* Posts by Charles 9

6871 posts • joined 10 Jun 2009

LogMeIn adds emergency break-in feature to LastPass

Charles 9
Silver badge

Re: Of course any password manager

"And all my saved payment details require the CVV number from the card. Which is *not* stored anywhere - not even on the card (use a soldering iron, the digits are embossed)."

But what happens when you FORGET the CVV numbers or get them mixed up and can't recall which is which?

0
1
Charles 9
Silver badge

Re: KeePass

1) If you use KeePass from the go, this is a non-issue as you're not importing. Indeed, a lack of easy export out of LastPass has to be taken into consideration, as it may swing your decision to take up LastPass in the first place.

2) Perhaps this is for the best. One of the best ways to manage credit is to limit it. If you're down to one or two cards, you can just memorize them.

3) Want to cloud your password safe? Drop it in an OwnCloud or Dropbox. The safe is encrypted with encryption similar to what governments use, so if they can break it, they'll be in trouble themselves.

0
0

GCHQ mass spying will 'cost lives in Britain,' warns ex-NSA tech chief

Charles 9
Silver badge

Re: Right answer, wrong reasons

Then again, the plods were similarly handicapped. Plus, IIRC, the opposition had a lot of sympathizers because they had a political grudge. When they figured out a way to resolve the political conflict, the organization lost most of its mission, thus why you don't hear from them these days.

Al Queda had the advantage that they controlled a sovereign state that effectively gave them a safe haven. Attacking them would mean an act of war that only an atrocity like 9/11 could justify.

But what happens when you're up against a nihilist organization whose justification for total war is your mere existence?

0
2
Charles 9
Silver badge

Re: The man is absolutely right!

But at the same time, to stretch the metaphor, even further, there are highly explosive needles in with the bunch, and if one of them slips through and then blows up, there's going to be an ungodly amount of finger-pointing straight at you for not spotting it in time, even though there's really no practical way to separate them out before they go off, so The State is kinda tasked with a nigh-impossible task by the people, yet when (not if) things go boom, they get the blame regardless.

1
0
Charles 9
Silver badge

Re: Straws in the wind

If you're that paranoid, don't forget to check all your chips...

1
1
Charles 9
Silver badge

Re: The man is absolutely right!

Plus the needles are nonferrous with low melting points, so you can't use magnets or fire.

4
0

Bash, smash, trash Flash – earn $100k cash

Charles 9
Silver badge

Re: Someone call time

As long as there are systems out there—very expensive systems—that require Flash to operate, and no alternatives exist for it.

1
0
Charles 9
Silver badge

No, because out there are highly expensive enterprise control systems that MUST be accessed by Flash and nothing else. They're stuck with the hardware so they're stuck with Flash.

1
0

North Korean operating system is a surveillance state's tour de force

Charles 9
Silver badge

Re: One thing is mind-boggling

Not necessarily. What about subversive documents cut from scratch? Fingerprinting and source tracking would be useful there, too.

0
0
Charles 9
Silver badge

Re: pen and paper

Hidden cameras. They can copy pen-and-paper notes remotely.

0
0
Charles 9
Silver badge

Re: One thing is mind-boggling

You fail to understand the Nork government is in a whole different world from the plebs. The systems running on the Nork government computers are bound to be totally different from Red Star.

1
0
Charles 9
Silver badge

"I wasn't aware of that. It certainly was not the case ten years ago when a colleague was ordered to put his laptop in checked luggage. Rules and regulations change though, so I will take your word for it."

That was before we started getting reports of exploding iPods and so on. Then came the reports of Li-Ion and lithium metal batteries (those AA batteries meant to go in digital cameras) combusting spontaneously, even when not in use, due to the batteries being chemically active even when at rest. Look at the controversy around the 787. Plus lithium is a pretty touchy element chemically: it can react to moisture (just like sodium, one row down on the periodic table). And an in-flight fire is one of the biggest risks for an airliner, so anything that creates a fire risk is taken seriously.

