Posts by Paul Crawford

2164 posts • joined 15 Mar 2007

Tesla tech top dog downs slug, hikes bug bounty to $10k

Paul Crawford
Silver badge

Salutations to Tesla

For once we see a car company reacting sensibly to the holes in their systems. Of course, this should have all been done before the cars were leaving the factory, but at least Tesla has the balls to realise they did not, and are apparently taking it seriously enough to do something about it. OK, the bounty is not so big as some other companies', but it's a damn sight better than most auto companies.

14
0

A close shave: How to destroy your hard drives without burning down the data centre

Paul Crawford
Silver badge

Sand won't save you this time!

(really though, they did say without burning down the centre)

4
0
Paul Crawford
Silver badge

Really, why go to all the physical risk and effort apart from the fireworks in testing?

Doh, I just answered my own question...

But really the answer is much simpler: all disks encrypted with a long random block of data that is stored on a chip, and then just zap the chip with a high energy discharge while rebooting the servers into the usual memory testing slow BIOS start-up that you always use as you worry about data integrity if your RAM is not checked. Key gone = data gone and in-RAM copies overwritten as well.

2
0

All hail Ikabai-Sital! Destroyer of worlds and mender of toilets

Paul Crawford
Silver badge

Re: “airline crack”

Probably just like heterophones, but with better taste in interior décor?

14
0
Paul Crawford
Silver badge

Re: So that's what I do!

All hail the high priestess!

17
0

Safe as houses: CCTV for the masses

Paul Crawford
Silver badge

Battery life?

How long do the 4 * CR123 cells last? It could become an expensive toy to feed if it's not for 6 months or so.

Also, and I guess it's out of the scope of a quick review, how secure are any of these? Have any been subject to a proper penetration test? Given the ongoing crap about home NAS being insecure, etc, I would be very wary of letting any of these products loose in my home/work.

4
0

Hack a garage and the car inside with a child's toy and a few chips

Paul Crawford
Silver badge
FAIL

Known technique

From the Wikipedia page on De Bruijn sequence:

The sequence can be used to shorten a brute-force attack on a PIN-like code lock that does not have an "enter" key and accepts the last n digits entered.

So not only a fail for using only 12 bits for the garage code, but a fail for not enforcing a start and/or end sequence, nor a minimum time between codes, to make it harder to guess. And that is before we even consider a rolling sequence...

6
0
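The two missing controls the comment names (a start/end sequence and a minimum time between codes) can be seen side by side in this added Python simulation, which is not code from the article or the commenter; the 12-bit secret, the 'S'/'E' markers and the 2-second interval are constructed illustration values:

```python
import secrets

CODE_BITS = 12
SECRET = 0b101101001110          # constructed illustration value, not a real device code
MASK = (1 << CODE_BITS) - 1

class SlidingWindowReceiver:
    # Weak design from the comment: no framing, just compares the last CODE_BITS bits heard.
    def __init__(self, secret=SECRET):
        self.secret, self.window, self.bits_seen, self.candidates_tested = secret, 0, 0, 0

    def feed_bit(self, bit):
        self.window = ((self.window << 1) | (bit & 1)) & MASK
        self.bits_seen = min(self.bits_seen + 1, CODE_BITS)
        if self.bits_seen < CODE_BITS:
            return False
        self.candidates_tested += 1  # each extra bit completes a brand-new candidate
        return self.window == self.secret

class FramedRateLimitedReceiver:
    # Hardened design: a code is evaluated only between a start marker 'S' and an end
    # marker 'E' with exactly CODE_BITS bits inside, at most once per min_interval seconds.
    def __init__(self, secret=SECRET, min_interval=2.0):
        self.secret, self.min_interval = secret, min_interval
        self.last_eval, self.frame = None, None   # frame is None while outside a frame
        self.candidates_tested, self.rejected_for_rate = 0, 0

    def feed(self, symbol, now):  # symbol is 'S', 'E' or a bit (0/1); now is seconds
        if symbol == 'S':
            self.frame = []
            return False
        if self.frame is None:
            return False                  # bits outside a frame are ignored
        if symbol == 'E':
            frame, self.frame = self.frame, None
            if len(frame) != CODE_BITS:
                return False              # malformed frame is never evaluated
            if self.last_eval is not None and now - self.last_eval < self.min_interval:
                self.rejected_for_rate += 1
                return False              # too soon after the last attempt: dropped
            self.last_eval = now
            self.candidates_tested += 1
            value = int("".join(str(b) for b in frame), 2)
            return value == self.secret
        self.frame.append(symbol & 1)
        return False

def candidates_from_random_bits(n_bits):
    # Feed one random bit stream (no markers) to both designs; return how many
    # distinct candidates each actually evaluated.
    weak, hard = SlidingWindowReceiver(), FramedRateLimitedReceiver()
    for i in range(n_bits):
        b = secrets.randbelow(2)
        weak.feed_bit(b)
        hard.feed(b, i * 0.001)
    return weak.candidates_tested, hard.candidates_tested

def framed_attempts(n_frames, spacing, min_interval=2.0):
    # Send n_frames well-formed frames, spacing seconds apart, to the hardened
    # receiver; return (evaluated, rejected_for_rate).
    hard = FramedRateLimitedReceiver(min_interval=min_interval)
    for i in range(n_frames):
        t = i * spacing
        hard.feed('S', t)
        for k in range(CODE_BITS):
            hard.feed((i >> k) & 1, t)   # candidate i, sent LSB first
        hard.feed('E', t)
    return hard.candidates_tested, hard.rejected_for_rate
```

Without framing every extra bit the receiver hears completes a fresh candidate; with framing each guess costs a full frame and the interval caps the guess rate at the receiver, which is the baseline a rolling-code scheme then builds on.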
Paul Crawford
Silver badge

Re: Well...

"Don't all garage door openers use rolling codes now?"

I have no idea, nor any obvious way of finding out.

And therein lies the problem - so many crap implementations of systems with known flaws (to experts) and nobody doing any public ratings of them.

While a garage door is less of a concern than, say, a self-driving car, it is high time that anything with high value or safety was forced to be independently audited for safety and security before being sold (or at least insured). Yes, I know that sort of legal talk is not favoured round these parts, but we have seen time and time again really dumb mistakes being made (often to save some money in terms of who is hired to do it) and companies then using legal threats to silence those who question them.

6
0
Paul Crawford
Silver badge

Re: Driving the car

The problems with the simple version of "high tide mark" sort of approach are:

1) Key fobs usually reset when the battery is changed.

2) You might have several key fobs for his & hers, etc, that are at different points in their sequences.

A much better approach would be a two-way negotiation where the car can query the fob for information about a shared secret but then the cost & complexity of the fob, etc, goes up a lot.

0
0

Death to DRM, we'll kill it in a decade, chants EFF

Paul Crawford
Silver badge

Re: People slowly realise how much of a problem it is

The EU could help here, but probably won't. If they made it illegal to discriminate on trade & sales by electronic means not just on inter-EU sales, but on sales and services brought in from outside the EU, then region coding world-wide would be a goner. Buy a toner cartridge from Australia or whatever and it won't work? Then sue Xerox in the EU for illegal regionalisation.

5
0

Oracle waves fist, claims even new Android devices infringe its Java copyrights

Paul Crawford
Silver badge
WTF?

WTF?

"what Oracle has worked hard to build and maintain, and in the process to destroy the value of the Java platform"

For a start, most of the work was nothing to do with Oracle, they bought Sun's stuff then have trolled it chasing Android.

As for destroying the platform value, I think the endless security holes in Java, slow patching, and the various problems of which specific JVMs will actually work for a given application have done that. Had Oracle managed to make Java what it promised, i.e. "write-once and run-everywhere, securely" then I might just be able to pull some sympathy from the depths of my arse. But they have not.

17
0

Crackpot hackpots pop top of GasPots

Paul Crawford
Silver badge
FAIL

Is there no end to the stupidity of companies?

You put something of value on the internet and have a system without (a) proper security from the start or swift patching to help out, and (b) allow it by hardware, etc, design to actually do something physically that could either irritate the owner/users or compromise the safety. Guess what, it then gets hacked? Surprised?

Sadly it looks as if serious fines and/or jail time for company execs is going to be the only thing that might stop the tide of moronicity. Always blaming the "hackers" for a stupid design is not an acceptable excuse.

0
0

Windows 10 wipes your child safety settings if you upgrade from 7 or 8

Paul Crawford
Silver badge

Re: How the hell ...

after millions of man-hours a few horny-teenager-hours testing

Fixed it for you...

16
0
Paul Crawford
Silver badge
Childcatcher

Disgraceful!

It's a disgrace that Windows 10 has not kept such perfect protection!

Damn, now I might have to actually talk to children and educate them about safe and sane behaviour on-line instead of watching TV in the next room.

51
9

I could spoof Globalstar satellite messages, boasts infosec bod

Paul Crawford
Silver badge

Mind you, who would be foolish enough to trust the communication 'pipe' to implement security & authentication? Damn, that was a dumb question!

End-to-end or no cigar...

2
0

German prosecutor given Das Boot over Netzpolitik treason charge

Paul Crawford
Silver badge
Trollface

Downfall?

"but it was his decision to pursue Beckedahl and fellow journalist Andrew Meister for treason that led to his downfall."

So when will we see a matching Hitler-rant parody?

8
0

Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Paul Crawford
Silver badge

Re: This is not a tech problem

He could have bought an IP connected power block and simply cut the AC power remotely. Given the pain of managing remote boxes, I would do that even though I don't have anything particularly worth encrypting to that degree.

1
0
Paul Crawford
Silver badge

Re: id10t

"What are the ways to beat a keylogger?"

Tricky, but I would go for booting from a 'live' CD-ROM so you always have an un-tampered OS (assuming it was clean to start with). Bad luck if they manage to infect it just before you enter your pass phrase, but I guess you should not do email/web sessions before you have already closed the encrypted container.

How long you could do so and put up with the inconvenience is another matter...

0
0

OFFICIAL SCIENCE: Men are freezing women out of the workplace

Paul Crawford
Silver badge

Temp difference also matters

I was once installing stuff in Egypt a long long time ago and the IT/computer room/office was set to 18C when outside it was 35-40C. This room was mostly workstations and some photographic plotters, etc, not a data centre.

They had to wear extra clothes / coats indoors and complained about fingers going numb. Despite being used to much colder in the UK I also found it uncomfortable when dressed for that sort of region, so set the A/C controls to 25C as no one there felt they had the authority to do so. End result was a much happier work force and a greatly reduced electricity bill!

0
0

W3C's bright idea turned your battery into a SNITCH for websites

Paul Crawford
Silver badge

Re: Solution?

A plug-in that always reports a low, but random, value? That way you don't get force-fed high usage crap, but still it is not an identifying value (except maybe that you are running such a plug-in)?

10
0

What balls! India blocks 0.00008 per cent of web in anti-pr0n move

Paul Crawford
Silver badge

Damn, looks like I will have to study that list in case I am missing something. Other than scruples, that is.

Still, I didn't know there was a web site stiflersmom.com but I guess having seen it mentioned in India Today I will check it out later, and not at work. Look, it's bound to be NSFW...

9
0

It's enough to get your back up: Eight dual-bay SOHO NAS boxes

Paul Crawford
Silver badge

Re: Just wondering...

The one with btrfs should support snapshots to allow a roll-back to a past point in time. Not sure I would choose that over ZFS mind, but then all file systems have sucked donkey balls in my experience. As a previous commentard reminds us RAID != Backup, and of course an on-line file system is not a backup.

0
0
Paul Crawford
Silver badge

Re: Unlike ext4, btrfs provides "file security against viruses and malware"

Not exactly, but it supports 'snapshots' as it is a copy-on-write file system. So malware that trashes files on your Z: drive or whatever will cause the file system to write the malicious changes to new blocks on disk. Once you find out, and have killed the infection, you can go back to the snapshot time and get your previous files' contents back.

Assuming you snapshot regularly and notice the infection before those snapshots get overwritten.

1
0
Paul Crawford
Silver badge

Re: access speed

What you need in access speed depends on what you are doing, i.e. the balance between your computer's ability to process data and the storage system's ability to provide/accept it.

Most cheap NAS can achieve about half of an HDD's speed if you have Gbit networking, and if your budget is limited you might be happy enough just to let it run overnight, etc.

1
0
Paul Crawford
Silver badge

Re: Macs can be problematic

If you are not using the NAS for sharing (i.e. it is a backup copy and/or space for keeping very large files) then try to use it as an iSCSI target, and then have the block storage formatted in Apple's own file system. That way the (stupid IMHO) use of alternate data streams for photo metadata, etc, is all supported.

Down side is the extra faffing to get that running and that you can't really access those files on any other machine.

1
0
Paul Crawford
Silver badge

RAID-0 FFS?

Please, there is only one application for a RAID-0 box and that is a temporary store for massive video files, etc, while you work with them. You should make that very clear in any proposed test. If you value your data then RAID-0 has no place at all!

Also worth pointing out for the more technical commentards to consider, you can get an HP ProLiant Gen8 G1610T micro server for under £200 and slap FreeNAS on it, and if you want some more performance also stick in a small SSD for the ZFS Intent Log to give you a reasonable compromise in performance vs. storage cost.

21
0

$100m fine? How about, er, $16k? AT&T teabags FCC with its giant balls

Paul Crawford
Silver badge

Re: It's a shame

"There are always conditions attached"

Which are not explained, or often are changed after you have signed up. THAT is the problem.

If I have paid for an 8Mbit/sec connection why can't I use it all the time? Why should it slow down?

Now you and I both know the realities of networking hardware and the fundamental limits of information theory so we realise the situation is complex and usually over-subscribed so throttling is inevitable at times. But the majority of customers were lied to in order to get their custom, and they know SFA about how it works. That is the whole point of this action.

2
0
Paul Crawford
Silver badge

Re: Fine seems reasonable

"I know half a dozen people who abuse their "unlimited" data plans or have in the past. People who would stream Netflix and Hulu for hours on end."

I'm sorry but you can't "abuse" unlimited because it is, as they say: unlimited.

Now if they can't actually deliver on that, why did they offer it? Did they lie to millions of customers who know nothing about spectrum usage and contention ratios, etc, to obtain their custom? If so they deserve the fine and it has to be big enough to make them, and others, think again.

It is just a shame that other toothless regulators have not been forcing honest advertisement of what you can expect to get from an ISP for your money.

6
0

Stop forcing benefits down my throat and give me hard cash, dammit

Paul Crawford
Silver badge

@TheTick

Maybe gov spending is not very efficient, but are any of the other options actually better? A lot of charities are way less efficient at delivering aid to the intended.

Here is a good infographic on what the UK spends money on, though I have not verified it is correct:

http://headlinesuperheroes.co.uk/stuff/cashogram/cashogram-1.0.1.png

1
0
Paul Crawford
Silver badge

"People in the UK give over £10 billion a year to charity"

The problem is the UK's welfare spending is an order of magnitude bigger than that, and there is no way that those of a charitable disposition are in a position to donate 10x more for reasons that are not a personal factor to them (e.g. protecting animals, children, etc).

9
0

Windows 10 marks the end of 'pay once, use forever' software

Paul Crawford
Silver badge

Try the approach I went for - run Linux as your host and have a couple of VMs of XP, 7, etc for the software that is Windows-only. OK, you need a decent amount of RAM, but it works well enough and those VMs generally never need to see t'Internet so a few less security points to worry about.

2
0
Paul Crawford
Silver badge

Re: Linux @DropBear

When you install Linux go to the advanced options for disk partitioning and set up something like this:

/ ext4 (~30GB if you have enough space)

/home ext4 (most of the rest of the disk)

And leave about 30GB if you can (say on a 1TB HDD or similar so it's no big deal). That way you can nuke your OS installation without losing your own data, and if you prefer install a later version in the unused space and also have it mounting your home partition later. Then the grub boot menu will give you the chance to boot into old or new versions.

5
1

Open source Copyright Hub unveiled with '90+ projects' in the pipeline

Paul Crawford
Silver badge

Sounds like a good idea

Firstly I must thank you for cheering my day up with the description " the rancid free-for-all of today’s clickbait-infested swamp", it is spot-on!

It remains to be seen how well the system works, but for a lot of commercial sites I can see it would be a great advantage if photos and other material could be licensed for a small fee more-or-less instantly. Even for some of us who choose to put things up for free, it would be nice to track its popularity (particularly if your funding is based on "public impact" factors).

However, the issue of meta-data stripping is more complex as it can reveal information about the person they really don't want public. For example, the lat/lon of their home, or a personal identifier if it's a crime they reported. Having an agreed copyright metadata field that is not stripped by web sites on pain of legal action is much better, so long as phones, etc, always confirm you want it sent in sensitive cases.

1
1

UK's first 'DIY DAB' multiplex goes live in Brighton

Paul Crawford
Silver badge

Ofcom report

It is worth a read of the report, in particular section 6.7 is damning of the quality and consistency of the DAB radios out there.

I am not surprised really, and having read parts of the DVB-S2 standard you can see why it is a high risk to implement any of these sorts of systems in silicon for space projects etc - the standard is so damn long (from memory about 1000 pages in the various pdf documents) and complex that the chances of someone implementing all of it correctly are quite small.

Really, when you compare DAB in practice to FM and factor in receiver availability, battery life, coverage, etc, there is not a good case for DAB. The suggestion of killing it off and leaving FM and IP radio is worth considering.

17
0

Small number of computer-aided rifles could be hacked in contrived scenario

Paul Crawford
Silver badge

Amusing coincidence

Funny, when I read the article the last part was:

Have also fired 12-bore shotguns on a few occasions and was once even present at a grouse shoot.

Sponsored: How to deal with Windows Server 2003 end of support

Related I wonder?

4
0

Microsoft's Windows 10 Torrent-U-Like updates GULP DOWN your precious bandwidth

Paul Crawford
Silver badge

Re: I did think that

Very much so if you have a few PCs on a LAN and are not using WSUS (like most homes and small businesses). In that case the overall benefit to you is probably much more than the penalty of it sending a copy out again.

5
1

Think beyond the Beeb: Gov consultation is crucial for free telly

Paul Crawford
Silver badge

Re: 4k

The bandwidth problem for worthwhile 4k is also an issue for IP TV, at least, unless some serious headway is made in terms of fibre to, ideally, the home.

0
0
Paul Crawford
Silver badge

Re: 4k

The Japanese have looked at Ka-band satellite for UHDTV as there is really not much spare at Ku band. However, the investment in both space-side and the upgrade costs for everyone wanting it are not pretty.

OK, if we dropped a lot of the 100+ shit channels we might have it on Ku, but that is not looking likely.

0
0
Paul Crawford
Silver badge

On a technical level IP TV is a horrendous waste of resources, all of those duplicated data streams...

3
0
Paul Crawford
Silver badge

Re: happy to pay the license fee

While I happen to think EastEnders is rubbish as well, I don't mind the BBC paying for it to be made as a lot of folk do like it.

What I do/would object to is the BBC bidding stupid sums of money for sports coverage. Not that I am against them doing sports, but I think the amount of money pissed up the wall by premier league footballers or the organisers of F1, etc, is not a good way to spend money. Other up-side is that Sky can pay a bit less for said sports, so those who do end up paying don't need to spend as much either.

5
0

SPUD – The IETF's anti-snooping protocol that will never be used

Paul Crawford
Silver badge

Re: Added value?

That is a good example, but I fear that ISPs would abuse the ability to rank and manipulate streams and app developers, for that matter, to lie about what they are to appear better to a customer.

3
0
Paul Crawford
Silver badge

The most obvious beneficial case is caching common and/or large volume stuff, something that was largely pissed on by DRM anyway and becomes impossible for always-encrypted traffic.

3
0
Paul Crawford
Silver badge

Added value?

"we want to provide mechanisms to let operators try to add value"

Can anyone explain what "added value" is in this context? Why would I want it? (And I don't mean being whored to advertisers by my ISP)

2
0

Microsoft Edge web browser: A well-presented mea culpa

Paul Crawford
Silver badge

Google docs, what about Office 365?

Is the bad behaviour on Google's cloudy editor, etc, shown also on MS' offering?

Do MS still push Active-X stuff if they can for Windows browsing of Office365?

1
4

Bloke cuffed for blowing low-flying camera drone to bits with shotgun

Paul Crawford
Silver badge

Re: Let the arms race begin...

I don't know much about guns, but I imagine that a typical shotgun charge has a lot of small round shot in it, so the risk of that coming down far away elsewhere under gravity and remaining momentum is a whole lot smaller than a bullet.

Any commentards with more knowledge willing to add to this?

2
1

Tired tablets don't tickle the imagination, so sales fall again

Paul Crawford
Silver badge

Re: jerkyflexoff

Maybe for you, and your use.

But for various non-tech folk I know they are a breath of fresh air without all of the AV and other crap that a Windows laptop has/accumulates at short notice. Also they are often much cheaper than a laptop for a decent screen resolution, for reasons I never could fathom...

2
0

Bloke who tried to get journo killed by SWAT cops coughs to conspiracy charge

Paul Crawford
Silver badge

Re: A complete and utter failure of the 911 Caller ID technology

Of course, they could check first if the phone can be reliably located to the immediate vicinity of the alleged incident and, if not, treat the call as a touch suspicious and perhaps survey the scene a little more before bursting in with guns blazing.

10
0

Ford's parallel PARCing: Motor giant tries to craft new tech just like Xerox

Paul Crawford
Silver badge

Let's just hope all of this new software-controlled driving is more reliable than their stop/start switch that needed a patch recently.

1
0

Secretive trade pact the TTIP: Death of the web – or a brave new horizon?

Paul Crawford
Silver badge
Big Brother

Fundamental

No, the fundamental reason why these "trade pacts" should be kicked out is simply the undemocratic process by which they were generated. Secret negotiations with only a few officials (and certain lobby groups) being given access, and not us, the people to whom they will apply.

So no matter what they are offering, they should be destroyed on the simple principle that they are attempting to re-write our laws by the back door - by secret agreement that is then presented as fait accompli for the EU nations, Australia, etc, to swallow without any sort of scrutiny.

15
0

Got an Android phone? SMASH IT with a hammer – and do it NOW

Paul Crawford
Silver badge

If carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software.

5
0