* Posts by Adam 1

1576 posts • joined 7 May 2012

'I found a bug that let anyone read anyone's Yahoo! Mail and all I got was this $10k check'

Adam 1
Silver badge

Re: Misread as $10

You are right. It was a terrible misunderstanding. The cheque was actually for $10!!!

0
0

Android, Qualcomm move on insecure GPS almanac downloads

Adam 1
Silver badge

Re: This will be fertile ground for attackers to check

Not sure how that would work. Definitely worth a look, but as I understand it this is just a "try these areas first" collection of data points. That is to say, it can't interfere with the positioning values themselves (via http MitM).

My old tom tom would take several minutes to find itself; you basically have to drop to that sort of brute force scan.

It is possible to believe that a malformed file could be misprocessed causing a buffer overflow or equivalent. Seriously though, if you want an easy way to pwn most android handsets, write a simple app with two threads, activate copy on write, load an executable owned by root and .... you know what, I'm not doing your homework, this isn't stack overflow here...

0
0

Robotics is coming on leaps and bounds – literally: Bushbaby bot most vertically agile yet

Adam 1
Silver badge

two things

> US Army backs droid for search and rescue missions

Yeah. That's definitely the use case they have in mind. The other one plays jingle bells.

> Roboticists

That has got to be the most awesome job title for your business card.

-- Adam 1 - Roboticist

1
0

Don't have a Dirty COW, man: Android gets full kernel hijack patch

Adam 1
Silver badge

I assumed this would have been fixed long ago

At least there is no way for an evil app could get itself root access. Oh wait....

Come on Chocolate Factory. You get all 90 days on other vendors.

0
1

Sony kills off secret backdoor in 80 internet-connected CCTV models

Adam 1
Silver badge

> you can login as root and get command-line-level access to the operating system if you can crack these password hashes:

$1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)

iMaxAEXStYyd6 (gen-6 models)

---

In that case I'll be extra careful to not Google those hashes in a day or two.

0
0

Local TV presenter shouted 'f*cking hell' to open news bulletin

Adam 1
Silver badge

Re: Who cares?

I know it's only Tuesday, but @gazthejourno for FotW.

4
0

Apple blames air for iPhone 6S's narcolepsy

Adam 1
Silver badge

Tbh, it's not the premature shutdown on a galaxy note that would worry me about their batteries.

0
0

'Toyota dealer stole my wife's saucy snaps from phone, emailed them to a swingers website'

Adam 1
Silver badge

Going for a walk alone in the wrong part of town is going to result in a mugging or worse. Leaving your iPad on the back seat of your car in some poorly lit car park is going to result in a smashed window and no more iPad.

None of this excuses or reinforces the behaviour of the perpetrators. It's simply a recognition that there are injustices in this world. We can chew gum and walk here.

8
1

UCam247 tells El Reg most of its cams aren't vulnerable to GET vuln

Adam 1
Silver badge

clearly fake

> IoT security camera vendor ...

and

> A new firmware is due to be released within the next couple of weeks

Clearly a real IoT product would never release updated firmware to fix things

2
0

Google's Project Zero tweaking Microsoft, because it did fix a bug

Adam 1
Silver badge

Re: accidental fix

Well that pretty much describes windows update. Here's a font vulnerability fix that breaks outlook.

Seriously though, it is the responsibility of the original developer to create sufficient test case coverage that my fix gets rejected by the build server. Apart from the most egregious introduced bugs, if someone breaks functionality that I wrote, I ask myself:

* Did I adequately name the variable/parameter/method/field/const/enum/class/whatever?

* Did I include a comment where what is being done is obvious but why it's done less so?

* Did it structure my code with single responsibility principles?

If the answer to those is no then I tend to blame myself.

0
0
Adam 1
Silver badge

accidental fix

It happens with software all the time, where by the time a specific bug bubbles up through onto a sprint, it has been coincidentally neutered by another fix or improvement. It can also happen when a developer working on an unrelated ticket stumbles upon the initial problem and fixes it at the same time, legitimately believing that it had never been reported. Obviously not saying that this is definitely what happened here, but let's not feign surprise about something that would happen in a product as big as windows at least daily has indeed happened.

5
0

Adblock again beats publishers' Adblock-blocking attempts

Adam 1
Silver badge

Re: Why is this even a discussion?

