FIPS 140-2 (Was Re: Cheap)
Considering that FIPS 140-2, IIRC, includes as part of the standard such ignominious technologies as DUAL_EC_DRBG, that certification just doesn't have the same ol' shine it used to, for some people...
169 posts • joined 26 Jul 2007
Best be going now..
Mexico also being the second nation in North America that refers to itself as "United States" (...of Mexico), for almost as long as the USA. (47 years less, to be exact. Almost 200 years now.)
I gleefully attract many cross-eyed looks and grimaces by pointing out such inconvenient facts and using terms like "Yanks" or "USians" when referring to US residents.
Apple Cart Upsetter in Chief
I don't normally read Reddit. But the stuff I read yesterday on Reddit was like a bunch of petulant children that have already made their minds up that TeamViewer (you know, the company that's been giving away a fabulously useful, stable and reliable product to people for years now) is the Big Evil Satan.
As for the snippet you quoted: TV's new permission notification thing should stop any bruteforcing dead in its tracks.
Also do not forget that there was a trojan discovered last month that exploited the TeamViewer client by bundling it with the trojan and using it to create a proxy reflector. TV might want to look into how they can harden their client to make it more difficult for it to be exploited in that way.
I just read about what the "teamviewer trojan" is - seems that they were not just bundling Teamviewer with the malware, they seem to have exploited its functionality in a certain way to facilitate their hack:
Including hiding any obvious presence of Teamviewer on PCs so compromised machines are less obvious.
Perhaps it's time for Teamviewer to add countermeasures to their code to make it harder to hijack it in this way.
I'm inclined to agree with this.
TeamViewer is a VERY widely used app, there are all sorts of ways it could be falsely implicated, including this KNOWN issue where some miscreants are bundling it with a trojan and then using it to further exploit the already-trojaned system.
TeamViewer has done the world a great service by allowing millions of people to use this excellent product for free for years now. But as with any widely-used free product that does things online, miscreants often exploit those tools for their own sleazy purposes.
SMDH that some people here immediately assume that TV is at fault with no actual specific evidence, and then talk about the "superiority" of tools like VNC which, for many years, had the worst security in the world. (E.g., NO encryption whatsoever unless you created your own encryption tunnel to pass its traffic through, and most people never bothered.)
Data breaches have become so ridiculously common lately that the likelihood of someone NOT having had their data compromised in one of them is getting smaller and smaller. The entire voting population of Mexico was one such recent example.
"Please allow an extra 2 days incoming transit time as all incoming shipments are routed through the NSA's logistics center."
Actually he described DDG as "Google scraping", i.e., it uses Google search results.
Which would explain that particular bit, but I was actually not of the impression that DDG used Google as a source. I thought they pulled their results from a variety* of sources, including their own spider.
*(~400 sources, was the figure I recall. Neither do I think Google is amongst them.)
Thanks. Well who knows, then. All sorts of complicated voodoo going on with Google's search, that much seems certain.
One thing I would have tried was just to use the acronym and see what kind of results show up. And then add additional terms until the results disappear.
The dumbing-down of search engines over the last 10+ years has left us with a situation where the majority of the popular ones (except Google, interestingly) completely ignore double-quotes as a way of trying to specify only a specific string of words in a particular order.
So the first problem is that the non-Googly services are likely interpreting your query entirely differently than how Google does.
And then of course there's the infamous "tunnel vision" issue with Google and others serving you customized results. Are you searching from a clean device/browser, cookies cleared, not logged in to any other Google services/sites?
I just discovered that BBM is now offering "private chat" for free, which used to be part of their add-on privacy subscription. (Along with message retraction/editing, photo retraction, etc)
Private chat is a snapchat-like service where when you enter such a chat your username becomes invisible, history is not retained, timestamps are not visible, and screenshots are blocked or send a notification to the other party.
Perhaps Andrew mistook that for BBM Protected?
@AndrewOrlowski - in the article you claim:
"...making all of its goodies available for free, including secure encrypted chat."
Are you saying that BlackBerry Ltd is now offering BBM Protected for free? This would be news to me.
BBM has been encrypting its chats on the wire with real encryption (as opposed to the traditional BBM "scrambling") ever since they built BBM on BB10 and went cross-platform. But data-at-rest encryption, or the other additional BBM Protected layers of security, have always required some sort of subscription.
Have they really done away with that now?
