nav search
Data Centre Software Security DevOps Business Personal Tech Science Emergent Tech Bootnotes
BOFH
Lectures

* Posts by Adam 1

2466 posts • joined 7 May 2012

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

Adam 1
Silver badge

Re: "Ship! Come back!"

WhatsApp is a closed source app that implements an open source protocol (signal).

If they add the capability to generate a new group key-pair whenever requested by the server without authorisation within the app, then a systemic weakness had just been included that anyone who manages to pwn WhatsApp servers can now exploit.

You might as well just let the server manage the session keys.

And if you have ever run a Java decompiler (I have but for the record, not on WhatsApp or any other application for which I did not have permission to do so), you would struggle to hide "if (request.Guid==magicGuid) return true;" inside the method responsible for collecting user's consent. The bad guys would have that line NO-OPd within minutes of it being discovered, or they will just move onto whatever other app that implements the signal protocol but is based in whoknowswhere.

0
0
Adam 1
Silver badge

Re: "Ship! Come back!"

They can update the app, but egress traffic from each participant cannot be avoided without fundamentally changing the protocol.

And I'm not sure what you mean by ignore the keys. These are public keys of each participant for the new participant that allow them to decrypt the messages you send and allow you to decrypt messages that they are trying to send you. Ignore them, and they cannot understand you or vice versa.

2
1
Adam 1
Silver badge

Re: "Ship! Come back!"

@Mark, the signal protocol used by WhatsApp requires each participant to push their group key to the new user. Whilst Signal/WhatsApp can BCC all comms to 5eyes, they are not in possession of the encryption keys used by the group conversation. If they tried to push an invite out to 5eyes, then each device could notice that the administrator has pushed an invitation to a new member.

Without weakening the security by adding a vulnerability to permit the servers to manage the session key, they cannot comply. They must either weaken security for all or refuse to comply.

Thanks very much Labor for supporting the laws of fairy math. I had held hope that you had understood what the experts were all, without exception, telling you. History will judge you poorly for supporting such a dangerous law.

17
0

College PRIMOS prankster wreaks havoc with sysadmin manuals

Adam 1
Silver badge

Re: Value added installer

I once had to handle a complaint about system responsiveness. The client application had to wait for a bunch of data from the server, but given that the penny pinchers had, er, purchased network kit and internet connections that one could make a case were more suited to a small household than a business, occasionally these responses would time-out/retry or just take absurdly long to complete.

For reasons that largely boil down to historic cries of "just push it out, we promised it two weeks ago" from the PHB, the calls themselves locked up the UI thread which as anyone with an ounce of foresight can see was going to make the application appear unresponsive.

I couldn't magic up better performance given the data required and network conditions, but it's amazing how the complaint disappeared as soon as I included an animated gif progress bar and demonstrated how much faster the new version was.

1
0
Adam 1
Silver badge

Printer test page, missed a trick there

[Company Logo]

Memo

Directive to all service staff - Beer O'clock Super Special Tuesday

From this Tuesday afternoon, we will be commencing our new Super Tuesday initiative. We value our regular patrons, so whenever an order is placed for a craft beer, the first one is on the house.

Cheers

Management

3
0

Pencil manufacturers rejoice: Oz government doesn't like e-voting

Adam 1
Silver badge

> Who uses a pencil to cast their vote? Use a pen!!!! You can't rub out a pen.

If you are planning to subvert an election by changing the votes, do you:

(A) Open up the ballot box, pull out an eraser, carefully rub off all the marks, then renumber them according to your evil plans; or

(B) Print out new ballot forms and then number them according to your evil plans;

(In both cases you need to figure out how to stuff those faked ballots into the box).

0
0
Adam 1
Silver badge

As someone who strongly advocated against the government's mathematically illiterate magic fairy unbreakable but yet somehow still possible to assist in breaking when receiving a magical signed order, can I express relief that at least on this proposal they managed to see what a stupid idea it is.

15
0

Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS

Adam 1
Silver badge

Re: It's time to start over

I saw a lecture by "Uncle Bob" once, and he made an interesting observation about the rate of growth of programmers. Broadly speaking, since about the '60s, the number of programmers has doubled every 5 years. Or another way to word that is that half the monkeys bashing keyboards today have had less than 5 years experience in the profession. I personally think that this explains quite a lot.

