* Posts by Frank Bitterlich

220 posts • joined 9 Nov 2007


Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried

Frank Bitterlich
Terminator

CA = Critical Infrastructure

Governments, ICANN and other governing bodies have understood a long time ago that some critical infrastructure - like root DNS servers and such - are way too important to let a bunch of companies (many of them with a questionable rap sheet) take control over them.

Maybe it's time to expand the concept to include the certificate authorities. Or, we could continue to let "the market" regulate who does what with their certs and let anybody sell, leak, lose their certs who has enough money to do so. And then let the big browser makers fix this by blocking some root certs; until they find out that you can make some extra money by whitelisting some certs for cash.

"Can't access this or that website with your browser? Try Internet Exploder 16, it accepts more root certs than any other browser!"

10
0

Kraftwerk versus a cheesy copycat: How did the copycat win?

Frank Bitterlich
Thumb Up

What the court did examine, though, ...

... was the amount of damage that Kraftwerk suffered from the use of this two-second sample, and compared that to the constitutional right of artistic freedom. And they ruled that, in this specific case, the latter was more important.

I don't like Pelham's music or the genre as a whole at all, but I tend to agree with the court here. It's a rare example of a "common sense" ruling - compare the interests of both parties and decide which one weighs more.

Another thing missing from this article: The court expressly said that a mandatory compensation might be regulated by legislation in the future. There is no such law currently, so the only thing the court had to decide is whether the original ruling had considered artistic freedom enough; and they ruled that it didn't.

By your line of argument, Andy Warhol should have been sued out of his pants by Campbell's for his soup can picture.

16
1

Are state-sponsored attackers poisoning the statistical well?

Frank Bitterlich
Boffin

This can have grave consequences...

The consequences of this could be immense.

Like, for example, the PR dept having to change their boilerplate "We were breached, but haven't seen any evidence of ID theft, here, have some free 'credit protection' service anyway..." pre-cooked response to any kind of security incident.

Or, "Sir, looks like we need one of these 'firewall' things. Yes, I know, it's just weather data, but the internet said we're being targeted too. Yes, I know two hundred bucks is a lot of money... maybe we can get the gov't to spend 0.0001% more on the data we sell to them..."

0
0

Ted Cruz knows where you live – if you downloaded his app

Frank Bitterlich
Big Brother

Not surprising...

No surprise... after all, how can you call for a ban on encryption when you're using HTTPS when transmitting the data syphoned off your supporters' phones?

3
0

NZ Pastafarians joined in noodly wedlock

Frank Bitterlich

Religious items?

That guy was probably looking for an excuse to order a lasagna every week...

0
0

URL shorteners reveal your trip to strip club, dash to disease clinic – research

Frank Bitterlich
Holmes

Let me see if I get this right...

So,

1. some people publish unsecured content,

2. use a URL shortener on the URL, and

3. believe that this protects the content they published.

Could somebody remind me again why these "researchers" think that the actual vulnerability is in the URL shortener? Just because they fail to keep the long URL "secret"?

Sure, go ahead and encourage stupid internet users to stick the blame on others when they're too dumb to protect their content because they have no clue about the hosting service they're using.

"We have to put our stuff on the internet." -- "Why?" -- "Don't know, the article didn't say that."

2
1

BTC dev: 'Strangling' the blockchain will kill Bitcoin

Frank Bitterlich

Re: re: Paypal

IBAN? IBAN is an account number - not sure what payment scheme you're referring to here. Wire transfer? Direct debit? Both of these are even worse than PayPal.

0
0

French publishers join Swedish 'Block Party' to pester ad refuseniks

Frank Bitterlich
Thumb Up

If you think that's the right solution...

... then good luck with that. If you don't want me to see your "quality journalism" without at the same time accepting you to push in-your-face jumpy noisy annoying ads down my throat, then I might not be part of your target group.

Good luck with those remaining visitors who apparently don't see a correlation between the advertising behaviour and the quality of the "journalistic" content that is trying to sell these ads.

13
2

Facebook Messenger: All your numbers are belong to us

Frank Bitterlich
Big Brother

"We can help you interact with businesses or services..."

Thank you for that kind offer, Mr. Zuckerberg, but I'm all grown up now and have a fully functional web browser, so I don't need your "help" with that.

But I suspect that the trend of companies and organizations thinking that having a Facebook page is more important than a real website will only get worse.

