* Posts by Ben Tasker

1467 posts • joined 23 Oct 2007

Linux kernel community tries to castrate GPL copyright troll

Ben Tasker
Silver badge
Joke

Re: I'm confused

> ... 10K per violation. There's 100 of them, so that's 100 grand please. ...

> You've missed a zero, mate. It is a million.

Nah, Theresa May made a speech while I was typing and Sterling plummeted again.

Also, D'oh

2
0
Ben Tasker
Silver badge

He keeps his legal fees as low as possible by avoiding using lawyers as far as possible.

He had to withdraw one case that went to court because the judge had questions about an affidavit he filed, and wanted to speak to his lawyer. The lawyer in question hadn't touched said affidavit, so they withdrew (I don't know exactly what was wrong with it).

His settlements tend to come in stages (a lowish first stage, which gives him the leverage for a subsequent higher claim) so I guess that fills the gaps a bit too.

1
0
Ben Tasker
Silver badge

Re: After reading this I am still confused.

> Failed to provide copies of the source for the binaries, either with those binaries or on request from recipients.

Not always. His claims are rather inventive at times.

In at least one case, the offer of source was there, but it came from the distributor's parent company rather than the distributor itself.

3
0
Ben Tasker
Silver badge

Re: How long before...

> How long before... All trace of his code is expunged from the Linux Kernel?

Already being discussed AIUI.

2
0
Ben Tasker
Silver badge

Re: I'm confused

I'm confused too. In the UK, you'd normally be restricted to claiming the amount of your actual loss from the violation, which in most cases would be close to zero. It would appear that the results of the German claims are not easily publicly obtained, so it's difficult to know what the basis of any settlement might be.

There's a link above that explains it better, but basically what he's doing is this:

Stage 1:

Hey, ACME, you're not in compliance with the license, infringing my copyrights. Pay me 5,000 for my engineering time and I'll help you get it right.

OK, that's done, please sign this cease-and-desist to confirm receipt.

Stage 2:

Hey, ACME, me again. I've found some other violations. According to the terms of our contract (the signed cease-and-desist) that's 10K per violation. There's 100 of them, so that's 100 grand please.

ACME's companies look favourably on stage 1 because it's a cheap way to avoid costs, and seemingly low risk. Under German law, though, when that C&D is signed, it becomes a binding contract - and that's his money maker.

If you look at some of the claims he's made too, some of them are... inventive. At least one was on the basis that "ACME" was distributing GPL code, but the offer for the source came from ACME's parent company.

5
0

BlackBerry Motion lurches into UK stores

Ben Tasker
Silver badge

And it's got a headphone jack!

It actually looks like it's got some potential; they seem to have at least put some thought into security on the face of it. I'd probably have balked at the price a while back, but given the asking price of some of the more recent releases it seems a lot more reasonable.

Tech-Radar labelled it as "not exciting" (http://www.techradar.com/reviews/blackberry-motion) which kind of misses the point that I don't actually want my phone to be exciting. I want it to work, and not gradually grow into a bigger and bigger mobile security hole over time. Maybe that's just me?

6
0

uBlock Origin ad-blocker knocked for blocking hack attack squawking

Ben Tasker
Silver badge

Re: Hang on a minute

Terribly sorry, I'm with the "feature, NOT bug" crowd here. I feel no obligation to assist said website with any reports about anything.

The flipside of that, of course, is that the day you visit with a "fresh" browser (having forgotten to install Noscript/uBlock et al) and get pwned via XSS, it's partly your own fault as the site admin could have received warnings at an earlier stage if you'd only been prepared to provide them.

That said, that's a trade-off I'm willing to make - it's an issue of consent in my mind.

Though I'd describe this less as a "feature" of uBlock than as a lack of a feature - there should be a toggle so the user can choose to enable CSP reports if they want (rather than having to update the whitelist).

8
3

More and more websites are mining crypto-coins in your browser to pay their bills, line pockets

Ben Tasker
Silver badge

Re: Hijack the hijack?

> You wouldn't want to run a Javascript miner, you'd want to get one written in C for greater efficiency, or better yet runs on a discrete GPU if you have one.

With Monero (which is what's being mined in most of these cases) there's very, very little advantage to using a GPU over a CPU - it was specifically designed to limit the advantage.

But, yes, a miner written in C (or in fact, almost any other language) will be more efficient than one running within the browser, even as WebAssembly.

1
0

Dumb bug of the week: Apple's macOS reveals your encrypted drive's password in the hint box

Ben Tasker
Silver badge

Re: That's not even wrong

> How do they even _have_ the plaintext password to display there?

They have it in plaintext at the time you enter it to create the volume. The root of the issue is that they've done something like:

    diskval.hint = null
    diskval.pass = buildKey(password)
    if (hint)
        diskval.hint = password   // bug: copies the password where the hint should go
    createVolume(diskval)

The root cause is probably a copy/paste of a block that checked for and set the password, and then they changed the conditional but forgot to change the name of the variable they were taking data from.

15
0

European Commission refers Ireland to court over failure to collect €13bn in tax from Apple

Ben Tasker
Silver badge

> How much of this money goes to Ireland and how much to the EU?

AFAIK, it all goes to Ireland.

Whether it then gets factored into a percentage later in terms of what the EU gives/takes from Ireland is another matter, but the actual money under discussion goes to the Irish treasury.

13
0

Cloudflare coughs up a few grand for prior-art torpedoes to sink troll

Ben Tasker
Silver badge

There may be occasions where your patent is valid, but you come to realise that you're massively outgunned - the unauthorised usage of your patent may not outweigh the risk to your business from high legal costs for the duration of the case.

Having the patent invalidated because a bigger company said "fuck you, let's see whether you can last the whole case" probably isn't a good idea, as big companies will just ignore patents (as they do now) on the basis that you can't even really threaten them on the offchance of a settlement if it means invalidation when you can't risk following through.

Not that the current system doesn't allow for that risk anyway, and not that the current system is any good, but I think you're probably introducing more issues for "honest" companies there without actually doing too much harm to the trolls.

2
0

'Don't Google Google, Googling Google is wrong', says Google

Ben Tasker
Silver badge

> "Content-Type"

> Don't use when referring to types such as "application/json"; instead, use "media type."

Sod off Google, RFC2616 disagrees with you.

Media may well refer to actual physical media, so media type's a shitty selection too.

7
0

Daily Stormer binned by yet another registrar, due to business risks

Ben Tasker
Silver badge

Re: Discrimination or not...

> So when do businesses legally get to refuse customers without being accused of discriminatory behaviour?

When the basis of their discrimination is an attribute/quality that's protected by law. See, that wasn't so hard.

You can't be discriminated against for being gay, or for your race (and in some places, age), but you can be for being a jackboot wearing racist dickhead. It's actually quite simple.

8
0
Ben Tasker
Silver badge

Re: Quick note from easyDNS

> If they really wanted to, they could just publish an IP address - no DNS needed.

Or indeed set up a tor HS, or publish your own records into an alt dns zone.

0
0

HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?

Ben Tasker
Silver badge

> And though I moved to the smartphone app to generate codes, that was a debacle and a half. I didn't have a dongle so I couldn't change to the app, resulting in them sending me a dongle and then me having to use that to activate the app. When they didn't work, they deactivated the dongle and then they started telling me to "just enter the code from the dongle into the app" "the one that's deactivated now" "Yes" "Surprisingly that doesn't work" "No problem, just log in and order another." "Cool... how do I log in now that the dongle is deactivated..."

Heh, try sticking with the dongle.... I won't use the pile of crap that is their app, so I want to stick with the dongle. Except, you can no longer order a replacement (when the battery gets low) through Internet Banking. Their site says to send them a secure message through Internet Banking to request a new one, so OK.... And you get the following response back:

> I regret that I am unable to replace the secure key via this messaging service. We were able to send replacement keys through the secure messaging service, however due to a change in policy and for security reasons we can no longer do this.

Instead you've got to phone them. So I can't order a replacement dongle using a service that I need access to the physical token in order to use, because that's insecure, but I can phone them and just give them my internet banking creds to do so.

Clearly I know the creds as I'm logged into Internet Banking to send the message, so all they're actually doing is removing a layer of security.

11
0

How the CIA, Comcast can snoop on your sleep patterns, sex toy usage

Ben Tasker
Silver badge

Re: Linksys EA7500 -- It's worse than you think....

> Then I reset the thing and took it to the local charity shop.

You may have done someone a serious disservice there, would probably have been better to bin it.

3
0

Google bins white supremacist site after it tries to host-hop away from GoDaddy

Ben Tasker
Silver badge

Re: As much as I hate nazis...

> This isn't about hosting the objectionable material, it's about their domain name registration. So this is more analogous to being denied a corner to screech from, because you don't have the documentation that will allow you out on the street.

No it's not. They could still stand on that corner - after all you can host a site and have it accessible without DNS at all.

If you want to analogise it to standing on a street corner, not being able to get a Domain Name registration is more like someone refusing to list you in their directory of who's speaking where so that people can come and find you. Instead you have to rely on word of mouth.

2
1

GoDaddy gives white supremacist site its marching orders after Charlottesville slur

Ben Tasker
Silver badge

> The Stormer has been spewing hate for four or five years.

True, but having dug out the article in question.... fucking hell.

I wouldn't have given them 24 hours to be honest.

3
1

FBI's spyware-laden video claims another scalp: Alleged sextortionist charged

Ben Tasker
Silver badge

Re: Fingers crossed he rots somewhere horrible for it...

> Recent events elsewhere suggest that might be an overly optimistic point of view.

Aye, that's a fair point.

> What would happen if a scumbag just disconnects from the internet before accessing any media?

It depends on the mechanism used to be honest. If you're using the old-fashioned "tell the player it's a DRM-encumbered file and please fetch the license from URL" approach, then depending on the player, it'll fail to play and tell them they need to be online.

That might scare the scumbag off playing it, or if they're suitably stupid (or so horny at the thought of the video they're not thinking straight), they may go online again to play back.

Some players may realise that the video isn't actually encrypted and play it back anyway.

Other techniques, though, may simply queue a request in the player, which'll be placed when said scumbag reconnects.

All that, of course, is assuming they don't write it to a USB stick and take it to an airgapped PC with a player on it.

0
0
Ben Tasker
Silver badge

Re: Fingers crossed he rots somewhere horrible for it...

> 'list of things to be careful about' : don't use windows media player*

> ....

> * I mean, if it doesn't play in VLC you don't touch it anyway right?

I've got bad news for you :)

At least one of the techniques that can be used for this works just fine in VLC too. You'd be better off sticking with something like ffplay and using various flags to lock things down (or inspecting the file with ffprobe first). Obviously the 100% certain way, though, is not to be an exploitative scumbag in the first place.

6
0
Ben Tasker
Silver badge

Re: OMG. Feds gather evidence of actual crime, get court warrant and arrest actual suspect

> OMG. Feds gather evidence of actual crime, get court warrant and arrest actual suspect

Yup, it's actually quite a nice use of the tool to be honest. Especially as his demands for video made life much easier for them - they didn't need to trick him into opening a file, just provide something that appeared to be what he'd asked for.

9
0

Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev

Ben Tasker
Silver badge

Re: Blind support

> For example, if the guilty person you release goes on to murder a dozen innocent people, that's 12 people who have been killed plus all their family/friends etc.

That, however, is likely the status quo if you hadn't caught them in the first place. Unpleasant, but still.

Convicting and punishing an innocent person, though, is something that wouldn't have happened without your involvement, and is therefore arguably far more unjust.

1
0

Microsoft bins unloved Chinese cert shops

Ben Tasker
Silver badge

> WoSign has labelled Microsoft's post “misleading”. In a post we've shoved through online translation engines, the company says its replaced its root certificate in November and that its recent certificates present no risk to users

They said the same about the Firefox/Chrome de-trust.

When I was looking at it last, I didn't find a conclusive answer on the truth of it, although they have submitted a new audit to try and get re-included in both Firefox and Chromium. But, crucially, the Chromium bug says they don't expect the audit to complete until October, so that's after the certs will have been distrusted.

So my conclusion for anyone relying on WoSign was basically - ignore what they're saying, there's a greater than acceptable chance they're wrong and the certs won't be trusted.

1
0

WannaCry kill-switch hero Marcus Hutchins collared by FBI on way home from DEF CON

Ben Tasker
Silver badge

Re: Phew

> It would not be an obvious burner phone. Just a 2nd hand one with a new SIM.

Yup, exactly. If you've engraved 'burner0001' into it, you're probably doing it wrong.

0
0
Ben Tasker
Silver badge

Re: Phew

> Not sure why I'm bothered, but being in IT might make me a target for some reason

To be honest, the way things are going over there, being bothered is entirely sane. It's just not worth the potential hassle to travel over there, particularly if you're going somewhere that may raise your profile (like defcon).

There aren't many countries I'd outright refuse to travel to for work, but the US is currently top of that list. To be honest, I'm not convinced I'd be too pleased about travelling to the UK if I didn't already live here, but we are, at least a long way behind the US in the arresting-for-the-fuck-of-it stakes.

If I *had* to go, it'd be with burner phone, laptop etc. with no credentials to access anything until they're communicated to me once I'm safely into the country (and deactivated before I leave). Even a few years ago that'd sound incredibly paranoid, and it's scary how increasingly rational it seems to have become.

92
3

Send mixed messages: Mozilla wants you to try its encrypted file sharing

Ben Tasker
Silver badge

Yeah, basically they've fallen in the same trap that many others have. They've done the easy bit - encrypting the files, and left the users to deal with the much harder challenge: securely exchanging keys (or in this case, the URL). Compromise of that URL means compromise of the file.

I've got a BASH script that'll generate a one-time pad for any given file, and then encrypt it with it. But because of the difficulties in securely exchanging keys it's next to useless in practice.

The medium you use to exchange the key needs to be at least secure enough to send the file (if it's not, you risk compromise of that file). If you consider (say) skype IM secure enough to send the key you may as well just send the file (or break it into chunks and send each using different services).

What this might do, though, is mean that users who wouldn't normally encrypt files they're sending start doing so, because it's all but transparent to them. More encrypted traffic flying around is a good thing for all of us as it increases the size of the haystack.

Basically, I think the functionality misses the mark a bit. But, because it's conveniently located in a popular application it may still have some positive benefits.

7
0
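The key-exchange argument above made concrete, as an added example that is not the author's bash script: a one-time pad in Python, plus a model (assumed, not Firefox Send's real format) of the "the URL is the key" design. The pad is exactly as long as the file, so any channel trusted to carry the pad could have carried the file; and whoever sees the link has the key.

```python
# Added example, not code from the post or from Mozilla. One-time pad plus a
# model of a "key in the URL fragment" download link (the link format is an
# assumption for illustration; the host and path are constructed).
import base64
import os
from typing import Tuple


def generate_pad(length: int) -> bytes:
    """Fresh random pad of exactly `length` bytes from the OS CSPRNG."""
    return os.urandom(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR `data` with `pad`; encryption and decryption are the same operation.

    A pad shorter than the data is rejected: stretching or repeating a pad is
    one of the ways a 'one-time' pad stops being one.
    """
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Return (ciphertext, pad).

    len(pad) == len(plaintext): whatever channel is trusted to carry the pad
    could have carried the file itself, which is the post's point.
    """
    pad = generate_pad(len(plaintext))
    return otp_xor(plaintext, pad), pad


def key_in_url(base_url: str, pad: bytes) -> str:
    """Model of a 'the URL is the key' design: the pad rides in the fragment.

    Browsers do not send the fragment to the server, so the host never sees
    the key, but anyone who sees the link (chat logs, mail scanners, shoulder
    surfers) has the file.
    """
    token = base64.urlsafe_b64encode(pad).decode("ascii").rstrip("=")
    return f"{base_url}#{token}"


def pad_from_url(url: str) -> bytes:
    """Recover the pad from the fragment (base64 padding restored)."""
    token = url.split("#", 1)[1]
    token += "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What reuse costs: with one pad used for two files, XORing the two
    ciphertexts cancels the pad and yields p1 XOR p2 with no key at all.
    Chunks of a file sent over different services therefore need
    independent pads."""
    n = min(len(c1), len(c2))
    return otp_xor(c1[:n], c2[:n])


if __name__ == "__main__":
    sample = b"constructed sample file contents"  # constructed input
    ciphertext, pad = encrypt(sample)
    link = key_in_url("https://example.invalid/download/abc123", pad)
    print("pad bytes to move securely:", len(pad), "of", len(sample))
    print("recovered via link:", otp_xor(ciphertext, pad_from_url(link)) == sample)
```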

WannaCry-killer Marcus Hutchins denies Feds' malware claims

Ben Tasker
Silver badge

Re: Oh dear... maybe

> It's not about some piece of code. One can opt to use pseudo-code or plain English sentences to explain one's findings.

When explaining how a bug can be triggered/exploited, pseudocode is precisely fuck all use. An English explanation may not be sufficient to repro the issue, and if it is then the 'bad guys' can use that to build their own weaponised exploits.

Your solution does nothing other than either prevent the sharing of information, or add a single step.

5
0
Ben Tasker
Silver badge

Re: So where will DEF CON move to?

They are apparently planning to hold one in Shanghai next year (as well as Vegas). Worrying that mainland China actually feels like a safer bet at the moment.

14
0
Ben Tasker
Silver badge

Re: GPS ankle bracelets

> As I already posted, I can fool my GPS watch just fine. I have the tools, unlike the Drooling Fool whose Uncool Tools also Drool...

It'd be spectacularly unwise to do so, unless combined with scarpering out of the country. Not only is it a breach of bail conditions (welcome back to prison), but they tend to use it as an excuse to charge you additional 'administrative fees'.

The US is, for all intents and purposes, a corrupt state. As someone else noted above, many of the court ordered 'privileges' such as bail bracelets are non-optional and charged to you at extortionate rates (have a google for the racket involving drink drivers and in-car breathalysers). Even posting bail incurs (high) non-refundable costs.

Most of it isn't so much justice as naked profiteering to the benefit of the Justice Dept's chosen suppliers. That's not justice, it's extortion with a judicial veneer. Of course, before you even reach that point you've got to contend with the cops taking what they please and calling it civil forfeiture.

America, the country where bankruptcy can come as a result of getting ill, or having to defend false and flimsy allegations in criminal court.

There are things in the US I'd like to have seen, but they're very firmly on my Do Not Visit list, and it's hard to foresee a future where that might change.

24
0

Sorry, psycho bosses, it's not OK to keylog your employees

Ben Tasker
Silver badge

Re: So he'd been a good employee

> Isn't it rather naive to assume that the legal justification for dismissing someone (or not quite legal in this case) is likely to be the actual reason they want someone out of the door? I can think of two or three cases in a place where I used to work where allegations of some sort of misconduct were blatantly really a way to try and get rid of someone whose face no longer fitted.

You're right, I made the assumption that he was fired on that basis alone.

That said, if you're trying to get rid of someone and need to find an excuse, then you really need to examine the legitimacy of your own actions. There's a vast range of reasons you can dismiss someone, and if your reasoning doesn't fit those then there's a good chance you actually deserve an unfair dismissal claim.

Most of those protections are there to protect us as workers. You can't simply turn a blind eye to shitty behaviour because it's directed at someone you don't like. Are they doing the job they're paid to do? Are they preventing others from doing the same, or otherwise harming the business? If the answers to those are yes, no then by trying to find an excuse to sack them the only justification that you likely have is that you yourself are a cunt. If they're not doing their job (or preventing others etc.) then there's a procedure to follow and then they're gone. Keep in mind you can still use that procedure for "there've been complaints that you act like an arrogant arse".

We've all worked with people we wish would just go, but if you look at it closely, removing someone's livelihood just because you don't particularly like them is a shitty and indefensible thing to do.

So as far as this case goes, he probably had been a good employee for years, at least in terms of anything with legal relevance. He may have been a complete dick at the same time, but if his employer simply used this as an excuse to get rid of him then they've outdicked him.

10
0
Ben Tasker
Silver badge

Re: Play the game

So he'd been a good employee for years, then spent a few hours, spread over the course of months on a personal project and you'd sack him?

Well done, you just lost years of experience and a good worker for no good reason (and are going to have to pay recruitment and training costs for his replacement). Had you instead talked to him to give him a warning you'd have kept that experience and skillset, avoided the replacement costs, and he'd probably not have repeated the behaviour once he knew how seriously you viewed it.

I'll never understand the mindset of those who think firing should be the primary course of action following a mistake. You might feel right and just doing it, but 99% of the time what you're actually doing is hurting the business.

58
0

Browser trust test: Would you let Chrome block ads? Or Firefox share and encrypt files?

Ben Tasker
Silver badge

Re: including El Reg

Yep that's also why I started blocking ads on el reg. Most of the others I could just about tolerate (auto-play vids aside, that's an instant block), but the background ad had a nasty habit of eating my cores.

If those have gone away, I'd be more than happy to put el reg back on the whitelist.

5
0

'App DDoS bombs' that slam into expensive APIs worry Netflix

Ben Tasker
Silver badge

Re: Uhm..

Glad I'm not the only one who thought this, and presumably not the only one who took slight umbrage at the quotes around the term application DDOS as if Netflix had coined a new term.

It's great they've released a tool to help, but the attack vector is far from new and a sane developer should already be considering it when designing a new system. If anything, it's a little worrying that Netflix seem not to have thought about it from the outset. Sometimes it's unavoidable, but the tone of the article does make it sound like it came across as a slight surprise.

It does sound like their performance testing may have been limited to using response times as a metric rather than doing proper scalability focused testing.

1
0

Autonomous driving in a city? We're '95% of the way there'

Ben Tasker
Silver badge

Re: I already have written software that drives like a human...

> As to the commenter that said he needs a car.. as he may realize that 10 minutes before closing he is in need of transport to the local shop.... That is what AI is for.. and Event Driven Commerce... The system should know you have no food, you are always last minute... and ... you have not eaten today.. so.. PRESTO.. the goods you just realized you want at your door 10 seconds after you realize that you need to get some grub....

Twas me, but you've missed an important detail.

I never said the cupboards were bare, I said I (strongly) fancied a kebab. So the AI would believe I've got plenty of grub, and it's the human whim that's generated my need. That's not a good fit for AI (assuming it is whim rather than an every Friday night thing).

So I'd still need to have a car sat on the driveway, ruling out dial-a-ride type solutions. Saying I'll just have to go without that kebab also isn't an appropriate answer - autonomous cars are supposed to be an improvement and that's a regression against the status quo.

I could, of course, buy a self driving car, but in the early stages of the market the price is likely to be high, and I actually enjoy driving (even in traffic), so why would I?

Even if the above weren't the case, your solution of AI only patches over the issues with the dial-a-ride model by introducing a separate component. Even then it doesn't get all of them: my trip to the kebab shop will cost me a few pence in petrol, what's the dial-a-ride trip going to cost me?

Like I said earlier, I'm not saying that it couldn't mean the end of private car ownership, just that that model really doesn't look at all compelling to me.

1
0
Ben Tasker
Silver badge

Re: Strong push?

> The end of private personal transport, the start of a new public transport system..

Maybe in cities, but even that's a stretch. Out in the sticks? Not a chance. If I fancy a kebab, or any other take away, it's a drive. With my car sat in the garage I can hop in and go, with book-a-ride I've got a lead time because the car's got to get to me first. Not much use when I've realised it's 10 til closing.

Even in cities, I'm not sure that'll take hold. You've already got taxis and buses etc, yet there's still plenty of car ownership. Autonomous cars may mean not paying a driver, but you really think a journey in them is going to be much cheaper than a taxi (particularly in the long term)? The company still has to recoup maintenance costs as well as the capital costs of buying the fleet.

I'm not saying it couldn't be the end of privately owned personal transport, just that I don't think it will be.

4
0
Ben Tasker
Silver badge

Re: Strong push?

> Its a revenue stream - if you buy your own autonomous car then you only pay once.

I suspect that history should give us a clue that that may not be the case. You'll buy the car and then pay a subscription for the cloud-based processing. We used to have this idea that you buy software once and then only pay if you want a newer version, but that's gone out of the window with subs being preferred, so why would a brand new market start with the less profitable option?

I suspect, at most, you'll see the first n years of that sub being rolled into the purchase price.

Autonomous driving is definitely progressing fantastically well, but for my part I'm still far from convinced that where we're heading will actually be better.

6
0

The eyes have IT: TSB to roll out iris-scanning tech for mobile banking

Ben Tasker
Silver badge

Re: I wasn't scared before...

> I never did get the idea behind biometrics for two reasons: you can't hide it and can't change it.

It's actually pretty good as a replacement for your username (which should be considered near public anyway), i.e. identification, other than that you can't change it (so not quite so convenient for forums and the like).

The problem with that, though, is there will always be the eejits who think biometrics are a good replacement for authentication. So, if you use it for identification, and someone else uses it for authentication, you get an overlap between data that can be public (i.e. usernames) and data that should be secret (i.e. passwords). Not quite as trivial to steal and use as a simple username string, but it does open the possibility of it happening - historically there's not been much effort put into protecting handles because they're considered publicly available knowledge.

So using biometrics for authentication is stupid (can't be changed if/when it leaks, currently technology is good but far from perfect etc), and using it for identification is a potentially bad idea too.

20
0

No one still thinks iOS is invulnerable to malware, right? Well, knock it off

Ben Tasker
Silver badge

Re: Jailbroken iPhones?

> It is all a matter of risk. IMHO, iOS is a lot less risky that Android.

Part of assessing the risk, though, isn't just weighing the probability that something will happen, but also of assessing the scale of the consequences if it does happen, despite the odds.

Clearly they're overstating the probability (or, at least, being very vague and misleading on it), but it does raise an interesting point. Assuming their stats (such as they are) are correct, the primary iOS target is enterprise devices. Meaning the malware is more likely to be targeted at exfiltrating data from, or getting a foothold in, enterprise networks.

That's potentially much higher consequences than if you get one of the many, many, many ad serving android malware variants. And there's probably a much lower probability, if you get iOS malware, that it'll simply serve ads.

Basically, what I'm getting at is, advertising article notwithstanding, iOS has a lower probability of malware, but for a business the risk may be higher. So you should at least have plans in place.

6
1
Ben Tasker
Silver badge

Re: Hmmm...

> It's rather telling that they refused to provide actual figures to back-up their claims, especially the "percentage of enterprise iOS devices with malware tripled over the last two quarters while the rate of Android malware stayed relatively flat over the same period" one.

That's probably the one claim in their piece that I can believe.

> It could've gone from 1 infected device to 3, whereas Android could've stayed flat at 20 million infected devices.

And that's why :)

12
1

UK government's war on e-cigs is over

Ben Tasker
Silver badge

Re: One has to wonder who is paying those guys off

Someone I used to work with brought kippers into the office for lunch once, we kicked him back out within seconds.

0
0
Ben Tasker
Silver badge

Re: No vaping in the workplace please(@Mephistro)

> This is exactly what vapers do, but they exhale a cloud that carries their exhalation a lot further,

Not really. The cloud makes it visible for a lot further, but their actual exhalation probably isn't travelling much (if any) further than a non-smoker breathing out when they've got a chest infection.

I'm not saying that certain vapers don't need to be a bit more aware of others, but it doesn't make what you've said any more correct.

I've worked with people who claimed to be sensitive to vape, and I've worked with people who didn't want to go outside to vape (days where the two overlapped were occasionally interesting). About the only conclusion you can reliably draw is that different people are... different. Well, that and some non-smokers (or worse, ex-smokers) can be incredibly and unnecessarily judgemental.

When you go out in public, you're breathing in whatever everyone else has exhaled, whether you can see it or not. Frankly, vape should be the very least of your concerns.

3
0

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Ben Tasker
Silver badge

> If you use shared hosting, you cannot use your own cert - and must pay your hosting company to add a cert.

Actually, a good number of hosting providers have been enabling LetsEncrypt support in CPanel (or whatever interface they expose to customers), so whilst this is true for some, it's no longer a hard and fast rule.

> I get "free" hosting with my internet service, but this does not support SSL at all - so yes "all I have to do" is switch hosting which means paying someone else for something that is currently included in my internet package.

To be fair, that's not so much a cost in SSL as a limitation in the hosting you're using

If you host more than one site, then you have to use SNI - which puts restrictions on the software you can use and also locks out older clients.

There're very few restrictions on the server side software nowadays, because most things now support SNI. The number of distinct older clients that don't support SNI in the wild is also now quite low (though, as you note, still with a *lot* of users behind them)

So yes, it's now really cheap - but it is not "free" in general.

It is (or can be) entirely free in the fiscal sense. You can get a cert for £0.00 (and have been able to for a long time).

But, you're right in that there are associated costs - additional processing overhead (however small, it's still there), the need to balance pissing off users with old software vs maintaining security.

But, on the other hand, if you're on cheap (or free) shared hosting, you probably don't have the user volume to have to worry too much about pissing the users off, and the additional processing overhead is your hosts problem.

2
0
Ben Tasker
Silver badge

Re: There is a dark evil danger to the big uptake of HTTPS

> Hopefully can find more soon to say whether this is something I can trust with banking app etc or not, don't suppose anyone here at El Reg has more enlightenment than I can find thus far?

Has generally worked well enough for me. It was a while ago I set it up, but this is the setup I went with: https://www.bentasker.co.uk/documentation/mobile-phones/277-android-protecting-your-network-data-from-local-snooping

I've not had any issues using banking (though I only do it in browser, as I'm not too comfortable with the state of banking apps (though they may have improved in the meantime)).

That's assuming, of course, that you control the VPN server, and trust (to a given extent) the hosting provider. You also need to think about what type of server you're using: if it's an OpenVZ slice (for example) there's slightly more risk of someone in another slice on that server being able to jump slices. Probably still lower risk than random public wifi APs though.

The DNS misbehaviour you saw with Opera Mini, was it just that you didn't see the queries transit the tunnel? IIRC it forwards all requests (including the initial DNS lookups) via one of Opera's servers, and hopefully that connection was going via the VPN?

2
0
Ben Tasker
Silver badge

Re: Multiple servers?

> Let's Encrypt wildcard certs are probably tenable if you're going to use them on only one server. If you have more than one server, I suspect you'd have to nominate one server as the wildcard renewal server and then after a renewal, have it copy the new cert files to your other servers that need it

More or less what I do. Certbot writes the cert out into a git repo, and my wrapper script commits and pushes. Other machines on my edge poll periodically to see if the repo has new commits; if it does, they git pull and then reload nginx.

> One obvious trick is to buy a 3 years wildcard cert so you don't have to renew/re-install the certs on multiple servers too often.

As of CAB Forum Ballot 193, the maximum validity of a certificate is being capped again. So from next year (March IIRC), the maximum length of a cert will be 825 days (basically 2 years with a little padding to allow for renewal times).

There was a previous attempt to bring the lifetime down to 13 months, but it didn't pass. All the same, expect that 2 years to drop further at some point in the future (especially as it's Google who wanted 13 months, so changes may come via Chrome rather than a ballot).

1
0
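The renew-commit-push / poll-pull-reload arrangement described in the reply above, written out as an added example; this is not the commenter's wrapper script. It assumes a hypothetical working copy of the cert repo at `$CERT_REPO` on the renewing host with `origin` pointing at a private remote, clones of that repo on the edge nodes, and that the renewing side is invoked by certbot as a `--deploy-hook` (certbot exports `RENEWED_LINEAGE` with the directory of the lineage it just renewed):

```shell
#!/bin/sh
# Added example: push a renewed certificate through a git repo and have edge
# nodes pull it and reload nginx. Paths and names are hypothetical.
set -eu

CERT_REPO="${CERT_REPO:-/srv/cert-repo}"     # hypothetical: working copy of the cert repo on the renewing host
RELOAD_CMD="${RELOAD_CMD:-nginx -s reload}"  # run on an edge node after a new cert has been pulled

# Renewing host: copy the lineage's cert and key into the repo, commit, push.
# Intended to be called from certbot via --deploy-hook; certbot exports
# RENEWED_LINEAGE as the directory of the lineage it just renewed.
publish_cert() {
    lineage="$1"
    name=$(basename "$lineage")
    mkdir -p "$CERT_REPO/$name"
    # certbot's live/ entries are symlinks; cp follows them and copies the content
    cp "$lineage/fullchain.pem" "$lineage/privkey.pem" "$CERT_REPO/$name/"
    git -C "$CERT_REPO" add "$name"
    if git -C "$CERT_REPO" diff --cached --quiet; then
        echo "publish_cert: $name unchanged, nothing to commit"
        return 0
    fi
    git -C "$CERT_REPO" commit -q -m "renew $name $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    git -C "$CERT_REPO" push -q origin HEAD
}

# Edge node: fetch, and only if the remote branch has moved, fast-forward and
# reload. Returns 0 when a new cert was pulled, 1 when there was nothing new.
poll_and_reload() {
    checkout="$1"
    branch=$(git -C "$checkout" symbolic-ref --short HEAD)
    git -C "$checkout" fetch -q origin
    local_head=$(git -C "$checkout" rev-parse HEAD)
    remote_head=$(git -C "$checkout" rev-parse "origin/$branch")
    if [ "$local_head" = "$remote_head" ]; then
        return 1
    fi
    git -C "$checkout" merge -q --ff-only "origin/$branch"
    $RELOAD_CMD
    return 0
}

# When certbot runs this script as its deploy hook, publish the renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    publish_cert "$RENEWED_LINEAGE"
fi
```

On an edge node a cron entry running `poll_and_reload /path/to/cert-checkout` every few minutes is enough; the fast-forward-only merge means a node that has somehow diverged fails loudly rather than silently serving a mix. Note that `privkey.pem` goes into the repo, so the remote has to be private and reachable only by the renewing host and the edge nodes.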
Ben Tasker
Silver badge

> doesn't this mean that the assurance level (or trustworthiness) of any HTTPS web site has just dropped a notch?

Not really. For DV-level certs, you still just need to exercise proof of control over the domain (depending on the CA, that might be clicking a link in an email, creating a DNS record, or creating a specific page on the site).

So it's no harder to provide the proof for a cert. The only thing that's gone is the payment trail (but then, if you were that way inclined, you'd use stolen details anyway. Cert might get revoked eventually, but Chrome doesn't check CRLs and it'd take long enough for you to catch a few people out anyway).

So the assurance level hasn't really changed. What might be changing though (hopefully) is people's understanding of just what level of trust having a DV certificate actually implies (very little other than that you appear to have connected to the correct server).

0
0
Ben Tasker
Silver badge

Re: HTTP has got to go

> You typed all that just to be wrong? Wow.

> HTTP is acceptable for nothing, not even static pages.

Only a Sith deals in absolutes.

There are in fact use cases where plain HTTP is acceptable, and in fact entirely unavoidable. Thankfully they're becoming less common, but they do exist.

For example, I have a script/service that checks whether your ISP is intercepting HTTP connections (by, for example, passing them through a transparent proxy), whether they're messing with the data in any way, whether they cache (and if so, have they protected against cache poisoning attacks etc). That absolutely has to happen over port 80, because it's HTTP traffic that they fuck with.

Now, obviously that's a fairly obscure use case, but my point is this: When it comes to IT Security, if you speak in absolutes then you're likely as much of an idiot as you think the guy you're "correcting" is.

HTTPS is too easily brushed off by many people, but you do no-one any favours by being a die-hard about it. Especially when your response seems to not only assume that Port 80 is only ever used by a browser, but completely misreads the apparent intent of the post you were responding to.

> Security starts by not blindly trusting on automated tools, and using that grey blub between your ears to think things through instead. Too much reliance on security tools such as HTTPS can create a massive risk in itself.

He's more right than you are ;)

Simply enabling HTTPS isn't enough (though it should be a first step in the absence of a strong case against it), but we've got to break this idea that users have developed that HTTPS means the site is safe. It's a dangerous false sense of security.

All the cert check actually does is verify that the server you're speaking to is authorised to speak for the domain you connected to. It doesn't make hs.bc any more legitimate.

3
0
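An added example of the kind of check the reply above describes; it is not the commenter's service. Given the raw headers and body of a response fetched over plain HTTP, it compares them with what the origin is known to send and flags indicators that a transparent proxy or cache was in the path. The expected `Server` header, the expected body checksum and the list of header names treated as proxy indicators are assumptions, and the sample responses in the usage are constructed:

```shell
#!/bin/sh
# Added example: given the raw headers and body of a response fetched over
# plain HTTP, compare them with what the origin is known to send and report
# signs that a transparent proxy or cache sat in the path. Baseline values
# (expected Server header, expected body checksum) are assumed to be known
# out of band, e.g. because you run the origin.
set -eu

# header_value HEADERS_FILE NAME: print the value of the first header called
# NAME (case-insensitive), or nothing if it is absent. Skips the status line.
header_value() {
    tr -d '\r' < "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NR > 1 && index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        }'
}

# check_http_response HEADERS_FILE BODY_FILE EXPECTED_SERVER EXPECTED_CKSUM
# Prints one finding per line. Returns 0 if nothing looks tampered with,
# 1 if at least one indicator was found.
check_http_response() {
    hdrs="$1"; body="$2"; exp_server="$3"; exp_cksum="$4"
    findings=0

    # Headers the origin in this scenario is assumed never to send;
    # caches and proxies commonly add them.
    for h in via x-cache x-cache-lookup x-squid-error proxy-connection age; do
        v=$(header_value "$hdrs" "$h")
        if [ -n "$v" ]; then
            echo "proxy indicator: $h: $v"
            findings=$((findings + 1))
        fi
    done

    # A middlebox that terminates the connection often rewrites Server.
    srv=$(header_value "$hdrs" server)
    if [ "$srv" != "$exp_server" ]; then
        echo "server header changed: expected '$exp_server', got '$srv'"
        findings=$((findings + 1))
    fi

    # Body checksum (POSIX cksum, CRC-32) against the value the origin served.
    got_cksum=$(cksum < "$body" | awk '{print $1}')
    if [ "$got_cksum" != "$exp_cksum" ]; then
        echo "body modified: checksum $got_cksum, expected $exp_cksum"
        findings=$((findings + 1))
    fi

    # Content injected without fixing up the framing shows as a length mismatch.
    clen=$(header_value "$hdrs" content-length)
    blen=$(wc -c < "$body" | tr -d ' ')
    if [ -n "$clen" ] && [ "$clen" != "$blen" ]; then
        echo "content-length $clen does not match body size $blen"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

To run it against a live path, dump the headers and body separately (`curl -sS -D headers.txt -o body.bin http://<your-host>/probe`) and pass them in with the checksum of the file the origin actually serves, or of the same resource fetched over HTTPS, which an on-path ISP cannot rewrite. A clean result only says that nothing in this list was observed; an empty finding list is not proof of an untouched path.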

Google Chrome's HTTPS ban-hammer drops on WoSign, StartCom in two months

Ben Tasker
Silver badge

Re: EU Anyone

> Bloody ages if the affected entities are not complying with obvious independently created security standards not just upsetting Google.

I agree, they're probably OK as it's not Google (alone) who've set the standard.

It does raise an interesting question though (albeit largely hypothetical). Google is currently at odds with the rest of the CAB Forum on the subject of certificate validity periods. They've just been reduced to around 2 years max, but Google wanted 13 months in their ballot (which got voted down).

It wasn't so much the period, as how quickly Google wanted to switch that the other members objected to AIUI.

So, if Google were to go it alone, and simply distrust anything older than 13 months in Chrome, at what point would that be considered an abuse of domination, if at all?

They haven't actually shown any sign of intending to do that, and it'd be a bloody stupid thing for them to do (though if they did, it'd more or less force the industry to comply), but I thought it was an interesting thought exercise.

4
0

Microsoft boasted it had rebuilt Skype 'from the ground up'. Instead, it should have buried it

Ben Tasker
Silver badge

Re: I got gify tho

9 times out of 10, if I type /gify [term] it gives me a gif that's seemingly completely unrelated to the term I gave it.

0
0
Ben Tasker
Silver badge

Re: So why then does Slack launch Skype if I click on a number?

That sounds like the file associations rather than the protocol ones.

On Win 10 it's called "Choose default apps by protocol" and then you'll see a TEL: entry. There's a guide here: https://www.howtogeek.com/223144/how-to-set-your-default-apps-in-windows-10/

It was oh so very, very helpful of Microsoft to break those up...

1
0
Ben Tasker
Silver badge

Re: Social disease

> You've got to wonder if all the old software engineers haven't retired and it's the under 35s who've taken over product design,

Oi, I'm under 35 and you can fuck off if you're going to try and lump me in with the kind of cretin that thinks that kind of design is an improvement.

It's possible I'm just odd for my age, but there's very little that gets released nowadays that I like the look of. It's more common that I'll be screaming blue murder at something because some fuckwit has dumbed down the interface and hidden/removed a config setting that I want to get at. Skype's update is a low even by that standard though.

5
0

Biting the hand that feeds IT © 1998–2017