* Posts by NullReference Exception

90 publicly visible posts • joined 10 Oct 2010

Page:

American ISPs fined $75,000 for fuzzing airport's weather radar by stealing spectrum

NullReference Exception

Re: If I recall ...

My understanding is that the weather radar is not in the ISM band (5.725-5.875 GHz as per the linked Wikipedia page). Rather, the radar uses frequencies immediately below the ISM band. Wireless network devices in the US are allowed to use idle weather radar frequencies, but they must listen before transmitting and employ dynamic frequency selection (DFS) to automatically find unused channels. DFS, in practice, is unusable as devices periodically drop offline for extended periods of time when they see anything that "might" be a radar signal.

Wireless network gear sold for the US market enforces DFS, but wireless network gear for the international market does not and is readily available through Amazon and other sources. Aside from not enforcing DFS, international gear often lets you choose any channel supported by the hardware regardless of whether it is allowed in your region. This option can be very tempting for wireless ISPs trying to punch through crowded spectrum, but that doesn't make it legal.

Truth, Justice, and the American Huawei: Chinese tech giant tries to convince US court ban is unconstitutional

NullReference Exception

Re: So only Huawei is a Chinese spy ?

The law as written specifically names ZTE, Hytera, Hikvision, and Dahua in addition to Huawei. It also covers any telecommunications equipment "produced or provided by an entity that the Secretary of Defense... reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country". The only "covered foreign country" is China.

OK, Google: Why does Chromecast clobber Wi-Fi connections?

NullReference Exception

Sounds like the behavior of Java's Timer.scheduleAtFixedRate() and/or ScheduledExecutorService.scheduleAtFixedRate(). It fails horribly in this exact manner any time the system clock jumps (due to the system going to sleep, the time being set, etc.). Been burned by that too many times to count.

Knowing that Google uses Java heavily, I'd wager this is the culprit.

US voter info stored on wide-open cloud box, thanks to bungling Republican contractor

NullReference Exception

Voter registration data is not confidential

Voter registration data in the US is already quasipublic - states won't give it out to all and sundry (for obvious reasons), but any organization with a legitimate interest in it - campaigns, advocacy groups, etc - can obtain it. Somewhere, I have a CD left over from an old project that contains my state's voter data from about 10 years ago. It has the obvious name and address info, but also lists what elections people have voted in (an indicator of political engagement) and some other interesting stuff.

The interesting bit here is the loss of the profiling data - anyone who wants the voter registration data probably has it already.

HPE to staff: 'We are permanently clipping your costs'

NullReference Exception

Re: Screwed by the cloud?

Old LaserJet 4's develop problems with the exit rollers and will eventually start jamming on every single page. Might have to find a LaserJet III...

We're 90 per cent sure the FCC's robocall kill plan won't have the slightest impact

NullReference Exception

Re: Spoofing ?

Call forwarding.

Example: I have a VOIP system that, under certain conditions, will forward incoming calls to my cellphone. To forward the call, the VOIP system places a new outbound call to the cellphone and connects the incoming call to the new call. When it places the call to the cellphone, it uses the caller ID from the original incoming call (which, to the provider, is indistinguishable from spoofing.) This causes the caller ID of the original call to show up on the cellphone when it rings. Without the ability to "spoof" the caller ID when placing the call to the cellphone, all forwarded calls would show up on the cellphone as coming from the VOIP line, which would be... unhelpful. (No screening calls, no automatic lookup of the caller in your address book, no call history, etc.)

Pretty sure that all call forwarding works in a similar manner.

Being able to stop caller ID spoofing while still allowing calls to be forwarded with their original caller ID information would require a non-trivial amount of changes to infrastructure. (It's a similar situation as with SPF and email forwarding.)

Chinese electronics biz recalls webcams at heart of botnet DDoS woes

NullReference Exception

Then things will have come full circle to where we were in 1967: only [Bell] approved devices may be connected to the [telephone] network. Connection of unapproved devices may result in network damage and is strictly prohibited...

Press Backspace 28 times to own unlucky Grub-by Linux boxes

NullReference Exception

Re: I Don't Think This Feature is Used Much

It could be an issue for kiosk setups, where the computer itself is locked up in a cabinet (so the ports are inaccessible) but people can get to the keyboard. It could also be an issue in schools. I used to volunteer at a school where they would set BIOS passwords to lock the boot order and then put a padlock on the case to make it more difficult to get to the clear-CMOS jumper. Sure, you could break the dinky little padlock, but that attracts attention. Hitting backspace at the boot prompt doesn't.