> But the publisher can tell if ads are being loaded or not

To do this they need to wait for the ad content to download and render before delivering the content. With video or animations that is impossible. Even for simple images or text you would be adding substantial lag to your page display time for the 80%ish users who aren't using them.

Current detection approaches involve making using JavaScript to fetch a beacon from the ad network and then detect whether that download is blocked. The simple counter measure allows such beacons to download but it does prevent simple hosts file blocking of the whole network.

There are other possible measures. Many moons ago I had to deliver a "way too complex for html of the day" report over the web which ended up being a dynamic png rendered on the server side. These days you could do it with html5 and angular. It was an absolute usability nightmare. You could get dynamic screen sizes to be taken into account and image map out hyperlinks but it was non trivial. It also made it inaccessible to screen readers.

I'd like to think that websites would not screw up everyone's experience to spite the relatively small proportion of users who bypass their ads. Then again, we are already stuck with animations that interfere with content, fake download buttons, etc all apparently in the name of supporting websites so yeah.

3
0
Adam 1
Silver badge

Re: Why is this even a discussion?

Not quite. When you ask for x, you get exactly x. This x contains URIs for other resources such as images, videos, scripts, stylesheets and frames. Your browser then requests those resources and renders them. The ad blockers work by choosing to not download some of those resources and/or adjusting the stylesheet so those resources are not visible.

4
2

100k+ petition: MPs must consider debating Snoopers' Charter again

Adam 1
Silver badge

Re: Well...

> This IP had a TCP connection to that IP and this amount of data went in one way and another amount in the other direction.

You have possibly just made the first really good argument to switch all comms to IP6...

0
2

Microsoft update servers left all Azure RHEL instances hackable

Adam 1
Silver badge

Re: $3500 for having found a risk of that magnitude ?

A blackhat could have mined bitcoin with every new instance of red hat on Azure, pushing a custom version of ps that hides the process and a custom version of ls that masks the version details of ps. Setting up a 24 hour "do nothing" on first start would make this really hard to detect as would throttling the computations to say 25% of the CPU in a low priority process.

3500 is a joke given that risk.

4
0

Grand App Auto: Tesla smartphone hack can track, locate, unlock, and start cars

Adam 1
Silver badge

Re: You don't mention...

I'm just glad that all the products and services that I use have proper cryptographic protection on their auth tokens and so can't possibly be vulnerable to such MitM attacks.

I LOVE BOOGERS!

0
0

IBM pays up after 'clearly failing' DDoS protection for Australia's #censusfail

Adam 1
Silver badge

it's actually quite simple

1. IBM don't want to get excluded from circa $500,000,000 pa in contacts. $30,000,000 (and it's less) is a pretty good investment on those numbers.

2. The government can't afford the focus to fixate on their failure to appoint someone to that position for the better part of a year and to accidentally forget it in a reshuffle, and then replacing the minister in charge mere weeks before. They can't even stop their coalition partners from freelancing, they need this off the front page.

3. The ABS needs this to disappear too. They have screwed up numerous indexes over the past few years because of poorly planned methodology changes. Their hubris on privacy was exposed for what it is. Everyone I spoke to on it scratched their heads about how the maximum anticipated load could be so low. It defied common sense. Everyone I have spoken to who I would describe as technically literate were puzzled by the suggestion that ddos can be prevented with geo blocking (even if done well). Let alone the inevitable truth stretching that happens when people are forced to identify themselves. The data will be forever tainted by larger than typical "typos". But hey, at least linkage keys right?

So this settlement is a win win win for IBM, the government and the ABS. Just a shame for the rest of us who hoped that it might be useful for policy development.

4
0

Comcast is the honey badger of ISPs – injects pop-ups into browsers, doesn't give a fsck

Adam 1
Silver badge

> and you get redirected to the page where you can purchase more

Which absolutely shouldn't be possible if security is done right. You can't serve a 302 when MitM a HTTPS connection unless you can convince my browser to trust the certificate you sign the page with. And with HSTS you can't even get my browser to talk HTTP even if you type it into the address bar if the server is known to support HTTPS. (Try to visit Google over HTTP)

And if you use a VPN, your ISP has exactly zero ability even for this sort of farting around. Send an SMS or email. Hardly rocket science.