0
0

Fresh releases of TypeScript and Visual Studio 2017 for Mac round out November

Adam 1
Silver badge

Re: Er, so this TypeScript is not a language

> Er, so this TypeScript is not a language just a C-stylee preprocessor ?

Only in the sense that c# is an MSIL preprocessor, or that c is an assembler preprocessor.

It is perhaps more helpful to think of JavaScript the way that you think about MSIL; a set of instructions that the runtime can execute.

The example of the + meaning between string concatenation and addition depending on data is right but on its own really doesn't explain the problem in a significant enough way to get why you'd bother. It becomes a lot more helpful when you can't accidentally pass a complex model in error and allows intellisence to better guess what you're trying to pass. It's the benefits that any typed language provides.

2
0

Huawei gets the Kiwi 'yeah nah'* as NZ joins the Chinese kit-ban club

Adam 1
Silver badge

as a left ditchian

Just a heads up that if our government actually troubles itself to sit for more than a week in the next 6 months, they are trying to pass laws that will force Australian vendors to break encryption in their products if they are directed to by the government of the day through their law enforcement arms. Pretty much the same thing everyone is hung up about Huawei on. So be careful when sourcing Aussie kit.

1
0

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)

Adam 1
Silver badge

Re: Build time internet dependencies are garbage

> even though they need an external trim function written by someone else

Whilst I take your broader point, trim is exactly the sort of function that makes sense as a framework provided function. If you think it's trivial, then I'd chance that you really haven't understood its problem domain and what it counts as a character and what doesn't (and expectations in right to left languages) once you step outside the safe world of ANSI. And to implement it efficiently requires a good understanding of how your framework and runtime implement strings.

0
0
Adam 1
Silver badge

Re: Javascript

> The only obvious process error is that the original developer handed the package to the malware developer

Nope. I mean it isn't impossible but my money is on the new broom adding a dependency without considering the integrity of the flatmap-stream package.

7
0
Adam 1
Silver badge

Web of Trust, you mean that plugin that was caught with its fingers in the cookie jar a few years back? Maybe not.

Also, I wouldn't be so quick to assume that the new maintainer had a clue that this malware had been introduced. It is of course possible that s/he was in cahoots with the other account, but with the way that NPM works, half the web can break because some random Dev throws their toys out of the cot. Leaving asides the question as to whether his actions were justified, it showed that thousands (and that isa generously small number) of projects find themselves with unrealised dependencies.

This is both the greatest strength and Achilles heel of npm.

12
1

LG: Fsck everything, we're doing 16 lenses in smartphones (probably)

Adam 1
Silver badge

20 years from now .....

* Hey guys, remember when cameras only had a dozen sensors? A dozen sensors!? Luxury! We used to dream of a dozen sensors ... (Four Yorkshire Men memes will still be funny)

* These 4 MegaSensor claims are really misleading. If it was really 4MS, it would have 4,194,304 sensors, not 4,000,000. We're being ripped off here by nearly 200,000 sensors.

5
0

Behold, the world's most popular programming language – and it is...wait, er, YAML?!?

Adam 1
Silver badge

And apparently the most popular language is markdown, with all those readme.md source code files all over GitHub.

28
0

Microsoft sysadmin hired for fake NetWare skills keeps job despite twitchy trigger finger

Adam 1
Silver badge

Re: Who writes the damn matching algorithms???

Shirley it would be

Select distinct c.*

From Company victim

Inner join Company oldvictim

On victim.CategoryId=oldvictim.Category and victim.Id<>oldvictim.Id

Inner join CandidateHistory ch

On ch.CompanyId=oldvictim.Id

Inner join Candidate c

On c.id=ch.CandidateId

Where victim.Name='FooCorp'

And (c.LastPlacementDate>DateAdd(Month, -6, GETDATE()) or c.LastPlacementDate is null)

0
0

If at first or second you don't succeed, you may be Microsoft: Hold off installing re-released Windows Oct Update

Adam 1
Silver badge

> That stunning Redmond Q&A at work again, we guess.

I am old enough to remember before the abbreviation of Quality Assurance had an ampersand in it.

