* Posts by Justin Pasher

44 posts • joined 13 Aug 2008

Oz bank in comedy Heartbleed blog FAIL

Justin Pasher

Re: Apache & OpenSSL

They *could* have been using GnuTLS instead, but considering the extra work involved in doing that as opposed to installing the distro packages, that would be extremely unlikely.

The state of open source SSL libraries is a pretty sad affair right now. OpenSSL is the "de facto" standard mainly because it's been around for so long, but the code is so big and cumbersome, there's not a single person that knows everything about it (or probably even a large percentage). GnuTLS isn't really much better. I've read on some sites where developers dislike the GnuTLS code just as much (if not more) than OpenSSL.

Debian uses GnuTLS for some services (OpenLDAP is the first to come to mind), but they did that because of the licensing issues with OpenSSL (GnuTLS is LGPL).

Apple is IMMUNE from Heartbleed, it says. But don't check if it's true

Justin Pasher

Re: The reported version of openssl is 0.9.8 so that'll do me.

OpenSSL 0.9.8 is not "dead". Yes, it's the older branch, but it still receives major security fixes. Many systems still utilize it because it's been around for so much longer than the 1.0.x series, so it (should be) more stable.

The biggest disadvantage of the 0.9.8 branch is that it doesn't support the newer cipher suites.

Call of Duty 'fragged using OpenSSL's Heartbleed exploit'

Justin Pasher

Re: My thoughts exactly

I understand that the potential risk is there (and theoretically everyone COULD have already had their information exploited) and there's no way to know for sure, but the problem is the media is essentially going straight to the "doomsday" scenario when the odds are it's not nearly that extreme. However, now that world+dog knows about the exploit, I'm sure a lot more attempts are being made to capitalize on it (as evidenced by other sites mentioned by another ElReg article).

I'm not saying it would be a bad idea to change critical passwords for the sites you access, but once the majority of the big providers have patched their servers, a lot of this will blow over and the majority of people will be unaffected, IMO.

Justin Pasher

My thoughts exactly

"The flaw is potentially among the most damaging ever to surface on the web but there's been little evidence that it has been widely exploited so far - leading some security experts to say it's been overblown"

The media has severely sensationalized this. The actual compromised data can range from "move along, nothing to see here" to "hide your kids, hide your wife, hide your husband"*. For the majority of the people seeing the reports (read: non-technical people), they are receiving the message that "The world is collapsing and nothing is safe. You have been compromised, change all of your passwords, PINs, combination locks, dead bolts, alarm clocks, dog's name, etc"

Yes, the *potential* for your secure data to be compromised is there, but most likely, the majority of people are just fine. It's hard to imagine that if this particular exploit was in wide use in the "hackers" underground that it wouldn't have surfaced much sooner. Think about it: the main thing the crooks want are usernames, passwords, credit cards, etc. If they've compromised those, I think you would have noticed before now.

It doesn't mean the IT departments around the globe shouldn't have due diligence patching what they can (at a minimum the OpenSSL libraries and rekeying SSL certificates where feasible), but it's not exactly "the sky is falling" scenario that is being presented.

* http://youtu.be/EzNhaLUT520?t=59s

Running OpenSSL? Patch now to fix CRITICAL bug

Justin Pasher

Not exactly...

"This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content"

This is a little misleading. There's no GUARANTEE that private keys were compromised, although it's possible (and should be assumed as a precaution). It just all depends on what happened to be in the memory location that was leaked. However, statistically the number of instances where this is true is going to be much smaller than the ones where it is not.

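The "depends on what happened to be in the memory location that was leaked" point is exactly what the bug mechanics look like, so here is a small Python model of it. This is an added example, not code from the article or from OpenSSL: the record layout follows RFC 6520 (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding), the pre-patch and post-patch handlers mirror the logic of the unpatched and 1.0.1g code in plain Python, and PROCESS_MEMORY is a constructed stand-in for whatever sat in the heap after the record. Whether a private key or only junk comes back depends entirely on that constructed buffer, which is the point.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for the heap contents after the incoming record: a session
# cookie and a fragment of a private key. In a real process this is unpredictable.
PROCESS_MEMORY = (
    b"session=abc123; user=alice\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\x00"
)


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat body: 1-byte type, 2-byte payload_length, payload, padding.
    claimed_length is what the peer *says* the payload is; it need not match."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(record: bytes, memory_after_record: bytes = PROCESS_MEMORY) -> bytes:
    """Pre-patch logic: trust payload_length and copy that many bytes starting at
    the payload, running past the end of the record into neighbouring memory."""
    heap = record + memory_after_record            # record followed by adjacent allocations
    _hb_type, claimed = struct.unpack("!BH", heap[:3])
    payload = heap[3:3 + claimed]                  # the over-read
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * MIN_PADDING


def patched_heartbeat(record: bytes, memory_after_record: bytes = PROCESS_MEMORY):
    """Post-patch logic: check the claimed length against the real record length
    and silently discard the message when it does not fit."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    _hb_type, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None                                # the bounds check that was missing
    payload = record[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload + b"\x00" * MIN_PADDING


def leaked_secrets(response: bytes) -> list:
    """Which of the constructed secrets made it into a response."""
    return [s for s in (b"session=abc123", b"BEGIN RSA PRIVATE KEY") if s in response]


if __name__ == "__main__":
    malicious = build_heartbeat(b"hi", 0x4000)     # 2 real bytes, 16384 claimed
    print(leaked_secrets(vulnerable_heartbeat(malicious)))
    print(patched_heartbeat(malicious))
```

Run it with an honest length (claimed 2 for b"hi") and both versions echo the two bytes back; run it with 0x4000 and only the unpatched version answers, carrying up to 16 KB of whatever followed the record. Replace PROCESS_MEMORY with zeros and the same request leaks nothing, which is why "keys were compromised" is a possibility to assume rather than a certainty.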
Google grabs Gmail-using HTTPS refuseniks and coats them with SSL

Justin Pasher

It's Secure*

"Every single email message you send or receive ... is encrypted while moving internally"

Yup. Gotta be clear about that little point. INTERNALLY. Once it leaves their server, all bets are off.

Justin Pasher

Re: Pissing Tiscali...

Eh?

imap.googlemail.com and imap.gmail.com both support IMAPS (port 993).

Microsoft closing in on Apache's web server crown

Justin Pasher

Re: Apples & Pears

My thoughts exactly. I think it's pretty rare and unique circumstances that make someone run nginx as their primary web server software (at least at the present time). It would typically be a front end/proxy for another server instance. Imagine if Varnish identified itself as the "web server" instead of passing through what was behind it.

All in all, I don't think it really matters what web server someone is running, as long as it gets the job done and you can configure things correctly and securely. Even if IIS jumped over Apache, does that mean Apache will die off? Of course not. Now if PCI compliance checking companies started saying stuff like "well, you need to be running the top web server in order to make things secure", then we'd start having problems.

MtGox has VANISHED. So where have all the Bitcoins gone?

Justin Pasher

Re: Were people really stupid enough to use MtGox as a bitcoin wallet

And this is where I get confused. Was MtGox not (supposed to be) used just as sort of an escrow service that facilitated the transfer of bitcoins from one address to another? I'm only moderately versed in how bitcoin operates, but you only need the private key to send money from one address to another, so why would you ever give the "keys to the kingdom" away to someone else? I would think the process was "pay X bitcoins to a MtGox address, they take a cut, then send the payment along to the person that bought it".

Did it operate differently where MtGox was the judge, jury, and executioner for your wallet?

Super Bowl's SUPER BALLSUP: CBS broadcasts Wi-Fi password

Justin Pasher

Rubbish?

"Just to add insult to injury, the password was rubbish, featuring the word "welcome" with a few numbers."

The password displayed was w3Lc0m3!HERE

12 characters long, mix of uppercase, lowercase, numbers, and symbols. Decent entropy (number seems to vary depending on what site you ask).

You may not think it's as secure as LnzujrfAI5489u!#$a832PT, but rubbish? I wouldn't go that far.

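The "number seems to vary depending on what site you ask" part has a concrete reason: strength meters estimate entropy in two different ways. As an added example (not from the article or the comment above), the Python below computes both for the broadcast password. charset_entropy_bits is the naive estimate most meters show (length times log2 of the character classes present); pattern_entropy_bits is the cracker's-eye estimate, which undoes casing and common leet substitutions and then charges only log2(wordlist size) for each dictionary word it finds. LEET and WORDLIST are constructed and tiny; a real cracking wordlist has 10^5 to 10^7 entries, so each matched word is worth more bits there than here, but the structure of the estimate is the same.

```python
import math
import re

# Common leet substitutions undone before dictionary lookup. Constructed, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a cracking dictionary.
WORDLIST = {"welcome", "here", "password", "hello", "world"}

PRINTABLE_ASCII = 95


def charset_entropy_bits(pw: str) -> float:
    """Naive estimate: each character drawn uniformly from the union of the
    character classes present. This is what most online meters report."""
    if not pw:
        return 0.0
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33          # printable punctuation
    return len(pw) * math.log2(size)


def pattern_entropy_bits(pw: str, wordlist=WORDLIST) -> float:
    """Cracker's-eye estimate: lower-case, undo leet, then greedily match dictionary
    words (longest first). A matched word costs log2(|wordlist|) plus one bit per
    substituted character and one bit for the casing choice; anything that is not
    part of a word is scored as a random printable character."""
    lower = pw.lower()
    norm = lower.translate(LEET)
    word_cost = math.log2(len(wordlist))
    longest = max(len(w) for w in wordlist)
    bits, i = 0.0, 0
    while i < len(pw):
        for k in range(min(longest, len(pw) - i), 0, -1):
            if norm[i:i + k] in wordlist:
                span = range(i, i + k)
                bits += word_cost
                bits += sum(1 for j in span if lower[j] != norm[j])       # leet substitutions
                bits += 1 if any(pw[j].isupper() for j in span) else 0    # casing choice
                i += k
                break
        else:
            bits += math.log2(PRINTABLE_ASCII)
            i += 1
    return bits


if __name__ == "__main__":
    for pw in ("w3Lc0m3!HERE", "LnzujrfAI5489u!#$a832PT"):
        print(f"{pw}: charset {charset_entropy_bits(pw):.1f} bits, "
              f"pattern {pattern_entropy_bits(pw):.1f} bits")
```

For w3Lc0m3!HERE the two estimates differ by roughly a factor of four; for the random-looking string the two agree, because nothing in it normalises to a dictionary word. Which number a site shows you is a matter of which model it runs.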
KCOM-owned Eclipse FAILS to cover up the password 'password'

Justin Pasher

Re: Login without knowing password is entirely possible

It's easy to retrieve the auto-complete password just with a javascript snippet after it's been autofilled by the browser.

Rap for KitKat in crap app wrap trap flap: Android 4.4 is 'meant to work like that'

Justin Pasher

Terminology confusion

El Reg seems to be confused with the term "deprecated". If NARROW_COLUMNS and SINGLE_COLUMN were deprecated, they would still work properly, just with no guarantee they would work in the future. According to the Android development page, the feature was completely removed, not deprecated.

Without researching, I'm not sure if they previously deprecated these features, but if they didn't, it's a little brash for Google to remove an important feature out of the blue without any warning.

Lifesize, driveable AIR-POWERED LEGO CAR hits the road

Justin Pasher

Well that didn't take long

Hmmm... It sure didn't seem to take long for the [censored] to catch wind of this dangerous new technology and deploy a drone to investigate and/or possibly destroy it.

Winamp is still a thing? NOPE: It'll be silenced forever in December

Justin Pasher

Re: useful features

Check out foobar2000. I switched away from WinAmp a few years ago and I use foobar2000 for my light playback needs. It supports a lot of the features that people probably use in WinAmp and is much less bloated. It supports most (all?) of the common formats and a few additional ones via the plug-in system (.MOD anyone?). I also use it for WAV > MP3 conversion (interface to lame.exe command line).

Yahoo! starts $1.99 'watch list' to recycle old usernames

Justin Pasher

Security: That's someone else's job

So let me get this straight. Their method of "security" to avoid people getting emails intended for the previous recipient is to make everyone ELSE implement code that lets said third party check to see if an email address has been "valid" since a certain time frame? So basically if said third party does not implement this new Require-Recipient-Valid-Since header in their "ping back" email, it's no different than someone taking control over an email box through some other nefarious means.

What could possibly go wrong?

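For anyone who has to implement the receiving side of the header the comment above mentions, here is what the check amounts to. This is an added example, not Yahoo's code or the article's; the header syntax ("<address>; <RFC 5322 date-time>") and the 5.7.17 "Mailbox owner has changed" status code are from RFC 7293, which standardised the header the year after this was written. MAILBOX_VALID_SINCE is a constructed ownership history: joe@example.com was recycled to a new owner on 15 Jul 2013, ann@example.com never changed hands. The sender asserts the date on which it last confirmed the address; the receiver delivers only if the current owner already held the mailbox at that time.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed ownership history: when the current owner of each mailbox was assigned it.
MAILBOX_VALID_SINCE = {
    "joe@example.com": datetime(2013, 7, 15, tzinfo=timezone.utc),   # recycled address
    "ann@example.com": datetime(2008, 8, 13, tzinfo=timezone.utc),   # never changed hands
}

REJECT_STATUS = "550 5.7.17 Mailbox owner has changed"   # enhanced status code per RFC 7293


def parse_rrvs(value: str):
    """Parse the field body '<addr>; <date-time>' into (address, aware datetime)."""
    addr, sep, date = value.partition(";")
    if not sep:
        raise ValueError("malformed Require-Recipient-Valid-Since")
    when = parsedate_to_datetime(date.strip())
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def decide(headers: dict, recipient: str, valid_since=MAILBOX_VALID_SINCE):
    """Receiving-side check. Returns (deliver, reason)."""
    value = headers.get("Require-Recipient-Valid-Since")
    if value is None:
        # Nothing to evaluate: without the header a recycled mailbox gets the mail
        # unconditionally, which is the weakness the post above points out.
        return True, "no RRVS header; delivered unconditionally"
    addr, since = parse_rrvs(value)
    if addr != recipient.lower():
        return True, "header names a different address; not applicable to this recipient"
    owner_since = valid_since.get(recipient.lower())
    if owner_since is None:
        return False, "550 5.1.1 no such mailbox"
    if owner_since <= since:
        return True, "current owner already held the mailbox at the asserted time"
    return False, REJECT_STATUS


if __name__ == "__main__":
    hdr = {"Require-Recipient-Valid-Since": "joe@example.com; Sun, 01 Jan 2012 00:00:00 +0000"}
    print(decide(hdr, "joe@example.com"))    # rejected: the address changed hands after 2012
    print(decide({}, "joe@example.com"))     # delivered: no header, no protection
```

Note that the protection is only as good as the sender's date: a sender that stamps today's date on every message, or does not send the header at all, gets exactly the pre-recycling behaviour.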
Spotify strikes back at Radiohead - but artists are still angry

Justin Pasher

Adapting to the times

Of course artists should be paid for all the hard work they put into music, but just like music has moved from a physical format to a digital format, the primary source of income for an artist has moved from selling the music to PLAYING the music (e.g. concerts). That's where all the money is going to come from nowadays.

There are probably countless numbers of artists out there that think "I'm just gonna write the songs then let the money pour in from the sales while I kick back." It's just not the way the big boys do it.

Poor iPhone sales mean Verizon could owe Apple $14bn

Justin Pasher

Business as usual (for Apple)

Like them or not, you have to admit that Apple has a pretty slick deal for their phone order contracts (assuming they follow through in some way):

The phone is successful, Apple gets paid

The phone is unsuccessful, Apple gets paid

Suck it Vine: Instagram adds 15-second video clips with fancy filters

Justin Pasher

Must Have Filter

Please tell me one of the filters they have is this:

WARNING: You are shooting your video in portrait format. This is not the standard video format used by every playback device on earth. It will not only look bad, but it will also waste over half the pixel space when viewed in a standard viewing box / monitor / TV / etc. Please rotate your camera 90 degrees. Otherwise ...

Continue?

Yes - Pfft. What do you know about how to hold a phone?!

No - Thanks for helping me become smarter and save the world from yet another poorly shot video clip!

I told you I'd be back: Arnie set for another career revival

Justin Pasher

Standing out

"I'm very happy that the studios want me to be in Terminator 5 and ... I'm also going to do [Conan the Barbarian sequel] King Conan ... and also to do another Twins movie."

Hmmm.... One of these things is not like the other ....

Interwebs taunt Sir Jony over Apple eye candy makeover

Justin Pasher

Keep them away!

I am a former programmer turned IT manager, and I can definitely say one thing:

Keep us away from the design aspect!

It's one thing to IMPLEMENT the design. It's another thing altogether to MAKE the design. It's like the difference between a paint by numbers picture and a blank canvas.

I'm sure hardware designers fall in the same basic category.

US spyboss: Yes, we ARE snooping on you, but think of the TERRORISTS

Justin Pasher

Re: Who'd have guessed it, NSA exceeding their remit

In a lot of cases, they wouldn't even need to go that far. Just look how easy it is nowadays to take a phone number (at least non-mobile) and perform a reverse lookup. Granted, some people will have made the effort to "unpublish" their number or make it private, but most will not.

You want "anonymous" data? Convert each phone number to a one-way hash key. That allows you to "link" the data between two callers but makes it very hard to KNOW who those two callers are.

Then again, what good would the data be to them in that case .... I guess that's why they need a little more than "anonymous" data...

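The one-way-hash idea in the comment above is standard pseudonymisation, and it does preserve linkage; the caveat a practitioner would add is that phone numbers are a tiny input space, so an unkeyed hash can be reversed by enumeration. The Python below is an added example (not from the article or the comment) showing both halves: SAMPLE_CALLS and SECRET_KEY are constructed; plain_hash is the proposal as stated, keyed_hash is the HMAC variant that keeps linkage but defeats enumeration for anyone without the key, and reverse_by_enumeration is the attack.

```python
import hashlib
import hmac

# Constructed call records: (caller, callee, timestamp). The first two share a caller.
SAMPLE_CALLS = [
    ("5125550123", "2025550987", "2013-06-05T14:02:11Z"),
    ("5125550123", "3035550456", "2013-06-05T16:40:52Z"),
    ("2025550987", "5125550123", "2013-06-06T09:15:00Z"),
]

SECRET_KEY = b"constructed-key-kept-off-the-shared-dataset"   # random 32 bytes in practice


def plain_hash(number: str) -> str:
    """Unkeyed one-way hash: the pseudonym scheme as proposed."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_hash(number: str, key: bytes = SECRET_KEY) -> str:
    """HMAC with a secret key: same linkability, but guesses cannot be checked
    against the digests without the key."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, fn):
    """Replace both parties in every record; the same number always maps to the
    same pseudonym, so the call graph survives."""
    return [(fn(a), fn(b), ts) for a, b, ts in records]


def callers_of(pseudonymized, pseudonym):
    """The query the data is kept for: whom did this pseudonym call?"""
    return sorted({b for a, b, _ in pseudonymized if a == pseudonym})


def reverse_by_enumeration(digest: str, area_code: str, exchange: str, fn=plain_hash):
    """The attack on unkeyed hashes. With area code and exchange known there are
    only 10^4 candidates; even the full 10-digit NANP space (10^10) is a short job
    for one GPU computing SHA-256."""
    for line in range(10_000):
        candidate = f"{area_code}{exchange}{line:04d}"
        if fn(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    anon = pseudonymize(SAMPLE_CALLS, plain_hash)
    print(len(callers_of(anon, plain_hash("5125550123"))))                 # 2: linkage works
    print(reverse_by_enumeration(anon[0][0], "512", "555"))                 # and so does reversal
    print(reverse_by_enumeration(keyed_hash("5125550123"), "512", "555"))   # None without the key
```

Whoever holds SECRET_KEY can still reverse the keyed version just as easily, which is the last sentence of the comment above in code form: the pseudonyms are only anonymous to parties that never had the key.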
Oracle to lop off Java's least secure bits to save servers

Justin Pasher

Re: @jerry 4 (toolbars)

I was hoping that the "removal of certain libraries" was a reference to that...

'Extremely sophisticated' Apple settles watery iDevice lawsuit

Justin Pasher

Re: It Just Works

@Velv: Check the article. The settlement only applies to the iPod TOUCH and some iPhones, not all iPods.

Referencing the "never wrong" Wikipedia [1], about 100 million iPod Touches have been sold (including later gen models not covered). It says approximately 250 million iPhone units have been sold (also including later gen models not covered). Granted, with those numbers, the percentage is still pretty small, but 350 million is a lot smaller than 800 million.

[1] http://en.wikipedia.org/wiki/IPod_Touch

First Cook, now Intel bigwig pokes Google in the eye over Glass

Justin Pasher

History will repeat itself

Although I don't (yet) see exactly how well Glass will pan out, here's my prediction

1. Google releases Glass

2. Apple says "that's stupid"

3. A few years pass

4. Apple releases a product that's basically the same with a prettier interface and say they have invented a revolutionary new product

5. Fanbois swoon and flock in droves to buy it.

For some reason, this all sounds so familiar... just ... can't ... put my finger ... on it...

Reports: New Xbox could DOOM second-hand games market

Justin Pasher

Steam vs Xbox game = invalid comparison

Assuming that it is impossible to pirate an Xbox One game (yes, I'm sure it will eventually happen), I don't see why people are missing the most obvious reason why you can't compare something like Steam to an Xbox game:

Once you sell the Xbox game, you don't have it anymore! Period.

With something like Steam, you already have a copy of all the files needed to run the game, so it is MUCH easier to maintain a copy of the game. That's why "reselling" a used game on Steam wouldn't work. You don't have that problem with an Xbox game because you don't have a copy of the game anymore.

Obviously once the hackers figure out a way to rip and play "backed up", the argument becomes moot, but until then, there's absolutely no comparison. There's also really no logical reason in my mind why they shouldn't allow second hand games just like the past (excluding corporate greed, politics, etc).

FLABBER-JASTED: It's 'jif', NOT '.gif', says man who should know

Justin Pasher

Pronouncing acronyms

I'm more confused by the people that feel that an acronym has to be pronounced using the same hard/soft letters as the words it stands for. Using that logic, take these examples:

ASCII - Do you pronounce it uh-ski, since "A" stands for American?

ICANN - Do you call them ih-can, since "I" stands for International?

... just to name a few

T-Mobile US announces 'no BS' rate plans, iPhones, LTE

Justin Pasher

Shake it up

I welcome T-Mobile trying to shake things up in the cell phone market (there's basically no competition in the segment), but I'm a little unsure exactly how much influence they will be able to push. We are almost at the point nowadays where AT&T and Verizon are so big, there's not much that can be done to knock them off their thrones.

iPhone 5S and lower-cost sibling coming this summer?

Justin Pasher

Free with contract?

I find it REALLY hard to believe that Apple would release even the "low cost" version completely free with a 2-year contract. I think $50 or even $100 would be more likely.

One of the big ideas that Apple has touted over the years is the "value" of their product. They don't want to undermine that value by pricing things really cheap, regardless of their actual cost ($100 premium to go from 32GB to 64GB?). That's why you don't see them on sale like other products (although they seem to have relaxed this a little bit over the recent years).

Judge slashes Apple's pile o' cash Samsung judgment

Justin Pasher

Karma

That is all.

Rackspace cuts network bandwidth prices on its cloud

Justin Pasher

"using the open source OpenStack controller and the KVM hypervisor"

Hmmm? Rackspace uses Xen and XenServer as their hypervisor (not KVM), just like Amazon.

Jam today: Raspberry Pi Ram doubled

Justin Pasher

RAM increase for the same price?

Hmmm. I wonder if another fruit-based device manufacturer would argue that you just *cannot do that*.

Police head-cam TV show debuts in US

Justin Pasher

Theme Music

Did anyone else have the tune of Doom E1M1 in their head while watching this without sound?

Motorola Backflip Android smartphone

Justin Pasher

Nice design, poor performance/quality

I bought this phone right after it came out because it was the first Android phone available for AT&T (I really didn't want to get an iPhone). Initially I thought it was great (my previous phone was a Blackberry Pearl from work). However, since this was my first Android experience, I didn't have much to compare it to.

I like the keyboard flip out design. I have always been a much bigger fan of physical keyboards than virtual keyboards, and it seems like more and more Android phones are moving to virtual-only handsets. However, that's about the only thing that really stands out. It has poor video quality, a lackluster processor, and measly storage included. Oh, and it's still stuck on Android 1.5 (and based upon the Motorola timeline, no one knows when 2.1 will *actually* be released in the USA). I personally think they are still releasing it in the USA to avoid a class action lawsuit for falsely advertising that it was upgradeable to Android 2.0. This makes me question how the performance will be. The phone has been rooted recently, and the people that have done it have said good things, but I don't think I want to take the risk (I have to use the phone for work).

Personally, I'm looking at something in the Samsung Galaxy S series, such as the Captivate. My wife recently bought one and it's pretty nice. It has a lot nicer screen, it's much faster, and it already has Android 2.1.

Microsoft justifies lost Office 2010 upgrades

Justin Pasher

Re: Once

"Any clue as to how it does this? Is it a one-time code? Is it implying that a buggered hard disk will result in buying a new copy of Office? A swift "no, thanks" will be offered to them from me."

Make sure you read their new EULA very carefully. The "key card" method of purchase is very similar to an OEM license.

Page 17, Section 3 (Product Key Card Terms), subsection 2a

"a. One Copy per Device. The software license is permanently assigned to the device on which the software is initially activated. That device is the “licensed device.”"

In the past, Microsoft has defined a "device" as being the core component (i.e. the motherboard), meaning that when the motherboard dies or is swapped out, the device no longer exists, and your license is no longer valid. This is why the key card version of the software is cheaper.

iPhone: The OS with big aspirations

Justin Pasher

A hard sell

Considering that Apple would never want to lose money on the hardware end of a system, it sounds like a pretty hard sell to me.

"You get the same hardware as a Mac Mini for $50 less ... and a lot less functionality"

But then again, fanbois will be fanbois...

Opera cuts cord on first open-source baby

Justin Pasher

Out of touch

"The reason to do open source is for marketing purposes"

I can see how knowledgeable they are about the open source community.

Sony seeks 'universal console controller' patent

Justin Pasher

Funny choice of examples

It's funny what example system they mention ... Jaguar. I doubt they would invest money in engineering support for that. Turbographics ... do you mean TurboGrafx? C'mon Sony!

... and Gravis... really? Why not mention the original Pong controller or Atari 2600?

BlackBerry outage blankets North America

Justin Pasher

No big surprise

@Pandy06269: Blackberry makes the devices and they also run the mail servers that handle the "push" traffic (i.e. when you send an email to the address assigned to your Blackberry, such as joebob@tmo.blackberry.net).

On that same note, RIM has always been a little clueless when it comes to properly running a mail server. For example, they had a problem about a year ago (and I'm sure they still do) where they would silently drop all forwarded emails where the original sender was @yahoo.com. If you decide to redirect a copy (M$ Exchange rule) of your incoming email to your @*.blackberry.net address to get them "real time", and the original sender was @yahoo.com, the RIM servers would accept the email, then silently drop it on the floor. After multiple hours on the phone with their clueless "tech support" people, along with countless mail logs proving they accepted the emails, the problem was never fixed (luckily the person experiencing the problem has moved to an iPhone that syncs directly with Exchange).

I personally think it's all a scam to try to force the users to buy their stupid Enterprise Server software.

RockYou admits security snafu exposed email login details

Justin Pasher

Hypocrites... or just plain stupid

"Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure" ...

Yet they stored passwords in plain text format. There is absolutely NO excuse for that if you "strive to keep them secure". The sad thing is I'm sure there are many other big sites that do the same thing, but the end user would never know about it until something like this happens. I guess too many people think, "Hey, they're smart enough to create this amazing web site functionality, so they MUST know what they are doing!"

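What "no excuse" means in practice: the difference between the plaintext table the article describes and a properly hashed one is a few lines. The Python below is an added example, not RockYou's code or anything from the article. It stores the same password both ways into constructed in-memory tables and shows what a dump of each gives an attacker. PBKDF2-HMAC-SHA256 is used because it is in the standard library; bcrypt, scrypt or Argon2 are the usual choices where a third-party library is available, and the record format here (algorithm, work factor, salt, digest joined by "$") is my own, chosen so the work factor can be raised later without invalidating old records.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def store_plaintext(db: dict, username: str, password: str) -> None:
    """What the article describes: the password itself is the stored record."""
    db[username] = password


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Slow, salted, one-way. The record is self-describing: 'pbkdf2_sha256$iter$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16)        # per-user salt: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(digest)}"


def store_hashed(db: dict, username: str, password: str) -> None:
    db[username] = hash_password(password)


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.compare_digest(actual, expected)


def leak_exposes_passwords(db: dict, known_passwords) -> bool:
    """What a dumped table hands an attacker: with plaintext storage every password
    is readable directly; with hashing the dump contains none of them."""
    return any(pw in db.values() for pw in known_passwords)


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "hunter2")
    store_hashed(hashed, "alice", "hunter2")
    print(leak_exposes_passwords(plain, ["hunter2"]))     # True
    print(leak_exposes_passwords(hashed, ["hunter2"]))    # False
    print(verify_password(hashed["alice"], "hunter2"))    # True
```

The salt is what stops one cracked record from unlocking every other user with the same password, and the work factor is what turns a leaked table from "read it" into "spend GPU-years on it". Neither helps if the password was stored as typed.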
Adobe breaks sound barrier with Flash Player 10

Justin Pasher

Linux fixes

So after all this wait, have they finally fixed the longstanding bug under Firefox/Linux with the flash always appearing on top of other div layers?

Microsoft's Hotmail hybrid struggles to life

Justin Pasher

Real usage?

You mean people actually use hotmail for REAL purposes instead of a spam-box address for bogus forum and newsletter sign-ups?

Mythbusters busted over RFID gagging

Justin Pasher

MythBuster busted

Ahhh, the irony that Adam Savage was wearing his "Make stuff up" shirt in the video from the conference.

Security researchers' accounts ransacked in embarrassing hacklash

Justin Pasher

Security consultants using free email?

Seriously, why is a security consultant using a free email service to send and/or store potentially private documents? Not exactly someone I would like to consult regarding my security.