1
0

Australian government never asked nbn™ to apply for private loans

Adam 1
Silver badge

> loan made on cost grounds, not due to concerns about the business model

Colour me shocked. How convenient. The question isn't about whether someone somewhere would lend them the money at 15%pa or whatever. The question is why the market would put a large premium on those loans. Hint: the project has suffered from the Not Invented Here syndrome with stupid meddling just so there was a way to throw a waste and mismanagement angle at the political foes. Whilst the original plan was hardly perfect, it at least would have left us with a cheap to maintain cheap to upgrade natural monopoly that unlike the mistakes made when privatising Telstra did not result in a vertically integrated entity with a self interest in making their competitors' network access difficult. When something is perceived to have higher risk, the interest rate must be higher to attract capital. It's the same reason that payday loans have ridiculous interest rates and government bonds have low interest rates.

2
0

TfL to track Tube users in stations by their MAC addresses

Adam 1
Silver badge

Re: switch off your Wi-Fi...

That is brilliant AC. Thanks

0
0
Adam 1
Silver badge

Re: switch off your Wi-Fi...

Device initiates. If you want your device to be untrackable*, you need to switch off WiFi. I think there are some ways to randomise the MAC address periodically to reduce the problem but you can bet lots of places do this.

*By WiFi traffic analysis I mean. It's still going to be broadcasting on its 4G frequency.

1
0

The encryption conundrum: Should tech compromise or double down?

Adam 1
Silver badge

Re: Is it me?

Yes it's you. The problem with the suggested backdoored encryption is one of mathematics. The person between Bob and Alice is an adversary. There is no value judgement on the adversary. Perhaps Bob and Alice are evil and the adversary is benevolent. The crux is that you can't make it easy for the good adversary without making it easy for the bad one. The best you could hope for is some sort of golden key, so then we turn to how we keep that protected. Given the US was unable to prevent early nuclear research finding its way into Soviet hands, what makes you remotely imagine that such a sweet honeypot would not be leaked. Those 20 million OPM records could easily be used to blackmail for access.

But let's just leave all those challenges aside for the moment and pretend there can exist a solution if we "try harder". Why would any terrorist use encryption that they know to be broken when they have the mathematically secure algorithms already in existence. You are throwing out the baby with the bathwater except not even managing to throw out the bathwater you wanted to dispose of.

20
0
Adam 1
Silver badge

Re: Stupid is as stupid does

> I think you will find that software being written outside the USA is only a theoretical possibility

Totally agree, especially encryption technology like that designed by those two American and definitely not Belgian men Vincent Rijmen and Joan Daemen.

22
0
Adam 1
Silver badge

Re: Predictable sequence...

Perhaps I can see a way through this impasse. Apple should be made to provide a TLA friendly encryption mechanism which terrorists should be mandated to use, leaving secure encryption for those who aren't terrorists. Win win!

13
0

Antivirus tools are a useless box-ticking exercise says Google security chap

Adam 1
Silver badge

> Shadow copies / snapshots. Why are they not enabled by default on all computers, and why are they deletable? Literally just set every machine to fill up its disk with "backups" and only remove them when there's no space left

Enabled by default yes, but it hardly solves the ransomware problem. If the ransomware sees 250GB free, it just has to overwrite the files enough times that the oldest shadow copy must be from after the infection. As the files are encrypted, there is very little potential for deduping compared with more typical shadow copy use cases.

0
0
Adam 1
Silver badge

> Telling users not to click on phishing links

Surely that's phushing lunks

/ah, my coat. Thanks.

3
0

After Microsoft joins Linux, Google Cloud joins .NET Foundation

Adam 1
Silver badge

Eadon has been approached for comment.

7
0

'Pavement power' - The bad idea that never seems to die

Adam 1
Silver badge

It's also a fundamental misunderstanding of where the said energy is coming from. It does not produce energy. It consumes some of the energy that would normally be returned to the walker. This should make walking more difficult (in the same way that walking through dry sand is more difficult than walking along the wet sand at the shoreline). If walking isn't noticeably more difficult then the power extracted is pretty laughable. Basically you are using the human body as a power generator. Putting aside for the minute that some of us really should be expending a few more KJ or moderating our intake, the efficiency question becomes about how efficient a human is at generating that energy and whether it would be more environmentally friendly to burn coal (almost certainly).

