* Posts by Charles 9

5712 posts • joined 10 Jun 2009

Webmail password reset scam lays groundwork for serious aggro

Charles 9
Silver badge

Re: How stupid do you have to be?

"How stupid do you have to be to not be even the slightest bit suspicious?"

They could make it more indirect and less suspect by instead saying enter the code at a given site they provide which could be well-disguised and pretty plausible. If they know the mark's e-mail address, they can post the same information that way and make it look even more plausible than the real deal.

1
0

Chrome, Debian Linux, and the secret binary blob download riddle

Charles 9
Silver badge

Re: If you're serious about security

"alternatives to graphical captchas are trivial (what is ten minus four ?)"

Most alternatives that use text can be interpreted by a natural language processor. As in run that CAPTCHA through Google and you're likely to get an answer.

"tabular formats are often *easier* in monospace font"

Not for DYNAMIC content. When HTML was first developed, it was designed for STATIC content. Indeed, how does Lynx handle modern CSS styles where things can be revealed and hidden dynamically, which DOES have practical uses regarding context? Put it this way. I once had to do certain transactions by telephone. And that was my only option as I was away for an extended period, my nearest branch two hours away and I didn't have a car. Compared to that, I consider online banking heaven-sent in terms of practicality.

0
0
Charles 9
Silver badge

Re: We need another rule for free software

Except we're hitting minimum limits on NECESSARY complexity. For example, how can a system effectively manage itself when its vital resources can come from any number of sources, including network-based? And since these things can interrelate, it's harder to just "do one thing and do it well" when that one thing is dependent on other things: things that may not be done so well.

0
0
Charles 9
Silver badge

Re: How can you trust...

"The compiler? Dennis Richie demonstrated decades ago how to propagate viruses through the compiler by making the compiler recognise when it is recompiling itself and then inserting the virus. You can then remove this hack from the compiler source code and it will continue to propagate through every subsequent version of the compiler built by itself or its descendants."

Except someone found a solution. All it requires is one known-safe compiler and then you can cross-compile the source code several times with differing compilers to see if the compiler's tainted.

As for the hardware, microscopy perhaps?

0
0

Mozilla's Flash-killer 'Shumway' appears in Firefox nightlies

Charles 9
Silver badge

Re: vSphere Console

"The console works in Chrome without adding any extra plugins."

Chrome contains an internal Flash unit (Google does this to maintain a fixed frame of security reference). The free fork Chromium doesn't, so you have to install it manually (if at all possible).

0
0

Sprint: Net neutrality means we can't stamp out download hogs

Charles 9
Silver badge

Unfortunately, over-selling is the ONLY way to get customers' attention. They're too jaded to be attracted to any honest advertising.

0
5
Charles 9
Silver badge

But the reason they have to use the Unlimited term is because it's about the only way to attract jaded data-hungry customers. Flat-rate pricing is practically the only way to steal these kinds of customers. Well, that and raw metered rates in the past tended to be highway robbery.

1
1
Charles 9
Silver badge

Re: Pure BS

But that means it's NOT "unlimited" (a rather clear and concise definition). IOW, NO data plan in America should be allowed to EVER use the word "Unlimited," as it AUTOMATICALLY amounts to False Advertising, in violation of federal law. Throttling of any kind, after all, is—by definition—a limit.

12
1

Disk is dead, screeches Violin – and here's how it might happen

Charles 9
Silver badge

"Currently, yeah. I do recall reading something about crystal-based storage technologies being worked on at one university or another a few years back; they were claiming a practically infinite life expectancy (measured in Thorium half-lives or some such equally preposterous unit of time), exobyte-scale capacities and very, very low costs, but glacial read/write speeds. But traditionally, new offline archive techniques haven't really been commercially viable."

