* Posts by Yes Me

232 posts • joined 11 Jan 2008

OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts

Yes Me
Facepalm

Blame the programming language, not the programmer

"Essentially, he forgot to check the size of a received message"

No. The world took a wrong turn many years ago (in the early 1980s) and ignored the known fact that languages without strong typing, rigorously enforced at compile time, are dangerous. In particular they're subject to array overrun bugs. In the mistaken name of efficiency, we've been using sloppy languages ever since. It's perfectly possible to get efficient code out of a strongly-typed language where this class of bug is simply impossible; it's just more difficult to get your code through the compiler, because it won't let you do potentially dangerous things. This isn't a wakeup call for individual coders: it's a wakeup call for the whole industry to look again at the basics of systems programming languages.

7
1

USA opposes 'Schengen cloud' Eurocentric routing plan

Yes Me

Re: Nuno trancoso

If the EU governments don't already have end to end encryption for intra- and inter-governmental communications, that's a massive fail. Ditto European companies. They have been aware since 1985 or thereabouts that networks can be tapped by bad actors. (Actually, make that 1974 for those that read The Ultra Secret, or 1945 for a lucky few.)

As others have pointed out, a geographically bound network is immaterial for general purpose traffic that either crosses the ocean anyway, or is subject to local surveillance anyway. Encryption is the only answer, and does not need a separate network.

1
0

The IT Crowd tops BAFTA nominations with four nods

Yes Me

Re: I have to say

Shorely The Internet is already on the pedal stool.

http://cdn.instructables.com/FR5/5S2J/G4PBP7TA/FR55S2JG4PBP7TA.LARGE.jpg

0
0

Vint Cerf wanted to make internet secure from the start, but secrecy prevented it

Yes Me

Not to contradict Vint, but...

I don't doubt a word Vint says, but re: "practical reality had to wait until Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977."

That ignores the fact that real practical reality had to wait until the RSA patent expired in September 2000. It was pretty much impossible to deploy public key crypto on an unlimited scale until then.

(Also, BTW, the actual *existence* of the NSA was surely top secret until about 1975, and little known until The Puzzle Palace was published in 1982?)

1
0

Steelie Neelie secures MEPs' support for 'net neutrality' – in principle

Yes Me

Re: Net neutrality nonsense

> So spam filtering is against the law then ?

That would be a perfectly reasonable reading of the text. I don't understand the downvotes - they imply that people enjoy it when their Skype call breaks up because one of their neighbours is downloading something big. The text simply doesn't match technical reality. You *should* discriminate in a way that favours timely delivery of audio packets, for example; you *shouldn't* discriminate in favour of some audio services as compared to others. The language needs to be more subtle.

0
0
Yes Me

Net neutrality nonsense

Hmm. Let's look at the net neutrality amendment from

http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+AMD+A7-2014-0190+237-244+DOC+PDF+V0//EN

'The principle of "net neutrality" means that traffic should be treated equally, without discrimination, restriction or interference, independent of the sender, receiver, type, content, device, service or application. ... Furthermore, traffic management measures should not discriminate between competing services and applications.'

This is absurd. If interpreted literally, as lawyers tend to do with laws, it means that a greedy video or audio stream and a non-urgent email transfer (for example) will be treated exactly the same. Would you like your phone call to pause while the next web page loads? That's what the MEPs just voted for. Technical ignorance is not bliss.

1
7

ICANN boss: 'Russia and China will NOT take over interwebs'

Yes Me

ICANN is mostly a success

"There are a few bright spots like DNSSEC and IDN, but they are few and far between."

What on earth is he talking about? ICANN has mainly done what it's supposed to do: hosted the Internet Assigned Numbers Authority, which has worked perfectly there since 1998; managed the process of adding Top Level Domains to the DNS - some (including me) disagree with some of the decisions, but nobody can deny that ICANN has managed the process; overseen the DNS root; and indeed assisted the start of deployment of DNSSEC and IDNA.

ICANN has multiple stakeholder bodies to which it's accountable, including the ICANN Board itself. Yes, there's an element of greed in the gTLD game, which I deprecate too, but that can be blamed on capitalism more than on ICANN. And if anybody has sat back and let that rip, it's the US Dept of Commerce, so the sooner they step down, the better. A few procedural changes are needed for that to happen; but there is no scenario in which any other government obtains control.

1
0

Who's up for yet another software-defined net protocol? Cisco wants to see some hands

Yes Me

Re: Patents?

According to https://datatracker.ietf.org/ipr/search/, none so far. But the lawyers might still be chewing on that.