55
0

Oz lad 'fell in love with' baby meerkat, nicked it from zoo, took it out for a romantic Big Mac

Adam 1
Silver badge

I thought it was simples enough

1
1
Adam 1
Silver badge

"Obviously life outside its mob just doesn't compare"

Bravo

1
1

Junior dev decides to clear space for brewing boss, doesn't know what 'LDF' is, sooo...

Adam 1
Silver badge

Re: Killing a database?

> Consider: 80 characters per card (72 for data in my example). 2000 cards per box. Maybe ten boxes on my handtruck. That's 1,440,000 bytes of data.

Wow. That'd almost hold the minified js files that a typical modern web app needs to launch.

5
0

Samsung 'reveals' what looks like a tablet that folds into a phone, but otherwise we're quite literally left in the dark

Adam 1
Silver badge

You're folding it wrong!?

/I'll grab my coat

6
0

Stairway to edam: Swiss bloke blasts roquefort his cheese, thinks Led Zep might make it tastier

Adam 1
Silver badge

Mummy Cheese do do do-do-do

Mummy Cheese do do do-do-do

Mummy Cheese do do do-do-do

Mummy Cheese.

4
0

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

Adam 1
Silver badge

Re: This explains it

> They also have the software that puts up 'HACKING PASSWORD' in 196 point red letters.

There is some pretty amazing software available on the internet these days. A lot easier than in days of old.

2
0

DBA drifts into legend after inventive server convo leaves colleagues fearing for their lives

Adam 1
Silver badge

Re: My boss was demonstrating the instrusion sensors on our building

Re: percussive maintenance

A large number of years ago, our former office space was turned into an unworkable wall of noise due to an alarm in the neighbouring suite. It was triggered by who knows what, blasted for 15 minutes, then turned off .... for maybe 5 before repeating the process.

After the fourth or fifth cycle of this, and with no tenant in sight for the adjacent suite, a former colleague pushed his chair away from the desk with resolve, stood up, grabbed a screwdriver of the workbench and disappeared into the service corridor. He must have found the tenant because the alarm went quiet a minute or two later. And the tenant must have got that issue fixed because I don't recall it happening again after that. I can imagine no other method by which the peace we experienced after that time could have occurred.

12
0

Which scientist should be on the new £50 note? El Reg weighs in – and you should vote, too

Adam 1
Silver badge

Re: Francis Bacon

Wow, well you just brought an ICBM to a knife fight. I mean all of these other suggestions have merit, but you cannot compare them with Bacon. Bacon is the best thing since sliced bread with bacon on it.

3
0
Adam 1
Silver badge

Re: How about Claude Shannon?

Obligatory

5
0

Shift-work: Keyboards heaped in a field push North Yorks council's fly-tipping buttons

Adam 1
Silver badge

Re: Shifting old keyboards?

I'm pretty sure that even old keyboards have specific buttons when you want to shift them.

1
0
Adam 1
Silver badge

Re: Identifying the original owners...

No. I'm Password123

0
0

Apple's launch confirms one thing: It's determined to kill off the laptop for iPads

Adam 1
Silver badge

wait how!?

How did this e-rag manage to get an invite to an Apple launch?

20
0

With the 6T, OnePlus hopes to shed 'cheeky upstart' tag and launch assault on flagships

Adam 1
Silver badge

Re: why all the fuss over a headphone socket?

My Bluetooth headphones still work when the battery is flat if you plug the 3.5mm cable in. It's nice to have the option, and no manufacturer has really been able to put forward a good case as to why it needs to go.

10
0

Oz spy boss defends 'high risk vendor' ban

Adam 1
Silver badge

> In a rare public speech, ASD boss Mike Burgess said “a potential threat anywhere in the network is a threat to the whole network”. It's “paramount” that Australia gets critical infrastructure security right, he said.

Entirely agree. We should make sure that anywhere that we source key infrastructure hasn't legislated that their companies build in backdoors into the security layers of their products.

