Posts by Adam 1

Re: Communication

> They are as factual as the accuracy of the information provided to the ATO and centerlink

No. You are either ignorant of the issue or trolling. They are not using the information provided to the ATO. The ATO doesn't hold income per fortnight. Centrelink have inferred that fortnightly ATO figure through a patently flawed algorithm.

It is outrageous to falsely accuse a person of fraud, send in the debt collectors (oh hi there credit ratings) and not have sufficient resources to deal with challenges from people who have evidence to show they were indeed entitled to those benefits.

It's not just 'dole bludgers' who should be worried by this crazy math shoot first ask questions later behaviour. Should we apply this logic to pension asset tests or family tax benefit?

A few years ago I lost elegibility to part b after a pay rise in one of those perverse getting a rise leaves you worse off cases that makes living wage an interesting idea. The same 'logic' applied here would have seen me being asked to repay a debt I didn't owe.

If they are moving into speculative invoicing, then here's a thought. Anyone found to have been incorrectly accused should be paid at minimum wage for their reasonable time in producing the evidence and their refunded amount should be returned at government bond interest rates.

Re: Nothing new here

Opel have been caught with something slightly more subtle. It only operates it's emission controls in a very narrow temperature range which luckily coincide with lab conditions. It doesn't operate whilst revving beyond 2400 rpm which again luckily isn't needed in the lab. That it hops out the way when you give it the beans isn't surprising (safety first), but the fact it remains off even when the engine is just ticking over once the need for hard acceleration is done means that in real world city stop start driving you will likely disable the emission controls on pretty much every trip. That doesn't excuse VAG. There is enough criticism to go around.

Re: Why would this happen-

> Far better than giving kids a new tool to go and harrass others with.

Look it has a few minor challenges but at least the device can't be disabled with a few layers of aluminium foil....

Re: Off Topic: Whoopee! El Reg has HTTPS! Almost

It's a cloudflare certificate, so at least the initial hop is encrypted. Doesn't mean traffic between cloudflare and El Reg is encrypted. It might be but you can't tell. Anyway kudos for removing prying eyes from at least the most vulnerable link.

Re: Reloading

African or European? Or does it depend on the weight of your order?

Re: This leaves open all sorts of pranks!

It's already done. Google WiFi pineapple.

No sympathy from me. Clearly using encryption makes you a pedoterrorist.

Now that's off my chest, I can continue with the broadcast of my simulation of a very long running game of heads or tails.

Why so much trouble. They always put extra screws in as evidenced by the leftovers once everything is reassembled.

You mention a consultation period. I need to clarify for context, are we referring to a Brandistanian consultation, or something more Gleesonesq?

> I think most companies are smart enough to realise the negative PR would cost them far more.

So you're suggesting that Oracle will probably try it?

Re: How do you get that through baggage handling?

I don't see a big problem getting it through. It may be a solid rocket booster and oxidiser so there is a small risk, but it's not like they're launching something really risky like a Note 7.

Re: deja vu

Well no doubt German has a word for such types of work being performed by a Danube steamboat captain.

You are right in pointing out that the brokenness of md5 isn't the key issue here. I mean, broken when talking about cryptographic hashes is a technical term which basically means that there is a more efficient algorithm to discovering the input than to brute force it.

It's big flaw here is that we have much better hardware now and can do most of the computations on GPUs at rates best measured in "billions per second". That makes brute force attacks for passwords under 7 characters practical and dictionary attacks highly likely to spill the beans in a substantial percentage of records.

Collisions just get you another password that the system would accept. In other contexts they are more worrying. The following link gives 2 example executables that do different things but have the same md5 hash.

http://www.mscs.dal.ca/~selinger/md5collision/

But at the end of the day, it's much less effort to try hundreds of billions of combinations of words, common letter substitutions, common prefix and suffixes and passwords found inside plaintext password dumps. The attackers here won't be worried if they can't unlock all accounts. Even if it's "only" tens of thousands, they can still use it as a steppingstone to attacking other services a user might have, doing a ransomware on flickr photos or whatever or resetting passwords for other non yahoo services they find emails for.

Trick question

There's no such thing as an untested backup.

Re: Whaaa...?

> wouldn't it be simpler to make it a "Internet not delivered by NBN tax" tax.

Simpler maybe but politically unpalatable. It makes it impossible to not look like your trying to ruin a business model. To be honest, I'd rather they funded it from general revenue. It is useful infrastructure with a long shelf life* and will add to GDP and hence future revenues, plus borrowing is still at an excellent rate.

*FTTP, not the crappy FTTN half arsed obsolete before it's finished crap.

> would assume this pretty much impacts every mobile phone (cell phone for our American readers) bill too.

No. It won't impact mobile. From the linked proposal:

"... which will require all eligible fixed-line superfast broadband networks to make a proportionate contribution to the long-term cost of these services"

4G isn't fixed line.

Re: Nice

I can't comment on Iceland specifically, but generally speaking minor parties would be weighing up the short term influence they would hold in a coalition against the base who get angry when their hobby horse issues are horse traded. Many minor parties who find themselves in a coalition or even guaranteeing support in a hung parliament find their own base abandons them at the next election. Add to that that many minor parties don't have an obvious viewpoint on issues not in their field of concern means they can find their candidates splitting on those issues (particularly in a hung parliament where every vote counts). The leader might agree to some trade deal only for someone else in the party to vote against it.

