* Posts by Kanhef

511 posts • joined 3 Nov 2007

Page:

URL LOL: Delta splats web flight boarding pass snoop bug

Kanhef

Some airlines (such as SouthWest, IIRC) don't assign specific seats in advance, and flight overbooking is routine, so seat conflicts aren't necessarily a problem. You'd still have to deal with getting an ID to match, though.

2
0

Kaspersky exposes SONY-CRIPPLING malware DETAILS

Kanhef

"Tight deadline"?

More likely they deployed as soon as their software was ready.

0
0

Microsoft forks .NET and WHOMP! Here comes .NET Core app dev stack

Kanhef

Security disaster in the making

As Steve Davies mentioned, there will be security vulnerabilities found in the .NET libraries; it's a question of when, not if. The real problem is what to do about them, now that the libraries are bundled with apps.

On the one hand, they could let developers release new versions of their apps every time the libraries are updated. Realistically, most of them won't bother, which creates a large attack vector. I'm sure VXers will find a way to take advantage of it, such as convincing users to install vulnerable apps which can be exploited. (E.g., "you need XX video player to watch this clip of [celebrity]".) Will antivirus programs have to start flagging anything with outdated libraries as potentially harmful? This way lies madness.

The alternative is to push security patches through Windows Update. Except this is supposed to be cross-platform, so you don't necessarily have Windows Update. Maybe solvable with an updater service, but now that also has to be bundled with apps as well, and could lead to issues with multiple instances and version incompatibility if you install several .NET apps. Even with that solved, pushing updates could break signed apps.

Anyone have better ideas on how to not have this turn into a nightmare?

3
0

Twitter App Graph exposes smartphone spyware feature

Kanhef

The real question is

Why would any app need a list of all other (running) apps? Gathering that information and sending it off for 'analysis' definitely counts as spyware. If app functionality depends on the presence of certain other apps, the OS should provide a means to query whether those specific apps are installed, rather than revealing all of them.

6
0

SHOW ME the MONEY: Payment code spied in Facebook Messenger

Kanhef

Re: How to use the Facebook Messenger app

I can understand the need for some of the permissions, such as access to the camera and storage so you can post photos. But I'd love to see their explanation for why it needs to be able to modify contact information, read text messages, change network connections, or modify battery information.

5
0

Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9

Kanhef

Re: Time for Linux

Unless Windows 9 (or whatever it's called) goes back to a familiar user interface, I think this will be an increasingly tempting option for enterprises. If they're going to have to retrain users anyway, why pay an arm and a leg for Windows + Office licenses, plus the inevitably required hardware upgrades? In most cases it would be cheaper to hire an on-site migration assistant from a distro provider than to stay with Microsoft.

10
1

Slapdash SSL code puts tons of top Android Play Store apps in hack peril

Kanhef

Interesting statistics

Trust management problems in 73 percent of the top 1000 apps, but only 36% of the next 9,000 most popular apps. Webkit issues in 77% of the top 1000, but just 6% of the next 9,000. Why are the most-downloaded apps so much more prone to security problems than ones that aren't quite as popular?

0
0

Whoah! How many Google Play apps want to read your texts?

Kanhef

Re: Android permissions cannot revoked after installation?

Apparently you missed the bit about Google removing access to App Ops late last year; as of 4.4.2, you can't use it without rooting the device, and it's possible they'll remove it entirely in future versions.

1
0
Kanhef

Amazon and Ebay aren't actually that unreasonable – they're probably trying to look up your postal/zip code so they can automatically calculate shipping costs. Still, it would be nice to have the option to turn that off, in case you're shopping while not at the location you want things delivered to.

2
4

Watch: DARPA shows off first successful test of STEERABLE bullet

Kanhef

Re: Non-coms ?

There are multiple grammatically-valid ways of parsing that statement, but I believe he meant "limit (i.e., reduce) [the number of] casualties to non-coms".