16
0

Memo to Microsoft: Windows 10 is broken, and the fixes can't wait

Adam 1
Silver badge

Re: "Quality" is a structural attribute, not a bolt-on

I'm going to disagree with you on that. There is nothing fundamentally wrong with agile development. It does not permit untested work. TDD (which if you're doing agile correctly is kinda mandatory) means that you should have your tests written before you start copy pasting from stackoverflowwriting code. If you are doing things properly, you are getting input from QA before you design the tests in the first place. It was never about removing QA from the process. Everything about it is to remove the distance between the subject matter expert and the code monkey so that misunderstandings can be discovered and rectified much sooner.

Of course, you are probably thinking about that other definition of agile favoured by PHBs the world over, where any form of analysis is disregarded because agile, any form of planning ahead can be forgotten because agile, and any form of QA can be ignored because we once showed the devs how to install nunit. That is of course bollocks.

Quality is derived from culture. You need a culture that is ashamed of breaking things, ashamed when their test case design fails to detect a breaking change, is proud about coverage (real, not by fooling the tools), hates when something slips through to QA and really hates when a customer suffers a bug.

Companies that only value story point velocity, that don't invest in reducing technical debt inevitably find themselves producing code which is a quick hack around some work around ona half designed proof of concept which resists even basic enhancements, which then hurts the velocity, so no time for paying back that technical debt and the QA cycle needs to be cut to make deadline. Sigh, I guess some people cannot learn.

11
3
Adam 1
Silver badge

Re: I stopped right here...

And to be fair, as an enterprise customer, I can think of several places where the breakdancing poo emoji may come in handy.

37
0

SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...

Adam 1
Silver badge

There's always Oracle

if you would rather align yourself with the antichrist.

5
0

Can't get pranked by your team if nobody in the world can log on

Adam 1
Silver badge
3
0

Scanning an Exchange server for a virus that spreads via email? What could go wrong?

Adam 1
Silver badge

Re: Sweet memories...

> For example, the idea that a washing machine might, on 01/01/00, think it was 1900, and, that as it hadn't been invented yet, it ought to shake itself to bits and then spontaneously combust.

... And I would have gotten away with it if not for you pesky kids.

2
0
Adam 1
Silver badge

Re: "by sandblasting all the paint off, and then re-painting ;)"

> ... if you have a corpse in the trunk, after the sandblasting and repainting, you will still have a corpse in the trunk...

Asking for a friend?

3
0

AI's next battlefield is literally the battlefield: In 20 years, bots will fight our wars – Army boffin

Adam 1
Silver badge

> in 20 years there could be largely autonomous drones. But replacing the grunts on the ground with machines will require some currently unimagined breakthrough in energy storage (or micro-generation)

20 years and breakthrough energy generation required, hey. Hmmmm. I guess it's lucky that fusion power is only 20 years away*.

*As it has been for the past 50 years or so.

4
0

Microsoft yanks the document-destroying Windows 10 October 2018 Update

Adam 1
Silver badge

> So perhaps Debian should teach them how to implement Debian Stable

I think they've started by studying systemd.

6
0

Oracle? On my server? I must have been hacked! *Penny drops* Oh sh-

Adam 1
Silver badge

Re: 1200 baud down, 75 baud up

> Oh you had it good didn't you!

>

> 300 baud we were stuck with in the 80's. And they only gave us 0's. We had to make 1's by hammering a few 0's flat!

Well lah-de-dar. Look at me and my hammer owning workplace.

6
0

It's over 9,000! Boffin-baffling microquasar has power that makes the LHC look like a kid's toy

Adam 1
Silver badge

Re: LHC = 27Km circle

> It's just for reference. It's like saying Jupiter is a gas giant: it can fit 1,300 Earths.

How many Olympic Sized swimming pools is that?

3
0

What could be more embarrassing for a Russian spy: Their info splashed online – or that they drive a Lada?

Adam 1
Silver badge

> I imagine people who pull this kind of stunt when the Kremliin doesn't want them to, are running considerable risks that have nothing to do with the courts.

Quite. Especially when the folks that you've outed have just been caught attempting to kill a former spy with a chemical weapon visiting cathedrals with historically interesting spires.

9
0

SAP bug beatdowns, Apple gets nasty with Mac repairs, Struts woe, and more from infosec

Adam 1
Silver badge

I respectfully submit that any attempt to use such a "feature" in Australia will find things a tad awkward under the Australian Consumer Guarantees.

Let me quote from page 1.

"Products must also:

......

