* Posts by Aidan Thornton

22 publicly visible posts • joined 24 Oct 2007

Apple arms web browser privacy torpedo, points it directly at Google's advertising model

Aidan Thornton
FAIL

Provides neither trustworthy attribution stats nor reliable privacy

Advertisers would have to be born yesterday to rely on any data from this Apple scheme. It relies entirely on trusting anything that contacts their website and claims an attribution to be honest when it says that it's a copy of Safari that's seen a conversion from ad campaign X on website Y. If the privacy protections work as intended there's no way for them to verify this by tying the reports to actual orders or visits. Any ad scammer could just set up bots pretending to be copies of Safari reporting successful conversions from ad campaigns on their fake sites and the advertisers would have no way of distinguishing them from the real thing.

Worse still, I don't think it will reliably give the level of privacy claimed, because in many cases advertisers will be able to use other information such as IP addresses to match customer information with ad attributions anyway. This won't stop fraudsters since they can target scenarios where this doesn't work. It feels like this would fail to protect actual users' privacy whilst simultaneously protecting scammers faking advertising views and conversions.

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019

Aidan Thornton

Maybe. The last time this happened, apparently some devices got very confused about their ephemeris calculations when the week counter rolled over and started looking for satellites that weren't in view while ignoring the ones that were, meaning that they lost GPS lock completely. There's also some complication with the individual satellites having counters that roll over at a very slightly different time from the main GPS week counter. Devices doing a clean start after the rollover completes should be able to navigate but with a wrong date.

Also, all modern devices are meant to be able to handle the week rollover properly so long as it's less than 1024 weeks after the firmware was built. So it's mostly a question of what interesting bugs they have in their handling of it.
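The "works for 1024 weeks after the firmware was built" rule in the comment above is the usual pivot-date fix. The following C program is an added example, not code from the original comment or from any receiver vendor: it decodes a 10-bit GPS week number two ways, the naive way (assume the 1024-week epoch that was current when the firmware was built) and the pivot way (pick the one full week number that lies in the 1024 weeks starting at the build date). The build date of 2015-01-01 and the observed counter values are constructed inputs; the date arithmetic uses Howard Hinnant's days-from-civil algorithms so the program needs no libc time-zone handling.

```c
#include <stdio.h>
#include <stdbool.h>

/* Days since 1970-01-01 <-> civil date (Howard Hinnant's algorithms). */
static long days_from_civil(int y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long)doe - 719468;
}

static void civil_from_days(long z, int *y, unsigned *m, unsigned *d)
{
    z += 719468;
    long era = (z >= 0 ? z : z - 146096) / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    *d = doy - (153 * mp + 2) / 5 + 1;
    *m = mp < 10 ? mp + 3 : mp - 9;
    *y = (int)(yoe + era * 400 + (*m <= 2));
}

#define GPS_WEEK_BITS 10
#define GPS_WEEK_MODULUS (1L << GPS_WEEK_BITS)   /* 1024 weeks */

/* GPS epoch: 1980-01-06, the start of week 0. */
static long gps_epoch_days(void) { return days_from_civil(1980, 1, 6); }

/* Full weeks elapsed since the GPS epoch on a given civil date. */
static long gps_weeks_at(int y, unsigned m, unsigned d)
{
    return (days_from_civil(y, m, d) - gps_epoch_days()) / 7;
}

/* Naive decode: assume the 1024-week epoch in force when the firmware was
 * built. Once the broadcast counter wraps, dates jump back 1024 weeks. */
long naive_gps_date_days(unsigned week10, int by, unsigned bm, unsigned bd)
{
    long build_week = gps_weeks_at(by, bm, bd);
    long epoch_base = (build_week / GPS_WEEK_MODULUS) * GPS_WEEK_MODULUS;
    return gps_epoch_days() + (epoch_base + (week10 % GPS_WEEK_MODULUS)) * 7;
}

/* Pivot decode: choose the unique full week number w with
 *   build_week <= w < build_week + 1024  and  w % 1024 == week10.
 * Correct for exactly 1024 weeks after the firmware build date. */
long pivot_gps_date_days(unsigned week10, int by, unsigned bm, unsigned bd)
{
    long build_week = gps_weeks_at(by, bm, bd);
    long w = (build_week / GPS_WEEK_MODULUS) * GPS_WEEK_MODULUS
           + (week10 % GPS_WEEK_MODULUS);
    if (w < build_week)
        w += GPS_WEEK_MODULUS;
    return gps_epoch_days() + w * 7;
}

static void print_date(const char *label, long days)
{
    int y; unsigned m, d;
    civil_from_days(days, &y, &m, &d);
    printf("%-7s %04d-%02u-%02u\n", label, y, m, d);
}

int main(void)
{
    /* Constructed input: a receiver built 2015-01-01 sees week counter 0,
     * i.e. the first week after the April 2019 rollover. */
    print_date("naive:", naive_gps_date_days(0, 2015, 1, 1));   /* 1999-08-22 */
    print_date("pivot:", pivot_gps_date_days(0, 2015, 1, 1));   /* 2019-04-07 */
    print_date("pivot:", pivot_gps_date_days(1000, 2015, 1, 1)); /* 2018-10-21 */
    return 0;
}
```

The pivot decode is only as good as its build date: a receiver whose firmware was built in 2015 will decode correctly until 1024 weeks after that build, then misplace dates by 19.6 years exactly as the naive version does today.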

Hacker breaks into ThrustVPS, launches phishing attack from firm's own servers

Aidan Thornton
FAIL

I think you're giving ThrustVPS rather too much credit for owning up to this. A number of past customers - including myself - got phishing e-mails demanding our credit card details and PayPal passwords that didn't just look like official e-mails from ThrustVPS but were actually sent from the same ThrustVPS e-mail server as their genuine e-mails. All the headers were literally identical to the genuine article. They could hardly not own up because this information was all over the relevant forums by the time they did and it was obvious they were thoroughly compromised (or scammers themselves).

AV-Test boss dismisses Microsoft criticism of malware test results

Aidan Thornton
Facepalm

So this is why Avast sucks so much now!

Aha! A while ago the Avast developers added a really obnoxious heuristic that blocked any application which was obscure or new from running. This explains it - if you block 100% of new and obscure code, you're guaranteed to block nearly all exotic or zero-day malware. Of course, you also get a really obnoxious amount of false positives which will cause most users to just automatically allow everything or even turn off the feature altogether - so it's completely useless as an actual security feature - but AV-Test don't care about that.

Bitcoin collapses on malicious trade

Aidan Thornton
Flame

Do not rely on the official bitcoin forums!

Despite what the article suggests, you shouldn't look at the official forums if you want to know how bitcoin users feel about this. The moderators have been quietly systematically deleting threads that are negative about Bitcoin or make "alarmist" statements such as arguing Mt Gox shouldn't be trusted. Oddly enough, threads saying that users should continue to trust Mt Gox despite CSRF vulnerabilities, a hacker-induced market crash, and their entire user database getting leaked just days after the site owner claimed it was impossible have remained. (So have ones saying that only trolls would argue there's anything wrong with Mt Gox, for that matter.)

I think this policy was introduced in the last price crash to keep up confidence.

Amiga on the block (again)

Aidan Thornton

Beneath a Steel Sky is freeware now.

Actually, the developers of Beneath a Steel Sky released it as freeware several years ago in exchange for ScummVM adding support for their more commercially-viable games. (This allowed them to actually sell their other games on Windows without putting in much effort themselves, so it worked out quite well.) You can download it entirely legally from the ScummVM website, no registration required.

New attack bypasses virtually all AV protection

Aidan Thornton
Linux

This is a solved problem on Linux

If someone were to try and develop security software for Linux that has this flaw, the community would give them a good talking-to as soon as they noticed. This particular issue and the solutions to it are well known in the Linux community, and the kernel security frameworks are all designed not to be vulnerable.

Aidan Thornton
Stop

I would.

I would be - the Linux developers generally know better these days and make sure to copy parameters to kernel memory exactly once before checking them. They've also put a fair bit of effort into discouraging anyone else from hooking the system call table in this dubious fashion.
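The "copy parameters to kernel memory exactly once before checking them" point in these two comments is the whole fix for the argument-switch race the article describes. The C program below is an added example, not code from the comments or from any real kernel or security product: it simulates a hooked syscall whose argument block lives in user memory, with a racing user thread that swaps the arguments between the hook's check and the real syscall's use. The first version fetches the arguments twice (once in the hook, once in the kernel proper) and loses the race; the second fetches once and checks the same copy it uses. The deterministic "first fetch benign, later fetches malicious" simulation, the file names and the policy are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simulated syscall argument block living in user memory. */
typedef struct {
    char path[64];
} open_args_t;

/* Simulated racing attacker thread: the first fetch of the user buffer
 * returns the benign contents, every later fetch returns the swapped-in
 * malicious contents. A real attacker wins this race only some of the time. */
typedef struct {
    open_args_t benign;
    open_args_t malicious;
    int fetches;
} racy_user_mem_t;

static void copy_from_user_sim(racy_user_mem_t *mem, open_args_t *dst)
{
    if (mem->fetches++ == 0)
        *dst = mem->benign;
    else
        *dst = mem->malicious;
}

/* The security product's policy: deny opens of /etc/shadow. */
static bool policy_allows(const open_args_t *a)
{
    return strcmp(a->path, "/etc/shadow") != 0;
}

/* Vulnerable pattern: a syscall-table hook validates its own copy of the
 * arguments, then calls through to the real syscall, which fetches the
 * arguments from user memory a second time. */
bool open_with_hook_double_fetch(racy_user_mem_t *mem, char *opened, size_t n)
{
    open_args_t checked;
    copy_from_user_sim(mem, &checked);        /* fetch 1: what the hook sees */
    if (!policy_allows(&checked))
        return false;

    open_args_t used;
    copy_from_user_sim(mem, &used);           /* fetch 2: what the kernel uses */
    snprintf(opened, n, "%s", used.path);
    return true;
}

/* Copy-once pattern: fetch the arguments into kernel memory exactly once,
 * then check and use that same copy. The attacker can still swap the
 * buffer before the fetch, but then the check sees the malicious value. */
bool open_copy_once(racy_user_mem_t *mem, char *opened, size_t n)
{
    open_args_t args;
    copy_from_user_sim(mem, &args);
    if (!policy_allows(&args))
        return false;
    snprintf(opened, n, "%s", args.path);
    return true;
}

/* Constructed scenario: user space presents /tmp/harmless to the check and
 * swaps in /etc/shadow before the real syscall runs. */
static racy_user_mem_t make_race(void)
{
    racy_user_mem_t mem = {0};
    snprintf(mem.benign.path, sizeof mem.benign.path, "/tmp/harmless");
    snprintf(mem.malicious.path, sizeof mem.malicious.path, "/etc/shadow");
    return mem;
}

/* True when the protected file was actually opened despite the policy. */
bool attack_beats_double_fetch(void)
{
    racy_user_mem_t mem = make_race();
    char opened[64] = "";
    return open_with_hook_double_fetch(&mem, opened, sizeof opened)
        && strcmp(opened, "/etc/shadow") == 0;
}

bool attack_beats_copy_once(void)
{
    racy_user_mem_t mem = make_race();
    char opened[64] = "";
    return open_copy_once(&mem, opened, sizeof opened)
        && strcmp(opened, "/etc/shadow") == 0;
}

int main(void)
{
    printf("double-fetch hook opened /etc/shadow: %s\n",
           attack_beats_double_fetch() ? "yes" : "no");
    printf("copy-once syscall opened /etc/shadow: %s\n",
           attack_beats_copy_once() ? "yes" : "no");
    return 0;
}
```

The point of the simulation is where the check happens relative to the copy, not the race timing: any design in which an out-of-tree hook checks user memory and the kernel later reads it again has the same window, however small.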

Channel 4 to become Channel 3D tonight

Aidan Thornton
Boffin

Stu: woods are easy

Figures that a still of a wood would work well. Woods ought to be easy. They don't require full 3-primary colour to look right, you can do it with just 2. Early colour films made use of this fact.

IE, Chrome, Safari duped by bogus PayPal SSL cert

Aidan Thornton
Boffin

Yes, it's a CryptoAPI problem - but Firefox doesn't use it.

"Firefox has fixed the problem, without MS doing anything, ergo this isn't an OS problem, or a cryptoAPI problem, it's a browser problem."

No, it's an OS problem with the CryptoAPI. As far as I know, Firefox still uses its own cryptographic libraries rather than the OS-provided ones, so they can fix the bug themselves. (Remember that Firefox is (a) based on Netscape, which predates widespread OS support for crypto, and (b) designed to be portable across different operating systems.) The other browsers, however, do use Microsoft's CryptoAPI and that's where the vulnerability has to be fixed.
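The comment above argues about where the fix belongs rather than what the bug is. The bogus PayPal certificate of that period put a NUL byte inside the certificate's Common Name, so any validator that turned the DER string into a C string compared only the part before the NUL. The C program below is an added example, not code from the comment, from Microsoft's CryptoAPI or from Firefox's crypto library: it parses a single DER string TLV and matches it against a hostname the buggy way (C string, truncated at the first NUL) and the correct way (DER-declared length). The two Common Names are constructed test data, and attacker.example is a placeholder domain.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pull the contents of a single DER string TLV (PrintableString 0x13 or
 * UTF8String 0x0c) with a short-form length. DER strings carry an explicit
 * length, so a NUL byte inside the contents is perfectly legal. */
static bool der_string_contents(const unsigned char *der, size_t n,
                                const unsigned char **out, size_t *out_len)
{
    if (n < 2 || (der[0] != 0x13 && der[0] != 0x0c) || der[1] >= 0x80)
        return false;
    size_t len = der[1];
    if (n < 2 + len)
        return false;
    *out = der + 2;
    *out_len = len;
    return true;
}

/* Buggy matcher: converts the CN to a C string, so everything after an
 * embedded NUL is silently discarded before the comparison. */
bool cn_matches_host_cstring(const unsigned char *der, size_t n, const char *host)
{
    const unsigned char *cn; size_t cn_len;
    char buf[256];
    if (!der_string_contents(der, n, &cn, &cn_len) || cn_len >= sizeof buf)
        return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Fixed matcher: compares using the DER-declared length and refuses any CN
 * containing a NUL, since no real hostname can contain one. */
bool cn_matches_host_length(const unsigned char *der, size_t n, const char *host)
{
    const unsigned char *cn; size_t cn_len;
    if (!der_string_contents(der, n, &cn, &cn_len))
        return false;
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    return cn_len == strlen(host) && memcmp(cn, host, cn_len) == 0;
}

/* Constructed subject CNs (just the CN TLV, not a whole certificate). */
static const unsigned char kGenuineCN[] = {
    0x13, 0x0e, 'w','w','w','.','p','a','y','p','a','l','.','c','o','m'
};
/* CN "www.paypal.com\0.attacker.example": a CA that only validated control
 * of attacker.example could be induced to sign this. */
static const unsigned char kNullPrefixCN[] = {
    0x13, 0x20,
    'w','w','w','.','p','a','y','p','a','l','.','c','o','m', 0x00,
    '.','a','t','t','a','c','k','e','r','.','e','x','a','m','p','l','e'
};

bool cstring_matcher_fooled(void)
{
    return cn_matches_host_cstring(kNullPrefixCN, sizeof kNullPrefixCN, "www.paypal.com");
}

bool length_matcher_fooled(void)
{
    return cn_matches_host_length(kNullPrefixCN, sizeof kNullPrefixCN, "www.paypal.com");
}

bool length_matcher_accepts_genuine(void)
{
    return cn_matches_host_length(kGenuineCN, sizeof kGenuineCN, "www.paypal.com");
}

int main(void)
{
    printf("C-string matcher accepts null-prefix CN:     %s\n", cstring_matcher_fooled() ? "yes" : "no");
    printf("length-aware matcher accepts null-prefix CN: %s\n", length_matcher_fooled() ? "yes" : "no");
    printf("length-aware matcher accepts genuine CN:     %s\n", length_matcher_accepts_genuine() ? "yes" : "no");
    return 0;
}
```

This is why the fix has to live in whichever library does the name comparison: a browser that calls into the OS for certificate validation inherits the OS library's string handling, while one that ships its own validator can patch the comparison itself.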

Microsoft can still sell Word

Aidan Thornton
Stop

Doesn't affect other formats, won't affect other formats, can't affect ODF ever.

Captain Underpants: There are two reasons they sued Microsoft and not anyone else. The first - which someone already mentioned - is that it was Microsoft that partnered with them, stole their idea, and stuck it into Microsoft Office, destroying their business. The second is that their patent doesn't cover what anyone else is doing.

James O'Brien: repeat after me: This is not a patent on XML. This patent does not even mention XML. All the XML-based document formats are entirely unaffected by this patent (even the core bits of OOXML).

Now, Microsoft's recent XML patent is another matter. While that did end up being crippled to the point that it only covers OOXML, they originally wanted something much broader that would've affected lots of people.

Sony explains PS3 Slim's loss of Linux option

Aidan Thornton
Linux

PS3 supercomputers cheap advertising for Sony

"When I first read about labs using PS3s to build underpriced supercomputers, I thought it was cool - but I also thought that, essentially, this meant that Sony was unwillingly subsidizing their work."

Unwillingly subsidising? Every time there's a news article about one of these clusters of PS3s achieving something, it helps promote the PS3 - promotion of a type they couldn't buy. For what they've gotten from it marketing-wise, the cost probably works out quite cheap. Why do you think they put the effort into allowing Linux installation and making it easy for Linux to access the Cell SPUs in the first place?

I have no idea why they're dropping it; possibly management stupidity, but more likely the fact that a lot of the stuff that would use a PS3 cluster seems to be moving to GPUs.

Is Google spending $106.5m to open source a codec?

Aidan Thornton
Unhappy

Doesn't solve the patent issue

Buying up On2 and open-sourcing their stuff doesn't help with the patent issue, though. All On2's patents for VP3/Theora are licensed for free to anyone that wants to use it - the supposed concern is with patents that other companies hold, and moving to VP6 or VP8 increases that risk since they almost certainly not only do most of the patent-infringing stuff from VP3, but also include new shiny ideas.

Jimbo Wales: No one can make money from Wikipedia...

Aidan Thornton
Stop

Why drinking the Kool-Aid?

Yep, the phrase "drinking the Kool-Aid" does come from Jim Jones' cult (the People's Temple). He got his followers to commit mass suicide by drinking a Kool-Aid clone to which poison had been added. (He'd also done at least one dry run before this, in which he pretended it was poisoned, as a loyalty test.) The reason for the phrase should be obvious - it suggests the person is such a dogmatic follower that they'd do something they thought would kill themselves if it was what the other followers were doing.

Buggy 'smart meters' open door to power-grid botnet

Aidan Thornton
Unhappy

@cornz 1: they use mesh networking

The smart meters actually use mesh networking over radio - each meter forwards along data from the other meters. They don't use GSM at all (too expensive). This is probably why there's such a big security issue regarding updates.

AMD pulls forward six-shooter Opteron cannon

Aidan Thornton

TeeCee: the cores will have their own RAM

I'm pretty sure that, even with existing AMD multi-core processors, there's more than one group of cores, each with their own dedicated memory interconnects and RAM. AMD seems to quite like this sort of design. It appears likely that each chip in the Magny-Cours package will have its own set of memory interconnects, just like if it was two 6-core processors.

Radiohead diss freetards

Aidan Thornton
Pirate

The artist pays for recording in the end, anyway

"This is the kind of laughable logic that The Registrar is attacking. Selling it for £1.10 does not mean £1.10 profit and removing a record company from the equation doesn't magically remove production costs. Once we subtract all of them, and subtract personal expenses, you can be sure the bottom line profit enjoyed by the artist is less than £1"

IIRC, from what I've read production costs are generally effectively paid for from the artist's royalties anyway. (Specifically, they're paid from the advance, and the artist's royalties initially go to repaying the advance. I think songwriting-related royalties don't, though.) Record companies work in interesting ways, and record contracts are worth less than they appear to be.

Official: OOXML approved as international standard

Aidan Thornton
Gates Horns

Not even one implementation

There are currently exactly zero implementations of this standard - Office doesn't comply with the modified parts, and I think Microsoft have publicly stated that it never will.

Netflix falls in behind Blu-ray

Aidan Thornton
Stop

Blu-Ray has nastier DRM

"DRM in both Blu-Ray and HD-DVD is damn near identical, and damn near pointless from the point of view of video enthusiasts since it's been broken on both, so the point is rather moot."

Now that's just plain wrong. Blu-Ray has BD+, a VM that allows content providers to include custom decryption code with the ability to read and modify the player's memory. The intention is that it can poke around in the player's internal data structures - which are on file with the BD+ licensing group - in order to check that it's a genuine, unmodified player of the model it claims to be before it decrypts the data. (Can anyone say "hardware compatibility issues"?). A secondary intention is to give them a way of running arbitrary native code, which means that if there is a Blu-Ray version of the Sony rootkit, holding down Shift won't stop it running - in fact, you won't be able to.

As far as I'm aware, Blu-Ray hasn't been broken yet, and in fact it'll probably be damn near impossible to break it outright (as opposed to one title at a time) short of a 100% faithful (and entirely illegal) emulation of a hardware player.

Office update disables MS files

Aidan Thornton
Gates Horns

Hotmail WebDAV access

captainslog: the feature that allowed you to access your Hotmail account from Outlook Express has been disabled for all new Hotmail accounts (and all the old ones that never used it) for years now. The official reason was that it was being used for spam. Unofficially, I think it was because it was a bit too open for Microsoft's liking; it was based on WebDAV and some third parties managed to figure out how to add support to their own mail clients and websites.

(Some of the M$ developers had an odd liking for WebDAV at one point; IIRC, there's an e-mail from Bill out there somewhere complaining about it. Apparently, they should've been using some proprietary solution of their own devising.)

Secret mailing list rocks Wikipedia

Aidan Thornton
Unhappy

Very nearly official policy

Shortly before Durova banned !!, there was an attempt to make it official policy that users could be banned forever as sockpuppets for suspicious activities like knowing too much about Wikipedia workings for the amount of time spent on the site, making too many edits, that sort of thing - basically, for being suspiciously good editors. I think it was devised by Durova, and it was supported by admins well-known to WR readers like SlimVirgin.

Fortunately, it got shot down. Unfortunately, I think it's been effectively unofficial policy for a while now.

Nasty PDF exploit runs wild

Aidan Thornton

PDFs are not non-executable

Unfortunately, these days PDFs aren't exactly non-executable. Adobe decided to add JavaScript scripting a while ago and didn't think the security model through too well...