* Posts by Ben Tasker

1325 posts • joined 23 Oct 2007


Windows 10 networking bug derails Microsoft's own IPv6 rollout

Ben Tasker

Re: Not that awful

> that's the only REAL advantage that I can think of. That and sharing the same connection with a single 'connected' device, but that part was a given...

Try this:

All my connections go out of the network over a VPN.

I have multiple endpoints in distinct locations with automatic fail-over between them

I want to be able to connect to IPv6 endpoints (but am far less worried about others being able to connect back to me).

With a single endpoint, I might just number the LAN using a subnet that gets routed to the endpoint, and tell the endpoint to route packets for the relevant subnets back down the tunnel. It works, all's happy.

But then that endpoint fails and we fail-over to endpoint 2. It also supports IPv6, but obviously has different prefixes routed to it. The LAN now won't work without renumbering.

So, I have three realistic options,

- forsake the VPN and use the subnet assigned by my ISP (assuming they actually support it, which they currently don't). That's a crap option

- configure the LAN so it automatically renumbers following a failover. Do-able but needlessly fiddly

- Use NAT on the endpoints. Simple to set up

Guess which option I've gone with? Granted it's a bit of an edge case, but I don't think it's _that_ unusual a requirement

1
0

Virgin America mid-flight panic after moron sets phone Wi-Fi hotspot to 'Samsung Galaxy Note 7'

Ben Tasker

Re: InFlight Teammates

> If you want to bring up linguistic oddities, how about the British use of "Bonnet" and "Boot" for the front and rear of a car? It's a *car*, not a woman! Though our "Hood" and "Trunk" are admittedly not much better, but less likely to be confused with clothing items.

They're actually both quite odd really.

You Yanks say "trunk" because there used to be a literal trunk strapped to the back of the car when travelling. We say boot because those were the storage areas on carriages

Feels obligatory - There's a fucking H in it

0
0

Did EU ruling invalidate the UK's bonkers Snoopers' Charter?

Ben Tasker

> All the crowing yesterday about the fact that the ECJ had sent this issue back to the court of appeals seems to miss that, had the ECJ not had jurisdiction over this matter, the case would already have been settled in favour of privacy.

You mean if we weren't part of the EU and weren't party to the EU Charter on Fundamental Human Rights, AKA the very basis for this challenge.

Yes, it'd have been settled quickly, the courts would have said "Those EU rules don't apply here".

So, yeah, it's a good thing

7
1

Botched Microsoft update knocks Windows 8, 10 PCs offline – regardless of ISP

Ben Tasker

Re: Not just UK

> We've got internal alerts up for all agents who can read

What do you get the illiterate agents to do?

14
0

Renewed calls for Tesla to scrap Autopilot after number of crashes

Ben Tasker

Re: 98%

> Probably the same people who don't understand that a cup of coffee is hot, unless it says "WARNING ! CONTENTS ARE HOT !!!!!!!!!" on the label

To be fair, in that particular lawsuit the coffee wasn't just hot, it was scalding and far hotter than it ever needed to be. That and the resulting skin damage is what the lawsuit was about, not the fact they didn't mark it as hot, but that McD (IIRC) made it far hotter than any reasonable person might expect it to be (and IIRC didn't put the lid on properly)

As far as TFA goes, just change the name, not that big a deal

0
0

Cheap virtual box hosters – Amazon's Lightsail is out to destroy you (yes, you, Digital Ocean)

Ben Tasker

Re: Yawn

> Amazon missed the point. Completely. The reason why people host with all of these providers is exactly that - flat pricing, no price shocks and permanently attached static IPs. So, no, no and no thanks.

Yep, exactly my view. I do have some stuff running in AWS, but those are there because AWS's pricing model is better suited for those requirements.

The digital ocean stuff is where it is because of the flat pricing. I know what it's going to cost every month, regardless of what hits it.

Lightsail as an offering, from my point of view, doesn't offer what'd be needed to move my DigitalOcean stuff over, and offers no benefit over having the other stuff in EC2.

0
0

UK Parliament waves through 'porn-blocking' Digital Economy Bill

Ben Tasker

Re: VPN sales are going to skyrocket around the world.

> Hmm, giving all my browsing information to the UK government vs giving all my browsing information to the Chinese government, decisions, decisions

Local copper who sees you drive by every day discovers you're into BDSM, vs a government in a country you'll probably never visit?

The latter, every time.

There are, of course, occupations where that might not be the case, but for the average person it's far more difficult for a foreign government to get at you than the local branch of your own government (or as the case may be, dictatorship).

Move the details out of country, and UK Gov may still be able to get it, and others may possibly find a use for it. Don't, and UK Gov definitely will get it. Outside of certain niches/occupations it should be a no-brainer

6
0

Mozilla hackers audit cURL file transfer toolkit, give it a tick for security

Ben Tasker

Re: Curl.

--- posts/3038156

+++ posts/3038156

- dObERManS

+ doberMans

Fixed your naming convention, please merge

2
0

WordPress auto-update server had flaw allowing anyone to add anything to websites worldwide

Ben Tasker

Re: And in related news...

> HTML and CSS combined with judicious usage of a JavaScript (aka JackassScript) and a server side language with a solid framework (Python/Django or Ruby/Rails, e.g.) might be smarter.

It depends. Aside from the learning curve for the average SMB owner, the problem with rolling your own is that you are then entirely responsible for maintaining it, including finding and fixing any vulnerabilities (or even just run of the mill bugs) you might have accidentally introduced.

It also makes things like server refresh a pain as you'll have to take your codebase into account.

That's more responsibility than your average SMB wants to take on. Off-the-shelf increases the number of people looking for holes and bugs, and someone else will likely fix those for you.

On the flip-side, of course, the obscurity it brings does have a little bit of benefit. You won't get pwned when someone starts a script to find WP sites and use their latest 0-day on them. But if you're specifically targeted then rolling-your-own might well lead to you being an easier target.

3
0

User needed 40-minute lesson in turning it off and turning it on again

Ben Tasker

Re: Can you hold down the power button

> You've told people not to use jargon, but I have no idea whatsoever what 'top-up the jets' means*.

I'd hazard a guess he's American and means topping up the screenwash, but it is only a guess.

24
0

British politicians sign off on surveillance law, now it's over to the Queen

Ben Tasker

Re: Working from home

> In a similar way, I'll be running 24x7 a random IP address generator that will then, for a random number of minutes, do a random number of GETs to that IP address and any subpages that are returned..... both massively increasing and poisoning the haystack with random data, and obscuring my actual surfing.

If you do, be very careful.

I did some work a little while back examining the effectiveness of cover traffic on encrypted links.

You'll need to pay attention to the size of the response body and adjust the time between that and the next page accordingly (but not proportionally).

The time a human takes to switch between pages isn't consistent (we might load a huge page, read 1 sentence and click off because it looks crap, or load a tiny page and take 5 minutes to read because we went and made a cuppa). But that's very different to random intervals as there is some correlation between the amount of text and the amount of time we spend reading.

You also need to make sure that the start and end times of your cover traffic aren't particularly consistent. Having a sleep at the beginning of the script helps a little, but if the traffic always starts within 60 seconds of quarter past the hour, it quickly becomes identifiable

> In a similar way, I'll be running 24x7 a random IP address generat

Don't do that. You don't want it running 24x7, you want it vaguely aligned to your sleep/wake cycle (as well as taking into account things like you going to work all day). Any traffic generated when there's a high probability it wasn't you gives an observer further means to analyse your countermeasures.

If they decide they're going to capture HTTP Host headers (which really, they'll want to), simply connecting to a given IP and requesting pages isn't going to do anything except make the traffic identifiable too.

There's a lot of other things to be considered too.

When observed over time (which is what an ICR will effectively be) the little differences in behaviour between a script and the average human become readily identifiable, and that's when the traffic is using an encrypted link. It's even harder with plaintext (which, to some extent, includes HTTPS because things like SNI are in the clear)

TL;DR running effective cover traffic is fucking hard, assuming your aim is to thwart anyone with any more than a passing interest.

0
0
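The two tells named in the post above (dwell time that does not track response size, and sessions that always start at the same minute of the hour) can be measured directly. The following is an added example, not code from the post or from any tool it mentions; it is the kind of check a defender runs over their own proxy logs to spot scripted sessions, or that you would run against your own cover traffic before trusting it. The session data and start times are constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime


def pearson(xs, ys):
    """Pearson correlation coefficient, computed by hand so it runs on any Python 3."""
    n = len(xs)
    if n != len(ys) or n < 3:
        raise ValueError("need at least three paired samples")
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 0.0
    return cov / (sx * sy)


def dwell_size_correlation(session):
    """session: list of (response_bytes, seconds_until_next_request) pairs.

    A human reading pages spends longer on bigger pages, so the two columns
    correlate; a script sleeping a random interval produces no such relation.
    """
    sizes = [size for size, _ in session]
    dwells = [dwell for _, dwell in session]
    return pearson(sizes, dwells)


def start_minute_share(start_times):
    """Largest fraction of session starts that share one minute-of-hour.

    1.0 means every session began at e.g. hh:15; a person's sessions scatter.
    """
    by_minute = Counter(t.minute for t in start_times)
    return max(by_minute.values()) / len(start_times)


def looks_scripted(session, start_times, min_corr=0.5, max_share=0.5):
    """Return the list of tells that fired (empty list = nothing suspicious)."""
    reasons = []
    if dwell_size_correlation(session) < min_corr:
        reasons.append("dwell time does not track response size")
    if start_minute_share(start_times) > max_share:
        reasons.append("sessions keep starting at the same minute of the hour")
    return reasons


# Constructed samples: (response bytes, seconds before the next request).
HUMAN_SESSION = [(2000, 5), (50000, 120), (8000, 20), (120000, 300), (30000, 70)]
SCRIPTED_SESSION = [(2000, 150), (50000, 40), (8000, 60), (120000, 130), (30000, 200)]

# Constructed session start times: the script fires shortly after quarter past.
SCRIPTED_STARTS = [
    datetime(2016, 11, 1, 8, 15, 12), datetime(2016, 11, 1, 13, 15, 40),
    datetime(2016, 11, 1, 19, 15, 5), datetime(2016, 11, 2, 2, 15, 50),
]
HUMAN_STARTS = [
    datetime(2016, 11, 1, 7, 7, 3), datetime(2016, 11, 1, 12, 42, 19),
    datetime(2016, 11, 1, 18, 15, 44), datetime(2016, 11, 1, 22, 58, 31),
]

if __name__ == "__main__":
    for label, session, starts in (("human", HUMAN_SESSION, HUMAN_STARTS),
                                   ("script", SCRIPTED_SESSION, SCRIPTED_STARTS)):
        print(label, round(dwell_size_correlation(session), 3),
              start_minute_share(starts), looks_scripted(session, starts))
```

Five samples is far too few for a real verdict; the thresholds are illustrative and a real analysis would run over days of records, which is exactly why the post says the differences "become readily identifiable" only when observed over time.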
Ben Tasker

Re: Am I an ISP?

> Will I, and many others like me, have to store these ICR thingies?

And will there be any specific requirements on how we store them? For example, if I write the ICRs out to an aged SSD and never run integrity checks (as to do so could be construed as unauthorised access), is it likely to be too big a drama when those records aren't available (because the SSD didn't start making whining noises to warn me it was going to fail)

Would at least be novel, advising on how to increase the risk of data-loss...

2
0

Firefox hits version 50

Ben Tasker

Re: Android

> unfortunately it's a bit flaky and likes to crash when I expand or move around the page.

That's been my main experience with it, it's just regular enough to be annoying but not so regular that it's forced me back to Chrome.

0
0

Swedish prosecutor finally treks to London to question Julian Assange

Ben Tasker

Re: The Swedes can save face

> The term "rape" is being abused. It normally implies violence or a threat of violence.

No, that would be "Violent Rape" or similar.

The term Rape is all about consent. Sex without consent is rape. Fairly simple.

> Some would say that a woman changing her mind after the event is "rape" because the man should have been more caring...

Some would say that if a woman says "yes, but only if you rubber up" means you've only got consent if you rubber up, and that consent wasn't given (in fact was almost explicitly denied) for bareback.

0
1
Ben Tasker

Re: Really?

> Not according to Swedish law, and however much Wikileaks and St Jules™ think of themselves, they're not important enough to switch Swedish law for.

I read an interview with Assange, about the Hillary leaks recently. It was good, interesting reading right up until the point the journo asked about this case, at which point it was an easy reminder of what a slimy toerag Assange can be

For example, "In Sweden I am not charged,". There's no way that Assange isn't acutely aware that Swedish law requires this interview before he can be charged, so whilst it's not technically untrue, it's a rather manipulative statement to make.

Can't blame the journalist for asking about it, but somewhat ruined an otherwise interesting interview for me.

15
3

Panicked WH Smith kills website to stop sales of how-to terrorism manuals

Ben Tasker

> Oh do fuck off. Warned by The Register indeed. When any twat knows that mixing [redacted] and [redacted]; both common household chemicals you can make [redacted] gas.

Don't tell them that. They're already going down the path of burning books, the next thing will be to burn any of us that actually learnt anything in chemistry for possession of banned knowledge.

6
1

Tesco Bank limits online transactions after fraud hits thousands

Ben Tasker

Re: Tesco bank headers missing

> I can promise you that none of these missing headers resulted in the funds of 20k customer accounts growing feet and walking away...

Agreed. It's much more likely that someone gained access to their internal systems (whether that's an internal job or otherwise)

>Or that any missing headers in a web server response ever resulted in something similar.

On this scale? Probably not.

It's certainly feasible on a smaller scale though. Cert authorities have been compromised in the past, and likely will be again. The authentication method LetsEncrypt uses when requesting a cert is known to be vulnerable to DNS poisoning, so there's a potential avenue to obtaining a trusted-but-fraudulent certificate there too.

What's the defence against an incorrectly issued, publicly trusted certificate?

Certificate pinning. Which none of the buggers is using. As mentioned earlier in the thread, configuring it isn't without its risks, but it's just a case of needing careful management.

Incidentally, that LetsEncrypt issue I mentioned, can be mitigated by DNSSEC, which, again, none of the buggers is using.

Given that banks are "trusted" to hold our money, you'd think the bar would be somewhat higher for what they consider the bare minimum.

Personally, I think it'd be better if browsers got their act together and implemented support for DANE, but that's a whole other topic (and would require the banks to set up DNSSEC in any case).

2
0
Ben Tasker

Re: Tesco bank headers missing

> My immediate response was that the Barclay's app gets a bonus star for not working at all... no?

I did think about that, but decided against. It's more than possible the failure to run was something I did (or didn't) think of, so probably shouldn't give them an additional point (which might be misleading) just in case the app is actually Swiss cheese in reality. Given the much wider range of permissions their app asks for, I figured it was better to err on the side of caution

0
0
Ben Tasker

Re: Tesco bank headers missing

When I last looked they all did a pretty poor job of using the tools/techniques available. Granted I was looking at their apps, but the situation looked more or less the same for their online banking login pages.

Ironically enough, Tesco bank's holier-than-thou stance on security in one area was what prompted me to have a quick gander

8
0

Brexit may not mean Brexit at all: UK.gov loses Article 50 lawsuit

Ben Tasker

> Your thinking is backwards, the court isn't saying that elites can't just dictate and must put it to a vote,

Yes, yes it is.

It's saying that the Government cannot simply make the decision and bypass Parliament.

If you'd prefer it termed this way, it's saying the elite of the political elites cannot dictate.

> the court is saying that a fully democratic referendum

You missed out the word "advisory" there. And, before you take umbrage, make sure you read the numerous legal analyses that show referendums in the UK are advisory unless explicitly stated otherwise in the enabling legislation. It could always be disregarded (not that I'm saying it's necessarily a good idea)

They asked our opinion, and now they must vote on it.

Personally, I think Brexit is a fucking stupid idea, but for me this isn't just about that. The idea that the Prime Minister can make such a permanent, nigh-on-irrevocable decision without a complete mandate (see below) is insane and (given who the PM is) dangerous.

On the mandate front, OK, as a nation we voted in majority for Brexit. We didn't vote on losing access to the single market, and certainly didn't vote on coming out of the ECHR. One of those we know May wants, the other varies depending on who's speaking, but neither of which were actually voted on specifically.

14
1
Ben Tasker

As others have said, what did we vote on?

- Leave the EU?

- Leave the Economic Area?

- Leave the ECHR?

All or some of the above? What's TM going for?

Strange though, an awful lot of Leavers I know were going on (pre-referendum) about how Parliament was no longer sovereign, and we need to get that back etc. We get a court ruling saying the elites can't just dictate and must put it to a vote and you're all upset?

> Have we really reached the point at which we're abandoning democracy?

We're a parliamentary democracy and the legal system has just said that Parliament must be involved. If anything we've just re-affirmed that democracy not abandoned it.

> If so, then violence is inevitable.

Lucky we're going to have that extra money for the NHS so we can handle the casualties then... oh, wait

19
3
Ben Tasker

> I have no sympathy for those who are too stupid or lazy not to vote. Use your vote or lose it.

In the context of the referendum, that's the stupidest statement I've seen in a while.

You're asked for an opinion - should we stay, or should we go. You're not sure either way (because neither side is actually giving anything of substance).

Some people said "fuck it", picked one (because they wanted to be "part" of the referendum).

Others said, still not sure, so I'll not vote either way.

I've got far more respect for that latter group than for the former. I know people who voted Leave purely because they wanted to be "involved" and are now pissed that GBP has tanked etc. Frankly, they brought it on themselves, it's just a pity they also helped bring it on the rest of us too.

The best reason not to vote is because you don't feel strongly enough in either direction. The worst reason to vote is simply to feel involved in that process, it's not a fucking lottery ticket.

12
1

Hm, is that a minefield? Let me just throw my magic bomb-sniffing spinach over there

Ben Tasker

Re: OK so let's see if I can find a use for it

> they are land mines how do you defuse/detonate them safely?

You take a step back and then spray the solution in your assistant's eyes

1
0

Hackers hustle to hassle un-patched Joomla! sites

Ben Tasker

> "If you have not updated your Joomla site yet, you are likely already compromised," Cid says.

Seems a bit sensationalist. I've checked logs for quite a number of sites and most of them haven't seen any attempts.

0
0

Microsoft: We're hiking UK cloud prices 22%. Stop whining – it's the Brexit

Ben Tasker

Re: Work the problem?

> Seems to me that every company trying to make a buck out of this opportunity should be met with a "no thanks." whilst we buy/use something else

Here's the thing. When you devalue your currency, the cost of things from foreign suppliers tends to rise as a result.

If MS didn't allow us to buy in GBP, and instead only sold in USD, we'd still be spending more.

It's not just opportunism, it's a direct result of the devaluation of the pound, which has come about as the result of businesses having serious concerns about the UK's prospects post-brexit.

In my book, that's definitely something to dump at the feet of the leave crowd.

28
3

CloudFlare shows Tor users the way out of CAPTCHA hell

Ben Tasker

Re: nonce field - unfortunate choice of name

> As the actual value is irrelevant I guess that the name comes from a contraction of nonsense.

I've always assumed, being a throwaway, it's just a contraction of "n" and "once"

Not sure though

0
0

Source code unleashed for junk-blasting Internet of Things botnet

Ben Tasker

Re: It would seem

The only thing to watch out for with that is manufacturer idiocy. IIRC when BT first moved from having a generic default WEP/WPA password on the Homehub they went with the serial number. Unfortunately it was possible to get the AP to tell you its serial before you'd authenticated.....

You can almost guarantee at least one manufacturer will drop that info into the http headers, or body to aid in identifying the kit when they get a support call

1
0

Alleged hacker Lauri Love loses extradition case. Judge: Suicide safeguards in place

Ben Tasker

Re: Controversial

But, to stretch the analogy, you wouldn't get to claim the cost of installing an alarm as damages against the car thief either. The thief stole the car and gets done for that, you don't get to claim back the cost of doing what you should have been doing in the first place.

In other cases though, the US has tried to reach the bar for damages by including the cost of implementing security that should have been there in the first place.

So whilst he shouldn't get off scot-free he's not wrong when he claims it won't actually be justice that's meted out in the US

6
3

Swedish appeals court upholds arrest warrant for Julian Assange

Ben Tasker

Re: Very few commenters seem to know the facts of this case...

> 2. Assange has not been charged and he is not wanted for trial.

FFS, if by now you don't know why that's bullshit you're either being willfully ignorant or are just too plain dense to conceive that different countries have different legal systems.

He cannot be charged (and therefore cannot be wanted for trial) until after the interview they want to have with him. It's not a difficult concept, and it's not new.

> 4. Assange has not "refused to come to trial or indeed be questioned".

No, but he (the suspect) is trying very hard to dictate how and where that happens. What other suspects would you say could get away with that?

> 5. Assange did not "flee".

For a start, he's a bail jumper which most would consider fleeing. Secondly look up the circumstances of his departure from Sweden. Not that whether he fled Sweden really matters, if he left to visit his Great Aunt Norma the requirement for him to go back wouldn't change.

Maybe try reading a wider range of sources and verifying facts a little more thoroughly. It might be a fact that he's not been charged, but there's another fact that explains why and that it's not unexpected.

17
8

Bug of the month: Cache flow problem crashes Samsung phone apps

Ben Tasker

Re: Mono

Yes and Yes.

Xamarin bug is here - https://bugzilla.xamarin.com/show_bug.cgi?id=39859

Edit: clicky

10
0

We want GCHQ-style spy powers to hack cybercrims, say police

Ben Tasker

Re: on the rights of man and common sense

>> increase the risks criminals need to take

>

> struggling with ideas here that don't involve logging everything everywhere. fuck off.

Perhaps reduce the time wasted on fighting for things that harm us all and focus on doing some actual police work? More coppers doing what they're supposed to be doing should increase the risk of getting caught

>> ; remove the excuses for it

>

> Does anyone have any good excuses for cyber crime? Crap wars in foreign lands?

I've got a sinking feeling that in the future we may all have a good excuse - they've clamped down so hard on things that "normal" stuff like using https is now potentially a cybercrime.

4
0

Dropbox: Leaked DB of 68 million account passwords is real

Ben Tasker

Re: Can someone explain

With bcrypt, the salt is stored in the "hash". The output of bcrypt is essentially a string containing the actual hash - in effect ${cost}${salt}${hash} - so if you've got the bcrypt "hash" you've got everything you need except the real password.

But that's fine, because a salt isn't intended to be secret, it's intended to make it more expensive for an attacker to try and bruteforce hashes

2
0
Ben Tasker

I emailed them back in 2012/2013 to ask if they'd been compromised because the alias I'd used for them started receiving spam. They said no

Feeling a little vindicated now

3
0
Ben Tasker

Re: Ummm

> I am also not sure the attacker "would need the salts". Generally they are right next byte to the hash, possibly after or before a separator...

Absolutely correct - with bcrypt the salt is stored within the "hash", along with the cost used and the resulting cipher text. The cost and salt get split out of the stored string when testing a submitted password.

1
0
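The three posts above all make the same point: the stored bcrypt value is a single string carrying the version, the cost, the salt and the hash, so anyone holding the row also holds the salt. As an added example (not code from the posts, nor from any bcrypt library), here is a small Python parser for that modular-crypt layout, plus the "settings prefix" a verifier rebuilds from it before re-hashing a submitted password. The sample row is constructed for illustration and is not a real hash of any password.

```python
import re
from dataclasses import dataclass

# Modular-crypt layout of a stored bcrypt value: $2b$<cost>$<22-char salt><31-char hash>
# Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9), not standard base64.
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptParts:
    version: str   # e.g. "2a" or "2b"
    cost: int      # log2 of the number of key-expansion rounds
    salt: str      # 16 salt bytes, bcrypt-base64 encoded (22 chars)
    digest: str    # 23 hash bytes, bcrypt-base64 encoded (31 chars)


def parse_bcrypt(stored: str) -> BcryptParts:
    """Split a stored bcrypt string into its components.

    Everything here is recoverable by anyone holding the database row: the
    salt is stored in the clear, which is fine because it only needs to be
    unique per password, not secret.
    """
    m = BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    return BcryptParts(m["version"], int(m["cost"]), m["salt"], m["digest"])


def settings_prefix(parts: BcryptParts) -> str:
    """Rebuild the '$2b$12$<salt>' settings prefix.

    A verifier re-hashes the submitted password under exactly this prefix and
    compares the result with the stored digest; that is why the cost and salt
    have to live alongside the hash rather than somewhere secret.
    """
    return f"${parts.version}${parts.cost:02d}${parts.salt}"


def work_factor(parts: BcryptParts) -> int:
    """Number of expensive key-expansion rounds implied by the cost (2 ** cost)."""
    return 2 ** parts.cost


def cost_is_acceptable(parts: BcryptParts, minimum_cost: int = 10) -> bool:
    """Policy check: flag rows whose cost has fallen behind the current minimum."""
    return parts.cost >= minimum_cost


# Constructed sample row (not a real hash of any password): 22-char salt, 31-char digest.
SAMPLE_ROW = "$2b$12$abcdefghijklmnopqrstuv0123456789012345678901234567890"

if __name__ == "__main__":
    parts = parse_bcrypt(SAMPLE_ROW)
    print(parts)
    print("settings prefix:", settings_prefix(parts))
    print("rounds:", work_factor(parts), "acceptable:", cost_is_acceptable(parts))
```

The `cost_is_acceptable` check is the practical use of having the cost in the clear: a migration job can scan the stored rows and re-hash low-cost ones at next login without ever needing anything secret from the row.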

£1m military drone crashed in Wales after crew disabled anti-crash systems – report

Ben Tasker

> Millions of pounds of hi tech equipment destroyed for want of a £1 microswitch.

By the time it's been rated "aviation safe" it'll cost much more than £1. I remember seeing £20 spanners coming into the aviation workshop still carrying a price tag that indicated they'd cost 10x as much. Partly because Government contract, partly because they'd been rated as OK for use on aircraft.

So that £1 microswitch may well cost hundreds, if not thousands from the supplier

3
0
Ben Tasker

Re: The Real Lesson

> Is that this drone was of a horrible design.

Pretty much my takeaway as well.

> if Master Override is activated and one of the altimeters is malfunctioning, the Watchkeeper opens up its “ground touch” window from 1m sensed altitude to 20m sensed altitude. In other words, the drone might decide it has landed even when it is still 65 feet up.

Clearly whoever designed this was trying to solve a specific issue they predicted might happen, but didn't give enough consideration to what the actual ramifications might be

13
0

Thieves can wirelessly unlock up to 100 million Volkswagens, each at the press of a button

Ben Tasker

Re: Quick Release or build it like it is in my head

Inevitably leading to someone having to stand at the tobacco counter at Tesco's as their ice cream melts and say, errr... has anyone handed in a steering wheel? I'm sure I had it when I paid, but can't find it anywhere

Not that I once realised I'd left my wallet on the counter once I'd driven 100 miles. Thankfully there was enough diesel in the tank to get back

12
0

Idiot flies drone alongside Flybe jet landing at Newquay Airport

Ben Tasker

Re: Ban Them!

> Me neither. *shakes fist at pesky adblocker*

Same here. Was only yesterday I was debating whether to whitelist the Reg so they could earn some income from my views. Guess that settles it.

11
0

Hilton hotels' email so much like phishing it fooled its own techies

Ben Tasker

Re: Banks are just as bad

Perhaps if you'd clicked it, it would have resent the email, but in a larger font this time to try and get the information to sink in?

But yeah, I've had similar from my bank - we take account security very seriously, click this link to a random looking domain to find out how to avoid getting scammed

12
0

Julian Assange™ to meet investigators in London

Ben Tasker

Re: He's on Ecuadorian Soil...

> Assange is not in the EU or the UK, he's on Ecuadorian Soil,

No, he's on UK soil.

The whole "an embassy is foreign soil" is a Hollywood thing, not a real-world thing.

The Vienna convention prevents us from going in without very good cause, but to do so wouldn't be an invasion of foreign soil. The real risk is that failing to respect someone else's embassy would lead to British embassies suffering the same.

> No one has come off well in this, least of which the UK Government. The original offence (if there ever was one) has long been served, by his self imprisonment.

Except it's self-imprisonment so it doesn't actually count. If you're expecting that you'll be convicted of something you can't just hole yourself up somewhere of your choosing and then claim time served, that's just not how it works.

16
0

The developer died 14 years ago, here's a print out of his source code

Ben Tasker

Re: Mr Robot

>  when you see people in DC doing whatever they're doing, while wearing t-shirts but not seeming to feel the cold.

I don't think I've ever felt the need to layer up in the DC. I have occasionally had to leave the hot aisle because I was getting too warm though. A t-shirt is otherwise normally fine, but it's possible I've built a tolerance since the smoking ban exposed me to the elements more frequently

Oh, and I'll usually have something in/over my ears if I'm going to be in there for too long. Not so much the volume as the constant exposure that gives me a headache.

2
1

Dying satellite sends boffins one last surprise before disappearing

Ben Tasker

> Because if you kick the mistake makers too hard, by firing them or making it impossible to continue with their jobs, then you lose not only the skills you've invested in but also the learning from the mistake. Do something wrong in the armed forces and you're often demoted - you have to earn your way back up.

Yup, an employee who's fucked up and been punished is usually still a more productive and useful asset to the company than an employee who hasn't yet fucked up and hasn't learnt to exercise a little more care. I'd rather someone who didn't fuck up because they'd learned to be careful than someone who's just got lucky so far.

Firing is for the willfully incompetent/negligent and for those who never learn to exercise care. Everyone else should get the chance to learn from mistakes.

And firing someone to "make a statement" (i.e. for political purposes) should probably be a sackable offence too IMO, as it's throwing away the company's investment in that person for no good reason.

4
0

Meet the 1,000 core chip that can be powered by an AA battery

Ben Tasker

Re: Why?

It's part of Skynet:

....the chip can execute 115 billion operators a second while....

But seriously, as others have said - does there need to be a "why" for trying everything new? Once a technology is developed, uses will generally be found for it, and otherwise unthought of technologies sometimes grow up around them

0
0

Tor torpedoed! Tesco Bank app won't run with privacy tool installed

Ben Tasker

Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP

Got curious, turns out they're not the worst of the lot, even if far from great.

1
0
Ben Tasker

> Also considering the risk of poisoned exit nodes & MITM, while TOR is great for anonymising your origin you probably can't trust it to protect your identity and personal details that you transmit

Well, how about the App actually verifies the certificate it receives, and they use DANE to ensure that the fingerprint of the provided certificate matches the certificate they _know_ to be real.

Then the exit not only has to MITM the SSL connection (using a publicly trusted certificate), but also has to find a way to return a valid, _signed_ response to the DNS query.

Tesco are using DNSSEC for their financial arms right? right? Oh wait, no they're not. Hell, they're not even using HSTS or HPKP

Implementing actual checks on the certificate being provided would benefit all users, tor and non-tor. Instead, they leave their app checking the local system whilst ignoring the large expanse of network between the client and the server.

6
0
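The certificate-pinning post in the Tesco Bank thread above and this post describe the same check from two angles: the client should accept only a certificate whose key it already knows, either from a built-in pin or from a DNSSEC-signed DANE TLSA record. As an added example (not Tesco's code, nor that of any TLS or DNS library), here is that decision logic in Python. It assumes the caller already has the DER-encoded certificate and its SubjectPublicKeyInfo from the TLS library, and a `dnssec_validated` flag from a validating resolver; the key and certificate bytes are constructed stand-ins, not real DER.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaRecord:
    """One DANE TLSA record as returned by a validating resolver (RFC 6698 fields)."""
    usage: int          # 3 = DANE-EE: trust this exact end-entity certificate/key
    selector: int       # 0 = whole certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    assoc_data: bytes


def hpkp_pin(spki_der: bytes) -> str:
    """Pin in the HPKP style: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy one TLSA record?"""
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        return False  # unknown selector: unusable, never a match
    if record.matching_type == 0:
        observed = selected
    elif record.matching_type == 1:
        observed = hashlib.sha256(selected).digest()
    elif record.matching_type == 2:
        observed = hashlib.sha512(selected).digest()
    else:
        return False
    return hmac.compare_digest(observed, record.assoc_data)


def server_identity_ok(cert_der, spki_der, tlsa_records, dnssec_validated, pinned_spki):
    """Decide whether the presented certificate is the one the app *knows* to be real.

    Returns (accepted, reason). DANE-EE records are trusted only when the
    resolver reported the answer as DNSSEC-validated; an unsigned answer is
    exactly what a hostile path could forge, so it is ignored and the built-in
    pin set decides instead. A publicly trusted but fraudulent certificate
    fails both checks.
    """
    if dnssec_validated:
        usable = [r for r in tlsa_records if r.usage == 3]
        if usable:
            if any(tlsa_matches(r, cert_der, spki_der) for r in usable):
                return True, "matched DNSSEC-validated DANE-EE record"
            return False, "no DANE-EE record matches the presented certificate"
    pin = hpkp_pin(spki_der)
    if any(hmac.compare_digest(pin, known) for known in pinned_spki):
        return True, "matched built-in pin"
    return False, "certificate matches neither DANE record nor built-in pin"


# Constructed stand-ins for DER bytes (not real keys or certificates).
GENUINE_SPKI = b"constructed SPKI bytes of the bank's real key"
GENUINE_CERT = b"constructed certificate wrapping " + GENUINE_SPKI
MITM_SPKI = b"constructed SPKI bytes of a publicly trusted but fraudulent certificate"
MITM_CERT = b"constructed certificate wrapping " + MITM_SPKI

# What the bank would publish (DANE-EE, SPKI, SHA-256) and ship inside the app.
BANK_TLSA = [TlsaRecord(3, 1, 1, hashlib.sha256(GENUINE_SPKI).digest())]
BANK_PINS = {hpkp_pin(GENUINE_SPKI)}

if __name__ == "__main__":
    print(server_identity_ok(GENUINE_CERT, GENUINE_SPKI, BANK_TLSA, True, BANK_PINS))
    print(server_identity_ok(MITM_CERT, MITM_SPKI, BANK_TLSA, True, BANK_PINS))
    print(server_identity_ok(MITM_CERT, MITM_SPKI, BANK_TLSA, False, set()))
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate (selector 1) is what makes routine certificate renewal survivable: the key can stay the same across renewals, so neither the TLSA record nor the shipped pin set has to change each time, which addresses the "careful management" concern raised in the earlier thread.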

Mark Zuckerberg's Twitter and Pinterest password was 'dadada'

Ben Tasker

Re: As for username and password,

Personally, I don't know the answer to any of my secret questions. I generate a random string and paste that in.

Passwords are in a manager so the questions shouldn't ever be needed, and if they are I've bigger things to worry about.

Does mean it's a right shit when a site suddenly updates login to include "enter character 6 of the answer to your security question" though.

0
0

Jacob Appelbaum quits Tor Project amid 'sex misconduct' accusations

Ben Tasker

Re: The blog post

> No, I linked to a page on the Tor Project blog only, not the website Appelbaum mentions.

Strange then, the second paragraph of the statement is a bit unnecessary IMO, but otherwise not quite sure it'd fall under defamatory, even if the language is a little woolly

0
0
Ben Tasker

IOError's Statement

Jake has (just) published a statement - http://www.twitlonger.com/show/n_1soorlp / https://twitter.com/ioerror/status/739731362404536320

2
0
Ben Tasker

Re: The blog post

I don't know, but I suspect at least one of the deleted comments probably linked to the domain that's been, err, dedicated to ioerror - which very definitely does contain a lot of defamatory stuff.

No idea whether the allegations are true (other than that he can be a knob at times), but that site and the social media witchhunt make me sad to be part of the community. There's no reason for everything to have been done quite so publicly (the site in particular), particularly at this stage, and for a privacy loving community to seemingly take so much delight in a public burning doesn't sit well.

5
0
Ben Tasker

> I take it you're British? No freedom of speech, your votes don't count,

Funny, those first 2 seem to apply to the opposite side of the pond too.

As far as the monarchy goes, it seems at last check, they bring in more money than we pay to support them, which seems to be in line with the capitalist dream, no?

7
1