New gear needed to capture net connection records, say ISPs

NullReference Exception

Re: How exactly does this work

The full URL is encrypted, but the hostname part is sent in the clear as part of the connection setup process (it's in the certificate the server sends to the client, and it's also sent to the server by recent browsers to allow the server to select the correct certificate when multiple sites are on the same IP.) So hostnames for HTTPS can be easily monitored and logged without having to defeat the encryption or otherwise "break" the protocol.

Also, recording the TCP details doesn't help when multiple sites are hosted on the same IP address...

Chrome devs hatch plan to mark all HTTP traffic insecure

NullReference Exception

Time to buy stock in VeriSign/Symantec

I'm sure the CA's love this idea. Cha-ching.

Yes, Obama has got some things wrong on the internet. But so has the GOP

NullReference Exception

Re: Amazon will start lobbying for online taxes

Unless that craft shop only takes Bitcoin, they are already dealing with a third-party payment processor of some sort - Paypal, Google Wallet, Visa, etc. Said payment processor almost certainly has the resources and information needed to calculate and handle the sales taxes for you, and would be happy to provide the service (for a small additional fee, of course.)

Microsoft forks .NET and WHOMP! Here comes .NET Core app dev stack

NullReference Exception

Re: Er? Excuse me....

Microsoft tried this approach ten years ago with the GDI+ graphics library... instead of rolling it into the OS or the C++ runtime, they required that developers build it into their installer and deploy it with their application. (Never mind that the name makes it sound like an OS component - GDI without the plus is a core part of the Windows API.) Then someone found a nasty vulnerability in the GDI+ jpeg parser. Microsoft released a patch that updated the GDI+ libraries used by Microsoft applications, but left it to the third party software developers to replace the GDI+ libraries used by other applications. Needless to say, most developers viewed this as Microsoft's problem and didn't ship an update. Microsoft eventually had to release a new patch that attempted to find and update all copies of GDI+ on the system. It didn't work very well, and vulnerable copies kept sneaking back on the system as software was reinstalled.

Another example of how this approach can go terribly, horribly wrong is Java applications that install their own, private, ancient versions of the JRE - and won't work with any other version.

Those who do not remember history are doomed to repeat it... what a mess.

Microsoft to bring back beloved 1990s super-hit BATTLETOADS!?*

NullReference Exception

Re: That hoverbike level!

Look at the bright side - by getting stuck at the Hoverbike Level, you were spared the pain of the Snake Pit Level, the Rat Race Level and the (buggy) Unicycle Level!

Want a more fuel efficient car? Then redesign it – here's how

NullReference Exception

Re: you can barely turn the undriven wheels by hand

I don't know about Torque specifically, but a lot of similar tools/apps/devices calculate their mileage estimates based only on speed and the airflow through the engine as registered by the MAF sensor (always assuming an ideal air-fuel mixture.) There will always be some air flow through the engine even if fuel gets cut off, and your app may or may not be taking this into account. If Torque will show you injector pulse width, check that - if it goes to zero, you aren't burning any fuel.

Android's Cyanogenmod open to MitM attacks

NullReference Exception

Re: Inadequate CA CSR review partly to blame

The cheap/free certificate providers I've used (StartSSL, GoDaddy, Comodo) do NOT let you specify arbitrary values for certificate fields - they ignore pretty much everything in the CSR except for the key and fill out the rest of the cert with hardcoded values (either blank fields or fixed strings like "Domain Control Validated".) Can't speak for more expensive cert providers as I've never had occasion to use one.

What the 4K: High-def DisplayPort vid meets reversible USB Type C

NullReference Exception

Re: 100W? Isn't the copper a bit thin for that??

The USB Power Delivery spec accounts for this - there is a presence detection & handshake process that makes sure the connected device and cable can support the required voltages and currents before the power is actually switched on. If the handshake doesn't happen, you just get the standard 5 volts/500mA. This handshake process also allows for the power to flow "backwards" (i.e. from target to host), so that when you plug your laptop into a USBPD-enabled monitor, the monitor will be able to provide power to the laptop.

CNN 'tech analyst' on NAKED CELEBS: WHO IS this mystery '4chan' PERSON?

NullReference Exception

Re: Passpattern

Be careful... some of the more common keyboard patterns have found their way into password brute-force dictionaries. The folks at SANS recently started monitoring the passwords used during SSH brute-force scanning attacks. The top two are of course "admin" and "password", but you don't have to go very far down the list before you start seeing things like "1qaz2wsx" and "123qwe!@#". See https://isc.sans.edu/ssh.html

Time to ditch HTTP – govt malware injection kit thrust into spotlight

NullReference Exception

Re: SSL is a good thing

StartSSL has recently started to reject requests for Class 1 certs for any website that looks even remotely commercial, claiming that their free product is not intended for commercial use. (They appear to be manually checking sites.) They do have a pay product, but unless you plan to issue multiple certificates for a single domain it's priced higher than most of the competition.

