2466 posts • joined 7 May 2012
Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time
Re: "Ship! Come back!"
WhatsApp is a closed source app that implements an open source protocol (signal).
If they add the capability to generate a new group key-pair whenever requested by the server without authorisation within the app, then a systemic weakness had just been included that anyone who manages to pwn WhatsApp servers can now exploit.
You might as well just let the server manage the session keys.
And if you have ever run a Java decompiler (I have but for the record, not on WhatsApp or any other application for which I did not have permission to do so), you would struggle to hide "if (request.Guid==magicGuid) return true;" inside the method responsible for collecting user's consent. The bad guys would have that line NO-OPd within minutes of it being discovered, or they will just move onto whatever other app that implements the signal protocol but is based in whoknowswhere.
Re: "Ship! Come back!"
They can update the app, but egress traffic from each participant cannot be avoided without fundamentally changing the protocol.
And I'm not sure what you mean by ignore the keys. These are public keys of each participant for the new participant that allow them to decrypt the messages you send and allow you to decrypt messages that they are trying to send you. Ignore them, and they cannot understand you or vice versa.
Re: "Ship! Come back!"
@Mark, the signal protocol used by WhatsApp requires each participant to push their group key to the new user. Whilst Signal/WhatsApp can BCC all comms to 5eyes, they are not in possession of the encryption keys used by the group conversation. If they tried to push an invite out to 5eyes, then each device could notice that the administrator has pushed an invitation to a new member.
Without weakening the security by adding a vulnerability to permit the servers to manage the session key, they cannot comply. They must either weaken security for all or refuse to comply.
Thanks very much Labor for supporting the laws of fairy math. I had held hope that you had understood what the experts were all, without exception, telling you. History will judge you poorly for supporting such a dangerous law.
Re: Value added installer
I once had to handle a complaint about system responsiveness. The client application had to wait for a bunch of data from the server, but given that the penny pinchers had, er, purchased network kit and internet connections that one could make a case were more suited to a small household than a business, occasionally these responses would time-out/retry or just take absurdly long to complete.
For reasons that largely boil down to historic cries of "just push it out, we promised it two weeks ago" from the PHB, the calls themselves locked up the UI thread which as anyone with an ounce of foresight can see was going to make the application appear unresponsive.
I couldn't magic up better performance given the data required and network conditions, but it's amazing how the complaint disappeared as soon as I included an animated gif progress bar and demonstrated how much faster the new version was.
Printer test page, missed a trick there
Directive to all service staff - Beer O'clock Super Special Tuesday
From this Tuesday afternoon, we will be commencing our new Super Tuesday initiative. We value our regular patrons, so whenever an order is placed for a craft beer, the first one is on the house.
> Who uses a pencil to cast their vote? Use a pen!!!! You can't rub out a pen.
If you are planning to subvert an election by changing the votes, do you:
(A) Open up the ballot box, pull out an eraser, carefully rub off all the marks, then renumber them according to your evil plans; or
(B) Print out new ballot forms and then number them according to your evil plans;
(In both cases you need to figure out how to stuff those faked ballots into the box).
As someone who strongly advocated against the government's mathematically illiterate magic fairy unbreakable but yet somehow still possible to assist in breaking when receiving a magical signed order, can I express relief that at least on this proposal they managed to see what a stupid idea it is.
Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS
Re: It's time to start over
I saw a lecture by "Uncle Bob" once, and he made an interesting observation about the rate of growth of programmers. Broadly speaking, since about the '60s, the number of programmers has doubled every 5 years. Or another way to word that is that half the monkeys bashing keyboards today have had less than 5 years experience in the profession. I personally think that this explains quite a lot.
Re: Er, so this TypeScript is not a language
> Er, so this TypeScript is not a language just a C-stylee preprocessor ?
Only in the sense that c# is an MSIL preprocessor, or that c is an assembler preprocessor.
