* Posts by DaLo

732 publicly visible posts • joined 30 Aug 2012


Surprise! Apple launches iOS 14 today, and developers were given just 24 hours' notice

DaLo
WTF?

Re: Deep Analysis

Yes, it is - Apple developers will need to implement the ability in their apps, that is what it is saying in the article. Why does my post not make any sense, maybe your analysis wasn't so "deep"? I presume having done "deep analysis" you have checked the iOS 14 developer documentation or just some articles as well to back this up?

I'll break down the paragraph for you:

"Android devices have had this for some time and the [Apple PiP feature] must be implemented by developers on an app-by-app basis. It's therefore conceivable that your preferred streaming service on [iOS 14] may not support it on launch. Obviously, both Safari and Apple TV [developed by Apple] will offer it from the get-go [but other Apple apps will not as they have to develop it for their apps]."

DaLo
Facepalm

Deep Analysis

So your "deep analysis" is stating that others create a "half-baked version" and "Apple takes its time and gets it right". To prove this point after doing "deep analysis" you point to the fact that on Android a developer needs to implement this in their app.

However your "deep analysis" failed to spot the context and the text after which I'll quote in full here "Android devices have had this for some time and it must be implemented by developers on an app-by-app basis. It's therefore conceivable that your preferred streaming service may not support it on launch. Obviously, both Safari and Apple TV will offer it from the get-go."

Which even with some "light analysis" is obviously talking about Apple developers needing to implement it on an app-by-app basis.

Therefore my conclusion is that you must actually now agree (maybe after some further analysis?) that Apple has actually released something half-baked?

SpaceX Falcon 9 and Dragon cleared to hoist real live American astronauts into space

DaLo

Maybe that's why one of the astronauts, Bob Behnken, looks like he's bricking it pre-launch?

https://ichef.bbci.co.uk/news/976/cpsprodpb/65F7/production/_112430162_49927475262_d1079989f9_k-.jpg

Remember the Uber self-driving car that killed a woman crossing the street? The AI had no clue about jaywalkers

DaLo

Re: Surely

I think the biggest issue is false positives. These systems can detect these objects, and easily avoid them (as long as they have a radar reflection and/or a lidar map). However allowing the vehicle to do that would result in a horrendous ride that could be dangerous to other vehicles. It'd be jumping like a kangaroo at times.

So it tries to risk profile detected objects - similar to how humans do (and we often get it wrong). So if we see a human on the side of the road we look for subtle clues in body language as well as whether they are looking at us to determine whether they are about to cross the road in front of us, or pull out at a junction. Just determining a path is not always enough of a clue as to the risk.

Sod 3G, that can go, but don't rush to turn off 2G, UK still needs it – report

DaLo

Re: On the other hand

How many people and businesses are prepared for the PSTN and ISDN switch off in 5 years' time?

How much PSTN and ISDN kit is still available to buy?

Conspiracy loons claim victory in Brighton and Hove as council rejects plans to build 5G masts

DaLo

Re: Wow, what a catalog

They don't need growing evidence.

Just evidence would be enough*

*peer reviewed of course and published in a respectable journal

Teletext Holidays a) exists and b) left 200k customer call recordings exposed in S3 bucket

DaLo

Re: What muppet recorded the keytones ?

They are storing on an insecure public server and you think they might have gone through a proper PCI compliance process.

Interestingly, the fact that they are clearly not PCI compliant should see major fines from their card processing company and possible suspension of their use of Visa/Mastercard for the foreseeable future.

DaLo

Re: [S3] users have to actively turn off security

They find it a hassle to create an AWS VPN, especially when they are an agency dev and used to working directly on LAN servers, will continue to develop the app once the initial builds have been dropped and the new VPN would need to be transferred (or second one created) for the customer. Which will then require some configuration of their firewall ... etc..

So you just assign it a public IP, open it to the public and connect to that from the application. Works from Dev, From Test, From customer and from partners (oh and from anyone else who wishes to connect to it without you knowing).

It's just lazy (non)security. Then again it is still possible to find SQL injections floating around, even from major enterprise communication companies. So it's no surprise.
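The "open it to the public and connect from anywhere" configuration described in the post above is easy to spot with a static look at the bucket policy. The following is an added example, not code from the thread or from AWS: it implements a simplified approximation of what AWS counts as a "public" bucket policy (a wildcard principal in an Allow statement with no condition pinning it to a network, endpoint or account), which is not the exact S3 Block Public Access evaluator. The lazy policy and the hardened policy beside it are constructed, and the bucket name, account id and VPC endpoint id are made up.

```python
"""Static check for the 'just make it public' S3 pattern.

Added example; not the thread's or AWS's code. Simplified approximation of
AWS's "public policy" definition. Bucket, account and VPC endpoint ids are
made up."""
import json

# Condition keys that can pin a wildcard principal to a known network,
# endpoint or account. A wildcard Allow with none of them is world-reachable.
RESTRICTING_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip",
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _restricted(statement):
    """True if any condition key narrows who can use the statement."""
    for operator in statement.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_KEYS for key in operator):
            return True
    return False


def public_statements(policy):
    """Sids (or index) of Allow statements that anyone on the internet can use."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if (st.get("Effect") == "Allow"
                and _wildcard_principal(st.get("Principal"))
                and not _restricted(st)):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def is_public(policy):
    return bool(public_statements(policy))


def block_public_access_enabled(config):
    """All four Block Public Access flags must be on for the bucket/account."""
    return all(config.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))


# The lazy policy: works from dev, test, the customer... and everyone else.
LAZY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadForEveryone",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-call-recordings/*"
  }]
}""")

# Same access, limited to one application role arriving via one VPC endpoint.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleViaVpcEndpoint",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/recordings-app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-call-recordings/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }, {
    "Sid": "DenyEverythingElse",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-call-recordings",
                 "arn:aws:s3:::example-call-recordings/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}""")

if __name__ == "__main__":
    for name, pol in (("lazy", LAZY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public statements:", public_statements(pol))
```

The hardened policy does what the post says the agency could not be bothered with: the app reaches the bucket through a VPC endpoint and nothing else is allowed in. Note that the blanket Deny also locks out anyone administering the bucket from outside that endpoint, so in practice an admin role is usually exempted from it; and the policy check only covers the policy, which is why the Block Public Access flags are checked separately.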

Despite billions in spending, your 'military grade' network will still be leaking data

DaLo

Re: Mis delivered letters

"...and put it back in my mailbox."

Surely if you put it back in your mailbox you are delivering it back to yourself?

Sleeping Tesla driver wonders why his car ploughed into 11 traffic cones on a motorway

DaLo

Not true and this is a well known limitation of automatic braking. Fully stationary objects, especially if they aren't recognised as a vehicle, don't work very well. If the cones were moving slowly then it would work, or if the cones had moved slowly and then stopped it would.

Lidar would also have worked in this situation.

However regular AEB from most (all?) will struggle and probably fail here. It is easy for them to be detected and work with stationary objects; it's just that your car will be driving like a kangaroo for many journeys through town and you'll be constantly rear-ended. Their AEB only kicks in when it is sure.

Tesla’s Autopilot losing track of devs crashing out of 'leccy car maker

DaLo

Re: A fair way to go

"Plus it doesn't help that the EU cripple all systems from auto-steering tight rural road bends."

It's a UNECE Working Party 29 requirement which is for type approval of cars across North America and Europe. It wasn't an EU mandate.

UK privacy watchdog threatens British Airways with 747-sized fine for massive personal data blurt

DaLo

Oh that'll be a nice bit of compensation for the customers whose data was taken due to security failings.

Doesn't help with the amount of anguish knowing you are just a moment away from being the victim of identity theft and having to once again change your card details and keep constantly vigilant for unauthorised loan applications. However £378 goes a little way towards easing the pain.

...wait, what was that?

You're saying the people whose data got stolen don't get any of it and the money all goes into the general taxation pot?

Well that sucks.

Court drama: Did Oracle bully its customers into the cloud? Nine insiders to blow the whistle

DaLo

Re: Do you HAVE to use Oracle?

For huge databases there are also alternatives. However, Oracle is legacy - legacy with DBA experience, legacy with applications, legacy in the mindset.

There really aren't that many companies where Oracle is the only fit for their needs, however - if it ain't broke and the fees are still smaller than the GDP of a distant nation then carry on.

Oh dear. Secret Huawei enterprise router snoop 'backdoor' was Telnet service, sighs Vodafone

DaLo
Facepalm

Re: Telnet IS a backdoor

Of course that is the way to 'prove you wrong'.

71 downvotes so far on this topic, it may tell you something.

DaLo

Re: Telnet IS a backdoor

From this comment: "Learning things from sources other than Google searches might help..."

From your previous comment: "You know, you would've come across as less ignorant had you searched in Google for..."

You know there is a troll icon that you can use that saves a lot of time and is generally considered good manners to use on this forum when trolling?

DaLo

Re: Telnet IS a backdoor

Wow, you're a bit abusive aren't you? First you confuse insecurity with a backdoor, then you claim there's no such thing as a Telnet Server.

Hmm -> Telnet Server

DaLo

Re: Telnet IS a backdoor

"There was. At least I hope there was a password. That's what Huawei said. Because they needed Telnet for troubleshooting and maintenance."

They didn't say that at all. They said, according to the article, "configure and test the network devices". Now this could very easily have been during manufacture as part of the QA with the final sign off, disabling the login or writing out the customer firmware to the device. There doesn't appear to be any suggestion that a login still remained on the device. If you've ever looked at a lot of electronics they have a diagnostic port that is often underneath the cover that is used for the same purpose.

As for your talk about no such thing as a telnet server? What are you on about? In client-server computing you define one thing that accepts requests as a server and you connect to it with a client. A machine with ports open to accept an incoming Telnet connection can be referred to as a Telnet Server or Service, the machine you connect to it with can be regarded as the Telnet Client. What tool you use to fire this up or maintain it, or if it calls itself something different on your device is largely irrelevant.

DaLo

Re: Telnet IS a backdoor

You are completely confusing the word 'backdoor' with 'insecure'. The issue with being able to sniff the traffic is only an issue if the end user decides to use Telnet, and if they are security conscious they wouldn't use it where it is possible to intercept.

Having Telnet does not allow you to sniff the traffic going across the router/switch it just allows you an insecure way of logging in.

You could easily say that if it didn't have password complexity requirements built in it is a 'backdoor' using the same logic. No it isn't it is no less safe a device, it could just be used in an unsafe way.

If there was a hardcoded password on the device that was available to the telnet interface (especially if it could be accessed remotely) = backdoor.

Its use wasn't in 2019 - it was 2011/2012 and many, many switches and routers still included telnet servers (and SNMP v1) at that time.

Apple, Samsung feel the pain as smartphone market slumps to lowest shipments in 5 YEARS

DaLo

Re: Just one question

It's not just that it's a replacement market. It's also the fact that the replacements are slowing too.

<IMHO>

When there was high innovation (especially when prices were lower) then more people were enticed by the shiny new kit. When older devices still work so well and can run most of the apps available there is less incentive to upgrade. A combination of bundled phone insurance, third party repair shops and screen covers/cases being almost ubiquitous make replacement due to damage less likely also.

</IMHO>

DaLo

Re: 5 YEARS

I wonder if Huawei are also suffering for the same reason

Seemingly not. From the article "Huawei snuck into second spot with 50 per cent climb in shipments to 59.1 million, giving it a 18.8 per cent share of sales, versus 11.7 in Q1 '18."

Hams try to re-carve the amateur radio spectrum in fight over open or encoded transmissions

DaLo

Re: Can we please stop

I think you've misunderstood the article. Might be an idea to reread it?

Fortune favours the Brave: Privacy browser chap takes gripes over adtech body's website to Irish data watchdog

DaLo

Re: The next target ...

And PECR which preceded it.

Ex-Mozilla CTO: US border cops demanded I unlock my phone, laptop at SF airport – and I'm an American citizen

DaLo

How do you know they don't? There might not have been any commercial secrets of significant classification on there. Maybe he just didn't like the intimidation and the fact that they wanted to go through his private stuff without a warrant. They may also have planted anything they wanted in there once they got access.

He might also just not have wanted random stabbed to be rummaging through his holiday snaps, SMS, emails etc. Perfectly understandable if you ask me. Why is it any business at all of some random dude to be rummaging through your personal data?

P30 pic pyrotechnics in Paris: That's one Huawei to set the smartphone world alight

DaLo

Re: "range"?

Other way around as Chz said. The P30 has a Jack the P30 Pro doesn't.

This headline is proudly brought to you by wired keyboards: Wireless Fujitsu model hacked

DaLo

Yes, but don't forget the PC would also need to be left logged in and unattended for a certain amount of time (I instinctively WinKey + L when I leave my desk).

However I would suggest that you don't need to type into a hex editor blind. You just inject a whole series of commands automatically as a set routine which would have the desired results - just as you notice the target standing up to go to the bathroom and before their PC timeout occurs.

That's Numberwang! Google Cloud staffer breaks record for most accurate Pi calculation

DaLo
Headmaster

"Who knew that the when the company derived its name from the number Googolplex"

They didn't, they derived it from a googol; their HQ came from a googolplex.

DaLo

How I wish I could calculate PI, really tried but failed

No guns or lockpicks needed to nick modern cars if they're fitted with hackable 'smart' alarms

DaLo
Facepalm

'the company boasted their security was "unhackable"'

When will they ever learn.

USB4: Based on Thunderbolt 3. Two times the data rate, at 40Gbps. One fewer space. Zero confusing versions

DaLo

Re: What about power delivery?

If the device needs 30 Watts then surely 100 Watts is more than enough for that?

I don't quite understand your point.

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

DaLo

Re: 1Pass

This will be Troy Hunt's recommendation. He is definitely a big fan of theirs!

DaLo

They aren't typing the password in multiple times. They have already stolen the password, it's just that it's in an encrypted form. What they then do is try to find the original password (or even a different password that would give the same result when encrypted!).

They can do this by trying every possible password one by one (against the same encryption method) until the encrypted result matches. So they start by trying 'a' then 'b' then 'c' ...a loong time later.... then 'Abhg75^&%fgtrds'. All these encryption methods cannot simply be reversed, i.e. they are one-way so you can't just enter the encrypted (hashed) password and get the original plain text password as the plain text password no longer exists in any form. However some encryption schemes have vulnerabilities in the random number generator or method used that can reduce the number of attempts significantly. They might also demand a minimum of 6 characters so the attacker doesn't need to check for passwords less than 6 chars. However they would normally start by checking a dictionary list that would contain popular passwords, all the passwords from major breaches, all the words in a dictionary, every birth date, people's names, including multiple capitalisation, swapping letters for common symbols (such as pa$$w0rd) etc.

In the end they may get a match for the password (and - it doesn't always need to be the exact same password, but nowadays it normally is, it just needs to produce the same output when encrypted). They then use this password to log in on their 'first' attempt.

How do they steal your encrypted password? Well either they have access to your PC/Network and have dumped the 'encrypted' password file or more likely they have stolen it from a website or intercepted it when sending it remotely.
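The search the post above describes (hash each guess with the same one-way function and compare, dictionary and mangling rules first, exhaustive search last) in working form. This is an added example, not code from the article or the thread. It is specific to the NTLM hash the headline is about: NTLM is MD4 over the UTF-16LE encoding of the password with no salt, and because Python's hashlib is frequently built without MD4 (OpenSSL 3 disables it), MD4 is implemented inline. The wordlist, the mangling rules, the suffix list and the hashes being cracked are all constructed for the example.

```python
"""Offline NTLM cracking: dictionary + mangling rules, then brute force.

Added example, not from the article. MD4 is implemented here because
hashlib often lacks it. Wordlist, rules and target hashes are constructed."""
import itertools
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, 48 steps in three rounds."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d

        def rnd(fn, order, shifts, k):
            nonlocal a, b, c, d
            for i, j in enumerate(order):
                t = _rotl((a + fn(b, c, d) + X[j] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c          # rotate roles for the next step

        rnd(lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0)
        rnd(lambda x, y, z: (x & y) | (x & z) | (y & z),
            (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
            (3, 5, 9, 13), 0x5A827999)
        rnd(lambda x, y, z: x ^ y ^ z,
            (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
            (3, 9, 11, 15), 0x6ED9EBA1)
        a, b, c, d = ((a + aa) & _MASK, (b + bb) & _MASK,
                      (c + cc) & _MASK, (d + dd) & _MASK)
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NTLM hash: unsalted MD4 of the UTF-16LE password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


# Cheap mangling rules of the kind the post describes (constructed here).
LEET = str.maketrans({"s": "$", "o": "0", "e": "3", "i": "1"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!1", "123", "2019"]


def mangle(word):
    """Yield the word plus case, leet and suffix variants, without repeats."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for variant in (base, base.translate(LEET)):
            for sfx in SUFFIXES:
                cand = variant + sfx
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def _search(candidates, targets):
    # One hash per guess is checked against every target at once: NTLM has
    # no salt, so a dump of 10,000 hashes costs no more to attack than one.
    want = {h.lower() for h in targets}
    found = {}
    for cand in candidates:
        h = ntlm(cand)
        if h in want and h not in found:
            found[h] = cand
            if len(found) == len(want):
                break
    return found


def dictionary_attack(targets, wordlist):
    """Return {hash: plaintext} for every target hit by wordlist + rules."""
    return _search((c for w in wordlist for c in mangle(w)), targets)


def brute_force(targets, charset, max_len):
    """Exhaust 'a', 'b', ..., 'aa', ... up to max_len over charset."""
    return _search(("".join(t) for n in range(1, max_len + 1)
                    for t in itertools.product(charset, repeat=n)), targets)


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search of that length must try."""
    return charset_size ** length


if __name__ == "__main__":
    dump = {ntlm("pa$$w0rd"), ntlm("Letmein123"), ntlm("correct horse battery staple")}
    print(dictionary_attack(dump, ["dragon", "password", "letmein"]))
    print(brute_force({ntlm("cat")}, "abcdefghijklmnopqrstuvwxyz", 3))
    print("8 chars over 95 printable characters:", keyspace(95, 8))
```

The pure-Python hashing is slow, but the shape is the same as the GPU tools: guess, hash, compare, and the unsalted hash means the whole dump is attacked in one pass. The last line is the headline's point in one number: 95^8 is 6,634,204,312,890,625 candidates, which is what an exhaustive search of every printable 8-character password has to cover.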

First they came for Equifax and we did nothing because America. Now they are coming for back-end systems and we're...

DaLo

"...it was not aware of anyone selling or misusing the pilfered information"

Well they didn't notice someone breaching their system so the chance of them 'being aware' of anything is slim. It's quite galling when this line is trotted out, as though them being aware makes any difference whatsoever to whether someone is at risk of their information being abused. You can assume that if someone went to the trouble of hacking their systems and gaining some extremely valuable data then it already has been misused and it is likely to be misused further - why wouldn't it.

Completely meaningless.

Lovely website you got there. Would be a shame if we, er, someone were to sink it: Google warns EU link tax will magnify media monetary misery

DaLo

Re: Contentious but ....

"The simple solution is Google News pays for it's contents (like other aggregators) "

Can you point to these other aggregators that pay to link through to other sites (with no more than a headline and an image)?

Things that make you go .hm... Has a piece of the internet just sunk into the ocean? It appears so

DaLo
Headmaster

Re: "just north of Antarctica"

Surely most things are a certain colour due to 'reflected light'?

DaLo

Re: "just north of Antarctica"

"It's an old joke. A bear walks by, and everywhere he looks is "south". Where is the bear?"

Joke? ... or riddle?

Thanks for all those data-flow warnings, UK.gov. Now let's talk about your own Brexit prep. Yep, just as we thought

DaLo

I don't really see what the problem is.

Whether we leave with a 'deal' or not does not impact data as we will still be a 'third country' to the EU. It's only if that deal specifically includes a clause that the EU will, using section 101 of EU Regulation 2016/679. The withdrawal agreement in Article 71 suggests some protections of personal data but does not state that the UK will be found to have equivalent data protections under this agreement. However having fully implemented GDPR then the European Commission could very quickly agree adequacy of data protection whether there is a deal or not - remember the USA is still deemed adequate despite being referred to the courts saying it isn't and obviously doesn't have the same safeguards as the UK.

Therefore data that is stored in the EU can still be accessed just by the UK determining that it holds sufficient data protection when they formalise the Great Repeal Bill.

The issue then comes if the EU determine that they refuse to grant the UK a status that would ensure it is seen as adequate to protect EU data and they also feel that the data sat on the servers in the EU is now EU data due to residency and refuse to allow it to be processed by the UK. However how would they know if that data holds PII without somehow demanding to see that data.

I don't think anyone stopped using US servers when it was found that Safe Harbour was not adequate - I'm not sure why our GDPR protections and the EU GDPR protections would suddenly seem to be invalid and therefore the data storage location immediately relevant?

Trying to log into Office 365 right now? It's a coin flip, says Microsoft: Service goes TITSUP as Azure portal wobbles

DaLo

Re: And this is what you get

And therein lies the problem. You get geographical separation, however you need to do synchronous replication to ensure consistency, which has issues if you have a distance with even moderate latency as you have to await the ack from the remote site before processing the next bit of data. So you then use a cached synchroniser which keeps the latency down but must be physically separated from the rest of the network, separate power etc. However you also need local redundancy so you don't have to rely on your separate geographical location. So you can end up with three to four parallel systems (possibly each running RAID 10) and your storage requirements get quite large.

You also need a third location to ensure you don't get a split brain scenario. To use your second geo location you also need the infrastructure to be able to run from that location - extra internet connection, switch hardware etc. Then you might also need a physical location to use that connects to it. Don't get started about the live testing that you need to do to make sure it all works (and what if it doesn't during that test - all hell breaks loose)

Or you could just host it in the cloud (which has some of its own risks, for sure) - you can see why it can be an attractive option. Don't need to worry about it and your head isn't on the chopping block if your expensive "bullet-proof" system stops working.

DaLo

Re: And this is what you get

Hmm, very different from "if you can't afford for it to go down".

There's also still many ways that a system can go down, other than a single or even multiple server outages.

Also a backup will only restore to a certain recovery point in a certain recovery time. May be fine for your file server but if you are dealing with real-time high volume databases then restoring from backup might be pointless - if that is your 'solution' to a system you can't afford to go down.

DaLo

Re: And this is what you get

"If you can't afford for something to go down, host it yourself and have backups."

Ahh, yes it will never go down if you have that 'solution'!

Kwik-Fit hit by MOT fail, that's Malware On Target

DaLo

Re: re: Too bad they couldn't continue operating as normal with paper records,

I doubt it is all rubbish, it is an exercise in risk. You aim to mitigate risk and put procedures in place and analyse the impact. Sometimes pen and paper might suffice. Sometimes it's running a script every hour to create a report of all current orders/customers etc which is saved to a different location.

However the idea that every organisation can revert to paper just because some can is a fallacy. Even in some cases where they could revert to paper you can get to a stage where that data would need to be reentered into a system before any new data (so the new data also has to be handled manually) can be accepted once it is back up. After a certain period of down time (will vary for all systems and organisations) you can get to a point where the outstanding queue of data becomes too large to be able to re-enter.

I would always look to engineer a fallback to the lowest common denominator, however sometimes it is not possible and you have to accept that if there is a systems failure, you're better off shutting up shop until it is resolved and then re-opening again and hope you don't go bankrupt in the meantime.

Stop, collaborate, and listen: Microsoft Teams gets an Atlassian glisten

DaLo
WTF?

Yeah, you're right. On closer inspection even though it is an MSi (which is normally a great deployment option for Windows) the Teams installer doesn't actually install it. It just runs the installer and creates a separate copy of the program in APPDATA every time a user logs in. WTF?

DaLo

iPhone price cuts are coming, teases Apple CEO. *Bring-bring* Hello, Apple UK? It's El Reg. You free to chat?

DaLo

Re: so

Who's Jack?
