* Posts by Flocke Kroes

1466 posts • joined 19 Oct 2007

Astroboffins perplexed by QUADRUPLE QUASAR CLUSTER find

Flocke Kroes
Silver badge

If you want to believe things, pick a religion

In science, the test of truth is an experiment. Newton's laws of motion were an excellent theory confirmed by every test up until the orbit of Uranus. The difference between the real orbit of Uranus and the one expected from Newton's laws could be explained by the existence of another planet. This planet - Neptune - was found. When a theory makes predictions that turn out to be true, it is a useful theory. It is tempting to talk of the theory as being true, but that is a lazy simplification so that non-scientists don't stop listening when the sentences become long and complicated.

A few years after the discovery of Neptune, the orbit of Mercury was found not to fit perfectly with the predictions from Newton's Laws. Scientists knew the drill, and started calculating an orbit for Vulcan to explain the differences. Vulcan was never found. At some point, scientists should have accepted the absence of Vulcan proved Newton's laws of motion and his theory of gravity were wrong. Someone with a better knowledge of history and modern hind-sight might be able to put a date on that. In the mean time:

Sound waves are travelling changes in air density/pressure. Ocean waves are travelling changes in water depth/speed. Seismic waves are travelling changes in rock position/velocity. Take away the air/water/rock and the waves cannot travel. Light waves are travelling changes in the electric/magnetic field of erm, err ... luminiferous aether. Take away the aether, and light cannot travel. A vacuum pump cannot suck luminiferous aether out of a bottle. Light waves can travel through the vacuum between galaxies.

Michelson and Morley saw this as an opportunity to discover the grand universal system of co-ordinates. They devised and experiment to measure the velocity of Earth through the aether. They got the answer 0. They waited twelve hours for Earth's spin to get the velocity of their equipment in a different direction, measured again and got 0. Months later, with the Earth's orbit taking the lab in a new direction, the velocity of Earth was zero compared to that of the aether.

At this point scientists could have proudly proclaimed they had _proved_ that the Earth was the centre of the universe, and everything rotated around us. The enormous centrifugal force on distant galaxies was countered by erm, err ... magic. Luckily, hammered in the face by experimental evidence, the theories of luminiferous aether and the grand universal system of co-ordinates were shoved in the dustbin and replaced by special relativity.

Newtons laws of motion are wrong. They make excellent predictions for low velocities, but get worse and worse as velocity increases and are completely useless near the speed of light. Likewise Newton's law of gravity is completely wrong. It gives good results for the gravitational field of a planet that start to go a bit wonky near a star. When you get really strong gravitational fields near a neutron star or black hole, you need general relativity to calculate what happens.

As I am a scientist, I would love to test climatology with an experiment. All I need is a million copies of Earth, and to be dictator of all of them for a few centuries. I would impose different carbon emission limits on each planet and draw some graphs showing how carbon emissions relate to climate. Anyone willing to provide a grant to fund my experiment?

Without such an experiment, I am happy to reduce carbon emissions as a precaution against the possible effects predicted by simulations. Statements about inevitable doom based on climate _simulations_ wind me up. Luckily, certainty is not required as there are excellent reasons not to be completely dependent on fossil fuels that have nothing to do with the climate. Lets build a few windmills where they are cost effective, put in solar panels where the sun shines and build a pile of nuclear power stations so we do not need to burn mountains of coal, oil and gas bought at enormous expense from countries where we are not entirely popular.

It would be nice if people's attention span could last long enough for 'this theory has not yet been proved wrong'. Until then, I am going to have to put up with 'this theory is true'. It would be great if climatology were a science based on experiments instead of simulation. No-one can afford the experiments. It would be astounding if the UK adopted an energy policy that actually added up but if we cannot have that aren't we lucky that anyone mentioning the problem online can be silenced by the state?

