* Posts by Paul Crawford

2161 posts • joined 15 Mar 2007

Ex-Microsoft Bug Bounty dev forced to decrypt laptop for Paris airport official

Paul Crawford
Silver badge
Black Helicopters

Re: They've probably captured her password now

That was my thought, that they wanted to record her password for whatever reason. I'm guessing that as she is a security expert she has now changed it, and it was never the same as anything else of importance.

What is a bigger worry is they have copied the encrypted HDD at another time (while sleeping, etc) and they wanted that to get access to it.

As another commentard has pointed out, best to have a 2nd account to demo a machine works so you don't have to decrypt your own files (assuming per-account encryption and not just full-disk).

Hmm, might need a tighter tinfoil hat now...

30
4

Facebook privacy policy change leaves Dutch stomping feet

Paul Crawford
Silver badge

Re: By all means...

No, the law should be where you do business. If FB is selling adverts to Dutch companies, even indirectly, then it should be forced to comply with Dutch laws.

Don't want to follow Saudi, NK, etc, laws? Then don't do business in those countries.

5
0

Healthcare: Look anywhere you like for answers, just not the US

Paul Crawford
Silver badge

Re: France

Keeping your own records sounds like a good idea, until they are needed in an emergency or the person finds they have lost them (or electronic copy is deleted, corrupted, HDD failed etc).

What we need ideally are central records that can only be accessed by staff treating you, and that you can see an audit of access if you want. And not being available otherwise, except as anonymous data for research.

10
0
Paul Crawford
Silver badge

Re: @Chris Miller

You are right.

However, the goal of a single and effective IT and management system across the NHS is a good idea, but government organisations (and a lot of private industry) seem to be useless at properly specifying and developing such a system, and the contracts inevitably go to the usual suspects who seem worse at software development than a room full of 2nd year comp sci students.

The answer? I don't know, but I guess that having a small group work with a couple of NHS trusts to prototype something, get proper feedback from those actually using it (not those who fear it, or those paying for it) and then pay more to scale & deploy it when proven would be a good start.

11
0

SpaceX six days from historic rocket landing attempt

Paul Crawford
Silver badge

Re: In world where news is mostly Celebs..

Well said sir!

8
7

The Reg's review of 2014: Naked JLaw selfies, Uber and monkey madness

Paul Crawford
Silver badge

Wrong term

"a back door named Shellshock"

That suggests it was designed and put in there by some agency who named it so. In fact it was just a by-product of some dumb design decisions/coding errors that became a real problem for some. Such as old web sites who passed user-supplied data *unsanitised* to bash, and obviously never met Bobby Tables.

4
0

Stale pizza, backup BlackBerrys, payroll panic: Sony Pictures mega-hack

Paul Crawford
Silver badge

Example to us all

Sony, up there with Gerald Ratner in the annals of business acumen!

Can't say I feel sorry for the board/corporate ethos at all, but it is pretty shitty for all of the ordinary folk who work/worked there.

2
0

Tor de farce: NSA fails to decrypt anonymised network

Paul Crawford
Silver badge

Re: I've said something before, which was ignored, but resulted in some personal discomfort...

The AES was the subject of a public competition with various cryptographers around the world studying the choices and weeding out obvious weaknesses, which is how it should be and leads to a strong and trustworthy standard.

That is not the same as saying the NSA, etc, might find a non-obvious (by global expert standards) weakness that speeds brute-forcing by some useful amount, nor that they might not have spent a small country's GDP on dedicated brute-forcing hardware to attack real high-value messages.

Nor is it the same as saying an implementation using the AES has not screwed up on not leaking the key, etc.

But it's a damn sight better than the Dual Elliptic Curve Deterministic Random Bit Generator where the NSA basically wrote the spec with known-to-them weaknesses!

0
0

Bong Ventures will NEVER bow down to terrorism: Our Tough Stance in FULL

Paul Crawford
Silver badge

Drat!

Well this goes some way to explaining why I could never find those horny MILFs. I must be holding it wrong...

8
0

Reg man confesses: I took my wife out to choose a laptop for Xmas. NOOOO

Paul Crawford
Silver badge

Often a Chromebook is the least-worst option for most users, and no matter what you get, you will get support hassle:

Windows: AV/virus problems, TIKAM not looking as old laptop did, old hardware like scanners, etc, often not being supported if it pre-dated 7 for drivers.

Mac: You need to buy Office again (unless balls-in-the-vice subscription to 365) or use LibreOffice and some other stuff will need a very different software/approach.

Linux: Same issues as Mac, but much more so.

Chromebook: Very limited capabilities, but OK for most folks FB/webmail and on-line shopping.

3
10

Microsoft promises open plan mobile Office. Who sits by the Windows?

Paul Crawford
Silver badge

Re: MS FYI

Adobe has even managed to bugger that aspect though:

http://www.quickpdflibrary.com/faq/if-this-message-is-not-eventually-replaced-by-the-proper-contents-of-the-document.php

1
0

Makers of Snowden movie Citizenfour sued by ex-oil exec

Paul Crawford
Silver badge

Re: For profit?

Underpants. You forgot the essential step in profit making...

2
0

Hilton, Marriott and co want permission to JAM guests' personal Wi-Fi

Paul Crawford
Silver badge

Well if it is not about money making but good cooperative networking practice, how about they offer free wifi so said hotspots are not needed?

65
0

Armouring up online: Duncan Campbell's chief techie talks crypto with El Reg

Paul Crawford
Silver badge

Re: Oh a Windows only article, how interesting - NOT.

Don't forget the swap space on any OS...

0
0

Dangerous NTP hole ruins your Chrissy lunch

Paul Crawford
Silver badge

Re: Alternate attack vectors?

Theoretically, yes, you could force machines' clocks back/forward to get round some time-related checks.

In practice it is harder as any sensible NTP system will be using 4 or more time sources to allow the rejection of bad sources (AKA 'false tickers'). Of course, if you p0wn all of the sources as all are on the LAN and no one considered an "inside job" for attack (as LDS pointed out above), then you are free to do so...

0
0
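The point about needing four or more sources is worth seeing in code. The block below is an added example, not code from the original post or from any NTP implementation: it uses a simplified Marzullo intersection over constructed offsets and error bounds (the source names and values are made up) to show that a mutually agreeing majority can be found and the outlier rejected, while with only two disagreeing sources no decision is possible.

```python
"""Why an NTP client wants several sources: with one or two, a 'false
ticker' cannot be told from the truth; with a majority that mutually
agrees, outliers can be rejected. Added illustration, not from the post
or from any real NTP daemon. Sample data is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Source:
    name: str
    offset: float   # measured offset of this source vs our clock (seconds)
    error: float    # estimated error bound around that offset (seconds)

    @property
    def interval(self) -> Tuple[float, float]:
        return (self.offset - self.error, self.offset + self.error)


def intersection(sources: List[Source]) -> Tuple[float, float, int]:
    """Marzullo's algorithm: the interval contained in the most source
    intervals, plus how many sources contain it."""
    endpoints = []
    for s in sources:
        lo, hi = s.interval
        endpoints.append((lo, -1))   # -1 marks an interval start
        endpoints.append((hi, +1))   # +1 marks an interval end
    endpoints.sort()                 # starts sort before ends on ties
    best = count = 0
    best_lo = best_hi = 0.0
    for i, (x, kind) in enumerate(endpoints):
        count -= kind                # starts increase the count, ends decrease it
        if count > best:
            best = count
            best_lo = x
            best_hi = endpoints[i + 1][0]   # a start is never the last endpoint
    return best_lo, best_hi, best


def select_truechimers(sources: List[Source]) -> Tuple[List[str], List[str]]:
    """Split sources into (truechimers, falsetickers). Without a strict
    majority agreeing on a common interval, nothing is trusted."""
    lo, hi, n = intersection(sources)
    if n <= len(sources) // 2:
        return [], [s.name for s in sources]
    good = [s.name for s in sources
            if s.interval[0] <= lo and s.interval[1] >= hi]
    bad = [s.name for s in sources if s.name not in good]
    return good, bad


def sample_sources() -> List[Source]:
    # Constructed: three honest sources a few ms apart, one shifted by 30 s.
    return [Source("ntp-a", 0.002, 0.005),
            Source("ntp-b", -0.001, 0.004),
            Source("ntp-c", 0.004, 0.006),
            Source("ntp-d", 30.0, 0.010)]


if __name__ == "__main__":
    print("four sources:", select_truechimers(sample_sources()))
    print("two sources: ", select_truechimers(sample_sources()[::3]))
```

With all four sources the 30-second outlier is identified as the false ticker; feed it only `ntp-a` and `ntp-d` and the function returns no truechimers at all, because two disagreeing sources give a 1-vs-1 split that nothing can break. That is the defender's reason for configuring several independent sources rather than one "trusted" one.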

Nork-ribbing flick The Interview AXED: Sony caves under hack terror 'menace'

Paul Crawford
Silver badge

Responsible criminals?

What, are they like film critics now?

" when the responsible criminals are apprehended."

I would have thought it should be "the criminals responsible", but maybe the first one is more accurate.

1
1

30,000 people buy a box of BOVINE EXCREMENT

Paul Crawford
Silver badge

Re: Ronseal -

Non-UK readers might not get that reference.

1
1

Chrome devs hatch plan to mark all HTTP traffic insecure

Paul Crawford
Silver badge
FAIL

Re: I'd consider "broken HTTPS" far more insecure than HTTP

Before worrying about sites that use HTTP for non-important data (OK, you may disagree with that) the world+dog needs to fix the massive hole that is SSL certificate issuing.

As it stands, you only need one signing agency to be compromised and-or paid-off/and-or politically pressured to get a cert for any site in the world. So of the 600+ (?) issuers, only 1 in 600+ need be knobbled to fail, that has to change. We need a system where any dodgy certificate is found out immediately by cross-checking with several brokers, and not accepted because one in that huge parallel chain failed.

5
0

Ofcom mulls selling UK govt's IPv4 cache amid IPv6 rollout flak

Paul Crawford
Silver badge

Re: @P. Lee

That was exactly my point, until the ISPs are offering unmolested IPv6 to customers (none of the "carrier grade NAT" crap), there is zero incentive for the customers to even consider having IPv6 internally.

Yes, IPv6 has a lot of stupidity in its design (not being v4 backwards by design, assuming no one might want NAT in their own system for other reasons, etc) but it is the only realistic way out of IPv4 exhaustion and to give properties with multiple devices an easy way to have external connections if they want (whether that is a good idea is, of course, another matter).

0
0
Paul Crawford
Silver badge

Oh FFS!

They are the industry regulators, just how damn hard is it for them to impose a time limit and fines on the operators? Set an achievable date of say 2016 and fine any ISP that has not provided working IPv6 as far as the customers, per day, after that date.

Of course, there will be customers without IPv6 support in older routers and end computers, but if the ISP-supplied kit is usable then any supported Windows, Mac or Linux PC is going to be just fine.

11
10

TalkTalk customers demand opt-out fix for telco's DNS ad-jacking tactics

Paul Crawford
Silver badge

Re: I'm not an expert but...

If/when I get a Virgin "Smart Hub" it will be put in modem mode and a proper router behind it...

4
0

BOFH: Capo di tutti capi, bah. I'm having CHICKEN JALFREZI

Paul Crawford
Silver badge

Re: The best part of the week...

I was thinking more corporate Merlin & Morgana le Fey myself, and Merlin usually has something up those wizard's sleeves...

7
0

US Navy's LASER CANNON WARSHIP: USS Ponce sent to Gulf

Paul Crawford
Silver badge

Re: Ouch, my eyes...

"if it blows up your eyes, it's illegal, but it's fine if it blows up your whole head"

AFAIK that is it, the convention prohibits weapons intended to cause permanent injury, but not if the goal is killing. A kind of twisted logic that makes sense in only a few situations :(

1
0
Paul Crawford
Silver badge

Re: Ponce

I wonder if they sang that on http://en.wikipedia.org/wiki/HMS_Venus_(R50) ?

At last we reached our station

Through skilful navigation

But the ship was sunk, on a wave of spunk

From too much fornication!

0
0
Paul Crawford
Silver badge

Re: HMS Unicorn

Indeed there is a HMS Unicorn, built in 1824 and still afloat in Dundee!

Not exactly in fighting condition, but if the gov makes any more cuts we might need to press-gang it into service once more :(

0
0

REVEALED: Titsup flight plan mainframe borks UK air traffic control

Paul Crawford
Silver badge

Re: Mirrored systems

We have had some experience of fail-over systems and it is much harder to make it work properly than you imagine at first. You have a few rather tricky issues to address:

1) On what conditions do you fail over? Total loss of one system is obvious (power off, kernel panic, etc) but what do you do if some part is down and others look OK? What exactly are the thresholds for action?

2) If you go for something more useful than total outage, how do you make sure it's not triggered by a temporary condition (flood of data requests, etc) that might push system load up higher than normal, but is in fact an acceptable short term condition?

3) When failing over, how do you ensure data completeness and integrity? If, for example, one hard drive on a NAS fails you could end up with partly written files and may not be sure of what the clients think was successfully written.

4) How do you avoid the "split brain" problem when one system takes over from what it thinks is a failed mirror, but that mirror is still doing stuff with shared resources? If you go for powering down the failed system (AKA "shoot it in the head", zombie apocalypse style) to be damned sure it's not meddling with shared stuff, how do you then avoid the risk of mutually assured destruction if both lose the heartbeat link and more or less simultaneously kill the other?

7
0
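Points 2 and 4 of the post above are the ones that bite most fail-over designs, and they can be made concrete. The block below is an added example, not code from the post or from any cluster product: a small decision routine that one node runs about its mirror, requiring a run of consecutive missed heartbeats before acting (so a transient stall is ignored) and an independent witness's view of the peer before fencing it (so two healthy nodes that merely lost their private link do not shoot each other). The node names, the miss threshold and the event traces are all constructed.

```python
"""Fail-over decision logic illustrating two pitfalls: a single bad
sample must not trigger fail-over, and a node may only fence ("shoot")
its mirror when an independent witness also cannot see that mirror.
Added illustration, not from the post; thresholds and traces are
constructed and hypothetical."""
from enum import Enum
from typing import List, Tuple


class Action(Enum):
    NONE = "none"                      # keep watching
    STAND_DOWN = "stand-down"          # we look isolated: release shared resources, shoot nobody
    FENCE_AND_TAKE_OVER = "fence-and-take-over"


class FailoverMonitor:
    """What one node decides about its peer on each heartbeat interval."""

    def __init__(self, name: str, miss_threshold: int = 3) -> None:
        self.name = name
        self.miss_threshold = miss_threshold   # hypothetical tuning value
        self.misses = 0
        self.is_primary = False

    def observe(self, peer_heartbeat_ok: bool,
                witness_reachable: bool, witness_sees_peer: bool) -> Action:
        if peer_heartbeat_ok:
            self.misses = 0             # a good heartbeat clears any run of misses
            return Action.NONE
        self.misses += 1
        if self.misses < self.miss_threshold:
            return Action.NONE          # point 2: could be a load spike or one lost packet
        if not witness_reachable:
            # Lost the peer AND the witness: more likely we are the cut-off one.
            return Action.STAND_DOWN    # point 4: never shoot on a hunch
        if witness_sees_peer:
            # The witness still sees the peer, so only our link to it is broken.
            return Action.NONE
        self.is_primary = True          # peer really is gone: fence it, then take over
        return Action.FENCE_AND_TAKE_OVER


# One step of a constructed trace for two mirrored nodes A and B:
# (a_hears_b, b_hears_a, a_reaches_witness, b_reaches_witness,
#  witness_sees_a, witness_sees_b)
Step = Tuple[bool, bool, bool, bool, bool, bool]


def simulate(steps: List[Step]) -> List[Tuple[Action, Action]]:
    """Run both nodes over the trace and return (A's action, B's action) per step."""
    a, b = FailoverMonitor("A"), FailoverMonitor("B")
    out = []
    for a_hears_b, b_hears_a, a_w, b_w, w_sees_a, w_sees_b in steps:
        out.append((a.observe(a_hears_b, a_w, w_sees_b),
                    b.observe(b_hears_a, b_w, w_sees_a)))
    return out


def scenario_heartbeat_link_cut() -> List[Tuple[Action, Action]]:
    # Both nodes healthy; only the private heartbeat link between them failed.
    return simulate([(False, False, True, True, True, True)] * 4)


def scenario_peer_crashed() -> List[Tuple[Action, Action]]:
    # B is dead: A cannot hear it and neither can the witness (B's own
    # "decisions" are moot, it is not running).
    return simulate([(False, False, True, True, True, False)] * 3)


def scenario_transient_stall() -> List[Tuple[Action, Action]]:
    # B stalls for two intervals under load, then recovers.
    return simulate([(False, True, True, True, True, True)] * 2
                    + [(True, True, True, True, True, True)])


def scenario_a_isolated() -> List[Tuple[Action, Action]]:
    # A's network is gone: it hears neither B nor the witness.
    return simulate([(False, False, False, True, False, True)] * 3)


if __name__ == "__main__":
    for fn in (scenario_heartbeat_link_cut, scenario_peer_crashed,
               scenario_transient_stall, scenario_a_isolated):
        print(fn.__name__, [(x.value, y.value) for x, y in fn()])
```

Remove the witness check and the first scenario ends with both nodes fencing each other on the third interval, which is the mutually assured destruction the post describes; remove the miss threshold and the third scenario fails over on a two-interval hiccup. Point 3 (data integrity of half-written files) is not addressed here, since it needs the storage layer's journalling or client-side acknowledgement rather than a heartbeat rule.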
Paul Crawford
Silver badge

Re: Damn, these guys are good

You could argue: Never have a system that you can't manually work around for the time when (not "if") it goes tits-up.

Massive inconvenience, true, but not one died so that is a pretty good outcome.

10
0
Paul Crawford
Silver badge

Re: User submissions need pre-check

I want a flying shark, even without the laser it would be a cool thing!

Oh and while I am dreaming, a castle or island lair so I can have a moat for said flying sharks to frolic.

2
0

Speaking in Tech: Sony breach proves you can NEVER defend perimeter

Paul Crawford
Silver badge

Re: Of course

Agreed:

1) Defend your perimeter as far as is reasonable.

2) Assume the enemy is already inside said perimeter...

3) Segment internal machines and protect them from what (2) suggests.

4) Don't forget printers and other systems that never get security updates...

1
0

Ford dumps Windows for QNX in new in-car entertainment unit

Paul Crawford
Silver badge

Re: Honestly ...

On the same hardware?

Really?

2
0

UK flights CRIPPLED by system outage that shut ALL London airspace

Paul Crawford
Silver badge

Re: Edinburgh

"I expect the right answer"

Which is: they are both a bunch of lying, thieving, two-faced, thieving bastards...

0
0

Solar sandwich cooks at 40 per cent efficiency

Paul Crawford
Silver badge

Re: Professor Green?

It was done by Professor Green with a telescope in the Observatory!

Or was it by Miss Scarlet with a strap on in the basement?

Any clues?

12
0

How HAPPY am I on a scale of 1 to 10? Where do I click PISSED OFF?

Paul Crawford
Silver badge

Re: OK

Yes, people need to get priorities straight and that means *useful* screening and not the various pointless additions (like 100ml fluids) that were knee-jerk reactions to a failed terrorist attempt. They are winning you know, not by blowing us up but by wasting our lives and freedom by knee-jerk reactions.

Incidentally can anyone cite a case of the new THz scanners actually leading to an arrest or something to justify the additional invasion of privacy?

4
0

'We're having panic attacks' ... Sony staff and families now threatened in emails

Paul Crawford
Silver badge

Re: Err...

Is this the plot of a new film script? Sounds interesting...

0
0

One year on, Windows 8.1 hits milestone, nudges past XP

Paul Crawford
Silver badge

Re: "security swiss cheese known as linux"

Indeed, so many desktops running Linux are hacked, infested with malware and pointless browser toolbars and parasitic AV software that didn't do its job, leaving the poor users to wipe & re-install from scratch, and left hunting for their license key to re-enable the OS and the recovery DVD they (failed to make) made when it was new.

Oh wait, got the wrong OS...

3
0

Orion 'Mars' ship: Cosmic ray guard? Go. Parachutes? Go. Spacerock shield? Go!

Paul Crawford
Silver badge

Re: Disappointed!

Nothing like my disappointment!

This isn't the Orion spacecraft I was hoping for...

This is: http://en.wikipedia.org/wiki/Project_Orion_(nuclear_propulsion)

12
0

Deloitte's files on bean counters swept up in Sony hack stash – report

Paul Crawford
Silver badge

Re: A Silver Lining?

"any of them online could only come from one source so it will be easy to trace the downloaders and sue them several hundred gazillion dollars"

Oh please tell me the torrents were seeded from Sony machines before this hack was discovered? The irony would be delicious and good for my red blood cell count...

2
0

IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

Paul Crawford
Silver badge
Joke

But not long enough for bad women!

2
1

Musicians sue UK.gov over 'zero pay' copyright fix

Paul Crawford
Silver badge

How would compensation work? A tax on blank CDs (a past technology for music transfer), or on HDDs, and if so how is it calculated? Given a 4TB disk could hold millions of songs, should it be taxed to the £1k range?

The other side of this coin is the question of pirating, if you have already paid compensation on your audio equipment for the right to copy, why should it matter where you copied from? In such a case it is going to end very badly for the music industry.

Finally, how is this done in the USA where "fair use" AFAIK allows copying without a fee? Do they offer compensation for it, and if not, why should the EU?

(Just to say I do believe musicians deserve compensation for their work, but this seems an unworkable position that you deserve compensation for what has been allowed for years and is seen as "fair use").

13
0

Google dodges 'costly' legal precedent, settles Daniel Hegglin case

Paul Crawford
Silver badge

Yes, but it's easier to shoot messengers.

8
3

Windows Phone will snatch biz No 2 spot from Android – analyst

Paul Crawford
Silver badge

Re: Telling...

I think the answer is so many people, in particular high up in the company, just don't want a Windows phone/tablet. Have you ever tried to use a typical non-tech person's home Windows PC (not an El Reg reader) that is more than a few months old? It is a horrific experience of bloat, advert tool bars, shitty trial-ware AV, etc.

So when they first used an iPad or iPhone with near instant resume, slick UI and more or less "just working" experience they liked it and wanted it for work.

Of course a large scale corporate deployment by a good Windows admin person is easier and in most ways better than wrangling iOS, but it seems not to be what enough important folk want.

2
0

Renewable energy 'simply WON'T WORK': Top Google engineers

Paul Crawford
Silver badge

Re: I seem to remember

It is a good approach, but not many places are suited to using it (i.e. close to the magma's heat). Iceland is a good example, but few others I can think of.

5
0
Paul Crawford
Silver badge

Re: reducing energy consumption

The big things we need for comfort, like heat and clean water and being washed more than twice a year are not something we really want to give up.

Transport is another that we could do much better on, but ain't going away so long as we operate efficient farming, etc, that moves large amounts of stuff globally.

And we have a LOT of folk still in 3rd world misery and they also deserve something better.

So efficiency might help a bit, like 20-50% perhaps, and reducing birth rate would help a lot long term, but really the Google guys are right - we need so much energy for a comfortable life that when either fossil runs out or it screws our climate beyond achievable farming and population relocation changes, we are fscked.

Unless we do something now about large scale generation that is not fossil based.

38
5

Download alert: Nearly ALL top 100 Android, iOS paid apps hacked

Paul Crawford
Silver badge

Re: Fabulous news

I'm sure the official+cracked apps need all those permissions for a good reason.

Fixed it for you...

0
0

'Most advanced mobile botnet EVER' is coming for your OFFICE Androids

Paul Crawford
Silver badge

Just shows if you give an ignorant person the ability to install crap with system-wide capabilities then you get Trojans.

14
0

YOU are the threat: True confessions of real-life sysadmins

Paul Crawford
Silver badge

Re: So in short, you've four motivations to look out for.

Everyone has their price, it's just a shame it's so low in some cases.

Really you need to plan for people making mistakes or doing the wrong thing, and have arrangements to detect and correct that as far as possible. Often that costs money or causes inconvenience though so it's not done...

2
1
Paul Crawford
Silver badge

Re: One trick I heard of..

They were kind. The alternative punishment/time-waste is to send them to a meeting to suffer hours of "death by powerpoint"!

But seriously, the problem in some cases is they only have one admin, or only one that ever looks after XYZ systems, so on antagonistic exit (or a bus accident, etc) they find they can't do anything due to a lack of passwords or alternative admin accounts.

Businesses, particularly those with only one admin person, should have a policy of root passwords being written down and kept in a safe and regularly tested to ensure they still allow access, and that password changes are recorded and done for good reason[1].

[1] Changing periodically to me is dumb, it just promotes writing stuff down in insecure places. For example, changing once per year would give a hacker a mean time of 6 months to do stuff. Just how long do you need to set up shadow accounts, email redirects, etc?

However, if you think a compromise might have occurred, or someone leaves, then changing is essential.

0
0

HUMAN DNA 'will be FOUND ON MOON' – rockin' boffin Brian Cox

Paul Crawford
Silver badge
Joke

Re: Christ on a bike!

I am sure they already have enough DNA from the various "pluck'em, fuck'em, chuck'em" alien sex tourism experiences that red-neck abductees report...

7
0

YIKES: Combination of LIVING WOMAN and MACHINE sighted in NYC

Paul Crawford
Silver badge

Snake skin?

Most women I know would want nothing to do with snake skin.

Alas the bit "Intel is hoping that women are eager to strap a rather flashy, blinged-up gizmo" quickly disappointed me when I read it was the wrist upon which the gizmo would be strapped on.

3
0

Cries of spies as audit group finds possible 'backdoor' in Bittorrent Sync

Paul Crawford
Silver badge
FAIL

Re: Dan 55

I take that back, just had a cursory look at the code and found stuff like this without any comments:

    bs, _ = base64.StdEncoding.DecodeString("H4sIAAAJbogA/0SPsW4iMRCG+3sKM0I6W7L8AKCrTtw16ZIOURh7nDXx2pvxLAQtvHucJZBuPP413/fb/DomS6YvfkwoYbDV2TQQuo4Nk801WUZQJljHhc4Slo/tM1uO7l9MWJ+K9Uigt7B8Bw3LjnkAHcbsOJYsrd6riZBHyuKxdGqKQS7c5bJwphFD/JjHOoY2Ku6onETGk9gQFZLwt4zJ598sUoOJOsNF+KJrkYu4XRCFxO2AqAO6GCL6Baj10ZLwf6zxGJCkWn/L7OU0Ulpt7wLamTc867vEzhxKzBJA6R65K34F/zcvoAdLtq8rgKtqSeewVvlTVk3eENaSjtgeLYJzgUfg9n9Ax3LGtYj2TaD0seL1ulPrX58AAAD//wEAAP//1rAncZcBAAA=")
    gr, _ = gzip.NewReader(bytes.NewBuffer(bs))
    bs, _ = ioutil.ReadAll(gr)
    assets["angular/angular-translate-loader.min.js"] = bs

So sorry "Syncthing" but unreadable code for me means untrustworthy code.

5
0