When I repeatedly state that I do not and will not ever have a Facebook account, some people still look at me like some kind of idiot who lives in the past. Good luck, mankind, with that level of ignorance.

30
0

TV streaming stick brings the movies and the network backdoors

Frank Bitterlich
Facepalm

Re: Brute force ...

Do you really think that a company whose idea of security is an 8-digit numeric root password would ever implement anti-bruteforce methods?

2
0

Microsoft encrypts explanation of borked Windows 10 encryption

Frank Bitterlich

Re: Translation follows...

Sure, because as we all know, posting instructions on how to tinker with your registry so that the nagging stops into a large knowledgebase, is way better than to just add a "No, thanks, leave me alone"-Button to the nagware.

0
0

HSBC COO ‘profoundly apologises’ for online outage

Frank Bitterlich

Re: Likely causes....

Well, that list is roughly equivalent to saying "The problem must be either hardware, software, or human error." Not wrong, but useless.

5
0

City of London cops in Christmas karaoke crackdown shocker

Frank Bitterlich
Terminator

Costing money? How?

So, we're talking about tracks that are not available for purchase. Which makes me wonder how "... would still have been costing the legitimate music companies money ..." could be working. Other than general "home taping kills music" arguments.

Oh, and I call BS on the "legitimate" attribute.

19
0

WhatsApp laid bare: Info-sucking app's innards probed

Frank Bitterlich
WTF?

What's the point?

The article says:

This data included WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, as well as WhatsApp phone call duration metadata and associated date-time stamps. They also were able to acquire WhatsApp's phone call voice codec (Opus) and WhatsApp's relay server IP addresses used during the calls.

So, this "collecting" phone numbers, call duration and other stuff is clearly what WhatsApp needs to make the call.

Don't know exactly what the article is about. Somebody has looked into WhatsApp traffic and fails to find someone with their hand in the cookie jar?

24
0

You want a 6% Google Tax? Get lost, German copyright bods told

Frank Bitterlich

Re: cry me a river....

The remedy is clear: 1) do it like Spain, add extra legislation making it illegal/impossible for publishers to opt out; and 2) make it illegal for aggregators like Google to opt out as a consequence as well.

(Optional: 3) make it illegal for the users to not read an article taxed in this way.)

After all, it's called a "tax" for a reason.

And, some simple math:

6-11 % fee x 19-21 % VAT: Nice extra money for the state. But that, of course, has nothing to do with anything.

3
1

iCloud phishing attack hooks 39 iOS apps and WeChat

Frank Bitterlich
Facepalm

I need the list of affected apps...

... just to compile a personal blacklist of app developers whose apps I'll never use or download again.

Because if their devs are so utterly clueless, their apps are dangerous even without this compromise.

@TeeZee: God help us. We really are truly f...ed. Indeed.

3
0

Class action launched against Facebook over biometric slurpage

Frank Bitterlich

This time, it's not just a matter of changing the ToS

In similar cases, Facebook et al. usually just amend their ToS to effectively state that all your stuff belongs to them, and that by using the system, you agree to that.

But this time it's about data of other people - non-users - that they ingest and process. This means that just adding an "I agree" button will not work this time. They'll probably try to add words to the smallprint that the user (=uploader) has to obtain consent from all people in the pics, which is (a) ridiculous and (b) probably not defendable as due diligence.

This will be an interesting case...

10
0

Anonymous UK 'leader' fined for revealing ID of rape complainant

Frank Bitterlich
Headmaster

Re: Anon Leader

Wouldn't that be an oxymoron, rather than a tautology?

You know, as in "... Anonymous member Malcolm Blackman, 48, ..."

11
0

ICO probes NHS clinic's data blunder that exposed HIV+ status of 800 patients

Frank Bitterlich
FAIL

Sure, "human error"...

Once again, the blame will be on the individual making the copy-and-paste mistake. Or maybe their immediate supervisor.

And nobody will ask the really important questions. Like, why the hell are they using desktop email programs to send out newsletters? And why do they have no safeguards in place (like leak prevention rules on their mailserver) to prevent this? They are working in the most privacy-sensitive medicine branch, why don't they have management-level data protection people? Or if they have them, what kind of qualification do they have?

But of course it's much easier to fire some secretary for "not following the rules."

16
0

Microsoft backports data slurp to Windows 7 and 8 via patches

Frank Bitterlich
Terminator

Newspeak...

