Posts by Adam 1

2545 publicly visible posts • joined 7 May 2012

The encryption conundrum: Should tech compromise or double down?

Adam 1

Re: Stupid is as stupid does

> I think you will find that software being written outside the USA is only a theoretical possibility

Totally agree, especially encryption technology like that designed by those two American and definitely not Belgian men Vincent Rijmen and Joan Daemen.

Adam 1

Re: Predictable sequence...

Perhaps I can see a way through this impasse. Apple should be made to provide a TLA friendly encryption mechanism which terrorists should be mandated to use, leaving secure encryption for those who aren't terrorists. Win win!

TfL to track Tube users in stations by their MAC addresses

Adam 1

Re: switch off your Wi-Fi...

Device initiates. If you want your device to be untrackable*, you need to switch off WiFi. I think there are some ways to randomise the MAC address periodically to reduce the problem but you can bet lots of places do this.

*By WiFi traffic analysis I mean. It's still going to be broadcasting on its 4G frequency.

Antivirus tools are a useless box-ticking exercise says Google security chap

Adam 1

> Shadow copies / snapshots. Why are they not enabled by default on all computers, and why are they deletable? Literally just set every machine to fill up its disk with "backups" and only remove them when there's no space left

Enabled by default yes, but it hardly solves the ransomware problem. If the ransomware sees 250GB free, it just has to overwrite the files enough times that the oldest shadow copy must be from after the infection. As the files are encrypted, there is very little potential for deduping compared with more typical shadow copy use cases.

Adam 1

> Telling users not to click on phishing links

Surely that's phushing lunks

/ah, my coat. Thanks.

After Microsoft joins Linux, Google Cloud joins .NET Foundation

Adam 1

Eadon has been approached for comment.

'Pavement power' - The bad idea that never seems to die

Adam 1

It's also a fundamental misunderstanding of where the said energy is coming from. It does not produce energy. It consumes some of the energy that would normally be returned to the walker. This should make walking more difficult (in the same way that walking through dry sand is more difficult than walking along the wet sand at the shoreline). If walking isn't noticeably more difficult then the power extracted is pretty laughable. Basically you are using the human body as a power generator. Putting aside for a minute that some of us really should be expending a few more kJ or moderating our intake, the efficiency question becomes about how efficient a human is at generating that energy and whether it would be more environmentally friendly to burn coal (almost certainly).

There may well be some applications where you don't need much energy, where running power specifically is a PITA, where this may work (eg a doorbell or keyfob that gets just enough energy from the button press to broadcast its signal), but chances are it is then competing against watch batteries, not coal, gas, nuke, solar, wind, hydro.

Encrypted email sign-ups instantly double in wake of Trump victory

Adam 1

Re: Is it...

> Either way the payload is unreadable whether the payload is in the email body or on an attachment.

I disagree. I guess it depends though on whether you recognise that metadata is in and of itself also data. And that social graphs can be drawn from those headers. And that goes to the heart of freedom of association. We don't use email for its security capabilities. We use it because of inertia and because distributed key sharing without a trusted intermediary is a damn hard problem to solve.

Angry user demands three site visits to fix email address typos

Adam 1

Re: Nightmare!

Of course electricity naturally flows downhill. Geez people. I thought it was obvious how the high voltage lines were really high up, local street distribution tends to be about 10m up and within homes most power points are waist height or even lower down near ankle height. Why do you think it costs so much to move electricity supplies underground?

Spain's Prime Minister wants to ban internet memes. No, really

Adam 1

I don't understand.

I mean, one doesn't simply ban internet memes.

Robot solves Rubik's Cubes in 637 milliseconds

Adam 1

I'm impressed with ...

... how quick the ink dries after being quickly sprayed on all 6 sides.

Bungling ATM thieves blow up bank statement machine

Adam 1

Re: It's "Kontoauszugsdrucker"

Donaudampfschiffahrtsgesellschaftkontoauszugsdrucker

Do I win?

Australia again ponders making attorney-general netadmin-in-chief

Adam 1

why all the fuss

> Earlier this year, The Register reported strong industry opposition to the laws.

I'm sure they would have been consulted* about the changes

*As defined in the abridged dictionary of Brandis...