0
0

Use Tor or 'extremist' Tails Linux? Congrats, you're on an NSA list

Kanhef

Re: they're a spy agency

I'm not trying to defend the NSA here, but as far as targets go, this one isn't unreasonable. People who are looking into ways to hide their online communication are more likely than the average netizen to be doing something of interest. They might be terrorists or other spies, they might be Chinese pro-democracy activists or Iranian counter-revolutionaries; in any case, the NSA wants to know what they're up to. Of course, there are also plenty of people doing nothing of interest who happen to be conspiracy theorists or just don't like being spied upon, but I don't know of an easy way to tell the difference short of spying on them more.

I don't like the overbroad dragnet espionage, but at least there were some attempts to focus on valid targets. If it had emerged that they were scrutinizing visitors to dailykitten.com, that would raise serious questions about their competence.

2
27
Kanhef

'll' isn't actually its own command; it's usually implemented as an alias (to 'ls -la' or similar) in your .fooshrc file. What exactly it does, and if it's present by default at all, depends on your distro.

1
0

VC who wants to split California REVEALED as Silk Road Bitcoin slurper

Kanhef

Re: Very puzzling and disturbing.

That would only happen if it were claimed that Paypal is inherently a criminal enterprise, not just that the CEO has committed a crime. Pretty much everything being sold on Silk Road was illegal, which is what justified shutting it down and seizing its assets. Even if the CEO was using Paypal for money laundering or such, most traffic on that site is legitimate, so they'd only seize the related accounts, not everything.

2
0

Mystery bidder plunders the whole haul in Silk Road Bitcoin auction

Kanhef

Re: A Speculative Fiction

Wouldn't have been Icahn – he only cares about short-term profiteering. Bidding high enough to win all of the blocks of coins means they probably paid above market value, so this is probably someone who expects their value to continue growing long-term.

3
0

Facebook 'manipulated' 700k users' feelings in SECRET EXPERIMENT

Kanhef

Re: "our goal was never to upset anyone"

It could have been done reasonably well. Throw up a notification asking if people are willing to be part of an experiment on social behavior, which may alter their experience of Facebook for the next week. Explain that providing any more details about the experiment would alter people's behavior and invalidate the results, but provide more information about the study and which group people were in after it's over. Not complete information, but enough for reasonably informed consent, and far better than how they provided no information and obtained no consent.

10
0

iFind: Critics slam Kickstarter campaign for miraculous battery-free phone finder

Kanhef

Very, very fishy

Claiming that there's no battery, but it "stores the energy in a uniquely designed power bank." Sounds a lot like a battery to me. Somehow it's able to contain all the circuitry, the power-harvesting antennas, the Bluetooth antenna, the not-a-battery™, the accelerometer, and possibly other components. It can somehow tell the difference between being shaken intentionally by a person and being shaken incidentally when attached to a dog's collar. They're able to connect a wired diagnostic interface to it, but it's sealed and waterproof.

Supposedly they have working prototypes, but there's no clear demonstration or explanation of how they are used. My guess is that it would use some sort of roundtrip timing signal, which would only give a distance to the tag, and no information on direction. If the phone can track its own location accurately enough, I suppose it could do some sort of automatic triangulation. However, AFAIK, GPS isn't accurate to less than about ten feet at best, which is too fuzzy to use for finding something within a house only a few tens of feet wide.

0
0

DOCX disaster recovery: How I rescued my wife from XM-HELL

Kanhef

Re: Something very wrong here.

It doesn't seem like this would be particularly hard to do; you could probably borrow a lot of the code from web browsers, which already do a fairly good job of handling malformatted HTML. There are three main types of XML error that I can see:

Orphaned tags with no matching closing or opening tag, which is what Trevor's problem seems to have been. Easy enough to delete or escape as text.

Transposed tags, such as < a ...>< p >< /a >...< /p >. This would take a bit more work to detect, but the fix is obvious.

Broken tags, particularly missing right angle brackets. Escape the left bracket and recheck the document, as this will probably create an orphaned closing tag.

1
0

TrueCrypt turmoil latest: Bruce Schneier reveals what he'll use instead

Kanhef

Re: Whoa there

And furthermore, how secure are the built-in encryption schemes? Both Microsoft and Apple are subject to pressure from the NSA, and there's no way to independently audit their proprietary code.

