* Posts by Adam 1

1315 posts • joined 7 May 2012

Spinning rust fans reckon we'll have 18TB disk drives in two years

Adam 1
Silver badge

Re: Question

> why can't there just be a 2nd standard for double height drives?

If you are looking at changing the shape, double the width rather than the height and you would quadruple the capacity*

*roughly. The spindle still takes some space.

0
0

When to trust a startup: Does size count?

Adam 1
Silver badge

> I buy from startups all the time. Why? Am I being foolish in doing so?

No, as long as it's all DevOps you should be fine! ;p

3
0

Telstra being paid to fix Telstra's network for NBN – AGAIN

Adam 1
Silver badge

If we're honest, FTTP is passive between the home and the exchange. So upgrades don't involve sending trucks street by street so is much cheaper per premise. FTTN is basically a micro exchange every few hundred metres, so economies of scale are very hard to achieve.

1
0
Adam 1
Silver badge

FTTP doesn't need any HFC maintenance nor DOCSIS upgrades. Just saying ...

3
0

Dropping 1,000 cats from 32km: How practical is that?

Adam 1
Silver badge

Re: Russians are rumoured to be testing

Putin may be one volcano short of a Bond villain but even he knows the damage one of these filled with drop bears would do. M.A.D at work.

1
0

Britain is sending a huge nuclear waste shipment to America. Why?

Adam 1
Silver badge

Re: Why not send it into space...

> Has Donald Trump got a login for El Reg?

No. It is missing the tell tale phrase at the end of the sentence "and make the aliens pay for it"

1
0
Adam 1
Silver badge

Re: Odd Decision & Odd Timing

> Nuclear power is safe and if designed right, does have minimal waste, much less than coal or gas power

.... much less radioactive waste than coal power (on a per MW/hr basis).

TFTFY

Note: possibly also applies to gas but I don't know those numbers.

I guess coming out the top of a smokestack over time rather than leaving it in the bottom of a lap pool makes it OK?

3
0

That naked picture on my PC? Not mine. The IT guy put it there

Adam 1
Silver badge

Re: Something similar

How does the file system help or hinder your ability to remotely connect?

I remember dialing into various Windows 95 boxes with pcanywhete and later on vnc.

18
0

FBI Director defends iPhone 5C unlock tool that's obviously going to leak into wrong hands

Adam 1
Silver badge

Re: Who cares if it leaks?

I guess you are lucky enough to live in a free country. Yes a lot of those good points mitigate many threat models, but a big part of this is a march towards government intrusion (even in free countries) and intrusion above and beyond the level warranted by the alleged crimes of people.

It isn't going to leak so much to Eastern European mobs but firstly to other agencies. In the now famous iPhone debacle, there was a second request for the same assistance in NY for cracking some alleged drug lord's iPhone. Fair call, he sounds like a Bad Guy™. But sooner or later it becomes routine in all investigations. Next thing you know, a fishing expedition is launched whenever someone forgets to return a DVD.

Assuming that our friendly TLAs hadn't already cracked it and were just trying to set a legal precedent (that is a pretty big assumption there), if you can control the parts that retrieve and act upon the device key (ie not containing secure enclave) it is possible to pull the device key. Once you have that, brute force of any short password or PIN can be done for a few bucks of Amazon time.

7
1

US government updates secure email guide for first time in a decade

Adam 1
Silver badge

Re: Copy requested...

Herby's?

0
0

Elon Musk takes wraps off planet-saving Model 3 vapourmobile

Adam 1
Silver badge

Re: Tesla a greencar, really ?

> transport of somewhat heavy batteries

Diesel weighs somewhere between 850g and 1Kg per litre. They tend to be in the 5L/100km range. The average car is driven 15-20 thousand km/year. Picking the kindest of those numbers, that means you are burning north of 6 ton of diesel fuel per year if you are a typical driver in a typical car.

That's in the ballpark of 3x the weight of these entire cars (not just the battery pack) every year

1
1
Adam 1
Silver badge

Re: Tesla a greencar, really ?