13
1

BUZZKILL. Honeybees are dying in DROVES - and here's a reason why

Flocke Kroes
Silver badge

@T. F. M. Reader

I have heard 'Honey bees are going extinct' stories for decades. For years cell phones were blamed, then pesticides. Very occasionally, an article is actually based on some research. Real data fingered a combination of mites, pesticide and a fungus as a likely culprit. Have fun looking for some real research hidden in the dross.

4
3

BONKERS apocalyptic WAR WAGONS circle Vulture South

Flocke Kroes
Silver badge

A title is not required

Looks like Simon Sharwood left some debris in place from his previous article.

1
0

NSA spying is illegal? Then let's make it law, say Republicans

Flocke Kroes
Silver badge

Institutions seek to preserve the problems they were created to solve

Stopping the next tourist attack is completely against the NSA's interests. A big bomb blast is something they can point at when they demand their next budget increase. Imagine how much dirt you could dig up on politicians with a $50billion budget. If there was any danger of the NSA's senior management being found guilty, politicians all over the country would leap up to change the law for them.

16
0

Plod wants your PC? Brick it with a USB stick BEFORE they probe it

Flocke Kroes
Silver badge

Destroying the contents is no good in the UK

If I send you a file full of random numbers, and the police demand you decrypt it, you are going to prison for up to five years. The fact that you cannot 'decrypt' the random numbers does not matter. If you want to keep a secret, you have to destroy the _device_ before they can copy it.

10
1

Ransomware scum find the sweet spot to coin it without copping it

Flocke Kroes
Silver badge

This one-off payment to decrypt data...

... is it annual or monthly?

1
0

US hospitals to treat medical device malware with AC power probes

Flocke Kroes
Silver badge

What's the problem?

I cheeked those weirds with the Grauniad Smell Chequer, and their awl perfectly cromulent.

7
0

Stuff your RFID card, just let me through the damn door!

Flocke Kroes
Silver badge

Re: Amalgamated Durables

Amalgamated Durables dissolved last year. Inspired by this near miss, I found 3x Omni Consumer Products, 35x Universal Exports and 314 Ubrella's, but no Weyland Yutani. The Tyrell Corporation could be an ISP in Kansas, but I could not find their web site.

Got to run... the Mighty Jagrafess of the Holy Hadrojassic Maxarodenfoe is getting impatient.

3
1

You! GOOGLE! HAND OVER the special SAUCE, says Senate (of France)

Flocke Kroes
Silver badge

Just tried googling "search engine"

I got links to Wakipedia, DuckDuckGo, Bing, ixquick, ... and freefind.

If we try the same elsewhere:

Wakipedia tells me about search engines and has links to the Wakipedia pages for each of the major ones.

DuckDuckGo links to Wakipedia, Dogpile, Google, DuckDuckGo, Bing, Yahoo, ixquick and webcrawler.

Bing links to ixquick, Dogpile, Wakipedia, freefind, DuckDuckGo, ..., Google.

ixquick shows freefind, ........., Google, ..., ixquick, Wakipedia, ..., and Yahoo.

freefind wanted an e-mail address.

Dogpile won't give results without javascript.

Yahoo links to Wakipedia, Dogpile, Google, ..., Bing, DuckDuckGo, Yahoo, ixquick and webcrawler.

webcrawler won't give results without javascript.

So, most search engines do not put themselves first or even on the first page. For three of these nine, I want my money back - but as I paid nothing to any of them, all of them gave me a full refund without any hassle.

Anyone want to try this in French?

7
0

Someone PLEASE stop patent trolls' stroking their favorite tool, cries Google and friends

Flocke Kroes
Silver badge

An expensive purchase gives rights to demand money?

I paid a million for a boat load of dog pooh. Everyone should pay me £100/week for not shoving some through their letter box.

3
2

Need speed? Then PCIe it is – server power without the politics

Flocke Kroes
Silver badge

USB Ports/Interfaces

Port: something you can pug a cable into

Interface: some silicon the multiplexer connects to one or more ports.

