Posts by Lee D

Re: Obsolescence?

Just because it runs Gingerbread, doesn't mean it can't be up-to-date.

I'm not saying it's the case (probably cheap Chinese stuff never gets updated at all) but going from Android Gingerbread to Marshmallow is just unfeasible and like forcibly upgrading everyone on Windows 98 to Windows 8.1. That's never going to work and even if it did, it's not going to go down well.

But there's no reason that vendors can't push out patches to any version of Android to patch the same bugs, in the same way that Vista still gets "critical" security patches.

To be honest, in my mind, the constant forced upgrade is much more of a pain than anything else, because it's NOT the case that Android G devices can happily run anything past that anyway, but I don't want to have to change phone every damn year.

My smartphone is currently on the latest vendor-supplied patch (Android Marshmallow at the moment). It pissed me off no end when a simple security patch that was required radically altered how my phone works and looks.

What we need is a separation between "security patch" and "feature addition" such that security patches can ALWAYS be applied to an OS, but feature additions requires the user's consent. We used to have that. Now it's gone.

Technically, that wouldn't matter. They could have stole every item in the shop.

You can't then ban ALL black teens from the store because of that. You can increase security. You can insist no more than X amount of people (of any colour) in the shop at any one time. You can do lots of things.

If you want to know if something is racist, replace the race with any other attribute.

"A group of vegetarians were removed from the store. Henceforth, we were ordered to not let any other vegetarians into the store from that point onwards."

If it sounds stupid when you do that, it's probably racist.

It's always been the case under EU data protection that your data can't safely pass through the US anyway. This is why Facebook et al set up EU data centres and refuse requests from US authorities to just pass on information.

The Internet, from your ISP onwards, is still - and always has been - an untrusted connection. If you're transmitting things in plain-text through it, even to next-door, then you're at risk of your traffic being snooped and need to protect, encrypt, VPN, etc.

This won't make any difference to that.

However, I do love the irony of all those years of having US people accuse the UK of playing "Big Brother" when in reality they are years ahead of us in that regard.

Spam is pretty easy to filter.

If you're not already refusing non-CLI phone calls and using your mobile's blocklist features (you do have a modern smartphone right?), then the number you get is pitiful. Get the apps that automatically looks up those "who's calling" lists for any number you don't already know.

And then you just blacklist anyone who gets through those measures and tell them why.

If the only way you can sell to me is to phone me up at random, without permission, on the off-chance that I might want to buy whatever-it-is, at that exact moment, from that exact company only, then you're really dead in the water anyway and there's no way I'd want to do business with you.

I have to say, HP resellers - and HP themselves - are doing this to me at the moment. I wouldn't mind but there's literally not a single piece of HP hardware or software anywhere on the site, and hasn't been for over a decade.

Bother me once, I'll take your details, make no promises, let you send to my work email.

Bother me again, within six months or a year, no problem.

Bother me more than that, blacklist. And I'll tell you why.

Yeah, it's "just one email to check in" but multiplied by every business in the UK that might want to do business with me, that's a ludicrous amount of unnecessary emails.

Personal users, there's no excuse. Unless I've literally signed something saying yes, the answer is no.

My landline doesn't get answered, it just goes to voicemail.

My phone doesn't get answered if I don't know who you are, it doesn't even HAVE voicemail.

Both are on TPS.

My email I can just click Spam and that's the end of it.

Bother me past that, and I'll just blacklist your company forever in both walks of life, personal and professional.

Re: I don't get it

I'm the same.

Terrible memory for virtually everything EXCEPT those things I desperately need to remember.

Passwords of obscure accounts that other people use once in a blue moon aren't one of those.

But I still know them.

Alternatively, I have a password file stored encrypted on a USB stick (actually two) in the safe in my workplace, if I REALLY need to save them and/or I get run over by a bus.

Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place that only the relevant people (me, my boss - who's data controller and won't reveal it) know is there and/or know the password to, and that it's inside a box that reveals if you've tried to tamper / access it (and hence is checked regularly whenever the passwords are updated)?

Get a clue.

Ask people who have iPhones and iPads if they know about it.

Ask them if they know it's an in-place upgrade of the thing that holds all their photos

Ask them if they've read the release notes (which the article says don't mention it)

Ask them if they are on the public beta (the existence of which doesn't mean anything).

I don't buy Apple - My reason for not doing so is very simple - I manage several hundred Apple devices.