Refining petroleum takes somewhere between 1.5 and 2.5 KWhr/L by the way. A 60L tank therefore has a 90+ KW/hr electricity penalty just from the refining step.

And those 60L didn't just pump themselves from the well to the refinery nor do they pump themselves into tankers to your local service station running on air.

8
2

William Hague: Brussels attacks mean we must destroy crypto ASAP

Adam 1
Silver badge

> whatever the problem is, the solution is more surveillance and no judicial over-site

Now there. He doesn't have any problem with judicial over-site. It's judicial oversight that he has the problem with.

0
0

Bash on Windows. Repeat, Microsoft demos Bash on Windows

Adam 1
Silver badge

other way round isn't it

Pretty sure systemd just outsources to svchost.exe these days.

7
4

X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

@chemist

Wasn't quoting your post so not quite sure why you would take my comment to be about you and your process.

I was quoting AC whose argument seemed to be that because people (not you obviously) choose crap passwords then running on a non default port gave the same security. I worked out the equivalent entropy it gave to point out that you really need a bad password for that to be equivalent.

I thought my post was pretty clear that this does not preclude taking additional steps such as non default ports or port knocking or timed activation for ports. That will improve your security or at worse make no difference and doesn't really make your life harder so go ahead with my blessing. It is a great additional step, not a replacement.

0
0
Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

> but there's only so many ports that can be used.

65536 to be precise.

So as a password it is comparable to a 3 to 4 digit numerical PIN; or comparable to a password made up of a single English word that is in common use. It just isn't enough as a substitute method.

0
0
Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

It may be what you meant but it isn't what was written and what I responded to

> Or a simpler (than SSH) solution

This implies that the proposed solution is a replacement.

I simply suggested that for me to accept such advice, I would have to then accept security through obscurity on equal argument.

Note that I am not arguing that obscurity doesn't have a part to play. When I was younger and actually went bush walking, we would often park the 4wd off the fire trail behind some shrubs or an embankment where it wouldn't be easily visible from the said fire trail. It didn't substitute for locking your doors, but it did reduce risk from the opportunist smash and grab. By all means, run on non-default ports or use port knocking; but call it a suplementary measure not a solution in its own right.

0
0
Adam 1
Silver badge

Re: Or a simpler (than SSH) solution

You are basically arguing the merits of security through obscurity there...

3
0

Gumtree serves world's worst exploit kit to scores of Aussies

Adam 1
Silver badge

So ....

Any chance Gumtree or their ad slingers will cough up for the cost of scanning and cleaning those visitor's PCs, or for some sort of identity theft monitoring service for those users?

Thought not.

Ublock origin people.

6
0

US govt says it has cracked killer's iPhone, legs it from Apple fight

Adam 1
Silver badge

Re: And now this is the worst

> The basic premise is any secure system with enough time and effort will be broken

Realistically that is correct, but only because developers are humans with SNAFUs like in every other endeavour. Usually it is flawed implementations which are attacked.

For example, it is possible to choose a key size such that even allowing for Moore's law to continue and the entire GDP of the world dedicated to breaking it would still take longer than our sun has left in it. But all that is based on our assumptions about the trapdoor functions that we rely upon. We assume that factorising the multiplication of two huge primes is really hard. We assume that the discrete log problem is really hard. But find some new mathematical construct then maybe it can be done with less effort. In fact if you look at the logjam attack it takes advantage of being able to precompute millions of CPU hours worth of computations and reuse that to simplify the computations for subsequent keys.

But I digress. My point is that the goal is impossibility without the key. Good enough means uneconomical to crack (I think your point) but with the proviso that hardware reduced the cost per operation over time (in both time and power consumption), and sometimes your enemy is a miscreant who is paying for neither (malware / stolen Amazon keys / etc). If you accept the good enough argument, you need to make sure you adequately measure the economics rather than just trying to figure out what it would cost you to do.