The ultimate solution here is to distribute certificates via DNSSEC and cut the CA's out of the loop entirely, but that's a long way off. And the domain registrars will probably find some way of charging for it anyway, seeing as how many of them are also in the CA business.

Indie ISP to Netflix: Give it a rest about 'net neutrality' – and get your checkbook out

NullReference Exception

Re: ...

The post office charges you per letter, the taxi company charges you per mile, the restaurant charges you per dish (even the all you can eat buffet gets mad if you leave food on your plate), and the cinema charges you per film. But the Internet provider charges a flat rate whether you push 500 KB a month or 500 GB, simply because it's always been that way. The "solution" to this problem, unfortunately, may turn out to be metered pricing (and no, I'm not looking forward to it either.)

Microsoft thumbs nose at NSA, hardens crypto for Outlook, OneDrive

NullReference Exception

Re: So?

TLS (Transport Layer Security) - even with PFS - only encrypts the connection that transfers messages from the sender's mail server to the recipient's mail server. It does not address encryption of messages while they are stored on the server. Unless additional measures not discussed in the article are in place (such as S/MIME with appropriate key management), an adversary with access to the mail provider's systems and/or cooperation from the provider can still read people's messages regardless of whether TLS was used to transfer them.

You need a list of specific unknowns we may encounter? Huh?

NullReference Exception

It's probably slightly worse in the Army due to the leadership positions all being on ~3 year rotations. The new guy comes in and decides the previous guy was doing it Wrong and he's going to throw it out and do it Right. Three years later, when you're halfway through the new project, the process repeats. Meanwhile, the Beltway bandit support contractors are laughing all the way to the bank...

Verizon threatens Netflix in video lag blame game

NullReference Exception

Re: A simpel Ping+TraceRoute solves it.

Alternatively, they could give maximum priority to ICMP so that the pings look great even if the network is otherwise totally hosed. Or you could get really clever and send them over a different route entirely. You can't really take ping results at face value anymore (if you ever could.)

tcptraceroute is a better option, but even that can be detected and messed with.

FCC seeks $48K fine from mobile phone-jamming driver

NullReference Exception

Re: On a separate note...

These things can be purchased direct from suppliers in China. If customs catches it they will throw it out and send you a nastygram, but it's hard to catch everything. On the other hand, I remember DealXtreme used to sell cell and GPS jammers but no longer seems to carry them - a search for "jammer" returns no results. This would imply that someone, somewhere, is indeed trying to get them off the market.

NullReference Exception

Re: Decision time?

Disabling the radio in a phone moving over 30kph would prevent the phone from being used on the bus/train/etc. I imagine a large number of people would complain about that.

There has been some noise made by the US Transportation Department about technologies that could disable a phone only when it is located near the driver's seat of a vehicle. This is, in theory, a better idea (assuming the technologies actually exist and work) but could be easily circumvented as well - throw the phone on the passenger seat and use the speakerphone or a headset.

No easy answers...

US Supreme Court Justices hear arguments in game-changing software IP case

NullReference Exception

Re: A thought experiment

Fair enough. But the "exact form of the carefully arranged sand" is actually protected by copyright (technically "mask work rights", which is almost but not quite the same as copyright - shorter terms, for one thing.) A patent, should we deem the Verilog-program-expressed-as-sand to be patentable, would also protect similar arrangements of sand that do the same thing. So it's still hairy.

NullReference Exception

A thought experiment

Suppose I have an algorithm. Instead of coding up that algorithm in C or JavaScript or some other traditional language, I code it up in Verilog. Verilog is Turing-complete, so I can use it to code up any algorithm. I can then take that Verilog program and run it on a computer. I can also take the program and build an FPGA netlist from it, or (if I have more money than sense) send it to a fab and have them stamp out some chips that implement it. Is this software or hardware? Is it both? Is it patentable?

The line between "software" and "hardware" is becoming blurrier every day, so this sort of thing could become quite hairy.

OkCupid falls out of love with 'anti-gay' Firefox, tells people to see other browsers

NullReference Exception
Trollface

I notice that *no one* is calling for a boycott of JavaScript. Oh well, we can always dream...

