* Posts by Craig 8

23 posts • joined 31 Jul 2009

Security damn well IS a dirty word, actually

Craig 8
Holmes

Re: Its the people, not the computer

Some people are unscrupulous, and some people are gullible, and no amount of technology is going to change that.

It's not necessary to understand how to build a car in order to drive one, and I don't suppose anyone thinks mechanical engineering should be part of the driving test, so what happens? You take your car in for service and the garage tries it on by saying "your brake disks are under tolerance, you need new ones to be safe" which, if you have any sense, you politely decline. This happened to me a few years ago and I took the same car back to the same garage a year later and, for laughs, said "can you be sure to check out the brakes please?" and they came back and said "your brakes are fine, but we need to do [this other expensive work]". This was not a backstreet operation, it was a main dealer for a prestige brand, incidentally.

Perhaps what we need to do is stop wringing our hands about bad people using the Internet and just deal with it. You don't trust everyone you meet face-to-face, so don't trust people you "meet" on the Internet.

4
0

Twitter clients stay signed in with pre-breach passwords

Craig 8
Thumb Down

It's NOT a login [Re: There is a very clear risk]

The "auth" stands for "authorisation", not for "authentication". The authorised service never had your password in the first place, so it is entirely irrelevant whether your password is changed or not. What you want to do its revoke the authorizations, not change your authentication credentials.

1
0
Craig 8
Stop

I Don't Think You've Quite Understood This...

Let's see, the point of OAuth is that you can authorise services to access your Twitter account without needing your password. Logically, I don't see any reason that this should change just because you change your password; you might change your password every month for security reasons (yeah, right!) but that shouldn't mean you've stopped trusting the services you said you trusted before.

There's some wrong-headed thinking here, that "change my password" should be the same thing as "reset all the security decisions I've ever made". If you think your account may have been breached, there are several other things you should do (like checking what spam has been posted in your name) as well as changing your password and revoking any inappropriate authorizations.

2
0

Silly gits upload private crypto keys to public GitHub projects

Craig 8
Facepalm

Re: There's always google of course.

Fair play, "BEGIN RSA PRIVATE KEY" site:github.com returns 29,100 results, and "Proc-Type: 4,ENCRYPTED" site:github.com returns 5,200 results, so it does look like the majority of them are in plain, which is pretty dumb.

2
0
Craig 8
Stop

More detail is needed

Before I believe this is a major security cock-up, I want to know how many of those private key files were actually password protected. While it's still inadvisable to post your private keys publicly, even if they're encrypted, there's a world of difference between that and posting just the plan key. All the formats found by the sample searches quoted can, and should be, password protected.

3
0

Cloudy admin? Here's how to ward off Call of Duty-playing teens

Craig 8
WTF?

> looked at the identity of an application

How's it do that then?

0
0

Free Android apps often secretly make calls, use the camera

Craig 8
WTF?

SMobile's Ethics

In case anyone doubts that they shamelessly used a fatal disaster to plug their anti-virus product, I was amazed to find the video still online here: http://www.smobilesystems.com/fox-news-interview-with-rick-roscitt/

0
0
Craig 8
Unhappy

I suppose this is the part of Juniper that used to be SMobile. Frankly I don't believe a word they say. Why does the headline bear no relationship to the content of the article? Did they find ANY apps that SECRETLY make calls and use the camera? I think not. I still remember the time when an SMobile executive went on local TV in the US after a bridge collapse saying, yes, wasn't it terrible that people died, but think how much worse it would have been if the emergency services had malware on their smartphones. WTF?

0
0

Caltech shrinks optical accelerometers

Craig 8
Devil

> They're probably about to ****ing buy some washing powder anyway.

Yes, but the supermarket knows which brand you normally buy, and now has the opportunity to influence you to buy a different brand that's more profitable for them. *That's* why they would do it on a mobile (tied to a specific person and their buying habits) and not on a TV screen; also if you normally buy the profitable brand anyway then they can save money by not offering you the discount.

You're just not thinking evil enough.

0
0

Nokia pumps up Lumia browsing with Xpress

Craig 8
Stop

What About the Security?

