
* Posts by Adam 1

2432 posts • joined 7 May 2012

SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...

Adam 1
Silver badge

There's always Oracle

if you would rather align yourself with the antichrist.

1
0

Can't get pranked by your team if nobody in the world can log on

Adam 1
Silver badge
0
0

Scanning an Exchange server for a virus that spreads via email? What could go wrong?

Adam 1
Silver badge

Re: Sweet memories...

> For example, the idea that a washing machine might, on 01/01/00, think it was 1900, and, that as it hadn't been invented yet, it ought to shake itself to bits and then spontaneously combust.

... And I would have gotten away with it if not for you pesky kids.

2
0
Adam 1
Silver badge

Re: "by sandblasting all the paint off, and then re-painting ;)"

> ... if you have a corpse in the trunk, after the sandblasting and repainting, you will still have a corpse in the trunk...

Asking for a friend?

3
0

AI's next battlefield is literally the battlefield: In 20 years, bots will fight our wars – Army boffin

Adam 1
Silver badge

> in 20 years there could be largely autonomous drones. But replacing the grunts on the ground with machines will require some currently unimagined breakthrough in energy storage (or micro-generation)

20 years and breakthrough energy generation required, hey. Hmmmm. I guess it's lucky that fusion power is only 20 years away*.

*As it has been for the past 50 years or so.

4
0

Microsoft yanks the document-destroying Windows 10 October 2018 Update

Adam 1
Silver badge

> So perhaps Debian should teach them how to implement Debian Stable

I think they've started by studying systemd.

6
0

Oracle? On my server? I must have been hacked! *Penny drops* Oh sh-

Adam 1
Silver badge

Re: 1200 baud down, 75 baud up

> Oh you had it good didn't you!

>

> 300 baud we were stuck with in the 80's. And they only gave us 0's. We had to make 1's by hammering a few 0's flat!

Well lah-de-dar. Look at me and my hammer owning workplace.

6
0

It's over 9,000! Boffin-baffling microquasar has power that makes the LHC look like a kid's toy

Adam 1
Silver badge

Re: LHC = 27Km circle

> It's just for reference. It's like saying Jupiter is a gas giant: it can fit 1,300 Earths.

How many Olympic Sized swimming pools is that?

3
0

What could be more embarrassing for a Russian spy: Their info splashed online – or that they drive a Lada?

Adam 1
Silver badge

> I imagine people who pull this kind of stunt when the Kremlin doesn't want them to, are running considerable risks that have nothing to do with the courts.

Quite. Especially when the folks that you've outed have just been caught attempting to kill a former spy with a chemical weapon visiting cathedrals with historically interesting spires.

9
0

SAP bug beatdowns, Apple gets nasty with Mac repairs, Struts woe, and more from infosec

Adam 1
Silver badge

I respectfully submit that any attempt to use such a "feature" in Australia will find things a tad awkward under the Australian Consumer Guarantees.

Let me quote from page 1.

"Products must also:

......

* come with full title and ownership

* not carry any hidden debts or extra charges

* come with undisturbed possession, so no one has a right to take the goods away or prevent you from using them"

Also, you don't need to deal with Apple to make a claim under this guarantee. It is your choice as to whether you talk to the retailer or the manufacturer or the importer.

2
0

Dutch cheesed off with Russians, expel four suspects over chemical weapons Wi-Fi spying

Adam 1
Silver badge

Re: Not GRU

Yes. The church is famous for its large octagonal tower with a baroque style dome and lantern, crowned by a cross.

6
0
Adam 1
Silver badge

Wait. Did AC just admit to hacking a previous chemical weapons investigation?

Clearly I have the perfect solution to these shenanigans. We'll simply demand their phone passwords and fine them 60K if they don't tell us.

11
0

What do Zuck, Sergey, @Jack and Bezos have in common? They don't want encryption broken

Adam 1
Silver badge

Re: Dabbb

"Retarded" down voter here. What you presented was a false dichotomy. Not believing in government fairy-math doesn't make me support the farcebooks and slurps of the world.

The legislation they are trying to ram through makes noises about companies not being permitted to weaken encryption but simultaneously holds them to have capabilities to decrypt them. This is a mathematical impossibility. Not that one cannot choose elliptic curves that generate random numbers in a predictable way to the designers, or that the encryption key cannot be put in some escrow or that a message could not be intercepted at a point where it isn't yet encrypted. That will work but it will significantly increase other security vulnerabilities.

If the government actually spent more than 8 seconds per submission they received in considering the feedback, they might actually learn something. Yes. Literally 8 seconds.

I'll credit the shadow minister with making the right noise about those risks, but she should remember that it was her side's underpants head that first tried to bring in the mandatory metadata retention laws we are now saddled with. Colour me a tad skeptical that they remember their opposition logic when they are surrounded by the groupthink that pervades their advisers in government. I do wish our media would at least try to elicit a commitment from the opposition to reverse these laws if they win the election in a few months.

But you may want to reflect on why you think that calling someone retarded is an insult.

12
0

New Zealand border cops warn travelers that without handing over electronic passwords 'You shall not pass!'

Adam 1
Silver badge

Re: Have fun!

> Seriously, I've never seen so much fuss made about a provision that - by current international standards - is still incredibly mild (by which I mean, you're subject to way more intrusive searches if you fly into, say, the USA or Australia, where they will simply seize your device - indefinitely - if you refuse to unlock it on demand). What the hey do some of you people keep on your phones, anyway?

I guess if you have nothing to say, there is nothing to hide. Listen, if it's not too much trouble, please send us a nightly report of whomever you associated with that day, your exact location by the minute, a copy of any photo you took (remember to tick the box so we get the location with it please).

25
0

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Adam 1
Silver badge

Re: Unfortunately, there can be some good reasons for this.

Do you honestly believe that nation states are the only ones who MitM? The hardware to MitM an open WiFi access point is in the order of $100-$200, complete with YouTube instructions. Injecting coinhive.js into any HTTP delivered page is beyond simple. Runs on batteries and is small enough to be discreetly hidden in your bag, some even in your pocket (depends on the range you want as to how big the antenna is). In terms of complexity, this is "interview question for a junior info sec position" complexity level. As in, not even a theoretical test but rather here is a device, do it.

And coinhive is at the lighter end of a criminal payload.

But even taking your example of browsing some online brochure which you deem to be perfectly adequate over HTTP. When you click the buy it link, I'm sure that you would agree that it should jump to HTTPS. The site may even put the redirect in for you, so that's nice. Unfortunately, as the page was delivered in an insecure fashion, the MitM can intercept that page and replace the form submit target. Awkward.

4
1

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Adam 1
Silver badge

> It would later surface that Pho had been taking his highly classified work home with him for roughly five years prior to the incident, and had amassed what US prosecutors called "massive troves" of classified information.

---

But don't worry about those "our spooks need to crack at will but somehow, magically, isn't going to reduce security of encryption laws". There is just no way for those skeleton keys to find their way into an adversary's hands, and even if they did, it's not like they would have them for half a decade with no-one noticing.

2
0

Oz government rushes its anti-crypto legislation into parliament

Adam 1
Silver badge

Ok, we've just run this through our Enigma.io system. It says

{"messages":[

{"text":"Can we have another go at repealing 18C?"},

{"text":"QUOTA'S BAD!!1!! Hurumph"},

{"text":"Right, so our new energy plan is to ban wind and just burn non-Adani coal, then subsidise it so it's no more expensive than solar. Sounds good to me. Can someone just run it past Alan?"},{"text":"Got half a billion here to spend on the reef. Anyone know a small charity stacked with petrochemical board members we can grant it to?"},

{"text":"Hey man, know it's a Sunday, but need to call in a favour about my au pair."},

{"text":"Don't worry mate, you've got my full support."}

]}

Crazy talk there, glad we could help. Some folk are really messed up. I can't imagine how I'd sleep if someone sent me the last one.

3
0
Adam 1
Silver badge

Dear el Reg,

Please name names after the vote. No-one can possibly argue that a week is sufficient to consider the far reaching implications of this potential law. So some of our (supposed) representatives are being negligent in their duties if they wave it through. This is a hard area of law. But that means a large effort is needed to be on top of the many consequences. My ballot paper sometime between now and May wants to take it into account.

32
0
Adam 1
Silver badge

Re: I had to read this twice

Shouldn't it be daft law?

12
0

Just 13 – no, er, make that 3,200 punters hit in Oz's Perth Mint hack

Adam 1
Silver badge

Re: It's times like these you need

Minties make me sad. Very delicious, but I think I've paid the lease for enough of my dentists' Audis.

2
0

Boffins bash Google Translate for sexism

Adam 1
Silver badge

Re: English non-gender pronouns

English "they" doesn't communicate whether you mean singular or plural whereas s/he implies singular*

Singular:

I was speaking with a former colleague. "They" couldn't deal with that stupid manglement for another day.

Plural:

Those school kids on the train were so noisy. Why can't "they" stare at their mobile screens quietly like other normal people?

Notice how my second sentence doesn't on its own explain whether I mean one or many? So you've fixed one problem and introduced a new one.

In many cases, you don't need the additional gendered information, either because it has already been communicated and is therefore redundant or because whilst not communicated, it bears no relevance to your point.

*Doubtless someone will find some sentence which breaks my point.

0
0

By gum: Supermicro's Samsung storage ruler server uses secret SSD

Adam 1
Silver badge

if you have to ask....

you probably aren't their target market.

5
0

A boss pinching pennies may have cost his firm many, many pounds

Adam 1
Silver badge

Re: Developer PC

> was so slow that compiling (building) the application literally took 10 minutes.

I had no idea that the node stack had been around for such a long time.

/Only half joking, doing a clean checkout of 10 quadrillion 1KB js files is, er, not the fastest thing in the world.

2
0
Adam 1
Silver badge

Re: Imagine...

> And this isn't counting nefarious teenagers breaking the chain by unplugging one of the BNC connectors...

Yeah, sorry bout doing that, er, on behalf of a good mate of a mate.

11
0

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Adam 1
Silver badge

don't go there Google. it's turtles all the way down

A user agent filter with a 302 redirect to www.www.example.com.

Then bind these to the same site.

3
0

How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Adam 1
Silver badge

Re: Paranoid AF

How secure are we? Our key space is 374144419156711147060143317175368453031918731001856 times larger than that 88 bit key.

Also worth noting that enigma wasn't cracked by manually brute forcing on the 309485009821345068724781056 possible keys. At 100 billion guesses per second, this would take on average ~50 million years to search.

Rather they used some systemic weaknesses like how it wasn't possible for a character to encipher to itself, pattern analysis to guess how many teeth were on the cogs, tricking the originator into resending the same message with multiple keys, stealing codebooks when the opportunity arose, and automating the scanning of that substantially reduced possible key surface. The weakest link of course was and still is the meat sack not following process.

If I was $EvilGovernment$, I wouldn't even bother attacking AES directly. It doesn't have those weaknesses inherent to enigma. Much easier task to compromise the random number generator so that keys are poorly chosen, or even easier would be to exploit vulnerabilities in the system holding the keys, or trick those systems into revealing their key to an imposter.

8
0

Benchmark smartphone drama: We wouldn't call it cheating, says Huawei, but look, everyone's at it

Adam 1
Silver badge

Re: VW

So why the down votes? Peer reviewed journals use too many big words for you? Or have you got some paper showing how a fake CPU mark score is causing deaths? Both are wrong, but your moral compass is pretty screwed up if you can't understand why one is not a few orders of magnitude worse.

3
0
Adam 1
Silver badge

Re: How did they ever think they'd get Huawei with it!?

Where would the Honor be in that?

5
0
Adam 1
Silver badge

Re: VW

> So it's like the VW thing which they all probably do anyway.

Yes, except I doubt that the synthetic benchmark faking will lead to thousands of deaths p.a.

4
3

Archive.org's Wayback Machine is legit legal evidence, US appeals court judges rule

Adam 1
Silver badge

finally a proper use case for Blockchain

Having a distributed ledger that proves that the hash of the archived page has not been modified since collection could certainly add such trust. Of course it can only prove that WBM faithfully kept a copy of the same thing that was delivered to them originally. It cannot prove whether or not:

* WBM was served a custom version of the page different to what another visitor would see

* Whether any doctoring occurred between what was served and when that block was added to the chain

9
4

Strewth! Aussie ISP gets eye-watering IPv4 bill, shifts to IPv6 addresses

Adam 1
Silver badge

Re: Not el Reg

Took me longer to figure out what you were on about than I care to admit.

8
1

Anon man suing Google wants crim conviction to be forgotten

Adam 1
Silver badge

> The Particulars [case papers] complain that the continued publication by the Defendant of the news report referring to his conviction has prevented him from pursuing his ventures, causing him and his businesses to suffer substantial losses,

No. The loss was caused by the crime that this man committed. As long as the reporting doesn't imply that it is a more recent offense than it was, then what exactly is the complaint?

I can well appreciate that someone who was reported to be "charged" with an offence may want the record set straight if they were found not guilty but an old article implies a cloud over them. Doesn't seem like the case here though.

13
0

Spies still super upset they can't get at your encrypted comms data

Adam 1
Silver badge

Re: "No homebrew" is NOT elitist

> I have DREAMT integer register programming.

You're only human. Don't beat yourself up.

3
0

No D'oh! DNS-over-HTTPS passes Mozilla performance test

Adam 1
Silver badge

Re: Doesn't this...

Yes. In the slip of paper where you have printed the AP name and the password for the day, you print the URI that the guest must visit to sign in.

0
1
Adam 1
Silver badge

Re: Something Fundamentally Wrong with the Argument?

The real elephant for... No that's not fair. It certainly improves the level of privacy and reduces the attack surface. The real reason for why DoH is no silver bullet for domain name resolution is noted in the IETF draft.

"HTTPS connection provides transport security for the interaction between the DoH server and client, but does not provide the response integrity of DNS data provided by DNSSEC. DNSSEC and DoH are independent and fully compatible protocols, each solving different problems. The use of one does not diminish the need nor the usefulness of the other."

0
0

Vodafone, TPG propose 'merger of equals'

Adam 1
Silver badge

At the retail side, I personally think it's not too bad. They don't really swim in each other's pool, so merging isn't likely to reduce either mobile or ISP competition. TPG's more recent acquisitions of iinet etc would be more worrying than this.

The bigger questions for the ACCC or whatever other toothless tiger would be things like whether they should be permitted to hold whatever 5G frequencies as one company.

/IANAL etc etc

1
0

Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers

Adam 1
Silver badge

Re: Which machines, where?

They may well have reasonable physical security, but that is only one threat model, and only the most ridiculously poorly thought out attacks would seriously adjust voter intention in a particular way. There are much more effective ways, including

1. Suppressing small numbers of votes from polling booths that are known to lean to the unfavorable side and injecting votes in the booths which tend to vote toward the favourable side.

2. Adjusting votes to lower preference (in preferential systems) which may be enough to push someone over the required quota.

And you and I so far have only addressed the machine level attack vector. The data must be aggregated across thousands of polling booths. That means that these memory cartridges need to be transported. It also means some other opaque system then claims to read what is written to it. This is very hard to externally validate. Everything from the device driver through to the application code must be inspected. Then you have the build chain of those pieces of software. Can you prove that the code that you reviewed is the exact code that was compiled? This is hard enough without malicious actors trying to deliberately add some hole. Can you prove that the compiler itself doesn't inject malicious code even if you can inspect it? Can you prove that the version that you reviewed is the same as the version that was deployed during the actual count? Can you trust the output of the crypto libs in that machine to not lie about the hash of the deployed files?

These are a bunch of really hard problems. It is completely inappropriate to permit a counting tool to be used where the vendor won't permit full inspection.

2
0

No, eight characters, some capital letters and numbers is not a good password policy

Adam 1
Silver badge

> I still think that capital letters and special characters are more trouble than they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password

So much true that hashcat even does this (and a=>@, l=>!, s=>5 style substitutions) and their permutations.

At the end of the day, size matters. A 12 character password consisting solely of lower case a-z has more entropy than an 8 character password consisting of any character (upper and lower), symbol, digit and whitespace.

Those in a position to influence password system design should consider flat out blacklisting terrible passwords. I'd personally consider integrating with Pwned Passwords either directly or by just downloading the list and rolling your own.

19
0

Ah, um, let's see. Yup... Fortnite CEO is still mad at Google for revealing security hole early

Adam 1
Silver badge

Re: I learned something

I'm not sure who you're suggesting people go with. Apple store is also 30% (plus another call it 100pa for the account). At the low end of the market, paying 30c to Google or Apple for vetting, indexing, distribution and push of upgrades isn't too bad, but once you start hitting the expensive apps, you can't really justify it.

If enough of these sorts of companies separately distribute their wares, the app stores will smarten up.

15
1

Muslim American woman sues US border cops: Gimme back my seized iPhone's data!

Adam 1
Silver badge

Maybe it did, but unless it was material to a warrant, then Shirley this sits in the none of their damn business category.

8
2

MyHealth Record privacy legislation published

Adam 1
Silver badge

Re: What time is it now?

@Phil, whilst I don't know you from a bar of soap, you can't be much worse than those on offer. Whilst JB might be ok in the job, she lacks a penis so they won't promote her.

3
1

TLS developers should ditch 'pseudo constant time' crypto processing

Adam 1
Silver badge

Re: Obviously, their code 'Review and Approval' processes need some work...

> The article notes the code was formally verified. What does that say?

That it is a hard problem that even a reviewer or 10 can miss.

Imagine an ancient city under siege. The defender must cut off each and every attack against their stronghold. Be they through the city gates, over the walls, under the walls, earthworks outside to cause a collapse in those walls, every vector, every time. If they fail once, the city is at risk of capture.

Now imagine the attacking army. They get to choose how to attack. Whether to try and sneak one person through to sabotage the defences, or whether to block off the water supply and wait for surrender. They may notice a piece of wall that is not visible from the defensive ramparts to start digging or climbing. They may observe a pattern of those sentry guards and learn when they have 30 minutes of time.

That's the equation here too. One step wrong and you are exposed. If it's not a timing attack then it could be some other vector to act as an oracle. It's serious, sure. But let's be realistic.

2
0

SuperProf gets schooled after assigning weak passwords to tutors

Adam 1
Silver badge

Re: SuperProf

Maybe they should get one of their "star" tutors.

4
1
Adam 1
Silver badge

Re: At Superprof we take security seriously and know how key it is to the running of our business

> "I apologise if any offence was caused"

> (no admission that I was the one who caused it)

Shirley that would be "We apologise if anyone took offence"

(We didn't cause it, it's your own fault if you got offended. Mumble mumble mumble nanny state mumble PC gone nuts mumble. Suck it up princess.)

4
0

Mozilla-endorsed security plug-in accused of tracking users

Adam 1
Silver badge

Re: Bloom filters

> the more elements that are added to the set, the larger the probability of false positives

Yes, it is mathematics, not magic. The laws in information theory are not violated. The probability of false positives can also be lowered by using a bigger file. It's a bang for your buck argument.

And if you keep reading that Wikipedia page, you'll read about how Google Chrome uses this exact technique to flag pages as malicious.

You need to remember that larger is a comparator, not an absolute size. In the same way that 0.0000033% chance is larger than 0.0000032%, but both are still rather unlikely.

0
0
Adam 1
Silver badge

It is no doubt unimaginably huge. A list is the wrong data structure to be using for this use case. Other structures like bloom filters let you trade off between storage size and false positive rate.

It doesn't really matter if your bloom blocks a page wrongly once every hundred thousand tests if that drops the download size from multiple GB to a handful of MB. They could even hash the URI that was blocked and send for further analysis without the privacy complaints apparent from uploading every address you visit.

But that is why you don't push down a list of URIs

4
1
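A worked version of the size-versus-false-positive trade-off described in the post above, added here as an example; it is not the commenter's code nor Chrome's implementation. The block list and the "clean" probe URIs are constructed for the demo, and the filter sizing uses the standard optimal m/k formulas for a target false positive rate.

```python
import hashlib
import math


class BloomFilter:
    """Bit array with k hash positions per item: no false negatives, tunable false positives."""

    def __init__(self, expected_items: int, fp_rate: float) -> None:
        # Standard sizing: m bits and k hashes that minimise false positives for n items.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: derive k indices from the two halves of one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step keeps indices spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # Every position must be set; one clear bit proves the item was never added.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def build_filter(blocked_uris, fp_rate: float) -> BloomFilter:
    bf = BloomFilter(len(blocked_uris), fp_rate)
    for uri in blocked_uris:
        bf.add(uri)
    return bf


def report_hit(uri: str, bf: BloomFilter):
    """Client-side check: only a hash of a filter hit would ever leave the device."""
    if uri in bf:
        return hashlib.sha256(uri.encode("utf-8")).hexdigest()
    return None


def run_demo(n_blocked: int = 10_000, n_probe: int = 100_000, fp_target: float = 0.001) -> dict:
    # Constructed sample data: both the block list and the clean probe URIs are made up.
    blocked = [f"http://blocked-{i}.example.test/landing" for i in range(n_blocked)]
    clean = [f"http://clean-{i}.example.test/" for i in range(n_probe)]
    bf = build_filter(blocked, fp_target)
    return {
        "filter_bytes": bf.size_bytes(),
        "list_bytes": sum(len(u.encode("utf-8")) for u in blocked),
        "false_negatives": sum(1 for u in blocked if u not in bf),
        "false_positive_rate": sum(1 for u in clean if u in bf) / n_probe,
    }


if __name__ == "__main__":
    stats = run_demo()
    print(f"filter: {stats['filter_bytes']} bytes vs plain list: {stats['list_bytes']} bytes")
    print(f"false negatives: {stats['false_negatives']}, "
          f"false positive rate: {stats['false_positive_rate']:.4%}")
```

Raising fp_target shrinks the filter further at the cost of more wrongly flagged pages; lowering it does the reverse, which is the "bang for your buck" knob the post refers to.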
Adam 1
Silver badge

so

We've not heard about bloom filters then?

5
2

Google risks mega-fine in EU over location 'stalking'

Adam 1
Silver badge

> Google was defiant in a canned statement sent to The Register this week that "Location History" is "entirely opt in"

I think they may need to reflect upon the term "in" in the phrase "opt-in". It means that the default behaviour is to avoid collecting and tracking it unless the user explicitly acts to enable it.

33
0

When's a backdoor not a backdoor? When the Oz government says it isn't

Adam 1
Silver badge

Maybe it would help to understand if you substitute USA where you see Australia and, geez, pick any law, but let's go with DMCA, or EU and GDPR.

Our collective Muppets-in-charge can not get their head around the limits of their legislative powers.

You can ignore this unless:

(a) you're planning to visit our fine shores; or

(b) you're starting up a local company presence; or

(c) Some trade agreement where your own country has agreed to limit you in this area; or

(d) Your customer is subject to these laws and requires that you agree to the technical assistance measures to the extent that your law permits you to. (You are of course free to not accept such customers).

TL;DR, if you're the cow on the hill, feel free to ignore Yertle bellowing from the pond.

2
0
Adam 1
Silver badge

Re: The Holy Trinity

> They make the legislation apparently quite definite. Then subsequently they gradually widen the scope of interpretations of "terrorists, paedophiles and organised crime".

It already covers "protecting the public revenue", so add to that library/parking/dog shat on the footpath fines as technically meeting the criteria.

5
0

The Register - Independent news and views for the tech community. Part of Situation Publishing