'Trust it': Results of Signal's first formal crypto analysis are in

Adam 1

Re: Yes but

The two statements that concern me about this research are:

1. Signal employs a novel and unstudied design, involving over ten different types of keys and a complex update process which leads to various chains of related keys

Novelty is not a positive feature. It doesn't necessarily mean it's negative (all designs were at some point in human history considered novel in this sense) but anything that makes it harder to study is just security through obscurity. In the same way obscurity doesn't mean insecure, but the obscurity may mask some actual flaws from the whitehats/design reviewers so the security ends up compromised.

That leads to

2. the protocol is not substantially documented beyond its source code

Given the supposed advantage of the novel design, the design itself should be well documented at a high level so that inherent design flaws can be effectively studied. Not the implementation itself (though implementation bugs also need to be checked) but the interaction between the parties with data/keys/RNG etc for inherent attack vectors.

Browsers nix add-on after Web of Trust is caught selling users' browsing histories

Adam 1

Crowdsourced rating of domains for trustworthiness and child safety. It's a pity. As per others I have recommended it in the past for my less technically adept friends and family. It gives a traffic light style indicator next to Google results etc so you don't have to deal with the otherwise inevitable "I downloaded the latest version of Photoshop from myfreeverygoodsoftwarebestfree.cn (it had a padlock icon) and now my computer is slow". Uninstalling now, sigh...

Cerber ransomware menace now targeting databases

Adam 1

Re: Most of these arrive via the Inbox

> coming up with a suitably deterrent punishment. Like publicly skinning them alive one square centimetre at a time over the course of a week or two.

Now now. I'm not a fan of Hillary or Trump either but I think I have to draw the line at a day or two.

Microsoft puts Windows Updates on a diet with 'differential downloads'

Adam 1

I remember this from when I was looking after about 30 Win 9x boxes for a school, keeping them breathing. A little e-smith (now SME Server) would make the 64K connection tolerable.

The downside of HTTP is that MitM attacks are trivial, and that's not exactly comforting when you're applying security patches delivered over such an insecure channel.

Adam 1

Re: So, granularity in patches, OK

This patch segment changes the gwx close button so it accepts the win10 upgrade.

This patch segment ignores your previously hidden update.

This patch segment adds another registry key you need to set if you don't want GWX to update.

Want to spy on the boss? Try this phone-mast-in-an-HP printer

Adam 1

Re: HP Inc - please don't tell them...

Only buy genuine HP phone mast printer accessories! They updated the firmware a few months back and now if the printer detects a non genuine phone mast it will refuse to work.

Adam 1

Why does the phone trust the base station? Naive me was thinking my phone might expect some sort of certificate to be checked before it connects, and can't simply emulate a network I connect to.

Ghost of DEC Alpha is why Windows is rubbish at file compression

Adam 1

Re: So why not create a new v2 compression scheme?

When you burn a CD you get to choose whether to support multiple sessions on the disc to allow subsequent changes or whether to burn as a single finalised session for compatibility.

Very good compression with ultra low CPU overhead algorithms exist. The only reason I can see for wanting to avoid it would be for more efficient deduping.

Adam 1

Re: Obvious bull

Let's not confuse algorithm and file format. The language used seems very loose to me. The algorithms are simply the methodology taken to transform one byte stream to another. It stands to reason that different architectures will be better at some algorithms than others because of the various sizes of caches and buses involved. Some lend themselves to larger dictionaries and better parallelism than others. There's no reason other than priorities as to why they haven't switched to something more suited to x86 in newer versions.

Boffins coax non-superconductive stuff into dropping the 'non'

Adam 1

Well spotted.

I lower my hat to you.

Boffins one step closer to solving nanoscale computer challenge

Adam 1

Re: How high can you go?

And while they correct the challenge to reflect volume rather than area, they could correct the measurements to the more meaningful nanograpefruits.

Topless in-car selfie attempt climaxes with rear-end bonking

Adam 1

just unbelievable

Why do people buy cars without autonomous braking systems?

