
* Posts by Cynic_999

1398 posts • joined 15 Aug 2013

London fuzz to get 600 more mobile fingerprint scanners

Cynic_999
Silver badge

Too one-sided

Best thing to do is refuse to submit to having your prints taken on the street. If the police officer has sufficient grounds to believe that you have committed a crime, they should arrest you so that you get a free lawyer and start the clock ticking. If they don't have sufficient grounds to believe that you have committed a crime they should be leaving you alone rather than carrying out speculative identity checks on people who happen to be in a particular area on the grounds that there are bound to be one or two illegals amongst the hundreds checked.

Or maybe wet your finger with a plastic solvent before pressing it against the officer's scanner.

10
0

Three more data-leaking security holes found in Intel chips as designers swap security for speed

Cynic_999
Silver badge

Re: Looking at the wrong holes

"

It would be interesting to think how this could work for, say, a machine running a web browser. You'd need (say) all the JS that you ever ran from anywhere to be signed, or you'd want formal proofs of non-maliciousness of the JS.

"

No, you just have to ensure that the JS interpreter that the browser runs when it downloads js ensures that no js program can ever do anything naughty. Similar to running it in a sandbox. It should not be possible for any script or plugin etc. downloaded from a web site to be able to access anything on the PC except a harmless portion of the system. It's the *browser software* providing the security, not the hardware, so only the browser needs to be signed and trusted.

1
0
Cynic_999
Silver badge

Re: Looking at the wrong holes

"

Otherwise what exactly is the point?

"

Which was exactly *my* point - there *is* no point in trying to gain such software security because it's like trying to nail jelly to the ceiling and you're not going to achieve it 100%. Anything significant that you *do* manage to achieve in the CPU itself will be at the expense of performance. If you cannot set up a VM to be as safe as the main OS, run it on a physically different machine.

17
5
Cynic_999
Silver badge

Looking at the wrong holes

In my opinion nobody should be expecting to rely on the hardware taking care of software security, and in many ways it's a great pity that it was ever attempted. If I understand correctly the original idea was only to protect against buggy software *accidentally* causing mayhem, not to protect against a deliberate attack.

Once any malicious software has managed to get itself running on a computer it will always be able to do damage by one means or another. Effective security means preventing anything malicious being executed by the CPU in the first place, just as you protect machinery from sabotage by physically shielding it (or the entire building it's housed in) in some way; you do not design it with gears that can withstand a spanner being poked between them, you prevent the spanner from getting to the gears in the first place.

I develop embedded systems, and in critical systems, in order to protect against a malicious firmware update, all new code is signed with a private key that exists only on a secure machine within the company. All firmware contains the same public key used to check the signature before the code is flashed to memory or executed.

Of course a malicious actor with physical access could remove the Flash memory and substitute firmware that contains no checks, but that's not the threat that's being guarded against. A person with a hammer could also crash the unit!

11
41
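The signed-update check described in the post above, as an added example that is not the poster's or any vendor's code. It assumes a constructed image layout (4-byte length, payload, Ed25519 signature) and a public key baked into the firmware; the private key stays on the release machine and only the signed image ships.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update-image layout for this example:
//   [4-byte big-endian payload length][payload][64-byte Ed25519 signature over payload]
const sigLen = ed25519.SignatureSize

// SignUpdate models the release step on the secure build machine: the
// private key never leaves it, only the signed image is distributed.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	img := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(img, uint32(len(payload)))
	img = append(img, payload...)
	img = append(img, ed25519.Sign(priv, payload)...)
	return img
}

// VerifyUpdate is what the running firmware does before it flashes or
// executes anything: parse the image, check the signature against the
// embedded public key, and only then hand the payload on.
func VerifyUpdate(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 4+sigLen {
		return nil, errors.New("image too short")
	}
	n := binary.BigEndian.Uint32(img)
	if uint64(n) != uint64(len(img)-4-sigLen) {
		return nil, errors.New("length field does not match image size")
	}
	payload := img[4 : 4+n]
	sig := img[4+n:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return payload, nil
}

// RunScenarios exercises the check the way a firmware team would test it:
// a genuine image is accepted, a one-bit tamper is rejected, and an image
// signed with a key the device has never trusted is rejected.
func RunScenarios() (genuineOK, tamperRejected, wrongKeyRejected bool) {
	// The company's key pair; in production the public half is a constant in the firmware.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("CONSTRUCTED FIRMWARE IMAGE v2.1 (not real code)")
	img := SignUpdate(priv, payload)

	got, err := VerifyUpdate(pub, img)
	genuineOK = err == nil && bytes.Equal(got, payload)

	tampered := append([]byte(nil), img...)
	tampered[4+len(payload)/2] ^= 0x01 // flip one bit inside the payload
	_, err = VerifyUpdate(pub, tampered)
	tamperRejected = err != nil

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an untrusted key
	_, err = VerifyUpdate(pub, SignUpdate(otherPriv, payload))
	wrongKeyRejected = err != nil
	return
}

func main() {
	a, b, c := RunScenarios()
	fmt.Printf("genuine accepted=%v tamper rejected=%v wrong key rejected=%v\n", a, b, c)
}
```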

Linux 4.18 arrives fashionably late while Zorin OS shines up its Windows

Cynic_999
Silver badge

Wanted to try but couldn't

It sounds interesting - especially the "lite" version that I will try out on a 15-year-old Dell PC with limited memory that sometimes struggles just a little with Linux Mint. But they sure make it difficult to find the buttons needed to download the free versions - it doesn't bode well for the design of the user interfaces. (Hint: it's disguised as a "Buy Zorin Core Now" donation button defaulting to a 10 Euro charge, but you can change it to 0 Euro, which gets you to the free download screen.) Their default automatic download site brought up an error, but hitting the "download now" button eventually initiated a download from Sourceforge.

8
0

US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old

Cynic_999
Silver badge

I heard that ...

China hacked the voting system and downloaded all of next year's election results.

4
0

Hackers can cook you alive using 'microwave oven' sat-comms – claim

Cynic_999
Silver badge

Re: Risk to people?

"

Ummm lots of satellite Ariel (ariels, whatever) point towards earth ?

"

Only the ones on satellites, which are too far away to present any safety concern wherever the aerial is pointed. Oh - and satellite systems are not usually connected to the Internet, and the control channel has very strong security.

0
0
Cynic_999
Silver badge

Re: I truly hope so

"

Or are you not counting GPS as satellite communications?

"

Not within the parameters of the risks postulated by this article, no.

GPS is completely self-contained. It does not have a control unit (the aerial is fixed), and is not connected to the Internet, so I really fail to see how it could be "hacked".

Oh - and the GPS is still only an auxiliary system for navigating a commercial airliner. The main navigation is done via inertial nav and/or ground stations (ADF, VOR, DME, ILS etc). Pilots are told not to rely on GPS position. In addition ground stations would soon pick up on an aircraft straying significantly off-track.

1
0
Cynic_999
Silver badge

Risk to people?

The location of steerable antennas on aircraft and the vast majority of ships (whether steered mechanically or electronically) means that the aerial cannot physically (or electronically) be lowered to a declination where it could irradiate people. There is never any need for a satellite aerial to point below the horizon so they are not designed to be able to point below the horizontal. Aircraft satellite aerials are situated on the top of the aircraft (for obvious reasons), so cannot ever point at anyone inside the fuselage. Almost all ship aerial systems are mounted a fair bit above the height of the top deck, so again cannot be aimed at anyone on board. Outside of the main beam angle the EIRP is too low to be any safety concern.

Satellite comms that use non-steerable antennas emit barely more energy than a mobile phone at max power, so are no concern.

13
1
Cynic_999
Silver badge

Re: [no need to] communicate off the aircraft

"

"[The company] assumes all responsibilities for analyzing engine data in real time* to manage customers’ engine maintenance and maximize aircraft availability.

"

That's strictly one-way. Data is sent and possibly analysed in real time, but nothing is sent back to the aircraft to change the engine's settings. If the live data indicates a bogus problem then the most that would happen is an unnecessary delay at the next stop for an engineering inspection (which would quickly find that the live data was not the same as the data recorded on-board).

3
0
Cynic_999
Silver badge

Re: I truly hope so

"

Should we therefore "presume" that none of the control systems use SATCOM, not even as a redundant backup for reason a, b or c.....

"

Yes, you may safely make that assumption. Satellite comms are not used for flight control, only for communications. You could possibly feed erroneous position information to ground operations (though that does not include ATC), but not to the flight crew or flight systems.

5
0

Devon County Council techies: WE KNOW IT WASN'T YOU!

Cynic_999
Silver badge

Re: dispatch or despatch

"

So how many people reading this would write "despatch", where did they learn their English spelling, and when did they learn it?

"

"Despatch" was the way I was taught in the 1960s.

2
0
Cynic_999
Silver badge

Now we know what is acceptable ...

Maybe the guy should send them a cheque for 60p and when they complain that the fine is £60 he can say, "I'm trialling a new cheque printing software, so sorry, can't be helped."

26
0

Phased out: IT architect plugs hole in clean-freak admin's wiring design

Cynic_999
Silver badge

Re: Wiring limits

"

...rather slow web browsing. Eventually had a look at the switch stats and found it's negotiating at 100Mb instead of 1000Mb

"

You won't notice the difference between web browsing at 100Mbps and web browsing at 1000Mbps. The data is probably coming over an Internet link at below 100Mbps anyway. It's far more likely that the switch keeps re-negotiating the link speed due to long wires or Cat5 rather than Cat5e wiring being used - just configure the PC or router to fix the LAN at 100Mbps and it should be fine.

9
0
Cynic_999
Silver badge

Is that legal now?

Decades ago when I had to read up on electrical regulations in order to re-wire my father's house which was supplied by 3-phase mains, there was a regulation that clearly stated that all the (single-phase) plug sockets in the same room had to be on the same phase.

So I assume that either that regulation has been rescinded, or there is now an exemption for server rooms?

1
0

Top Euro court: No, you can't steal images from other websites (too bad a school had to be sued to confirm this little fact)

Cynic_999
Silver badge

"

What if you can't find the copyright holder? Are you supposed to just not use an image in case there is a copyright?

"

Let's say I want to use a bicycle. I see a bicycle parked outside a shop, but I have no idea who owns it in order to ask them whether I might borrow their bike. Am I supposed to just not use the bike in case there is an owner who doesn't want to let me borrow it?

6
3

'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist

Cynic_999
Silver badge

"

Given that cryptocurrency wallets are open to all to view - only the most idiotic physical attackers would not check the wallet's contents. <...> I would be very nervous if I held any significant amount of cryptocurrency in a nation with kidnapping for profit..."

Yes, you can easily find out how much cryptocurrency a wallet with a certain ID holds. But how do you find out who owns that wallet? And how do you find out the ID of a wallet a particular person has? If you were to buy something from me using BTC, I would create a new wallet and transfer the amount you want into that wallet before transferring it to you. You can trace both transactions, but for all you know the fat wallet belongs to a BTC vendor that I bought the BTC from to pay you.

0
1
Cynic_999
Silver badge

Re: No need to hack anything?

"

... you lose your imaginary money.

"

It is no more imaginary than the bits of coloured paper or plastic in your wallet, or the magnetic ones and zeros on the HDDs of your bank's computer. Earlier this year I enjoyed a very nice holiday in a distant and exotic land paid for entirely by what you are calling "imaginary money".

7
2
Cynic_999
Silver badge

"

What next? "Incredible: You can die of poisoning if healthy food is mixed with poison" ?

"

You can see that, yet you fail to see the stupidity of a food producer who sells loose items of food while claiming that their product cannot be poisoned. Planting malicious code that transmits passwords to a 3rd party is an extremely common method that hackers use to gain unauthorised access. If I can plant a backdoor in a device by gaining physical possession of it for a few minutes, then it cannot possibly be described as "unhackable." At the *very* least the case should be made such that it would be obvious if someone had opened it.

7
0

UK 'fake news' inquiry calls for end to tech middleman excuses, election law overhaul

Cynic_999
Silver badge

Re: Easy solution ...

No, only the people who believe that voting is more important than Twitter or Facebook would get to vote. Which I submit would be a *good* thing.

2
0
Cynic_999
Silver badge

Easy solution ...

Don't allow anyone who has a social media account to vote. QED.

9
3

Sysadmin trained his offshore replacements, sat back, watched ex-employer's world burn

Cynic_999
Silver badge

On the other side of the coin ...

I've known employees who attempt to make themselves irreplaceable by deliberately obfuscating and hiding data. One guy had been responsible for carrying out most of the data wiring in the building when we moved the main server/telecom room. Each cable and outlet was clearly marked - with a completely different number at each end! Only he had a translation table, so if a network or phone line needed to be re-patched to a different location, he was the only guy who could do it. Until we needed something done while he was on vacation so I spent an entire long weekend tracing, swapping, re-lacing and re-labelling all the cables so they were in a logical order with the same reference number at both ends.

22
1

This is the contract you've been looking for: Pentagon releases JEDI bids

Cynic_999
Silver badge

Security?

Wouldn't it be far more sensible to keep servers containing military information inside a military facility with strictly controlled access? I should think the average grunt employee of a commercial outfit might be tempted to clone a HDD or 10 if offered a large sum by someone in Iran, China or Russia.

7
1

Windows 10 Insiders see double as new builds hit the deck – with promises to end Update Rage

Cynic_999
Silver badge

Re: Update Hell

"

(isolated via military grade firewall and air gap with data paths routed through a learning algorithm that only lets packets through that contain no data that might be malicious)

"

If it's air-gapped your firewall and learning algorithm would appear to be somewhat redundant.

0
0
Cynic_999
Silver badge

Re: Whats wrong with

"

"Your windows PC needs updating.

please schedule a day and time within the next 7 days to download and update your PC

<open time and day manager window>

"

The thing that's wrong with it is that I don't want MY computer to dictate what *I* must do. Perhaps I am doing something that must not be interrupted for even a second, and that unasked-for window that just popped up has caused me to wreck £1000s of remote controlled equipment. Would you be happy if all of *your* goods had a similar policy .... e.g. your 'fridge says you must order more yoghurt within the next 2 days or it will order 4 litres from the local supermarket immediately. Your CH boiler says you need to order new loft insulation within 7 days or it will switch off all heating until you do.

17
0

2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Cynic_999
Silver badge

Re: Depends entirely on the risk

"

Actually there are many ways that an attacker with a tiny foothold on the network could use that foothold to elevate their privileges and gain access to far more resources.

"

You have "gained a foothold" onto this site by logging in to comment. Explain how that makes it easier for you to elevate your privileges.

1
0
Cynic_999
Silver badge

Depends entirely on the risk

I have a login to my company's private server, but there really isn't much damage that an attacker could do, because all that's on it is my daily calendar (when I bother to update it), current project status, leave applications and a few other things that allow damagement to get a basic picture of employee availability and what we are all currently working on. We are not a high-profile company doing secret stuff that leaked project statuses would be of benefit to anyone.

If there's nothing that really needs protecting, then anything that makes things a bit more difficult to log on is a disadvantage. Not many people fit steel doors with separate deadbolt locks on all 4 sides of the door to their house, because in most cases the risk is not high enough to warrant the expense and inconvenience of doing so. If however you were at significant risk of murderous attack, it might be worth doing.

3
2

British Airways' latest Total Inability To Support Upwardness of Planes* caused by Amadeus system outage

Cynic_999
Silver badge

Re: Amadeus

"

Given that I plan on getting from point A to point B in one piece, fuel loading and weight and balance is something that's calculated before every flight.

"

Why? If you calculated the W&B once, why do you believe it is necessary to do so every time you fly with that same (or very similar) load? The answer won't change because it's a different date!

I would calculate W&B if I was taking an unusual or marginal load, but in most cases I would be quite confident that full tanks plus 3 passengers (say) would be well within W&B unless the passengers were grossly overweight. But if I was taking 5 passengers plus luggage, then sure, I'd do a full W&B calculation to determine how much fuel I could carry (and yes, I'd weigh the passengers).

0
0
Cynic_999
Silver badge

"

Some can, but it's not accurate enough for reliable use. Sloping aprons, uneven tarmac, and wind will all throw off the calculation

"

It will not always give a 100% reliable figure, but will certainly catch gross errors that are large enough to cause a disaster.

1
2
Cynic_999
Silver badge

Re: weight calculation

"

You do these calculations before you load the cargo into the plane. Having the plane measure it and then say "oops, that's outside the safe limits, you need to unpack and rearrange" is sort of not helpful...

"

It very much IS helpful for the pilot to know that the ground crew has loaded some heavy freight in the wrong hold, or failed to load such freight because it was delayed. Because it is far better to know that the W&B is out of limits when the aircraft can be unloaded and re-arranged than to only realise after take-off when the pilot does not have enough forward elevator authority and the aircraft stalls into a housing estate from 500 feet.

Or to get at least some advance warning that all the passengers are walking to the back because the steps for the front door have not arrived, and the aircraft is just about to tip onto its tail (has happened more than once).

4
0
Cynic_999
Silver badge

"

Calculating its total weight is one thing, but calculating the distribution of the weight is a different matter.

"

The aircraft sits on three legs. This is sufficient to be able to calculate the total weight and 2-axis C of G (which is all that is required). An electronic load cell is not expensive, and could be fitted to each landing strut (though would have to be done at the design stage, I doubt retro-fitting would be possible).

Alternatively the pressure of gas in the oleo would surely be proportional to the weight on that landing strut? A pressure sensor on each oleo could probably be retro-fitted.

1
5
Cynic_999
Silver badge

"

Just make sure you have the passenger numbers to start with. Its known as plan b

"

Weight & balance could indeed all be calculated by the pilots or some simple software, but it's a bit more complex than that. The load sheet is used by the ground handlers to know what items to put where - which is determined by things other than just weight. Aircraft carry freight as well as passengers and baggage, and not only would the pilot need to have a list of all the freight & weight thereof (which he would not get if the computer is down), but will also need to know the volume and shape of that freight and any special requirements. Putting 5 items of freight weighing 2500kg into the forward hold may be great for the weight & balance, but the items might not all physically fit into that hold.

Then there's a multitude of restrictions that the aircraft captain does not necessarily know about. The MRI scanner mustn't be placed in the forward hold because its magnetic field could upset the navigation systems. Certain types of live animals must not be put in the same hold together (dogs and snakes for example). There are lots of chemical combinations that must not be transported in the same hold. Fruit & veg should not be placed in proximity to fresh fish. Plus 1001 other rules that the pilot would not be expected to know but the loadmaster must take into account when preparing the load sheet.

32
0
Cynic_999
Silver badge

"

Surely it would make more sense for the plane to calculate it's own weight & balance

"

Yes, my thoughts exactly. Would just need a suitable load cell in each gear strut. I've never seen a satisfactory reason as to why it's not done.

2
5

Spectre rises from the dead to bite Intel in the return stack buffer

Cynic_999
Silver badge

How serious is it ... really?

Yes, I've read the descriptions and the theoretical attack vectors of these CPU vulnerabilities. And am left wondering whether anyone would in practice be able to write an exploit that actually achieved anything useful for the exploiter except in a minuscule percentage of occasions.

1
1

Wearable hybrids prove the bloated smartwatch is one of Silly Valley's biggest mistakes

Cynic_999
Silver badge

Re: Shopping lists?

"

Am I really the only one that doesn't need a list when I go out, and instead just live with the consequences when I get home and the discoveries of The Forgotten© are made?

"

My normal method is, "Shit, I'm out of shampoo!" Get out of shower, dry, dress, go to supermarket. Come home with 5 carrier bags of stuff. Put away. Get undressed, enter shower. "Shit! Forgot to buy shampoo!"

32
0

Trump wants to work with Russia on infosec. Security experts: lol no

Cynic_999
Silver badge

Fox in the henhouse?

ISTM that the "fox in the henhouse" analogy in the article is just as true from both sides. From Russia's POV America is the fox and Russia's cyber-security is the henhouse. Your enemy's security measures tells you a lot about their probable attack strategies (because people tend to ensure that they have a defence against their own methods of attack).

4
0

'Fibre broadband' should mean glass wires poking into your router, reckons Brit survey

Cynic_999
Silver badge

Better in the 3rd World

I was staying a few weeks with a friend in Nepal. My arrival prompted him to get an Internet connection. He ordered it around 17:00 Sunday, and the router was installed and fully up & running in the house by 10:00 the next day (Monday). Bit of a bird's nest at the top of the pole and the fibre cable not routed all that elegantly around the walls of the house, but it was definitely fibre all the way, not an inch of copper. No deposit required, no line rental, no installation fee, pay the first year's subscription after trying for 7 days. He chose the 35Mbps unlimited data option at £120 per year (up to 125Mbps was available IIRC). In the past 6 months it has had one 4 hour outage (lorry crashed into the pole outside his house and brought it down, snapping the fibre cable). They also have 5G in many places in Nepal. And that is very much a 3rd World country. I get better quality video calls to him than to another mate in the U.S.

5
0

EmDrive? More like BS drive: Physics-defying space engine flunks out

Cynic_999
Silver badge

"

that's not how science is done in *my* field.

Yes, models exist, but the *models* are adjusted to match the data, not vice versa.

"

That's the difference between a scientist and an engineer. If asked what 2+2 equals, the scientist will reply "4" and the engineer would close the door and whisper, "What do you need it to equal?"

0
5
Cynic_999
Silver badge

"

Would you like to give concrete examples rather than making vague accusations of malpractice?

"

ITYF the poster was referring to Global Cooling. I mean Global Warming - erm - make that "Climate Change"

0
1

US military manuals hawked on dark web after files left rattling in insecure FTP server

Cynic_999
Silver badge

Re: Of course, that's the stuff they found ...

It's marked with the original source, sure (i.e. the legitimate owner who was hacked), but that's no impediment to the thief who is selling it anonymously, nor to the buyers who know that they shouldn't be reading such documents.

12
1

Google offers to leave robocallers hanging on the telephone

Cynic_999
Silver badge

"

If I don't have your number plugged into my phone as a contact, your phone call doesn't ring, or get answered.

"

All very well if you are 100% certain that you will *never* want to speak to anyone you don't know. Mother rushed to hospital? You'll never know because you won't get the call. Wife had a car accident and her phone got lost/broken in the accident? You'll be blissfully unaware. Delivery driver cannot find your address so is calling you for directions from his mobile? You'll find out in a few days when you call to find out what's happened to it.

16
5

Foot lose: Idiot perv's shoe-mounted upskirt vid camera explodes

Cynic_999
Silver badge

Re: The real question is: did he want to get arrested?

"

.. couldn't think of a plausible innocent reason for having a camera mounted in his shoe in the first place

"

He would obviously have removed the shoe + camera before visiting ER, and there's all manner of stories that would explain something catching fire close to his foot. Like dropping a Samsung onto it, for example ...

3
0

Disk firmware can kill a whole cluster how exactly? Cisco explains

Cynic_999
Silver badge

"

Luckily they are still 50% more expensive than regular drives ...

"

No, they are about 10% more expensive - and in some cases the same price depending on supply & demand. You may well be using a SED yourself - unless the SED function is activated it behaves like a non-SED HDD so you wouldn't necessarily know.

SEDs make it easier to comply with certain standards, and where you are holding sensitive information that requires that nobody can get access to your data-at-rest, it provides a faster system because there is no overhead of software encryption.

Then when it comes to selling or disposing of old equipment, all data on a SED can be rendered unreadable in about 10 seconds while still leaving you with a serviceable HDD. Compare with many hours per TB required to securely wipe a conventional HDD.

3
1
Cynic_999
Silver badge

"

have the same cleartext encrypted with 2 ciphertexts

"

Except it is extremely difficult for anyone to get access to the ciphertext because it is never sent outside the HDD. And even if you know that you have 6 different copies of the same data, each encrypted with a different key, I'm not sure that it will make the task of decryption any more successful.

0
2

Boffins want to stop Network Time Protocol's time-travelling exploits

Cynic_999
Silver badge

Who cares?

It's all relative anyway

2
0

Potato, potato. Toma6to, I'm going to kill you... How a typo can turn an AI translator against us

Cynic_999
Silver badge

Re: Hmmm

It's a strange fact that if the first and last letters of a word are correct, the order of the rest of the letters doesn't matter too much, the human brain will interpret it correctly.

0
0

The butterfly defect: MacBook keys wrecked by single grain of sand

Cynic_999
Silver badge

You're using it wrong

Apple's products are not designed to be taken into environments where contamination is an issue. They are designed to be shown off by posers and admired by sycophants, preferably while stored inside hermetically sealed glass cases. Use as props in films showing impossible computations being achieved effortlessly is also permitted so long as the apple logo is very prominent.

1
0


Happy birthday, you lumbering MS-DOS-based mess: Windows 98 turns 20 today

Cynic_999
Silver badge

I still have a set of Win98SE floppies. I expect many readers remember sitting feeding them one at a time, and having to fetch a spare when the inevitable disk read error occurred.

5
0

Intel CEO Brian Krzanich quits biz after fling with coworker rumbled

Cynic_999
Silver badge

Re: Similar thing at HP

"

Who can say if relationship is consensual because the underling feared being fired?

Who can say if the underlings are trying to seduce their managers to get a promotion?

"

IMO it doesn't matter WHY it is consensual, so long as it genuinely is consensual. Or should we decide that any sex is rape if one of the parties hopes to gain some advantage or avoid a disadvantage from the relationship?

If an employee reckons they were fired because they refused to have sex with the boss, then that's a matter that should be dealt with the same as any other allegation of unfair dismissal, and if proven THEN the boss in question should be fired (and face criminal prosecution).

If they are doing it to gain approval & promotion, then it's no different than any other way of arse-licking (except in this case it might be literal).

23
6

The Register - Independent news and views for the tech community. Part of Situation Publishing