32
0

Philips lobs patent sueball at Nintendo in US: Seeks to BAN Wii U

Kanhef

Re: Crazytown...

Sounds like the Nintendo Zapper, which also used a camera-based method of determining where it was pointed, and by far predates the patent filing.

4
0

TrueCrypt audit: Probe's nearly all the way in ... no backdoor hit yet

Kanhef

Re: 8. MainThreadProc() integer overflow

Integer overflow is very different from buffer overflow (and to be pedantic, heartbleed is a buffer overread issue). It can cause mathematical issues (e.g., for a signed byte, 100 + 100 = -56), but it's not easy to turn that into a security flaw.

1
0

FTC gets judicial thumbs-up to SUE firms over data breaches

Kanhef

Re: ?

Using a cloud service isn't an excuse for this. Would you be comfortable putting sensitive data on a server in Beijing? If you don't even know where your data is, you have no idea how well it's secured – and it might as well not be.

3
0

Apple says iOS, OS X is immune to Heartbleed SSL bug

Kanhef
Boffin

Re: Server-side vuln...

NASA uses older chips because they have larger wire traces and other components, which are less vulnerable to interference from high-energy particles. Outside the earth's magnetosphere, solar and cosmic radiation are major problems.

2
0

Dropbox nukes bloke's file share in DMCA brouhaha – then admits it made a 'HASH OF IT'

Kanhef

Hope they're using a good hash

and not one prone to collisions. If they're using something weak like md5, there's a potential denial-of-service attack here: identify a (legitimate) file you want removed, upload a copyrighted image or video carefully padded to have the same hash, issue DMCA notice, and they'll block access to both files.

19
0

Icahn and I will: Carl's war on eBay goes NUCLEAR over Skype

Kanhef

He's as bad as a patent troll

Trying to make more money for himself while contributing absolutely nothing to the economy.

6
0

Security researchers uncover three-year-old 'RUSSIAN SPYware'

Kanhef

Re: Only on Windows...

Maybe not quite as well, but you can hide *nix malware fairly well using similar techniques. Keep most of the payload, scratch files, etc. in an encrypted virtual file system; to anyone else it looks like a regular binary file. The only exposed part would just open the VFS and load the rest of the code; give this a name confusingly similar to a known daemon, and it could easily be overlooked. It may not be as easy as it is on Windows, but don't say it can't be done.

2
0

MtGox boss vows to keep going despite $429 MILLION Bitcoin 'theft'

Kanhef

Re: I'm no Frontiersman

Good analogy; much like the California Gold Rush, the people who really make a profit aren't the miners themselves, but the people selling equipment to them. In this case, it's the companies making Bitcoin mining machines. Low-end models cost $2000 or so, top of the line ones are $10,000 to $20,000. Due to the rapid pace of development, they quickly become outdated and too slow to be competitive, so people need to keep buying new ones.

3
0

California takes a shot at mobile 'killswitch' mandate

Kanhef

Good intention, but not a good idea

The problem with a remote killswitch is that it can easily become a nasty denial-of-service attack target. It might be possible to implement it properly, but knowing the state of the industry, it probably wouldn't.

5
0

Sony denies Vaio-to-Lenovo rumour

Kanhef

Full of weasels

Obviously written by a lawyer: by saying the press report as a whole is inaccurate, they have carefully avoided having to either confirm or deny any of the specifics. They may or may not be having discussions with Lenovo about something. They might be considering a business alliance with a different company. They might be planning to sell the Vaio unit entirely. I suspect they are up to something, but they don't want anyone to know yet.

2
0

Almost everyone read the Verizon v FCC net neutrality verdict WRONG

Kanhef

Re: Nice straw man

Degradation doesn't even have to be that obvious. If an ISP delayed every packet to or from Netflix by 1 ms, no one would be able to tell the difference. Add another millisecond of delay every week, and see how it takes for anyone to notice. Netflix videos would still work without any obvious glitches, but they'd be a bit slower and take longer to buffer than the ISP's service. If only streaming data is throttled, and not ICMP traffic (such as pings and traceroutes), it would be almost impossible to prove that anything unusual is happening.