Samsung are amateurs – NASA shows how you really do a battery fire

Adam 1

turtles

El Reg via Twitter via Engadget via Popular Mechanics via Gizmodo via Wired via NASA

Blood donors' privacy anaemic after Red Cross data breach

Adam 1

Re: What ???

Troy did a blog post on it. Apparently some guy, for reasons unexplained, was connecting to random IP addresses on port 80 to find those with directory browsing enabled, which exposed database backup files, and helped him(presumably)self to it. He then shared it with Troy, who worked with AUSCERT to get it dealt with quickly.

Troy's argument was that since the organisation committed to actively contacting those affected, since he had not shared it with anyone*1, and since the mystery guy promised he had not shared it with anyone else and promised to delete all copies he had personally*2, there were no further known copies of that data in the wild.

Now unless the mystery guy was some "friend of a friend", I'd be a bit doubtful that all copies were wiped securely. I would have preferred he treat it as a sensitive breach (even if he withheld notifications for a few weeks to let RC notify through official channels everyone they can still locate) but hey, his bat and ball, his rules.

*1 - I have complete confidence of that being true personally

*2 - I am somewhat less confident in that assurance.

Self-driving cars doomed to be bullied by pedestrians

Adam 1

Re: fun.apply(handbrake)

The point is valid but this paper makes a bit of a time jump. We are not going to swap over from meat bags to microchips overnight. Cars will automate more functions over time. Cruise control became adaptive cruise control became autopilot. Reversing sensors became reversing cameras became surround cameras and self parking. In the medium term, even self driving capable cars will allow meat bag control, so the pedestrian has to risk the fact that the car may not be under AI control.

In reality, many cars today come with autonomous braking systems that could equally be pranked by chicken players. In another few years, that'll be every car from entry level up (probably will become part of the highway codes).

I'm a bit more optimistic than the paper anyhow.

How Google's Project Zero made Apple refactor its kernel

Adam 1

And kudos to slurp for not trying any 90 day crap in spite of the fact that either iOS becoming unstable due to a rushed fix or remaining knowingly insecure would both commercially benefit them.

'Non-state actors*' likely to blame for Dyn mega-attack – US intel chief

Adam 1

In other cases it is a strategy to both distract the security apparatus within the organisation under attack and to create a pretty big haystack for the attack that they are trying to hide.

Adam 1

Re: uhhuh, sure

You must be an idiot.

20 years to get Amiga Workbench 3.1 update, and only a fortnight to get first patch

Adam 1

Why all the hate? Updating your Samsung to the latest critical fix is really easy online. Simply visit Amazon or your favoured electronics retailer's website and order the new model. Once it arrives, simply dispose of the old one in accordance with your local electronic waste disposal guidelines.

Paging 1994: Crap encryption still rife in devices

Adam 1

Re: SMS?

> I believe that (almost) all data between a mobile and the base station is encrypted, including SMS, so yes, it's better.

Better != Good enough

I guess as long as talktalk et al don't have any of their keys compromised, it's all good.

Adam 1

Re: SMS?

> Would anyone really put anything confidential on them?

Like the call-in number and conference key for whatever teleconference service they are using for that "call in" message

Aussie trams equivalent to 30 skateboarding rhinos

Adam 1

The weather radar. They may be walking around in board shorts but need to know when it's time to put the snow gear on.

Adam 1

Re: We've been here before…

and as you pointed out then; "trams are designed for carrying passengers, and do not usually have the specialist equipment that would be required to weigh a rhino."

Why do people insist on trying to weigh rhinos using trams? Shirley there are more convenient, cheaper, easier to operate machines out there? Not to mention that both operating a tram and the handling of aggressive mammals weighing well over a ton each require substantial training and experience to do safely. Simply put, this is cost cutting gone mad.

IBM Australia again blames ISPs for #censusfail, is also 'unreservedly' sorry

Adam 1

Re: 3Gbps - Really?!?

> bring down a decently designed survey site

I think you just answered your own question there. Their DDoS mitigation plan was to block overseas traffic, which they self-evidently didn't test sufficiently. But even if they did get that part right, that is a rather blunt sledgehammer which is going to both impact legitimate users (on VPNs, Tor and possibly even those using overseas DNS servers) and is useless once the attackers figure it out, as they will just switch to a botnet built from compromised Australian addresses or attack other infrastructure like Telstra/Optus/TPG/iiNet DNS servers.