And an in-place filesystem upgrade is NOT something that you push with an update without even mentioning it in the release notes or giving people a chance to opt-in rather than just doing it.

Re: Sounds reasonable

Slight exaggeration there.

Re: Pah!

Cables beat radio every time.

It's not hard to see why, or to find proof in your own house.

Cables are dedicated, cables are isolated, cables are point-to-point.

Wireless is shared, wireless is subject to interference, wireless is to a sphere of a radius

I can put 10Gbps down a Cat6a cable, to as many cables as I have.

I can't put 1Gbps in a room in my house without it dividing by two the second a neighbour turns on theirs, or another device comes online.

Same principle applies to landline/cabled broadband vs mobile broadband. And the day it DOESN'T work like that, mobile broadband is dead because how are you going to provide the backhaul needed to the cell tower anyway?

The rule of thumb I use for everyone who complains about their login speed over wireless:

Expect wireless to be 20 times slower than a cable, in ideal conditions.

It seems to hold pretty well. That one-minute login with your large roaming profile will take 20 minutes over Wifi.

Although 4G is quite impressive, you can't expect people's demand to lessen, or the network's to improve in-line. I barely get a few Mbps to my phone most of the time. Enough for a stream or a download and really handy for browsing compared to the GPRS days, sure. But if I need to download a large backup, ISO or VM image or similar, I'm going to be plugging into a real connection.

Re: How can you not notice?

I don't care what YOUR SYSTEM can refund.

YOUR COMPANY will refund me for 18 months of non-provided (and non-providable) service.

Quite literally, it's theft as they've taken your money and not provided the promised service, if there's no phone line to provide it on.

Both of which are worse than just securing your machine (not letting people see you type your passwords), choosing sensible passwords (* long, not complex) and not running third-party software with access to EVERYTHING on your computer, including an explicit list of every password you've ever used, anywhere, ever.

Like antivirus - the only program to run as SYSTEM, begin at startup, run for every user, intercept every possible file access on the entire machine, able to hide anything it does, not let itself get shut down, connect to the Internet, update itself automatically, and even nowadays run your firewall, decide what can get out or see packets, and what can come back in, often with remote-support tools built in. Yeah, that's not a recipe for disaster.

(*) Human-rememberable passwords are WAY outside brute-force limits - just make sure they are LONG, not faff around with fancy characters in your potential alphabets. Starting with just an ordinary alphabet, a character added to password length would make the password 26 times stronger, while including a new character (e.g. an asterisk) into the alphabet itself only makes it 1/26th stronger. STOP IT.

Re: bypassing CCTV is easy

Bypassing it is easy.

Doing it without arousing suspicion is hard.

Most CCTV systems have an "image obscured / power fail" alert that detects when a camera is obscured, damaged or disconnected and alerts people.

And such alerts - because they NEVER happen - generate much more suspicion than anything else. Hell, you can even have it set off the house alarm when that happens if you like, it's that rare.

Re: That's funny, isn't this the same as how the stock market works?

Not exactly sure that I agree either is really a crime.

"Hey, John, this product is so fabulous you should buy shares!"

John does so.

Shares turn out to be worthless.

As far as I can see, John kinda deserved that by not doing his homework.

Now if they were fiddling the accounts, or putting out false sales figures to make the stock prices rise, that is indeed fraud.

But bigging up worthless shares? Not sure I see the problem with that. The only people hurt are those stupid enough to believe advertising.

Re: Radical new idea

IrDA and the like has indeed been around forever.

And site-to-site infrared / microwave systems too.

They have serious problems that stop them being used for anything other than consumer toys (IrDA way surpassed by Bluetooth, line-of-sight kills anything but use over your own land or free space).

Been trying to convince my employers to put in site-to-site-links but the only places that can "see" are in positions that would show the ugly, and they disapprove.

Instead, we spend £10k a year on a Virgin leased line and another £10k on a BT leased line at the other end (because no one supplier covers both areas... sigh). When I can see each building from the other. Just a shame we don't own all the land in-between because I'd just get them to chop down a couple of trees and problem solved.

Re: Never knew...

Offtopic but - the single most stupid rule for a rotational movement.

Technically, for your identity to be stolen you would have to have been permanently deprived of it.

Therefore, if what you say is true, you are literally nobody.

Identity "theft" is really identity "fraud". There is no permanent deprivation of your identity.

If they used fraud to steal your money, they have deprived you of the money. They have stolen your money VIA committing identity fraud. Obtaining goods/services by deception.