That tech has been "around the corner" for nearly 20 years. Australians and Americans may have seen the tech once or twice on an episode of Beyond 2000. From what I can tell, the big problems with the tech have been (a) getting the writing and reading to work together in a precise and reliable manner and (b) media longevity issues that aren't immediately apparent, such as destructive reading and thermodynamic stability (as in most crystals aren't as stable over geologic time as they appear; even diamond isn't that stable).

http://physicsworld.com/cws/article/news/2013/jul/17/5d-superman-memory-crystal-heralds-unlimited-lifetime-data-storage

0
0
Charles 9
Silver badge

"I was also going to point out that both formats pretty much lost out to CD in the end anyway, followed by DVD."

No, both formats lost to the VTR because VTR had a killer feature; it could RECORD shows. When DVD came along around the turn, VCRs hung in there because they could still record. It finally pretty much saw the light when consumer DVD recorders hit the market.

0
0
Charles 9
Silver badge

Re: What about flash foundry capacity?

"At which point, who knows what other technologies will be around?"

Thing is, post-Flash at this point is rather like nuclear fusion: it's been "just around the bend" for well over a decade. It's becoming rather a "I'll believe when I see it" thing. When one or two of them hit mass-market release in competitive capacities, THEN we'll pay attention.

0
0
Charles 9
Silver badge

Re: This will kill X blah blah blah!

"1. Ability to recover data after the drive dies or write cycles have expired (Tests have shown that few if any SSD's allow you to easily recover the data. They should theoretically go into read only mode. But an endurance test done on several brands shows that they pretty much just die and not allow you to access the partitions at all!)."

Because it's not usually the media that breaks on those but the controller. Once that goes, the drive's toast no matter what the tech (even spinning rust is too expensive to reconstruct all but the absolute must-have-to-survive data).

"2. The ability of the device to erase data beyond recovery. Privacy concerns seem to indicate that although it is more difficult to recover data from Flash devices (especially after it has died). The data is actually harder to destroy completely than a simple 'erase' cycle over a hard disk byte value due to over provisioning/garbage collections etc."

But at the same time, unless one is willing to physically go and manually inspect every single chip on the thing (a task not unlike electromagnetic restoration of a platter--see above), there's no way to know what's in what. Furthermore, enterprise-grade SSDs can come with internal full-disk encryption to defeat this technique. If the controller goes (or you order a key change), so does the means to recover the data, making the whole "secure erase" business moot.

0
0
Charles 9
Silver badge

"But in this post cataclysm world, what do we do about long term archiving? Stuff we actually want off-line? Or are we supposed to change our way of thinking and eliminate the concept of off-line storage altogether? (Please no...)"

In terms of archival-class storage, tape still wins. Its physical properties are better suited for the job than any other medium on the market to date. Thing is, it's become so niche that it's basically an enterprise-only solution now. In contrast to the late 90's when it at least had a prosumer solution, which I miss terribly; I would LOVE to have something that can keep terabytes of data safe in cold storage for about 5 years plus (basically long enough that it maintains its integrity until it's replaced with the next evolution). Hard drives are rather iffy at that length of time, and everything else is too small, not reliable enough, or both.

0
0
Charles 9
Silver badge

I think it's a little more than this. LaserDisc may have had the wow factor thanks to its relation to compact discs, but it had genuine technological advantages. For one, since it was an optical medium, LaserDiscs would be left open compared to the caddies of CEDs. It also helped that LaserDisc could keep up with CED (using CLV mode--not as many bells and whistles, but it worked). But neither one took off in the home market because the VTR had one key advantage consumer optical media could not allow until around the time of DVD: it couldn't RECORD. LaserDisc's bacon got saved by the specialty market that could use the disc's more exotic features (like image storage and frame-accurate seeking, exclusive to LD CAV mode) to display interactive video.

0
0

AT&T fined about 3 days of profit ($100m) for limiting 'unlimited' plans

Charles 9
Silver badge

Thing is, other carriers like Sprint and T-Mobile then steal customers by using the word themselves. The only solution is to level the playing field and declare that any "unlimited" plan is automatically False Advertising since there is no way to achieve this within the confines of physics.

