* Posts by Lee Dowling

1188 posts • joined 28 Mar 2007

Cops find hackers' phone in NOTW office

Lee Dowling
Silver badge

More shameful that you didn't actually check what was pluralised yourself before going off on a rant.

And, as a little side-note, I was in an Italian class the other day and the under-40's English students were put to shame by the foreigners and over-40's because (according to the teacher who also taught English) we just don't learn grammar any more. I happen to agree with her - there were vast tracts of grammar that I had no knowledge of even if I could understand them within a few seconds and I swear I'd never been taught any of it. There is literally a divide in nationality / age that is visible enough in any class of adult learners that the teachers have to change their teaching to take account of it.

But if your biggest achievement is to yell at editors for mistakes that don't exist, you really need to find another hobby.

(Now you CAN complain about the apostrophe on "40's" if you so wish, but it's accepted usage and I find it infinitely more comfortable to read and write than any other variation).

2
0

Back to the Future DeLorean to go under the hammer

Lee Dowling
Silver badge

Does it work?

I have one question... does it drive? I mean, how cool would it be to pull up outside your local fish & chip shop in that car, wearing a white coat and with electric-shock hair, and place an order for "That 'cod and chips' that you did so well when I was a kid, please".

Dry ice optional.

5
0

Bandwidth restrictions can affect the memory

Lee Dowling
Silver badge
FAIL

Moral

The moral of the story really is:

Don't go upgrading blindly expecting performance increases. Monitor the system, identify bottlenecks, fix the bottleneck.

People who have the kind of responsibility and money to throw hybrid flash/disk SAN's at problems without bothering to see where the bottleneck is are EXACTLY the sort of people who shouldn't be in charge of that kind of hardware / responsibility.

Blindly-part-swapping "technicians" do not a good IT department make - unless you're working for PC World, apparently.

2
0

Visa muscles into Olympic pay-by-wave with microSD kit

Lee Dowling
Silver badge

Planning.

You're joking, right? Less than a year to go and the entire payment system is still up in the air? You have "Paywave" only terminals that, as of today, not one person can PayWave on at all? And the only alternative strategy is PayWave microSD's that don't always work through mobile phone cases?

Can I please get a front-seat ticket to the fights at the venue's payment stations, or do I have to have a Visa card for that?

0
0

Survey: Most TV viewers surf while they watch

Lee Dowling
Silver badge

TV

Add TV adverts to the list of things that the Internet killed (along with libraries, honest pub-quizzes, and a lot of disinformation).

The current home TV environment provides the viewer with complete control over what they watch. If I watch TV, it's either a scheduled program that I *only* turn on for, something downloaded from iPlayer etc. or a DVD that I have in front of me. Rarely do I just sit and aimlessly watch TV like we did as kids when we only had 4 channels.

Even my daughter knows this when she sees my laptop - "Daddy, put Timmy Time on." There's no question of *waiting* for it to come on (my girl isn't impatient, but why would you say she has to wait until 3:00pm when she could just watch it now and she's not watching too much?), and we'll almost certainly find exactly what she wants rather than something else that she's not really interested in, even if I have to go to YouTube or put in a DVD.

Back when people *didn't* have pay-for TV, vast personal libraries, hundreds of channels, on-demand TV over the Internet, on-demand TV over their... well, TV, etc. then you could dictate how much advertising they must sit through in order to enjoy it. Now? We have the choice so we'll even skip the adverts on the DVD, thanks.

Hint: I am not going to spend £40+ a month in order to watch what *you* want me to. Cheers, thanks, bye.

3
0

Call routing scam costs telcos $150m a year

Lee Dowling
Silver badge

Change the system

If it's really that simple to scam, there's a problem with the way you pay for those things.

I.e. if Scams'R'Us can transport that data, in near-realtime, between a Haitian number and the UK for less than other operators, then you have a problem.

There are three stages - Caller to some centre of operations, centre of operations to remote country, remote country to recipient.

If Scams'R'Us can perform the middle end of the connection for free or for very-much-reduced cost then you have a BIG problem in charging so much for that part. Because any idiot could stroll up with a local broadband connection and pipe VoIP lines transatlantically and beat you at your own game by buying a T-Mobile phone and a computer at both ends, say. They're still paying for the phone calls at both ends, still paying for their Internet connection (which, in turn, must pay for the transatlantic connection to be profitable), and still providing the same service that you are.

If the call quality is not bad enough that people are complaining, there's NO reason why T-Mobile can't do the same - this is how Skype's entire business plan *works* and makes them money.

Either: increase the costs of the middle part artificially and throw out the scammers (which is almost impossible but apparently what the telco's want to do), or lower your termination costs to foreign countries using the same transports and techniques that the scammers were using. If I can send hundreds of Gigabytes of data to Australia in fractions of a second from a bog-standard home ISP line, then why would telco's have problems doing the same given the amount of infrastructure they own? Sure, there might be a tax or something in the middle but the problem stems from artificially-high termination fees for international calls, or so it seems.

It sounds like a synthetic economy to me, where people make money on the back of porting packets from one end of a cable to another and then charging FAR more than it costs to do so, and when someone else comes along and does the same a different way, without people or phone companies being able to even notice, for much, much less they all start shouting.

2
0

On its first birthday, LibreOffice has reason to celebrate

Lee Dowling
Silver badge

The changes are mainly a myriad tiny bugfixes, patches, etc that were queued for OpenOffice and never made it. Quite a lot of stuff is in there but nothing "killer" - they haven't added Exchange functionality or anything that you'd go "Oh, wow", it's just a million tiny fixes that fix a lot of bugbears. Import filters are better. Export filters are better. Help is better. The changelogs themselves are pretty verbose:

http://www.softpedia.com/progChangelog/LibreOffice-Changelog-171618.html

Basically, it's just what OpenOffice should have committed but never did, and a myriad bug fixes and minor tweaks that remove annoying stuff (e.g. the default "Save As" format can be set as Word, etc. which is more telling about their import/export filter compatibility than any political decision)

The main change, of course, is that LibreOffice is installed all over my network, and OpenOffice never really got a look in. That, in itself, speaks volumes to anyone that knows me.

2
0

World takes notice as SSL-chewing BEAST is unleashed

Lee Dowling
Silver badge

That tool is no different to any other - it basically generates certificates on-the-fly and acts as man-in-the-middle.

If you ARE stupid enough to trust random certificates (and your browser will throw a fit unless your network admin has inserted the cain CA into their "trusted CA" list) for a secure connection, then yes, cain can "already" do this.

But in terms of stealing data? This is about breaking the stream, not acting as a TRUSTED man-in-the-middle. Deploy cain on a network, you break everyone's browsers on HTTPS sites and the admins start poking. Deploy this on a network (which allows Javascript through unhindered), get enough people to visit HTTPS sites while it's there (and injecting its Javascript into NON-SECURE pages to help it decrypt the secure ones) and you *may* be able to silently sniff all HTTPS communications and decrypt them in a reasonable amount of time without ANYONE noticing.

SSL-interception was, and still is, believed to be impossible when the software and admin do what they should. BEAST is a known-plaintext attack that significantly reduces the time to decrypt a stream you've recorded every byte of if you let it inject plaintext of its choosing into the conversation. Cain is a man-in-the-middle attack that relies on people trusting falsified (and obviously so) SSL certificates for any site they visit, signed only by a "fake" CA that any browser in the world would reject by default. Two totally different things. Neither is that scary when you use the correct protocols, correctly, from decent security-aware code (OpenSSL has already been fixed against BEAST for 9 years - it's the others that didn't bother).

2
0
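The post above draws the line between Cain's certificate-based man-in-the-middle and BEAST's attack on the CBC chaining of TLS 1.0, where an attacker who can inject plaintext of their choosing into the recorded stream gets to test guesses against it. The block below is an added example written for this page; it is not code from the post, from BEAST, from Cain or from OpenSSL. It reconstructs the chaining weakness in miniature: a toy CBC record writer that (like TLS 1.0) uses the last ciphertext block of one record as the IV of the next, an "attacker" who sees only ciphertext, can make the victim send prefix+SECRET, and can inject one chosen 16-byte block, and the byte-at-a-time recovery that follows. The block cipher is a stand-in SHA-256 Feistel network (not AES), the cookie value is constructed, and the `empty_fragment` flag is this example's model of the 0/n empty-fragment countermeasure that OpenSSL shipped against exactly this, which the post alludes to. All function and class names are this example's own.

```python
"""Toy reconstruction of the CBC chaining weakness behind BEAST (added example).
The cipher, secret and oracle model are constructed for illustration."""
import hashlib
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in 128-bit block cipher: a 4-round SHA-256 Feistel network.  Not AES and
# not secure; BEAST attacks the CBC chaining, not the cipher, so any keyed
# permutation shows the effect.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    lh, rh = block[:8], block[8:]
    for i in range(4):
        lh, rh = rh, xor(lh, _f(key, i, rh))
    return rh + lh

def block_decrypt(key: bytes, block: bytes) -> bytes:
    rh, lh = block[:8], block[8:]
    for i in reversed(range(4)):
        lh, rh = xor(rh, _f(key, i, lh)), lh
    return lh + rh

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

class CbcWriter:
    """One direction of a CBC connection.  With chained IVs (TLS 1.0 behaviour)
    the IV of the NEXT record is the last ciphertext block already on the wire.
    empty_fragment=True models OpenSSL's 0/n countermeasure: an empty record
    goes out first, so the data record's IV is unknown when the attacker has
    to commit to its chosen plaintext."""
    def __init__(self, key: bytes, iv: bytes, empty_fragment: bool = False):
        self.key, self.chain, self.empty_fragment = key, iv, empty_fragment

    def _record(self, plaintext: bytes) -> bytes:
        out, prev = [], self.chain
        padded = pkcs7_pad(plaintext)
        for i in range(0, len(padded), BLOCK):
            prev = block_encrypt(self.key, xor(padded[i:i + BLOCK], prev))
            out.append(prev)
        self.chain = prev
        return b"".join(out)

    def encrypt_record(self, plaintext: bytes) -> bytes:
        head = self._record(b"") if self.empty_fragment else b""
        return head + self._record(plaintext)

def beast_recover(victim_send, inject, secret_len: int):
    """victim_send(prefix): the browser sends prefix+SECRET and the attacker
    sniffs the ciphertext.  inject(block): 16 attacker-chosen plaintext bytes
    go over the same connection (what BEAST's injected script arranged).
    Neither exposes the key.  Returns SECRET, or None if the oracle fails."""
    last = victim_send(b"")[-BLOCK:]          # chaining IV of the next record
    recovered = b""
    for i in range(secret_len):
        # Prefix length puts the unknown byte LAST in a block whose other 15
        # bytes (prefix + already recovered secret) are known to the attacker.
        prefix = b"A" * (15 - i % BLOCK)
        iv = last
        ct = victim_send(prefix)
        last = ct[-BLOCK:]
        t = (len(prefix) + i) // BLOCK                       # target block
        prev = iv if t == 0 else ct[(t - 1) * BLOCK:t * BLOCK]
        target = ct[t * BLOCK:(t + 1) * BLOCK]
        known = (prefix + recovered)[-15:]
        for g in range(256):
            candidate = known + bytes([g])
            # The writer computes E(inject XOR last).  Pre-cancelling 'last'
            # turns that into E(prev XOR candidate), which equals 'target'
            # exactly when candidate is the real plaintext of block t.
            ct2 = inject(xor(xor(last, prev), candidate))
            last = ct2[-BLOCK:]
            if ct2[:BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            return None
    return recovered

def demo(empty_fragment: bool = False):
    secret = b"sid=7f3a9c1e44b2d"                 # constructed cookie, 17 bytes
    writer = CbcWriter(os.urandom(16), os.urandom(16), empty_fragment)
    return beast_recover(lambda p: writer.encrypt_record(p + secret),
                         lambda blk: writer.encrypt_record(blk), len(secret))

if __name__ == "__main__":
    print(demo())                       # b'sid=7f3a9c1e44b2d'
    print(demo(empty_fragment=True))    # None: 0/n splitting defeats the oracle
```

Two things the code makes concrete that the post only names. First, it is a chosen-plaintext attack on the chaining, not a break of the cipher or a forged certificate: the attacker never touches the key and never has to be trusted by the browser, which is why nothing in the browser UI lights up. Second, the whole trick depends on knowing the next record's IV before committing to the injected plaintext; once that IV is unpredictable (the 0/n empty fragment modelled here, the 1/n-1 split the browsers shipped, or the explicit per-record IVs of TLS 1.1 and later) the 256-guess oracle stops working and the recovery returns None.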

OnLive pushes game stream service to UK punters

Lee Dowling
Silver badge

Yeah, but the downside to that is that you have to use BT. Eurk. I think I'd rather pay.

0
0
Lee Dowling
Silver badge

Pricing

Apart from the many problems I have with this service, the pricing isn't exactly great.

First, you have to pay £7 a month (or the equivalent "BT tax" to compensate for their shiteness and package-forcing). Then you have to pay for the game. Okay, maybe you can rent it for a few months, but if you want an unlimited pass (as the article states - legally binding for only three years) then it costs EXACTLY the same as buying the damn game, sometimes a little more. Except it pretty much disappears if you stop paying (and/or after three years).

You don't save much on hardware - £70 for a box or have a computer that's already capable of running quite a lot of stuff anyway (and which you use for myriad other things, upgrade every few years anyway, etc.). You need to tie up your broadband line, most of the time you're playing, you need to already have keyboards, mice, joysticks and other controllers that you want to use. You need to keep the subscription going even if you have a gaming lapse.

It seems to me an incredibly niche usage that cuts a lot of people out of the equation - serious gamers won't tolerate the compression or the latency or the prices, households won't use it because it's effectively single-player-only because of the bandwidth requirements and hardware interfacing, kids who can't afford games but just want to demo things to say they've played it will be disappointed with the requirements and the results (not to mention pricing), casual gamers won't want to pay a subscription / box /software etc. to rent things like World of Goo (which disappear if they stop paying), people who are scared to install games won't even hear, let alone touch, this service.

To me, even a cheap gaming PC and a copy of Steam is infinitely more valuable and solves almost all of the above problems immediately. And, guess what, your final picture quality will be better! It's effectively the same as those "virtual office" services when you can just log onto a remote desktop, except it really picked the worst possible use-case.

1
0

Ex-Microsofties' IE6 kill squad hits UK

Lee Dowling
Silver badge

XP / IE

Not surprised at all about the XP statistic - there just isn't good reason to move for many, and many reasons NOT to move for most - but the fact that people still rely on IE working for their business to survive is scary. It was when those programs were written, and it's even more so today.

By all means kill off IE. Anyone stupid enough to still be using that heap of junk, especially for anything business-critical, gets everything they deserve. I believe it's *technically* still on machines that I manage but only because it's a pain to remove all traces of it and still be stable. I haven't used it for browsing on any machine for, what, a decade? It certainly doesn't get on the net where I am.

But if you try to kill off XP you will hit more barriers than you expect, especially at a time when IT budgets are falling and XP "has always worked".

5
0

Ford spins pop-out anti-prang door shield

Lee Dowling
Silver badge
FAIL

And when *you're* arrested for criminal damage (which includes the wing-mirror thing - believe it or not) rather than your target, what will you do? Just because there's CCTV and you "took a photo" means nothing if you go back the next day and do the damage - you might be on CCTV damaging their car and there be NO proof (especially if, say, they moved their car during the day and another took its place) that they did anything to yours at all.

And what if you *do* get the wrong person and they do the same back to you, or worse? You going to end up nuking each other to sort it out? If you want to be nasty, you put in an insurance claim, or a private damages claim. Infinitely more messy and expensive for them and completely legal. And, don't forget, someone can do EXACTLY the same back to you because you did something to their car, even if "they started it" (it sounds like a kindergarten phrase, because it *IS*).

The best question to ask yourself is: "What if everybody did what I did?" You might think that would mean that nobody would ever park wrong, scrape cars by accident, or start "damage-wars" but in reality what would happen is that people would be rioting in the streets and burning down each other's houses because of a scratch of their precious paintwork done by a passing kid or someone else squeezing between two cars with heavy shopping.

Pillock.

0
1
Lee Dowling
Silver badge

Lessons life has taught me

A car is a tool with moving parts that operates in a harsh environment all day long. Don't buy or drive a car which you would care about someone writing off. It will get scratched, dented, scraped, stained, shat-on (only by birds, hopefully), get hit by rocks and other projectiles on the motorway (deliberate or just road-debris that's thrown up) and everything else even if you're the most careful driver in the world and everyone around you is being careful too. In the real world, that means it's DEFINITELY going to happen anyway, and the chances increase with the amount of time that the car is not in the garage.

I use the lawnmower rule. If I bought a lawnmower, there's only a certain amount I would be willing to pay. It operates in a harsh environment so I would keep it well-oiled, etc. to ensure it continues working. But I'll be damned to be out waxing the damn thing at all hours, or fawning over the slightest scratch. At the end of the day, it's a tool to transport you safely. If it does so, it has earned its money. Everything else is for show.

Although I would *NEVER* deliberately damage someone else's property, it can happen completely by accident anyway. Yes, there are careless drivers but there are also accidents, in the actual meaning of that word. Whether they come to me and say "Oh, I'm sorry, but I think I've scraped your door" or not, it makes no difference - it would still cost me X amount of money to repair that scratch even if their insurance pays for it (the no-claims-bonus scam - I had it explained to me when I was very young that this is NOT a no-fault-bonus like humans naturally expect at first). So worrying about a scratch here or there is pointless. Besides the fact, you can easily pick one up on any motorway that has oncoming traffic and small stones (if they can take out your windscreen, imagine what they do if they "just" hit the side of your car and you don't notice). Touching an overhanging tree-branch and other silly things can cause EXACTLY the same damage. Hell, I've bumped my car into posts and kerbs myself - sometimes it just happens and the post/kerb always comes off better. You can do it by brushing along your own car while wearing a zipped-jacket. I'll be damned to be paying hundreds of pounds on my own car for filling, resprays, etc. to cover a couple of bumps and scrapes. Most people will be selling the damn thing within a few years anyway, so why fuss over it?

So worrying about scratching OTHER people's cars is certainly an issue. We solved that with the little rubber things that go on the door-edges (which are similarly completely useless because it's never THAT bit of the door that contacts!) and being careful. Worrying about your own car being scratched, though, is 100% pointless. It'll happen more by accident / chance than it will because someone is being ignorant and bashing their doors into yours (which damages their door-edge too, don't forget!).

A bit of rubber isn't going to stop people's cars being scratched OR the edge of your door being scratched. I can't wait for the first rubber-flap failure that shuts it in the door along with its plastic/metal components and damages the door itself.

More importantly - when are we going to get a car with all-round bumpers (the Fiat Panda 1000S doesn't count because it's dodgem-like by design) that are EASILY and CHEAPLY replaceable and don't damage other objects at low-speeds, a paint-job that doesn't expose bare metal from the slightest touch, and one that doesn't LET you open the doors far enough to contact another object (by rubberising the whole damn outer edges!).

Gimme a car with a crap look and much, much longer-lasting paintwork and where I can just swap old bumper (the clue is in the name) for new on front, back and sides for minimal cost. If you can make it so that the exhaust isn't hanging precariously unprotected from underneath and poking out the back, even better.

1
0

Hackers break SSL encryption used by millions of sites

Lee Dowling
Silver badge

Kudos to you for trying it. You can't ask for more than that.

And actually, I know what NoScript does. Which is why I say that it's nothing that Opera can't do. If you're that paranoid that you only want scripts to run on certain sites (as we've established, all netscape-compatible plugins like Java and Flash are already handled this way in Opera with "play-button" mechanics), you would disable Javascript (F12, click the obvious highlighted option) and add sites one at a time to a whitelist (F12, Site Properties, Scripting tab and choose what you WANT the site to be able to do).

It's not single-click but for the amount of times you should actually be whitelisting sites (if that's the way you want to play, rather than just, say, having it switched on) it's not a hassle in the least.

While you're there, you can also configure site-specific options on the other tabs of the same dialog - cookie policy, popup policy, images, animated images, plugins, frames, individual groups of Javascript capabilities (e.g. Allow Script To Hide Address Bar), referrer info, proxies, whether to allow caching, user-agent-spoofing etc. On one menu, built-in, right in the default install of the browser, and with settings that transfer to all your machines if you so wish (you can even right-click instead of pressing F12, if that's too hard to remember). Or you can just override all sites with a blanket setting that applies to them all. Sure, there may be an option or two that NoScript and a handful of random plugins have on top but it won't be anything killer, and you don't need to worry about updating the damn thing every time the browser changes the plugin interface, and you don't need X amount of plugins to do so. It's literally out-of-the-box functionality and has been for a long time - and more importantly most of it was there BEFORE NoScript and others even existed.

Your Opera 10 problems are your own, besides the fact that we're on 11.51 now. On all the machines I've ever managed (that's how long I've been installing it as the default) the only problem I have is on a single server that has a known procedure_entry_point error because of an MSVCRT file compatibility problem. It still runs, it just pops up a dialog first. Hell, it even works from a single shared network folder for dozens of users simultaneously - and a lot neater than trying to bundle Firefox MSI's onto corporate machines (Ick!) has been in the past. Whether a clean install or an upgrade (like I say, my Opera profile is carried forward from some ridiculously old original profiles).

Now, the Japanese thing I'll have to concede - not because I know that Opera won't do it, but because I have never needed to install a non-western language into any installation, ever. But I'd be very surprised if there weren't half-a-dozen Opera "extensions" that did the same thing without executing native code, no need for the Netscape plugin API that's common to all the browsers, Opera included (how do you think we run the latest Flash, Java, VLC plugins, etc.?). (Opera Widgets are a security-sandbox for plugins that actually integrate into the browser much better - the equivalent of a Firefox extension rather than a plugin - and just as powerful).

Opera isn't "middle of the road". It's quite often "cutting edge" and other browsers play catch-up. That's kind of the point that most Opera users will make. You say "Oh, the NoScript plug-in adds that functionality" and we say "We've had that in the default build since before that plug-in even existed".

And that's BEFORE you even delve into a proper configuration dialog at opera:config (which does have EVERY option you can use, unlike Firefox which makes you plug some of the more obscure ones in yourself manually).

I don't require people to USE Opera, I just think they should actually seriously trial it. There may be use-cases where it doesn't fit, but it's the only browser I trust for every job from giving it to computer-newbies (it's pretty damn hard to break your computer by viewing sites in Opera, even if you try - years of experience has taught me that it's the only "safe" option that people really have a hard time trying to mess up) right up to installing it across hundreds of machines, kiosk-mode internet terminals (built-in kiosk modes, automated slideshows, and URL filtering to keep people on your intranet, for example), home use and serious IT Office use. And strangely, that's because it *doesn't* compromise - my home setup is much more complicated than anything I use in work, which is locked down immensely.

0
2
Lee Dowling
Silver badge

Opera gets a bad rap, but most people honestly haven't tried it for a month.

With my current Opera setup (migrated from something ridiculous like Opera 3.5 - nothing fancy or third-party), all flash and java apps appear as a big white play button. Until I click that, zero code of the appropriate plugin executes. And when I click it, ONLY that particular app runs, and no others on the same page.

Why you'd want to sit and rely on a white-list to do such things, I have no idea. Most flash/PDF/Java compromise is via injection into known-good servers, or people wouldn't be viewing them in the first place. Better that you "play" only the apps you want on only the sites you want, when you want. Also - this means you remove the crap that runs on the same servers and run ONLY the game/advert/application that you want on a page (and NOT automatically - which is a BONUS).

I'm not at all sure of the point of seeing every script, either, to be honest, but there is work in that direction via Opera Dragonfly in the last few releases (but never seen the need for it, so never use it, but they're always talking about exactly that).

The problem is not that you couldn't use Opera. It's that you're used to working a certain way, and defiant that it's the only way. Every time Opera upgrades I think "oh, damn it" because they'll have changed something about the way I work. 99.9% of the time I end up liking it better (their user-testing team must be GOOD, and that's coming from someone who's sticking with XP and Office 2003!), the rest I revert the changes using the built in config dialog.

For years, I was a Netscape nut purely because it was the only half-decent user-browser of the age. Then it died and IE / Firefox cropped up again. Back then, Opera was scary and threatening but when their first ad-supported version came out, it was surprisingly comfortable using it compared to the other "ad-free" browsers. Now that all browsers are ad-free, Opera still hasn't left me and is also my primary email client too - mainly because, as a network manager, their forethought for security and standards is unsurpassed. They always get there before everyone else - the problem is that nobody thinks they will need it until it's too late, and by then the other browsers bolt-on the same code with lots more bugs.

You just have the words "NoScript" plugged into your brain and unless you get exactly that on every browser, you're not interested. But, seriously, have you tried Opera for a month, migrating your email, using it exclusively, etc. for a half-recent version? Most Opera users have zero extra "plugins" or "scriptlets" or "widgets" running at all. Because you just don't need them with the default config.

I honestly don't understand any more how people struggle through with IE or even Firefox. I have to support both, so use them all the time, but it feels the same to me as running Windows 95 in this day and age. They feel old, clunky, thoughtless, and their best features are outside-code that you have to install yourself.

All I need is for Opera to do a deal with the Pidgin guys and incorporate their code into Opera's sadly under-used IM / IRC code and I'll never carry another program around with me when it comes to online communication.

11
5

Why was Duke Nukem Forever s**t?

Lee Dowling
Silver badge

Filled it in.

After selecting "I did not play", I got a set of questions along the lines of "do you like shooters with puzzle elements / driving sections", etc.

Clicked Next and that was the end of the survey.

I suspect they're only interested in the opinion of people who played it (and hence probably bought it, or were able to play for free) and not the opinion of people who deliberately DID NOT buy it after reading reviews / seeing footage. Which kinda seems contrary to the point. If you bought it, they probably don't care about it because you bought it. If they could work out why people WEREN'T buying it, though, that would be a million times more useful to them.

I didn't buy it because:

1) It was shite, as the article inferred.

2) It was a dull, wishy-washy FPS with no imagination, specifically:

a) linear. TOO MUCH LINEARITY. By far

b) toilet-humour with nothing to back it up with

c) over-use of violence/sex as the reasoning behind a character / image / scene

d) It looked and, from what I saw, played like a shooter from the pre-Duke era with fancier graphics

e) None of the "good" content that's been leaked of previous iterations of DNF were included.

3) It was expensive

Seriously, the title was nothing more than a cash-in on the name. Want to know why it failed? Go look at other FPS and even the original Duke.

And stop being patronising - you really AREN'T interested in why it failed, hence why your survey doesn't even cover the greater proportion of people who you need to capture.

P.S. Think we'll be buying another sequel even if you fix most of the problems? Think again.

8
2

Sixty-seven WIMPs spotted in the wild, maybe

Lee Dowling
Silver badge

Thought it was "Compact" Halo Object?

2
0
Lee Dowling
Silver badge

You're confusing two separate theories, probably deliberately, possibly in order to forward a pro-religion agenda by the sounds of it.

We "know" the mass of the universe, to a certain extent. We also know that if, after plugging it through lots of equations, we get something less than 1, the universe will collapse and expand forever. If we get EXACTLY 1, it will expand to a fixed size and stop forever. If we get more than 1, it will expand forever and never collapse back. We currently measure that figure to be 1, plus or minus several dozen (i.e. totally inconclusive).

None of that has anything to do with the fact that the mass we *do* see out there (by observation) can't be ALL that's out there because there's hidden stuff "tugging" it about and the only explanation is hidden (dark) matter. We know how much that hidden matter must be (by the extent it tugs space/matter about) so we take it into account with everything we "weigh" in the universe. But this article is about finding out what that dark matter is, not how much it weighs. You're talking about finding out what that number is, which is based on what we KNOW must be out there (we just can't see it), the article's talking about what nature of material some of that hidden mass that we KNOW is out there actually is.

Spuriously related, but entirely separate issues. And not one single jot of it has anything to do with God. It can only be good for us that you left physics all that time ago, because you're mixing two separate things in order to bitch about someone who has more accepted published papers in physics than you'll ever write (or even understand). Whether or not he tried to do it starting from an anti-God assumption, I don't care - his physics was, and still is, pretty sound. But, to be honest, I'd be very surprised if that's how he started off, or if God actually figures in his equations at all and think it's just you mis-interpreting the book and confusing two entirely separate portions of it, again.

5
0

Schoolkids learn coding at GCSE level in curriculum trial

Lee Dowling
Silver badge
Thumb Up

Yay!

At fecking last.

(From someone whose entire work career has come from providing IT to schools, witnessing IT lessons from age 5-18 and being utterly disheartened by them).

4
0

ASA probes Microsoft cloud reliability claims

Lee Dowling
Silver badge

They'll probably get away with this.

They don't seem to claim that it WILL be up 99.9% of the time, just that they provide a "99.9% guarantee", which may not be interpreted the same way.

My laptop has a 2-year guarantee. It doesn't mean it WON'T break down in that time - it just means they'll compensate me and fix it if it DOES break in that time. That doesn't seem a world away from what Microsoft say in that quote in the article.

1
0

Virgin Media finally offers network options on SuperHub

Lee Dowling
Silver badge

"Modem Mode"

It's amazing how many devices miss off something so simple for so long.

Look, seriously, just pass ME the damn packets and I'll do what I need to with them. All I need you to do is put them on the wire/fibre and not worry about them at all. How hard is that to do? You *can* do NAT and UPnP and all sorts of other unnecessary junk that a) takes effort to get right and b) gets in my way, so just make a mode where all of that is "off" and I make my own decisions about what sits between my computer and the Internet. Those people too stupid to know what it does won't be activating it and won't get any success if they DO, so just let the power-users bypass you.

I have Virgin Media but I still have an ancient clunky 10MBps modem because all their modern gear is more trouble than it's worth, and I want to plug into a wireless network and custom setup that I *KNOW* is secure rather than guesswork based on how many attacks have been sighted against the SuperHub firmware. If you *truly* have a modem mode on your new SuperHubs, I can finally upgrade to something sensible without having to overhaul or reconfigure my network and without risking my data.

Old modem out. New SuperHub in modem mode in. Installation complete. I have *literally* been putting off upgrading the speed on my line *purely* because of this SuperHub crap and the junky wireless routers that you bundle with your lower speeds.

2
0

Anti-gay bus baron rages at being stuffed in Google closet

Lee Dowling
Silver badge

Don't be too quick to jump on his bandwagon. Specifically, parts of that section included things like:

"promote the teaching in any maintained school of the acceptability of homosexuality as a pretended family relationship"

which HE wanted kept in and others wanted removed (and it was). The impact of such things? "a number of lesbian, gay and bisexual student support groups in schools and colleges across Britain were closed owing to fears by council legal staff that they could breach the Act".

So while no-one is claiming that schools should put the idea of everyone "trying" a homosexual relationship into kids' heads, they are being lumped with people who didn't want schools telling little Johnny that it's okay that he has two dads/mums (specifically, that would be "unacceptable" as a family relationship), or that his gay sister is somehow "unacceptable". To the extent that support groups were shut down for fear of somehow portraying being gay as "acceptable".

I'm not gay but (as the line goes) I have gay friends, and have friends whose family includes gay people. I think you'll find that in school they suffered enough without the teachers being told BY LAW that they can't view a second daddy as an acceptable family member, or that they can only help a student who comes to them with issues about their sexuality by, basically, saying they can only be straight.

It's almost funny (if it wasn't so serious) to see a law worded, on a legal text, in a way that actively breaks much stronger laws on discrimination.

18
1

Logitech Touch Lapdesk N600

Lee Dowling
Silver badge
FAIL

I got one that has a little light on it (which I removed because it got in the way and my laptop is more than bright enough even in the pitch-black) and even a cup-holder (which I don't use because I'm paranoid about water on my laptop).

Best bit was, the underside is padded and soft so it fits to your legs, the top is hard and cold (and thus gets rid of a lot of laptop heat really well without needing noisy fans), and you can unzip the padding to clean it (and keep your USB sticks / DVD's in there). It also costs less than one tenth of this feature-replicating junk (I have a touchpad - if you gave me space to the right of the laptop, I'd plug in a damn mouse not another touchpad).

<Mmm, silently wonders if he could fit an old DVD-drive drawer + suitable cover to his bodge-a-tray so that he can pop out a mouse mat for when it's needed...>

0
0

Onkyo TX-NR609 AV network receiver

Lee Dowling
Silver badge

Eh?

"when a car drives past on screen and goes out of the left edge of the shot, we instinctively expect the sound to proceed from front left to rear left as in real life, the car would now be behind us."

But the car ISN'T behind you. And never will be. You are looking through a static window onto a fake world but your brain is MORE than aware of that, because it can't move an inch without destroying its sense of visual perception of the scene, even with a 3D movie on a 3D TV. Having the sound go behind you just makes you jump and/or want to look around to follow the car. TV's, cinemas are nowhere near good enough to provide that sort of visual feedback so having audio feedback of that type is actually *wrong* and disorientating.

This is why I'm inclined to agree with the OP. Hell, I have a gaming laptop with 5.1 surround. All it means is that the game sounds are in the wrong place - if I turn my HEAD to follow a sound, it doesn't help me at all because I have to move the WINDOW into the world instead. Hence, why I have the Windows audio settings to see it as a 2-speaker system only - I get "louder" sound, positioning that I can make more use of, and much less processing time. Plus, a pair of headphones cost £20 instead of £100 because I only need two speakers and no fancy tricks. Even my copy of VLC is set to downmix surround into just two stereo channels.

And, again, 5.1 is more than sufficient if you *really* want that sort of thing (and I'd be inclined to ask why you can't just put a subwoofer in each of the four speakers required - the quadrophonic sound you refer to - and have a "full" 4 rather than a "partial" four with other bits scattered around at random and not positional - which 7.2 actually makes worse). 7.2, in that respect, is no more realistic than a standard "2.0" - the bass is coming out of somewhere that bears little relation to what's on screen, and you've paid hundreds/thousands and run cable all the way around the sofa just to make things more disorientating.

0
0

Windows 8 to boot in 8 seconds

Lee Dowling
Silver badge

Erm...

Correct me if I'm wrong but my XP laptop has been doing better than this for a LONG time. It's basically called hibernation or standby - this isn't improving BOOT times at all - it's hibernating. And hibernating with a MUCH faster disk than I'll ever put into a laptop to make it look fast. And all the problems and software-cooperation that comes with that, too (hope all your legacy drivers are perfect and know how to hibernate properly!).

Now my XP workstation can avoid BIOS boot, so long as I keep some very low battery power supplied, for 24 hours or more (it's called "bog standard standby"). Resume is pretty much instantaneous. All this is is an improvement on hibernation (where you write the standby memory to a disk instead). Granted that the BIOS would pop up but any half-decent BIOS can easily be written to do such a thing quickly - it's just the same as something like Coreboot speeding up the hard-disk into its fastest modes and THEN reading a file from disk and resuming from its state. It's not anything particularly clever, innovative, or new.

Computers have been doing this for literally DECADES and a one-off show on pre-chosen hardware is really nothing to crow about. In fact, in that case, 8 FECKING SECONDS?! That's ludicrously slow. You could have diddled the BIOS into being a "Windows 8 compatible" one and made it near-instantaneous with an SSD (which Windows is increasingly being designed towards so would barely raise an eyebrow).

Additionally - we have the age old problems with boot-time claims:

1) Nobody boots. Laptop users don't HAVE a boot time, only a suspend/resume time. Full boots are for when things go wrong.

2) Those who do boot don't notice the time compared to anything else (e.g. application load time, etc.)

3) Those who do boot and take ages in BIOS (i.e. servers) do so for a reason - stability, testing and predictability (not to mention that they only full-boot once a year, if that).

So smartphones/laptops (hell, even my old Palm) already have it. 99% of servers wouldn't use it (not much point in a server being in hibernation - either it's on or not). The rest of the market don't really care about boot time anyway.

Don't get me wrong, the tech is wonderful. It was back when APM was first invented too, and even before that. But claiming that Windows 8 will be doing anything "special" as regards boot-time is ludicrous. If this is the first selling-point of Windows 8, that's a warning to people like me who have to decide whether or not to buy hundreds of units of it.

1
4

Zalman ZM-VE200 portable virtual Rom drive

Lee Dowling
Silver badge

Been using one for years

I have one of these, and I made my workplace buy me one. It's wonderfully practical for installing software on notebooks, to save you carrying driver disks everywhere, for booting Linux ISO's to repair machines, etc. and it just appears as a standard USB CDROM drive to even a vaguely modern BIOS.

I also have things like a Ghost boot disk (with ghost images stored in the non-_iso folders of the drive), Windows/Ubuntu install CD's, etc. loaded onto it. My one actually remembers the last ISO you used, too, so I don't know what's wrong with this new revision or whatever it is.

The only problem - large files being fragmented on the NTFS drive cause merry hell and sometimes it will just refuse to load a DVD image until you defragment the entire drive.

1
0

DNS hijack hits The Register: All well

Lee Dowling
Silver badge

And?

What exactly do you think matters about version numbers and extension names that The Reg shouldn't be showing them?

There is nobody with a brain out there attacking servers but "ignoring" certain version numbers of Apache / modules because they look up-to-date. It's a pointless task because where there is no version number at all you'll probably try your exploit anyway because it almost certainly means someone who's scared of showing what ancient version they have running, and where a version number is returned it can easily be faked, and where it's not faked and not-out-of-date, it takes longer to check the version number against some magical list of "non-exploitable" Apache versions than it does just to try whatever exploit you're attempting anyway. And Apache version numbers mean nothing because even Debian/Ubuntu sometimes uses "old" versions of Apache that have been patched even if their version numbers aren't one of the "officially" fixed versions.

SSH has as part of the protocol that you MUST give a version number out in the initial parts of the handshake (a lot of clients rely on it for feature detection etc.) and it's never been a problem in all the time that protocol's been around (and, if anything, encourages people to upgrade!)

If you're worried about showing your version numbers, you're scared about people finding out what you ACTUALLY run. That's more worrying than anything they could do with that information (which would be precisely ZERO because most attack tools are automated and just-don't-care about version numbers because they can try the entire exploit in the time it takes to find out the version of a remote server; in the same way that I still witness tons of SPF failures on email - because the people sending out spam just don't care or it's not worth the effort to bother to weed out SPF-enabled domains from their "fake-from-address" list).

Someone in IT suggesting that someone else knowing what version number of a piece of software you run is like a mechanic saying that you should take the badges off your car so that people don't know it's a Ford in case they all try to break into it using methods that only work on Fords. 1) It fools no-one. 2) Car thieves aren't stupid enough to be stopped when their "Ford-only" exploit doesn't work. 3) A brick through the window works on pretty much every car in the world.

6
0

Plods to get dot-uk takedown powers - without court order

Lee Dowling
Silver badge

Wrong suffix

Why, then, would you want a .co.uk when you should be using .org.uk (for non-profits) or .me.uk instead?

2
4

Don't buy your iPad in a McDonald's car park

Lee Dowling
Silver badge
Facepalm

Groan

Groan

0
0

Prime Minister recalls holidaying MPs after London riots

Lee Dowling
Silver badge
Angel

Re: Suggestions

or

You and a spell-checker.

1
0

RunPee

Lee Dowling
Silver badge

Eh?

The average film is, what, 2 hours? You seriously can't go 2 hours without needing to pee? Unless you have a case of the runs or similar affliction, it's not difficult for either sex with appropriate planning - go before you go in.

And if you have the runs, what the hell are you doing in a cinema giving your germs to all-and-sundry?

2
1

12% of UK don't carry cash

Lee Dowling
Silver badge

Re: VAT

Er, not according to:

http://www.hmrc.gov.uk/helpsheets/e24.pdf

No VAT is charged on tips at all (though there is a difference between a tip and an "optional service charge", that doesn't seem to affect VAT). However, tips are subject to income tax in the manner you specify (i.e. cash tip = untaxable, anything else = taxable).

That said, even handling that money as an employer can make it taxable, cash or not, and seeing as most places operate a tip-sharing scheme, it's all pretty academic. (The flow diagram on the last page pretty much sums everything up).

Basically, though you might be right, it's not my problem to represent the people who have negotiated a work contract (legally required to be above the NMW) and some form of agreement as regards tips. Many places have to share tips, some have them allocated in certain portions, some even have them go straight to the company (cash or not!) - your tip is in no way guaranteed to go to that person and it might be against their company's code of conduct to accept a tip personally (i.e. they nod and smile and thank you, then have to put it into a big jar in the kitchen, out of sight of the customers, or face charges of theft). You might think your tip is rewarding an extraordinary service from someone when in fact it just goes into a pot, part of which that awful OTHER waitress gets - and maybe even a bigger share because she waits more tables.

And, to be honest, one of the best ways to ensure you don't get a tip is to ask for one (either on paper, or in person with some form of gesture or hesitation), beaten only by including it on my bill (or even suggesting how much it should be!) without my express request. I don't tip via card purely because it's a pain in the arse (and also because I consider it rude for the person serving me to know I've tipped them, or how much until I've left). Whether it's taxable or not isn't my problem and there are a million and one obscure rules that blur the clear line of "cash = goes into that person's pocket, tax-free".

But then, I'm one of those horrible people who doesn't tip if the service wasn't up to scratch. Nothing more hilarious than seeing some old couple fuss over how much to tip to the awful waitress who was rude to them all night, like the world would end if they got the percentage wrong.

0
0
Lee Dowling
Silver badge
FAIL

Not quite.

Oyster cards had the same said about them. I can tell you that the first revisions were easy to clone, fake and edit and it was only because someone decided to reveal their techniques (against legal advice not to) that we actually KNOW that. Hell, I set up a MiFare-based system in the school I work in - I can tag in and out of the premises with my Oyster card - so the readers, writers, and cards are already "commodity" hardware which means that, like mag-stripe readers, the criminals have working examples to hack to their hearts' content.

Hell, the "chip-and-pin" system was supposed to be infallible - that's why you *still* get card skimmers on ATM's - they are STILL reading the details off the card. And just because it's short-range for YOU on a standard reader doesn't mean that NO-ONE else can read it. RFID passports have a very similar technology and it's been demonstrated that you can read them from a comfortable distance with any sort of aerial and a decent RFID scanner. Hell, there are people hacking into Bluetooth enabled cars from streets away now to set off the alarms so that people leave them unsecured and then they can walk up and take them (my garage could read data from any OBD car with Bluetooth, for instance).

Technically, even Wifi is only "short-range" but with a cantenna you can extend it to tens of kilometres. Bluetooth can be picked up from across the street without having to even try. Radio technology is, by definition, broadcasting whenever it's powered. The only difference with RFID is that it relies on being in range of an electromagnetic field to power itself and then just broadcasts normal radio. The RFID might only be powered in a short distance, but the resulting radio broadcast is no different to any other.

You *can* even power RFID technology from a remote location, that's already been proved with the passport-hacks (where it's possible to sit in an airport lounge and just read everybody's passport as they walk past, without having anything on you that's obviously suspicious), but as long as the radio is powered, then the resulting signal can be picked up by anyone pointing an antenna at that point (hey - how often do you check surrounding buildings for aerials/dishes pointed in the direction of cashpoints / wireless-retailers that you use? - even if you need to be within an inch to power the RFID device, the signal it sends is readable from miles away if you have the right aerial aimed at the reader).

The cost limit is neither here nor there. There is infinitely more mischief in having your card rescinded than in the amount they can steal from it - and £10 is £10 and if you're planning to "mug" someone, whether via real or virtual means, it's all profit and it just means you target more people at smaller transactions to avoid detection (and thus your chances of being hit go up - and the most likely way to do so is to point an aerial at a reader in a very busy area that gets lots of contactless plonkers all thinking they are safe). But your card(s) being cancelled for a few days because of rogue payments means that 88% of people would have NO way to pay for everyday items, if this article's headline is correct. And there are truly some people who don't even want the possibility of a £1 loss from their account, let alone a couple of hundred.

Contactless is wireless. Treat it the same, because the hackers do and have demonstrated examples of doing just what you say there is "no chance" of, including in public streets. If you really want to have each card that's affected cancelled until you've received the bank's "tick here to say you authorised this transaction" sheet through the post, that's fine.

Some people, though, research these things and find out exactly what IS possible rather than what SHOULD or SHOULDN'T be possible. Hint: All version 1 Mifare (Oyster) cards can be cloned remotely with the capture of a single transaction and a few minutes of processing time. Think of that next time you put a few thousand pounds worth of Travelcard on them, or use them to buy stuff at the local newspaper stand (as is becoming popular). If you're a big user of PAYG to pay for products, you probably *won't* notice that £1.99 transaction every day until a few weeks down the road, if at all. But that's not the point. The point is that they don't NEED to be contactless at all - if you have to get within 1cm of the reader anyway, why not just have a physical contact system that *can't* be sniffed remotely?

8
1

Death haunts government petitions site

Lee Dowling
Silver badge

And?

So what business were the people who provisioned a high-end, public-facing, high-traffic website in then? "People in government" doesn't necessarily mean politicians. Some tech somewhere put up the backend of that website knowing what it was going to hold.

0
0
Lee Dowling
Silver badge

Load balancing

Seriously, have people in government never heard of akamai, or any of the myriad other services that can front-end this thing so at least you could see SOMETHING (i.e. a warning they are busy, and what the website does when it is up) on their website?

It's not difficult - you're expecting some significant portion of 65m people to go look at the damn thing - a VPS from your local host just isn't going to cut it, and this isn't the first time that you've been caught off-guard on the opening of a major government website.

Government IT - maybe we can put a petition up about improving that?

4
0

Thousands of gb.com sites go dark

Lee Dowling
Silver badge

LOL

Deserve everything you got.

Can someone please do this to uk.com and all those other incredibly, horrendously useless "bottom-level domains". If you'd had the .co.uk, you could have at least complained to Nominet or someone. And if you couldn't get the .co.uk - either you don't have a right to it, or you're being far too fussy about having an exact domain name when nobody even cares (some people never type in domain names at all - that's what Google is FOR, you know, and even the addresses for that are hidden behind search buttons and toolbars).

If I see .uk.com, my estimation of your business goes down hundred-fold immediately (almost as much as if your email is not @ the domain your website is on). A lot worse than just having a slightly obscure or unintuitive domain name. And, guess what, Google doesn't care what domain you have. Not a jot. Hell, the biggest search engine in the world is called "google", and even that's a made-up abomination based on a "googol" (a big number).

I can't even remember the last time I visited a .uk.com (either deliberately or by clicking through something) and to my knowledge I've NEVER visited a gb.com. Give it up and get a REAL domain name that you actually own a right to.

11
1

Film studios thrash BT in Newzbin site-block test case

Lee Dowling
Silver badge

Holdon

So, hypothetically, if an image, document, or any other type of file with MY copyright is found somewhere, I can force BT to block that site?

What about if, purely hypothetically here and not encouraging anything, a big band's website was hacked and content was inserted into it which allowed people to download my copyright. Can I ask BT to block that website for all of its subscribers, in theory?

What about if I notice that, say, bittorrent is used to download lots of infringing copyright material - can I ask that BT block access to that software, website downloads of it, etc. or just every torrent?

It seems far too far-reaching a judgement to stand as it is. What about if, for instance, someone like Anonymous or Lulzsec decided to file several thousand copyright complaints against the website of the big record labels with regards to images, text, CMS software, etc. and they couldn't answer them in time via their lawyers... could someone then force BT to block their websites until they do?

And how, exactly, should this blocking be mandated? DNS? IP? Application traffic type? It seems an incredibly stupid and out-of-place judgement that just leaves more room for mischief than it does for common sense.

8
0

Fingerprint scans learn to spot chopped-off fingers

Lee Dowling
Silver badge

@Anon

They don't have my fingerprints. Precisely because of this stupidity.

0
0
Lee Dowling
Silver badge

Awesome?

They don't need to. What about an "almost" clear material over a real finger? The colour and fingerprint don't have to be the same finger, necessarily. The system probably isn't clever enough to detect that, especially if it blurs the underlying fingerprint just enough to make it flat but let colour through and then the camera will "see" the right fingerprint and the right colour from two different objects. Sure, there are probably countermeasures but it quickly becomes more expensive for the sake of some incredibly low-tech "hacks".

And fingerprint security is the most ridiculous form ever but controls a lot of things. Hint: If you want access to a secure building (like a lot of schools nowadays) you just need to stick a gummi bear over an existing fingerprint (my bet would be the gate/door handle next to the fingerprint reader) and then put it on the fingerprint reader. You would be accepted as a valid user (hence the gummi-bear being renowned as completely defeating fingerprint security), allowed entrance and nobody would know who you were. It takes seconds and gets you into everything from private home to schools to industry to military complexes (not to mention encrypted off-the-shelf fingerprint-capable laptops like the Thinkpads).

My daughter's nursery wanted my fingerprint in order to verify who collected her. You literally cannot get into the building without having your fingerprint taken and checked at every entrance. Once inside, they don't care who you are (yes, that's stupid but it's how fingerprint technology is perceived), because the fingerprint-reader verified you as a parent. At which point I told them that they wouldn't be getting my print and enquired about their procedures (which included - if I phoned them and told them that someone new was picking my daughter up, they would open the door for them and not require fingerprints or ID at all - and the phone call validation would be nothing more than SOMEONE phoning up and they had no way to tell if it was me or not). It was all a waste of time with SO much effort put into expensive equipment wasted by trusting it blindly.

I could, literally, have stolen any child from that nursery using a gummi bear, or even just a previous phone call using the name of a parent.

9
0
Lee Dowling
Silver badge
FAIL

Not just that

Vibration-white-finger, colour-calibration on the cameras being out, someone sweating, someone with high/low blood pressure (people literally "go white" when their blood pressure is low), someone hyped on adrenaline (same effect, visible in anyone that is experiencing fight-or-flight, used as an indicator by anyone with knowledge of self-defence: red face = he's mad but you're safe for the moment, white face = run or get ready to fight back, and now you can't get into your building because the serial killer chasing you has made your adrenaline flood your limbs instead of blood).

My bet is that it will be fooled by someone holding a CLEAR, very thin Gummi bear (or even just simple PVA-glue-skin with the right imprint) over their real finger. Did they test that? It took me all of five seconds to imagine one way around it, and would probably take only a day of testing on the system to make it a viable attack.

6
1

'Directory traversal' attack becomes premier hack tool

Lee Dowling
Silver badge

databases

I could never understand it, from the second I first heard about people being attacked via remote SQL injection. It's like having a DOS command tagged onto your URL. If you wouldn't allow:

http://www.example.com/?deltree%20C:\

then you shouldn't bloody allow SQL to creep into the URL, POST data, or anything else you intend to act upon.

You want to execute SQL statements based on an input? Okay, make up a language/translation that takes input from your web user and produces a set of SQL stanzas from it. Have external apps send ONLY that language. Have your server translate the language into a set of static PRE-FORMED SQL strings that can never change. Your PHP scripts should not have a single word of SQL in them.

You can now do simple things like: join every single translated SQL stanza in every possible combination and see if it's possible to actually get stuff out of the database that you shouldn't (and this is ASSUMING your SQL is so damn open that any web user can do things like query other tables at all). If you don't want web-users to be able to delete your tables, don't have a translation for it. It is then IMPOSSIBLE for them to do so, because they will never give you anything that corresponds to SQL that you're executing that contains a DROP TABLE statement. It's not in your "language's" vocabulary to even express the idea and you're NEVER interpreting the user's input as SQL.

Also, if you delimit all the individual translated stanzas, then there is NO way to produce valid ones that do anything different by concatenating them in strange orders. You can literally fuzz-test those statements on their own and you should never expose anything other than what you intend.

Seriously people, if you don't get this, you shouldn't be managing fecking databases in the first place (the operative word being DATA, as in subject to the Data Protection Act).

0
0
Lee Dowling
Silver badge

Pfft

Well, that list reads like a "security 101" checklist.

Seriously, directory traversal (i.e. not bothering to sanitise inputs, chroot folders - either via the calling app or via the OS -, etc.) and SQL injection (not bothering to sanitise inputs, PUTTING FECKING SQL STATEMENTS IN DATA YOU EXPECT TO RECEIVE AND ACT UPON!) - those are the most ridiculously stupid things to have yourself vulnerable to.

Follow the example of Bobby Tables. Sanitise your inputs, and never trust data you're given externally EVEN BY YOUR OWN CODE, and all these "problems" go away.

1
0
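The "pre-formed SQL" scheme from the "databases" comment and the input-sanitising point from the "Pfft" comment, as an added example in Python (this is not code from the original page or from the commenter): the string-concatenation pattern the comments object to, beside a fixed vocabulary of static parameterised statements that the web tier can only name, never extend, plus a resolved-path check for the directory-traversal case. The `users` table, the names in it, the operation names and the `/srv/site` document root are all constructed for the example.

```python
"""Added example: fixed-vocabulary SQL layer and document-root path check.
Everything here (table, rows, operation names, /srv/site root) is constructed."""
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str):
    """The pattern the comment objects to: request data spliced into SQL text.
    Kept only to show the failure next to the fix; the 'name' parameter is
    interpreted as SQL, so a quote in it changes the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = '" + name + "'"
    ).fetchall()


# The comment's 'translation' idea: the only thing a caller may send is an
# operation name plus values. The SQL text is static and parameterised, so no
# word of the request is ever read as SQL. There is deliberately no entry that
# drops a table or exposes is_admin; the vocabulary cannot express either.
OPERATIONS = {
    "find_user": "SELECT name, email FROM users WHERE name = ?",
    "find_by_email": "SELECT name, email FROM users WHERE email = ?",
}


class UnknownOperation(ValueError):
    """Raised when a request names something outside the fixed vocabulary."""


def operation_allowed(op: str) -> bool:
    return op in OPERATIONS


def run_operation(conn: sqlite3.Connection, op: str, *args):
    """Translate (operation name, arguments) into one pre-formed statement."""
    if not operation_allowed(op):
        raise UnknownOperation(op)
    sql = OPERATIONS[op]
    if sql.count("?") != len(args):
        raise ValueError("wrong argument count for %s" % op)
    # Values travel as bound parameters; sqlite3 never parses them as SQL.
    return conn.execute(sql, args).fetchall()


def safe_path(root: str, requested: str):
    """Return the resolved absolute path under root, or None if the request
    escapes it. Resolving first and then comparing prefixes beats trying to
    strip '..' out of the string, which misses encodings and absolute paths."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def is_inside(root: str, requested: str) -> bool:
    return safe_path(root, requested) is not None


if __name__ == "__main__":
    db = make_db()
    # Concatenation: a quote in the input rewrites the WHERE clause.
    print("unsafe:", find_user_unsafe(db, "' OR '1'='1"))
    # Parameterised: the same bytes are just a name nobody has.
    print("safe:  ", run_operation(db, "find_user", "' OR '1'='1"))
    print("inside:", is_inside("/srv/site", "img/../index.html"))
    print("escape:", is_inside("/srv/site", "../../etc/passwd"))
```

The point of `OPERATIONS` is the commenter's one: the web tier's vocabulary is a closed set, so anything it cannot name (a DROP, a read of `is_admin`) cannot be requested at all, and each stanza can be fuzzed on its own because the values are bound rather than spliced. `safe_path` applies the same thinking to files: resolve the request against the document root and refuse anything whose resolved form is not under it.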

Sorry, time travelers, you’re still just fiction

Lee Dowling
Silver badge

Energy

Something tells me that the energy required to do that would probably take longer than the entire journey to collect - and then you'd be stuffed in terms of getting back home.

1
0
Lee Dowling
Silver badge

Better

Better than that - they arrive completely undetected until they smash into the planet (at speeds they and their crafts are able to survive quite easily), weaving through vast amounts of space junk that contains our complete communications networks without touching a thing, in order to probe a single example of a soggy organism. Not very good science, stealth, or observation.

They also routinely attract the attention of locals, usually near military bases, and are written about, observed and recorded in military literature. On top of that, they also put the subject of their experiments back into the wild like nothing had happened, and their encounters always last less than 24 hours (average time away would almost always equal that of the average hangover). Where are your long-term experiments? Where are your controls? What happened to reintroducing captive subjects to their natural habitat slowly?

And why, in 170bn observable galaxies made of billions of stars each, bother with Earth - who still haven't worked out that it's probably not a very good idea to shoot each other? Go find that planet full of nubile air hostesses and retire there for the sake of science, if you call yourself an intelligent species!

1
0

Nominet pilots .co.uk domain security pump-up

Lee Dowling
Silver badge

At last

That's how it SHOULD be, and my post a few above this is decrying this exact problem.

And it's not often you run into the author of a piece of software on a website and get to thank them for doing something "properly" from the user's point of view.

Cheers, Bert.

1
0
Lee Dowling
Silver badge

Because.

Neither was SVG at one point.

Neither was HTML5 at one point.

Neither was PNG at one point.

Neither was Flash at one point.

Neither was Java at one point.

Neither was ActiveX at one point.

....

....

The point is that they make DNS much more secure and break a lot of happening-today attacks on things like SSL certificates that rely on being matched to the correct domain name (e.g. complete compromise of most modern-day use of SSL), and stopping DNS-spoofing / filtering in those countries that do that.

This is INFINITELY more useful than EV-certificates ("green bar" secure sites), for example.

1
0
Lee Dowling
Silver badge

Well

I have no doubt that if I sat down and needed to deploy this for a single domain, I could probably get it done in a day if I had nothing else to do. But as someone who runs their own domains, has their own servers, and plays about with DNS as required (e.g. I IPv6 enabled my domains one day when I was bored, proved my ownership of a domain via TXT cookies, implemented my own SPF records etc.), I can safely say that I'm still not entirely sure what the hell I'm doing when it comes to DNSSEC, or whether I'm doing it right, or whether what I do would make it any more secure.

There seems to be a complete lack of readable documentation - if it isn't RFC-level, then it's just a checklist of commands to blindly run in Ubuntu/Bind (and no clear advice on what to publish and what not, and what parts of those things are private and should be deleted/stored securely, etc.). And at the end of the day, I have little idea exactly how, say, .org.uk is magically authenticating my domains/nameservers via a record I publish on said nameserver. I've a mathematical degree, for God's sake (albeit a decade ago), and studied cryptography but the various records, signings, etc. aren't immediately enlightening me on how to deploy DNSSEC at all, and certainly not how to know whether I've done it properly.

And everything seems to want to use bind tools. Shockingly, most people don't run their own bind nameserver for their domain - and literally just want to be given a DS record they can publish, or ask their host to publish for them. Then you have the question of updates and expiration. Just how often, exactly, am I going to be required (either automatically or manually) to push our new DS records because something, somewhere expired? And if I don't update them properly, DNSSEC-enabled servers will see my domain as "untrusted" - whereas if I *don't* publish anything at all, I can sit quietly in a greylist somewhere and never have a problem until everything is DNSSEC and people decide to actually require it?

So until DNSSEC is literally "built-in" to domains and domain-hosting packages somehow, it'll be a long while before it meets mass-adoption. Hell, people aren't using IPv6 and that's simple enough now and explicitly supported in all major operating systems (not to mention a requirement of things like DOCSIS 3 and some mobile technologies).

DNSSEC proponents really need to think not of ISP's and mass-domain-hosts (who should have people more than skilled enough to do this, and a business reason to ensure it stays updated), but of the people who own domains (who may be reliant on those hosts/ISP's, running their own VPS, etc.) who literally just want a checkbox procedure to DNSSEC-enable themselves. At the moment, it seems far too complex and uncertain for a five-minute deployment to actually be possible and help the domain owner.

Compare to SPF, for example, where - yes - you can break email reception/sending for your domain if you do it wrong but it literally takes minutes to get it right, or correct a mistake, and then you never have to worry again until you change the servers receiving/sending your email. Compare to IPv6 where IPv6 day pretty much proved that you aren't going to break anything by deploying it and a five minute enabling process is available (and the only issues are having another avenue of entry to secure, enabling IPv6 in daemons, firewalls, etc.).

DNSSEC is a bit of a hideous nightmare at the moment, so no-one is touching it, so Nominet really have to push things like this. Until the time that such tick-a-box functionality is available to someone who owns a domain through every host/ISP, does anyone have a simple run-through that isn't bind-specific, explains what's going on, and explains which bits of the process are secret, which should be published, how, to whom, and how often? At the moment, it just seems one big modern mess.

0
0
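The post above asks what gets published where in DNSSEC and how the parent (.org.uk) vouches for a child via a record the child publishes. The short version: the private signing key never leaves the signer; the public half is published in the child zone as a DNSKEY record; and the parent publishes a DS record, which is just a hash of that DNSKEY, so a validator walking down from the root can check that the DNSKEY it fetched is the one the parent endorsed. The DS only changes when the key it hashes (the KSK) is rolled. This is an added example, not code from the post or from any registrar or nameserver project: it computes the DS from a DNSKEY exactly as RFC 4034 describes (key tag from Appendix B, digest over canonical owner name plus DNSKEY RDATA) and includes the check a domain owner would run to confirm the DS their registrar published matches the DNSKEY their nameserver serves. The owner name and public key bytes are constructed for the example, not a real key.

```python
"""Compute and check a DNSSEC DS record from a DNSKEY (added example, stdlib only)."""
import base64
import hashlib
import struct

# Constructed sample for this example: the bytes 0..63 stand in for a 64-byte
# ECDSA P-256 public key (algorithm 13). Flags 257 = zone key + SEP, i.e. a KSK.
# A real DNSKEY comes from `dig +short DNSKEY <zone>` or the signer's output.
SAMPLE_OWNER = "example.org.uk."
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEY = f"257 3 13 {SAMPLE_PUBKEY_B64}"


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length byte, ending with the zero-length root label."""
    trimmed = owner.lower().strip(".")
    labels = trimmed.split(".") if trimmed else []
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(dnskey_text: str) -> bytes:
    """Wire-format RDATA of a DNSKEY given its presentation form
    'flags protocol algorithm base64-key' (the key may be split over spaces)."""
    flags, protocol, algorithm, *key = dnskey_text.split()
    pubkey = base64.b64decode("".join(key))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete 1):
    a 16-bit checksum used to pick the right DNSKEY out of an RRset."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Presentation-form DS RDATA the parent publishes for this DNSKEY:
    'keytag algorithm digesttype hexdigest' (RFC 4034 s5.1.4), where
    digest = hash(canonical owner name || DNSKEY RDATA). Type 2 is SHA-256."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    rdata = dnskey_rdata(dnskey_text)
    algorithm = rdata[3]  # algorithm byte of the DNSKEY is echoed in the DS
    digest = hashes[digest_type](canonical_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
    """The owner's sanity check: does the DS in the parent zone (e.g. from
    `dig DS <zone>`) really hash to the DNSKEY the child zone serves?"""
    tag, alg, dtype, digest = ds_text.split(None, 3)
    expected = ds_record(owner, dnskey_text, int(dtype))
    return expected.split() == [tag, alg, dtype, digest.replace(" ", "").lower()]


if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {ds}")
    print("parent DS matches child DNSKEY:", ds_matches(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
```

The line this prints is the one thing a domain owner hands to the registrar; nothing private is involved, because the DS is derived purely from the public DNSKEY. Running `ds_matches` against the DS actually served by the parent after a KSK rollover is the quickest way to catch the "untrusted domain" failure the post worries about before validating resolvers do.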

Amateur claims crack of final Zodiac Killer cipher

Lee Dowling
Silver badge

FFS

NO!

WRONG, WRONG, WRONG!

From TFA:

"police ... indicated that the killing was connected to the U.S Virgin Islands."

"Starliper believed that the “340” of the 340 cipher was significant," (it's the area code for the Virgin Islands - fair enough)

"This is where it gets even creepier. 3+4+0=7. Right. So you get 7+0=7. 707...707 are the area codes for Vallejo, Napa, and Solano. So I figured, why not start this with Caesar code using 3,4.”

WOOP WOOP WOOP! Mathematician's junk alert! Random assertion based on silly patterns that you can find BILLIONS of if you look. Hey, did you know, you can find messages from the devil if you play your records backwards and the Bible has codes in it?!

"Starliper extracted symbols and changed them to letters they ****could**** correspond with."

To quote Scooby: Ruh-roh.

"After everything symbolic had been interpreted alphabetically, he started applying reverse Caesar shifts. He found the first two letters to be “K” and “I”. “What are the next two going to be? right? I figure, what’s the first word he’s going to throw in there? Kill,”

OMG please, send this kid to school. So you basically MADE it be L and L and made up whatever pattern you liked.

"For the first few lines, the pattern remained constant, but it changed beyond that. He said he was able to figure out the non-patterned series that by finding “similarities in the numerical sequence.”

Translation: He made it fit a pattern he wanted it to.

"When he was done, he had decoded the following text: KILL/SLF/DR/HELP/ME/KILL/MYSELF/GAS/CHAMBER/AEIOUR/DAYS/QUESTIONSABLE/EVERYY/WAKING/MOMENT/IM/ALIVE/MY/PRIDE/LOST/I/CANT/GO/ON/LIVING/IN/THIS/WAY/KILLING/PEOPLE/I/HAV/KILLD/SO/MANY/PEOPLE/CANT/HELP/MYSELF/IM/SO/ANGRY/I/COULD/DO/MY/THING/IM/ALONE/IN/THIS/WORLD/MY/WHOLE/LIFE/FUL/O/LIES/IM/UNABLE/TO/STOP/BY/THE/TIME/YOU/SOLVE/THIS/I/WILL/HAV/KILLD/ELEVEN/PEOPLE/PLEASE/HELP/ME/STOP/KILLING/PEOPLE/PLEASE/MY/NAME/IS/LEIGH/ALLEN/"

So apart from the bad text, bad spelling, random words, complete gibberish, complete guesswork whenever it looks like it's going wrong, rubbish patterns, and pre-supposed ideas, it's not bad, right? Except the Zodiac actually had a reputation and history of pretty well structured messages and codes and nothing like the mistakes in this one (which, if they were merely encoded incorrectly, would have resulted in gibberish rather than a lovely pattern from the next word).

"Along with a lack of progress contacting Solano, Vallejo, and Napa counties, Starliper has contacted the San Francisco Cold Case Unit and Special Investigative Unit without response.

He even sent the code to a cryptographer, who, after looking over the solution, said that it appeared “not valid,” according to Starliper."

Hint: The cryptographer and all those other people do this for a living, and have their works tested in courts.

Complete and utter fail, Register - how dare you stoop to reciting this Daily Mail trash?

25
1

Four illegal ways to sort out the Euro finance crisis

Lee Dowling
Silver badge

Well,

Looks like Gordon Brown actually got something right for once:

http://en.wikipedia.org/wiki/Five_economic_tests

Shame they are no longer policy, but I think it would be political suicide to suggest entering the Euro in the next 5-10 years anyway.

0
1

Apprentice runner-up becomes Greggs bigshot

Lee Dowling
Silver badge

Do people actually watch that garbage show beyond the first episode?

Yes. Purely for that moment when the back-stabbing, management-phrase-speaking, underachieving wastrel that can only speak their way through their job rather than provide the numbers gets into the boardroom, torn apart, throws a strop but still ends up getting fired.

How I wish it were some of the people like that that I know, and that the "You're Fired" referred to their current jobs...

0
0
