> “The protocol also determines which device is going to be the master clock – there's a mechanism for devices to evaluate which is the 'best' clock,
I'm Spartaclock!
No I'm Spartaclock!
No I'm Spartaclock!
> They are as factual as the accuracy of the information provided to the ATO and centerlink
No. You are either ignorant of the issue or trolling. They are not using the information provided to the ATO. The ATO doesn't hold income per fortnight. Centrelink have inferred that fortnightly ATO figure through a patently flawed algorithm.
It is outrageous to falsely accuse a person of fraud, send in the debt collectors (oh hi there credit ratings) and not have sufficient resources to deal with challenges from people who have evidence to show they were indeed entitled to those benefits.
It's not just 'dole bludgers' who should be worried by this crazy math shoot first ask questions later behaviour. Should we apply this logic to pension asset tests or family tax benefit?
A few years ago I lost eligibility to part B after a pay rise in one of those perverse getting-a-rise-leaves-you-worse-off cases that makes living wage an interesting idea. The same 'logic' applied here would have seen me being asked to repay a debt I didn't owe.
If they are moving into speculative invoicing, then here's a thought. Anyone found to have been incorrectly accused should be paid at minimum wage for their reasonable time in producing the evidence and their refunded amount should be returned at government bond interest rates.
Opel have been caught with something slightly more subtle. It only operates its emission controls in a very narrow temperature range which luckily coincides with lab conditions. It doesn't operate whilst revving beyond 2400 rpm which again luckily isn't needed in the lab. That it hops out the way when you give it the beans isn't surprising (safety first), but the fact it remains off even when the engine is just ticking over once the need for hard acceleration is done means that in real world city stop-start driving you will likely disable the emission controls on pretty much every trip. That doesn't excuse VAG. There is enough criticism to go around.
It's a cloudflare certificate, so at least the initial hop is encrypted. Doesn't mean traffic between cloudflare and El Reg is encrypted. It might be but you can't tell. Anyway kudos for removing prying eyes from at least the most vulnerable link.
> Were you involved with the Australian Census?
No you have me confused with someone else. I've been working on an innovative welfare compliance system where we crosshatch tax records, divide a magic number by 26 and assume every fortnight is paid equally then send out the debt collectors.
> "Unlimited" doesn't mean "infinite",
Absolutely correct.
> it just means there are no pre-set limits.
No, you should have stopped at infinite.
It means that they don't have a limit that you can violate. If you wanted to put a number on it, an ADSL2 line can in theory download 25Mbps. There are 2678400 seconds in a month. There are 8 bits in a byte, so
2678400 * 25 / 8 = 8370 GB per month.
Don't call something with limits unlimited. At its kindest, that is a bait and switch scheme.
> The take-out-the-trash timing of the review, announced in the afternoon of Friday December 23, meant Vulture South missed it at the time.
Not quite. I emailed Simon with the ag.gov.au link on 23 Dec and he replied with a link to this saying we're on it.
Glad it's being picked up in its own right though. It seems to my reading to be just waiting to be abused. It doesn't take too much imagination for some jilted partner who knows the WiFi password to ensure some less tasteful/borderline illegal websites make an appearance in the ISP logs and then use that in some custody hearings to argue why the other should not be allowed near kids. It is also not beyond imagination that a business partner wanting to escape some contract responsibility could generate the appearance of SMTP traffic to a recipient which would strongly indicate that confidentiality clauses had been breached.
My 2c. The retention policy is an expensive way of generating large haystacks and it should be scrapped. My visits to El Reg or any other site are not in my ISP logs. Only connections to my VPNs' endpoints, and they don't log. Legislators should try harder to understand the systems they are trying to regulate and stop with the do-something brigade logic. Otherwise we end up with π == 3 laws.
> You're overlooking the obvious flaw: the descent would need to be controlled and hence would require power
At 45000 feet this object will contain a lot of potential energy and very little kinetic energy. As it drops, most of that potential energy gets converted into kinetic. Even commercial jets use a ram air turbine for emergency instrumentation power in the event of fuel exhaustion or other engine failures. Flight calculations are relatively modest unless you start trying to get into weather modeling or something. We are talking iPhone battery levels of power.
Actually, come to think of it, maybe if they use a Note 7 battery, they would then have a good rocket to launch the drone back to the mothership.
It's even easier though* given quantum computing. Bob can tell if the qubit from Alice has been observed by the waveform collapsing. Makes a very nice key exchange channel.
* It's getting the quantum qubits to survive without near absolute zero and for more than a handful of milliseconds that's the hard bit.
You are right in pointing out that the brokenness of md5 isn't the key issue here. I mean, broken when talking about cryptographic hashes is a technical term which basically means that there is a more efficient algorithm to discover the input than to brute force it.
Its big flaw here is that we have much better hardware now and can do most of the computations on GPUs at rates best measured in "billions per second". That makes brute force attacks for passwords under 7 characters practical and dictionary attacks highly likely to spill the beans in a substantial percentage of records.
Collisions just get you another password that the system would accept. In other contexts they are more worrying. The following link gives 2 example executables that do different things but have the same md5 hash.
http://www.mscs.dal.ca/~selinger/md5collision/
But at the end of the day, it's much less effort to try hundreds of billions of combinations of words, common letter substitutions, common prefix and suffixes and passwords found inside plaintext password dumps. The attackers here won't be worried if they can't unlock all accounts. Even if it's "only" tens of thousands, they can still use it as a steppingstone to attacking other services a user might have, doing a ransomware on flickr photos or whatever or resetting passwords for other non yahoo services they find emails for.
The big benefit with salting is that you can't leverage knowledge about one user's password to determine someone else's. Md5 was considered a bad choice 10 years ago. Why Yahoo were still using it is a big mystery. It is literally broken to the point where you can google the hash to reverse it.
If you aren't using salt, you find someone with the password hint "password is Bernie2016" and now you know what all those F1697D2047065D93EECFEC16D670CD61 hashes mean. At least with salt you have to brute force each user independently.
And now you have that detail, you can use enumeration attacks on other sites to see what other accounts are valid and then try your luck with the same password.
Lesson 1
Use a different password on each website, so your yahoo breach doesn't give away your other more important passwords.
Lesson 2
Use long passwords. 4 random English words (like random, not quotes, verses or xkcd comics). This will guarantee that it is easy to memorise and type yet is too much entropy to exist in a rainbow table.
Use a password manager if you find that easier.
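Added example (not from the original post) illustrating the salting point made above: with bare MD5, one known password identifies every record carrying the same digest, whereas with a per-user random salt equal passwords give different digests and each record has to be checked on its own. The user list is constructed, and PBKDF2-HMAC-SHA256 is an assumed stand-in for a modern slow hash.

```python
import hashlib
import hmac
import os

# Constructed sample "dump": four users, three of whom chose the same password.
USERS = {
    "alice": "Bernie2016",
    "bob": "correct horse battery staple",
    "carol": "Bernie2016",
    "dave": "Bernie2016",
}


def unsalted_md5(password: str) -> str:
    """The legacy scheme the post describes: one bare MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest().upper()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a deliberately slow KDF (assumed: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_unsalted_table(users: dict) -> dict:
    """user -> bare MD5 digest, as in the unsalted store."""
    return {user: unsalted_md5(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    """user -> (salt, digest); a fresh random salt is drawn per record."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def other_accounts_with_same_unsalted_hash(table: dict, known_user: str) -> set:
    """Unsalted: one known password (e.g. from a hint) answers for every
    record with the same digest, without any further hashing."""
    digest = table[known_user]
    return {u for u, h in table.items() if h == digest and u != known_user}


def other_accounts_with_same_salted_hash(table: dict, known_user: str) -> set:
    """Salted: equal passwords no longer give equal digests, so this is empty."""
    _, digest = table[known_user]
    return {u for u, (_, h) in table.items() if h == digest and u != known_user}


def verify_salted(table: dict, user: str, guess: str) -> bool:
    """Checking a guess needs that record's own salt and a fresh KDF run,
    which is exactly the per-user cost the post says salting imposes."""
    salt, stored = table[user]
    return hmac.compare_digest(stored, salted_hash(guess, salt))
```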
> wouldn't it be simpler to make it a "Internet not delivered by NBN tax" tax.
Simpler maybe but politically unpalatable. It makes it impossible to not look like you're trying to ruin a business model. To be honest, I'd rather they funded it from general revenue. It is useful infrastructure with a long shelf life* and will add to GDP and hence future revenues, plus borrowing is still at an excellent rate.
*FTTP, not the crappy FTTN half arsed obsolete before it's finished crap.
> would assume this pretty much impacts every mobile phone (cell phone for our American readers) bill too.
No. It won't impact mobile. From the linked proposal:
"... which will require all eligible fixed-line superfast broadband networks to make a proportionate contribution to the long-term cost of these services"
4G isn't fixed line.
It's just a money-go-round. The "tax" is really the built-in cross subsidy amount and gets around the problem of TPG et al cherry picking the profitable high density rollout sites and leaving NBN to do the less profitable and loss-making sites.
In principle it makes sense but I'm not convinced they have thought it through (law of unintended consequences). Will tpg just spit out a new 24.999Mbps fibre plan to sit just below the cut off point? Will Telstra or Vodafone provide faster services than the cut off point but be exempt because they're not fibre? Of course they will.
I can't comment on Iceland specifically, but generally speaking minor parties would be weighing up the short term influence they would hold in a coalition against the base who get angry when their hobby horse issues are horse traded. Many minor parties who find themselves in a coalition or even guaranteeing support in a hung parliament find their own base abandons them at the next election. Add to that that many minor parties don't have an obvious viewpoint on issues not in their field of concern means they can find their candidates splitting on those issues (particularly in a hung parliament where every vote counts). The leader might agree to some trade deal only for someone else in the party to vote against it.
I'm unconditional about it. Without question there is a design flaw that poses a very real safety concern in a very small but significant percentage of these devices. Yes the recall should be mandatory, but this solution fails to take into account that risks are always relative to other risks. Perhaps there is a risk that someone in possession of such a device can't make an emergency call in a timely manner? A better approach would be to include a nag screen that pops up every minute and forces you to watch some recall notice in 5 different languages, and otherwise limits the apps it will load. There are plenty of measures to make the experience so bad that laggers without a really good excuse will make the effort without adding any risks to safety.
Not sure how that would work. Definitely worth a look, but as I understand it this is just a "try these areas first" collection of data points. That is to say, it can't interfere with the positioning values themselves (via http MitM).
My old tom tom would take several minutes to find itself; you basically have to drop to that sort of brute force scan.
It is possible to believe that a malformed file could be misprocessed causing a buffer overflow or equivalent. Seriously though, if you want an easy way to pwn most android handsets, write a simple app with two threads, activate copy on write, load an executable owned by root and .... you know what, I'm not doing your homework, this isn't stack overflow here...
Going for a walk alone in the wrong part of town is going to result in a mugging or worse. Leaving your iPad on the back seat of your car in some poorly lit car park is going to result in a smashed window and no more iPad.
None of this excuses or reinforces the behaviour of the perpetrators. It's simply a recognition that there are injustices in this world. We can chew gum and walk here.
Well that pretty much describes windows update. Here's a font vulnerability fix that breaks outlook.
Seriously though, it is the responsibility of the original developer to create sufficient test case coverage that my fix gets rejected by the build server. Apart from the most egregious introduced bugs, if someone breaks functionality that I wrote, I ask myself:
* Did I adequately name the variable/parameter/method/field/const/enum/class/whatever?
* Did I include a comment where what is being done is obvious but why it's done less so?
* Did I structure my code with single responsibility principles?
If the answer to those is no then I tend to blame myself.
It happens with software all the time, where by the time a specific bug bubbles up onto a sprint, it has been coincidentally neutered by another fix or improvement. It can also happen when a developer working on an unrelated ticket stumbles upon the initial problem and fixes it at the same time, legitimately believing that it had never been reported. Obviously not saying that this is definitely what happened here, but let's not feign surprise that something which would happen in a product as big as Windows at least daily has indeed happened.
> But the publisher can tell if ads are being loaded or not
To do this they need to wait for the ad content to download and render before delivering the content. With video or animations that is impossible. Even for simple images or text you would be adding substantial lag to your page display time for the 80%ish users who aren't using them.
Current detection approaches involve using JavaScript to fetch a beacon from the ad network and then detecting whether that download is blocked. The simple countermeasure allows such beacons to download but it does prevent simple hosts file blocking of the whole network.
There are other possible measures. Many moons ago I had to deliver a "way too complex for html of the day" report over the web which ended up being a dynamic png rendered on the server side. These days you could do it with html5 and angular. It was an absolute usability nightmare. You could get dynamic screen sizes to be taken into account and image map out hyperlinks but it was non trivial. It also made it inaccessible to screen readers.
I'd like to think that websites would not screw up everyone's experience to spite the relatively small proportion of users who bypass their ads. Then again, we are already stuck with animations that interfere with content, fake download buttons, etc all apparently in the name of supporting websites so yeah.
Not quite. When you ask for x, you get exactly x. This x contains URIs for other resources such as images, videos, scripts, stylesheets and frames. Your browser then requests those resources and renders them. The ad blockers work by choosing to not download some of those resources and/or adjusting the stylesheet so those resources are not visible.
A blackhat could have mined bitcoin with every new instance of red hat on Azure, pushing a custom version of ps that hides the process and a custom version of ls that masks the version details of ps. Setting up a 24 hour "do nothing" on first start would make this really hard to detect as would throttling the computations to say 25% of the CPU in a low priority process.
3500 is a joke given that risk.
1. IBM don't want to get excluded from circa $500,000,000 pa in contracts. $30,000,000 (and it's less) is a pretty good investment on those numbers.
2. The government can't afford the focus to fixate on their failure to appoint someone to that position for the better part of a year and to accidentally forget it in a reshuffle, and then replacing the minister in charge mere weeks before. They can't even stop their coalition partners from freelancing, they need this off the front page.
3. The ABS needs this to disappear too. They have screwed up numerous indexes over the past few years because of poorly planned methodology changes. Their hubris on privacy was exposed for what it is. Everyone I spoke to on it scratched their heads about how the maximum anticipated load could be so low. It defied common sense. Everyone I have spoken to who I would describe as technically literate were puzzled by the suggestion that ddos can be prevented with geo blocking (even if done well). Let alone the inevitable truth stretching that happens when people are forced to identify themselves. The data will be forever tainted by larger than typical "typos". But hey, at least linkage keys right?
So this settlement is a win win win for IBM, the government and the ABS. Just a shame for the rest of us who hoped that it might be useful for policy development.
> and you get redirected to the page where you can purchase more
Which absolutely shouldn't be possible if security is done right. You can't serve a 302 when MitM-ing an HTTPS connection unless you can convince my browser to trust the certificate you sign the page with. And with HSTS you can't even get my browser to talk HTTP even if you type it into the address bar if the server is known to support HTTPS. (Try to visit Google over HTTP)
And if you use a VPN, your ISP has exactly zero ability even for this sort of farting around. Send an SMS or email. Hardly rocket science.
> loan made on cost grounds, not due to concerns about the business model
Colour me shocked. How convenient. The question isn't about whether someone somewhere would lend them the money at 15%pa or whatever. The question is why the market would put a large premium on those loans. Hint: the project has suffered from the Not Invented Here syndrome with stupid meddling just so there was a way to throw a waste and mismanagement angle at the political foes. Whilst the original plan was hardly perfect, it at least would have left us with a cheap to maintain cheap to upgrade natural monopoly that unlike the mistakes made when privatising Telstra did not result in a vertically integrated entity with a self interest in making their competitors' network access difficult. When something is perceived to have higher risk, the interest rate must be higher to attract capital. It's the same reason that payday loans have ridiculous interest rates and government bonds have low interest rates.
Yes it's you. The problem with the suggested backdoored encryption is one of mathematics. The person between Bob and Alice is an adversary. There is no value judgement on the adversary. Perhaps Bob and Alice are evil and the adversary is benevolent. The crux is that you can't make it easy for the good adversary without making it easy for the bad one. The best you could hope for is some sort of golden key, so then we turn to how we keep that protected. Given the US was unable to prevent early nuclear research finding its way into Soviet hands, what makes you remotely imagine that such a sweet honeypot would not be leaked. Those 20 million OPM records could easily be used to blackmail for access.
But let's just leave all those challenges aside for the moment and pretend there can exist a solution if we "try harder". Why would any terrorist use encryption that they know to be broken when they have the mathematically secure algorithms already in existence. You are throwing out the baby with the bathwater except not even managing to throw out the bathwater you wanted to dispose of.