2
0
Charles 9
Silver badge

This is why I keep looking to push for an Act that demands that ALL ads of any nature tell nothing but the complete, unvarnished truth, with all claims required to be conservative and all testimonials to be of typical results. The truth, the whole truth, and nothing but the truth so help you $DEITY.

4
0

How to hijack MILLIONS of Samsung mobes with man-in-the-middle diddle

Charles 9
Silver badge

Re: The Fix

That's how you do it. You remount the /etc directory Read/Write, edit the hosts entry, then remount it Read-Only again. That's how programs like AdAway work.

2
0
Charles 9
Silver badge

Re: frame the issue

"At least in the UK, I'm pretty sure you can't declare EOL for a device that you are still selling."

They'll just stop selling them, period. No longer a problem. And they'll argue that since they're no longer selling it, they can't be expected to continue defending them against essentially moving targets: caveat emptor.

0
0
Charles 9
Silver badge

Re: frame the issue

"Just block the domain on your home router?"

Doesn't make sense to block it on the home router. At least YOU have control over it (and if it's pwned, you're screwed anyway since they can poison the DNS lookups).

No, it's best to edit it on the device itself so it doesn't matter where it goes. Since local lookup takes precedence over DNS, editing the hosts file trumps poisoned DNS. Only a direct IP number can beat that, and blocking the update route catch-22's that.

2
0
Charles 9
Silver badge

Re: Wait a minute

No, because all that crud is part and parcel with actually-useful stuff...like Wi-Fi Calling. Trust me, I'd blow TouchWiz in a heartbeat...except for THAT, which is pretty damn essential when abroad.

1
0
Charles 9
Silver badge

Re: frame the issue

Except they probably won't update the 4 or 5. They'll just declare those EOL and their users SOL unless they change over to the 6.

In any event, if you're rooted and can edit the hosts file, can you pothole the update domain?

2
1

LastPass got hacked: Change your master password NOW

Charles 9
Silver badge

Re: Physical security?

And what's to stop a more-sophisticated password cracker looking up books and song lyrics and trying the first-letter approach, complete with leetspeak substitutions? Plus as noted, it gets complicated once you add up the sites. Soon you'll be thinking, "Was it 'correct horse battery staple' or 'staple horse battery correct'? Or was it 'Rosita Chiquita Senorita' or 'Senorita Chiquita Juanita'?" Why do you think "password reset" attacks are becoming more common? The average human brain simply cannot cope, and there's really nothing better on offer that can't be copied or stolen.

1
0
Charles 9
Silver badge

Re: Physical security?

"I sometimes wonder if an ideal password locker would actually be totally in the open, with all the encrypted password files available for open download and inspection by everyone. Maybe the password locker service could even hold an annual "crack the password" competition."

How would you hold such a competition without getting sued up the wazoo for breach of privacy?

0
0
Charles 9
Silver badge

Re: Why did anyone think it was a good idea to have all your passwords stored online?

Because you MUST be able to retrieve it ANYWHERE, ANYTIME, AND you have a BAD MEMORY? Tell me how someone like that can get by.

2
0
Charles 9
Silver badge

Re: The problem with passwords

But you DO. If they break into ONE shite site, they can use that to log onto your other shite sites. Which allows them to build a profile on you that lets them run a believable spear phishing attack on you to get to the higher tiers.

Put it this way. Even the most useless bit of detritus you leave on the Net can be used to cobble together an identity theft.

1
1
Charles 9
Silver badge

Re: OOH OOH!!! I know what the weak point is

"How about using one of the many password keeper programs that can run on all your platforms? Most of them make it very easy to copy your password data between platforms."

Assuming you can actually COPY them, which may not be possible on a platform where local storage is restricted BUT you still need to be able to get the password to the site RIGHT F'N NOW.

As for the paper in the wallet, people have been pickpocketed in the past without their knowledge. AND their memories are bad enough they can't decide if it was "RositaChiquitaSenorita" or "SenoritaPequitaRosita".

0
0
Charles 9
Silver badge

Re: KeePass

KeePass is multiplat with iOS and Android support.