0
0
Charles 9
Silver badge

"Airlines won't allow the laptop to be checked because of lithium batteries. Same goes for any other reasonably recent/modern gadget."

Most laptop batteries are removeable and thus can be taken out so the rest of the laptop can be checked. Otherwise, you have a dilemma when you're told you can't put the laptop in to EITHER the carry-on (over the limit) OR the checked baggage (restricted contents). And since the laptop probably also contains the VPN keys, leaving it behind isn't an option, either.

0
0
Charles 9
Silver badge

Re: A serious question...

If UEFI secure boot with a custom key were required, then how are the researchers fiddling with it right now? Are they running it on Nork hardware, too (which BTW is x86-based, so no built-in security features via the CPU)? With home-grown hardware, even without EFI, it can be secured with a custom BIOS that has signature-checking capabilities (as this is a one-off, compatibility need not be an issue).

0
0
Charles 9
Silver badge

Re: "watermarks" vs. "appended"

You're confusing watermarking with steganography, as the latter is one way to robustly and covertly apply the former. Because this process occurs behind the scenes in the OS itself, transparent to the user, possibly by way of an alternate data stream, I would consider this a form of covert fingerprinting: that's watermarking in my book.

In any event, a series of fingerprints can be used in a technique known as source tracking, which is what this system apparently does to provide an audit trail of where files get transferred.

2
0
Charles 9
Silver badge

Re: Interesting possibilities for someone wanting to take down the regime

"Assuming you can get the ability to inject files into a computer in NK, and are able to fake the signature of a high ranking person's machine, you could create an incriminating file, sign it as if it was viewed by them, which once it became known to the right person would probably cause them to 'disappear'."

I think the way the system is designed, that's very risky, as you could just as easily commingle your signature with the target's, making it easy to tell it's a fake. Remember, the signature process runs within PID0, so you can't get around that without changing or compromising the kernel, and as the article notes, it takes precautions to prevent that. I wouldn't put them above integrity and signature checking.

0
0
Charles 9
Silver badge

Re: I'm gonna download this shit...

"what if I just don't give a fuck if the chinese take over my computer? like seriously that's some first world problem shit"

The problem is that if the Chinese don't target you, they'll use you anyway. Much like how the Chinese Cannon works.

0
0
Charles 9
Silver badge

Re: I'm gonna download this shit...

You're talking a Red Pill exploit aka a hypervisor attack. Something like that would make the technology news since AFAIK no malware has actually been able to break out of the VM and into the hypervisor. There's been a lot of conjecture about it, but nothing in the wild as of yet.

4
0

Kaspersky says air-gap industrial systems: why not baby monitors, too?

Charles 9
Silver badge

Re: @Charles 9 (was:@anonymous boring coward

And I'M right. You don't see the REAL real issue, which goes beyond SCADA.

You're basically saying SCADA shouldn't exist since the REAL real security professionals would be in the government (the agents BEHIND Stuxnet), meaning they can be subverted. What man can make, man can UNmake.

DTA - Don't trust ANYONE.

0
0
Charles 9
Silver badge

Re: @Charles 9 (was:@anonymous boring coward

What's there to understand? Stuxnet relied on subverting a necessarily-complex program just enough so that it wasn't obvious at a glance yet was enough to cause expensive machinery to overload itself and break down. This program was passed around using the only viable transport medium available: USB sticks, as the programs are too complex for a human brain to remember reliably, and it would only take ONE of them, perhaps subverted at the hardware level a la BadUSB, to subvert the first machine, which in turn creates the changes that break the second machine.

Looks to me like an intractable problem. How would you do it properly if the required medium of transport could've been subverted at the factory level, before you ever got your hands on it?

And note, Stuxnet not only had State-level support, but also the assistance of the machine's manufacturer. It's like dealing with bribed guards.

