Posts by Ben Tasker

Re: Thailand had 1 case yesterday

> Masks may help to reduce transmission, but they do not prevent it. Also, people from developing countries struggle to get clean drinking water let alone clean masks. Hence you will always have a reservoir of cases ready to reinfect disease-free countries.

Some might suggest then, that given that ever-present reservoir of cases, it'd be wise to take steps that reduce transmission, like wearing a fucking mask.

Re: Thailand had 1 case yesterday

> I have no issues with mask wearing. My issue is a lockdown that doesnt seem to work in a positive way.

Which seems to put you into a minority of those who oppose lockdown.

A very good chunk of those who were against lockdown also now seem to be against wearing masks (oh, sorry, muzzles apparently).

The reality is actually fairly simple - either people need to take proper precautions, or we're going to have to lockdown again to try and protect NHS capacity.

Whether through stubbornnes, stupidity or something else, those precautions seem not to be being taken, so we'll ultimately reach a tipping point where the choice is to lockdown, or to have a massive increase in deaths because the NHS can't cope.

The government screwed a lot up in their response, not least through screwing adherence to lockdown by not observing it themselves, but the number of people bleating about the possibility of a lockdown, whilst not wearing masks is unbelievable.

You can see why some might be opposed to your position in the comments given that position is normally explained without benefit of a mask, and usually with some dubious figures about how it's "not that bad"

Re: Context failure

But it's (usually) on the same network as devices that do have that data (potentially including a wide-open NAS in some households) and makes a convenient, and hard-to-deal with (for the owner) pivot point. And that's assuming that crooks are only interested in getting at your banking data - they're not, and are just as happy to enrol your TV into their DDoS service.

If you need help imagining a scenario

- Attacker manages to poison DNS for the advertising domain, or otherwise establish a MiTM position

- Serves up a video containing an stagefrightesque exploit

- TV opens reverse shell back to attacker's C&C and does whatever

With actual cert validation, the attacker would need to be capable of presenting a valid, publicly signed cert - not impossible, but presents a significant additional barrier. Without it, they can set up their MiTM using a snakeoil cert

Given the IOT industries famous lack of fucks for security, if anything, these devices need *more* care not less.

Re: "Rather than seeing the same old adverts"

> That's the thing that bugs me with ITV player, its exactly the same adverts each break

All4 seems to be doing much the same at the moment, or at least, Apple seem to have paid them to absolutely saturate us with adverts for Greyhound (exclusive to Apple TV dontcha know). I hope the fuckers paid an absolute premium to over-advertise to the extent I'll definitely not pay to watch it now

Re: At least here you have the option to proceed anyway

> However, with HTTP Strict Transport Security your browser developers decided you are not allowed to bypass the error screen

That's not actually true.

In Chrome, when you hit that error page, type badidea and it'll be bypassed. Not intuitive though.

But, to be fair, it's not actually the browser's fault that you can't bypass the screen, all they've done is implement the advice in the RFC - https://tools.ietf.org/html/rfc6797#section-12.1

> If Iranian hackers posted details of millions of US bank accounts online

Yep...

It might be "cyber" (ugh), but choosing civilian targets is not OK, and setting a precedent for doing so is particularly unwise given that others will use that as an excuse to target US civilians.

Re: Detracts from journo standards

> Whenever I read your (The Register) things about the US Trump Administration it is inevitably from a heavily biased viewpoint that they are all bad to the bone.

Out of interest, has it occurred that maybe it's the administration's own actions that lead to that effect of it all being negative?

There isn't _much_ for them to crow about without relying on nuances of language (well, we built *some* of the wall and never said we'd build all of it).

