* Posts by Paul Crawford

2674 posts • joined 15 Mar 2007

Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug

Paul Crawford
Silver badge

Lets face it, most of said SMB equipment would be a strong and resilient as a wet paper bag if you expose the network to world+dog, samba patch or not.

I'm guessing this is more of a risk in small businesses if a malicious actor can get a machine attached (or p0wn one via email, etc). Nobody should have a network share visiable to world+dog and big organisations/companies will have network switches set up to reject unknown machines being attached internally. I hope?

7
0

Comms 'redlining' in Brussels as explosions kill up to 30 people

Paul Crawford
Silver badge

Re: boltar

CCTV, APRN, etc. Do you think anyone going to blow themselves up cares about detection *after* the event?

As you seem to have not noticed, the blew up the airport *outside* of the security checks where folk were waiting. How far back do you want those checks? Its turtles all the way down...

21
1

Reposting 8-second sports clips infringes copyright

Paul Crawford
Silver badge

Pro tip - if it has wheels is probably not a horse.

19
1

Champagne supernova in the sky: Shockwaves seen breaking star

Paul Crawford
Silver badge

Re: Supernova Fusion

I think (but may be wrong) that stars normal fusion process can create atoms up to iron, above that and fusion is not generating energy so the star's fusion engine stalls and collapses. That final supernova burst is what powers the creation of heavier atoms (and, of course, releases all of the stuff above hydrogen/helium that we need to exist out in to space so eventually planets form, life arises, porn is created, etc...).

9
0

Cloud security harder than 'encrypt everything'

Paul Crawford
Silver badge

Site white lists?

"The problem here is that an attacker's site can also use SSL/TLS, and if it's a user (who clicks on a phishing link, for example)"

I'm guessing most businesses only really deal with a modest number of sites with ligitimate reason from the corporate LAN (as opposed to the separate guest/coffee break wifi, which of course they have on a separate network). So they could have a system where access to a site has to be requested first by the user (with various checks) to add it to the white-list. That way most phishing links would fail and most malware C&C would be blocked.

Unless the users was really, really dumb of course and determined to access some random site.

0
0

So where has the legal 'right' to 10Mbps broadband gone?

Paul Crawford
Silver badge

I agree with you on the point that rail upgrades all bring major benefits, but I'm unconvinced that £50bn on the HS2 is the best way to spend that pot of money on the UK's rail infrastructure.

0
0

What to call a £200m 15,000-tonne polar vessel – how about Boaty McBoatface?

Paul Crawford
Silver badge
Linux

Good Ship Venus

It simply has to be, as the penguins has missed out on that nautical fun for too long.

3
0

Twitter at ten: The social network designed for 2006 struggles into a second decade

Paul Crawford
Silver badge

Expenses?

Can someone explain how they can have "US$2.2billion of revenue" and be losing money?

To my simple view that would pay for a hell of a lot of serves/bandwidth and a decent number of staff to look after it. So where did the money all go?

3
0

Facebook, WhatsApp farewell BlackBerry

Paul Crawford
Silver badge

More worring

"they don't offer the kind of capabilities we need to expand our app's features in the future"

To me this suggests WhatsApp is going to start shit advert-slinging soon.

Otherwise what do they need to add? It already does chat and photos/video sending, plus group support to help arrange parties, etc. It is all I want in an IM app and I really don't want any other "features" to track me or serve up shit adverts.

4
0

Feds raid 'extortionist' IT security biz Tiversa, CEO put on leave

Paul Crawford
Silver badge

Re: I'm wondering how the FBI made its selection

"Find one of the inevitable vulnerabilities and extort money from either the vendor or the vendor's clients."

Maybe the FBI chose to investigate them because they did not find one of the inevitable vulnerabilities, but still chose to pressure for paid services?

0
0

Microsoft will rest its jackboot on Windows 7, 8.1's throat on new Intel CPUs in 2018 – not 2017

Paul Crawford
Silver badge

Re: Use the Disc?

How many laptops and, indeed, desktops still ship with a DVD drive?

Also will Widows just bork half way through the installation if it discovered it can't switch from BIOS/UEFI loading from the disk to native hardware access because it lacks some driver support?