0
0
Charles 9
Silver badge

Re: @Charles 9 (was:@anonymous boring coward

If you can demonstrate someone who can memorize a complex PLC program in their head just by reading it from a screen, then going over to an isolated machine and keying in the same program, without mistake or means to verify there is no mistake, then I'll withdraw my claim.

0
0
Charles 9
Silver badge

Re: @anonymous boring coward

""Stuxnet", for example, was delivered by SneakerNet into systems without a clue about actual air gap security ... SneakerNet in this case being the wire, albeit a one-way connection[0]. A true air-gapped system would have never have allowed Stuxnet to propagate."

The thing was, for something like was targeted by Stuxnet, true air-gapping was impossible as parameters have to be entered into the system to change its operation. In this case, it can be a complex set of instructions: too much for a human head to enter correctly, AND it's intolerant of input errors (unavoidable: the products in play are intolerant by nature). It's a necessary evil of a dynamic system; Stuxnet exploited the necessary evil. With something of state-level importance, few precautions can be considered too extreme since an enemy state will find and exploit the one you leave out.

0
0

Here's your Linux-booting PS4, says fail0verflow

Charles 9
Silver badge

Re: so what

Just because you pay rent or leases doesn't mean you own whatever you rent or lease. And by the EULA's, what you get doesn't necessarily constitute a sale, even under exhaustion clauses. IOW, monkey with the software that's require for the hardware to run, and be prepared to end up with a brick.

0
0
Charles 9
Silver badge

Re: Typo?

"Which is a shame as Kodi modified to use the GamePad as a dual purpose remote/player would be a great media centre."

Hmm...then again, you have to wonder if the Wii U has the grunt work to handle Kodi properly, especially at high resolutions, hi-gamut, and/or H.265 encoding. It's like with WiiMC: strictly an SD affair and known to chug when it encounters more complex H.264 video.

0
0
Charles 9
Silver badge

Re: Typo?

The Wii was exploited via games until LetterBomb appeared, which exploited the Wii's internal messaging system. By that point, though, the Wii was getting long in the tooth, and while it's a nice thing for retro gaming (load up some emulators from the Homebrew Channel, hook it up to an old CRT TV, and cue the nostalgia), the novelty tends to wear off before long, especially once you try to more sophisticated stuff.

0
0

Trustworthy x86 laptops? There is a way, says system-level security ace

Charles 9
Silver badge

Re: Stateless and trusted

Problem is, one of the adversaries is The State, and they have the resources to subvert the system at the factory, possibly even at the hardware level. How do you deal with such an adversary?

2
0
Charles 9
Silver badge

Re: Lots of whining, no real solutions

Except most of the complexity came out of necessity, out of demand. You'd have to paradigm shift the people along with the computer, and if history is any indication, all you can say is, "Good Luck!"

2
0
Charles 9
Silver badge

Re: Going back to dumb terminals ...

But at the same time, you reduce the attack surface, meaning hackers concentrate on the few places left, and as the saying goes, they only have to be lucky once. As for separation of code and data, that's impractical if one of the programs you have to run is a compiler or something else that must use the von Neumann blurring of code and data (data is code and code is data). Plus there's things like Return-Oriented Programming that can use existing code (and thus defeats both Data Execution Prevention and the Harvard separation of code and data) to do its work. Finally, the tighter you lock things, the slower you make the business until the economic factor kicks in. If you make things TOO tight that things can't get done, people start finding ways around your security. In the end, you have a business to run, and that business is run ultimately by people.

1
0
Charles 9
Silver badge

Re: ALL YOUR x86 ARE BELONG TO US

Last I checked, biro (ball-point) pens still used ink. I believe you're referring to a fountain pen or some other type that writes without a lot of pressure. I believe you can get similar results with a felt-tip marker-like pen (using one very light not only doesn't leave an impression but controls the possibility of bleed-through).

1
0
Charles 9
Silver badge

Re: It's Turtles all the way down!!!

