* Posts by Daniel B.

2846 posts • joined 12 Oct 2007

The injected JavaScript used to smash anti-Great Firewall of China GitHub projects offline

Daniel B.
Silver badge

Wrong Language!

Uninstalling Java won't do anything. The stuff they're using is JavaSCRIPT, which can only be dealt with by either NoScript or by disabling JavaScript on your browser. But the latter would break all those Web2.0/HTML5 bloatware eye candy so the only real solution is NoScript on dodgy websites.

0
0

Bye bye, booth babes. IT security catwalk RSA nixes sexy outfits

Daniel B.
Silver badge
Boffin

Re: As someone from the con / geek community

As you see more and more busy body wannabe tech feminists (as opposed to women with actual skills) enter the tech circles... you'll see more and more of this.

It has even infested DEFCON. The one last year had Hacker Jeopardy get PG-ified as Vanna Vinyl didn't strip down on that edition, due to insistence of the feminazis. (Note: "feminazis" and "feminists" aren't the same thing. "Feminazis" are the radical zealot subgroup within the feminist movement, but not representative of feminism as a whole.)

I might get RSA banning booth babes, but DEFCON? That's just ruining the fun in an event that isn't meant to be business-oriented or PC at all. Reading this thread pretty much talks for itself.

0
0

How a hack on Prince Philip's Prestel account led to UK computer law

Daniel B.
Silver badge

Re: It was dial-up in more senses than the link....

Yes, that's how it reads given that Maggie Thatcher was involved in it. Another black mark on her history of oppression...

3
5

One API to rule them all: The great network switch silicon heist

Daniel B.
Silver badge

Solution looking for a problem?

This has the very distinct smell of being a solution looking for a problem. The only people worried about switch dev code are switch vendors themselves. Why add a useless API to that stuff? Packets aren't going to be routed easier with them. Switches and routers have to do minimal functions at very fast speeds, the less code they have to execute, the better. Why bloat it with something that isn't even needed? It's not like I'm going to install IOS on a 3Com switch, which is the only thing I'd see this API being useful for.

0
0

FREAKing hell: ALL Windows versions vulnerable to SSL snoop

Daniel B.
Silver badge
Boffin

Re: Bork IE<9

The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?

Yes, unfortunately TLS 1.x doesn't mean that EXPORT ciphers are disabled at all. I've tested a couple of sites, and TLS still can negotiate EXP-RC4-MD5, which makes cryptographers' eyes bleed. The problem is that EXPORT should have been removed from the default set of ciphers at least a decade ago.

0
0

Storm in a K-Cup: My SHAME over the eco-monster I created, says coffee pod inventor

Daniel B.
Silver badge
Facepalm

Re: Never made it to civilisation.

Here in the civilized world we have Nespresso which really is an environmental disaster as the composite aluminium and custom plastics are prohibitively expensive to re-cycle.

The Nespresso is the Nescafé-branded version of those awful things. And no real coffee lover would be seen even close to drinking Nescafé. Yeech!

9
10
Daniel B.
Silver badge
Stop

Hipsters

I'd guess it's the hipster version of "brewing" coffee. I decided to give the whole fad a pass, thanks to the first ones being marketed over here having the Nescafé brand. You know, the instant "coffee" made from coffee bean skin scraps and other assorted garbage. No self-respecting coffee lover would ever drink Nescafé, never mind a Nescafé-branded coffee pod.

The DRM just makes the whole thing even stupider. Screw that, I'm using a regular drip coffee maker. I'd even grind my own beans if I could, but alas, I don't have a grinder.

7
7

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Daniel B.
Silver badge
Boffin

Re: keyword: either

OpenSSL, out of the box, is not suitable for use by developers and administrators who don't want to be bothered learning anything about SSL/TLS.

Pretty much any crypto API is not suitable for use by anyone who hasn't at least read something about SSL/TLS. I'm really surprised about the number of devs, webmasters and sysadmins that had no idea about the existence of EXPORT ciphers at all. This is something they should know because a lot of them actually worked with the "international browser" versions from the late 90's which had the stupid 40-bit restriction hobbling SSL.

There's also a very high amount of developers who use self-signed certs in production environments. Another good bunch that outright disable SSL certificate validation to get their stuff to work, basically opening up their security infrastructure to MITM attacks within the organizational network. You've probably noticed that this sounds a lot like how SuperFish does SSL ... well, this is why those devs thought it was normal. They're used to doing this.

Oh well, at least some security-related products will have some kind of FIPS mode available. It's probably worth flipping that switch on as it will disable all EXPORT and LOW ciphers by default, including 3DES which is probably bound to be cracked in the near future.

1
0
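The two habits the post above describes, validation switched off to "get their stuff to work" and a cipher list that still carries EXPORT/LOW suites, side by side with the corrected setup. This is an added example using only Python's standard `ssl` module; it is not code from the post or from any product mentioned on the page. The cipher string and the `FORBIDDEN` substrings are my choices, and `weak_suites()` only inspects what the context would offer, it does not connect anywhere.

```python
"""The 'make it work' TLS client setup beside a hardened one (stdlib ssl only)."""
import ssl

# Substrings that should never appear in a negotiated suite name (my list, not the page's).
FORBIDDEN = ("EXP", "RC4", "DES", "NULL", "MD5")


def insecure_context():
    """The pattern the post complains about: certificate validation switched off so
    self-signed or mismatched certs stop raising errors. Any on-path party presenting
    any certificate is accepted, so the connection is trivially MITM-able."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")              # whatever the library build offers, weak suites included
    return ctx


def hardened_context(cafile=None):
    """Verify chain and hostname, require TLS 1.2+, and strip export, RC4, 3DES,
    anonymous, null and MD5 suites so they can never be negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES:!MD5")
    return ctx


def is_verifying(ctx):
    """True only if both the chain and the hostname are actually checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def weak_suites(ctx):
    """Names of suites the context would still offer that match FORBIDDEN."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in FORBIDDEN)]


if __name__ == "__main__":
    print("insecure verifies:", is_verifying(insecure_context()))
    print("hardened verifies:", is_verifying(hardened_context()))
    print("hardened still offers:", weak_suites(hardened_context()))
```

`weak_suites(insecure_context())` will list whatever your OpenSSL build still ships (recent builds drop RC4 and the EXPORT suites at compile time, older ones do not), which is exactly why a cipher string that excludes them explicitly is worth keeping in code rather than trusting the library default.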
Daniel B.
Silver badge
Boffin

Same here

BlackBerry OS 6.0.0.534 invulnerable as well.

I would test it on OS 7.1.x but my 9790's logic board died 2 weeks ago.

0
0
Daniel B.
Silver badge
Boffin

Re: WTF?

I wouldn't see this as a minor flaw as long as the browsers support it. Yes, if the server doesn't accept EXPORT keys, it's a non-issue. But at the time of writing, 2 out of 4 banks I've tested are vulnerable to this. As long as these sites remain unpatched, this vuln will remain serious.

2
1
Daniel B.
Silver badge
Boffin

There is one use for EXPORT in OpenSSL though

I use it all the time to check for exactly this kind of stuff:

openssl s_client -connect www.my.site.with.ssl.com:443 -cipher EXPORT

I've been checking for both this and TDES usage since 2011. I've also made a point of disabling EXPORT, RC4 and TDES ciphers on whatever service I'm configuring from scratch. This is something that everyone should know about, but seems to be noticed only when someone discloses it.

I'd leave EXPORT support on OpenSSL for testing purposes only, but remove it from the "can downgrade to this cipher" list.

The fun fact about this is that it's the US Government's fault, and maybe the NSA's fault as well. The 90s had a lot of criticism on the ban on strong crypto export, and we all knew that was going to come back to bite 'em down the road.

2
0
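What the `openssl s_client -cipher EXPORT` one-liner above does, written out as a handshake so the record and ServerHello bytes are visible: offer only the EXPORT-grade suites (plus, optionally, the RC4 and 3DES ones the poster also disables) in a TLS 1.0 ClientHello and read which suite the server picks. This also covers the earlier point in the FREAK-on-Windows thread that TLS 1.x alone does not turn EXPORT suites off: a server answering a TLS 1.0+ hello with `TLS_RSA_EXPORT_WITH_RC4_40_MD5` (OpenSSL's `EXP-RC4-MD5`) is exactly that case. This is an added example using only the Python standard library, not code from the post or from OpenSSL; the suite numbers are the IANA registry values, and `probe()` is my wrapper name. No extensions (SNI etc.) are sent, which is fine for the old-style servers this test targets.

```python
"""Offer only EXPORT-grade suites in a TLS 1.0 ClientHello and report what the server picks."""
import os
import socket
import struct

# IANA cipher suite IDs (registry values; the OpenSSL names are in the comments).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",         # EXP-RC4-MD5
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",     # EXP-RC2-CBC-MD5
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",      # EXP-DES-CBC-SHA
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",  # EXP-EDH-DSS-DES-CBC-SHA
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",  # EXP-EDH-RSA-DES-CBC-SHA
}
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",               # RC4-MD5
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",               # RC4-SHA
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # DES-CBC3-SHA
}


def build_client_hello(suites, version=(3, 1)):
    """A TLS record carrying a bare ClientHello (no extensions) for the given suites."""
    body = bytes(version) + os.urandom(32) + b"\x00"   # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return the cipher suite chosen in a ServerHello, or None if the server sent an alert
    (handshake_failure is the healthy answer) or anything that is not a ServerHello."""
    if len(data) < 6:
        return None
    ctype = data[0]
    if ctype == 0x15:                  # alert record: nothing was negotiated
        return None
    if ctype != 0x16 or data[5] != 0x02:   # not a handshake record / not a ServerHello
        return None
    p = 5 + 4 + 2 + 32                 # record header, handshake header, server_version, random
    sid_len = data[p]
    p += 1 + sid_len                   # skip session id
    if p + 2 > len(data):
        return None
    return struct.unpack("!H", data[p:p + 2])[0]


def classify(chosen):
    """Human-readable verdict for the negotiated suite."""
    if chosen is None:
        return "refused"
    if chosen in EXPORT_SUITES:
        return "EXPORT: " + EXPORT_SUITES[chosen]
    if chosen in WEAK_SUITES:
        return "weak: " + WEAK_SUITES[chosen]
    return "other: 0x%04x" % chosen


def probe(host, port=443, suites=tuple(EXPORT_SUITES), timeout=5):
    """Live check (my wrapper): connect, offer only `suites`, report what the server negotiates."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(suites))
        return classify(parse_server_response(s.recv(4096)))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.my.site.with.ssl.com"
    print(host, "->", probe(host))
    print(host, "RC4/3DES ->", probe(host, suites=tuple(WEAK_SUITES)))
```

A server that is configured the way the poster recommends answers both probes with an alert and `classify()` returns "refused"; anything starting with "EXPORT:" is the FREAK-relevant finding, and "weak:" is the RC4/3DES case the post says to disable alongside it.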
Daniel B.
Silver badge
Boffin

Re: Ouch....sorry this is going to hurt.

Internet Explorer on Windows phone is NOT vulnerable.

Sorry for any embarrassment caused.

Blackberry OS 6 here, NOT vulnerable as well. Looks like I'm being vindicated about saying that BBOS was more secure than the popular stuff.

1
0

Net neutrality secrecy: No one knows what the FCC approved (BUT Google has a good idea)

Daniel B.
Silver badge

Re: GOPtards are already at it

Um... Tom Wheeler was also a "Big O" appointee, and he was all for allowing ISPs to charge extortion fees against content providers. It wasn't Obama who forced his hand, it was the general public. You know, US citizens, the ones that actually vote people into office. In fact, Wheeler was mostly seen as an odd choice for FCC chairman as he has been mostly associated with cableco lobbying groups.

No they don't deserve to be regulated. They BUILT the internet, the government is stealing it from them.

Nope, DARPA built the internet. If it weren't for ARPANet and NSFNet, there wouldn't even be an internet in the first place.

3
0
Daniel B.
Silver badge
Boffin

GOPtards are already at it

Now they're claiming "OMG now internet is going to get higher taxes, thanks Obama!" which shows how stupid the rightwingers are now. It's the FCC, not Obama, the one passing Net Neutrality rules.

And really, the telcos brought it up on themselves by challenging the Open Internet rules. They deserve to get regulated.

4
3
Daniel B.
Silver badge
Go

Nice

It seems that the Big Bad Telco/Cable operators are mad at this.

Which means it's probably good. Hopefully the FCC will be able to strongarm telcos into submission this time around.

4
1

'Lenovo, Superfish put smut on my system' – class-action lawsuit

Daniel B.
Silver badge
FAIL

I'd rather have a slow I/O OS that lets me do my job quickly, than a fast I/O OS that makes me spend 3x the time doing my daily work.

Of course, I chose neither: I jumped to OSX when all laptops turned into "Windows 8 or bust". Well played MS, I chose bust.

0
1
Daniel B.
Silver badge
Stop

Re: This is why

Or be nice and send out an SSD with a clean Win8.1 on it, thereby giving customers a nice present for their trouble.

Giving Windows 8.1 is the opposite of a nice present. Better off with Windows 7, or a nice Linux distro. But not Windows 8.x.

2
0

Crims zapped mobes, slabs we collared for evidence, wail cops

Daniel B.
Silver badge
Boffin

If a phone finds a wifi signal it can connect to, that could also trigger a self-destruct.

Only if the phone had WiFi activated when it was taken away, and even then only if the phone can find a WiFi network that was previously added to its list of known WiFi networks.

1
0
Daniel B.
Silver badge
Boffin

Re: 1) remove battery (or turn the device off until you can get it to the lab)

I thought the anti-theft signal didn't care about SIM? If it does, then yeah, that'll work too.

It doesn't care about SIM, but it can't register with the mobile network without a SIM (it could do it with a different SIM card, or if it has WiFi enabled and registers with a known WiFi network.)

Crypto is not much of a hurdle against most people, because most smartphone users are security-stupid and will use 4-digit PINs or that annoying "secure" figure-point thingy instead of a really secure password. 4-digit PINs should be crackable within an hour, maybe less.

1
0

Linux clockpocalypse in 2038 is looming and there's no 'serious plan'

Daniel B.
Silver badge
Facepalm

Re: Answered years ago!

Processes do need microsecond precision. You fail at UNIX. Or OSes in general.

0
0

Man the HARPOONS: YOU can EASILY SLAY ad-scumware Superfish

Daniel B.
Silver badge
Boffin

Re: jail for superfraud

They are like the American version of Phorm (but far worse)

Yes, this is basically what Superfish is, only on steroids as Phorm would've been unable to tap into SSL connections. I was actually reminded of Phorm when this news broke out...

6
0

So long, Lenovo, and no thanks for all the super-creepy Superfish

Daniel B.
Silver badge
Alert

lolwut? Apple weren't even validating SSL certs, arguably an even worse situation for the end-user.

And yet, they issued an actual fix for that pretty quickly. Fixing the goto fail issue involved downloading the most recent update, while fixing SuperFish requires at least two actions, with at least one requiring the user to do advanced stuff (removing a root CA) by themselves.

0
0
Daniel B.
Silver badge
Joke

Re: How not to do asymmetric key cryptography

But ... but... it's a PKCS8 protected by encryption! By a password!

And we stored the PEM file with the strings in reverse order so nobody will be able to read them even if they find them!

1
0
Daniel B.
Silver badge

Re: Cue the ClassAction lawsuits in 3... 2... 1...

California USA is already "sue happy" with regards to shit as lowball as being served a cup of hot coffee from McDonalds

Bad example for a frivolous lawsuit; coffee so hot that it causes third-degree burns is a real hazard.

17
6
Daniel B.
Silver badge
Boffin

Re: the fire rises

Maybe ASUS. But Acer isn't going to see my money, I got burned enough back in 2011 with crappy Acer laptops. Nevermore!

Still, neither will see my money as long as they sell Win8-only laptops. I'm not going to pay for the worst MS OS ever conceived.

14
4

Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher

Daniel B.
Silver badge
Boffin

Re: IT IS THE SAME ONE IN ALL CASES??

It's actually an ongoing thing. Like an STD, it's the gift that keeps on giving.

The news broke early today about the SuperFish thing, to someone ripping up the malware and finding that the fake CA was embedded within the installed program, to the discovery that the password was easily guessable (and related to another product that does a similar thing), to confirmation that all SuperFish installs use the same public/private key combinations.

Someone at Lenovo is definitely having a very bad day.

3
0
Daniel B.
Silver badge
Mushroom

Re: SSL Certificate now public

IT IS THE SAME ONE IN ALL CASES??

It seems to indeed be the case. The password protecting the PKCS8 Private Key package is the name for another product that does MITM stuff "to protect your children", the Private Key is part of the actual .exe and is extracted from the program's memory, it's in PEM format, so I'm pretty sure it is the same one for everyone.

Hell, you don't even need to extract the key, there's a screenshot showing modulus, publicExponent, privateExponent, prime1 and prime2 out there. The horse has bolted. Someone will get burned.

Bad Lenovo! Bad Boy!

5
0
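Why a screenshot of modulus, publicExponent, privateExponent, prime1 and prime2 means "the horse has bolted": those fields are the whole private key, and even a subset of them is enough to rebuild the rest and sign as that CA. This is an added example, not code from the post, from Lenovo or from Superfish; it uses only the Python standard library and deliberately tiny, constructed primes (labelled as such) so the arithmetic is visible. It is textbook RSA without padding, so it shows the key recovery, not a production signing routine.

```python
"""Rebuild a working RSA private key from the fields a PKCS#1 dump exposes (toy-sized numbers)."""
from math import gcd


def recover_private_exponent(e, p, q):
    """privateExponent from publicExponent and the two primes: d = e^-1 mod lcm(p-1, q-1).
    Once prime1 and prime2 are known, nothing else in the dump is needed."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)


def other_prime(n, p):
    """Even one leaked prime plus the public modulus gives the other one."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    return n // p


def sign(m, d, n):
    """Textbook RSA signature (no padding) on an integer message."""
    return pow(m, d, n)


def verify(m, sig, e, n):
    """Anyone holding the public half (modulus, publicExponent) can check the signature."""
    return pow(sig, e, n) == m


# Constructed toy values standing in for prime1, prime2 and publicExponent; real keys are
# 2048-bit, but the recovery steps are identical.
P, Q, E = 61, 53, 17
N = P * Q


def demo():
    """Recover d from the leaked fields, sign a message, and confirm it verifies."""
    d = recover_private_exponent(E, P, Q)
    sig = sign(65, d, N)
    return d, sig, verify(65, sig, E, N)


if __name__ == "__main__":
    d, sig, ok = demo()
    print("recovered d =", d, "signature =", sig, "verifies:", ok)
    print("prime2 from prime1 alone:", other_prime(N, P))
```

The practical consequence for the Superfish case described above is that revoking or deleting the root CA from each machine is the only fix; rotating the password on the PKCS#8 blob does nothing once the parameters themselves are public.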

Regin super-malware has Five Eyes fingerprints all over it says Kaspersky

Daniel B.
Silver badge
Black Helicopters

Five Eyes

There seems to be a lot of comic book humor within the national intelligence services. "Five Eyes" is the kind of name you'd expect to see for a James Bond supervillain convention or a Marvel nemesis alliance. It would blend in nicely with Iron Man's "Twelve Rings". Maybe that one's real as w--%$%&·$%/·$%&·$%&·

NO CARRIER

1
0

Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware

Daniel B.
Silver badge
Facepalm

Phishing paradise

Now all phishers have to do is to strike Superfish and make it reroute requests to e-banking sites into their own sites and nobody would find out until it's too late.

Way to go, Lenovo!

1
0

Hackers break the bank to the tune of $300 MEEELLION

Daniel B.
Silver badge
Boffin

Malware?

Interesting that plain old malware would give hackers access to sensitive banking systems. Maybe those banks are relying too much on Windows? Either that, or they targeted banks with really bad security systems ... or both things.

And even with lax security, I'm amazed that daily reconciliation didn't catch up with this. Because most of the "hacking cases" I've known about are caught by this, and the would-be rich hackers will instead end up in jail when they try to withdraw their iffy funds.

0
0

Vint Cerf: Everything we do will be ERASED! You can't even find last 2 times I said this

Daniel B.
Silver badge
Boffin

Re: Turtles all the way down?

It's not the media the data is stored on that he's worried about, it's the format it's stored in. When we switch to binary encoding, bits don't have the nice fixed meaning that letters on a page do. Instead we assign meaning to large collections of bits. If we forget how we've done that, then we're unable to recover the meaning from the data.

The fun thing about this is that he's talking about this now, when the issue has been very well known in the IT world for quite some time now. Even my dad, who isn't in the IT world, already knows about this. Why? Because the following things are no longer readable:

His probability programs written in college, which are stored in a big-ass magnetic tape roll. We don't even know which format the files are in.

His PhD thesis, which was written in either Aldus PageMaker 1.0, 2.0 or 3.0 and is stored in a lot of 3.5" floppies. And they're all in HFS Mac format. Extracting that data requires getting at least PageMaker 2.0, 3.0 and 4.0 to get them up to a point where we might extract that data into a Windows PageMaker version, a PPC Mac or a Snow Leopard-toting Intel Mac that would be able to run PageMaker.

All my Commodore 64 programs and data.

All the stuff we stored in Jasmine Removable 45 HDDs.

All the stuff we stored in MDS88 Removable HDDs.

All the stuff stored in iomega Jaz or ZIP drives. (Fortunately, I had a wee bit of foresight on this, so I managed to rescue most of my ZIP cartridge data before I was no longer able to read 'em. No such luck for my dad.)

I'm pretty sure that anyone who got into the whole "computers" thingy back in the 80s like me has already lost something to the "digital dark age" by now.

5
0

Microsoft: Oh, go on, Xbox Live user. Show us your spammer

Daniel B.
Silver badge
Mushroom

Re: "But for now friends/my profile/privacy/custom and check friends only"

It's probably because we're smack in the middle of the weekend, and the usual commentards are probably somewhere else. The MS shilltards are however always here, in full force.

1
1
Daniel B.
Silver badge
Go

Re: Simple solution...

Don't buy or use an inferior console. I have had ZERO spam messages on my Playstation. Not a single one.

This is also true for PS3. I simply haven't seen any spam in the 7 years I've owned a PS3. It's probably because PSN accounts are created from the PS3/PS4 devices, so that probably cuts back on spammers' ability to create fake accounts.

1
0

In praise of China’s CROONING censors: Company songs NOW!

Daniel B.
Silver badge

The company song!

The company song/hymn is pretty much alive and well. The difference seems to be on the company itself promoting it or not. Back when I worked at a certain bank, the "hold music" was an instrumental version of that song... in my country. If you had the "pleasure" of calling a certain South American branch, the hold music was the actual anthem, sung by an actual singer and in some other country it even had a kid chorus singing it as well!

Forget suffering your corporate song during company events; some people in South America hear it every time they're put on hold!

0
0

ARM grabs Dutch 'SSL of Things' biz Offspark

Daniel B.
Silver badge
Boffin

Re: Not too happy about this :/

I don't think they are going to implement the entire PolarSSL stack on hardware; they're probably just adding hardware acceleration on the specific ciphers like AES.

0
0

City broadband ISPs: PLEEEEASE don't do 'Title II' net neutrality

Daniel B.
Silver badge

Legislation

The problem with legislation on this topic is that both legislative bodies are now controlled by the GOP. GOPsters hate Net Neutrality and thus won't bring up any new legislation that would enshrine that. So the only option seems to be Title II, even if it does suck as a solution.

3
2

You'll NEVER guess who has bought I Taught Taylor Swift How To Give Head dot-com

Daniel B.
Silver badge
Trollface

Re: Asking for trouble...

No, they haven't thought it out well. I have found at least two possible trollish domains. Hell, maybe someone will buy 'em just for shits and giggles...

2
0
Daniel B.
Silver badge
Trollface

Re: Taylor Swift?

I was actually going to ask, "who's she?" but it seems it's one of those dudes with a girl's name...

0
3

Net neutrality: Someone WILL sue. So will the FCC's rules hold up?

Daniel B.
Silver badge

Re: FCC is Not The Answer

Actually, most of the internet has been for this regulation ever since ISPs started engaging in bad practices. It does seem that this started around the time when ISPs started collapsing into only a handful of companies, many of which have a monopoly in their coverage area. ISPs must be forced to give the level of service they are offering (do not lie to your customers) and they must only charge for transfer rates asked by the client. No double-dipping allowed. And that requires regulation!

3
1

LOOK OUT - it's a GOOBER! Google's über-Uber robo apptaxi ploy

Daniel B.
Silver badge

Re: I'd be more shocked

Actually I'm surprised trucks aren't an area they're exploring more directly. It seems like a specific scenario especially well suited to automation, with pre-planned routes predominantly on 'easy' roads.

Ahhhh, instead of Stephen King's Christine, you're going for "Trucks"?

0
0

Enough is ENOUGH: It's time to flush Flash back to where it came from – Hell

Daniel B.
Silver badge
Boffin

Java

Java is probably the one language/platform that should (theoretically) be ready for distributed application deployments. They have all the stuff for clientside, serverside, and client/server support with a robust middleware tier for complex stuff. The problem has been that for many years, Java was seen as "slow" and "unsexy", so many web devs have jumped into other stuff, or use JS to fill the gaps. So we probably will need something as good as Java, but without the security issue stigma that Java got. Ideally I'd propose Java, but I doubt people will want it as the main option for this, given its reputation.

0
0
Daniel B.
Silver badge
Boffin

Re: Plugins are actually the symptom, not the root problem

Indeed. People advocating for the ultimate quash of plugins are missing the point: the WWW itself was not intended to carry dynamic content at all. HTML has had a lot of stuff hacked in, from the hideous JavaScript to CSS and a lot of bloatware on top of that (AJAX! JSON!) to the point where JavaScript stuff has grown into being the same kind of bloatware that plugins have been anyway. There are sites which will make my smartphone hot just because of the crappy JavaScript stuff running in the background.

Plugins were made to add native programming functionality into websites, which can be good (Java), can be iffy (Flash), or can be downright hideous (ActiveX). The needs aren't going to go away just by banning plugins. Ideally we would have something better replace the WWW itself for "web app" stuff, but at the moment we have to work with what we have.

2
0

BYOD is NOT the Next Biggest Thing™: Bring me Ye Olde Lappetoppe

Daniel B.
Silver badge
Boffin

Re: "secure" WiFi, "greynet"? It depends.

Keep it simple: 1) Mandate VPN connections for all External access; 2) Define WiFi as External.

If I had complete control over IT infrastructure, that would be exactly how I would define WiFi. In fact, one of the bigger banks I've worked at had this policy, and in addition to this they have their WiFi restricted to "authorized users only". It's kind of funny, because you have to jump over far more hoops just to get WiFi access, and it still requires VPN access to the real good stuff, while Ethernet access is only a matter of raising a support ticket. You get plugged in in 24 hours, tops. WiFi access there will require C-level signatures, it's incredibly stupid!

0
0
Daniel B.
Silver badge
Boffin

It depends.

It depends on what the WiFi at the organization is. Any company with a competent IT Security Division that actually listens to their Security bods will have the WiFi network separated from the main network. WiFi is for guests, mobile devices, and will have unrestricted access to the Internet. Only company-issued devices should have WiFi access to the "secure" network, and even then the "secure" WiFi should be a separate "greynet". If possible, have the secure devices connect to the main network via VPN to avoid wifi sniffing.

1
0

Does your mate send smut vids on Facebook? 1. That's a bit weird. 2. It may be malware

Daniel B.
Silver badge

Ah yes

This thing has been spamming FB everywhere. It spams about some "breaking news" involving some smut video. It's annoying, as it spams FB groups as well.

0
0

Cuddly robots, whipsmart laughs and plenty of heart in Big Hero 6

Daniel B.
Silver badge

Re: 2problematic4me

To be honest, Japanese anime also has all their characters round-eyed. San Fransokyo is probably inspired out of some cyberpunk works where Japan takes over San Francisco and the resulting cultural merge. Maybe the author of that particular article is reading too much into it?

3
0

'Revenge porn' bully told not to post people's nude pics online. That's it. That's his punishment

Daniel B.
Silver badge
Mushroom

Re: What I do not understand..

He hasn't been charged with extortion ... yet.

That's why they're saying that even after the out-of-court settlement with the FTC, he's still open to legal action from the victims themselves. It's entirely possible that each of his victims will bring up blackmail charges against him. Hell, it might even fall under RICO. And I'm betting that at least one of them will do it, especially the ones that were asked for the $$$ to take down those pics. They might even do it just for the lulz ... or at least, as a warning to others.

5
0

FCC hits pause on Comcast-TWC gobble AGAIN

Daniel B.
Silver badge
Boffin

Everyone knows the answer, FCC.

Don't allow it. Cable co's are already awful as it is.

Or do allow it, but impose the common carrier requirement upon their data pipes if they merge.

1
0

FCC sexes up, er, sextuples 'broadband' speed to 25Mbps in US

Daniel B.
Silver badge
Boffin

It doesn't matter what word they use...

You're missing the point about redefining broadband. The real meat is in this:

The FCC is obliged to produce an annual report on broadband deployment and is authorized to take "immediate action" if it feels that is not happening "in a reasonable and timely fashion."

This means that even if Verizon, Comcast/TWC or MegaShaft Internet Services decides to call their inferior options "narrowband" or whatever, if they still don't meet the FCC broadband standards, the FCC can actually intervene and speed up things. By doing things like breaking municipal monopoly contracts or challenging those iffy laws banning municipal broadband efforts.

Eventually, either the big telcos or cable companies crank up their broadband speeds, or they let someone else do it.

It's awesome. The FCC seems to have grown a pair.

8
0

Five years of Sun software under Oracle: Were the critics right?

Daniel B.
Silver badge
Boffin

Re: Chalk and cheese

Yes, it is sad but true. One of my previous jobs was at a consulting company where pretty much everyone was an ex-Sun employee. All of them left after the Oracle takeover, and they all left for the same reason: once Oracle took over, they were relegated to second-class citizens in the corporate ladder.

Sad, because from what they've told me, Sun was a place where I would've loved working. Alas, it's long dead.

3
0