The way I look at it, anyone who gives a rat's hindquarters about privacy has always been an idiot to use WhatsApp, because WhatsApp's user identities are directly tied to each person's phone number (like SMS), which means that (AFAIK) you are broadcasting your telephone number to the whole world whenever you use it. Furthermore, anyone who uses anything owned by FB and expects their privacy to be respected is an idiot of the highest degree.
Ergo, people of that persuasion who are miffed about sharing their contacts list with the FacePlex seem sort of quaint.
The only people who enjoy this sort of "protection" are the elite members of the ruling class like Bush, Sarah Palin, etc.
The rest of us can just go pound sand as far as law-enforcement is concerned, if someone guesses our lousy AOL password.
McAfee's credibility is several levels below the FBI's, at this point.
They did have an MDM solution at that San Bernardino agency, but apparently it was in "test mode" on Farook's phone and not fully enabled yet. Oops.
@Pott, I often vehemently disagree with your rants. This one I agree with 300%.
I'm enough of an old fart to imagine that I was in the biz' before the majority of the major players had turned into mendacious monstrosities that are seemingly comprised of 85% marketing BS and 15% technology, if you're lucky.
It would be hilarious as hell if it weren't so pathetic that I oftentimes will get some drivel in my mailbox that after reading over 4-5 times I still cannot figure out WTH they are supposedly talking about: 100% idiotic buzzwords, corporate double-speak and impenetrably abstract euphemisms for what I do not know.
Living through the days when HDDs failed a lot more frequently perhaps places a different light on these things.
The problem with SSD failures is that there is no "Plan B" where you can take it to a fabulously expensive outfit that will find a way to retrieve the magnetic bits, usually. If the chips fail, they fail. There is no resurrecting them at any price, usually.
And then there is that pesky problem where SSDs in powered-off state (particularly after they've been used a while), tend to "forget" what was stored on them, randomly. Oops.
I actually love that article layout.
My usual problem with the avalanche of data that exists to be absorbed in this field is when I see a long review of a bunch of products, I have this sense of dread that I have to slog through it, from beginning to end, looking for things of interest, and half the time I lose interest because of all the unrelated junk I'm forced to slog through to find a nugget or two. (Yeah, I do a lot of skipping to the "conclusion" page but oftentimes the info I'm looking for isn't there)
Not only was this article short and to the point, it allowed me to browse through each product description while simultaneously taking-in the performance measurements for the whole slate of products, which I thought made a much better use of my "eye-time".
Besides the "helium leakage" issue, I don't suppose enough people realize (and the industry isn't going around telling them, of course) that flash memory has this annoying problem of just getting amnesia over time.
One of the scariest aspects of SSDs and flash memory in general, to me, is the fact that data can just start randomly disappearing while they sit on the shelf, with no voltage applied.
Someone at Seagate who also is a member of the JEDEC standards-body wrote a highly publicized paper on this which was published last May, but the issue of offline flash/SSD data retention has been known-about for years.
The "all in one" approach to updating typically only works if every single executable is open-source and the developer is willing to relinquish control over the distribution of their product. And believe it or not, repositories sometimes get compromised, which is one reason why some software developers prefer not to cede control over that critical part of the chain to 3rd parties.
And while it's a nice utopian fantasy, the whole universe of software will not all become open-source in my lifetime. So, we are sometimes stuck with a bunch of proprietary updaters. Which I don't have a huge problem with if they are GOOD proprietary updaters. Pity how many unnecessarily lousy ones exist.
Some day some places may actually mandate a minimum level of software quality for some products, especially when its code flaws have a widespread effect on the well-being of the populace. Just like laws that attempt to ensure little things like the automobile you drive has brakes that actually work.
Looking at the previous Reg article about the $17M Symantec judgment, I couldn't help but guffaw at the almost perfectly appropriate surname of IV's legal spokesperson:
"We are grateful to the jury for their hard work and for confirming the validity of these patents," Intellectual Ventures chief litigation counsel Melissa Finocchio said in a canned statement.
Oh, well that anecdote proves it then, all A/V companies must be frauds. [rolleyes]
As for Google, clearly their talking-heads read Orwell - too bad they somehow took the wrong message from him tho.
The FCC has clear statutes that prohibit the interception or jamming of wireless telephony signals. This is why it is illegal to sell or own cellular jamming equipment in the USA, and why people who were caught snooping on the telephone calls of politicians in the past have been thrown in jail.
Of course, us proles will never enjoy the sort of privacy protections that the parasi...er, politicians enjoy.