2
0

Cheap 3D printer works with steel

Kanhef

Re: Now this is more like it.

This is essentially an off-the-shelf MIG welder with the gun attached to a 3D-printer style mount. Not a complicated idea, though getting it to work reliably is the tricky part. It's fed with standard spools of welding wire and inert gas; there's no way to throw random scrap metal into it, and you wouldn't want to anyway – the resulting objects would be little better than scrap themselves.

Depending on the wire alloy and shielding gas used, the printed parts could be reasonably strong. It'll never be as good as forged steel, but still more than adequate for most low- and medium-strain applications.

5
0

Boffins spot LONE PLANET roaming interstellar void

Kanhef
Boffin

"Orbiting nothing"?

That would be quite fascinating, but I think you mean 'not orbiting anything'. As for "six times the size of Jupiter", is that referring to diameter or mass?

0
0

Microsoft reissues September patches after user complaints

Kanhef

"...between management and the software testing teams"

What software testing teams?

2
0

It's about time: Java update includes tool for blocking drive-by exploits

Kanhef

Re: About damm time

Your analogy was unclear at best. By the same logic, shouldn't Flash, Silverlight, Python, and every other interpreted language be turned into an ISO standard as well?

3
1

Redmond's certification chief explains death of MCM and MCA

Kanhef
FAIL

Could have been handled so much better

Microsoft could have gone to their community and said "Here are the problems with the current Masters certifications. Help us create a new set of certifications that will be more up-to-date and more accessible to people around the world." Once the replacements are more-or-less ready, they could have announced that the Masters certs were being phased out and replaced with Xyzzy certs. No outrage, users feel Microsoft cares about and listens to them, everyone's happy about better and cheaper certs.

Instead, they started by canceling the Masters certs with little explanation and no replacement ready, and now are scrambling to do damage control and try to rebuild bridges. From the phrasing of the announcement, I doubt they had any plans for a replacement certification before seeing what a negative response it got.

4
0

US federal judge: Yes, Bitcoin IS MONEY

Kanhef

Re: Just curious

Bitcoin.org repeatedly refers to it as a currency, as do Wikipedia and the Bitcoin wiki (bitcoin.it). It was invented as a currency, marketed as one, and used as one, so I doubt anyone will seriously entertain claims that it's actually a commodity instead.

1
0

British boffin muzzled after cracking car codes

Kanhef

A bit of a difference

Garcia's work is about gaining access to a vehicle you otherwise can't get into, which usually means breaking into someone else's car. Miller and Valasek's work requires that you are already able to get into and start the vehicle; their paper doesn't tell you how to steal a car by itself, but Garcia's potentially does. That is why they're being treated differently, not the U.S. vs. U.K. legal jurisdiction.

2
2

Bugs in beta weather model used to trash climate science

Kanhef
Boffin

Some people

will use any excuse to bury their heads in the sand.

Nothing here is at all new, or surprising, or in any way invalidates climate science. It's well-known that weather modeling is chaotic; small changes to input data result in disproportionately large variations in output. In this case, the output isn't all that different; there's a discrepancy between the test machines, but the overall result of the simulations are similar.

It's also well-known that floating-point calculations can produce different results on different processors. Chips are often designed to perform these calculations with more bits of precision than the output register can hold in order to produce a more accurate result. This is normally a good thing, but can be a problem when exact reproduceablitity between platforms is needed. Programmers have been dealing with this for many years; for example, back in 2000, Java added the StrictMath functions, which have consistent (but slower) results across all platforms.

4
2

Windows kernel bug-squish, IE update star in July Patch Tuesday

Kanhef

180 days to fix security flaws?

Disappointing; I'd rather see apps removed after 30 days – or less, depending on how severe or actively exploited the vulnerability is.

Of course, then people would expect Microsoft to follow their own standard...

5
0

Wikimedia edges closer to banishing Wikitext

Kanhef

Hardly banished

Just because your editor doesn't show the markup code doesn't mean it no longer exists.

0
0

Signatures no good at protecting databases, says Juniper

Kanhef

Another technique

Once attackers have been identified, redirect all traffic from them to a second server, full of good-looking but fake data. The intention is to make them waste time attacking the fake server, and even let them think they've succeeded, while preventing them from accessing the real database.