Type lsusb (or whetever the MS equivalent is) and the result starts something like this:

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

So, this computer has one USB2 interface, and 4 USB1 interfaces. When you connect USB1 devices to ports, each one gets assigned a USB1 interface by the port multiplexer until there are none left, then any further USB1 devices share the USB2 interface, trashing its bandwidth. Likewise, USB2 devices get assigned there own USB2 interface until there are none left, and then they have to share the same interface.

USB3 is a bit more troublesome. Computers come with separate USB2 and USB3 ports. I do not know if the multiplexer can assign a USB2 interface to a USB3 port. USB3 devices understand USB2, and will work slowly on USB2 ports. USB3 ports can speak USB2 or 1 to slow devices. A modern machine may have a few USB2 interfaces, but only one USB3 interface - even if it has two or even three USB3 ports. USB3 eats up to 10Gb/s per interface (5Gb/s x full duplex), regardless of the number of ports. If the south bridge is limited to 20Gb/s, I can see why people are not rushing to release chips with two or more USB3 interfaces.

0
0

Marvell: We don't want to pay this $1.5bn patent bill because, cripes, it's way too much

Flocke Kroes
Silver badge

Re: But did they...

Back then:

Marvell said that they did look at the patents, but that it was impractical to implement the design in silicon, so they did something else instead.

Patent quality is generally so pathetic that this is very believable, but I have no idea what is actually true.

1
0

Tape thrives at the margin as shipped capacity breaks record

Flocke Kroes
Silver badge

WTFusebox?

"thereby saving 15-20 kilowatts per hour for each PB that’s not on disk."

A 3½" hard disk is about 10 Watts. If we assume modest 2TB disks and mirroring, that is 10 Watts per TB or 10kW per PB. Add in RAID controllers and switches and you could get to 15-20kW/PB - if you spin all the disks all the time.

Where does that "per hour" come from? I could understand 15kWh/hour/PB. If killowatthours per hour sound stupid, there is a reason. Just cancel out the hours. The Register does not have a simple unit of power, but one can be constructed by multiplying force by velocity: Norris ⨉ (Percentage of maximum velocity of sheep in a vacuum). Like many units in physics, two things multiplied together. Units do not have to be something per something else.

3
0

GLOWING TAMPONS hold the key to ending pollution

Flocke Kroes
Silver badge

Re: Why use tampons?

Wild guesses:

Almost everything contains fluorescors. Tampons might be one of the few things that don't.

The concentration in fluorescors in river water could be too low to detect with cheap equipment.

Washing powders include fluorescors to make your shirts look whiter. If the fluorescor simply rinsed out, it would not be of any use. I assume they include one that binds to cotton.

If my three guesses are correct, tampons concentrate fluorescors to the point where they become easily detectable with cheap portable equipment.

6
0

Helium-filled drive tech floats to top of HGST heap

Flocke Kroes
Silver badge

Sure about that?

Helium can be forced to form a few compounds, including He2. In real life, I doubt you would find any in a hard disk.

0
0

Blighty's 12-sided quid to feature schoolboy's posterior

Flocke Kroes
Silver badge

Re: security chip???

It is a secret. The Royal Mint's explanatory web pages and video say it is excellent, but does not give a word of detail. So if you get an ISIS coin, you can tell it is genuine because ... err ... erm ... well you cannot tell it is genuine because all the new security features are secret. I assume the security features are like the emperor's new clothes - if you cannot see them you are not fit for your job.

0
2

Ping-pong sueballs: Bankruptcy dogs LightSquared's chances

Flocke Kroes
Silver badge

According to Lightsquared...

Lightsquared and GPS use different frequencies - but they are close to each other. GPS receivers should filter out frequencies not used for GPS, and be immune to Lightsquared's transmissions. In real life, GPS manufacturers used cheap filters that let enough of Lightsquared's signals through to cause confusion.

