Re: Beware survival bias
I've got an original run X220T, Model M from 1986, and enough spare parts to service them for years to come. If they're ephemeral then I must be a ghost, and you'll have to take them from my ghostly ectoplasm-covered hands.
Posts by ds6
315 publicly visible posts • joined 17 Jul 2017
The Wristwatch of the Long Now: When your MTBF is two centuries
The Reg produces exhibit A1: A UK court IT system running Windows XP
HP Inc to Xerox: If you complete a hostile takeover, and try firing our chief exec, you will pay...
Sadly, the web has brought a whole new meaning to the phrase 'nothing is true; everything is permitted'
Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments
Tuesday 3rd March 2020 16:56 GMT 
Re: Get rid of the commercial middlemen
Read the FIDO2 spec and you will see it is not inherently evil. It is perfectly workable by corporations, businesses, and end users without compromising security. It is not designed to track you and is not really capable of doing so. All communication is voluntary and E2E—no middleman, unless the the service you signed up with decides to use another service to authenticate you, but FIDO2/WebAuthn is simple and well supported enough that it should not need such a thing. Whether or not that will change in the future is up for debate, but if FIDO/U2F is still supported by the spec despite being obsoleted, I think there's hope FIDO2 will be supported for a long time coming.
There are plenty of other authentication modes and open source libraries/example code that you can choose from if FIDO2 isn't your cup of tea, including OTP-HMAC which is also widely supported.
But like others have said, this article is about Azure, which is already fundamentally compromised in the sense that your data is no longer in your own datacenter. The argument on whether or not FIDO2 is respecting of your privacy etc. is moot when the whole platform may or may not and there's no 100% sure way to know.
Hey, fatso. If you're standing desk-curious, the VariDesk Pro Plus won't break the bank
Tuesday 3rd March 2020 12:42 GMT
Re: Who cares about the desk?...
I have a 1982 M with the removable PS2 cable, and it is the most comfortable keyboard I have ever used, even more comfortable than newer M's. After a bit of oiling the keys have the perfect weight and travel for my hard-hitting fingers. I mash my keyboards like a gimp by his domme.
Unfortunately is is pretty clear with Unicomp that the original moulds are wearing out, as it's easy to see in the resulting plastic where they have patched up and repaired them. They also seem to use the newer variant moulds that aren't as thick and deadly like the older one I have. Keys don't fit as well as original M's either. Unicomp definitely put in a lot of effort and care into theirs, however; and if you want a "new" Model M with USB and mostly original tooling, it's your best if not only bet.
Also, their new compact versions are their own designs and feature new moulds, so the production value on them is much better.
What I really want now is eithet an original Model F or one of those reproductions that fellow made from that one website—you know, that guy.
Sophos was gearing up for a private life – then someone remembered the bike scheme
NASA's Christina Koch returns to Earth as the longest-serving woman astronaut – after spending 328 days in space
RIP Katherine Johnson: The extraordinary NASA mathematician astronauts trusted over computers
It is with a heavy heart we must inform you, once again, folks are accidentally spilling thousands of sensitive pics, records onto the internet
Call us immediately if your child uses Kali Linux, squawks West Mids Police
Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked
If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this
Saturday 8th February 2020 16:25 GMT
Re: Annoying tho
I still refuse to use Pale Moon for the whole petulant children incident, and WaterFox phones home just as bad as mainline does. And even if I hate that Mozilla killed off XUL and Jetpack, there aren't a whole lot of reasons for me to go back, since everything I need has either been ported or its functionality recreated; there's also no denying that Quantum is leagues less heavy and significantly faster than old Firefox/Pale Moon.
IceCat and Ungoogled Chromium work just fine for me at this point.
Google's OpenSK lets you BYOSK – burn your own security key
Tuesday 4th February 2020 13:23 GMT
Re: It's all very fascinating
There are multiple ways to use security keys like this. The FIDO2 spec is the standard right now so I'd look into that if I were you. There are multiple modes you can use with it, including private/public key-based authentication, one-time keys that cycle based on an algorithm known fully only by the device (and can be solved on the authenticating end using the number yout device spits out), and third party PKIM authentication where you set up a chain of trust like you mentioned and the third party is contacted to verify your identity with a signed root certificate.
Here are some useful links to see how the technology is used in practice from a low but not too low level:
https://docs.microsoft.com/en-us/azure/security/fundamentals/ad-passwordless
https://developers.yubico.com/#learn (features all U2F modes!)
Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption
Saturday 1st February 2020 14:51 GMT
Re: Extracting encrypted data?
Technically all encryption can be broken, the only reason it's considered safe is it will take a very, very long time with current methods and technology to defeat it.
