150 posts • joined 16 Jun 2009
Re: So how secure are 'biometrics'?
"I'm not sure where you are banking. I have multiple US and UK bank accounts and precisely NONE of them have the security of my paypal, apple, or Microsoft accounts (i.e. dual factor)."
Barclays and Natwest (at least) use 2FA with tokens generated by the chip on your debit card. The Barclays variant (I've not used the NatWest one) authenticates access to the account and at the transaction level (the first time you send money to a recipient).
Re: @Keith stupid (calculator size) chip and pin devices for every purchase
"Is the token thingy in the same wallet as the credit/debit card?"
Probably, but that isn't an issue as you need to input your card PIN each time you use it (like you do in a physical shop).
Re: @Keith stupid (calculator size) chip and pin devices for every purchase
AFAIK, all those calculator things use the standard EMV (Euro?? Mastercard Visa) authentication package that is embedded in the chip on your bank card. As such they are pretty interchangeable - at the very least I can log into my Barclays account using a NatWest device.
It's not too difficult to get a couple of the things (hint: most banks will send you a new one if it gets lost or breaks) and at work, all you need is to get one to share between a small group of trusted people.
It can be made relatively painless really easily too, perhaps you force authentication once (a year?) for each individual combination of retailer and delivery address.
Re: So how secure are 'biometrics'?
Yep, it doesn't matter what biometric is used or even if it is impossible to fool the reader. Biometric authentication is fundamentally the same as any other form.
During enrolment, the authentication server collects data about your authenticator. This may be your password (hash), a seed for a 2FA token, an X.509 public key or the base sample data for the biometric (etc. etc.).
During authentication, credential data is collected from the user. This could be input via a keyboard, smartcard reader or some weird and wonderful scanning device. This data is now a normal blob of data. It may be processed by the client before being sent to the authentication server for processing.
The server compares what it is given by the client to what it has got stored in some fashion. This comparison will result in either a positive or negative result. The authentication server doesn't give a damn about your fingerprint, iris scan or anal probe results, all it needs is a blob of data. If you can supply some data that it can match and inject it into the right place in the communications channel, the server will accept it.
That's why on many Windows networks if you have a password hash, it matters not that you don't know the password, or if you have a 2FA token seed and the generation algorithm, you don't need the original token. If you have enough information about a biometric credential and the system in use, you don't need the actual body part and just bypass the scanner hardware.
In the password or 2FA examples, you can revoke the credential and issue a new one. Short of forced surgery, there is simply no way of doing this with biometrics.
Their Description is Right too..
"Holding your cell phone visible giving the driver hands free driving"
Did they really mean that?
Re: Misleading Language
Considering the number of servers out there still supporting Ssl version 2, I can see this being an issue for a long time.
Re: Decline of the high street
The high-street retailers are more of a victim of parking fees and restrictions. They (generally) don't want or enforce them and it's their customers who have the option of going elsewhere.
I've never heard of Code Club or the lady in question before, but I must applaud her stance on not sacrificing her principles.
There are quite a few significant issues with ssh version 1 (the protocol, not any particular implementation), yet you still see it available all over the shop.
That is the thing they are meaning. By all means stay away from the bleeding edge, but also stay away from the bloody and broken obsolete stuff too.
Re: They've got you...
Not really, transmission implies that you have the information in question and are sending it somewhere. Even if you have made a request for the transmission to be made, you are still only receiving it.
I was asked to look at some of the back-end systems for this kind of stuff for a council a few years back. The issues I saw were very scary (even if I weren't under NDA I still wouldn't say as you'd think I'd made it up) and needless to say I chickened out of trying to actually experiment with anything. You can imagine the thoughts running through my head as I joined the massive traffic-jam on the way home. (I later found that it wasn't actually anything to do with me)
How times change .. not
I remember finding similar issues on clients' machines years ago. Though this was unsecured PCAnywhere sessions on dial-up connections.
Zotac Steam Box
I followed the link about Zotac's upcoming steam box. Full, glitzy press release oh! and product details ...
ZOTAC Previews ZBOX Steam Machine
Intel Core processor (TBA)
NVIDIA GeForce GTX graphics processor (TBA)
Other details TBA
Final naming TBA
All-black 3rd Generation ZBOX chassis
Steam Controller bundled
Coming 2H 2014
I found that complaining about the (beta) installation process of an OS that is still in beta, and is targeted for self install only by people comfortable building their own rig from scratch, or bought pre-installed on a system to be a little disingenuous.
Re: Good for them, and for Yubico
There is no hard 'artificial' expiration feature. However, there is an internal counter that is incremented every time the device is plugged in. This counter serves as part of the authentication mechanism to prevent replay (and provide some protection from pre-play) attacks. That counter is a 16-bit word. Yubico say that this corresponds to about 25 tokens every day for 7 years or 5 tokens every day for 35 years.
You can replace the secret key on a Yubikey but I'm not sure if this resets that counter or not.
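As an added illustration of the plug-in counter described in the post above (example code written here, not the post's own nor Yubico's), this is the server-side bookkeeping that lets a 16-bit counter reject replayed or pre-captured tokens. The key id, the counter arriving alongside each one-time password, and the result labels are assumptions.

```python
# Added example: server-side replay check built on a 16-bit, monotonically
# increasing device counter, as the post describes for a Yubikey.
# Assumptions: each presented OTP carries a key id and its counter value;
# the OTP itself is assumed to have been cryptographically verified already.
COUNTER_BITS = 16
COUNTER_MAX = (1 << COUNTER_BITS) - 1   # 65535, the largest value a 16-bit word holds


class CounterStore:
    """Remembers, per key id, the highest counter value accepted so far."""

    def __init__(self):
        self.last_seen = {}   # key id (str) -> highest accepted counter (int)

    def check(self, key_id: str, counter: int) -> str:
        """Return 'ok', 'replay' or 'invalid' for a presented counter value."""
        if not 0 <= counter <= COUNTER_MAX:
            return "invalid"      # cannot come from a healthy 16-bit counter
        last = self.last_seen.get(key_id, -1)
        if counter <= last:
            # Same counter: the token was already used (replay).
            # Lower counter: a token captured earlier and presented late (pre-play).
            return "replay"
        self.last_seen[key_id] = counter
        return "ok"

    def remaining_uses(self, key_id: str) -> int:
        """How many counter values are left before this key's counter wraps."""
        return COUNTER_MAX - self.last_seen.get(key_id, -1)


def lifetime_years(uses_per_day: int, days_per_year: int = 365) -> float:
    """Years until a 16-bit counter is exhausted at a constant usage rate."""
    return (COUNTER_MAX + 1) / (uses_per_day * days_per_year)


if __name__ == "__main__":
    store = CounterStore()
    # Constructed sequence: fresh token, the same token replayed, an older one.
    for counter in (5, 5, 4, 6):
        print(counter, store.check("key-A", counter))
    print("uses left:", store.remaining_uses("key-A"))
    print("25/day lasts about %.1f years" % lifetime_years(25))
    print("5/day lasts about %.1f years" % lifetime_years(5))
```

The two lifetime figures reproduce the post's "25 tokens a day for 7 years or 5 a day for 35 years" from the 16-bit width alone.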
Re: Good for them, and for Yubico
I really like Yubikey. Effective and nice and cheap. So cheap that it's feasible to use for your home system security. Each key costs about £25 and that's it. No licensing fees for authentication software, 'agents' or ongoing support fees.
As they supply a preconfigured freeradius virtual appliance, you can (with a bit of work - no more than any other 2FA system) use it with almost anything.
I've just found you can do this with practically any computer or laptop!
All you need is an uber dangerous hacker tool called a 'boot disk' and you can load your own software onto the computer without logging in!!!
Remember, these are real computers with important things like accounts, porn and world of warcraft characters stored on them.
But, shh, keep it to yourselves guys, I might present this at next year's defcon.
But seriously, this actually makes it more likely that I will buy one. I was interested in Nest when it first came out but was instantly turned off by its reliance on 'the cloud'. If I can mod the software on these to only talk to my servers, I could be interested.
I like home automation, as long as all that data stays within my security domain.
Re: Genuine reason.
"Except you shouldn't expect a warning of FIRE coming from the radio."
He clearly didn't realise that the message was from the radio. Many modern cars have a multifunctional display in the middle of the dashboard. Trip computer, door ajar warnings, parking sensor warnings and audio information etc. etc. all share the same space, with whatever is selected (or deemed more appropriate by the car) shown at any one time.
There already is something similar to that bundled into Prime, the 'Kindle lending library' ("Over 500,000 Kindle titles to borrow for free"). As they are trying to strong-arm the indies into agreeing terms to be included, we can assume that the new service does not cover their entire catalogue.
So, this is even more money for similar access to an unknown, but limited selection (sorry, that will be 'selected titles') that you can't query in advance?
Re: The fock?
AFAIK, the malware uses humans.txt as a test to see if rfi is possible. Seems a bit daft and wasteful to me. Implying that Google could prevent this malware (and therefore it's all Google's fault) by changing humans.txt seems a bit disingenuous to me. The test could be easily changed to refer to any other arbitrary file.
Re: So much better than original FW
I assure you the signal is very different. Before I could not connect to the network at all from outside the house. I was able to sit in the garden and work yesterday morning :)
I'm also a fan of Mikrotik, in fact I'd just ordered one of their boxes as a replacement AP when I had the brainwave of checking the OpenWRT compatibility. I now need to decide whether to send it back or keep it as a spare (you can never have too many spare bits of kit ;) )
So much better than original FW
I only 'discovered' OpenWRT a couple of days ago and quickly disproved two beliefs I had about the software: I thought it was only useful if you need extra features not included in the manufacturer's firmware and that it was only for Linksys routers. How wrong I was.
I have a new TP-Link wireless AP. This thing had a weak signal that kept dropping out and needing a reboot. I had tried everything to make it work reliably and was on the verge of chucking it out until I noticed that OpenWRT would run on it. The difference was noticeable straight away, I have a much more stable network and can now even access it from further afield than before. I honestly don't know why TP-Link bothered trying to write their own FW, just ship the thing with OpenWRT, or have the installation instructions as the first step in the manual ;)
Re: The economics
From what (little) I know of RenderMan, it is a rendering suite and a very flexible one. It is not a modelling or animation tool, you (can) throw the models and scenes you produce in those tools into RenderMan to get your pretty pictures.
£10 - really?
To pick this up again from the last time this story was reported ..
Quite where can one buy a network accessible KVM device for £10??
Ebay has plenty of connector cables for (much more expensive) IPKVM switches but I have yet to see any evidence to back up this £10 claim.
"When you're dying due to shitty sales it's not the time to go cutting off sales channels of any kind"
Even if said sales channel is explicitly trying to poach your loyal customers for a competitor? It looks like if they stayed with T-M, they would have fewer customers, not more.
Re: Great idea, but there's just one thing
That's exactly why this is a mailing list rather than a website. Everyone can create an archive wherever they want. Just as the archives of the old FD list are available all over the place.
Besides, Fyodor has repeatedly proven his backbone in the face of takedown 'requests' and the like over the years.
"Finally, if going abroad give the customers an easy way to inform the bank, we are going to be in country X between Y and Z."
One of the few things that MBNA have got right is precisely this. I just drop them a text saying when, where and how long and it's all sorted.
I'm pretty sure that my card was cloned whilst I was in a UK airport when going abroad on holiday a couple of years back. The number was used several times (though I had not attempted to use it whilst away) and the anti-fraud systems kicked in really quickly. The dodgy charges were all sorted and the card cancelled within a few hours of me getting to the hotel and there was a nice shiny new card waiting for me when I got home :)
Dunno, seems to be bash PN month at the reg.
Re: For me there is a basic question
'The crucial difference was *the Cisco router could be patched*.'
The supplied Thompson device is actually firmware upgradable, though it's a faff on to do it. I had to flash the stock manufacturer's FW onto mine to allow my firewall to do PPPoE itself. The butchered firmware it came with was truly dire.
Re: And nothing of value was lost...
I disagree, there has been a fair amount of good stuff on BBC Three. As well as those other examples that started on the channel, Being Human and The Revolution Will Be Televised spring to mind.
I don't think that there has been anything on TV recently that has called out the hypocrisy, corruption and double-dealing in the government and large commercial entities.
That said, they could easily fit all of the quality programmes and new experimental stuff on BBC 1 and 2 by cutting down on the number of repeats and examining the synopsis of the shows they have. If the word 'reality' appears in there, then chop the programme. Simple.
What's this got to do with WhatsApp?
Thanks for that link - most informative. A couple of things jumped out at me ...
What information will be shared? : Your NHS number and date of birth, your postcode.
Some reasons why you might choose to opt out: There is a small risk of your data being traced back to you. You cannot be sure which companies may have access to your information in the future.
So.. one item of data that uniquely identifies you and two others that, when combined, can almost certainly identify you only pose a 'small risk' of identification?? Oh, and you have no idea where this data is going to end up - who in their right mind can think that this situation is acceptable?
The fact that there is no standard, straight-forward way of opting out of this speaks volumes.
From what I have read, Station X was the name for the whole BP operation and not much (if any) wireless listening was actually done there. There were numerous Station Y (Y-erless .. geddit?) posts around the globe that actually did the listening and intercepts, most of which were sent to Station X for decrypting.
Many stories about Station Y posts are covered in "The Secret Listeners" by Sinclair McKay. Quite a fascinating read. The managers at BP were upsetting other, related organisations even then and we actually had the sort of PRISM-like data capture capability that everyone is getting up in arms about today .. back in the 20s.
Re: Can't resist
The games you have bought may not have been ported, but there are many that have. For example, of the entire Valve collection only Portal 2 and CS:GO don't have a Linux version (no idea why those two have been left out). I have almost a hundred titles in my library - most of which were imported via the humble bundle, but some were recent Linux specific purchases. The others being the HalfLife 2 bundle I bought when Steam was first launched.
Re: @DropBear Beg pardon?
"Can you tell me how you do that please."
Install owncloud (http://www.owncloud.org/) on a server.
Install a CalDAV and CardDAV client on your phone (I use two separate apps, but people have reported good results with DAVdroid).
I have calendar and contacts synced between my phone, tablet, laptop and desktop.
"Cable & Wireless Worldwide became part of Vodafone in April this year."
Yep. C&W have run those networks for many years. A few years back, they lost the contract to Energis - remember them? They won the gov contract and were then quickly bought by .. Cable and Wireless .. odd, that ;)
"..Many BT exchanges used to (and I suspect still do) have classified compartments"
Quite true. However, it does not set them apart from other large companies. For example, it's no secret that Vodafone runs the GSI network, which deals with a lot of the classified data traffic in the UK. Most large players in the managed datacentre field have secured DCs that can be used to house classified services and data.
So what was your point?
What are the Affected Schemes?
Why does there not seem to be a full list of the schemes that Loyaltybuild were responsible for? A couple of company names have been given, but how are people expected to know if they are affected without a definitive list of the schemes?
I'm pretty sure that this will be the first that 99% of the people on the schemes have heard of 'Loyaltybuild'.
Re: So will this 7% rise be in addition to the 11.5% rise BB only subs got gouged with?
"Handily VM have included a setting in the admin screens to switch off hub features and enable "modem only mode". There is no reason to stick with 20Mbps just because you don't want a superhub because there is no good reason not to want a superhub"
When the 'super' hub first came out, the modem only mode did not exist. It was simply a planned feature for the future. This came in at the time I was moving out from a shared house with VM BB. They lost me as a customer because they wouldn't supply me with a device that behaved like a plain modem.
That situation has changed now, it may be that Pete 47 isn't aware of the upgrade.
" I don't use Google products now bar analytics, but even that is soon to change."
You are probably already aware of this, but Piwik does an amount of the stuff that google analytics does and can be self hosted ..
Re: 6502/6809's rool btw...
"EIEIO on the 6502? You jest. It's the PowerPC "Enforce Instruction Execution In Order" opcode."
Hmm, my memory is failing.
The mnemonic expands to the same wording, but I've definitely not done any assembly code on PowerPC (not done any at all for at least 15 years tbh) so it must have existed on an earlier platform. It could have been 68000 I suppose.
Re: 6502/6809's rool btw...
Whilst I was more of a Z80 kid, I do remember being amused by EIEIO on the 6502 (I think!)
Re: dont get it
The point of the differences is not to find the best performing system, it is to find a sweet spot between price and performance that a typical user would accept.
It's my understanding that SteamOS will be free to download and install wherever you want.
I'm sure that they'd be delighted to have your input.
Re: Really? Are you sure?
Unlike physical security, who typically have no need to enter the secure areas (just keep others out), information security is much more far-reaching. There isn't a clear boundary that is the only place you need to actively defend, you need eyes everywhere from the external boundary firewall(s) through to internal authentication, applications and data stores.
Also, the skills needed to break in are not the same as those needed to secure. My field, penetration testing, is the one where people always fail to see that. A bad guy needs to 'simply' find one way to compromise the system and exploit that.
In addition to that I need to find as many other ways as possible and know how to mitigate or fix those issues. I also have to do that with as minimal an impact on the system (not always possible) and communicate the issues to the system owner. I'm also expected to know about pretty much anything that I encounter on a network.
Re: at least my unlocked iPad and iPhone works ANYWHERE!
If it were a radio issue, the warning would point out that it won't work at all in the other countries. The implication here is that roaming would work, and just not a local SIM. Whilst a technical limitation of a device is disappointing, adding deliberate blocks to functionality that the device has is abhorrent to me (even more than defending Apple).
Is it possible that there is a new standard for a SIM that has only been rolled out in Europe and that the phone depends on a feature in this version?
Re: This is supposed to be a tech site
"er no ... <£10 on eBay (I checked)"
Link please. I checked also and failed miserably to find one.
Re: Police are looking for the smug git
True, the Android crowd have already started slavishly copying its new features.
... two years ago : http://www.gsmarena.com/motorola_atrix-3709.php
Re: Do I spot a tendency here?
I've always thought that to MS, the term 'partner' means 'entity in the queue to be shafted'
Typical O2 Rip-off
£2 for only 25MB ??!
Get on Three, throughout most of Europe it is £5 a day (note the lack of a data cap) - that was cheaper than the WiFi in the hotel I was in :)