* Posts by djack

181 posts • joined 16 Jun 2009

Death to DRM, we'll kill it in a decade, chants EFF

djack

Re: People slowly realise how much of a problem it is

"Wouldn't that just cause transnationals to bail out of the EU"

No. They wouldn't abandon such a massive market.. and if being anti-consumer, anti-security and total lock-out freaks is more important to them than trading with Europeans then we're better off without them.

It's the same argument as paying bankers massive bonuses and letting Starbucks and Amazon get away without paying tax. They may threaten to move away but they are almost certainly not going to abandon the market and profits here and if they do.. good riddance, there are plenty of local people who will do the job.

6
0

It's enough to get your back up: Eight dual-bay SOHO NAS boxes

djack

Re: RAID-0 FFS?

"If you have to have a backup in any case, what is the point of RAID in a normal home environment?"

RAID is for fault tolerance, backup is for disaster recovery.

Disks are relatively unreliable things and will break sooner or later. RAID gives you a bit of breathing space. Hopefully when a disk breaks, you will be able to get hold of a replacement and slot it into the array with little or no downtime or performance loss. Just relying on a backup may involve days of downtime waiting for drives to be delivered and restored.

Even though she has no idea what I'm babbling about, RAID (and UPS) are vital components for a high Wife Acceptance Factor. Indeed, the ability to play crappy rom-com films at a moment's notice (while I'm away) is pretty much business critical.

0
0

Someone at Subway is a serious security nerd

djack

Re: Subway devs employ security by design

"Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this"

I'm not even sure that banks should be doing some of the checks that they do. Such as rooted device checking. I was given the choice of running a stock firmware with known vulnerabilities (updates no longer being produced by the manufacturer) and being able to use my bank's app, or running an updated custom firmware that my bank deems to be insecure.

13
0

Make Adama proud: Connect your Things wisely, cadet

djack

Re: Admiral Adama

Adama was the commander of the only remaining Battlestar warship. It was used in a previous war with the 'Cylons' (a robot-like race) and Galactica was due to be moth-balled as a museum piece. As such it was not retro-fitted with up-to-date kit that was networked together and with a central mainframe for efficiency. Adama, as a veteran himself, distrusted such intercommunication between devices. His distrust was dismissed as being anachronistic and paranoid.

Sure enough, the Cylons returned, compromised the mainframe and pretty much instantly disabled/destroyed the entire defence system apart from Galactica.

11
0
djack

Z-Wave?

You missed Z-Wave, but to be honest it has pretty much the same properties and problems as ZigBee.

This sort of thing could be done more securely but the big problem is that most if not all of the controller or stand-alone systems are managed via someone else's server on the Internet (I'm refusing to say the 'C' word). My security and privacy should be solely under my control, not mine and someone else's.

I'm currently playing with openhab - a bit rough around the edges but looks like it could be moulded into something pretty good.

2
0

Mad Max: Fury Road – two hours of nonstop, utterly insane fantasy action

djack

Re: Hyped to the max!

Same here. My missus is almost certain to hate every second of this. I imagine that she will get revenge with Pitch Perfect the following weekend :-/

2
0

Google pulls plug on YouTube for older iPads, iPhones, smart TVs

djack

Re: Roll Your Own

"At a minimum I suggested smart-TVs should have a slot-in "smart-unit", which can be replaced preventing the display from becoming obsolete."

It's possible now, just no-one is doing it.

HDMI ports on modern sets can provide power to a dongle, can provide Ethernet over HDMI and allow the dongle to integrate with the TV remote via HDMI-CEC. Once the TV is connected to the network, just plug the dongle into an HDMI port and that's it.

I'd pay good money for a thing like that.

0
0

JavaScript CPU cache snooper tells crooks EVERYTHING you do online

djack

Re: whats the problem?

I learned a long time ago that just because you can't see an attack vector it doesn't mean that nobody else can.

It's scary how many potential vulnerabilities end up losing the 'potential' bit.

11
1

DTS announces DTS:X – sparks object-based audio war with Dolby

djack

"Consequently, with DTS:X you could boost the dialogue level of a movie to suit specific listening conditions. This is apparently a much asked-for feature by users of surround systems."

At last a real use-case for these systems for most users. Having a 5.1 system at home, I am always confused by how much of a difference in the dialogue mix there is with different media. It's not unknown to have to crank up the volume to be able to make out what people are saying and then feel like the plaster is coming off the walls when something loud happens a second later. The dialogue is (usually) the most important bit of the sound.

32
0

Steely wonder? It's blind to 4G and needs armour: Samsung Galaxy S6

djack

Re: I'm sad I know....

Not quite, according to Samsung's website.

It does appear that the 32 and 64 gig normal ones are out tomorrow and the edges are on 24th. I only saw the 24th date.

0
0
djack

Re: I'm sad I know....

Friday? Do you mean tomorrow?

I thought the release date is the 24th?

0
0

Intel shows Google how to stick it real good

djack

HDMI features?

If these things support HDMI-CEC and Ethernet over HDMI, these could make a nice MythTV frontend.

0
0

David Cameron's Passport number emailed to footy-head

djack

Re: Passport Chip

Yep, it's passport number, date of birth and the expiry date of the passport.

Once you have those details, you can access the passport via NFC to get at the biometric data.

2
0

Ford: Our latest car gizmo will CHOKE OFF your FUEL if you're speeding

djack

Re: Hmm...

"Does this mean that if I put the number ten in a circle on the back of my getaway car, I can create a slow moving knot of traffic to delay the cars chasing me?"

I'm pretty sure that the camera in my car has reacted to those maximum speed stickers you sometimes see on the back of lorries that look like a speed limit sign.

3
0
djack

Re: Oh...

"I assume anyone who doesn't want this just needs to cover the camera that's watching out for the signs."

.. or just not turn it on.

My car reads the road-signs and like the Volvo above, this is incredibly unreliable as it can't tell what sign applies to you (I'm feeling slightly better that it's not just the Vauxhall system that does that).

The car also has a limiter and it is incredibly useful, especially in areas with average speed cameras. I'm glad that the sign reader and limiter haven't been linked.

2
0

Banks defend integrity of passcode-less TouchID login

djack

Ahh.. the Lemming defense..

"Other banking institutions across the world are also using this technology with their customers."

I've heard similar things to this from software vendors on multiple occasions.. often just before I demonstrate a whopper of a security flaw.

7
0

Don't pay for the BBC? Then no Doctor Who for you, I'm afraid

djack

Re: Devices

Never mind PVRs, adding a CA layer will involve having to upgrade/replace pretty much every TV.

7
0

MELTDOWN: Samsung, Sony not-so-smart TVs go titsup for TWO days

djack

Too many aliases?

It is back up and running now, and resolving to the same address it was last night (when it failed). However, last night there were five CNAME records in the chain :-

www.samsung.com. 0 IN CNAME www.samsung.com.edgekey.net.

www.samsung.com.edgekey.net. 2616 IN CNAME www.samsung.com.akadns.net.

www.samsung.com.akadns.net. 4 IN CNAME china-www.samsung.com.edgekey.net.

china-www.samsung.com.edgekey.net. 7998 IN CNAME china-www.samsung.com.edgekey.net.globalredir.akadns.net.

china-www.samsung.com.edgekey.net.globalredir.akadns.net. 117 IN CNAME e1722.g.akamaiedge.net.

e1722.g.akamaiedge.net. 12 IN A 104.72.168.26

Whereas this morning there are only three :-

www.samsung.com. 60 IN CNAME www.samsung.com.edgekey.net.

www.samsung.com.edgekey.net. 9367 IN CNAME www.samsung.com.edgekey.net.globalredir.akadns.net.

www.samsung.com.edgekey.net.globalredir.akadns.net. 1998 IN CNAME e1722.g.akamaiedge.net.

e1722.g.akamaiedge.net. 11 IN A 104.72.168.26

I think that's a smoking gun.

Still, it's bloody stupid having SmartHub depend on www.samsung.com or even an Internet connection - I have an app that provides nice access to content on my local media server - the missus was not happy that that was unavailable too.

0
0
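As an added illustration (not part of djack's post, and not Samsung's or Akamai's code), the following walks the two CNAME chains quoted above the way a resolver would, counts the indirections and reports the effective cache lifetime, which is the smallest TTL in the chain. The record sets are constructed from the quoted output; the hop cap of 8 and the loop example are assumptions for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

# name -> (ttl, rtype, rdata); one record per owner name is enough here.
RecordSet = Dict[str, Tuple[int, str, str]]

# Constructed from the chain quoted for the night of the outage.
NIGHT: RecordSet = {
    "www.samsung.com.": (0, "CNAME", "www.samsung.com.edgekey.net."),
    "www.samsung.com.edgekey.net.": (2616, "CNAME", "www.samsung.com.akadns.net."),
    "www.samsung.com.akadns.net.": (4, "CNAME", "china-www.samsung.com.edgekey.net."),
    "china-www.samsung.com.edgekey.net.": (
        7998, "CNAME", "china-www.samsung.com.edgekey.net.globalredir.akadns.net."),
    "china-www.samsung.com.edgekey.net.globalredir.akadns.net.": (
        117, "CNAME", "e1722.g.akamaiedge.net."),
    "e1722.g.akamaiedge.net.": (12, "A", "104.72.168.26"),
}

# Constructed from the chain quoted for the following morning.
MORNING: RecordSet = {
    "www.samsung.com.": (60, "CNAME", "www.samsung.com.edgekey.net."),
    "www.samsung.com.edgekey.net.": (
        9367, "CNAME", "www.samsung.com.edgekey.net.globalredir.akadns.net."),
    "www.samsung.com.edgekey.net.globalredir.akadns.net.": (
        1998, "CNAME", "e1722.g.akamaiedge.net."),
    "e1722.g.akamaiedge.net.": (11, "A", "104.72.168.26"),
}

# Constructed, deliberately broken chain to show loop detection.
LOOPED: RecordSet = {
    "a.example.": (60, "CNAME", "b.example."),
    "b.example.": (60, "CNAME", "a.example."),
}


def walk_cname_chain(records: RecordSet, name: str, max_hops: int = 8
                     ) -> Tuple[str, List[str], Optional[str], Optional[int]]:
    """Follow CNAMEs from `name` until an A record is reached.

    Returns (status, cname_targets, address, effective_ttl). Status is one of
    "ok", "loop", "dangling" (a name with no record) or "too_deep" (more than
    max_hops indirections, the assumed resolver cap). The effective TTL is the
    minimum TTL seen, because a cache must re-resolve once any link expires.
    """
    targets: List[str] = []
    seen = set()
    ttls: List[int] = []
    current = name
    while True:
        if current in seen:
            return ("loop", targets, None, None)
        seen.add(current)
        rr = records.get(current)
        if rr is None:
            return ("dangling", targets, None, None)
        ttl, rtype, rdata = rr
        ttls.append(ttl)
        if rtype == "A":
            return ("ok", targets, rdata, min(ttls))
        if rtype != "CNAME":
            return ("dangling", targets, None, None)
        targets.append(rdata)
        if len(targets) > max_hops:
            return ("too_deep", targets, None, None)
        current = rdata


if __name__ == "__main__":
    for label, zone in (("night", NIGHT), ("morning", MORNING), ("looped", LOOPED)):
        status, hops, addr, ttl = walk_cname_chain(zone, next(iter(zone)))
        print(f"{label}: {status}, {len(hops)} CNAMEs, A={addr}, effective TTL={ttl}")
```

Both working chains end at the same address, but the night chain has five indirections and a zero-second effective TTL, so every lookup had to rebuild the whole chain.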

PENGUINS are just TASTELESS, say boffins

djack

Re: Useless

That's awesome.. How did I miss that when it was broadcast?

0
0

Windows 10 to give passwords the finger and dangle dongles

djack

Re: Read the specs

* You authenticate using a cryptographic private key. The fingerprint just unlocks the private key on the local machine (like a screen unlock on an iPhone)

That is even worse!

For the private key to be stored securely, it must be encrypted with a key. This key needs to be provided identically each time the system decrypts the private key.

Unlike a password, each presentation of biometric data is slightly different each time the fingerprint (or whatever) is scanned. Confirmation of the print is based on a 'near enough' match of the stored biometric data (which is why you have the risk of false positives and false negatives). Therefore the key to decrypt the private key cannot be reasonably derived from the biometric data provided at the point of 'authentication'.

The only way I can see it working is that the key needed to decrypt the private key is actually stored on the system (presumably in some sort of obfuscated fashion) and that the software only chooses to use it to gain access to the private key after a successful biometric authentication event. It may as well be stored in the clear and hope for the best.

2
0

M0n0wall comes tumbling down as dev throws in the trowel

djack

This article reads as though it sees m0n0wall as a failure, or that it demonstrates a weakness in the way that open source software is developed.

Yes, the project is closing but it is clear that so many people and other software packages owe so much to m0n0. Its code base is old and had been superseded in terms of flexibility and maintainability by those who came later and built and modified what was there. And so, in time, these packages will be replaced by others building upon them.

It's not a failure, pfSense and the others are all the children of M0n0. It has gone into retirement but its offspring have great futures ahead of them.

26
0

So long, Cyanogen! OnePlus says its future belongs to OxygenOS

djack

Re: Just another Distro

I'm guessing here, but I think it's more of a case of won't instead of can't and it is all down to app compatibility. Device manufacturers and therefore app developers will follow Google's releases. Third parties can develop their own new APIs or change core functionality to their heart's content, but when Google produces their own equivalent all of that is dead work.

Therefore pretty much everyone waits for the big G and just adds niche additions or their own brand of polish.

I'm not saying it can't happen but any true fork has to have enough traction to make it worthwhile. For example, ISTR that initially Ubuntu followed Debian releases and Mint now seems to be emerging from under Ubuntu's release shadow.

4
0

UK Scouts database 'flaws' raise concerns

djack

Probably not allowed to do a full test

Whoever did the testing (if any) was probably only engaged to look at the underlying OS layer and not the application itself. Or expected to test the system without being permitted to actually log in to the application.

I am faced with this quite often and am amazed by some customers' opposition to me doing the job properly.

8
0

US and UK declare red-team CYBER WAR – on EACH OTHER

djack

Re: Outages

It is basically impossible to guarantee no disruption or outages in even the most tightly controlled and planned test, never mind exercises like this. You can not do things that are likely to result in an outage, but that's as far as you can go. You simply don't know how everything is going to react to anything.

I have shut down a manufacturing production line with no more than a TCP portscan so I know of what I speak.

2
0

Tesco tosses loss-making Blinkbox into TalkTalk's basket

djack

It was possible to get the instant video service running on other android devices. They published the application via their own store a number of months ago. It was a pain to set up but it did work on my Nexus 10.

Just tried it again last night and it no longer works (may have had something to do with the Lollipop upgrade).

1
0

Ford recalls SUVs … to fix the UI

djack

Re: Push-button gear change? Really?

"However, they also included a hill-start setup whereby you could just use the throttle (and clutch if manual) to set off. Once the car realised you were setting off (putting enough torque down to the wheels) the handbrake released."

Yep. Vauxhall / Opel cars operate exactly the same. Whoever sold the car to voland's right hand obviously didn't explain that method of releasing the brake - the dealer that sold my car didn't show the other way to me. The car will do both though I've yet to see a use case for the 'manual' method.

I've had it for over six months now and have never rolled back on a hill start. That said, not having direct control of the brake feels strange and I still don't really trust it so hill starts are scary.

7
0

YEAR of the PENGUIN: A Linux mobile in 2015?

djack

Jolla Have Produced a Mobile Device

"If nothing else there's at least a large market of Linux enthusiasts clamouring for a Linux-based [mobile] device."

Whilst they haven't yet produced the tablet, Jolla produced a phone based on Sailfish last year.. and don't forget the venerable N900 and lesser-spotted N9. Going further back, the 770, N800 and N810.

'True' (not Android) Linux mobile devices hit the shelves a long time ago.

5
0

Misfortune Cookie crumbles router security: '12 MILLION+' in hijack risk

djack

Re: djack

There are other ways of raising awareness than going full apocalypse scare tactics as a thinly obfuscated attempt to sell software that won't actually fix the problem.

A single http request with a specially crafted cookie from a Web browser with an extension to allow modification of cookies is a far cry from a single packet sent by a normal Web browser. Checkpoint know the difference and have made that statement to confuse and terrify those who don't.

It's difficult enough to get people to take security seriously without this sort of marketing shenanigans.

I'm not just singling out checkpoint here, there are many others who have also done this sort of thing.

4
0
djack

I really hate this sort of shit. Is this an actual issue or a marketing piece?

If it is a real technical announcement, what does this mean :-

"All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required, just a simple modern browser."

Other than (maybe) some relatively complex code with websockets, I'm not sure how to make my browser output a single packet. Such bullshit can only harm any real warning of a real issue.

9
0

Security SEE-SAW: $3 MEEELLION needed to fight a $100k hack

djack

"The fact that they are not being openly addressed shows me that people who understand don't care and people who care don't understand."

Not quite. Often the people with authority don't understand / care. I can't think of a more fruitlessly stressful job than ISO. So many are given the responsibility but not the necessary authority.

1
0

Not sure what RFID is? Can't hack? You can STILL be a card fraudster with this Android app

djack

Re: Bank cards are not susceptible

I can't remember what variant of card is in my bank card, but a number of the newer mifare chips have the ability to emulate a classic but without the (same) flaws.

1
0

Mastercard and Visa to ERADICATE password authentication

djack

Re: So how secure are 'biometrics'?

"I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."

Barclays and NatWest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticates access to the account and at the transaction level (the first time you send money to a recipient).

0
0
djack

Re: @Keith stupid (calculator size) chip and pin devices for every purchase

"Is the token thingy in the same wallet as the credit/debit card?"

Probably, but that isn't an issue as you need to input your card PIN each time you use it (like you do in a physical shop).

0
0
djack

Re: @Keith stupid (calculator size) chip and pin devices for every purchase

AFAIK, all those calculator things use the standard EMV (Euro?? Mastercard Visa) authentication package that is embedded in the chip on your bank card. As such they are pretty interchangeable - at the very least I can log into my Barclays account using a NatWest device.

It's not too difficult to get a couple of the things (hint: most banks will send you a new one if it gets lost or breaks) and at work, all you need is to get one to share between a small group of trusted people.

It can be made relatively painless really easily too, perhaps you force authentication once (a year?) for each individual combination of retailer and delivery address.

0
0
djack

Re: So how secure are 'biometrics'?

Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form..

During enrolment, the authentication server collects data about your authenticator. This may be your password (hash), a seed for a 2FA token, an X.509 public key or the base sample data for the biometric (etc. etc.)

During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.

The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.

That's why on many Windows networks if you have a password hash, it matters not that you don't know the password, or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and just bypass the scanner hardware.

In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.

6
0

Hey, you, PHONE-FACE! Kickstarter in-car mobe mount will EMBED your phone into your MUG

djack

Their Description is Right too..

"Holding your cell phone visible giving the driver hands free driving"

Did they really mean that?

2
0

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

djack

Re: Misleading Language

Considering the number of servers out there still supporting SSL version 2, I can see this being an issue for a long time.

3
0

EE buys 58 Phones 4u stores for £2.5m after picking over carcass

djack

Re: Decline of the high street

The high-street retailers are more of a victim of parking fees and restrictions. They (generally) don't want or enforce them and it's their customers who have the option of going elsewhere.

2
0

'Stop dissing Google or quit': OK, I quit, says Code Club co-founder

djack

/me Applauds

I've never heard of Code Club or the lady in question before, but I must applaud her stance on not sacrificing her principles.

53
2

NIST to sysadmins: clean up your SSH mess

djack

There are quite a few significant issues with ssh version 1 (the protocol, not any particular implementation), yet you still see it available all over the shop.

That is the thing they are meaning. By all means stay away from the bleeding edge, but also stay away from the bloody and broken obsolete stuff too.

4
0

The police are WRONG: Watching YouTube videos is NOT illegal

djack

Re: They've got you...

Not really, transmission implies that you have the information in question and are sending it somewhere. Even if you have made a request for the transmission to be made, you are still only receiving it.

7
0

Need a green traffic light all the way home? Easy with insecure street signals, say researchers

djack

Unsurprising

I was asked to look at some of the back-end systems for this kind of stuff for a council a few years back. The issues I saw were very scary (even if I weren't under NDA I still wouldn't say as you'd think I'd made it up) and needless to say I chickened out of trying to actually experiment with anything. You can imagine the thoughts running through my head as I joined the massive traffic jam on the way home. (I later found that it wasn't actually anything to do with me)

3
1

RealVNC distances itself from factories, power plants, PCs hooked up to password-less VNC

djack

How times change .. not

I remember finding similar issues on clients' machines years ago. Though this was unsecured PCAnywhere sessions on dial-up connections.

1
0

The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?

djack

Zotac Steam Box

I followed the link about Zotac's upcoming steam box. Full, glitzy press release oh! and product details ...

ZOTAC Previews ZBOX Steam Machine

Intel Core processor (TBA)

NVIDIA GeForce GTX graphics processor (TBA)

Other details TBA

Final naming TBA

All-black 3rd Generation ZBOX chassis

Orange lighting

SteamOS preinstalled

Steam Controller bundled

Coming 2H 2014

Ahh, informative.

I found that complaining about the (beta) installation process of an OS that is still in beta, and is targeted for self install only by people comfortable building their own rig from scratch, or bought pre-installed on a system to be a little disingenuous.

3
0

Linux kernel devs made to finger their dongles before contributing code

djack

Re: Good for them, and for Yubico

@MyffyW

There is no hard 'artificial' expiration feature. However, there is an internal counter that is incremented every time the device is plugged in. This counter serves as part of the authentication mechanism to prevent replay (and provide some protection from pre-play) attacks. That counter is a 16-bit word. Yubico say that this corresponds to about 25 tokens every day for 7 years or 5 tokens every day for 35 years.

(http://static.yubico.com/var/uploads/pdfs/Security_Evaluation_2009-09-09.pdf)

You can replace the secret key on a Yubikey but I'm not sure if this resets that counter or not.

1
0
djack

Re: Good for them, and for Yubico

Yep,

I really like Yubikey. Effective and nice and cheap. So cheap that it's feasible to use for your home system security. Each key costs about £25 and that's it. No licensing fees for authentication software, 'agents' or ongoing support fees.

As they supply a preconfigured freeradius virtual appliance, you can (with a bit of work - no more than any other 2FA system) use it with almost anything.

1
0

Google leaves STUPID vuln on Nest devices

djack

Panic!!

I've just found you can do this with practically any computer or laptop!

All you need is an uber dangerous hacker tool called a 'boot disk' and you can load your own software onto the computer without logging in!!!

Remember, these are real computers with important things like accounts, porn and world of warcraft characters stored on them.

But, shh, keep it to yourselves guys, I might present this at next year's defcon.

But seriously, this actually makes it more likely that I will buy one. I was interested in Nest when it first came out but was instantly turned off by its reliance on 'the cloud'. If I can mod the software on these to only talk to my servers, I could be interested.

I like home automation, as long as all that data stays within my security domain.

3
0

Motorist 'thought car had caught fire' as Adele track came on stereo

djack

Re: Genuine reason.

"Except you shouldn't expect a warning of FIRE coming from the radio."

He clearly didn't realise that the message was from the radio. Many modern cars have a multifunctional display in the middle of the dashboard. Trip computer, door ajar warnings, parking sensor warnings and audio information etc. etc. all share the same space, with whatever is selected (or deemed more appropriate by the car) shown at any one time.

7
0

Amazon's Spotify-for-books: THE TRUTH

djack

There already is something similar to that bundled into Prime, the 'Kindle lending library' ("Over 500,000 Kindle titles to borrow for free"). As they are trying to strong-arm the indies into agreeing terms to be included, we can assume that the new service does not cover their entire catalogue.

So, this is even more money for similar access to an unknown, but limited selection (sorry, that will be 'selected titles') that you can't query in advance?

1
0

Manic malware Mayhem spreads through Linux, FreeBSD web servers

djack

Re: The fock?

AFAIK, the malware uses humans.txt as a test to see if RFI is possible. Seems a bit daft and wasteful to me. Implying that Google could prevent this malware (and therefore it's all Google's fault) by changing humans.txt seems a bit disingenuous to me. The test could be easily changed to refer to any other arbitrary file.

7
0