2
0

Is iOS 9.3 Apple's worst ever update? First it bricks iThings, now Safari is busted

Adam 1
Silver badge

exaggeration much?

Don't get me wrong, bricking a device is bad but it could be worse.

2
10

Confused by crypto? Here's what that password hashing stuff means in English

Adam 1
Silver badge

> A hash function, in a cryptographic sense, takes a chunk of data and makes it into another anonymous-looking chunk of data that is, to all intents and purposes, impossible to revert back into the original form

Using the phrase that is to all intents and purposes impossible to revert hits pretty close to the complaint.

It implies that maybe some TLA has enough resources to do it but no bad guys can. It is the wrong way to think about hashing. It is absolutely impossible to determine the source value. The process is deliberately lossy so it isn't just a matter of CPU power. It isn't just a trapdoor function like prime factorisation (hard) vs multiplication (easy) or the discrete logarithm problem.

Literally the only way to find the source is to try and brute force or dictionary attack the hash. But in any case, a reversal isn't normally the goal. An attacker is usually only after a reversal or collision because either way you can authenticate with it.

0
0
Adam 1
Silver badge

Re: SHA1

For some perspective, the cost of generating a collision for md5 is less than a dollar. Generating an sha-1 collision is in the order of 75,000 dollars.

For most threat models, collisions on sha-1 are not a real world issue just yet; but it takes a while for it to work its way through the system. If you keep using sha-1 certificates, then by the time those new certificates expire then the collisions will probably be heading towards half that price. The point was to sunset it before it got to the point of actually being insecure.

1
0
Adam 1
Silver badge

Re: Salts?

For unsalted hashes, you can usually get the raw password in 2 seconds by simply googling the hash.

2
0

Stagefright flaw still a nightmare: '850 million' Androids face hijack risk

Adam 1
Silver badge

Re: Too risky to use Android browsing the web.

> with extra safeguards such as NoScript and Adblock.

All of which are available on android too.

1
0

Error checks? Eh? What could go wrong, really? (DoSing a US govt site)

Adam 1
Silver badge

At least the keyboard not found press any key message has a bit of logic behind it; after resolving the problem you can actually follow the instruction.

0
0
Adam 1
Silver badge

> 1990s: a user prompt from global logistics system developed internally and rolled out to 30-plus countries.

Are you sure you want to cancel the shipment?

Yes / No / Cancel

So kinda like the HP Print Service plugin for android that in 2016 asks whether you are sure you want to cancel your print job.

OK / Cancel

4
0

Apple stuns world with Donald Trump iPhone

Adam 1
Silver badge

Re: Imagine Siri with the Donald Trump option...

... and make them pay for it!

4
0

ACCC goes beyond recall, bans 'hoverboards'

Adam 1
Silver badge

seems a bit confused

Firstly, there is nothing special about a hoverboard in the way it utilises batteries. It is not any more or less explosive than a laptop or an electric bike.

Unlike lead acid (the more common predecessor for electric bikes and scooters), you can't just pump in energy at full pace until it's full as the reducing efficiencies allow runaway waste heat to build up. So it is quite conceivable that cheap no brand companies based, er, in countries that lack strong safety regulation frameworks* would take dangerous shortcuts.

Blaming the product category is counter productive**. We need to call it for what it is. Products from specific vendors do not meet our electrical safety standards. Those products must not be sold and already sold units must be urgently and actively recalled.

Now I'm not drawing the same conclusion as the subby here, at least not from the article itself. All I am seeing is (from an IANAL perspective) is that the manufacturers who don't meet these safety regulations can't sell their wares here and people who otherwise acquire the said wares can't use them here. Makes sense. Li fires aren't much fun.

*which suddenly become very good once it causes embarrassment for the establishment.

**the legitimate vendors get caught up in the ban but the fly by night ones that are causing the problem are trading with a different name later the same week.

1
1

Snowden WAS the Feds' quarry in Lavabit case, redaction blunder reveals

Adam 1
Silver badge

Re: One good point to emerge...