The example of the + meaning between string concatenation and addition depending on data is right but on its own really doesn't explain the problem in a significant enough way to get why you'd bother. It becomes a lot more helpful when you can't accidentally pass a complex model in error and allows intellisence to better guess what you're trying to pass. It's the benefits that any typed language provides.
as a left ditchian
Just a heads up that if our government actually troubles itself to sit for more than a week in the next 6 months, they are trying to pass laws that will force Australian vendors to break encryption in their products if they are directed to by the government of the day through their law enforcement arms. Pretty much the same thing everyone is hung up about Huawei on. So be careful when sourcing Aussie kit.
Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
Re: Build time internet dependencies are garbage
> even though they need an external trim function written by someone else
Whilst I take your broader point, trim is exactly the sort of function that makes sense as a framework provided function. If you think it's trivial, then I'd chance that you really haven't understood its problem domain and what it counts as a character and what doesn't (and expectations in right to left languages) once you step outside the safe world of ANSI. And to implement it efficiently requires a good understanding of how your framework and runtime implement strings.
> The only obvious process error is that the original developer handed the package to the malware developer
Nope. I mean it isn't impossible but my money is on the new broom adding a dependency without considering the integrity of the flatmap-stream package.
Also, I wouldn't be so quick to assume that the new maintainer had a clue that this malware had been introduced. It is of course possible that s/he was in cahoots with the other account, but with the way that NPM works, half the web can break because some random Dev throws their toys out of the cot. Leaving asides the question as to whether his actions were justified, it showed that thousands (and that isa generously small number) of projects find themselves with unrealised dependencies.
This is both the greatest strength and Achilles heel of npm.
20 years from now .....
* Hey guys, remember when cameras only had a dozen sensors? A dozen sensors!? Luxury! We used to dream of a dozen sensors ... (Four Yorkshire Men memes will still be funny)
* These 4 MegaSensor claims are really misleading. If it was really 4MS, it would have 4,194,304 sensors, not 4,000,000. We're being ripped off here by nearly 200,000 sensors.
And apparently the most popular language is markdown, with all those readme.md source code files all over GitHub.
Re: Who writes the damn matching algorithms???
Shirley it would be
Select distinct c.*
From Company victim
Inner join Company oldvictim
On victim.CategoryId=oldvictim.Category and victim.Id<>oldvictim.Id
Inner join CandidateHistory ch
Inner join Candidate c
And (c.LastPlacementDate>DateAdd(Month, -6, GETDATE()) or c.LastPlacementDate is null)
If at first or second you don't succeed, you may be Microsoft: Hold off installing re-released Windows Oct Update
> That stunning Redmond Q&A at work again, we guess.
I am old enough to remember before the abbreviation of Quality Assurance had an ampersand in it.
I thought it was simples enough
"Obviously life outside its mob just doesn't compare"
Re: Killing a database?
> Consider: 80 characters per card (72 for data in my example). 2000 cards per box. Maybe ten boxes on my handtruck. That's 1,440,000 bytes of data.
Wow. That'd almost hold the minified js files that a typical modern web app needs to launch.
Samsung 'reveals' what looks like a tablet that folds into a phone, but otherwise we're quite literally left in the dark
You're folding it wrong!?
/I'll grab my coat
Mummy Cheese do do do-do-do
Mummy Cheese do do do-do-do
Mummy Cheese do do do-do-do
Re: My boss was demonstrating the instrusion sensors on our building
Re: percussive maintenance
A large number of years ago, our former office space was turned into an unworkable wall of noise due to an alarm in the neighbouring suite. It was triggered by who knows what, blasted for 15 minutes, then turned off .... for maybe 5 before repeating the process.
After the fourth or fifth cycle of this, and with no tenant in sight for the adjacent suite, a former colleague pushed his chair away from the desk with resolve, stood up, grabbed a screwdriver of the workbench and disappeared into the service corridor. He must have found the tenant because the alarm went quiet a minute or two later. And the tenant must have got that issue fixed because I don't recall it happening again after that. I can imagine no other method by which the peace we experienced after that time could have occurred.