Lightsquared think this is not their fault, so GPS manufacturers should use better filters and everyone should buy new receivers. The FCC say that Lightsquared's license is dependent on their signals not effecting GPS - even though GPS receivers should use better filters. Lightsquared became a litigation company specialising in suing the FCC.

The real purpose of chapter 11 is to keep the creditors at bay while lawyers transfer the company's remaining assets to each other. This can go horribly wrong if the largest creditors agree to form a committee to run the company in chapter 11.

0
2

A gold MacBook with just ONE USB port? Apple, you're DRUNK

Flocke Kroes
Silver badge

Use cases

1) Handed some data on a USB flash key. Cheap laptop: plug it in. New Mac: need to carry an adapter.

2) Handed some data on an SDHC card. Cheap laptop: plug it in. New Mac: need to carry an adapter.

3) Need a fast network connection. Cheap laptop: plug it in. New Mac: need to carry an adapter.

4) Device gets broken or nicked. Cheap laptop: can replace screen or whole device for a pittance. New Mac: ouch.

There are some cool things that could be done with USB C. The charger could be a USB hub with an HDMI socket, ethernet port and SDHC slots. Apple have taken care to let their customers pay extra for the benefits of USB C, but that seems to be what their customers want: "Look! My computer is more expensive, shiny and fragile than yours!"

17
4

UK.gov in pre-election 'Google tax' blitz against internet firms

Flocke Kroes
Silver badge

Check it out

Here is the dr̷aft law.

Overview of legislation in draft: 226 pages

Draft clauses and explanatory notes for Finance Bill 2015: 552 pages

Some UK MP's can read a page or two. I am sure nearly two of the 650 can read five pages. If you want to find someone who can read and understand all 552 pages, try asking a Micrappoogle accountant. One of them probably wrote it, and made it that long to hide a dozen loopholes.

The good news is that as the MPs are wasting so much time and effort on something that will achieve nothing, they should be too distracted to do anything more damaging.

10
0

OK, they're not ROBOT BUTLERS, but Internet of Home 'Things' are getting smarter

Flocke Kroes
Silver badge

Re: Cheaper power

Which lies have you heard about your 'free' smart meter?

'It will only cost an extra £20 on your bill.'

'Your bill will only go up by £20 per year.'

'It will only increase you bill by £20 for the fist year, £40 for the second and £60 for the third.'

The staged increases in electricity bills have already been approved to cover the cost and installation of smart meters. There is no requirement that bills should go back down afterwards. I am looking forward to MPs getting an e-mail like this:

I pwn your smart meter. I will let you have power between 12:00 and 13:00. If you want power for a whole month, send me a bitcoin.

5
0

Give biometrics the FINGER: Horror tales from the ENCRYPT

Flocke Kroes
Silver badge

More recently

Jason Bourne records a phone conversation with Noah Bosun, and plays back the first two words (Noah Bosun) to Noah's safe. The safe opens and is full of incriminating evidence.

Years ago, early attempts at speech recognition (understanding what was said) succeeded at voice recognition (identifying who is speaking). I could say 'Help! Help! He has a gun!' and voice recognition would happily allow access to my account. Someone can do an excellent impression of me saying 'Flock of crows', and get access to his own account.

Finger prints are just as good as voice: they give you a list of account names of people with similar fingers/voices. If you have few enough customers, that list might have only one entry, and you have a useful identification device. Identification (the account name) is not the same as authentication (confirming the user is the owner of the account).

Understanding the difference between voice and speech recognition is beyond the ability of most PHBs. Clearly no-one has yet been able to explain the difference between identification and authentication to a bank manager.

8
0

'Why Digital?' Seriously? You plainly don't Get It enough. Or at all

Flocke Kroes
Silver badge

What happened to มาลัย

Has she been replaced by a digital alternative?

2
0

Top Euro court ends mega ebook VAT slash in France, Luxembourg

Flocke Kroes
Silver badge

@Pensioners keeping warm

I thought pensioners avoided VAT on heating by burning second hand books.