Like software "piracy", identity "theft" doesn't exist. Unless they kill you in the process. But even then the charge would be murder and fraud, not theft.

Re: Forget 5G

People get confused here.

A cable, fibre or copper, gives you what's promised, and only tends to get more as time goes on (ADSL->ADSL2->VDSL, DOCSIS->DOCSIS2->DOCSIS3, etc.). You are sharing it with your street, but can be guaranteed a portion of it.

A speed on wireless / cellular is HIGHLY variable and totally out of your hands and will ONLY get less with time as more people jump on. And the old devices will make your new devices slower. You are sharing the connection with anything in a sphere of a certain radius and there are no guarantees.

It's a bit like Ethernet - Gigabit to every single machine is easily doable. Gigabit wireless to even half-a-dozen devices is almost impossible to guarantee in any significant way as you're sharing, say, 802.11ac between six before you even start. Adding more points makes more noise too. Whereas adding more cables makes things faster (LACP, etc.).

I use the rule-of-twenties. It takes one minute to download your network profile on a wired connection? It would take 20 minutes to do the same over wireless. This is why you don't use wireless, especially in crowded environments or for more than web browsing.

5G would be no different. Technically, it can give amazing speeds. In real life you'll get a pittance just larger than the previous pittance, which will get less as more and more people use it.

Re: I see what you did there

Since when has The Reg been Apple-loving? They can't even get a quote from them any more.

Re: Maybe ....

Lenovo kit is okay.

It's their home-based junk that got loaded with all sorts but what kind of place doing any serious deployment doesn't just image over the computers, even if they are brand-new.

My place is entirely Lenovo (IBM Bladecenter servers, Lenovo clients) on the PC side, their hardware is pretty bullet-proof. The laptops aren't bad (IBM Thinkpad legacy), the desktops are solid yet cheap. Their Chromebooks leave something to be desired but are in the same ballpark as Acer, Asus, etc.

Pretty much, they have the business side down. Their problems in the home-market are self-inflicted but I'm not sure most people would even recognise the Lenovo brand, and certainly won't understand its history.

200+ desktops deployed, into the fourth year soon, not one failure - not even a hard drive.

Re: hmm

Private schools are far from doing what they like.

We have exactly the same child protection and e-safety problems as any other school, plus a bunch of pushy parents threatening to remove funds all year round if their darlings don't pass standardised exams with top grades every time.

With the ISI etc. breathing down your neck as vehemently as Ofsted.

Re: Ping

No, they said that having ping enabled made it a visible attack vector - which is hilarious as the connection in question offered SMTP, HTTP and HTTPS among others.

PoD is old-hat caused by people expecting packets to be compliant with RFCs, which is a stupid assumption in any network-connected system.

Re: Astrophysicists think

If you have enough on-board energy to slow down, you could just use the same amount of onboard fuel, travel at half the speed, be able to stop and start yourself, and not need some complicated interplanetary laser system to help.

It just doesn't really add up.

Re: Code injection.

Do you think the vetting process tests every possible code path? Do you think it even can?

Do you think you hand over your source code to Apple for testing, or a pre-compiled binary?

Do you think you can't just put "Test this website DNS entry, is it X.X.X.X? If so, be a virus" into the code and have it slip past ANY app review process?

Even if you have to obscure it, have you seen how easy such obfuscation is?

Even pretending that you're auditing such code is just smoke and mirrors, I'm afraid. There are no guarantees whatsoever even with the most skilled reverse engineer on the other end. Modern apps are tens of megabytes of compiled binary.

Stop relying on some guy at Apple who has seven millions apps to approve before Monday to spot things.

Just make sure that your permission model means they CAN'T ACCESS those hidden internal APIs, that they can't gain permissions they weren't given, that they can't interfere with other apps or data not explicitly given to them (e.g. via "Share" or other IPC) and that they can do no worse than run up your CPU time.

But, of course, that requires a proper security model rather than smoke-and-mirrors.

P.S. There is still an app - for the last three years - on the Apple iTunes store which is a full VPN, advertised as "break through your school filters", which is rated suitable for ages 3+, and Apple refuse to change it because "it's up to the app developer" (I have the emails if you'd like to see!). But Google Chrome, official app, is rated 18+ because it "lets users access the Internet).

Apple couldn't care less about you. All they want to do is stop you bypassing the app-store to do things.

