Posts by Adam 1

919 posts • joined 7 May 2012


Farewell to Borland C++: Embarcadero releases Delphi and C++ Builder 10

Adam 1
Silver badge

> $3000+ freezes out

Ah, you have used it.

0
0

Ex top judge admits he's incapable of reading email, doesn't own a PC

Adam 1
Silver badge

Re: But don't try that story in his court

Meanwhile, with the shoe firmly on the other foot...

I didn't mean to front that protection racket your honour. I never opened the attachments to notice the connection. You can bet your bottom dollar that arguments are being rephrased to the same excuses here.

0
0

Boffins laugh at Play Store bonehead security with instant app checker

Adam 1
Silver badge

False positives? Number of detections isn't sufficient for evaluating the detection rate. It has to have a high detection rate without misidentifying benign apps as malware. That is the tricky part.

2
2

Google tells iOS 9 app devs: Switch off HTTPS if you want that sweet sweet ad money from us

Adam 1
Silver badge

Re: The problem, if any...

Nope, sorry.

It means that any man in the middle attack can change the resource you are sending to the browser. I can replace your ad with mine and you will still be the one to get the bill. I can redirect the URLs you embed to my dodgy phishing version of your site. I can inject some malicious JavaScript and you will be fingered and blacklisted very quickly by the major ad networks.

At least with https, unsavoury folk need to pwn your server to emulate you. Https everywhere. Google, stop being dicks. You understand the risks. Most app developers don't. I will happily criticise Apple on many things, but what they are doing here is completely right. (Although no doubt they enjoy the collateral damage to their competitor)

24
0

Perhaps the AIpocalypse ISN'T imminent – if Google Translate is anything to go by, that is

Adam 1
Silver badge

Re: Messe

African or European?

6
0

Motorola monsters Apple's swipe-to-unlock patent in German court

Adam 1
Silver badge

*cough* rounded corners *cough*

8
1

Telstra News spews banking trojan after malvertising attack

Adam 1
Silver badge

doesn't cut it

> Not Teltra's (sic) fault, but not a good look for the Big T either

I wasn't aware that Telstra were under duress to include unvetted third party resources?

You can complain that you are not responsible for the content of third party resources you load in your website.

You can complain that people run adblockers.

What you can't do is both.

0
0

Samsung smart fridge leaves Gmail logins open to attack

Adam 1
Silver badge

Icy what you did there.

6
0

Brit hydro fuel cell maker: our tech charges iPhone 6 for a week

Adam 1
Silver badge

So where does one get the H2 to squeeze down the headphone nozzle thing? Do we all get to install an electrolysis kit on our kitchen bench? Or if a coffee shop/service station distribution model is planned, this would have to compete with a more simplistic swap and go style battery power pack.

0
0
Adam 1
Silver badge

Re: And what happens to the vapours?

You're, er, holding it in wrong?

4
0
Adam 1
Silver badge

But this is different. It is battery tech from a (relatively) unknown company. They always pan out!

4
0

PINs easily pinched with iPhone-attached thermal imaging kit

Adam 1
Silver badge

Re: Surely the solution is ...

Mmmm. An ATM machine that spits out bacon. What a brilliant idea!

0
0

Get whimsical and win a Western Digital Black 6TB hard drive

Adam 1
Silver badge

Spotify wants me to agree to what!?

0
0

Leaked images claim to show BlackBerry's first Android phone

Adam 1
Silver badge

Re: no longer synonymous with security then?

As late as this morning, I would consider BB as sitting in heaven's waiting room, reminiscing with Nokia about times of old....

Now I am not claiming they can dodge that bullet, it may be a case of too little too late, but looking at Google's inability to patch against stagefright et al on phones that are newer than and cost double my laptop, you have got to ask whether BB even realise the goldmine they own. I mean, a company, known for security and business use cases, with android app compatibility already, can't market their capability of keeping their devices patched. Consider the factually, um, stretched I'm a Mac ads if you want a good example of that working.

2
1

The Ashley Madison files – are people really this stupid?

Adam 1
Silver badge

Sounds like the next few BOFH episodes have just written themselves.

12
0

Anti-privacy unkillable super-cookies spreading around the world – study

Adam 1
Silver badge

Kudos to Vodafone AU

/hey, how often does one get to write that.

//still using a VPN though.

1
0

Adobe pays US$1.2M plus settlements to end 2013 breach class action

Adam 1
Silver badge

I've seen Kaspersky slap his staff with a walrus penis – and even I doubt the false-positive claims

Adam 1
Silver badge

Re: The Participant Observer Problem

The hash of the hash file has to be stored somewhere. That somewhere can also be compromised.

0
0
Adam 1
Silver badge

Lame. Walking to office*

*in Australia

0
0
Adam 1
Silver badge

Re: The Participant Observer Problem

> A hash for every Windows file

That wasn't the suggestion. It was system files. These would number in the thousands. Even if there were a million system files, that would only take 32MB of storage to hold every hash.

The bigger question is how you prove that your hash database hadn't been compromised.

0
0

Australian court slaps down Hollywood's speculative invoices

Adam 1
Silver badge

Re: I should be an account

Or a YouTube comment moderator.

6
0

Use QuickTime … and become part of the collective

Adam 1
Silver badge

Re: VLC

Heck, some ancient version of winamp would be better.

2
0

Google flubs patch for Stagefright security bug in 950 million Androids

Adam 1
Silver badge

Re: Monthly security updates will soon become a major PITA

Whether it is ART or Dalvik or whatever, it is an important point. The update process for me just took 20 minutes and at least 1/4 of the battery to spin through 141 apps. Further, if your device is encrypted then you need to enter your pass code in the middle of it, so you can't just run it unattended overnight. If it truly is optimising apps then they need to move it to a lazy load model and only optimise on first launch, and have a background process completing the job. Sometimes I wonder if they forget it is also a phone.

3
1

Watch out, Tokyo! Samsung readies a 15 TERABYTE SSD

Adam 1
Silver badge

HDDs usually give the click of death on the way out. No such warning with SSD. Of course you have working backups so none of that really matters, right?...

If I look at the area most consumers need capacity, it is videos and photo storage. Both use cases get little practical benefit from faster seek time. One more I suppose is as a backup medium. Again seek time is not a benefit. SSD has a theoretical lower minimum cost (it lacks the motors, spindles, magnets etc. that mean a 100MB hard drive today would not be much cheaper than the smallest capacity manufacturers still bother with; a 128MB SSD would by contrast be much cheaper). HDD is a technology with an end of life (or at least a far more niched existence) but we aren't there yet.

0
0

Patching a fragmented, Stagefrightened Android isn't easy

Adam 1
Silver badge

Jeep runs* QNX. Never underestimate the ability of the universe to create idiots that can break anything.

*Autocarrot wanted to write ruins. Well played Google.

0
0
Adam 1
Silver badge

Re: Sony

> Sometimes manufacturer updates aren't what they're cracked up to be

True, but I don't think that updates need to be whatever new flavour of confectionary is out. We just want security patches to be delivered promptly for a period of around the expected lifespan of the computer that happens to sometimes make phone calls. In fact, automatically changing the messaging app and moving the menus around when moving from ginger bean to ice kit pop is going to cause my folks all manner of confusion so I would prefer nothing visible.

0
0
Adam 1
Silver badge

Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem

The problem with the carriers is that they have a vested interest in obsolescence. If you have to get a new phone then they get another 2 years contract out of you.

1
0

IWF shares 'hash list' with web giants to flush out child sex abuse images online

Adam 1
Silver badge

Re: Am I being a bit thick here

> changing at very least a byte or two of data in the source image

Wouldn't even take a byte. I mean, even a change as subtle as #FFFFFF to #FEFFFF would be very* unlikely to not have a radically different MD5 and SHA1 signature.

* it is possible that the signature won't change, in the same way you might win lotto, then on the way to pick up your winnings, an asteroid shoots down toward the spot you are standing only to be blown to smithereens by a coincidental lightning strike.

0
0
Adam 1
Silver badge

> The term 'collision attack' comes to mind where two values can produce the same hash.

A hash algorithm by definition MUST permit collisions where the size of the hash is smaller than the size of the input data.

Let's use small numbers to illustrate. If your hash was just 1 byte in length, and your input was 4 bytes, you have 256 possible hashes to share amongst 4 billion-odd input possibilities. Sha1 is from memory 160 bytes, which gives 1.4615016e+48 hashes. That is a big number* but much much much smaller than the possible arrangements of bytes in a valid JPEG file.

* citation needed

1
0
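The two posts above make two separate points: that a one-unit change to a single colour channel gives an unrelated digest, and that a fixed-size digest must collide once inputs are larger than the digest. The block below, added here as an illustration and not code from the original thread, exercises both with Python's hashlib on a constructed 2x2 raw RGB pixel buffer (not a real JPEG; a JPEG would re-encode, but the hashing argument is identical for any byte string). It also reports the digest sizes it measures, 128 bits for MD5 and 160 bits for SHA-1, and a pigeonhole count for the 1-byte-hash / 4-byte-input example.

```python
import hashlib

# Constructed sample "image": a 2x2 RGB raw pixel buffer (not a real JPEG).
# The first pixel is #FFFFFF, the one the thread's example tweaks to #FEFFFF.
SAMPLE_PIXELS = bytes([
    0xFF, 0xFF, 0xFF,   # pixel 0: #FFFFFF
    0x10, 0x20, 0x30,   # pixel 1
    0x40, 0x50, 0x60,   # pixel 2
    0x70, 0x80, 0x90,   # pixel 3
])


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 of data, hex encoded (the two algorithms the thread names)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def tweak_first_pixel(data: bytes) -> bytes:
    """Copy of data with the first pixel's red channel lowered by one (#FFFFFF -> #FEFFFF)."""
    out = bytearray(data)
    out[0] = (out[0] - 1) % 256
    return bytes(out)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(data: bytes) -> dict:
    """Hash data before and after the one-channel tweak; report how many digest bits moved."""
    before = digests(data)
    after = digests(tweak_first_pixel(data))
    return {
        "md5_bits_changed": differing_bits(before["md5"], after["md5"]),
        "sha1_bits_changed": differing_bits(before["sha1"], after["sha1"]),
        "md5_len_bits": len(before["md5"]) * 4,     # hex chars * 4 bits each
        "sha1_len_bits": len(before["sha1"]) * 4,
    }


def pigeonhole(hash_bits: int, input_bytes: int) -> dict:
    """Count distinct outputs vs inputs; inputs longer than the digest force collisions."""
    outputs = 2 ** hash_bits
    inputs = 2 ** (8 * input_bytes)
    return {
        "outputs": outputs,
        "inputs": inputs,
        "collisions_forced": inputs > outputs,
        # ceiling division: some digest is shared by at least this many inputs
        "min_inputs_sharing_some_hash": -(-inputs // outputs),
    }


if __name__ == "__main__":
    print(avalanche_report(SAMPLE_PIXELS))
    print(pigeonhole(8, 4))       # the thread's 1-byte hash, 4-byte input example
    print(f"2**160 = {2**160:.4e}")
```

Roughly half the digest bits change for a one-bit input change on a well-behaved hash, which is the "radically different signature" the first post describes; the pigeonhole figures are exact and hold regardless of how the hash is designed, which is the second post's point. The block also confirms the 2^160 ≈ 1.46e48 figure the post quotes.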

Another day, another stunning security flaw in Android – this time hitting 55% of mobes

Adam 1
Silver badge

Re: Permissions?

On a serious note, as a developer (a real one not an app developer :p) being able to stipulate the permissions you don't need is quite a nice security layer. If I decided that the world didn't have enough photo editors and that I should release my own, I can stipulate that it should not access the contacts. If my advertising network started spewing out malware, perhaps a more conservative token collection may mitigate the malware.

1
1
Adam 1
Silver badge

Re: Permissions?

You think you are the phone owner. Cute.

6
2
Adam 1
Silver badge

Re: innocuous-looking app which, when installed

I give far more credence to the number of and nature of permissions requested than the number of g+ users who give it 5 stars and usually some indecipherable comment.

The raison d'etre of the permissions model is to limit what an app can do. If it fails to do this then it is a critical flaw. But imagine there was some bug in your phone's PIN entry screen where pressing the volume rocker logged you in. I suppose you would argue that such a bug isn't too bad because one should expect that anyone who can physically access it could pwn it.

2
0

Hack a garage and the car inside with a child's toy and a few chips

Adam 1
Silver badge

Re: Driving the car

Yes, DOS is possible, but it is already possible. I remember visiting a scenic lookout tower about 10 years ago. It doubled as a communications tower. Upon returning to my car, the fob did not work. If you are going to DOS then the easiest and most effective technique is to flood the airwaves in those frequencies with white noise, not some elaborate fob emulator. The backup plan is to use your key. :)

0
0
Adam 1
Silver badge

Re: Driving the car

Sure. We move well past my knowledge of how they are implemented presently, but it really wouldn't be too hard to do. If each keyfob has an identifier that gets broadcast with the code, and the car ignores unpaired fob identifiers, then the brute force would have to emulate a particular fob. Then you can count brute force attempts by a fob id having too many wrong guesses and lock them out.

0
0
Adam 1
Silver badge

Re: Driving the car

Wouldn't a far simpler solution be for the door, on detecting say 1000 open attempts, to switch off the receiver for 5 minutes? Make brute forcing impractical.

1
0

Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Adam 1
Silver badge

Re: Pretty obvious - a keylogger was installed

> except if you use something like Keepass then even a key logger is not useful without the db you unlocked,

Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in their normal day to day operation need to plant listening devices for suspects.

It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.

0
0

Microsoft's Windows 10 Torrent-U-Like updates GULP DOWN your precious bandwidth

Adam 1
Silver badge

Re: Security vulnerability waiting to happen

It's no more risky than https. The slithers would be validated with something like sha256 or 512. The hashes for all of the slithers would probably get downloaded over https or would maybe just rely on a digital signature to prove those hashes were decided by Microsoft.

1
0
Adam 1
Silver badge

Re: And sharing malware in 5 4 3

Someone doesn't understand how hashes work. Put it this way: if that was possible, don't you think Hollywood would be corrupting the torrents left, right and centre? For sure you could send my computer malware instead of the patch. Problem for you is that it won't be signed with Microsoft's private signature so my computer will file it to the Windows equivalent of /dev/null.

3
0
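The two posts above describe chunk-level hash verification for peer-delivered updates, and the earlier Kaspersky thread raised the matching question for a system-file hash database: where does the hash of the hash list live? The block below is an added example written for this page, not Microsoft's Delivery Optimization format or any real client: the manifest layout, the 8-byte chunk size and the payload are all constructed, and the digital signature the post mentions is stood in for by a pinned manifest digest that is assumed to have arrived over a trusted channel. It assembles a blob from two untrusted peers, one of which substitutes a chunk, and then shows that a peer who rewrites both the chunks and the manifest passes every per-chunk check and is only caught by that pinned root.

```python
import hashlib
import json

CHUNK = 8   # bytes per chunk; tiny so the constructed sample stays readable


def split(blob: bytes) -> list:
    return [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]


def build_manifest(blob: bytes) -> dict:
    """What the publisher ships: one SHA-256 per chunk plus the total length."""
    return {"chunk_size": CHUNK, "length": len(blob),
            "chunks": [hashlib.sha256(c).hexdigest() for c in split(blob)]}


def manifest_digest(manifest: dict) -> str:
    """Hash of the hash list. This one value is what needs a trusted channel or a signature."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def fetch_from_peers(manifest: dict, peers: list) -> tuple:
    """Assemble the blob from untrusted peers (each a dict index -> bytes), taking every
    chunk from the first peer whose copy matches the manifest.
    Returns (blob or None, list of (peer, index) pairs that failed verification)."""
    rejected = []
    assembled = []
    for idx, expected in enumerate(manifest["chunks"]):
        good = None
        for p, peer in enumerate(peers):
            data = peer.get(idx)
            if data is None:
                continue
            if hashlib.sha256(data).hexdigest() == expected:
                good = data
                break
            rejected.append((p, idx))
        if good is None:                       # no peer had a valid copy of this chunk
            return None, rejected
        assembled.append(good)
    blob = b"".join(assembled)
    if len(blob) != manifest["length"]:
        return None, rejected
    return blob, rejected


def demo() -> dict:
    PATCH = b"constructed-patch-payload-bytes-0123456789abcdef"   # constructed stand-in, 6 chunks
    manifest = build_manifest(PATCH)
    trusted_root = manifest_digest(manifest)   # assumed to come over HTTPS or under a signature
    honest = dict(enumerate(split(PATCH)))
    evil = dict(honest)
    evil[2] = b"MALWARE!"                      # substituted chunk, same length as the original
    blob, rejected = fetch_from_peers(manifest, [evil, honest])

    # The "hash of the hash file" point: a peer that also rewrites the manifest is
    # self-consistent at the chunk level and only the pinned root digest catches it.
    evil_blob = b"".join(evil[i] for i in range(len(evil)))
    evil_manifest = build_manifest(evil_blob)
    evil_blob_ok, _ = fetch_from_peers(evil_manifest, [evil])
    return {
        "assembled_ok": blob == PATCH,
        "rejected": rejected,
        "evil_manifest_self_consistent": evil_blob_ok == evil_blob,
        "evil_manifest_matches_root": manifest_digest(evil_manifest) == trusted_root,
    }


if __name__ == "__main__":
    print(demo())
```

The same structure answers the system-file question from the earlier thread: a baseline of per-file hashes is only as trustworthy as the one root value you can pin somewhere the attacker cannot reach (a signature key, a value stored off-box, or firmware-held measurements), and an attacker who can rewrite the baseline along with the files defeats everything below that root.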

Edge out rivals? No! Firefox boss BLASTS Microsoft's Windows 10 browser brouhaha

Adam 1
Silver badge

Re: And there's more!

P2P is a completely sensible way to distribute large files. Do you not find it a bit weird that your laptop, PC and media centre* all independently download the same patches over your internet connection rather than sharing amongst themselves and only downloading it once?

I suggest you flag your network as metered..

* yes, sadly dead now

3
1

US to rethink hacker tool export rules after mass freakout in security land

Adam 1
Silver badge

Re: The pen is mightier than the sword.

Tin foil? Like those military/citizen blankets for treating people for hypothermia?

3
0

Telcos given a breather to meet Oz metadata retention laws

Adam 1
Silver badge

So $127 million to setup collection for about 7.5 million connections. So $17 ish per household. For something that can be bypassed for the price of a cup of coffee a month.

/posted from Romania, because why not, it demonstrates just what a stupid waste of money this is.

0
0

MORE Windows 10 bugs! Too many Start menu apps BREAK it

Adam 1
Silver badge

Re: I have 600

Also, 2^9? Really? You could kinda understand some numpty using the wrong type and ending up with a 256 limit. 512 is quite creative though.

1
0

Got an Android phone? SMASH IT with a hammer – and do it NOW

Adam 1
Silver badge

Re: filter at the telco level?

OK, assuming some sort of signature based pattern can identify the infected video, why involve the telco at all? That would mean that the hangouts app itself could perform the scan before sending it off for preview. This is important, because hangouts can be pushed through Google play as an update.

Although it wouldn't eliminate the attack vector (too many insufficient-storage-esque errors on old devices), the attack surface would easily and quickly halve.

OK Google, you've got 90 days.

3
1

Australia to tax ALL international online purchases

Adam 1
Silver badge

Re: Won't affect my spending habits.

THIS.

The eBays and Amazons of this world aren't used as some sort of GST avoidance scheme. They are substantially more than 10% cheaper in most cases, are available at 10:30 at night, have detailed information about their products, user reviews and the like. No checkout queues (have you actually been to one of your shops Gerry? Do your sales team know what is available in the market or are they too busy pushing the lines offering the best bonus that month?)

Take something simple like a phone case for some modern smartphone. How much change do you get from $35? Now go to eBay and do the same. If you are paying more than $10 you probably weren't looking very hard. Jumping from $10 to $11 doesn't change the equation.

By all means, include online purchases for GST (and add healthcare and education while you are there). Then fix up the super tax concessions, CGT and negative gearing avoidance schemes. That'll fix your revenue problem.

4
0

Sydney adopts 'world's first' e-ink parking signs

Adam 1
Silver badge

Next micro business, some kid with Photoshop charging 20 bucks to change the times on the sign for your fine protest letter.

13
0

Crazy Chrysler security hole: USB stick fix incoming for 1.4 million cars

Adam 1
Silver badge

IoT must die

The sooner that we stop stumbling around the opportunities and take the threats with the same level of consideration, the safer we will be.

It just struck me about a discussion I have been having with someone who was complaining about their browser of choice's decision to block a certificate signed with an old broken algorithm. The inconvenience is real, but so is the threat. I was struck because I know they get the same emails as me and that they were again flooded with IoT development technology's marketing. A lot of energy went into pushing people into such devices, but there is really nothing on security.

You wouldn't feel safe with a Windows Vista machine with no patches applied, yet we are building impossible to update firmware into all sorts of gadgets with life expectancies above and beyond. It is a weird world sometimes.

4
0
Adam 1
Silver badge

Maybe not, but assuming the very long bow that such connectivity of the core systems of your car is needed, why were they not NAT'd inside some walled garden?

2
0

Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

Adam 1
Silver badge

Re: Congratulations on repeating exploits before they can be fixed

You're reporting it wrong....

0
0

Your gadget batteries endanger planes, says Boeing

Adam 1
Silver badge

Re: Temperature

Stackexchange; is there anything you don't know?

0
0

Mozilla's ‘Great or Dead’ philosophy may save bloated blimp Firefox

Adam 1
Silver badge

Re: Agree - don't run scripts without permission. mMatrix and mBlock are good for chrome.

>Why can't they bring these libraries under their own domain and take responsibility?

1. They would then have to pay for that bandwidth.

2. Chances are that their site is not the first you have visited that includes that particular framework. They can therefore leverage the cached (possibly even precompiled) version for better load times.

3. A website is never going to take responsibility for the resources your computer asks for.

1
0