Acronis: Yep, we're using blockchain for backup now

Adam 1

Re: I see Mr. Mellor was in a hurry to get to the Pub

In my client's defence; it was Friday.

Today the web was broken by countless hacked devices – your 60-second summary

Adam 1

Re: "....big names including GitHub, Twitter, Reddit, Netflix, AirBnb ...."

> They might come for El Reg

Distributed Denial of DevOps?

Adam 1

Give Musk some credit to that end.

IBM throws ISP under a bus for Australia's #Censusfail

Adam 1

They are so far out of their depth. It would be funny if not for the millions of man-hours wasted that evening and the almost certainty that the information collected will be pwned at some point.

The DDoS was too small to even register on the global attack map yet overwhelmed their configuration. And they believed that all the bad guys are overseas and can therefore be easily blocked on IP ranges. That strategy was never going to cut it. They clearly haven't looked at the paid, er, "load test services" on offer over the dark web. You know, the ones where you can select the country from which the attack should originate. The only thing that surprised me is that no one took credit for it. That, combined with the lack of presence on the digital attack map, leads me to believe they DDoS'd themselves by underprovisioning.

Microsoft reveals career-enhancing .PNG files

Adam 1

DevOps Certified ....

Australia's new data breach disclosure laws have a rather floppy definition of 'breach'

Adam 1

I read/watched/heard recently about a particular data breach. The vendor had, in between the time the breach occurred and the time they discovered it, changed something about how they stored the passwords, so they judged it unnecessary to inform anyone who had a password in the new structure. On one level it makes perfect sense, as "someone has just stolen your old password you don't use anymore" doesn't sound like a big issue. Of course it means that anyone using the same password for their e-mail or other services is waiting to be pwned. I would name names if I could remember. So in short, yes, self-appraisal of the seriousness of a breach (particularly from companies who don't deal in security day in and day out) is rather problematic.

South Australia blacked out by bad bespoke software, not wind farms

Adam 1

well called Richard

As you predicted, a safety mechanism triggered by grid issues caused these generators to perform an emergency safety shutdown. It did exactly what it should have.

Why the grid operators and generators hadn't specifically consulted each other on what those thresholds should be is very much a live question. The fact it took them so long to acknowledge the cause is also regrettable as it allows the opportunist pollies to come out. I wouldn't hold my breath for an apology from them however.

US government wants Microsoft 'Irish email' case reopened

Adam 1

Re: users don't control where data resides?

> Why don't they buy an island, make their own country, and move their HQs there?

Yes, you can host with Oracle if you like.

SHA3-256 is quantum-proof, should last billions of years

Adam 1

Re: Turn that one on its head

> If this, or other, research comes to fruition, doesn't that make the limitations asserted in the article irrelevant?

I wouldn't worry too much about our research coming to fruition. "Efficiency dividends" will ensure these sorts of projects get shelved.

Adam 1

Re: Hash functions

> it is the ease (or otherwise) of engineering such a collision so that you can fake a digital signature for nefarious purposes.

Let's be honest here. Nefarious actors can just tell Wosign that they own github. No collisions necessary.

Adam 1

Re: Hash functions

> mapping data of size > n into a space = n creates collisions.

Formally known as the Pigeonhole Principle.

US reactor breaks fusion record – then runs out of cash and shuts down

Adam 1

Re: We should not forget

> Theres always that eCat thing... The one that lives in a shipping container full of AA batteries that nobody is allowed to open when they "test" it.

I'm sure that uses fusion.

Not quite. It's a bit hard to explain, but in essence you have what looks like a miniature wind turbine, except attached to each blade is an array of cats, arranged in such a way that some of them always have their feet up in the air. The feline self righting principle then takes over causing the turbine to spin at very high velocity. Most of the box is simply sound proofing (very high rpm) and the inverters to produce AC and various step up transformers (largely off the shelf stuff).

Court finds GCHQ and MI5 engaged in illegal bulk data collection

Adam 1

> Crime, but where's the punishment?

Oh it's there, you must have missed the bit where the staff were warned. That'll teach them...