Posts by Andrew Findlay

14 publicly visible posts • joined 15 Sep 2007

Cunningly camouflaged cable routed around WAN-sized hole in project budget

Andrew Findlay
Boffin

Re: Was it STP?

This is why current UK wiring regulations require equipotential bonding of all metallic services at the point that they enter the building. In a domestic situation that usually means a continuous 10mm^2 copper cable from the main earth terminal to bonding clamps on each pipe etc. The main earth terminal is provided by the Distribution Network Operator, and in most UK houses is either connected to the steel armour of the supply cable or directly to the neutral conductor. As noted above, the actual ground is not a very good conductor so earth spikes tend to be regarded as inferior, though there is now a move to install them as well to provide backup.

Services in this context include drain pipes, gas mains, water pipes, SWA ethernet, and the frames of steel buildings - basically anything that could bring in a potential difference from somewhere outside the building.

IPv6 is built to be better, but that's not the route to success

Andrew Findlay

Very simple

The router/firewall should have a default-deny rule. Job done.

Andrew Findlay

Re: Won't happen in my lifetime

Every room in your house has an OS grid reference. That does not mean that I can walk in and eat your porridge. Security depends on locks, not on keeping the larder in some parallel universe.

Andrew Findlay

Re: But it will happen

You don't even need hand-managed DNS in most SOHO networks. Multicast service location has been built into printers etc for years, so just connect the printer and wait for it to show up in your print menu...

OK, I will admit to having 'proper' DNS for my SOHO setup, but that is because our business is network management and we need it for other reasons.

Andrew Findlay

Re: in IT for 27 years

Snake said:

The IPv6 addresses are overly complicated for the sake of being overly complicated, a far easier to read, human-parsable format could have easily been selected (add more tuples? No! Of course not, too easy! We'll remake the entire address paradigm with colons and hex, because we're engineers!!)

If non-engineers have to deal with numeric IP addresses of either sort then someone has messed up badly. DNS, DHCP, and IPv6 autoconfiguration should hide all of that - and in almost all end-user networks they do it perfectly.

Andrew Findlay

Re: NAT isn't your first line of defense, the stateful firewall is.

NAT is not a firewall. It just happens to make it hard to originate connections from 'outside'. Any competent end-user router should have a default-deny rule on the Internet connection for both IPv4 and IPv6: if you want incoming connections you can then choose what to allow (and it will be much easier on IPv6 than on v4 single-address NAT).

IPv6 has client privacy built in. Most end-user devices have this turned on by default, so they choose a new random address to originate connections from every few minutes (tunable parameter). Every IPv6 subnet has 64 bits of address space so there is LOTS of space to hide in :-) Obviously you don't do this for servers, and probably not for corporate desktops either.
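The default-deny policy for both IPv4 and IPv6 that the post describes, written out as an added example nftables ruleset (not the commenter's own configuration). The WAN interface name `wan0` and the internal address `2001:db8:1::22` (documentation prefix) are placeholders; the ICMPv6 exceptions are the caveat a dual-stack default-deny needs, since IPv6 stops working without neighbour discovery and path MTU discovery.

```nft
# Added example: home router, default-deny on the Internet side for v4 and v6.
# "wan0" and 2001:db8:1::22 are placeholders, not values from the post.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Only the Internet-facing interface is policed by this ruleset
        iifname != "wan0" accept

        # Replies to connections the router itself originated
        ct state established,related accept
        ct state invalid drop

        # IPv6 depends on ICMPv6: neighbour discovery, router advertisements,
        # path MTU discovery. Dropping all of it is the classic v6 firewall mistake.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                      packet-too-big, time-exceeded, parameter-problem,
                      echo-request } accept
        icmp type { destination-unreachable, time-exceeded,
                    parameter-problem, echo-request } accept

        # DHCPv6 replies from the ISP arrive from a link-local source
        ip6 saddr fe80::/10 udp dport 546 accept

        # Anything else inbound from the WAN hits the chain policy: drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # LAN-originated flows out, and their return traffic back in
        iifname != "wan0" oifname "wan0" accept
        iifname "wan0" ct state established,related accept

        # ICMPv6 errors must reach internal hosts or PMTUD breaks for them
        iifname "wan0" icmpv6 type { packet-too-big, time-exceeded } accept

        # The deliberate exception: one internal host offering SSH over IPv6.
        # No NAT, no port mapping; the host has its own global address.
        iifname "wan0" ip6 daddr 2001:db8:1::22 tcp dport 22 ct state new accept
    }
}
```

Load with `nft -f` and inspect the result with `nft list ruleset`; the single `forward` exception is the IPv6 equivalent of an IPv4 port-forward, without the DNAT step that single-address NAT would force.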

Navigating without GPS is one thing – so let's jam it and see what happens to our warship

Andrew Findlay
Boffin

It's worse than you think...

> and in some circumstances it's possible for the ship's true position to be outside the cocked hat.

The actual position is most likely to be *outside* the cocked hat...

Each of those lines is a bearing to some known object, and if done carefully there is an equal chance of being to the right or to the left of the line. Being inside the cocked hat has a probability of about 1/8 to a first approximation. The size of the hat does give an indication of how good your fix is, but don't assume that you are in the middle!

[ Credit to Prof Edward Stansfield for explaining this a few years ago - his inaugural lecture at Reading University was titled something like 'In My Cocked Hat'. ]

Fancy some post-weekend reading? How's this for a potboiler: The source code for UK, Australia's coronavirus contact-tracing apps

Andrew Findlay
Boffin

Re: Am I missing one huge thing.

The UK app requests the first part of your postcode. That gives enough location data for NHS resource planning.

As for who gets advised to isolate, the algorithm for that is not simply 'have you pinged an infected person'. It will undoubtedly evolve as more experience comes in, but the suggestion is that the initial version will include factors for proximity, time, number of contacts with potentially infected people and so on. It will also have a manual check on any particularly large cascades of notifications, to reduce the risk from unexpected events and from malicious actors. This seems to be the main justification for the UK app being partly centralised rather than completely peer-to-peer, and it does make some sense. This also allows for the possibility of it telling you that you had received a false alarm and can go back to life as normal.

There are good articles on the NCSC website by Ian Levy:

https://www.ncsc.gov.uk/blog-post/security-behind-nhs-contact-tracing-app

and more tech detail here:

https://www.ncsc.gov.uk/files/NHS-app-security-paper%20V0.1.pdf

It is worth pointing out that your data only gets sent to the central site if you declare yourself to be infected. You may also show up in uploads from infected people that you have been near.

TSB's middleware nightmare: Execs grilled on Total Sh*tshow at Bank

Andrew Findlay
Stop

Re: Talk to the techies

Disaster management 101:

The last thing we need right now is to expose the techies to public scrutiny. They are the only people who can fix the problem and they will already be stressed out and short of sleep.

At this stage it is the CEO's job to take the flak while making sure that the people doing the real work are looked after and protected. It helps a lot if he can say useful, true things about what went wrong and what is being done to fix it, but that is very much secondary.

Disasters are fascinating and we can learn a lot from them, so I hope to see a few good technical papers come out of this in the next year or two. Parliament won't get the level of detail that Reg readers appreciate, so leave them to talk to the suits...

.UK overseer Nominet abandons its own charitable foundation – and why this matters

Andrew Findlay
Alert

.uk is a public good

Top-level domain names should be treated as 'public goods'. Allowing the Government to sell them off to the highest bidder will just turn them into part of the tax system: prices will go up to fund the Treasury take, and the operators will occasionally go bust because they had to over-bid to get the business - just look at the passenger rail franchises for recent examples.

Public-Interest Company or Charity would seem to be the safest ownership structure, but even those have potential for capture by bad actors. Maybe we should go further and make this a Royal Charter Company (like the Royal Mail used to be and most pre-1970 universities still are). That would require the consent of the Privy Council to any changes in aims and objects, which should slow down the moneygrabbers quite well.

Hackers actively stealing Wi-Fi keys from vulnerable routers

Andrew Findlay
Alert

Physical proximity not needed

As in several other articles on this subject, the author has accepted the idea that "The hacker has to be physically close to the router to compromise the Wi-Fi". That is not true: they just need to have control of a nearby device; they don't even need to know *where* the device or network actually is.

Imagine a row of houses with compromised Wi-Fi keys where one of them contains a device that is part of a botnet. That device can probably see the networks belonging to several other houses, so all it has to do is to look them up in some central database and it can get inside another net, making it *much* easier to compromise more devices, steal traffic etc. Repeat.

Go on, corporate drone, log in... We'd recognise your VEINS anywhere – Barclays

Andrew Findlay

Tamper-resistant hardware?

Biometrics are only safe where the scanner and the entire data path can be trusted. That should not be too difficult if it is part of an ATM, as those are well-defended bits of hardware. It is much harder in a device handed out to consumers.

In this case, the finger scanner would have to authenticate itself securely to the bank, encrypt all communication, and be tamper-proof to the extent that nobody could feed recorded data into it in place of the output from its own sensor. Quite hard in a cheap lightweight device...

It might be OK if the device itself is tied to the account, as then a criminal would have to modify my own scanner to access my account and I would probably notice that quite rapidly.

FSA: Of course customers don't read contracts

Andrew Findlay
FAIL

Timed Out

On most e-commerce sites that I have used, if you actually stop to read the T&Cs the site will time out and throw away your transaction. This says to me that the site owners do not actually expect people to read the legalese, and that nobody did so during the usability test.

Old Scots law had an interesting approach to contracts: to be valid they had to be handwritten *by the person accepting the contract*. This put a real limit on the length... Eventually they gave in to the idea of printed contracts, and required people to write "accepted as holograph" in lieu of copying the whole thing out longhand.

The real answer is for the courts to always find in favour of the (reasonable) consumer if the time taken to read and understand the terms is out of proportion to the transaction. In most cases this would limit the text to three very short and clear paragraphs.

Root-locked Linux for the masses

Andrew Findlay

It's a good plan

This needs doing. As the original article said, it is "Linux for the non-techies". More to the point, it is a *managed computing service* for non-techies.

When you look at what most people actually *use* computers for, you find web-browsing, email, a bit of word-processing, and maybe the holiday snaps from the digital camera. If the machine can do all that while relieving the owner of the problems of software updates, anti-virus subscriptions, and Patch Tuesday panics then there should be a market for it. The market is clearly not geeks and gadgeteers, so readers of The Register may not be big purchasers. On the other hand, I would certainly recommend these things to friends and family - it would reduce the amount of casual IT support that I get asked to do when visiting people!

Trust must be earned. A well-managed service using carefully locked-down boxes has the potential to earn that trust. Using open-source software as the basis makes it easier to audit what the supplier is doing, though it also makes it easier to set up in competition. Maybe we will see services competing on trustworthiness in future - it will certainly make a change!