One could well ask what NSA/GCHQ has done to protect us. They should have known of such insecurities, so are either incompetent at their jobs (unlikely), view the protection of consumers against such scams as beneath them, or have such a warped paranoid world-view that maintaining hacking capabilities is more important than actually protecting us (most likely).
2161 posts • joined 15 Mar 2007
Re: Can someone please explain
Cheap outsourced coding monkeys?
Graduates not taught about security and made to run automated tests for it?
Web sites developed by consultancy then never updated?
Developers wanting (or being told to by PHB) to prioritise shiny over robust?
I don't know really, but those are my semi-educated guesses.
It's not just the initial cost of the batteries, but also the expected lifetime that is needed for an economical case.
Same with solar panels, they have pay-back times today in the order of 10-20 years (even with subsidies, though that may change as oil costs rise) but who is guaranteeing the hardware (panels & inverter) lasts for anything like that time?
Re: @Steve Todd
Take the UK as an example: where are the CHP plants, and who is making use of the "low grade" heat that makes for the 40% or so of that 80% efficiency?
Very few. Our local University has a campus heating system that uses it, so runs its own 5MW (I think) CHP plant and pumps steam around the major buildings to heat them. Which is great.
But often if they need a bit more heating, in goes another conventional gas boiler as it's cheaper to do than to extend the CHP distribution!
Now then, where are the GW sized generators, and is anyone prepared to dig up towns and cities for hot water distribution to make said efficiency worth it?
So far, the cost of energy that everyone complains about is not enough to cover the cost of western world labour for infrastructure development. Sad but true :(
You still need the big thrust to get off Mars again, even if not quite the magnitude of leaving Earth's gravity pool.
At the thrust figures mentioned here (even assuming they are right), that means carrying chemical fuel, or making said fuel on Mars, or using some nuclear thruster (not necessarily Project Orion, but as heat source for expanding/accelerating a propellant) that you would not get permission to use on Earth for safety fears.
A typical satellite with 2.5kW of power is in the big communications class, so it's likely this would be similar, so around 1000kg.
With 0.72N of thrust you get an acceleration of 7.2E-4 m.s^-2 (i.e. 7.3E-5 g) or 62.2m/s per day. To double the escape velocity of about 11km/s would take about 176 days, and then double that time to stop the craft again.
So of course you keep accelerating, but this is not suddenly going to make interplanetary travel convenient.
"a fuel-less drive system like EmDrive changes that equation"
Until one works out where all of that power comes from.
Close to the Sun you may have solar panels, and farther out you might use a RTG for power, but with 2.5kW needed for 720mN of thrust you are looking at serious power levels to cut the flight-time to Mars.
Also did they bother to funnel the waste heat for more drive?
I feel your pain - I had an HTC Wildfire until recently, now have a Moto G.
It's quite a usable phone really...
"To my mind your data is no safer on your own servers than it is in the cloud unless you want to encrypt it and refuse to hand over the keys (and are therefore prepared to go to jail for not handing over the key)".
No. If I were living in Ireland then the only authority to make me hand over my keys would be the Irish courts. End of story.
What we have here is the US demanding the data on a non-US service/server based on the company having ties to the US. Had they the slightest sense of decency and international decorum, they would have made a formal request to the Irish law enforcement agencies who, no doubt would have cooperated if there was probable cause.
In that case I'm pretty sure the commentards on this forum would have supported it as the proper legal process.
Re: 2KW across 35mm !!
Looks like they have re-invented the induction hob?
Tell it like it is...
"it prefers not to comment on analyst figures, especially ones that don’t fit with its view of the world"
Could not have put it better.
"security updates for *any* software as long as possible"
While for any software would be nice, the real problem here is a physical device that can't be used securely after a certain time due to embedded software/firmware. It becomes landfill, a waste of the Earth's resources.
With pure software (i.e. stuff running on a computer, including its OS) you can often change it/upgrade it and not throw something away, and we have had automated patching of OS and applications for years already. So it's not like a fancy "new technology" is it?
As far as time scale is concerned, it should be defined in terms of the expected usable life (from the buyer's point of view), so something like at least 5 years after end-of-production.
It is high time the law was changed to make manufacturers/carriers liable for a failure to provide a timely patch.
Just now most of them just don't give a damn because it's in their interest that you either buy a new phone or take out another 2 year contract. And if anything goes wrong for you, your bank account, etc, it's none of their problem.
That would change noticeably if they were required to pay up for failure to act. Of course phones will still have bugs, and they can't be expected to indemnify for the unknown, but they sure as hell should be punished for not fixing stuff once they have, say, 1 month's notice.
Edited to add: And do the same for the crappy/creepy "IoT" devices as well.
The problem with 'cold' burning is also efficiency: the ultimate (theoretical) efficiency of a heat engine depends on the ratio of hot & cold absolute temperatures (e.g. Kelvin), and the "cold" one is always above ambient in practice.
Re: Point of Issue
That is why various guidelines and standards have been developed to make coding safer:
Whatever language you use, you can screw up, but C/C++ just gives you a more direct way of doing so. Safe code is hard to do and needs some skill and the willingness to stick to the above guidelines and to USE the tools already out there to check for errors and bad practice.
First in a long time
That article on the OK trends was the first listed since 2011 when they were bought out by match.com and I had thought the founders had simply quit at that point.
It is also worth noting that an earlier blog critical of match.com and other paid dating sites was pulled from the blog around that time.
Re: Speaking as a CRT user...
Don't sharks have multiple gill slots, which is how you know it's a kettle of fish (single gill slot) and not a kettle of sharks?
Oh, and fish don't have lasers...
You have to consider each aspect separately. All they have proven is that the implemented logic of the microkernel meets the specifications.
You can have bugs and flaws in:
- Sub-systems called by the microkernel
- Standard Libraries
- CPU/FPU hardware
But compared to today's huge kernels in Linux/UNIX/Windows/etc which have the last three as well as a box-of-frogs evolved design, that provability is a big start to something reliable for critical jobs.
"has provable upper bounds on interrupt latencies"
Er, those upper bounds would include hardware jitter as that is a known value and generally much much smaller than the software steps in ISR task-swapping.
Re: Was it really necessary for MS to change
For marketing yes, and that ultimately won along with a lot of legacy-supporting crud and mind-numbing stupidity like making IE deeply embedded.
If they had stuck to the original microkernel approach as planned by Dave Cutler and just accepted the performance penalty then it would have been one of the most secure OS around.
No, it is not pointless.
The point is with .docx you have to do it MS' way, and they can fiddle with that and withhold info (e.g. the binary blobs in .doc format that are included), while with .odf it is an open and transparent standard.
That way anyone can do it properly and the goal is to compete on the quality/price ratio of your editor, and not on having the only one that works with some secret sauce.
Long term, that is MS' way forward to a profitable future - to do better and not to rely on lock-in and unethical practice. Not holding my breath, of course...
Re: Already Given Up
"Anyone can grab hold of a 1/4-20 UNC bolt and use it to mount their camera anywhere they want"
Tsk, tsk, you should be using BSW for that...
"Did you know that Word 97 and Powerpoint 97 work quite happily with the 2007 converter pack?"
Er, have you tried to use them with a 2010+ era .docx document? It sucks and MS has only themselves to blame, so .odf is a major improvement here as it won't have the same petty hidden changes to bother with.
If this brave new world of on-line services resulted in an end to stupid GUI changes and features no one wants, and instead bugs were fixed and actual improvements made I would support it.
Sadly from my (limited) experience of MS and Google, it is the usual stupidity but on a regular payment plan.
And people wonder why the likes of MS and Adobe are pushing on-line versions? Money, regular money, and no need to offer something new/better to keep getting paid.
Re: "lying face down on with arms and legs dangling"
Now where has my spanking paddle gone?
Alternatively they looked at the success (or otherwise) of others' attempts (e.g. the French) and decided it's not cost-effective.
While availability of legal sources for some things is much improved (e.g. no DRM on audio after Apple's iTunes more or less forced the major players' hands), there are still problems in video actually getting what you want, when you want it, and in a format that won't piss you around in an attempt to play it.
Some will always pirate, some may stop if they are threatened, but the results of, for example, Spotify on music piracy where it is available have been enormous and that is a lesson to be learned. Shame it has not benefited the artists as much :(
Re: SourceFire report
Oh, the other thing lacking from the report is the time-to-patch. That is a big factor in how secure you can be with a given product/supplier.
It is worth reading the SourceFire report as it gives an interesting look at the disclosed vulnerabilities over the years.
Forum trolls will delight in being able to quote it for/against any fanbois of OS as well. It has some correct, possibly controversial, ways of reporting, for example counting the webkit browser engine as "Apple" so the CVE count is way higher than you might have expected. Similarly it treats Linux as one product, but the different versions of Windows as separate (mostly, this is discussed).
However, what the report lacks is the exploit count relating to these. For example, it has the iPhone as much worse than Android by CVE count (210 versus 24), but we all know that Trojans and general shit-ware, etc, for Android are a much, MUCH bigger problem in practice.
Oh, and check your buffers please? That is the No.1 vulnerability of the quarter-century!
Time-line is claimed to be:
VIII. DISCLOSURE TIMELINE
2011-02-12 - Vulnerability Discovered by VUPEN Security
2014-03-14 - Vulnerability Reported to ZDI and Microsoft During Pwn2Own 2014
2014-06-10 - Vulnerability Fixed by Microsoft
2014-07-16 - Public disclosure
Do we really believe they told no one before Pwn2Own?
Maybe the Russians had a point in dumping iPads, etc, for gov work after all?
Short answer is probably they knew it would lose money. After all they are pushing a similar form-factor in the bigger Nokia-softs and, while decent enough phones in many ways, they are hardly flying off the shelves.
I guess the recent changes to the user-whoring platform to push adverts in to the news feed is working then, but I find it astonishing there is enough sales linked to FB adverts to justify agencies spending "$6.44 in average revenue per user in the US and Canada".
Re: Good article, but...
Same idea as the French insult (more of a derogatory term than outright insult mind you) referring to the British as roast beefs, presumably from our habit of cooking meat until it is usable for shoe soles.
I am sure there are folk in my list of friends who would struggle with email, but they can use a phone so that is not a problem.
Also I don't really want to be part of making FB the only way folk communicate, a proprietary way that is controlled by one company with the primary goal of whoring us from advertiser to advertiser.
I got fed up of the endless stream of pointless re-posting of crap and generally depressing updates from my "friends" on trivia and decided to ignore it completely for a while. Anyone who really needs to contact me can use email, or better still actually call and talk to me.
If FB is important enough to you, try the F.B.Purity add-on for Chrome & Firefox, it makes the current website a touch more bearable. Sadly it won't deal with idiots polluting your news feed.
While it is tempting to poke fun at Yahoo, etc, the issue of what happens to our digital data once we are gone is something that needs to be properly addressed.
While I might not care (on account of being dead, for example) it might still have some impact on the few living ones who may care about me in some way. When stuff like bank accounts and other aspects of one's estate become virtual and there are no obvious paper print-outs lying around my 2nd last resting place, how will those who should benefit from whatever I have to leave find them and access them?
A will is the obvious starting place, but how many would think of listing all on-line accounts in there (and updating them as often as they change, which is typically on much shorter time-scales than a will), and how to manage the passwords?
Re: What could go wrong?
Or the seemingly endless stream of XSS flaws that have bothered Yahoo mail in recent years?
Re: @Crazy Operations Guy
"get a copy of a terrorist handbook and make it the same way that they do"
Thanks, but no. I'd rather keep my limbs if you don't mind...
If you really like stuff that is not nice to handle (for various reasons), just Google for "Things I won't work with" (for Derek Lowe's blog).
Re: Venezuelan Beaver Cheese?
I am simultaneously intrigued and horrified by the prospect of tasting Venezuelan Beaver Cheese.
I think the original commentard was referring to this:
Cyanobacteria are postulated to be the cause of the first major organism extinction as they produced plentiful O2 by photosynthesis which is toxic to obligate anaerobes.
So the first life on Earth did not need atmospheric oxygen, but of course it did need it bound with hydrogen in water.
Re: What is the point of a warrant?
There is little you can do about limiting reading to pairs of keys, as with email you have to be able to read it stand-alone from the other person being present. So with encrypted traffic either party can decrypt it, or its no good. You are always one of the two parties even when many others with different keys are present.
A much simpler and easier option is for the police to ask the judge "We believe that ABC and XYZ were involved in criminal activities between START and STOP dates, please can we get those emails?" and the judge to get a 3rd party to filter both ABC and XYZ's emails for the period START-STOP for communications with each other.
Job done, police can look for the specific info they believe is needed to clinch prosecution and 3rd parties are not having their privacy invaded.
Re: There's a peculiar phenomenon at work here ...
That is exactly my concern. Today I don't really have anything to fear from what GCHQ know about me, but can you imagine what would happen in a few years if the likes of the BNP/UKIP got into power and started looking for anyone who was a "threat" to their propaganda and monitoring of Joe Public to find them?
Same here for most El Reg readers - dangerous intellectuals with an interest in technology...
Re: @Roj Blake
You might also want to include the "USA" in how it dealt with the native Indians (not to mention the first appearance of prisoner camps in the civil war), and the Spanish in various south America countries.
Not to mention government-church sanctioned massacres throughout Europe in the late middle ages, oh yes, and that bit of bother caused by the Romans earlier...
A few nutters have nothing on the ability of a national organisation to cause suffering.
Re: Dangerous precedent
I think the Nuremberg trials established that simply obeying orders and laws is not an acceptable defence against actions that are clearly morally abhorrent.
By implication, those who speak out and act against said actions should be protected against perverse laws or illegal orders.
It is the whistle-blower's charter on a grand scale: If you have evidence of wrong-doing you should not be punished for revealing it, but that is kind of hard when the evidence is against the government who is also in charge of the trial & punishment.
Dunno, maybe they like that sort of thing?
Had a quick shuffle over to ppv.xxxurabi.com but damn - it's all in Japanese! Other than the NSFW images of course...
Unless your PC is also compromised, then said kiddy-porn or terrorist postings would be traced back to other IP addresses where it was logged in under control of the hackers.
The bottom line is people are shit at security, and some things (like regular password resets) don't help at all. What MS recognise is that not all accounts are equal, and the consequences need to be weighed up against the effort of remembering passwords.
Assume that you are forced to change password once per year, as my work proposes. If your password has been randomly compromised then the mean time to exploit it is 6 months. Just how long does a hacker need to have it to install a trojan and/or create another account for mischief?
So why bother unless there has just been a major breach and they KNOW that everything has to be reset?
I would have thought that hard coding the login credentials (as in SSH key, etc) to the source code would be a BLOODY STUPID thing to do. He asked for the code, not the cryptography keys. There are numerous open-source projects that don't get magically hacked because they are fully inspected by all.
And if, as you suggest, there are dozens of ways to break this then it is clearly not good enough for an important job such as vote-counting. At the very least it should have been subject to more than one security review by competent outfits and the result published after the flaws have been fixed (and not those with any ties to the supplier).
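The check a reviewer would actually run before handing source code to anyone is a secret scan for exactly the kind of hard-coded credential the post above objects to. The following is an added example, not code from the original post or from any named vote-counting supplier: a minimal scanner for PEM private key headers, AWS access key IDs and password/secret/token string assignments, with placeholders and environment lookups filtered out. The detector regexes are illustrative rather than exhaustive, the sample "source file" is constructed for this example, and the AWS key in it is the public documentation example key, not a live one.

```python
"""Minimal hard-coded credential scanner.

Added example (not from the original post or any named project).  It looks for
the credential shapes that most often end up committed to source: PEM private
key headers, AWS access key IDs, and password/secret/token assignments to string
literals.  Template placeholders and environment lookups are deliberately ignored.
"""
import math
import re
from dataclasses import dataclass

# Detectors are tried in this order; the first one that matches a line wins.
# The patterns are illustrative: a real scanner carries many more.
PATTERNS = [
    ("pem_private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # e.g.  DB_PASSWORD = "..."   api_key: '...'   token => "..."
    ("credential_assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)"
        r"\s*[:=]>?\s*['\"]([^'\"]{6,})['\"]")),
]

# Values that are obviously not real secrets: templates, env references, dummies.
PLACEHOLDER = re.compile(
    r"(?i)^(?:changeme|example|placeholder|<[^>]+>|\$\{[^}]+\}|x{3,}|\*{3,})$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    excerpt: str    # the offending line, trimmed
    entropy: float  # Shannon entropy (bits/char) of the matched value, for triage


def shannon_entropy(s: str) -> float:
    """Bits per character.  Random tokens score high; words and padding score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per line that carries a credential-shaped value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "credential_assignment" and PLACEHOLDER.match(value):
                continue  # a template value, not a leaked credential
            findings.append(Finding(line_no, kind, line.strip()[:80], shannon_entropy(value)))
            break
    return findings


# Constructed sample "source file" for this example.  The AWS key is the AWS
# documentation example key; nothing here is a real credential.
SAMPLE_SOURCE = '''\
import os
DB_USER = "vote_counter"
DB_PASSWORD = "s3cr3t-Pr0d-Passw0rd"
API_KEY = "${API_KEY}"
admin_password = "changeme"
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEPLOY_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----"""
password = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    # Expected: hits on lines 3, 6 and 7 only; lines 4, 5 and 10 are clean.
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} (entropy {f.entropy:.2f}): {f.excerpt}")
```

Run it over a checkout (`git ls-files | xargs -I{} python -c ...`, or as a pre-commit hook) and anything it reports should be rotated, not just deleted from the tree, because the value stays in history. The entropy field is there for triage: a captured value near 2.7 bits/char is probably a dictionary word or a test fixture, one above 4 is almost certainly a generated token.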
Re: At least...
Oh you just had to slip that one in...