"how do you know the 3d printer isn't infected? You build the first printer from scratch, and it has very limited functionality, just enough to build the next printer, and you iterate, so that at the end you have a trustable device. This isn't reasonable for a person to do, but for a state actor, maybe..."

But then, a state actor may have the resources to subtly subvert the very first printer you make (on in the other example, the system on which you build the initial assembler/compiler). And they may even defeat the technique to detect the latter (cross-compile against a known-good compiler) by making it so you can't be sure you have a good compiler.

1
0
Charles 9
Silver badge

Re: Going back to dumb terminals ...

"There was IT before we had PC's, smartphones & tablets. There were millions of end user devices like 3270's and VT100's, but there was no malware problem. Building dumb terminals with browser capabilities shouldn't be rocket science ..."

One problem. You just put the eggs in one basket, so to speak. Sure, there wasn't a big malware problem in decades past because the terminals weren't worth breaking, but hacking has existed as long as IT, too, and what was the big sci-fi element of the 80's? Hacking into those big honking systems that all the dumb terminals connected to. Sure, single point of defense, but also possibly single point of failure.

1
0
Charles 9
Silver badge

That problem will exist as long as humans exist. As a comedian once said, "You can't fix stupid."

1
0

3D printer blueprints for TSA luggage-unlocking master keys leak online

Charles 9
Silver badge

Re: Tie Wrap

Not if they use the ol' "pen in the zip strip" trick, which is reversible.

0
0

China wants encryption cracked on demand because ... er, terrorism

Charles 9
Silver badge

Re: Whistling in the Wind?

China can do whatever it wants. It's a sovereign nation.

0
0
Charles 9
Silver badge

Tibet, I'll give you since it's adjacent to China and still in dispute as far as China is concerned, but to engage in action in another sovereign state against actors against their interest raises an international stink, and they're already getting dirty looks from various other powers both near and far.

0
0

NSA spying on US and Israeli politicians stirs Congress from Christmas slumbers

Charles 9
Silver badge

Re: h4rm0ny Seriously, though

"No. Mostly because it's a state built on stolen land and the genocide of the indigenous Palestinian population."

No. Because it's a state built on land stolen FROM them and the genocide of the 12 Tribes of Israel. They claim the land is theirs by God-given right, so their claim is absolute.

So unless the Palestinians can claim to be the descendants of the people of Jericho, from whom God took the land that was to become Israel, it's a land dispute where each side claims rightful ownership with proof. And since part of the land is considered sacred to both sides and can only be sacred if they and they alone possess it, well the only way it can turn is ugly, which is why Israel tends to take a defensive stance over their ancestral home.

1
3
Charles 9
Silver badge

Re: Why is this news?

The trouble with a DTA attitude is that eventually you stop trusting anyone, not even yourself. That inevitably isolates everyone and civilization would collapse because society requires a certain level of trust to function.

4
0

John McAfee rattles tin for password replacement tech

Charles 9
Silver badge

Re: Who will be pleased?

(= what we know and nobody else knows).

Trouble is, are there REALLY things we know that nobody else knows or rather there are things we know and only THINK nobody else knows. It's like searching for that absolute truth everyone can universally agree upon. I suspect it'll be like chasing unicorns; there's no such thing as something ONE AND ONLY ONE person can ever know. So what else can we use?

0
0
Charles 9
Silver badge

Re: Close, but no cigar

So what about if you only carry one factor on you: the fob, because you don't believe in cell phones, for example?

And what if your memory is so bad that even ONE long password is problematic ("Now was it 'correcthorsebatterystaple' or 'cotterpindonkeypetrolwrong'?)

0
0

Good news! US broadband speeds are up. Bad news – they're still rubbish

Charles 9
Silver badge

Re: One of my pet peeves

No, it's mostly down to raw capitalism. It's especially true out in the sticks where small communities would like to get on the Internet, don't want to go to the cities (which is why they're out in the sticks), and face the little problem of the nearest trunk line being 100 miles away or so. Laying a cable from there to the town is going to cost a pretty penny, but the community doesn't have that kind of money. So they're basically over the barrel which is why cable providers offering to roll out to the sticks can coerce exclusivity agreements out them. For many it's a simple matter of bend over or go without, and the community won't accept the latter.

