* Posts by Lee D

4232 publicly visible posts • joined 14 Feb 2013

AGM X3: Swoon at this rugged interloper mobe then throw it on the floor to impress your mates

Lee D Silver badge

You are indeed correct. +1 Pedantry.

But I think it's clear what I mean. 99.99% of all the electronics I ever touch aren't waterproof, or even water resistant. I don't see why a phone should be any different.

You can be sure, for example, that even most watches that say you can take them swimming aren't waterproof - they will likely survive a few metres for a few minutes, and that's it.

I'd like that it didn't destroy itself if there was a single raindrop on it. Beyond that, I can't see that having it "water resistant" or "waterproof" makes any difference at all, whatsoever.

People carry around games consoles, tablets, radios and all kinds of other gadgets. Virtually none of them are waterproof and nobody cares. Why should it matter for a phone? It's literally a stupidity tax on us all courtesy of those people who take their phone into the bathroom and leave it dangling precariously beside the sink/toilet while they are using the running water.

Lee D Silver badge

I will pay £200.

I would like a phone that:

- Makes calls.

- Does 4G (or above, I'm not fussy).

- Has plain Android.

- The usuals that you get by using standard chipsets - Wifi, Bluetooth, NFC, hotspot, etc.

- Has a way to upgrade independent of the manufacturer (I mean, seriously, if you don't want the burden of updates, just make it plain Android, give people firmware update access - even if you have to flag the device as modified - and fire the documentation in the direction of the LineageOS people... then you can wash your hands of it).

- Has a screen that isn't going to crack in two seconds (no Edge, no thin metal frame)... the tougher the better. My car has a spongy plastic touchscreen, like the Palm etc. devices of old, and I'd be quite happy with that.

- Can replace the screen, the battery and the storage easily (A microSD slot costs NOTHING and extends the life of my phone significantly).

I don't need:

- Multiple cameras and fancy processing (I really don't care about those photos in the articles any more... if it's not bright enough, put the flash on!)

- Complete waterproofing (handy, sure, but I'm not going to pay for the difference between IP55 and IP65, to be honest).

- Any kind of non-standard screen (flat, rectangular, edged, no-notch and sturdy every time, thank you). Literally, I don't care about hardware buttons either. At least they do something and can detect "The user is holding for 5 so I should emergency power off". All this "let's hide the button inside the screen" nonsense is just wasteful.

- Extremely thin things. Thin things are fragile. Make it thick. Literally, bulk it out with a case and stuff, even if the phone itself is really thin. Then I can feel it in my pocket (or feel when it goes missing), hold it in my hand, and accidentally sit on it without worrying.

I'd quite like:

- Integrated but replaceable cases (sell me it in a big soft rubberised case that people can make replacements of!). Hell, put little flip-stands and bits INSIDE the case too! I'm tired of having to buy a phone and then, immediately, a case to put it in to cover up its fragile areas.

Given that I can get the electronics for that from a Raspberry Pi Zero, a camera module and a GSM hat, for way, way under £100 even for a single unit, I don't think it's much to ask. Hell, I would actually BUY a phone that was just a Raspberry Pi module in a fancy case with a battery. I honestly don't care about the specs past a point... and running a casual web browser, a couple of Android apps and managing calls and a camera is way within ANY machine nowadays. When it breaks, replace the Pi. When you upgrade, just backup the SD card and you're done - firmware and all. When 5G modules come out, just swap the module.

Until such a thing exists, I can't honestly say I will never change my phone for one of these modern things until it literally dies and I can't get anything else.

But, you know, a phone with a USB-in, two USB-outs, and a hefty battery combined inside it to make it the size and purpose of a battery pack as well as a phone... sold. I couldn't care less if it was 1.5cm thick to do that.

WWW = Woeful, er, winternet wendering? CERN browser rebuilt after 30 years barely recognizes modern web

Lee D Silver badge

Re: Todays WWW is all behind HTTPS

Lynx works just fine with HTTPS.

You need OpenSSL installed, and it to be compiled with that knowledge, but it works - I use it all the time on SSL sites.

Looking around, that's been the same since the late 2000's at the very least.

Apple reseller Solutions Inc pulls down shutters, calls in administrators

Lee D Silver badge

Companies I would not want to work for:

- Anyone dealing with selling Apple's kit for them.

- Anyone subject to the whims of a single supplier, and their pricing, etc. (there's virtually no such thing as an Apple discount or profit margin on selling their kit, except second-hand).

- Any company turning over £12m that can't make a substantial profit (let alone two years of loss!)

- Any company selling tech that you could easily buy online for the same or a substantially better price.

- Any company that doesn't file returns in time.

Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative

Lee D Silver badge

If you are asking software to show you / allow you to copy / etc. your password, then that password is fundamentally electronically available to anything else running as the same user.

If you want to run password software, run it as an entirely different user, or on an entirely different device, to that which you utilise the services.

An "offline" phone holding this stuff in a memo, or even a notepad, is thus fundamentally more secure in such instances. They have other flaws (the former, I'm hard pushed to think of one... you can encrypt it, you can fingerprint-lock it, you can back it up, you can afford to both secure and lose the device, etc.) but they are no less secure.

The problem is that we are STILL running computers as "just one user", in effect. All your processes can sniff other processes' RAM, anything that runs as the same user, in fact. All your word processors, web browsers and password managers are running as that same user with no proper isolation. You're more isolated from the DNS client service in Windows than you are your own password manager - at least that runs as an entirely different user.

Sorry, but all the password manager nonsense is just that. If you want to secure your passwords, run such a "password manager" entirely offline, on a separate device, that's not useful if stolen and can't be easily "hacked" (i.e. encryption and keep it in Aeroplane mode without a SIM). A tablet would do, and may help with the "I don't know what the GSM chip is doing".

But if you want the convenience of something that will copy/paste your passwords into third-party applications for you, then it's going to expose them to RAM, and they'll be sniffable as anything that you've allowed to run. As such, it's no more secure than, say, Chrome's in-built save-password functionality.

Sure, it's inconvenient to have to have another device to do all that. Convenience trades off against security, though.

Hell, if you really want to, get something with GPS (so that you can keep the clock updated without being "online") and also use it for, e.g. 2FA TOTP apps for any services that support that (so you can *safely* type those passwords into a pseudo-compromised machine and it won't matter as they won't be valid by the time anyone else tries to use them).

But a password manager running as your browser-user is pointless. A password manager with the convenience of plain-text copy/paste (or even display) on the same device as you're entering the password is useless. A password manager itself - especially if it requires Internet connectivity of any kind - is just another layer of risk around your passwords.

Old phone/tablet. Encrypt it. Install a couple of apps. Kill its offline connections. THEN store your passwords on it. Maybe use GPS timesync and whatever OTP apps you need if you want it to generate OTP tokens (they should only need a fairly-accurate time, not Internet).

Leave it in your house and are burgled? No problem.

Someone gets in your PC? Problem, but they won't have any password you haven't saved on that PC somehow.

Difficulty of using? "Oh, what's that password?". Turn on. Check list. Turn off.

Difficulty of replicating? Ten minutes, the encryption password / fingerprint, and another similar device.

I bought an Android tablet off Amazon for £10, it has no GSM and doesn't connect to any Wifi, lets me encrypt the SD card, and has passcode/passphrase login. That's more secure than any of this password manager tosh.
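The post above relies on OTP apps needing only a shared secret and a "fairly-accurate time", not Internet. As an added example (not Lee D's code, nor any password manager's), here is RFC 6238 TOTP written out so that dependency is visible, with a verifier that accepts a clock out by one 30-second step either way. The secret is the RFC's published reference key, not a real one.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 4226/6238 reference-vector key
# (ASCII "12345678901234567890"), chosen so results can be checked offline.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is derived from the clock alone.
    Nothing here touches a network; the only inputs are secret and time."""
    return hotp(secret, unix_time // step, digits)


def current_code(secret: bytes = SECRET) -> str:
    """Convenience wrapper for an offline device: uses the local clock."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, code: str, unix_time: int,
                skew_steps: int = 1, step: int = STEP_SECONDS,
                digits: int = DIGITS) -> bool:
    """Server-side check that tolerates a device clock off by up to
    `skew_steps` steps (30 s each) in either direction, which is why the
    generating device only needs a fairly accurate clock (GPS, radio, or
    a manually set one) rather than a network time sync.
    Uses a constant-time comparison so the check does not leak which
    digits matched."""
    counter = unix_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Reference vector from RFC 6238 (SHA1, 8 digits): T=59 -> 94287082
    print(totp(SECRET, 59))
    print(current_code())
```

A code minted at T=59 still verifies at T=89 (one step late) but not at T=150, so a device clock drifting by more than the skew window is the failure mode to watch for, not connectivity.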

Visited the Grand Canyon since 2000? You'll have great photos – and maybe a teensy bit of unwanted radiation

Lee D Silver badge

Accused hacker Lauri Love loses legal bid to reclaim seized IT gear

Lee D Silver badge

There isn't a legal system in the world that's entirely innocent-until-guilty. Failing to provide a breath specimen if suspected of drink-driving sees you arrested on a separate offence of doing just that, for example. With harsher penalties. Though the police can't *prove* that you were over the limit because you did that, they have a specific offence for that exact action of failing to co-operate with them. It's not the only example - all kinds of anti-terror legislation and even much more mundane matters have an element of guilty-until-innocent (think bailiffs coming to cart your stuff away... they will happily tag everything, even if it doesn't belong to you, until the person whose property it is comes and proves it... all sanctioned by a court and pre-dating any modern political manoeuvring whatsoever).

In this case, the court has evidence that it says (paraphrased) "may be used in criminal proceedings" in its possession, i.e. they're not done with it as they may still convict him. He wants that evidence back, before then. And he's still under US indictment, which is why they can still hold that evidence. Legal maneuvering is slow.

The "You brought this on yourself" is because he had failed to co-operate with any form of accessing that data, presumably. If he was innocent, he could co-operate, the courts get the evidence, he gets his kit back and the matter would be over. But he's not co-operating and instead demanding the evidence back from the courts itself, because - basically - his not-co-operating has slowed everything up.

Though you are not required to incriminate yourself, failing to co-operate with the courts is never going to end well.

As I said before, you don't represent yourself in court because this is what happens. Any lawyer trying the same argument would be laughed at and quite possibly sanctioned. It's like a murderer demanding his bloody knife back from the court, before it could be analysed. Except in this case, the only reason the evidence can't be properly analysed is because he refuses to unlock it.

There's a reason no lawyer would touch him, even via legal aid. And he's not accustomed to arguing in court and instead working on "principles" like "innocent-until-guilty". The law is much more specified than that. And a defendant in a criminal case demanding his own evidence-against-him back while simultaneously preventing the prosecution from accessing it is not something that any court in the world would allow.

This is a plain rebuke from the court for even attempting that line of reasoning. You can be sure any lawyer instructed to argue that would either a) refuse or b) be sanctioned for doing so. There may well be several dozen legal paths you could try, but not like this.

And on £120 a week, you better hope that you can hire a legal genius for nothing in order to discover them.

Solder and Lego required: The Register builds glorious Project Alias gizmo to deafen Alexa

Lee D Silver badge

Re: Dear el-reg

"Alexa, set a 3am alarm call with horror noises at full volume".

Lee D Silver badge

"As for the "Did it work?" part: yes, it did. Kind of. Our assembly may have lacked elegance but it did the trick. Sadly the key phrase wasn't always recognised, and the thing was easily flummoxed by background noise, but the makers acknowledge that more training is needed to bring the machine learning models up to speed, and they hope the community will get involved."

Sounds like every single "voice recognition" tool I've ever used in my entire life.

But I can't see why you'd go to the effort of baffling Alexa with lots of other gadgets when you could just use the thing you have that recognises voice commands (as well as anything else) and make your own smart assistant. I'm sure there must be a project somewhere already, if not a dozen of them. And with something like OpenHAB, you could easily make it control anything you liked. Even Alexa/Home-compatible devices.

Twilight of the sundials: Archaic timepiece dying out and millennials are to blame, reckons boffin

Lee D Silver badge

I can read an analogue clock.

I can build a sundial. I can even align it properly by several different means to make it more than accurate enough for everyday use.

And yet, every clock in my house (with the exception of one that's there to look pretty) is digital. And any time I reference the time, I use a digital display. The only "analogue" timekeepers in my house that are ever used are the time dials on the microwave and the egg timer. Even then, that's because the digital egg timer I bought was too quiet so it's useless, all I had otherwise was a spring/clockwork one, and the microwave was cheap.

In work, everything is synchronised to GMT to within a second or so. I mean, everything. Wall clocks, phones, computers, access control. Why that would be any other way in a modern workplace, I can't imagine, because you just plug the NTP settings in and off you go.

I hate watches now (phones are my time source now), but I have spent half my life with a Casio digital watch on my arm because one glance tells you day, date and time without any interpretation required. And if you bought the right model, it was MSF too.

I literally have one clock to change when the summer time idiocy takes effect - that's to that analogue clock. Sure, I can get MSF versions of it but it's not worth it as I never refer to it.

Basically, to me a clock has to be a) synched, b) numbers you can read quickly, c) unambiguous (AM/PM), d) have alarms you can set on it.

Now if we could just sort this "60 minutes to the hour, 24 hours to the day, 28-31 days in a month, 365.25 days to the year" imperial-like shite, then I'll be a happy man. Pick a time base, stick with it. Hell, we have no need to tie it to local noon or even the orbit of the planet any more. Just pick a timebase and stick to it, and then you *calculate* things like sunrise and sunset just like we have to do now, but with some sensible numbers.

Why does that website take forever to load? Clues: Three syllables, starts with a J, rhymes with crock of sh...

Lee D Silver badge

I close sites that take too long to load.

A lot of American news sites suffer particularly badly, for instance. The second that tab starts slowing up and affecting the others, I've lost interest in it.

I mean, I kind of get you using a lot of CPU if you're making live dynamic heatmaps, or I've asked to load a page with a thousand products and images on it, or things like that.

But a simple news story should load as fast as BBC News articles load, whether they have ads or not.

I feel absolutely no guilt about blocking ads. I have run ad-supported websites myself. You only make a pittance - it's really not a viable income stream for 99% of sites at all - and it annoys everyone.

And, as far as I'm concerned, loading third-party code from that third-party's URL and blindly executing it for all your visitors is tantamount to a virus, and certainly an easy avenue for someone to compromise your viewer's or your website in some fashion.

Just today, I went on the TFL site to plan a train journey on a smartphone. Four times I went on, and it worked fine. The fifth time, there was some different ad at the bottom which decided that every time I was going to click on the "Starting station" textbox, it would try to invoke some kind of popup (which Chrome blocked) and thus stop the keyboard appearing. So I literally couldn't type into the box at all after a dozen or so tries. Reloaded. Got the same ad. Same thing. Reloaded a couple more times, got a different ad, no more popups, and it started working normally again.

That ad could easily have cost you money, TFL. Or done something even more nefarious.

Take your pick: Linux on Windows 10 hardware, or Windows 10 on Linux hardware

Lee D Silver badge

One of the beauties of Linux is that it pretty much doesn't matter what it's running on. So long as you have drivers, you recompile your kernel and software and off you go.

I often forget whether I'm on a Raspberry Pi, an Ubuntu-based desktop in a VM, or a remote dedicated server running Apache - from SSH they all look and work the same and have the same software available to them, and the only things that differ are distro-specific.

I've actually sat there trying to work out why a pre-compiled binary I uploaded over WinSCP wouldn't run... and then realised the machine was an ARM-based Raspberry Pi and the binary Intel x86. But it didn't matter, the software had source... so I just downloaded the source package instead, recompiled (using the same CMake/gcc etc. process as I would anywhere else) and installed and it worked first time.

I have to say... if you said to me "start IT all over again from nothing", I'd be hard pushed to see a reason to include either a closed-source OS or closed-source binaries at all. And can see no reason that any OS shouldn't be available on all the major architectures.

I even struggle to understand why programs for things like Linux aren't distributed in a single file that includes source and binary for each platform (a bit like the old Mac "universal binary" but with source as the first ELF section, and then each platform - if there isn't already an ELF section for the architecture, just compiles the source on first run, and puts the resulting binary into a new ELF section for that architecture). Then literally your program will "run" on any platform that's compatible. It'll automatically be optimised for the platform in question. People can still distribute programs that will work with zero-compilation necessary for the major platforms, and porting to a new (compatible) platform is as simple as running the program and waiting a little while as it compiles for the first time, and platforms that don't need to load a particular architecture might have a larger executable, but it can be safely pruned if necessary (embedded versions) and wouldn't load the other architecture's ELF sections into memory at all.

(Whenever I mention this someone pipes up something about some 1960's UNIX thing that did this, which I'm sure is true, but now more than ever I can't understand why it still doesn't work like that - for any user-space, open-source, C/C++-based, Linux-API programs at the very least... which covers about 90% of any Linux distribution. Do it right, and you could have a MinGW layer on Windows that automatically does the same for you there for the same binaries when they are run on that platform).

It's really time - especially with the web abstracting out actual executables, the OS's abstracting out the underlying architecture, and things like cross-platform libraries abstracting out hardware - that we started doing this.

Pandas so useless they just look at delicious kid who fell into enclosure

Lee D Silver badge

Someone give him a pair of black eyes...

Oh Snapd! Gimme-root-now security bug lets miscreants sock it to your Ubuntu boxes

Lee D Silver badge

Re: Am I Sam Beckett?

"Who the bloody hell installs flash player ... these days?"

FTFY.

Samsung Galaxy's flagship leaks ... don't matter much. Here's why

Lee D Silver badge

Re: No jack, Jack.

"How can that overshadow all the new tech squeezed into a new flagship phone?"

Because, quite literally, I do not care about all that new tech.

Faster processor. Cool. But my current phone isn't slow.

More RAM. Sure. But my current phone has never run out of memory.

More internal storage. But my current phone has a 128Gb microSD inside it... good luck beating that for the price of a cheap 128Gb card off Amazon.

More cameras. I literally use my phone to take a photo maybe a handful of times a year. When I do, it's usually to email the photo, and having a HUGE image file result of that just means I need to shrink it to email it. I honestly don't even need HD most of the time, even if I wanted (why?) to take a lovely photo of my daughter to print out at high quality. My current phone is so sufficient, I've never questioned its capabilities in taking a photo.

Voice recognition. My current phone has it in apps everywhere and it doesn't work for me anyway. I consider it the slowest form of command-issuing that there is, short of getting a machine-learning camera to interpret semaphore that I flag to it.

Biometric authentication. My current phone has a fingerprint reader. I've literally used it once. To demonstrate how useless it is in terms of security (the old gummy bear tricks).

My phone has 802.11n 5GHz wifi, Bluetooth, NFC, hotspotting, all the usual. I actually use some of them. NFC I use precisely to demonstrate to people how easy it is to read data off your credit cards in your pocket by just swiping a phone near you (and then explain that that just powers up the cards, and once powered up, I could read the radio signal from half a mile away with the right antenna). I use it to convince people to use RFID-blocking wallets, purses and card-sleeves.

All your fancy new tech literally means *nothing* to me. Same way that I could buy a laptop tomorrow that could run every one of my 1000 Steam games faster than I've ever been able to run them. But the fact is that my high-end laptop from 2014 can do exactly that, to the point that I can play through GTA V or any of the other most-demanding games that I have without noticing the performance even once anyway. So what would an upgrade gain me? A worse version of Windows, replicating years of my laptop setup, having to reinstall just about everything, finding none of my accessories in my laptop bag fit any more or need adaptors to work, so on a plane the new laptop looks like Jodrell Bank in order to sit and play a game without disturbing others if I don't want to re-buy every accessory I already have.

This is what Samsung et al are discovering. I will not pay one penny extra to have a 4K rather than a HD camera. Or screen. I will not pay one penny extra to have edge-to-edge screens. I will not pay one penny extra for the AI chip, or 3D cameras, or any other junk.

But I *WOULD* pay a proportionate price increase over a base model for a headphone socket, a removable battery, NOT to have an edge-to-edge screen but a plain, flat bit of glass that I can replace for £20, a larger battery, a decent case built-in to the phone, hell I'd even accept it being three times as thick as the "slim" phones they want to sell me. I wouldn't even notice.

If you gave me a Dell-website-like customisation of a smartphone, I'd happily turn all those new features off. I'd happily PAY to remove some of them. And I'd happily pay to add back in the stuff I need. Hell, I'd pay just to have standard Android and an unlocked bootloader (which some smartphone companies now actually let you do!).

Just because "it's technically better" does not mean "it adds sufficient value to my purchase that I will automatically part with more money". I can get a ridiculous top-of-the-line graphics card today if I'm willing to part with several grand. But I'd much rather pay less, "only" get 60fps in every game available to me, and then spend the excess on something else that gets me more value.

Smartphone companies are slowly waking up to this. There will always be "But I must have 4K/8K/HDR/128Kbps FLAC/etc." guys. But they are niche. Most people just need a phone "good enough". Same way most people just need a laptop "good enough". Once you get past that point, people are loath to pay extra, especially if they LOSE features they are accustomed to (e.g. find a cheap laptop that has an optical drive - and, no, I don't want to carry one round with me separately everywhere I go).

Companies found it out with PCs and laptops. A few years later, the bottom started to drop out of the market because people didn't WANT that extra rubbish, as the market had reached full penetration so nobody was buying something that they hadn't seen a million times before and learned that if they follow every possible upgrade, they cost themselves money for nothing and eventually lose functionality.

P.S. I also would not pay ANY extra to have, say, Samsung or Apple logos on my phone. It means nothing to me. I don't mind having the former on there. The latter is a big no-no to me because of what it means in terms of other features. But I wouldn't pay anything extra between two otherwise identical models to get the Samsung or the Apple model.

Lee D Silver badge

Re: No jack, Jack.

The excuse was always "size".

In fact they then just stuck in ten times more rubbish that nobody wanted (quad-cameras and suchlike). So I don't believe that.

And if you've had to pay £799 for a smartphone, you surely don't want to have to rebuy EVERY accessory that you had to buy with your previous similarly-priced smartphone. So I can understand that frustration.

If you bought a £1000 laptop tomorrow, to replace a £1000 laptop two years ago, would you be happy about having to buy all-new USB cables, display cables (HDMI), audio cables (ironically), etc. every time you do that? Sure, once for a generation, and then buy a backwards-compatible cable (e.g. you can still use your USB mouse with a USB-C -> USB adaptor or hub, etc.) but not every damn laptop.

New phone = new charger = new case = new car-cable = new car-holder = new USB cable = new headphones and so on... adding to that list doesn't help at all, when cheaper phones don't require that (a double-whammy saving). And that's assuming you don't share that stuff with other phones/audio devices - now you may have to upgrade your in-car aux port, buy bluetooth dongles, keep two cables including one for that old phone you gave the wife, two headphones - one that works at home, one that works on the phones, etc. etc.

I'd expect an £800 phone to do everything a 5-year-old £800 phone could do... and more. Not less.

But then, I have literally not spent £800 on phones in my entire life. Not even if you include the landline phones and cordless handsets of old.

If I was to go to such an £800 phone, I'd have to rebuy and change the way I do everything with my current phone - plugging it in in the car, charging it (the cables on my car, the battery packs - if they are capable of fast charging it already- the chargers at home, etc.), putting a case on it, etc. and it would quickly turn into a £1000 exercise and a complete change of how everything I do on or with the phone works (even signing into it... aren't PINs frowned upon nowadays?).

Or I could spend £200, get something "one model up" on my current phone that uses the same cables, does everything I already do, and more. Alright it won't be a famous brand but... (shrug).

There's a reason I stuck on the S5 mini. Nothing else has the IR blaster. And I use that. Sure, there might be dongles that do it, or BluRay players you can control with an app, but now I'm buying those and setting those up too, having to bolt on extras (that don't fit in even the new case), after having spent lots of money on a phone that then can do "What I did before, but has a 4K camera I'll never use".

When I went from an S4 mini to an S5 mini the transition was seamless. Last year, I reflashed the S4 mini with LineageOS and use it as a living room remote control and "quick google" device. It's actually faster, smoother, higher version of Android, etc. than the S5 mini is and lost no functionality - it even uses the same cables. The choice I face is now really "new phone" or "risk LineageOS on the S5 mini that's not as well supported". A few-hundred pound phone that did everything I needed, without the junk, and requires no extraneous purchases stands out as a better choice to me than splashing £800 on a phone that then requires all kinds of nonsense that probably won't work on my other phones.

Smartphone manufacturers will learn eventually, but it's gonna hurt them to get there. They will have to settle for people like me buying not-so-smart phones at cheaper prices and demanding things like aftermarket battery replacements and legacy ports.

Ever used VFEmail? No? Well, chances are you never will now: Hackers wipe servers, backups in 'catastrophic' attack

Lee D Silver badge

Re: Another theory

I think you're all forgetting:

Computer viruses were around for many decades, and very destructive - just like this incident - for decades before they started being used to make money. People, skilled people, were writing programs and deliberately spreading them for no other reason than to destroy other people's data "because", profiting literally nothing from it at all, and unleashing them on the world rather than just one person's computer.

The motive can be simply "To prove I can". "To show them they don't have security". Or even "Because then they'll hopefully buck their ideas up".

Look at any proof-of-concept code for a recent hack and you'll find people trading it online with their own twist, and they will have a cadre of "budding" virus-writers describing how they used it "for lolz" just to try to gain reputation.

There are people in this world who will happily call in SWAT teams, waste the emergency services time (e.g. things like fire brigades just to throw stones at them when they arrive) or - as one kid did in my road many years ago - pull down their pants, crap in their hand, and smear it over the only phonebox.

There doesn't need to be a motive, if you're only doing it "for a laugh". And it doesn't need to be for a serious purpose for someone to plan such things.

You probably find that someone ran an automated tool (or even bought an automated cloud-based hacking service! They exist!), it got them a shell on a remote system that they had no idea what it even was, and then they went on IRC and asked "What should I run?" and someone copy/pasted a line to blank their hard drives, and they all had a good laugh.

Again - their motivation is neither here nor there... it could be a targeted internal attack, an external random automated script, a slip of a finger by an authorised admin, or some kids playing games... it literally does not matter. What matters is that it should not be possible. Which is why - rather than rely on "detecting" whether the kids do these things, or working out their attacker's motive - it's also better, and necessary, to just make sure they aren't possible in the first place.

Lee D Silver badge

I work in schools.

I can tell you the answer is most likely:

"Because they can". If not, then "For a laugh".

Same as why kids break each other's Chromebooks, pull the power from someone else's computer before the work has been saved, or turn on all the accessibility settings on the login menu so Windows starts talking to you as you move the mouse.

As an IT guy for schools, I'm much more interested in "how was this even possible".

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019

Lee D Silver badge

Cool. An 8-bit header. With a reserved bit that indicates there's another bit to follow.

Then you can pack any number of bits. 1 packet of 7 to start, an extended packet taking you to 14 (beyond even their CURRENT plans to change GPS - or were you reading the article and took away that they can't change the protocol?), then maybe another. If you follow any kind of other long-established protocol, they then often have fast-bursts. First 7 bits with an indicator in the last bit, which says that the next byte is at, say, double-rate, or compressed. Old devices ignore it, get 7-bit accuracy. New ones read it and get twice as much.

The most inefficient kind of 7-bit packing would give you 7-bit accuracy in the first 8-bits. 14 in the first 16. 21 in the first 24. 28 in the first 32... 56 in the first 64-bits.

It's not about the specifics of GPS - it's about how you go about designing the protocol for future expansion rather than do the literal "640k" gag. And people were doing this WAY BEFORE the 70's because they had seen some of the fastest advances with the tiniest hardware and it became necessary.

It's not about whether GPS *does* it. It's about why it wasn't designed to do it, why you would continue to allow it (if you don't have a single "reserved for extended use field", you are literally stuffed - even TCP did that for ECN), and why - if you ARE extending it - you don't allow for further extension to your own.

Lee D Silver badge

Seriously, in this day and age?

Stop messing about and use 64- or 128-bit for everything, with a reserved bit that - when present - signifies an extended format follows which you can use to add in additional information (but would be ignored by devices that don't support it). And then when you define that extended format.... make that have a reserved bit...
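The "reserved bit means another group follows" packing sketched in the two posts above, as an added example (this is not Lee D's code): each byte carries 7 data bits plus a continuation flag, so a legacy receiver that masks the flag still gets its 7-bit value while an extended receiver keeps reading. The sample values (including 2048, the continuous GPS week count reached at the April 2019 rollover) are chosen here for illustration.

```c
/* Added example: continuation-bit packing, least-significant 7-bit group first. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EXT_MORE       0x80u  /* reserved top bit: "another 7-bit group follows" */
#define EXT_MASK       0x7Fu  /* the 7 payload bits a legacy device understands */
#define EXT_MAX_GROUPS 10     /* 10 groups x 7 bits covers a 64-bit value */

/* Encode value into out[]. Returns bytes written, or 0 if cap is too small. */
size_t ext_encode(uint64_t value, uint8_t *out, size_t cap)
{
    size_t n = 0;
    do {
        if (n == cap) return 0;
        uint8_t group = (uint8_t)(value & EXT_MASK);
        value >>= 7;
        /* Set the reserved bit only when more groups really follow. */
        out[n++] = value ? (uint8_t)(group | EXT_MORE) : group;
    } while (value);
    return n;
}

/* A legacy receiver knows only the original 7-bit field: it masks off the
 * reserved bit and never looks past the first byte. */
unsigned ext_decode_legacy(const uint8_t *in)
{
    return in[0] & EXT_MASK;
}

/* An extended receiver follows the reserved bit. Returns bytes consumed, or 0
 * if the stream ends while a continuation was still promised, or if more
 * groups appear than a 64-bit accumulator can hold. */
size_t ext_decode(const uint8_t *in, size_t len, uint64_t *value)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < len && i < EXT_MAX_GROUPS; i++) {
        acc |= (uint64_t)(in[i] & EXT_MASK) << (7 * i);
        if (!(in[i] & EXT_MORE)) {
            *value = acc;
            return i + 1;
        }
    }
    return 0;
}

/* Helpers that show what each kind of receiver makes of one encoded value. */
size_t ext_encoded_len(uint64_t v)
{
    uint8_t b[EXT_MAX_GROUPS];
    return ext_encode(v, b, sizeof b);
}

unsigned ext_legacy_view(uint64_t v)
{
    uint8_t b[EXT_MAX_GROUPS];
    ext_encode(v, b, sizeof b);
    return ext_decode_legacy(b);
}

int ext_roundtrips(uint64_t v)
{
    uint8_t b[EXT_MAX_GROUPS];
    uint64_t out = 0;
    size_t n = ext_encode(v, b, sizeof b);
    return n != 0 && ext_decode(b, n, &out) == n && out == v;
}

int ext_stream_complete(const uint8_t *in, size_t len)
{
    uint64_t out = 0;
    return ext_decode(in, len, &out) != 0;
}

int main(void)
{
    /* The post's table: 7 usable bits in 8, 14 in 16, ... 56 in 64. */
    for (size_t bytes = 1; bytes <= 8; bytes++)
        printf("%zu bytes -> %zu usable bits\n", bytes, 7 * bytes);

    /* Week 2048 (constructed sample): a legacy device reads the low 7 bits,
     * which happen to be 0, while an extended device reads the full value. */
    printf("legacy sees %u, extended round-trips: %d, bytes used: %zu\n",
           ext_legacy_view(2048), ext_roundtrips(2048), ext_encoded_len(2048));
    return 0;
}
```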

620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

Lee D Silver badge

Re: Hash

One single access to your laptop at the level of your user (i.e. a single browser compromise) and your entire database of unique passwords is available to someone for offline hash-cracking with JohnTheRipper. No different to the browser "saved password" functionality itself, which is encrypted in a similar way.

It would take you longer to change all those passwords (because they are now all compromised) than it would do for someone to find the weak ones.

Not only that, by just having such a tool installed, you're basically flashing your iPhone around in the middle of The Bronx which has only one inevitable conclusion:

https://www.tomsguide.com/us/hacker-tool-keepass,news-21782.html

Tell me - do you do your browsing as a user with access to KeePass?

Much safer to memorise half a dozen decent passwords and then you can literally write "HSBC - level 1 password", "The Register forum - level 5 password" in a document somewhere, or even advertise it to the world.

KeePass is just writing your passwords down and then putting big arrows pointing the way to your password all over your computer. It's no more secure than a notepad file. Plus, you better hope that KeePass never, say, gets a rogue git commit added that compromises it - as has happened to everything from the Linux kernel to Firefox to OpenSSL to entire code repos, etc. in the past. I know which project I'd be trying to infiltrate if I wanted to spend years to get a single code drop inside it, with an accidental "off by one" that gives the person who crafted that complete access to all wallets.

At best, something like KeePass is snake-oil. At worst, it's a tin-foil hat / emperor's new clothes.

Lee D Silver badge

Re: 617M real account details?

Same.

When I do haveibeenpwned on my work domains and personal domains, they are the same situation.

Either nonsense, made-up-hex-looking usernames, or off-by-ones in the database (e.g. sername@domain.com, jsmithj@domain.com) etc. where someone can't write a spam database program properly and it jumbles up things. I also get valid-looking but never-been-present usernames on my domain (e.g. genuinelookingname@mydomain.com where genuinelookingname was probably associated with domains *similar* to mine, but not actually mine), etc.

There's a lot of junk. A lot of those accounts may have been valid at some point but not any longer. Most people barely keep an email account more than a handful of years, in my experience. Mine is over 22 years old, though, and still going - because I bought the domains and just forward to Hotmail/Gmail/SquirrelMail/my own server/whatever was trendy at the time to actually *read* the email.

In that time, you'd expect my domain to be spammed to oblivion with all those old accounts. A couple of companies have been compromised in the past, so those email addresses crop up quite a lot (because spammers just copy other spammers' old databases). Things like addresses I used on Usenet and mailing lists are spammed all the time. Anything used in plain-text on a website (e.g. contact addresses, etc.). But most of the spam is literal made-up or false junk @mydomain.

I'd estimate there are 100 addresses on my domain that are actually valid. Of those about 3-4 are compromised or spammed. About 10 or so I've blackholed for either being spammed or other reasons. But my server sees attempts to deliver to several thousand emails every day that have never actually existed at my domain.

The best bit of such a system - compromise the database, grab the email and password from some ancient account from a defunct company... now try to apply that anywhere else on the net apart from that company's services. Even if I've re-used that password elsewhere (e.g. forum accounts that I just don't care about and hold no information on me), you can't even start to guess the email I actually used to sign up with for, say, Paypal or Amazon or whatever so you couldn't re-use that password anyway.

617m account details would, if I applied statistics, probably relate to less than a million real accounts that are active. Some of those would probably be shared. Most of them would be bog-useless to do anything other than send a spam email (e.g. if you got into my Reg account... what exactly could you do with it? Post a dodgy comment?).

Lee D Silver badge

Hash

Surprised quite how many of them are using salted hashes (even if some of them are out of date).

I was honestly expecting a lot worse.

This is why you use a unique username/email and password for each site, and why you DON'T plug them into a password manager.

Buy yourself a domain. Use the "catch-all" functionality to make up any email address you like for each company, and either generate random passwords or only re-use passwords with same-level-of-access sites (e.g. if one dating site has all your stuff, then another dating site sharing the same password gets them no more information than they've already got, but saves you having to remember/write down a million different passwords. Use a password for banking, one for accounts with credit cards, one with personal information, one for forum accounts, etc. and you only need a handful of passwords. Plus, if you use unique username/email combos then it doesn't really matter if your password gets stolen from one site - the same credential won't work on another because the username will be all wrong anyway).

Housing biz made to pay £1.5k for sticking fingers in its ears when served a subject access request

Lee D Silver badge

If it contains his name, it could be classed as personal information.

Even "what was the response to my email dated X that you claimed not to receive"? And then escalating to "I'd like you to tell me all the emails that you received from me" (which would be personal data).

Not to mention that they may have passed that information on (to who, when, where?).

I know that I've had any number of run-ins with landlords (most not even my own!) where they tried to disclaim everything, not follow the law, even inform people/organisations that they shouldn't have (e.g. try to delay external servicemen coming out to the property because I'm the grouchy person who complained), gain information about me that they did not need (i.e. I represented a tenant in a dispute once, with their permission, and the agency tried to look into who I was... it ended badly for them, as they had gone way beyond "Well, who is this guy" to using their industry contacts and private databases to try to dig up anything on me that they could), process information poorly (e.g. hand off your personal phone number to a third-party agency of some kind - even a plumber - without your explicit consent).

The old adage "If they have nothing to hide..." applies here. They would just comply, as the LAW requires of them. I could quite easily see that they have gone out of their way to ignore the guy's concerns, or try to sabotage his purchase/tenancy to get rid of him, or just deleted emails, or wrote snotty emails about him, and under the law he's entitled to get those from the company if there's a SAR issued. That they didn't comply tells me that there's something in there that they don't want him to read about himself.

P.S. Since - and actually for many years before if you ever read legal case histories - GDPR, if you're discussing something even internally about someone, that discussion should come up in the results of a Subject Access Request. It's personal information. Maybe censored, maybe deemed "not to contain personal information", etc. but you have to justify every one or else you could be found liable for not complying with the request.

Guess how I know this, having worked IT management in a school for my entire adult life? Yes, that snotty email where some teacher says "Fred's too thick to be entered for GCSE, we're just wasting our time here, but let's fob the parents off" can end up needing to appear on an SAR response.

The presumption of "well, what could be on there for them not to want to comply" is that they are actually purely professional at all times and have never put something inappropriate, or condemning themselves, in an email, ever. The fact that they REFUSE to comply, even when the ICO threaten, warn and prosecute means that they know that SOMETHING will come up on that SAR that they'll be required to provide that they don't want to.

Maybe even evidence of their own law-breaking in some respect in handling his house/tenancy/complaints/data.

Lee D Silver badge

(Oh, and the reason I ask is because I bet the reason for the SAR in the first place was to prove that they hadn't met some other legal obligation, and he was basically "subpoena'ing" them for their own evidence against themselves. It's very common for companies to get all shirty when you do so and refuse to comply because it will only ever hurt them. And, there, even £1500 probably is worth it to just not-comply).

Lee D Silver badge

Question:

Did the guy get access to the data he requested?

Because, if not, I'm sure you could just keep suing them and/or sending them SARs and repeating such court action.

Lovely website you got there. Would be a shame if we, er, someone were to sink it: Google warns EU link tax will magnify media monetary misery

Lee D Silver badge

It's like taxing adverts in a published magazine.

All you're going to do is make adverts much more expensive to run. The advertisers will give up buying magazine adverts before the magazine itself will go out of business.

London's Met police confess: We made just one successful collar in latest facial recog trial

Lee D Silver badge

"Since when is hiding your face to avoid cameras "acting suspiciously"?"

Since turning and walking when you see a police officer, or running when they shout Stop, or any of a myriad actions (even getting tetchy/sweaty when they do stop you).

It doesn't take a genius to draw an analogy there.

The question is:

- If they are acting suspiciously, are you allowed to stop them on that basis alone? Answer: Yes. Otherwise police work is literally entirely "witnessed crimes" and nothing else.

- If you stop them, are you allowed to hinder them longer than necessary to ascertain their identity, purpose, etc.? Answer: No. Never have been.

- If you stop them and they kick off and breach the peace, can you arrest them? Answer: Yes.

- If they don't, can you arrest them? Only if you have reasonable suspicion that they have committed a crime. Which means that, without anything more than their identity, you have to hope something pops up on the computer? Or that they have a knife or something in their pocket. Then you can arrest them, otherwise no.

Police have the right to stop, search and ascertain your identity. They need almost ZERO reason to do that. It's been clear-cut in just about every developed country for decades, if not centuries. They can't unduly inconvenience you, they can't arrest you for no reason (even "suspicion" for an arrest requires an actual reasonable suspicion with corroborating evidence and a suspicion of a specific charge - e.g. suspicion of burglary of a particular location on a particular date, etc.)

To stop is not to arrest.

To arrest is not to charge.

To charge is not to convict.

They have every reason to stop the man, under the law, for literally anything they like. Whether you agree with that or not, you're several hundred years of the relevant legislation too late. What they can't do is arrest him for the sake of it. The fact they arrested him means that he kicked off and dropped himself in it.

If a police officer stops you, you don't have to co-operate more than the legally required minimum (identify yourself, maybe co-operate with a search if requested). But equally you don't have to get yourself arrested either.

"Certainly, officer, am I under arrest?"

"Okay, sure, I just don't want to be on camera. No particular reason."

"Absolutely, I'm X and here's my ID to prove it and/or I will provide proof of ID at a police station and/or here's a contact number for my employer and they can identify me if you wish."

"Okay, so am I under arrest?"

"I understand, but I'm in a rush, am I allowed to leave?"

Being dickish about it gets you arrested anyway. Being polite about it raises alarm bells along the lines of "Is this guy a lawyer and am I gonna end up with a charge of false arrest if I reply once wrongly to his questions?"

Now, some people go *too far* and say you shouldn't speak anything but your name, etc. but I think that will raise more suspicion than anything else.

P.S. The police can arrest anyone they like. Literally anyone. So long as they have reasonable grounds to believe an offence has been committed. They can arrest you, take you to the station, question you, etc. etc. etc. And arrest is "to stop" someone and ascertain more facts about the situation. They can then de-arrest you. You would be hard-pushed, if arrested and later de-arrested without charge, to claim that they *hadn't* got reasonable grounds because they won't really arrest you without reason. But they can do it. They literally have the right to do that. Whether or not their "reasonable grounds" are actually reasonable or not is a case for a lawyer, not an armchair rebel, and occurs after the arrest/de-arrest.

Hence, it's really stupid to push them to anywhere near something they can arrest you for, even on the slightest and most dubious of potential charges.

You can be arrested and de-arrested in the street. False arrest is only if they didn't have reasonable grounds upon which to do that. The bar is quite low on what's reasonable. Always has been.

The alternative is that police literally can't then arrest someone walking a few streets away from a burglary with an arm-full of DVD players because "no suspect description matched him" and stuff like that (an exaggeration but not by much).

If you don't understand this, I hope you never get stopped, because you could quickly end up being arrested.

If you do understand this, it doesn't *guarantee* that you won't get arrested, but it does pretty much guarantee that you can't be charged (like this idiot) except for things you actually have done.

Be nice to your police. Not because "they'll nick you if not". Because their job is hard enough without twats making it more difficult anyway. And every time I've ever been stopped, spoken to, pulled over, etc. by one, we've all walked away smiling.

If you were a security guard in a shop, tasked your entire career with detecting shoplifters, and maybe it costs you personally if someone nicks something (e.g. you own the shop), and you saw a guy come into your shop and hide his face from the cameras deliberately... would you not be suspicious? Suspicious enough to monitor him further, at minimum. Maybe let your presence be known, or ask him a question or two and see the reaction? I know I would.

Bam. The police did *just that*. They stopped someone for acting suspiciously. And they have FAR more wide-ranging powers available to them.

Maybe he was cold. Maybe he's shy. Maybe he just saw his ex girlfriend. Maybe he was a criminal who didn't want to be recognised. That's why it's a suspicion.

Stopped on suspicion != arrest and, in this case, charges unless you're a world-class moron.

Lee D Silver badge

So.. it would actually be equally effective to put up a fake van and fake camera, avoid all the privacy issues entirely, put up a sign, and watch for people trying to avoid the cameras.

There's a phrase for that, I believe, and it's often used in medical trials. "No more effective than placebo."

Though I have no doubt that the guy trying to cover his face kicked off and thus gave police an excuse to arrest him, I would question why he was approached just for covering his face in the first place, and whether he would have avoided being stopped any longer than strictly necessary and/or being subject to facial recognition if he'd been polite.

Lee D Silver badge

Re: London

Tell that to the post office.

Accused hacker Lauri Love to sue National Crime Agency to retrieve confiscated computing kit

Lee D Silver badge

Re: Representing himself

It's incredibly rare to set a precedent.

It's incredibly rare to represent yourself.

There's a phrase even in legal circles: "A man who represents himself has a fool for a client". No lawyer would ever sit in court without a lawyer of their own (there are literally things that "lawyer for person X" can do that "person X representing himself" can't do anywhere near as easily). Note that for all the ground-breaking work, he had lawyers.

Now, not one of them is present.

Basically, he might well get a win out of it, but it won't set a precedent. Purely because it's just the prosecution that are dragging their feet, probably because of political sensitivities. In that sense, there's no real precedent to set - that law is there for a reason, to stop people dragging their feet in perpetuity, and that's what he'll use it for.

In terms of "can he be convicted/extradited" in this particular case, that's an unanswered question, but the court looks to be swaying towards "yes, if the other side stop dragging their feet".

It's entirely possible that it triggers a quicker prosecution on the original charges, in fact.

Notice that what's NOT been said is "I didn't do it, guv".

UK transport's 'ludicrous' robocar code may 'put lives at risk'

Lee D Silver badge

Re: Missing the obvious

Would *I*, as a qualified driver, be allowed to operate a remote-controlled car on a public road, under normal driving conditions, entirely via remote control?

I believe the answer is no.

So why does an "AI" bot that's untested get to have that as the only safety measure if the electronics fail?

And, if I did do that, and it killed someone, would I be liable for not being in control of it - no matter if I couldn't override the controls or compensate even though I can see the accident coming - or would the AI creator be held liable?

It's a stupid idea solved by simple testing procedures. Allow them with a supervisory driver inside the vehicle. When they prove themselves (but never needing any intervention), then have them do several thousand miles unaided (but with remote vehicle control). Then ramp up slowly.

But, to be honest, the REALLY stupid thing is the venue. When the devices prove themselves in a simulated environment (i.e. looks like a road, works like a road, not some on-screen fake 3D stuff) off public roads, and then on public roads but at slow speeds (e.g. moped speeds only), and then on motorways, and then in extreme conditions, etc. THEN you can authorise a full trial on public roads with no restrictions on what road/weather they can drive in. Not before.

I would be more than happy to let automated cars on our roads today. With a 20mph limit, not allowed on motorways, human driver behind the wheel. If they can't cope with that without interventions, they shouldn't be allowed anywhere NEAR 70mph, a motorway or the public, and certainly not unsupervised.

They're learner drivers, at best. Taking the instructor with dual controls out of the car before they've passed their test, or at very minimum a qualified driver happy to take the blame at all times, is illegal for a human at that stage, why should an untested technology leapfrog that requirement? Not to mention motorway driving, licenses with points on which they can lose, etc.

LibreOffice patches malicious code-execution bug, Apache OpenOffice – wait for it, wait for it – doesn't

Lee D Silver badge

Re: Tried Libre about 3 weeks ago....

You can easily run just about any business from Libre, Google Docs, etc.

You don't "need" Office. You "want" Office, because you have decades of legacy documents that you tinker with incessantly rather than use a proper system or have to re-do them. I've literally walked into companies that are entirely reliant on spreadsheets that they have *no idea* how they work, or how to fix them when they don't. Some guy made it 20 years ago, it gives us the numbers we want, therefore we're happy so long as it keeps doing that forever, so why would we change to something like LibreOffice that it might not work on?

It's a sign of an outdated business process to not be able to move your software occasionally. It means you're tied in and don't review the longevity or safety of such arrangements to process the data you want. This is why banks are still stuck on COBOL, have difficulty transitioning away from it, and can't hire staff who know how it all works. Because they don't do it often enough, they only do it when everything collapses around their ears.

Libre is more than adequate. As an IT guy I ran Windows networks when my personal machine only had OpenOffice (though I wouldn't recommend that now because Libre is so far ahead). 99% of people will happily use Libre and not even notice. 99% of people will happily go to Google Docs and not even notice.

It's just a question of whether they understand "Occasionally, I have to learn something new, no matter how minor that is" versus "I only understand one thing, and that incompletely, and I can never, ever, ever move off that because everything will collapse and burn around me".

The biggest difficulty comes from pillocks who say you have to use X "because". Or try one thing, badly, once, decades ago, and never touch it again for the rest of their lives (e.g. everyone who says "Oh, you don't want to use Linux", etc.).

If the Microsoft activation service blew up tomorrow, if they lost the source code to everything and couldn't re-create it, if we were literally left without MS Office... there'd be a bit of inconvenience, we'd push out alternatives and we'd be back and working quickly and a year on would have forgotten all about it.

Yet I still see people buy an iPad and then "buy" the Microsoft Office apps for it "because you have to have those, don't you?".

Tedious Service Bulletin: No prizes for guessing which UK bank's services are DOWN for business users

Lee D Silver badge

Honestly, if clearing cookies and cached data are necessary, you have a really rubbish website and server infrastructure.

That's why pages have a modified date / hash, which browsers and other caches query to see if it has changed even if they don't actually download the full file.

And cookies at worst should give you a stale session that sends you to a login page to create a new one.

That's really the "just turn it off and on again" rubbish answer that poor IT support give out when they have no idea but want to sound like it could be your fault.

Honestly, I have had thousands of customers using several different websites that I provide as part of my employer's business, used day in day out for everything, that all get updated on a regular basis and accessed from every kind of device you can think of, and not once has my answer ever involved clearing cookies or caches. Not once have *I* ever cleared a cache or cookies (any more than F5 would - and nowadays it basically does nothing more than trying to access the site again!). Not once has it ever solved a problem.

If I were allowed, such phrases would result in termination of technical support payments, along with rebooting (I'll accept a shutdown in order to change hardware, obviously, but just a plain restart/reboot shouldn't ever be required).

Now, if they asked "Are you using IE? Then please stop." I'd give *them* money.

Oh cool, the Bluetooth 5.1 specification is out. Nice. *control-F* master-slave... 2,000 results

Lee D Silver badge

Re: BT?

Mobile data is this phone connecting to the Internet. It costs money.

Wifi is this phone connecting to the house's Internet. It doesn't cost money.

Bluetooth is this phone connecting to something else. Headsets, other phones.

Though, in theory, you can connect using Bluetooth to another phone's mobile data offering (Bluetooth PAN), it's very old-hat and I've literally only ever used it once as any decent phone has Wifi hotspot functionality (which is harder to explain but still only "Hotspot is this phone offering out its Internet to other phones by pretending to be Wifi. It costs the hotspot phone money, but not the others").

Lee D Silver badge

Re: BT?

I find that BT works or doesn't. When it doesn't, faffing can always fix it, but I can't be bothered.

I set up my car BT to connect to family phones, that just works. Even for music, calls, if the phone BT is turned on after the car etc.

I set up BT speakers and audio cable to BT adaptors. They just work. I set up Bluetooth pairing for Internet when one phone runs out of data. It just works. But if I send an image from a random device to another random device it's pot luck time.

BT drivers on PC used to be atrocious as they were tied to the chipset used and so you couldn't have a BT dongle in a laptop with an otherwise crappy BT internal module, etc. Pretty much those situations are resolving themselves as BT drivers standardise.

Hell, if you use a Wiimote, you're using BT. You can even connect them to a standard PC.

Sysadmin's three-line 'annoyance-buster' busts painstakingly crafted, crucial policy

Lee D Silver badge

a) Testing.

b) Change Management.

c) Proper naming conventions (which should include the date and/or author). Name a policy with 20190204 on the end when you make it today and it's impossible to get confused with one people wrote years ago called the same but with THAT date. Plus, you instantly know how old that policy is, i.e. how long it's been useless and/or working, and can modify your interference behaviour accordingly.

It reads like a catalogue of errors from the start.

Only lucky that the "overwriting" that was being prevented originally didn't overwrite something much more critical when deployed to all the relevant servers and leave you with, say, a blank DNS database for example.

OK, it's early 2019. Has Leeds Hospital finally managed to 'axe the fax'? Um, yes and no

Lee D Silver badge

20 years ago, I started working for schools.

I was amazed even then that they were still using fax.

One of my early projects for any school I worked for was to eliminate it. Mostly because, by then, almost all faxes received were spam anyway. High consumable cost. Plus telephony costs. Plus there were viable alternatives just sitting there.

I spent many years going to boot sales and snapping up "real" modems (serial, not Winmodem). I still have a stash. I would then connect those modems to a machine and install something like hylafax.

Now they could fax direct from the program by just printing to a network-wide printer. All users could do it (with controls to ensure only those who should could use it). All programs supported it. And it all went out from one number so it could be monitored.

All incoming fax automatically dropped into an email account as a PDF and were distributed that way. Users who "needed to sign" something could even fax direct from the scanners / copiers if they so desired.

In every school I ever did this, actual fax usage was shown to be absolutely minimal. Spam faxes were treated like spam email. The only faxes going out were few, and they got even fewer as time went on. By the time that everyone had automated banking and communications (i.e. no longer accepting or printing cheques, school parents getting reports online etc.) fax was dead and gone.

My current place has a fax line that works this exact way. I couldn't even tell you the last time we needed to fax. The technician I tasked to set up and manage the current fax system left over a year ago. It's still working, but it honestly doesn't receive anything worthwhile at all and never sends out. We keep a single analogue line up as an emergency backup for a SIP trunk, and that operates as a fax line when it's not an emergency. It's not even worth a line on its own.

That there are modern organisations with fax still based on physical fax machines churning out paper (even MFP's), I find unfathomable. If primary schools ditched the technology 20 years ago, you should have as well. At best an all-electronic system is an acceptable substitute, but that's literally lost in the error margins of any telecommunications contract - one fax line per site, with a box to manage it but to be honest most telecoms devices nowadays just let you nominate a line as fax-to-email and you're done. Even the big SIP-trunk people have that kind of functionality.

Anything you're faxing is going to be a patient record of some kind, or a legal document (the only reason for retaining a fax in many workplaces was literally "because the solicitors say we must fax it" - but email has far taken over in that respect). Thus it needs to be monitored, stored, and accessed appropriately, not churning out on a bit of paper in an office, never to be put back into someone's records or destroyed.

They should have just turned all the lines off. Literally, if the switchboard detects fax tones on a non-fax-to-email line, it drops the call. Any analogue telephone lines should be cut and - at best - centralised to use the core switchboard as the only endpoint (so you can still make calls through them, but there's no possibility of sending stuff outside just because you snuck a fax machine in). That should have happened 10-15 years ago. VoIP is SIGNIFICANTLY cheaper, so it should have been done years ago on a cost basis alone.

They are just asking for trouble, and their deadline is 20 years too late as it is. Zero tolerance should be applied. At worst, these are official communiques and need to be logged, audited and searchable in such a large organisation.

If your switchboard can't handle it, there are boxes designed expressly to convert such devices. I have a bunch of Hylafax-compatible modems if you want to do it the cheapest way possible. Most cost me £1 each.

Mobile network Three UK's customer details exposed in homepage blunder

Lee D Silver badge

Re: Security? Really.

If only they had a way to determine that the device in question was in your possession and/or that the payment details you had previously given them belonged to you and/or that you could log into a secure portal to request such a thing automatically.

Of course, that would reduce the possibility of them actually being able to try to upsell you as you go, but I can't really see a downside in that either...

Personally, I'm much more concerned that data usage has accelerated for no reason (I've actually been turning off devices on my 3 Wifi box trying to work out which it is, but if anything it's getting even bigger) and their portal shows my daily data usage only up to the 25th Jan (it's the 2nd Feb now) and for some stupid reason they sort by day-of-month, which means that to plot my usage means a lot of jiggery-pokery as the 26th, 27th, 28th, 29th, 30th, 31st December come just above the 22nd, 23rd, 24th, 25th Jan...

Boffins debunk study claiming certain languages (cough, C, PHP, JS...) lead to more buggy code than others

Lee D Silver badge

Re: It's "What's the best language" all over again

Such snippets can be small things.

I keep a file that loads dynamic libraries on various OSes (i.e. LoadLibrary/GetProcAddress or dlopen/dlsym). It would be massive overkill to rely on some centralised library to do so, for what is half-a-dozen lines.

But equally having to prototype functions / load libraries / get function pointers on both Unix and Windows systems can take more time than necessary for it to work and correctly fall over when something's wrong.

I have a couple of crafted macros where you can literally build the function prototype just from a simple substitution of the function definition (e.g. copy/pasted from a library's API or similar) which then prefixes the function name so you know it's dynamically loaded (rather than whatever the linker might pick up of the original function from a static inclusion), creates a prototype, puts in a function definition for you, loads the library, checks it loaded, has all the functions check that the library loaded and/or had that function inside it, etc.

The number of "professional" programs I deal with where just switching out a DLL or having the wrong version results in the propagation of a NULL pointer back until it's dereferenced when that function is first used - which may be deep within usage of the program - with no checking, just assuming that the DLL will always be there, always be the right version, not pick up system versions, etc. DLL Hell was rightly named and entirely the result of poor programming. And now there are attacks that revolve around just sticking a DLL in a program folder with the right name and poor programs will try to blindly use them in preference to the actual system DLLs, which generates all kinds of security nightmares.

Having a copy/paste works, but I wouldn't rely on any simplified library loading system to do it right, and it's not worth including others' code just for that, but similarly not worth having to rewrite it each time.

Same way that I keep a handful of Exchange Powerscript lines in a text file on the Exchange Server. Nothing I couldn't Google in ten minutes and get working, but I don't need a specific library for it, it's easier to copy/paste them, and I can put my own safety barriers in that example code from the MS KB often doesn't (e.g. -WhatIf, piping to make sure that only one OU is affected etc.).
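An added illustration of the loader pattern this comment describes (example code, not Lee D's own macros): one macro turns a copied prototype into a "dyn_"-prefixed function pointer, another resolves it and fails loudly rather than leaving a NULL to be dereferenced later, and the Windows branch restricts the DLL search to System32 so a same-named DLL dropped beside the executable is never picked up. It assumes the C runtime (glibc/musl libc or msvcrt.dll) as the demo library and strlen/abs as the demo functions.

```c
/* Added example, not Lee D's code: checked cross-platform dynamic loading. */
#include <stdio.h>
#include <stddef.h>

#ifdef _WIN32
#  include <windows.h>
typedef HMODULE dyn_handle_t;
/* LOAD_LIBRARY_SEARCH_SYSTEM32 skips the application and working directories,
 * so a planted DLL next to the exe cannot shadow the real system copy. */
#  define dyn_open(name) LoadLibraryExA((name), NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)
#  define dyn_sym(h, s)  ((void *)GetProcAddress((h), (s)))
#else
#  include <dlfcn.h>
typedef void *dyn_handle_t;
/* RTLD_NOW resolves everything up front; RTLD_LOCAL stops the library's
 * symbols from silently shadowing the program's own. */
#  define dyn_open(name) dlopen((name), RTLD_NOW | RTLD_LOCAL)
#  define dyn_sym(h, s)  dlsym((h), (s))
#endif

/* DYN_FUNC(ret, name, args): paste a prototype, get a typedef plus a
 * dyn_-prefixed pointer, so dyn_strlen is visibly the loaded one and cannot
 * be confused with whatever the linker would bind for plain strlen. */
#define DYN_FUNC(ret, name, args) \
    typedef ret (*dyn_##name##_t) args; \
    static dyn_##name##_t dyn_##name = NULL

/* DYN_LOAD resolves one symbol and fails the enclosing function if it is
 * missing (wrong library version, stripped export, etc.). */
#define DYN_LOAD(h, name) \
    do { dyn_##name = (dyn_##name##_t)dyn_sym((h), #name); \
         if (dyn_##name == NULL) { \
             fprintf(stderr, "missing symbol: %s\n", #name); return -1; } \
    } while (0)

DYN_FUNC(size_t, strlen, (const char *));   /* demo function 1 */
DYN_FUNC(int, abs, (int));                  /* demo function 2 */

static dyn_handle_t g_crt = NULL;

/* Open the C runtime: glibc's soname first, else the process's own symbol
 * scope (musl, macOS); on Windows only msvcrt.dll from System32. */
static dyn_handle_t open_crt(void) {
#ifdef _WIN32
    return dyn_open("msvcrt.dll");
#else
    dyn_handle_t h = dyn_open("libc.so.6");
    return h ? h : dlopen(NULL, RTLD_NOW);
#endif
}

/* 0 when the library and every function resolved, -1 otherwise. */
int dyn_load_crt(void) {
    g_crt = open_crt();
    if (g_crt == NULL) { fputs("library not found\n", stderr); return -1; }
    DYN_LOAD(g_crt, strlen);
    DYN_LOAD(g_crt, abs);
    return 0;
}

/* 1 if the opened runtime exports sym, 0 if not or if nothing is loaded. */
int dyn_has_symbol(const char *sym) {
    return (g_crt != NULL && dyn_sym(g_crt, sym) != NULL) ? 1 : 0;
}

/* Call sites go through the checked pointer: a failed load is reported as -1
 * here instead of as a crash the first time the function is used. */
long dyn_checked_len(const char *s) {
    return dyn_strlen ? (long)dyn_strlen(s) : -1;
}

int main(void) {
    if (dyn_load_crt() != 0) return 1;
    printf("len=%ld abs=%d\n", dyn_checked_len("hello"), dyn_abs(-7));
    return 0;
}
```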

Lee D Silver badge

Re: It's "What's the best language" all over again

Pretty much like asking what the best language is.

I'm sure you can argue Shakespeare vs Dante vs Aristocles vs... to the end of the earth. What matters is not what language they expressed it in, but what was expressed and that it was expressed fluently.

I work in schools and I program in my spare time, so what with the focus on "every kid coding" (when clearly every kid can't even play a musical instrument, let alone code), it's the same question I get all the time.

The answer? I really don't care. So long as I can understand it, and show you where you've gone wrong, that's infinitely more important - that you find a language that you find easier / more complete / are able to source examples for / whatever I don't care.

Fact is, I've never programmed in Python in my life. A colleague gave me a teenager's Python code without telling me anything. In LITERALLY one glance, I spotted every kind of problem with the code that showed it was an amateur programmer, corrected them and was able to run my modified version of their program about 30 seconds after getting a Python interpreter working while simultaneously running their code and demonstrating bugs theirs had that mine didn't.

It's about fluency and expressiveness, not what language. I'm sure Chinese has more language subtlety, that Latin-based languages are easier to learn, that English is understood in more countries. But if you are going to write a ground-breaking novel, the language really doesn't matter as much as the content.

Raspberry Pi Foundation says its final farewells to 40nm with release of Compute Module 3+

Lee D Silver badge

Re: braaaaiiiiinnnssss...

History shows that just as you get settled with such a device, technology moves on so much that the underlying bus becomes useless and out of date.

PCMCIA -> PCCard -> Cardbus -> ExpressCard -> miniPCIe is just one example (each of which had several revision numbers for each technology even if they were electrically or backward compatible in some fashion, they weren't between technologies necessarily).

MCA -> ISA -> VLB -> PCI -> PCI-X -> AGP -> PCIe -> ....

The RPi itself had pins added to its GPIO header in later revisions.

If every pin was identical in purpose and nothing more than, say, an Ethernet link that joined a link-aggregation group (e.g. via LACP), and where all devices of all ages and speeds speak the same language (i.e. 10, 100, 1000 and 10,000Mbps can all auto-negotiate and join the same group) and then have one huge bus that allowed hundreds of such devices to join and collate their data together (so powerful devices can negotiate, say, dozens of 10G lanes which also allows an old 10Mb lane to talk to the same bus or work on only a single 1G lane if put into a mid-range machine) and completely remove all "device description" off the bus into the underlying protocols entirely, then maybe you could do so.

By the time you got that working, you'd quickly find that all the old devices were designed with really poor connectors and linkage so that devices are unreliable or slower than they need to be on those machines, and every top-end device would be stealing all the lanes at max speed to do what they need and you need even more lanes and even more speed, which obviously the motherboards of today hadn't been designed for, so new cards are unreliable and slow, and so on and so forth.

You can do it. USB and PCI even had good shots at that. Still, though, even in the Ethernet stakes we can't bolt people down to 10/100/1000/10000MBps reliably, and that's only recently. There were 40Gb protocols and all kinds of legacy culling from the 10G Ethernet, and that needs Cat7 cables or whatever it is or it doesn't function, and so on.

Specified serial interfaces, negotiating from base-speeds, on flexible lanes (almost per-pin), designed from the start to have more than enough pins and electrical characteristics to cope with all future requirements, hell from there you could literally just talk to them as if they were IP-based devices even over a local bus. It wouldn't be difficult to even layer USBoIP or PCIoIP over something like that, and storage has already headed that way.

Trouble is that your computer now needs the internals of a decent managed 48-port 10G+ Ethernet switch to talk to a graphics card, which is likely prohibitive for the cost of a motherboard on top of everything else.

Lee D Silver badge

Re: Pi great for running Kodi

Indeed.

Retropie + KODI + tvheadend is a good combination, and with the new DVB-T hat for the RPi you can pull in Freeview direct with no dongles required.

It's my only "TV", it's an NVR recording onto a 128Gb SD card, I can stream it to my phone anywhere in the world (à la TVPlayer), and it's set up with all my classic games consoles and games on it, too.

The RPi now is what I wanted the RPi to be when it first came out and I was involved in the earliest testing. It's powerful enough to be useful, low power enough to be portable and tinkerable, extensible and supported enough to not be obsoleted, and cheap enough to be commodity.

Lee D Silver badge

Re: Like warm apple pi?

That's like a 20 minute job.

Even if you're starting from scratch and doing manually, it's only this page of instructions:

https://www.instructables.com/id/Pi-Shield/

P.S. Squid and DansGuardian are the basis of the Smoothwall project, which sells its custom boxes with that software into thousands of UK schools costing about £2000-5000 a year depending on other features.

The expensive bit of such a project isn't the hardware, setup or software, though. I've deployed the above (not on an RPi, but an old office desktop machine) basically for free. It's the paid subscription to a decent updated blacklist, because the free ones are often trash. You can do "okay" with something like OpenDNS (which used to have a DNS server that you can use to filter out most sites) but if you want to do a decent job, you need to buy a subscription to a blacklist to use with DansGuardian.

Lee D Silver badge

Re: Good & Bad news

As the article points out, it's not really for the likes of the average computer nerd, but the electronics and Bitcoin-like compute cluster guys will like it.

The aim is to become commodity hardware, that can run things like photocopiers, etc. I should imagine.

Having a stable interface, Linux support, built-in storage, cheap, easily-available, etc. makes them attractive for certain embedded tasks. You could end up with one of these in your Sky box in theory. Or a wireless router. Or a fridge. Or a washing machine. Or even a tablet.

When RPi / Arduino first came out, that was my first thought - all those companies I deal with that supply me with custom-made boards for their proprietary products... they could all just switch to cheap commodity boards with a custom OS on them (RPi doesn't just run Linux). The access control system I use has an old ARM chip on a custom board with a handful of connectors for bare wires. They could make a new board for their next model that was just the connectors and a SO-DIMM slot for this thing.

My workplace used nComputing thin clients for several years (which are still running as digital signage) - they were custom boards running some version of Linux with rdesktop. Quite literally the new versions of their products are just a Raspberry Pi in a box.

And I can't say that wouldn't be good. My little vacuum robot thing is custom-chips and I'd love to be able to tinker or replace that board when he inevitably dies. The burglar alarms and things that I see have atrocious interfaces and never see software updates, etc. Imagine an Alexa-like thing with an RPi inside that you can actually customise.

And from a business point of view, no custom chip design, and putting your uniqueness into your design instead of spending lots of time and money reinventing the wheel. I wouldn't even be surprised to see these things turn up in, say, something like a homebrew hardware RAID controller.

While US fires criminal charges at Huawei, UK tells legislators not to worry, everything's fine

Lee D Silver badge

Every major British ISP has been required by law to insert devices into their core network to enable certain agencies to monitor Internet traffic. The reason most people haven't heard is that they weren't allowed to tell you, and there are reports that people at ISPs were asked to sign the Official Secrets Act concerning their installation.

https://www.theregister.co.uk/2012/07/11/communcations_data_bill_joint_committee/

This is why "canaries" are used on certain websites. If they are ever forced, under threat of imprisonment, to comply with certain agencies, they stop posting certain signed updates that say things like "We have received no such requests from law enforcement today". No updates - they've been compromised and are unable to talk about such things. (Though I'm sure, even there, there would be some way to ensure such canaries continued to be posted even without the original person's co-operation, it would be a lot more difficult than just holding a gun to their head).

The UK is no different in this regard to any other state entity. Nor the EU. The US is actually a lot worse than those, but probably not as bad as China.

Anyone who thinks that ANY government couldn't simply demand that a major corporation on their territory give them total access to their entire system is an idiot. And revealing it, whether on the nine o'clock news, or in a disguised tweet, would probably be seen as contempt of court or worse. We are the country that had the scandal over super-injunctions, you know. And it wasn't that the country protested and they were abandoned and never happened again - it was years of quiet court action, eventual use of parliamentary privilege and no clear end to the possibility that it could be done again which are the only reasons that we know about them.

The biggest case about such things is the US vs Microsoft case where the US wanted to raid EU datacentres but the EU (and Microsoft EU) said no. If the EU said yes, do you think they wouldn't be demanding access to those datacentres? It was only the "then handing that data off to the US" part that troubled them.

If a government wants to put a backdoor into a product, you can be sure that either a) it will happen, or b) that product will never be made (because the creators object to doing so). It's highly unlikely c) that the creators will blab about that to the world's press and give themselves some decades in prison by doing so.

P.S. It's only because of a government backdown, and because you were able to legally discuss it, that things like Clipper chips never met mass adoption. You have no idea if, somewhere in that process, something did get mass adoption but was never public knowledge.

I'm the absolute antithesis of a conspiracy theorist. But if a government wants to do this, it'll happen. Strangely, your biggest champion in this area is Apple who are quite vocal about not co-operating with the FBI etc. to decrypt their own devices. It's seen them in a lot of hot water and legal costs, but they happen to basically have the wealth of a country all their own just sitting in the bank to fight such things. You can be sure that places with less funds, more government ties, or less morality have already co-operated and you'll probably never know who, when or what until it does become public knowledge (and therefore too late as it'll be useless to use so they'll move onto something else).

The NSA were attempting backdoor-inclusion into open-source encryption standards for years, and they still have questionable intentions (they have "chosen" the curves that Elliptic Curve cryptography standards use, in many cases - are they doing that because they know that those curves are strong, or that they know that those curves are weak? History isn't on the "protecting the public" side).

To think that any government is above such actions is to severely misunderstand any modern government. These people choose whether or not to murder tens of thousands of civilians to "stabilise" countries, enforce government on them, while selling them arms, buying up oil rights, etc. There are vanishingly few "moral" countries around.

In that respect, sure, you don't want Chinese kit spying on you. But neither do you want Russian, Indian, British, American, Australian, French, German or any other kit spying on you. And those are just as, if not more, likely.

Microsoft decides Internet Explorer 10 has had its fun: Termination set for January 2020

Lee D Silver badge

"This would be as good a time as any to enable Enterprise Mode to make the browser behave like older versions of IE for those pesky corporate intranet applications that insist on a specific incarnation of a specific renderer."

Or just finally rewrite those obsolete pieces of junk in something even vaguely modern with proper security controls.

Sorry, but if your product is "IE / ActiveX -only" in this day and age, you are failing at IT, it's as simple as that. Not just from a "Ooops, that's a bit old" viewpoint but because it's useless cross-platform, it's inherently insecure by design, and the warnings have been there for 10+ years.

"Legacy software" you cry? Yes. So ditch it. Like you should have before it became legacy. If that costs, then that costs, but it's like expecting a 1960s Morris Minor to be the company car and I bet that doesn't happen.

Honestly, if you even SAY the words "Internet Explorer" nowadays when on a tech support call - unless it pertains to finding out if I'm using some obsolete piece of insecure junk - then you've failed. If that's the customer's ONLY option to use your product/service, you should really get out of the industry.

I honestly judge our banking supplier (Barclays) SO harshly because their online smartcard-based super-duper sign-in to authorise payments for a multi-million-pound business has a minimum spec of "IE 10, or Firefox ESR"... and it literally doesn't work on Chrome at all. That's just so ridiculously stupid nowadays that I can't fathom why we give them the business. And that's orders of magnitude better than "only runs on IE".

If you are at all affected by this, for anything, at all, whatsoever, then you are using dangerously out-of-date software (whether "just internally" or not) and have been for years. Try doing something about that, this time round, rather than enabling backward-compatibility (a.k.a. "please pretend to be as useless and insecure as you used to be") and propagating into even greater levels of ludicrousness.

Apple: You can't sue us for slowing down your iPhones because you, er, invited us into, uh, your home... we can explain

Lee D Silver badge

Same company that testified before a court of law that their devices are only designed to last a year before breaking.

Sorry, but why anybody touches their stuff, I'll never understand.

Oof, are you sure? Facing $9bn damages, Google asks Supreme Court to hear Java spat

Lee D Silver badge

Re: Wash, rinse, and repeat.

You can't appeal unless you can pick up on a potential error in the applicability of the law that could reasonably change the outcome.

i.e. if the opposition had had a watertight case in the first place, there wouldn't be room for an appeal or the appeal would be dismissed.

It means Google has something which it believes is in error - most likely in the amount of damages awarded, which is one of the reasons that exaggerating damages claims (even if you were in the right) is a bad idea generally... the other side need only prove you were taking the mick to end up costing you even more money.

With something like this going up to higher courts, it's literally saying "the court was in error doing what it did". Not "we don't have a case, your Honour". The Supreme Court might laugh that out, or send it back to the lower court again saying "No, this part isn't right, do it again".

Endless appeals only come about from not securing your case in the first place (which is hard with a complex case, admittedly) and/or by playing off favourable courts against your opponent and not considering that they could argue that later (in which case it would be Oracle that were taking the mick, not Google).

However you paint it, Oracle suffering $9bn of damage because Google made a Java-alike solely for its Android OS is ridiculous. Especially when they have since gone through not only Dalvik but another two formats of executables that aren't Java-related at all. i.e. there's more than one way to skin a cat, and we can do them all without affecting anyone, and we don't "need" Java technology at all, not even for Java-like Dalvik.

Chances are it'll go through the Supreme Court, who'll limit the damages, and Google won't even pay half of that.

Miscreants sweep internet for unpatched Cisco kit, fears over bugged Chinese parts, Roger Stone nabbed...

Lee D Silver badge

"You don't have to be authenticated, you just have to be able to reach the router's web-based management portal."

And why would you have that visible remotely over a plain Internet connection, or indeed internally unless you're on an administrative VLAN?

It's the ridiculous logistical arrangements that companies decide to use that cause security problems, much more than the fact that someone may have found a small hole.

It's time we made systems that *ACTIVELY* prevented their poor implementation. Like refusing to expose administrative web consoles on any Internet-facing connection, enforcing administrative action only over a physically separated console cable (like we always used to do!), refusing to activate service until passwords have been changed from the default, etc.