There may well be some applications where you don't need much energy, where running power specifically is a PITA where this may work (eg doorbell or keyfob that gets just enough energy from the button press to broadcast its signal) but it isn't chances are against watch batteries not coal, gas, nuke, solar, wind, hydro.

4
0

Encrypted email sign-ups instantly double in wake of Trump victory

Adam 1
Silver badge

Re: Is it...

> Either way the payload is unreadable whether the payload is in the email body or on an attachment.

I disagree. I guess it depends though if you recognise that metadata is in and of itself also data. And that social graphs can be drawn from those headers. And that goes to the heart of freedom of association. We don't use email for its security capabilities. We use it because of inertia and because distributed key sharing without a trusted intermediary is a dam hard problem to solve.

0
0

Angry user demands three site visits to fix email address typos

Adam 1
Silver badge

Re: Nightmare!

Of course electricity naturally flows downhill. Geez people. I thought it was obvious how the high voltage lines were really high up, local street distribution tends to be about 10m up and within homes most power points are waist height or even lower down near ankle height. Why do you think it costs so much to move electricity supplies underground?

3
0

Spain's Prime Minister wants to ban internet memes. No, really

Adam 1
Silver badge

I don't understand.

I mean, one doesn't simply ban internet memes.

18
0

Robot solves Rubik's Cubes in 637 milliseconds

Adam 1
Silver badge

I'm impressed with ...

... how quick the ink dries after being quickly sprayed on all 6 sides.

4
0

Bungling ATM thieves blow up bank statement machine

Adam 1
Silver badge

Re: It's "Kontoauszugsdrucker"

Donaudampfschiffahrtsgesellschaftkontoauszugsdrucker

Do I win?

7
0

Australia again ponders making attorney-general netadmin-in-chief

Adam 1
Silver badge

why all the fuss

> Earlier this year, The Register reported strong industry opposition to the laws.

I'm sure they would have been consulted* about the changes

*As defined in the abridged dictionary of Brandis...

1
0

'Trust it': Results of Signal's first formal crypto analysis are in

Adam 1
Silver badge

Re: Yes but

The two statements that concern me about this research are:

1. Signal employs a novel and unstudied design, involving over ten different types of keys and a complex update process which leads to various chains of related keys

Novelty is not a positive feature. It doesn't necessarily mean it's negative (all designs were at some point in human history considered novel in this sense) but anything that makes it harder to study is just security through obscurity. In the same way obscurity doesn't mean insecure, but the obscurity may mask some actual flaws from the whitehats/design reviewers so the security ends up compromised.

That leads to

2. the protocol is not substantially documented beyond its source code

Given the supposed advantage of the novel design, the design itself should be will documented at a high level so that inherent design flaws can be effectively studied. Not the implementation itself (through implementation bugs also need to be checked) but the interaction between the parties with data/keys/RNG etc for inherent attack vectors.

5
0

Browsers nix add-on after Web of Trust is caught selling users' browsing histories

Adam 1
Silver badge

Crowdsourced rating of domains for trustworthiness and child safety. It's a pity. As per others I have recommended it in the past for my less technically adept friends and family. It gives a traffic light style indicator next to Google results etc so you don't have to deal with the otherwise inevitable "I downloaded the latest version of Photoshop from myfreeverygoodsoftwarebestfree.cn (it had a padlock icon) and now my computer is slow". Uninstalling now, sigh...

1
0

Cerber ransomware menace now targeting databases

Adam 1
Silver badge

Re: Most of these arrive via the Inbox

> coming up with a suitably deterrent punishment. Like publicly skinning them alive one square centimetre at a time over the course of a week or two.

Now now. I'm not a fan of Hillary or Trump either but I think I have to draw the line at a day or two.

7
0

Microsoft puts Windows Updates on a diet with 'differential downloads'

Adam 1
Silver badge

I remember this when I was looking after about 30 win 9x boxes for a school keeping them breathing. A little esmith (now smeserver) would make the 64K connection tolerable.

The downside of http is that MitM attacks are trivial and that's not exactly comforting when your applying security patches delivered over such an insecure channel.