13
1

Get ready to patch Git servers, clients – nasty-looking bugs surface

Paul Crawford
Silver badge

Fuzzing tools - throw all sorts of sh*t at the program until it breaks then take a look at what the breakage reveals.

3
1

Steve Jobs, MS Office, Israel, and a basic feature Microsoft took 13 years to install

Paul Crawford
Silver badge

Lets face it MS should have spent the last 15+ years fixing the damned thing (and not supporting main stream languages like Arabic and Hebrew is a bug to me, not a "feature request"). What did they do? Piss around with the the ribbon, and generally make most versions shittier than before.

Only recently I found that equations pasted from Windows version of Word to Powerpoint won't work on Mac Powerpoint. And MS fans bitch about LibreOffice not being "compatible", etc?

A pox on them all! May the fleas of a thousand camels infest their groins!

36
2

Brits shun nightclubs and CD-ROMs for lemons, coffee and woman’s leggings

Paul Crawford
Silver badge

I found I got a better sound out of the drill, but that is just be. not so much "musically challenged" as musically defeated.

7
0

TLS isn't up to the job without better credential protection, says RFC

Paul Crawford
Silver badge

IP then domain authentication?

Given the privacy implications of ISPs storing domain names, and some servers front many domains so you usually can't get away with the IP number alone, what about having two layers?

The first is a certificate, etc, for the numeric IP address so you know the URL will be secured, and the second is the same sort of thing for the URL to authenticate that the domain name matches. That way all a snooping ISP can see is the numeric request, such as 104.20.24.212, and nothing more personal such as www.theregister.co.uk

Assuming El Reg gets round to security at some point...

0
0

Here's what an Intel Broadwell Xeon with a built-in FPGA looks like

Paul Crawford
Silver badge

Re: One thing I don't understand is, why?

"That's partly because embedded hardware designers have no clue whatsoever about programming languages."

I don't think so. It seems to be down to (usually) having only one choice of tool, that blessed by the FPGA supplier, and they have little incentive to do any better. I really hope you are right and programmable hardware accelerators become popular enough to have multiple vendors competing to supply the tools, but I double it will come soon.

1
0
Paul Crawford
Silver badge

Re: One thing I don't understand is, why?

As someone else pointed out, for things like software-defined radio where you need lots of small integer-like operations performed essentially in parallel to process the signal as it is shifted in frequency and sample-rate. Those steps can be implemented in dedicated chips, but there are only few of them off the shelf and often not quite what you wanted. So being able to push the "simple but massively parallel" tasks to FPGA and keep the "complex but slow" stuff on the CPU makes sense.

Except that programming tools for FPGAs suck donkey balls big-time. Really, you think that developing for C is a pain, just try VHDL with tools that lack any sort of usable context-sensitive help for the vast number of uber-pedantic problems you will encounter. And weep....

4
0

Shock: Russian court says Russian court is right in slapping down Google monopoly

Paul Crawford
Silver badge

Much as I hate to say...

...the Russians have a point. Almost exactly the same point as the past MS anti-trust investigators found with the bundling of IE and similar on Windows to leverage the near-monopoly that MS had with OEM deals for Windows at a "competitive price" on the hardware.

Of course the US investigation folded before anything useful was done (you know, like breaking MS in to separate OS & apps companies to compete openly, a la MySQL now...) and the EU took ages to pick that up and it was all to little and too late.

Will Russia have enough clout to force Android licensing and app compatibility to be free of Google's slurping? OK Yandex slurping maybe not be much better, but choice is kind of a good thing.

16
0

Polite, helpful? Stop it at once in the name of security

Paul Crawford
Silver badge
Trollface

Re: Security helpful...?

"ask yourself whether you'd break down the door of your secure data store to rescue the guy inside in the event of a fire"

Depends, did you set the fire?

15
0

Hey Windows 10, weren't you supposed to help PC sales?

Paul Crawford
Silver badge

Re: Improve PC Specs

Or maybe some laptops with better displays for other than DVD watching, you know like Google pixel, etc?

5
0
Paul Crawford
Silver badge

Re: My next machine will be a desktop.

But more, much more than that, you can have a screen that is better that "HD", or the sub-HD pish the push for most laptops under £500 or so, and more like the resolution a good CRTs could manage around y2k

7
0

Facebook can block folks using pseudonyms in Germany – court

Paul Crawford
Silver badge

Re: why the difference in how they're treated?

