* Posts by Nick Kew

650 posts • joined 16 Jan 2007


US standards lab says SMS is no good for authentication

Nick Kew
Silver badge

They're behind the curve

The BBC's investigative department has run a number of articles about criminals hijacking a phone number to get through a victim's SMS authentication. Fairly recently they persuaded one of the main banks (I forget which) to drop it after several verified cases.

That's why we have better technologies, going back as far as PGP, and forward to Milagro for the next quantum leap.

3
2

15-year-old security hole HTTPoxy returns to menace websites – it has a name, logo too

Nick Kew
Silver badge

Re: From the linked article

OK, that is a direct quote, and it's not even something that's completely different taken in context.

Does anyone have contact details for that httpoxy page? It really needs correcting. It's true that a Proxy: header plays no role in implementing HTTP, but it's absolutely wrong to suggest that a standards-compliant agent will never use it.

0
0
Nick Kew
Silver badge
Boffin

Re: From the linked article

Standards-compliant HTTP clients and servers will never read or send this header

Not quite correct. HTTP allows agents to define custom headers, so "Proxy" is allowed as such. To the bog-standard server, such as Apache or nginx out-of-the-box, it's as meaningful as "Vhjsrmwb" or "jasswe33d". And equally harmless.

The problem is that due to popular convention many web servers simply prefix HTTP_

That's not popular convention, it's the original CGI standard - which is inherited by all the CGI-imitators like PHP. A way to make headers available to applications that might be interested. All HTTP end-to-end or undefined headers except a few enumerated ones SHOULD be treated this way, but MAY be suppressed if they give rise to security issues.

The trouble arises where languages and libraries use HTTP_PROXY to mean something they shouldn't be taking from untrusted input. I haven't tested it, but I should imagine Perl used with taint-checking (as it always should be on the web) is safe. On the other hand, PHP is always vulnerable to everything, and more generally YMMV. Hence the web servers taking it on themselves to block an incoming Proxy header from propagating to the CGI environment.

The good news is that Apache and others are preventing the Proxy header specifically from being turned into an environmental variable, but we can't just automatically drop it because that is unexpected and somewhat rude.

Actually we can just drop it. If the backend application has a legitimate use for an HTTP_PROXY environment variable, it can be set in the server configuration, for example with Apache's SetEnv directive. But not from an untrusted source.

3
0
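The CGI mapping the post describes (a client-sent Proxy header landing in HTTP_PROXY) and the fix it proposes (drop the header at the server, supply HTTP_PROXY only from trusted configuration) as an added example in Python; this is illustrative code, not the commenter's or Apache's, and the request headers, the hypothetical evil.invalid / proxy.internal.test hosts and the function names are all constructed for the demonstration.

```python
"""Simulate a CGI-style gateway turning request headers into HTTP_* variables,
the naive way (httpoxy-prone) and the hardened way the comment describes."""
from typing import Dict, Iterable, List, Optional, Tuple

# Headers the CGI spec maps to dedicated variables instead of HTTP_*.
CGI_SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

# Constructed sample request: a meaningless custom header (harmless, as the
# post says) next to a client-supplied Proxy header (the httpoxy case).
SAMPLE_REQUEST = (
    "Host: www.example.test\r\n"
    "User-Agent: curl/7.0\r\n"
    "Vhjsrmwb: whatever\r\n"
    "Proxy: http://evil.invalid:8080\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs; malformed lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def header_to_env_name(name: str) -> str:
    """CGI rule: upper-case the name, turn '-' into '_', prefix with HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_naive(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Plain CGI behaviour: every header becomes an HTTP_* variable, so a
    client-sent 'Proxy' header becomes HTTP_PROXY for the application."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env[CGI_SPECIAL.get(name.lower(), header_to_env_name(name))] = value
    return env


def build_cgi_env_hardened(
    headers: Iterable[Tuple[str, str]],
    blocked: Tuple[str, ...] = ("proxy",),
    server_env: Optional[Dict[str, str]] = None,
) -> Dict[str, str]:
    """Drop blocked headers before they reach the environment, then apply
    trusted server-side settings (the SetEnv idea) last, so nothing a client
    sends can override a value the operator configured."""
    env: Dict[str, str] = {}
    for name, value in headers:
        if name.lower() in blocked:
            continue  # untrusted input never becomes HTTP_PROXY
        env[CGI_SPECIAL.get(name.lower(), header_to_env_name(name))] = value
    env.update(server_env or {})
    return env


def httpoxy_attempt(headers: Iterable[Tuple[str, str]]) -> bool:
    """Detection hook: a request carrying any Proxy header is worth logging at
    the edge, since no ordinary client has a reason to send one."""
    return any(name.lower() == "proxy" for name, _ in headers)


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("naive:   ", build_cgi_env_naive(hdrs).get("HTTP_PROXY"))
    print("hardened:", build_cgi_env_hardened(hdrs).get("HTTP_PROXY"))
    print("attempt: ", httpoxy_attempt(hdrs))
```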

Brit chip biz ARM legs it to Softbank for $32bn

Nick Kew
Silver badge

Re: ARM is 10% cheaper than it was a month ago.

I bought at £8.55 earlier this year. It's not been above £10.75 until this morning and Independence served ARM well as most of their revenue is in dollars.

Friday's closing price was £11.89, and that wasn't any sudden jump.

I bought ARM for under £1 (indeed, just under 80p at best). It stayed around £1 for a year or two, and only really took off when it leaked to the financial markets that it was in the iPhone. Someone is looking for a repeat performance with IoT, after a few years in the £10 ballpark.

2
0
Nick Kew
Silver badge
Alert

Do I get a vote?

ARM is still my biggest single shareholding. My inclination as shareholder is to vote against any loss of independence. It'll take more than just a five-figure boost to my pot to change my vote: it'll need a convincing story about being a Good Thing for the industry (can't see that), or at worst a really fabulous "retire rich" premium (which I doubt even Apple could offer).

So, what will the big institutional shareholders do? Who's pulling their strings?

10
1

UK.gov flings £30m at driverless car R'n'D, wants plebs to speek their branes

Nick Kew
Silver badge

Mobility

Isn't one of the big motivators here supposed to be mobility? Reduce the number of people socially-excluded by virtue of being medically unable to drive.

1
0
Nick Kew
Silver badge

Re: "Some of the safest roads..."

It isn't something to be that proud of, when that safety comes at the expense of so many kids being stuck at home because their parents don't dare to let them out. Not to mention my late neighbour - who could walk only slowly on two sticks - being stuck at home because parked cars block the pavements and going round them was too hazardous.

De-facto house arrest for the vulnerable is a terrible price to pay for the relative safety of the more-privileged.

2
3

EU cybersecurity directive will reach Britain, come what May

Nick Kew
Silver badge

Re: Our server, thou art in the cloud, hallowed shall be your drives!!!!!!!!

We've had a UK Great Firewall for years. Google "Internet Watch Foundation". Hit the headlines in 2008 when it momentarily blocked Wikipedia.

6
0
Nick Kew
Silver badge

You enforce it by making it illegal for a non-compliant company to do business.

Same as any other regulation. If a company makes a car with no brakes, it would (I presume) not be legal to sell those for use on Europe's roads. Or all those lead-painted toys we used to import.

4
0

Paper wasps that lie to their mates get a right kicking, research finds

Nick Kew
Silver badge

Re: They didn't cheat

Agreed, they didn't cheat. Pleased to see mine is just one of many upvotes for that comment.

By contrast, El Reg did cheat. A clickbait headline suggesting a really interesting story, leading to this.

6
0

Israel's security minister suckers Zucker for Facebook'ed killings

Nick Kew
Silver badge
Big Brother

The UK was there first

... we blamed Facebook back in 2014. A high-profile case to coincide with Mrs May's 1984 surveillance bill.

I recollect blogging about it at the time.

4
0

Prominent Brit law firm instructed to block Brexit Article 50 trigger

Nick Kew
Silver badge

Re: Politicians

I like spineless gits. Imagine how bad things would be if the clueless twits did something.

W.S. Gilbert put that point rather well in 1882, taking a long historic perspective.

1
0
Nick Kew
Silver badge

Re: "No, No, No. Let me resign..."

I only hope that his leaving UKIP doesn't mean that he is defecting to the Conservatives where he might end up in a position with some influence.

What, and be expected to kowtow to another leader? I think that calls for a milliner to do the catering.

0
0
Nick Kew
Silver badge

Re: And the house of lords?

The EU laws are decided upon and drawn up by an unelected council. The elected members only get to vote on whether it passes or fails (they might have a right to amend, I'm not sure).

Bit like Westminster then. Or would be, if "EU laws" existed.

People have tried to improve democratic accountability within the EU, but UK governments (of both parties) have blocked such attempts. Perhaps the reason we can get out now is because eastward expansion has made it unlikely they'll get agreement on that kind of reform any more even without the UK to block it?

18
5
Nick Kew
Silver badge

Re: From another angle...

Sorry but that is absolutely the case due to UK Parliamentary Sovereignty, whether you or I think it is right or wrong.

Isn't parliamentary sovereignty supposed to be the question at issue? Those who say a Prime Minister can act without it are denying that sovereignty.

Under UK law, only a court can say who's right. Not the PM, nor parliament, nor the people. Indeed (shock, horror) not even Reg commentards.

12
0

Parliament takes axe to 2nd EU referendum petition

Nick Kew
Silver badge

Re: The IP address is not a great way to decide validity

Funny definition of gerrymandered.

You miss the point.

The whole point of the referendum was to deal with the Tory party split. So many things were gerrymandered in favour of the maximum Out vote, so they'd have the maximum lack of credibility crying Foul.

Hence gerrymandering the electorate, the date, and the terms of debate.

Hence "negotiating" that worse-than-useless pretend-two-wrongs-make-a-right deal.

Everyone saw it as an internal Tory party row, which of course wrong-footed most of the non-Tory-party population and the rest of the world. Even the electoral commission played along, appointing the Tory Out faction rather than the Faragists as the official out campaign to keep things within the Party.

https://bahumbug.wordpress.com/2016/02/19/a-hollow-crown/

3
5
Nick Kew
Silver badge

Re: The IP address is not a great way to decide validity

Maybe the Vatican runs ISP and proxy services? Maybe the Vatican has licensed out some of its allocated IP numbers? Or other such explanations.

That would seem broadly equivalent to some of the places around the world - from Moscow to Minneapolis - that IP location services have placed me without any such thing as a VPN.

The referendum was gerrymandered, not least by reneging on the 2015 manifesto commitment to enfranchise Brits long-term abroad (as I pointed out back in February). If the same happens to this and other petitions, shouldn't that just be seen as par for the course?

10
7

Dutch court says BREIN should get e-book uploaders' names

Nick Kew
Silver badge

Isn't this a non-story?

Unless the ISPs defy the court order, this would seem a non-story. They're not taking any kind of a stand by refusing to hand over details without a court order.

Though it could become a story if something interesting happens after handing over the details. For instance, the customer was offering free wifi and can't be held responsible for its users. Or can it? Now the world is worried again over public wifi ....

6
0

Brexit: More cash for mobile operators or consumers? Pick one

Nick Kew
Silver badge

Re: UK legislation

They could. I have no insight into how such legislation might work in practice: whether there might be unintended consequences.

Maybe if the EU rules prove successful you could start to lobby the UK government to legislate along those lines for roaming outside the EU? Or maybe someone is already lobbying?

2
0
Nick Kew
Silver badge

Not a zero-sum game

If we vote for isolation, the total pot of travel is likely to be a little subdued as the UK and to a lesser extent the rest of the EU (and indeed world) take an economic hit. Though perhaps the gap will be filled with more rest-of-world visitors taking advantage of cheaper currency.

Low prices will of course also drive volumes, regardless of anything the EU and the vote may do. I tend to treat roaming data as emergency-only, and stick to wifi spots for connectivity (including VOIP for voice calls). That kind of decision by millions of individuals reacting to high charges makes for a non-zero-sum game.

5
0

Patent trolls, innovation and Brexit: What the FT won't tell you

Nick Kew
Silver badge

Trade with the US

The EU has a history of standing up to US bullying. Even if it has, at times, hinged on a single courageous member (remember ThankPoland?). The UK is more likely to roll over and take it from Uncle Sam.

A post-Brexit UK, in need of trade agreements with anyone who'll play, will be desperate for whatever it can get. So that'll be US patents automatically enforceable here. Along with all those other little things - like no question of labelling US food imports that might contain growth hormones illegal here, lest such labelling be prejudicial to their ability to sell (and of course the corollary, nothing to be labelled as free of such things, or GM, or whatever).

7
1

Microsoft and LinkedIn: What the CEOs are planning

Nick Kew
Silver badge
Facepalm

"Microsoft SEO Satya Nadella" (sic)

A Freudian slip for our times?

1
0

No 10's online EU vote signup crash 'inevitable' – GDS overseer

Nick Kew
Silver badge

Re: “I am very surprised that it crashed” - Liam Fox MP

I take it you're not one of the many reg commentards who would've screamed loudly about UK citizens' personal data being outsourced to a commercial entity and to servers in jurisdictions lacking our level of data protection?

There are a lot of people who care about that kind of thing, and would take a dim view if it happened. They might very well seek and get a court order declaring it illegal.

Anyway, a sufficient DoS attack can bring any server down for a while (see my post below for thoughts on who might've expected to benefit from that).

2
1
Nick Kew
Silver badge
Alert

Conspiracy?

Can we say one way or the other whether anyone might have deliberately DoSed the system? Cui bono?

The alacrity with which a minority of "out"ers jumped on it with cries of Judicial Review tells us someone thinks they may have something to gain from what happened: they're preparing the ground for a "vote again until you get it right" scenario. If the deadline hadn't been put back, they exclude a bunch of voters who everyone supposes to be predominantly-young, predominantly-in. A win-win for a DoS attack.

If it was regular cockup - lack of capacity - it would seem more than likely it should've gone down again before the extended deadline. As noted on Wednesday (before the event), whether it survived Thursday would provide cockup-vs-conspiracy evidence.

2
1

England just not windy enough for wind farms, admits renewables boss

Nick Kew
Silver badge

Re: Tidal?

Tidal is what we (UK) should be concentrating on above all else. Our geography more than any other country[1] gives us a huge resource to tap.

The downside there is, those countries which have committed more seriously to renewables (from China to the USA to more enlightened Europeans) have proportionally less of it and more of other sources. So no one has taken the lead in developing it. We have some pioneering projects, but only in Scotland have we got a government more-or-less prepared to back their pioneers.

And there still seems to be a lot of ignorance. Generic anti-green knee-jerks and a claim that greens don't like it have already popped up in this thread.

[1] With possible exceptions amongst tiny island countries whose total needs might be the size of a single UK power station.

1
2

Bloke flogs $40 B&W printer on Craigslist, gets $12,000 legal bill

Nick Kew
Silver badge

Re: Vexatious little ...

Welcome to the Real World.

Though I find your size-ism disturbing.

0
3
Nick Kew
Silver badge

Pirate Dave, that's usual. Something a bit like that happened to Spamhaus a few years back, when some spammer sued in a 'merkin court - to take one example. For the worst abuse of all - albeit not quite the same - see the story of the pirates who used bogus patents to choke Blackberry. Courts look after their own, and 'merkin courts often have global reach.

3
2

Will you get reimbursed if you're a bank fraud victim? Brits think not

Nick Kew
Silver badge
Trollface

Re: And what can you do...

Perhaps they should blacklist the real sources of confusion. Headed by I, l, 1, and maybe |.

0
0

Arrests for 'offensive' Twitter and Facebook messages up by a third

Nick Kew
Silver badge

Re: Freedom of speech is dead in the UK

Freedom of speech without the freedom to offend is worthless.

Not worthless. Just nonexistent: it simply isn't free speech.

Je suis some-poor-bugger-probably-not-called-Charlie. 'Cos Charlie Hebdo published things far more offensive than I (or I expect many of those arrested) ever would, but got all the sanctimonious hypocrites lining up to support it.

My personal view? I'm with Voltaire: I support the right to say despicable things. I may also despise those who gratuitously abuse that right, but that doesn't mean sending the heavies after them.

15
0

Google is the EU Remain campaign's secret weapon

Nick Kew
Silver badge

There are many reasons a site might move up or down your Google results. Some may be sinister, others realistic, but I don't think any fit both descriptions.

In the case of a political hot topic, it's almost certainly other sites moving up rather than your favourite moving down. Sites that Google users click on and appear to stay on (Google can see if you return to its results page and try another link after 30 secs). Sites that other people link to in relevant discussion. Etcetera. They've spent 20 years perfecting the engine to bring up the most relevant and interesting results for the most of their users, and doing constant battle with "SEO" spammers who try to subvert that.

8
0

Are EU having a laugh? Europe passes hopeless cyber-commerce rules

Nick Kew
Silver badge

Are you making problems?

If your Spanish vendor won't ship to Poland, then they won't have Polish customers. That problem is theirs, and the remedy entirely in their hands. No business of the legislators: that's a complete red herring introduced in your article. No different to a Bristol vendor who declines to ship to Brighton.

If there's a point I'm missing, why not make it instead of introducing such feeble non-arguments?

2
6

German boffins' clock drops 10 seconds in a billion-and-a-half years

Nick Kew
Silver badge

Re: Not good enough

I'll sell you a clock with altogether less drift than that. Absolutely accurate twice a day, every day.

5
0

Shared services centres supposed to save £128m saved £0... and cost £4m

Nick Kew
Silver badge

Surely the Cabinet Office isn't the government, it's Sir Humphrey.

A man who shows clear leadership when it suits him, and not always in the direction of the government.

3
0

They take to it later, but when women FLOSS, they mean it

Nick Kew
Silver badge

FLOSS has older people, some of them grandparents.

But we didn't start as young as today's generations. We didn't have computers, let alone incentives like Google's Summer of Code. When RMS started in the 80s you had to be pretty well-off (or a kid with rich parents) to go anywhere near it. Even much later, getting online could be something of an adventure.

(Peak age 21 is plausible, as a direct effect of GSoC).

2
0
Nick Kew
Silver badge

Sample size is the least of their problems. Wouldn't be a problem at all if it were properly sampled.

But an online poll with self-selecting sample can never lead to meaningful results. Unless the study is all about bogus sampling methods.

I think most of us who've been doing open source for a while have also answered enough of those surveys for one lifetime, and just bin the requests to do yet another. Perhaps the results tell us that women have more patience with the d*** things and a higher boredom threshold, no doubt endowed on them by biology to deal with the endless repetition involved in caring for very small children.

0
3

Sainsbury’s Bank insurance spam scam causes confusion

Nick Kew
Silver badge

What's new?

All sounds perfectly normal to me. I get lots of such acknowledgements, and usually the most immediate indication that it's bogus is never having done business with the organisation in question.

Big-name online retailers like eBay and Amazon seem to be regular favourites. Along with banks, airlines, etc.

2
2

US work visas for international tech talent? 'If Donald Trump is elected all bets are off'

Nick Kew
Silver badge

Don't get hung up on geography

Working for Silicon Valley doesn't require any kind of visa for anyone.

Just regular broadband.

7
0

Must listen: We've found the real Bastard Operator From Hell

Nick Kew
Silver badge
WTF?

Re: The Original song

Wow! It really is! So not the BoFH's own invention. Are they paying royalties, since it's not original?

Definitely sounds much better than the stuff they play in DIY stores, and distressingly often in supermarkets. Or indeed anything on the BBC's monument to mindlessness, Radio 2.

0
0
Nick Kew
Silver badge
Megaphone

Four Yorkshire Railwaymen

Just down the tracks from here is a maintenance depot. So at night (when there are long gaps between passing trains) we get the trains shunting out really slowly from the depot and stopping right here to go through quite a range of maintenance regimes. The noises have to be heard to be believed.

2
0
Nick Kew
Silver badge
Thumb Up

Re: Am I the only one?

I've never heard X-Idol-Voice-Talent-Thing or Justin Bieber. At least, not knowingly: I wouldn't have a clue if I did.

But that track was a lot more entertaining than a lot of the pop that's all-too-regularly inflicted on us by the likes of the BBC. Most recently 'Prince'. When a star is celebrated, why can none of the fawning sycophants ever play us any track that varies in the slightest from a formulaic pop 4/4 allegro tedioso with all the musicality of a pneumatic drill? This track is rather fun by comparison.

4
3

When to trust a startup: Does size count?

Nick Kew
Silver badge

Um, a company of any size can lose interest, stop supporting whatever they've flogged you. Whether it's a tech that's failed in the market like Betamax, or just a winding down as with Windows versions reaching a certain age.

Open source offers some protection. Open source with a thriving and diverse development community is the gold standard for ensuring your investment won't prove a dead end. Invest in a startup delivering an Apache project and you have two layers of assurance beyond the company itself: the source to work with, and independent developers to give continuity if the startup itself dies.

6
0

Barbie-brained Mattel exec phell for phishing, sent $3m to China

Nick Kew
Silver badge

Cross-border cooperation

Sounds like it didn't take too much effort to persuade the Chinese bank in question to block its dodgy client.

What's the chance a US bank would be so cooperative in response to a request from a Chinese victim?

12
1

Internet users don't understand security or privacy, says survey

Nick Kew
Silver badge
Thumb Down

I was about to post that. Though with the added caveat that this survey doesn't have to have been half so devious as Sir Humphrey to get the answers it wants.

The Reg should be ashamed of publishing vague articles like this. It's simply meaningless without telling us the actual questions asked.

4
1

Confused by crypto? Here's what that password hashing stuff means in English

Nick Kew
Silver badge

Re: "To obtain a certificate from a CA you have to convince them of your credentials"

The CA model is broken, as demonstrated by a fair few incidents reported in El Reg and other techie media.

In the absence of a WoT made simple enough for Joe Public, a move to a distributed trust authority is overdue. M-Pin gives us the framework for that.

2
0

London's $40m 'flash crash' trader is to face extradition to the US

Nick Kew
Silver badge

If there's a crime exposed by this, it's the bots that saw his orders and front-ran them. And the system that allows orders to be seen by third parties in time for that to happen! The fact he could make millions tricking them just goes to show how much those parasites bleed out of honest investors, such as our pension funds.

But the beneficiaries of those keep the judiciary in their pockets, both sides of the Atlantic. This poor bugger failed to grease the right palms.

Once upon a time, I heard a story of someone who had baited a 419 scammer. He could help a fellow-member of his church and suggested the scammer join and he'd help. So he got a joining fee out of the 419-er. Seems to me what this guy did is morally much the same as that!

5
0

Hands on with the BBC's Micro:Bit computer. You know, for kids

Nick Kew
Silver badge

Re: The same memory as the BBC Micro Model A of 15 years ago...

But will it still run Elite?

I want The Valley!

(seriously, I'd love to play with that again, if only to see how something that looked so infeasibly huge to have fitted into 32Kb then looks in an era of gigabytes).

1
0

Mystery Kindle update will block readers from books after Wednesday

Nick Kew
Silver badge

Re: Not very user friendly

Damn, I can just see the headache as I sort my dad out, while he moans on and on about technology never working.

7
0
Nick Kew
Silver badge

Re: Non-cloudy thinking

Cloud is extra specially pointless for books. You could carry all the books you'll ever own on one microSD card.

Yeah, I love having my precious collection all on a single point of failure.

4
43

HERE: We're still, er... HERE

Nick Kew
Silver badge

Re: Quite an uphill battle on iOS and Android

Google maps are still at best a pain forcing you (at best) to jump through hoops if you want to use maps without a data connection - and a huge bill to use them internationally.

I'd call that a killer advantage for Nokia maps as was. I still have an old Symbian 'phone which I take with me abroad just to have decent maps which I know won't slurp data unbidden. Using it on the Android 'phone would leave me vulnerable to launching Google maps accidentally in a "senior moment".

2
0

Snowden WAS the Feds' quarry in Lavabit case, redaction blunder reveals

Nick Kew
Silver badge
Big Brother

Scope for conspiracy theory.

Failure to run that search until it returns a blank ... implausible.

A fat-finger final search for Snodwen. Or an over-used search function in Word/whatever failing silently with EALLOC after the previous ten thousand searches in the session. Don't say there isn't a second person to double-check something like that independently? Oh, right, the PHB checked it, found the error, corrected it, then published the uncorrected version.

Or a false flag? Give the world what it expects to find so they won't look deeper and just possibly stumble upon .... [fill in the blank]. Smiley would see that as perfectly mundane.

12
0