* come with full title and ownership

* not carry any hidden debts or extra charges

* come with undisturbed possession, so no one has a right to take the goods away or prevent you from using them"

Also, you don't need to deal with Apple to make a claim under this guarantee. It is your choice as to whether you talk to the retailer or the manufacturer or the importer.

2
0

Dutch cheesed off with Russians, expel four suspects over chemical weapons Wi-Fi spying

Adam 1
Silver badge

Re: Not GRU

Yes. The church is famous for its large octagonal tower with a baroque style dome and lantern, crowned by a cross.

6
0
Adam 1
Silver badge

Wait. Did AC just admit to hacking a previous chemical weapons investigation?

Clearly I have the perfect solution to these shenanigans. We'll simply demand their phone passwords and fine them 60K if they don't tell us.

11
0

What do Zuck, Sergey, @Jack and Bezos have in common? They don't want encryption broken

Adam 1
Silver badge

Re: Dabbb

"Retarded" down voter here. What you presented was a false dichotomy. Not believing in government fairy-math doesn't make me support the farcebooks and slurps of the world.

The legislation they are trying to ram through makes noises about companies not being permitted to weaken encryption but simultaneously holds them to have capabilities to decrypt them. This is a mathematical impossibility. Not that one cannot choose elliptic curves that generate random numbers in a predictable way to the designers, or that the encryption key cannot be put in some escrow or thata message could not be intercepted at a point where it isn't yet encrypted. That will work but it will significantly increase other security vulnerabilities.

If the government actually spent more than 8 seconds per submission they received in considering the feedback, they might actually learn something. Yes. Literally 8 seconds.

I'll credit the shadow minister with making the right noise about those risks, but she should remember that it was her side's underpants head that first tried to bring in the mandatory metadata retention laws we are now saddled with. Colour me a tad skeptical that they remember their opposition logic when they are surrounded by the groupthink that pervades their advisers in government. I do wish our media would at least try to elicit a commitment from the opposition to reverse these laws if they win the election in a few months.

But you may want to reflect on why you think that calling someone retarded is an insult.

12
0

New Zealand border cops warn travelers that without handing over electronic passwords 'You shall not pass!'

Adam 1
Silver badge

Re: Have fun!

> Seriously, I've never seen so much fuss made about a provision that - by current international standards - is still incredibly mild (by which I mean, you're subject to way more intrusive searches if you fly into, say, the USA or Australia, where they will simply seize your device - indefinitely - if you refuse to unlock it on demand). What the hey do some of you people keep on your phones, anyway?

I guess if you have nothing to say, there is nothing to hide. Listen, if it's not too much trouble, please send us a nightly report of whomever you associated with that day, your exact location by the minute, a copy of any photo you took (remember to tick the box so we get the location with it please).

25
0

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Adam 1
Silver badge

Re: Unfortunately, there can be some good reasons for this.

Do you honestly believe that nation states are the only ones who MitM? The hardware to MitM an open WiFi access point is in the order of $100-$200, complete with YouTube instructions. Injecting coinhive.js into any HTTP delivered page is beyond simple. Runs on batteries and is small enough to be discretely hidden in your bag, some even in your pocket (depends on the range you want as to how big the antenna is). In terms of complexity, this is "interview question for a junior info sec position" complexity level. As in, not even a theoretical test but rather here is a device, do it,

And coinhive is at the lighter end of a criminal payload.

But even taking your example of browsing some online brochure which you deem to be perfectly adequate over http. When you click the buy it link, I'm sure that you would agree that it should jump to Https. The site may even put the redirect in for you, so that's nice. Unfortunately, as the page was delivered in an insecure fashion, the MitM can intercept that page and replace the form submit target. Awkward.

4
1

NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

Adam 1
Silver badge

> It would later surface that Pho had been taking his highly classified work home with him for roughly five years prior to the incident, and had amassed what US prosecutors called "massive troves" of classified information.

---

But don't worry about those "our spooks need to crack at will but somehow, magically, isn't going to reduce security of encryption laws". There is just no way for those skeleton keys to find their way into an adversary's hands, and even if they did, it's not like they would have them for halfa decade with no-one noticing.

2
0

The Register - Independent news and views for the tech community. Part of Situation Publishing