Nexus 5 / Android 5.0.1 / Chrome 40.0.2214.109 - oops
Mine comes up with a nice fat "Warning! Your client is vulnerable to CVE-2015-0204".
It is indeed. Run with SandboxIE and Ghostery/Adblock (as mentioned) it is quite the speedy thing....
To be fair, I hadn't seen any juddery images, although I do have a nice TV which does iron out a lot of crap (24Hz compatible TV, AMP and BD player have removed any jerky BD videos for example).
However, since Android Lollipop landed, my previously working (on 4.4.4) "Cast Screen" functionality has gone walkies. YouTube and other apps work, but I (and others, judging by the forums) can't cast screen anymore...
Way to go backwards!
Tom Selleck and a police unit in the style of "Runaway" immediately!
OpenRemote (www.openremote.org) - it's a free (for home use) server you can clap on a box at home (if you don't mind a JVM) with Android and iPhone clients, which lets you talk to anything that has an IP.
My *nix based installation serves custom screens and talks to Philips Hue, LightwaveRF, Globalcache iTach (IP2IR), and an IP enabled A/V receiver. Others have much more! Now both mine and my wife's phones (and our tablet) can act as unified remotes. My server also has a VPN so (if needs be) I can run things remotely/securely (OpenSSL/BASH vulns aside!)
Personally, having found Hue to be the easiest to work with, I'd love everything to speak JSON and use REST APIs - but as long as it has an API, I can wrap it in :)
So read this and went "eep".
However I checked my script, and it's #!/bin/sh, so that's ok then (and bash has also been patched on my box).
But I'm also using client certs, tls-auth files, non-default cipher algorithms and of course the auth-user-pass-verify. But if you've managed to get my certs, tls file and password, I suspect that's the least of my worries :)
Amen to that.
Google provide 2FA for their entire suite of apps (behind the "Google Account") - they also provide printable one time codes in case you lose your phone/flat battery etc.
Google Authenticator also allows other codes to be added from other apps. My Joomla installation and a NAS box (with PAM 2FA based auth) are sitting looking at me, under my Google Account.
Facebook also provide 2FA, which pops up on your mobile if you try to login on a PC.
Using the above has in no way been complicated, and it's reassuring knowing it's there.
Insert obligatory Dick Tracy reference here :)
If they made them chargeable from movement ala some 'normal' watches, and thinner I'd be interested - until then I have a very nice traditional swiss affair which shall continue to adorn my wrist :)
Not just YouTube. Some selective things seem to happen. I use OpenDNS, and performance to their servers (resolution time) went to hell recently. Use Google/VM DNS and all ok.
Diags from their end all showed ok, just "suspect routing" betwixt VM and OpenDNS...
Seems to have recovered more recently, but still...
We're about to "try to look inside that place you cannot look"....
Given the current tactic seems be "Block the IP resulting from a DNS query", I can see them shortly resort to "just redirect the whole damn domain", followed by "just block access to DNS".
Because they are that stupid.
Incidentally, the court order to block a site (ala BitTorrent) - doesn't that just apply "to the ISP", rather than its customers? As (IANAL) customers are not subject to the order - although they are impacted by the ISP's compliance with it, gaining access via other methods (another DNS/IP, or VPN) is not the fault of the ISP, or a breach of an order against its customers, because one doesn't exist.....?
"Why is your phone encrypted? Please meet RIPA. Hand over the decryption keys".
The Hue bulbs do have f/w and update - although Philips don't really tell you about this...
When I bought mine, when you turned them on, they went from 0% to 100% smoothly over about 1.5 seconds....then one day, one started turning on to 100% pretty much immediately.
I dug into the hub interface, which showed that the bulbs were being updated - the hub reports the bulb f/w to homebase and (I presume) proxies the s/w to the bulb over its hybrid Zigbee interface. Works though, just a bit slow (the bulbs have to be powered on at the switch, even if you have them 'soft off').
The hub also does talk to the 'net and you can control lights remotely, although you can disable that and run them from LAN only - if you so desire/require.
I was really keen on LIFX, but every time I asked them about 802.1x capabilities (my WLAN runs TLS & cert auth) I never got a proper answer. Not even a "No, it doesn't do cert auth".
Philips Hue sidesteps this by having a wired controller using Zigbee - and was available, and has a nice REST API, so I went down that route....
Albeit only on/off control - but better than nothing :)
LightWaveRF controller, £60 (ish)
LightWaveRF relay (which can operate in volt free switching mode), £30.
Time taken to wire relay to my boiler's volt-free thermostat switch, about 5 mins. Time taken to mount relay in a box on the wall and spur power to it, about 10 mins.
LightWaveRF's app works remotely, so you can turn it on/off remotely, or set timers etc - or (as I also have) control it via other systems, in my case OpenRemote.
My boiler has usefully currently got a fault (suspect air pressure switch) and is 14 years old - so if I do upgrade the boiler, I may well go down the thermostat route however!
So, I'm in the UK and I place a call (on a landline) to someone in the US (or anywhere outside the UK and its associated territories).
That call is routed over UK based equipment. Intercepting it (and "interception" is the word used in the article) requires a warrant. Why is the same not true of anything in transit to an internet site?
Granted once it's arrived at said destination, if said destination is outside the UK, and/or set to be public, then fine, look at it all you want....but snarfing it "in flight" still counts as interception within the UK.....doesn't it?
It always irks me how many people (or their companies) can afford (them) to be driving around in high class Beemers, Mercs, Audis etc, and they haven't got Bluetooth (either as standard or retrofitted). Not really any excuse anymore other than "I didn't want to spend the cash". Or worse, "I HAVE spent the cash, but I'm too lazy to switch Bluetooth on."
I am seeing more and more people with headphones on in the car, presumably either to listen to music and cut out road noise, or because they're using the headphones with mikes to make calls. Either way, that's also cutting down on situational awareness a bit.
I've got in-dash GPS now (current and last cars) - but they are expensive, and both mine are "2nd user" cars :) I'm quite surprised more manufacturers haven't released/announced Miracast (or other wireless display) capable displays. Got a smartphone? You'll invariably have some form of Nav, so why not just have it sent to the car....?
That would cut down on the cost of providing a car with GPS antennae and systems, the in car nav updates, re-use owners phone tech, get screen mounted tat off the screen/out of view. Even providing a mobile "slot" with an NFC tag to help auto activate Miracast is possible.
I posited something similar a while back (http://forums.theregister.co.uk/forum/1/2014/01/09/yahoo_always_on_crypto_unstrong/#c_2074093) - so I'm pleased to see it.
My only 'concern' would be that (as mentioned above) I'd like to see it opensourced (with deterministic build instructions) and audited to show that the plugin doesn't harvest and send back your private key & passphrase (regardless of who authored it!)
Just let it scan the el Reg forums and comments. That should keep it busy until the end of time...
ISTR that the problem was that no-one could generally get it to build correctly from source....
From : http://istruecryptauditedyet.com/ :
"Implement deterministic/reproducible builds. Many of our concerns with Truecrypt could go away if we knew the binaries were compiled from source. Unfortunately it's not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered. This is really a precondition to everything else. And it's not an easy process"
Works for me - Android & iOS clients - and speaks to almost anything that accepts a TCP/UDP connection. Has event driven scripting too. Granted it's not going to be simple for the man on the street, but I had mine talking to Philips Hue, LightWaveRF, GlobalCache IP2IR and an Onkyo A/V receiver, with a nice custom tablet interface in a week. All different standards/interfaces, one controller. Sorted.
Chuck in Tasker and Autovoice, and it's voice controlled too....
It was initially tape with my ZX Spectrum. Then a micro-drive - with extra capacity added by stretching the tape :)
Then a move to PC - we had 5.25" and 3.5" floppy drives. Then acquired a ZIP100 drive, then eventually a ZIP250. And then an LS-120 Superdisk which was backward compatible with 3.5" disks - but that annoyingly died, so I got another - which eventually did the same... :(
Since then it's all mostly been USB and/or flash card storage - although an Ultrium 1 and now Ultrium 3 drive kick about for the really big backups :)
I say that as the heating controls have been "coming soon" for quite some time.
I've got LWRF for some devices (couple of lights and a relay to override the central heating system) - but have a variety of gadgets now running in the house on various protocols, and used OpenRemote to tie them all together - have a look (www.openremote.com for the commercial app, and www.openremote.org for the opensource variant). Note that it's a command interface/state tracker, not an actual controller, but it can talk to almost anything you throw at it - and they can sell you a box to run it on (I have mine on an HP microserver).
I started out with HomeEasy kit for lights, and now have Philips Hue, LightwaveRF, Globalcache iTach and other IP enabled kit all talking to it happily :)
I too saw the possible acquisition message in source.
I have no coins, but surely it's a poor way to handle things either way!
Nah, Wago connectors :)
Whilst refurbing, I wanted to kit out the house with some Hue bulbs, and needed to replace the light fittings as (at the time) only ES27 Hue bulbs were available. Terminal/chocolate blocks were mahoosive given the flush(er) fittings I wanted, and then I stumbled across Wago connectors - push fit and lever/clamp - and they're really tiny.
No more trying to hold a fitting *and* chocolate block *and* wires in one hand whilst trying to tighten a fiddly tiny bl**dy screw with the other for me :)
Check all your in-path devices.
I had "sideways" jerk (particularly with horizontal panning) on some films - being played by a PS3. It had 24Hz enabled automatically (depending on content), my A/V receiver passes through 24 Hz and the TV is 24Hz capable.
And the "capable" word was the problem - as I was blaming the telly. I had to enable "movie mode" on the TV to get 24Hz behaving, which has now eliminated the stutter. This differs from the 100Mhz "Trumotion" stuff, which makes everything slide around sickeningly :\
The stupid thing is the TV was telling me it was a 24Hz signal, but it didn't deal with it "properly" until an option was enabled. Le sigh.
What about kit that "upscales"? It's not entirely clear if they just upscale, or can actually handle 4K content too (and just relay it).
I recently swapped out my Onkyo TX-SR609 for a TX-NR609 - basically the same model A/V, but with (and the reason I bought it) a shiny CAT5 port and DLNA etc, and also 4K upscaling. Most of the docs only say "upscaling", although one says "Upscaling and processing" - so it's not clear if it could actually cope with 4k content natively. They do say it will upscale to 4K2K (3840 x 2160) - so if it can output, I'd assume it could relay it?
Still, anyone who buys this beasty : http://www.costco.co.uk/view/product/uk_catalog/cos_1,cos_1.1,cos_1.1.7/142976
will be a bit narked if it doesn't work, won't they? :)
Just because you can't see a problem (presumably because you're far too stupid to see the several blindingly obvious ones), doesn't mean there isn't one.
I do wonder what'll happen with those people who (like me) have disabled the priority and other inboxen though. Hopefully there will be some subject based identifier to allow a filter....
"Interestingly (this is GMAIL) the message is not encrypted when sent to me from the GMAIL server via an unroutable private address 10.x.x.x, therefore not encrypted within Google's walls. "
Again - HTTPS is being (in some quarters) taken as a panacea. It's not. It covers your data in transit, and depending on its implementation may be doing a reasonable job.
Once it hits your email provider (or the recipients) it may well be stored unencrypted, or fired around their networks unencrypted. As has been shown on various slides, if the NSA (or other groups) are sniffing inside the firewall/entry point, HTTPS is irrelevant. If they can access the data (via warrant or nefariously) due to it being plain text "at rest", it's irrelevant.
Outlook/Outlook Express used to allow for x509 certs, which whilst a pain to get hold of and install, were near transparent when used. As long as your cert/password were secured, your mail was neatly encrypted in transit and at rest.
I'd love to see the following adopted :
a) Sign into email client (local or web)
b) Be forced to generate x509 keys - storing private key locally (or, worst case, the passphrase - and let's skip the "do we trust the mail provider?" question for now)
c) Start to compose new mail
d) Enter recipient address
e) Mail client checks PGP/GPG/keystores for a current public key for recipient
f) If key found, carry on - just automatically and silently encrypt the mail
g) If key NOT found - display mahoosive warning that the email can't be secured - don't type secure things!
(NB: I'm aware Thunderbird/PGP do bits of the above, but not all of it, and it's client/user specific - rather than something that *could* be flicked on for everyone)
Obviously the snag comes with key expiry/rotation - methods need to be employed to (ahead of time) archive email securely
If Google/MS/Yahoo built the above in, and let you either use your own keys or generate them for you, it would probably gain faster uptake - and the inherent security in x509 would (or should!) show if your emails were encrypted for anyone else other than the recipient (i.e. "Google archive key") - or if a key generated by them was "downstream" of another trusted key - you can raise eyebrows accordingly.
The minute you enter a passphrase you've no guarantee it's not being logged, so you can only really go "so far" with bolting things down - but ultimately, if something is "that" secure - don't put it on email, or better yet, keep it offline!
We recently had the lounge redone, inc new carpets. This let me hide and trunk my surround cables nicely.
On the remote side, I'd previously used Philips Pronto RU990 and Marantz TSU9000 remotes (IR & RF 433Mhz) to drive most devices.
But I've now amended that, and gone with OpenRemote on my Android devices. I can design the GUI on line, build the logic myself and run the server on my little NAS. And it works. Although it is beta and can do odd things.
A cheap (sub £150) Onkyo network enabled A/V receiver lets me power on the TV and PS3 (via HDMI) and, more importantly, control the PS3 via HDMI entirely - no more IR/Bluetooth or proprietary remote. And the Onkyo is DLNA enabled, so it can play NAS stored tunes, or indeed (if I use the Onkyo app) play anything on the Android devices.
Throw in a comparatively cheap LightwaveRF controller and some relays and the lights (or in my case, heating) are in the game. I've also gone nuts with Philips Hue and OpenRemote is doing the lot.
Have a look, it's quite nice :)
I originally took out a 512K connection with Telewest, at £25 a month.
I then added XL TV at £25 a month on top.
And then a phoneline (yes, I should have bundled) and wound up paying £60 a month. This was all about 10+ years ago.
Since then I've been upgraded to 1MB, 10MB, 30MB and now 60MB at the same price, and enjoyed a SB4100 Surfboard CM and now a SuperHub 1 (2nd one, as the 1st one had a fault).
Had a V+ HD box, and since migrated out Tivo (got on the pilot, having had a Series 1 Thomson TiVo). VM also lobbed in a £10 pcm mobile SIM for being a long term customer, giving us a £9.50 pcm credit. They've now modded that to include data.
So, overall, especially now they've made TiVo menus much faster, I can't really moan that much. In terms of costs, I've done quite well. Although the additional few quid may make me reconsider buying Netflix, which we have on trial again - but it's rare the bill touches £70-75 with bills (we don't pay for inclusive calls)
NB: I do NOT work for VM, and my phone line does buzz like a sod and probably annoyingly needs a repull, but overall - could have been a lot worse....
But will it make it into/remain on the Chrome extension store once "sideloading" is blocked?
Guess I'm stopping with Iron....
My NAS inbuilt AV scanner (ClamAV) lit up this morning with a bunch of TIFFs.
I suspect false positives, as these are TIFFs which (in two cases) have been sat idle for a few years and last touched as part of an archive/backup.
Jotti and VirusTotal also only showed ClamAV reporting those files with the 'issue', so if you are running ClamAV, I'd consider a pinch of salt with your virus scan reports this morning....
I read this and my eyebrows and chin parted company in opposite directions.
After reeling them back in, I do ponder the sanity of this, or if it's a REALLY badly worded "at launch" statement, to indeed be followed up with "coming via updates".
Our PS3 plays games, watches Netflix, plays BD, DVD and occasionally CDs (although mostly was used to rip CDs for later digital playback), plays music from the NAS via DLNA. The only thing I never did with my (old) PS3 was put Linux on it. I did use it for PS2 games, which the Slim can't do, sadly....
ISTR the Wii didn't playback DVDs due to licence/BoM cost issues - and I'd be (sort of) ok with PS4 users being told "Pay as little as possible for the 'machine'" and then add the components you need later (i.e. transcoding/decoding licences, if not free), and download a DLNA "app" from the PS Store - but for Sony (who built their entire history on audio) NOT to include CD playback by default is a bit odd...
And after the whole "always on" furore, the idea of streaming music might be an issue for some there too. I may have signed up for PS+, but I've not signed up for Spotify, Music Unlimited or the Google Play offering.
I'm also surprised that DualShock 3's just "won't work" (or have been made not to). Put Sony's on PS3 keyboard on the DualShock and lo, you have a touchpad. As mentioned before, if Move works, the others should too....
And PlayTV (whilst not HD) will be another dead duck to add to the pile.....
Quite. They clearly did all their testing in the lab, wearing trunks. Didn't they check what floats?
...I wouldn't be looking at SSIDs, precisely *because* they change.
The BSSID (MAC) however is highly unlikely to change (unless the owner has/is tweaking their router firmware) - and thus if you show up on BSSID/SSID pair 1 one day, but change the SSID the next, you'll still likely have the same BSSID. And given that a BSSID is visible regardless of the SSID visibility, it's going to be "visible".
You could use something like DD-WRT and script a router reboot and MAC change every day, which doesn't affect your SSID and thus need client reconfiguration, but that may be a teensy bit extreme!
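The point made in the post above (track by BSSID, not SSID, and a scripted MAC change is the only thing that actually breaks the link) as an added worked example; this is not code from the original post or from any scanner. The scan records are constructed inline and stand in for whatever `iw`, `airodump-ng` or similar would emit; the field names are assumptions.

```python
"""Added example: correlate Wi-Fi scans by BSSID rather than SSID.

An SSID can be renamed or hidden at will, but the BSSID (the AP's MAC)
normally stays fixed, so anyone logging scans can tie "HomeNet" on
Monday to "Other" (or to a hidden network) on Tuesday. The only thing
that breaks that link is the MAC itself changing, which is what the
DD-WRT scripting idea in the post amounts to.
"""
from collections import defaultdict

HIDDEN = "<hidden>"  # label for an empty (non-broadcast) SSID


def track_by_bssid(scans):
    """scans: iterable of (day, bssid, ssid) tuples (constructed format).

    Returns {bssid_lowercase: [ssids in order first seen]}. Records are
    ordered by day only (stable sort) so same-day records keep their
    original order. A hidden SSID still produces a record: the BSSID is
    visible on the air whether or not the SSID is broadcast.
    """
    history = defaultdict(list)
    for _day, bssid, ssid in sorted(scans, key=lambda r: r[0]):
        key = bssid.lower()
        label = ssid or HIDDEN
        if label not in history[key]:
            history[key].append(label)
    return dict(history)


def renamed_networks(scans):
    """BSSIDs that were seen under more than one SSID (incl. hidden).

    These are the access points whose owners changed or hid the SSID
    without it making the AP any less identifiable.
    """
    return {b: s for b, s in track_by_bssid(scans).items() if len(s) > 1}


def is_locally_administered(bssid):
    """True if the locally-administered bit (0x02 in the first octet) is
    set. Randomised / scripted MACs conventionally set this bit; a
    burned-in vendor MAC normally does not. Useful as a hint that a
    BSSID may not be stable between scans."""
    first_octet = int(bssid.split(":")[0], 16)
    return bool(first_octet & 0x02)


if __name__ == "__main__":
    # Constructed scan log: AP ...:01 is renamed then hidden; AP ...:02
    # keeps its SSID. Neither is a randomised MAC.
    scans = [
        (1, "00:1A:2B:3C:4D:01", "HomeNet"),
        (1, "00:1A:2B:3C:4D:02", "Cafe"),
        (2, "00:1a:2b:3c:4d:01", "Other"),
        (2, "00:1A:2B:3C:4D:01", ""),
        (2, "00:1A:2B:3C:4D:02", "Cafe"),
    ]
    for bssid, ssids in renamed_networks(scans).items():
        print(bssid, "->", ssids, "locally administered:",
              is_locally_administered(bssid))
```

Run it against a real scan log by mapping each scan line to a `(day, bssid, ssid)` tuple; the lowercasing of the BSSID is there because different tools print MACs in different cases.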
I was given a 'Parking Charge Notice' by this lovely brigade.
I had a very amusing afternoon taking some pics, and systematically destroying every single one of the points raised in their charge notice. Account closed.
Interesting reading about them on Pepipoo and Legal Beagles forums too....
Quite. Back in 2010 IIRC (and as this link points out) : http://readwrite.com/2010/06/25/google_activates_android_kill_switch_zaps_useless_apps
I'd have thought they could remove the app from the phone, unless there are paid for app issues - but if you don't "return/uninstall" an app after 15 mins nowadays, your money is gone anyway.
service credit? No, thought not....
My phone actually wasted more battery than normal as it spent most of the day looking for a signal....
<Joly> "HELLO! I'M ON THE PHONE!" </Joly>
Marvelous article, but missing the marvel that was the Sinclair Microdrive! Where else could you tease out a few more K of storage by stretching the tape? :)
Not withstanding the joy of VPN, utilizing DNSCrypt will (or bloody well should) entirely stuff your ISP from viewing your DNS traffic, unless they get all MITM capable...
Then all that can be done is IP blacklisting, which, as mentioned, will block "quite a few" sites. HTTP Host Headers anyone?
re: Vimes' & J G Harston's comments - OpenDNS sort of do this now - it's crowd sourced reviewing, and sites may well find themselves "categorized" incorrectly, with all fun that ensues. See here for an example : http://www.techpavan.com/2009/07/14/website-blocked-opendns-wrong-category-unblocking-solutions/
I suspect various legal beagles will (again) be employed to ensure the wording used on any ISP block carefully avoids libelous comments, and that all blocks are for "suggested" content....
The thought of someone from CSC ru(s/i/n/)ning Microsoft amuses me.
As per my recent post (http://forums.theregister.co.uk/forum/containing/1951457) - this now sort of covers "data at rest" (albeit 128 bits is, as mentioned, not entirely 'weapons grade').
Box (not sure about GDrive) allow for WebDAV style access (GDrive does periodic sync?) - so I suspect some people will use local encrypted containers (think Truecrypt, ZipFolders, etc etc) mapped as local drives, and sync the container archive (encrypted file) to GDrive/Box.
Thus, even if a provider hands over keys/access to those files, the files are still encrypted - assuming of course the container encryption method utilized isn't compromised as well.
The true tin foil hat wearers will of course access their data via a virtualized/LiveCD machine, via a (decent) VPN - giving three layer encryption. Four if they use VPN and decryption certificates held on another device entirely.
It drives the vector back to being the endpoint, and thus (you'd hope) warrants/process of some kind.
That "back door" is more than likely "on the wire" and/or an access gateway in a providers DC(s). Nearly all the mechanisms out there (GSM, HTTPS etc) are "data in transit" methods, not "data at rest".
Once at rest, data is much easier to manipulate. If it's encrypted at rest, handing over keys is also easier as there is no session "fun" to play with (or your data is signed with 'your' key, the providers key and 'any other key duly requested to be included').
As per the article, you go for the point of least resistance/easiest entry - in the iPhone example, it's the attached computer. In other darkened rooms, it's a rubber hose.
I wonder when "utilizing encryption for the hell of it" will become "obstructing officers in the course of their duties".....(never mind being asked to hand over keys under RIPA)
This reminds me of Jimbo & The Set Jet back in 80's kids TV land...
"The premise of the cartoon is that Jimbo was originally intended to be a Jumbo Jet, but his designer could not tell the difference between inches and centimetres, resulting in his diminutive size"
"Vanilla" OpenDNS (or indeed, use of ANY non-ISP based DNS service) will use port 53, and your ISP can easily "hijack" that and force it to their own servers.
OpenDNS DO provide DNSCrypt for exactly that - it (a) runs on different ports and (b) is encrypted and (c) certificate based - so it's going to be a sod for the ISP to get around.
The DOWNSIDE of any of the above is DNS is just a resolver - if the block is at IP level, then you're still hosed.
The only solutions are then a proxy, or a VPN.
As I've said before, with my tin foil hat on, I predict that someone will call for the outlawing (read: revocation) of ALL existing SSL certificates, with new ones being issued by Government signed keys, and any traffic which cannot be 'inspected' getting blocked....
Not quite. All the ISP has to do is intercept and re-route all port 53 traffic, then regardless of which DNS IP you *think* you're talking to, you're not.
I do this at home, to ensure anything on my LAN *cannot* bypass my OpenDNS settings.
If you want to get around it, go investigate "DNSCrypt", as that encrypts your DNS and allows you to point to an upstream server which isn't on port 53.....
(and moving on beyond DNS resolution, any IP which is blacklisted will still be blacklisted, so regardless of how you lookup/get the IP resolved, a filtered site is still a filtered site. Unless you start using a VPN...)
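The claim running through the two DNS posts above (plain port-53 DNS is cleartext that anyone in the path can read and redirect, whatever resolver IP you think you are talking to; DNSCrypt moves it off port 53 and encrypts it) as an added worked example. This is not code from the original posts or from OpenDNS/DNSCrypt; it uses only the Python standard library and every packet is constructed inline.

```python
"""Added example: what an in-path observer (an ISP, a home router doing
the port-53 redirect described above) can read out of plain DNS.

Builds a minimal RFC 1035 query, then parses the queried name back out
of the raw UDP payload. No keys, no certificates: the name is simply
there in the bytes, which is the whole point of moving to DNSCrypt.
"""
import struct


def build_query(name, txid=0x1234, qtype=1):
    """Construct a minimal DNS query: 12-byte header + one question.

    qtype 1 = A record; QCLASS is always IN (1). The RD flag is set,
    as a stub resolver would.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_qname(payload):
    """Return the first question name from a raw DNS payload.

    Bounds-checked so garbage (or an encrypted blob) raises ValueError
    instead of reading off the end. Compression pointers are rejected
    because they never legitimately appear in a query's question name.
    """
    if len(payload) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question")
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def names_seen_on_port_53(packets):
    """packets: iterable of (dst_port, udp_payload) (constructed format).

    Models the ISP's view: everything addressed to UDP/53 is grabbed
    regardless of destination IP (hence redirecting it is trivial), and
    anything that parses as DNS gives up the queried name. Anything on
    another port, or that does not parse (a DNSCrypt session, say),
    yields nothing.
    """
    seen = []
    for dst_port, payload in packets:
        if dst_port != 53:
            continue
        try:
            seen.append(parse_qname(payload))
        except (ValueError, UnicodeDecodeError):
            continue
    return seen


if __name__ == "__main__":
    # Constructed traffic: two plain queries (to what the client thinks
    # are two different resolvers) and one opaque non-53 blob.
    traffic = [
        (53, build_query("example.com")),
        (53, build_query("forums.theregister.co.uk")),
        (443, b"\x16\x03\x01\x00\x05hello"),
    ]
    print(names_seen_on_port_53(traffic))
```

The destination IP never features in `names_seen_on_port_53`, which is the practical reason a port-53 redirect on the router (or at the ISP) works against any "vanilla" resolver you point at; it also shows why the redirect does nothing about an IP-level block, since the name is resolved to the same address either way.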