* Posts by Ben Tasker

1612 posts • joined 23 Oct 2007

US cities react in fury to FCC's $2bn break for 5G telcos: We'll be picking up the tab, say officials

Ben Tasker
Silver badge

Re: Pronunciation

> So how exactly do you pronounce Pai?

I believe it's generally pronounced as /kʌnt/ or Kor-Upt

5
0

Trump shouldn't criticise the news media, says Amazon's Jeff Bezos

Ben Tasker
Silver badge

Re: Poor Jeff is so right, nobody takes his leftist hate pamflet seriously anymore

> I see you didn't reference the Washington Post article itself anywhere, so let me help:

I see much like the referenced article, you didn't bother to read the rest of my comment given that I did reference it, including providing a URL.

> Regardless of what the article might say,

Strangely, when discussing the written word, it tends to matter what those words say.

> I'm not sure that the last two years over-rides everything that has happened since the industrial revolution began. But maybe it does, maybe he is the evil god of hurricanes.

You seem unable to grasp that there's a difference between "He's complicit" and "He's the root cause". You can be complicit in a crime without being the one to commit a crime, for example.

5
0
Ben Tasker
Silver badge

Re: Poor Jeff is so right, nobody takes his leftist hate pamflet seriously anymore

> That's what Bob was alluding to in his admittedly florid prose.

It was Naive who posted it originally ;)

> It's a well-known tenet of the Left that those who "deny" global warm... excuse me, "climate change" have the blood of future billions on their hands,

Well, yes. If we as humans are impacting the climate - which looks damn near certain - those who try to deny it (particularly those who do so in pursuit of short term profit) do potentially have blood on their hands. It might even amount to the blood of billions, in a worst case scenario.

You can try and make this a left and right thing if you want, but the actual differentiator is that those who seek short term profit by denying climate change do not give a fuck about what happens to future generations. It really is that simple. That the feckless, money driven sociopaths seem to be drawn to the American right is an ancillary point - I don't think being right wing makes you one of them, but being one of them probably does make you lean heavily right.

Then you've got the feckless idiots who listen to these profit driven feckers. A good number of whom fall in demographics where (outside of lottery wins, strokes of luck) their descendants will be more heavily impacted by climate change (not being rich enough to protect themselves more).

So yeah, they potentially are complicit. Needing to be punished is something else, of course, but only a complete moron would deny that those people are complicit if it later turns out they were not only wrong, but knew it and were lying to make money.

15
3
Ben Tasker
Silver badge

Re: Poor Jeff is so right, nobody takes his leftist hate pamflet seriously anymore

> Washington Post claims president Trump is a sorcerer creating storms.

That is nuts

> https://www.breitbart.com/big-journalism/2018/09/13/nolte-from-terrorist-hurricane-creator-wapo-ramps-hate-campaign-against-trump/

Oh wait, that's your source?

OK, I put my internet condom on and followed your link into the stink.

Breitbart claim this - https://www.washingtonpost.com/opinions/another-hurricane-is-about-to-batter-our-coast-trump-is-complicit/2018/09/11/ccaed766-b5fb-11e8-a7b5-adaaa5b2a57f_story.html - is blaming Trump for the storm.

What it actually says is Trump is actively trying to downplay human-caused climate change, which is capable of increasing the severity of weather events.

At no point does it suggest Trump is a "sorcerer creating storms", just that he's a callous cunt who tweets semi-sympathetic stuff whilst laying waste to stuff that might help reduce the impact. That is, when he's not busy tweeting about himself in the aftermath.

Of course the Washington Post article is quite long, so it's no surprise that a Breitbart dweller might not bother reading it, even if the basis of it is only one paragraph long:

> Yet when it comes to extreme weather, Mr. Trump is complicit. He plays down humans’ role in increasing the risks, and he continues to dismantle efforts to address those risks. It is hard to attribute any single weather event to climate change. But there is no reasonable doubt that humans are priming the Earth’s systems to produce disasters.

61
4

UK.gov finally adds Galileo and Copernicus to the Brexit divorce bill

Ben Tasker
Silver badge

Re: To anyone pro-Brexit

> But the cost to trust in politics would be massive.

The cost to trust of screwing up implementing Brexit is also huge too though. For all the shit May has pulled, there's no denying she's in a fecking awful position.

6
0
Ben Tasker
Silver badge

Re: Remind me...

> I would suggest the current crop of MPs carefully consider their actions in the last few years and those to come, if they fail to keep their promises

There was a column written fairly recently suggesting that _if_ Brexit goes really badly wrong, and unrest spills out into the street, it might be unwise to be in the country for some of the more visible/memorable Brexiters. Particularly if those who are rioting used to support your position.

Hopefully it's not going to get anywhere near that bad, but if I was Boris (in particular), I'd be giving it long hard thought.

5
1

Redis does a Python, crushes 'offensive' master, slave code terms

Ben Tasker
Silver badge

Re: Reality check

Further up the thread, someone linked to the case of "Brainstorming" being termed politically incorrect.

Within the results of that statement is something that really underlines your point:

> However, in the survey, 93 per cent of people with epilepsy did not find the term derogatory or offensive in any way and many felt that this sort of political correctness singled out people with epilepsy as being easily offended.

The knee-jerk "we must protect them" without giving them any say, is itself potentially offensive.

I try not to offend, and will apologise if I have legitimately offended, but I never try to judge what might and might not offend someone else beyond the bleeding obvious.

9
0

Do not adjust your set, er, browser: This is our new page-one design

Ben Tasker
Silver badge

Re: Next change in line

This.

There's too much white on the frontpage (and on the site in general). Let me choose a dark design and it's less likely to strain my eyes when I'm just barely woken up.

Not sure I like the borders on the tiles either. But again, might look better with a dark theme.

12
1

First it was hashtags – now Amber Rudd gives us Brits knowledge on national ID cards

Ben Tasker
Silver badge

Re: "people already hand over masses of info to private firms"...

> Quite possibly but the key point to remember about this is that data taken in this way is taken by force. It was not voluntary.

If anything, her observations are arguments on why Governments should clamp down *more* on this data collection, rather than arguments for the Gov joining in.

9
0
Ben Tasker
Silver badge

Re: "people already hand over masses of info to private firms"...

> I rather fear that the reality is that you have handed over more data than you think.

The wise position for any privacy-conscious person to take is to assume that that is in fact true. They've already collected unknown data, so be aware that anything you let slip - however innocuous - could be used in combination with that unknown data.

For me, it's basically the same mindset as when dealing with security systems. It's not IF there's a breach, it's WHEN.

34
0

It's September 2018, and Windows VMs can pwn their host servers by launching an evil app

Ben Tasker
Silver badge

Re: So adblockers are now strictly necessary

>you must block all adverts.

And images. The site you're on might be malicious, and one image is all it takes.

In fact, to play it safe, find a windows build of Lynx and be done with it.

0
0

Python joins movement to dump 'offensive' master, slave terms

Ben Tasker
Silver badge

Re: Brain-dead

> No, Client/Server is not the same as Master/Slave.

To be fair though, "Primary" and "Secondary" is not the same as Master/Slave either. Primary implies that it'll be used first (say by a front-end), which isn't necessarily true. You may in fact spread your reads across a Master/Slave.

Parent/Child is also different to Master/Slave in some instances, as it implies that the "child" was spawned by the parent. If you've got Master/Slave replication on your database instances (for example) that's almost certainly untrue. For processes we already tend to use parent/child anyway.

I'm not opposed to the discussion as such, it's just I think it's a bit of a waste of time - especially given the "improved" replacements don't seem to apply nearly as broadly.

9
0
Ben Tasker
Silver badge

> Fifty years ago, people missing a leg, or an eye were called "cripples".

FWIW, I still refer to myself as a cripple (though my leg is faulty rather than missing). That's unlikely to change either - I have had people tell me I should refer to myself using different terms, but they never seem able to explain how it *isn't* offensive to tell me what terms I can use to refer to myself.

31
0

Conference alert: Think you can save money by going Serverless?

Ben Tasker
Silver badge

> You still need to pay for the same capacity with the other company, plus their profit margin.

And factor in that prices will rise whenever they need to show "growth", or otherwise please the shareholders.

3
0

Lyon for speed, San Francisco for money, Amsterdam for fun: the best cities to be a techie

Ben Tasker
Silver badge

Re: Are electric car charging points that important?

> I would have thought 'adequate parking space' and/or 'cost of parking' would have much more relevance. It is no good being able to charge your green statement if you can't then park it,

Seems fair to me. But, in that case, a high number of charging points should probably detract from a city's score - the more charging points there are, the more spaces have been effectively dedicated to leccy cars and are unavailable for you with your ICE.

2
0

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case

Ben Tasker
Silver badge

Re: @AC 'Facebook: Information in Hive not readily accessible'

Subject access requests aside, it may be worth remembering that from FB's point of view, the "service" is providing advertisers with as much targeting data as possible.

And from the law's point of view (i.e. the PoV that matters), the service is providing users with, well, Facebook. That's the service being provided to the user.

It doesn't matter that Facebook's customers are the advertisers, their data collection should be minimised based upon the service provided to users.

1
0
Ben Tasker
Silver badge

Re: @AC 'Facebook: Information in Hive not readily accessible'

Yes the information in Hive is readily accessible. However the queries will suck up quite a bit of resources doing full table scans.

You seem to think this lack of resources should be the user's problem. It's not. If Facebook cannot comply with the legal requirements of GDPR then it's very much their problem. At the very least they'll need to start working towards an architecture that does allow them to comply (because, let's face it, they're not going to stop collecting that data in the first place).

Whoever peddled this story is hoping that there aren't people reading it who actually know Hadoop or FB's internals.

If you read the article it addresses the GDPR related aspects of the difficulty in gaining access to the data, in various places including this:

> Moreover, he pointed out that if the request is excessive, it is only because the amount of data collected and sent to Facebook is too large for one of the biggest companies in the world to retrieve.

> "Which seems to be a breach of [GDPR's requirement for] data minimisation rather than my fault as a data subject requesting this data," he observed.

If Facebook are collecting reams of data, so much so that it's almost impossible for them to fulfil an access request for it, then that has connotations about whether they're actually collecting the bare minimum required to provide their service.

They've also rendered themselves unable to fulfil a legal requirement, so of course there will be an investigation. Rightly or wrongly, the internals of Hadoop are largely irrelevant to the law - if it means you can't comply, the view will likely be you should use a technology that _does_ allow you to comply.

5
0
Ben Tasker
Silver badge

Re: @AC ... The article confirms why Zuck acted so naive / dumb in-front of EU / US lawmakers

> The only solution is for regulators worldwide to force Zuck to purge the HIVE from day-zero to now.

Uhm... easier said than done.

> Data stored on HDFS (including HBase) is not mutable.

He said purge all the data. That's fairly straight forward: hdfs dfs -rm -r "/*"

If they want to keep specific bits of data, then yes that's trickier, but that's explicitly not purging from day-zero to now.

6
0
Ben Tasker
Silver badge

The ICO has issued a number of flawed decisions, but an ICO decision is far from the end of the line - it's not even precedent setting on the NEXT decision they make (never mind they're not a court of law).

Not to mention the complaint has gone to the Irish Data Commissioner, so the ICO are entirely irrelevant here anyway.

6
1

Spies still super upset they can't get at your encrypted comms data

Ben Tasker
Silver badge

Re: Too stupid and too late

> What about code or software outside the 5-eyes countries?

What about those within the 5-eyes countries? How many people here would stop working on encrypted stuff? I certainly wouldn't.

> What if you tunnel your encryption over HTTPS (443)?

To be fair, there are DPI solutions which can run pattern analysis on connections and predict whether it's likely to be web browsing, video streaming, IM style traffic etc inside. They also look at the handshake and fingerprint it to help identify Tor (for example). Not bullet proof, by any means, but simply sticking something on 443 isn't enough.

> Too stupid and too late. The 5-eyes Panopticon is dead.

The problem they have is they've taken a position that they cannot easily now back away from. They seem to have assumed that they'd be able to force their way of doing things, and completely underestimated the industry's view of them once the Snowden leaks made it clear that you cannot trust these people with anything.

Want to collect intel on terrorists? Then maybe don't record and store anything and everything you can find. Don't push for (and get) Bulk Interference powers so that you can legally pop my router on the basis that a terrorist might be using that model somewhere. Don't push for (and get) powers requiring ISPs to record my internet browsing behaviour, and *definitely* don't try and shrug it off with "it's just metadata, harmless, honest guv".

They had a chance and they pissed it up the wall. Encryption is on the uptake, even in areas where it wasn't traditionally present, and long may it last.

21
0

As porn site pounds hard on piracy laws, Cox pulls out prematurely

Ben Tasker
Silver badge

Re: Who cares ?

> The only thing keeping it from being even more damaging than it already is is the safe harbor exemption.

^ That.

The DMCA is, and always has been a consumer hostile clusterfuck of legislation. It's (ab)used again and again in order to shut down things that should be legitimate - particularly in areas where there is no safe harbour or similar defence - circumventing technical measures for example. As an example, there's currently a hard-won exception to the DMCA so that you can legally root your phone (but not your tablet).

That exemption's only good for 3 years, and then it'll have to be fought for again (and again, and again). In 2013(ish) the exemption that allowed you to unlock your phone to another carrier (without your original carrier's permission) expired.

The fact there's even a hint of them reviewing the DMCA, much less at rights holders behest, should worry you greatly, whether you're in the US or not. Like it or not, our industry tries to follow the Septics, and they're potentially about to get fucked over again.

33
0

Keep yer plastic, says analyst: eSIMs aren't all they're cracked up to be

Ben Tasker
Silver badge

IIRC the US networks tried very hard (and may have succeeded) to have a "lock" included in the e-SIM spec so that they could network lock the e-SIM itself, rather than just the phone.

Ah, here we are, they even (allegedly) managed to get the GSMA to go along with it.

0
1

Porn parking, livid lockers and botched blenders: The nightmare IoT world come true

Ben Tasker
Silver badge

Re: What exactly is the Internet-of-Things?

I recently got fed up of explaining _again_ why I'm not having Alexa in my house. So I ended up writing this and just send people a link when they ask

Edit: make clicky

8
0

Basic bigot bait: Build big black broad bots – non-white, female 'droids get all the abuse

Ben Tasker
Silver badge

Re: Last time I checked Spain was in Europe...

> US racists can be really strange. A friend of mine is black in the UK but in the US he is English.

That reminds me of a reddit thread a while back (not the first) where a black British guy got into an argument with an American who was insisting that he (the black guy) was African-American. It's the sort of argument that you'd hope would end with "firstly I'm British, so you're at least half wrong", but the yank doubled down and carried on insisting.

I always found the term African-American a bit weird to begin with, it's not like the white Americans are referred to as "European-American" or "Caucasian-American" after all.

30
2

I predict a riot: Amazon UK chief foresees 'civil unrest' for no-deal Brexit

Ben Tasker
Silver badge

Re: "Where is the evidence to suggest that would happen?"

> It's something the Leavers ignored.

They didn't ignore it, they claimed it was ridiculous and "Project Fear" that the Irish Border could become an issue in the event of a Leave vote.

16
1
Ben Tasker
Silver badge

Re: I was pro-remain, but this really is "Project Fear" at work.

> Because we know the alternative of Labour would let the unions destroy the economy like they did in the early 70s?

So instead you vote for Brexit, which even Rees-Mogg now claims will take 50 years to show any economic benefit (with hard economic times until then).

If you're not trolling, you're too damn stupid to vote

23
7

Farewell then, Slack: The grown-ups have arrived

Ben Tasker
Silver badge

Re: "death of email" ? not until chat gets federation!

Because no-one ever receives chats from random bots pretending to be lonely young women on Skype and other chat apps?

Email has a spam problem, sure, but it's not like the centralised chat systems don't either. Worse, being centralised they should be more able to prevent it.

10
0

Fresh cup of WTF with lunch? TeamViewer's big in Twitter's domination-as-a-service scene

Ben Tasker
Silver badge

Neither.

They're paying a dominatrix (usually) to Teamviewer onto their machine and exert complete control. Based on some of the results for the hashtag, they commonly sit and watch, in front of the webcam whilst wearing lingerie.

The "thrill" apparently coming from the level of control being exerted. She could screencap the cam and then post it on their facebook page. Or log into Amazon and order a bunch of stuff, etc.

3
0

Banks told: Look, your systems WILL fail. What is your backup plan?

Ben Tasker
Silver badge

Re: That is not what should be regulated

> If they don't, they pay the costs and if they pay too much, they end up dying.

> Sure, there will be a bit of a mess, but in the worst case customers will take their government-guaranteed money elsewhere and that will be that.

You seem to be ignoring just how unpleasant that mess can be for customers. In that period between "Oops clicked the wrong thing" and the Government paying out you've got missed mortgage payments (or missed rent payments), missed bills, potentially an inability to feed yourself or put fuel in the car to get to work.

All because some profit chasing fucker cut corners.

These measures aren't there to protect the banks, they're there to help protect the banks' users.

18
1

Things that make you go hmmm: Do crypto key servers violate GDPR?

Ben Tasker
Silver badge

I have previously received notifications because someone else uploaded my key, it was the result of a plugin in their MUA doing it on their behalf.

So yeah, they're not always there because the private key holder chose for them to be.

8
0

So... where's the rest? Xiaomi walks away from IPO with less than hoped

Ben Tasker
Silver badge

"The problem is that compared with other internet giants, or even other hardware leaders like Apple, Xiaomi hasn't built a strong enough moat to keep users within its ecosystem."

Wrong. That's exactly why I like my phone (Mi Mix2 for anyone wondering) - it's not constantly trying to get me to use their services, or tie me in. Building stronger lock-in would not be a good thing.

Is it perfection? No, but it's a damn good phone and cost a fraction of what Samsung are asking.

9
1

User spent 20 minutes trying to move mouse cursor, without success

Ben Tasker
Silver badge

Re: Training the trainer

> Except when the test is looking for the wrong answer taught in the course.

I remember nearly failing the European Computer Driving License (ECDL) course. Not because I couldn't work a computer, but because the "interactive" test expected you to achieve things exactly the way it was taught in the course (the long way round).

The one that really sticks in memory was "Create a shortcut to file foo.doc on the desktop". Explorer was already open in the directory, with foo.doc there.

Right-click. Wrong. Fuck. Left click, Edit menu, Copy. Right click on desktop. Wrong. Fuck.

Ultimately what the test expected you to do, was (using the menus in explorer), copy the file, paste as shortcut into the same directory as foo.doc, then relocate that shortcut to the desktop (via Explorer, not by minimising explorer and being on, you know, the desktop). So I got that question wrong, because you only got 3 opportunities to say fuck before it moved onto the next one.

In a weird way, it's one of the hardest tests I've ever sat. Not because the challenges themselves were in any way complex or difficult, but because they'd taken the view there was only one way to complete any given task, and that way was the most bone-headed inefficient way you could possibly think of.

12
0

New York State is trying to ban 'deepfakes' and Hollywood isn't happy

Ben Tasker
Silver badge

> Plus, if they get an image of you in the street being rammed every which way by multiple cocks, it's because you were having an orgy in the street.

Taking a picture of someone walking down the street is somewhat different to having AI take existing innocent footage, build a model, and then almost seamlessly put your head and face onto the body of someone in a gay orgy clip.

11
1

WannaCry reverse-engineer Marcus Hutchins hit with fresh charges

Ben Tasker
Silver badge

Re: Who do you trust?

> Make no mistake, the UK legal system is just as bent and crooked as the US one.

And now, of course, severely under-resourced. If you need a duty solicitor you might be lucky to find one, and may end up sat in custody for 20 odd hours while they try to arrange transport for the custody hearing because the local court has been closed.

The American legal system is a heap of shite, but you're right in that ours really isn't far behind in many different ways.

1
0

Dems push Ryan to vote to help save America's net neutrality measures

Ben Tasker
Silver badge

Re: 86% of Americans agree with *THEM*? Since *WHEN*?

That's probably also why it's not been allowed to go to a vote. They don't want to let this pass, but also don't want to be seen, quite so visibly, to be screwing consumers over.

8
0

ICO smites Bible Society, well fines it £100k...

Ben Tasker
Silver badge

Re: OK if they pro-rata the fine when its applied to big business

> The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them,

Unless, of course, they've realised that a department... say GCHQ... wasn't actually exempted from, I dunno, let's say the Computer Misuse Act and so passed an amendment and applied it retrospectively in response to that department being sued.

That's totally different, you understand...

12
0

Oddly enough, when a Tesla accelerates at a barrier, someone dies: Autopilot report lands

Ben Tasker
Silver badge

Re: Fire Department

The water is used to cool the packs. They actually used foam to try and extinguish the fire.

5
0
Ben Tasker
Silver badge

To be fair, what you seem to be talking about is AEB - which Teslas do have.

But, most (if not all) models of car with AEB disengage it above a certain speed (usually about 30) so that false alarms don't lead to cars braking sharply in the middle of the motorway, causing a hazard in themselves.

So it's not too surprising that AEB didn't trigger in this case. Though as you say, it's concerning that the car appears to have done precisely nothing, even in the final moments to suggest it even knew what was coming.

As concerning as that is, though, Tesla's response is far more worrying. That habit of blaming everyone but themselves does not inspire confidence. Yes, the impact attenuator was missing, but it was only needed because Tesla fucked up. Its absence potentially worsened the accident, but did not cause it. Yes, his hands were off the wheel, just as the hands of many people using Autopilot are off the wheel sometimes (his hands were, however, on the wheel for than 50% of the preceding minute).

Tesla do a massive disservice to the autonomous car industry (outdone only by Uber, in some respects). Their cars lack hardware that would dramatically improve safety, and their attitude as a company towards accidents and safety is one of a company that should no longer exist.

5
0

Cloudflare experiments with hidden Tor services

Ben Tasker
Silver badge

Re: Confused

Currently, not that much.

So far, they've only launched Hidden Service support for their DNS over HTTPS (DoH) service.

What it means is that rather than transiting the open internet (whether directly or passing through Tor first), your lookups can go to their resolver without leaving the Tor network. That's a good thing (reduces usage of the limited exit node bandwidth, provides strong authentication that you're talking to an authorised server etc).

What they haven't launched (I suspect the word yet applies here) is support for hosting hidden services via Cloudflare. Though why anyone would want to....

2
0

IPv6 growth is slowing and no one knows why. Let's see if El Reg can address what's going on

Ben Tasker
Silver badge

Re: GDPR

That makes *0* sense. If the website didn't support it, there would be no AAAA record in the DNS reply, and so IPv6 would never be attempted in the first place.

Technically, you'd still see a small increase in perceived time to first byte as you'd have a second round trip to your DNS server to fetch the A records. But I'm just splitting hairs, because if that's noticeable you probably want to be thinking about using a better performing recursor.

3
0
Ben Tasker
Silver badge

> Quote: "...You go to your ISP and ask them to open up a certain port.."

> Misleading. Three steps are needed and ANYONE can run an external ftp service on their home network:

I think he was referring to a user behind CG-NAT and not simply referring to NAT on their home router ;)

4
0

Tech support made the news after bomb squad and police showed up to 'defuse' leaky UPS

Ben Tasker
Silver badge

Re: Boom!

> Other activities were far more dangerous at that job though

If you want to see something equally scary, try googling for how to de-sulphate a lead acid battery.

I guarantee you'll find more than a few people recommending that you do the following

- Put the battery on a bench

- Get your arc welder and clamp the cathode onto the positive terminal

- Turn the welder on

- Repeatedly tap the anode against the negative terminal

The theory being that the (high) charge going through should shake the sulphate back off the plates.

Of course, that'll lead to a release of hydrogen, and it's not as if the primary fucking task of an arc welder is to create an arc/spark hot enough to melt metal (let alone ignite hydrogen)....

11
0

Consent, datasets and avoiding a visit from the information commissioner

Ben Tasker
Silver badge

Re: Commercial relationship?

> If you had consented, then there is no need for these GDPR related consent emails.

To be fair, there is if they feel they don't have sufficient records of your consent. Remember they've got to record the exact terms you consented to as well as the fact that you consented - that's a gap for an awful lot of companies.

3
0
Ben Tasker
Silver badge

Re: Commercial relationship?

> For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable.

That's also not strictly true.

You may need to retain the customer's details (in the form of your invoice) for tax purposes. GDPR provides for this with Section 6(1)(c) Compliance with a Legal Obligation.

Course, you need to actually show that you are obliged, but the user/customer can also not withdraw consent (as it's not held/processed on the basis of consent for this). They can still ask you to provide details of everything you've got stored for them.

But the details you'd be holding should, at most, be those that are essential for the invoice and nothing more. And you can't then scrape data off your invoices and go off and send marketing emails as that's processing for a purpose other than that stated.

6
0

Password re-use is dangerous, right? So what about stopping it with password-sharing?

Ben Tasker
Silver badge

Re: Overhead

My guess is that their reference to overloading auth servers probably relates to requests coming in from other services saying "hey, can you check if this password has been used?" rather than those going out as a result of a user changing their password on that service.

Which is a valid concern, imagine if you signed up your relatively small site to it (for security, you understand) and then Facebook also joined and you had to handle a request whenever one of their users changed password (or created an account - including all the bots).

There are limits to how cheap you can make the processing too, so the only way you'd get around that, really, is to have some third party act as a middle-man for answering other's requests. Which means they'd need to hold a copy of your hashes, painting a big fat target on their backs and raising a number of other concerns.

Of course, at some point, someone will suggest sticking the hashes in a blockchain so that a network of nodes could handle the requests - they may even get rich/lots of funding off the idea, but it isn't necessarily a good idea for numerous reasons.

3
0
Ben Tasker
Silver badge

Re: Salt

When you've got the password available (so when they're setting a new password, or just after a login in the switchover period) you'd need to generate and store a representation of it in a format which could be used for this.

Hopefully no-one would be stupid enough to suggest plaintext or using reversible encryption, but there'd need to be some kind of shared format (I guess probably a cryptographic signature using publicly known keymatter, or some other derivation). You'd then use that for comparison whenever you receive a request to see if any of your users are using that password.

It does mean you'd essentially be storing a value derived from the password twice (your normal hashing mechanism + one of this) which could potentially open up some new and interesting brute-forcing tactics (attack the weaker of the two hashes, when you get a match, pass it through the stronger mechanism to see whether you got the actual password or just a collision - the latter is fine for logging into that service, but getting the actual password is more valuable if you want to try their password on other services)

2
0
Ben Tasker
Silver badge

Re: Why not make the browser hash passwords.

The problem with doing that, though, is it introduces issues of its own.

If the hashing mechanism for your "HashedPassword" standard turns out to be a bit collision prone (as they often do after years of use), then it doesn't matter what hashing mechanism (if any) is being used on the server as a brute forcer now has a weak point that can be targeted.

It also adds some complexity to the browser too, of course, but no-one seems to give a fuck about that anymore anyway :)

2
0
Ben Tasker
Silver badge

Re: A site might know if two visitors to that site have the same password

Yeah, I've always preferred to have an independent per-user salt for that reason. Using the user-name opens you up to exactly the issue you suggested - password re-use on another site using the same mechanism will result in an identical hash.

The salt is just a randomly generated string stored alongside the user data in the user's table, one per user. People forget that a salt is not a secret, and treating it as such just leads to complexity in your code (which'll get unravelled soon enough). Its primary aim is to tip the cost/benefit balance of generating rainbow tables.

Site-wide salt = Generic rainbow tables don't apply, but for a high value target you could generate a set for the site. Likely better to fall back to hash bruteforcing unless you're planning on exfiltrating the users table regularly

Per-user salt = Generic and site specific RTs don't apply. Generating per user is possible, but time consuming, expensive (from a storage PoV) and not really worth the effort. Fall back to bruteforcing the hashes instead.

No part of either of those requires the salt to be secret. Making it secret might add a few hours fact-finding into the process, but that's nothing compared to the time & computing effort the presence of a salt has already added.

4
0
Ben Tasker
Silver badge

Re: How would two sites know that passwords are the same?

I would guess that for the purposes of this, there'd be an agreed format for it to be stored in.

In fact, for this use-case, you probably wouldn't use a salted-hash in the way you would for credential storage - this stuff would only be triggered when a password is _set_ so you could afford to go for something a bit more expensive in processing terms. So, you'd probably generate a cryptographic signature using a shared/known key.

The problem is, with a globally shared key, you could _potentially_ still try and bruteforce signatures (the tables you generated would be applicable to every platform using the comparison service - essentially losing the benefit that a salt traditionally provides).

The alternative, as you say, is probably that services need to keep the password in some reversible format so that they can answer similarity requests. There are ways other than simply storing plaintext (or an encrypted version of, which is no better) but I don't know how strong they are against a determined analysis.

1
0
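An added illustration of the two posts above (it is not code from the original thread): a site that salts with the username produces the same hash for a reused password on every site using that scheme, a per-user random salt does not (and verifying against it needs only the stored, non-secret salt), while an HMAC under a publicly known shared key (the "cryptographic signature using a shared/known key" idea) is comparable across sites precisely because it is identical everywhere. The password, username and shared key are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample values: one user reusing one password on two sites.
PASSWORD = b"correct horse battery staple"       # constructed
USERNAME = "alice"                               # constructed
SHARED_KEY = b"publicly-known-comparison-key"    # hypothetical shared key
ITERATIONS = 100_000


def hash_with_username_salt(username: str, password: bytes) -> str:
    """Username as salt: every site using this scheme derives the same value."""
    return hashlib.pbkdf2_hmac("sha256", password, username.encode(), ITERATIONS).hex()


def hash_with_random_salt(password: bytes, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt, stored (not secret) next to the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS).hex()
    return salt.hex(), digest


def verify_random_salt(password: bytes, stored_salt_hex: str, stored_digest: str) -> bool:
    """Verification needs only the stored salt; its secrecy plays no part."""
    _, digest = hash_with_random_salt(password, bytes.fromhex(stored_salt_hex))
    return hmac.compare_digest(digest, stored_digest)


def shared_key_tag(password: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC under a shared key: comparable across sites, but identical everywhere."""
    return hmac.new(key, password, hashlib.sha256).hexdigest()


def demo() -> dict:
    """Simulate two independent sites storing the same reused password."""
    site_a = hash_with_username_salt(USERNAME, PASSWORD)
    site_b = hash_with_username_salt(USERNAME, PASSWORD)
    salt_a, rnd_a = hash_with_random_salt(PASSWORD)
    salt_b, rnd_b = hash_with_random_salt(PASSWORD)
    return {
        "username_salt_matches_across_sites": site_a == site_b,      # True
        "random_salt_matches_across_sites": rnd_a == rnd_b,          # False
        "random_salt_still_verifies": verify_random_salt(PASSWORD, salt_a, rnd_a),
        "shared_key_tag_matches_across_sites": shared_key_tag(PASSWORD) == shared_key_tag(PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```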
Ben Tasker
Silver badge

Re: 2 part Authentication - more data slurping

Skype's slurping up dates of birth too - forced me to enter before I could load the client the other day.

My guess was that one was more to do with GDPR and what they can do with your data, so obviously I told Skype I'm 9 years old.

> Twitter is currently collecting the mobile phone numbers of its users. How safe is that info with them? They're not allowing any accounts without phone numbers, so sod 'em.

They prompted me a while back to enter my mobile number to prove I wasn't a bot. So while I was in Tesco's I picked up a PAYG SIM and gave them that number. Once in, I deleted it back off my profile. It'll only ever go in a phone when I need to "verify" myself.

At first it felt a bit overly paranoid, but actually - they're insisting on my number (which they don't need on a routine basis) and asking me to trust them not to lose or misuse it. Once it's out, it's out, so why would you give them your regular number?

3
0


Biting the hand that feeds IT © 1998–2018