Posts by Paul Crawford

2068 posts • joined 15 Mar 2007

Paranoid about the NSA? The case for dumping cloud's Big 3

Paul Crawford
Silver badge

The only way that is trustworthy is to have your own encryption.

That way if anyone has a legal reason to access your data they have to come directly to you with a court order. You then only have to respond to courts that have legal authority over you, not over your ISP or over your cloud provider, etc.

4
1
Paul Crawford
Silver badge

Re: Encryption

Just to add that SpiderOak claim to provide a Dropbox-like file sync/share with "zero knowledge" of the data stored on their servers. Of course, just so long as you don't create a share link for web access as that needs your key to be transferred.

This is how it should be!

The only reservation I have is I don't think it has been independently audited and even if the source was available to me, I doubt I could audit it myself.

2
1
Paul Crawford
Silver badge

Re: Lovely idea... maybe not

Yes, look at BT here in the UK.

They outsourced email to Yahoo and the buggers changed settings from time to time without it being updated on BT's help pages, and their useless hell desk had no clue either :(

I mean WTF are they doing changing an email server's settings without informing the users. You know, maybe by emailing them in advance?

If I am kind then it is simple incompetence in not knowing the POP/IMAP settings at any point in time. If cynical then it's because they want people to use the web-mail interface where they can serve up adverts.

6
0
Paul Crawford
Silver badge

Encryption

Encryption works if you use the "cloud" for data storage, say as an off-site back-up. And it is only trustworthy if you have control over exactly what software is doing it (and realistically that means a well regarded open source system) and you are the only one holding the key.

Where it all falls down is if you are using the "cloud" as a computing-on-demand service, or for document sharing and web-based editing, because then it has to be decrypted on the servers of the host, so they have access to your key.

Sure, the data at rest (i.e. stored on disk) may be encrypted, but they could snapshot the running VM or whatever and then poke through its memory for the key.

Really if you are concerned about privacy then run everything on a local machine, with multiple layers of firewall/VPN style protection depending on who/where access is needed, and only use an off-site provider to keep encrypted backups that you encrypt before they move off-site.

4
1

SOHOpeless Realtek driver vuln hits Wi-Fi routers

Paul Crawford
Silver badge

Re: We must finally outlaw hardware without publically documented interfaces

Yes, fines should be large and enforced otherwise bugger-all will change.

How said companies choose to respond is up to them. It would be better for free software and probably cheaper for them to cooperate in making specifications fully public, also it would help build trust that nothing dodgy was added. But sense seems to be a rare thing these days.

1
0
Paul Crawford
Silver badge

Re: We must finally outlaw hardware without publically documented interfaces

Even if not going so far, it is time that suppliers were punished financially for failing to freely patch bugs in a timely manner for, say, 5 years after the software/product was last sold.

4
0

Today, the US govt must explain why its rules on shutting down whole cell networks are a secret

Paul Crawford
Silver badge

I don't see the logic here: if they are using phones to simultaneously trigger bombs then by the time you know about it all said bombs have gone off. And if your aim is to detonate other bombs a bit later, you have timers and/or the ability to notice the network has gone dead for that.

The only situation where it would make any sense, and probably it is the reason for them wanting the document kept secret, is for demonstrations and similar where you would not want the organisers to be able to re-route a march, etc. And then it starts to look rather undemocratic.

Doh, me being stupid again! Why would they presume the people should have any say in their government's actions?

11
0

When THINGS attack! Defending data centres from IoT device-krieg

Paul Crawford
Silver badge

The problem comes down to two simple issues:

1) People want new & shiny & cheap.

2) No one gets punished for shit software.

Put them together and you see what IoT is bringing. As we can't stop people buying cheap tat, the only other real option[*] is to start making suppliers liable for shit security.

We know you can never be perfectly secure, but "shit" means things like known insecure protocols, no enforcement of password changes, no patching, ignoring vulnerability reports for more than 30 days, etc. That sort of thing ought to be punishable by more or less unlimited fines depending on how much lacking in diligence is found.

[*] Of course we could pay lots to mitigate other people's shit, but that is a lost battle if the projected numbers of IoT are true. Making the "polluter pay" is a better idea IMHO.

2
0

NINETY PER CENT of Java black hats migrate to footling Flash

Paul Crawford
Silver badge

Re: 120%?

They are allowing for the Spinal Tap Hacking Crew.

2
0

Welcome, stranger: Inside Microsoft's command line shell

Paul Crawford
Silver badge

Re: re: Windows XP was the first PC operating system to drop the MS-DOS

I think he meant the first consumer-facing system. They ran in parallel with 95/98/ME and were intended for serious applications (proper 32-bit programs, multi-user, etc).

Sadly in the push to make consumer & professional lines converge and be fast enough for gaming, compatible with older badly written software (some of it MS' of course!), etc, a lot of dumb decisions were made w.r.t. security, etc.

0
0

So how should we tax these BASTARD COMPANIES, then?

Paul Crawford
Silver badge

Re: High Wage and High Cost Economies

"That affects the price of everything"

Yes, but it also pays for better standards of health, hygiene and public safety. Where would you rather live, a poor-to-middle region of the UK, or poor-to-middle of Indonesia?

(nothing against Indonesia as such, but it's your example)

3
1
Paul Crawford
Silver badge

Why tax?

AFAIK the reason for taxation is we all want to live in a safe and prosperous environment.

That in turn means we need protection from those who would steal our sheep and rape our wife (or steal the wife and rape the sheep, same principle). For outside of our nation (a somewhat arbitrary boundary, usually resulting from hundreds of years of bloodshed and the odd natural boundary) it means we need some armed services and intelligence agencies, and inside that boundary we need the police and legal system. All has to be paid for.

We also want things to be generally clean and safe, so we need things like sanitation and refuse disposal, health care, some standards and enforcement of employment law, etc. For long term prosperity we also need education so those who are able can do well in employment, not just those lucky enough to be born to those who value and can afford to pay for it. Bitter experience has shown that most people are lazy and will try to avoid "public spirited" support, very much so if it costs them money, so we also have to find a way of making sure it is paid for. So we have taxation.

"why not negative income tax for individuals"

Is that not one key aspect of the welfare state? To provide support for those who can't otherwise afford food, shelter, etc? While it might be popular in certain political circles to class them as spongers and time-wasters, and I dare say there is a proportion who are like that, the reality is a lot of folk will find themselves out of work at some point in their lives for any one of a number of reasons. Without support they could well end up as 'unemployable tramps' and never get a 2nd chance. Even if you are totally self-interested you should still want some welfare state, as poor and hungry people may decide to take your property and maybe life as well since they have little to lose.

I am not saying current governments are optimum, but it is a hell of a lot better than the pre-taxation days.

10
0
Paul Crawford
Silver badge

Evasion opportunities?

One thing that has been touched upon in these comments, rather than in the article, is the issue of how easy it is to evade the show of profit in order to avoid taxation.

That is the main beef of "man in the street" when it comes to corporate tax, not that it is, say, less than standard rate income tax, but that on massive turnover somehow international business (and some UK based ones) magic it away via shell companies, curious accounting practice, etc, and they are only seeing a pittance in "profit" to tax, when we know (or at least suspect) someone, somewhere, has made a fortune.

Now there may well be a truth that taxing people directly, be it consumer, worker or shareholder, is simpler and ultimately who pays anyway. But for a lot of the public having some system that taxes on turnover or related activity would be seen as fairer as there are not huge sums of money going abroad without tax being paid to support the local government and population.

7
1

Who was downloading smut in the office while eating ice cream?

Paul Crawford
Silver badge

Re: hmmm

Indeed. As the apocryphal survey found out: 90% of men masturbate and 10% are liars.

13
0
Paul Crawford
Silver badge

Shame that she felt she could not come back to the job. He should really have just given her a stiff talking-to so she could come clean and not be interfering with the company's download jobs, those that ought to have been in-hand at that time of the evening.

42
0

Why Box and not SharePoint? 'Everybody doesn't hate us' says Box engineering veep

Paul Crawford
Silver badge

Re: SaaS Bubble

At least if you are using a synced-to-the-cloud system and the supplier goes off line one day forever, you still have a local copy of your data.

0
0

China tackles vital strippers-at-funeral problem

Paul Crawford
Silver badge

@h4rm0ny - down votes

There is often no rhyme nor reason for commentards' voting actions.

They might not like the practice and choose to down-vote you as the messenger, or maybe they have some petty grudge based on some other posting of yours they didn't like. Or maybe their underpants were on too tight. Who knows?

Actually I'm betting on the underpants.

5
0
Paul Crawford
Silver badge

Re: @Ian Emery (was: Fantastic idea, I have already booked some for my funeral.)

He won't benefit in any way from even having a funeral, or anything, being dead.

But while he is alive, or even on his way to meet Death, he can enjoy the joke.

18
1

Ransomware crims drop Bitcoin faster than Google axes services

Paul Crawford
Silver badge

Reactive vs Proactive

"Far too many people are willing to pay up to have their data decrypted"

Such a shame they are so much less willing to pay for a backup (or someone knowledgeable to arrange & test it for them). Such is life...

1
0

Surveillance, broadband, zero hours: Tech policy in a UK hung Parliament

Paul Crawford
Silver badge

Sadly we, the populace, were given a chance to vote on at least some revision to the first-past-the-post system and we rejected it. Why you ask?

Maybe due to the Tories & Labour pushing to keep the system in place that has served both of them well since WW-2.

Or maybe because the morons out there felt it better to "punish" the Lib-dems for failing to hold back the Tories' education cuts & fees, than to make for a better and more representative future.

What do they say about getting the government you deserve? :(

14
0

Microsoft to offer special Surface 3 for schools

Paul Crawford
Silver badge

Re: Chromebook?

The big saving comes from the almost complete absence of malware for a chrome book, and the inability of BYOD style kids bringing them in infected with that, or other general crap that might be disruptive installed.

5
2
Paul Crawford
Silver badge

Re: Back in my day...

Slide rule? Oh how we dreamt of a slide rule!

That were luxury! We had to work with an abacus down t'mine and were beaten for 27 hours per day if you got it wrong! And you tell the kids today and they won't believe you...

2
0

FBI alert: Get these motherf'king hackers off this motherf'king plane

Paul Crawford
Silver badge

Really? I thought Boing, etc, assured us all that there is NO POSSIBILITY of in-flight systems being connected to the critical aircraft systems and thus leading to vulnerabilities.

Are you telling me they lied about this? When are Boing, Airbus, etc, going to be arrested and prosecuted for recklessly exposing critical systems to danger?

5
1

London man arrested over $40 MILLION HFT flash crash allegations

Paul Crawford
Silver badge

Re: meh

"HFT isn't the issue"

Really? Being fooled by proposed sales that don't ever take place, and you say that is not a fundamental failure?

What he may (or may not) have done may be dubious, but the real issue is just how much those automated traders were taken in by momentary data of sales that did not complete. You would have thought after one or two incidents they would have learned, but no, it seems to have been profit for years if the allegations are true...

8
1

White House cyber-general says US must be able to cyber-nuke the worst of the cyber-worst

Paul Crawford
Silver badge

+1 for that.

Really, the note about UL is the only sane thing but it misses the point - there is a need for standards of software/systems not being shitty that are legally enforced. If your kit fails the UL standards then AFAIK you can't sell it in the USA/Canada and if you do you can be prosecuted.

We need something similar for software: a requirement that best-practice (e.g. MISRA coding standards, etc) is used when writing it and the security aspect is properly considered, and finally that timely bug-fixes are provided for free (i.e. covered by the initial sales cost) and are practical to install for 5 years or so after the product family is last sold. Some legal stick is also needed, e.g. making the supplier liable for the consequences if not patched effectively after say 30 days of a vulnerability being reported, and making it illegal to obstruct security testing/auditing of your products.

Yes, I know that costs money to do, but if it is a requirement on ALL businesses then doing it right is no longer a cost-penalty compared to the shitty state we currently see.

3
0

VAMPIRE SQUID romps stun scientists: Unique sex lives revealed

Paul Crawford
Silver badge

Motion in the ocean

But does it make for a small craft advisory?

1
0

High on bath salts, alleged Norse god attempts tree love

Paul Crawford
Silver badge

Oh once he has come down from the drugs he will be discharged

12
0

iPhone vs. Galaxy fight hospitalises two after beer bottle stabbing

Paul Crawford
Silver badge

Re: Wrong conclusion to the report

The funny thing is stupidity seems to increase quickly with alcohol consumption.

2
0

D-Link router patch creates NEW SOHOpeless vuln

Paul Crawford
Silver badge

The whole printf() family should always be regarded as suspect because (1) a lot of compilers can type-check the format string against the variable argument list, and (2) you don't always know if the destination string(s) are long enough to hold the result(s).

These days gcc can format-check, and most decent static analysis tools also do this, but I have seen too many projects with shed-loads of compilation warnings that were obviously ignored. And most modern libraries have 'nprintf' variants where the target buffer can have its size passed in to stop buffer overruns.

As with a lot of these problems, the solutions are already out there if only they would use them :(

2
0
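As an added illustration of the two habits the comment asks for (pass the destination size in, and have the compiler check the format string), here is a small bounded string builder around vsnprintf(). This is example code written for this page, not from the commenter or from D-Link; the struct, function names and sample values are constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original comment): a bounded string builder
 * around vsnprintf(). Two habits it enforces: the destination size is always
 * passed in, and the return value is checked, because snprintf() reports the
 * length the whole result would have needed, not how much it actually wrote. */

#if defined(__GNUC__) || defined(__clang__)
/* Lets gcc/clang check the format string against the arguments at compile
 * time (-Wformat), the same check the comment says too many projects ignore. */
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

struct strbuf {
    char  *buf;        /* caller-owned destination */
    size_t cap;        /* total size of buf, including room for the NUL */
    size_t len;        /* bytes used so far, excluding the NUL */
    int    truncated;  /* set once any append did not fit */
};

void sb_init(struct strbuf *sb, char *buf, size_t cap)
{
    sb->buf = buf; sb->cap = cap; sb->len = 0; sb->truncated = 0;
    if (cap) buf[0] = '\0';
}

/* Append formatted text. Returns 1 if it fit whole, 0 if it was cut short.
 * On truncation the buffer stays NUL-terminated and len stops at cap-1, so a
 * later append cannot walk past the end (the classic "p += snprintf(...)"
 * pattern does exactly that once one call is truncated). */
PRINTF_LIKE(2, 3)
int sb_appendf(struct strbuf *sb, const char *fmt, ...)
{
    if (sb->cap == 0 || sb->len >= sb->cap - 1) {
        sb->truncated = 1;
        return 0;
    }
    size_t room = sb->cap - sb->len;          /* includes space for the NUL */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(sb->buf + sb->len, room, fmt, ap);
    va_end(ap);
    if (n < 0) {                              /* encoding error: keep old text */
        sb->buf[sb->len] = '\0';
        sb->truncated = 1;
        return 0;
    }
    if ((size_t)n >= room) {                  /* would not fit: clamp length */
        sb->len = sb->cap - 1;
        sb->truncated = 1;
        return 0;
    }
    sb->len += (size_t)n;
    return 1;
}

/* Build a URL-ish string into a caller-sized buffer. Returns 0 when the whole
 * result fit, -1 when it was truncated (a truncated result must not be used
 * as though complete, e.g. as a path handed to a later open()). */
int format_route(char *out, size_t outsz, const char *host, int port, const char *path)
{
    struct strbuf sb;
    sb_init(&sb, out, outsz);
    sb_appendf(&sb, "http://%s:%d", host, port);
    sb_appendf(&sb, "%s", path);
    return sb.truncated ? -1 : 0;
}

int main(void)
{
    char buf[64], small[16];   /* constructed sample buffers */
    int rc = format_route(buf, sizeof buf, "example.test", 8080, "/status");
    printf("%s (rc=%d)\n", buf, rc);       /* fits: rc=0 */
    rc = format_route(small, sizeof small, "example.test", 8080, "/status");
    printf("%s (rc=%d)\n", small, rc);     /* cut at 15 chars: rc=-1 */
    return 0;
}
```

Compile with `-Wall -Wformat` and a deliberately wrong argument type to `sb_appendf` is flagged at build time, which is the point of the attribute.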

In some ways, dating apps are the anti-internet

Paul Crawford
Silver badge

What is worse is that some folk do seem to succeed by using the “Hi, wanna jiggy?” approach, and that leads to the tragic reality of Darwinism:

"Survival of the fittest" is often misunderstood to be about strength, cunning, health, etc. It is not, it is about the ability to out-breed your opponents by any means.

8
0

Why are enterprises being irresistibly drawn towards SSDs?

Paul Crawford
Silver badge

@Rebecca M

The majority of HDD errors are indeed detected by the controller and/or reported by the disk itself when a read request cannot be honoured. That is what classical RAID protects against.

With a periodic "scrub", where the system attempts to read all HDD sectors so errors are seen and re-written to hopefully fix the problem via sector reallocation, you get a good chance of not ever suffering from known RAID failure under normal conditions (data read, or more commonly when a HDD is replaced and a rebuild is needed).

But today where you might have massive data sets you can't ignore the problems of "silent errors" where the HDD's correction/detection system, or any one of a number of other sub-systems, has messed with your data. You might want to read this paper on the subject:

http://research.cs.wisc.edu/wind/Publications/zfs-corruption-fast10.pdf

(There is another from CERN but I don't have the link to hand)

2
0
Paul Crawford
Silver badge

You have to start with the assumption that if a storage device fails, you won't ever/economically get any/trustworthy data back off it.

From that starting point, you ought to have enough paranoia to assume the worst, so you begin with the question of what happens when (not if) your device fails/corrupts?

RAID saves you down-time, both use (machine keeps working) and admin (no need to restore your backup) but RAID!=Backup as we are always told.

Also most RAID & file systems don't have integrity checks so you can have data corruption and not know until something starts playing up. Once you realise this and the vast amount of data you may need to store (comparable to the 10^14 bits of HDD error rate) you might want that, so you then invest in ECC memory and a file system like ZFS or GPFS that has checks. They also support snapshots, a vastly under-rated feature that can save a lot of hassle in restoring a just deleted/modified file, or simplifying a consistent backup point-in-time.

And then there is your backup, which ought to be in another building and not on-line as a mounted file system or you might get ransomware screwed (something that snapshots can also help with, if you notice soon enough).

Really the arguments for SSD vs HDD that matter are cost/GB and IOPS, and smarter systems will use both to give lots of storage at good price and responsiveness.

5
0

This open-source personal crypto-key vault wants two things: To make the web safer ... and your donations

Paul Crawford
Silver badge

I suspect such side-channel attacks are only a real problem for remote equipment, or DRM applications where the end user/customer/dupe also "owns" the hardware that is intended to oppress them.

If you are enough of an intelligence agency target to have probes attached to hardware in your own business or home, I doubt the finer points of hardware design will be your biggest problem...

2
0

Life after Nokia: Microsoft Lumia 640 budget WinPho blower

Paul Crawford
Silver badge

GUI madness

"apparently taking away a phone UI people love and replacing it with a desktop UI people don’t is regarded by the Head Shed at Redmond as some kind of strategic masterstroke"

Redmond is not the sole practitioner of this dumb practice. You can take most recent GUI designs for phone and desktop and look at the respective replacements offered by MS, Apple and the majority of Linux distros, and you are left wondering: WTF do GUI designers aim to do? So often the "new" approach is dumber, less usable and hides the stuff that made folk like something in the first place.

Bah, a pox on them all!

21
1

Welcome to the FUTURE: Maine cops pay Bitcoin ransom to end office hostage drama

Paul Crawford
Silver badge

Re: How hard can it be?

Firstly it was most likely a Windows system.

Secondly while you thought you were being smart, you just gave yourself a false sense of security - what about /tmp /var/tmp (probably some others under /var as well), and /run/shm which are by default world-writeable and support execution?

0
0

Bored with Blighty? Relocation lessons for the data centre jetset

Paul Crawford
Silver badge

Re: Depresses me that consideration for UK areas...

Scotland had/has some collocation of hydroelectric generation and high-consumption industries like aluminium smelting. I'm pretty sure you would get a good deal on power and no cooling problems in those locations. Getting top-notch connectivity might be an issue, but I guess it depends on what your budget is and what the ratio of data to processing load in the centre is.

However, understanding the locals can be a challenge, even for those born in Scotland but 50 miles away...

1
0

IBM tightens Passport Advantage licensing terms

Paul Crawford
Silver badge

GPL as "complex" really?

It's quite simple really: I give you my code with the condition that if you modify/improve it for distribution, you make said changes available to others. That way we all benefit.

2
1
Paul Crawford
Silver badge
Linux

More and more it seems the incentive to keep away from any of the big software vendors is huge.

This is not a rant against paying for software/services, but at the complexity and opacity of the terms of said licenses.

Tux - a friendlier license ->

2
0

Astronomers battle plague of BLADE-WIELDING ROBOTS

Paul Crawford
Silver badge

Why don't these companies choose any one of the bands already free for use, rather than pissing on others' established usage and then asking for rules to be changed due to their own incompetence?

111
0

UK.gov: We want Britannia's mobe-enabled cars to rule the roads

Paul Crawford
Silver badge

Autonomous?

Really, is it wise to depend on communications for an "autonomous" car?

I thought the whole point is they can deal with current real-life traffic and the millions of human-driven vehicles that will still be in use for decades after the first self-driving cars are able to be deployed.

So while data links are nice and helpful to coordinate avoiding traffic jams and to warn about upcoming road conditions, accidents, etc, you still have to be able to deal with that if you are the first car there, thus operation without radio links should be a starting point in certifying a design.

18
0

Al Franken to FBI: We need MORE revenge smut arrests

Paul Crawford
Silver badge

@h3

Yes it is simple for some old bugger like myself to see how foolish some young person is to allow a photograph or video to be taken that might appear later. Also I can point out the hypocrisy and deceit of a society that will judge you by the odd image depicting you without the requisite amount of clothing.

But that is a reflection of my, and others', own weakness and prejudice.

Though I suspect the whole 'revenge porn' law and action is more about self-serving wankers in power, I do feel deep down that we, the mass of humanity, need to take a look at ourselves and to realise that a photo or video of some consensual activity should NEVER be seen as a problem for those taking part. Only for those who object without any experience or justification (probably the psychological reason for such a 'problem' in the first place).

8
0

Project Spartan: We get our claws on Microsoft's browser for Windows 10

Paul Crawford
Silver badge

Re: How...

My thought exactly, if I want "full screen and no controls" I can use F11

6
0
Paul Crawford
Silver badge

Nope - creeps me out too...

7
1

Put those smartphones away: Google adds anti-copying measures to Drive for Work

Paul Crawford
Silver badge

Re: The more I think about the security of Google Cloud.

You seem to be missing the obvious - you are then sharing EVERYTHING with Google and therefore are under Uncle Sam's laws.

Oh yes, and if you get in to any sort of contract or IP/DMCA-style dispute they can make your business vanish in a stroke.

9
0

Microsoft update mayhem delays German basketball game, costs team dear

Paul Crawford
Silver badge

Re: Two words...

"Few options but to kill the power and corrupt the SD card"

Can't you SSH in and shutdown from there?

2
1
Paul Crawford
Silver badge

Re: @NumptyScrub

Firefox warns you it needs restarted, so unless you really hold the browser open for days on end (just how much RAM do you have?) that is dealt with.

Also any new instance of a call (e.g. starting flash for a new video) gets the new version, so unless you are watching the same compromised video for weeks, same applies.

It's not perfect, but it seems a better approach than Windows where you can't replace an open file, so all sorts of stuff has to be done on shutdown/restart.

7
2
Paul Crawford
Silver badge

Re: Linux

"get stuck waiting for a disk check"

That is not too long if you use ext4 (default these days). E.g. my PCs typically take 10-20 seconds to check and that is with spinning rust HDD filled with 100+GB of crap I could probably safely delete.

Still, if you ever had to wait for the old non-journalled systems like ext2 to fsck then you have reason to be concerned.

2
0
Paul Crawford
Silver badge

Re: Linux

"With Linux 4.x you will not have to reboot at all soon for ANY updates..."

For the kernel maybe, but what about the cluster-fsck that is systemd?

10
0
Paul Crawford
Silver badge

Re: Clearly it's a case of...

Oh I don't know - being unable to use your PC for 17 minutes due to updates is a serious flaw in the OS design.

While not really wanting to start a pointless OS willy-waving competition, I still ought to point out that other OSes can be updated without needing you to stop and, more critically, for updates that actually need a reboot such as a new kernel, it's just the usual 30 seconds or so to restart.

All possible because the new files were already in-place earlier as *NIX style file systems allow an atomic in-place replacement of files, but still allow an open file handle to continue using the previous on-disk data until the last handle is closed (i.e. on shut-down for the kernel or similar).

18
9
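The replace-while-open behaviour described in the comment above, shown as an added example (not the commenter's code): a "running program" holds the old file open, the updater writes a temporary file and rename()s it over the path, and the old handle keeps reading the old bytes while a fresh open sees the new ones. The file names are constructed for the demo and are created in the current directory; the atomic-rename guarantee is POSIX, so this is not expected to behave the same on Windows.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original comment): demonstrates the POSIX
 * rename()-over-existing-file semantics the comment relies on. Names below
 * are constructed for the demo. */
#define DEMO_PATH "demo_service.conf"
#define DEMO_TMP  "demo_service.conf.tmp"

static int write_whole(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(text, f) >= 0 && fflush(f) == 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Write the new content to a temporary file first, then rename() it over the
 * target. On POSIX the rename is atomic: any observer sees either the whole
 * old file or the whole new file, never a half-written one. */
int replace_atomically(const char *path, const char *tmp, const char *text)
{
    if (write_whole(tmp, text) != 0) return -1;
    if (rename(tmp, path) != 0) { remove(tmp); return -1; }
    return 0;
}

/* Runs the scenario. Returns 1 if the handle opened before the replacement
 * still read the old content while a fresh open saw the new one, 0 otherwise. */
int demo_old_handle_keeps_old_data(void)
{
    char seen_by_old[64] = {0}, seen_by_new[64] = {0};
    int result = 0;

    if (write_whole(DEMO_PATH, "version=1\n") != 0) return 0;

    FILE *old = fopen(DEMO_PATH, "r");   /* the "running program" holds this */
    if (!old) { remove(DEMO_PATH); return 0; }

    if (replace_atomically(DEMO_PATH, DEMO_TMP, "version=2\n") == 0) {
        /* 'old' still refers to the original inode, now unlinked from the
         * directory but kept alive until this last handle is closed. */
        if (fgets(seen_by_old, sizeof seen_by_old, old)) {
            FILE *fresh = fopen(DEMO_PATH, "r");   /* sees the new inode */
            if (fresh) {
                if (fgets(seen_by_new, sizeof seen_by_new, fresh))
                    result = strcmp(seen_by_old, "version=1\n") == 0 &&
                             strcmp(seen_by_new, "version=2\n") == 0;
                fclose(fresh);
            }
        }
    }
    fclose(old);          /* the old inode's blocks are released only here */
    remove(DEMO_PATH);
    return result;
}

int main(void)
{
    printf("old handle kept old data, new open saw new data: %s\n",
           demo_old_handle_keeps_old_data() ? "yes" : "no");
    return 0;
}
```

The same mechanism is why a replaced shared library or binary keeps serving already-running processes until they restart, which is the "just restart the browser" case discussed in the thread.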

Think server vulns are the IT department's problem? Think again

Paul Crawford
Silver badge

Re: Attack surface

While you might think that is a good idea, it's not really, as then your IT folk are unlikely to be good at all of the systems.

Sure, choose the less-attacked OS if you can (i.e. you can get matching applications that work for you) but you really need to concentrate on:

1) Having someone (internal or contractor) who is good at their job and looks after things. For example, having someone who really knows Windows and is allowed to lock things down will be better than a monkey who thinks they know Linux, even if the attack statistics point the other way.

2) Keeping stuff patched as far as possible.

3) Having an isolated backup that you KNOW you can recover when it's needed (i.e. something that ransomware can't also encrypt because it's not visible as a file system to normal computers).

4) Training staff not to do dumb things and, more importantly, if they do make a mistake or suspect something odd is happening to get it dealt with immediately and not pretend it never happened.

My 2p worth.

2
0