BTW, it doesn't look like an SDN protocol to me. It's more of a YANMP (yet another network management protocol) and I don't think the IETF is quite ready for that while still digesting NETCONF and RESTCONF.

0
0

Bruce Schneier sneers at IBM's NSA denials

Yes Me
Paris Hilton

Why (not) IBM

> Why does IBM think(lie) that it was able to evoid the NSA whereas MS, Google & Apple couldn't?

Because, having got rid of the IBM Global Network many years ago and with all their PC operations moved to Lenovo, IBM doesn't actually have clients among the general public any more. So their client databases are completely different in nature from those of MS, Google, FB, etc. and probably less interesting, except for industrial espionage. Please don't down-vote me just for saying this, but IBM might even be telling the truth - because their data is boring.

Paris, because I expect Hilton is still an IBM client.

1
0

US saves self from Huawei spying by spying on Huawei spying

Yes Me

Re: Protectionism and hypocrisy

Maybe it depends on the site. At the one I'm thinking of they glue up your USB slots (literally). Maybe not so much at a sales and support site?

otoh I remember once being left alone at DEC in a meeting room that had their departmental product development plan for several years ahead posted on the wall. It was at least 15 minutes before someone noticed and yanked me out of there.

0
0
Yes Me
Black Helicopters

Protectionism and hypocrisy

It's clearer with each new revelation about the USG machinations against Huawei that all this has little to do with security (since, obviously, US vendors are even more exposed to NSA backdoors than Huawei can possibly be) and everything to do with protecting the US market in favour of US suppliers. It isn't irony as much as it's hypocrisy.

Huawei, not coincidentally, has much stricter rules governing laptops entering and leaving their sites than any US vendor I've visited. It would be interesting to learn how the alleged backdoor code was actually inserted.

3
0

Ex-Autonomy boss Mike Lynch goes nuclear: Claims HP 'misleads' its own shareholders

Yes Me

coming out fighting

> either shut up or say that he is "confident of being cleared"

Why? That's how people react who are slavishly obeying a defence lawyer's advice. Lynch is coming out fighting. That proves nothing about the facts of the case; it does suggest that he's not too afraid of the truth.

s/Autonomy/Whatsapp/ and see how the real value of the acquisitions compare. This is a business full of BS valuations - apparently HP wasn't aware of this until recently.

3
0

US govt: You, ICANN. YOU can run the internet. We quit

Yes Me

Re: What if ICANN goes renegade?

That's what the multistakeholder buzzlanguage is about - checks and balances on ICANN. Actually that's how it works today; NTIA has had almost no influence via its contract. The end of the contract is a Good Thing, especially given the widespread distrust of the US Government in recent months.

See http://www.iab.org/documents/correspondence-reports-documents/2014-2/internet-technical-leaders-welcome-iana-globalization-progress/

4
0

Those NSA 'reforms' in full: El Reg translates US Prez Obama's pledges

Yes Me
Black Helicopters

A little escape hole here...

Have a careful look at the text of the actual Presidential Directive: "In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: [various specific threats]"

Two comments on that word "nonpublicly":

1. That's a word?

2. This text means that the restriction to the specific threats listed doesn't apply to publicly available bulk sigint (such as scraping Facebook pages).

13
0

FCC net neutrality blueprint TRASHED by US appeals court

Yes Me
Alert

Re: Seems reasonable to me

And yes, I will upvote this because indeed the issue is one of fair trading and consumer protection. Trying to use the common-carrier argument always struck me as strange.

Big fan of http://tools.ietf.org/html/rfc4084

0
1

Campaign to kick NSA man from crypto standards group fails

Yes Me

Re: Conflicts of Interest

As usual, you don't understand the IETF, and in particular you don't understand that the IRTF is not a standards body.

Of course, all standards bodies consist of people with opinions, some of whom work for organisations with opinions. Of course, people communicate outside the official sessions and of course, rough drafts of documents exist before more polished drafts are made public. Of course, people try to influence the work in accordance with their opinions. How could it possibly be otherwise?

But I suspect we agree that making conflicts of interest as visible as possible is a Good Thing.

0
1
Yes Me
Black Helicopters

Storm in a RESEARCH teacup

And in case nobody else has pointed it out, he isn't co-chair of a "standards group". He's co-chair of a research forum - admittedly one that offers advice to various standards working groups in need of a crypto algorithm. And he's co-chair because having more than one chair lowers the risk of biased chairing.

Me, I think it's better to know that the NSA is interested in cryptography; but I didn't need Mr Snowden to tell me that.

