160 posts • joined 11 Mar 2008
Re: Fuck a duck...
Dark matter, apparently.
Re: Goto considered harmful
"if you're forbidding it's use because people can make mistakes..."
You're dead right there. Otherwise we'd have to ban the apostrophe.
Re: This was probably the whole intent
In my case opting out of junk mail has had ZERO effect on the junk mail, but has nevertheless successfully opted me out of NHS circulars, or so it would appear.
So much for that excuse, then.
Re: The BBC tells us what's really happening
The point I was making is that a scientist shouldn't tell you what the evidence is going to show when they've just said they don't have that evidence. They should wait until they have the evidence, then see what it indicates. At least, that's the way I was taught to do science.
But I think it nicely illustrates the do-you-or-don't-you dilemma between attributing unusual weather events to climate change. Beneath every supposedly objective scientist there's a political animal that wants a certain outcome and wants to make that link, as sneaked out here. I'm not saying it doesn't happen on both sides, as it clearly does.
The BBC tells us what's really happening
Here's what the BBC had to report recently from a "climate expert" (Prof Jennifer Francis) on the subject of whether the jet stream is changing:
"Our data to look at this effect is very short and so it is hard to get a very clear signal.
"But as we have more data I do think we will start to see the influence of climate change."
Spot any science here? Yes, it's in the first statement and it says "there is no scientific basis on which to make a claim about climate change". Then she makes that claim about climate change that she has just told us has no scientific basis.
So even the experts don't know what to make of it, but they sure know what they'd LIKE to make of it!
Re: Yes indeedy
My understanding is that you can't pick any old pattern. It has to be every number, or every second number, or every third, etc. But that's just from Wikipedia.
Re: Alternatives are available
Tough. I'm allergic to the stuff, so it'll have to be banned I'm afraid!
Continuous ink supply systems...
...are good things to have if you've a little technical skill to set them up, so it's worth seeking out a printer that'll take one. I'm currently using a Canon MG5250 with a CISS and ink is now effectively so cheap I don't have to worry how much I print.
The downside is the cost of the CISS (about £50 when I bought it) and the fact you'll need a new one if you change printers. So I'm planning on getting an identical printer as a spare.
Re: Somebody put it far better than I could...
You just need to remember that he's more interested in facts being interesting than in being correct.
Re: Who cares who is first to photograph?
I always thought the IAU (www.iau.org) was the arbiter of astronomical discoveries. As the article mentions a "telegram" (remember those?) I assumed this was the official announcement because telegrams used to be the way it was done. Maybe it still is.
However, I couldn't see anything obvious about it on the IAU website.
Re: Sorry, computers are all down
Lettuce spray we can contain the threat then!
Re: "Lawfully collected"???
It may be legal in the US for the NSA to snoop on Brits. But who made it legal in the UK for a foreign power (the US) to snoop on us without a warrant issued in the UK (and the same applies to every other non-US country)?
It seems to me that if the NSA has taps into infrastructure in UK territory, then they are breaking UK law. In that case, the likes of GCHQ should be involved in searching out these taps and turning them off. After all, who do GCHQ work for, us or the NSA?
Much the same should be happening in all other countries as well.
Even if found guilty...
I'd rather have the courts decide what punishment to set. If they decide the miscreant needs to be named and shamed on Twitter, then by all means let the police do it in the name of the court.
But otherwise, this is the police deciding what punishment should be applied and that's not a good direction to be heading in. Before I'd be happy with that, I'd want to see this overwhelming public support translate itself into legislation that authorised the police action.
Even then, I'd want people to have the option of accepting it as a punishment (although obviously it'd be a pretty weak one on its own) or going to court to challenge it - much like on-the-spot fines.
Practice makes perfect
Anyone who plays a musical instrument will know there is an analogous musical problem. Some musical phrases can be especially hard to play for some reason - maybe because the moves are awkward or maybe because they're just unlike anything else you've played before.
Anyway, you can't just label them hard and not play them. The solution is practice. Play them over and over as slowly as you need and eventually you'll find they come naturally. It can sometimes take a while, though.
The same is true of tongue-twisters. Repeat them over and over sufficiently slowly to get them right each time and after a few days (on and off) you'll find they become quite easy. Try it...
And I suppose...
...this is "all within the law" (TM).
So did the UK government know the US was hacking our computers on a grand scale? If so, under what UK laws did they allow it to continue and was GCHQ involved? If they didn't know, then why not?
But wine is commonly brewed today in tanks that are basically like covered swimming pools, dug into the ground and lined to make them watertight. I dare say the ancients could have mastered that technology.
Like knitting with light
Backdoor or Trojan?
I'd describe it as a backdoor if someone writing the official software sneaked in some unofficial code. If it sneaked itself in, then it'd be a Trojan. Injecting code into an already present file isn't exactly news, though. That's what viruses do, hence their name.
Yes. Just do it!
...our first glimpse of dark matter.
Re: Classic bait and switch coming up....
But it only takes one person to compare the files instead of the checksums and the game's up.
Use two rival teams
I think you need to give the job to two teams who are in competition with each other. Ideally, to two security researchers with big egos and reputations to defend.
That way, neither has any incentive to overlook something at the request of the NSA. If they do that, and their rival doesn't and spots the backdoor, then they will be shown up as either incompetent or corrupt.
It's the only way to be confident they do a proper job.
Re: Definitely a bad choice of name
"Anyone thinking 'Dark' automatically means 'nefarious' and nothing else is simply projecting their world view for everyone to see."
I was thinking rather more of the world view already projected by the media. We already have "Dark Web" as a meme which allows them to stigmatise anonymous communication with underworld associations. Conflating Dark Mail and Dark Web doesn't strike me as something that'll be beyond the limited imagination of the Daily Mail.
The thing that'll stop this push towards proper internet security and anonymity is that something cool and popular (but inadequate) will take over instead, because people will learn what to use from their mates who read publications that are, err.., even more cool and popular than El Reg.
"Dark Mail" doesn't say cool and popular to me.
Where are the marketing people when you really need them?
Definitely a bad choice of name
If they can't see that this will immediately put off 90% of potential users with its implications of underworld activity, not to mention provide a perfect target for the press, then they're well out of touch.
Re: How can a judge overrule a constitution
Presumably he just ruled that the seizure wasn't unreasonable.
Re: Paying for it.
Or maybe from the billions they get from the US government for giving away free open-source software?
That sort of review might not end up being very independent, might it?
Re: Unnamed qualified professionals vs amateurs?
This is a very good point. I think everyone agrees that open source is now the only way one can potentially gain any assurance of no backdoors. But you still need to look very closely at the code and how it behaves - and, of course, you also need confidence in the audit process itself.
So a program to publicly audit key pieces of FOSS for security weaknesses looks like a good way to go and Truecrypt is certainly a good test case. But I think the real work that needs doing next is on the auditing procedure.
How do you produce a public audit process that is itself secure against possible attempts to infiltrate it and overlook security weaknesses? I suggest you probably need at least two independent and well-known (and trusted) experts, probably with support, to produce independent and public reports. Then you may need a separate independent committee to review those reports and draw attention to (and investigate) any discrepancies.
I see the involvement of many people as being essential in building a web of trust that can't be easily subverted. We should perhaps start to see support for auditing security software as being just as important as supporting the writing of the code. If we had as many people doing the former as the latter, we wouldn't be in this mess.
At the same time, we'll no doubt continue to rely on penetration testing by individual security researchers, as we know that regularly turns up obscure ways to defeat security. The idea of a bug bounty is a good one here, I think.
Just some random ideas, really, but I think this is a key area of trust that urgently needs attention.
Aren't our laws great??
I like the way there's a "victim's surcharge" for those whose personal data use hasn't been registered.
I suspect for the true victims the risk to their personal data is the least of their worries.
Re: Think about the copyright
OTOH, it might be a case of impersonating a police occifer.
Actually, it's by no means that simple. At the wavelengths absorbed by CO2 the Earth's atmosphere is optically thick. This means that the radiation occurs from the top of the atmosphere, so it's the temperature "up there" that matters.
What happens is that the radiation surface "up there" moves up to a higher level in the atmosphere so it has a larger area and can radiate more heat. The temperature change at ground level results from the vertical temperature gradient in the atmosphere (the lapse rate) combined with this effectively increased depth of atmosphere. The lapse rate, in turn, is determined by the rate at which heat can be transported upwards through the atmosphere, largely by non-radiative processes like convection.
Both this heat transport and the original greenhouse effect are also greatly affected by water vapour content, which depends mainly on temperature. Indeed, this is one of the main "feedback" effects.
Of course, at other (non CO2) wavelengths, radiation leaves from lower down in the atmosphere and the situation is more like you assume. But in reality, the whole thing is pretty complicated and not very amenable to a back-of-the envelope calculation.
If I had to put money on where the models are wrong (because I believe they probably are) it would be in the area of cloud cover, which is a poorly understood but very important area of feedback. Anything that significantly increases cloud cover as CO2 rises could easily negate any warming effect.
So... a sort of Dad's Cyber Army then?
"Don't tell them your password, Pike!"
"Er, I think I may have left it on the train, Mr. Mainwaring, sir."
"What's that you've got there, Corporal Jones?"
"It's a packet sniffer sir. They don't like it up 'em. Not up their backdoors they don't, sir!"
Oh, the fun we're going to have with this one ;-)
I think you'll find...
That "dog's bollocks" means that something is very good. The term is rarely used when referring to government.
Probably you meant "pig's ear".
I can't really see how phone data is any more anonymous than ANPR data (as El Reg asserts). You can anonymise either set of data by (for example) replacing the car registration number or the phone number with a simple counter - such that the mapping isn't known to whoever buys the data.
Where the problem lies with both systems is that we only have someone's word that this is being done properly. And we all know how "misteaks" can happen.
Re: the NSA was one of several contributors
No. If someone is found to have been conspiring to corrupt a process, you can't just go over their work again with a finer comb. They have a resource advantage after all. You need to exclude their contributions entirely.
Re: Simple h/w device?
There are some resources here to make use of devices you may already have (like a sound card):
Re: Linus is correct in both form and substance.
But on Linux, /dev/random is supposed to produce *true* randomness, with full entropy. Its output should be completely unpredictable by an adversary who even knows the exact state of the rest of your system and all the past output. There is no scope for pseudo-randomness or imperfect entropy in /dev/random. If you try to read random bytes and there isn't enough entropy, it must block.
If you want a non-blocking source of randomness, you read /dev/urandom instead, which uses a pseudo-random number generator seeded from /dev/random. So the quality (true randomness) of the entropy harvested for use in /dev/random IS critically important. If the sources used don't have full entropy, you need to "condition" the data before use, which is a way of concentrating its entropy. For example, you might want to take the "random" CPU data in 1MB chunks and hash each of those down to 64 bytes. Then you could be more confident of having truly random bytes.
Let me explain why this is important. If you use a pseudo-random number generator (PRNG) to generate a key with a fixed seed, your random numbers obviously won't fill the keyspace* - because it will only ever produce one output sequence. But what people don't seem to realise is that if you seed it with "random" numbers that don't have full entropy, the output *still* won't fill the keyspace. It may look perfectly random and be unpredictable, but an adversary who understands the PRNG well enough doesn't have to search the entire keyspace equally to discover the key.
So you need to be exceptionally paranoid about /dev/random.
*By which I mean that the probability of each possible sequence of output bits won't be equal.
Re: Linus is totally wrong
I agree you should use a proven algorithm rather than making your own, but I think you've missed part of the point here. A mathematical algorithm can only produce pseudo-randomness. It still needs to be initialised to a non-predictable value otherwise all computers will generate the same pseudo-random sequence (as I think Android was recently found to be doing).
So good cryptography also depends on a source of true randomness for seeding the mathematical algorithm (and also for re-seeding it occasionally just in case someone spots the pattern). On Linux, /dev/random is the standard place to go to get that "true randomness". So you don't have a choice here. You can't rely on a mathematical formula. You have to have true randomness derived from a physical, non-algorithmic source.
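An added illustration of the entropy argument made in the two posts above (this is example code written for this page, not code from the posts, from the Linux kernel, or from Android). It assumes nothing about /dev/random itself and never reads it: `weak_sampler` is a constructed stand-in for a poor physical noise source, Python's `random.Random` stands in for a deterministic PRNG whose algorithm the attacker knows, and the names `key_from_seed`, `recover_key_by_seed_search`, `condition` and `usable_entropy_bits` are all hypothetical helpers defined here. It shows two things: a key derived from a PRNG seeded with only a few bits of "randomness" is recovered by enumerating seeds rather than keys, and hashing a large raw block down to a short output concentrates the entropy the raw block already had but cannot add any.

```python
"""Added example for the /dev/random discussion above; not code from the
original posts. All inputs are constructed and the sampler is deliberately weak."""
import hashlib
import math
import random
import secrets
from collections import Counter

KEY_BYTES = 16  # a 128-bit key: the keyspace is 2**128


def key_from_seed(seed: int) -> bytes:
    """Derive a key from an integer seed with a deterministic PRNG.
    Mersenne Twister is a simulation PRNG, never a CSPRNG; it is used here only
    because its output is reproducible from the seed, which is the whole point."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def recover_key_by_seed_search(target_key: bytes, seed_bits: int):
    """Adversary model: knows the PRNG and knows (or guesses) that the seed
    carried only `seed_bits` of entropy. Instead of searching 2**128 keys he
    searches 2**seed_bits seeds. Returns (seed, attempts) or (None, attempts)."""
    for seed in range(1 << seed_bits):
        if key_from_seed(seed) == target_key:
            return seed, seed + 1
    return None, 1 << seed_bits


def weak_sampler(n: int, rng: random.Random) -> bytes:
    """Constructed stand-in for a poor hardware source: the low bit of each byte
    is a fair coin flip, the other seven bits never change. Each byte looks
    'random' but carries at most 1 bit of entropy, not 8."""
    return bytes(0x40 | rng.getrandbits(1) for _ in range(n))


def min_entropy_per_symbol(samples: bytes) -> float:
    """Min-entropy estimate from the observed byte distribution: -log2(p_max).
    This is the conservative figure for an attacker who guesses the most likely
    symbol first."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def condition(raw: bytes, out_len: int = 32) -> bytes:
    """'Conditioning' as the post describes it: hash a large block of raw
    samples down to a short output. A hash cannot create entropy; it only
    concentrates whatever the raw block already carried into fewer bytes."""
    return hashlib.sha256(raw).digest()[:out_len]


def usable_entropy_bits(raw: bytes, out_len: int = 32) -> float:
    """Upper bound on the entropy of condition(raw): total input entropy
    (assuming independent symbols) capped by the output width in bits."""
    return min(len(raw) * min_entropy_per_symbol(raw), 8 * out_len)


def proper_key() -> bytes:
    """What a key should come from: the OS CSPRNG, seeded from the kernel's
    entropy pool rather than from anything an attacker can enumerate."""
    return secrets.token_bytes(KEY_BYTES)


def demo() -> dict:
    # 1. A 'random' seed with only 14 bits of entropy: the 128-bit key falls
    #    in at most 2**14 attempts, nowhere near the 2**128 its length implies.
    seed = 12345
    key = key_from_seed(seed)
    found, attempts = recover_key_by_seed_search(key, seed_bits=14)

    # 2. Raw samples at ~1 bit/byte. 32 raw bytes hashed to 32 bytes carry at
    #    most ~32 bits however random the digest looks; 4096 raw bytes hashed
    #    to 32 bytes saturate the 256-bit output.
    src = random.Random(2024)  # deterministic stand-in for the noise source
    short_raw = weak_sampler(32, src)
    long_raw = weak_sampler(4096, src)
    return {
        "recovered_seed": found,
        "attempts": attempts,
        "bits_per_byte": min_entropy_per_symbol(long_raw),
        "short_block_bits": usable_entropy_bits(short_raw),
        "long_block_bits": usable_entropy_bits(long_raw),
        "conditioned_len": len(condition(long_raw)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `usable_entropy_bits` is the caveat the second post makes: conditioning is only useful if you feed the hash enough raw material that the input entropy exceeds the output width. Hashing 32 low-quality bytes into a 32-byte digest gives you a perfectly random-looking key that an adversary can still brute-force by enumerating the raw inputs.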
All that extra traffic is probably doing wonders for your anonymity.
I think we're missing the obvious
This traffic is all down to the member for Scunthorpe.
Doesn't this stuff make encryption potentially more secure for those who know what they're doing?
If there are biases in (say) how people choose keys, or in the plaintext, that can be exploited, then an attacker will be using methods that search for the most likely cases first.
So if you are able to choose keys or plaintext that are statistically unlikely (as far as the attacker's knowledge goes), then it's likely to take the attacker longer to crack the encryption than if he used unbiased techniques.
It's a bit like trying to choose lottery numbers that no-one else will have chosen, in order to get a bigger payout.
Re: Time to grow up
I don't think anyone is saying you don't need a security service. They're just saying you need to keep it under control.
Re: gnu indent is your friend
Nah. Displaying a logical document structure in a variety of interesting ways is what CSS is for. I'm sure it'd work.
Keep it simple.
Water vapour is the most powerful greenhouse gas, but it is usually not described as such by climate scientists. This is because they regard any changes in its concentration as being driven by changes in CO2 concentration. So it's not an independent player.
The thinking is that atmospheric water vapour concentration simply depends on atmospheric temperature, because water evaporates and condenses continually (whereas CO2 doesn't). So changes in CO2 concentration drive changes in temperature which drive changes in water vapour, which cause more heating. The feedback isn't strong enough to run away, but may be strong enough to amplify the original effect of CO2 changes. Estimates of the amplification factor vary.
So both sides are right on this issue. Water vapour is sort of irrelevant if you accept the simple feedback model as it's just a slave to CO2. But it's also a potent greenhouse gas. That means that if your simple feedback model is wrong, then the error you make could be quite big.
In my view this issue still isn't settled yet. Water vapour affects things that aren't perfectly understood by a long way - cloud cover probably being the most important. So I'm still on the fence over this one. I wouldn't be surprised to see new feedback effects involving water being found that change the conclusions.
Just trying to advance the debate a bit to scientific issues (instead of name calling), you understand!
Re: asdf Wake up call
Plus you may not be a political activist yourself, but you could well stand to benefit from the efforts of those who are. And they may well have something they quite legitimately wish to hide from the government. Giving the government blanket powers to suppress opposition, which is what this is all about, disadvantages everyone in a democracy.
The tech solution
Is banknotes printed on paper that's a foldable display with an embedded chip. Then your wallet can download whatever pictures you prefer to display on the notes you own.
Oh and Google can track all the money - and use the data it's gathered on you to put an advert underneath.
Re: 5 minutes with a screwdriver...
"I think I'll go AC on this, as I also DIY electrics.......and all the other things that the stateist nazis say I shouldn't."
You might want to check your council's building control website for an update then. The rules changed in April and a lot of what you weren't previously supposed to DIY without nanny's supervision is now OK again. Unless you're installing stuff near a bath, shower, swimming pool, etc. you're probably not breaking the rules any more.
Of course, relaxing the rules hasn't seen nearly as much publicity as when they were introduced in 2005. That's mainly because the electricians' bodies aren't nearly so keen on things going back the way they were. I wonder why?
Re: How naive!!
The rather transparent attempt by the PM to conflate this type of filtering with the blocking of illegal child pornography (which already happens of course) in order to justify it also raises suspicions.
One should actually ask why those cases he cites (of child molesters having access to child pornography) weren't prevented by the filtering already in place. In an ideal world, members of the press would already have asked him that question in public, but these days it's beyond them it seems.
And speaking of conflation, did anyone notice how Cameron conflated Google with ISPs when he claimed that "internet companies" are responsible both for finding information and delivering it to you? So that ISPs have to be held accountable for the content.
I'd have loved to see (say) Jeremy Paxman interview Cameron and point out that Google and Virgin are actually different companies. The idea of Cameron having to wriggle out of that on a subject he knows sweet FA about is quite appealing. Oh, well, we can dream...
Still to be convinced there's an easy solution
I doubt this issue is going to spawn a new huge market, but it could well get enough interest to substantially increase the sales of security companies, which is presumably what this AVG spin is all about.
But then you have to trust AVG, or whoever you go with. So now they're no. 1 target for NSA infiltration. Ultimately, I don't see the proper solution being reached by going down that route unless the security firms can find some sort of distributed trust system that doesn't give them any privilege. But that's probably incompatible with the profit motive. So I'm inclined to think FOSS is pretty much essential here. Too bad that generally fails so badly on ease-of-use.
Even with end-to-end encryption - if it can be made practical for the novice - metadata and traffic analysis is still way too powerful to be ignored. Unfortunately, the options here are pretty limited. Re-mailers, VPNs and the like all place trust in those providing the service. Various dark nets have addressed the issue in a distributed manner but nothing of much practical use seems to have emerged. Tor is perhaps a borderline exception, but I don't think it handles most messaging requirements too well (not even email). Also, the fact it hasn't already been shut down makes me think the security services aren't too much troubled by it.
Possibly that might change if Tor were to become large enough that it's impossible to observe enough of it to draw conclusions, but that's unlikely to happen as, being FOSS, ease-of-use isn't exactly high. Possibly if someone were to market a small Tor appliance that would plug into a home router, though, that might make a difference to take-up.
But on the whole, I'm not optimistic that this whole snooping issue will lead to anything more than a whole lot more bloat in existing security suites.
Re: The MAD question
Well if you've been dumbed-down sufficiently by long-term consumption of BBC content maybe that'd make sense to you.
But the value of the nuclear project actually lies in the fact the enemy doesn't know what's written in the letter.
It's, like, game theory, innit?
Re: Violent Sites Included
Hmm, well the protect-the-kiddies content filter that came on my wife's phone (and was on by default) also blocked alcohol-related sites. So her first attempt when on holiday to locate a good pub for a meal was singularly unsuccessful.
Never mind, I'm sure the government don't have a thing about alcohol.
Oh, hang on...