1
0
Charles 9
Silver badge

Re: grim reality

Except there isn't. Especially for people with bad memories.

2
2

Trans-Pacific Partnership stalled says Australian trade minister

Charles 9
Silver badge

Re: "The need for secrecy tells us all we need to know about its intent."

"BTW: These same corporations watered down the packaging laws eons ago, so that any product containing under 1% or close to it, didn't even have to register as Trans-Fatty!"

It's HALF a percent, and even that won't be allowed soon since the very presence of trans fats will be illegal without special exemptions (that will only be allowed on a case-by-case basis).

2
1

It's 2015 and Microsoft has figured out anything can break Windows

Charles 9
Silver badge

Re: Oh, this warms the cockles of my heart

But then you run into that nasty problem of "Who Watches the Watchers?" What protects the anti-malware since its limit on perspective means it can't reliably scan itself (because anything that can subvert the anti-malware can subvert the checks on the anti-malware) AND any external agent repeats the question ad nauseam? In fact, I think you can tie this to Turing's Halting Problem to prove it's impossible.

0
0
Charles 9
Silver badge

Re: Why not just integrate EMET into Windows 10? @Charles 9

Probably because you simply can't fix stupid, and any fault of the OS is NEVER the user's fault in the minds of the users. I mean, they bitch and moan about UAC as it is. Now you're going to break MORE stuff with SteadyState and EMET? Sounds to me like a bridge too far and an excuse to not budge from where you are. Better to face the dragons you know than the ones you don't.

0
0
Charles 9
Silver badge

Re: So all it does...

"The same things that stop malware from subverting anti-malware software today. This is an API that vendors like Kaspersky can plug into. It enhances the range of their capabilities if they choose to use it."

So what's to stop a malware from posing as an anti-malware, hooking into THE SAME APIs, and subverting them? "Who watches the watchers," IOW?

"If you're upset that the anti-malware software or OS, is "software", then perhaps you would be interested in the tool MS announced a couple of months ago that runs security from a separate Hyper-V instance that exists in parallel running directly from the hardware."

Hyper-V is a VM hypervisor. I'll grant you no one's been able to pull off a Red Pill to date, but since it's still software it can't be ruled out. Particularly if cyber-warfare really does go to the next level and hardware starts becoming compromised. It may seem paranoid, but given all the news we've had lately, we're almost in DTA territory as it is.

2
1
Charles 9
Silver badge

Re: Goody

"There are already versions of malware that will probably get past this! There are web based attacks where the downloaded script is 'innocent', only it includes calls to remote code that is only provided when invoked..."

But wouldn't the kit detect that remote code is needed (since it would have to be "included" at some point) and demand that code be loaded up (and thus scanned) BEFORE the script is allowed to run or continue?

2
0
Charles 9
Silver badge

OUR point can be summed up in three words: IN YOUR DREAMS.

Just because you're better doesn't mean you'll win. Betamax was better than VHS but LOST the VTR war. Microsoft has nothing to lose by doubling down. If Linux overtakes, they'll be as insignificant as Blackberry is now, and switching kernels would be seen as an act of surrender, much like again Blackberry.

Plus ask yourself this. If Linux is so superior, why isn't professional workstation software coming out for Linux more often? Why can't Valve convince more developers to embrace Linux and Vulkan?

1
0

Wikipedia to go all HTTPS, all the time

Charles 9
Silver badge

Re: Hmm...

"I don't need to modify Wikipedia on the fly - I can just edit the page directly, that's kind of the point of a wiki."

Don't think the content itself. Think hostile script injection like the Chinese Cannon.

"And if I'm doing on the fly modification - I can probably make a nice certificate as well anyway"

That would take a lot more resources than just a relay. You'd need to plunk down for the certificate and to make it a dead ringer for Wikimedia would likely take state-level resources, in which case they'll just attack you directly if they REALLY want you. In which case you're staring down the barrel and are screwed anyway.

"Additionally HTTPS isn't the best solution for ensuring that data isn't modified in flight - that only requires (signed) hashes (which could be included in the page)."

