* Posts by Ben Tasker

1673 posts • joined 23 Oct 2007

Slack slings crypto-keys at big biz, union gets worked over, VPN owners probed, trolls trouble vets, and more

Ben Tasker Silver badge

Why is this a big deal? VPNPro researchers note that with so much consolidation, users have far less choice than they think, and by hiding the owners of an app the chances of being exposed to surveillance increase dramatically.

This is a big part of why I run my own. It does mean I don't get the benefit of having my traffic mixed in with that of other users, so it's "just" another endpoint for my traffic (meaning if I were individually targeted, they've still only got to look in one place).

But, it does mean I get my traffic out and past the logs the ISPs have to keep under the ISPA, as well as avoiding any name-based filtering or throttling they might also be doing.

I can change the endpoint's IP at the click of a button, move to a new provider in minutes (thanks to ansible playbooks). Not quite as simple and transparent as clicking a button in a provider's app, but not a major headache all the same.

The problem with the VPN services really is transparency. There are so many options, run by far fewer providers, some of whom may or may not be compromised. Ultimately, I'm just trying to avoid the trawling nets that our government is dragging through ISPs - whilst the VPN providers would allow me to do that, it means hopping to an endpoint which is almost certainly attracting a similar type of attention (and may also be keeping logs anyway). Out of the frying pan and into the fire and all that.

Brit Parliament online orifice overwhelmed by Brexit bashers

Ben Tasker Silver badge

Honestly, I don't think it's an age thing. But then, I can't pin-point exactly why I know it and when I learnt it, so /shrug

Ben Tasker Silver badge

Re: Wait, what?

I'm afraid so, yeah.

Ben Tasker Silver badge

In fact, if you look at where Guido tweeted it, there's a lot of people taking responsibility for some of those votes - all British citizens living overseas: https://twitter.com/GuidoFawkes/status/1108680088793636865

So I think my initial instinct was right, Guido Fawkes is talking bollocks.... again

Ben Tasker Silver badge

Taking a quick (heavily adblocked) look, they're relying on the JSON exposed on the petitions site.

It breaks down the number of signatures by country. For example, it's claiming 250 sigs from Finland.

But, what Guido happily ignores is that British Citizens live across the world, or may be out of country on business.

But, ignoring that:

    #!/usr/bin/env python3
    # -*- coding: UTF-8 -*-
    import json
    from urllib.request import urlopen

    url = 'https://petition.parliament.uk/petitions/241584.json'
    response = urlopen(url)
    p = json.loads(response.read())

    # Total signature count for the petition
    print(p["data"]["attributes"]["signature_count"])

    x = 0   # running total of signatures from outside GB
    y = {}  # per-country signature counts, keyed by country name
    for country in p["data"]["attributes"]["signatures_by_country"]:
        if country["code"] != "GB":
            x = x + country["signature_count"]
            y[country["name"]] = country["signature_count"]

    print(x)

Currently gives:

848031

34333

So that's 34,000 out of nearly 850,000. Ignoring the fact some of those probably are citizens, as well as the fact I've only factored in GB so may well have missed out some British Dependencies (like Gibraltar) who will be just as affected.

Ben Tasker Silver badge

In some ways, it's worse than that though.

Having a new (binding, to avoid "best of" accusations) vote would be divisive, but there'd be a decisive outcome based on what we now know. It's not a politically clean solution, by any means, and there'll definitely be upset.

The problem is, lots of energy seems to be going into preventing that happening, to the extent it's quite possible a People's Vote won't happen.

The problem is, the alternative is no-deal (May's deal is shit). Because of the government's ineptitude in planning, there's a good chance that'll fuck us seven ways from Sunday (well... Friday I guess). If a People's Vote is blocked, the only alternative to no-deal would be Revoking.

That feels a lot more divisive, and a lot less democratic than holding a people's vote. Especially as it should not be run as a re-run of the original question, but a selection between the now known options.

Either way, everything May says about her course being the least divisive is bollocks being spouted by someone who looks a lot like a wannabe dictator. If the worst-case no-deal happens, that's going to be insanely divisive as people look for others to blame. Given her brinkmanship that's definitely a potential outcome.

From the very outset there should have been an attempt to resolve the partisanship and find a solution that the other side could live with. And we *should* have been planning for No-Deal from 24 June 2016, just in case.

Ben Tasker Silver badge

Given Guido's history with the truth, I'd take that with a fucking massive pinch of salt.

Ben Tasker Silver badge

> How strange and childish.

You presumably don't get the reference. He's saying you've asked a loaded question rather than a straight question.

It's asked as a yes/no, and contains the implicit assumption that you are (or have been) beating the wife.

Just as yours contained the assumption that none of the petition signers voted in the ref, along with the assumption that no-one who originally voted Leave would have signed the petition.

One is demonstrably false (I voted, and signed) and the other likely to be so too.

Brexit text-it wrecks it: Vote Leave fined £40k for spamming 200k msgs ahead of EU referendum

Ben Tasker Silver badge

Re: Dodgy behavior by Vote Leave? @Snowy

I'm going to skip most of your post, largely because I sense we could probably argue for the next decade on it, as most of the remaining points are either opinion based or tangential.

But

> It will be interesting if remainers or leavers vanish as time goes on (especially if the EU continues as it is doing).

100% agreed. And for avoidance of doubt, if we do No-Deal, I really want to be proven wrong. I don't think I will be (otherwise I'd obviously agree more with you), but I'd be happy to be.

> They allowed such incompetent remain governments to sell us out too far and caused people to oppose the EU (restrict the blame to this country although the EU is pissing off its members big time right now) or failed to point out any positivity of being in the EU while leave could point to positivity in leaving.

That's not entirely accurate, but partly because it seems to be conflating the campaign with previous governments, so I'm going to split them out.

Campaign: I 100% agree, Cameron and co were so arrogant and sure they were going to win that they completely screwed it up. To the extent that I _almost_ view the referendum as having been theirs to lose rather than the other way round.

As you say, they focused heavily on the bad of leaving rather than the positives of staying. And people have short memories, so that tactic was clearly doomed to fail.

Governments: This is a lot more nuanced. Leavers need to take some blame here too. It's a bit hard to justly complain of the EU's undemocratic influence over us, when we've not really been participating properly in the EU parliament - instead, we've sent fucking UKIP MEPs over, who seem to turn up just long enough to film a short video and then leave.

Farage, for example, loves to talk about fishermen, but fails to mention he was actually on the Fisheries committee, and just didn't bother attending (IIRC it was 1 in 42 meetings, over 3 years, that he actually turned up to). Every fisherman's problem that he points to he had the opportunity to try and correct at source, and didn't even turn up. It's not like he tried and failed, he just didn't turn up to his job.

But, conversely, there's definitely some voter apathy to blame there. If we'd all cared more about EU elections then maybe those UKIP MEPs wouldn't have been MEPs and we'd have had someone actually working to push things in our favour.

As far as the UK Government's role goes, there's been some real cynicism. Things like pushing unpopular measures through the EU and then blaming them. I don't think that's constrained to "remain" governments. In fact, until recently, I'm not sure you can particularly easily categorise governments as being leave or remain, because it just wasn't a question at that level. There are some leaders who were more EU friendly, of course.

> who are in multiple crises due to their handling of politics, economics and diplomatic relations

This isn't just an EU issue though, we've got plenty of that going on here in the UK too (as have other countries). Whether we now stay or leave, as a society we need to stop electing muppets. The recent rise in populism suggests that aspect is only going to get worse, at least for a while. That's fucking worrying in itself.

> Inept fuckers

As long as you're talking about the politicians, agreed.

Ben Tasker Silver badge

Re: Dodgy behavior by Vote Leave? @Snowy

> The only out on offer or available to us is hard brexit because the EU have decided so (and that is their right to do so).

That's an unbelievably disingenuous statement. We're where we are, in part, because May set red lines (without consulting with anyone, how very democratic) that people warned were incompatible with the EU's underlying freedoms.

We (well, she) chose to seek a deal that simply couldn't be attained. Which isn't really an improvement over the deals that various Brexiters claimed we could get either.

> No hypothetical needed we have a quantitative result. Measurable and factual.

We do indeed have a result. What we did was take an incredibly complex subject, boil it down to a simplified binary choice and then let politicians talk complete bollocks (both sides - I'll never forget Osborne's smug face as he said he'd have to call an emergency budget. Cunt).

We've got a measurable result, and it's a fact that the result is what it was, but that does not mean it was a sound result.

> Worryingly the desperation to remain seems to have caused issues against such an outcome but still even after everything

Again, incredibly disingenuous. Many of the issues have been caused by the warring factions (yes, that includes the Remain camp) within the Tory party, in particular. Along with a severe ineptitude on the part of the Government.

You think wanting to remain weakened our position? How about being seen not to have prepared at all for no-deal (I suspect you'll agree we should have been preparing from day one), to the point that we decide to have a show of power (let's have a jolly old traffic jam) and fuck that up. Not to mention the kerfuffle around non-existent ferries, oh and the lorry park that'll be used for no-deal jams has unexploded *British* WWII ordnance buried on it.

People wanting to Remain has very little to do with what we've been offered, that's much more the result of preening ineptitude. Our politicians were too busy preening and posturing to actually show that we wouldn't end up desperate in a no-deal scenario, which gives the other side a shitload of leverage.

> But the platform of remainers was considerably false so the credibility of politicians isn't one I would want to try and argue.

Although only one side has been (repeatedly) found to have broken the law, I think we can agree that politicians on both sides lacked credibility. But you know what, if anything, that's more of an argument for double-checking with the population that this is still what they want.

> Very true. Those who lost democratically should accept that loss.

Conversely, those who "won" need to step up and own the mess. As a voter, you didn't cause it, but you did enable it. Despite the fact there were warnings, you sneered "Project Fear" and carried on.

Even if you ignore the "bad EU" conspiracy theories, our politicians are (and were) simply too inept to get this right, especially with the vote as tightly drawn as it was. For what it's worth, I suspect a lot of remainers would accept a Norway+ style arrangement.

At some point, some will probably start saying "this isn't the leave I voted for" - but as you've made very clear in your post, if you voted leave then you voted for this, and all variations of leave. So have the decency to stand up and accept that you enabled this mess. Stop finger pointing and trying to blame remainers and understand that a huge proportion of the issue has always been UK politicians, and you voted to give the inept fuckers more power.

Ben Tasker Silver badge

Re: Dodgy behavior by Vote Leave? @Snowy

> It is terrible the only way to get the democratic vote is to run down the clock.

Running down the clock gets No-Deal.

There's no evidence (either way) on whether No-Deal is what was preferred by the majority of leave voters (and it'd need to be a significant majority of leave voters in order to be the option preferred across all those who voted).

Based on the campaigning prior to the referendum, you can probably hypothesise that those who voted leave because they wanted no-deal were significantly in the minority. Certainly some of today's no-deal politicians stood on a platform saying we'd definitely have a deal.

So logically, running down the clock is quite possibly pandering to the "losers" of the vote - in that no-dealers were almost certainly the minority. Course, the term "loser" is a loaded term anyway, as the future of the country shouldn't be viewed as a competition.

Ben Tasker Silver badge

Re: Vote Leave fined for promoting Brexit

Whilst that's true, it seems odd that people are so happy to accept "Cameron said it would be binding" as "proof" that the referendum, contrary to the law, was actually binding. Yet, Farage introducing the idea of a second referendum in the event of a close result should be disregarded?

Ben Tasker Silver badge

Re: Dodgy behavior by Vote Leave?

What the Prime Minister said does not matter, what matters is what is in law.

Legally, the referendum was advisory. There are/would be political consequences to ignoring the vote, but not legal consequences. See the difference?

Also worth bearing in mind that a number of court cases in the UK have stopped *because* the referendum was not legally binding. Given what we now know about the behaviour on the side of the Leave camp (in particular), I'm sure there are actually more than a few people who wish it had been binding so that the courts could intervene and overturn the decision. But they can't, because it was only advisory.

Google takes a page from Microsoft of old and revives browser ballot on Android

Ben Tasker Silver badge

Re: Apple too?

Do Apple run a search monopoly? Do they have a monopoly on something else that they're using Safari to unfairly leverage that control?

Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaround

Ben Tasker Silver badge

Re: Confusion due to lax use of terminology in RFC?

No, you're thinking of something more akin to an incrementing serial there.

So you might have

ourcert-1

ourcert-2

ourcert-3

etc.

That's the approach that *used* to be in place. But, it has a number of issues. You cannot guarantee that a situation will never arise where you mistakenly use the same serial twice - for example, if your process crashes mid-issuance, and then another cert is issued, you may have a part-issued cert, and a fully issued cert (for someone else) sharing serial number "3" (or whatever). There are various possibilities in that area.

It also potentially poses an issue if you're distributing your issuance system globally, though that's more easily addressable by inserting a region into the serial.

What the RFC requires is that CAs include a minimum of 64 bits of entropy in the serial (some CAs weren't affected by this issue because they were already using more). The serial can be more than just that entropy though, so you might choose to keep your increment and append the entropy to the end:

ourcert-1-xx:xx:xx.....

ourcert-2-xx:xx:xx.....

Now, if you have the same issue with a crash (or whatever) you may get two certs allocated "3" but the likelihood of their serials being identical is incredibly small.

> if its like other serial number would it not be partitioned

There's no partitioning, no; there aren't ranges allocated out like with (say) MAC addresses. It's literally the output of an RNG. The issue here is that it reduced the namespace by forcing one bit to a specific value (by discarding all results where that wasn't the case).
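As an added illustration (not code from this thread or from any CA's software), here is a Python sketch of the counter-plus-64-random-bits serial format described above, beside a reproduction of the flawed approach of discarding draws until one bit holds a fixed value, and a simple audit that reports any bit position which never varies across a batch of issued serials. The function names, the "ourcert-" prefix and the 2000-serial sample size are assumptions made for this example.

```python
import secrets
from typing import Callable, Iterable, List

# Assumed for this example: 64 bits is the minimum random component the
# thread refers to; the prefix follows the thread's "ourcert-<n>-xx:xx..." sketch.
ENTROPY_BITS = 64
ENTROPY_BYTES = ENTROPY_BITS // 8


def random_64(rng: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """Draw a full 64 bits from a CSPRNG: the compliant approach."""
    return rng(ENTROPY_BYTES)


def random_64_forced_top_bit(rng: Callable[[int], bytes] = secrets.token_bytes) -> bytes:
    """The flawed approach the thread describes, reproduced for illustration:
    draw 64 bits but discard any draw whose top bit is set, so that bit is
    always 0 and only 63 bits actually vary."""
    while True:
        candidate = rng(ENTROPY_BYTES)
        if not candidate[0] & 0x80:
            return candidate


def issue_serial(counter: int, entropy: bytes) -> str:
    """Combine the incrementing counter with the random part, in the
    ourcert-<n>-<hex bytes> layout sketched in the thread."""
    return f"ourcert-{counter}-" + ":".join(f"{b:02x}" for b in entropy)


def fixed_bit_positions(serials: Iterable[bytes]) -> List[int]:
    """Audit helper: bit positions (0 = most significant) that hold the same
    value in every sampled serial. Given enough samples, a healthy generator
    leaves this empty; a forced bit shows up here."""
    serials = list(serials)
    if not serials:
        return []
    width = len(serials[0]) * 8
    as_ints = [int.from_bytes(s, "big") for s in serials]
    fixed = []
    for pos in range(width):
        shift = width - 1 - pos
        if len({(v >> shift) & 1 for v in as_ints}) == 1:
            fixed.append(pos)
    return fixed


def demo(samples: int = 2000) -> dict:
    """Run the audit over both generators and show the crash scenario from
    the thread: two certificates both get counter 3, yet their serials differ
    because of the random suffix."""
    good = [random_64() for _ in range(samples)]
    bad = [random_64_forced_top_bit() for _ in range(samples)]
    a = issue_serial(3, random_64())
    b = issue_serial(3, random_64())
    return {
        "good_fixed_bits": fixed_bit_positions(good),   # expected: []
        "bad_fixed_bits": fixed_bit_positions(bad),     # expected: [0]
        "counter_collision_distinct": a != b,           # expected: True
    }


if __name__ == "__main__":
    print(demo())
```

The audit only detects a bit that is constant across the whole sample, which is exactly the defect the thread describes; it says nothing about the quality of the RNG behind the varying bits.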

How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse

Ben Tasker Silver badge

Re: urm, correction.

As I mentioned in the original post, I've already gone the application password route. Didn't work.

Well, technically, it did - once. The first run was fine, and then Google stopped accepting the password (because it should then have been swapped for a token).

Sounds like fetchmail have added support for Google's auth flow. Unfortunately there are reasons I'm using getmail and not fetchmail, though I really should revisit whether those are still valid.

Ben Tasker Silver badge

Thanks, though neither helps in this case. It's a cronjob that logs in to pull specific mails down into a mhonarc archive.

Not a common use-case I admit. Google have never given a fuck about their auth scheme breaking things, even when thunderbird couldn't handle it.

I really should just stop using them, but lack the time to sit and think a replacement through properly.

Ben Tasker Silver badge

> With less than 10 per cent of Gmail users logging in with two-step authentication, last time we checked, there’s clearly a long way to go

That, in fairness, is partly Google's fault.

They've sort of made provision for stuff you can't 2FA to log into your account - you can create a dedicated 'app password' for those. Except, that the flow is - app logs in with that password, exchanges it for a token and then uses the token going forward.

So, if something you need to use only speaks standards-compliant stuff like IMAP and POP rather than Google-specific authentication bollocks, you cannot have 2FA turned on on that account. Backing your mail up with getmail being a prime example.

Which is patently fucking stupid. Yes the app password means there's a potential way to login without 2FA, but it gives limited access (i.e. just to the mail rather than to the account) and is easily revoked. Instead, you have to leave the entire account wide open across Google's services. That's Google letting perfect be the enemy of good there IMO.

Ben Tasker Silver badge

Re: Wanting to use 2FA is one thing...

> And does anyone really expect to plug a USB device into their phone, when you take your phone with you everywhere? What are you going to do, carry it on a keychain, so you have a bunch of keys hanging out the bottom of your phone? Yeah right. That's the problem with a special device right there - it can't be universal for your computer(s) and phone/tablet.

My Yubikey lives on my phone. It's got a USB interface for plugging into the PC/Laptop, and NFC support for the phone to communicate with.

It really need not be nearly as hard as you make out.

The problem with relying (just) on your phone is you're screwed if you break or lose it. So you already need to have a backup route. Mine's a second Yubikey that lives in my safe, as well as a couple of little U2F dongles that live in offsite locations.

Dear Britain's mast-fearing Nimbys: Do you want your phone to work or not?

Ben Tasker Silver badge

Re: Could do with better coverage

> If you want to stay with EE and have reasonable broadband, get them to send you one of their signal boosters

Expect to argue, a lot, to get one though. Even then, only if you're on contract.

It took me quite some time to get one out of them, because their map said that my property fell within a "good" 3G coverage area. Which, actually, is sort of true. The problem was, it's a very marginal 4G area, so 4G would become available - the phone would switch to it, seconds later signal gone and the phone would wait a minute before falling back to 3G. Only for the 4G signal to re-appear again, rinse and repeat.

Plugging a signal box in meant the 3G signal was sufficiently strong and stable that the phone ignored 4G.

They really don't like sending them out though, as they'd much rather you bought an EE firmware'd phone that supports VoWiFi if you want to be able to use the service you're paying for.

Also, if you do get one, it'll handle up to 4 phones at once. That's _any_ EE phone, with no pre-registration needed on the femtocell. So if you get home from work to find EE-using guests, they may have taken up all your slots. Or if you've 3 kids and a wife etc.

Ben Tasker Silver badge

Re: re: 2fa via sms

> If you still have any services that require this,

heh, you mean like a Visa card or mastercard?

They're changing the way online purchases over (IIRC) £30 are handled, so that you have to receive a message and confirm a code back. For most, that'll be via SMS - though for some banks you can install their app and receive it that way.

Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?

Ben Tasker Silver badge
Joke

Re: Entertainment system pen testing

If he breaks the IFE for the whole plane, and an angry passenger throws him out of the front door, he could damage a wing (or maybe an engine) on the way out.

Network separation's not so helpful there, is it?

You. Shall. Not. Pass... word: Soon, you may be logging into websites using just your phone, face, fingerprint or token

Ben Tasker Silver badge

Re: Bill Gates 0 - 1 xkcd.com

> Adding biometrics adds a third (something you know, something you have and something you are),

No. As you point out later, body parts are still just something you have. An assailant can take possession of your eye, or your finger as they see fit - whether they remain attached or not.

It's a second 2nd factor, nothing more.

I prefer the convenience of U2F to TOTP, but either is acceptable. What isn't OK (IMO) though is what's proposed - moving back to a single factor. Particularly when that single factor can be stolen (giving access).

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

Ben Tasker Silver badge
Joke

Re: Well I never ...

Just wait though, at some point someone'll prove that Homeopathy really works, and then they'll figure out how to combine that knowledge with TEMPEST to steal your private keys from the fluid in your cooling system.

I'm having a weird day.....

Harassment, hate and bile, suicide instructions for kids... anything else social media's good at? Ah yes, cybercrime

Ben Tasker Silver badge

Re: But, but,,,,

But, but, we encourage users to report problematic content after they've been exposed to it.

Musk is in contempt of court, screams SEC after Tesla boss brags about car production rates

Ben Tasker Silver badge

Re: "Rant"

So you think a reasonable and proportionate response to being told to shove something up your ass is to tell the world someone is a pedo?

You don't need to have any respect for the diver to see that Elon went a long, long way past the line.

Goddamn the Pusher man: Nominet kicks out domain name hijack bid

Ben Tasker Silver badge

Re: How about some grace time after expiry?

There effectively already is this embargo.

After your expiry date, they tend to wait 30 days before dropping your glue records. Then 60 days after that your registration is deleted. During that time you can renew, but no-one else can buy the domain - however, in the final 60 days you may have to pay an additional fee.

So that's 90 days after domain expiry, and after 60 days of outage that the opportunity arises for someone else to buy your domain.

And you get multiple, regular emails telling you that your domain is coming up for expiry, has expired and is in the grace period, is now in the redemption period, will be released, gone.

The timings are different (tighter) for .com and other TLDs.

I recently had all that with a domain I _wanted_ to let lapse. The repeated emails are kind of frustrating in that scenario, because you can't really miss them

My guess is that they hit the redemption period, didn't want to pay an additional £60 fee, so figured they'd wait for it to hit the market and then renew for 15.99 and lost that gamble.

More nodding dogs green-light terrible UK.gov pr0n age verification plans

Ben Tasker Silver badge

Re: Just like buying a magazine.

> Sexually explicit videos and photos of *themselves and classmates* are routinely swapped at school.

And making me give Pornhub a copy of my passport solves this how exactly?

This is *exactly* the point. The measures are invasive but will be completely ineffectual. Kids already pass porn around on Facebook (not affected by the changes) and in the playground (not affected by the changes).

As you say, the focus should be on education not on wholesale blocking and privacy invasion.

It's a Christmas miracle: Logitech backs down from Harmony home hub API armageddon

Ben Tasker Silver badge

Re: "Harmony" ? Are you f**king kidding me?

> Either the system needs these calls to run properly (so why are they hidden?) or they don't, so why was any effort spent in writing them in the first place?

There's a massive difference between required to run properly and must be remotely callable.

Given they were able to stop the API from being remotely callable, in its entirety, it's probably safe to assume that while the endpoints may be needed, they're only needed for the box itself to call.

Ben Tasker Silver badge

Re: Logically...with tech ....

> If you make an API available for external use, then you should expect it to be used. If not, then secure it appropriately to prevent its use in other manners. This is not misuse !!

I mean, I agree it should have been secured, but there is a counter argument here.

If you're implementing something that relies on an API that isn't officially supported (i.e. it's not listed in the public documentation) then you should expect that at some point it *will* change or be removed without any notification to customers.

Using private or internal APIs for your own ends can lead to some fun results and interesting implementations, but by definition they are not made, designed or maintained for your consumption.

It being exposed at all was one of the bugs they fixed. Them recognising the demand and working on making it available in a more supported manner is also the correct behaviour IMO.

A year after Logitech screwed over Harmony users, it, um, screws over Harmony users: Device API killed off

Ben Tasker Silver badge
Joke

Re: No more lock-in

Yes but his requirement was that it worked OOB, not that it would continue working.

So, requirement fulfilled and Logitech wins the contract. Anything else (like continued operation) is a chargeable change request.

That approach seems to work for Capita anyway

Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked

Ben Tasker Silver badge

Re: Meet our CSO, Mr. Hindsight

Isn't hard drive encryption literally one of the features of many of the products Lenovo sell?

Good to know they're dogfooding it. Next we'll find out that it was in fact a Dell laptop

Ecuador says 'yes' to Assange 'freedom' deal, but Julian says 'nyet'

Ben Tasker Silver badge

> You don't have to like the guy to recognise that the only solution is for the UK government to promise not to extradite him to the US.

No country can realistically promise that when a request has not even yet been received. It's effectively putting your diplomatic relationship with another country at risk all to benefit one man, with no certainty of what the request is actually going to be.

If the US turn up and say "Him, he's a bit of a prick - give him here", then you'd feel more comfortable saying "yeah, he is. But no, can't have him from us" than if they turned up and said that some information he'd leaked had resulted in an attempt on the president's life, and he's being treated as an accessory.

Unlikely as the second one is, the point is that if you promise in advance not to extradite to the US, you run the risk of causing yourself a serious diplomatic incident because you have no idea how severe the charges are going to be in the eyes of the other state (or in fact their people).

That's why extradition requests are generally assessed on a per-case basis, and factor in the likely punishments.

Sweden couldn't possibly have issued a guarantee, and nor can the UK. It's a trope trotted out by Assange and his supporters to try and justify his position, when the reality is probably summed up by this sentence in the article:

> wouldn't have guaranteed Assange's freedom outright

Unless he can walk out with a guarantee not to be arrested, much less do any time, he's going to stay put.

Tesla autopilot saves driver after he fell asleep at wheel on the freeway

Ben Tasker Silver badge

Re: "Socially acceptable levels"

And there is the problem - the acceptable level to the public will be zero casualties..... whereas what we should be setting the bar at is as good as a human driver.

I'm not entirely convinced that that is where the bar is set. I think it's more the expectation that self driving vehicles should be as good (or better) than human drivers perceive themselves to be.

If you've been driving (say) 20 years and never had an accident, that's as much luck as anything. But most humans will assess that and see it as evidence of their own driving acumen (ignoring the fact that even the best driver can still be rear-ended - or worse - by a total pillock). Or, of course, they have been in accidents but it was totally the other guy's fault (even if it wasn't).

So it's a high bar to meet.

I think the best you'll get in terms of acceptance for now, is there'll be 3 classes of driver:

- Those who don't want self-driving cars full stop

- Those who want other drivers to be in self-driving cars (because other drivers are idiots)

- Those who want self-driving cars now (because they hate driving, or want safety improvements etc)

I'd hazard a guess that the majority of drivers probably fall into that middle group. They view their own driving as better than average, so you're going to have a really hard time selling to them on safety improvements because they expect the car to be better than their image of themselves - which means near perfect.

I actually have similar concerns to that but it's not so much an assessment of my own driving abilities that drives it. It's partly more based on observations of the quality of the code we see released in other areas by some of the companies involved (e.g. Google and Android) and much more driven by concerns about skanky companies cutting corners to make money (see Uber).

It doesn't mean we won't get there in the end, but it's a rocky path, and I think it's a lot further off than most of the players/advocates would like you to believe.

Microsoft: You looking at me funny? Oh, you just want to sign in

Ben Tasker Silver badge

Re: I Don't Get It...

> . You can have more than one key linked to an account, so do this

Unless you're using some tiny, idiotic service no-one's heard of like.... Twitter.... who've decided you can have just one registered at any time.

Most services are a bit more sane though, I've been using a set of KEY-ID devices for a little while too. My only complaint with them is how bright they decided to make the LED, so when you shift slightly you end up with a bright spot in your vision for a little while.

Scumbags cram Make-A-Wish website with coin-mining malware

Ben Tasker Silver badge

Is it me

Or does this article feel a bit more Daily Mail than El Reg?

> The time of year might also have had something to do with the filth choosing Make-A-Wish as their target

To be honest I'm not used to hearing "the filth" in a context that doesn't mean the Old Bill. In any case, doesn't feel very El Reg, and reads more like a Daily Mail outrage piece.

Court doc typo 'reveals' Julian Assange may have been charged in US

Ben Tasker Silver badge

> so it's taken the US 8 years and a change of president to charge him in secret? It took weeks to try to get Snowden.

As others have noted in the thread, it's more than likely this charge relates to the Mueller investigation rather than Assange/Wikileaks' earlier antics. It's in the right district to be related, and the timing's right (rather than years late).

But, yeah, either way, he's never going to shut up now. But then, he never was.

Ben Tasker Silver badge

Re: Meh

> Too bad people judge him for the character he is and not for what he has done.

Or to put it another way, it's too bad that Assange took something good like the ideal of transparency driven by Wikileaks and then tainted it horrendously with his own character.

Facebook quietly admits role in Myanmar killing fields – but fret not, it will do better next time

Ben Tasker Silver badge

Re: Ethnic cleansing?

> So basically a rohingya militant group (aka terrorists) attacked the authorities, and the result of this is military intervention. Any country in the world would react in the same way,

Maybe go have a read of what's actually been happening.

And then have a think on how you, as a dictator, might also call it a "military intervention" in response to "terrorists" rather than use the term genocide.

There was an attack by Rohingya terrorists. The response seems to have been to go into villages and execute women and children, along with the men. And not always directly. They've also reportedly been going to non-Rohingya villages and encouraging the people there to go and do the dirty work instead.

In the first month, they managed to kill at least 730 children under the age of 5. There's also something of a tendency towards rape by the military too.

This isn't some justifiable security operation with a bit of collateral damage, it's an out and out clearance operation.

> Assuming this is correct, killing 25,000 and allowing 14 times more (700,000) to escape doesn't sound like very successful ethnic cleansing

It doesn't need to be successful to be ethnic cleansing, and it doesn't need to be successful to be wrong.

Dutch cops hope to cuff 'hundreds' of suspects after snatching server, snooping on 250,000+ encrypted chat texts

Ben Tasker Silver badge

Re: Oooh, clever !

> You don't NEED to put backdoors into encryption if you do it the way the dutch system was setup

Yup, if anything, this is an argument for why backdoors aren't needed.

Ben Tasker Silver badge

Re: "End-to-end encryption" isn't?

> So, not only were the comms not encrypted end-to-end

It's quite possible they were end-to-end encrypted *before* the Dutch Police got their hands on it, but relied on the server to aid in key exchange (or perhaps to specify some other important element).

If that's the case then they may have adjusted the server so that the clients unknowingly did KEX with the server instead (so that it could MitM).

Even then, though, you'd hope that 2 clients that had seen each other before would then warn their owners that the other end's key seemed to have changed. The various "standard" OTR plugins you get for various apps all do at least that.

> if I understand correctly, there was no way to securely exchange encryption keys, e.g., at a personal meeting between Alice and Bob, to prevent MITM.

I read it that way too - or at least, if there was a way it wasn't widely used (and probably wasn't the default).

That's fairly common amongst OTR libraries though, some won't even let you import keys from another system (so if you have multiple devices you end up with multiple 'identities'), so probably not too surprising.

Most, though, do provide a fingerprint for you to verify out of band, others let you use a challenge/response mechanism (again, out of band), and would show the fingerprint as unverified until you've told it otherwise. Perhaps that got dropped while they were customising it?

Can't find an awful lot of information on their implementation on the net, but with the very limited information that is available it does sound like they customised OTR and made it worse.
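The two checks this post leans on (pinning the key seen at first contact and warning when it later changes, plus marking a pin trusted only after an out-of-band fingerprint comparison) as an added Python sketch. It is not code from the post, from OTR or from the Dutch system; the peer name and key bytes are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class PinnedKey:
    fingerprint: str
    verified: bool = False  # only set after an out-of-band comparison


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 of the raw public key, grouped so humans can read it aloud."""
    hexdigest = hashlib.sha256(pubkey).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


class KeyStore:
    """Trust-on-first-use store: remembers the first key per peer, flags changes."""

    def __init__(self) -> None:
        self._pins: dict[str, PinnedKey] = {}

    def check(self, peer: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(peer)
        if pinned is None:
            self._pins[peer] = PinnedKey(fp)  # first contact: pin it, but do not trust it
            return "new-unverified"
        if pinned.fingerprint != fp:
            return "key-changed"  # a server that swapped the key during KEX lands here
        return "verified" if pinned.verified else "unverified"

    def verify_out_of_band(self, peer: str, spoken_fp: str) -> bool:
        """Trust the pin only if the fingerprint compared in person matches it."""
        pinned = self._pins.get(peer)
        if pinned is None or pinned.fingerprint != spoken_fp:
            return False
        pinned.verified = True
        return True


# Constructed scenario: Bob's genuine key, then a key substituted by a MitM server.
BOB_KEY = b"constructed-bob-public-key-bytes"
MITM_KEY = b"constructed-server-substituted-key"


def scenario() -> list[str]:
    store = KeyStore()
    results = [store.check("bob", BOB_KEY)]                # new-unverified
    store.verify_out_of_band("bob", fingerprint(BOB_KEY))  # Alice and Bob compare in person
    results.append(store.check("bob", BOB_KEY))            # verified
    results.append(store.check("bob", MITM_KEY))           # key-changed: warn the user
    return results
```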

HSBC now stands for Hapless Security, Became Compromised: Thousands of customer files snatched by crims

Ben Tasker Silver badge

Re: There's no excuse...

> So how many tokens do you carry around with you? I would change banks if I had to carry around a card-reader or token just to do everyday transactions

That, I think, is a big part of the problem/annoyance. If they'd all just agree to use something standard, whether a U2F token, TOTP or something else like that so that I can carry one dongle to rule them all it'd be much simpler.

I'd also be less worried about losing/breaking it because I could buy a second one and register it then keep it somewhere safe.

I do use 2FA, but the banks seem to have done a wonderful job of making it as inconvenient as possible without actually gaining much over other routes they could go.

Hell, some of them (cough HSBC) are trying to make it worse. When the battery ran low on my dongle, I had to fight them to get a new one because they wanted me to install their crapware on my phone to generate codes instead. And the HSBC app ain't just a code generator, it's full access to your account. Fuck.... Right.... Off.

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

Ben Tasker Silver badge

Re: The whole thing is just utterly depressing

> I'm sorry but that is the exact purpose of DoH, to take control away from the network operator and give it to the user, and to make inspection harder and more expensive.

> In your case as you are the one doing the snooping it is going to make things harder, but that doesn't make DoH bad for users.

And how's that aim going to be achieved when networks at Schools, Universities and Businesses all start intercepting HTTPS traffic?

If you haven't got their CA installed, you'll get a cert warning and have a choice - proceed with everything visible to a man in the middle, or don't access whatever you were trying to access. If you have got their CA installed, you won't even get that.

From a user's perspective, I'd say that's a pretty fucking bad outcome either way.

And as a home user, I potentially still don't gain anything. My ISP partners with Google and has some of their kit on-net, so when my DoH request hits that PoP, and a plain query then goes out from that (with ECS information attached, so they can see which subnet the query originated from), they're still going to know what I was querying if they're bothering to watch.

Ben Tasker Silver badge

Re: where are the implementations?

And what if you're doing split horizon routing? (Yeah, yeah, I know, I don't like it either).

Ben Tasker Silver badge

Re: Doh.....

For all the "but it looks like HTTPS" arguments, it's still fairly trivial to block the ones that are most likely to be used by the majority of people (i.e. Cloudflare etc). Block TCP 443 to 1.1.1.1 and any others you can find on the net.

You don't, for a second, have to block everything. If you block enough to be inconvenient then users will likely start turning TRR off.

I'm not saying I support that approach, just that claims it's unblockable because it just looks like https are crap. A good traffic profiler will probably be able to start picking out likely TRR destinations too, so you could even auto-populate an ACL if you're willing to accept occasional overblocking.

The Chinese are here: Xiaomi to bring phones to the UK next month

Ben Tasker Silver badge

Re: Proud owner of a MI Max 2

Yup, I've got a Mi Mix 2 and it's probably the best phone I've had in quite some time. Its predecessors were all Samsung at a considerably higher cost.

As others have said, MIUI can be a bit quirky at times though.

London flatmate (Julian Assange) sues landlord (government of Ecuador) in human rights spat

Ben Tasker Silver badge

Re: Devious masterplan?

> Are the Ecuadorans going to give him diplomatic protection to stop him being nabbed for bail jumping on the way?

They already tried/discussed reportedly, and failed, because the UK rejected it.

Remember, a country only *nominates* someone as a diplomat, the host country has to approve it. Funnily enough in Julian's case, that approval isn't likely to be forthcoming.

Ben Tasker Silver badge

Re: Lets Get Real

> Also he should consider that self-imposed incarceration "time served".

From his filings, he does consider this time to be "time-served".

But no judge will, or should, agree with that. It's self-imposed incarceration at a location of his choice, and the accused doesn't, and shouldn't, get to call the shots. At the far more extreme end of that, you could murder someone and then go live in an embassy (hopefully a more luxurious one) for 30 years then walk out and claim time served. Would anyone agree that was right?

I wonder if there's a risk that a judicial review of his current circumstances in Ecuador could in fact result in a conclusion that there's no grounds for offering him asylum, and that that offer should be withdrawn? Seems a bit dangerous to play whose-cock-is-bigger with the government that's providing the walls between you and arrest.

Congrats from 123-Reg! You can now pay us an extra £6 or £12 a year for basically nothing

Ben Tasker Silver badge

Re: Was on 123, moved to FreeParking, then to Heart Internet

> Heart Internet are another part of the GoDaddy Hydra along with 123.

Indeed. In fact, if you look closely, you'll see they even use the same VAT number :)

Biting the hand that feeds IT © 1998–2019