Rendering the HTML on a server means breaking the end-to-end security model of SSL/TLS browsing. Opera Mini is great and I use it a lot for reading public web sites, but I'd never do any payment transactions with it. Even if you trust Opera/Nokia/whoever-else, what happens when they get hacked?

2
0

Password hints easily snaffled from Windows PCs

Craig 8
WTF?

re "You might want to encrypt that"

What do you suggest it's encrypted with? given that the point is to display it without the user entering their password of course (chicken and egg).

5
0

GCHQ to encrypt your tweets with Enigma - for science

Craig 8
Stop

Where are they going to get the cribs?

To use a Turing Bombe to crack an Enigma message, you require a "crib" (some known plaintext of the message). Are they going to add a fixed preamble to every message to provide that crib, then? (e.g. "Cheltenham Science Fair: ...") I think it's only fair to disclose that, as otherwise the educational point is missed, i.e. that the Bombes weren't magic and weren't even computers, they just tested all the possible rotor orders and positions.

1
0

Researchers propose ‘overclock’ scheme for mobiles

Craig 8

This is not news

Symbian was working on this 5 or 6 years ago. The cost of the SoC is the only problem.

0
0

FTC tears into Apple, Google over kids' privacy - or lack of

Craig 8

re "any app updates can't ask for more permissions in the future"

Assuming we're talking about Android, then yes, they can. The difference is that if you don't ask for more permissions then the update can happen invisibly in the background, but if you do then the user has to explictly permit the update. Seems like a reasonable model.

0
0
Craig 8

"go back to symbian" Re: Winds me up this corporate bullshit...

To be fair, Symbian OS doesn't allow you to selectively grant permissions either. I think there are other reasons for preferring Symbian over Android, but I'm afraid the permissions model isn't one of them (Symbian's implementation is arguably better but the design is essentially the same, app gets all permissions at install time or it doesn't get installed).

0
0

Facebook password reset coming to phone near you

Craig 8
Black Helicopters

Suspect Motives

Facebook seem awfully keen to get people's mobile numbers, but of course they're doing this to help you, not to give them more opportunities to make money from you, oh no...

2
0

PlayStation Network credit cards protected by encryption

Craig 8
Stop

Encrypted, so what?

It doesn't matter that it was encrypted, it doesn't even matter much how it was encrypted, what really matters is, where were the encryption keys and how were *they* protected?

0
0

Mobile Trojan mimics Android clean-up tool

Craig 8

> As a soon to be Android owner, what am I missing here?

The original malware (downloaded from the legitimate Android Market) rooted the device, and was able to install other software from places other than the Android Market. Google can remove the original malware, but not any of the other software it may or may not have installed in the meantime.

1
0

LG comes to the NFC party

Craig 8
WTF?

NFC in Televisions?

Are the unwashed masses supposed to get off their couches and tap their phones on the screen to vote in X-Factor then, or what?

0
0

Experts rubbish iPhone for health use

Craig 8
FAIL

What Pete B Said...

Never mind the f-ing battery life! I don't want my medical data put on any smart phone, the risk of it being lost, stolen or corrupted is far too great.

3
0

Nokia: go straight to Symbian 3, skip Symbian 2

Craig 8
FAIL

@Paul, how about...

learning the difference between flash memory (C:) and RAM (heap)?

0
0

Crypto pioneer and security chief exits Sun

Craig 8
Stop

Pioneer, yes, but Inventor?

I have nothing against Whit, who is a friend-of-a-friend and by all accounts a very affable gentleman and deserving of his place in the history of computer security, but he doesn't have exclusive claim to inventing public key cryptography. James Ellis et al. in the UK reportedly got there first (although it was classified at the time) and Diffie and Hellman's work was apparently based on Ralph Merkle's.

0
0

Malware afflicts 1.5% of Symbian handsets

Craig 8
Thumb Down

"Study" lacking grasp of statistics, scruples

See http://secblog.symbian.org/2009/07/31/mobile-malware-study-not-news/ for a rebuttal.

0
0

Forums