But if the hashes are in the clear, THEY can be modified on the fly, too, to match, and if you have to transmit the hash encrypted, why not the whole page?

Let me put it this way. Why else were telnet and rlogin abandoned for ssh?

"Just because you have a hammer in your hand doesn't make everything a nail."

And just because not everything is a nail doesn't mean there are no nails at all. And some of them might have been nailed from the other side, leaving the room with a serious tetanus risk if you don't start nailing those points back down.

0
1
Charles 9
Silver badge

Re: Hmm...

It's STILL better than having all your dirty laundry out for the world to see...AND MODIFY ON THE FLY. Got any better ideas besides just hanging our butts in the breeze?

1
1
Charles 9
Silver badge

Re: Hmm...

"Not quite sure about the justification here..."

With ANY in-the-clear transmission, your stuff can be altered in-flight by any relay. That's how the Chinese Cannon works, and Verizon's session tagging, and that's why Telnet and rlogin were abandoned for Secure Shell. Using HTTPS blocks this in situ modification unless the relay can masquerade as the source site.

5
0
Charles 9
Silver badge

Re: Playing to the gallery

"Reducing the cacheability of the site makes matters even worse."

Given how easy it is for any given page of the Wikimedia project to be edited, caching would actually work against you rather than for you since there's a chance you'll miss an edit. If data constraints are such a big issue, perhaps that should encourage browsers to adapt hash requests over HTTPS to compensate.

1
0

BlackBerry on Android? It makes perfect sense

Charles 9
Silver badge

Re: I'm planning to buy a new washing machine...

Well, a washing machine, mechanically speaking, isn't entirely that complicated. You have a tub motor, a number of solenoid valves, maybe a pump or two and some sensors. The tricky stuff is choreographing the pieces to work together, but let's recall that just a few decades ago your average washing machine ran its programs on a cam cylinder and a bunch of microswitches (watch "The Secret Life of the Washing Machine"). What electronics have done is allow more varied control of the parts, but the parts haven't changed that much. Maybe the motor has more speeds to it and so on, but the basics are still there. What is it about a modern washing machine that gets all so complicated?

1
0
Charles 9
Silver badge

Re: BB UI without QNX is?

"A cute, popular pig, but..."

Or a stout big-tusked boar like the Blackphone, unless you can prove otherwise...

0
0
Charles 9
Silver badge

Re: Interesting conjecture.

"A case can be made, but in the end that case isn't particularly compelling. If that were to be the endgame then why bother at all with hardware? It would be simpler to get out of the device business altogether and allow whomever licenses the suites to provide the hardware and the engineers to bolt it together. It boils down to what additional value the OS has that can be extracted in other ways."

Because it's going to take more than just slapping your UI on top of the Android kernel to make it properly hardened. One of BlackBerry's calling cards was that it was a system secure enough for proper enterprise use. As of now, baseline Android doesn't make the cut, but as noted by devices like the Blackphone, you CAN make it good enough if you get under the bonnet. So for BlackBerry to make a good Android device, it will have to do the same: be almost as picky as Apple when it comes to how the devices are built and the core software assembled so that it can properly pass the enterprise acid test.

1
0
Charles 9
Silver badge

Re: Agree with the title, but...

"Mainstream sells. Non-mainstream does not."

That doesn't mean you can find your niche and survive on it. That's why professional software can still turn a profit, in spite of the small audience, if it's the right software for the job such that the pros are willing to shell out for it. For years, BlackBerry survived by finding its niche in secure enterprise devices. It suffered from a combination of government interference and intrusion from the mainstream. I strongly suspect the niche is still there, it's just changed its shape and BlackBerry still has the potential to retake the niche and find its market again.

1
0

Windows 10: Forget Cloudobile, put Security and Privacy First

Charles 9
Silver badge

Re: Windows 10 who cares?

"The sad and sorry truth is that..."