1
0
Adam 1
Silver badge

Re: So, granularity in patches, OK

This patch segment changes the gwx close button so it accepts the win10 upgrade.

This patch segment ignores your previously hidden update.

This patch segment adds another t registry key you need to set if you don't want gwx to update.

2
0

Want to spy on the boss? Try this phone-mast-in-an-HP printer

Adam 1
Silver badge

Re: HP Inc - please don't tell them...

Only buy genuine HP phone mast printer accessories! They updated the firmware a few months back and now if the printer detects a non genuine phone mast it will refuse to work.

3
0
Adam 1
Silver badge

Why does the phone trust the base station? Naïve me thought thinking my phone might expect some sort of certificate gets checked before it connects and can emulate a network I connect to.

11
0

Ghost of DEC Alpha is why Windows is rubbish at file compression

Adam 1
Silver badge

Re: So why not create a new v2 compression scheme?

When you burn a CD you get to choose whether to support multiple sessions on the disc to allow subsequent changes or whether to burn as a single finalised session for compatibility.

Very good compression with ultra low CPU overhead algorithms exist. The only reason I can see for wanting to avoid it would be for more efficient deduping.

2
0
Adam 1
Silver badge

Re: Obvious bull

Let's not confuse algorithm and file format. The language used seems very loose to me. The algorithms are simply the methodology taken to transform one byte stream to another. It stands to reason that different architectures will be better at some algorithms than others because of the various sizes of caches and buses involved. Some lend themselves to larger dictionaries and better parallelism than others. There's no reason other than priorities as to why they haven't switched to something more suited to x86 in newer versions.

23
0

Boffins coax non-superconductive stuff into dropping the 'non'

Adam 1
Silver badge

Well spotted.

I lower my hat to you.

18
0

Boffins one step closer to solving nanoscale computer challenge

Adam 1
Silver badge

Re: How high can you go?

And while they correct the challenge to reflect volume rather than area, they could correct the measurements to be a more meaningful nanograpefruits.

4
0

Topless in-car selfie attempt climaxes with rear-end bonking

Adam 1
Silver badge

just unbelievable

Why do people buy cars without autonomous braking systems?

1
2

Samsung are amateurs – NASA shows how you really do a battery fire

Adam 1
Silver badge

turtles

El Reg via Twitter via Engadget via popular mechanics via gizmido via wired via NASA

11
0

Blood donors' privacy anaemic after Red Cross data breach

Adam 1
Silver badge

Re: What ???

Troy did a blog post on it. Apparently some guy for reasons unexplained was connecting to random IP addresses on port 80 to find those with directory browsing which exposed database backup files and helped him(presumably)self to it. He then shared it with Troy who worked with AUSCERT to get it dealt with quickly.

Troy's argument was that since the organisation committed to actively contact those affected, since he had not shared it with anyone*1 and that the mystery guy promised he had not shared it with anyone else and promised to delete all copies he had personally*2, there were no further known copies of that data in the wild.

Now unless the mystery guy was some "friend of a friend", I'd be a bit doubtful that all copies were wiped securely. I would have preferred he treat it as a sensitive breach (even if he withheld notifications for a few weeks to let RC notify through official channels everyone they can still locate) but hey, his bat and ball, his rules.

*1 - I have completed confidence of that being true personally

*2 - I am somewhat less confident in that assurance.

1
0

Self-driving cars doomed to be bullied by pedestrians

Adam 1
Silver badge

Re: fun.apply(handbrake)

The point is valid but this paper makes a bit of a time jump. We are not going to swap over from meat bags to microchips overnight. Cars will automate more functions over time. Cruise control became adaptive cruise control became autopilot. Reversing sensors became reversing cameras became surround cameras and self parking. In the medium term, even self driving capable cars will allow meat bag control, so the pedestrian has to risk the fact that the car may not be under AI control.

In reality, many cars today come with autonomous braking systems that could equally be pranked by chicken players. In another few years, that'll be every car from energy level up (probably will become part of the highway codes)

I'm a bit more optimistic than the paper anyhow.

5
0

How Google's Project Zero made Apple refactor its kernel

Adam 1
Silver badge

And kudos to slurp for not trying any 90 day crap in spite of the fact that either iOS becoming unstable due to a rushed fix or remaining knowingly insecure would both commercially benefit them.

0
0

Forums