"Customer experience" => Data grabbing

consent.exe => "No need for you to consent, it's all in the EULA."

"By applying this service, you can add benefits..." => "That's benefits for us, not for you, of course."

Hardcoding the host address: "Preventing us from siphoning your usage data? Ha ha, nice try."

The MS legal department must be bored, so they're trying to pick a fight with various data protection agencies.

21
0

Ads watchdog slams Mind Candy for upselling subscriptions to kids

Frank Bitterlich
Devil

Good to read that they are considering...

... to remove the word "now" from the ads. Now the world is safe again.

4
0

Směrť Špionam! BAN Windows 10, it SPIES too much, exclaim Russians

Frank Bitterlich
Coat

In Russia, ....

In America, you download operating system.

In Russia, operating system uploads you.

(Yeeees, I know, that one was predictable.)

8
0

Linux Foundation wants open source projects to show you their steenking badges

Frank Bitterlich
Alien

GPL == security?

... criteria being considered include whether the project is under an explicit open source license ...

OK, so choosing the right license will contribute to the security of my product?

Wow, I didn't know it was that easy...

3
0

Don't fight the cistern: Voda takes the plunge with plumbers’ parking app

Frank Bitterlich
Big Brother

Combine the useful with the creepy...

... as in "Combine an app that shows free parking spaces with a gadget that sniffs around in your car's data and your driving habits." None of the users will question why these two things need to be combined or even understand that they are constantly being monitored.

I just wonder why the OBD-II gadget doesn't feature a CCTV camera and voice recorder.

4
0

Microsoft Edge web browser: A well-presented mea culpa

Frank Bitterlich
Big Brother

Re: "It's worth turning on the (potentially) privacy-invading Cortana for that feature alone."

The most interesting part:

"AutoSearch and Search Suggestions in Internet Explorer automatically sends the information you type into the browser address bar to your default search provider [...] as you type each character. In Microsoft Edge, this feature automatically sends this information to Bing even if you have selected another default search provider."

Why?

21
0

Did speeding American manhole cover beat Sputnik into space? Top boffin speaks to El Reg

Frank Bitterlich

Re: Sounds like a job for:

... or xkcd's "What If?" blog.

9
0

GCHQ: Security software? We'll soon see about THAT

Frank Bitterlich
Big Brother

The definition of "security"

So, some security agencies are trying to disable security software in order to keep us all secure (from whatever threat of the day may be). And some of these security software companies apparently don't need to be fought/hacked/persuaded for unclear (read: obvious) reasons.

Seems to me that there are a number of different definitions of "security" out there.

"I go down to Speaker's Corner I'm thunderstruck [...] Two men say they're Jesus – one of them must be wrong..."

6
0

Obama issues HTTPS-only order to US Federal sysadmins

Frank Bitterlich

Just to clarify one thing...

Ordering all federal websites to use HTTPS does _not_ mean they want to ensure the users' privacy. It just means that since they have the data anyway (they're running the servers, after all), they just want to make sure that nobody _else_ gets to listen in too.

While still a good thing for users (and encouragement for other sites to go the same way), just don't be fooled into thinking that this will make your traffic more secure against official US snooping.

I know, for most readers of this comment this is obvious - but not for the general public. They just see the shiny lock icon or green address bar and think they're "safe."

1
2

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Frank Bitterlich
FAIL

This site is best viewed...

... with any browser other than Firefox.

Will be fun to see these statements popping up again just like in the old days.

Oh, and good luck trying to upgrade all these appliances with their built-in webservers to support HTTPS.

13
1

'Logjam' crypto bug could be how the NSA cracked VPNs

Frank Bitterlich

"Export" grade...

See... and you thought prohibiting the export of <del>working</del> strong encryption in the 1990s would never pay off...

2
0

Security bods gagged using DMCA on eve of wireless key vuln reveal

Frank Bitterlich

Re: Man up

The DMCA is a rather large piece of regulation. It contains both the takedown notice mechanism (the Online Copyright Infringement Liability Limitation Act, which I guess is what you're referring to) and the WIPO Copyright and Performances and Phonograms Treaties Implementation Act, which makes it illegal (criminal) to circumvent copy-protection measures and such. There is no "DMCA order" involved here; it's just that the attorneys are threatening that what IOActive plans to do would be a criminal act.

That's the way I understand this whole issue.

8
1

Apple Watch WRISTJOB SHORTAGE: It's down to BAD VIBES

Frank Bitterlich
WTF?