2
0

Scientists discover supervolcano trigger that could herald humanity's doom

Yes Me

Bulging in advance

"... cause the ground above to rise "hundreds of metres" in advance of the eruption"

Right. So you see this big bulge which says that there'll be a supervolcano there in 1000 years or so. What next? (I mean seriously, not unreasonable dreams like living on Mars.) I think there might be a bit of social breakdown.

0
0

US Department of Justice details Kim Dotcom evidence

Yes Me

Re: He refused to allow the NSA snooping rights.

For sure, if Mega was outside the scope of both National Security Letters and DMCA takedown notices, it would piss off both the spooks and the Mickey Mouse industry. But in that case, how can Mega also be inside the scope of US jurisdiction when it comes to this vengeful extradition attempt?

And note the tendentious language they use. By repeating the words "criminal" and "conspiracy" often enough, they hope the reader will believe they are true, rather than simply being allegations, which Mr Dotcom denies.

Also note how legal fictions can change to suit whatever you're trying to prove. Sometimes a URL that points to an infringing copy is itself an infringement. This time, deleting such a URL doesn't count as deleting an infringement.

Let's hope the Kiwi courts keep their eyes on the ball.

4
0

How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report

Yes Me
Black Helicopters

Switzerland and Crypto AG [Re: This just underscores...]

I think you need to look into Crypto AG a bit before being too bullish about Switzerland.

1
0

Google's Dart on target to replace JavaScript? That'll be the day

Yes Me
Meh

What ECMA does for a living

C# is ECMA-334. ECMAScript is ECMA-262; ECMA also backed the .docx junk as ECMA-376 before MS conned ISO into adopting it. JSON is ECMA-404. This is what ECMA does to survive; they don't like people to remember that their name stood for European Computer Manufacturers Association.

So, if you're shopping around for a standards organization to rubber stamp your favourite proprietary format, ECMA's the one for you.

6
0

Security guru Bruce Schneier to leave employer BT

Yes Me
Angel

Re: Sigh.

Annoying when people like that are *right*, isn't it?

I found Bruce stimulating when I met him.

2
1

ICANN posts guidelines to avoid gTLD mix-ups

Yes Me

.cs

.cs? That was a problem in about 1985, when we had to handle some email addresses in JANET name order (user@uk.ac.ucl.cs) and some in DNS name order (user@cs.example.edu).

But indeed ICANN is right - this stupid money-grab will lead to epic fails.

6
0

UK.gov's web filtering mission creep: Now it plans to block 'extremist' websites

Yes Me
Childcatcher

Clever Nanny!

"Only the adult account holder will be able to change the filter settings."

So they have technology that can detect age from keystrokes do they? Given how many Aged Parents don't understand technology and leave passwords and crap to the kids, I really do wonder how it will work.

22
0

Mandatory HTTP 2.0 encryption proposal sparks hot debate

Yes Me

Re: Trust

Worse: *anybody* can do that. The best trick is probably to generate a binary of an open source browser that happens to include some home-made CA certificates, post that binary on a juicy-looking free download site, sit back and wait. Also, at best, TLS only authenticates one end, even if the certificate is valid. The trust model for TLS is so broken that bad actors don't even need to worry about breaking the crypto.

1
0

SECRET draft copyright treaty LEAKED: Meet the Trans-Pacific Partnership

Yes Me

Re: Beep beep

And today, I find myself agreeing with Don Jefe, unlike a few days ago on another matter. Impose Hollywood's and Big Pharma's view of IPR protection so we can sell more kiwi fruit, dead sheep and milk powder? There's a real risk the NZ government will take that deal. Beuh.

8
0

Watch out spooks: STANDARDS GROUPS are COMING AFTER YOU

Yes Me

Re: Actual facts about the IETF

@Don Jefe: I call BS. What on earth makes you think that government pressure has substantial effects on the IETF? Please give chapter and verse. Of course engineers from vendors and operators participate in the IETF, which is why IETF standards actually relate to the real world. Again: educate yourself.

I do know exactly who steers the IETF. I mean I know them personally. I assure you that the quickest way to get shouted down in the IETF is to say "My company thinks...". And nobody is stupid enough to say "My government thinks..." because it would be greeted by raucous laughter.

3
0
Yes Me

Actual facts about the IETF

I think Mr Jefe should actually watch the video of the session at http://www.ietf.org/live/ or https://www.youtube.com/watch?v=oV71hhEpQ20. You can skip the first 22 minutes of routine reports.