Oh let me guess - because it involves real property and real money?

Or because your bank is not going to post/share your details pretty much publicly with stalkers, ex's, and friends-of-friends you would not wish to ever meet again?

2
0

How the FBI will lose its iPhone fight, thanks to 'West Coast Law'

Paul Crawford
Silver badge

Re: "Law can't defy science."

The UK tried "evidence based policy" on the risks of drugs in society but found it did not tell them what they wanted (or more accurately, what the tabloid papers were pushing). Dr David Nutt was in charge and knows his stuff (you know, life time of research, etc), but that counted for nothing ultimately:

https://en.wikipedia.org/wiki/David_Nutt#Dismissal

4
0

Google gives ringing endorsement to US VPN providers with 'right to be forgotten' expansion

Paul Crawford
Silver badge

Better solution?

The original complaint was if you searched for a given person's name, the page it found was for some sort old page showing court action of many years previously. Why can't google deal with this personal privacy by using an algorithm that simply limits the time of a search if it is a personal name, and no other details (e.g. the name of the court, etc)?

That way if you are looking for a specific case, you still find it, but if you are simply trawling (or trolling) for dirt on someone then old sins are quietly forgotten.

1
0

Norman Conquest, King Edward, cyber pathogen and illegal gambling all emerge in Apple v FBI

Paul Crawford
Silver badge

Re: No - it's binary

No, its not exactly binary. True, if you make software vulnerable then suddenly everyone's phone and tablet can be accessed, probably remotely, and with very low cost or discoverability. That will open the doors to more abuse of such powers in exactly the same way the NSA, GCHQ, etc, decide that spying on all of us "just in case" was OK.

What if the key could be accessed by physical forensics, e.g. by grinding the top off a chip and using an electron microscope to read it out? Bingo! The law can access the phone if it is important enough but the time and cost, along with the need to basically destroy the phone physically, means it can't be massively abused in the way a permanent backdoor (key escrow) or software bypass (as the FBI are currently requesting) can be.

13
0

We suck at backups. So let's not have a single point of failure any more

Paul Crawford
Silver badge

Re: Independent backups

And if the Linux admin's password or SSH key is leaked?

This problem is not OS-specific, though most victims so far have been Windows users. The solution is, equally, not an OS choice (even if it helps the odds) but having some arrangement that when the admin's key is leaked it is not enough to trash everything.

This means probably multiple keys for different areas of a system, but more importantly (in my humble view) that you have something else, something physical or fundamental to a bit of hardware design, that prevents trashing of all backups along with the primary data.

Having different roles/accounts for backing-up separate "root/admin" is a start. But you have to start with the assumption that someone has got complete control of the victim machines and so can undo any permissions on those machines.

2
0

We survived a five-hour butt-numbing Congress hearing on FBI-Apple ... so you don't have to

Paul Crawford
Silver badge

Re: Trey

Trey Gowdy is probably right, but for all the wrong reasons.

The problem I see with the FBI's request, and indeed most of the debate, is about the ability to bypass encryption with software. Quick, easy, and something that can probably be used remotely as well (if it can be a forced "upgrade" with Apple's signature) on any phone they can get an IP address for. That opens a floodgate of possible abuse not just by the FBI but every police and intelligence agency world-wide.

But what if they only way was a physical forensics approach? So you have to de-solder the encryption chip, grind off its packaging, and use an electron microscope to read out the key? That is analogous to an autopsy and the removal of bullets for evidence. It is not quick or cheap, and certainly not possible remotely. That would bring some parity in the argument where safes, bank deposit boxes, etc, are being compared to encrypted contents.

5
0

We're doing SETI the wrong and long way around, say boffins

Paul Crawford
Silver badge

Re: Maybe we could combine ?

"Or they could literally be sending probes to every system and take a local gander red-neck behind the bushes with some lube."

Fixed it for you...

1
2

NSA boss reveals top 3 security nightmares that keep him awake at night

Paul Crawford
Silver badge

Simplified list

All 3 points come down to one basically: We, as people, have accepted piss-poor security in so many computer applications for years, but now we have put important stuff within an electronic arm's reach of world+dog to have a go if they feel like it.