5
0

Boffins say Mars had ocean covering 20 per cent of planet

Flocke Kroes
Silver badge

If you draw Mars with 20% of the surface covered in water

Why are there lots of craters, but no rivers or clouds?

4
1

Samsung-Microsoft deal will bundle Office 365 with Android Knox

Flocke Kroes
Silver badge

Other possibilities ...

1) Look at all these patents. It would be a shame if one of your products faced an injunction. You need protection. Would you like to pre-install Office 365?

2) All our distributors get a contribution towards marketing funds that are a big fraction of the cost of Windows licenses. It would be a shame if you received a much smaller contribution than your competitors. Would you like to pre-install Office 365?

3) Some boiling frogs are so locked into MS Office that they actually like it pre-installed.

11
5

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Flocke Kroes
Silver badge

Re: A Question

Have you got over $100 in your bank account? Is your credit limit over $100? Can you borrow $101 from Wonga?

1
1

SpaceX lofts two all-electric ion-drive comsats to Clarke orbit

Flocke Kroes
Silver badge

The satellite will be over the equator, but will have several directional antennas concentrating signals north or south.

2
0
Flocke Kroes
Silver badge

SpaceX vs Skylon

SpaceX concentrated on minimising R&D cost and time. Last year's prices were $61.5million for 13150Kg to low Earth orbit. After paying off R&D, the launch cost is expected to fall to $1100/Kg assuming recovery of stage 1.

Skylon is a much more challenging design. The budget figures are $12billion R&D, 15000Kg to low Earth orbit for £650/Kg (including R&D). I could not get dates for the prices (probably 2004), so I have not tried to adjust them for inflation. Skylon has not yet received 1% of its R&D budget. If the money appeared tomorrow, the first test flight could be in 2021.

Skylon would have to stay on budget for years to compete against a mature Falcon in 2022. On the other hand, SpaceX could keep their prices near current levels and buy Skylon. Plenty could happen in the next seven years. The Chinese are eating their own dog food, even though it costs more than SpaceX. The EU are looking for ways to cut costs. The US government are looking for ways to increase launch costs and I have no idea what the Russians will do.

2
0

Satellite cannon starts shooting Doves, this time under control

Flocke Kroes
Silver badge

Re: Over tightened screws?

Real quotes from PHBs: "I know how to tighten screw", "Using the torque screwdriver makes me look incompetent" and "Look! I got it to hold together using only two screws!".

2
0

Telly behemoths: Does size matter?

Flocke Kroes
Silver badge

Re: You want a bigger picture?

At 16:9 aspect ratio, a 152" screen + bezel just about fits through a standard EU door without tipping it diagonally. If you have a desk that can take the weight, you must either trim the legs, remove the ceiling or tilt the screen to make it fit.

I have always wanted the screen size to go the other way: a few mm across, with a lens so screens can be a few mm from each eye. So far, I have only seen such screens with low resolutions and high prices.

0
0

Elon Musk plans to plonk urban Hyperloop subsonic tube on California

Flocke Kroes
Silver badge

Re: For a little fella....

Hyperloop is a solar powered transport system that will compete with traffic jams and light aircraft. Anyone would think you wrote you comment without checking your facts.

5
3

MEGA PATENT DUMP! Ericsson, Smartflash blitz Apple: iPhone, iPad menaced by sales block

Flocke Kroes
Silver badge

RE: The wheel

Patent already granted.

0
0

Revival of fortune: Mad Catz Mojo Android gaming micro console

Flocke Kroes
Silver badge

The difference is USB 3

Gigabit ethernet + USB3 is a rare combination on ARMs, and pushes you over half way to the cost of an Intel box. I started reading more carefully when I saw USB3. A quick check of what is available puts Mad Catz Mojo on the short list for when I need a new high spec cheap silent computer.

