* Posts by Ben Tasker

1586 posts • joined 23 Oct 2007

Farewell then, Slack: The grown-ups have arrived

Ben Tasker
Silver badge

Re: "death of email" ? not until chat gets federation!

Because no-one ever receives chats from random bots pretending to be lonely young women on Skype and other chat apps?

Email has a spam problem, sure, but it's not like the centralised chat systems don't either. Worse, being centralised they should be more able to prevent it.

9
0

Fresh cup of WTF with lunch? TeamViewer's big in Twitter's domination-as-a-service scene

Ben Tasker
Silver badge

Neither.

They're paying a dominatrix (usually) to Teamviewer onto their machine and exert complete control. Based on some of the results for the hashtag, they commonly sit and watch, in front of the webcam whilst wearing lingerie.

The "thrill" apparently coming from the level of control being exerted. She could screencap the cam and then post it on their facebook page. Or log into Amazon and order a bunch of stuff, etc.

3
0

Banks told: Look, your systems WILL fail. What is your backup plan?

Ben Tasker
Silver badge

Re: That is not what should be regulated

If they don't, they pay the costs and if they pay too much, they end up dying.

Sure, there will be a bit of a mess, but in the worst case customers will take their government-guaranteed money elsewhere and that will be that.

You seem to be ignoring just how unpleasant that mess can be for customers. In that period between "Oops clicked the wrong thing" and the Government paying out you've got missed mortgage payments (or missed rent payments), missed bills, potentially an inability to feed yourself or put fuel in the car to get to work.

All because some profit chasing fucker cut corners.

These measures aren't there to protect the banks, they're there to help protect the banks users.

18
1

Things that make you go hmmm: Do crypto key servers violate GDPR?

Ben Tasker
Silver badge

I have previously received notifications because someone else uploaded my key, it was the result of a plugin in their MUA doing it on their behalf.

So yeah, they're not always there because the private key holder chose for them to be

8
0

So... where's the rest? Xiaomi walks away from IPO with less than hoped

Ben Tasker
Silver badge

"The problem is that compared with other internet giants, or even other hardware leaders like Apple, Xiaomi hasn't built a strong enough moat to keep users within its ecosystem."

Wrong. That's exactly why I like my phone (Mi Mix2 for anyone wondering) - it's not constantly trying to get me to use their services, or tie me in. Building stronger lock-in would not be a good thing

Is it perfection? No, but it's a damn good phone and cost a fraction of what Samsung are asking.

9
1

User spent 20 minutes trying to move mouse cursor, without success

Ben Tasker
Silver badge

Re: Training the trainer

> Except when the test is looking for the wrong answer taught in the course.

I remember nearly failing the European Computer Driving License (ECDL) course. Not because I couldn't work a computer, but because the "interactive" test expected you to achieve things exactly the way it was taught in the course (the long way round).

The one that really sticks in memory was "Create a shortcut to file foo.doc on the desktop". Explorer was already open in the directory, with foo.doc there.

Right-click. Wrong. Fuck. Left click, Edit menu, Copy. Right click on desktop. Wrong. Fuck.

Ultimately what the test expected you to do, was (using the menus in explorer), copy the file, paste as shortcut into the same directory as foo.doc, then relocate that shortcut to the desktop (via Explorer, not by minimising explorer and being on, you know, the desktop). So I got that question wrong, because you only got 3 opportunities to say fuck before it moved onto the next one.

In a weird way, it's one of the hardest tests I've ever sat. Not because the challenges themselves were in any way complex or difficult, but because they'd taken the view there was only one way to complete any given task, and that way was the most bone-headed inefficient way you could possibly think of.

12
0

New York State is trying to ban 'deepfakes' and Hollywood isn't happy

Ben Tasker
Silver badge

Plus, if they get an image of you in the street being rammed every which way by multiple cocks, it's because you were having an orgy in the street.

Taking a picture of someone walking down the street is somewhat different to having AI take existing innocent footage, build a model, and then almost seamlessly put your head and face onto the body of someone in a gay orgy clip.

11
1

WannaCry reverse-engineer Marcus Hutchins hit with fresh charges

Ben Tasker
Silver badge

Re: Who do you trust?

> Make no mistake, the UK legal system is just as bent and crooked as the US one.

And now, of course, severely under-resourced. If you need a duty solicitor you might be lucky to find one, and may end up sat in custody for 20-odd hours while they try to arrange transport for the custody hearing because the local court has been closed.

The American legal system is a heap of shite, but you're right in that ours really isn't far behind in many different ways.

1
0

Dems push Ryan to vote to help save America's net neutrality measures

Ben Tasker
Silver badge

Re: 86% of Americans agree with *THEM*? Since *WHEN*?

That's probably also why it's not been allowed to go to a vote. They don't want to let this pass, but also don't want to be seen, quite so visibly, to be screwing consumers over.

8
0

ICO smites Bible Society, well fines it £100k...

Ben Tasker
Silver badge

Re: OK if they pro-rata the fine when its applied to big business

> The idea is that the government can't create a new law and then backdate its effect to shaft someone who has offended them,

Unless, of course, they've realised that a department... say GCHQ... wasn't actually exempted from, I dunno, let's say the Computer Misuse Act and so passed an amendment and applied it retrospectively in response to that department being sued.

That's totally different, you understand...

12
0

Oddly enough, when a Tesla accelerates at a barrier, someone dies: Autopilot report lands

Ben Tasker
Silver badge

Re: Fire Department

The water is used to cool the packs. They actually used foam to try and extinguish the fire.

4
0
Ben Tasker
Silver badge

To be fair, what you seem to be talking about is AEB - which Teslas do have.

But, most (if not all) models of car with AEB disengage it above a certain speed (usually about 30) so that false alarms don't lead to cars braking sharply in the middle of the motorway, causing a hazard in themselves.

So it's not too surprising that AEB didn't trigger in this case. Though as you say, it's concerning that the car appears to have done precisely nothing, even in the final moments to suggest it even knew what was coming.

As concerning as that is, though, Tesla's response is far more worrying. That habit of blaming everyone but themselves does not inspire confidence. Yes, the impact attenuator was missing, but it was only needed because Tesla fucked up. Its absence potentially worsened the accident, but did not cause it. Yes, his hands were off the wheel, just as the hands of many people using Autopilot are off the wheel sometimes (his hands were, however, on the wheel for more than 50% of the preceding minute).

Tesla do a massive disservice to the autonomous car industry (outdone only by Uber, in some respects). Their cars lack hardware that would dramatically improve safety, and their attitude as a company towards accidents and safety is one of a company that should no longer exist.

5
0

Cloudflare experiments with hidden Tor services

Ben Tasker
Silver badge

Re: Confused

Currently, not that much.

So far, they've only launched Hidden Service support for their DNS over HTTPS (DoH) service.

What it means is that rather than transiting the open internet (whether directly or passing through Tor first), your lookups can go to their resolver without leaving the Tor network. That's a good thing (reduces usage of the limited exit node bandwidth, provides strong authentication that you're talking to an authorised server etc).

What they haven't launched (I suspect the word yet applies here) is support for hosting hidden services via Cloudflare. Though why anyone would want to....

2
0

IPv6 growth is slowing and no one knows why. Let's see if El Reg can address what's going on

Ben Tasker
Silver badge

Re: GDPR

That makes *0* sense. If the website didn't support it, there would be no AAAA record in the DNS reply, and so IPv6 would never be attempted in the first place.

Technically, you'd still see a small increase in perceived time to first byte as you'd have a second round trip to your DNS server to fetch the A records. But I'm just splitting hairs, because if that's noticeable you probably want to be thinking about using a better performing recursor.

3
0
Ben Tasker
Silver badge

Quote: "...You go to your ISP and ask them to open up a certain port.."

Misleading. Three steps are needed and ANYONE can run an external ftp service on their home network:

I think he was referring to a user behind CG-NAT and not simply referring to NAT on their home router ;)

4
0

Tech support made the news after bomb squad and police showed up to 'defuse' leaky UPS

Ben Tasker
Silver badge

Re: Boom!

> Other activities were far more dangerous at that job though

If you want to see something equally scary, try googling for how to de-sulphate a lead acid battery.

I guarantee you'll find more than a few people recommending that you do the following

- Put the battery on a bench

- Get your arc welder and clamp the cathode onto the positive terminal

- Turn the welder on

- Repeatedly tap the anode against the negative terminal

The theory being that the (high) charge going through should shake the sulphate back off the plates.

Of course, that'll lead to a release of hydrogen, and it's not as if the primary fucking task of an arc welder is to create an arc/spark hot enough to melt metal (let alone ignite hydrogen)....

11
0

Consent, datasets and avoiding a visit from the information commissioner

Ben Tasker
Silver badge

Re: Commercial relationship?

> If you had consented, then there is no need for these GDPR related consent emails.

To be fair, there is if they feel they don't have sufficient records of your consent. Remember they've got to record the exact terms you consented to as well as the fact that you consented - that's a gap for an awful lot of companies

3
0
Ben Tasker
Silver badge

Re: Commercial relationship?

> For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable.

That's also not strictly true.

You may need to retain the customer's details (in the form of your invoice) for tax purposes. GDPR provides for this with Section 6(1)(c) Compliance with a Legal Obligation.

Course, you need to actually show that you are obliged, but the user/customer can also not withdraw consent (as it's not held/processed on the basis of consent for this). They can still ask you to provide details of everything you've got stored for them.

But the details you'd be holding should, at most, be those that are essential for the invoice and nothing more. And you can't then scrape data off your invoices and go off and send marketing emails as that's processing for a purpose other than that stated.

6
0

Password re-use is dangerous, right? So what about stopping it with password-sharing?

Ben Tasker
Silver badge

Re: Overhead

My guess is that their reference to overloading auth servers probably relates to requests coming in from other services saying "hey, can you check if this password has been used?" rather than those going out as a result of a user changing their password on that service.

Which is a valid concern, imagine if you signed up your relatively small site to it (for security, you understand) and then Facebook also joined and you had to handle a request whenever one of their users changed password (or created an account - including all the bots).

There are limits to how cheap you can make the processing too, so the only way you'd get around that, really, is to have some third party act as a middle-man for answering other's requests. Which means they'd need to hold a copy of your hashes, painting a big fat target on their backs and raising a number of other concerns.

Of course, at some point, someone will suggest sticking the hashes in a blockchain so that a network of nodes could handle the requests - they may even get rich/lots of funding off the idea, but it isn't necessarily a good idea for numerous reasons.

3
0
Ben Tasker
Silver badge

Re: Salt

When you've got the password available (so when they're setting a new password, or just after a login in the switchover period) you'd need to generate and store a representation of it in a format which could be used for this.

Hopefully no-one would be stupid enough to suggest plaintext or using reversible encryption, but there'd need to be some kind of shared format (I guess probably a cryptographic signature using publicly known keymatter, or some other derivation). You'd then use that for comparison whenever you receive a request to see if any of your users are using that password.

It does mean you'd essentially be storing a value derived from the password twice (your normal hashing mechanism + one of this) which could potentially open up some new and interesting brute-forcing tactics (attack the weaker of the two hashes, when you get a match, pass it through the stronger mechanism to see whether you got the actual password or just a collision - the latter is fine for logging into that service, but getting the actual password is more valuable if you want to try their password on other services)

2
0
Ben Tasker
Silver badge

Re: Why not make the browser hash passwords.

The problem with doing that, though, is it introduces issues of its own.

If the hashing mechanism for your "HashedPassword" standard turns out to be a bit collision prone (as they often do after years of use), then it doesn't matter what hashing mechanism (if any) is being used on the server as a brute forcer now has a weak point that can be targeted.

It also adds some complexity to the browser too, of course, but no-one seems to give a fuck about that anymore anyway :)

2
0
Ben Tasker
Silver badge

Re: A site might know if two visitors to that site have the same password

Yeah, I've always preferred to have an independent per-user salt for that reason. Using the user-name opens you up to exactly the issue you suggested - password re-use on another site using the same mechanism will result in an identical hash.

The salt is just a randomly generated string stored alongside the user data in the user's table, one per user. People forget that a salt is not a secret, and treating it as such just leads to complexity in your code (which'll get unravelled soon enough). Its primary aim is to tip the cost/benefit balance of generating rainbow tables.

Site-wide salt = Generic rainbow tables don't apply, but for a high value target you could generate a set for the site. Likely better to fallback to hash bruteforcing unless you're planning on exfiltrating the users table regularly

Per-user salt = Generic and site specific RT's don't apply. Generating per user is possible, but time consuming, expensive (from a storage PoV) and not really worth the effort. Fall back to bruteforcing the hashes instead.

No part of either of those requires the salt to be secret. Making it secret might add a few hours fact-finding into the process, but that's nothing compared to the time & computing effort the presence of a salt has already added.

4
0
Ben Tasker
Silver badge

Re: How would two sites know that passwords are the same?

I would guess that for the purposes of this, there'd be an agreed format for it to be stored in.

In fact, for this use-case, you probably wouldn't use a salted-hash in the way you would for credential storage - this stuff would only be triggered when a password is _set_ so you could afford to go for something a bit more expensive in processing terms. So, you'd probably generate a cryptographic signature using a shared/known key.

The problem is, with a globally shared key, you could _potentially_ still try and bruteforce signatures (the tables you generated would be applicable to every platform using the comparison service - essentially losing the benefit that a salt traditionally provides).

The alternative, as you say, is probably that services need to keep the password in some reversible format so that they can answer similarity requests. There are ways other than simply storing plaintext (or an encrypted version of, which is no better) but I don't know how strong they are against a determined analysis.

1
0
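The two posts above (the one on per-user versus site-wide or username salts, and the one on a globally shared signing key for a password-comparison service) make the same point from two directions: whatever is mixed into the derivation decides how widely a precomputed table applies. The following is an added example, not code from the thread or from any of the services discussed. It models two sites with a small constructed user table, derives hashes with PBKDF2-HMAC-SHA256 under both salting strategies, and adds a hypothetical comparison tag keyed with a publicly known key, so you can see directly which values collide across sites and which do not. The key, the iteration count and the site/user names are all made up for the demo.

```python
"""Added example (not from the thread): per-user random salt vs username salt,
and why a globally shared comparison key gives that benefit straight back."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed value for the demo, not a production tuning


def derive(password: str, salt: bytes) -> str:
    """Slow password hash over one salt; returns the hex digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


class UserTable:
    """Minimal stand-in for one site's user table (constructed for the example)."""

    def __init__(self, site: str, salt_mode: str):
        if salt_mode not in ("username", "random"):
            raise ValueError("salt_mode must be 'username' or 'random'")
        self.site = site
        self.salt_mode = salt_mode
        self.rows = {}

    def register(self, username: str, password: str) -> str:
        # "username" mode: the salt is predictable and identical on every site
        # using the scheme. "random" mode: 16 fresh bytes per user, stored in
        # the clear next to the hash (a salt is not a secret).
        salt = username.encode() if self.salt_mode == "username" else os.urandom(16)
        self.rows[username] = {"salt": salt, "hash": derive(password, salt)}
        return self.rows[username]["hash"]

    def verify(self, username: str, password: str) -> bool:
        row = self.rows.get(username)
        if row is None:
            return False
        # Constant-time comparison of the stored and recomputed digests.
        return hmac.compare_digest(row["hash"], derive(password, row["salt"]))


# Hypothetical comparison service: every participant tags passwords with the
# same publicly known key, so tags are comparable between sites.
COMPARISON_KEY = b"constructed-public-key-for-demo"


def comparison_tag(password: str) -> str:
    """Site-independent tag; the shared key means one table fits all sites."""
    return hmac.new(COMPARISON_KEY, password.encode(), "sha256").hexdigest()


def demo() -> dict:
    """Run both salting strategies on two sites and report which values collide."""
    pw = "correct horse battery"
    a, b = UserTable("site-a", "username"), UserTable("site-b", "username")
    c, d = UserTable("site-c", "random"), UserTable("site-d", "random")
    return {
        # same user, same password, username salt -> identical hash on both sites
        "username_salt_collides_across_sites": a.register("alice", pw) == b.register("alice", pw),
        # two users sharing a password still differ, because the salt differs
        "username_salt_separates_users": a.register("bob", pw) != a.rows["alice"]["hash"],
        # random per-user salt -> different hash per site even for the same user
        "random_salt_differs_across_sites": c.register("alice", pw) != d.register("alice", pw),
        # the random salt is stored alongside the hash, so login still works
        "random_salt_verifies": c.verify("alice", pw) and not c.verify("alice", "wrong"),
        # shared-key tag is the same everywhere: the site-specific benefit is gone
        "shared_key_tag_collides_across_sites": comparison_tag(pw) == comparison_tag(pw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The takeaway for a defender is in the last two results together: the random per-user salt is what makes a stolen user table unique to that site, and any cross-site comparison scheme built on a globally known key reintroduces exactly the one-table-fits-all property the salt was there to remove.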
Ben Tasker
Silver badge

Re: 2 part Authentication - more data slurping

Skype's slurping up dates of birth too - forced me to enter before I could load the client the other day.

My guess was that one was more to do with GDPR and what they can do with your data, so obviously I told Skype I'm 9 years old.

> Twitter is currently collecting the mobile phone numbers of its users. How safe is that info with them? They're not allowing any accounts without phone numbers, so sod 'em.

They prompted me a while back to enter my mobile number to prove I wasn't a bot. So while I was in Tesco's I picked up a PAYG SIM and gave them that number. Once in, I deleted it back off my profile. It'll only ever go in a phone when I need to "verify" myself.

At first it felt a bit overly paranoid, but actually - they're insisting on my number (which they don't need on a routine basis) and asking me to trust them not to lose or misuse it. Once it's out, it's out, so why would you give them your regular number?

3
0
Ben Tasker
Silver badge

It used to be that most sites would have a "continue without registering" option (even if it was a tiny link you could easily miss), but that seems to have fallen out of fashion.

Like you, I just move on to another, or if no other choice, set up the account with the bare minimum info possible (and incorrect info for anything that's inconsequential to the order). Once the order's arrived, I'll either use "Delete my account" (if present), or edit out the real data, set a stupidly strong password and not record it.

The real data might still live in a backup, or revision history somewhere, but that's at least lower risk than leaving them with the correct details.

8
0
Ben Tasker
Silver badge

Re: Holy crap

> At the other end of the scale, there's dozens of tinpot little blogs (El Reg, I'm looking at you) that require me to log into something to post on them, and don't allow OAuth because

Conversely though, if El Reg ever went "sod local logins, you can log in with Facebook, Google or Twitter and no other way" that'd piss me off.

Nice to have as an option for those who want it, but an increasing number of sites (and apps particularly) seem to be making it the only way. Call me paranoid but I don't want the big providers tracking me around the net. You can block 'like' buttons etc reasonably well and easily, but it becomes an issue if you want to actually login somewhere.

I'd rather have a throwaway'ish password for El Reg than use any of the common OAuth mechanisms.

25
0

Pentagon in uproar: 'China's lasers' make US pilots shake in Djibouti

Ben Tasker
Silver badge

Re: @AC

> planes are very un-aerodynamic when flying in reverse.

Not being very aerodynamic is an effective way to get back on the ground though

6
0

Cookie code compromise caper caught and crumbled

Ben Tasker
Silver badge

Re: Explain It To Captain Stupid

> I can't find a way to include alcohol in this discussion, but node doubt it's "in there" somewhere.

The alcohol comes in when you're left troubleshooting a node app that someone else cobbled together just before they fucked off, and seemingly whilst under the influence of something.

3
0

Amazon and Netflix join Hollywood to lob sueball at 'Kodi' service SetTV

Ben Tasker
Silver badge

It's like suing VLC for it letting you play RTSP streams of Hollywood movies

I know it's completely unrelated to the point you're making (which I agree with), but feel the need to say this.

Those who stream in RTSP deserve everything they get.

4
1

Time to ditch the front door key? Nest's new wireless smart lock is surprisingly convenient

Ben Tasker
Silver badge

Re: "It's going to take a pro to get past it"

> I'm going to laugh when in a few years people start having their house robbed due to a security issue with a no longer supported smart lock, and insurance companies deny those claims because they failed to properly secure their house.

Not to mention that there may potentially be a lawsuit against Google pointing out that the information the intruder needed was the top result in a Google Search, and that Google therefore helped the intruder defeat Google's security product.

4
0
Ben Tasker
Silver badge

In previous houses where we've had a Yale, I've found that even that level of effort hasn't been necessary when I locked myself out.

Find long stick and push it through the letter box, getting your arm as far through as possible, then manoeuvre to find and operate the release on the inside. Obviously much easier if you've got glass in or near the door so you can see, but perfectly possible without too.

Much prefer a good multi-point system, though you do have to break into the habit of remembering to actually lock it. That said, a family member has one where locking is simply a case of pulling the handle up. Seems like the worst of both worlds to me, as you can trivially lock yourself out without a key, or in fact, lock yourself in without a key. Some might view having to put a key in the lock and turn it as an inconvenience, personally I see it as a good sanity check to make sure you've actually got the means to re-enter when leaving

4
1
Ben Tasker
Silver badge

> You can either press the Yale button at the top, or leave it to lock itself. If, for whatever reason, it doesn't lock, it lets you know immediately with big yellow warnings on your phone and an LED on the lock.

That LED, I hope, is on the inside right? Otherwise, your lock is sat there telling anyone passing that it failed to lock after you drove off because you were running late.

> If you are a paranoid or security-conscious person you will have already decided that the idea of a smart lock is a horrible, terrible thing.

I'm not convinced it's a sign of paranoia to point out the flaws with these things. The write-up focuses primarily on usability, and it's seldom the usability that draws the criticism.

> The Nest+Yale lock uses Google's Thread IoT protocol to communicate with its Connect bridge – or its Secure home station if you have that. This is a smart move as it puts a buffer between the lock and the internet. It's going to make hacking the door to open a much harder affair.

Or, potentially, has just increased your attack surface.

Not having it talk directly to the internet is a good move (and one I wish more would follow), but it alone doesn't automatically mean you're now much safer. The bridge/home station is now part of your attack surface, and it might still be possible (somehow) to convince the lock to communicate with the wider world. You could actually be worse off, especially in the wider market where certain manufacturers may well think "it's never going to talk directly to the internet, so don't put any effort/expense into fixing that bug"

It's good the lock works for the author, but they're definitely not for me and likely never will be. There are just too many issues that need to be addressed in the wider world of IoT. One of those issues - manufacturers actually supporting their kit for prolonged periods - is addressable, but is just the very first stage.

Even without that, I'd much rather a multi-point lock.

14
0

Machines learned to assemble IKEA’s semi-disposable furniture

Ben Tasker
Silver badge

Re: I have to say....

Yeah it tends to be the Ikea-wannabes that I've had issues with.

But that's often not so much the assembly procedure as general product quality. Turning up with missing hinges, or the holes drilled in the wrong place (despite the marks in the correct place still being visible).

IKEA stuff I've never had any issue with

4
0

Europe wants cloud giants to cough up data from anywhere in 6hrs

Ben Tasker
Silver badge

Re: I wonder what happens when they come up against that old chestnut...

> You can see the dress rehearsal for that in Telegram vs Roskomnadzor. 2 years until we have this play centre stage on our scene.

Hopefully, though, our lot will learn the fruitlessness of it from Russia's embarrassing act yesterday. Blocking all of AWS' ranges, taking down Roskomnadzor's own site in the process and yet Telegram continue working.

Oh, and for double-bubble points, in the process, they accidentally unblocked all the sites they'd previously blocked.

Ultimately, they made themselves look incapable of enforcing their demands, and all for what was presumably meant to be a show of power.

No way our politicians would see that and repeat it.... never mind, I just realised who we've got in power and who's waiting in the wings. They totally would, wouldn't they

3
0
Ben Tasker
Silver badge

Re: The onward march to the underground!

> yet another "undemocratic action of the Putin authoritarian regime". Every time they have done something - we copy it.

It's a two way street though too.

They tried (and failed miserably) to block Telegram in Russia in the last couple of days, because they wouldn't/couldn't give them access to messages. The UK, the US and the EU were specifically mentioned as examples of countries "normalising" access to this data to make it sound like they weren't being that unreasonable.

There's an echo chamber with some very severe ramifications.

1
0

Whois is dead as Europe hands DNS overlord ICANN its arse

Ben Tasker
Silver badge

Re: I think its fine to not have details public

> You're probably not old enough to remember something called a "phone directory". These were very handy back in the day, you could look up a person's address and phone number in them.

You still can, if they've chosen to have their details published in there. Just like WHOIS will be.

0
0
Ben Tasker
Silver badge

Re: Stating the obvious.....

> Which is why WHOIS exists, which is why organizations can set contact information which is valid for their particular logistical model.

Which they'll still be able to do post GDPR, it just won't be mandatory for individuals to do so.

> The problem is MOST PEOPLE don't know how the fuck the internet works and they don't understand this stuff is critically important. Disabling a system like WHOIS is similar to knocking out the support columns of a large bridge and hoping it doesn't collapse.

Be wary of telling people they know fuck all when you clearly know so little about the subject you're discussing. If WHOIS was turned off tomorrow, everything would keep working.

It's more like publishing the name, address and telephone number of the bloke who built the bridge on a sign under the bridge. Take that sign away and the bridge won't collapse. If there are issues with the bridge, the council (or DFT) still have that bloke's details so he can be contacted, just not by every Tom, Dick and Harry that wants to sell print cartridges to him for specious reasons.

4
0
Ben Tasker
Silver badge

Re: Stating the obvious.....

A simple abuse@ address is more than sufficient for contact. Those who'd ignore it are going to ignore your other contact methods too.

Registrars will still hold the details so in serious cases the old bill can get the contact data.

Publicly publishing that information does little to nothing to protect customers.

13
2
Ben Tasker
Silver badge

Re: "willing to make a special exception for ICANN"

> decided everything in its own time and manner, procedures and laws

To be clear it's not just national laws they ignore, it's also their own smegging byelaws and procedures.

I agree, refuse the exemption, point out just how long ago this was flagged (similar requests pre-date GDPR btw) and fine the fuckers so hard they regress back into the reasonable, almost competent entity that they once were.

It's been a long time since ICANN could be described as even near fit for purpose. They've wholly brought this mess on themselves

15
1

Schrems' Facebook case edges closer to ruling over EU-US data flows

Ben Tasker
Silver badge

> Is this even possible now that the US has passed legislation that allows a simple internal US-issued warrant served on a company in the US to force that company to turn over data stored in foreign jurisdictions?

Yes, sort of.

You'd need to make sure that the US arm/parent/whatever did not have the ability (in any way) to access that data for itself. Access to the data would need to be totally reliant on the EU entity's co-operation.

The EU entity would refuse (as it'd break EU law) and the US entity would be unable to comply.

But, it'd mean you'd need to be willing to accept whatever penalty the US entity then gets hit with for non-compliance. From what I've seen though, that's still significantly less than the fine you could get under GDPR, so from a pure financial sense it makes more sense to tell the US to fuck off.

> According to the US government, they no longer need to issue an international warrant under their various treaties and get the co-operation of the government of the nation where the data is located.

Yeah that's what they say. It's unlikely to work well for them in most countries though. It's not that different to the Kremlin passing legislation stating that they are now cleared for unescorted access around the Pentagon and that interfering with their passage within the building is a capital offence.

You can pass whatever law you want in your own country, you can even say you're not going to use diplomatic channels. The other side, though, doesn't have to accept it. Where the other side has the ability to punish your middle-man for compliance, it'd be foolhardy to push it too far.

2
0
Ben Tasker
Silver badge

Re: I'm prepared for a whimper

> The recent US law makes it very clear that as long as Facebook US keeps control over the place where the data is stored, they have to cough it up to Uncle Sam whenever he asks.

That's a completely separate issue though.

In the Microsoft case (where the CLOUD act is relevant) I suspect the EU have already started the paperwork to start punitive action should MS Ireland comply with the US's orders.

The US can pass whatever law they like, but no company is going to enjoy the consequences complying once GDPR comes into force.

I'm not sure what the ultimate outcome is going to be, but privacy is one of the areas where the EU tends not to back down. And Europeans in general aren't going to quietly accept having our privacy levels dragged down to match the level afforded in the US market. On the flip-side, the US aren't going to back down and rescind CLOUD either, so my guess would be that there'll be a stand-off for a while where the US demands something and the EU fines the company for complying.

Somewhere in amongst that mess, of course, will be US politicians crying foul when other countries pass similar laws and start demanding data from companies operating in the US.

2
0

Data exfiltrators send info over PCs' power supply cables

Ben Tasker
Silver badge

Re: Meh

I've been in more than a few buildings where the server rooms are heavily secured, but the plant is not (it's just machinery etc, etc....). So access to the plant is undoubtedly a lot easier a good %age of the time.

You do need to get the malware onto your target computer somehow, but that can potentially be done remotely via social engineering or chaining exploits to get RCE.

When you're talking about this level of sophistication, it's not unreasonable to think that your victim's network might already have various systems in place trying to detect (and block/report) the more traditional methods of exfiltration. It might be an inconvenient approach (with plenty of issues), but it is potentially a way around those.

I've certainly worked in places where this research will have been noted and they'll be watching for any developments and discussing whether there are any *easy* mitigations they can put in place (like better securing the plant rooms). Most of those tend to have strong physical security around the site, but the assumption is always that that could be overcome and so should be treated (to some extent) as not being there.

5
0
Ben Tasker
Silver badge

Re: Seeing the light

> Totally irrelevant theatre-style security, u prats.

See, I prefer to look at this another way.

There will always be those (whether it's management, customers or someone else) who will insist that it's possible to be 100% secure, and that you absolutely must be. That normally results in a near-unusable service/product because of all the crud that's been added to it to cover edge-cases. Worse, sometimes you find out a customer has been sold an SLA based on the idea you're 100% secure against all vectors.

This and other research like it is just another example you can give for why that could never be possible, and more importantly (from a business standpoint) should never be claimed nor promised.

A few people above have suggested possible solutions for this issue, so what you'd then do (having confirmed they should work) is go and work out the price of implementing - almost certainly so high that those demanding 100% security will refuse to pay the cost.

It doesn't apply to every bit of research done, but it's still useful to have. Plus, obscure things like this (once disclosed) sometimes provide inspiration for someone to find a related approach that's much more practical in the real world. Plus, frankly, some of it is really fucking interesting to work on and tinker with even if there's no direct tangible real-world application to the vector.

8
0

No password? No worries! Two new standards aim to make logins an API experience

Ben Tasker
Silver badge

Re: OpenSSL

> Why can't we have this instead? You could even automate the certificate creation part and there would be no need for any centralized user tracking center.

That's basically what this is, just wrapped up in some sort of hardware token.

In fact, that's basically what your Yubikey or FIDO key is too.

2
0
Ben Tasker
Silver badge

Re: So if I understand this correctly?

> So does this mean that if someone mimics the behaviour of the local API and protocol used to communicate with the server, they could fraudulently send bogus authentication messages to the server?

AIUI, the server holds a public key for your auth device. The auth device then signs a server-provided nonce with the private key to prove it has control.

That private key might in some way be derived from your gesture or fingerprint, but is more likely to simply be unlocked with it.

So to do what you suggest, the attacker would need to have gained a copy of the private key on your authentication device. If someone lays hands on your private key then it's game over anyway.

I suspect where this will probably fall down in practice though (aside from uptake) is that there will inevitably be some crap authenticators hitting the market (for example, ones whose fingerprint reader can easily be fooled).

2
0
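The challenge-response flow described in the comment above, as an added example that is not part of the original post or of any FIDO implementation: the relying party stores only a public key, hands out a fresh random nonce per login, and verifies a signature over it. The Ed25519 key type, the `rpID` binding and the single-use challenge store are my own assumptions for the sake of a runnable illustration, not a description of the actual FIDO2/WebAuthn wire format. The scenario also shows why mimicking the local API is not enough: an impostor speaking exactly the same protocol with its own key fails verification, and a captured signature fails when replayed against a new challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the user's token. The private key never leaves it;
// the "gesture" (PIN, touch, fingerprint) only unlocks it, as the post says.
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing the relying party ever learns about the token.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Unlock stands in for the user gesture (assumed, simplified).
func (a *Authenticator) Unlock() { a.unlocked = true }

// Sign signs a server-provided challenge bound to the relying party ID.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator locked: user gesture required")
	}
	return ed25519.Sign(a.priv, signedPayload(rpID, challenge)), nil
}

// signedPayload binds the nonce to the site so a signature obtained for one
// relying party cannot be presented to another (assumed layout, not FIDO's).
func signedPayload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Server is the relying party: registered public keys plus outstanding nonces.
type Server struct {
	rpID       string
	registered map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{
		rpID:       rpID,
		registered: map[string]ed25519.PublicKey{},
		pending:    map[string][]byte{},
	}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// NewChallenge issues a fresh 32-byte random nonce for the user's next login.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding nonce and consumes it,
// so the same signature cannot be accepted twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.registered[user]
	if !ok {
		return false
	}
	challenge, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, signedPayload(s.rpID, challenge), sig)
}

// RunScenario returns (genuine login ok, impostor accepted, replay accepted).
func RunScenario() (genuine, impostor, replay bool, err error) {
	srv := NewServer("example.test") // constructed relying party ID
	token, err := NewAuthenticator()
	if err != nil {
		return
	}
	srv.Register("alice", token.PublicKey())
	token.Unlock()

	// 1. Genuine login: the registered token signs the nonce it was given.
	c1, err := srv.NewChallenge("alice")
	if err != nil {
		return
	}
	sig1, err := token.Sign(srv.rpID, c1)
	if err != nil {
		return
	}
	genuine = srv.Verify("alice", sig1)

	// 2. Impostor: same protocol, same API shape, but a different private key.
	fake, err := NewAuthenticator()
	if err != nil {
		return
	}
	fake.Unlock()
	c2, err := srv.NewChallenge("alice")
	if err != nil {
		return
	}
	sig2, err := fake.Sign(srv.rpID, c2)
	if err != nil {
		return
	}
	impostor = srv.Verify("alice", sig2)

	// 3. Replay: a captured genuine signature against a fresh nonce.
	if _, err = srv.NewChallenge("alice"); err != nil {
		return
	}
	replay = srv.Verify("alice", sig1)
	return
}

func main() {
	g, i, r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v impostor=%v replay=%v\n", g, i, r)
}
```

Without the private key, knowing the local API and protocol buys the attacker nothing: the server's verification depends only on the registered public key and the nonce it just issued. The weak point the comment predicts, a poor fingerprint reader, lives entirely in `Unlock`, which is exactly why authenticator quality matters more than protocol mimicry.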

Twitter API overhaul threatens to seriously shaft apps... again

Ben Tasker
Silver badge

Re: Web?

> If you need an app to duplicate phone access for a website, then the website is developed badly.

I think in Twitter's case you're dead on the mark there - it's developed badly.

One of the things you commonly see people saying "use App x" for lately is a result of a change Twitter have made. If you follow someone and they "Like" something, then it'll likely show up for you marked as "so and so liked".

The person you're following clearly didn't give enough of a fuck about it to re-tweet it, so not quite sure what the logic is that it should appear.

A number of the 3rd party apps allow you to roll that functionality back, where Twitter itself doesn't (at least not without turning off some other, potentially beneficial functionality).

1
0

Sysadmin shut down the wrong server, and with it all European operations

Ben Tasker
Silver badge

> Soldiers take things very literally. Never EVER label anything as "BOOT"

Yeah, to be fair to him he was just having a bad day. He knew more than enough about the systems to have not made that mistake, just wasn't really with it that morning.

Not that that made it any easier to explain up the chain, of course.

13
0
Ben Tasker
Silver badge

I've known more than a few people to do this.

I once told a soldier the portable version of a server was ready to be shut down and packed up for deployment; he dutifully walked into the server room up to a (very) non-portable 42u rack and shut down the servers in that. Cue calls to my phone from across Blighty asking why systems were down. Thankfully, they didn't take too long to bring back up, but I did have to explain what had happened to some much higher levels.

That was before the days of mollyguard, but I now make sure it's on everything to help avoid accidents (not sure it'd have helped in that case though).

28
0

Microsoft: Yes, we agree that Irish email dispute is moot... now what's this new warrant about?

Ben Tasker
Silver badge

Re: US legal position

> 3. Is there a limit to what they could be fined? Basically, on a pure business costs basis, what makes more sense, breaking GDPR or breaking CLOUD?

I would guess, breaking CLOUD makes more sense. If they breach GDPR then there's obviously the whopping fine, but there's another element to it. If they show that they simply cannot abide by GDPR (due to US domestic laws) there's also the loss of business to factor in.

No European business could use their services for anything which might fall under GDPR without putting themselves at risk. Taken to the extreme, it'd essentially push them out of the European market completely.

19
0
Ben Tasker
Silver badge

Plus, if MS take a while to evaluate the warrant, and then object to some or all of it, it drags the timeline out.

Meaning, GDPR would likely be in force when they complied with the warrant. The only way they could avoid that, would be to comply swiftly and fully, but they've then set a precedent for themselves with any future warrants.

Rock and a hard place, I'd say.

20
0


Biting the hand that feeds IT © 1998–2018