* Posts by Jamie Jones

1435 posts • joined 14 Jun 2007

Heartbleed exploit, inoculation, both released

Jamie Jones
Silver badge

Re: @Michael Wojcik

2 errors in the comments in this thread:

"They use their own malloc"

No. If you follow the spaghetti trail that is the source code, you'll see that their "malloc wrapper" is simply a call to the system malloc.

"This wouldn't have happened if they used calloc"

Yes it would. Try it yourself!

This bug has nothing to do with memory allocation. It seems many people think that the buffer is malloced to the 64k by virtue of the attacking packet, but only the much smaller payload is copied into the buffer, exposing the rest of the buffer as malloced but stale data.

THIS ISN'T THE CASE!

Besides, any sane malloc on a multi-user system would clear/randomize the returned buffer.

What is happening is that 64K of data is being copied into a 64kb buffer, from a char * buffer that contains the much smaller data sent by the attacker, hence overfilling the buffer with other variable data on the stack.

It can be simplified to:

#include <string.h>

char retbuf[65535];

char sentbuf[1];

/* copies 65535 bytes out of a 1-byte source: the read runs past sentbuf */
memcpy (retbuf, sentbuf, 65535);

I.e. it's read-overflow (or 'buffer overflow' by reading rather than writing) - nothing to do with the memory allocation!

1
0
Jamie Jones
Silver badge
Facepalm

Re: **facepalm**

"You are aware that there are IDS rules to detect large-packet TLS responses specifically to spot Heartbleed then? No? Oh..."

Hmmmm, so you're saying the attack will be caught on those servers which have updated IDS rules, but not patched servers?

In other words, any update made to explicitly stop/catch heartbleed is irrelevant when talking about attacks against heartbleed!

0
0
Jamie Jones
Silver badge

Re: this could be exploited in just 4 bytes

"The 4 byte example was enough to show it would work, not enough to have any chance of stealing useful data."

Nah... 4 bytes is all that is needed - in fact, any more would be less effective, as you'd be 'overwriting' the out-of-bounds data you'll be getting back!

Note, this is the request data we are talking about. Many such small requests receiving 64Kb replies may be detected, though.

0
0

Canadian taxman says hundreds pierced by Heartbleed SSL skewer

Jamie Jones
Silver badge

Re: This is nonsense...

Um. My apache servers record both the data size of the request, and the response.

If they have something like that, wouldn't checking the logs for repeated large requests that go nowhere imply they were being heartbled?

1
0

OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts

Jamie Jones
Silver badge

Re: "Google's Android 4.1.1 is vulnerable"

"Yes the library inplementing the protocol has a flaw and there is a vulnerability, but the consequences to humanity at large of unsuspecting clients connecting to malicious servers (servers which will still be expected to present a valid SSL certificate) are rather than less serious than those from malicious clients connecting to unsuspecting servers."

Ummm, I don't think anyone has said the problems for clients are just as serious, however you don't seem to understand the situation.

Are you saying you only ever visit google and your bank's websites? Or maybe you use the lesser-known plugin "httpsNoWhere"?

Any site you visit could have malicious code - even a non-https site could have embedded https stuff (with a valid certificate too - that's not relevant)

So, you are basically trusting the honesty *and* security of every site you visit, and every third party ad company/image broker/js-library provider they use.

2
1

Running OpenSSL? Patch now to fix CRITICAL bug

Jamie Jones
Silver badge
Happy

Re: Isn't it ironic...

"Oh, and Jamie Jones: There is nothing wrong with Alanis Morissette's understanding of irony; armchair pedants who think there is clearly don't know what irony is."

Now, that's ironic!

I'm not implying that any old random URL posted is somehow authoritative, but this one is accurate:

http://fgk.hanau.net/articles/ironic.html

0
1
Jamie Jones
Silver badge

Re: Isn't it ironic...

Huh?

Either I've missed something, or you're from the Alanis Morissette school of irony.....

5
0

Cheat Win XP DEATH: Little-known tool to save you from the XPocalypse

Jamie Jones
Silver badge
Facepalm

Re: Danger Will Robinson

"Hyperthetically"

Thank-you fellow commentards for not commenting on that abomination of a brain-fart (honestly!)

1
0
Jamie Jones
Silver badge
Pint

Re: Danger Will Robinson

Bollox.

Hyperthetically, if I have a valid license for XP that is no longer in use, I'm perfectly entitled to transfer it to another installation if it's a transfer and not a copy.

Why do people still think EULAs are above the law?

Adding to that, breaking a contract doesn't automatically mean you are breaking the law anyway.

17
0

Google-funded boffins figure out age-busting facial prediction system

Jamie Jones
Silver badge
Thumb Up

"It would be alot more convincing if they showed unfudged output images side-by-side with the real pictures. Photoshopping them into the real pictures ruins the credibility in my opinion."

I agree.

At first I thought this amazing algorithm could also predict the way they stood and even the type and colour of clothes they wore!

0
0

Not just websites hit by OpenSSL's Heartbleed – PCs, phones and more under threat

Jamie Jones
Silver badge
FAIL

Re: Who Still Uses Malloc?

Any sane OS (basically all multiuser systems) already zeroes freshly malloced memory, otherwise it would be a trivial method of extracting memory information the user wouldn't normally be privileged to do so.

This bug is nothing to do with malloc - it's a basic overflow - the data returned is bigger than the allocated size, thus returning other parts of the process's memory/variables.

So even using calloc throughout would have made no difference here.

Please check before posting that you are secure on that high-horse of yours! :-)

1
0
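
The read overflow described in this comment and in the earlier "Re: @Michael Wojcik" comment, as an added example that is not part of either post or of OpenSSL's source: a handler that trusts the length field in the request, next to one that checks it against the bytes actually received. The arena, the padding-free record layout, the function names and the secret string are all constructed for illustration, and the reply buffer comes from calloc to show that zeroing it does not stop the leak.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for process memory; the demo never reads outside it. */
#define SECRET "session-key=CONSTRUCTED-EXAMPLE"
#define RECORD_LEN 4u            /* type(1) + claimed length(2) + payload(1) */
static uint8_t arena[64];

static void arena_init(uint16_t claimed_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                /* heartbeat request */
    arena[1] = (uint8_t)(claimed_len >> 8);      /* length field: sender-chosen */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    arena[3] = 'A';                              /* the one real payload byte */
    memcpy(arena + RECORD_LEN, SECRET, sizeof SECRET); /* unrelated neighbour data */
}

/* Vulnerable shape: copy length comes from the packet; rec_len is ignored. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    *out = calloc(1, payload ? payload : 1);     /* zeroed reply buffer */
    if (*out == NULL) return 0;
    memcpy(*out, rec + 3, payload);              /* source over-read happens here */
    return payload;
}

/* Hardened shape: drop records whose claimed payload exceeds the bytes received. */
static size_t heartbeat_checked(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    *out = NULL;
    if (rec_len < 3) return 0;                   /* too short to hold a header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload > rec_len) return 0; /* real records add padding too */
    *out = calloc(1, payload ? payload : 1);
    if (*out == NULL) return 0;
    memcpy(*out, rec + 3, payload);
    return payload;
}

static int contains_secret(const uint8_t *buf, size_t n)
{
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* 1 if the reply to a 1-byte payload claiming `claimed` bytes holds the secret. */
static int reply_leaks(int use_checked, uint16_t claimed)
{
    uint8_t *reply = NULL;
    arena_init(claimed);
    size_t n = use_checked ? heartbeat_checked(arena, RECORD_LEN, &reply)
                           : heartbeat_vulnerable(arena, RECORD_LEN, &reply);
    int leaked = reply != NULL && contains_secret(reply, n);
    free(reply);
    return leaked;
}

int main(void)
{
    printf("leak: vulnerable=%d checked=%d\n", reply_leaks(0, 40), reply_leaks(1, 40));
    return 0;
}
```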

Tesla in 'Ethernet port carries data' SCANDAL

Jamie Jones
Silver badge
Facepalm

Re: "Because ethernet and wireless are the same."

someone could plug in an ethernet wireless adaptor in and mess up my sat-nav?

How on earth can we survive this, when all we had to worry about before was brake lines being cut, sugar in the petrol, a banana up the exhaust pipe etc..

Sigh, if someone drives into oncoming traffic or off a cliff due to satnav issues, they shouldn't be on the road!

1
0

Torvalds rails at Linux developer: 'I'm f*cking tired of your code'

Jamie Jones
Silver badge

Re: coding

"Dismissing someone who is leading the biggest and most important software project in existence based on "he used naughty words mummy". Grow the fuck up."

Your obvious bias shows with that comment, but leaving that aside, I'd say Obama is a more important person as a leader of something, and I'm sure you wouldn't expect him to behave the same way.

1
3

In three hours, Microsoft gave the Windows-verse everything it needed

Jamie Jones
Silver badge

Re: Too Little Too Late

"The world has moved on from Microsoft's proprietary API's to FOSS solutions like Android, ChromeOS, Ubuntu, and SteamOS. "

Hmmmmm, another one who thinks FOSS == Linux/GNU

Your use of the 'fanboi-alert' penguin icon was a clue!

5
1
Jamie Jones
Silver badge

Re: Lots more than that -

"Now now, look what you did - you spoiled all the fun with your unwelcome little fact. Tyrion was an a roll with 5 upvotes already!"

Indeed. As a long time opponent of Microsoft OS's and business practices, I get frustrated by the damage done by the FUD spreading Linux users that happen to be cult-of-RMS fanbois, they do more harm than good to Linux and FOSS in general.

4
3

Can you tell a man's intelligence simply by looking at him? Yes

Jamie Jones
Silver badge
Windows

I don't know......

It started in school, when someone came to give a talk on apprenticeships, and was surprised to hear that I was going to University.....

And continues throughout my adult career when people (both in and out of the field) say that they are surprised as I don't look like I'm good with computers..

p.s. Post icon is being used for non-windows purposes!

0
0

Amazon is decompiling our apps in security gaffe hunt, says dev

Jamie Jones
Silver badge

If there are security issues for others, then you have to be responsible.

Additionally, I've made many cockups that I'll admit to, but as I tried to say, for an error so fundamental...

Are you saying there is *nothing* embarrassing that you've ever done you'd rather keep to yourself?

Also, note, the blog post wasn't even warning/advising about the error itself - that was an aside - his story was that Amazon picked it up. I'm sure if they hadn't, and he found out his error through other means, no article would have been written.

0
0
Jamie Jones
Silver badge
FAIL

I'm no Reg shill, but it is clearly implied that at the very least he is shocked by this, and deems it a revelation worth posting about:

Amazon Is Downloading Apps From Google Play and Inspecting Them

I got the following email from Amazon about one of our Android apps that uses our AWS credentials as simple strings in the app itself.

Clearly Amazon or someone working with them is downloading apps from the Google Play Store and decompiling and/or otherwise inspecting them.

I’ve since fixed this problem, but my guess is that I am not alone in using credentials like this in my apps.

I'd personally never make such a schoolboy error, but if I did, telling everyone about it would be the last thing on my mind!

3
1

App cr*p

Jamie Jones
Silver badge
Thumb Up

Re: Um...

"We don't do mobile redirects atm"

And long may it continue!

Some sense in a sea of User-Agent sniffing I once thought was in our past, but is unfortunately alive and kicking in the mobile world...

0
0

Cloud Overlords

Jamie Jones
Silver badge
FAIL

Re: Cloud Overlords

I personally haven't noticed cloud-bias in the articles either way.

The comments, however, are overwhelmingly anti-cloud, and obviously aren't being censored...

0
0
Jamie Jones
Silver badge

Re: Cloud Overlords

:-)

I assume he was referring to the original poster.

Drew, your fault for not implementing some kind of 'in reply to' header :-)

0
0

Ye Bug List

Jamie Jones
Silver badge
Unhappy

Re: Date/time in comments is now date only.

I agree totally. It's a bit of javascript bling.

Now, the time shows as '..a few minutes ago' etc. (for those of us readers unable to tell the time .....sigh)

As you've noticed, without javascript (which is how I run things on my portable devices), you just get the date and no time.

A classic case of change with no advantages and just disadvantages.

I've always commended the Reg website for being one of the 'cleanest' and fast (yet still design-rich) sites. Up until now, javascript 'enhances' have been low key and not a requirement.

This change (which isn't even user-configurable) scores a BIG black mark

0
0

Selfies are OVER: Welcome to the age of 'Sleeveface'

Jamie Jones
Silver badge

Australia's next big thing?

... hit the rest of the world about 5 years ago.

0
0
Jamie Jones
Silver badge
Happy

Re: Nice.

"Yes, you are missing something.

7-bit ASCII doesn't need the initial '0' ... The modern 8 (16/32/64)-bit systems use of ASCII should be obvious to the cognizant."

Haha, he was quoting you with the initial '0', so I guess your insult is directed at yourself?

1
0

Judge throws out lawsuit lobbed at Facebook for using kids' pics in targeted ads

Jamie Jones
Silver badge
FAIL

Re: CA Minors *can* sign contracts

" You can not delete a Facebook account, "deleting" a Facebook account merely hides your profile page."

Wrong. Facebook has both a 'deactivation' option, and a deletion option. Tin-foil-hat conspiracy theories relating to the latter option are irrelevant.

1
1

Molyneux: Working at Microsoft is 'like taking antidepressants'

Jamie Jones
Silver badge
Facepalm

Re: Confirms my view about Microsoft as a cult

"Anon", I'm as anti-MS as the next guy, but if you weren't trolling, seek professional help especially as you seemed to miss the irony talking about cults when you clearly follow the cult-of-GNU (and no I'm not saying all GNU users/developers/proponents behave cultishly, but unfortunately, many do)

1
0

Sticky Tahr-fy pudding: Ubuntu 14.04 slickest Linux desktop ever

Jamie Jones
Silver badge

Re: Head to head @1Rafayal

" Interesting that you see it that way. I see many posters ( or is it just one or two ACs) proclaiming that Windows is far superior whilst still seeming to need to rabidly attack Linux with the same old tired untruths."

As a unix user and developer for over 20 years, and a FreeBSD user/developer for 15, I actually have to agree with the 1Rafayal.

Yes, you have the windows trolls but the Linux fanbois are far more prevalent.

Even as part of the open source / free software / unix-not-windows culture, I've regularly been severely voted down for making valid points perceived as being negative against Linux.

And surely you can't have failed to see the enormous upvotes posts get for praising Linux - even those offering no actual substance?

Unfortunately the Slashdot-style 'cult-of-gnu' is alive and kicking on the Reg.

3
5

Tesla firms hot bottoms: TITANIUM armor now bolted to Model S e-cars

Jamie Jones
Silver badge

Re: "Safety does not sell"

" It worked, really, really well. An automobile design that was so out of touch with US design preferences that it couldn't be sold here was repositioned as 'it's ugly because it's safe' and people ate that shit up"

They had the same campaign here in the UK, and it worked here too - everyone 'knew' that the ugly Volvo box car was safer.

1
0

Homeopathic remedies contaminated with REAL medicine get recalled

Jamie Jones
Silver badge
Unhappy

Re: "Harvard Cancer Expert: Steve Jobs Probably Doomed Himself With Alternative Medicine"

" Sadly, the desperate act the most desperate, and grasp out at anything."

Indeed.

My cousin started going to see one, and he and his parents said it was really working. He died a month later, aged 22, after being milked by these bastards for lots of cash.

1
0

Judge rules Baidu political censorship was an editorial right

Jamie Jones
Silver badge
WTF?

World Police?

I may have missed something here, but what the hell has this got to do with New York citizens and US courts?

Maybe we should prosecute Fox News here in the UK because of the lies they broadcast

2
3

FTC: Do SSL properly or we'll shove a microscope up you for decades

Jamie Jones
Silver badge
Black Helicopters

It's a funny old world

One government department exploits weaknesses, the other punishes them!

5
0

iFixit boss: Apple has 'done everything it can to put repair guys out of business'

Jamie Jones
Silver badge
Facepalm

Re: A new Apple T&C clause needed?

Maybe they could ask for your first-born too?

Despite what so many think, terms and conditions / EULAs are not allowed to override laws or reasonable expectations.

2
0
Jamie Jones
Silver badge
Thumb Up

Even though not a very thorough response I'm surprised Apple even replied to the Reg at last!

4
0

BOYCOTT FIREFOX, rage gay devs as Mozilla appoints JavaScript daddy as CEO

Jamie Jones
Silver badge
Facepalm

Re: Jamie Jones Subconscious homophobia showing here

"Major fail for insisting that the injustice of banning gay marriage is somehow equivalent to the misery of slavery, the Holocaust, rape or many of the other issues you listed."

Major fail for erroneously insisting that what I wrote bore anything remotely resembling that.

By your logic, I also equate banning gay marriage similar to banning blue smarties.

I assume you are just trolling again, because nobody can be that stupid.

It was pretty clear (by way of *extreme analogies*) that I was saying that ultimately, you won't be happy with someone who does any of the extreme bad things, yet you presumably don't care about their smartie fixation.

So any indifferent views on whether *this* is acceptable basically reveal how little you care about the subject in hand.

Please go and develop a reading comprehension (and whilst you're at it, look up this thing called 'paragraphs')

2
4
Jamie Jones
Silver badge

Subconscious homophobia showing here.

I don't know enough about the situation, or Eich himself, so my comment is going to be directed at the general circumstance as discussed, and not necessarily the person himself.

Many comments are along the lines that his personal opinions are his own, and as long as he's not discriminating against Mozilla staff, it isn't an issue - we should respect others' opinions.

OK, extreme analogy time, in which of the following circumstances is the above paragraph an appropriate comment?, if someone donates $1000 to a group that campaigns for: (in no particular order)

-- investigations into government corruption

-- an end to racial/gender discrimination.

-- stopping cruelty to animals

-- banning blue smarties

-- restricted access to firearms

-- sending Piers Morgan to Mars

-- paedophiles rights

-- slavery

-- extermination of Jews

-- rape to be legal

-- all brown eyed women to be killed

-- piercings to be banned

-- banning gay marriage

-- an end to the BBC license fee

I'm sure you would all find some of the above unacceptable.

If you think banning gay marriage is an acceptable view for someone to financially support, then either you agree with the sentiment yourselves, or you'd be happy with someone supporting all the above examples.

1
5

Google slashes cloud storage to $0.026 per GB. Your move, Amazon

Jamie Jones
Silver badge
WTF?

Re: Not sure a small Wordpress blog

" And $10 a month for a server ain't bad either."

$10 for a 500mb server?

One of my backup servers is a FreeBSD jail - 5GB for less than $5 a month (from joinvps.com - I've nothing to do with them, just a customer etc. I think they also do the Linux equivalent at the same price)

Another is only $10 a month for a KVM VPS with native ip6 and 5 ip4's ...

0
0

Schoolkids given WORLD'S CHEAPEST TABLETS: Is it really that hard to swallow?

Jamie Jones
Silver badge
FAIL

I'm currently typing this on a tablet that cost me £33 brand new (that included postage)

In fact, since my desktop went meh, *all* my El Reg posts over the last 6 months have been on either this, or my old mobile phone (a Nokia E63 back-of-the-sock-draw phone given to me by my brother) - I find the laptop a hassle to use on the sofa/bed etc, and now it's mainly used as a server.

The phone and the tablet run terminal emulators, SSH, VNC, and browsers.

With this same tablet, I've written / debugged, / patched, and enhanced various programs - earning a bounty from one, and fixing a problem in a core FreeBSD utility. I'm currently working on another.

"And weevil, If you mean what you say, then it sounds like you don't have the energy, skill, or interest, to make one of these little things sing."

Exactly!

It's funny - those who are snobby and try to prove their 'leetness' by saying kit isn't powerful enough for them are actually proving their lack of ingenuity.

4
0

AMD: Why we had to evacuate 276TB from Oracle DB to Hadoop

Jamie Jones
Silver badge

Re: Good software, stupid name

True, I am going back to the early 90's - when open source and free software weren't generally known, and there was still a big 'Nobody gets fired for buying Microsoft' ethos..

(Yes, I know the phrase originally mentioned IBM, but it was used for Microsoft in the 90's)

1
0
Jamie Jones
Silver badge

Re: Good software, stupid name

Yep, I eventually got FreeBSD used in a previous place of employment - ultimately, its ability spoke for itself - however, in the initial stages, 'suits' weren't impressed with the word 'free' in the title.

And I'm sure we've all heard of religious American nutjobs who are against it because it 'glorifies satan' etc.

0
0

MPs blast HMRC for using anti-terrorism laws against whistleblower

Jamie Jones
Silver badge
Facepalm

Re: We want action @Mad Mike

" What do you base that on? It certainly doesn't follow on from what I said. Buffoon."

Obviously, he wasn't replying to you.

Buffoon.

2
0

The plot to kill Google cloud: We'll rename Windows Azure to MICROSOFT Azure

Jamie Jones
Silver badge
Happy

Re: The comments posted here should be on SNL in the US. You Brits ROCK!

" This was the highlight of my day. Thank you England!!!!!"

You Texans keep forgetting Wales, Scotland, and Northern Ireland!

0
0
Jamie Jones
Silver badge

Re: Logical move...

:-)

The problem is, though, that the word 'Microsoft' holds the same negative connotations - actually, I think it's worse, as there is no ambiguity to the word as there can be with 'windows'.

2
0
Jamie Jones
Silver badge
Thumb Up

" This is the company who thought that because 'people' liked running a single application full screen on their tablets, that they'd obviously like to be able to do that on their fucking great big (very expensive) desktop monitor..."

Of course, you could do that already. Microsoft's brilliance was in making a new version of windows where you had no choice(*) - thus removing the stress associated with making the decision.

And let's face it, who doesn't want a computer costing hundreds with the same functionality as a 30 quid tablet?

(*) Yes, I know the traditional desktop is there, but MS were pushing metro/not-metro (or whatever) as the next big thing.

1
0

Google grabs Gmail-using HTTPS refuseniks and coats them with SSL

Jamie Jones
Silver badge
Happy

Re: It's Secure*

Sorry, I was being a pedantic little twit (Hey, it's the internet, I'm allowed!)

0
0
Jamie Jones
Silver badge

Re: It's Secure*

"the MX record offers STARTTLS,"

Huh?

0
0

ICO decides against probe of Santander email spam scammers

Jamie Jones
Silver badge

@Alan: yep, anything@domain is too generic. That's why I use a subdomain for wildcard stuff.

@AndrueC: As above. Also, sendmail blocks 'no such user' at RCPT

Cheers, J

1
0
Jamie Jones
Silver badge
FAIL

I have <anything>@jamie.mydomain.com go to my main mailbox. If anything needs to be blacklisted it can be set to 'no such user' in the sendmail virtaliases file.

A long time ago, I used to use date-expiring email addresses for usenet, of the form YYDDD - even now, I'm still seeing sendmail rejecting spam sent to email addresses last valid in 1997!

2
0

This changes everything: Microsoft slips WinXP holdouts $100 to buy new Windows 8 PCs

Jamie Jones
Silver badge
Joke

Re: this sounds like a deal

" I'm sure. Definitely sarcastic. You posted in vain."

Yup. We definitely need(*) an "An American in the room" icon for such occasions!

/me runs away and hides

(*) Sorry, just a crappy joke about the stereotypes regarding America/British sarcasm! Don't be angry old chaps. There's plenty of cake left in the queen's parlour. Toodle pip, cheerio old fella!

5
0

The Reg's guide to cursing in Mongolian

Jamie Jones
Silver badge
Headmaster

This week?

The article is dated 15/3/2013 and the images 22/3/2013

1
0

'It is disappointing that the government secretly did this stuff'

Jamie Jones
Silver badge
Unhappy

Re: @Titus Technophobe

"Another one would be at every intersection recording all cars that went by (maybe stopping them to do so without missing any)."

We have that in the UK already - they are called 'average speed cameras'

0
0