But, I don't really see how your criticism applies to this article in particular:

- Trump revealed he authorized an attack on the troll farm - factual (I assume)

- He's made statements before that hinted action had been taken

- He's repeatedly said they should try to be friendly to Russia - true

- He's been criticised for that position by those who view Russia as an enemy - true

- Revealing the attack will likely help appease some of those who called him soft on Russia

- Russia now know with certainty it was the US

- Russia can analyse the attack to know how the US conducts attacks (because it now knows the US was behind it)

- It contradicts his previous claims that the win was solely due to him being great

Unless you're opposed to the idea that he's said the US should be more friendly towards Russia, or the idea that a troll farm being active (and sufficiently so to warrant counter-attack), it doesn't seem like there's any overt negativity/bias here

Re: I don't get it £840k a year for something you could do over LTE

No, I can see why you'd jump to RFID but it wasn't that - the tags used were active rather than passive. They need to be because the lorry is only driving vaguely in the vicinity of the receptor, it's not like it's passing through a gate housing it or similar (plus RFID doesn't work so well when the tags are inside a big metal container, but the antenna isn't)

Still, the tags were very cheap in the scheme of things, yes.

Re: I don't get it £840k a year for something you could do over LTE

Having used it, I'll tell you one thing for sure - if you want to try and use it for an electronic border, you really are on a hiding to nothing

I said we used it, not that it necessarily worked particularly well/reliably. I certainly wouldn't trust it to enforce border policy.

In a goods receiving context it's not too bad, because if something hasn't checked in you can get someone to go into the warehouse and physically check if there's an extra 1 in stock.

You can't do that with a border because it's going to end up god knows where, and the smugglers aren't going to put tags on in the first place (or will tag, but will declare it's something else).

Boris' electronic border suggestion is and was, complete bollocks, sorry. It only works where good faith is involved, and that's never the case at a border.

Re: I don't get it £840k a year for something you could do over LTE

In the MoD we used to use something similar to this solution for tracking aircraft spares.

The lorry would drive past one of the antenna, and everything in the container would check itself in as arrived (at least that was the theory, sometimes the kit would be turned off, or a few bits wouldn't check in). Large/expensive items got a dedicated tag, smaller stuff may be put together into a container with it's own tag.

Using a LTE based solution for that just wouldn't scale financially. Whilst it's peanuts compared to the cost of a main rotor head, you don't really gain anything for the extra outlay, but get a "tag" that's bulkier and much more prone to damage.

This was a good few years ago though

Re: Liability

> Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system".

The difference is their perception of it, and the level of motivation each act gives for them to pursue it.

If you block the page and their site stops loading, they'll be a little embarrassed.

If they've had customers contact them complaining of high cpu/battery usage and they discover it's because you inserted a crypto-miner, then it may be they want your scalp to show their customers.

Sure, they could launch a case claiming you impeded their site by blocking the script, but they'd likely realise that they come off looking bad, plus they'd recognise you can robustly defend a decision not to serve something.

Someone mentioning "computer misuse act" and pointing out you've used their user's CPUs "with one of those scripts crooks use"? Joe average is going to be shocked if it comes out they let it pass.

> It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.

For avoidance of doubt, the correct solution to that feeling of rock-and-hard place is never to go for the path of most-harm, particularly if your only defence is "it's my file, I can edit whatever I want into it"

Re: Liability

> So the only way they would have a legal claim is if I agreed to host it for them.... So the only way they would have a legal claim is if I agreed to host it for them.

You seem far more focused on right and wrong than on reality.

What you mean here, is *in your opinion* the only way they could win, is if you agreed to host it. Anyone can make a claim about *anything*, and it'll cost you to defend it if there's any possibility of it being found against you.

If you host a file called "jquery.js", notice Barclays are hotlinking and deliberately change it to include a crypto-miner, then you're very likely to going to end up paying to defend an action. It doesn't really matter if you would have won it if you go bust before you reach that point, does it?

> I can argue that they were violating my terms of service by linking to the file,

You can, but it's going to cost you money, time and stress to do so.

> If they hotlinked to a file and I changed it to indicate they used without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done

The other side would argue that those are not the same thing. In fact, they'd argue that instead of introducing a miner, you could (and should) have blocked access, or even put a harmless change in to note it was being used without permission (as well as could have contacted them etc). Instead, you went for the path of most harm - and they'll claim that that was a wilful act and why you should have to make reparation.

