* Posts by Paul Crawford

2996 posts • joined 15 Mar 2007

NSA boss reveals top 3 security nightmares that keep him awake at night

Paul Crawford
Silver badge

Simplified list

All 3 points come down to one basically: We, as people, have accepted piss-poor security in so many computer applications for years, but now we have put important stuff within an electronic arm's reach of world+dog to have a go if they feel like it.

The current arguments about cryptography for law enforcement, etc, are a stupid distraction flamed by clueless politicians and civil servants and distract from the above. We have found ways of catching and prosecuting criminals when they talked in person and did not write stuff down for many many years, so while it might be nice to get phone contents, it should not be necessary.

Sadly we need to start making a big deal about businesses and gov departments that expose important stuff (from personnel/medical records, through to infrastructure like power and gas) to the world, and/or collect sensitive stuff they don't really need. Make damn sure that those in charge can face personal prosecution if they fail to manage the process, fail to have a system in place to check and fix things, and fail to get outside support to check it's good enough.

40
0

Google Project Zero reverse-engineers Windows path hacks for better security

Paul Crawford
Silver badge

Re: : in a path name ?

Actually most *nix systems allow any character in directories or file names except '/' (the directory separator) and the NUL 0x00 used for C end-of-string.

It is the command shell like bash, etc, that treats ':' and '*' and so on as special, and also it is the shell that treats a space as a command delimiter as well, unless you quote or escape-sequence the name. E.g. this won't work

cd my directory

As it treats 'my' and 'directory' as separate inputs, but these do work:

cd "my directory"

cd my\ directory

Since they tell the command shell to treat the space as part of a single string passed to the 'cd' command. Windows has similar problems with command-line use, it is just that few people use it or write scripts for it to complain as much.

18
0
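As an added illustration (not code from the comment above, and not from Project Zero), the C program below makes the same point in two halves: it asks the kernel directly, via mkdir(), to create directories with the awkward names, and then feeds the three 'cd' command lines from the comment through POSIX wordexp(), which applies the same word splitting, quote removal and globbing a shell does. The sample names and the use of /tmp are assumptions for the demo; a NUL byte cannot be shown because a C string cannot contain one, and "a/b" is included to show the one separator the kernel really does reject.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <wordexp.h>

/* Added example, not code from the original comment.
 * Create a directory called 'name' inside a fresh temporary directory using
 * the mkdir() system call, i.e. with no shell involved at all. Returns 1 if
 * the kernel accepted the name, 0 if it refused (or the temp dir failed).
 * Assumes /tmp is writable. */
int kernel_accepts_name(const char *name)
{
    char tmpl[] = "/tmp/namedemoXXXXXX";
    char path[4096];
    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/%s", tmpl, name);
    int ok = (mkdir(path, 0700) == 0);
    rmdir(path);   /* harmless if mkdir() failed */
    rmdir(tmpl);
    return ok;
}

/* Run a command line through POSIX shell word expansion (wordexp(3)) and
 * return how many words a shell would hand to the command, or -1 if the
 * line is not valid shell input. WRDE_NOCMD forbids $(...) substitution. */
int shell_word_count(const char *cmdline)
{
    wordexp_t we;
    if (wordexp(cmdline, &we, WRDE_NOCMD) != 0)
        return -1;
    int n = (int)we.we_wordc;
    wordfree(&we);
    return n;
}

int main(void)
{
    /* constructed sample names: space, colon, glob char, tab, and a slash */
    const char *names[] = { "my directory", "a:b", "star*name", "tab\there", "a/b" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("kernel accepts [%s]: %s\n", names[i],
               kernel_accepts_name(names[i]) ? "yes" : "no");

    /* the three command lines from the comment */
    const char *lines[] = { "cd my directory", "cd \"my directory\"", "cd my\\ directory" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-22s -> %d words\n", lines[i], shell_word_count(lines[i]));
    return 0;
}
```

The unquoted line expands to three words ('cd', 'my', 'directory') while the quoted and backslash forms expand to two, which is exactly the split the comment describes: the filesystem never saw anything special, the shell did. The same logic is why scripts that build command lines by string concatenation from file names are a classic injection bug; anything that passes names around should keep them as separate argv entries rather than re-parsing text.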
Paul Crawford
Silver badge

Re: win32? in 2016? really???

Stupid enough to want your software to run on W2K - XP - Vista (cough) - Win7 - etc rather than the latest privacy slurping version only?

And not finding your latest API is pulled from below you if MS decides to change again (how is that Silverlight project going)?

MS has a lot of stupid past decisions to support, and practically the only real argument for choosing Windows has been compatibility with the vast range of so-called legacy software, so sad though it may be, this is still important work. Of course, MS could just open-source the legacy path code so we can see for sure and save this reverse engineering trouble and uncertainty...

9
5

Institute of Directors: Make broadband speeds 1000x faster than today's puny 2020 target

Paul Crawford
Silver badge

Re: 10Gb to the home?

You seem to forget this is 14 years from now. 14 years ago 1Gbit was a dream for most, and now all PC motherboards come with GBit ports, and a lot of home routers are Gbit.

Oh yes, sorry forgot about laptops even with £1k price tags with no Ethernet and relying on WiFi that struggles to get 10Mbit on a good day in a built-up area...

0
0

Confirmed: IBM slurps up Bruce Schneier with Resilient purchase

Paul Crawford
Silver badge

Re: Does this signal a change?

Maybe, but most businesses see taking sane precautions as an unnecessary expense. Until they get well and truly shafted, that is, and then it was "a bad boy did it and ran away!"

2
0

Computers abort SpaceX Falcon 9 launch

Paul Crawford
Silver badge

Re: ICBM

No last minute reprieve there then!

They might be able to disarm the warhead in flight, or possibly change the target coordinates even. That would make a big difference to the outcome...

0
0

Car-makers, telecoms bodies push standards for self-driving vehicles

Paul Crawford
Silver badge

Re: Dumb idea?

So why do they keep telling us that reliable communication systems are essential?

It's almost like they are dependent on vast server farms somewhere, and don't quite want to say so...

5
1
Paul Crawford
Silver badge

Dumb idea?

computer-aided driving will depend on "upgraded communication systems that provide higher performance levels in terms of latency, throughput and reliability of the network"

Really? So what will said self-driving car do when it ventures on to one of the many rural areas that is lucky to get GPRS on a good day? Or if, say, there is another GPS blip that takes out comms networks?

Self-driving cars need to be able to deal with other vehicles that are not on the network, due to faults or them still being driven by meat bags, so reliance on communications of any sort is a really dumb idea.

8
2

Linux lads lambast sorry state of Skype service

Paul Crawford
Silver badge

Munich?

http://www.techrepublic.com/article/no-munich-isnt-about-to-ditch-free-software-and-move-back-to-windows/

http://www.zdnet.com/article/munich-sheds-light-on-the-cost-of-dropping-linux-and-returning-to-windows/

Unless you have more *recent* news?

12
1

The other one. No, not WhatsApp. Telegram. It hit 100 million users

Paul Crawford
Silver badge

Just like we should believe that WhatsApp is not backdoored by the NSA?

Choose your messaging system based on (a) how public the code / analysis / review is, or more likely (b) on who is most likely to be interested in screwing you over for personal reasons.

5
0

'I bet Russian hackers weren't expecting their target to suck so epically hard as this'

Paul Crawford
Silver badge

Re: Argh

You have identified two problems with the example:

1) The comments / "documentation" is misleading, that is not what it is testing!

2) The code is a convoluted way of trying to express what (I believe) is being tested.

Better would be something like an is_data_null() test to see if the pointer is null or empty or a 'blank' string, then to return if alpha fails this "null" test but omega passes it.

1
0
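An added sketch of the helper the comment proposes (this is not code from the article or from the commenter; 'alpha' and 'omega' are assumed to be C strings that may be NULL):

```c
#include <ctype.h>
#include <stddef.h>

/* Added example, not code from the article or the comment.
 * True when there is no usable data: a NULL pointer, an empty string, or a
 * string made only of whitespace ('blank'). The cast to unsigned char keeps
 * isspace() well-defined for bytes >= 0x80. */
int is_data_null(const char *s)
{
    if (s == NULL)
        return 1;
    for (; *s != '\0'; s++)
        if (!isspace((unsigned char)*s))
            return 0;
    return 1;
}

/* The condition the comment describes: bail out only when alpha carries no
 * data but omega does. One readable line, and it never dereferences NULL. */
int should_return_early(const char *alpha, const char *omega)
{
    return is_data_null(alpha) && !is_data_null(omega);
}
```

The point of pulling the three cases into one named predicate is that the comment above the call can then say what is actually being tested, and a reviewer can check the NULL handling in one place instead of in every strlen() call.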

Bill Gates denies iPhone crack demand would set precedent

Paul Crawford
Silver badge

"In order to comply with this order, Apple need to build software to work on a particular IMEI and S/N of this phone"

Fixed it for you.

Next week it's a new IMEI and S/N, week after a few dozen more... Come Xmas holidays Apple are being told by the courts to avoid excess costs and just do a tool for the gov that handles every confiscated phone in the USA. Meanwhile in Russia and China they are lining up for the same service...

6
0

UK court approves use of predictive coding for e-disclosure

Paul Crawford
Silver badge
Gimp

Re: It was Professor Plum in the dining room with the lead pipe.

No! It was Miss Scarlet, in the basement, with a strapon...

1
0

German mayor's browser tabs catch him with trousers down

Paul Crawford
Silver badge

Re: the upside

From your link about the Reeperbahn:

"The hottest clubs on the Reeperbahn and Hamburger Berg open, with Irish pubs and Hans-Albers-Platz packed full of live music."

Really, no one goes to German pubs in Germany?

1
0

ADpocalypse NOW: Three raises the stakes

Paul Crawford
Silver badge

Re: Inferring a bit too far

"Shouldn’t a web page get to the user just as the originator intended?"

Er, did the creator of the page also create the adverts? Or are they a parasitic aspect that is relied upon to pay bills?

That is a BIG difference in the net neutrality stakes - one is allowing the end user to choose what they want without interference, the other is allowing the web hosting to push whatever they want without interference.

Andrew is right in one respect though: it is high time that funding of content was properly considered and not left to the cesspool of advertising.

27
2

UK carrier Three in network-wide ad-block shock

Paul Crawford
Silver badge

@ Ledswinger

There is more to this than simply the goal of 3 to get additional payments (the "fighting net neutrality in the advertising space") as mobile networks are generally congested and if they can cut bandwidth use for *everyone* by around 30% or more due to blocking bloated ads, then it will help end users a lot.

While I have no sympathy for advertisers due to the highly intrusive and resource-hogging sh*t they push, I do have reservations about what this will mean long-term for equal access if only the big hosts can pay to push their sh*t.

3
0

Locky ransomware is spreading like the clap

Paul Crawford
Silver badge
Trollface

Sounds like a BOFH story :)

0
0
Paul Crawford
Silver badge

"If you are logged in as a domain administrator and you get hit by ransomware"

You should seriously be considering a change of job?

29
0

Your anger is our energy, says Microsoft as it fixes Surface

Paul Crawford
Silver badge

Re: Just setup a few Surface Pro 4

Sure that helps. But you should not have to do any of that for a stable and privacy-respecting machine.

4
0

Bulk sensitive data slurp? You can't stand under our umbrella-ella-ella – EDPS

Paul Crawford
Silver badge

Re: @national security purposes

It's far worse than "any bollocks we chose to call national security" because it's any bollocks another government, over which we have no democratic input, chooses to call national security.

That is a big point - while I have serious doubts about the integrity of my own government, at least I have a vote in the matter. Far from perfect, but something others have fought and died for.

1
0

US Dept of Defense to shift 4 million devices onto Windows 10

Paul Crawford
Silver badge
Joke

Re: systemd

I presume? I guess they wanted something that would know what svchost.exe was up to....

3
0

Go full SHA-256 by June or get locked out, say payments bods Bacs

Paul Crawford
Silver badge

Using XP is fine so long as you don't have it on the Internet. So run old software in a VM of XP if you want, but as you say - not for internet banking, remotely accessible SCADA, etc.

2
0

Why Tim Cook is wrong: A privacy advocate's view

Paul Crawford
Silver badge

Re: This is wishful thinking

If you read the slashdot article you see why - the limit on brute force is largely in the crypto chip. The key used for the data is massive - 256 bits symmetric AES - and is largely revealed by the crypto chip on success, so it's not a 4-6 digit PIN worth of tries. So the options are:

1) Brute-forcing a 256-bit key, possible with NSA resources I guess, but a serious challenge.

2) Somehow compromising the crypto chip. How hard that is depends on its design, maybe it can be done due to sloppy mistakes, or maybe it really is properly tamper-proof and then Apple's position is 100% correct - it simply can't do it.

4
0

China 'evacuates' 9,000 around monster radio 'scope

Paul Crawford
Silver badge

Re: Humans gone

Unless your goat has WiFi it's not a problem...

23
0

Good thing this dev quit. I'd have fired him. Out of a cannon. Into the sun

Paul Crawford
Silver badge
Pint

Re: anything so modern as fortran 77?

Converting FORTRAN IV from https://celestrak.com/NORAD/documentation/spacetrk.pdf into C was not much fun, but sadly it was necessary to have any sane way forward. Start with f2c conversion, spend time sorting out the weird functions it used to make Fortran-like calls (i.e. by reference) instead of C-like (usually by-value) and finally work out how to restructure the code so it looked sane and still worked.

Oh, and a subroutine with multiple ENTRY points also had to be converted, but thankfully it was just a dodgy way of having shared auto-allocated (implicit declaration & typing) variables. Anyone writing Fortran without "implicit none" deserves a serious slapping!

Needed oh so much =>

7
0
Paul Crawford
Silver badge

Re: Really a GIT

Where was the GIT repository, as surely you did not have just one copy?

And the machine's backups?

0
0

Firemen free chap's todger from four-ring chokehold

Paul Crawford
Silver badge

Re: @x 7

The Circus of Horrors is a good show - can highly recommend it. Not just for the dwarf & Henry, but all do a good and amusing job of entertaining!

1
0
Paul Crawford
Silver badge

Re: I'll bet the fireman didn't get the title "Lord of the Rings"

Did he use a King Dick spanner, that is the question we all want to know:

http://www.kingdicktools.co.uk/

0
0
Paul Crawford
Silver badge
Gimp

Re: @Graham Marsden

That, sir, is most definitely NSFW!

Pro tip - set your browser to always open a single tab on your safe home page. Today I had an accidental viewing of your link on opening Firefox, they must think I am a part-time gimp now...

0
0

Boffins' gravitational wave detection hat trick blows open astronomy

Paul Crawford
Silver badge

Step 1 done

Big kudos for having detected gravity waves - that is awesome science.

But...no one has yet established they travel at the speed of light. Establishing THAT would be pretty conclusive proof of the theory. Any other speed opens a new can of space-time worms...

2
0

How one of the poorest districts in the US pipes Wi-Fi to families – using school buses

Paul Crawford
Silver badge
Joke

"You should see the amount of data being used by these kids,"

Translation - they discovered on-line pr0n

12
4

Offers? Opera's board likes Qihoo, says shareholders should too

Paul Crawford
Silver badge

Re: Firefox, meet Opera

Have an up-vote sir!

Firefox needs to be *different* from Chrome and better in a way that users appreciate, things like:

1) Not sucking. Seriously, try to keep memory use, etc, under control.

2) Value privacy. This might mean returning 'anonymous' browser info so everyone's installation looks largely the same (maybe just info that might be needed by the web site or useful for stats, such as major browser and OS versions, something like ~3 bits entropy)

3) Value privacy. For the hard of thinking, again, think! Do stuff like small dither to drawing so browser fingerprinting (like canvas draw / hash) is different *every* time they test on the same machine.

4) Respect the user's wishes. So offer the ability for all audio/video and animated images to be "click to play". I do not want web sites to start stuff in adverts, etc, and waste my bandwidth and patience. If it's worth it, *I* will choose to play it.

5) Allow legacy plug-ins on demand. Sure they are not secure but there is a shed load of stuff out there that might be wanted. Make it default-off, of course, but still give me the *choice*.

6) Don't dick around with the GUI for no bloody good reason.

5
0

Flash flushed as Google orders almost all ads to adopt HTML5

Paul Crawford
Silver badge

Better still - just ban all animated and/or sound producing ads, any images over 100kB or so, and anything with java/javascript. Then so much of the ad-blocking needs would go away...

15
0

Scary RAM-gobbling bug in SQL Server 2014 exposed by Visual Studio online outage

Paul Crawford
Silver badge

Re: Yes, but why pizza?

It's what you feed software people when they have to work late to fix something, along with some coffee.

Whereas the rest of the time they just eat pizza.

0
0

Security? We haven't heard of it, says hacker magnet VTech

Paul Crawford
Silver badge

Re: I've never understood why parents buy this crap

Probably more secure as well...

2
0

Microsoft researchers smash homomorphic encryption speed barrier

Paul Crawford
Silver badge

So you have the key stored somewhere in the program's memory to run the operations on the encrypted data, instead of both the key and some plaintext in memory?

I guess it's a bit less likely to get slurped, but if the machine is compromised enough to allow reading arbitrary blocks of memory, isn't the key also vulnerable to this? In the conventional system I guess you could zero the memory after using it so the plaintext was short lived (if that really is the nature of the risk it is mitigating) and be a damn sight faster.

1
1

Who would code a self-destruct feature into their own web browser? Oh, hello, Apple

Paul Crawford
Silver badge

Re: I know how this feels

Once upgraded a video card in my work Linux machine and it would randomly crash. Spent hours and hours of frustrating time with video drivers of various release versions and even a new kernel. Went back to old card and setting and STILL crashed!

Turned out the PSU was on its way out and the power cycling was the last straw. Changed that and all was fine, except for two days of my life wasted :(

1
0

Microsoft explanation for Visual Studio online outage leaves open questions

Paul Crawford
Silver badge

Yes, it pisses down on you from time to time.

4
1

Lights out for Space Vehicle Number 23: UK smacked when US sat threw GPS out of whack

Paul Crawford
Silver badge
Trollface

Re: Dependency exposed

Maybe the USAF should have a "happy hour" once a week then turn civilian GPS off just for shits & giggles. Certainly would focus people's minds on any dependency on an assumed-benevolent foreign power :)

8
0
Paul Crawford
Silver badge
Trollface

Funny that: Digital radio, that can't report the new year's bells on-time due to the various processing delays, falls over when there is a timing glitch of tiny proportions, while analogue FM just keeps working as they never assumed precise synchronisation of transmitters in the first place.

18
0

Microsoft showers Office 365 sellers with gold in Google snub

Paul Crawford
Silver badge

I find Google docs great for collaboration, but ultimately I don't trust any of them.

They (MS & Google, etc) can and do change products and T&C without giving a toss about the products, sorry, customers and I don't fancy my data being under USA jurisdiction no matter how much they protest about caring. Before Snowden revealed PRISM they were quite happy to cooperate with the US Gov secret requests and accept payment for them. Remember that...

5
1
Paul Crawford
Silver badge

Re: M$ doesn't need to compete with Google on price...

Really? Just tried composing using Gmail (Chromium browser on Linux) and no, it won't accept wugahumphtuma or color instead of colour. But maybe that is just my sane installation doing the spell-checking locally?

However, Google docs is accepting US spellings as well as UK spelling. Having said that, just how many installations of Word, etc, do you see with US spelling enabled?

4
4

Google ninjas go public with security holes in Malwarebytes antivirus

Paul Crawford
Silver badge

Re: Removes the HDD from the machine and scan it with another PC

Or use one of the "rescue CD" images from Bitdefender or Kaspersky to boot the troubled machine and check for the biggest problems first.

0
0
Paul Crawford
Silver badge

Two reasons I can think of:

1) The design is such a clusterfsck that there is no sane way to fix it short of a major re-write.

2) They won't (or can't) allocate sufficient competent programmer time to fix it.

In either case it is software I don't want to have dealings with.

11
1

When customers try to be programmers: 'I want this CHANGED TO A ZERO ASAP'

Paul Crawford
Silver badge

Volatile?

That example was (presumably) an easy one, no change to tested variable/condition.

What does catch folk out is when "SUCCESS" is supposed to be changed in some asynchronously called function (interrupt, or signal), maybe in another file, in which case the bug is usually not declaring it as 'volatile' and the compiler optimises the test to an endless loop, instead of checking the memory location "just in case"

5
0
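An added, runnable illustration of the 'volatile' point (not code from the article or the comment; the use of SIGALRM and a one-second alarm is an assumption chosen so the asynchronous write really comes from outside the loop):

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Added example, not code from the article or the comment.
 *
 * The flag is written from an asynchronous context (here a SIGALRM handler)
 * and polled from the main loop. 'volatile' makes the compiler reload the
 * value on every iteration instead of hoisting a single load out of the
 * loop; 'sig_atomic_t' is the only integer type C guarantees can be read or
 * written atomically with respect to a signal handler.
 *
 * The broken form the comment describes would be:
 *     static int success;          // no volatile
 * With optimisation on, nothing in the visible code changes 'success', so
 * 'while (!success) ;' may legally be compiled as 'for (;;) ;'. That
 * version is not included because its behaviour is undefined and varies
 * with compiler and -O level. */
static volatile sig_atomic_t success = 0;

static void on_alarm(int sig)
{
    (void)sig;
    success = 1;   /* a plain store to a sig_atomic_t is async-signal-safe */
}

/* Arm an alarm for 'seconds' and spin until the handler flips the flag.
 * Returns the number of loop passes (>= 1 once the signal lands), or 0 if
 * the handler could not be installed. */
unsigned long wait_for_success(unsigned seconds)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return 0;

    success = 0;
    alarm(seconds);
    unsigned long spins = 1;   /* count this pass even if the signal is immediate */
    while (!success)           /* real memory load each time because of 'volatile' */
        spins++;
    alarm(0);                  /* cancel any alarm still pending */
    return spins;
}

int main(void)
{
    return wait_for_success(1) > 0 ? 0 : 1;
}
```

Note that 'volatile' only fixes the compiler hoisting the load; it says nothing about ordering between threads on a multi-core machine. For a flag shared between threads rather than with a signal handler, use the C11 atomics (_Atomic / atomic_load) rather than 'volatile'.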

Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal

Paul Crawford
Silver badge

So has the US dropped the secret court orders and the demands that companies comply and do not reveal that data was requested?

8
0

Disputed eBay platform vuln poses ‘severe risk’ to tat bazaar's users

Paul Crawford
Silver badge

Re: Wrong culprit?

The javascript might not do anything much itself, but it allows all sorts of nasties such as flash or PDF documents to be directed at the user, and at the very least it would allow a 3rd party to pass itself off as eBay pretty effectively given they are on that site, so stealing username/password and so on with a little social engineering is trivial.

1
0

Firing a water rocket to 1km? Piece of cake

Paul Crawford
Silver badge

Not in this case. More generally there is an issue for rockets not wanting to reach too high a speed low down in thick lower atmosphere due to drag (and possible heating) but they ain't getting high enough for that!

3
0

Little warning: Deleting the wrong files may brick your Linux PC

Paul Crawford
Silver badge

Re: a way to make "rm" command safer?

There is "safe-rm" that has a blacklist of "dumb to try deleting" checks on what you ask for, and I think most modern versions of rm need '--no-preserve-root' if you give them '/' as the argument before destroying your OS (to catch mistakes like "rm -rf / tmp/*" where you mistyped, adding space in /tmp/*).

0
0

Euro-security group ENISA notices cars are insecure, plots fixfest

Paul Crawford
Silver badge

Not just security

It is other safety and practical issues related to the stupid muppets in marketing, etc, deciding that everything must be push-button and app-controllable along with a move away from simple low-risk control approaches. We have in no particular order:

Toyota ECU design faults causing runaway and crashes

Ford recall as "off" button not stopping the engine (WTF was wrong with a switch in the MCU power line? Same question to you Toyota?)

Jaguar door unlocking silly buggers

And on, and on, ...

3
0