Shuttleworth: Firmware is the universal Trojan

NullReference Exception

Re: But then we'd need hardware standards

And those with a *really* serious financial interest in getting the secrets can (literally) disassemble and analyze your hardware... the fact it's not software isn't going to stop them.

Seattle pops a cap in Uber and Lyft: Rideshare bizs get 150-driver limit

NullReference Exception

Re: Never quite so black and white

If Uber/Lyft had asked for legal clearance first, the answer would have been "Heck no" and they wouldn't have a business. By not asking, they got to fly under the radar for a while and build up a customer base (which becomes an asset during the inevitable regulatory fights - the customers want the company to stay around, and they vote.) It's ALWAYS easier to beg forgiveness than to ask permission.

Google slams Play Store password window shut after sueball hits

NullReference Exception

Gift cards

While requiring a password will certainly help, in my mind the right way to deal with this is not to use a credit card at all. Instead, fund your kid's phone with Google Play/iTunes gift cards (conveniently available at your local supermarket.) Let your kid buy the cards themselves with their allowance money. They will quickly learn that those in-game powerups cost real money and they won't break the bank doing so. This also avoids the risk of the app store password getting shoulder-surfed.

Even HTTPS can leak your PRIVATE browsing

NullReference Exception

Or your ISP and their "partners", or the wifi access point at the local coffee shop...

How a Facebook post by blabbermouth daughter cost her parents $80,000

NullReference Exception

Re: The real problem isn't that she revealed they'd got money.

Except that the gag "order" in this case was voluntarily agreed to by the father as part of the settlement. Had he chosen to go to trial, he'd be free to talk about the case as much as he wanted. (But he might not have gotten his $80K.)

What's up with that WhatsApp $19bn price tag? Answer: Voice calls

NullReference Exception

Re: I think that we may see the mother of all cage fights in the US market.

Except that most U.S. carriers now include unlimited talk & text in their plans but have data quotas with overage charges. (A few years ago it was the other way around.) So, at least as far as domestic usage is concerned, the "problem" may solve itself. International calls are a different matter.

On the other hand, on 4G/LTE networks, "voice calls" are internally implemented as VoIP. Could get interesting...

MtGox MELTDOWN: Quits Bitcoin Foundation board, deletes Twitter

NullReference Exception

Banking regulation

Can't live with it, can't live without it.

Collective SSL FAIL a symptom of software's cultural malaise

NullReference Exception

Re: Goto

Not to mention, if you use the do { /* stuff */ } while (false); construct and have two break statements where there should be one (instead of two goto statements where there should be one) you have the exact same bug...

Cut-price Linode competitor spins up Singapore bit barn

NullReference Exception

What you pay for

Rackspace has a phone number.

Linode has a phone number.

DigitalOcean has a contact form.

Now, admittedly, 98% of people don't really care (I use DigitalOcean myself for some stuff) but support is one of those things you don't miss until the time you really, really need it...

Verizon: Us throttling AWS and Netflix? Not likely

NullReference Exception

Verizon technical support...

... once tried to tell me that my computer could get a virus while it was powered off and disconnected. I wouldn't take anything they say at face value.

The other end of the telescope: Intel’s Galileo developer board

NullReference Exception

And if you need power, programmability, and the time of day, you get a Galileo.

Seriously, am I the only one in the world excited that someone is FINALLY making a low-cost Linux dev board with a battery-backed hardware clock?

Candy Crush King went 'too far' when it candy crushed my app – dev

NullReference Exception

The thing you had on your PDA in 2004 was probably Same Game, which Wikipedia says has been around since 1985... so yeah.

Almost everyone read the Verizon v FCC net neutrality verdict WRONG

NullReference Exception

Re: Nice straw man

Your comment hints at a bigger problem: there are many things that could cause Netflix service to be "degraded" on Company X's network besides intentional interference on X's part. If the links between Netflix's datacenters and X's network are all at capacity, then X's customers will have problems accessing Netflix. Who is at fault here? More to the point, the only way to fix this is to install a bigger connection between X's network and Netflix (or install some Netflix caching servers directly on X's network) - and neither Netflix nor X are really going to want to pay for this. Furthermore, since the servers supporting X's VOD service are already on X's network, they won't be affected by this congestion and the quality of service will be better. Note that there is no "intentional" degradation of service involved here!

The bottom line is that network neutrality laws and regulations are going to prove very troublesome to enforce, because "degradation" can be percieved in many ways. In the good old days when most sites were producers as well as consumers of data and traffic between networks was more or less symmetric, congestion was everybody's problem and fixing it benefitted all involved. But now that the Internet has evolved into a distribution system for YouTube and Netflix, things are a lot less symmetric and congestion therefore becomes a very thorny issue.