Recovering a big spinning disk from backup over USB2 should take about 50 hours. Half that if you have 2 USB2 interfaces (most of the time, the hardware is a few USB1 interfaces, a USB2 interface, and a port multiplexer that will assign USB1 interfaces to ports with a USB1 devices attached until it runs out of USB1 interfaces. All the remaining ports share the same USB2 interface). USB3 would be limited by the sustained transfer rate of a spinning disk (~7 hours for a 4TB disk). eSata + an Sata hub should be quick too, if the chips are compatible. (You are lucky to get 1 Sata port on an ARM. I have never seen 2).

USB3 has value, but it is not something I need every day.

0
0

El Reg regains atomic keyring capability

Flocke Kroes
Silver badge

Try lithium deuteride instead

The fission explosion creates a burst of neutrons that smash lithium into tritium and helium. This gets you your fission fuel when you need it without the hassle of trying to store a radioactive cryogenic liquid.

0
0

And the buggiest OS provider award goes to ... APPLE?

Flocke Kroes
Silver badge

Not comparing at all

The purpose of the source article is to demonstrate the importance of keeping up to date with the patches with whatever software you are using. No-one gets to sit back and say "I don't need no steeking patches", no matter what OS they are using. The statistics do point at two important security tips not mentioned in the article: "If you do not need it, do not install it", and "If at all possible, turn it off".

For a proper comparison, you need to know what is being defended, and who it is being defended against. Publicised exploit statistics are not a good source for comparison. I would suggest setting up multiple high value targets with the same budget, regularly pulling the hard disks, comparing the contents to a clean install and seeing which OS survives the longest.

3
0

C’mon Lenovo. Superfish hooked, but Pokki Start Menu still roaming free

Flocke Kroes
Silver badge

Re: Blank box

If you search hard enough, you can find computers with no OS installed. They usually cost more than the same hardware with Windows. Years ago, that was because you were still paying the Microsoft tax even though the software was not installed. These days, crapware can more than pay for the minimum Windows license.

I used to be annoyed by the lack of crapware available for Linux. Now all the crapware in the world cannot bring the price of a new Intel box down to the price of an ARM sufficient to replace a dead desktop.

Superfish's biggest achievement is to educate some noobies about the value of a clean install.

6
0
Flocke Kroes
Silver badge

Re: Installing from scratch now

That distro has been around since 1999.

3
2

OLPC spin-off teases modular 'Infinity' computer

Flocke Kroes
Silver badge

ATX is about 20 years old

Standards can last. I expect that when 7nm becomes mainstream, there will be an ATX motherboard for it.

The big problem with ATX is that almost all customers can keep their old monitor, keyboard and mouse when they 'refresh' (does anyone say 'upgrade' anymore?). Customers able to use a screwdriver can replace the motherboard, CPU, memory, graphics card, power supply, optical disk and hard disk individually as required. The laptop was a great leap forward, requiring a regular purchase of a full set of new components. Modern designs include cases that crack if you try to upgrade the hard disk or memory, glued-in batteries and self destruct when the warranty expires.

Customers with a clue have wanted modular laptops with standard parts for over a decade. The big manufacturers have worked hard never to repeat the mistakes they made with ATX. Sometimes a small player proposes a modular laptop (or phone). All goes well until people see the high price caused by lack of economies of scale and a poor deal on the crapware. It would be great if more customers could appreciate the long term savings available when upgrading only components that matter.

OLPC have been around since 2005. By past performance, I would expect a modular computer in 2017, and an upgrade module in 2020. Some way will be found to avoid providing a machine suitable to large numbers of people in wealthy countries.

5
0

Mozilla mulls Superfish torpedo

Flocke Kroes
Silver badge

I love crapware

Makes the machine cheaper. Even if I was convinced a new computer came with a clean install of the OS of my choice, wiping and installing is required to proove I can restore from backups.

2
8

Shodan boss finds 250,000 routers have common keys

Flocke Kroes
Silver badge

I am Brian and so is my wife

Everyone with one of these routers can find the private key. If the key is not on the internet already it will be soon. Everyone who knows how to set up an ssh server will be able to pretend that their box is one of the 250,000 routers. After they have stolen all the underwear, how to they profit?