With multiple SIP trunks at my disposal? Not a lot. Especially once you call the BT abuse line and just tell them to intercept your line for an hour because of the harassing calls. BT don't much care for such things and have ways to block it upstream and take you out of business past a certain point. Did it to a bank, who got threatened with all their phonelines being disabled (they had an automated dialler that went potty and just kept dialling the same number, no CLI, but soon after BT intercepted it I got a phone call from the managing director of the bank to apologise).

I don't answer non-CLI calls and it takes only a few seconds to add certain groups of international numbers for, say, a few days to a very, very, very long and boring phone menu that costs me nothing to send them through, doesn't disturb or interfere with my system at all, but costs them a lot to dial and listen to.

(Last time someone tried to pull similar stuff it was actually a UK letting agent I was dealing with, who didn't have anything at all techy in the way of a switchboard, and I pissed one of the call-centre guys off so they thought it would be funny to keep ringing from all their different numbers and from withheld numbers. So I called their call centre direct - always argue prepared - and when they realised who I was, i.e. the guy they were trying to spam for sport, they kept hanging up. So I jammed their phone lines solid for 30 minutes with automated calls and scripted it to ring me only when they decided to stay on the line for more than a few seconds. Basically, I carried on with my day and just waited for the phone to ring which meant they actually wanted to talk rather than hang up or play pranks. They confessed that they couldn't do any business for all that time and eventually relented and dealt with my complaint - after threatening all kinds of things that never happened. Probably cost me about £10. I think it cost them a LOT more. Worth every penny for the phrase "No, look, we're sorry, please stop")

Problem with relying on server bounces? Server bounces end up creating more spam than the original messages, because you can't verify that the address to bounceback to is correct. The only thing that guarantees the server that is sending to you got the message is an error response in the SMTP session itself. Which is easily ignored and not propagated back to the original sender because... you can't verify the original sender's email address if you're the endpoint or a transport server somewhere in the middle of the conversation (e.g. a mail forwarder). And if you don't have the correct settings and suspect that bounceback email isn't genuine, you CANNOT send a bounceback and if you do, likely you're distributing spam on their behalf, etc. anyway.

Email is fundamentally broken in this regard, as are the associated standards which say you MUST send bouncebacks no matter what, etc.

Until someone re-invents email, there is no guarantee of delivery or timeliness.

"I'm going out on a limb here, but I guess they get the foil from the kitchen."

So prisoners are walking out of a kitchen with a concealed metal object, back to their cell, where it's stashed, traded and used and nobody notices?

This is exactly my point. There's a problem right there.

Re: Optional DR/Resiliency

The number of times that I've had to explain this:

If you want a backup system, it will cost you what the real system cost, again, and a bit more for whatever tech to make it fall over.

And, yes, that functionality, hardware, processing power, storage, etc. will NOT be available to you to use. It will literally be idle (from a user point of view, but hopefully replicating etc.!) most of the time.

If you want something that tolerates a failure, you have to buy two of them and one of them does nothing all day long but wears, depreciates and costs just as much as the first. If not, it's not a suitable replacement.

And then you get into the depth you take this to - a redundant disk is just another disk. A redundant array is just another array. A redundant server is just another server. But a redundant site is another site. A redundant datacentre is another, fully-funded, fully-functional, datacentre. That sits and does nothing but can break in exactly the same kinds of ways over time.

And then you have to have a controller card, or another storage array, or a licensing for the server and software to make it failover, and site-failover logic and hardware, etc. on top of that cost.

I'm currently working at a place that can put a value on their data. They very nearly lost everything, and it would have cost an awful lot to get back running, let alone try and get their data back. Thus their DR is "proper" as they realised how much it would have cost in time and money, realised how much it would cost to avoid that (including my salary, for instance) and choose the "good" side of the coin.

As such, despite being a tiny employer by global standards, we have remote sites, remote servers, remote backups, full remote operation in an emergency, redundant leased-lines, redundant cabling around the site, redundant servers and all the logic to tie this together nicely.

But to secure System A against failure requires System A and System B of the same spec - MINIMUM - sensibly System C and maybe System D as well, plus the additional licensing and logic to fail them over and complete copies of EVERYTHING on them all. So you would have to pay 2-5x the total price your system cost originally, just to do a basic job of it.

When you do the maths, that STILL works out better than data loss, however. But nobody ever costs data loss properly until it happens and they realise how much it REALLY costs in terms of lost custom, legal requirements, hassle, time and money, the complete INABILITY to recover some data (no, you can't just post it off to 'a specialist' and expect anything to come back except a bill), etc.