd have to ask them...

Loyal Commenter Silver badge

The UI may have allowed the entry of those numbers, but I seriously doubt the dosing system would get anywhere near that before it topped out. I also doubt the feedstock would last very long if it could. After all, if they need to add a small amount.

Assuming the 100ppm is by molar amount, not weight, that works out as about 45g per tonne of water (1,000 L, or one cubic metre) - Let's say this is a processing plant for 10,000 people (apparently the population of Oldsmar is about 14,000), and the average US person apparently uses 0.4 m3 of water a day, so the daily usage for that level of water treatment would be 180kg.

Up that by a factor of 1000, and that's 180 tonnes. Let's surmise that this starts with a hopper containing pelleted NaOH, which might contain 1 tonne, or enough for about 5 1/2 days. It's presumably someone's job to keep that topped up. I'd guess at the start of their shift, they check the level and top it up. It's going to empty well before the concentration gets anywhere near 100,000 ppm, and no doubt there would be alarms going off everywhere, from pH monitors, feedstock level indicators, flow measurement, et al.

Loyal Commenter Silver badge

Re: Lye?

It will be a word familiar to anyone who has read the Gashlycrumb Tinies.

J is for James Who Took Lye by Mistake

Loyal Commenter Silver badge

Re: Internet of Shit

I think the probable result, if it hadn't been caught, would be the entire stock of NaOH being emptied into the supply, and swiftly running out. Because it's nasty corrosive stuff, they're not going to be having a huge mountain of the stuff, and they'll probably only have enough for a week or month at a time. The mechanism for pumping it into the water supply probably wouldn't have been capable of pumping at 10,000 times the normal rate, and I'd be amazed if there aren't also sensors to check the resulting pH downstream, with alarms and cut-offs. It's not like such systems could be prone to failure of a more prosaic nature (such as mechanical), and would therefore have fail-safes.

The net result, if it hadn't been noticed would probably have been the dumping of a few hundred litres of NaOH solution into a processing tank, and then the pump shutting off as it tries to pump air, followed by another pump shutting off when that gets a short distance downstream, a cut-over to a secondary system and a very brief dip in the town's water pressure.

The biggest risk would probably be from the fact that diluting NaOH is exothermic, and thus you'd potentially end up with a whole load of dilute warm NaOH to dispose of, and a load of processing infrastructure that needs a good scrub down before it can be brought back online.
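The feedstock arithmetic in the two posts above (45 g per m³, 10,000 people at 0.4 m³ a day, a one-tonne hopper) carried through in code, together with the check that belongs in the controller rather than the HMI: a setpoint beyond what the dosing pump can deliver is rejected and alarmed, not silently accepted. This is an added example, not from the thread; the pump ceiling of 2× the design rate is an assumption.

```python
from dataclasses import dataclass


@dataclass
class DosingPlant:
    """Plant figures are the commenter's estimates; pump_max_multiple is assumed."""
    dose_g_per_m3: float = 45.0            # NaOH mass per m3 at the normal 100 ppm dose
    population: int = 10_000
    usage_m3_per_person_day: float = 0.4
    hopper_kg: float = 1_000.0             # one tonne of pelleted NaOH
    pump_max_multiple: float = 2.0         # assumed: dosing pump tops out at 2x design rate
    design_ppm: float = 100.0

    def daily_water_m3(self):
        return self.population * self.usage_m3_per_person_day

    def daily_naoh_kg(self, multiple=1.0):
        """NaOH consumed per day when dosing at `multiple` times the design rate."""
        return self.dose_g_per_m3 * multiple * self.daily_water_m3() / 1000.0

    def hopper_hours(self, multiple=1.0):
        """Hours until the hopper runs empty at that rate (i.e. the refill interval)."""
        return self.hopper_kg / self.daily_naoh_kg(multiple) * 24.0


def validate_setpoint(plant, requested_ppm):
    """Bound the setpoint where it is acted on, not only where it is typed in.
    A request the pump cannot physically meet is refused with an alarm so the
    attempt is visible, rather than clamped and quietly applied."""
    if requested_ppm <= 0:
        return {"accepted": False, "alarm": "non-positive setpoint"}
    multiple = requested_ppm / plant.design_ppm
    if multiple > plant.pump_max_multiple:
        return {"accepted": False,
                "alarm": f"setpoint {requested_ppm:g} ppm is {multiple:g}x design; "
                         f"pump limit is {plant.pump_max_multiple:g}x"}
    return {"accepted": True, "alarm": None,
            "hopper_hours_at_setpoint": plant.hopper_hours(multiple)}


if __name__ == "__main__":
    plant = DosingPlant()
    print("normal : %.0f kg/day, hopper lasts %.1f days"
          % (plant.daily_naoh_kg(), plant.hopper_hours() / 24))
    print("1000x  : %.0f kg/day, hopper lasts %.0f minutes"
          % (plant.daily_naoh_kg(1000), plant.hopper_hours(1000) * 60))
    print(validate_setpoint(plant, 100_000))
```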

CD Projekt Red 'EPICALLY pwned': Cyberpunk 2077 dev publishes ransom note after company systems encrypted

Loyal Commenter Silver badge
Joke

Re: Air-gap

With wireless technology everyone can be air gapped!

Loyal Commenter Silver badge

Re: Air-gap

Do you know anyone who drives a car made by a UK owned car company? One that is still UK owned? I don't think I know anyone at all who owns a Morgan, McLaren, or Caterham, and I know a few people who are actual classic car collectors (one tried to offload a Ford Model T ambulance on me, I wasn't biting!)

EncroChat hack case: RAM, bam... what? Data in transit is data at rest, rules UK Court of Appeal

Loyal Commenter Silver badge

Re: Android or iOS

I think they may have had a point about iPhones though. Whilst the phone may be secure, I believe there are a number of hoops to jump through to get an app onto an iPhone, which can only be done via their app store. This means that Apple have a review process, where they could be compelled by law enforcement agencies to amend the app they make available, and to do so in secret. From the perspective of the makers of EncroChat, this is a security risk.

Android has similar provisions with apps on Google Play. However, Android phones allow side-loading of apps (if you enable it), which allows any APK to be installed. I'm assuming this is how EncroChat is distributed to users. If not, then it could be back-doored by Google on the request of law enforcement agencies.

As it is, these considerations have no bearing on whether or not the OS itself can be back-doored, and it's not too much of a leap-of-faith to think that both Apple and Google may have been compelled to produce back-doored versions for law enforcement use, which such agencies could then arrange to be patched onto target phones via OTA updates. Such patches could be things such as allowing a snapshot of the device's memory, or the portion of memory allocated to a specific process, along with all sorts of other things. Once again, one would hope that such things are tightly controlled by the need for a warrant, even if it’s one from a secret court.

Loyal Commenter Silver badge

Re: Whilst the Judges seem to have overthought this but so has El Reg

The Stasi Museum in Berlin is situated in the former headquarters, which the citizens of East Berlin had the foresight to seize early on and preserve. This meant that many of the records were not destroyed. Interesting things of note were the equipment used to intercept, open and reseal all mail, and the "bread van" which was used to disappear people.

The offices are so well preserved that they were used in the filming of the series, "Deutschland 83". If you look closely, the only inauthentic thing in those scenes is the modern strip lighting on the ceiling. At the time the building was preserved, those offices were already pretty anachronistic, with the furnishings dating from the '50s and '60s.

All in all, an absolutely fascinating place, and a timely reminder that the cost of liberty is eternal vigilance.

Loyal Commenter Silver badge

Re: In storage...or in transit....

You are Bruce Schneier AICMFP.

Loyal Commenter Silver badge

Re: 2B pencil

I get the sense that the MiTM attack in question in this case would have been against the update mechanism for either the EncroChat app itself, or the phone's OS, to install a compromised version of such, and thus allow the capture of the unencrypted messages without the user's knowledge.

If the messaging app uses decent encryption and is hard to break, use a side-channel attack to circumvent that encryption entirely.

I've no problem with this approach, as long as it is targeted against a specific user, and has proper oversight (i.e. a warrant, and not one that is so broad it allows "fishing expeditions").

Loyal Commenter Silver badge

Re: Quantum Message

But you couldn't know whether it had been served or not, without destroying the contents of the message.

Loyal Commenter Silver badge

Re: I can never use data again

It's a known problem. See, for example, .Net's SecureString which goes some way towards addressing the problem, but still leaves a window where the contents must be decrypted for use, at which point they can be "snooped".

Loyal Commenter Silver badge

Re: Android or iOS

It's probably a bit more complicated than that and involves the police deliberately back-dooring the device, which is what they would need the warrant for in the first place.

There are probably a number of ways of doing this, and the net result would be a silent update to either the target's phone's OS, or to the app in question. Off the top of my head, this could be done either by intercepting the requests to check for software updates via the OS app store, with help from the makers of the OS, or at a network level by using a so-called "stingray" mobile base station to target and intercept traffic from a phone with a specific IMEI. The exact mechanisms for doing so are no doubt kept tightly secret, because the same techniques would also be used by intelligence agencies as well as law enforcement.

Loyal Commenter Silver badge

Re: Whilst the Judges seem to have overthought this but so has El Reg

No. I'd suggest taking a look at the former East Berlin, if you want to see what an actual police state looks like. The infrastructure and organisational structures needed to pull it off are pretty obvious.

Loyal Commenter Silver badge

Re: Whilst the Judges seem to have overthought this but so has El Reg

From what little I've heard about the EncroChat cases, it is organised crime they are targeting. Involving drug smuggling, people trafficking, modern slavery, and quite possibly child prostitution as well. All the sorts of things that nasty people like the 'Ndrangheta get up to. Whilst it is all too easy to go "full Daily Mail" and wail about paedos, it's also possible to go too far the other way and minimise the very real problem of serious and organised crime.

Of course, there is a balance to be struck with the freedom vs safety debate. Perfect freedom allows the strongest to subjugate the weak with no recourse, whilst perfect safety constrains personal freedom to intolerable levels. On the one hand, you wouldn't want to live in a war-torn anarchy ruled over by despots; on the other hand, you also wouldn't want to live in a police state where your every move is monitored. Logic leads us to a sensible middle ground, where the police have the tools to tackle organised crime, but are limited in their reach by oversight. In this case, an appropriate warrant, and the Court of Appeal decided that the warrant they had was appropriate.

Loyal Commenter Silver badge

Re: Filth

Just because they got to the letter before it was put in the envelope doesn't mean that the letter wasn't in the process of being sent.

I think it's more akin to watching through the window with binoculars as you write that letter and taking a note of the contents before you put it in the envelope and send it. At this point, the letter isn't in the process of being sent any more than a cake is in the oven being baked when you're weighing out the ingredients.

Xiaomi a Snapdragon 888 flagship for €749: Yep, the Mi 11 is rolling out to world outside China

Loyal Commenter Silver badge

Re: No punchhole please

In practice, it looks just like another icon in the status area, or you don't see it at all, because that part of the screen is black, and so is the lens. It did seem like a design oddity when I first saw it, but I can't say I ever actually notice it now.

Loyal Commenter Silver badge

I have to say, much as I hate Apple*, one thing they do get pretty much right is security.

*This dates back to being forced to use the old "Macintosh" machines, before they decided to call them "Macs", which were horrible beige boxes with a one-button mouse that was shaped like a shoe box. At the time, I had a Win98 PC at home, for which the UI was much more intuitive and responsive. Which idiot thought that the best idiom for ejecting a disk would be to drag the icon for it to the waste bin? This, plus every single advert they put out is so aggravating it makes me want to throw the TV out of the window.

Loyal Commenter Silver badge

Re: No punchhole please

To be fair, it's in the "status bar" area at the top of the phone, and if my Redmi Note 9 is anything to go by, the screen area on running apps starts below that.

In other words, you don't even notice it's there.

Openreach engineers vote to strike amid changes to job grading structure

Loyal Commenter Silver badge

I can only assume that the person who down-voted that really hates puns, or has no clue about physics and didn't get it.

Loyal Commenter Silver badge
Boffin

You won't get any movement from them at all, in the fields of electricity or magnetism...

Nearly 70 years after America made einsteinium in its first full-scale thermo-nuke experiment, mystery element yields secrets of its chemistry

Loyal Commenter Silver badge

The title is too long.

When physicists and chemists talk about "magnetic properties" they don't mean magnetic in the everyday sense where a big lump of magnetised iron can pick up iron filings (this is known as ferromagnetism and is a bulk property caused by making atoms in a solid align). They are talking about things known as diamagnetism and paramagnetism. Diamagnetism is a property exhibited by all elements, and is a (usually very) weak force that pushes against a magnetic field. Paramagnetism is more interesting, and exhibits itself as an attractive force towards a magnetic field. This is due to the (temporary) alignment of unpaired electrons. I'm going from memory here, as the last time I had to study this sort of thing was the best part of a quarter of a century ago.