More directly, the length of you password doesn't matter if your phone is already booted and has been unlocked once, as the decryption key can be siphoned out of /data/misc/vold; encrypted partitions are not unmounted when your phone locks, even if you trigger Lockdown. Your password is only used to unlock the phone and to encrypt the key used to encrypt the /sdcard filesystem (and other filesystems/per file encryption). Keep in mind there are sometimes 20-30+ partitions on an Android device, varying by vendor/ROM, and only a handful of them are encrypted.
If you have Xposed, Magisk, root over ADB, or root shell available and the passwords for any of those are either not enabled or easy to guess, then data can be easily exfiltrated. I don't think Xposed Manager, EdXposed Manager, or Magisk even have the ability to lock module installs behind a password.
It could also be possible to attack memory, flash a new bootloader, attack proprietary firmware like the baseband and/or wireless controllers, or use social engineering to get you to install a malicious APK.
Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped
Saturday 1st February 2020 14:28 GMT
Re: State is not county
Not all county jurisdictions are equal. Some municipalities don't have the ability to override the state like in this situation. It's understandable they got caught up in this, even if it could have been avoided.
Lest we forget, Sheriff Big Pants could have said "oh makes sense" and just left. The instigation was all due to not wanting the state to have its way, not because the guys were innocent or guilty. They were about to be sacrificed in the name of political bickering.
Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?
Saturday 11th January 2020 20:51 GMT
Re: late capitalists
Just because people don't mind paying exorbitant prices doesn't mean they are not paying exorbitant prices. The guy stated that service costs are high and made no attempt to attack anyone that owns one, nor was it implied. You are pushing a false agenda.
I want to try assuming intent too: It sounds like you are in the group of people that own one of these vehicles and feel the need to vehemently defend yourself over any percieved criticisms in order to validate your expensive purchase. Wow, that was fun!
Sometimes shining a light on a nuclear problem just makes things worse
Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear
IT exec sets up fake biz, uses it to bill his bosses $6m for phantom gear, gets caught by Microsoft Word metadata
Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers
Mozilla locks nosy Avast, AVG extensions out of Firefox store amid row over web privacy
Saturday 14th December 2019 23:29 GMT
Re: fajensen
Nice comeback, bro.
If you're gonna complain about an antivirus product doing what it advertises re: SSL (actually, it's TLS...) then you should probably look into CloudFlare MitM on probably 80% of sites you visit; guarantee you'll blow a gasket. Even el Reg used to use them, seems like they don't now though.
Hundreds charged in internet's biggest child-abuse swap-shop site bust: IP addy leak led cops to sys-op's home
Wednesday 30th October 2019 15:52 GMT
Re: Bitcoin anonymity
There is a common misconception that because most cryptocurrencies including Bitcoin are not managed by a central bank or controlled by a government that they are anonymous. I do believe that's the reason for our good friend bob's sarcasm. Or I could be way off the mark and bob's blown a gasket again.
Monday 28th October 2019 05:11 GMT
Re: Bitcoin anonymity
See:
It's only as anonymous as the individual allows, i.e. if you make no attempt to hide your identity you will be easily found out.
Of course, it is possible to obscure transactions and launder coins—and based on the article they may have tried to do so—but the point I was trying to make was that there are cryptocurrencies out there that are altogether better at it without the user having to do anything. Still the only completely untracable way is to remove any third parties and mine your own.
Remember that competition for non-hoodie hacker pics? Here's their best entries
Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!
Monday 28th October 2019 08:37 GMT
Re: What price Photoshop?
Wish we would have when they killed off Device Licenses, and for three months did not offer an alternative; meaning no CC for our clients in the labs, despite the fact that materials had already been updated for it. Imagine how many schools were thrown out of whack when their device licenses just stopped working.
Help! I bought a domain and ended up with a stranger's PayPal! And I can't give it back
Tesla has made a profit. Repeat, Tesla has made a profit – $143m in fact
Monday 28th October 2019 04:49 GMT
Re: Smart Summon used "more than one million times"
When I say "anonymize" I more readily mean clumping data sources together and stripping as much metadata as possible.
For driving locations, I would be fine with generating a heatmap based on mass grouped datasets, eg. Model 3 users drove around a lot in LA. Anything more I believe to be entirely irrelevant to anything except tracking individual driving patterns and improving GPS navigation. Of course, there still is a problem of single drivers being in weird locations like you said, but I normally take a stance against all telemetry so it's not like I've ever put that much thought into it.
For tracking statistics, you could keep vehicle-local controls that trigger thresholds to eg. indicate safe vs aggressive driving, and pass on a limited subset or set with reduced accuracy on to the server. This (and any delivered data) should not be bundled together, eg. so that location information cannot be mapped to driving style.
And of course the user should be able to disable all of this as they see fit, as no matter how anonymized every system has a risk factor.
Biting the hand that feeds IT