0
0

COLD FUSION is BACK with 'anomalous heat' claim

Kanhef

Re: The big problem is:

For nuclear reactions, it doesn't matter what chemical compound the atoms involved are part of. Having pure elements makes controlling the reaction easier (so you aren't also turning oxygen into fluorine, for example), but isn't necessary.

1
0
Kanhef
Holmes

Turns nickel into copper, eh?

Should be easy enough to test - put a piece of pure nickel in, let it run for a while, then take it to an independent lab and have them do an elemental analysis of it. No concerns about revealing "trade secrets" there.

Of course, they'll never agree to it, as it would immediately show their claim of achieving fusion to be false. There are too many hallmarks of bad science to consider this credible. The only question I have is whether they've managed to fool themselves and actually believe what they're saying, or if they're just trying to fool everyone else.

0
0

Windows Phone 8 support to end in 2014

Kanhef

Another possibility

is that they're killing Windows Phone entirely, replacing it with Windows RT/8/9/Blue. I seem to recall them saying a while back that they wanted a more unified interface across all versions of Windows.

2
1

SimCity 3000

Kanhef
Alien

SimMars

I remember SimEarth had a 'terraform Mars' scenario. It would be interesting to see that game redone with more sophisticated modeling, now that personal computers are a few orders of magnitude more powerful than they were when it was released.

2
0

World+Dog don't care about climate change, never have done

Kanhef
FAIL

Flawed study

It appears they asked the question, "which of these eight issues are you most concerned about?", as if people are only capable of caring about one of them, and assumed they don't give a damn about the other seven. A properly done study would have allowed people to indicate how concerned they are (from 'not at all' to 'extremely') about each of those issues.

Also, "seventeen years of continuous surveys" is flat-out wrong. According to the linked report, the survey was conducted exactly three times, in 1993, 2000, and 2010.

4
2

Did GM food cause GIANT TUMOURS IN RATS?

Kanhef
Boffin

Summary

A study with methodological errors, written up in a paper with multiple analytical errors (severe enough that some scientists say it should not have been published), by a biased group with a history of similarly flawed analyses and questionable use of statistics. Move along, nothing to see here.

Hopefully in a couple of years we'll see different scientists re-do the experiment properly and publish results that actually mean something.

7
1

Insider cuts into Apple, peels off Intel Mac OS X port secrets

Kanhef

Re: OS X & x86!

The PowerPC chips were problematic, particularly on heat - even the G4 laptops were uncomfortably warm - so I can understand the shift to a different architecture. I'm just disappointed they didn't pick another sane and properly-designed one, such as ARM. Compared to either, x86/x64 is a 35-year-old steaming pile of crap, with one layer of (mostly) backwards-compatible cruft bolted on after another.

0
2

Big Data is now TOO BIG - and we're drowning in toxic information

Kanhef

Something of a point

To elaborate on his stock market example, if you look at prices on a minute-by-minute basis, there's a tremendous amount of random fluctuation (i.e., lots of noise). If you only look at daily closing prices, you have a few orders of magnitude less data to process, and it's just as good for making medium- and long-term predictions. Of course, it's easy to go too far; monthly stock market updates might not provide enough data to extrapolate from with an acceptable degree of confidence. And there are exceptions: an automated arbitrage trading program might be able to make use of price updates as often as every second.

As for log files, many of them are useless, and most will never be looked at. But when security breaches happen, they're essential in figuring out how someone got into the system and what they accessed.

The point here is that companies need to work on collecting better quality data, not more of it.

3
0

Final countdown for NASA's NuSTAR X-ray black hole telescope

Kanhef
Mushroom

Poor choice of words

Referring to a supernova as a "Big Bang", and saying the most recent supernovae can provide the most information about it, is rather confusing for anyone who's paid attention to cosmology.

0
0

EMC registers mysterious new trademark

Kanhef
Holmes

Virtual Service Provider eXchange

They've virtualized service as a service (SaaS) and are providing it as a service.

0
0

Page:

Forums