Wow that's dumb. Surely they know that highlighting the text changes the background colour so you can read it and therefore the safest way is to draw a solid box over the offending text...

1
0
Adam 1
Silver badge

Re: Yah think?

I'm sure that they would have no such problems with keeping our back doored crypto's key escrow thingy away from the bad guys™.

0
0
Adam 1
Silver badge

> How much more credibility will the Feds loose

They probably figure that they can tight it later?

0
0

Apple engineers rebel, refuse to work on iOS amid FBI iPhone battle

Adam 1
Silver badge

Re: The end of Apple

> if they decided to slow-play or sabotage

This.

The rate limiter self destruct thing is easily defeated if you forget to submit the PIN to actually test it.

Maybe a couple of GOTO fail lines too many?

1
0

Stevie Graham: Why I hack mobile banking apps

Adam 1
Silver badge

Re: security through fragmentation vs an API monoculture

API monoculture isn't what is described though, at least not in the openSSL sense.

Heartbleed was two flaws; a stupidly designed API call and a buggy implementation of it. The stupid design was to allow the caller to independently mention the size of the buffer and the amount of data to read when it should have derived one of those pieces from the other. But the stupid design only matters because of the implementation bug whereby the server failed to validate that an untrustworthy client could manipulate those numbers to read additional information from memory.

Unless I misread the article, all that is proposed is a common API that each bank would independently evaluate the best way of implementing. So if the design was flawed, some banks would be caught pants down and others would return an error.

It's more similar to ART vs Dalvik vs Oracle implementations of the same method calls (but no points for guessing which of those would have the crap security implementation)

2
0

A third of Australians lose mobile services after Telstra outage

Adam 1
Silver badge

Re: Antipodeans?

Yes. Problems were reported from Longreach down to Melbourne, so Bondi was affected too.

1
0

HTTPS is not enough: Boffins fingerprint user environments without cracking crypto

Adam 1
Silver badge

Re: Side channel attacks

> Secure. Efficient. Cheap

> Pick two.

In this case, that doesn't apply. You cannot pick both secure and efficient even if you don't care about cheap.

The point is that simply knowing that two parties are communicating at a given time does leak some information. You can only counteract this by (at least occasionally) communicating with the other party either nonsensical data (eg randomised bits) or misleading data (eg legitimate looking real message that both sides of the communication know is to be ignored). Either way, that is less efficient than if you only sent bits when you wanted to say something.

1
0

'Millions' of Android mobes vulnerable to new Stagefright exploit

Adam 1
Silver badge

Re: Pretty easy to get people to visit a 'hacker' website

You can also install ublock origin on android Firefox without root.

4
0

'Just give me any old date and I'll make it work' ... said the VB script to the coder

Adam 1
Silver badge

Re: Prisoner release dates

I'm not sure that I'm comfortable with someone of your handle writing the code to figure out the release dates...

7
0

Former Nokia boss Stephen Elop scores gig as chief innovator for Australia's top telco

Adam 1
Silver badge

Re: Elop possesses two inimitable qualities

At first I was thinking wtf were they thinking, but you raise an excellent point. Those qualities are really a perfect cultural fit.

4
0

NIST set to shake up temperature with quantum thermometer

Adam 1
Silver badge

big problem with quantum thermometers

... Once you check the temperature, the temperature changes.

/I'd grab my coat, but how would I be sure whether or not I needed it?

12
0

Swedish publishers plan summer ‘Block Party’ to thwart ad blockers

Adam 1
Silver badge

Re: Dear Swedish publishers

> do not try to sell peopole what they have already bought

I expect them to continue trying to sell me what I have already bought. Otherwise, stop tracking me.

0
0

Mozilla will emit 'first version' of Servo-based Rust browser in June

Adam 1
Silver badge

Some tools are sledgehammers though.

4
0

Mechanic computers used to pwn cars in new model-agnostic attack

Adam 1
Silver badge

Re: Signed firmware

> It wouldn't protect against a dealership unwittingly distributing hacker created firmware.