And even read a few words about how the IETF actually works, for example starting at http://www.ietf.org/newcomers.html

0
1

Berners-Lee: 'Appalling and foolish' NSA spying HELPS CRIMINALS

Yes Me
Black Helicopters

Re: More to the point, let's fix the code

Yes, people in the IETF are *very* aware of the risk of crypto algorithms and implementations that have been suborned, but that is only one issue among many, and *all* the issues need to be dealt with. What we now know with great clarity is that if any attack on privacy is possible, it will be exploited, so every single one of them needs to be fixed. The risk of backdoors being exploited by bad actors was pointed out years ago:

"What this boils down to is that if effective tools for wiretapping exist, it is likely that they will be used as designed, for purposes legal in their jurisdiction, and also in ways they were not intended for, in ways that are not legal in that jurisdiction." (RFC2804, May 2000)

3
0
Yes Me

More to the point, let's fix the code

Signals intelligence agencies have been breaking codes for a hundred years now, and they aren't going to stop because TimBL says so. So the constructive approach is to fix the problem, by making the Internet surveillance-resistant. The IETF decided to do that for the protocols it specifies just yesterday, in Vancouver. What's the W3C doing to help?

http://www.ietf.org/media/2013-11-07-internet-privacy-and-security

5
1

Australian confirms Huawei ban

Yes Me

Re: They have

> So who is right and who is wrong?

Apparently the Australians (and the Canadians) are more obedient to instructions from Washington than the Brits or the Kiwis. I don't think there's any sense in asking who's right, since the whole thing is founded on xenophobia anyway, and on fear of a rising economy while the West declines.

2
1

New Oz government keeps Huawei ban after spook briefing

Yes Me

Why expect rationality?

Since this is all about paranoia, stereotyping, xenophobia, and political posturing, why would you expect any rational reason to be needed for anything?

Rationally, you are far safer from backdoors with Chinese kit, because their industry doesn't have the fifty years or so experience with modern signals intelligence that UKUSA companies have. PRISM didn't just happen by accident, did it?

0
0

Huawei coming in from the cold in Oz?

Yes Me

Re: After all the sabre rattling....

Strangely enough, the revelation that routers from the main US vendors have been subverted makes the paranoia about Huawei more understandable: people who knew what was going on with Cisco and Juniper boxes (but weren't allowed to talk about it) would have good reason to suspect Huawei boxes, but couldn't say why, so they used rumour and innuendo.

You're right though - the Snowden revelations have levelled the playing field, and about time too.

0
0

Divorcing ICANN and the US won't break the 'net nor stop the spooks

Yes Me
Thumb Down

Re: Europe should create its own Internet

We tried that. Didn't work out too well.

http://www.cordis.europa.eu/projects/rcn/8882_en.html

0
0
Yes Me
WTF?

Re: Can you see where this is going?

"global body comprised of governments"? Who ever suggested that; even the ITU can't be described accurately as that. The suggestion always has been a multi-stakeholder body without governments having a deciding role - which to be fair to ICANN and the US Govt, is to a large extent what we have today. It just needs to be moved out of US jurisdiction, into a jurisdiction that properly recognises the status of non-governmental organisations.

I can't imagine, though, why anyone would think for a moment that divorcing ICANN and the US would break the 'net or stop the spooks, so I find the whole story very puzzling.

8
0

Brazil's anti-NSA prez urged to SNATCH keys to the internet from America

Yes Me

Re: Equal footing with Uncle Sam

That isn't quite the point. Nobody is naive enough to believe that smaller countries (economically speaking) can have as much influence as larger countries. The issue is that ICANN shouldn't function under the law and jurisdiction of any one country, because it shepherds resources for the whole world. It shouldn't function under the UN (i.e. ITU in this context) either, on the basis of past experience. It should be (and should always have been) based as a recognised NGO in a neutral country, not as a pseudo-non-profit in the US.

All of which has nothing to do with PRISM.

19
0

MI5 boss: Snowden leaks of GCHQ methods HELPED TERRORISTS

Yes Me

Snowden leaks of GCHQ methods HELPED STUPID TERRORISTS

The ones who aren't stupid, presumably the most effective ones, have surely known for years that Five Eyes were reading their traffic. If they didn't know it before Rumsfeld talked about "chatter in the system", they certainly knew it then. But I presume they already used strong cryptography long before.

3
0

Oz government knew about PRISM BEFORE Snowden leaks

Yes Me
Black Helicopters

Re: So ... UKUSA agreement cracking?