0
0
Charles 9
Silver badge

Re: Typical Feral Blovating

Age.

London is an OLD city, meaning full of built-up infrastructure that you have to get around to put in new infrastructure. Sparse places don't have as much infrastructure. Nor do young cities like in the Far East where lots of stuff got REbuilt. As I recall, New York City suffers from the same problem in places, particularly Manhattan where infrastructure is a case of trying to cram a baker's dozen in an egg carton.

1
0
Charles 9
Silver badge

Re: 8 years

They may change their tune if Verizon or AT&T start bringing fiber to your area. Cox has to keep their prices down after Verizon FiOS was rolled out in my area (since the two now directly compete service-for-service).

0
0
Charles 9
Silver badge

Re: Advertised speeds?

They're BOTH involved since the ads go through and involves a communications medium. The FTC gets involved because of trade practices, the FCC because of the use of a regulated medium.

0
0
Charles 9
Silver badge

Re: Typical Feral Blovating

Grant County got the deal because the fiber company responsible for it wanted to make an example. And they didn't want to do a ton of infrastructure costs, so they use a sparse, rural county that happens to be up north and not TOO far from the IT haven of Redmond, meaning they've got a major data trunk nearby. And note, they went NORTH, where natural cooling attracts data centers (which is what happened to Grant County--big companies built data centers there). I doubt you could make the same case in, say, Tuscon, Arizona. As they say, read between the lines and you'll see there's more to the story than meets the eye.

Color me impressed when a rural community in the middle of Nebraska (or like I said, a place like Arizona or New Mexico) can do their own high-speed installation without some carrot deal from a provider (which is how most communities get locked in: many times the providers demand exclusivity before they'll agree to send a data line their way, take it or leave it).

2
0
Charles 9
Silver badge

Re: Advertised speeds?

Thing is, the FCC regulates advertising. Sure, there is the catch-all "up to", but the FCC can still check to see if the advertised maximum rate is in any way feasible or within reason, and if it isn't, the ISP can still be nailed for deceptive advertising. IOW, the FCC's survey can have legal consequences.

0
0

US Marines kill noisy BigDog robo-mule for blowing their cover

Charles 9
Silver badge

Re: All Terribly Silly

Donkeys have load limits, endurance limits especially under load, and have maintenance costs that continue even when they're not in service. And you wonder why trucks and other mechanized cavalry quickly replaced pack mules...

0
0

You ain't nothing but a porn dog, prying all the time: Cyber-hound sniffs out hard drives for cops

Charles 9
Silver badge

Re: Disk-sniffing

But when Hum-Int fails (as in you keep saying, "No Comment"), then they call in the Forensics team.

0
0
Charles 9
Silver badge

Re: SSD?

"Ah, but they would have to prove that such existed. This is where the real danger lies: you could be accused of refusing to give up a secondary key where none exists,"

And that's why you're screwed. Plausible deniability doesn't exist against an adversary that assumes guilt, regardless of whether or not the law says otherwise. As far as they're concerned, you're an Enemy of the State, a direct threat to the future of the country's existence, so no holds are barred.

1
0
Charles 9
Silver badge

Re: Disk-sniffing

But still possible to reconstruct given a determined forensics team. And since nuking from orbit isn't an option, the next best choice would be something easily combustible since nigh nothing apart from a phoenix has been able to be reconstructed from burnt remains.

0
0
Charles 9
Silver badge

Re: So...

You may wish to use the "Joke Alert" icon in future if you intended this as a joke...if this was intended as a joke. (OK, if you used mobile, I'll forgive that)

I think he's referring to "skunk" as in a particularly odorous kind of marijuana. It would be the kind dogs would be able to sniff out easily if they were in range.

0
0

Forums