Posts by Adam 1

2545 publicly visible posts • joined 7 May 2012

Google bellows bug news after Microsoft sails past fix deadline

Adam 1

can't really say too much yet

If Microsoft haven't responded at all then public release of code is an appropriate response. But if they have responded with a request for more time and Google did a dump and run anyway then the only point they prove is that they can be arse hats.

HPE blames solid state drive failure for outages at Australian Tax Office

Adam 1

not Samsung!

Samsung failures would have been notable by the presence of 100 fire engines at the data centre.

Adam 1

Re: "We'll know more in March, when the PwC report into the incident emerges"

I've seen an early copy of the PWC report. Turns out the real cause of the issues is the wind farms in South Australia.

nbn™ to cut the charges ISPs pay for traffic

Adam 1

4) didn't achieve 1, never had a chance on 2, and failed quite spectacularly on 3.

Trumbull Broadband Network for you...

Dead cockroaches make excellent magnets – now what are we supposed to do with this info?

Adam 1

Re: This kind of thing always starts down the pub.

I just hope that there is a dissertation published as part of someone's post doctorate. I just want to know that somewhere out there some university big wig in a ridiculous robe has to read out the abstract.

"A comparative study into the rate of decay of multi kilogauss strength magnetic fields at low temperatures between alive and deceased cockroaches."

To be honest, the robes are weirder.

The Register's guide to protecting your data when visiting the US

Adam 1

Re: An overpriced hot dog truck on every corner

> (#) * Back of package disclaimer reads: "All-American Style Mustard. Made in China. Allergy Advice: Manufactured in a factory that may also produce melamine."

I call "fake news" on that. The real disclaimer would have included the phrase "Caution: Contents may be hot"

Australia finally passes mandatory data breach reporting legislation

Adam 1

Re: Weasel words

They should have used the phrase "mandatory consultation". Even the most Tasmanian of senators could abide by the official definition of consult.

Standards Australia might send Tesla's PowerWalls outside

Adam 1

> Classifying batteries based on hazards, and not chemistry type.

Well knock me over with a feather. A sensible way to write regulations so they don't become obsolete 3 months after taking effect.

What is the risk of an unplanned energy discharge event? How easily is such a fire contained and put out? How toxic is the smoke (compared to other furnishings; none is going to be great for your health)? If the unit gets physically damaged, what is the risk to health and property of anything that might leak out, and how can a damaged unit be safely discharged? Once you know those answers, then you can specify the appropriate installation environment.

Oz consumer watchdog: 'up to' speeds shouldn't be in broadband ads

Adam 1

it's actually quite simple

For cars we have urban and extra urban fuel economy figures listed separately. Let the ISPs list a peak and non peak figure and make them refund any day's charges where the peak speed is not met during peak times or non peak speeds in non peak times. They can quote their big headline speed number for off peak and users can get a realistic expectation of likely performance of the connections they are considering.

Even back in dial up days we used to be able to ask how many subscribers per phone line they had and what the session limit was so you would know which ISPs you could get through to and which would just be engaged the whole time.

UK prof claims to have first practical blueprint of a quantum computer

Adam 1

Re: FFS

Try here.

Who's behind the Kodi TV streaming stick crackdown?

Adam 1

Re: Said it before, will say it again

> Spotify has proven the model works even if not perfect.....

I think the Pluralsight model could work well if the rights holders had more than 2 years foresight. Basically your monthly fee gets divided into two buckets. The first (small) bucket keeps the lights on for the service. The second (relatively large) bucket gets distributed to the content producers in proportion to the amount of time you spend consuming each. So if you spend your whole month watching some David Attenborough miniseries and then flick on Frozen for the kids, most of that second bucket would get paid to BBC and the rest to Disney.

Sell plans by the hour if you like, it's fair, easy to track, transparent and solves the content monopoly problems where a consumer literally can't afford to purchase all the services they like because of exclusive arrangements.

Mag publisher Future stored your FileSilo passwords in plaintext. Then hackers hit

Adam 1

> El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. In accordance with FileSilo's security policy, we sent the request in plaintext.

>

> We have not heard back. ®

Let's not be too cocky. Until rather recently, certain other sites used to force credentials and session cookies to be submitted in clear text. Glad to see they saw the error of their ways though...

Data breach notification law finally makes it to Australia's Parliament

Adam 1

The difficulty I see is that even a minor breach can have associated consequences.

Consider for example a sporting club with an online portal for court bookings or classes etc. There is nothing confidential in there, it's all printed out on the noticeboard anyhow. But their server remained unpatched for years as they can't afford an IT BOFH and now their mysql backup files are popped.

OK, so nothing confidential had been exposed, and the passwords are all at least hashed, even though it is unsalted md5 (which we knew not to use even 10 years ago *cough* Yahoo! *cough*) but by my reading this would definitely be a minor breach.

The problem?

* Any common md5 password can literally be cracked by googling the hash. Or hashcat will find it very quickly if less than 8 characters.

* Most people use the same password for multiple services.

So now someone has their email account popped and from there password resets on other services.
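As an added illustration of the two bullet points in the comment above (this script is not part of the original post), the following Python shows why an unsalted md5 leak is a lookup problem rather than a cracking problem, and what a per-user salt plus a slow KDF changes. The small wordlist and the "leaked" row are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: a handful of common passwords, standing in for the
# wordlists that back public hash-lookup sites and quick hashcat runs.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]


def build_lookup_table(words):
    """Precompute unsalted md5 -> plaintext. This is all 'googling the hash' is."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def crack_unsalted_md5(hex_digest, table):
    """Recovery is a single dict lookup; no computation happens at crack time."""
    return table.get(hex_digest.lower())


def hash_salted_md5(password, salt):
    """Still md5, but with a random per-user salt prepended (illustration only)."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_pbkdf2(password, salt, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) of the kind
    the club's portal should have stored instead of bare md5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_pbkdf2(password, salt, stored_hex, iterations=200_000):
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(hash_pbkdf2(password, salt, iterations), stored_hex)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leaked" row from an unsalted users table: md5("password").
    leaked = "5f4dcc3b5aa765d61d8327deb882cf99"
    found = crack_unsalted_md5(leaked, table)

    # Two users with the same password but different random salts get different
    # hashes, so a precomputed table matches nothing; each salt needs its own run.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    h_a = hash_salted_md5("password", salt_a)
    h_b = hash_salted_md5("password", salt_b)
    salted_found = crack_unsalted_md5(h_a, table)
    return found, salted_found, h_a != h_b


if __name__ == "__main__":
    plain, salted, differs = demo()
    print(f"unsalted md5 lookup -> {plain!r}; salted lookup -> {salted!r}; "
          f"same password, different hashes: {differs}")
```

Salting defeats the lookup table; the slow KDF is what stops the "hashcat will find it very quickly" part, since each guess now costs hundreds of thousands of hash operations per user.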

Juno how to adjust a broken Jupiter probe's orbit?

Adam 1

> Juno how to adjust a broken Jupiter probe's orbit?

Maybe put it near Uranus?

Slammer worm slithers back online to attack ancient SQL servers

Adam 1

Re: Bugs? Fixed? Really?

What next? My prediction is an embedded font based vector.

/Pun not intended but I'm easily amused so I had a chuckle.

Adam 1

No credit card information is believed to have been exposed.

Microsoft's DRM can expose Windows-on-Tor users' IP address

Adam 1

> “If you want to build your own Microsoft DRM signing solution the price-tag is around US$10,000,”

If it's only large content distributors that can unmask Tor then that is pretty good. I can't imagine any reason why *they* would want to unmask sessions.....

Particle accelerator hacked: Boffins' hashed passwords beamed up

Adam 1

Re: Is this a Distributed Denial of Science attack?

The good thing about these types of passwords is that if the attackers try to observe them, the passwords will collapse.

Google's Chrome is about to get rather in-your-face about HTTPS

Adam 1

Re: @Adam1

I don't think what I'm proposing would be required to break your suggestion is at all beyond the skillsets of anyone who reads a tech news site.

1. Buy the applicable hardware.

(Eg https://wifipineapple.com/ )

2. Create a self signed certificate for website.org

(Eg https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx )

3. Look for a location likely to have free wi-fi but who fail to use HTTPS

(Eg https://t.co/6Bu4v9f5Qn )

4. Redirect any form submit action to a Uri under your control

(I won't detail that step RTFM)

5. Profit

Alternatively, pick a café/library/train station/hotel and call your fake AP "Free McDonald's WiFi", hijack the first HTTP page they request, put the McDonald's logo on top and say "Sign in with Facebook", put the f logo on it and many people will just connect to it and type in their credentials.

CAs are imperfect. DigiNotar and WoSign stand out, but I couldn't characterise them giving me a fake cert as "easy". Having the right political connections to get them to make a fake cert for you is much less of a threat for most people than what I have described above.

CAs are like democracy. The worst form of government, except for all the other forms we have tried from time to time.

Adam 1

Re: Cult of useless HTTPS

Users are users and will reuse those passwords on other sites. I agree on the caching problem. That is a solvable problem if they hash all the resources used by the page then sign the hash with their private key, but I guess no one is pushing for it.

Adam 1

Re: Double agenda?

It *is* insecure. Whether that matters to you or not is another thing, but a http link allows a MitM to:

1. Read and manipulate any content the site sends to you, removing anything they don't like and adding any they want. This may be as simple as ad substitution or could directly implement an exploit.

2. Read and manipulate any content that you submit to the site.

What is wrong with letting people know?

And your self signing signature idea doesn't have legs because I can create a self signed signature for website.org and then MitM you. A CA needs to validate you control the domain. For example, letsencrypt will request you to host a file in a certain location to prove that the domain is under your control.

Want to bring down that pesky drone? Try the power of sound

Adam 1

It's all about understanding your threat model. What is the bigger threat? A misdose by a fat fingered health professional (or medical researcher) or by some lone wolf with a laser pointer on the roof of an adjacent building? The attack vector is interesting and I'd definitely watch the next Bourne if they used it as part of the plotline. There are plenty of IoT health device security issues with real world risk from default passwords to blindly trusting unencrypted instructions over WiFi or Bluetooth.

Australia to review effectiveness of ISPs' copyright-defending website blocks

Adam 1

Re: not good enough!

Wrong! What is needed is a tarpaulin design that becomes transparent when observed by law enforcement who have a special camera lens but which is opaque to everyone else. I urge the tarpaulin industry to come onboard and help us. We are an innovative country. Why do you keep mentioning physics?

Adam 1

not good enough!

I demand that the government enact legislation to prevent our public road network from being used to transport stolen goods!

What do you mean it can be bypassed by throwing a tarpaulin over the trailer?

Sony takes $1bn writedown: Streaming has killed the DVD star

Adam 1

bad economics

For the price of a 10 year old movie on Blu-ray down under, you can get 3 months Netflix. Heaven help you if you wanted something like a 3D / 2D / DVD combo edition. Maybe I'm just getting old and my eyes are wearing out, but these same 10 year old movies are in the DVD bin for under ten bucks. It's better but not 3x better.

Adam 1

Re: Short Window of Opportunity...

> Lots of ports.

Why would anyone need lots of ports when they can easily spend 100 quid on a flaky adaptor that has had Cupertino holy water sprinkled on it?

Naughty sysadmins use dark magic to fix PCs for clueless users

Adam 1

You didn't use an android VPN I hope.

Adam 1

Re: You want an evil genius IT man.

> Finally he caught his dad adding extra ones to his pile....

That's got me wondering. What does he do with IKEA furniture?

IBM's SoftLayer is having a meltdown – and customers aren't happy

Adam 1

Re: Thank you for calling IBM technical support.

> completely bizarre error messages to be displayed. "SYS0014A722FE-00-97125: Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."

I see what you've done. You've accidentally changed your preferred language to Welsh.

Windows code-signing tweaks sure to irritate software developers

Adam 1

Re: Change in mindset is needed IMO

> So what if someone (say a state) produces a completely bogus chain of trust and then publishes a bunch of updates to the system while posing as the company, spreading the bogus-signed stuff everywhere and then say hacking the original company to say their chain of trust got broken and had to be refreshed?

Here are some random URIs

https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Northumbria Uni fined £400K after boffin's bad math gives students a near-killer caffeine high

Adam 1

Re: bad math

Adding 30g (6 teaspoons) of sugar to juice is like drinking 2 glasses instead of 1. If your diabetes is so bad that this is lethal then I would be steering clear of juice altogether.

I'm deadly serious about megatunnels, vows Elon Musk

Adam 1

makes sense

What else is he to do with the lava tubes surrounding his volcano lairoffice?

Chinese bloke cycles 500km to get home... in the wrong direction

Adam 1

Re: If only all coppers were so nice

> Facing a twelve mile walk by road we reckoned the train line was probably shorter as it ran in a mostly straight line, so we jumped down onto the track and started walking.

I was going to point out how dangerous that is. Inebriated folk do have a tendency to grab a quick kip and walking along a track isn't the best location to be when that happens. But not only is it dangerous, I can't think of anything more stupid and ill prepared. Tell me, just where did you expect to find a kebab shop on that route?

Boffins explain why it takes your Wi-Fi so long to connect

Adam 1

Re: hold your phone upside down

¡ǝɹoɟǝq uɐɥʇ ɹǝʍoןs uǝʌǝ ʇɔǝuuoɔ ʇsnɾ sƃuıɥʇ 'ƃuıɥʇʎuɐ ɟı puɐ ɹǝpun uʍop ʇı pǝıɹʇ ʇsnɾ I ˙ɹǝɥʇoq ʇ,uoᗡ

Furby Rickroll demo: What fresh hell is this?

Adam 1

> Furby Connect World app doesn't bother with niceties like HTTPS for its startup connection

Wow. Even tech news comment sites do that these days!

Adam 1

You could make me pay for that.

Biz claims it's reverse-engineered encrypted drone commands

Adam 1

There's plenty of things it could be. Perhaps it's vulnerable to a replay attack where for example a specific command can simply be recorded and repeated to get the drone to do the same thing again.

Or perhaps they are using the MAC address as part of the key generation algorithm.

Or perhaps they can MitM attack the pairing operation between the device and remote.

Or perhaps some development numpty hard coded the root password in the firmware.

Or perhaps they can drown out the packets coming back from the device and trick the remote into falling back to some ancient broken encryption.

Or perhaps it suffers heartbleeding beast poodle....

Learn to code site Code.org loses student work due to index bug

Adam 1

Don't understand the relevance of that sorry. The bug here is simply the wrong choice of data type meant all available values were exhausted. (Hint, for 64 bit fields that won't happen until after the heat death of the sun).

The xkcd comic refers to the common mistake (let me guess, it is still an OWASP top error) of not using parametrised queries, which allows a user to provide not just data, but additionally instructions.

Adam 1

It's not just hours either. I'm not even going to get the 30 seconds back that it took me to write this comment.

Adam 1

Re: Hmm...

Isn't the standard to claim "No credit card information was accessed"?

Boffins ready to demo 1.44 petabit-per-second fibre cables

Adam 1

Re: Impressive but ...

MV CSCL Globe can carry 19100 containers. So as long as it was moving about 2km/h (that's like a 2yo walking pace), it could still have higher bandwidth.

Square Kilometre Array precursor shrinks 5TB of data to 22MB – every second!

Adam 1

Re: Firehose of data ...

I'm sure HPE are on top of it.

Meet 'Moz://a', AKA Mozilla after it picked a new logo

Adam 1

Re: The next Big Thing

> CHRØME

Pretty sure that's a bookshelf in IKEA.

Li-ion tamers: Boffins build battery with built-in fire extinguisher

Adam 1

Re: Cars

> Wouldn't want to be around when a petrol tank went up either

I agree. The fire would be very hot. (Or were you like most people expecting some form of explosion?)

Stanford boffins find 'correlation between caffeine consumption and longevity'

Adam 1

Re: And what about your heart?

What does in large amounts mean? And over what timeframe?

Tbh, having large amounts of coffee, it's going to be the cholesterol (from milk) and the sugars that get you rather than the caffeine.

Adam 1

With having to type in that handle at sign in, I'm surprised that you ever have enough time to bother with a comment.

Google reveals its servers all contain custom security silicon

Adam 1

> These requirements limit the ability of an insider or adversary to make malicious modifications to source code and also provide a forensic trail from a service back to its source.

So they trust the compiler then?

McDonald's forget hash, browns off security experts

Adam 1

> McDonald's main website that could be fodder for phishing attacks

But those URLs are coming from the wrong McAddress.

/Sorry. I'll grab my McCoat now.

Mr Angry pays taxman with five wheelbarrows worth of loose change

Adam 1

Re: one wheelbarrow shall be known as 1Whb

Sorry Phil, a common mistake, like people confusing light-years with speed rather than distance.

Whbs aren't a measure of wealth but rather a measure of frustration or angst.

Usages:

* He was so rude to me, I hope the next guy pays with 2 Whbs!

* These #£&+ mosquitos are everywhere. Every time I get one another starts buzzing. It's like 7 Whbs.

* Is it so hard to put your phone on silent at the theatre? May the parking ticket machine return her 400 mWhbs in change.