* Posts by Adam 1

1279 posts • joined 7 May 2012

NYPD anti-crypto Twitter campaign goes about as well as you'd expect

Adam 1
Silver badge

> crime victims and surviving family members have rights, too – namely, the right to have cases solved with the strongest evidence available.

Surely the strongest available evidence for orders of magnitude more crimes is kept from victims by the right to remain silent. Admissible evidence laws for many more. Should those be repealed while you are at it?

4
0

Furious customers tear into 123-reg after firm's mass deletion woes

Adam 1
Silver badge

Re: M-Web

I'm not sure that backups on their own would save the day here. It's one thing to have the said offline tapes. It's quite another thing to be able to restore many hundreds of TB in anything approaching "reasonable time".

1
0

How much faster is a quantum computer than your laptop?

Adam 1
Silver badge

Re: But...

Yes

and No

2
1

Australia's Dick finally drops off

Adam 1
Silver badge

Re: dropped off a *long* time ago

> I kept going back for a time, but eventually they lacked anything that I found interesting

That is freaking ridiculous. Entirely true, but freaking ridiculous.

The opportunities for aspiring geeks today are massive. From Arduino to drones, mesh WiFi devices, NFC activated automation and other IoT Pfaff, even computer controlled Christmas lights would have been a natural fit for their former self.

There was never a need for them to sell TVs. Their stores could only physically fit 2 or 3 options for each size. Go in looking for say a 40" and you would get a choice between a who knows what home brand with crap refresh rate and colour reproduction for cheap or some 4K 3D smart panel with a curve for about 8x the price. With only so much room in most of their stores it was always going to struggle against Good Guys, JB or Harvey on selection.

2
0
Adam 1
Silver badge

dropped off a *long* time ago

Dick Smith of 25+ years ago was a very different store to that which finally closed down.

There was a time before they became a JB HiFi hardly normal wannabe when their catalogue looked more like Jaycar's. Their sales staff would ask about your project and be able to suggest the part combination to solve your problem. The latter day "tech-sperts" could tell you which Lightning or micro USB cable plugs into your phone. It really was a shell of its former self.

29
0

Canny Canadian PM schools snarky hack on quantum computing

Adam 1
Silver badge

Re: Are we in the end times?

Burr and Feinstein are all over this. In fact they describe a scenario where your data is simultaneously secure and available to TLAs via backdoors on the encryption...

3
0

US anti-encryption law is so 'braindead' it will outlaw file compression

Adam 1
Silver badge

The way that I am reading this, it would also outlaw the only recommended way of storing password information; a one-way password hash. These by definition (AND GOAL) cannot be reversed* to the original content even if you know the hash and the specific algorithm(s) applied.

* and before someone points out rainbow tables, these are simply cached brute force attacks.

31
0

Australia should be the 'Switzerland of data', Cisco head hacker says

Adam 1
Silver badge

Would you really trust your IP to Brandistan?

2
1

Storage-class memory just got big – 256Mbit big, at least

Adam 1
Silver badge

Re: "the cost of hardening a server to keep RAM electrified"

That 'D' in ACID compliant for a start. Right now you can't flag a transaction as committed until the writes have hit the spinning rust or SSD, or at least until sufficient data has been written to a log somewhere to allow the data to be reconstructed in the event of a power failure. This makes that latency several orders of magnitude faster, which in turn reduces the duration of locks and the throughput boost that would provide.

I'm looking forward to it.

2
0

Samsung's dimmer Galaxies can make calls when locked, cabled

Adam 1
Silver badge

Not only that but anywhere that allegedly provides a USB socket for "free charging" (cafe / airport lounge / hotel conference room / etc) could just start firing commands down the line whenever it sees a new device and pwn a not insignificant percentage of phones.

As a side note, it is interesting how perspectives of threats have changed over the last decade or two. In the late 90s, the ability to make a call or send a text when the device was locked would have been the story, and access to the internal storage would have rated meh.

Another side note, it would be interesting to know whether the same tricks could be used to sideload some malicious apk. If so, this could get really nasty.

0
0

Lauri Love backdoor forced-decryption case goes to court in UK

Adam 1
Silver badge

Complain all you want about El Reg reporting on the issue but I read the BBC story and couldn't find any reference to DevOps. How can we take Aunty as a serious news source?

8
0

The future of Firefox is … Chrome

Adam 1
Silver badge

Re: don't get it

> It also means the whole world will be using the same, open source rendering engine, good for users, good for developers.

No. It creates a monoculture. I am not saying that there is anything horrendously wrong with Chromium. There are certainly worse baselines that could have been chosen. I am saying that we already have a product with the specs they are proposing, that that product has around 50% market share depending on who's asking, that there is nothing so horrendous about it that will see a significant portion of that 50% jump ship so why bother. If the best defence is that monocultures rule, then mount an argument that there should only be one C compiler / one desktop environment / distro / in fact, one uber OS / and while we are at it, browser.

2
0
Adam 1
Silver badge

don't get it

So FF now looks like chrome and will soon be based on chromium. If that is what I wanted, I would have just installed chrome.

28
1

Russian boffins want to nuke asteroids

Adam 1
Silver badge

These things always start with "why don't we just nuke that little asteroid" and end up with "OK smart arse! How would you defend against a marauding horde of aliens"

2
0

Spinning rust fans reckon we'll have 18TB disk drives in two years

Adam 1
Silver badge

Re: Question

> why can't there just be a 2nd standard for double height drives?

If you are looking at changing the shape, double the width rather than the height and you would quadruple the capacity*

*roughly. The spindle still takes some space.

0
0

When to trust a startup: Does size count?

Adam 1
Silver badge

> I buy from startups all the time. Why? Am I being foolish in doing so?

No, as long as it's all DevOps you should be fine! ;p

3
0

Telstra being paid to fix Telstra's network for NBN – AGAIN

Adam 1
Silver badge

If we're honest, FTTP is passive between the home and the exchange. So upgrades don't involve sending trucks street by street, so they are much cheaper per premise. FTTN is basically a micro exchange every few hundred metres, so economies of scale are very hard to achieve.

1
0
Adam 1
Silver badge

FTTP doesn't need any HFC maintenance nor DOCSIS upgrades. Just saying ...

3
0

Dropping 1,000 cats from 32km: How practical is that?

Adam 1
Silver badge

Re: Russians are rumoured to be testing

Putin may be one volcano short of a Bond villain but even he knows the damage one of these filled with drop bears would do. M.A.D at work.

1
0

Britain is sending a huge nuclear waste shipment to America. Why?

Adam 1
Silver badge

Re: Why not send it into space...

> Has Donald Trump got a login for El Reg?

No. It is missing the tell tale phrase at the end of the sentence "and make the aliens pay for it"

1
0
Adam 1
Silver badge

Re: Odd Decision & Odd Timing

> Nuclear power is safe and if designed right, does have minimal waste, much less than coal or gas power

.... much less radioactive waste than coal power (on a per MW/hr basis).

TFTFY

Note: possibly also applies to gas but I don't know those numbers.

I guess coming out the top of a smokestack over time rather than leaving it in the bottom of a lap pool makes it OK?

3
0

That naked picture on my PC? Not mine. The IT guy put it there

Adam 1
Silver badge

Re: Something similar

How does the file system help or hinder your ability to remotely connect?

I remember dialing into various Windows 95 boxes with pcAnywhere and later on VNC.

18
0

FBI Director defends iPhone 5C unlock tool that's obviously going to leak into wrong hands

Adam 1
Silver badge

Re: Who cares if it leaks?

I guess you are lucky enough to live in a free country. Yes a lot of those good points mitigate many threat models, but a big part of this is a march towards government intrusion (even in free countries) and intrusion above and beyond the level warranted by the alleged crimes of people.

It isn't going to leak so much to Eastern European mobs but firstly to other agencies. In the now famous iPhone debacle, there was a second request for the same assistance in NY for cracking some alleged drug lord's iPhone. Fair call, he sounds like a Bad Guy™. But sooner or later it becomes routine in all investigations. Next thing you know, a fishing expedition is launched whenever someone forgets to return a DVD.

Assuming that our friendly TLAs hadn't already cracked it and were just trying to set a legal precedent (that is a pretty big assumption there), if you can control the parts that retrieve and act upon the device key (ie not containing secure enclave) it is possible to pull the device key. Once you have that, brute force of any short password or PIN can be done for a few bucks of Amazon time.

7
1

US government updates secure email guide for first time in a decade

Adam 1
Silver badge

Re: Copy requested...

Herby's?

0
0

Elon Musk takes wraps off planet-saving Model 3 vapourmobile

Adam 1
Silver badge

Re: Tesla a greencar, really ?

> transport of somewhat heavy batteries

Diesel weighs somewhere between 850g and 1Kg per litre. They tend to be in the 5L/100km range. The average car is driven 15-20 thousand km/year. Picking the kindest of those numbers, that means you are burning north of 6 ton of diesel fuel per year if you are a typical driver in a typical car.

That's in the ballpark of 3x the weight of these entire cars (not just the battery pack) every year

1
1
Adam 1
Silver badge

Re: Tesla a greencar, really ?

Refining petroleum takes somewhere between 1.5 and 2.5 KWhr/L by the way. A 60L tank therefore has a 90+ KW/hr electricity penalty just from the refining step.

And those 60L didn't just pump themselves from the well to the refinery nor do they pump themselves into tankers to your local service station running on air.

8
2

William Hague: Brussels attacks mean we must destroy crypto ASAP

Adam 1
Silver badge

> whatever the problem is, the solution is more surveillance and no judicial over-site

Now there. He doesn't have any problem with judicial over-site. It's judicial oversight that he has the problem with.

0
0

Bash on Windows. Repeat, Microsoft demos Bash on Windows

Adam 1
Silver badge

other way round isn't it

Pretty sure systemd just outsources to svchost.exe these days.

7
4

X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

@chemist

Wasn't quoting your post so not quite sure why you would take my comment to be about you and your process.

I was quoting AC whose argument seemed to be that because people (not you obviously) choose crap passwords then running on a non default port gave the same security. I worked out the equivalent entropy it gave to point out that you really need a bad password for that to be equivalent.

I thought my post was pretty clear that this does not preclude taking additional steps such as non default ports or port knocking or timed activation for ports. That will improve your security or at worst make no difference and doesn't really make your life harder so go ahead with my blessing. It is a great additional step, not a replacement.

0
0
Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

> but there's only so many ports that can be used.

65536 to be precise.

So as a password it is comparable to a 3 to 4 digit numerical PIN; or comparable to a password made up of a single English word that is in common use. It just isn't enough as a substitute method.

0
0
Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

It may be what you meant but it isn't what was written and what I responded to.

> Or a simpler (than SSH) solution

This implies that the proposed solution is a replacement.

I simply suggested that for me to accept such advice, I would have to then accept security through obscurity on equal argument.

Note that I am not arguing that obscurity doesn't have a part to play. When I was younger and actually went bush walking, we would often park the 4WD off the fire trail behind some shrubs or an embankment where it wouldn't be easily visible from the said fire trail. It didn't substitute for locking your doors, but it did reduce risk from the opportunist smash and grab. By all means, run on non-default ports or use port knocking; but call it a supplementary measure not a solution in its own right.

0
0
Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

You are basically arguing the merits of security through obscurity there...

3
0

Gumtree serves world's worst exploit kit to scores of Aussies

Adam 1
Silver badge

So ....

Any chance Gumtree or their ad slingers will cough up for the cost of scanning and cleaning those visitors' PCs, or for some sort of identity theft monitoring service for those users?

Thought not.

uBlock Origin, people.

6
0

US govt says it has cracked killer's iPhone, legs it from Apple fight

Adam 1
Silver badge

Re: And now this is the worst

> The basic premise is any secure system with enough time and effort will be broken

Realistically that is correct, but only because developers are humans with SNAFUs like in every other endeavour. Usually it is flawed implementations which are attacked.

For example, it is possible to choose a key size such that even allowing for Moore's law to continue and the entire GDP of the world dedicated to breaking it would still take longer than our sun has left in it. But all that is based on our assumptions about the trapdoor functions that we rely upon. We assume that factorising the multiplication of two huge primes is really hard. We assume that the discrete log problem is really hard. But find some new mathematical construct then maybe it can be done with less effort. In fact if you look at the Logjam attack it takes advantage of being able to precompute millions of CPU hours worth of computations and reuse that to simplify the computations for subsequent keys.

But I digress. My point is that the goal is impossibility without the key. Good enough means uneconomical to crack (I think your point) but with the proviso that hardware reduces the cost per operation over time (in both time and power consumption), and sometimes your enemy is a miscreant who is paying for neither (malware / stolen Amazon keys / etc). If you accept the good enough argument, you need to make sure you adequately measure the economics rather than just trying to figure out what it would cost you to do.

2
0

Is iOS 9.3 Apple's worst ever update? First it bricks iThings, now Safari is busted

Adam 1
Silver badge

exaggeration much?

Don't get me wrong, bricking a device is bad but it could be worse.

2
10

Confused by crypto? Here's what that password hashing stuff means in English

Adam 1
Silver badge

> A hash function, in a cryptographic sense, takes a chunk of data and makes it into another anonymous-looking chunk of data that is, to all intents and purposes, impossible to revert back into the original form

Using the phrase "to all intents and purposes impossible to revert" hits pretty close to the complaint.

It implies that maybe some TLA has enough resources to do it but no bad guys can. It is the wrong way to think about hashing. It is absolutely impossible to determine the source value. The process is deliberately lossy so it isn't just a matter of CPU power. It isn't just a trapdoor function like prime factorisation (hard) vs multiplication (easy) or the discrete logarithm problem.

Literally the only way to find the source is to try and brute force or dictionary attack the hash. But in any case, a reversal isn't normally the goal. An attacker is usually only after a reversal or collision because either way you can authenticate with it.

0
0
Adam 1
Silver badge

Re: SHA1

For some perspective, the cost of generating a collision for MD5 is less than a dollar. Generating an SHA-1 collision is in the order of 75,000 dollars.

For most threat models, collisions on SHA-1 are not a real world issue just yet; but it takes a while for it to work its way through the system. If you keep using SHA-1 certificates, then by the time those new certificates expire then the collisions will probably be heading towards half that price. The point was to sunset it before it got to the point of actually being insecure.

1
0
Adam 1
Silver badge

Re: Salts?

For unsalted hashes, you can usually get the raw password in 2 seconds by simply googling the hash.

2
0
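As an added illustration of the hashing points made in these posts and in the earlier one on the "braindead" anti-encryption law (this is constructed example code, not anything from the thread or its posters): a precomputed table of common-password hashes is just a cached brute-force search, which is why an unsalted hash can be recovered by lookup (or a web search), while a per-user random salt plus a slow KDF makes the same table useless. The COMMON_PASSWORDS wordlist and the lookup table are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the kind of dictionary a lookup service
# hashes once and then serves by search (assumption: these are "common" passwords).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dragon"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute unsalted SHA-256 for each word: hash -> plaintext.
    This is the 'cached brute force' the thread refers to."""
    return {sha256_hex(w.encode()): w for w in words}


def hash_unsalted(password: str) -> str:
    # Weak scheme: identical passwords give identical hashes, so one precomputed
    # table answers for every site that stores passwords this way.
    return sha256_hex(password.encode())


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt + slow KDF (PBKDF2-HMAC-SHA256). The salt makes the
    precomputed table useless; the iteration count raises the cost per guess."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup(table, stored_hash):
    """Return the plaintext if the hash is in the precomputed table, else None.
    Note there is no 'reversal' here: only a match against earlier guesses."""
    return table.get(stored_hash)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = hash_unsalted("letmein")
    salted = hash_salted("letmein", os.urandom(16))
    return {
        "unsalted_recovered": lookup(table, unsalted),            # 'letmein'
        "salted_recovered": lookup(table, salted.split("$")[2]),  # None
        "salted_verifies": verify_salted("letmein", salted),      # True
    }


if __name__ == "__main__":
    print(demo())
```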

Stagefright flaw still a nightmare: '850 million' Androids face hijack risk

Adam 1
Silver badge

Re: Too risky to use Android browsing the web.

> with extra safeguards such as NoScript and Adblock.

All of which are available on android too.

1
0

Error checks? Eh? What could go wrong, really? (DoSing a US govt site)

Adam 1
Silver badge

At least the "keyboard not found, press any key" message has a bit of logic behind it; after resolving the problem you can actually follow the instruction.

0
0
Adam 1
Silver badge

> 1990s: a user prompt from global logistics system developed internally and rolled out to 30-plus countries.

Are you sure you want to cancel the shipment?

Yes / No / Cancel

So kinda like the HP Print Service plugin for Android that in 2016 asks whether you are sure you want to cancel your print job.

OK / Cancel

4
0

Apple stuns world with Donald Trump iPhone

Adam 1
Silver badge

Re: Imagine Siri with the Donald Trump option...

... and make them pay for it!

4
0

ACCC goes beyond recall, bans 'hoverboards'

Adam 1
Silver badge

seems a bit confused

Firstly, there is nothing special about a hoverboard in the way it utilises batteries. It is not any more or less explosive than a laptop or an electric bike.

Unlike lead acid (the more common predecessor for electric bikes and scooters), you can't just pump in energy at full pace until it's full as the reducing efficiencies allow runaway waste heat to build up. So it is quite conceivable that cheap no brand companies based, er, in countries that lack strong safety regulation frameworks* would take dangerous shortcuts.

Blaming the product category is counterproductive**. We need to call it for what it is. Products from specific vendors do not meet our electrical safety standards. Those products must not be sold and already sold units must be urgently and actively recalled.

Now I'm not drawing the same conclusion as the subby here, at least not from the article itself. All I am seeing (from an IANAL perspective) is that the manufacturers who don't meet these safety regulations can't sell their wares here and people who otherwise acquire the said wares can't use them here. Makes sense. Li fires aren't much fun.

*which suddenly become very good once it causes embarrassment for the establishment.

**the legitimate vendors get caught up in the ban but the fly by night ones that are causing the problem are trading with a different name later the same week.

1
1

Snowden WAS the Feds' quarry in Lavabit case, redaction blunder reveals

Adam 1
Silver badge

Re: One good point to emerge...

Wow that's dumb. Surely they know that highlighting the text changes the background colour so you can read it and therefore the safest way is to draw a solid box over the offending text...

1
0
Adam 1
Silver badge

Re: Yah think?

I'm sure that they would have no such problems with keeping our back doored crypto's key escrow thingy away from the bad guys™.

0
0
Adam 1
Silver badge

> How much more credibility will the Feds loose

They probably figure that they can tight it later?

0
0

Apple engineers rebel, refuse to work on iOS amid FBI iPhone battle

Adam 1
Silver badge

Re: The end of Apple

> if they decided to slow-play or sabotage

This.

The rate limiter self destruct thing is easily defeated if you forget to submit the PIN to actually test it.

Maybe a couple of GOTO fail lines too many?

1
0

Stevie Graham: Why I hack mobile banking apps

Adam 1
Silver badge

Re: security through fragmentation vs an API monoculture

API monoculture isn't what is described though, at least not in the OpenSSL sense.

Heartbleed was two flaws; a stupidly designed API call and a buggy implementation of it. The stupid design was to allow the caller to independently mention the size of the buffer and the amount of data to read when it should have derived one of those pieces from the other. But the stupid design only matters because of the implementation bug whereby the server failed to validate that an untrustworthy client could manipulate those numbers to read additional information from memory.

Unless I misread the article, all that is proposed is a common API that each bank would independently evaluate the best way of implementing. So if the design was flawed, some banks would be caught pants down and others would return an error.

It's more similar to ART vs Dalvik vs Oracle implementations of the same method calls (but no points for guessing which of those would have the crap security implementation)

2
0
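An added, constructed model of the "two flaws" distinction drawn in the post above (example code written for this page, not OpenSSL code and not from any poster): a heartbeat-style record carries its own payload length, and a responder that believes that field without checking it against the record it actually received copies whatever happens to follow in its buffer, while the hardened responder applies the length check and drops the record. SECRET and receive() are assumptions standing in for adjacent process memory.

```python
import struct

PADDING = 16  # trailing padding a heartbeat record must carry (assumed fixed size)
SECRET = b"session-cookie=abc123;another-users-data"  # constructed stand-in


def build_heartbeat(payload: bytes, declared_len=None) -> bytes:
    """Record layout: type(1 byte) || payload_length(2 bytes) || payload || padding.
    A well-behaved sender declares the true payload length; the design flaw is
    that the length is sent separately instead of being derived from the record."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", 1, declared_len) + payload + b"\x00" * PADDING


def receive(record: bytes):
    """Constructed model of process memory: the record lands at the start of a
    buffer and other live data sits immediately after it. Returns the buffer and
    the length of the record that actually arrived."""
    return bytearray(record + SECRET), len(record)


def respond_unchecked(memory: bytearray, record_len: int) -> bytes:
    """Implementation bug: trusts the declared length and never compares it with
    record_len, so an oversized declaration reads past the end of the record."""
    declared = struct.unpack("!H", memory[1:3])[0]
    return bytes(memory[3:3 + declared])


def respond_checked(memory: bytearray, record_len: int):
    """Fix: the declared payload (plus header and padding) must fit inside the
    record that was received; otherwise drop the heartbeat silently."""
    declared = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + declared + PADDING > record_len:
        return None
    return bytes(memory[3:3 + declared])


def demo():
    honest = build_heartbeat(b"ping")
    # Declares far more payload than it carries.
    oversized = build_heartbeat(b"ping", declared_len=4 + PADDING + len(SECRET))
    return {
        "unchecked_leaks_secret": SECRET in respond_unchecked(*receive(oversized)),
        "checked_drops_oversized": respond_checked(*receive(oversized)),
        "checked_echoes_honest": respond_checked(*receive(honest)),
    }


if __name__ == "__main__":
    print(demo())
```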

A third of Australians lose mobile services after Telstra outage

Adam 1
Silver badge

Re: Antipodeans?

Yes. Problems were reported from Longreach down to Melbourne, so Bondi was affected too.

1
0

HTTPS is not enough: Boffins fingerprint user environments without cracking crypto

Adam 1
Silver badge

Re: Side channel attacks

> Secure. Efficient. Cheap

> Pick two.

In this case, that doesn't apply. You cannot pick both secure and efficient even if you don't care about cheap.

The point is that simply knowing that two parties are communicating at a given time does leak some information. You can only counteract this by (at least occasionally) communicating with the other party either nonsensical data (eg randomised bits) or misleading data (eg legitimate looking real message that both sides of the communication know is to be ignored). Either way, that is less efficient than if you only sent bits when you wanted to say something.

1
0
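An added simulation of the trade-off described in the post above (constructed example code, not from the article or any poster): an observer who sees only when fixed-size records go by learns nothing if both parties send one record every slot, real or filler, but the useful-bytes-to-sent-bytes ratio drops accordingly. RECORD_SIZE, TICKS and the message schedules are assumed values.

```python
import os

RECORD_SIZE = 64   # fixed ciphertext size on the wire (assumed)
TICKS = 8          # send slots in the observation window (assumed)


def on_demand(messages):
    """Send a record only when there is something to say.
    `messages` maps tick -> plaintext bytes.
    Returns (observer_view, useful_bytes, sent_bytes)."""
    view, useful, sent = [], 0, 0
    for tick in range(TICKS):
        if tick in messages:
            view.append((tick, RECORD_SIZE))
            useful += len(messages[tick])
            sent += RECORD_SIZE
    return view, useful, sent


def constant_rate(messages):
    """Send one fixed-size record every tick; slots with nothing to say carry
    random filler the receiver discards (in a real protocol an encrypted length
    field tells it how much is real). Ciphertext is modelled as random bytes
    either way, so the observer only ever sees (tick, size)."""
    view, useful, sent = [], 0, 0
    for tick in range(TICKS):
        body = messages.get(tick, b"")
        if len(body) > RECORD_SIZE:
            raise ValueError("message does not fit in one record")
        padded = body + os.urandom(RECORD_SIZE - len(body))
        view.append((tick, len(padded)))
        useful += len(body)
        sent += len(padded)
    return view, useful, sent


def leaks_activity(scheme, pattern_a, pattern_b) -> bool:
    """True if an observer can distinguish the two message patterns under `scheme`."""
    return scheme(pattern_a)[0] != scheme(pattern_b)[0]


def efficiency(scheme, messages) -> float:
    """Useful bytes as a fraction of bytes actually sent (0 when nothing is sent)."""
    _, useful, sent = scheme(messages)
    return useful / sent if sent else 0.0


if __name__ == "__main__":
    quiet, chatty = {}, {1: b"hi", 2: b"meet at 5"}
    print("on-demand leaks:", leaks_activity(on_demand, quiet, chatty))
    print("constant-rate leaks:", leaks_activity(constant_rate, quiet, chatty))
    print("efficiency:", efficiency(on_demand, chatty), efficiency(constant_rate, chatty))
```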