Obsolete? Upgrade?

Looks like Apple didn't send a batch of free watches to The Reg or iFixit. That would explain the weird arguments like "not offering an upgrade program". What was the last watch you bought that comes with a way to "upgrade" it? Or which smartphone, even (other than upgrading the software)?

And sure, if you can't upgrade it, it must be "obsolete" in 10 years. "Unlike most watches", of course. Who makes that stuff up? Any digital watch technology is outdated after 10 years (oh, and mechanical watch technology too, btw.) Would you call a chronograph built 20 years ago "obsolete" and toss it into the trash? Because you can't "upgrade" it? OTOH, Apple's watch is more closely related to a smartphone than to a watch, and of course you can (hardware-)upgrade smartphones. Right?

Reg, your Apple-bashing is funny up to a certain point, but at some point it's enough already.

2
15

Dell System Detect update vulnerability exposed

Frank Bitterlich
Holmes

What's wrong with that?

What's wrong with that?

What is wrong with that is that the average Dell customer won't ever visit the Dell website and run the DSD.

Do I really want patches applied to my servers without a chance to review them?

Nope, but you want at least a notification that a patch is available that fixes a quite serious vuln without having to actively look for updates.

10
1

BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Frank Bitterlich
FAIL

Blame Game

I wonder why so much focus is put on the part that the router was meant for home use and not SMB. Would that have made a difference if it were a home network (not a few people use Asterisk PBX at home too)? Yes, one difference: The SIP passwords would more likely have been "123456" instead of 256 bit.

Also, there are more than enough valid reasons to use SIP on the same subnet. One of them being that you might want to use software-based SIP clients.

To me, the router is broken. A firewall is not a firewall if it doesn't obey its configuration. And enabling UPnP functionality when UPnP is off (if it is true that the router actively searched for a SIP device, then it's probably not really UPnP, but even more troubling), in my eyes, is "broken" too.

"Sure, Sir, that belt you just bought doesn't work, but it's your own fault that you didn't wear suspenders too."

11
1

EU creative collection agencies want YouTube et al to pay their wages

Frank Bitterlich

Re: Organised crime is in the wrong business

That is exactly what the collection agencies are asking themselves these days; they slowly become aware that they are not the only way any more for an author to earn money with their works. So, in order to protect their income and power, they lobby the MEPs to create a law that effectively disowns the artists by forcing them to sell their works exclusively through them.

And it looks like they'll win; after all, they're "protecting" the artists from "exploitation". That's so simple that every MEP and even "H-Dot" will understand that.

1
0

Storm gathers around CDN Cloudflare after doxxing allegations, Pirate Bay deal

Frank Bitterlich
Terminator

I wonder...

... how compatible it is with the DMCA rules to make a complainant accept arbitrary conditions in order to "accept" a complaint.

"By submitting this complaint, you agree to your SSN and credit card details being sold on a Chinese black market website. And also, we sign you up to our newsletter."

2
0

Keyless vehicle theft suspects cuffed after key Met Police, er, 'lockdown'

Frank Bitterlich
Meh

Keyless Vehicle Theft...

This story has a less technical viewpoint than expected (for me at least). "Keyless Vehicle Theft" means theft without a key (which I'd guess covers at least 95% of all car thefts). Not necessarily a keyless car. While the Met police article links to another one on the methods of stealing keyless cars, I'd guess this is the exception rather than the rule.

So, read "keyless" as "jamming a screwdriver into the ignition lock" rather than "mad scientist cracks OBD encryption key using an abacus and duct tape" in most cases.

I still wonder how complicated it really is to forge wireless keys from the available data (via OBD).

4
0

IBM drops patent bomb on Priceline.com

Frank Bitterlich
Terminator

Re: Surprising

Yep... "Success Starts Here"...

"... and if you have finally succeeded, we'd like to have the money you have earned. Thank you."

0
0

Bitcoin trade biz MyCoin goes dark, investors fear $387 MEEELLION lost

Frank Bitterlich
WTF?

Does not compute...

Can anybody enlighten me on how anybody who has been on this planet for longer than six weeks would ever invest large sums of money into a Hong Kong-based sub-company of another company that has a "sole director" (who apparently does more successful business on Virgin Islands), promises extraordinarily large gains, and that requires you to bring new marks into the game (sorry, "sign up new investors") in order to get your money back?