The SADDER and SORRIER truth is that the desktop version of Windows is not meant for people like you but for Joe Ordinary who wants something they can just turn on, browse Netflix, get the e-mail from their boss with the next week's schedule, do their taxes, oh and even play a few games. The BARELY-computer-literate, IOW. A famous Douglas Adams quote springs to mind about the audacity of complete fools and the idea you just can't make something foolproof. How do you cater to such a crowd WITHOUT ticking them off (since if you tick them off, you'll probably lose more than them)?

0
0

How much info did hackers steal on US spies? Try all of it

Charles 9
Silver badge

Re: Dear US of A

"But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway."

Not if it's designed NOT to transmit all the time but instead only on a specially coded signal it receives first, THEN it transmits its stuff in a quick short-range burst that would require an omnipresent super-sensitive (as in prone to drowning out) detector to trace. If you're pro enough to get this far, you probably have an egress plan as well.

0
0
Charles 9
Silver badge

Re: you have to DEcrypt it SOMEWHERE.

"Others have already mentioned that the user interface has built in rate limits. "

That doesn't stop a PATIENT adversary, though. And the GOOD ones are patient. Patient adversaries are how we developed techniques like Smurfing and steganography. They probably started at a position where the stuff is used as part of the job, sniffed out the ones picked up during normal operations, and slowly worked up, finding ways to defeat the detectors as he went.

0
0
Charles 9
Silver badge

Re: What the Chinese did with it?

"Everybody - and I mean everybody - with a security clearance is going to have to be turned over and checked thoroughly."

Credits to milos the FIRST people turned are going to be the CHECKERS, putting you square in a "Who Watches the Watchers?" scenario and no way out since you need checkers to hire more checkers.

0
0
Charles 9
Silver badge

Re: you have to DEcrypt it SOMEWHERE.

Trouble is the multi-layered approach suffers from a common point of failure: the user interface where EVERYTHING has to be removed in order for the stuff to be of any use. About the only solution to this problem (essentially an exploitable "analog hole") is to go cyberpunk (in the style of William Gibson or Shirow Masamune) and have enc/dec security capabilities built directly into our brains.

1
0
Charles 9
Silver badge

Re: Dear US of A

"When hole is deep enough, stop digging..."

But what happens when you've been digging through sloppy mud all day and all you have is a shovel? Oh, and you hear thunder in the distance...

0
0
Charles 9
Silver badge

Re: we who are about to be ripped off (again)

"In my shop (an NGO, ffs) all externally facing data was encrypted at rest and in transit. All systems using that data needed to use a key and two way handshake before the data was useful."

Thing was, the stuff has to be useful at SOME point, which is where you attack the database: at the points where it MUST be decrypted to be useful. That's always been the unavoidable flaw with encryption. In order for data to be useful, you have to DEcrypt it SOMEWHERE.

2
0

If hackers can spy on you all then so should we – US Senator logic

Charles 9
Silver badge

Re: the only solution

"Most seniors are also just barely able to keep roofs over their heads. Being fired for voting is against the law. If they don't stand up for that then they need to STFU and stop blaming anyone else."

At least they have protections set up decades ago like Medicare and Social Security. The young don't even have THAT to back up on. As for being fired for voting, two words: AT WILL. Try proving your firing was for voting and not for incompetence, insubordination, or (thanks to at will) purely at the employer's discretion.

"The hippies, war protestors and civil right marchers (both black and white) back in 1960s were fighting against the same problems. Many went to jail. Many lost their jobs."

But the barriers were MUCH lower then. There were far fewer people. They could find new jobs or start their own businesses and so on. Plus there was a war on, so they could go to 'Nam and earn a new reputation. Today, with knowledge of you everywhere, two words: GOOD LUCK.

"So if Gen X and Y aren't willing to stand up just to that, then they're screwed and the longer they wait, the more we're going to become just another large banana republic from the 19th century."

Well, if THEY'RE screwed, then WE'RE ALL screwed because they're gonna take everyone else with them.

PS. EVERYTHING I've described I've seen...FIRSTHAND...in multiple places.

0
0