
* Posts by Ken Hagan

5980 posts • joined 14 Jun 2007

For goodness sake, stop the plod using facial recog, London mayor told

Ken Hagan
Gold badge

Aren't we talking about public places here and haven't amateur photographers been trying to persuade police that taking pictures of things that are in public is OK? That would mean we are arguing about whether it is OK to automate something that is perfectly legal to do manually (and whether the automated version is more or less reliable than the manual version).

As the US Constitution acknowledges, there are reasons to worry about, and limit, the power of the state more than we worry about the same powers in the hands of lesser actors, but we should be clear that *this* is our objection rather than a Luddite objection to the economies of scale.

3
1

Windows Update borks elderly printers in typical Patch Tuesday style

Ken Hagan
Gold badge

See https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/

Microsoft's current position is that they have four versions of Windows on the go: Insider, Targeted, Semi-Annual and LTS. The last of these is only available if you are an enterprise customer and I'd be surprised if the average SME is so I'll ignore it.

The Semi-Annual was formerly known as Current Branch for Business and is what you ought to be running (even if you are a home user, IMO). *Someone* in your organisation should have a few machines on the Targeted channel, to try to flush out issues like this. (That said, where the issue is a cock-up rather than an intentional withdrawal of a feature, it isn't obvious whether the more stable channel is actually a safer bet.) Microsoft themselves also recommend that any developers in your organisation should have a few machines on the Insider channel, to get even more advance warning of crap to come.

You *could* start looking at whether your software requirements could be met by a platform that wasn't so incredibly user-hostile, but I think we all know the issues there. The bottom line is that if you *have* to use Windows, then you *ought* to be jumping through the above hoops.

6
2

Prosecute driverless car devs for software snafus, say Brit cyclists

Ken Hagan
Gold badge

Re: Fair enough, but...

"Perhaps it's also time they were required to carry insurance?"

The case for compulsory insurance is that motorists can and do kill people when it goes pear-shaped. That's also the reason that only third-party insurance is compulsory.

Cyclists tend not to kill people when they get it wrong, in the same way that pedestrians don't. I'm sure you can find counter-examples of both, but the numbers are so insignificant that society doesn't feel there is a problem to be addressed.

7
5

It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros

Ken Hagan
Gold badge

Re: IE and Edge CVEs ????

"Edge was supposed to be the secure and rewritten new browser, without the tons of bloat IE was affected with."

Dunno where you got that idea from. My recollection is that MS described Edge as "IE but with all of the compatibility code taken out, so it *only* handles pages written to the HTML5 standard". I'm not sure if that was actually true, but it was a fairly plausible thing to try and Edge certainly didn't include support for a lot of old stuff like ActiveX and MHTML so I've no reason to doubt it.

0
0
Ken Hagan
Gold badge

Re: WTF?

"I've yet to see a mathematical proof that useful features of programming languages are necessarily also undesirable, but experience suggests a strong correlation."

Perhaps I can help. It's not strictly mathematical, but I can offer a good reason for this.

Nearly all language designers have opinions about good practice and their languages reflect that, making it easy to do the right thing and hard to do the wrong thing. Many languages make it extremely hard to do the wrong thing. (Google for "bondage and discipline", but in the context of languages rather than sex.)

However, language design is not a science and so eventually there is a real-world need for some sort of get-out-of-jail-free card to let you get the job done. Fortran has its COMMON blocks. C has its unions. C++ has its C-compatible base. Assembly language has self-modifying code. Pascal has ... linker compatibility with libraries written in a proper language.

Any sufficiently large programming project will end up playing this card.

2
0

Universal basic income is a great idea, which is also why it won't happen

Ken Hagan
Gold badge

"If you're living in the west, _you_ are part of the 1%."

Interesting take on basic arithmetic you have there. At least half a billion people live in Western Europe and North America, which is nearer 7% of the world population. This is without adding in places like Japan which are not geographically "west" but certainly belong to the western economic model.

The converse is not true either. Quite a few of the world's 1% are despotic scum who have screwed their respective countries for decades.

6
0

Munich council: To hell with Linux, we're going full Windows in 2020

Ken Hagan
Gold badge

Re: Politics is nothing to do with it.

"The facts are as stated - the software they need mostly doesn't exist on Linux"

Whilst I would agree with your point that it isn't *their* job to evangelise Linux but rather to get their work done, I would draw your attention to this bit in the article:

"mail servers, for instance, eventually wound up migrating to Microsoft Exchange"

Really? Bluntly, if you can't even get an email server running, either nobody is trying or there are people in your organisation working behind the scenes to sabotage the whole endeavour. It seems unlikely that no-one in an organisation that large had the skills necessary to get a server up and running, so the only reasonable conclusion is a fifth column.

34
3

The day I almost pinned my tushie as a Google Maps landmark

Ken Hagan
Gold badge

"In what way is this functionally different to uploading the photo to Farcebook and letting them hash it?"

You can't reconstruct the photo from the hash, so if FB only get the hash, they can't "lose" the photo.

7
0

Metal 3D printing at 100 times the speed and a twentieth of the cost

Ken Hagan
Gold badge

Re: er....

"So how long before we see graphene printing instead of metal? "

Using this kind of technology, you're just waiting for a kind of graphene that melts without losing its extended 3D structure. Umm ... don't hold your breath.

6
0

Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Ken Hagan
Gold badge

Re: Everybody switch over to AMD

I imagine that there *are* people (say, in Russia or China) who *are* now asking whether there is a trusted source of x86-compatible CPUs. And if not, whether there ought to be.

If these people *aren't* asking that question, they aren't doing their job properly.

3
0
Ken Hagan
Gold badge

Re: Tanenbaum?

"The book that half source code."

But his source code was far more interesting than most authors' prose.

5
0
Ken Hagan
Gold badge

At least Java was designed to be sandbox-able.

0
2

Bitcoin drops SegWit2x hard fork after community objects

Ken Hagan
Gold badge

The arrival of significant transaction fees may be a sign that the scheme has now entered its "cashing out" phase, with the transaction fees being the source of real money that the original scammers need to milk before everyone else notices that Bitcoin per se is actually worthless.

7
0

Official US govt Twitter accounts caught tweeting in Russian, now mysteriously axed

Ken Hagan
Gold badge

Re: "Official Government Twitter Accounts"

"They think you must have something to hide."

I'd think of it as an early warning system for "crap employers". They can look for my social media presence if they like, but I wouldn't want to work for them if they are bothered by its absence.

2
0

It's 2017 and you can still pwn Android gear with Wi-Fi packets – so get patching now

Ken Hagan
Gold badge

Re: Dear Motorola

Amazon will sell you a used Samsung S5 in good nick for considerably less than 200 quid. (Other tat-vendors are available...) The S5 is one of the most widely used phones with Lineage (https://www.lineageoslog.com/statistics) so it won't just be you if something goes wrong. You don't have to root the phone (https://wiki.lineageos.org/devices/klte/install). If you are particularly doubtful of the procedure, you could try it on an even older phone. The S4 Mini is about a third of the price and also works OK.

I'm citing these two Samsungs because I've actually done it with them. (I haven't looked back.) It shouldn't be taken as an endorsement of Samsung. (I put Lineage on because Samsung's support was so crap.) A glance at the stats will show that other brands also have thousands of users out there and your current handset may even be among them.

Edit: If you do switch, give some thought to how you will transfer things like address books and saved media/messages/etc. Mostly these aren't terribly difficult as long as you plan ahead but are obviously nigh-on impossible after you've nuked the old contents of your storage. :)

0
0

Seldom used 'i' mangled by baffling autocorrect bug in Apple's iOS 11

Ken Hagan
Gold badge

Re: So Apple can't code a simple function?

Throw the code together. No testing, or ignored testing. Ship it.

It makes economic sense, right up to the point where your customers, en masse, decide that you are taking the piss with the $1000 price tag and decide to Switch Brand, at which point your company has its Ratner Moment.

So, yeah, consider this a *big* heads-up for shareholders: a computer that can't spell its own name.

5
0

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Ken Hagan
Gold badge

Re: Dunce Cap tip

To enlarge on Alan's comment, where a system asks for both a complete password (which can be hashed and salted) and a few characters from a second set (which probably can't) the point of the second line of defence is that you will be asked for a different selection the next time you log in. This hardens the system against keyloggers on the customer's device because for any reasonable length of the second set, it will be quite a while before the same three are asked for.

4
0
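The two-part login the comment above describes, as an added example that is not from the original post or any bank's code: it salts and hashes the full password, draws a fresh random selection of positions from the second secret on every login, and assumes a constructed 11-character memorable string and a PBKDF2 cost factor of 200,000 rounds. It also quantifies the caveat a risk assessment would want alongside the "quite a while before the same three are asked for" argument: the chance of an exact repeat of one challenge versus the fraction of future challenges a keystroke logger could answer after observing several logins.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import random
from math import comb

PBKDF2_ROUNDS = 200_000  # assumption: a typical cost factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Full password: store only (salt, PBKDF2 digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def issue_challenge(secret_len: int, k: int = 3,
                    rng: random.Random | None = None) -> tuple[int, ...]:
    """Second line of defence: ask for k distinct positions (1-based) of the memorable
    string. A fresh selection is drawn on every login, which is the point of the scheme."""
    rng = rng if rng is not None else random.SystemRandom()
    return tuple(sorted(rng.sample(range(1, secret_len + 1), k)))


def verify_challenge(secret: str, positions: tuple[int, ...], answers: str) -> bool:
    """The server must keep the memorable string in recoverable form (hashing it per
    character would make it trivially brute-forceable), so it compares the supplied
    characters against the stored string in constant time."""
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answers.encode())


def exact_repeat_probability(secret_len: int, k: int = 3) -> float:
    """Chance that one observed challenge is asked again verbatim on the next login."""
    return 1 / comb(secret_len, k)


def replay_coverage(secret_len: int, k: int, observed: list[tuple[int, ...]]) -> float:
    """Fraction of all possible next challenges that someone who logged the keystrokes
    of the `observed` logins could answer in full. The union of observed positions
    grows much faster than the exact-repeat probability suggests, so this is the
    number to track when assessing the residual keylogger risk."""
    known: set[int] = set()
    for positions in observed:
        known.update(positions)
    return comb(len(known), k) / comb(secret_len, k)


def demo() -> None:
    rng = random.Random(7)  # seeded only so the demo output is reproducible
    secret = "tr0ub4dor&3"  # constructed sample memorable information, 11 characters
    salt, digest = hash_password("correct horse battery staple")  # constructed sample
    assert verify_password("correct horse battery staple", salt, digest)
    observed: list[tuple[int, ...]] = []
    for login in range(1, 6):
        positions = issue_challenge(len(secret), 3, rng)
        answers = "".join(secret[p - 1] for p in positions)  # what the customer types
        assert verify_challenge(secret, positions, answers)
        observed.append(positions)
        print(f"login {login}: asked {positions}; a logger of every login so far could "
              f"now answer {replay_coverage(len(secret), 3, observed):.0%} of challenges")
    print(f"exact repeat of one challenge on the next login: "
          f"{exact_repeat_probability(len(secret)):.2%}")


if __name__ == "__main__":
    demo()
```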

Black Horse Down: Lloyds Banking Group goes TITSUP*

Ken Hagan
Gold badge

Re: There may be trouble ahead

"Well, you are allowed to choose a bank which isn't HBODGE."

Are you? Please identify the bank that hasn't outsourced any of its core competencies.

7
0

Official: Perl the most hated programming language, say devs

Ken Hagan
Gold badge
Coffee/keyboard

Re: APL?

Is that Indus Valley script? Or the Disc of Phaestos?

Icon: I'd need a new one to even begin to type that.

2
0
Ken Hagan
Gold badge

Re: Forth

"My reason was that you could fit the whole system into ~6KBytes (6809) including (simple) disk i/o."

That would make it a fine language to compile into. It says nothing about whether human beings should be forced to write in that language to begin with.

I've used several languages (Forth and the wretched NSIS setup scripting lingo spring to mind) that would have benefitted from an afternoon's work with yacc/lex to put a pleasant syntax on the front. The same goes, incidentally, for some command-line tools I could name, whose options take about 20 screenfuls of man-page to describe.

0
0

Car trouble: Keyless and lockless is no match for brainless

Ken Hagan
Gold badge

Re: Door or boot not shut

"Door or boot not shut => car will not lock"

FTFY. The rest is left as an exercise for the reader.

5
0

Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs

Ken Hagan
Gold badge

Re: Ransom demands in BitCoin again

"No big deal. Leaving aside Bitcoin, there are another 1194 (at the last count) other cryptocurrencies."

That's the *easiest* possible loophole for them to close if you point it out, though.

1
0
Ken Hagan
Gold badge

Ransom demands in BitCoin again

How long before the authorities decide that BitCoin's main use is in laundering the proceeds of crime and that anyone accepting BitCoin payments is an accessory?

(Note for would-be downvoters: This is a genuine question and not a rhetorical device.)

33
3

Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

Ken Hagan
Gold badge

Re: Great feature!

No. You are the kind of doofus that the feature is designed to obstruct. A computer wiz would have provided sufficient evidence to their sysadmin that the handy little photo editor was legit and should be added to the whitelist.

In the meantime, you've created a nice little sandbox called Documents2 and when you next download some ransomware it will only be that sandbox that gets toasted. "Documents" will be fine.

5
3
Ken Hagan
Gold badge

Re: Doh !

Doh? Really?

Personally I'm delighted that MS didn't just whitelist everything from their own stable. It seems entirely proper that this decision should be made by the end-users (or their admins).

1
0
Ken Hagan
Gold badge

How difficult could it be for you to see the number of false positives this might throw up?

4
0
Ken Hagan
Gold badge

Re: Riiiiiiight....

This is the stuff that Dave Cutler brought to the party, 25 years ago. I've seen various ways of getting the configuration wrong, but I've never seen the configuration not being enforced properly.

If you are a big fan of the original UNIX model then you can stick to that subset, although UNIX doesn't anymore so perhaps it wasn't quite so great.

5
1
Ken Hagan
Gold badge

Re: Colour me stupid but...

I don't know, but if I were asked to implement such a feature then here's how I'd do it.

Windows access control already understands the notion of high, medium and low "integrity". That is, whether a piece of code (rather than the user) is trustworthy. This is how they implement UAC. So, on each of the directories that you want to protect, you add an access control entry (ACE) denying write access to some lowly level of integrity.

Windows Defender then hooks into the module loader and arranges that each new process has that lowly level of integrity (in its process token) unless it was whitelisted. It also hooks DLL loading so that adding an untrusted DLL to a trusted process changes the integrity level. (Small loophole there: if you've opened a file and then load the library, you probably still have access via that handle. Perhaps someone at MS has written the additional code required to close that loophole.)

The result is that most processes only have read access to Desktop and Documents (or wherever) but a few whitelisted processes have write access. Enforcement is via the tried and trusted (for 25 years) mechanism of validating access of tokens against lists of ACEs.

Update: I should probably state explicitly that although the usual situation is for all processes that run "as you" to have "your" credentials, the Windows kernel is quite happy to juggle with different versions of "you" and access control is actually done based on the identity (token) of each process.

0
0
Ken Hagan
Gold badge

Re: So the next evolution of ransomware

"Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. "

You have posted this in reply to a comment that Outlook wasn't one of the whitelisted apps.

Presumably the whitelisted apps have to be digitally signed and will lose their white-listing if they import DLLs that aren't also approved. There's no reason why this can't be made watertight. It doesn't look to be using anything that hasn't been part of the Windows kernel for about a decade. Having said that, I will grant you that whether it is actually effective is another matter.

4
0

Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Ken Hagan
Gold badge

"in an ideal world I should be thinking sure, if someone has committed a crime and a warrant exists from a court then why not be able to identify them."

Why does your ideal world contain people who commit crimes, or courts to issue warrants against them?

0
0
Ken Hagan
Gold badge

Re: v7 needed

"If what you say is true then there must be some other reason that nobody bothers with it."

There is another reason. In Western Europe and North America there was, until recently, no problem with only offering IPv4, so ISPs did that, so home users didn't have a choice, so equipment vendors had no incentive to switch on the capability in their device stacks (despite it basically being there for free), so anybody who even started to try the new tech quickly ran into the near-brick-wall that no-one else was running it apart from a few geeks.

I believe that in the Far East, the IPv4 address space was so puny that the economic arguments went the other way and, there being no technical problem with IPv6, there are parts of that region with near-universal IPv6 adoption. Of course, they tend not to contribute to English-speaking forums so we rarely ever hear from them.

1
1
Ken Hagan
Gold badge

Re: Police mandated v6 deployment

You omitted to point out that, once they've been v6-ed and are using privacy-protected addresses that change "every so often", plod will find them even harder to track. OK, perhaps that's obvious to most El Reg readers, but just in case it isn't...

2
0

You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early

Ken Hagan
Gold badge

Re: So MS think...

"If they can discover the bug then so can someone else."

Like, Google ... who wrote the original software and might reasonably be expected to have gone to the trouble of trying the commonly available techniques.

And yet they didn't find it, which kinda suggests that even though futzing is not unknown outside of MS there is still a fair chance that this bug was not widely known. Consequently, splashing the fix all over the internet three days before you splashed the fix almost certainly increases the risk of this bug being widely used.

0
0
Ken Hagan
Gold badge

Re: who fixes the fixes

"its foolish to presume that you're the only people that know of a bug. imho."

It is also foolish to assume that you are the *last* person to know of a bug. Premature disclosure will always widen the risks to some extent. You might estimate the relative obscurity of a given bug by considering how much time elapsed between you adding it and some kind person telling you about it. The more obscure, the greater the risk in disclosing it before you have a fix.

0
0
Ken Hagan
Gold badge

Re: This is a real issue ...

"In order to make a release, we need to push out release candidates. "

That's your problem then. You've imposed a process on yourself that makes it impossible to deploy fixes before disclosing the bug. Your process has a race condition between "disclosure" and "fix".

Whilst you might get away with that for an app that isn't network-facing, in the same way that you might get away with real race conditions on a uniprocessor box, you can't get away with it in a web browser.

0
0
Ken Hagan
Gold badge

Re: Does Microsoft's approach not imply...

"However, this prevents the timely cascading of source into other projects..."

I fail to see why you've used the words "However" or "timely". Some of the other projects in this case are malware and preventing the cascading of exploits into malware before the fix cascades onto the machines of potential victims was the whole fucking point of waiting just three days.

0
0

MEPs vote to update 'cookie law' despite ad industry pressure

Ken Hagan
Gold badge

Re: "Content that must be given away for nothing will ultimately end up being worth nothing."

I'm paying what they're asking, except that I'm blocking the ads because they make my laptop unusable. (No, really, I had them whitelisted for ages but eventually it was taking 30 seconds or more to open each page and I just thought "Fuck this for a game of soldiers!" and de-listed them.)

As soon as advertisers wake up to the fact that people smart enough to have money to spend are people smart enough to use an ad-blocker, the whole bubble will go pop and the internet will die simply move to an alternative funding model.

18
0

Google faces $10k-a-day fines if it defies court order to hand over folks' private overseas email

Ken Hagan
Gold badge

Re: Cost of doing business

Good luck defending that country against the US. Good luck persuading the majority of UN members (who have plenty of their bolshy citizens) to recognise the country and thereby set a precedent that a bolshy citizen can just up-sticks and declare independence.

Maybe move to Catalonia?

2
0
Ken Hagan
Gold badge

Re: Maybe the company should relocate

"Any large US company would be totally above the law."

Where "large" = "big enough to pay a few euros to a 'service provider' outside the US".

If this were legal then in next to no time there would be an industry providing the service at prices that just about anyone could afford.

3
0

IBM broke its cloud by letting three domain names expire

Ken Hagan
Gold badge

Redundancy?

So they were relying on a set of domain names and they are *all* renewed together, so that they all expire at once if someone forgets.

Can we add this one to the RAID-is-not-a-backup list?

19
0

Hate to break it to you, but billions of people can see Uranus tonight

Ken Hagan
Gold badge
Facepalm

Re: Blue-green Uranus from Methane

Who needs dead dinosaurs?

It's Uranus. It's 50,000 km across. Of course it's made of fart gas.

13
1

No, the FCC can't shut down TV stations just because Donald Trump is mad at the news

Ken Hagan
Gold badge

Re: Actually

"Really? Have you ever given a thought..."

I think you're thinking of a different Abrahamic religion. There are several. (In fairness, until recently they were all deeply suspicious of each other. Trump is merely a century or two behind the times.)

38
0

Australian senator Pauline Hanson wants devilish scam calls to flash '666'

Ken Hagan
Gold badge

Re: I propose another use for 666.

"I suspect Pauline Hanson has D-K"

Hmm ... https://en.wikipedia.org/wiki/DK ...

Dorling-Kindersley

Donkey Kong

Denmark

...but nothing seems to fit. (Googles instead for "psychology D-K" ...) Aha!

https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

"In the field of psychology, the Dunning–Kruger effect is a cognitive bias wherein people of low ability suffer from illusory superiority, mistakenly assessing their cognitive ability as greater than it is."

So she's too stupid to realise she's an idiot. OK. That fits.

6
1
Ken Hagan
Gold badge

Re: I propose another use for 666.

"The Android dialer has..."

I'm not sure that Android has the edge over land lines, this week.

5
0

Boffins suggest UK needs an 'AI council' but regulation is for squares

Ken Hagan
Gold badge

If we did set up a council, its first task should be to ban the use of the term AI until at least we have an objective definition of what the "I" actually means and a way of measuring it. Only then would it actually be possible to prosecute someone in court for making or using an artificial one improperly.

2
0

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

Ken Hagan
Gold badge

Android, and the big names were informed privately a few months ago, so the fix should be available today. Whether it is available for your phone, of course, depends on your hardware vendor (and in some cases also on your ISP).

2
0
Ken Hagan
Gold badge

Re: Why does anyone care about wifi security?

"My router is wide open to all comers. Who cares?"

Whoever pays your broadband bill, I would guess. (Unless they are made of money.) Starbucks are betting that the profit on the coffee far exceeds the cost of the bandwidth you can consume on their connection.

6
0
Ken Hagan
Gold badge

Re: 4 Years ago in a land far far away.

"thus as people upgrade the exploit will disappear."

Such naivety disappeared from the desktop about two decades ago. Yes, the automatic update mechanisms on the average OS do not have a 100% record, but for the average user who can't manage much beyond plugging it in and turning it on, they are almost certainly the only way to ensure that patches are deployed in the field.

It is scandalous that people sell network-connected devices without any automatic update mechanism. With society's increasing dependence on such things, such omissions are almost in the league of "not fit for purpose" under consumer legislation. It wouldn't even be hard, since these devices are all based on stripped-down Linux distros and those all have the facility. Yes, have an off-switch for the power users if you must, but don't just leave it out.

3
1
Ken Hagan
Gold badge

Re: OpenBSD

"silently due to embargo"

I think that is actually "silently despite the embargo" since publishing a patch to FOSS cannot be done without implicitly disclosing that a particular area of code is considered buggy. Therefore, more than one person reckons that OpenBSD kinda broke the embargo and they will therefore be placed on the naughty step for next time.

4
0

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

Ken Hagan
Gold badge

Yes. And if your client is something that can be plugged into the router with a cable then it (the client) will almost certainly be patched this week.

2
0

The Register - Independent news and views for the tech community. Part of Situation Publishing