And how have these people made a fortune (apparently) while being that stupid? I mean, come on, they cannot *all* have inherited their wealth, can they? Lottery winners, maybe?

7
0

Download alert: Nearly ALL top 100 Android, iOS paid apps hacked

Frank Bitterlich
Childcatcher

Metrics?

I suspect that what they do is to scan the black app markets for anything malicious that uses the name or look of any of the top apps, and if they find one, voilà, "WhatsApp has been HACKED!!!111!!!"

Try to offset the actual number of malicious or really "hacked" instances of downloads to the total number of (legit) downloads of those top 100 apps, and come back when you have real numbers. Thank you.

I'll take that report for what it is: advertising disguised as a "press release."

15
2

Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI

Frank Bitterlich
Alert

Re: Where are the crims?

Read the article again - it reveals the WiFi credentials.

1
0

Malware gets your Android blabbering to HACKERS

Frank Bitterlich

Zero permissions?

I admit that I'm clueless when it comes to Android, but can a "zero permissions" app really initiate a phone call? If that is the case, then this Speak'n'Steal attack appears to be not the only security problem...?

2
0

Voteware source code requester labelled 'vexatious'

Frank Bitterlich

"Freedom" of Information...

... funny what a name can do. Most "FOI" laws are actually the opposite - a means to prevent disclosure of information. It gives the public bodies a "tick all that apply" list of excuses on why it won't disclose anything. I wonder what judicial oversight is on this process; a potentially wrong election result vs. "commercial sensitivity" - guess which one wins...

"This government was brought to you by ACME Inc."...

2
0

PEAK APPLE: Mystery upstart to hurl iLord from its throne 'by 2020'

Frank Bitterlich
Facepalm

Really? Again?

That would be the Apple Death Knell™ #65, right?

"In other news, Fred Wilson announces new startup that has something to do with the cloud and does think about data."

15
0

China funds devs to write smog-clearing vidcam code

Frank Bitterlich
WTF?

Visibility - WTF?

"...that if visibility is reduced to three metres, [...] even top end cameras couldn’t see beyond 10 metres."

No, dude. If the visibility is reduced to three metres, then top-end cameras can't see beyond 3 metres. That's what "visibility" means. OTOH cameras tend to be mounted a bit higher than eye level which sometimes improves visibility in smog a tiny bit.

But to me the idea of improving visibility by software sounds a bit like "24": "Can you zoom in a bit on that pre-recorded QVGA CCTV picture?" - "Sure, here it is, I've converted it to 4k resolution for you. Would you like me to switch on 3D?"

2
1

Azerbaijani election app announced winner before polls even opened

Frank Bitterlich
Thumb Up

Works as designed

A good voting app should show the results as soon as they have been determined. If the results have been <del>fixed</del> determined that early, why not let the public know... The OECD will be impressed with this level of transparency.

2
0

Airbus imagines suitcases that find themselves

Frank Bitterlich
Terminator

So just to make sure I get it right...

... the traveller is supposed to (a) pay a premium and (b) *list* the contents of their luggage (guys, looks like you need to add a few fields to the Passenger Name Record), and as a reward the airline won't lose your luggage. Or at least, they'll notice when they do.

"What a nice suitcase you have... would be a shame if anything happened to it, no? How about joining our new RFID-tagging program for a small fee, and we'll make sure nothing... "bad"... happens to your luggage...?"

0
0

Higgs data shows alternate reality will SWALLOW UNIVERSE

Frank Bitterlich
Alien

Some people think it has happened already...

... or are there other explanations for the fact that I actually had to browse to the _second_ page of comments to find the first Hitchhiker reference?

0
0

Tennessee bloke quits job over satanic wage slip

Frank Bitterlich
Trollface

Want to make this guy go mad?

Anybody want to mail him this URL?

http://www.google.com/search?q=Slonopas+666

He'll probably sue Google afterwards.

0
0

Data cop slap for Brit text pests

Frank Bitterlich
Facepalm

Some Math...

OK, if they really sent out up to 840k messages per day (which seems a bit high to me), let's assume they did on average 100k messages per day and operated this for, say, one year, roughly 200 days (without the weekends and such). That makes some 20 million illegal text messages. A fine of 440k makes the steep price of £0,000022 per message. This is probably less than 1% of what they paid their operator.

So that's what "new powers to levy heavy fines" means. That will teach them. They will probably never do this again.

0
0