The current arguments about cryptography for law enforcement, etc, is a stupid distraction flamed by clueless politicians and civil servants and distracts from the above. We have found ways of catching and prosecuting criminals when they talked in person and did not write stuff down for many many years, so while it might be nice to get phone contents, it should not be necessary.

Sadly we need to start making a big deal about businesses and gov departments that expose important stuff (from personnel/medical records, through to infrastructure like power and gas) to the world, and/or collect sensitive stuff they don't really need. Make damn sure that those in charge can face personal prosecution if they fail to manage the process, fail to have a system in place to check and fix things, and fail to get outside support to check its good enough.

40
0

Google Project Zero reverse-engineers Windows path hacks for better security

Paul Crawford
Silver badge

Re: : in a path name ?

Actually most *nix systems allow any character in directories or file names except '/' (the directory separator) and the NUL 0x00 used for C end-of-string.

It is the command shell like bash, etc, that treats ':' and '*' and so on as special, and also it is the shell that treats a space as a command delimiter as well, unless you quote or escape-sequence the name. E.g. this wont work

cd my directory

As it treats 'my' and 'directory' as separate inputs, but these do work:

cd "my directory"

cd my\ directory

Since they tell the command shell to treat the space as part of a single string passed to the 'cd' command. Windows has similar problems with command-line use, it is just that few people use it or write scripts for it to complain as much.

18
0
Paul Crawford
Silver badge

Re: win32? in 2016? really???

Stupid enough to want your software to run on W2K - XP - Vista (cough) - Win7 - etc rather than the latest privacy slurping version only?

And not finding your latest API is pulled from below you if MS decides to change again (how is that Silverlight project going)?

MS has a lot of stupid past decisions to support, and practically the only real argument for choosing Windows has been compatibility with the vast range of so-called legacy software, so sad though it may be, this is still important work. Of course, MS could just open-source the legacy path code so we can see for sure and save this reverse engineering trouble and uncertainty...

9
5

Institute of Directors: Make broadband speeds 1000x faster than today's puny 2020 target

Paul Crawford
Silver badge

Re: 10Gb to the home?

You seem to forget this is 14 years from now. 14 years ago 1Gbit was a dream for most, and now all PC motherboards come with GBit ports, and a lot of home routers are Gbit.

Oh yes, sorry forgot about laptops even with £1k price tags with no Ethernet and relying on WiFi that struggles to get 10Mbit on a good day in a built-up area...

0
0

Confirmed: IBM slurps up Bruce Schneier with Resilient purchase

Paul Crawford
Silver badge

Re: Does this signal a change?

Maybe, but most business see taking sane precautions as an unnecessary expense. Until they get well and truly shafted, that is, and then it was "a bad boy did it and ran away!"

2
0

Computers abort SpaceX Falcon 9 launch

Paul Crawford
Silver badge

Re: ICBM

No last minute reprieve there then!

They might be able to disarm the warhead in flight, or possibly change the target coordinates even. That would make a big difference to the outcome...

0
0

Car-makers, telecoms bodies push standards for self-driving vehicles

Paul Crawford
Silver badge

Re: Dumb idea?

So why do they keep telling us that reliable communication systems are essential?

Its almost like they are dependent on vast server farms somewhere, and don't quite want to say so...

5
1
Paul Crawford
Silver badge

Dumb idea?

computer-aided driving will depend on "upgraded communication systems that provide higher performance levels in terms of latency, throughput and reliability of the network"

Really? So what will said self-driving car do when it ventures on to one of the many rural areas that is lucky to get GPRS on a good day? Or if, say, there is another GPS blip that takes out comms networks?

Self-driving cars need to be able to deal with other vehicles that are not on the network, due to faults or them still being driven by meat bags, so reliance on communications of any sort is a really dumb idea.

7
2

Linux lads lambast sorry state of Skype service

Paul Crawford
Silver badge

Munich?

http://www.techrepublic.com/article/no-munich-isnt-about-to-ditch-free-software-and-move-back-to-windows/

http://www.zdnet.com/article/munich-sheds-light-on-the-cost-of-dropping-linux-and-returning-to-windows/

Unless you have more *recent* news?