0
0
Flocke Kroes
Silver badge

Re: @Dan 55

A public key is the product of two large primes. The corresponding private key is the two primes not multiplied together, but in either order, so there are only two possible private keys. It is almost certain that if two public keys are the same, then so are the private keys. In this case, any competent cracker with physical access to the device can read the unencrypted private key. (In the other case, any cracker able to get the unencrypted private key from the telco could just as easily get every unencrypted private key if they were all different). There is nothing to decrypt here.

If all the keys were different, and I had physical access to Alice's router, I could install my device that can pretend to the telco that it is Alice's router. As all the keys are the same, I cannot do that because the telco knows beyond all possible doubt that the secret key is not secret.

<voice style="John Cleese/Romanes eunt domus">

If understanding this is beyond the ability of the average commentard, imagine the near impossibility of explaining to a PHB why the telco needs to spend money maintaining a database of which customer has which key. If by some fiendishly cunning stratagem you sneak the database into the telco's budget how on earth are you going to explain what is going on to the customer when his router does not have the secret key in the database?

</voice>

0
1
Flocke Kroes
Silver badge

@Dan 55

You are not making any sense. You can try to crack a public key - create the secret key by factorising the public key. You can try to crack an encrypted secret key by guessing the password. Even when I did not know which key this was about, the private key/keys were not encrypted. The challenge is to steal the unencrypted key/keys from where they are stored.

0
0
Flocke Kroes
Silver badge

Found which key it is:

Dropbear's banner tells you the public key used to authenticate the device, so the secret key is on the device. With physical access and a little hacking, you can copy the secret key to some other device. You can put some other device where the router is, and when the telco tries to log in, you can fool them into thinking your device is the router they supplied.

As the same key is used by many routers, if you can get between the telco and someone else's router, you can convince the telco that they are updating the customer's router when they are really talking to yours. This leaves the customer's router with out-of-date software.

Now imagine what changes when every router has its own key. The telco could keep a database of which key belongs to the router of each customer. When they do updates, they can check that they are talking to a device with the right secret key. If they assume someone with physical access to the router did not copy the key to another device, then they can have confidence that they are updating the router in the customer's home and not some man-in-the middle device.

I can easily imagine the majority of ISP's not bothering to maintain the database. Pretend one does, and finds the wrong key where they expect a customer's device. There are plenty of legitimate reasons: mixing up which device went where so the database is wrong. The customer using his own router - and giving the unused one to a friend whose router broke. The customer generated a new key pair, or the NSA are preventing router updates. So the telco knows something is going on. What are they going to do?

Email the customer man in the middle with an explanation of the issue? Phone up the customer and explain what a secret key is?

Is there a genuine threat that could realistically be countered by telling each router to generate its own keys? If all the keys were different, would you assume that your new device is the only place where the secret key is stored?

0
0
Flocke Kroes
Silver badge

Linus's public key on 100000 computers!

If someone finds Linus's secret key, all those computers could be fooled into thinking Linux signed some source code that he didn't! Even worse, type:

gpg --recv-keys 79BE3E4300411886

and you get a copy of Linus's public key, and something similar will get you anyone else's (if they have one). It is almost as if public keys were available to anyone!

The routers have two obvious uses for ssh keys. One use is for authenticating the router - in which case the same secret key is on every router. I could copy that key to another device, and the telco could be fooled into thinking they are talking to any one of their routers when they are really talking to my laptop.

The other use is for remote administration. Each router could have its own key. When the telco does an update, the computer doing the update needs to know the secret key for every router. If a cracker can get one, she can get any or every secret key, so having only one key does not remove any security.

What is the issue here?

