Sounds like the next few BOFH episodes have just written themselves.
Posts by Adam 1
2545 publicly visible posts • joined 7 May 2012
The Ashley Madison files – are people really this stupid?
Anti-privacy unkillable super-cookies spreading around the world – study
Adobe pays US$1.2M plus settlements to end 2013 breach class action
I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims
Re: The Participant Observer Problem
> A hash for every Windows file
That wasn't the suggestion. It was system files. These would number in the thousands. Even if there were a million system files, that would only take 32MB of storage to hold every hash.
The bigger question is how you prove that your hash database hadn't been compromised.
Australian court slaps down Hollywood's speculative invoices
Use QuickTime … and become part of the collective
Google flubs patch for Stagefright security bug in 950 million Androids
Re: Monthly security updates will soon become a major PITA
Whether it is ART or Dalvik or whatever, it is an important point. The update process for me just took 20 minutes and at least 1/4 of the battery to spin through 141 apps. Further, if your device is encrypted then you need to enter your passcode in the middle of it, so you can't just run it unattended overnight. If it truly is optimising apps then they need to move it to a lazy-load model and only optimise on first launch, and have a background process completing the job. Sometimes I wonder if they forget it is also a phone.
Watch out, Tokyo! Samsung readies a 15 terabyte SSD
HDDs usually give the click of death on the way out. No such warning with SSDs. Of course you have working backups so none of that really matters, right?...
If I look at the area where most consumers need capacity, it is video and photo storage. Both use cases get little practical benefit from faster seek time. One more I suppose is as a backup medium. Again seek time is not a benefit. SSD has a theoretically lower minimum cost (it lacks the motors and spindles and magnets etc. that mean a 100MB hard drive today would not be much cheaper than the smallest capacity manufacturers still bother with; a 128MB SSD would by contrast be much cheaper). HDD is a technology with an end of life (or at least a far more niche existence) but we aren't there yet.
Patching a fragmented, Stagefrightened Android isn't easy
Re: Sony
> Sometimes manufacturer updates aren't what they're cracked up to be
True, but I don't think that updates need to be whatever new flavour of confectionery is out. We just want security patches to be delivered promptly for a period of around the expected lifespan of the computer that happens to sometimes make phone calls. In fact, automatically changing the messaging app and moving the menus around when moving from ginger bean to ice kit pop is going to cause my folks all manner of confusion, so I would prefer nothing visible.
IWF shares 'hash list' with web giants to flush out child sex abuse images online
Re: Am I being a bit thick here
> changing at very least a byte or two of data in the source image
Wouldn't even take a byte. I mean, even a change as subtle as #FFFFFF to #FEFFFF would be very* unlikely to not have a radically different MD5 and SHA-1 signature.
* It is possible that the signature won't change, in the same way you might win lotto, then on the way to pick up your winnings, an asteroid shoots down toward the spot you are standing on only to be blown to smithereens by a coincidental lightning strike.
> The term 'collision attack' comes to mind where two values can produce the same hash.
A hash algorithm by definition MUST permit collisions where the size of the hash is smaller than the size of the input data.
Let's use small numbers to illustrate. If your hash was just 1 byte in length, and your input was 4 bytes, you have 256 possible hashes to share amongst 4 billion odd input possibilities. SHA-1 is from memory 160 bytes, which gives 1.4615016e+48 hashes. That is a big number* but much much much smaller than the possible arrangements of bytes in a valid JPEG file.
* citation needed
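The two claims in the post above (a one-bit change to the input scrambles the whole digest; a fixed-size digest must collide once there are more inputs than digest values) can both be shown directly. The following is an added example and not part of the original comment thread. One correction of fact for the numbers: a SHA-1 digest is 160 bits (20 bytes), not 160 bytes, and 2^160 is indeed about 1.46e48. The "image" is a constructed raw RGB buffer of white pixels standing in for the JPEG in the thread; the avalanche behaviour belongs to the hash, not to the file format. The 1-byte hash is simply SHA-1 truncated to its first byte, which is enough to watch the pigeonhole principle force collisions.

```python
import hashlib

# Constructed sample input: a 64x64 "image" of #FFFFFF pixels as raw 24-bit RGB.
WIDTH, HEIGHT = 64, 64
ORIGINAL = bytes([0xFF, 0xFF, 0xFF]) * (WIDTH * HEIGHT)


def nudge_first_pixel(data: bytes) -> bytes:
    """Turn the first pixel's #FFFFFF into #FEFFFF: a single bit flip in the red byte."""
    out = bytearray(data)
    out[0] ^= 0x01
    return bytes(out)


def bits_differing(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes, algo: str) -> dict:
    """Hash data and its one-bit variant; report how many digest bits changed.

    For a sound hash roughly half of the digest bits flip. Equality of the
    two digests would be a collision, which is astronomically unlikely here.
    """
    h1 = hashlib.new(algo, data).digest()
    h2 = hashlib.new(algo, nudge_first_pixel(data)).digest()
    return {
        "algo": algo,
        "digest_bits": len(h1) * 8,
        "bits_changed": bits_differing(h1, h2),
        "same": h1 == h2,
    }


def truncated_hash(data: bytes, nbytes: int) -> bytes:
    """A deliberately tiny hash: the first nbytes of SHA-1."""
    return hashlib.sha1(data).digest()[:nbytes]


def count_collisions(input_len: int, hash_bytes: int, samples: int) -> dict:
    """Hash `samples` distinct inputs of `input_len` bytes with a `hash_bytes`-byte
    digest and count how many land on an already-used digest.

    With more inputs than 256**hash_bytes possible digests, collisions are
    guaranteed by the pigeonhole principle, no attack required.
    """
    seen = {}
    collisions = 0
    for i in range(samples):
        msg = i.to_bytes(input_len, "big")   # distinct inputs 0, 1, 2, ...
        h = truncated_hash(msg, hash_bytes)
        if h in seen:
            collisions += 1
        else:
            seen[h] = msg
    return {
        "inputs": samples,
        "distinct_hashes": len(seen),
        "max_possible": 256 ** hash_bytes,
        "collisions": collisions,
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(avalanche(ORIGINAL, algo))
    print(count_collisions(input_len=4, hash_bytes=1, samples=1000))
```

Note the distinction the thread is circling: the guaranteed collisions in `count_collisions` exist for any hash, but finding a *specific* second input that matches a *given* digest (a second-preimage) is what matters for evading a hash list, and that is where the 2^160 figure, rather than the bare existence of collisions, is the relevant number.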
Another day, another stunning security flaw in Android – this time hitting 55% of mobes
Re: Permissions?
On a serious note, as a developer (a real one not an app developer :p) being able to stipulate the permissions you don't need is quite a nice security layer. If I decided that the world didn't have enough photo editors and that I should release my own, I can stipulate that it should not access the contacts. If my advertising network started spewing out malware, perhaps a more conservative token collection may mitigate the malware.
Re: innocuous-looking app which, when installed
I give far more credence to the number of and nature of permissions requested than the number of g+ users who give it 5 stars and usually some indecipherable comment.
The raison d'être of the permissions model is to limit what an app can do. If it fails to do this then it is a critical flaw. But imagine there was some bug in your phone's PIN entry screen where pressing the volume rocker logged you in. I suppose you would argue that such a bug isn't too bad because one should expect that anyone who can physically access it could pwn it.
Hack a garage and the car inside with a child's toy and a few chips
Re: Driving the car
Yes, DoS is possible, but it is already possible. I remember visiting a scenic lookout tower about 10 years ago. It doubled as a communications tower. Upon returning to my car, the fob did not work. If you are going to DoS then the easiest and most effective technique is to flood the airwaves in those frequencies with white noise, not some elaborate fob emulator. The backup plan is to use your key. :)
Re: Driving the car
Sure. We move well past my knowledge of how they are implemented presently, but it really wouldn't be too hard to do. If each key fob has an identifier that gets broadcast with the code, and the car ignores unpaired fob identifiers, then the brute force would have to emulate a particular fob. Then you can count brute-force attempts by a fob ID having too many wrong guesses and lock them out.
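The receiver-side logic sketched in the comment above, as an added example that is not from the thread and does not describe any real vehicle's implementation. It assumes a simplified rolling code: each press sends the fob ID, an incrementing counter and a truncated HMAC tag over both, keyed with a per-fob secret shared at pairing time (a stand-in for whatever the real systems do, which the page does not specify). The car ignores unpaired IDs without keeping any state for them, accepts a paired fob only if its counter is ahead of the last seen value and within a small window, and after `MAX_FAILURES` bad attempts against one fob ID locks that ID until a manual resync. The key and IDs are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

WINDOW = 16          # how far ahead a counter may run (missed presses out of range)
MAX_FAILURES = 5     # bad attempts against one fob ID before it is locked out
TAG_BYTES = 4        # truncated tag length, like a 32-bit rolling code


def make_tag(key: bytes, fob_id: int, counter: int) -> bytes:
    """Tag binding fob ID and counter under the per-fob pairing secret."""
    msg = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]


@dataclass
class Fob:
    fob_id: int
    key: bytes
    counter: int = 0

    def press(self) -> tuple:
        """Each press advances the counter and emits (fob_id, counter, tag)."""
        self.counter += 1
        return (self.fob_id, self.counter, make_tag(self.key, self.fob_id, self.counter))


@dataclass
class Car:
    paired: dict                     # fob_id -> (key, last accepted counter)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def receive(self, fob_id: int, counter: int, tag: bytes) -> str:
        if fob_id not in self.paired:
            return "ignored"         # unpaired ID: no state, nothing to brute-force
        if fob_id in self.locked:
            return "locked"          # stays locked until resync, even for a genuine press
        key, last = self.paired[fob_id]
        expected = make_tag(key, fob_id, counter)
        in_window = last < counter <= last + WINDOW   # rejects replays (counter <= last)
        if in_window and hmac.compare_digest(expected, tag):
            self.paired[fob_id] = (key, counter)
            self.failures[fob_id] = 0
            return "unlocked"
        # Wrong tag or bad counter: count it against this fob ID.
        self.failures[fob_id] = self.failures.get(fob_id, 0) + 1
        if self.failures[fob_id] >= MAX_FAILURES:
            self.locked.add(fob_id)
            return "locked"
        return "rejected"

    def resync(self, fob_id: int, fob_counter: int) -> None:
        """Manual recovery (e.g. after opening with the physical key): clear the
        lockout and re-seed the counter from the fob in hand."""
        key, _ = self.paired[fob_id]
        self.paired[fob_id] = (key, fob_counter)
        self.failures[fob_id] = 0
        self.locked.discard(fob_id)


def demo() -> list:
    """Walk through a genuine press, a replay, an unpaired ID and a brute force."""
    key = bytes(range(32))                         # constructed pairing secret
    fob = Fob(fob_id=0x1234, key=key)
    car = Car(paired={0x1234: (key, 0)})
    log = [car.receive(*fob.press())]              # genuine: unlocked
    msg = fob.press()
    log.append(car.receive(*msg))                  # genuine: unlocked
    log.append(car.receive(*msg))                  # replay of same frame: rejected
    log.append(car.receive(0x9999, 1, b"\0" * 4))  # unpaired ID: ignored
    for _ in range(4):                             # guessing tags for the paired ID
        log.append(car.receive(0x1234, fob.counter + 1, b"\0" * 4))
    log.append(car.receive(*fob.press()))          # genuine press while locked: locked
    car.resync(0x1234, fob.counter)
    log.append(car.receive(*fob.press()))          # after resync: unlocked
    return log


if __name__ == "__main__":
    print(demo())
```

The lockout is keyed on the paired fob ID precisely so that an attacker cannot exhaust it from an ID the car has never heard of; the cost is that an attacker who does know your fob ID can lock you out of keyless entry by sending `MAX_FAILURES` junk frames, which is the same denial of service the earlier comment already accepts as unavoidable.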
Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin
Re: Pretty obvious - a keylogger was installed
> except if you use something like Keepass then even a key logger is not useful without the db you unlocked,
Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in their normal day to day operation need to plant listening devices for suspects.
It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.
Microsoft's Windows 10 Torrent-U-Like updates GULP DOWN your precious bandwidth
Re: Security vulnerability waiting to happen
It's no more risky than HTTPS. The slivers would be validated with something like SHA-256 or SHA-512. The hashes for all of the slivers would probably get downloaded over HTTPS or would maybe just rely on a digital signature to prove those hashes were decided by Microsoft.
Re: And sharing malware in 5 4 3
Someone doesn't understand how hashes work. Put it this way: if that was possible, don't you think Hollywood would be corrupting the torrents left, right and centre? For sure you could send my computer malware instead of the patch. Problem for you is that it won't be signed with Microsoft's private signature, so my computer will file it to the Windows equivalent of /dev/null.
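Both the "how do you prove the hash database hasn't been compromised" question from the Kaspersky thread above and the two replies here come down to the same construction: a manifest of per-chunk hashes, signed by the publisher, verified by the client before any chunk is trusted. The following is an added example, not code from the page or from Microsoft, and the page does not say which signature scheme Windows Update uses. To keep it standard-library only, the signature here is a Lamport one-time signature built from SHA-256 (a genuine public-key scheme, but each key pair signs exactly one message; a real publisher would use RSA or ECDSA). The key seed, the "patch" bytes and the attacker's payload are constructed for the demo; the seed-based key derivation is only for reproducibility, and real keys would come from a CSPRNG.

```python
import hashlib
import hmac

CHUNK = 64          # "sliver" size; the real chunk size is not stated on the page
DIGEST = 32         # SHA-256 digest length


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature over SHA-256 of the message.
def lamport_keygen(seed: bytes):
    """Private key: 256 pairs of secrets; public key: their hashes."""
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)] for i in range(256)]
    pk = [[H(x) for x in pair] for pair in sk]
    return sk, pk


def _bits(digest: bytes) -> list:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal one secret of each pair, chosen by the message digest bits.
    A Lamport key must never sign a second message."""
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[i][b])
               for i, (b, s) in enumerate(zip(_bits(H(msg)), sig)))


# Publisher side: split the payload, hash each chunk, sign the list of hashes.
def split(data: bytes) -> list:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def build_manifest(data: bytes) -> bytes:
    return b"".join(H(c) for c in split(data))


def publish(sk, data: bytes):
    manifest = build_manifest(data)
    return manifest, lamport_sign(sk, manifest)


# Client side: trust the manifest only under the publisher's public key,
# then trust each chunk only if it matches the manifest, wherever it came from.
def accept_manifest(pk, manifest: bytes, sig: list) -> bool:
    return len(manifest) % DIGEST == 0 and lamport_verify(pk, manifest, sig)


def chunk_ok(manifest: bytes, index: int, chunk: bytes) -> bool:
    expected = manifest[DIGEST * index: DIGEST * (index + 1)]
    return len(expected) == DIGEST and hmac.compare_digest(H(chunk), expected)


def assemble(manifest: bytes, chunks: list) -> bytes:
    """Reassemble a payload from peer-supplied chunks, rejecting any that fail."""
    if len(chunks) * DIGEST != len(manifest):
        raise ValueError("chunk count does not match manifest")
    for i, c in enumerate(chunks):
        if not chunk_ok(manifest, i, c):
            raise ValueError(f"chunk {i} failed hash check")
    return b"".join(chunks)


if __name__ == "__main__":
    sk, pk = lamport_keygen(b"constructed publisher seed")
    patch = bytes(range(256)) * 2                   # constructed 512-byte "patch"
    manifest, sig = publish(sk, patch)
    print("manifest accepted:", accept_manifest(pk, manifest, sig))
    peers = split(patch)
    peers[3] = b"\x00" * CHUNK                       # a peer serves a bad chunk
    print("bad chunk caught:", not chunk_ok(manifest, 3, peers[3]))
```

The signature covers the manifest, not the chunks, which is why it is cheap: one verification per update, then one hash per chunk. A peer who serves a corrupted or malicious chunk fails the hash check; an attacker who serves their own manifest fails the signature check because they cannot sign under the publisher's key; and the hash database itself cannot be quietly edited, because any change invalidates the signature.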
Edge out rivals? No! Firefox boss BLASTS Microsoft's Windows 10 browser brouhaha
Re: And there's more!
P2P is a completely sensible way to distribute large files. Do you not find it a bit weird that your laptop, PC and media centre* all independently download the same patches over your internet connection rather than sharing amongst themselves and only downloading it once?
I suggest you flag your network as metered.
* yes, sadly dead now
US to rethink hacker tool export rules after mass freakout in security land
Telcos given a breather to meet Oz metadata retention laws
MORE Windows 10 bugs! Too many Start menu apps BREAK it
Got an Android phone? SMASH IT with a hammer – and do it NOW
Re: filter at the telco level?
OK, assuming some sort of signature-based pattern can identify the infected video, why involve the telco at all? That would mean that the Hangouts app itself could perform the scan before sending it off for preview. This is important, because Hangouts can be pushed through Google Play as an update.
Although it wouldn't eliminate the attack vector (too many "insufficient storage"-esque errors on old devices), the attack surface would easily and quickly halve.
OK Google, you've got 90 days.
Australia to tax ALL international online purchases
Re: Won't affect my spending habits.
THIS.
The eBays and Amazons of this world aren't used as some sort of GST avoidance scheme. They are substantially more than 10% cheaper in most cases, are available at 10:30 at night, have detailed information about their products, user reviews and the like. No checkout queues (have you actually been to one of your shops, Gerry? Do your sales team know what is available in the market or are they too busy pushing the lines offering the best bonus that month?)
Take something simple like a phone case for some modern smartphone. How much change do you get from $35? Now go to eBay and do the same. If you are paying more than $10 you probably weren't looking very hard. Jumping from $10 to $11 doesn't change the equation.
By all means, include online purchases for GST (and add healthcare and education while you are there). Then fix up the super tax concessions, CGT and negative gearing avoidance schemes. That'll fix your revenue problem.
Sydney adopts 'world's first' e-ink parking signs
Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars
IoT must die
The sooner that we stop stumbling around the opportunities and take the threats with the same level of consideration, the safer we will be.
It just struck me during a discussion I have been having with someone who was complaining about their browser of choice's decision to block a certificate signed with an old broken algorithm. The inconvenience is real, but so is the threat. I was struck because I know they get the same emails as me and that they were again flooded with IoT development technology marketing. A lot of energy went into pushing people into such devices, but there is really nothing on security.
You wouldn't feel safe with a Windows Vista machine with no patches applied, yet we are building impossible-to-update firmware into all sorts of gadgets with life expectancies above and beyond. It is a weird world sometimes.
Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet
Your gadget batteries endanger planes, says Boeing
Mozilla's ‘Great or Dead’ philosophy may save bloated blimp Firefox
Re: Agree - don't run scripts without permission. µMatrix and µBlock are good for Chrome.
>Why can't they bring these libraries under their own domain and take responsibility?
1. They would then have to pay for that bandwidth.
2. Chances are that their site is not the first you have visited that includes that particular framework. They can therefore leverage the cached (possibly even precompiled) version for better load times.
3. A website is never going to take responsibility for the resources your computer asks for.
Sod the law! We'll crack on with our metadata witchhunts, growl cops
Isn't evidence gathered outside the law inadmissible? Surely that is the whole point of a warrant: to fairly evaluate whether the particular action, which would in other situations be illegal, should be deemed lawful as an exceptional circumstance, the judgement made by someone independent and competent.
Microsoft nixes A-V updates for XP, exposes 180 MEEELLION luddites
Brandis' metadata retention recipe doesn't prohibit USB drives stored in a garden shed
Smartphones are ludicrously under-used, so steal their brains
Samsung stuffs 2 TERABYTES into flash drive for ordinary folk
Microsoft in Blighty reveals its 78 THOUSAND POUND Surface 3 slabloid
Get READY: Scientists set to make TIME STAND STILL tonight
China's best phone yet: Huawei P8 5.2-inch money-saving Android smartie
Australian government demands signoff on telco network designs
Even if I take them at their word, how it will or won't be used is a useless fact, because they can only promise what THEY will or won't do.
Good legislation is rather defined about what can or can't be done and whether some future activity will be ruled as legal or illegal under the act.
Why is this government doing its best to pretend they don't understand what separation of powers is for and why it is a good idea?
Hey, Sand Hill Exchange. Shouting 'blockchain!' won't stop the Feds
Samsung caught disabling Windows Update to run its own bloatware
Re: Windows Update is a nightmare
>I set it to just notify. If I'm tethered to my 4G phone, I don't exactly appreciate the laptop deciding it'll take my 1GB quota all to itself just for Windows update.
That is probably the most useful enhancement in Windows 8. If only they kept the Windows 7 shell.
Mum fails to nuke killer spider nest from orbit
That is the second worst thing I have read about spiders today!