* Posts by Kanhef

552 posts • joined 3 Nov 2007


We tried using Windows 10 for real work and ... oh, the horror

Kanhef

'HERE' is actually the name of the map company: here.com. Still could use a link, though.

0
0

UH OH: Windows 10 will share your Wi-Fi key with your friends' friends

Kanhef

Re: A Stalker's Dream

Nice example of how this can spread access to a network without the owner's consent.

If every device used Sense, it wouldn't be as bad an idea. The network owner is the only one who enters the key, it's shared with their friends and no further, everyone's happy. (Of course, as other people have pointed out, this ignores the reality that many people have contacts who are not trusted friends.)

If nothing uses Sense, it's possible for friends to pass on wifi keys, but it requires a deliberate action. John could choose to give Mary's key to Charlie, but it's not something that can happen accidentally.

The problem is when you mix key-sharing methods. Maybe Mary uses a Mac and has never heard of Sense. Maybe she uses Windows 10 and turned Sense off because she doesn't want her wifi key shared with everyone she's ever contacted, which includes Charlie. Either way, when John enters the key on his Windows phone, it assumes he owns the network and has the authority to share the key with everyone he knows. Since John isn't tech-savvy, he isn't aware of Sense and hasn't turned it off; he doesn't even know that Charlie now has Mary's key.

The only way I can see this being workable is if it's fully opt-in: choose to share a key, and choose who to share it with, rather than sending it to all of your contacts.

1
0
Kanhef

RTFA: "Microsoft enables Windows 10's Wi-Fi Sense by default, and access to password-protected networks are shared with contacts unless the user remembers to uncheck a box when they first connect."

2
1
Kanhef

When your friends connect, do they share the key with all of their contacts? No matter how secure the keys are as they pass through Microsoft's servers, the plaintext has to be recoverable for their devices to make use of it, so is there any way to prevent it from being spread ad infinitum?

3
0

Microsoft rushes out latest Windows 10 build. 300 fixes? Pff, whatever

Kanhef

So, they release build 10158 saying it has "no significant known issues". A day later, they release build 10159 with 300 fixes. They must have known about these issues in order to fix them so quickly, and at least some of them must have been significant enough to justify releasing another build so soon.

This sort of disingenuity is why a lot of us don't trust Microsoft.

42
16

Sprint: Our 'unlimited' mobe plan has one tiny limit: High-quality video

Kanhef

Why

Because video is easily the largest use of data. If all of Sprint's customers were watching Netflix at the same time, they'd be pulling 80 terabits per second across the network - some 200 times as much as the largest DDOS attacks ever recorded.

1
0

Microsoft says Oculus Rift distorts world, grinds corrective lenses

Kanhef

Re: Comparison

Really depends on the display resolution. If you can see the pixels, it will detract from the overall experience. A slight defocusing could help blend the pixels together without causing distortion.

The Oculus part looks disappointingly cheap. Single lens, rather than compound (which is probably why it has that chromatic aberration). The support ribs on the bayonet flanges suggest it's made of thin plastic, probably flexes if you squeeze the sides of it. Hard to tell what's holding the lens in place, looks like it could pop out fairly easily if you tried. In comparison, the Microsoft part looks more like my vintage telescope eyepieces.

0
0

Hey, Sand Hill Exchange. Shouting 'blockchain!' won't stop the Feds

Kanhef

Re: Regulations. . .

I think Sand Hill's approach was much like Uber et al.: try something new, ignore relevant regulations by claiming they don’t apply to what you're doing, and hope that by the time people decide the regulations do, in fact, apply, you're too successful to be shut down easily. A more cautious approach would have been to start by going to the regulators and trying to get a change in rules, or an exemption for what you want to do. Having Nobel-prize-winning economists saying it would help stabilize markets and prevent bubbles would certainly help with that.

3
0

Redmond: IE Win 8.1 defence destroying hack ain't worth patch, natch

Kanhef

Re: No conditions on the bounty payment?

According to HP, they reported it to Microsoft some eight months ago; their initial report in February said they’d already given Microsoft 120 days to respond. When they sit on a vulnerability in the latest version of one of their flagship products for that long, then decide they don’t want to fix it, they don’t have any right to tell people to not talk about it.

5
0

Wikipedia to go all HTTPS, all the time

Kanhef

Re: Playing to the gallery

MediaWiki renders each article - including templates used - into a single HTML page, so complex articles won’t be any slower to load than simple ones. Articles with a large number of images may require more connections, but that’s true of any site.

I agree that most articles aren’t sensitive, but how do you determine which ones are? If someone is at a sensitive page sent through HTTPS and browses to a non-sensitive page sent through HTTP, their history will be revealed through the Referer: header. If the server has any way to say "you’re not looking at a sensitive page, I’m switching back to HTTP", there’s a MITM encryption-downgrade attack waiting to be found. It’s much simpler to just encrypt everything and not worry about the details.

19
2
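An added example, not part of the post above and not anything Wikimedia ships: a Python model of the standard referrer policies that computes the Referer a browser would send for a navigation between two pages, so you can see which policies name the previous page, which only name the site, and which send nothing on an HTTPS-to-HTTP step. The page URLs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical page URLs, constructed for the example (not real Wikipedia traffic).
SENSITIVE_PAGE = "https://en.wikipedia.org/wiki/Some_sensitive_topic#History"
PLAIN_PAGE = "http://en.wikipedia.org/wiki/Main_Page"

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url",
)
SECURE_SCHEMES = {"https", "wss"}


def origin_of(url):
    """Scheme + host[:port] with a trailing slash, the form sent by origin-only policies."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, "/", "", ""))


def full_referer(url):
    """The page URL as a Referer value: credentials and the fragment are never sent."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(src, dst, policy="no-referrer-when-downgrade"):
    """Referer a browser sends when navigating from src to dst under the given policy, or None."""
    same_origin = origin_of(src) == origin_of(dst)
    downgrade = urlsplit(src).scheme in SECURE_SCHEMES and urlsplit(dst).scheme not in SECURE_SCHEMES
    full, origin = full_referer(src), origin_of(src)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy: {policy}")


def reveals_page(src, dst, policy):
    """True when the Referer exposes which page (not merely which site) the user came from."""
    ref = referer_for(src, dst, policy)
    return ref is not None and ref != origin_of(src)


def leak_table(src=SENSITIVE_PAGE, dst=PLAIN_PAGE):
    """For one navigation, what each policy would send and whether that names the page."""
    return {p: (referer_for(src, dst, p), reveals_page(src, dst, p)) for p in POLICIES}


if __name__ == "__main__":
    for policy, (ref, leaks) in leak_table().items():
        kind = "PAGE" if leaks else ("site" if ref else "-")
        print(f"{policy:34} {kind:4} {ref}")
```

The default argument is the no-referrer-when-downgrade behaviour. Whether a given deployment leaks the previous page therefore depends on which policy the page or the browser applies, and the plaintext HTTP request for the next page is visible to an on-path observer regardless of what Referer carries, which is the stronger reason to serve everything over HTTPS.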

Apple to tailor Swift into fully open-source language – for Linux, too

Kanhef

The .NET CLR is a virtual machine.

4
3

Malfunctioning Russian supply podule EXPLODES above Pacific

Kanhef

At least it wasn't the one with the fancy espresso machine in it.

2
0

iPhone case uses phone's OWN SIGNAL to charge it (forever, presumably)

Kanhef

Re: Actually I think it might work ... sort of

If you had a material that could be controllably transparent to radio frequencies (similar to a liquid crystal watch display) and a way to determine the direction of the mast in use, this might actually work. Make the part of the case in the direction of the mast radio transparent, changing as the user moves. The blocked signal could be absorbed to reclaim some energy, or reflected to boost signal strength.

0
1

Boeing 787 software bug can shut down planes' generators IN FLIGHT

Kanhef

So...

How often do planes operate, without shutting down, for more than eight months at a time?

30
0

'Use 1 capital' password prompts make them too predictable – study

Kanhef

Re: Long passwords

I encountered one site with a similar issue. On the account creation page, the password field had a length of 20 characters, but the login page only allowed 10. Somewhat concerning that no one at the company who developed, tested, or used the site had a password longer than 10 characters.

2
0
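An added check, not from the post or from the site it describes: a Python script that pulls the maxlength of every password input out of the signup and login pages and flags any field whose limit is below the largest one seen, which is the mismatch the post ran into. The two HTML fragments are constructed stand-ins for those pages.

```python
from html.parser import HTMLParser

# Constructed markup standing in for the two pages the post describes: signup allows
# 20 characters, login only 10. Hypothetical, not the site in question.
SIGNUP_HTML = """
<form id="register" action="/register" method="post">
  <input type="text" name="user">
  <input type="password" name="password" maxlength="20">
  <input type="password" name="confirm" maxlength="20">
</form>
"""
LOGIN_HTML = """
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="password" maxlength="10">
</form>
"""


class PasswordFieldCollector(HTMLParser):
    """Records (form, field name, maxlength) for every password input in a document."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self.current_form = a.get("id") or a.get("name") or a.get("action") or "(anonymous form)"
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            raw = a.get("maxlength")
            limit = int(raw) if raw is not None and raw.strip().isdigit() else None
            self.fields.append((self.current_form, a.get("name"), limit))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def password_fields(html):
    parser = PasswordFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def limit_conflicts(pages):
    """pages maps a label to HTML. Returns (largest limit seen, fields with a smaller explicit
    limit): a password accepted at the largest limit cannot even be typed into those fields."""
    found = [(label,) + f for label, html in pages.items() for f in password_fields(html)]
    limits = [limit for *_, limit in found if limit is not None]
    if not limits:
        return None, []
    ceiling = max(limits)
    return ceiling, [f for f in found if f[3] is not None and f[3] < ceiling]


if __name__ == "__main__":
    ceiling, conflicts = limit_conflicts({"signup": SIGNUP_HTML, "login": LOGIN_HTML})
    print("largest maxlength:", ceiling)
    for label, form, name, limit in conflicts:
        print(f"{label}: form {form!r} field {name!r} caps at {limit}")
```

maxlength only caps what the browser lets you type. Whether the server silently truncates on one page and not the other is the question that actually locks people out, and that needs a test with a real account, which this script does not do.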

Mt Gox LEAKED Bitcoin for years before heist, says WizSec

Kanhef

hmm

The discrepancy starts showing up around August 2011. Mt Gox was hacked in June 2011. They rolled back transactions after the hack, but I don't see much talk about strengthening security; my guess is that the hacker still had or quickly regained access, and decided to loot the place more slowly, avoiding the big selloffs that attracted attention the first time.

0
0

Microsoft cramming free stuff into Galaxy S6es? Not so fast – US telcos

Kanhef

All the preloaded apps on Android devices are typically installed as system apps, so they can't be removed without root access.

11
0

Netflix teams with AWS to launch VHS-as-a-service

Kanhef

Digitizing and streaming content that had only been released on tape actually sounds like a decent idea; there's good money in the nostalgia business. If they didn't have the bollocks about degrading the quality, it would be very hard to tell if this is real or not.

0
0

The internet IS a series of tubes. Kinda: A Reg 101 guide to cabling

Kanhef

Airflow

On copper cables? Anyone care to explain what that means?

3
0

Microsoft's Project Spartan browser is HERE (unless you build apps or run VMs, that is)

Kanhef

Disappointing

They know they broke VS and Hyper-V, but were willing to distribute it anyway. This does not inspire confidence in the quality or stability of the final product.

4
19

Flak for Slack chaps in yak app hack flap: User database whacked

Kanhef

Re: Slack app? Never heard of it!

Relevant: http://www.xkcd.com/1497/

3
0

Microsoft enlists web security pariah Adobe to help build Internet Explorer-killer Spartan

Kanhef

Very much panicking here

Any code that handles web pages (i.e., untrusted data) can and will be used as an attack target. I recall a Firefox exploit where image buffers were allocated but not initialized; attackers could use it to read the contents of the screen. If vulnerabilities exist, they will be exploited; if it's written by Adobe, there will be vulnerabilities.

12
1

Big Data shocker: Over 6 million Americans have reached the age of 112

Kanhef

A bit late to the party

Other news outlets were reporting on this back on March 10.

2
5

Leaked Windows 10 build hints at peer-to-peer patching

Kanhef

Re: Could be useful... if under control

Even better for enterprises with dozens or hundreds of computers all trying to update at the same time every Patch Tuesday. The LAN-only option makes me a lot more comfortable with this idea, since it's a lot harder to compromise than if it's willing to download from anywhere on the internet.

3
1

FCC says cities should be free to run decent ISPs. And Republicans can't stand it

Kanhef

Irony

Republicans love to champion states' rights vs. the federal government, but then get all upset when you apply their same reasoning to cities' rights vs. states.

19
0

FCC Republicans slam brakes on net neutrality, but this wagon ain't slowing

Kanhef

Re: When will they understand...

You're forgetting that for a large percentage of the US, "another vendor" doesn't exist. I've lived in places where Comcast was the ISP; there was no choice. If ISPs decided to be evil, most people would put up with it, not because they want to, but because the only alternative is to give up internet access entirely.

Also, the notion that 'if one company is bad, they'll be forced to back down when all their customers leave for competitors' doesn't really hold up when you look at historical precedents. For example, commercial airlines started cutting services and adding fees for everything in the late '90s. None of them went bankrupt or had to reverse course over it, because in short order all of the airlines were doing the same thing.

6
1

Got $600 for every Win Server 2003 box you're running? Uh-oh

Kanhef

"standard application abstraction layer that is OS independent"

You mean something like the Single Unix Specification/POSIX?

2
1
Kanhef

A bit confused here

If extended support is ending and there won't be any security patches, what exactly are people supposed to be paying for?

0
1

VirusTotal wants YOU (but not you) to join its epic AV whitelist

Kanhef

Possibly shortsighted

I don't know exactly how AV signatures are generated, but if there's any way to force collisions (like with md5), this could be a very bad idea. I'm sure plenty of people would love to have their malware whitelisted because it's identified as a core Windows component.

2
1

Bitcoin trade biz MyCoin goes dark, investors fear $387 MEEELLION lost

Kanhef

Re: I can see how would work

Not a bad idea, pretty much naked short selling bitcoins. Promise sales (of something you don't actually have yet) at one price, trigger a market panic, buy cheap and deliver. This would be illegal in a regular stock market, but due to the lack of regulation of bitcoins, you could get away with it. Once.

0
0

$10,000 Ethernet cable promises BONKERS MP3 audio experience

Kanhef

One born every minute

There's at least some plausible basis for fancy audio cables for analog connections, where noise or interference can affect the output. (Whether or not that effect is noticeable is beside the point.) Once things are digitized, though, all the ridiculously expensive materials become irrelevant; as long as it still resolves to the same sequence of 1s and 0s, it doesn't matter how much noise there is in the signal.

44
1

'If someone in Australia says lick my toad, it's not a euphemism'

Kanhef

re Golden Dropping

Nice to see an eloquent counter to the "if you've got nothing to hide, you've got nothing to fear" argument. When it's been brought up, many people dismiss it out of hand, but few have been able to explain why it's a bad argument.

0
0

Siri? Are you seeing another man?

Kanhef

RTFA

Particularly the parts where they say it would work equally well with Google Voice on Android, or with VoIP phones.

4
2

Scary code of the week: Valve Steam CLEANS Linux PCs (if you're not careful)

Kanhef

There might be a use for upward directory traversal for specifying files to delete (e.g., "rm ../*.c"), though it would probably be safer to navigate upward first, then call rm. The -r option definitely shouldn't attempt to process . or ..; on the Mac/BSD implementation, it throws an error to even try "rm -r ..", but it will accept "rm -r ../*".

0
0
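An added example, mine rather than Valve's code or anything from the post: a guard for the situation the post discusses, resolving the files a pattern would delete under a root and refusing anything that lands outside it, whether through ".." in the pattern or through a symlink. It also refuses an empty root, since "$root/"* with an unset variable expands to the top of the filesystem. The directory layout is constructed inside a temporary directory.

```python
import glob
import os
import tempfile


class UnsafeDeleteError(ValueError):
    """Raised instead of letting a deletion widen beyond its intended directory."""


def resolve_delete_targets(root, pattern):
    """Expand pattern beneath root and return the real paths that would be deleted.

    Refuses: an empty or unset root (which would otherwise make "<root>/*" mean "/*"),
    the filesystem root itself, and any match that resolves outside root, whether
    through ".." in the pattern or through a symlink placed inside root.
    """
    if root is None or root.strip() == "":
        raise UnsafeDeleteError("refusing to delete with an empty root")
    root_real = os.path.realpath(root)
    if root_real == os.path.abspath(os.sep):
        raise UnsafeDeleteError("refusing to operate on the filesystem root")
    if not os.path.isdir(root_real):
        raise UnsafeDeleteError(f"{root!r} is not a directory")

    targets = []
    for match in glob.glob(os.path.join(root_real, pattern)):
        if os.path.basename(match) in (".", ".."):
            continue  # never treat the directory itself or its parent as a target
        real = os.path.realpath(match)
        inside = os.path.commonpath([root_real, real]) == root_real
        if real == root_real or not inside:
            raise UnsafeDeleteError(f"{match} resolves to {real}, not strictly inside {root_real}")
        targets.append(real)
    return sorted(targets)


def build_fixture():
    """Constructed layout for the demo:
    <tmp>/app/{a.c, b.c, sub/c.c, escape -> ../outside}   <tmp>/outside/keep.c"""
    base = tempfile.mkdtemp(prefix="rmguard-")
    app, outside = os.path.join(base, "app"), os.path.join(base, "outside")
    os.makedirs(os.path.join(app, "sub"))
    os.makedirs(outside)
    for rel in ("app/a.c", "app/b.c", "app/sub/c.c", "outside/keep.c"):
        open(os.path.join(base, rel), "w").close()
    os.symlink(outside, os.path.join(app, "escape"))
    return app


def demo():
    """Run the guard over the fixture; returns what was allowed and what was refused."""
    app = build_fixture()
    results = {"in_root": [os.path.relpath(p, app) for p in resolve_delete_targets(app, "*.c")]}
    cases = {"parent_glob": (app, "../*"), "symlink_escape": (app, "*"), "empty_root": ("", "*")}
    for label, (root, pattern) in cases.items():
        try:
            resolve_delete_targets(root, pattern)
            results[label] = "allowed"
        except UnsafeDeleteError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The symlink case is deliberately conservative: removing the link itself would not touch its target, but a recursive delete that follows it would, so the guard refuses the whole batch rather than guess which tool will consume the list.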

Comcast sued for – you guessed it – allegedly SCREWING OVER CUSTOMERS

Kanhef

Re: I HATE comcast

You mean BFHs. BOFHs are actually competent at what they do.

10
0

Microsoft turns the power of FINE PRINT onto enterprise licensing

Kanhef

Solution: give them what they ask for

...which isn't necessarily what they want.

Someone takes a work-issued laptop home? That changes the number of licenses on site; notify Microsoft. They bring it back? Notify them again. A device turns off? Arguably, that changes the number of licenses, so notify Microsoft again; same when it turns on. Shouldn't take too long before Microsoft decides to clarify what they mean by "any changes".

11
0

Microsoft Azure was most FAIL-FILLED cloud of 2014

Kanhef

Math fail

There are 8,760 hours in a typical year, give or take a few. By some fairly basic calculations, the Azure uptimes should be 99.5098% and 99.8757%. I don't know how CloudHarmony came up with their numbers, but I wonder if Microsoft 'encouraged' them to use some alternative voodoo calculations so they can claim "99.9% uptime", when any service that is down for more than 8.76 hours clearly fails to meet that standard.

5
1

$500 TEDDY BEAR teaches tots to spit up personal data

Kanhef

Worse than useless

This will result in more neurotic parents freaking out over every slight variation in the kid's vital signs, because they don't have the medical knowledge necessary to understand what it means and what is or is not cause for concern. I wonder if some hospital executive is behind this, trying to see how many more urgent care visits they can get and bill for.

3
0

Google unveils Windows 8.1 zero-day vuln – complete with exploit code

Kanhef

Sure; the Shellshock bug was introduced back in 1989. Once it was reported, though, there was a patch available in 12 days, from someone who maintains Bash for free as a side project. Microsoft pays thousands of people to work on Windows as their full-time job, so not being able to respond to vulnerability reports in a timely manner is embarrassing, to say the least.

6
0

Tor de farce: NSA fails to decrypt anonymised network

Kanhef

Re: Seems to me

The only way security-minded people would accept a version of Skype as 'compromise-free' is if it's completely open-source, and can be reliably compiled to be byte-for-byte identical to any distributed binaries. If we can't inspect the code and prove that there are no backdoors or weak, home-rolled crypto systems, it will still be considered compromised, no matter what anyone at Microsoft says.

8
0
Kanhef

Re: Timing...

If every node delays every packet by a random amount in the same range, all this will do is slow down the network. With enough packets to analyze, the randomness averages out and isn't a significant obstacle. A better approach might be to add delays depending on the speed of the individual connections between nodes; the idea is that all traffic takes the same amount of time to transit through a node, no matter where it came from or where it's going.

1
0
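An added simulation, not from the post, of the first point above: a constructed burst pattern is pushed through a relay that holds each packet for an independent uniform random delay, and the correlation between per-window packet counts before and after the relay is measured. With windows comparable to the jitter the pattern is blurred; with windows much larger than the jitter it comes straight back, which is what "averages out" looks like in practice. The traffic pattern and the delay distribution are both assumptions of the example.

```python
import math
import random


def burst_pattern(n_bursts=600, seed=1):
    """Constructed sender timeline (seconds): bursts of packets 10 ms apart, with variable
    burst size and idle gap so the pattern is distinctive rather than periodic."""
    rng = random.Random(seed)
    times, t = [], 0.0
    for _ in range(n_bursts):
        for _ in range(rng.randint(5, 30)):
            times.append(t)
            t += 0.01
        t += rng.uniform(0.2, 1.0)
    return times


def relay_with_random_delay(times, max_delay, seed=7):
    """The scheme discussed in the post: every packet independently held for U(0, max_delay)
    seconds. The relay forwards in order of departure, so the output is re-sorted."""
    rng = random.Random(seed)
    return sorted(t + rng.uniform(0.0, max_delay) for t in times)


def bin_counts(times, width, horizon):
    """Packets per time bin of the given width over [0, horizon)."""
    n = max(1, math.ceil(horizon / width))
    counts = [0] * n
    for t in times:
        counts[min(int(t / width), n - 1)] += 1
    return counts


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def pattern_correlation(max_delay, bin_width):
    """How closely per-bin packet counts at the relay's output track the sender's, i.e. how much
    of the timing signature survives when an observer counts over bin_width windows."""
    sent = burst_pattern()
    out = relay_with_random_delay(sent, max_delay)
    horizon = out[-1] + bin_width
    return pearson(bin_counts(sent, bin_width, horizon), bin_counts(out, bin_width, horizon))


if __name__ == "__main__":
    for max_delay, width in ((0.05, 0.25), (4.0, 0.25), (4.0, 40.0)):
        corr = pattern_correlation(max_delay, width)
        print(f"jitter<={max_delay:4}s  bins={width:5}s  correlation={corr:.2f}")
```

The observer pays for the coarser windows with more packets and a longer capture, which is the "with enough packets to analyze" part; the random delay only sets how many that is.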

URL LOL: Delta splats web flight boarding pass snoop bug

Kanhef

Some airlines (such as SouthWest, IIRC) don't assign specific seats in advance, and flight overbooking is routine, so seat conflicts aren't necessarily a problem. You'd still have to deal with getting an ID to match, though.

2
0

Kaspersky exposes SONY-CRIPPLING malware DETAILS

Kanhef

"Tight deadline"?

More likely they deployed as soon as their software was ready.

0
0

Microsoft forks .NET and WHOMP! Here comes .NET Core app dev stack

Kanhef

Security disaster in the making

As Steve Davies mentioned, there will be security vulnerabilities found in the .NET libraries; it's a question of when, not if. The real problem is what to do about them, now that the libraries are bundled with apps.

On the one hand, they could let developers release new versions of their apps every time the libraries are updated. Realistically, most of them won't bother, which creates a large attack vector. I'm sure VXers will find a way to take advantage of it, such as convincing users to install vulnerable apps which can be exploited. (E.g., "you need XX video player to watch this clip of [celebrity]".) Will antivirus programs have to start flagging anything with outdated libraries as potentially harmful? This way lies madness.

The alternative is to push security patches through Windows Update. Except this is supposed to be cross-platform, so you don't necessarily have Windows Update. Maybe solvable with an updater service, but now that also has to be bundled with apps as well, and could lead to issues with multiple instances and version incompatibility if you install several .NET apps. Even with that solved, pushing updates could break signed apps.

Anyone have better ideas on how to not have this turn into a nightmare?

3
0

Twitter App Graph exposes smartphone spyware feature

Kanhef

The real question is

Why would any app need a list of all other (running) apps? Gathering that information and sending it off for 'analysis' definitely counts as spyware. If app functionality depends on the presence of certain other apps, the OS should provide a means to query whether those specific apps are installed, rather than revealing all of them.

6
0

SHOW ME the MONEY: Payment code spied in Facebook Messenger

Kanhef

Re: How to use the Facebook Messenger app

I can understand the need for some of the permissions, such as access to the camera and storage so you can post photos. But I'd love to see their explanation for why it needs to be able to modify contact information, read text messages, change network connections, or modify battery information.

5
0

Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9

Kanhef

Re: Time for Linux

Unless Windows 9 (or whatever it's called) goes back to a familiar user interface, I think this will be an increasingly tempting option for enterprises. If they're going to have to retrain users anyway, why pay an arm and a leg for Windows + Office licenses, plus the inevitably required hardware upgrades? In most cases it would be cheaper to hire an on-site migration assistant from a distro provider than to stay with Microsoft.

10
1

Slapdash SSL code puts tons of top Android Play Store apps in hack peril

Kanhef

Interesting statistics

Trust management problems in 73% of the top 1,000 apps, but only 36% of the next 9,000 most popular apps. Webkit issues in 77% of the top 1,000, but just 6% of the next 9,000. Why are the most-downloaded apps so much more prone to security problems than ones that aren't quite as popular?

0
0

Whoah! How many Google Play apps want to read your texts?

Kanhef

Re: Android permissions cannot revoked after installation?

Apparently you missed the bit about Google removing access to App Ops late last year; as of 4.4.2, you can't use it without rooting the device, and it's possible they'll remove it entirely in future versions.

1
0
Kanhef

Amazon and Ebay aren't actually that unreasonable – they're probably trying to look up your postal/zip code so they can automatically calculate shipping costs. Still, it would be nice to have the option to turn that off, in case you're shopping while not at the location you want things delivered to.

2
4