1
7

Have YOU got Equation NSAware in your drives? Meh, not really our concern, says EU

Flocke Kroes
Silver badge

The secrets are not in the software

The big secret is to be Western Digital, Seagate or Toshiba. Those are the only drive manufacturers left. The margins on drives are so thin that enormous economies of scale are required to make any profit. The spinning disks market is in its final stage of consolidation. A new player would need to commit running their business at a loss until they can get above 10% of the market and refine their manufacturing process to the same efficiency levels as one of the big two. In real life, a new manufacturer will implode before they have a business worth being crushed and bought out by WD or Seagate.

WD and Seagate could release their firmware under GPL without harming their businesses. The thing is, I am not sure it is their firmware. It certainly used to be a component they bought in - like the controller cards. If this problem gets fixed, it will be by people creating 'The Open Rotating Disk Initiative Obnubilating NSA' for themselves.

1
1

This one weird script continually crashes Android email

Flocke Kroes
Silver badge

That is not a reason to blame the chip makers

If your example is correct, the phone makers should have bought a chip they could control.

Personally, I blame the customers. They should have checked for a cyanogen installer before purchase.

1
7

Lenovo shipped lappies with man-in-the-middle ad/mal/bloatware

Flocke Kroes
Silver badge

may?

"... presents identical and similar product offers that may have lower prices"

In this context is 'may' equivalent to 'almost never'?

7
0

DARPA's 'Cortical Modem' will plug straight into your BRAIN

Flocke Kroes
Silver badge

I was thinking of ...

Did I fall asleep?

0
0

ACHTUNG! Scary Linux system backdoor turns boxes into DDoS droids

Flocke Kroes
Silver badge

To catch this malware ...

The original Russian disclosure says SSH, not SSL, so step one is to install and enable SSH, on a port where people can find it. This is a terrible idea on any machine visible on the internet because the machine will be found and hit with a continuous stream login requests attempting to find an account by brute force. Although this stands no chance of success with even basic precautions, it does waste a little CPU time and lots of network bandwidth. (The most popular way to avoid the network traffic is to set up port knocking.)

Next, you will have to make some changes to /etc/ssh/sshd_config. The one that is definitely required is 'PasswordAuthentication yes' otherwise all attempts to log in with a password will fail (sshd should be set up to require one type of public key authentication, and have all other methods disabled). You can save the crackers some time with 'PermitRootLogin yes'. Without that, the cracker will need to use some sort of privilege escalation - which a competent cracker probably knows. Next you need an account with a password that was not created with a random character generator. If you permitted people to log is as root, make sure you set root's password to a word or two out of the dictionary, swapping i to 1 and o to 0. You can save some network bandwidth by using the most popular pasword: 123456. (Logging in as root should require logging in as an ordinary user, then upgrading to root access).

Next up, this malware requires a bash script in /etc/init.d/ to install itself. The vast majority of them are sh scripts, but I did find a couple of bash scripts. The malware is looking for '#!/bin/bash', which is the way to specify the bash interpreter in Linux. The BSDs require '#! /bin/bash', and Linux accepts that too for compatibility. You can trip up this version 1 installer by adding a space to bash scripts in /etc/init.d/ - if you have any.

The translation of the incident page said something about using a virus scanner to detect infection. I stopped reading at that point because the advice is clearly bollocks. If you installed and configured sshd to use the ssh port and password authentication with a brute forceable root password then you computer will be infected with something that can hide from any virus scanner running on the computer. You might be able to find the malware by pulling out the hard disk, putting it in a USB enclosure, attaching it to a different computer and comparing it to your backup.

I think the biggest barrier to catching this malware is that something more nasty will get in first and close up the configuration errors before everyone and his dog pwns the machine.

35
0

WATCH IT: It's watching you as you WATCH IT (Your Samsung telly is)

Flocke Kroes
Silver badge
Joke

It's for the DRM...

Speech recognition is for working out which words were spoken, but this article is about voice recognition: identifying the speaker. Make sure to create a recording of your voice so you can watch films you purchased even if you catch a cold.

5
2

Forums