Of course these apparatchiks and technocrats don't seem capable of comprehending how a fundamental communication technology that has been part of the world for ~60 years can just be turned off in short order and not impact all the people who have this technology embedded in all sorts of devices and equipment that WILL NEVER get updated to be compatible with DAB. Just like the bimbos in the USA that thought that adding a few weeks to daylight savings time would "save electricity" (studies have proven this is nonsense now) while immediately obsoleting all sorts of equipment with embedded clocks which were pre-programmed with the old switchover dates. (Including minor little things like building control and security systems, etc.)
All the nonsense about questionable DAB audio quality and changing/incompatible codecs/ECC also demonstrates once more the tunnel-vision of people who couldn't fathom the need for eg software-definable radios that could adapt to the future codec-du-jour.
Which leaves us at the "savings" part - which of course in my country will undoubtedly translate into corporate $PROFIT$, not anything likely to benefit the average punter. And to those who say we will all just migrate to digital streaming - A) unicast streaming media is the most ridiculously inefficient way of broadcasting content to the public ever devised, and B) this just throws us even more at the mercy of the wireless data oligopolists, which of course are the very same entities eager to realize these "savings".
Most of the non-OS-specific vulns that apply to Webkit generally seem to apply to Blackberry 10's native browser.
The exception would be some aspects of the crypto library, which is unique to BlackBerry. (And FIPS 140-2 certified... though in the post-Snowden era I'm not sure that's something I'd be particularly proud about)
The problem BlackBerry has is that they cannot push mandatory, timely updates to their users because they are all gated through carriers. For example, the VAST majority of US Blackberry 10 users today are on devices where the latest official OS is some variant of 10.2.1 - which is riddled with security weaknesses.*
BlackBerry has also been notoriously slow at releasing security patches - their announcement in this case is notable for being much prompter than is their usual habit.
The issue of having to rely on carriers to push updates is not unique to BlackBerry (Apple is one of an extremely exclusive club not burdened by this), but their current market position most likely means that the leverage they have over carriers to "encourage" them to do so is far less than the 6-10 vendors who sell more devices that connect to carrier networks these days than they do.
*(Yes, enthusiasts can violate Blackberry's terms-of-service, find and install unapproved leaked versions of firmware on their devices, but even at that, I'd estimate that, of the total installed base of devices, probably no more than 10% - at most - do this on a regular basis.)
"There was obviously a reason why the Secret Service made Obama give up his iPhone for a not-so-cool custom Blackberry when he became President."
Tidbit: Obama's device is, among other special customizations, an older BBOS device on Verizon's network - in other words - no SIM card. :D
I will admit, having hackable DNS for their core internet domain does call into question their corporate priorities.
It's a pity, because Lenovo is one Chinese company that I have historically had pretty decent faith in.
As a longtime IBM and Thinkpad user/recommender/supporter I was quite skeptical when the Lenovo takeover was announced. But over the years they have earned my trust for the most part. (Notwithstanding some of their product choices like not generally offering high-quality display panels on laptops these days)
Lenovo is not like most Chinese companies, they are highly globally diversified (in terms of ownership and workforce) - significant parts of top management are not native Chinese, with some important divisions outside of China - and they don't have major ties with the PLA or CPC. They also seem to treat their workers decently.
Thus I am inclined to think that this issue was mostly the result of attempts to squeeze extra revenue out of the mass-market product lines with the over-zealous use of "crapware", the impacts and implications of which were not fully grasped by the responsible parties. (Most likely, marketing types) Rather than some nefarious plot to spy on all their customers.
"The US dropped two bombs on Japan to end the war. They intentionally targeted cities that had civilian populations. (Oh and of course some military value.)
But the truth is that it would be considered a war crime. Yet what would have happened if we hadn't dropped the bombs?"
The Soviets would still have marched into Berlin and defeated the Germans (at far greater human cost to their citizenry than the USA suffered) and the war would have ended just the same.
Thanks for playing.
BTW, you spelled "Kool-Aid" wrong. Strangely, some of us drank it as kids without even coming under its spell. :)
All you have to do is have proper equipment and a provider that both support HD (e.g. G.722) and then it should all be fine.
So this "we still have the same low quality..." complaint in the scenario you described comes down to a poor choice of hardware/provider, no?
I hated what Oracle did with a lot of the Sun products, including pulling support and even the ability to download a BIOS ROM for old workstations without buying a pricy service contract - but VirtualBox has become (remained?) probably the most useful Oracle software product to me, particularly because it is still accessible to anyone without having to pay a king's ransom, and it works well.