You're right if the dealer intended to flash the firmware, but if they were only intending on reading the reports from the computer to work out why whatever warning light was flashing then there would be no need to write anything.

1
0
Adam 1
Silver badge

Re: Signed firmware

> I assume it would 'auto toggle' under a certain set of conditions

Not auto toggle. Auto toggle off. There is an important difference. There should be no way to activate writeable mode without physically moving a switch.

There are heaps of ways to auto switch off, from a simple timer to hooking it up to the ignition key removal to locking the doors to immediately doing it when whatever JSON or whatever writes the binary image then restarts the computer.

1
0
Adam 1
Silver badge

Re: Signed firmware

How about a read-only/writeable switch that auto toggles back to read-only once finished.

Would certainly cut down on the attack vectors.

3
0

Computer says: Stop using MacWrite II, human!

Adam 1
Silver badge

Re: Gragh, students and their sodding games

A USB stick. Falling out someone's pocket? On a bus? Nope, can't see that one ever happening.

1
0

You say I mustn’t write down my password? Let me make a note of that

Adam 1
Silver badge

Re: XKCD

> Actually breaking a password made up of a sentence containing several words is straightforward - random letters, numbers and non-alpha characters are much harder. Can't remember where I read that though...

It's probably good you can't remember where you read that because it is bad advice. Your password strength is log base2 of alphabet size to the power of the length of the password. Bigger is better.

For example, consider a 4 digit PIN for an ATM card. The alphabet size is 10 (0 through 9) and length is 4, so the strength is log2 of 10^4 = ~13 bits of entropy

If you jump to say a 10 character random password, we have to agree on the alphabet first. Say 26 lower case + 26 uppercase + 10 digits + 30 symbols (the ones I can easily type with my keyboard here) + 1 space = 93. log2 of 93^10 gives ~65 bits of entropy.

Now consider a password made up of 4 randomly selected words**. In this case, it is disingenious to consider the alphabet to be the same size as the random password (although in practice it would require the attacker to know that you didn't use such symbols). Let's assume they know your technique for the minute, and let's assume English only for simplicity, and lets assume you capitalise the first letter of each word. In this case your alphabet is about 350,000 and your length is the number of words you use. log2 of 350000^4 gives ~74 bits of entropy.

So RinseBubbleOvalBounce is ~500 times harder to crack than GV45#5kd3;

Both passwords offer excellent protection, but I know which one you would have to write down.

**Of course if the words are not chosen at random (eg a verse or quote or meme or something) then it will be no more secure.

9
0

'Microsoft Office has been the bane of my life, while simultaneously keeping me employed'

Adam 1
Silver badge

Re: MS Orifice - so aptly named

Produced a flat CSV file to push some data into a third party system. User has Excel and proceeds to double click the file. Excel helpfully and silently truncates any leading zeros. User closes and is prompted to save changes, of course answering yes. Now file won't import (best case) or imports wrong data (which is really hard to recover from in this case). Total PITA.

0
0

Boffins bust biometrics with inkjet printer

Adam 1
Silver badge

Re: Not Surprised

Biometrics are by definition observable and something you are so can't fulfill the concept of something you know like a password. In some ways that makes them worse choices because you can't just change them if they get stolen and they can get lost if you have to bandage up your digit due to an injury. Some materials actively erode the ridges (things like pineapple or beer believe it or not) so people working in certain industries can have trouble getting something unique anyway.

But if you consider them like a 2FA rather than an authentication in their own right, it is better than what it replaces. PINs can be viewed by people standing behind you. Whilst lifting a fingerprint off a surface is reasonably trivial, you also need the device. A fingerprint door latch for example could be argued as insecure, but is it less secure than the pin and tumbler it replaced?

1
0

'You've been hacked, pay up' ... Ransomware forces your PC to read out a hostage note

Adam 1
Silver badge

Re: "Eastern Europeans go free"

African or European?

0
1

Forums