12
1

The other one. No, not WhatsApp. Telegram. It hit 100 million users

Paul Crawford
Silver badge

Just like we should believe that WhatsApp is not backdoored by the NSA?

Chose your messaging system based on (a) how public the code / analysis / review is, or more likely (b) on who is most likely to be interested in screwing you over for personal reasons.

5
0

'I bet Russian hackers weren't expecting their target to suck so epically hard as this'

Paul Crawford
Silver badge

Re: Argh

You have identified two problems with the example:

1) The comments / "documentation" is misleading, that is not what it is testing!

2) The code is a convoluted way of trying to express what (I believe) is being tested.

Better would be something an is_data_null() test to see if pointer is null or empty or 'blank' string, then to return if alpha fails this "null" test but omega passes it.

1
0

Bill Gates denies iPhone crack demand would set precedent

Paul Crawford
Silver badge

"In order to comply with this order, Apple need to build software to work on a particular IMEI and S/N of this phone"

Fixed it for you.

Next week its a new IMEI and S/N, week after a few dozen more... Come Xmas holidays Apple are being told by the courts to avoid excess costs and just do a tool for to gov that handles every confiscated phone in the USA. Meanwhile in Russia and China they are lining up for the same service...

6
0

UK court approves use of predictive coding for e-disclosure

Paul Crawford
Silver badge
Gimp

Re: It was Professor Plum in the dining room with the lead pipe.

No! It was Miss Scarlet, in the basement, with a strapon...

1
0

German mayor's browser tabs catch him with trousers down

Paul Crawford
Silver badge

Re: the upside

From your link about the Reeperbahn:

"The hottest clubs on the Reeperbahn and Hamburger Berg open, with Irish pubs and Hans-Albers-Platz packed full of live music."

Really, no one goes to German pubs in Germany?

1
0

ADpocalypse NOW: Three raises the stakes

Paul Crawford
Silver badge

Re: Inferring a bit too far

"Shouldn’t a web page get to the user just as the originator intended?"

Er, did the creator of the page also create the adverts? Or are they a parasitic aspect that is relied upon to pay bills?

That is a BIG difference in the net neutrality stakes - one is allowing the end user to choose what they want without interference, the other is allowing the web hosting to push whatever they want without interference.

Andrew is right in one respect though: it is high time that funding of content was properly considered and not left to the cesspool of advertisings.

27
2

UK carrier Three in network-wide ad-block shock

Paul Crawford
Silver badge

@ Ledswinger

There is more to this than simply the goal of 3 to get additional payments (the "fighting net neutrality in the advertising space") as mobile networks are generally congested and if they can cut bandwidth use for *everyone* by around 30% or more due to blocking bloated ads, then it will help end users a lot.

While I have no sympathy for advertisers due to the highly intrusive and resource-hogging sh*t they push, I do have reservations about what this will mean long-term for equal access if only the big hosts can pay to push their sh*t.

3
0

Locky ransomware is spreading like the clap

Paul Crawford
Silver badge
Trollface

Sounds like a BOFH story :)

0
0
Paul Crawford
Silver badge

"If you are logged in as a domain administrator and you get hit by ransomware"

You should seriously be considering a change of job?

29
0

Your anger is our energy, says Microsoft as it fixes Surface

Paul Crawford
Silver badge

Re: Just setup a few Surface Pro 4

Sure that helps. But you should not have to do any of that for a stable and privacy-respecting machine.

4
0

Bulk sensitive data slurp? You can't stand under our umbrella-ella-ella – EDPS

Paul Crawford
Silver badge

Re: @national security purposes

Its far worse that "any bollocks we chose to call national security" because its any bollocks another government, for whom we have no democratic input to, chooses to call national security.

That is a big point - while I have serious doubts about the integrity of my own government, at least I have a vote in the matter. Far from perfect, but something others have fought and died for.

1
0

US Dept of Defense to shift 4 million devices onto Windows 10

Paul Crawford
Silver badge
Joke

Re: systemd

I presume? I guess they wanted something that would know what svchost.exe was up to....

3
0

Go full SHA-256 by June or get locked out, say payments bods Bacs

Paul Crawford
Silver badge

Using XP if fine so long as you don't have it on the Internet. So run old software in a VM of XP if you want, but as you say - not for internet banking, remotely accessible SCADA, etc.

2
0

Forums