Nah. Canada, Australia and NZ have been part of it since 1942 or thereabouts, even though it wasn't actually signed until 1946. No cracks worth mentioning, I don't think.

http://www.nsa.gov/public_info/declass/ukusa.shtml

http://www.nationalarchives.gov.uk/ukusa/

1
0

US.gov - including NASA et al - quits internet. Is the UN running it now?

Yes Me
Joke

NSA

www.nsa.gov sez "Due to the Government Shutdown, this site is not being updated." Maybe they aren't capturing any metadata then.

1
0

IPCC: Yes, humans are definitely behind all this global warming we aren't having

Yes Me

Re: Such a waste of time and paper.

Er, some people can hold two ideas in their head at once, like trying to reduce human impact on the climate *and* limit population growth. And there's a bit of a problem here, too: we know that family sizes get smaller as people get richer, so the people of Africa and Asia need to get richer and less polluting simultaneously. Put that in your pipe and don't smoke it.

5
2

'British Bill Gates' Lynch laments HP's Autonomy 'botch-up'

Yes Me

Re: Boy, do I need to study business!!

The real confusion is calling Milo Minderbinder a "cook". What an insult - the man was a genius, and he was the mess officer, well placed to buy and sell eggs with other people's money.

1
0

Huawei CTO insists: 'We are not a threat to UK and US national security'

Yes Me

Re: I did business with Huawei 10 years ago.

"I dont know who started the rumors ... ten years before any of the NSA spy stuff was confirmed."

ECHELON was already well known by then, and you can be sure that NSA and GCHQ were already busy suborning the Western vendors and carriers ten years ago; the Snowden revelations are pretty old news. So somebody suggested to somebody to suggest to somebody else that Huawei might be doing the same thing. Or that they should be, if they wanted to sell kit to the West.

0
0

So WHY does Huawei's enigmatic boss shun the West's spotlight?

Yes Me
WTF?

Re: Watts is a traitor

Where did that come from? In any case, everything he is reported as saying makes complete sense.

3
0

Verizon finally drags FCC into court fisticuffs to end one-speed internet for all

Yes Me

Re: FCC: Stand your ground!

You say Verizon is trying to "monetize something which they don't own". That's not quite right. They're objecting to two rules - one that prevents them from arbitrarily blocking user access to content, and another that only allows them to perform traffic engineering for "reasonable" technical purposes. What they are trying to do is grab the right to have captive customers, which is a lot *worse* than simply opposing network neutrality by discriminating against some content.

Go FCC!

2
0

US intelligence: Snowden's latest leaks 'road map' for adversaries

Yes Me
Alert

Backdoors

"NSA and the UK's Government Communications Headquarters (GCHQ) have placed backdoors in popular encryption standards "

That is *not* what Bruce says. He says they have placed backdoors in *implementations* of the standards - in other words, they've got at the code.

That's why open source implementations of cryptography are the way to go; you can look for the backdoor yourself (assuming you have the right skills). What we have learned this week, which we really knew already, is that you can't trust an implementation of cryptography that's sold to you in a black box.

5
0

Kiwis (finally) confirm software ban under new patent law

Yes Me
Black Helicopters

Re: Good (or not)

otoh they passed a security bill the other day that effectively makes the Prime Minister a one-man FISA court, so that the next time they want to spy on the likes of Kim Schmitz they can do so legally.

3
0

Guardian teams up with New York Times for future Snowden GCHQ coverage

Yes Me
Facepalm

Griffin

"(sadly), Nick Griffin was at Downing."

Of course. That's why the College coat of arms has a griffin segreant:

http://en.wikipedia.org/wiki/File:Downing_Crest.svg

0
0
Yes Me
WTF?

history of the Guardian

"history of the Guardian. It was formed and funded by "liberals" with the sole aim of..."

Huh? It was "formed" by the Manchester Guardian, founded in 1821, which had achieved national circulation (unlike *any* other paper from outside London), relocating to London and dropping the "Manchester". In 1821 it was indeed "liberalist" but that meant opposing government oppression such as the Peterloo Massacre. The founders were for democracy and free trade.

It was however the first British newspaper to print the word "fuck" after Kenneth Tynan used it on live TV.

10
1

Microsoft Patch Tuesday: The '90s called. It wants its 'Ping of Death' back

Yes Me

Our country will be the very last

It's an odd assertion anyway, given the amount of IPv6 activity in the US.

Also, "over-engineering" is a pretty vague slur. At this point in history, IPv4 is horribly over-engineered (just look at how load balancing works, for example).

0
0