Re: Francis Bacon
Wow, well you just brought an ICBM to a knife fight. I mean all of these other suggestions have merit, but you cannot compare them with Bacon. Bacon is the best thing since sliced bread with bacon on it.
Re: Shifting old keyboards?
I'm pretty sure that even old keyboards have specific buttons when you want to shift them.
Re: Identifying the original owners...
No. I'm Password123
How did this e-rag manage to get an invite to an Apple launch?
Re: why all the fuss over a headphone socket?
My Bluetooth headphones still work when the battery is flat if you plug the 3.5mm cable in. It's nice to have the option, and no manufacturer has really been able to put forward a good case as to why it needs to go.
> In a rare public speech, ASD boss Mike Burgess said “a potential threat anywhere in the network is a threat to the whole network”. It's “paramount” that Australia gets critical infrastructure security right, he said.
Entirely agree. We should make sure that anywhere that we source key infrastructure hasn't legislated that their companies build in backdoors into the security layers of their products.
Re: "Quality" is a structural attribute, not a bolt-on
I'm going to disagree with you on that. There is nothing fundamentally wrong with agile development. It does not permit untested work. TDD (which if you're doing agile correctly is kinda mandatory) means that you should have your tests written before you start
copy pasting from stackoverflowwriting code. If you are doing things properly, you are getting input from QA before you design the tests in the first place. It was never about removing QA from the process. Everything about it is to remove the distance between the subject matter expert and the code monkey so that misunderstandings can be discovered and rectified much sooner.
Of course, you are probably thinking about that other definition of agile favoured by PHBs the world over, where any form of analysis is disregarded because agile, any form of planning ahead can be forgotten because agile, and any form of QA can be ignored because we once showed the devs how to install nunit. That is of course bollocks.
Quality is derived from culture. You need a culture that is ashamed of breaking things, ashamed when their test case design fails to detect a breaking change, is proud about coverage (real, not by fooling the tools), hates when something slips through to QA and really hates when a customer suffers a bug.
Companies that only value story point velocity, that don't invest in reducing technical debt inevitably find themselves producing code which is a quick hack around some work around ona half designed proof of concept which resists even basic enhancements, which then hurts the velocity, so no time for paying back that technical debt and the QA cycle needs to be cut to make deadline. Sigh, I guess some people cannot learn.
Re: I stopped right here...
And to be fair, as an enterprise customer, I can think of several places where the breakdancing poo emoji may come in handy.
SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...
There's always Oracle
if you would rather align yourself with the antichrist.
Re: Sweet memories...
> For example, the idea that a washing machine might, on 01/01/00, think it was 1900, and, that as it hadn't been invented yet, it ought to shake itself to bits and then spontaneously combust.
... And I would have gotten away with it if not for you pesky kids.
Re: "by sandblasting all the paint off, and then re-painting ;)"
> ... if you have a corpse in the trunk, after the sandblasting and repainting, you will still have a corpse in the trunk...
Asking for a friend?
AI's next battlefield is literally the battlefield: In 20 years, bots will fight our wars – Army boffin
> in 20 years there could be largely autonomous drones. But replacing the grunts on the ground with machines will require some currently unimagined breakthrough in energy storage (or micro-generation)
20 years and breakthrough energy generation required, hey. Hmmmm. I guess it's lucky that fusion power is only 20 years away*.
*As it has been for the past 50 years or so.
> So perhaps Debian should teach them how to implement Debian Stable
I think they've started by studying systemd.
Re: 1200 baud down, 75 baud up
> Oh you had it good didn't you!
> 300 baud we were stuck with in the 80's. And they only gave us 0's. We had to make 1's by hammering a few 0's flat!
Well lah-de-dar. Look at me and my hammer owning workplace.
Re: LHC = 27Km circle
> It's just for reference. It's like saying Jupiter is a gas giant: it can fit 1,300 Earths.
How many Olympic Sized swimming pools is that?
What could be more embarrassing for a Russian spy: Their info splashed online – or that they drive a Lada?
> I imagine people who pull this kind of stunt when the Kremliin doesn't want them to, are running considerable risks that have nothing to do with the courts.
