Posts by David Roberts

49'ers ground?

Have you been in the area and looked around?

Pretty damn bleak and desolate even in March/April.

Not surprised that any cables (plus probably loads of other stuff) gets lifted from time to time.

ISP blocking

Just wondering how many botnets are in locations where the ISP could be expected to co-operate (or even give a shit).

Trend Micro Botnet Map

suggests that a hell of a lot are in the USA so if this was just a push for our US friends it could have significant impact globally.

Policing at the PC seems the logical thing to do - in the same way that everyone SHOULD be running a capable anti-virus package on their Windows PC (and this does seem to have sunk into the general conciousness) everyone SHOULD be able to run anti-botnet software (although I think that argument just sank underneath me as most botnet infections are probably due to lack of protection from anti-virus packages).

Problem is that the argument starts to smack of "terrist - and think of the children" because a capability which can snuff out botnets can also do loads of really undesirable things to your PC at the whim of someone over whom you have no economic or political control.

The other issue is Microsoft. If this initiative was a cool new optional feature with Linux Mint, for example, it might get a more favourable reception. Nobody trust M$ any more. Which may be one reason why M$ are trying to be all "fighting for the customer against the man" at the moment.

One thought - M$ regularly ship an update which searches for "malicious" software. Could this not search for botnets?

Another thought - policing at the SOHO router? Although this would have the same issues as with policing at the ISP if VPNs were used to conceal the traffic.

Bottom line - attacking botnets at source on the infected PCs is the logical way to go. The worry is that the cure will be worse than the disease.

Virtual Cloud?

Just had an uncomfortable vision of Google deploying their cloud by front ending Azure, who in turn were deploying their cloud by front ending Amazon.

Much like the dodgy financial derivatives which boosted the apparent size of the market by investing in each others products with little real customer money involved.

Just back from NZ

As far as I could tell it was cheaper to buy fuel from BP without a discount than from Z with the discount.

Still more expensive in the UK. £1 per litre is about $2.20 per litre.

Anyone remember Jam ECHELON day?

The basic principle being that ECHELON was known to intercept communications and search for key words so a day was nominated to flood communications channels with as much traffic as possible with as many keywords as possible so the system would be unable to cope.

We already know that the TLAs cannot process the level of (non-encrypted) intelligence they already gather in any meaningful way so providing a back door into encrypted communications isn't going to solve the current problems any time soon.

There is already a huge amount of background noise from SPAM and social media to obscure any meaningful traffic in clear.

So one response to mandated back door encryption would be to roll over all the currently "clear" traffic to use the new wonder safe but transparent government approved encryption method.

Presumably perfectly legal unless someone wants to pass a law that only illegal traffic can be encrypted.

Meanwhile content encrypted on your computer (as with encrypted content in email messages) and not using the new back door method should be nicely indistinguishable from mundane traffic.

Online banking would, of course, remain a concern.

I assume the real aim is to ensure the collection of meta-data from the session and not to gather/inspect the content but if all traffic is encrypted by default this may increase the load on the snoopers with no real benefit. Then again, most web sites these days apart from El Reg seem to be going to HTTPS so we may be partly down this route. Is the main concern mobile Apps which can establish secure tunnels between handset and server without the traceability of HTTPS sessions?

Given the current tools and skillsets it shouldn't be too hard to develope a "Crimchat" App which is opaque to interception.

Which I suppose brings me back to the start. If mandatory back doors are implemented then perhaps everyone should install a copy of "Crimchat" in protest.

[I think Apple and WhatsApp at least may already be ahead of the game here.]

Hot fill washing machines

AFAIK these were phased out because by the time you had run all the cold through to get some hot water the washing machine was full.

OT for smart metering of course.

For the Kiwi posting to this thread, the mention of easily switching between suppliers is a dead giveaway. For this to work the smart meters would have to be built so any supplier could read any meter. It is suggested upthread that this is not possible. So the benefits of doing it right do not currently (!) apply in the UK.

