* Posts by Ben Tasker

2250 publicly visible posts • joined 23 Oct 2007

Mozilla hackers audit cURL file transfer toolkit, give it a tick for security

Ben Tasker

Re: Curl.

--- posts/3038156

+++ posts/3038156

- dObERManS

+ doberMans

Fixed your naming convention, please merge

WordPress auto-update server had flaw allowing anyone to add anything to websites worldwide

Ben Tasker

Re: And in related news...

> HTML and CSS combined with judicious usage of a JavaScript (aka JackassScript) and a server side language with a solid framework (Python/Django or Ruby/Rails, e.g.) might be smarter.

It depends. Aside from the learning curve for the average SMB owner, the problem with rolling your own is that you are then entirely responsible for maintaining it, including finding and fixing any vulnerabilities (or even just run of the mill bugs) you might have accidentally introduced.

It also makes things like server refresh a pain as you'll have to take your codebase into account.

That's more responsibility than your average SMB wants to take on. Off-the-shelf increases the number of people looking for holes and bugs, and someone else will likely fix those for you.

On the flip-side, of course, the obscurity it brings does have a little bit of benefit. You won't get pwned when someone starts a script to find WP sites and use their latest 0-day on them. But if you're specifically targeted then rolling-your-own might well lead to you being an easier target.

User needed 40-minute lesson in turning it off and turning it on again

Ben Tasker

Re: Can you hold down the power button

> You've told people not to use jargon, but I have no idea whatsoever what 'top-up the jets' means*.

I'd hazard a guess he's American and means topping up the screenwash, but it is only a guess.

British politicians sign off on surveillance law, now it's over to the Queen

Ben Tasker

Re: Working from home

> In a similar way, I'll be running 24x7 a random IP address generator that will then, for a random number of minutes, do a random number of GETs to that IP address and any subpages that are returned..... both massively increasing and poisoning the haystack with random data, and obscuring my actual surfing.

If you do, be very careful.

I did some work a little while back examining the effectiveness of cover traffic on encrypted links.

You'll need to pay attention to the size of the response body and adjust the time between that and the next page accordingly (but not proportionally).

The time a human takes to switch between pages isn't consistent (we might load a huge page, read 1 sentence and click off because it looks crap, or load a tiny page and take 5 minutes to read because we went and made a cuppa). But that's very different to random intervals as there is some correlation between the amount of text and the amount of time we spend reading.

You also need to make sure that the start and end times of your cover traffic aren't particularly consistent. Having a sleep at the beginning of the script helps a little, but if the traffic always starts within 60 seconds of quarter past the hour, it quickly becomes identifiable

> In a similar way, I'll be running 24x7 a random IP address generat

Don't do that. You don't want it running 24x7, you want it vaguely aligned to your sleep/wake cycle (as well as taking into account things like you going to work all day). Any traffic generated when there's a high probability it wasn't you gives an observer further means to analyse your countermeasures.

If they decide they're going to capture HTTP Host headers (which really, they'll want to), simply connecting to a given IP and requesting pages isn't going to do anything except make the traffic identifiable too.

There's a lot of other things to be considered too.

When observed over time (which is what an ICR will effectively be) the little differences in behaviour between a script and the average human become readily identifiable, and that's when the traffic is using an encrypted link. It's even harder with plaintext (which, to some extent, includes HTTPS because things like SNI are in the clear)

TL;DR running effective cover traffic is fucking hard, assuming your aim is to thwart anyone with any more than a passing interest.

Ben Tasker

Re: Am I an ISP?

> Will I, and many others like me, have to store these ICR thingies?

And will there be any specific requirements on how we store them? For example, if I write the ICRs out to an aged SSD and never run integrity checks (as to do so could be construed as unauthorised access), is it likely to be too big a drama when those records aren't available (because the SSD didn't start making whining noises to warn me it was going to fail)

Would at least be novel, advising on how to increase the risk of data-loss...

Firefox hits version 50

Ben Tasker

Re: Android

> unfortunately it's a bit flaky and likes to crash when I expand or move around the page.

That's been my main experience with it, it's just regular enough to be annoying but not so regular that it's forced me back to Chrome.

Swedish prosecutor finally treks to London to question Julian Assange

Ben Tasker

Re: The Swedes can save face

> The term "rape" is being abused. It normally implies violence or a threat of violence.

No, that would be "Violent Rape" or similar.

The term Rape is all about consent. Sex without consent is rape. Fairly simple.

> Some would say that a woman changing her mind after the event is "rape" because the man should have been more caring...

Some would say that if a woman says "yes, but only if you rubber up" means you've only got consent if you rubber up, and that consent wasn't given (in fact was almost explicitly denied) for bareback.

Ben Tasker

Re: Really?

> Not according to Swedish law, and however much Wikileaks and St Jules™ think of themselves, they're not important enough to switch Swedish law for.

I read an interview with Assange, about the Hilary leaks recently. It was good, interesting reading right up until the point the journo asked about this case, at which point it was an easy reminder of what a slimey toerag Assange can be

For example, "In Sweden I am not charged,". There's no way that Assange isn't acutely aware that Swedish law requires this interview before he can be charged, so whilst it's not technically untrue, it's a rather manipulative statement to make.

Can't blame the journalist for asking about it, but somewhat ruined an otherwise interesting interview for me.

Panicked WH Smith kills website to stop sales of how-to terrorism manuals

Ben Tasker

> Oh do fuck off. Warned by The Register indeed. When any twat knows that mixing [redacted] and [redacted]; both common household chemicals you can make [redacted] gas.

Don't tell them that. They're already going down the path of burning books, the next thing will be to burn any of us that actually learnt anything in chemistry for possession of banned knowledge.

Tesco Bank limits online transactions after fraud hits thousands

Ben Tasker

Re: Tesco bank headers missing

> I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away...

Agreed. It's much more likely that someone gained access to their internal systems (whether that's an internal job or otherwise)

> Or that any missing headers in a web server response ever resulted in something similar.

On this scale? Probably not.

It's certainly feasible on a smaller scale though. Cert authorities have been compromised in the past, and likely will be again. The authentication method LetsEncrypt uses when requesting a cert is known to be vulnerable to DNS poisoning, so there's a potential avenue to obtaining a trusted-but-fraudulent certificate there too.

What's the defence against an incorrectly issued, publicly trusted certificate?

Certificate pinning. Which none of the buggers is using. As mentioned earlier in the thread, configuring it isn't without its risks, but it's just a case of needing careful management.

Incidentally, that LetsEncrypt issue I mentioned, can be mitigated by DNSSEC, which, again, none of the buggers is using.

Given that banks are "trusted" to hold our money, you'd think the bar would be somewhat higher for what they consider the bare minimum.

Personally, I think it'd be better if browsers got their act together and implemented support for DANE, but that's a whole other topic (and would require the banks to set up DNSSEC in any case).

Ben Tasker

Re: Tesco bank headers missing

> My immediate response was that the Barclay's app gets a bonus star for not working at all... no?

I did think about that, but decided against. It's more than possible the failure to run was something I did (or didn't) think of, so probably shouldn't give them an additional point (which might be misleading) just in case the app is actually swiss cheese in reality. Given the much wider range of permissions their app asks for, I figured it was better to err on the side of caution

Ben Tasker

Re: Tesco bank headers missing

When I last looked they all did a pretty poor job of using the tools/techniques available. Granted I was looking at their apps, but the situation looked more or less the same for their online banking login pages.

Ironically enough, Tesco bank's holier-than-thou stance on security in one area was what prompted me to have a quick gander

Brexit may not mean Brexit at all: UK.gov loses Article 50 lawsuit

Ben Tasker

> Your thinking is backwards, the court isn't saying that elites can't just dictate and must put it to a vote,

Yes, yes it is.

It's saying that the Government cannot simply make the decision and bypass Parliament.

If you'd prefer it termed this way, it's saying the elite of the political elites cannot dictate.

> the court is saying that a fully democratic referendum

You missed out the word "advisory" there. And, before you take umbrage, make sure you read the numerous legal analyses that show referendums in the UK are advisory unless explicitly stated otherwise in the enabling legislation. It could always be disregarded (not that I'm saying it's necessarily a good idea)

They asked our opinion, and now they must vote on it.

Personally, I think Brexit is a fucking stupid idea, but for me this isn't just about that. The idea that the Prime Minister can make such a permanent, nigh-on-irrevocable decision without a complete mandate (see below) is insane and (given who the PM is) dangerous.

On the mandate front, OK, as a nation we voted in majority of Brexit. We didn't vote on losing access to the single market, and certainly didn't vote on coming out of the ECHR. One of those we know May wants, the other varies depending on who's speaking, but neither of which were actually voted on specifically.

Ben Tasker

As others have said, what did we vote on?

- Leave the EU?

- Leave the Economic Area?

- Leave the ECHR?

All or some of the above? What's TM going for?

Strange though, an awful lot of Leavers I know were going on (pre-referendum) about how Parliament was no longer sovereign, and we need to get that back etc. We get a court ruling saying the elites can't just dictate and must put it to a vote and you're all upset?

> Have we really reached the point at which we're abandoning democracy?

We're a parliamentary democracy and the legal system has just said that Parliament must be involved. If anything we've just re-affirmed that democracy not abandoned it.

> If so, then violence is inevitable.

Lucky we're going to have that extra money for the NHS so we can handle the casualties then... oh, wait

Ben Tasker

> I have no sympathy for those who are too stupid or lazy not to vote. Use your vote or lose it.

In the context of the referendum, that's the stupidest statement I've seen in a while.

You're asked for an opinion - should we stay, or should we go. You're not sure either way (because neither side is actually giving anything of substance).

Some people said "fuck it", picked one (because they wanted to be "part" of the referendum).

Others said, still not sure, so I'll not vote either way.

I've got far more respect for that latter group than for the former. I know people who voted Leave purely because they wanted to be "involved" and are now pissed that GBP has tanked etc. Frankly, they brought it on themselves, it's just a pity they also helped bring it on the rest of us too.

The best reason not to vote is because you don't feel strongly enough in either direction. The worst reason to vote is simply to feel involved in that process, it's not a fucking lottery ticket.

Hm, is that a minefield? Let me just throw my magic bomb-sniffing spinach over there

Ben Tasker

Re: OK so let's see if I can find a use for it

> they are land mines how do you defuse/detonate them safely?

You take a step back and then spray the solution in your assistant's eyes

Hackers hustle to hassle un-patched Joomla! sites

Ben Tasker

> "If you have not updated your Joomla site yet, you are likely already compromised," Cid says.

Seems a bit sensationalist. I've checked logs for quite a number of sites and most of them haven't seen any attempts.

Microsoft: We're hiking UK cloud prices 22%. Stop whining – it's the Brexit

Ben Tasker

Re: Work the problem?

> Seems to me that every company trying to make a buck out of this opportunity should be met with a "no thanks." whilst we buy/use something else

Here's the thing. When you devalue your currency, the cost of things from foreign suppliers tends to rise as a result.

If MS didn't allow us to buy in GBP, and instead only sold in USD, we'd still be spending more.

It's not just opportunism, it's a direct result of the devaluation of the pound, which has come about as the result of businesses having serious concerns about the UK's prospects post-brexit.

In my book, that's definitely something to dump at the feet of the leave crowd.

CloudFlare shows Tor users the way out of CAPTCHA hell

Ben Tasker

Re: nonce field - unfortunate choice of name

> As the actual value is irrelevant I guess that the name comes from a contraction of nonsense.

I've always assumed being a throwaway it's just a contraction of "n" and "once"

Not sure though

Source code unleashed for junk-blasting Internet of Things botnet

Ben Tasker

Re: It would seem

The only thing to watch out for with that is manufacturer idiocy. IIRC when BT first moved from having a generic default WEP/WPA password on the Homehub they went with the serial number. Unfortunately it was possible to get the AP to tell you its serial before you'd authenticated.....

You can almost guarantee at least one manufacturer will drop that info into the http headers, or body to aid in identifying the kit when they get a support call

Alleged hacker Lauri Love loses extradition case. Judge: Suicide safeguards in place

Ben Tasker

Re: Controversial

But, to stretch the analogy, you wouldn't get to claim the cost of installing an alarm as damages against the car thief either. The thief stole the car and gets done for that, you don't get to claim back the cost of doing what you should have been doing in the first place.

In other cases though, the US has tried to reach the bar for damages by including the cost of implementing security that should have been there in the first place.

So whilst he shouldn't get off scot-free he's not wrong when he claims it won't actually be justice that's meted out in the US

Swedish appeals court upholds arrest warrant for Julian Assange

Ben Tasker

Re: Very few commenters seem to know the facts of this case...

> 2. Assange has not been charged and he is not wanted for trial.

FFS, if by now you don't know why that's bullshit you're either being willfully ignorant or are just too plain dense to conceive that different countries have different legal systems.

He cannot be charged (and therefore cannot be wanted for trial) until after the interview they want to have with him. It's not a difficult concept, and it's not new.

> 4. Assange has not "refused to come to trial or indeed be questioned".

No, but he (the suspect) is trying very hard to dictate how and where that happens. What other suspects would you say could get away with that?

> 5. Assange did not "flee".

For a start, he's a bail jumper which most would consider fleeing. Secondly look up the circumstances of his departure from Sweden. Not that whether he fled Sweden really matters, if he left to visit his Great Aunt Norma the requirement for him to go back wouldn't change.

Maybe try reading a wider range of sources and verifying facts a little more thoroughly. It might be a fact that he's not been charged, but there's another fact that explains why and that it's not unexpected.

Bug of the month: Cache flow problem crashes Samsung phone apps

Ben Tasker

Re: Mono

Yes and Yes.

Xamarin bug is here - https://bugzilla.xamarin.com/show_bug.cgi?id=39859

Edit: clicky

We want GCHQ-style spy powers to hack cybercrims, say police

Ben Tasker

Re: on the rights of man and common sense

>> increase the risks criminals need to take

>

> struggling with ideas here that don't involve logging everything everywhere. fuck off.

Perhaps reduce the time wasted on fighting for things that harm us all and focus on doing some actual police work? More coppers doing what they're supposed to be doing should increase the risk of getting caught

>> ; remove the excuses for it

>

> Does anyone have any good excuses for cyber crime? Crap wars in foreign lands?

I've got a sinking feeling that in the future we may all have a good excuse - they've clamped down so hard on things that "normal" stuff like using https is now potentially a cybercrime.

Dropbox: Leaked DB of 68 million account passwords is real

Ben Tasker

Re: Can someone explain

With bcrypt, the salt is stored in the "hash". The output of bcrypt is essentially a string containing the actual hash - in effect ${cost}${salt}${hash} - so if you've got the bcrypt "hash" you've got everything you need except the real password.

But that's fine, because a salt isn't intended to be secret, it's intended to make it more expensive for an attacker to try and bruteforce hashes

Ben Tasker

I emailed them back in 2012/2013 to ask if they'd been compromised because the alias I'd used for them started receiving spam. They said no

Feeling a little vindicated now

Ben Tasker

Re: Ummm

> I am also not sure the attacker "would need the salts". Generally they are right next byte to the hash, possibly after or before a separator...

Absolutely correct - with bcrypt the salt is stored within the "hash", along with the cost used and the resulting cipher text. The cost and salt get split out of the stored string when testing a submitted password.
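Added example (not part of the original posts): a parser for the stored bcrypt string the two comments above describe, assuming the common modular-crypt layout `$2b$<cost>$<22-char salt><31-char digest>`. The function names, the `min_cost` policy value and the sample string are constructed for illustration; the parser shows that cost and salt are readable from the record itself and uses that to flag records hashed below a chosen cost.

```python
import base64
import re
from dataclasses import dataclass

# bcrypt encodes salt and digest with its own base64 alphabet,
# which differs from the RFC 4648 alphabet used by the base64 module.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STD = str.maketrans(BCRYPT_B64, STD_B64)

# $<variant>$<2-digit cost>$<22 chars of salt><31 chars of digest>
_BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Constructed sample in the 60-character layout; not a hash of any real password.
SAMPLE = "$2b$10$CCCCCCCCCCCCCCCCCCCCC.abcdefghijklmnopqrstuvwxyz01234"


@dataclass(frozen=True)
class BcryptRecord:
    variant: str      # e.g. "2b"
    cost: int         # log2 of the number of key-setup rounds
    salt: bytes       # 16 raw bytes, stored in the clear
    digest_b64: str   # 31 characters, still in bcrypt's base64


def _decode_salt(salt_b64: str) -> bytes:
    # 22 characters carry 132 bits; the first 128 are the 16-byte salt.
    return base64.b64decode(salt_b64.translate(_TO_STD) + "==")


def parse_bcrypt(stored: str) -> BcryptRecord:
    """Split a stored bcrypt string into variant, cost, salt and digest."""
    m = _BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt string")
    variant, cost, salt_b64, digest_b64 = m.groups()
    cost_i = int(cost)
    if not 4 <= cost_i <= 31:
        raise ValueError("bcrypt cost out of range")
    return BcryptRecord(variant, cost_i, _decode_salt(salt_b64), digest_b64)


def needs_rehash(stored: str, min_cost: int = 12) -> bool:
    """True when the record was hashed with a cost below the current policy."""
    return parse_bcrypt(stored).cost < min_cost


if __name__ == "__main__":
    rec = parse_bcrypt(SAMPLE)
    print(rec.variant, rec.cost, rec.salt.hex(), rec.digest_b64)
    print("rehash on next login:", needs_rehash(SAMPLE))
```
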

£1m military drone crashed in Wales after crew disabled anti-crash systems – report

Ben Tasker

> Millions of pounds of hi tech equipment destroyed for want of a £1 microswitch.

By the time it's been rated "aviation safe" it'll cost much more than £1. I remember seeing £20 spanners coming into the aviation workshop still carrying a price tag that indicated they'd cost 10x as much. Partly because Government contract, partly because they'd been rated as OK for use on aircraft.

So that £1 microswitch may well cost hundreds, if not thousands from the supplier

Ben Tasker

Re: The Real Lesson

> Is that this drone was of a horrible design.

Pretty much my takeaway as well.

> if Master Override is activated and one of the altimeters is malfunctioning, the Watchkeeper opens up its “ground touch” window from 1m sensed altitude to 20m sensed altitude. In other words, the drone might decide it has landed even when it is still 65 feet up.

Clearly whoever designed this was trying to solve a specific issue they predicted might happen, but didn't give enough consideration to what the actual ramifications might be

Thieves can wirelessly unlock up to 100 million Volkswagens, each at the press of a button

Ben Tasker

Re: Quick Release or build it like it is in my head

Inevitably leading to someone having to stand at the tobacco counter at Tesco's as their icecream melts and say, errr... has anyone handed in a steering wheel? I'm sure I had it when I paid, but can't find it anywhere

Not that I once realised I'd left my wallet on the counter once I'd driven 100 miles. Thankfully there was enough diesel in the tank to get back

Idiot flies drone alongside Flybe jet landing at Newquay Airport

Ben Tasker

Re: Ban Them!

> Me neither. *shakes fist at pesky adblocker*

Same here. Was only yesterday I was debating whether to whitelist the Reg so they could earn some income from my views. Guess that settles it.

Hilton hotels' email so much like phishing it fooled its own techies

Ben Tasker

Re: Banks are just as bad

Perhaps if you'd clicked it it would have resent the email, but in a larger font this time to try and get the information to sink in?

But yeah, I've had similar from my bank - we take account security very seriously, click this link to a random looking domain to find out how to avoid getting scammed

Julian AssangeTM to meet investigators in London

Ben Tasker

Re: He's on Ecuadorian Soil...

> Assange is not in the EU or the UK, he's on Ecuadorian Soil,

No, he's on UK soil.

The whole "an embassy is foreign soil" is a Hollywood thing, not a real-world thing.

The Vienna convention prevents us from going in without very good cause, but to do so wouldn't be an invasion of foreign soil. The real risk is that failing to respect someone else's embassy would lead to British embassies suffering the same.

> No one has come off well in this, least of which the UK Government. The original offence (if there ever was one) has long been served, by his self imprisonment.

Except it's self-imprisonment so it doesn't actually count. If you're expecting that you'll be convicted of something you can't just hole yourself up somewhere of your choosing and then claim time served, that's just not how it works.

The developer died 14 years ago, here's a print out of his source code

Ben Tasker

Re: Mr Robot

>  when you see people in DC doing whatever they're doing, while wearing t-shirts but not seeming to feel the cold.

I don't think I've ever felt the need to layer up in the DC. I have occasionally had to leave the hot aisle because I was getting too warm though. A tshirt is otherwise normally fine, but it's possible I've built a tolerance since the smoking ban exposed me to the elements more frequently

Oh, and I'll usually have something in/over my ears if I'm going to be in there for too long. Not so much the volume as the constant exposure that gives me a headache.

Dying satellite sends boffins one last surprise before disappearing

Ben Tasker

> Because if you kick the mistake makers too hard, by firing them or making it impossible to continue with their jobs, then you lose not only the skills you've invested in but also the learning from the mistake. Do something wrong in the armed forces and you're often demoted - you have to earn your way back up.

Yup, an employee who's fucked up and been punished is usually still a more productive and useful asset to the company than an employee who hasn't yet fucked up and hasn't learnt to exercise a little more care. I'd rather someone who didn't fuck up because they'd learned to be careful than someone who's just got lucky so far.

Firing is for the willfully incompetent/negligent and for those who never learn to exercise care. Everyone else should get the chance to learn from mistakes.

And firing someone to "make a statement" (i.e. for political purposes) should probably be a sackable offence too IMO, as it's throwing away the company's investment in that person for no good reason.

Meet the 1,000 core chip that can be powered by an AA battery

Ben Tasker

Re: Why?

It's part of Skynet:

> ....the chip can execute 115 billion operators a second while....

But seriously, as others have said - does there need to be a "why" for trying everything new? Once a technology is developed, uses will generally be found for it, and otherwise unthought of technologies sometimes grow up around them

Tor torpedoed! Tesco Bank app won't run with privacy tool installed

Ben Tasker

> Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP

Got curious, turns out they're not the worst of the lot, even if far from great.

Ben Tasker

> Also considering the risk of poisoned exit nodes & MITM, while TOR is great for anonymising your origin you probably can't trust it to protect your identity and personal details that you transmit

Well, how about the App actually verifies the certificate it receives, and they use DANE to ensure that the fingerprint of the provided certificate matches the certificate they _know_ to be real.

Then the exit not only has to MITM the SSL connection (using a publicly trusted certificate), but also has to find a way to return a valid, _signed_ response to the DNS query.

Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP

Implementing actual checks on the certificate being provided would benefit all users, tor and non-tor. Instead, they leave their app checking the local system whilst ignoring the large expanse of network between the client and the server.

Mark Zuckerberg's Twitter and Pinterest password was 'dadada'

Ben Tasker

Re: As for username and password,

Personally, I don't know the answer to any of my secret questions. I generate a random string and paste that in.

Passwords are in a manager so the questions shouldn't ever be needed, and if they are I've bigger things to worry about.

Does mean it's a right shit when a site suddenly updates login to include "enter character 6 of the answer to your security question" though.

Jacob Appelbaum quits Tor Project amid 'sex misconduct' accusations

Ben Tasker

Re: The blog post

> No, I linked to a page on the Tor Project blog only, not the website Appelbaum mentions.

Strange then, the second paragraph of the statement is a bit unnecessary IMO, but otherwise not quite sure it'd fall under defamatory, even if the language is a little woolly

Ben Tasker

IOError's Statement

Jake has (just) published a statement - http://www.twitlonger.com/show/n_1soorlp / https://twitter.com/ioerror/status/739731362404536320

Ben Tasker

Re: The blog post

I don't know, but I suspect at least one of the deleted comments probably linked to the domain that's been, err, dedicated to ioerror - which very definitely does contain a lot of defamatory stuff.

No idea whether the allegations are true (other than that he can be a knob at times), but that site and the social media witchhunt make me sad to be part of the community. There's no reason for everything to have been done quite so publicly (the site in particular), particularly at this stage, and for a privacy loving community to seemingly take so much delight in a public burning doesn't sit well.

'Windows 10 nagware: You can't click X. Make a date OR ELSE'

Ben Tasker

Re: What date is good for you?

> And unless VM support for DX12 comes along, I don't trust virtualizing a gaming rig with a Steam collection that's Windows-only and VM- and WINE-unfriendly.

Not saying it's necessarily the right solution for you, but one option would be to do something like this

http://lg.io/2015/07/05/revised-and-much-faster-run-your-own-highend-cloud-gaming-service-on-ec2.html

Edit - making link clicky

Don't panic, says Blue Coat, we're not using CA cert to snoop on you

Ben Tasker

Re: Symantec

> Browsers need to start tracking the certs for each website and if the certs change, then it's untrusted even if Symantec say it's trusted.

That's already possible with HPKP and/or DANE.

> Google's certificate pinning, is Google's log, I have no reason to trust Google's logs either.

If you don't trust the operator of the site (in this case, Google), why are you exposing your system to their services?

Thai bloke battles jumbo python in toilet todger thriller

Ben Tasker

Re: Is it just me, or...

Surely we've all dealt with a user or a boss where we've thought I'd rather feed my todger to a snake?

Or... alternatively, it might be we're currently in bootnotes ;)

Hacked in a public space? Thanks, HTTPS

Ben Tasker

Some go further than that and are included on a list pre-baked into the browsers. So on a virgin install of Chrome (for example), if you enter http://www.google.com it should change to HTTPS without bothering to try port 80.

Helps to remove the inherent risk in just HSTS when talking about users who're visiting your site for the first time.

Hewlett Packard Enterprise hiring temps to cover for redundancies - sources

Ben Tasker

> They're your statutory rights, you can't waive them. They can throw money at you and make you sign something in the hope you don't use them, which is something different

True, however, they can have you sign an agreement which states that in return for the "advanced redundancy package" you won't exercise those rights.

If you then choose to do so, you lose out on the "advanced" element and fall back to being eligible for a statutory redundancy (1 week per year), in the hopes of perhaps getting a better payment, which will almost certainly be calculated using statutory values.

So, no, you can't waive your statutory rights, but by actually exercising them you effectively throw money away.

'Knucklehead' Kansas bloke shoots self in foot

Ben Tasker

Re: Acts of God...

> Also, ankle holsters are crap except in very particular circumstances.

For example when you're a leggy femme fatale in a movie that's just looking for an excuse to show some leg :)

It might be a limited imagination, but I can't think of a civilian circumstance where it'd likely be beneficial as it's more of a "backup" thing

Linux greybeards release beta of systemd-free Debian fork

Ben Tasker

> Most of the problems with systemd stem from not knowing or not caring about how to use it

I think that's a little unfair, but, that said, the very presence of systemd on a system can also lead to a systemd blinker coming down when troubleshooting.

I actually spent some time dealing with an issue earlier. For some reason systemd-udevd had started deciding to rename a NIC from its configured name to "rename2".

I'm sure Lennart's ears were burning for a little while, until I looked a little closer and remembered what fuckwits Realtek are.

The NIC in question is part of a bond, and on the reboot just before the issue, systemd got impatient waiting for the network to come down cleanly, so just shut it off. On boot, the RTL driver reads the MAC from the NIC's volatile storage (instead of the PHY) so got the bond's IP instead, which of course matches the other slave. So two NICs matched the same udev rule...oops

Blaming the (sometimes) clusterfuck that is systemd is too easy and rarely solves the problem itself.

But systemd isn't faultless either, just as some distros managed to ship flawed selinux configs (apache context? Nah, won't need /var/www/html). It's got its problems and journalctl is a fair example (system hung and want to know why? Sorry the binary log is corrupted). Being able to pass through to rsyslogd is a bandaid not a fix for the issue

Or, as others have pointed out, the NTP issues.

E-cigarettes help save lives, says Royal College of Physicians

Ben Tasker

Re: "E-cigarettes help save lives, says Royal College of Physicians"

In the past when I've said similar, I've had people say "you think the cig is calming you, but actually it's just satisfying the addiction, making the cravings go away"

Because, you know, the twat who pushed untested changes to production clearly had nothing to do with the irritation in the first place..