993 posts • joined 23 Oct 2007
Just a tip - if you're ever in front of the beak, don't expect them to agree with you ;)
Whether you like it or not, Parliament passes laws which they _can_ punish breaches of (so long as a sufficiently large proportion of the population abides by them - they can't punish us all). Copyright is just one of those laws.
What the musos are asking for is farkin ridiculous (for reasons plenty of others have stated), but you've just made them look comparatively normal IYDMMS
Re: Obviously government is just trying to pass the buck.
True, but why use TLS?
Once you've created a client that can do OTR, it's not that big a step to have it use PGP instead ;)
Re: Obviously government is just trying to pass the buck.
No need for peer 2 peer, run it through facebook or Google Chat but use a client that adds a layer of crypto (so all FB/G see is base64 encoded ciphertext).
I already do exactly that routinely when discussing anything I wouldn't be happy publishing on the nightly news :)
Re: Jump on the privacy bandwagon
Which isn't entirely unreasonable. They're not under the jurisdiction of the UK courts after all.
We all cry foul when some numpty US judge assumes his jurisdiction extends into other countries, can't see a logical reason for what the SS are suggesting being any different. Plenty of emotional arguments, sure, but very little logic.
Even if they all caved and answered every warrant, all the terrorists have to do is switch to communicating through a SILC server, or even just use Facebook chat, but with an OTR client, and suddenly the SiS can't see anything, again.
The status quo will likely be maintained, whether or not our privacy gets invaded (again) on a massive scale
Apparently you've not been following very closely Looper.
The Swedish process demands a formal interview before a subject can be charged. It's that interview they want to have, and it seems even Assange's lawyer believed he'd be charged following the interview.
So, no, he hasn't been charged, but for the reason above it's an indicator of fuck all because they can't charge until they've had the interview.
Whether or not Sweden is a US lapdog has no real bearing. A) there's no evidence the yanks will actually ask for him and b) he's been in the UK a fair while - we've a history of handing people over to the US with little evidence needed.
Yes, using HTTPS will break the addition. It's been a bad year for the TLS stacks security-wise, but it's also been a year where it feels like everyone is going out of their way to encourage wider adoption.
Re: In-Private Browsing an option?
Wouldn't say it's the only fix, just the most convenient.
Passing everything over VPN is also a viable fix, and something I've been doing for a while. It might not be possible to keep the alphabet agencies from watching your traffic, but it's easy enough to keep your ISP's nose out.
Course, you've got to have an endpoint somewhere, so you've still got to find a hosting (or VPN) provider you trust.
Re: Another one bites the dust
Because consumption has risen in countries/states that have relaxed or outright legalised some of what we consider Class C/B drugs, right? Wait, it didn't.
If you're suggesting that the only thing stopping most people from doing drugs is the fact it's illegal, you're fooling yourself.
Drugs are illegal because they are perceived as harmful to society. Problem is, a lot of the common examples of harm are a direct result of them only being available through the black market.
There are good arguments on both sides; the problem is that no adult debate is happening at a level that can make a change. The obvious example is cannabis - is it really right to destroy the life of a teenager because they were caught with 1/8 of weed?
Would be a nice touch if someone compromised a CIA server and hosted SR3 there
Re: Another one bites the dust (@ Jack of shadows)
Or more recently, how many peddlers does it deter in the various far eastern countries where it is a capital crime.
The war on drugs is a failure and has been for a long time. Not that I pretend to know the solution mind
Re: Re Mark 85 Moral?
As I understand it, after the first Silk Road, a lot of the 'traders' and customers started using PGP for their comms. Doesn't sound much like a group so thick they thought the feds would never raid again.
In fact to me you sound more like a prejudiced tit swiping a broad brush over a community (loosely termed) he knows fuck all about.
Re: Whoops !
Yes, but you give the traders etc. the hidden service URL (i.e. the .onion).
Mapping a .onion back to a physical server is bastard hard, misconfigurations and fuck ups aside.
It's not like giving out a traditional domain where a quick nslookup will give you the server's IP.
In principle (again, fuckups aside), you should be able to give a fed a .onion address without that meaning you've given them any details about your server.
Re: It's gotten better.
> I still don't like ... that the /home/luser/cat_pictures directory can be much bigger and on a completely different disk than its parent dir /home/luser
You can do that on Windows too.
Does the average user actually need to know which physical disk something is on, so long as they know the path they need to navigate to reach it?
And case insensitivity is a stupid thing to have on a file-system IMO, but I guess if you're used to it, it's probably frustrating as hell working with something that cares about case.
Re: It's gotten better.
I never really experienced that (aside from seeing the odd user who seemed to go looking for posts to flame on), or perhaps I did and just failed to notice it.
Re: @Ben Tasker
I'm sure there are plenty of women who don't mind being objectified either - I'm not saying it's wrong (it's part of a base urge really IMHO) - what is wrong is painting it that men objectify women and women never objectify men.
Not that I disagree with you about the strapline and the image being un-necessary, but characterising it as a male-orientated problem is wrong.
The simple fact is women objectify men too. Not every woman does it (just as not every man does it), but it's all too often characterised as 'men objectify women, the pigs' when it swings both ways.
I wrote a rather lengthy blog post on it a while back, and found far, far more examples than I ever expected of female orientated media objectifying blokes.
Re: OK, I can't follow this one.
>I suspect it's just because there's very little pay off, even on vulnerable systems, the potentially most vulnerable say a website cgi would need to be running bash,
The CGI doesn't need to be running BASH, but BASH does need to be called at some point. If the malicious data is added to the environment (perhaps because you're chucking request headers into environment variables) then that's more than sufficient.
Lots of webhosts offer servers with cPanel - which included 2 vulnerable (and accessible without authentication) Perl scripts, so it's not even the 'admin' who needs to have fucked up. One request = reverse shell and the rest is down to the skill of the attacker on any cPanel box that hasn't been updated (or those scripts disabled).
Even with that, there's very little payoff now - it was pretty high profile and most have patched.
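The point above is that the CGI script itself need not be bash: the gateway copies request headers into environment variables, and any bash the server later spawns parses them. As an added illustration (not code from the post), this maps headers the way a CGI gateway does and scans constructed Apache access-log lines for the function-definition prefix that pre-patch bash mis-parsed. The log lines, addresses and paths are made up; note the third hit targets a static page, which is still worth alerting on because the sender cannot know what the server spawns.

```python
import re
from typing import Dict, List

# Constructed Apache combined-format access log lines (not from the post):
# one clean request and two carrying a bash function definition in a header.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"',
    '198.51.100.4 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { ignored; }; /bin/true" "curl/7.30"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Pre-patch bash treated any environment variable whose value begins with
# "() {" as an exported function definition and kept parsing past the closing
# brace, so that prefix is the signature to alert on, whichever field it lands in.
FUNC_DEF = re.compile(r"\(\)\s*\{")


def header_env(headers: Dict[str, str]) -> Dict[str, str]:
    """How a CGI gateway names the environment variables it builds from request
    headers (RFC 3875, section 4.1.18): User-Agent -> HTTP_USER_AGENT.
    This is the step that carries attacker-controlled text into the environment
    of whatever the CGI later spawns."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose User-Agent, Referer or request line
    carries the function-definition prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production detector would count these
        for field in ("ua", "referer", "req"):
            if FUNC_DEF.search(m.group(field)):
                req = m.group("req")
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "path": req.split(" ")[1] if " " in req else req,
                })
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```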
Fairly simple, the update doesn't overwrite the passwords database ;) The box pulls rather than being pushed to, so simple enough really.
Well, I say database. If you've ever rooted one you'll find it's actually an XML file containing all sorts of config.
BT's not a shining example though, they have services open by default (and potentially accessible by anyone on the internet) using HTTP basic auth. They also rather spectacularly fucked up with their 'different default wireless keys and passwords' a while back by using the router's serial for the wifi and neglecting to think about the fact the access point was helpfully broadcasting its serial number.
Re: web client sucks
It really brought home to me just how shite the web-client is when I needed to upload a disc image through the browser - special plugin needed for it. That in itself isn't great, but the bit that really did it for me was the plugin download being 80MB. A friggin 80MB browser plugin?
The web-interface sucks in general too. Thankfully don't have to use it too often
What an absolute shower of idiots.
If you're storing credentials, assume whatever defences you have in place will be breached at some point and an attacker will walk off with your database.
Doesn't mean you shouldn't have other defences in place, but having other defences is never a suitable excuse for not doing your best to ensure those credentials can't be calculated if stolen - requiring strong passwords is just one part of that. Using a good hashing mechanism is another part.
Advising against re-use is more about protecting your users - if the worst does happen, it's one (hopefully irrelevant) account, rather than every account they have on every service.
I mean, if we're working on the assumption that our defences are good enough, why even bother using salted hashes? An attacker's never going to get to the database, so plaintext passwords are fine, just like they have been for years
I suspect how he got to that is that I assume the major UK ISPs control 80% of the market, so that causes an 80% drop with the block.
Sounds incredibly likely sadly.
Sounds to me like you're doing a poor job of assessing the risk, assuming you're making a loss because of the payouts....
Not that I disagree with your sentiments about Copyright infringement being wrong, but add me to the list of people who have a hard time gathering much sympathy for an insurer.
If I had to guess, based on the current 'porn' filtering in place: if your ISP's server receives a DNS query for TPB (for example), they'll make a note and you'll later receive an email. Only a guess, mind, but it'd be cheaper/simpler for the ISPs to implement than going the DPI route.
Course, it'd be no proof that you'd actually visited the site, but not sure that'd stop them sending an email.
Opens up a new, much more legitimate phishing angle though. Once it becomes known that CCUK are sending email notifications, it'd become more believable if you received a notification with a link to pay your small 'fine'.
On the other hand, given the general ineptitude often shown by the media companies, most of their emails will probably only ever see the inside of a spambox anyway
Re: "Copyright infringement is theft, pure and simple"
"In the USA A person is guilty of theft if he dishonestly appropriates property belonging to another."
Except of course, we're not in the USA, so the US definition has no bearing on what a UK minister has said.......
"Theft is also commonly understood to mean "taking something that doesn't belong to you". A word can have more than one definition."
True, but if you're talking about the legality (or otherwise) of a behaviour or action, it's not unreasonable to expect that you use words based on their legal definition.
The Cambridge dictionary linked to above also defines 'rape' as "destruction of the natural world, often for profit", yet I'm not sure anyone would be happy with seeing an implication that someone behaving in that way should be treated as if they'd committed the sexual offence.
Re: Another solution
It's definitely not only men, either.
Nope, I've had my arse groped quite a few times without invitation, or even prior social interaction. Not recently though, must be getting old.....
In an environment dominated by women, they show a lot of the attitudes that men are criticised for, although the actual physical actions might be slightly different. IMO the reason it seems to be blokes misbehaving more often is probably more to do with the fact that there are still more male-dominated environments than the other way round, plus given social attitudes, a lot of blokes probably wouldn't say anything for fear of being seen as a whiner (see Matt Bryant's "well I would" comment above)
Re: This article's about the minority
I think it's a case of being tarred with the same brush, because the only faces you remember out of the sea of faces at a big conference are those of the twats.
It's still not right though, it's often characterised as being 'male IT workers' when really it's "a minority of IT workers who'd likely behave just as badly if they worked at McDonalds"
Re: Another solution
Not that alcohol can't/doesn't have an impact, but IME the assholes are assholes whether they've had a drink or not.
Blaming the booze is easy and doesn't address the actual issue. I can happily drink at events and not wander around groping anyone, so it's quite unlikely the booze is solely to blame.
"if people wouldn't drink they would get into alcohol-related trouble, full stop"
Well, yeah, obviously but the cunts will still be cunts. The only thing it would mean is they couldn't try and explain it away by blaming it on the alcohol.
Drink or not, groping a complete stranger is never acceptable.
Came across them when they first launched (one of my old bosses contributed some cash to their development IIRC). Played around a bit, but it was a bit *meh*, especially as it's hard to use social media when there's no-one else on there.
Came across them again when they got publicly hammered for an absolute shed-load of vulnerabilities (most stupid and easily avoidable AFAIR).
Had faded out of my memory until now though
Re: we need the public to become educated in the tools they are using and what can be installed
> I like to think of people who call other people muggles as "wankers".
Perhaps my tone was a little too dry, but before anyone points me to http://xkcd.com/1386/, it was a joke, perhaps a bad one, but a joke none-the-less
Re: we need the public to become educated in the tools they are using and what can be installed
Unlike El Reg and its commentards, not everybody devotes their whole life to being a tech expert. IMO, pins set by default would help those normal people.
Normal? Round here we call them muggles....
In all seriousness, just what is 'normal'? PINs set by default will help with the current issue, but there are a fair number of other issues in general with your 'normal' people not giving two fucks about security. So that issue still needs to be addressed, which means those 'normals' need to start giving at least half-a-fuck and making the effort to understand some of the tech.
Knowing why it's a good idea to have a PIN set should absolutely never be the realm of 'tech experts'.
Whether a law is needed is doubtful. Better just have the manufacturers set the unique PIN by agreement.
Unique being the key there, if the default PIN is 1234 then we end up worse off than now (as most of those 'normal' users will leave the default).
I do actually agree with you, just resent your use of the word 'normal' (even though I am not, and never have been 'normal' and proudly so).
"This is another example of an incompetent retail CEO incapable of providing leadership and process to secure their organization. Just as the CEO must manage his staff and assets, the CEO is responsible for protecting the security of his network and his customers," said Philip Lieberman, president of security firm Lieberman Software.
Haven't read the background (only what's in the article) but had to re-read this block because the tone is pretty harsh from the get-go.
Don't get me wrong, I agree that holding the CEO ultimately responsible is potentially a good way to get companies to start paying proper attention to security, but I'm not sure firing him's the best way forward (unless there's some additional background I've missed, or you simply want to make an example so that other CEOs perk up).
Some unpleasant consequences, but retention of the job (this time) would surely be the better way forward. If you're going to teach someone a lesson, it's generally better for the business if you continue to employ them afterwards, than to kick them out and then ultimately replace them with someone who hasn't learnt that lesson first hand (though obviously it depends what they did wrong).
Maybe I'm just feeling overgenerous this morning?
Re: No long passwords
I set it up to generate 20 printable character passwords. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.
Yup, but that's still better than the bastards that 'accept' it, silently truncate it down to their max length and leave you wondering why you can't log in.
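Two posts on this page make the same pair of points: assume the credential store will be stolen, so hash with a per-user salt and a proper work factor, and never silently truncate what the user typed. This is an added example, not code from any post, showing a correct store/verify pair beside the truncating anti-pattern; the iteration count and the 128-character cap are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
MAX_LEN = 128          # assumed cap: bounds KDF cost, not a storage column width


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes        # per-user random salt, stored alongside the digest
    iterations: int    # stored so the work factor can be raised later
    digest: bytes


def _kdf(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def check_policy(password: str, min_len: int = 12, max_len: int = MAX_LEN) -> None:
    """Reject, with a reason, rather than 'accept' and quietly alter the input."""
    if len(password) < min_len:
        raise ValueError(f"password must be at least {min_len} characters")
    if len(password) > max_len:
        raise ValueError(f"password must be at most {max_len} characters")
    # Deliberately no character blocklist: the KDF takes any byte string.


def store(password: str) -> StoredCredential:
    check_policy(password)
    salt = os.urandom(16)   # same password, different user -> different digest
    return StoredCredential(salt, ITERATIONS, _kdf(password, salt, ITERATIONS))


def verify(record: StoredCredential, password: str) -> bool:
    candidate = _kdf(password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)   # constant-time compare


# The anti-pattern from the thread: the site 'accepts' the password but keeps
# only the first `width` characters, so any string sharing that prefix logs in
# and the user has no idea which of their characters actually count.
def store_truncating(password: str, width: int = 16) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(salt, ITERATIONS, _kdf(password[:width], salt, ITERATIONS))


def verify_truncating(record: StoredCredential, password: str, width: int = 16) -> bool:
    return hmac.compare_digest(_kdf(password[:width], record.salt, record.iterations),
                               record.digest)
```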
Knowing coppers, there probably was no explicit threat, more a "what do you think will happen to your two kids if you're doing 20+ years?".
The publicly stated reason was poor coding standards in Reiser4. Whether that's the truth or not may be in question, but it's definitely not the same thing - if the kernel devs are lying, then it's different because Ebay are being honest. If it truly is the coding, then it's different because Ebay haven't blocked sales because his music is shit.
Definitely not the same thing....
Is it really metadata?
Is it really metadata, or is it actually the data (i.e. the log) that was used? Ever since various leaks, all I seem to see is the word metadata being used, even when it's not appropriate.
So did they use the logs, or did they provide some data about their source data (and if so why, given there was only one subject)?
Re: FUCK OFF
Did you RTFA or just the title?
The ICO having more funding and power is likely a good thing IMHO as it means they can chase the fuckers that don't take care with our data.
From a read of the title though, I thought it was going to be DRIP phase 2
Let alone the exchange of Perl one-liners; clearly that mishmash of symbols must be a secret code, could $_ be code for 'the attack'?
If I was exchanging semi secret stuff in the clear, I'd use brainfuck just to mess with them
You need to make sure you email the author of one of the blogs too (link on the right hand side) asking when service will be restored:
Yup, Mr Boscovich was indeed included in the recipient list.
Have ignored the temptation to add a comment to either post though, generally companies are less willing to just cough up if they feel you've gone out of your way to publicise/publicly deride the issue.
Don't send it directly. First contact your law firm (if you don't have one I recommend Dewey, Suem, and Howe) and have them send the bill as an attachment to an official letter.
When I send 'gimme-money' letters (not that it's that regular), I tend to give a 14 day period to resolve it before I bother the lawyers. Works for the most part (I've got a success rate of 98%, though I suspect MS will drag that down shortly), especially if I have the good sense to proof read and make sure I've not dropped a bollock somewhere in what I've written.
Slightly different if I was responding to a similar letter though, that'd always get looked over by a lawyer from the outset.
I figured I'd send MS an invoice for the time I've spent fixing the resulting issues, given that as a third party not covered/protected by my contract with NOIP, they've become the de-facto service provider and fucked everything up through sheer incompetence
"they've no idea about planning infrastructure to scale."
The existence / scalability of Azure (the world's second largest 'cloud' I believe) tends to disprove that.
Yes, because Azure has been so reliable. Size != reliability.
The fact that a worldwide outage was caused by MS forgetting to renew an SSL certificate, a week after a 5 day outage on one of their SQL components, further reinforces the idea that big != reliable or good, especially when it comes to Azure.
And of course, we fall back to the current situation. If they're any good at planning things to scale, why ain't their DNS infrastructure coping eh?
Re: Let's clear it up...
Remember it's not No-ip hosting the content either.
" Despite numerous reports by the security community on No-IP domain abuse"
I find the structure of this sentence interesting, to me it reads as though it's talking about Papers and articles (reports on), and not reports to No-IP. Given they are just hosting DNS records, without a list of affected subdomains what precisely are they supposed to do?
Microsoft claimed some of the subdomains use MS protected marks,
That's the bit that really baffles me. A number of subdomains get set up infringing a mark and the judge hands the entire domain over? That's bat-shit insane.
And that's before anyone starts on the fact that No-ip serves DNS records not content. The malware could have got the same content just by going to an IP address, and never touching no-ip (though DNS obviously makes life much, much easier from the malware authors PoV :) ), which makes the decision all the more bat-shit crazy.
Doesn't Microsoft produce infrastructure frequently exploited by cybercriminals?
If one thing's clear, they've no idea about planning infrastructure to scale.
Leaving aside the rights and wrongs of being given custody of the DNS, how the fuck have they managed to take custody so that they can filter out the 'bad' but fail to make sure their servers will stand up to the load so the 'good' is unaffected?
Re: WTF is anyone still using PayPal for?
Not to mention that whilst you may not use Paypal, most other people do (and don't use other services). So if you don't accept Paypal you're artificially (and quite severely) limiting your own market.
I had to provide them with ID a while back because the amount I'd received passed a threshold. Normally they do an 'online check' but it seems that I don't exist, wherever it is that they check.
Re: Eggs and Baskets
What amazed me about so many commentards on Saturday morning was how many of them thought they were smart because they knew how to change DNS servers, but were still dumb enough only to point themselves at one DNS server.
And were 'smart' enough to change DNS servers, and tell everyone else it was a DNS issue, whilst completely failing to take note of the fact that changing DNS didn't help with accessing quite a lot of sites. There was a hell of a lot of the blind leading the blind on the net on Saturday
Re: Wasn't a DNS issue...
Yup, though as lots of people on social media were trying to be clever and tell others it was a DNS issue, I fully expect that if BT do cough to the root cause they'll blame DNS.
Was sat troubleshooting the loss of connectivity, and it looks like a couple of interfaces went down on a box near Telehouse based on comparison of traceroutes before and after. Possibly elsewhere too, but that's what we were seeing.
BT's DNS servers, inevitably, are the other side of that hop, so whilst there was an issue reaching BT's DNS, it wasn't _the_ issue.
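The reasoning above (compare a traceroute from before the outage with one taken during it, find the last hop that still answers, and note that the resolvers sit beyond it) is mechanical enough to script. This is an added example, not the poster's own traces or tooling: the two traceroute outputs, hostnames and addresses are constructed to match the shape of what the post describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed traceroute output from before and during the outage (not the
# post's real traces; hostnames and addresses are illustrative).
BEFORE = """traceroute to example.org (203.0.113.80), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.102 ms
 2  10.20.0.1 (10.20.0.1)  9.840 ms
 3  core1.telehouse.example.net (198.51.100.1)  12.310 ms
 4  core2.example.net (198.51.100.9)  14.005 ms
 5  203.0.113.80 (203.0.113.80)  20.211 ms
"""
AFTER = """traceroute to example.org (203.0.113.80), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.090 ms
 2  10.20.0.1 (10.20.0.1)  9.912 ms
 3  core1.telehouse.example.net (198.51.100.1)  12.144 ms
 4  * * *
 5  * * *
 6  * * *
"""

HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<rest>.*)$")


def parse_traceroute(text: str) -> List[Tuple[int, Optional[str]]]:
    """(hop number, responding host) per hop line; None where every probe timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." header line
        rest = m.group("rest").strip()
        host = None if rest.startswith("*") else rest.split()[0]
        hops.append((int(m.group("n")), host))
    return hops


def localise_break(before: str, after: str) -> Dict[str, object]:
    """Walk both traces hop by hop; report the last hop that still answers as it
    did before, and the first hop that stopped answering or changed identity.
    Anything that used to sit past the broken hop (a resolver, say) will look
    unreachable even though it is not itself the fault."""
    b = dict(parse_traceroute(before))
    a = dict(parse_traceroute(after))
    last_good: Optional[int] = None
    for n in sorted(a):
        if a[n] is not None and a[n] == b.get(n):
            last_good = n
            continue
        return {"last_good_hop": last_good, "last_good_host": b.get(last_good),
                "broken_hop": n, "expected_host": b.get(n), "seen": a[n]}
    return {"last_good_hop": last_good, "last_good_host": b.get(last_good),
            "broken_hop": None, "expected_host": None, "seen": None}


if __name__ == "__main__":
    print(localise_break(BEFORE, AFTER))
```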
Re: It would help an awful ****ing lot
Never thought I'd use this sentence - I'll give HSBC their dues on this one.
They phoned me recently and authenticated themselves rather than asking me to do the same.
There are still far too many bad practices that leave us exposed though. If Verified by Visa increases the likelihood that I'll be liable for a loss, they should damn well let me use special characters in my password *grumble*
Re: anonymized & agregate results
A great example being the NYC data that was released - Drivers for > 173 million trips identified from 'anonymised' NYC Cab data
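As an added illustration of why that release counted as 'anonymised' in name only (this is not code from the post or from the NYC release): if a pseudonym column is an unkeyed hash of an identifier drawn from a small, well-known format, as was widely reported for the NYC medallion numbers, the entire column can be tabulated and inverted before anyone looks at a single trip. The check below is what a publisher should run before release; the toy identifier format, the trip records and the key are constructed, and the keyed alternative shown is one mitigation, not the only one.

```python
import hashlib
import hmac
import itertools
import string
from typing import Dict, Iterable, List, Optional

# Toy identifier space, constructed for this example: digit, letter, digit,
# digit gives 10*26*10*10 = 26,000 possible medallions. The real format is
# larger, but still small enough to enumerate in seconds.
def medallion_space() -> Iterable[str]:
    for d1, letter, d2, d3 in itertools.product(string.digits, string.ascii_uppercase,
                                                 string.digits, string.digits):
        yield f"{d1}{letter}{d2}{d3}"


def naive_pseudonym(medallion: str) -> str:
    """Unkeyed hash: deterministic and computable by anyone, so it is a table lookup away."""
    return hashlib.md5(medallion.encode()).hexdigest()


def keyed_pseudonym(medallion: str, key: bytes) -> str:
    """HMAC under a key the publisher keeps: the same table no longer matches anything."""
    return hmac.new(key, medallion.encode(), hashlib.sha256).hexdigest()


def build_lookup() -> Dict[str, str]:
    """Release-time check: map every pseudonym back from the plausible identifier
    space alone. If this table covers the column, the column is not anonymised."""
    return {naive_pseudonym(m): m for m in medallion_space()}


def reidentify(records: List[dict], table: Dict[str, str]) -> List[Optional[str]]:
    """Recover the original identifier for each record, or None where the table misses."""
    return [table.get(r["medallion"]) for r in records]


# Constructed trip records in the shape a publisher might release.
ORIGINAL_IDS = ["5X55", "5X55", "2B19"]
NAIVE_TRIPS = [
    {"medallion": naive_pseudonym("5X55"), "pickup": "2013-10-01 08:02", "fare": 9.5},
    {"medallion": naive_pseudonym("5X55"), "pickup": "2013-10-01 08:40", "fare": 14.0},
    {"medallion": naive_pseudonym("2B19"), "pickup": "2013-10-01 08:05", "fare": 7.0},
]
SECRET = b"publisher-held key, never released with the data"   # constructed
KEYED_TRIPS = [dict(t, medallion=keyed_pseudonym(m, SECRET))
               for t, m in zip(NAIVE_TRIPS, ORIGINAL_IDS)]


if __name__ == "__main__":
    table = build_lookup()
    print("naive:", reidentify(NAIVE_TRIPS, table))
    print("keyed:", reidentify(KEYED_TRIPS, table))
```

Keying the pseudonym stops the table lookup, but every trip of one cab still shares a pseudonym, so the data remains linkable per vehicle; that is pseudonymisation, not anonymisation, and the decision to publish the column at all deserves the same scrutiny.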
Because in theory, they could identify an area that's likely to see an increase in demand and then build a mast nearby to give themselves a competitive edge (everyone else's masts being a bit further away). As well as capturing punters, they can rent some of that mast space to the other networks for a suitable price.
In reality, if that happens it's rare. At the moment the main focus seems to be on rolling out 4G in heavily populated areas rather than trying to eliminate blackspots (though as the former is potentially more profitable, you can't really blame them).
With tongue carefully in cheek, I'd also point out that having multiple companies, any one of which could be the owner of that brand new mast, probably (briefly) makes the network's life easier, as those wishing to complain of having headaches/illness from the radiation emitted by the (occasionally, not even turned on yet) mast will have to narrow down the owner before sending their emails.