Performance vs security?

AFAIK one reason that more and more functionality is being crammed into the processor chip is to increase performance by bringing everything closer together.

To follow the security advice, everything should be in discrete auditable packages.

So are we now at the point of "fast, cheap, secure - chose any two"?

In related news

The Government promises to alert us to possible Microsoft snooping.

Aurora Australis?

Any chance of Southern Lights?

Or does the Aurora favour the winter latiudes?

Further

http://www.theregister.co.uk/2014/01/15/mountain_bike_mishap/

Kudos for publishing over the Christmas break.

Shame the proof reader was drunk and incapable.

Intersting article, though.

Already in use?

Wonkypaedia suggests that this status code is already used by Microsoft.

"451 Redirect (Microsoft)

Used in Exchange ActiveSync if there either is a more efficient server to use or the server cannot access the users' mailbox.[68]

The client is supposed to re-run the HTTP Autodiscovery protocol to find a better suited server.[69]"

So interesting times if this part of Exchange is ever exposed to web crawlers.

Just checking

Was the outsourcing to manage the same contracts and the same staff and magically save money?

Or was it to reduce the number of supply contracts e.g. get down from 8 to 2 suppliers?

If the latter there might be eventual savings, however during the time you are running the old system and implementing the new system your costs will obviously be much higher in the short term.

Sounds as though someone said the equivalent of "we can replace 8 systems at 100k each with 2 sysyems at 250k each - there you go, 300k saved ". Without the magic "from year 3 onwards" or "there may be some additional short term expenditure during switch over".

Encryption in the client?

If you have a side channel to securely exchange keys (which could for example be hidden on an SD card) then you can encrypt all your data on your local device and then send it over a clear connection.

Not much the service provider can do then, apart from reporting you for sending encrypted data.

I guess the issue with the spooks is providing the feature to unskilled users and making things too easy.

Well, cup of concrete time. Harden up and do it the old fashioned way with feet on the ground

Conspiracy or cockup?

Did some naive engineer stick in some "special" code just to make support easier. Avoid all this juggling of one time passwords for remote support? Saw this kind of thing done a long time ago and people who should have known better didn't think "security breach" but thought "isn't that clever".

Too late to enter...

.....but should it be anything else but the Gentleman Loser?

Although El Reg staf in general may not immediately get the reference (judging by recent past performance). :-(

Not really mentioned

What is this expected to cost?

Eurocrats don't care. They will have unlimited broadband paid for by the rest of us. Their only problem is licencing restrictions.

Media suppliers would have to extend their platform to handle authenticated streaming over the Internet and/or broadcast from additional tramsmitters (satellite or terrestrial) with suitable encryption. Could be a use for those card slots in the back of TVs that nobody seems to use.

Travellers would have to pay for access via the new broadcast platform or Internet. Note that this is for residents who are temporarily abroad not for ex-pats who would be expected to have a decent Internet connection.

It would make a tablet with a 3 SIM quite attractive with the roaming deal but generally a short term mobile contract is limited on data.

So of most interest to ex-pats who would find a way of fiddling it. Oh, and Eurocrats of course.

Show me the risk

Family has a Galaxy S3 and S4. Well out of date and updates, but so far we haven't apparently been ripped apart by hackers .

So what is the real risk of bad things happening to the average Joe? Or do you have to root your handset, sideload software and visit dodgy sites before you get attacked?

Good idea, crap implementation?

It is always helpful to be able to confirm that a website domain has been maintained for several years, and not very recently registered to a dubious name somewhere in Delaware.

This is not a guarantee that the website is genuine but it is a pointer in the general direction.

Useful when you see a potential bargain on t'Internet which looks slightly too good.

If someone declines to provide details this is also a pointer. This should be less of an issue for personal web sites which aren't asking for credit card details.

I did note that there was an option to log into your account. Always a better route than clicking on an email link.