Shirley it would have been easier
... to tell them to call a guy to fix it like last week's printer guy and head back to bed?
1515 posts • joined 7 May 2012
Collisions are only one part of the overall threat model. An important part, but in this case an irrelevant part because the attack described didn't rely on any collision.
Defences against password attacks (brute force and dictionary) rely on making them computationally infeasible for your adversary. That doesn't mean impossible, only that the compute resources required would be better employed (from the adversary's perspective) on other goals.
The main goal of running so many iterations is simply to make each guess more costly whilst still leaving it practical for a modest machine to derive the encryption key from the correct password. The change made here means that each guess is a much lower investment in compute than before. Although sha256 is more expensive than sha1 for a single iteration, it isn't 4 orders of magnitude more expensive (which is what would be needed to maintain the same resilience to brute force or dictionary based attacks).
My guess at what was wrong? The iterations argument/property value wasn't set so it picked the default value.
> "Apple have moved from pbkdf2 (sha1) with 10,000 iterations to a plain sha256 hash with a single iteration only," Thorsheim says.
They're hashing it wrong!
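To put numbers on the PBKDF2 discussion above, here is an added example (not from the article or any commenter) that derives a key both ways, measures the per-guess cost of each, and includes a guard for the guessed-at misconfiguration (an unset iteration count). The salt and password are constructed; the iteration count is the 10,000 quoted in the thread.

```python
import hashlib
import time

# Figures quoted in the thread: the old scheme was PBKDF2-HMAC-SHA1 with
# 10,000 iterations, the new one a single SHA-256 hash.
OLD_ITERATIONS = 10_000


def derive_pbkdf2_sha1(password: bytes, salt: bytes,
                       iterations: int = OLD_ITERATIONS, dklen: int = 20) -> bytes:
    """Key derivation as in the old scheme: iterated PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def derive_single_sha256(password: bytes, salt: bytes) -> bytes:
    """The weakened scheme the article describes: one SHA-256 over salt||password."""
    return hashlib.sha256(salt + password).digest()


def iterations_are_sane(iterations, floor: int = OLD_ITERATIONS) -> bool:
    """Config guard for the bug the thread guesses at: an iteration count that
    was never set (None) or silently fell to a tiny default must be rejected."""
    return iterations is not None and iterations >= floor


def cost_ratio(samples: int = 20) -> float:
    """Measured wall-clock cost per guess, old scheme divided by new scheme.
    The absolute figure is machine dependent; the thread's point is that
    a single SHA-256 is nowhere near 10^4 times slower than one SHA-1, so the
    attacker's cost per guess fell by roughly that factor."""
    pw, salt = b"correct horse", b"constructed-salt"  # constructed sample input
    t0 = time.perf_counter()
    for _ in range(samples):
        derive_pbkdf2_sha1(pw, salt)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples * 100):
        derive_single_sha256(pw, salt)
    fast = (time.perf_counter() - t0) / (samples * 100)
    return slow / fast


if __name__ == "__main__":
    print(f"old scheme costs ~{cost_ratio():.0f}x more per guess than the new one")
    print("unset iteration count accepted?", iterations_are_sane(None))
```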
Would certainly have been cheaper
Come now precious. Don't let those privacy folk scare your pretty little head. Your data is secure. Even the Australian National Audit Office says so except for those times when it doesn't but we make the claim anyway. Your data was completely secure during the attack that then definitely wasn't an attack the next morning but is now an again in the senate inquiry submission. Sorry for the confusion. It was all IBM's fault. And our pesky advertising that was too successful. And the media. It was your fault too. And those awful privacy folks who wouldn't just take our assertions.
> Many a time I've seen a printer break and someone has had to fix it. In fact on more than one occasion a printer has broken and it has had to be replaced entirely.
I've personally witnessed a few printers displaying the dreaded PC LOAD LETTER error. Even a hard power cycle wouldn't fix that one.
Only a few more disastrous multi billion dollar losses and Microsoft might make them an offer (based on a valuation of their market cap during the dot com boom).
Looking at it from a purely economic point of view, the profitability is simply a function of (percentage chance of someone plugging it in times percentage chance of them running a vulnerable system times ransom revenue per infection) minus the cost of the USB sticks. The sort of scum that would do this would have no reason to avoid the 5 finger discount at officeworks/hardly normal so let's assume that is not a big factor.
The low key distribution then minimises the chance of detection as it is much less likely to hit the major mastheads or TV news.
Combined with some phishing, this is indeed a powerful attack vector. I mean, it isn't too hard to find some large company (eg Telstra), fake an envelope with their logo, a short cover letter advertising some new foxtel streaming tie in and say there are some previews on the stick. Then a cheeky final line saying that even if you don't wish to subscribe, we hope you enjoy this 4GB USB stick.
A few logo stickers on the USB stick and even a few of us commentards may have been fooled. Some delayed execution of the malware would make detection very difficult indeed.
> e.g alcohol) , a spark in the vicinity of the liquid is enough to trigger a chain reaction
Contrary to pretty much any action thriller you have ever seen, it is rather difficult to get an explosion from petrol. Hint: firing a few rounds into the fuel tank will make a bit of a mess, but if it catches fire you can probably blame the exhaust.
A spark within proximity of a hydrocarbon does not set the liquid on fire but the evaporated gas (which in turn may produce enough heat to encourage the puddle of fuel to turn into an inferno, but that is secondary to the spark).
In the meantime, forget the spark. Please don't let lithium come into contact with air. Or water. It is really happy to see the back of that electron.
> connect islands where locals just emerged from stone age
If they are after "only just emerging from stone age broadband", they should take a look at our FTTN NBN.
LOAD "$" ,8
Who hasn't been there...
But the advances in computer power mean that homer17 should be crackable sometime next year. I'd go for something more secure like homer21.
I don't even want a breaking system in my car. That should definitely be covered by warranty.
It is possible to construct a system that way, but anyone who does should stay well away from software development.
That sort of diagnostics should only be possible by plugging something via the OBD2 port. I can well imagine a company working towards autonomous driving vehicles needs a remote override to activate the brakes during testing, but this can be achieved pretty easily by relaying the command via an onboard laptop with a 4G connection plugged into OBD2. Then your hacking risk isn't to your customers' vehicles.
Activating wipers? Applying brakes? Not sure what apps you've been using but I don't want such a feature of any car I'm in.
Alternatively, something like
If you make it blue, then over 60% is fine
Barbra Streisand hadn't replied at time of publication.
> Full disclosure: This article's author uses Let's Encrypt to provide HTTPS encryption for his personal websites. And you should use it too.
Do you use it on the comments pages for your personal websites too? That would seem to be a good fit if for some reason you found yourself running a popular comments page on your websites.
It's a bit more complicated than that. It was Brandis in that Brandis introduced the bill that eventually passed. On that note, he demonstrably showed a lack of judgement that will come back to bite us in the future, so definitely no free pass for him.
Indirectly, the ALP is tarred with the same brush here. There are times when you could argue that positions were changed by compromise and negotiation. For example, a party may claim to be against a particular service cut/tax hike but negotiate it through in such a way that the constituency that they are concerned about is compensated for that change. Sometimes it is a pragmatic decision to take a lesser of two evils on offer. That wasn't the case here though. The alternative "do nothing" was indeed a live choice and the preferred position of a significant minority of both major parties.
More directly though, there were definitely rumblings back in 2010 and 2012.
Here is a link to a senate investigation on the matter.
So Conroy is knee deep in it, even if he himself didn't pull the trigger.
Conroy was more of a tapper than a tappee given the sway his faction has.
I'm a bit mixed really. NBN; brilliant idea in its original guise. Metadata retention? Made as much sense as his red underwear gag except it is dangerous and expensive.
I would have really liked the parliamentary raid privilege issue to have been resolved though.
Regarding the backdoor key. I'm going out on a limb here and assuming that we're restricting it to "the good guys".
Who are the good guys? NSA? Five Eyes? EU? The Philippines? Turkey? Saudi? Russia? China? North Korea? Seriously, who are you going to trust this to?
Have we developed a branch of mathematics that only works when one of the said good guys is doing it?
On what occasions will this backdoor key be utilised? Terrorism? Major fraud? Dude of colour walking down the street (that seems to be a capital offence in some parts of the land of the "free")? Murder? Kidnap? Tax avoidance? DUI? Didn't pick up your dog's turd? Where is the line?
I think protecting the key is not a problem. It's not like the US ever had nuclear secrets stolen by the Russians when they were first trying to develop them? It's not like the organisation responsible for security clearances for government employees was hacked leaking details of 10s of millions of Americans and journalists who had applied for them. Pretty sure nothing could go wrong with that escrow.
>However, PPTP has been known to be flawed for years.
Your post is confusing two issues together; the security vulnerabilities in the protocol (which to my mind justify the decision to sunset it) and the length of time that is reasonable for people to get their backsides into gear and use a proper protocol.
To my knowledge, there has been no amazing breakthrough that has come to light in the past month or so that means that today is the day it's got to go. These vulnerabilities have been publicly known to exist since before Mountain Lion, but they didn't announce their sunset plans any time in the past 3 years to anyone who doesn't visit some obscure forum.
As a better model, look at how other companies are handling the transition away from sha1 certificates. Whilst the attacks against them are still believed to be impractical, we are coming close enough to realising them that we know they shouldn't be used. The big browser makers no longer accept as secure any sha1 certificate signed after a certain date and once that period has elapsed they won't be trusted at all. Sure owners don't like hearing about broken padlock icons so get properly signed ones.
Did they not consider popping up a warning whenever you connect to such a VPN for the past 6 months? I mean if a protocol is bad enough from a security perspective to drop entirely, Shirley you can justify nagging anyone still using it and retire it gracefully.
It doesn't install it. It just updates it if you're "brave" enough to still have it installed.
That dude is tiny!
All that matters from an efficiency perspective is how much fuel was used over a specified distance.
Unless your driving pattern involves continuously driving at 35Mph without ever braking until your fuel tanks are dry, your economy will benefit from kinetic energy capture systems. Anything reclaimed is fuel that doesn't need to burn.
I'm not going to make a case for or against a phev. It is largely dependent on a combination of your local energy mix and your driving distance requirements. But your complaints about well to wheel efficiency of them would hold a bit more water if you stopped assuming that we drill for gasoline and started to understand the huge amount of energy required to refine it to something usable. It is not beyond possible that your gasoline car consumes more electricity via that one refining step than some EVs.
> where do you think hybrid cars get their energy from, either from the ICE engine or from regen energy from the brakes, ultimately, the ICE engine...
In the end they reuse energy that non hybrid cars waste as heat (primarily through the brake pads) and by supplementing the performance with an electric motor they can use a smaller engine and run an Atkinson cycle and still keep up in traffic.
Even if all their energy is ultimately derived from the ICE, efficiency is not measured by quantity used but as a quantity used per unit of work. By reclaiming a proportion of kinetic energy that is otherwise going to heat, you can achieve more work for the same input.
Plugin hybrids can in many cases forgo the gearbox entirely using direct drive only at higher speeds.
We have no problem in you opting in to sharing such information with any organisation that you choose if you are happy to do so. Is it really so offensive to you that some people think that a macca's menu isn't enough of a "pro" vs the "con" of slurp watching you 24/7?
The "horror" is that he explicitly said he didn't want to share his location data and it didn't respect that.
A few months back I was attempting to explain why a daft byod geo-fencing suggestion was fundamentally flawed, politely suggesting an alternative to an otherwise perfect idea from the PHB. Didn't succeed, so when the feature proof of concept arrived, I made sure that my geo-fence violation came from Buckingham palace (context: not my hemisphere).
Got some pretty weird Google now updates for the next week or so.
Could even be simply looking at the SSIDs it can see and correlating that with its street view WiFi packet sniffing (remember that) or even just looking at other android users seeing the same APs but who had location services on.
My Nexus 5 has a great GPS activation detector. You simply glance at the battery level and if it has dropped 50% in the past hour you know that something's activated it.
At least with marshmallow or above you can retrospectively deny permissions (even if the app claims it needs them). YMMV but after installing any new app I religiously deny things that serve no apparent purpose to the app. Very few apps actually crash, and those that do get uninstalled.
Just like how pilots get to cruising altitude, activate autopilot, then flick on harry potter I guess.
Jokes aside, there is a colloquial usage when you start driving the wrong direction for where you are actually intending to go, so it does risk drivers believing they can stop paying attention.
As ~~road safety experts~~ physicists have said for ~~decades~~ millennia, the slower you have a crash, the better.
The problem isn't with the system per se. The problem is with the complete failure of any commentator or cricket show etc to seriously attempt to explain why the numbers fall the way they do. There are a myriad of factors that come together to decide the adjusted target: the scoring rate averages, wickets in hand, overs remaining, the price of cheese and Schrödinger's cat's life expectancy. It tries to balance out the reduced overs so that neither team is advantaged by the target, but you are looking at a game where a few runs can matter a lot. For me, the confidence interval for likely scores has got to be too wide for this sort of projection to be reliably made.
When there's only a few overs truncated I am probably exaggerating the problem, but I would as an engineer like to see the relative weightings displayed in the stats rather than just be told that's the number because we're clever.
> Duckworth and Lewis were English statisticians and their Method is very robust, but occasionally turns up oddities that get fans scratching their heads
I don't recall ever watching a D/L score where the numbers didn't leave me scratching my head.
All but guaranteed to be used in a betting capacity. Allows the controller of that data to figure out the betting odds before the revised targets are otherwise announced and effectively short other punters when the conditions are right.
Last summer some Indian guy was kicked out of various Aussie grounds after sitting there on his laptop working with the telecast delay (~10 seconds) to make bets about batsmen getting out after it was lollipoped but before it was caught. If it was an iPhone app, he could do it undetected.
It's a mugs game.
In the same way, you really going to blame the OS for a bad/kernel panic when the RAM or PSU starts to give up the ghost? It's still funny as when the resulting dump lands on a giant public display (proceed with this silliness at full steam) though, no matter what the OS.
> Cats slash bag of biscuits open (I'm sure the inspiration for Wolverine and his adamantine claws came from a cat owner as a byproduct of cats is scratches & looking like you self harm) and happily eat food, and wait for next combo food and play installment
Never happen. Once the bag was opened, it would take one sniff and decide that it doesn't eat that brand anymore even though it's been their favourite for weeks. Seriously, their mates are probably around the corner ROTFLMAO at our feeble attempts to guess what to order next time.
Wait, are you expecting me to believe that the Bush administration lied about things? Shirley you jest?
> HTTPS is really, really slow
No. Not even close. When Google switched on HTTPS for Gmail by default 6 years ago, they found it increased CPU load by less than 1% and network traffic by 2%.
With multiplexing in HTTP/2, HTTPS more often than not outperforms HTTP.
If there is a difference it is in transparent proxies.
I do however add my +1 to some sort of digital signature standard for delivering non private pages in a way that the client can tell they haven't been tampered and where the transparent proxies can still operate.
1. People are lazy and use the same handles and passwords elsewhere. Think of all the people who are not as security literate as yourself but come here often because they like DevOps.
It's also just the last endpoint. It tells you nothing about what happens after that server receives your credentials.
Tip El Reg:
If you want to stop our narky comments about this forum's lack of HTTPS, just hide behind cloudflare or equivalent. They'll serve us HTTPS then talk to you over HTTP. Defeats part of the purpose of HTTPS but at least we get a padlock icon hey.
I'm sure it's not to thwart network level (ISP level) ad blockers. Clearly that is an unintentional side effect.
That way when you get your FTTP ramping up, we can trade you the ability to convert it to a FTTN cluster expletive which will cost just as much to build but run out of capacity at about the same time the build completes.
> I think you have that the wrong way round.
Yes I do. Ended up with an extra not in that sentence which changes the meaning. Also, autocarrot changed one of my words to bakery which reads pretty random.
But I think you picked up my basic point; that if your engine bay contains an engine block, you have to try to jettison it under the safety cell. But it is still going to crush your feet on the way through because you can't quickly change the direction of many hundreds of kg. The more energy that can be absorbed in front of the safety cell, the slower the rate of deceleration experienced by the passengers.
> You've got digital ears? Wow
Yes, 10 of them with self evidently 0 in between.
sudo killall -9 Autopilot