On the other hand, every single time I install a Java JRE update, I am reminded of how much I hate Oracle, since they provide "fake" options to disable various annoying features which, like clockwork, re-enable themselves without notice every single time you do a bugfix update, or even before then. (One of my long-held pet peeves: SW that wants to "pre-load" itself and suck up continuous resources on a computer when it is not being used, simply because it makes the SW look less like a sluggish albatross when you eventually actually have a reason to use it and 80% of it is already sitting there in memory, playing "memory sponge".)
That is awfully strange, isn't it.
Yes, it's true that a large portion of ICANN's revenue comes from sleazy businesses that provide no value to anyone but a tiny handful of stupid opportunists.
Now that ICANN's CEO has just learned this obvious little detail, it's time to do away with the various ICANN policies that are anti-internet-user and pro-opportunist-value-destroyer.
Eh, where's my flying pig icon...
Actually there are some actual real deployments of LTE Advanced already in certain parts of the world, but not to my knowledge in the UK or USA yet.
Kudos on going to the effort to make those tweaks.
However unfortunately people often seem to forget that websites such as this one do not exist simply to provide a free service - they need to at least pay for their costs to produce it. And unless people want a paywall (highly doubtful), that generally means advertisements. So, removing all the advertisements everywhere they appear is not likely to happen on the default site for obvious reasons.
So, a good effort turning it back into something that looks straight out of 1994 (and believe me, I rather miss those days of straightforward websites that were 95% useful content that you could actually browse with Lynx without missing much), but let's not get our hopes up that the default site will look anything remotely like that any time soon.
The Register has always been somewhat simply designed, which makes it more attractive to return-to on a regular basis to read articles and news of interest without wanting to throw things at the screen the way I often do on other I.T. websites that are completely garbaged-up with pointless scripts, popup nag windows and miscellaneous non-textual content.
And so I noted in the latest missive about the redesign that "responsive" design will have to wait. As long as it's in the cards I can live with that for now. Especially if you do not resort to intolerant browser-sniffing tactics that penalize anyone who does not use the "Top Two" browser du-jour.
But since I often like to print out (or save to PDF) articles for future reference, I really mourn the loss of the "print" icon, or at least some sort of "read as single page" option, because printing ElReg articles is becoming more difficult as of late.
RSS is also important to me because this is the most convenient way to catch up on news from my smartphone. However many of my mobile RSS apps struggle with the ElReg RSS content for various reasons.
As for the "brightness" thing - sure, one could use a stylish script or something to change that but that's a hassle in the long run. My fantasy is a button to change from the standard view to the "tired/hungover low-contrast view" on demand. (E.g., grey background instead of white. This is how I configure terminal screens on my systems.) Hope springs eternal. :)
When using the website, I historically used the "weekly" view here, it's just a pity that page is hidden by default these days - if I'm using a new system or device without a bookmark I have to dig for it.
Mea Culpa - looks like the link is at the bottom of the page now. Thanks.
Overall - thanks for your efforts to keep listening to your readers.
I agree it's incredible, but basically RIM fired 95% of the BBOS developers and had the QNX staff designing things they had no experience with, e.g. email, with little oversight from the few remaining BBOS devs. Ergo, they flubbed a variety of things, like basic RFC2822 email formatting errors and so on.
Luckily the most egregious of those errors have since been corrected over the last 1.75 years, but there are some omissions that remain. The Contacts app is one of the worst of those - clearly the devs had never designed any PDA apps before. At this point the only solution would seem to be completely abandoning the current codebase and starting over from scratch. I refuse to sync BB10 contacts with any other online/cloud entity (or even Outlook) unless I want a complete debacle on my hands.
That said, I'm actually considering a Classic as a secondary device to replace my current secondary device, especially since my carrier never offered the Passport. I'm still a sucker for a BlackBerry. :D
@usbac: I always avoid companies with a viscous culture, too sticky for me.
@dan1980: In fact, studies have been done (e.g. this one by New America: http://securitydata.newamerica.net/nsa/analysis) that essentially came to the conclusion that the widespread warrantless data-trawling and "metadata" collection done by the spooks, as enabled by the various fear-mongering post-9/11 laws, have resulted in virtually zero capturing and prosecution of any bad guys they claimed it was designed to target.
Some of us are not surprised..
@Christian Berger: my understanding is there are various grassroots efforts going on today specifically to address this issue of cellular base station hacking / rogue base-station operation - often named for the devices most famously used to perpetrate this, the "Stingray" from US company Harris.
