Posts by Adam 1

2545 publicly visible posts • joined 7 May 2012

The Ashley Madison files – are people really this stupid?

Adam 1

Sounds like the next few BOFH episodes have just written themselves.

Anti-privacy unkillable super-cookies spreading around the world – study

Adam 1

Kudos to Vodafone AU

/hey, how often does one get to write that.

//still using a VPN though.

Adobe pays US$1.2M plus settlements to end 2013 breach class action

Adam 1

I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims

Adam 1

Re: The Participant Observer Problem

The hash of the hash file has to be stored somewhere. That somewhere can also be compromised.

Adam 1

Lame. Walking to office*

*in Australia

Adam 1

Re: The Participant Observer Problem

> A hash for every Windows file

That wasn't the suggestion. It was system files. These would number in the thousands. Even if there were a million system files, that would only take 32MB of storage to hold every hash.

The bigger question is how you prove that your hash database hadn't been compromised.

Australian court slaps down Hollywood's speculative invoices

Adam 1

Re: I should be an account

Or a YouTube comment moderator.

Use QuickTime … and become part of the collective

Adam 1

Re: VLC

Heck, some ancient version of winamp would be better.

Google flubs patch for Stagefright security bug in 950 million Androids

Adam 1

Re: Monthly security updates will soon become a major PITA

Whether it is ART or Dalvik or whatever, it is an important point. The update process for me just took 20 minutes and at least 1/4 of the battery to spin through 141 apps. Further, if your device is encrypted then you need to enter your pass code in the middle of it, so you can't just run it unattended overnight. If it truly is optimising apps then they need to move it to a lazy load model and only optimise on first launch, and have a background process completing the job. Sometimes I wonder if they forget it is also a phone.

Watch out, Tokyo! Samsung readies a 15 terabyte SSD

Adam 1

HDD usually give the click of death on the way out. No such warning with SSD. Of course you have working backups so none of that really matters, right?...

If I look at the area most consumers need capacity, it is videos and photo storage. Both use cases get little practical benefit from faster seek time. One more I suppose is as a backup medium. Again seek time is not a benefit. SSD has a theoretical lower minimum cost (it lacks the motors, spindles, magnets etc. that mean a 100MB hard drive today would not be much cheaper than the smallest capacity manufacturers still bother with). A 128MB SSD would, by contrast, be much cheaper. HDD is a technology with an end of life (or at least a far more niched existence) but we aren't there yet.

Patching a fragmented, Stagefrightened Android isn't easy

Adam 1

Jeep runs* QNX. Never underestimate the ability of the universe to create idiots that can break anything.

*Autocarrot wanted to write ruins. Well played Google.

Adam 1

Re: Sony

> Sometimes manufacturer updates aren't what they're cracked up to be

True, but I don't think that updates need to be whatever new flavour of confectionary is out. We just want security patches to be delivered promptly for a period of around the expected lifespan of the computer that happens to sometimes make phone calls. In fact, automatically changing the messaging app and moving the menus around when moving from ginger bean to ice kit pop is going to cause my folks all manner of confusion so I would prefer nothing visible.

Adam 1

Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

The problem with the carriers is that they have a vested interest in obsolescence. If you have to get a new phone then they get another 2 years contract out of you.

IWF shares 'hash list' with web giants to flush out child sex abuse images online

Adam 1

Re: Am I being a bit thick here

> changing at very least a byte or two of data in the source image

Wouldn't even take a byte. I mean, even changing as subtle as #FFFFFF to #FEFFFF would be very* unlikely to not have a radically different MD5 and SHA1 signature.

* it is possible that the signature won't change, in the same way you might win lotto, then on the way to pick up your winnings, an asteroid shoots down toward the spot you are standing only to be blown to smithereens by a coincidental lightning strike.

Adam 1

> The term 'collision attack' comes to mind where two values can produce the same hash.

A hash algorithm by definition MUST permit collisions where the size of the hash is smaller than the size of the input data.

Let's use small numbers to illustrate. If your hash was just 1 byte in length, and your input was 4 bytes, you have 256 possible hashes to share amongst 4 billion odd input possibilities. SHA1 is from memory 160 bytes, which gives 1.4615016e+48 hashes. That is a big number* but much much much smaller than the possible arrangements of bytes in a valid JPEG file.

* citation needed
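The two comments above make two separate points about hashes: a one-bit change to the input changes the digest radically (the avalanche effect), and any fixed-size digest must collide once there are more inputs than digest values (the pigeonhole principle). The following Python script is an added example, not part of the original thread, that demonstrates both with the standard library; the pixel values and the 4-byte counter inputs are constructed for the example, and truncating SHA-1 to one byte stands in for the "1 byte hash" thought experiment.

```python
import hashlib

# Constructed sample input: a white pixel and one that differs in a single bit,
# mirroring the #FFFFFF -> #FEFFFF change discussed above.
WHITE = bytes.fromhex("FFFFFF")
ALMOST_WHITE = bytes.fromhex("FEFFFF")


def digest(data: bytes, algo: str = "sha1") -> bytes:
    """Full digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).digest()


def digest_bits(algo: str = "sha1") -> int:
    """Digest length in bits; 2**digest_bits possible outputs."""
    return hashlib.new(algo).digest_size * 8


def differing_bits(a: bytes, b: bytes, algo: str = "sha1") -> int:
    """Avalanche check: how many digest bits differ between two inputs.

    For a well-behaved hash about half the bits flip no matter how small
    the input change is.
    """
    da, db = digest(a, algo), digest(b, algo)
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def count_collisions(n_inputs: int, keep_bytes: int = 0, algo: str = "sha1") -> int:
    """Pigeonhole check: hash n distinct 4-byte inputs and count how many land
    on a digest already produced by an earlier input.

    keep_bytes > 0 truncates the digest to that many bytes, which is the
    "1 byte hash over 4 byte inputs" scenario; 0 keeps the full digest.
    """
    seen = set()
    collisions = 0
    for i in range(n_inputs):
        d = digest(i.to_bytes(4, "big"), algo)
        if keep_bytes:
            d = d[:keep_bytes]
        if d in seen:
            collisions += 1
        seen.add(d)
    return collisions


if __name__ == "__main__":
    bits = digest_bits("sha1")
    print(f"SHA-1 is {bits} bits, i.e. {2 ** bits:.4e} possible digests")
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo}: {differing_bits(WHITE, ALMOST_WHITE, algo)} of "
              f"{digest_bits(algo)} digest bits differ for a one-bit input change")
    # 257 inputs into 256 one-byte buckets cannot avoid a collision.
    print("1-byte truncation, 257 inputs:", count_collisions(257, keep_bytes=1), "collision(s)")
    print("full SHA-1, 257 inputs:", count_collisions(257), "collision(s)")
```

The truncated run always reports at least one collision, while the full-digest run reports none: the collisions the thread talks about are guaranteed to exist in principle, but for a 160-bit digest you will not stumble on one by changing a pixel.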

Another day, another stunning security flaw in Android – this time hitting 55% of mobes

Adam 1

Re: Permissions?

On a serious note, as a developer (a real one not an app developer :p) being able to stipulate the permissions you don't need is quite a nice security layer. If I decided that the world didn't have enough photo editors and that I should release my own, I can stipulate that it should not access the contacts. If my advertising network started spewing out malware, perhaps a more conservative token collection may mitigate the malware.

Adam 1

Re: Permissions?

You think you are the phone owner. Cute.

Adam 1

Re: innocuous-looking app which, when installed

I give far more credence to the number of and nature of permissions requested than the number of g+ users who give it 5 stars and usually some indecipherable comment.

The raison d'etre of the permissions model is to limit what an app can do. If it fails to do this then it is a critical flaw. But imagine there was some bug in your phone's PIN entry screen where pressing the volume rocker logged you in. I suppose you would argue that such a bug isn't too bad because one should expect that anyone who can physically access it could pwn it.

Hack a garage and the car inside with a child's toy and a few chips

Adam 1

Re: Driving the car

Yes, DOS is possible, but it is already possible. I remember visiting a scenic lookout tower about 10 years ago. It doubled as a communications tower. Upon returning to my car, the fob did not work. If you are going to DOS then the easiest and most effective technique is to flood the airwaves in those frequencies with white noise, not some elaborate fob emulator. The backup plan is to use your key. :)

Adam 1

Re: Driving the car

Sure. We move well past my knowledge of how they are implemented presently, but it really wouldn't be too hard to do. If each keyfob has an identifier that gets broadcast with the code, and the car ignores unpaired fob identifiers, then the brute force would have to emulate a particular fob. Then you can count brute force attempts by a fob id having too many wrong guesses and lock them out.

Adam 1

Re: Driving the car

Wouldn't a far simpler solution be if the door detected say 1000 open attempts that it switches off the receiver for 5 minutes. Make brute forcing impractical.
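The two comments above sketch two complementary lockouts for a keyless-entry receiver: ignore unpaired fob ids and lock out a paired fob after too many wrong codes, and switch the whole receiver off for a few minutes after a burst of attempts. The Python simulator below is an added example, not code from the original page and not how any real vehicle implements this; the pairing table, codes, thresholds and the injected clock are assumptions chosen so the behaviour can be checked deterministically (a real receiver would use a rolling code rather than the fixed code kept here).

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Receiver:
    """Toy keyless-entry receiver with per-fob and whole-receiver lockouts."""
    paired_fobs: Set[str]
    codes: Dict[str, int]                # assumed: current valid code per paired fob
    fob_fail_limit: int = 5              # wrong codes before a fob id is locked out
    fob_lockout_s: int = 300             # per-fob lockout duration
    receiver_attempt_limit: int = 1000   # frames before the receiver switches off
    receiver_sleep_s: int = 300          # how long the receiver stays off
    _fails: Dict[str, int] = field(default_factory=dict, init=False, repr=False)
    _fob_locked_until: Dict[str, float] = field(default_factory=dict, init=False, repr=False)
    _attempts: int = field(default=0, init=False, repr=False)
    _receiver_off_until: float = field(default=0.0, init=False, repr=False)

    def receive(self, fob_id: str, code: int, now: float) -> str:
        """Process one received frame at time `now` and report the outcome."""
        # Whole-receiver lockout: nothing is processed while switched off.
        if now < self._receiver_off_until:
            return "receiver-off"

        # Every frame counts towards the burst limit, paired or not.
        self._attempts += 1
        if self._attempts >= self.receiver_attempt_limit:
            self._receiver_off_until = now + self.receiver_sleep_s
            self._attempts = 0

        # Frames from fob ids the car has never been paired with are dropped.
        if fob_id not in self.paired_fobs:
            return "ignored"

        # Per-fob lockout: even the right code is refused until it expires.
        if now < self._fob_locked_until.get(fob_id, 0.0):
            return "locked"

        if code == self.codes[fob_id]:
            self._fails[fob_id] = 0
            return "unlocked"

        self._fails[fob_id] = self._fails.get(fob_id, 0) + 1
        if self._fails[fob_id] >= self.fob_fail_limit:
            self._fob_locked_until[fob_id] = now + self.fob_lockout_s
            self._fails[fob_id] = 0
        return "rejected"


if __name__ == "__main__":
    # Constructed pairing table for the demo.
    car = Receiver(paired_fobs={"fob-A"}, codes={"fob-A": 4242})
    print(car.receive("fob-Z", 4242, now=0))          # ignored: not paired
    for t in range(5):
        print(car.receive("fob-A", 1, now=t))         # rejected x5
    print(car.receive("fob-A", 4242, now=5))          # locked: correct code, but fob locked out
    print(car.receive("fob-A", 4242, now=305))        # unlocked: lockout expired
```

The order of the checks is the point: the burst counter runs before the pairing check so that a flood of unpaired frames still switches the receiver off, and the per-fob lockout is tested before the code comparison so that a lockout cannot be bypassed by guessing right on the next try.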

Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Adam 1

Re: Pretty obvious - a keylogger was installed

> except if you use something like Keepass then even a key logger is not useful without the db you unlocked,

Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in their normal day to day operation need to plant listening devices for suspects.

It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.

Microsoft's Windows 10 Torrent-U-Like updates GULP DOWN your precious bandwidth

Adam 1

Re: Security vulnerability waiting to happen

It's no more risky than https. The slithers would be validated with something like sha256 or 512. The hashes for all of the slithers would probably get downloaded over https or would maybe just rely on a digital signature to prove those hashes were decided by Microsoft.

Adam 1

Re: And sharing malware in 5 4 3

Someone doesn't understand how hashes work. Put it this way: if that was possible, don't you think Hollywood would be corrupting the torrents left, right and centre? For sure you could send my computer malware instead of the patch. Problem for you is that it won't be signed with Microsoft's private signature so my computer will file it to the Windows equivalent of dev/null.

Edge out rivals? No! Firefox boss BLASTS Microsoft's Windows 10 browser brouhaha

Adam 1

Re: And there's more!

P2P is a completely sensible way to distribute large files. Do you not find it a bit weird that your laptop, PC and media centre* all independently download the same patches over your internet connection rather than sharing amongst themselves and only downloading it once.

I suggest you flag your network as metered.

* yes, sadly dead now

US to rethink hacker tool export rules after mass freakout in security land

Adam 1

Re: The pen is mightier than the sword.

Tin foil? Like those military/citizen blankets for treating people for hypothermia?

Telcos given a breather to meet Oz metadata retention laws

Adam 1

So $127 million to set up collection for about 7.5 million connections. So $17 ish per household. For something that can be bypassed for the price of a cup of coffee a month.

/posted from Romania, because why not, it demonstrates just what a stupid waste of money this is.

MORE Windows 10 bugs! Too many Start menu apps BREAK it

Adam 1

Re: I have 600

Also, 2^9? Really? You could kinda understand some numpty using the wrong type and ending up with a 256 limit. 512 is quite creative though.

Got an Android phone? SMASH IT with a hammer – and do it NOW

Adam 1

Re: filter at the telco level?

OK, assuming some sort of signature based pattern can identify the infected video, why involve the telco at all? That would mean that the hangouts app itself could perform the scan before sending it off for preview. This is important, because hangouts can be pushed through Google play as an update.

Although it wouldn't eliminate the attack vector (too many insufficient-storage-esque errors on old devices), the attack surface would easily and quickly halve.

OK Google, you've got 90 days.

Australia to tax ALL international online purchases

Adam 1

Re: Won't affect my spending habits.

THIS.

The eBays and Amazons of this world aren't used as some sort of GST avoidance scheme. They are substantially more than 10% cheaper in most cases, are available at 10:30 at night, have detailed information about their products, user reviews and the like. No checkout queues (have you actually been to one of your shops Gerry? Do your sales team know what is available in the market or are they too busy pushing the lines offering the best bonus that month?)

Take something simple like a phone case for some modern smartphone. How much change do you get from $35? Now go to eBay and do the same. If you are paying more than $10 you probably weren't looking very hard. Jumping from $10 to $11 doesn't change the equation.

By all means, include online purchases for GST (and add healthcare and education while you are there). Then fix up the super tax concessions, CGT and negative gearing avoidance schemes. That'll fix your revenue problem.

Sydney adopts 'world's first' e-ink parking signs

Adam 1

Next micro business, some kid with Photoshop charging 20 bucks to change the times on the sign for your fine protest letter.

Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Adam 1

IoT must die

The sooner that we stop stumbling around the opportunities and take the threats with the same level of consideration, the safer we will be.

It just struck me about a discussion I have been having with someone who was complaining about their browser of choice's decision to block a certificate signed with an old broken algorithm. The inconvenience is real, but so is the threat. I was struck because I know they get the same emails as me and that they were again flooded with IoT development technology marketing. A lot of energy went into pushing people into such devices, but there is really nothing on security.

You wouldn't feel safe with a windows vista machine with no patches applied, yet we are building impossible to update firmware into all sorts of gadgets with life expectancies above and beyond. It is a weird world sometimes.

Adam 1

Maybe not, but assuming the very long bow that such connectivity of the core systems of your car is needed, why were they not NAT'd inside some walled garden?

Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

Adam 1

Re: Congratulations on repeating exploits before they can be fixed

You're reporting it wrong....

Your gadget batteries endanger planes, says Boeing

Adam 1

Re: Temperature

Stackexchange; is there anything you don't know?

Mozilla's ‘Great or Dead’ philosophy may save bloated blimp Firefox

Adam 1

Re: Agree - don't run scripts without permission. mMatrix and mBlock are good for chrome.

>Why can't they bring these libraries under their own domain and take responsibility?

1. They would then have to pay for that bandwidth.

2. Chances are that their site is not the first you have visited that includes that particular framework. They can therefore leverage the cached (possibly even precompiled) version for better load times.

3. A website is never going to take responsibility for the resources your computer asks for.

Sod the law! We'll crack on with our metadata witchhunts, growl cops

Adam 1

Isn't evidence gathered outside the law inadmissible? Surely that is the whole point of a warrant, to fairly evaluate whether the particular action which would in other situations be illegal should be deemed lawful as an exceptional circumstance, the judgement by someone independent and competent.

Microsoft nixes A-V updates for XP, exposes 180 MEEELLION luddites

Adam 1

Re: How does this change ANYTHING?

> PS Why are we allowed to play with < UL > but not < OL >?

One does not simply play with < OL >.

Brandis' metadata retention recipe doesn't prohibit USB drives stored in a garden shed

Adam 1

Re: Did I miss it?

I have a scheme where I work out the letter number (a is 1, b is 2, etc) and add 64 to it. I then convert it to binary. Foolproof!

Adam 1

Already done. If the US government can't keep 20 million personnel records safe, why would I trust my ISP to?

Smartphones are ludicrously under-used, so steal their brains

Adam 1

Great idea

.... because most of us smartphone users think that our batteries last too long.

Adam 1

Re: Gah!

If your idea gives a drop bear nightmares, I am not reading about it!

Samsung stuffs 2 TERABYTES into flash drive for ordinary folk

Adam 1

Re: 10yr Warranty?

I wish my company was that unsuccessful.

Microsoft in Blighty reveals its 78 THOUSAND POUND Surface 3 slabloid

Adam 1

But it comes with a 3 month Now TV subscription. That's got to be worth at least 76K right there.

Get READY: Scientists set to make TIME STAND STILL tonight

Adam 1

Re: Having a single time is a nonsense

>Then drop time zones, and move to the 24-hour time format.

Seems like a lot of effort and you aren't even going to get it decimalised.

China's best phone yet: Huawei P8 5.2-inch money-saving Android smartie

Adam 1

Re: How the heck can they sell this in the West...

It is fine. It has sharp corners.

Australian government demands signoff on telco network designs

Adam 1

Even if I take them at their word, how it will or won't be used is a useless fact, because they can only promise what THEY will or won't do.

Good legislation is rather defined about what can or can't be done and whether some future activity will be ruled as legal or illegal under the act.

Why is this government doing its best to pretend they don't understand what separation of powers is for and why it is a good idea?

Hey, Sand Hill Exchange. Shouting 'blockchain!' won't stop the Feds

Adam 1

Re: Yes, but...

Not like endlesshorse though.

Samsung caught disabling Windows Update to run its own bloatware

Adam 1

Re: Windows Update is a nightmare

>I set it to just notify. If I'm tethered to my 4G phone, I don't exactly appreciate the laptop deciding it'll take my 1GB quota all to itself just for Windows update.

That is probably the most useful enhancement in Windows 8. If only they kept the Windows 7 shell.

Mum fails to nuke killer spider nest from orbit

Adam 1

That is the second worst thing I have read about spiders today!

Context: from down under

(and in case you are curious)