Will small biz get a bite of mega UK.gov IT pie? Yes: if it can pass the bulls**t sniff test

NullReference Exception

Re: Not so fast.

Agile or no, the government tends to have trouble getting past the "big picture" stage. Never mind the details...

Curiosity keeps on trucking despite government shutdown

NullReference Exception

Re: Surely this is a joke

Most of the U.S. government is funded on a year-to-year basis, with the fiscal year ending 30 September. Congress is supposed to pass funding bills for the next fiscal year before the end of the current fiscal year. If that doesn't happen, by law, the parts of the government that did not get funded are shut down until new appropriations bills are passed. (Someone, somewhere, thought this was a good idea.)

There are exceptions for functions that are essential to the protection of life and property (the definition of which seems to be left as an exercise for the reader,) so the Weather Service, air traffic controllers, half of the Defense Department, etc are still on the job. Also, things that are funded through user fees or other mechanisms that don't expire at the end of the year are still open. This includes things like the mail, courts, passport processing, Amtrak, the Patent Office, some benefits programs, and the like.

There were a bunch of shutdowns in the 1970s and 1980s as well as a couple in the mid-90s. So this is not without precedent, but it hasn't happened anytime in recent memory.

Bill Gates: Yes, Ctrl-Alt-Del salute was a MISTAKE

NullReference Exception

Re: "Oops. Did hitting that mess something up for you?"

The original Apple ][ and ][+ had a "RESET" key on the top right of the keyboard, right above the Return (i.e. Enter) key. It was very easy to hit it by mistake and lose all your work. Many users would make it harder to hit RESET by putting rubber washers under the keycap or using various other tricks. Eventually, someone at Apple realized that single-key RESET was NOT a good idea, and from the Apple //e onwards the design was changed so you had to press Ctrl+RESET to do a reset.

Bill & Co used to write stuff for the Apple... guess he forgot about this!

Boffins debate killing leap seconds to help sysadmins

NullReference Exception

Re: Unix time

Except the GPS system already broadcasts the offset between GPS time and UTC time (i.e. the leap second count since the GPS epoch)...

Chap unrolls 'USB condom' to protect against viruses

NullReference Exception
Mushroom

No

Fast chargers signal their presence by tying the data lines *to each other*, not power. Tying the data lines to the power would produce amusing results. (Well... amusing to a bystander, anyway. Maybe not so amusing to the owner of the device.)

On the other hand, a USB cable with the power lines connected but the data lines open (not connected to anything) will usually result in the device not charging at all.

KVM kings unveil 'cloud operating system'

NullReference Exception

Re: Yes, But...

Actually, it reminds me of IBM's VM/CMS (dumb OS running on a smart hypervisor.) I've often wondered what mainframe graybeards think about everyone's newfound fondness for virtualization...

Tesla cars 'hackable' says Dell engineer

NullReference Exception

Kids these days

When I was your age, the only API that my car had was a steering wheel and a gas pedal. And we liked it!

Apple erects measures to stop app-happy kids splurging parents' dosh

NullReference Exception

The game is using the iTunes/App Store payment functionality, so it uses the credit card already on file with the iTunes account. It doesn't prompt for credit card details. That's what makes this particularly nasty.

Besides passwords, another option is to not associate a credit card with the iTunes account and to fund it with iTunes gift cards instead (conveniently available in your grocery store's checkout line, at least around here.) Better yet, give your kids an allowance and make them pay for the iTunes gift cards with their allowance money. That should make it pretty darn clear that those virtual smurfberries are being bought with cold, hard, real-world cash.

Amazon founder Bezos snaps up Washington Post

NullReference Exception

Re: Debt and pension liability

Bezos isn't getting the real estate - it all remains with the Company Formerly Known As The Washington Post Co. (along with the Kaplan University distance learning and test-prep business, which is quite profitable, and a few other odds and ends including some rural cable systems.) Bezos isn't even getting the Post's office building. He's just getting the newspaper business.

All of the other businesses that are part of the deal are connected in some way with the paper - Robinson Terminal is the Post's newsprint warehouse, and I think Comprint prints the Post's regional papers.

Going to be interesting to see how this pans out.

Ultimate Radio Deathmatch: US Navy missile-defence radar vs 4G mobile mast

NullReference Exception
Black Helicopters

Re: Call me stupid

Something tells me they are a lot more concerned about the cell system potentially causing false radar returns than they are about any temporary disruptions in phone service...

Page: