* Posts by Paul Crawford

1526 posts • joined 15 Mar 2007

Reports: NSA has compromised most internet encryption

Paul Crawford
Silver badge
Unhappy

Such a surprise?

For those with a good range of metallic headgear, this should come as no big surprise. After all, few bank robberies actually break the safe door, they either get the keys (by bribery or coercion) or they go in via the walls that are weaker.

It has long been known that the whole concept of SSL is fundamentally broken: compromise any one of the ~600 issuers and you can fake a certificate for man-in-the-middle attacks, and yet no one has seriously tried to fix this in spite of the occasional publicised attack.

Similarly a lot of VPNs use only PPTP as it is MS's favoured option, though known to be also fundamentally broken w.r.t. MITM attacks, etc.

And with MS being on such good terms with the US gov it is hard to avoid the conclusion that they would work with three-lettered agencies to either allow direct access, or not to close useful holes unless the "bad guys" start using them. Why are the likes of skydrive (and Google's offerings) not client-side encrypted by default? Maybe laziness, maybe to help? Who knows, so adjust your hats accordingly...

None of this means that encryption is not a good way of protecting your privacy, it is. But what it means is you cannot trust most of the current players that should be delivering it to be acting in the interest of you, the customer.

25
0

Microsoft, Nokia and the sound of colliding garbage trucks

Paul Crawford
Silver badge

@LDS

Remember MS are as much a part of PRISM as Google.

And the issue there is not that they were complying with court-ordered access (as in the "Nuremberg defence"), but that they went out of their way to assist in the gathering of such data as part of a paid program...

2
0

Furious Frenchies tell Apple to bubble off: Bling iPhone isn't 'champagne'

Paul Crawford
Silver badge

oenophiles had their wicked way

Oh yes baby!

0
0

'Anonymous' to Reg hack: We know SEA leaders' names

Paul Crawford
Silver badge

Maybe, just maybe, they could hire and empower some smart folk to properly secure their systems and BOFH-enforce good practice on their employees' use of passwords, etc, so they don't get hacked so often?

Deal with the problem (badly secured system), not the symptoms (Anonymous, etc, posting goatsee images for fun, etc).

3
0

Boffins follow TOR breadcrumbs to identify users

Paul Crawford
Silver badge

Re: Anonymity

>Did anyone really think that anonymity Tor could be guaranteed?

I suspect even for gov-level snooping (maybe less so for pan-gov like USA/UK/CAN/NZ sort of thing) and for its intended job of the occasional spy/oppressed activist message it is good enough. But not for users who route a lot of traffic through it, which is the key to this discovery.

And WTF routing bittorrent through it? Not only is that going to give your game away much more, it is a serious abuse of the network and going to be real slow. Really, such folk should be using a VPN for that sort of thing.

12
0

HTC trio suspected of pilfering design IP

Paul Crawford
Silver badge

Was this valuable IP?

"downloading info on the new Sense 6.0 UI"

Strewth, as our antipodean cousins are alleged to say, why pilfer something that is hardly worth the time of day? Maybe these jokers at the top of HTC and that sense of priority partly explains why the phones have sucked for so long.

2
2

Microsoft cedes board seat to activist investor

Paul Crawford
Silver badge

Re: So less than 1% of stock will get you a seat on the board?

I suspect a break-up and profit maximise route will be taken.

I am not sure how to react to that as I have no love lost for MS. On the one hand, MS employees should be worried; on the other, breaking up MS into 4 or so separate businesses could be the best thing for MS, its users, and the competition as each would have the incentive to do the best for its customers, and not to leverage sales/lock-in for any other business unit. For example:

Windows (both home & server)

IE and Office (eventually to make them properly multi-platform and totally independent of Windows)

Bing and Azure

Xbox and consumer trivia

Development & management tools for Windows.

5
1

Indian government to bar politicians from using Gmail for official business

Paul Crawford
Silver badge

Re: They were using Gmail?

Quite. From a national security point of view, and an audit point of view it is mind-bogglingly dumb, and something that almost defies sense. At least for el Reg readers who understand a bit about Gmail, Office365, etc, policies.

But here in the west a lot of organisations use either Gmail or Office365 as their provider, and the likes of BT outsourced to Yahoo. Us tech folk pointed out a whole host of issues, and upper management ignored them for reasons of cost and convenience (actually the "convenience" aspect is often about internal IT policy & cast as well).

And that is without having to deal with the crushing bureaucracy in India. That should not be dismissed as a racist or xenophobic comment by the way, as my Indian friends and business contacts would tell you the same :(

1
1

Punter strikes back at cold callers - by charging THEM to call HIM

Paul Crawford
Silver badge
Trollface

Informing of costs?

What, you mean that Ofcom and the telecoms industry has not organised phone numbers so the prefix can be parsed simply to tell you the cost?

20
0

Quantum crypto nearly ready to go mobile

Paul Crawford
Silver badge

What is the application for this?

I mean, what real use is an uber-secure link to a smartphone that is likely to get lost and/or otherwise compromised by being basically a consumer-grade machine with (in most cases) damn-all in the way of regular security patches?

Put it another way, how often is the maths of https broken (as opposed to some dumb certificate issue) compared to Trojans or other hacks being deployed to end user's computing devices to achieve the same thing?

So full marks for ingenuity, but I am still kind of wondering who and what this will be used for in practice.

0
0

Boffins' keyboard ELECTROCUTES Facebook addicts

Paul Crawford
Silver badge
Thumb Up

@LazyLazyman

Well played sir!

0
0
Paul Crawford
Silver badge
Gimp

Other usage?

So I am guessing there is a version for fetlife that makes it more addictive?

1
0

Nissan promises to sell self-driving cars by 2020

Paul Crawford
Silver badge

Re: Insurance?

Not just insurance, but also system support. What happens in 6 years when your Whizo Mk3 is not supported any more? Will it be a bit like aircraft (where it is illegal to use it for commercial use) and so force it to be scrapped?

Also will you have to get it serviced to aircraft-standards (and presumably cost) as so much of the system is safety-critical and you will find it illegal/uninsurable without that? Will the cars simply refuse to work if they are not up to schedule on this?

While I can see the safety benefits from eliminating morons, I can also see cars becoming a lot more expensive to maintain.

1
0

Microsoft Xbox One to be powered by ginormous system-on-chip

Paul Crawford
Silver badge
Coat

Re: " tweaked by Microsoft to within an inch of its life"

Why did I read that as "twerked by Microsoft to within an inch of her life"?

Mine is the dirty mac(OS) ->

4
4

NASA: Full details on our manned ASTEROID SNATCH mission

Paul Crawford
Silver badge

Re: Powerpoint mission...

Expensive over many years? Yes. But compare with the 1-year budgets of others for perspective:

Defence (including State, Homeland Security and Veterans Affairs) - $618 billion.

Health and Human Services - $78.3 billion.

Education - $71.2 billion.

Housing and Urban Development - $33.1 billion.

Energy - $28.4 billion.

Agriculture - $21.5 billion.

6
2

Oracle launches paid support for 'free' NoSQL database

Paul Crawford
Silver badge

Re: Clever

Also to add to the debate around the GPL, you do realise that you can still charge for software under the GPL?

http://www.gnu.org/licenses/gpl-faq.html#DoesTheGPLAllowMoney

Of course, the requirement to distribute the source code with any binary may still not work for your type of application (you have not said what that is, and posted as AC there is no obvious way to find out) but for a big range of application areas where the customer is moderately trustworthy this can be an advantage in completing a sale.

1
1
Paul Crawford
Silver badge

Re: Clever

"Free software cannot impose limitations on use"

I am sorry you seem to lack the ability to understand copyright laws and software licenses. Software that is "free" is released for use under the conditions expressed by the authors, which may be the GPL. They can, and do, insist that if you choose to use their code that you respect that intention.

What you do with your own code is up to you, but should you wish to use GPL code then you have to play according to the rules of those authors.

"it cannot be considered a free software license, an "ideological software license", perhaps"

Call it what you want, but it is still a license and a large number of people chose to use it. You don't have to use it, after all you could re-invent the same work on your own if you chose not to abide by the GPL.

The GPLv2 versus GPLv3 argument is a lot more complex than you seem to comprehend. One key point is that v2 has allowed the likes of TiVo to use the software in hardware but to prevent the owners of the hardware from changing it due to boot loader signing; v3 was intended to address that restriction on the end user's freedom.

"Statistical anomaly. Most companies trying the "buy support, get a free application" model have gone to the wall. I addressed these outliers, do try comprehending the complete argument next time."

Can you give some examples of these failures?

Off hand I can think of some obvious successes, like Redhat and IBM with support as a directly paid service, and others like Mozilla and Android that are indirectly paid via advertising revenue.

1
1
Paul Crawford
Silver badge

Re: Clever

"when I write a separate library which merely makes use of a GPL library, I am forced to release my own code. *MY RIGHTS* to *MY CODE* have been removed from me due to [A]GPL infection."

No, you seem to be unable to grasp the idea that the GPL library exists only for use by those who will agree with the author's intentions.

Why complain? You are not being forced into using others' work, you are complaining that you can't legally take short cuts to developing an application without rewarding the GPL author(s) in terms of freedom, rather than money.

Funny you should consider GPL to be "fine for hobbyists and tinkerers whose efforts will never enter mainstream professional use" when a large number of contributors to, for example, the GPL'd Linux kernel include such money-hating organisations as IBM, Intel, Oracle, Cisco, and even MS made it into the top-20.

Oh, and Redhat's current market cap of $9.76B clearly shows you can't possibly make money off a service business...

1
1
Paul Crawford
Silver badge

Re: Clever

"The GPL remove MY RIGHT to MY CODE."

The GPL protects the original author's rights to their code. They offered it openly with the intention that others would benefit and DO THE SAME for others. As I said, if you don't want to reciprocate then you have no rights to make use of such open source code.

Keeping code secret is not the only way to make money, though in some cases necessary. If you work from scratch you can do what you like with your work, but as soon as you want to make use of others' work you need to respect their rights.

Also if you get code under LGPL then it is acceptable to link it as a library, but any changes to that library code need to be released back. Use things according to the author's intentions.

3
1
Paul Crawford
Silver badge

Re: Clever

"its infectious nature (you have to give everything away that derives from or links to GPL code, and thus can´t recoup investment costs) "

You write this as if it is bad, you know that you took someone else's work and expect to make money from it without giving anything back?

"If you are running a project, pick a license other than [A]GPL to ensure adoption."

If you are running a project, either respect the original author(s) rights, or do the whole damn thing yourself from scratch.

Fixed it for you...

6
1

Germany warns: You just CAN'T TRUST some Windows 8 PCs

Paul Crawford
Silver badge

Re: Swings and roundabouts....

Really, you can get *ALL* the code for Windows and build it yourself? Including those modules considered "DRM" or "security", and promptly for all patches?

Why have the Germans not been aware of this openness?

10
0
Paul Crawford
Silver badge

Re: Swings and roundabouts....

This is much deeper than the auto-update feature, we already have that with most OS including Windows.

This is about stopping any way of monitoring code by means of a VM or debugger without the OS knowing. While that could be used for malware protection, that is not the primary reason why this was developed. It was developed for money - to toughen DRM and/or prevent users from doing things that go against the vendor's policy - like installing software that has not come from a walled garden pay-store, for example.

What I think the Germans are concerned with is this ability for the OS to hide its actions by not running (or running in a different mode) if there is any attempt to analyse it. Added to that you have the machine-ID aspect which a lot of organisations would love to have - a definite way of tying on-line activity to a specific machine.

28
0

Kim Kardashian's bosom pal in bling snatch Instagram unpleasantness

Paul Crawford
Silver badge

I expect most readers think it is wrong to steal, but equally they think it is mind-numbingly stupid to advertise / taunt the masses with something that is there principally to show off the fact that the wearer has more money to spend on a single item of decoration than the average person can earn in a decade.

As for taste, well that of course is one's own matter. Personally I think the watch is tacky, as a fraction of the cost would buy a selection of watches that are either better examples of mechanical engineering and/or more accurate in time-keeping (possibly both). If you ask readers of a technical news site for an opinion, don't be surprised if they don't share some of this view point.

7
0
Paul Crawford
Silver badge

I think that would still be true with a plastic watch from the Poundshop...

4
0

Need the loo AND need to build a website? There's an app for that

Paul Crawford
Silver badge

Re: Dedicated web presence

The problem (for them certainly) is when you then get "you have to log in to Facebook" in order to see the page. At which point they have just lost a customer...

1
0

Flash! Ah-ahh! Saviour of the universe? It'll save every one of us?

Paul Crawford
Silver badge

Re: Hybrid really isn't the way to go.

That is exactly what is wanted, but given there are no signs of any of the big OS vendors rolling this out in the next few years you will see punters opting for hybrid as the "best" compromise between speed, capacity, and cost for those with either low budgets and/or big data files.

0
0
Paul Crawford
Silver badge

Re: Best upgrade...

I sincerely hope you are not using scandisk as that would imply you are using a Win9x / FAT32 system!

I am guessing you mean chkdsk? And if so you should be running it with /r option to search for any bad sectors.

But if your data actually matters to you, then in addition to a backup copy you would be using a RAID system and making sure it was scrubbed regularly to (hopefully) find and fix bad sectors while the other disk(s) are still good at that location.

By default Debian Linux systems using the MD RAID system do a scrub on the 1st Sunday of each month, but if your machine is not on 24/7 then you may want to run it manually or more frequently.

I have no idea if Windows has a scrub option for its software RAID, anyone able to comment?

Better still, use ZFS for its checksums and, again, make sure you have it scrubbed periodically so badness is detected and possibly corrected (or at least the disk failed out) before you get into a state of being unable to rebuild the RAID parity as multiple blocks have failed across all of the storage.

0
0

Four ways the Guardian could have protected Snowden – by THE NSA

Paul Crawford
Silver badge

Re: But, but...

Look at it this way:

Apple - USA company, part of PRISM, closed source. Definitely compromised.

MS - USA company, part of PRISM, closed source. Definitely compromised.

Linux - no specific country, open to inspection. Probably compromised.

If you are *that* worried keep an air gap.

6
0
Paul Crawford
Silver badge

Re: A wrong assumption

DES was created and recommended in the mid-70s; is it any wonder that after computer power increased by several million times the trade-off in effort using it versus effort breaking it is a bit weak now?

It is also worth noting that DES was surprisingly resistant to differential cryptanalysis, something only made public years after it was created:

http://en.wikipedia.org/wiki/Differential_cryptanalysis

So you really need to reconsider your tin-foil hat's settings. Most attacks do not go via the algorithm (if it is at all competent) but via the key, probably using Trojans or rubber-hose cryptanalysis.

3
0

Brazilians tear strip off NSA in wake of Snowden, mull anti-US-spook law

Paul Crawford
Silver badge

Re: Dr Strangelove

An upvote for remembering an awesome film!

0
0

Firefox takes top marks in browser stability tests

Paul Crawford
Silver badge

At my work nobody has found a browser that allows you to keep ~100 tabs open and not either crash outright or soak up >8GB of memory and so page the machine into oblivion.

I close mine every night and keep to ~20 tabs max for that reason :(

Back to the WTF point of this, even 400 tabs & 8GB of memory is approx 20MB used per tab; really, how do you get that usage from a few 100kB of download per open tab?!

1
1

So, you gonna foot this '$200bn' hacking bill, insurance giants asked

Paul Crawford
Silver badge

Cheaper option?

Maybe just making those at the top of said companies liable for losses (or open to prosecution) from ill-thought-out IT systems being public facing, when the main driving factor to do so is cost-reduction and good IT advice is ignored or not sought, would cost us all a lot less?

4
0

Report: NSA spying deals billion dollar knockout to US cloud prospects

Paul Crawford
Silver badge

Re: U.S. NATIONAL DEBT

I can't see this making any difference to non-IT systems.

Maybe for Cisco, MS, etc. it will cause problems.

Most definitely for cloud providers as things stand. But really, the whole idea of putting your data into someone else's hands without verifiable client-side encryption is dumb by any standards. All that the recent NSA revelations have shown is this risk (your data being subject to secret access by a foreign gov) is real.

It applies no matter which country you store data in, not just the USA (though they seem to be the worst so far). The moral of today's story is encrypt before any others (ISP, cloud provider, etc) get access!

2
0
Paul Crawford
Silver badge

AES, or not AES...

Some people don't seem to grasp that AES was created by two Belgian cryptographers and, after a lot of competition and open peer-review by most of the world's experts, was ultimately decided to be the best by more or less everyone. That is why it became the official US choice (i.e. NIST), not because it was created with an NSA backdoor of any sort.

Now you might argue that the NSA has built acceleration hardware to assist AES code-breaking, but with the advent of FPGA systems that can be re-programmed to suit any cypher, no common cypher is going to fare better. And if you go inventing or adapting your own or some obscure one, most likely you will inadvertently make matters much worse for your own security.

So if cryptographic security really REALLY matters to you, you need to concentrate on having a high entropy key, and securing the key against "APT" style of system wide hacking. Most likely, that is the weak link.

Finally, don't over-estimate your importance to the spooks; most commentards seem to think the NSA, etc, will blow days of a billion-dollar machine's system time on their scribblings. They won't, not unless you are important enough.

Maybe you are, say a business that is serious money competition to a US gov supplier, for instance. But in reality making your data encrypted in any way means they (and advertisers, private investigators, etc) can't read/mine it so it gets stored away in case they do want to investigate you. Out of 1 billion or so Internet users? Really?

4
0

Horrific moment curvy mum-of-none Mail Online spills everyone's data

Paul Crawford
Silver badge

The entire Internet would go smarter.

There, fixed it for you...

4
0

IBM opens up Power chips, ARM-style, to take on Chipzilla

Paul Crawford
Silver badge

It will be interesting to see how this pans out. Sun was one of the first to open up a CPU for such things but it ultimately failed to make enough money to survive, and Oracle have, it seems, little real interest in this.

Given the "limited success" of Itanium, it seems the only significant player left is IBM so maybe it can work this. But...I find it hard to see what most users will find that makes it sufficiently desirable compared to the current market leaders of x86 (lots of legacy software) or ARM (cheap license, good for systems with lots of cores).

1
0

Can't agree on a coding style? Maybe the NEW YORK TIMES can help

Paul Crawford
Silver badge

Re: Clueless in America

Only the Japanese have the "correct" date format with MSB-left as in 2013-08-06

Those in the USA have sadly converted the spoken way of "August the 6th" in to numbers, hence the dumb approach.

Tip: Always use letters for the month, as anyone reading your text will understand that Aug is the month no matter where in the order it is placed.

0
0
Paul Crawford
Silver badge

Re: "several entry points, how far can that be from spaghetti code?"

Multiple entry points are really just a glorified "goto" mess but with the option of some locally visible variables. Quite why one would care about variable visibility if using such a horrible approach is left to the readers...

However, I think you are over-reacting with the multiple exit point issue. For example, it is not uncommon to have something like:

    int myfunction(char *ptr)
    {
        if (ptr == NULL) return -1;

        /* ... some code ... */

        return 0;
    }

While you could code this as

    int myfunction(char *ptr)
    {
        int rc = -1;

        if (ptr != NULL)
        {
            /* ... some code ... */
            rc = 0;
        }
        return rc;
    }

I doubt it is any easier or more understandable to the reader. And that is what code is about, not just doing the algorithm, but making the process as transparent to the reader as possible.

p.s. A good read are any of the Numerical Recipes books (3rd edition is only C++), and not just for those with hard maths problems to consider.

1
0
Paul Crawford
Silver badge

Re: ARRRGGGGG!!!!!!

Macros are useful for building tables of names stuff, sort of:

    #define ADD_VAR(x) {#x, (char *)&ptr->x},

    table_t something[] = {
        ADD_VAR(wibble)
        ADD_VAR(wobble)
    };

Which creates an array like:

    {"wibble", (char *)&ptr->wibble},
    {"wobble", (char *)&ptr->wobble},

etc.

As for "all functions have precisely one entry point" you have obviously never used old FORTRAN where a subroutine could have multiple entry points as well as exit points. Now that really is the Devil's work!

2
0
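An added example (my code, not from the post above or from El Reg) that puts the ADD_VAR stringification table to work and also uses the early-return guard style defended in the earlier coding-style post: a name-to-member lookup with a width check, so a caller can only write an int into an int-sized member. The settings_t struct, the exact shape of table_t, and the set/get functions are all assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed settings struct for this example; the post never shows what ptr points at. */
typedef struct {
    int       wibble;
    int       wobble;
    long long big;     /* a wider member, used to show the width check below */
} settings_t;

/* One table row: member name, its address inside a particular settings_t, and its
 * width. The post's table_t is assumed to look roughly like this. */
typedef struct {
    const char *name;
    char       *addr;
    size_t      size;
} table_t;

/* The post's macro: #x turns the member name into a string literal and &ptr->x takes
 * its address, so the name and the pointer can never drift apart. The trailing comma
 * lets rows be listed one after another with no separator. */
#define ADD_VAR(x) {#x, (char *)&ptr->x, sizeof(ptr->x)},

/* Number of rows in a fixed-size array. */
#define ROWS(a) (sizeof(a) / sizeof((a)[0]))

/* Locate `name` in the table for the instance `ptr` points at. Returns 0 and fills *out
 * on success, -1 otherwise. The guard clause is an early return, the style the earlier
 * post argues is perfectly readable. The table is built on the stack each call because
 * &ptr->x is not a compile-time constant when ptr is a function argument. */
static int find_var(settings_t *ptr, const char *name, table_t *out)
{
    if (ptr == NULL || name == NULL || out == NULL) return -1;

    table_t something[] = {     /* the post's table, expanded for this instance */
        ADD_VAR(wibble)
        ADD_VAR(wobble)
        ADD_VAR(big)
    };

    for (size_t i = 0; i < ROWS(something); i++) {
        if (strcmp(something[i].name, name) == 0) {
            *out = something[i];
            return 0;
        }
    }
    return -1;                  /* no member by that name */
}

/* Write an int into the named member. Unknown names and members that are not exactly
 * int-sized are refused, so a caller can never overrun a narrower field or half-write
 * a wider one. Returns 0 on success, -1 on failure. */
int set_int_by_name(settings_t *ptr, const char *name, int value)
{
    table_t row;
    if (find_var(ptr, name, &row) != 0 || row.size != sizeof value) return -1;
    memcpy(row.addr, &value, sizeof value);
    return 0;
}

/* Read the named int member into *value, with the same checks as the setter. */
int get_int_by_name(settings_t *ptr, const char *name, int *value)
{
    table_t row;
    if (value == NULL) return -1;
    if (find_var(ptr, name, &row) != 0 || row.size != sizeof *value) return -1;
    memcpy(value, row.addr, sizeof *value);
    return 0;
}

int main(void)
{
    settings_t cfg = {0, 0, 0};
    int v = 0;

    if (set_int_by_name(&cfg, "wobble", 42) == 0 && get_int_by_name(&cfg, "wobble", &v) == 0)
        printf("wobble = %d (read back directly: %d)\n", v, cfg.wobble);
    printf("unknown name rejected: %d\n", set_int_by_name(&cfg, "nope", 1));
    printf("wrong width rejected:  %d\n", set_int_by_name(&cfg, "big", 1));
    return 0;
}
```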

Tor fingers Firefox flaw for FAIL but FBI's also in the frame

Paul Crawford
Silver badge

Re: Why use Tor?

PPTP is not terribly secure and has no real defence (AFAIK) against man-in-the-middle attacks.

OpenVPN is probably much better as it should be able to notify you of an SSH certificate change in such circumstances, though not all VPN suppliers support it so well.

Finally, any "free" VPN is not going to be very fast in general, someone has to pay for the bandwidth needed!

3
0

Arrr! Comcast working on new tech to nudge PIRATES to go straight

Paul Crawford
Silver badge

Re: This is just stupid

Yes, and 20 years for being an anonymous asshole and troll as well.

3
0

Big blue Avatar movie spawns THREE SEQUELS

Paul Crawford
Silver badge

Re: Avatar = "Pocahontas In Space"

"Dances with Smurfs" was used on El Reg recently, which sums it up...

1
0

Win XP alive and kicking despite 2014 kill switch (Don't ask about Win 8)

Paul Crawford
Silver badge

Re: That Was the Plan: The World Did Not Cooperate

You forgot to mention the bit about one major reason why Vista sucked so badly - DRM.

Yes, a lot of the effort they put into "securing" the OS had little to do with protecting the end user, and a lot to do with sucking up to Hollywood as they hoped to make Windows the #1 choice for home consumers of media, rather than actual business/engineering/software development stuff.

See: http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

4
0

Virgin Media blames scruffy students for HUGE drop in cable subscribers

Paul Crawford
Silver badge

Re: Downward spiral

Same here, but as currently cable is stable and fast I have not moved. Still, following the recent price hike and the censorship in the name of "protecting children of moronic parents" I might look at a move to Zen or Andrews & Arnold with ADSL as it might be better overall.

1
0

Ubuntu puts forums back online, reveals autopsy of a brag hacker

Paul Crawford
Silver badge

Re: "Hashed using MD5"

AFAIK in practice any password extraction would rely on a rainbow table style of attack, not on any particular weakness in MD5/SHA1/etc. So the real questions then become:

How much entropy did the salt add?

Are you only trying for a specific user's login?

I have not seen what the salt used is, but have not really looked. For example, if just the email account then it would probably match other attack sites of interest, but if a hash of that plus the user's first log-in time, etc, then it could be usefully big in making a rainbow table impractical.

Anyone care to save me some time and to enlighten El Reg's commentards?

0
0

Highway from HELL: Volcano tears through 35km of crust in WEEKS

Paul Crawford
Silver badge
Joke

Logically, the answer clearly must be he is a Vulcan.

1
0

Mystery object falls from sky, area sealed off by military: 'Weather balloon', say officials

Paul Crawford
Silver badge
WTF?

Re: released from Where?

Yes, been there and had a walk in the forest and found - a lighthouse!

0
0

USB accelerates to 10 Gbps

Paul Crawford
Silver badge
Unhappy

Re: interference problems

I doubt it :(

In a world where everything is built down to a price, and the likes of Ofcom don't care about end user or public good but only licensing fees, we should not expect any radio gear to work at all well.

0
0
Paul Crawford
Silver badge
Boffin

Tsk, you should know El Reg's official measure of speed is the kilowrist of pr0n movies (at least, until UK censorship is implemented):

http://www.theregister.co.uk/2008/11/12/arizona_boffins_grasp_fat_pipes/

1
0

Chubby-chasing SEX TROLLS ran me offline, says fashion blogger

Paul Crawford
Silver badge

Re: Depressing.

"ashamed of my species...."

There, fixed it for you.

6
2