Including efforts by the platform vendors to include methods of detecting such rogue base stations right from the native mobile OS itself.
@tom dial: "...to a significant degree". Heh. I'll have to remember that handy phrase. :D
Making a lot of assumptions there about legality and appropriateness that I daresay you're not in a position to make. Unless you're truly a national intelligence insider with special personal access to details the rest of us do not have. The evidence *I've* seen - as just one of the perhaps slightly more informed than most riff-raff - suggests otherwise.
What Manning exposed was widespread breaches of both US/military policy as well as international law. The evidence *I've* seen is that this "embarrassment" was a good thing, and virtually no one in the domestic intelligence field, military or civilian sphere were physically harmed by those revelations either. As for whether or not it "promoted peace" - I'd say it certainly had some positive impact since revealing the duplicity of the USA in such matters is important for the other parties to know about in order to make sound decisions. And oftentimes those sound decisions do not go the way the USA would like them to go. Oh well.
Assange may as well have been in jail for the last 2 years. The amount of money the UK spends making sure he stays there is surely at least a couple of orders of magnitude higher than what would be spent keeping him in prison, too.
The bottom line is that digital technology has been an enabler of many things, and a catalyst for societal paradigm-shifts in many areas, including law-enforcement and surveillance. Unfortunately the dimwits in the USA who write and enforce the laws are mostly either A) clueless about the serious societal implications of this paradigm-shift, especially wrt individual privacy and freedom and its effect on a democracy in general, and/or B) so indebted and/or entrapped by larger powerful military-industrial-political forces that they simply are afraid to say "No" to them. The net result is a disturbingly quick descent into the kind of dystopian society that was formerly only written about in science-fiction.
@Graham Marsden: In addition to the sweeping laws, we have the special "secret FISA court" that even if they were acting outside those sweeping laws, very few if any of us proles would even be able to find out about it. And if someone did, they would probably go to jail. Like Chelsea Manning, Julian Assange, et al.
At the UN, the primary qualification to being on the Security Council seems to be the fact that you possess lots of nuclear weapons.
I'd imagine in this scenario the "nukes" would basically amount to access to lots of wealth. Eg the "World Economic Forum", the true champions of the commonfolk!
It must be so reassuring to live in a world where all the regimes on "our" side are good, and all the regimes on the "other" side are bad.
A monkey could tell you that performance on most things improves with an SSD. That's the easy part.
The less obvious part is what happens when an SSD fails. As others here have mentioned, with HDDs you often get some kind of warning, and that can be in the form of SMART statistics, slower performance or just good ol' "funny noises" emanating from the vicinity.
Whereas not only is it less likely you'll get any advance warning of an impending SSD failure, when it does fail, what do you do? There is likely no expensive practitioner to send it off to who can replace the controller board or swap the platters into another HDA and read the imperiled data that your hardware suddenly became incapable of interacting with. If the NAND goes bad, I'd imagine in most cases you are simply SOL.
In the course of my work I have had many cases of data on failed HDDs being recovered in precisely that way, so this is not a theoretical question for some of us in the biz.
At the very least, I think it is more critical than ever to have an effective and tested backup strategy in place, if one is storing important data on SSDs.
No, it doesn't bridge with the Playbook (device was end-of-lifed last year) but it does BLEND with either an Android or iOS tablet, as well as Windows or OS-X desktops. (I've personally been waiting for Blend for a long while as among other things I really want to have a desktop client for BBM, which I believe it will provide)
And to the person who claimed OS 10.3 is running "ICS" - no actually, it runs 4.3, which is a version of Jellybean, and has one feature that even newer Android builds like KitKat do not: "App Ops", which allows selective revoking of Android app permissions - one of my longtime serious gripes about Android. (It's a "hidden" feature but various tools exist in the form of free Android apps to enable this functionality.)
So what was that particular PR hack expecting, a nice fresh cookie on his pillow for being a fraudulent, deceptive twit?
I suppose when you've been covered in excrement for such a long time, your sense of smell stops working.
What I particularly "enjoyed" was how these charitable advertising organizations developed a system to "opt out" of their industry's tracking.... but only by setting cookies in your browser, requiring cookies to be enabled, of course.... :D
Right now technology is running a couple of decades ahead of brain-dead politicians, who are either clueless about how they are allowing technology to invade traditionally-sacred personal/political liberties, or in such service to the monied interests that the result is the same.