> I have the same rights to do what I have done and they have no basis to win the case.

The very fact you've written "and they have not basis to win the case" strongly suggests you don't know how court cases *actually* proceed.

You won't find a lawyer who'll tell you a case is a dead-cert - they'll tell you that you potentially have a strong case (or the claims *seem* without basis), but that *anything* can happen once you reach court, and it's impossible to predict outcomes. In fact, a good lawyer will probably advise you to try and settle the case.

And all of this, is stuff that could be avoided by just not being a clever dick, and blocking access rather than willfully trying to screw up their users. There are an awful lot of things that you're allowed to do, that change with context and intent and suddenly aren't permitted.

Re: Liability

> For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem

I think you'd potentially have issues if you joined the two of these too.

Lets say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt.

Particularly, as it's not really about who's in the legal right - defending a case could still break you financially, and well before you actually get to the point of vindicating yourself (if in fact, you managed).

Particularly if the "victim" is someone large/with resources - if they perceive you've exploited their mistake to harm their customers, they may feel the need to "make an example".

If you notice hot-linking, your best bet is just to block it, and not to start screwing around with what you're serving up.

Re: Honey pot

> What I find interesting is that a service like this or, say tor, are like putting your name on a list when you sign up for them.

You don't sign up to use Tor, you just use it (and if you're worried about ISPs noticing you're using Tor, can use things like meek and snowflake to obfuscate).

It doesn't overly detract from your point, just if you have stumbled across some "sign up to Tor" site, it's all but certainly a scam site.

> Plain sight platforms plus your own encryption and you are more likely to be lost in the noise.

The problem with that, for many users, is the feasibility of doing so and (more importantly) the difficulty involved in securely exchanging keys. Even something (relatively) simple like installing OTR is too much for some, and a significant proportion of those that do probably don't verify keys properly.

Encrypted platforms abstract and automate that away from the user.

Even now, I'm sure the attention still mainly comes the other way round - you become "of interest" and they try and look at your comms, rather than you use an encrypted service and become of interest. There'll be exceptions of course

Re: They are doing this now?

Why would they do this earlier?

They hadn't started any public cases against him until much more recently, because he was hiding in his cupboard.

They may very well have been sat on this evidence for quite some time, partly due to there not being an appropriate venue to air it in, but also because of the "theatrics" that make up the US justice system.

Remember that they tend to like to sit on evidence, wait until you make a defense and *then* disclose the evidence that shows you're lying. That way they can discredit you, which may come in useful in other aspects of your trial when they refer back to it "so we're just to take the word of a liar?"

I don't see where I said it was more accurate than anyone elses, you seem to have inferred that for itself.

What I said was that it's able to cope with facemasks.

In fact, the only time I implied theirs was better than others was when I pointed out that it's quite possible that our lot underpaid and bought an inferior product. That's not nearly the same thing as China being at the height of technology.

> They just have better propaganda promoting its use. It's a bit like the lie detector, which "works" only because the subect being tested believes that it works.

Possibly. Although the number of people being picked up despite wearing masks would tend to disagree with it being purely propanda. Of course, it may be that it wasn't FR which led to those arrests, and it's instead used as cover for an on-the-ground network.

I tend to think the false positive rate *will* increase with mask usage, but probably not so much so it can't be addressed with a bit of extra manpower put into checking the matches

> COVID19 and the wearing of face masks have made the police use of facial recognition pretty useless anyway.

*If* that's the case, then it's only because the police have bought a less advanced product.

China's FR has been able to cope happily with face masks for a very long time now, it's certainly possible to do.

Aside from some very clever t-shirt printing - https://www.wired.co.uk/article/facial-recognition-t-shirt-block - the only way to really avoid it is to completely cover your head (and then you'll stand out if you're the only one doing it, and other techniques like gait analysis would probably be rolled out if it became widespread)

On the other hand, the accuracy rate the police achieved with theirs probably tells you quite a lot about the quality of the product they're using, so it may well flag false positives based on what colour of mask you're wearing...