Quite. Especially when the folks that you've outed have just been caught
attempting to kill a former spy with a chemical weapon visiting cathedrals with historically interesting spires.
I respectfully submit that any attempt to use such a "feature" in Australia will find things a tad awkward under the Australian Consumer Guarantees.
Let me quote from page 1.
"Products must also:
* come with full title and ownership
* not carry any hidden debts or extra charges
* come with undisturbed possession, so no one has a right to take the goods away or prevent you from using them"
Also, you don't need to deal with Apple to make a claim under this guarantee. It is your choice as to whether you talk to the retailer or the manufacturer or the importer.
Re: Not GRU
Yes. The church is famous for its large octagonal tower with a baroque style dome and lantern, crowned by a cross.
Wait. Did AC just admit to hacking a previous chemical weapons investigation?
Clearly I have the perfect solution to these shenanigans. We'll simply demand their phone passwords and fine them 60K if they don't tell us.
"Retarded" down voter here. What you presented was a false dichotomy. Not believing in government fairy-math doesn't make me support the farcebooks and slurps of the world.
The legislation they are trying to ram through makes noises about companies not being permitted to weaken encryption but simultaneously holds them to have capabilities to decrypt them. This is a mathematical impossibility. Not that one cannot choose elliptic curves that generate random numbers in a predictable way to the designers, or that the encryption key cannot be put in some escrow or thata message could not be intercepted at a point where it isn't yet encrypted. That will work but it will significantly increase other security vulnerabilities.
If the government actually spent more than 8 seconds per submission they received in considering the feedback, they might actually learn something. Yes. Literally 8 seconds.
I'll credit the shadow minister with making the right noise about those risks, but she should remember that it was her side's underpants head that first tried to bring in the mandatory metadata retention laws we are now saddled with. Colour me a tad skeptical that they remember their opposition logic when they are surrounded by the groupthink that pervades their advisers in government. I do wish our media would at least try to elicit a commitment from the opposition to reverse these laws if they win the election in a few months.
But you may want to reflect on why you think that calling someone retarded is an insult.
New Zealand border cops warn travelers that without handing over electronic passwords 'You shall not pass!'
Re: Have fun!
> Seriously, I've never seen so much fuss made about a provision that - by current international standards - is still incredibly mild (by which I mean, you're subject to way more intrusive searches if you fly into, say, the USA or Australia, where they will simply seize your device - indefinitely - if you refuse to unlock it on demand). What the hey do some of you people keep on your phones, anyway?
I guess if you have nothing to say, there is nothing to hide. Listen, if it's not too much trouble, please send us a nightly report of whomever you associated with that day, your exact location by the minute, a copy of any photo you took (remember to tick the box so we get the location with it please).
Re: Unfortunately, there can be some good reasons for this.
Do you honestly believe that nation states are the only ones who MitM? The hardware to MitM an open WiFi access point is in the order of $100-$200, complete with YouTube instructions. Injecting coinhive.js into any HTTP delivered page is beyond simple. Runs on batteries and is small enough to be discretely hidden in your bag, some even in your pocket (depends on the range you want as to how big the antenna is). In terms of complexity, this is "interview question for a junior info sec position" complexity level. As in, not even a theoretical test but rather here is a device, do it,
And coinhive is at the lighter end of a criminal payload.
But even taking your example of browsing some online brochure which you deem to be perfectly adequate over http. When you click the buy it link, I'm sure that you would agree that it should jump to Https. The site may even put the redirect in for you, so that's nice. Unfortunately, as the page was delivered in an insecure fashion, the MitM can intercept that page and replace the form submit target. Awkward.
> It would later surface that Pho had been taking his highly classified work home with him for roughly five years prior to the incident, and had amassed what US prosecutors called "massive troves" of classified information.
But don't worry about those "our spooks need to crack at will but somehow, magically, isn't going to reduce security of encryption laws". There is just no way for those skeleton keys to find their way into an adversary's hands, and even if they did, it's not like they would have them for halfa decade with no-one noticing.