Re: I wonder how anyone can be that stupid

As opposed to pokies?

Re: Maybe they should...

> I'm unconditional about it.

Er, uncomfortable. Bloody autocarrot.

Re: Misread as $10

You are right. It was a terrible misunderstanding. The cheque was actually for $10!!!

Re: This will be fertile ground for attackers to check

Not sure how that would work. Definitely worth a look, but as I understand it this is just a "try these areas first" collection of data points. That is to say, it can't interfere with the positioning values themselves (via http MitM).

My old tom tom would take several minutes to find itself; you basically have to drop to that sort of brute force scan.

It is possible to believe that a malformed file could be misprocessed causing a buffer overflow or equivalent. Seriously though, if you want an easy way to pwn most android handsets, write a simple app with two threads, activate copy on write, load an executable owned by root and .... you know what, I'm not doing your homework, this isn't stack overflow here...

Re: Who cares?

I know it's only Tuesday, but @gazthejourno for FotW.

Tbh, it's not the premature shutdown on a galaxy note that would worry me about their batteries.

Going for a walk alone in the wrong part of town is going to result in a mugging or worse. Leaving your iPad on the back seat of your car in some poorly lit car park is going to result in a smashed window and no more iPad.

None of this excuses or reinforces the behaviour of the perpetrators. It's simply a recognition that there are injustices in this world. We can chew gum and walk here.

Re: accidental fix

Well that pretty much describes windows update. Here's a font vulnerability fix that breaks outlook.

Seriously though, it is the responsibility of the original developer to create sufficient test case coverage that my fix gets rejected by the build server. Apart from the most egregious introduced bugs, if someone breaks functionality that I wrote, I ask myself:

* Did I adequately name the variable/parameter/method/field/const/enum/class/whatever?

* Did I include a comment where what is being done is obvious but why it's done less so?

* Did it structure my code with single responsibility principles?

If the answer to those is no then I tend to blame myself.

Re: Why is this even a discussion?

> But the publisher can tell if ads are being loaded or not

To do this they need to wait for the ad content to download and render before delivering the content. With video or animations that is impossible. Even for simple images or text you would be adding substantial lag to your page display time for the 80%ish users who aren't using them.

Current detection approaches involve making using JavaScript to fetch a beacon from the ad network and then detect whether that download is blocked. The simple counter measure allows such beacons to download but it does prevent simple hosts file blocking of the whole network.

There are other possible measures. Many moons ago I had to deliver a "way too complex for html of the day" report over the web which ended up being a dynamic png rendered on the server side. These days you could do it with html5 and angular. It was an absolute usability nightmare. You could get dynamic screen sizes to be taken into account and image map out hyperlinks but it was non trivial. It also made it inaccessible to screen readers.

I'd like to think that websites would not screw up everyone's experience to spite the relatively small proportion of users who bypass their ads. Then again, we are already stuck with animations that interfere with content, fake download buttons, etc all apparently in the name of supporting websites so yeah.

Re: Well...

> This IP had a TCP connection to that IP and this amount of data went in one way and another amount in the other direction.

You have possibly just made the first really good argument to switch all comms to IP6...

Re: $3500 for having found a risk of that magnitude ?

A blackhat could have mined bitcoin with every new instance of red hat on Azure, pushing a custom version of ps that hides the process and a custom version of ls that masks the version details of ps. Setting up a 24 hour "do nothing" on first start would make this really hard to detect as would throttling the computations to say 25% of the CPU in a low priority process.

3500 is a joke given that risk.

Re: You don't mention...

I'm just glad that all the products and services that I use have proper cryptographic protection on their auth tokens and so can't possibly be vulnerable to such MitM attacks.

I LOVE BOOGERS!

> and you get redirected to the page where you can purchase more

Which absolutely shouldn't be possible if security is done right. You can't serve a 302 when MitM a HTTPS connection unless you can convince my browser to trust the certificate you sign the page with. And with HSTS you can't even get my browser to talk HTTP even if you type it into the address bar if the server is known to support HTTPS. (Try to visit Google over HTTP)

And if you use a VPN, your ISP has exactly zero ability even for this sort of farting around. Send an SMS or email. Hardly rocket science.

Re: switch off your Wi-Fi...

That is brilliant AC. Thanks

Re: Is it me?

Yes it's you. The problem with the suggested backdoored encryption is one of mathematics. The person between Bob and Alice is an adversary. There is no value judgement on the adversary. Perhaps Bob and Alice are evil and the adversary is benevolent. The crux is that you can't make it easy for the good adversary without making it easy for the bad one. The best you could hope for is some sort of golden key, so then we turn to how we keep that protected. Given the US was unable to prevent early nuclear research finding its way into Soviet hands, what makes you remotely imagine that such a sweet honeypot would not be leaked. Those 20 million OPM records could easily be used to blackmail for access.

But let's just leave all those challenges aside for the moment and pretend there can exist a solution if we "try harder". Why would any terrorist use encryption that they know to be broken when they have the mathematically secure algorithms already in existence. You are throwing out the baby with the bathwater except not even managing to throw out the bathwater you wanted to dispose of.