232 posts • joined 13 Nov 2015
GCHQ pushes for 'virtual crocodile clips' on chat apps – the ability to silently slip into private encrypted comms
Re: Quid pro quo, Clarice...
WhatsApp has already gifted the alphabet agencies a backdoor to their users' chats via a new 'feature' which backs up your chats to Google Drive (unsure about the Apple version) totally unencrypted. You might disable backups, but has the other end you are speaking to?
Expect to see more of these crafty backdoor ways to your chats as well as interference with keys at the service provider end to give real time access/mirroring capabilities.
Scumbag who phoned in a Call of Duty 'swatting' that ended in death pleads guilty to dozens of criminal charges
Re: So the police bear no responsibility ?
You could count the shooting mistakes by UK police over the last 20 years on a single hand.
Even when you consider the population difference of the UK and US, the amount of bad US police shootings a month probably surpasses the last 2 decades of bad UK shootings.
Re: No headphone socket - no sale
Still have a OnePlus 1 and a OnePlus 3T, but the increasing cost and a few annoying OnePlus quirks (no automated quiet times because 'the settings may interfere with the hardware DND switch', battery issues after updates, no Daydream support even though the chipset supported it, among other things) and the increasing price made me think twice about getting another OnePlus.
Ended up getting an S9+ with 256GB of storage for such an awesome deal it worked out cheaper than the OnePlus. Obviously I had to de-bloat it with package manager as I prefer the cleaner OP experience and generally dislike Samsung, but I can honestly say I'm happy with the performance of the phone. The waterproofing and camera quality are worth paying that little bit extra for, even though I actually paid less.
I think my love affair with OP is over now. Loved their first phone but now they are becoming similar prices as other flagships and all have quirks which annoy me to some extent and have terrible support. Hurts my pride to say I like a Samsung phone too, compared to the pride of having an OPO with cyanogenmod as standard.
Re: Maybe I've just been really lucky, but...
While I had about 98% uptime/internet connection with Virgin over many years, 50% of the time it had packet loss, horrible jitter and slow speeds.
99% uptime sounds good but when you can't game or stream things due to congestion on the line and all the related problems, the uptime stat becomes a bit meaningless. Give me 95% uptime and a clean non-congested connection over a 99% uptime congested all over the place shit one.
After so many years of fibre problems, Virgin couldn't pay me to go with them now. Every FTTC service I have had since has been flawless. The network topology Virgin uses, DOCSIS, was just bad for congestion, but they can probably hide the flaws better with the higher speeds and more stream connections they use now.
Super Micro chief bean counter: Bloomberg's 'unwarranted hardware hacking article' has slowed our server sales
Amazon, Cisco etc no Angels
I can see Amazon not wanting to push this publicly, otherwise it might get mentioned how they work with the CIA and allow parcels en route to be opened, motherboards with backdoors placed into packages in place of legit hardware, then sent on the rest of the journey.
It's highly possible Super Micro has made a few modified boards for Chinese intelligence to be used in a handful of places, in a similar way the US works with Intel, Cisco, Apple, Microsoft etc to backdoor devices and software in a small number of cases.
Finding evidence when only a few are out there would be difficult. At the same time, without evidence anyone can come along and claim x, y and z and damage a company's credentials. The US have a habit of trying to damage foreign competitors of its companies. Look at all the angles they attacked Kaspersky with (even signing US gov malware with Kaspersky's digital keys) in a hope of damaging the company beyond repair. They have upped their game on these attacks since the Sony attack.
Reddit also allowed the old design to be used too when they made major changes recently. Link was prominent at the top too so easy to access.
There is an opt-out at the bottom of the Register page. It might be hidden under a floating toolbar asking you to click OK to accept cookies though, requiring you to click that before you can reach the opt-out link.
The BBC admitted to changing their staple of lots of information down to smaller byte sized generic sentences so they could fit on mobiles too. So even the stories got shit and more tabloid looking amongst all that white space.
The register shouldn't have that issue at least as stories are still a decent length.
In the past I have used the Stylish addon to change the look of sites/pages but that addon got pulled from both browsers app stores when an update started sending data back to their servers. Don't want to create security risks just to fix horrible formatting for a site.
Too much white and too much empty space. Exactly how shit the BBC site looked when they made it to look better on mobiles. No care about those that use huge monitors due to stats saying mobile users are a larger percent of viewers.
In this day and age it should be easy enough for technology to format on the fly better for mobile/large screens, yet no one seems able to do it. Web 2 may not be fit for purpose if it can't handle that.
My browser removes cookies that it hasn't blocked on exit, so I'm guessing every visit I will have to opt out.
From using the BBC site daily, I now use it once a month at best since they made the changes everyone hated. I guess I'm now going to have to find another way to view Register content which isn't so dreadful, or it will go the same way as the BBC in my viewing habits.
Re: redirecting HTTP to HTTPS
Searched for the Beefeater site yesterday and Google gave an http link which didn't redirect to https once on it, which I thought was odd for this day and age.
To view a menu it wanted my postcode and, while it's not the end of the earth for that to be sniffed, it felt too dirty to post it over http so I had to manually change it to https.
My name was a good few years of nagging at El Reg to https up, and it took Google starting to give horrible Chrome messages and lower search engine ranks to http sites before it was changed. Any company not using https now should be considered lazy and not fully competent imo.
Re: Don't assume they don't have supercomputers...
It wouldn't surprise me if they have access to be able to use every idle CPU on the Amazon cloud along with some tools that distribute the load of the job. No supercomputer needed when you can have a million computers working for 2 minutes on their section of the same job.
Re: Am I being thick ?
Apps on phones such as WhatsApp run in their own memory space, so it is not a simple task to add another encryption layer on top without rooting phones and such, which cuts out most users. A keyboard app could potentially convert what you type and copy to clipboard and convert replies, but it would be far from pretty and straightforward, which is what app users want.
The NSA/GCHQ are being crafty now and instead of asking for backdoors in encryption, they are asking technology companies to implement sly changes which mean no backdoor is needed. Skype conversations used to be peer to peer and never touched servers, so one assumes they got Microsoft to buy and change the product so all conversations went through their servers for the 5+ Eyes' benefit.
One assumes WhatsApp went out of their way to help the government agencies by adding a chat backup option, an in-your-face popup to all users asking if it should be enabled and, when they do, it disables the encryption of their chats. The backup of their chats is also stored on their servers indefinitely for the 5+ Eyes too.
So expect more sly changes like these as technology companies shout publicly that they are fighting for your privacy while still looking you in the eye as they add these privacy-defeating changes they hope you don't notice.
Integrity is not guaranteed but could be
If a hash of the page is made (with a decent hashing standard to avoid collisions) as soon as it's mirrored and that hash is stored in a blockchain or another tamper-proof method, then it can be trusted a lot more.
All it takes is for one vulnerability or a determined hacker to phish their way in to their systems and modify some content and the trust is all gone. It's no good saying the files or disk is read only when someone can change the links and results to point to their own created content instead.
Archive.org is far from perfect as evidence as it stands imo. It could be made better for evidence integrity but as long as they continue to do the great job they started out to do, that should be their main focus.
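The scheme the post above sketches, hashing a page at capture time and committing the digest to a tamper-evident log, as an added example that is not part of the original comment or of any archive's own code. The log here is a simple local hash chain standing in for the blockchain or other anchoring the post mentions; the page bytes and URLs are constructed sample values.

```python
import hashlib
import json

# Constructed sample: the bytes of a page as captured at mirror time.
SAMPLE_PAGE = b"<html><body>Original article text</body></html>"
GENESIS = "0" * 64  # previous-hash value for the first entry


def page_hash(content: bytes) -> str:
    """SHA-256 of the captured bytes: collision-resistant, so two different
    pages cannot share a digest in practice."""
    return hashlib.sha256(content).hexdigest()


def entry_digest(body: dict) -> str:
    """Digest over the canonical (key-sorted) JSON form of an entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(chain: list, url: str, content: bytes, captured_at: str) -> dict:
    """Append a record for one capture. Each entry commits to the previous
    entry's digest, so altering any earlier record breaks every later link."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {
        "url": url,
        "captured_at": captured_at,
        "content_hash": page_hash(content),
        "prev": prev,
    }
    entry = dict(body, entry_hash=entry_digest(body))
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> bool:
    """Recompute every digest and every back-link; False on any inconsistency."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry_digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def verify_page(chain: list, url: str, content: bytes) -> bool:
    """Check that content served for a URL matches the digest recorded at
    mirror time. Read-only storage alone does not give you this: a swapped
    link or replaced file still fails here."""
    for entry in chain:
        if entry["url"] == url:
            return entry["content_hash"] == page_hash(content)
    return False


if __name__ == "__main__":
    log = []
    append_entry(log, "https://example.invalid/a", SAMPLE_PAGE, "2018-01-01T00:00:00Z")
    print("chain valid:", verify_chain(log))
    print("served page matches:", verify_page(log, "https://example.invalid/a", SAMPLE_PAGE))
```

The chain only proves anything if its head digest is published somewhere the archive operator cannot quietly rewrite (the post's blockchain, a transparency log, a signed timestamp); kept solely on the same disk as the mirror, it detects accidental corruption but not an attacker who controls the host.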
Is the data not ours? Do NI payments mean we paid for the care and have data protection?
Why must my data be given away in the first place?
At no point while being treated by the NHS was I told that my data would be shared or sold with anyone. I have never given permission for my data to be sold or shared nor have I ever signed any paperwork that said that my data will be shared outside the NHS if I accept treatment.
If they start asking patients to sign away their rights, they may stop using the NHS to avoid their data being shared. This could lead to instances where for example someone who suspects they have contracted HIV may choose to not get checked/treated and go on to infect others rather than risk company x,y,z getting hold of that pseudo-anonymized (not anonymous at all) data.
Sharing NHS data in 99.9% of cases will not benefit NHS patients.
Re: So they fixed it...
Companies list what products they pay a bounty out under on Hackerone and the VPN product was not on the list. It is that simple.
There is nothing to sell black hats in this case as there is no exploit for a vulnerability. It's a data leak problem.
Kaspersky should however be ashamed of itself for supplying VPN software with DNS leak problems. They could potentially argue that the VPN is to encrypt your traffic to avoid it being read or modified (MITM'ed) while on public networks rather than for anonymity, although I have not seen how they market the product. In this day and age though, one would expect DNS traffic to be VPN'ed along with the traffic as standard for such a product.
Re: "Wrong" email addresses
I know someone with an apostrophe in their email address, due to their Irish O'whatever name. Despite the fact it's 50/50 whether the receiving email server will accept it or not, the admin has never enforced a policy that removes it when creating accounts.
What annoys me is when you have to log in somewhere else and it's not obvious they have a different country keyboard layout. Those special characters are not where they are supposed to be. So do I devise new passwords which only use the characters that don't move, say between US and UK layouts, thus weakening the password due to less entropy, or use them and struggle to log in some places?
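The apostrophe case in the post above comes down to what a validator accepts. As an added example, not part of the original comment, here is an address check built on the RFC 5322 dot-atom grammar, in which `'` is an ordinary atext character, next to the kind of over-strict pattern that rejects it. The sample addresses are constructed.

```python
import re

# RFC 5322 atext: ALPHA / DIGIT / these specials. The apostrophe is one of them.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom-text: one or more atext runs separated by single dots.
LOCAL_PART = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# Hostname label per RFC 1034/1123 (letters, digits, inner hyphens, max 63).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"
ADDRESS_RE = re.compile(rf"^(?P<local>{LOCAL_PART})@(?P<domain>{DOMAIN})$")

# A common over-strict pattern (constructed for contrast): only word chars and dots.
NAIVE_RE = re.compile(r"^[\w.]+@[\w.]+$")


def is_valid_dot_atom_address(addr: str) -> bool:
    """Accept an unquoted RFC 5322 address with sane length limits
    (254 octets total, 64 for the local part). Quoted local parts such as
    "john doe"@example.com are deliberately not handled here."""
    if len(addr) > 254:
        return False
    m = ADDRESS_RE.fullmatch(addr)
    if m is None:
        return False
    return len(m.group("local")) <= 64


def naive_accepts(addr: str) -> bool:
    """What a typical word-characters-only validator does with the same input."""
    return NAIVE_RE.fullmatch(addr) is not None


if __name__ == "__main__":
    for sample in ("sean.o'brien@example.com", "jane.doe@example.com", "bad..dots@example.com"):
        print(f"{sample:28} rfc5322={is_valid_dot_atom_address(sample)} naive={naive_accepts(sample)}")
```

The mismatch between the two functions on `o'brien` is exactly the 50/50 the post describes: the address is legal, but any system that validates with the naive pattern (or that drops the character when provisioning) will reject it. Systems that store such addresses should also treat the apostrophe as data, not as a quoting character, when they build queries or commands from it.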
Stating the opposite of the bloody obvious
You do not have to be a security genius or have a degree in politics to know the whole US attack on Kaspersky is political butt hurt revenge.
They are having to do the transparency tour to repair their business after US gov pressure against them. The CIA has previously tried to leave Kaspersky fingerprints on their bad deeds. It's open day on the company that found and reported some of the NSA malware.
Journalists asking Kaspersky ridiculous, useless questions instead of asking governments and politicians to back up their statements is half the problem. They are not real journalists. They just parrot scripted lines told to them to publish with no actual journalism done.
The comments here show that the majority of IT people think the article talks a load of bollocks and there is indeed a vendetta against Kaspersky. Nothing has changed since the banning of their product. Move along, nothing to see here. No story yet, until the actual transparency tour, and even then, going by this article, we will get another crap axe job article. It's a good job El Reg has a lot of good articles to read between the crap like this one.
Hi JV, thanks for the reply.
Having read the article I appear to have missed the fact that Troy had shared a database of hashes and the comparison was done against that. Apologies. I usually blame lack of caffeine for my mistakes as otherwise I would never make any *cough* :)
There are many variables in passwords that cross the IQ barrier. Not everyone has a job related to their IQ as ambition and other factors are involved, but if you generalise that a manual labourer may have a lower IQ than a director of a company, you may expect the labourer to have a weaker password. A fair percentage of the time it's their favourite sports team or player, with maybe a capitalised first letter and a number at the end if the signup forces those attributes. Yet a lot of CEOs will also use their sports team as a password too.
There are differences where, say, a fruit seller on a stall in London may have a football (soccer) related password while a CEO who went to Oxford might have a rugby related password, as socio-economic groups also play a part.
At the same time both groups may use a password based on a crush/partner/kids or dog or a date of birth.
Both high IQ and low IQ people know they are supposed to have good passwords. Is it down to IQ about who puts the effort in?
The article says that 215 students' hashes were in Troy's database and states this was down to bad/unsafe passwords. Wrong. They are in Hunt's databases because they happened to be signed up to websites that got hacked. There is no relation to IQ at all.
Maybe a correlation between how many sites someone signs up to, or quality of site, could be made relating to IQ but that is not what the article says.
Speed + Quality/Stability score
We still need a quality score to go with the speed in advertisements. 200mbit is no good for streaming or gaming if latency jitter is all over the place.
Something occasional browsers conned in to getting 200mbit to solve their browsing issues on the 50mbit service can ignore but gamers can use to make an informed decision.
30+ years later I still can't purge the music from a cartridge game called Radar Rat Race out of my memory. Found a Vic 20 emulator and the game cartridge turned in to a 6k rom....everything gets emulated these days.
The Action replay cartridge for the Amiga was also emulated, so I assume they did the same for the C64.
Re: We need a court action
Depends on the attacker and the tools they use. Some of the programs used to try user/email combo lists against sites also allow you to specify a public proxy list which can be grabbed from many places. So you end up with hundreds of IP addresses with random User Agents with a bigger gap in time before a particular IP/proxy gets used again.
Some of the better tools allow you to specify a timeout before retrying with the same IP so you work out beforehand what triggers the captcha and adjust settings accordingly.
A captcha at every login would help, but I hate with a vengeance having to fill in captchas every time I want to log in somewhere. Even then, it's easy to add code to a tool to cover sending the captchas to a usually Indian-based site where they charge you a fraction of a penny for each captcha solved on your behalf by an army of people employed to do so. 2captcha and anti-captcha are two such services. 50 cents for 1000 solved captchas, 2000 people online, 8 sec solve time.
Re: To root or not to root
Probably easier and quicker for them to get the info via XKeyscore thanks to Tempora mass collection, and it will be up-to-the-second logs compared to sync + database integration once a day or week. But if you read my comment again, you will notice I'm not wearing the tin foil hat in this case anyway, so a moot point.
However, injecting payloads when the IP of Russian arms suppliers browses badly SSL'ed sites....
To root or not to root
It appears the only security angle they look at with .gov sites is whether it is secure from being rooted. Anything else doesn't seem to matter to them except for a working website. The fact that browsers have now started acting on bad SSL setups has exposed the bad config and bitten the admin on the ass.
Although in other areas I would be happy to don the tin foil hat and say the bad ciphers and config is to make it easier for GCHQ to log data, inject payloads and other shenanigans, these .gov issues are just down to bad administration.
Also, our favourite El Reg was a long holdout for SSL despite having a login form for users. Hence my username.... It was only when Google said they would list sites lower without SSL that they were forced to move their butt into gear and add SSL. The bad publicity might be enough to make the gov sites fix SSL issues, but a lower search engine ranking might do the job faster.
The GEOIP location data is based on what the ISP/owner of the Netblock registers the location of the IP to be at.
So while one ISP might register a block of IPs to their local office location or even a head office, some will be more accurate and give a town or village name for a set.
Re: Why not openVPN?
My VPN provider has their own client with lots of options but it acts more as a frontend to OpenVPN with extras. You can choose ports, RSA 4096, scramblesuit, tor-obfuscation etc which get passed along as parameters to openvpn. Obviously the extra code for that gets installed with the client, at least with their Linux client.
A few VPN providers probably have something similar.
You mean like anti-terrorism law RIPA being used by half of councils for waste and littering offences or BBC for licence enforcement?
This is exactly what the committee is getting at and I am impressed they have stuck up for everyone with a decent argument. Yet nothing will change, making the whole thing pointless.
Re: Correction needed
I also have a OnePlus 3T which can handle VoLTE, but it won't work on Three as they refuse to add it to the VoLTE list. No reason for them not to add the support other than the fact they don't sell the phone themselves.
The Three inTouch app is utter shite and it annoys me that I am expected to use it on a phone that supports VoLTE natively but is nerfed by the Three network.
From what I understand, other networks do it too. So it's not as if I can switch to another provider to get VoLTE working on my current phone. My mobile pet peeve beyond the obvious broken SS7 protocol.
Mueller bombshell: 13 Russian 'troll factory' staffers charged with allegedly meddling in US presidential election
That is the hypocrisy here. In many countries, including the UK and the US, teams of people are paid to try and influence the elections for the team that employed them. Sometimes under the banner PR, sometimes through leaking negative information about the other party and using friends in media to publish it.
Lots of nasty tricks can influence elections, but it's only bad if the Russkies do it.
It amazes me that the world knows that most of the world's emails are intercepted and stored by the big intelligence agencies, yet someone doing a secret job against the NSA went and emailed home to their parents confessing their crimes about covering their tracks from the FBI. Seriously?
Backed my first Indiegogo project last year and the buttons say you are claiming a perk for that amount now. So Indiegogo has already got around that issue and rubs its hands clean of having to help its site users again.
That might be why Indiegogo seem happy to let people use its platform to fleece customers of their money.
After being five months late with hardly any updates or communication, the campaign director of the project I backed has only sent a few of the backers the item, even though he now sells the same item on his website which you can buy and get straight away. Obviously he will get more selling them through his website than the original Indiegogo campaign, so he has decided to sell them there instead of giving them to the backers.
Try getting Indiegogo involved to get some communication or action taken and they just don't want to know. Would not touch Indiegogo with a barge pole in future.
Oh, and their whole refund system does not work. Plenty of people are asking for refunds for the same project, but because the project is overdue, Indiegogo say you have to get it back from the campaign manager. When the campaign manager refuses to answer any emails about anything, let alone delivery or refunds, Indiegogo do not care and will not help in any way whatsoever. If you try and progress things they just don't reply either.
Sham of a company IMO. /Rant
Logs from security guy....
Around the time this was happening, a flaw in the template used by many of the DDoS sites and re-sellers of VDoS was found. Through this the logs could be snarfed among other things.
So it appears the FBI used data hacked from the systems of the stress testing site to get the info needed to get this guy. Saying it was provided by someone else gives them the ability to do this without questions asked on any cases they want?
The guy is obviously stupid enough to get caught anyway but the method is questionable imo.
CD drawer won't open
A few years ago, working for a well-known insurance company, a user logged a call to say the computer would not read her CD and the CD drawer would not open to get the CD back out.
Upon visiting it was clear she had no CD drive in her desktop. I asked where she put the CD and she got another CD and started to poke it into the thin gap between two blanking plates. She had just pushed the previous CD through the gap into the frame of the PC.
Re: "A third country might offer a new couch"
"Although the Ecuadorian embassy is now no longer under 24-hour surveillance by the police."
That's what they want you to think...
Probably a lovely antique clock on a shelf opposite the Ecuadorian door with a lovely crystal 720p lens, backed up by an in-house informer.
The article quotes him as saying 'highly likely' which is different from confirming they did it.
A bit like America's 'high confidence' of weapons of mass destruction in Iraq.
So they are not 100% sure but they are making a statement now that sounds like they are, as the political timing is right due to action they want to take towards NK.
Re: RE: NonSSL-Login
I side with you on the UK sovereignty issue. But you yourself were probably labelled racist by some because of your anti-EU stance if you said so publicly.
If you had aligned with UKIP or this Britain First in an attempt to get out of the EU, as they were the only group/party interested in leaving the EU, then there is a chance your social media accounts could be deleted by Twitter or whichever platform, going by these recent deletions.
Like it or not, Twitter and Facebook heavily influence voters. Censoring one point of view and not others influences votes.
UKIP getting so much support frightened the conservatives in to giving the referendum so as not to lose more votes. Social media played a big part in getting the referendum to happen.
What happened in England for years was anyone who mentioned the problems uncontrolled immigration was causing was instantly shot down with the 'racist' tag, stifling debate on the matter. The end result was years of the issues getting worse until enough people voted for Brexit.
If UKIP and its supporters were banned from Twitter back then (which I think they would be if Twitter had started banning accounts back then), the Conservatives would not have been forced to offer a referendum on the decision to stay in. Brexit probably wouldn't have happened. Whether you think that is a good thing or bad is not the point though.
So Twitter has the ability to steer countries' political direction by choosing what people can and can't see, which is bad. Is it doing its owners' bidding or, being an American company, America's bidding?
Think past the bigger picture of 'Group A' I disagree with = bad, 'Group B' that I agree with = good and agreeing with bans based on that simplicity.
The minute you enter my local Maplins you are watched like you are a prolific shoplifter by the young staff there, who pretend to tidy up hanging things at the end of every aisle you are browsing. More unnerving than the ridiculously high prices for some things.
They may never be able to compete with online mail orders shops on price but some of the prices seem to be just fleecing customers who don't have a clue. If they had more sensible prices I would buy more there and accept the premium for having the item instantly.