Posts by sabroni

1639 posts • joined 11 May 2007

Elite: Dangerous 'billionaire' gamers are being 'antisocial', moan players

sabroni
Silver badge
Happy

It's for kids!

Grow up!

3
36

HTTPS bent into the next super-cookies by researcher

sabroni
Silver badge

Yes, but the example code just uses a load of different prefixes on the same domain. Then you just use script to access each subdomain in turn using http, and if the browser uses https instead then you know that bit is set.

2
0
sabroni
Silver badge

Re: Ahh, but reading the original article does

OK, it's not very clear from the article but as far as I can tell it's to do with using the fact that a single site is HSTS enabled as a bit and storing an identifier by hitting lots of sites.

So (I think) the idea is you set up 8 domains for example (to hold a byte). Hit each in turn with a URL containing a flag to ask the server to respond with "HSTS enabled" to store a 1 or "HSTS disabled" to store a 0. Then later the code attempts to read those sites again without the flag and using http. The server responds indicating whether the connection was https or not and you can reconstruct your byte with that information!

Yeah, as Google responded "defeating such fingerprinting is likely not practical without fundamental changes to how the Web works". For once I agree with Google. Gah!!!

3
0
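A toy model of the scheme described in the post above, added here as an illustration and not part of the original comment or the research it discusses: a dict-backed "browser" HSTS list and a fake origin, no network. It shows why the http read-back recovers the byte and that clearing the HSTS list (the defender's lever) is what destroys the identifier. The domain names and the `?set=1` flag are assumptions for the simulation.

```python
from urllib.parse import urlsplit

# Assumed names: one domain per bit, constructed for the simulation.
BIT_DOMAINS = [f"bit{i}.example" for i in range(8)]


class ToyBrowser:
    """Minimal model of a browser's HSTS list: hostnames seen with the header."""

    def __init__(self):
        self.hsts = set()

    def fetch(self, url, server):
        parts = urlsplit(url)
        # An HSTS-listed host is upgraded to https before the request leaves.
        scheme = "https" if parts.hostname in self.hsts else parts.scheme
        resp = server(scheme, parts.query)
        # The header is only honoured on an https response.
        if scheme == "https" and "Strict-Transport-Security" in resp:
            self.hsts.add(parts.hostname)
        return resp


def bit_server(scheme, query):
    """Toy origin: reports the scheme it saw; sends HSTS only when the write flag is present."""
    resp = {"scheme": scheme}
    if scheme == "https" and query == "set=1":
        resp["Strict-Transport-Security"] = "max-age=31536000"
    return resp


def write_id(browser, ident):
    """Write phase: bit i set -> request domain i with the flag so it lands in the HSTS list."""
    for i, dom in enumerate(BIT_DOMAINS):
        flag = "?set=1" if (ident >> i) & 1 else ""
        browser.fetch(f"https://{dom}/{flag}", bit_server)


def read_id(browser):
    """Read phase: plain http requests; the server sees https only for listed domains."""
    ident = 0
    for i, dom in enumerate(BIT_DOMAINS):
        if browser.fetch(f"http://{dom}/", bit_server)["scheme"] == "https":
            ident |= 1 << i
    return ident


def clear_hsts(browser):
    """Mitigation: wiping the HSTS list leaves nothing to read back."""
    browser.hsts.clear()
```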
sabroni
Silver badge

Investigation helps not!

So reading up on this on Wikipedia and others I see that HSTS is effectively an https-only header that tells a browser to i) communicate with the domain using only https for a specific time and ii) interpret any secure transport errors as meaning it should stop communication immediately. The header is ignored on http requests and shouldn't be sent.

So in normal use there is a potential for MITM attacks during your first contact with an HSTS site as the redirect to https happens with the usual 301. Once you connect with https you get the special header and your browser knows to always communicate to the domain using https, making further MITM attacks very difficult.

Nowhere in that is there any requirement for this information to be shared with any other domain, or any advantage to doing so. I don't see anywhere in there a requirement for a magic number between the domain and the browser. What this generates is a private list of sites and durations that the individual browser uses to force https on certain sites.

So how did this become a tracking issue?

1
0
sabroni
Silver badge

Re: the issue is about being able to use it as part of a "fingerprint",

Sorry, that explanation doesn't really help.

What is the "it" you're referring to?

The article says:

>> His point is that an HSTS “pin” is set for each HTTPS-redirected site you use, it's unique to user and site, and it's readable from your browser settings by any site <<

That looks like a domain issue, specifically "it's readable from your browser settings by any site". Is the article wrong? What am I missing?

4
0
sabroni
Silver badge

Re: If this was a cookie, it should only be readable by the server that set it.

Exactly! Isn't the issue here about boundaries not protocols? Why can other sites see a domain specific secret?

7
0

Music fans FUME over PJ Harvey ticket CHAOS as Somerset House site buckles

sabroni
Silver badge

Re: so all the "heart" and "honesty" vanishes

No, it doesn't. What you're talking about is to do with your attitude to artists and whether you think they're cool or not. Artists change over time and success can definitely change them, but it's much more complex than "successful = bad, underground = good". Step away from that and just start listening to the music. Maybe you'll find there are successful acts you actually enjoy listening to, even though they're trying to make music other people like. Some times when an artist tries to make music people like they succeed!!

0
0
sabroni
Silver badge
Happy

Re: and pray tell me how anyone can find out they don't like a track without first listening to it.

Forsooth, good sirrah, for surely that is an impossible task. But nevertheless, one can listen to said track and dislike it without expounding on its vagaries in the comment section beneath. If one does indeed post in such a manner, then one should not take offence if a gentle ribbing ensues....

0
0
sabroni
Silver badge
Thumb Up

Re: I know right!

Why do people insist on listening to music that you don't like? Fucking idiots.

0
0

Double-digit tablet growth spurt is OVER, say pundits

sabroni
Silver badge

Re: Powerful PC adds dynamic range

And what do you use when you need to get over yourself? I assume lifting gear is required....

4
1

Space Commanders lock missiles on Elite's Frontier Devs

sabroni
Silver badge

Re: so I might even buy it

Purchase it now and you are buying it; those who got it from Kickstarter were funding its development in return for a copy of the game. If you can't tell the difference then maybe you shouldn't be on Kickstarter.

9
9

Untangling .NET Core: Open source for Windows, Mac, Linux

sabroni
Silver badge

Re: No sane dev wants anything to do with MS

So everyone who disagrees with you is insane? Seems unlikely....

7
2

Spanish scraper scrapped: Google axes Google News

sabroni
Silver badge
Facepalm

Re: Google is very successful and you are simply jealous

Am I? Of course I must be, what other reason could there possibly be to criticise Google?

2
2
sabroni
Silver badge

Re: Far better to spend the money yourself and get the results you want.

And we're sure the monkeys in control of Google will be better why? Because they don't even have to scrape through an election to get in power? As long as they make money, that must be good for the country?

It's fine to spend your money for the results you want, but be honest about it, don't pretend it's for the greater good.

1
3
sabroni
Silver badge
Happy

Re: Hey, it's convenient

Well, that's ok then, convenience trumps monopolistic abuse every time.

3
4
sabroni
Silver badge
Happy

Re: *sigh*

You talking to us or your testicles?

7
1
sabroni
Silver badge
FAIL

Re: "... no less parasitic than ... academics ..."

>>So investing in the future of the country by providing training and research facilities <<

Is that what they're doing? You sure they're not just investing in the future of their own company? Wouldn't someone who wanted to invest in the country be a bit less desperate to avoid paying tax?

3
4
sabroni
Silver badge

Re: "We're not a monopoly, honest..."

Oooh, you are gonna get SUCH a downvoting for that!

14
1

Microsoft pulls a patch and offers PHANTOM FIX for the mess

sabroni
Silver badge
Happy

Re: Just sayin'

Instant downvote. Just sayin'.

0
2

Europe's top court mulls vandal's right to privacy after bloke catches thug on home CCTV

sabroni
Silver badge

Re: e.g. Google Glass

Sweet! Make users carry signs!!

(Signage? What is it with the desire to use a fancier sounding word? They're signs, not "signage"!)

1
0
sabroni
Silver badge
Stop

Re: retard

You better mean that as "slowing" and not "mentally disabled". As a term of abuse it's unacceptable. Rein it in.

3
5
sabroni
Silver badge
Facepalm

they shouldn't have tried to photograph a cop/politician/journalist.

Of course they shouldn't. Those are three groups of people we can definitely trust to behave themselves correctly at all times.

5
0

Put me through to Buffy's room, please. Sony hackers leak stars' numbers, travel aliases

sabroni
Silver badge
Thumb Up

Re: Hopefully...

It would be good to see Mr. Pointy back in action!

3
0

Security holes in iOS? We've heard of them, says Apple (as it fixes vanishing ringtones)

sabroni
Silver badge

Not every youtube "how to unlock your phone" video is genuine....

9
0

The Great Unwatched: BBC hails glorious digital future for Three

sabroni
Silver badge

Re: It's handy for a bit of late night Family Guy or American Dad

Yeah, like a shotgun is handy for shooting yourself in the face. Those two are starting to make the endless re-runs of "Two Pints of Lager" seem bearable...

2
0

Microsoft: Hey, don’t forget Visual Basic! Open source and new features coming

sabroni
Silver badge
Thumb Up

Why VB is better?

The main reasons I prefer it are that it's better at autocomplete (sharp seems to lose this ability at the drop of a hat and wants recompiling before getting it back) and better at showing errors (VB tends to flag up the line that causes the issue, sharp often flags all the references to the bad line as well, making a simple job in B much trickier in sharp). Doesn't stop me working in sharp, but it does make me wonder why B is still better at these specific things....

Sharp does late binding better! (Didn't think I'd ever be typing that....)

4
1

Facebook injects CREEPY search engine into mobile app

sabroni
Silver badge

Re: For now.

Yes, for now. They could change that, but that would be them ignoring the "only share this with friends" flag. That would be creepy. Allowing me to search posts you've already shared with me is not creepy in any way.

I'm not standing up for Facebook, I don't use it, but the Daily Mail style knee-jerk headlines and typical ill-thought-out responses posted here get on my tits.

1
0
sabroni
Silver badge
FAIL

the ability to search for any post that's been shared with you

OOOh, creepy! Except, not at all creepy as people have to share stuff with you for you to be able to search it.

0
6

Keep your court orders to YOURSELF – human rights chief slaps US

sabroni
Silver badge
Thumb Up

Re: Might I suggest acquiring some Sesame Street episodes....etc...

That is some top quality sarcasm! Nice!

4
3

Google App Engine has THIRTY flaws, says researcher

sabroni
Silver badge

Re: got no where

According to the article:

we bypassed GAE whitelisting of JRE classes / achieved complete Java VM security sandbox escape (17 full sandbox bypass PoC codes exploiting 22 issues in total);

we achieved native code execution (ability to issue arbitrary library / system calls);

Sounds like a security fail.

5
0
sabroni
Silver badge
Facepalm

Re: It's Oracle Java: Of course it's going to be riddled with security holes!

Ah, of course! I knew Google couldn't be responsible for this!

3
0

Skinny Ubuntu Linux 'Snapped' up by fat Microsoft cloud

sabroni
Silver badge
Mushroom

Extend, Embrace, Elephant

No, they're wrong when they try to shut us down AND when they work with us!

The only safe way is to go back in time and nuke them from orbit in 1990!

7
7

Grooveshark to sink its teeth again into Pandora (legally this time)

sabroni
Silver badge

And yet that model..

...is fine for Youtube. Bizarre how little the law has to do with it.

3
0

Speaking in Tech: Android 5.0 Lollipop is a TRAIN WRECK

sabroni
Silver badge

Re: Lollipop is as close to perfection as one can get

I'd say the capability to upgrade without the need to sideload or do a factory reset would get it a little closer to perfection....

0
0

Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then

sabroni
Silver badge
Unhappy

Re: and lets' not pretend Microsoft aren't pulling the strings here

Trevor, seriously, get some help.

0
0
sabroni
Silver badge

Yeah..

Remember opening the Yellow Pages and seeing all those other Yellow Pages services promoted over the competition?

No, me neither, because it didn't happen with Yellow Pages but is a fundamental part of this discussion about google... Reality.

0
3
sabroni
Silver badge
Meh

@ plrndl

Yes, I know. Only a moron would think the fact that their search is good means that they should be able to finagle themselves up the results list when they have a product to sell.

You didn't address my point, which was that there is a conflict of interest between the best search results for the user (i.e. most relevant) and for Google (i.e. promotes their other products). Care to engage on that?

1
1
sabroni
Silver badge

Re: How are they bundled?

They're returned with prominence in the search results. Is it the excellence of their services that puts them at the top of the list? Is it Google pretending to do just a search while shoehorning in ads for their own services that results in their services' prominence?

Surely anyone can see there is a potential for a conflict of interest here. It's not tricky.

9
5

MEPs want 'unbiased search', whatever that is – they're not sure either

sabroni
Silver badge

C'mon, you're not that dim.

Google don't just return 1 result per search. They could easily put some business promotion results in with the actual search results.

Google's central business plan MUST be to continue to work for its customers, the advertisers that provide its revenue. Meaning it has to keep its users onside enough to be a valuable advertising base, no more than that.

I'm not suggesting that all Google do is promote themselves, they do a ton of stuff I use and appreciate, but I'm not so enamoured with them that I'll pretend there's no conflict of interest when users search for a service that Google and its competitors both provide.

0
0
sabroni
Silver badge
WTF?

surely search by its very nature must discriminate

Indeed, but there's a difference between discriminating based on the words I type in the search box and discriminating based on your business plan. To conflate the two, or to make out that the first naturally leads to the second, is ridiculous.

6
1

Man asks internet for $1k for pebbles. INTERNET SAYS YES

sabroni
Silver badge

Re: Whisky should be served....

however the drinker likes it!! I don't like mine cold but I definitely don't want it watered down thanks.

8
0

One year on, Windows 8.1 hits milestone, nudges past XP

sabroni
Silver badge

Re: Love 8.1

The three options are "Sleep", "Shut down" or "Restart", there is no hybrid sleep menu choice.

Windows Power States

>> In Windows 8, the default shutdown behavior puts the system into hybrid shutdown <<

But you can go to power options and turn off "fast start-up" to change this, so you may well have disabled it. My laptop boots in 6 seconds with fast start on, and 12 without. If you're managing 2 seconds for a real boot you have a very fast PC... Have you tried it from a reboot without updates to see if it's still 2 seconds?

2
0
sabroni
Silver badge

Re: Love 8.1

No, it really doesn't shut down when it does that, it's in what I believe they call a "hybrid sleep" mode. If you want to see how fast it boots from cold you have to hit restart, then you get a genuine reboot.

I'm not slagging it off, I like this behaviour, means it comes on quicker, but it's misleading of MS to not make it clear that this is different behaviour to all previous versions of Windows.

3
1
sabroni
Silver badge
Happy

If your tablet supports 1080p resolution, why on earth would you accept an arbitrary 720p limit?

Easy, because Google said so!

3
1

Device fingerprinting tech: It's not a cookie, but 'cookie' rules apply

sabroni
Silver badge

Re: to protect your money!

Can I have that back now please? Not sure how you got it in the first place....

0
0

Sick of the 'criminal' lies about pie? Lobby the government HERE

sabroni
Silver badge

Re: What a fool

He didn't THINK OF THE CHILDREN!!!!

1
0

Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'

sabroni
Silver badge
Headmaster

Re: None issue for me

But it's a non-issue, not a none issue, so it has an extra "e" and a missing "-".

4
0
sabroni
Silver badge

Re: None issue for me

Thank fuck for that!

19
0

The Glorious Resolution: Feast your eyes on 5 HiDPI laptops

sabroni
Silver badge
Meh

Re: Monitor resolution

The last bastion of the patronising and pompous, apparently....

1
3

Universal Credit CRISIS: Up to £200m in IT spend WASTED – NAO

sabroni
Silver badge

@Valeyard

Complications are not "unknowns".

I'm not saying it's not complex, I'm sure it's ridiculously complex, but the complexities aren't secret.

0
0