Posts by Ken Hagan

8139 publicly visible posts • joined 14 Jun 2007

Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Ken Hagan Gold badge

Re: Everybody switch over to AMD

I imagine that there *are* people (say, in Russia or China) who *are* now asking whether there is a trusted source of x86-compatible CPUs. And if not, whether there ought to be.

If these people *aren't* asking that question, they aren't doing their job properly.

Ken Hagan Gold badge

Re: Tanenbaum?

"The book that half source code."

But his source code was far more interesting than most authors' prose.

Ken Hagan Gold badge

At least Java was designed to be sandbox-able.

Bitcoin drops SegWit2x hard fork after community objects

Ken Hagan Gold badge

The arrival of significant transaction fees may be a sign that the scheme has now entered its "cashing out" phase, with the transaction fees being the source of real money that the original scammers need to milk before everyone else notices that Bitcoin per se is actually worthless.

Official US govt Twitter accounts caught tweeting in Russian, now mysteriously axed

Ken Hagan Gold badge

Re: "Official Government Twitter Accounts"

"They think you must have something to hide."

I'd think of it as an early warning system for "crap employers". They can look for my social media presence if they like, but I wouldn't want to work for them if they are bothered by its absence.

It's 2017 and you can still pwn Android gear with Wi-Fi packets – so get patching now

Ken Hagan Gold badge

Re: Dear Motorola

Amazon will sell you a used Samsung S5 in good nick for considerably less than 200 quid. (Other tat-vendors are available...) The S5 is one of the most widely used phones with Lineage (https://www.lineageoslog.com/statistics) so it won't just be you if something goes wrong. You don't have to root the phone (https://wiki.lineageos.org/devices/klte/install). If you are particularly doubtful of the procedure, you could try it on an even older phone. The S4 Mini is about a third of the price and also works OK.

I'm citing these two Samsungs because I've actually done it with them. (I haven't looked back.) It shouldn't be taken as an endorsement of Samsung. (I put Lineage on because Samsung's support was so crap.) A glance at the stats will show that other brands also have thousands of users out there and your current handset may even be among them.

Edit: If you do switch, give some thought to how you will transfer things like address books and saved media/messages/etc. Mostly these aren't terribly difficult as long as you plan ahead but are obviously nigh-on impossible after you've nuked the old contents of your storage. :)

Seldom used 'i' mangled by baffling autocorrect bug in Apple's iOS 11

Ken Hagan Gold badge

Re: So Apple can't code a simple function?

Throw the code together, No testing or ignored testing. Ship it.

It makes economic sense, right up to the point where your customers, en masse, decide that you are taking the piss with the $1000 price tag and decide to Switch Brand, at which point your company has its Ratner Moment.

So, yeah, consider this a *big* heads-up for shareholders: a computer that can't spell its own name.

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Ken Hagan Gold badge

Re: Dunce Cap tip

To enlarge on Alan's comment, where a system asks for both a complete password (which can be hashed and salted) and a few characters from a second set (which probably can't) the point of the second line of defence is that you will be asked for a different selection the next time you log in. This hardens the system against keyloggers on the customer's device because for any reasonable length of the second set, it will be quite a while before the same three are asked for.
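Added example, not part of the original post: an exact calculation for the partial-secret scheme described in the comment above. It assumes the bank picks each challenge uniformly at random and that a keylogger records every login; the function names and the 8-character secret length are illustrative. It goes a little beyond the comment by tracking how many positions the logger has accumulated across logins, not only whether the identical three are asked for again.

```python
from fractions import Fraction
from math import comb


def distinct_challenges(secret_len, asked=3):
    """Number of different position sets the bank can ask for."""
    return comb(secret_len, asked)


def known_positions_distribution(secret_len, logins, asked=3):
    """Exact distribution of how many positions of the second secret a
    keylogger holds after `logins` observed logins (list indexed by count)."""
    total = comb(secret_len, asked)
    dist = [Fraction(0)] * (secret_len + 1)
    dist[0] = Fraction(1)
    for _ in range(logins):
        nxt = [Fraction(0)] * (secret_len + 1)
        for known, p in enumerate(dist):
            if p == 0:
                continue
            unknown = secret_len - known
            # `new` = positions in this challenge not captured before.
            # The count follows a hypergeometric distribution.
            for new in range(asked + 1):
                ways = comb(unknown, new) * comb(known, asked - new)
                if ways:
                    nxt[known + new] += p * Fraction(ways, total)
        dist = nxt
    return dist


def replay_probability(secret_len, logins, asked=3):
    """Chance that the next challenge only asks for positions the
    keylogger has already captured."""
    total = comb(secret_len, asked)
    dist = known_positions_distribution(secret_len, logins, asked)
    return sum(p * Fraction(comb(known, asked), total)
               for known, p in enumerate(dist))


if __name__ == "__main__":
    n = 8  # constructed example length for the second secret
    print(f"{distinct_challenges(n)} possible challenges for a {n}-character secret")
    for k in (1, 2, 5, 10, 20):
        print(f"after {k:2d} logged logins: "
              f"{float(replay_probability(n, k)):.3f} chance next challenge is answerable")
```

The defender's takeaway is the choice of secret length and lockout threshold: the longer the second secret, the more logins a compromised device has to observe before a fresh challenge falls entirely within captured positions.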

Black Horse Down: Lloyds Banking Group goes TITSUP*

Ken Hagan Gold badge

Re: There may be trouble ahead

"Well, you are allowed to choose a bank which isn't HBODGE."

Are you? Please identify the bank that hasn't outsourced any of its core competencies.

Official: Perl the most hated programming language, say devs

Ken Hagan Gold badge
Coffee/keyboard

Re: APL?

Is that Indus Valley script? Or the Disc of Phaestos?

Icon: I'd need a new one to even begin to type that.

Ken Hagan Gold badge

Re: Forth

"My reason was that you could fit the whole system into ~6KBytes (6809) including (simple) disk i/o."

That would make it a fine language to compile into. It says nothing about whether human beings should be forced to write in that language to begin with.

I've used several languages (Forth and the wretched NSIS setup scripting lingo spring to mind) that would have benefitted from an afternoon's work with yacc/lex to put a pleasant syntax on the front. The same goes, incidentally, for some command-line tools I could name, whose options take about 20 screenfuls of man-page to describe.

Car trouble: Keyless and lockless is no match for brainless

Ken Hagan Gold badge

Re: Door or boot not shut

"Door or boot not shut => car will not lock"

FTFY. The rest is left as an exercise for the reader.

Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs

Ken Hagan Gold badge

Re: Ransom demands in BitCoin again

"No big deal. Leaving aside Bitcoin, there are another 1194 (at the last count) other cryptocurrencies."

That's the *easiest* possible loophole for them to close if you point it out, though.

Ken Hagan Gold badge

Ransom demands in BitCoin again

How long before the authorities decide that BitCoin's main use is in laundering the proceeds of crime and that anyone accepting BitCoin payments is an accessory?

(Note for would-be downvoters: This is a genuine question and not a rhetorical device.)

Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

Ken Hagan Gold badge

Re: Great feature!

No. You are the kind of doofus that the feature is designed to obstruct. A computer wiz would have provided sufficient evidence to their sysadmin that the handy little photo editor was legit and should be added to the whitelist.

In the meantime, you've created a nice little sandbox called Documents2 and when you next download some ransomware it will only be that sandbox that gets toasted. "Documents" will be fine.

Ken Hagan Gold badge

Re: Doh !

Doh? Really?

Personally I'm delighted that MS didn't just whitelist everything from their own stable. It seems entirely proper that this decision should be made by the end-users (or their admins).

Ken Hagan Gold badge

How difficult could it be for you to see the number of false positives this might throw up?

Ken Hagan Gold badge

Re: Riiiiiiight....

This is the stuff that Dave Cutler brought to the party, 25 years ago. I've seen various ways of getting the configuration wrong, but I've never seen the configuration not being enforced properly.

If you are a big fan of the original UNIX model then you can stick to that subset, although UNIX doesn't anymore so perhaps it wasn't quite so great.

Ken Hagan Gold badge

Re: Colour me stupid but...

I don't know, but if I were asked to implement such a feature then here's how I'd do it.

Windows access control already understands the notion of high, medium and low "integrity". That is, whether a piece of code (rather than the user) is trustworthy. This is how they implement UAC. So, on each of the directories that you want to protect, you add an access control entry (ACE) denying write access to some lowly level of integrity.

Windows Defender then hooks into the module loader and arranges that each new process has that lowly level of integrity (in its process token) unless it was whitelisted. It also hooks DLL loading so that adding an untrusted DLL to a trusted process changes the integrity level. (Small loophole there: if you've opened a file and then load the library, you probably still have access via that handle. Perhaps someone at MS has written the additional code required to close that loophole.)

The result is that most processes only have read access to Desktop and Documents (or wherever) but a few whitelisted processes have write access. Enforcement is via the tried and trusted (for 25 years) mechanism of validating access of tokens against lists of ACEs.

Update: I should probably state explicitly that although the usual situation is for all processes that run "as you" to have "your" credentials, the Windows kernel is quite happy to juggle with different versions of "you" and access control is actually done based on the identity (token) of each process.

Ken Hagan Gold badge

Re: So the next evolution of ransomware

"Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. "

You have posted this in reply to a comment that Outlook wasn't one of the whitelisted apps.

Presumably the whitelisted apps have to be digitally signed and will lose their white-listing if they import DLLs that aren't also approved. There's no reason why this can't be made watertight. It doesn't look to be using anything that hasn't been part of the Windows kernel for about a decade. Having said that, I will grant you that whether it is actually effective is another matter.

Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Ken Hagan Gold badge

"in an ideal world I should be thinking sure, if someone has committed a crime and a warrant exists from a court then why not be able to identify them."

Why does your ideal world contain people who commit crimes, or courts to issue warrants against them?

Ken Hagan Gold badge

Re: v7 needed

"If what you say is true then there must be some other reason that nobody bothers with it."

There is another reason. In Western Europe and North America there was, until recently, no problem with only offering IPv4, so ISPs did that, so home users didn't have a choice, so equipment vendors had no incentive to switch on the capability in their device stacks (despite it basically being there for free), so anybody who even started to try the new tech quickly ran into the near-brick-wall that no-one else was running it apart from a few geeks.

I believe that in the Far East, the IPv4 address space was so puny that the economic arguments went the other way and, there being no technical problem with IPv6, there are parts of that region with near-universal IPv6 adoption. Of course, they tend not to contribute to English-speaking forums so we rarely ever hear from them.

Ken Hagan Gold badge

Re: Police mandated v6 deployment

You omitted to point out that, once they've been v6-ed and are using privacy-protected addresses that change "every so often", plod will find them even harder to track. OK, perhaps that's obvious to most El Reg readers, but just in case it isn't...

You're doing open source wrong, Microsoft tsk-tsk-tsks at Google: Chrome security fixes made public too early

Ken Hagan Gold badge

Re: So MS think...

"If they can discover the bug then so can someone else."

Like, Google ... who wrote the original software and might reasonably be expected to have gone to the trouble of trying the commonly available techniques.

And yet they didn't find it, which kinda suggests that even though futzing is not unknown outside of MS there is still a fair chance that this bug was not widely known. Consequently, splashing the fix all over the internet three days before you splashed the fix almost certainly increases the risk of this bug being widely used.

Ken Hagan Gold badge

Re: who fixes the fixes

"its foolish to presume that you're the only people that know of a bug. imho."

It is also foolish to assume that you are the *last* person to know of a bug. Premature disclosure will always widen the risks to some extent. You might estimate the relative obscurity of a given bug by considering how much time elapsed between you adding it and some kind person telling you about it. The more obscure, the greater the risk in disclosing it before you have a fix.

Ken Hagan Gold badge

Re: This is a real issue ...

"In order to make a release, we need to push out release candidates. "

That's your problem then. You've imposed a process on yourself that makes it impossible to deploy fixes before disclosing the bug. Your process has a race condition between "disclosure" and "fix".

Whilst you might get away with that for an app that isn't network-facing, in the same way that you might get away with real race conditions on a uniprocessor box, you can't get away with it in a web browser.

Ken Hagan Gold badge

Re: Does Microsoft's approach not imply...

"However, this prevents the timely cascading of source into other projects..."

I fail to see why you've used the words "However" or "timely". Some of the other projects in this case are malware and preventing the cascading of exploits into malware before the fix cascades onto the machines of potential victims was the whole fucking point of waiting just three days.

MEPs vote to update 'cookie law' despite ad industry pressure

Ken Hagan Gold badge

Re: "Content that must be given away for nothing will ultimately end up being worth nothing."

I'm paying what they're asking, except that I'm blocking the ads because they make my laptop unusable. (No, really, I had them whitelisted for ages but eventually it was taking 30 seconds or more to open each page and I just thought "Fuck this for a game of soldiers!" and de-listed them.)

As soon as advertisers wake up to the fact that people smart enough to have money to spend are people smart enough to use an ad-blocker, the whole bubble will go pop and the internet will die simply move to an alternative funding model.

Google faces $10k-a-day fines if it defies court order to hand over folks' private overseas email

Ken Hagan Gold badge

Re: Cost of doing business

Good luck defending that country against the US. Good luck persuading the majority of UN members (who have plenty of their bolshy citizens) to recognise the country and thereby set a precedent that a bolshy citizen can just up-sticks and declare independence.

Maybe move to Catalonia?

Ken Hagan Gold badge

Re: Maybe the company should relocate

"Any large US company would be totally above the law."

Where "large" = "big enough to pay a few euros to a 'service provider' outside the US".

If this were legal then in next to no time there would be an industry providing the service at prices that just about anyone could afford.

IBM broke its cloud by letting three domain names expire

Ken Hagan Gold badge

Redundancy?

So they were relying on a set of domain names and they are *all* renewed together, so that they all expire at once if someone forgets.

Can we add this one to the RAID-is-not-a-backup list?

Hate to break it to you, but billions of people can see Uranus tonight

Ken Hagan Gold badge
Facepalm

Re: Blue-green Uranus from Methane

Who needs dead dinosaurs?

It's Uranus. It's 50,000 km across. Of course it's made of fart gas.

No, the FCC can't shut down TV stations just because Donald Trump is mad at the news

Ken Hagan Gold badge

Re: Actually

"Really? Have you ever given a thought..."

I think you're thinking of a different Abrahamic religion. There are several. (In fairness, until recently they were all deeply suspicious of each other. Trump is merely a century or two behind the times.)

Australian senator Pauline Hanson wants devilish scam calls to flash '666'

Ken Hagan Gold badge

Re: I propose another use for 666.

"I suspect Pauline Hanson has D-K"

Hmm ... https://en.wikipedia.org/wiki/DK ...

Dorling-Kindersley

Donkey Kong

Denmark

...but nothing seems to fit. (Googles instead for "psychology D-K" ...) Aha!

https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

"In the field of psychology, the Dunning–Kruger effect is a cognitive bias wherein people of low ability suffer from illusory superiority, mistakenly assessing their cognitive ability as greater than it is."

So she's too stupid to realise she's an idiot. OK. That fits.

Ken Hagan Gold badge

Re: I propose another use for 666.

"The Android dialer has..."

I'm not sure that Android has the edge over land lines, this week.

Boffins suggest UK needs an 'AI council' but regulation is for squares

Ken Hagan Gold badge

If we did set up a council, its first task should be to ban the use of the term AI until at least we have an objective definition of what the "I" actually means and a way of measuring it. Only then would it actually be possible to prosecute someone in court for making or using an artificial one improperly.

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

Ken Hagan Gold badge

Android, and the big names were informed privately a few months ago, so the fix should be available today. Whether it is available for your phone, of course, depends on your hardware vendor (and in some cases also on your ISP).

Ken Hagan Gold badge

Re: Why does anyone care about wifi security?

"My router is wide open to all comers. Who cares?"

Whoever pays your broadband bill, I would guess. (Unless they are made of money.) Starbucks are betting that the profit on the coffee far exceeds the cost of the bandwidth you can consume on their connection.

Ken Hagan Gold badge

Re: 4 Years ago in a land far far away.

"thus as people upgrade the exploit will disappear."

Such naivety disappeared from the desktop about two decades ago. Yes, the automatic update mechanisms on the average OS do not have a 100% record, but for the average user who can't manage much beyond plugging it in and turning it on, they are almost certainly the only way to ensure that patches are deployed in the field.

It is scandalous that people sell network-connected devices without any automatic update mechanism. With society's increasing dependence on such things, such omissions are almost in the league of "not fit for purpose" under consumer legislation. It wouldn't even be hard, since these devices are all based on stripped-down Linux distros and those all have the facility. Yes, have an off-switch for the power users if you must, but don't just leave it out.

Ken Hagan Gold badge

Re: OpenBSD

"silently due to embargo"

I think that is actually "silently despite the embargo" since publishing a patch to FOSS cannot be done without implicitly disclosing that a particular area of code is considered buggy. Therefore, more than one person reckons that OpenBSD kinda broke the embargo and they will therefore be placed on the naughty step for next time.

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

Ken Hagan Gold badge

Yes. And if your client is something that can be plugged into the router with a cable then it (the client) will almost certainly be patched this week.

Ken Hagan Gold badge

Re: Should you really care.

"If you are not concerned with QoS then follow the guidance of OpenWireless.org and run a fully open wireless network"

Only two problems with that as far as I can see. Firstly, I'm paying for the traffic. Secondly, Amber Fudd would then blame me for all the porn that passers-by downloaded over my link.

Ken Hagan Gold badge

No. There is (now) a rather good summary near the top of this thread. It is fixable in software, so for most OSes you can expect a fix in the next day or two. The vendors were all warned in advance and should have something ready. It also attacks the clients rather than the access point, so your router is not a problem unless you've chained a few together to extend your range.

The biggest problem I can see is that Android (and Linux in general) can be persuaded to use a null encryption key with this attack. That's "drop trousers and bend over" time for *lots* of mobile phones until such time as phone vendors (and any ISPs who might be cock-blocking the update channel) decide that these "existing customers" are worth some attention.

Sounds painful: Audio code bug lets users, apps get root on Linux

Ken Hagan Gold badge

Huh?

I realise this is all pre-publication, so the lack of detail isn't surprising, but I'm struggling to understand how this works. If the attacking thread is in the same process as the victim, how can it be a privilege elevation and why wouldn't it just create its own port and then attack that? If, on the other hand, it is in a different process, then presumably ALSA has placed some kind of security mechanism around its ports. (If it hasn't, that's a hideous design error, but presumably it would have been spotted yonks ago.)

US Congress mulls first 'hack back' revenge law. And yup, you can guess what it'll let people do

Ken Hagan Gold badge

Re: erm isn't this what law enforcement is for?

It's not even the same as arming children. /That/ would ensure that the children can shoot back at the time of the attack. /This/ law would still require you to collect evidence to prove who did it, check with law enforcement and compare notes, and then retaliate after everyone is dead.

If we assume that the police will respond to convincing evidence that one US citizen has committed a crime against another, on US soil, we can conclude that this new law would provide no new tools for the victims. Indeed, the lack of a response by the police could be the basis of a case by the accused that there was *not* sufficient evidence and that the so-called victim is the actual criminal here.

Totally fucking bonkers.

I love disruptive computer jargon. It's so very William Burroughs

Ken Hagan Gold badge

Re: Of course it's pronounced 'Jif'...

Why would anyone want to interchange a giraffe? Is that even legal?

Ken Hagan Gold badge

"We tend to stop after a certain number of syllables, but German seems to prefer long words."

I'm not sure that we do (stop). We tend to write the resulting mess as separate words but that's a cosmetic detail. The big exception here is when we are glueing Latin or Greek roots together, in which case we join them up, presumably because the parts aren't recognisable words on their own.

Either way, in the spoken language the stream of sounds is much the same. I imagine that in the mind of a listener these compounds are just as separable (or not) in either language.

It's Patch Blues-day: Bad October Windows updates trigger BSODs

Ken Hagan Gold badge

"MS is REALLY getting worse."

Yes. They've been getting worse for a number of years. It's been pointed out to them. At times, they've even accepted it. They haven't been able to change. That's the story here. It will rumble on for another 5-10 years and then it won't matter because MS won't be a significant player in the industry anymore.

I only hope that Bill's managed to philanthropize all his billions before they disappear.

'We think autonomous coding is a very real thing' – GitHub CEO imagines a future without programmers

Ken Hagan Gold badge

Re: Aircraft? Never get off the ground...

Aircraft were never a seemingly dumb idea. There are these things called birds.

Autonomous coding, on the other hand, is a seemingly dumb idea because we aren't even sure how people do it, and we *are* people.