Posts by Kanhef

601 posts • joined 3 Nov 2007

Tesla autopilot saves driver after he fell asleep at wheel on the freeway

Kanhef

Re: Self-driving cars don't need to be perfect to be deployed

An immediate slowdown or emergency stop at any uncertainty is extremely reckless and will kill people. Not could, will. It sounds like a great idea for a car on an empty road or test track, but think about the consequences if you're being tailgated, or are in dense 70 mph freeway traffic, or have a passenger who isn't wearing a seatbelt.

Remember that the majority of collisions with Google's self-driving cars occurred when they followed the rules of the road as written, but the person behind them wanted to run a yellow/red light.

Here are another 45,000 reasons to patch Windows systems against old NSA exploits

Kanhef

Numbers

1.7 million hosts behind 45,000 routers comes out to an average of almost 40 hosts per router. Seems like someone's been targeting larger corporate networks, which really have no business using UPnP.

Groundhog Day comes early as Intel Display Drivers give Windows 10 the silent treatment

Kanhef

WINE is also a volunteer project, made by people in their spare time. They also had to reverse-engineer the entire Windows API, including its many, many quirks. Considering that, they've done pretty well.

Rather than re-implementing the same, 30+ year old, crufted together API, I'd rather see them design a new, modern OS with a WinAPI virtualization layer. Somewhat like what Apple did with OS X and the Classic environment.

Microsoft Windows 10 October update giving HP users BSOD

Kanhef

Re: Shove It Out The Door

In addition to an interest in computers, I spend a lot of time dealing with structural steel fabrication. It's astonishing how different the attitudes in these two worlds are. Computer programmers tend to take the approach of "it compiles - ship it". Security, efficiency, quality in general seem to be an afterthought at best. Structural engineering is governed by various industry codes, which make frequent use of the word 'shall', and often have the force of law. If a structure fails, and the designer or fabricator did not follow the relevant code(s), they can be held liable for that failure. I wonder if something similar is needed to tame the Wild West of programming: an RFC or ISO standard that establishes requirements for the design and testing of quality software. I wouldn't want it to be too restrictive, to allow development of new languages and methods of development, but at least set a minimum standard for proper engineering of software, extent of testing, what sorts of bugs identified during testing must be fixed before shipping.

It's probably impossible to prevent all bugs and security flaws, but we ought to be able to do something about this chronic parade of embarrassingly bad mistakes from companies that have the resources to do better.

'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

Kanhef

Re: Default passwords? In this day and age?

And not only that, but 12345? Have people not seen Spaceballs?

Boffins build the smallest transistor, controlled by an atom

Kanhef
Coat

Of course it has potential

they applied voltage to it.

How evil JavaScript helps attackers tag possible victims – and gives away their intent

Kanhef

Re: Obfuscated JavaScript and browser useragent redirects

Virus writers have been doing similar things for years. Over a decade ago, I found an infected website that used similarly obfuscated code to extract the browser and JS engine version numbers and sent them as part of a GET request to another domain, which presumably delivered the actual virus. Visiting that domain without providing a vulnerable version returned an empty document. Not too surprising that they'd be looking for other, more subtle ways to identify browsers.

Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

Kanhef

Re: Not about encryption

Because they're worse than useless: they make a site look secure, but don't actually make it any more secure than an HTTP-only site. Anyone can write a self-signed cert for any domain, so MITM attacks are easy: the attacker just makes their own self-signed cert, and it looks just as valid as the original.

Kanhef

Re: Money talks...

What happens if and when someone is able to hijack the DNS record? By changing the public key, they can redirect traffic to a site they control which will be 'verified' as the real thing. Putting both address and authentication information in the same record creates a single point of failure.

Y'know... Publishing tech specs may be fair use, says appeals court

Kanhef

How far should it go?

Many specifications reference other standards. For example, say you want to build a data center. Most jurisdictions will require that you follow the International Building Code (IBC) for the structure, and I'm not even touching fireproofing, electrical, HVAC, etc. here. For the steel frame of the building, IBC says it shall be constructed in accordance with AISC 360. That will in turn require you to follow AWS D1.1, which invokes other standards for several things. Then you have steel decking, rebar, concrete, soil preparation, and so on. Even if the standards incorporated into law themselves are made available, they directly and indirectly require the use of dozens of other standards. Should all of those be made freely available as well?

Hey cool, you went serverless. Now you just have to worry about all those stale functions

Kanhef
FAIL

Article reads like

someone had £10,000 to spare.

In the last 20 years, I've come to expect quality from The Reg, not 'articles' that are just dressed-up industry PR pieces.

Wish you could log into someone's Netgear box without a password? Summon a &genie=1

Kanhef

That's no vulnerability

It's a deliberately coded backdoor. Time to start investigating why it was added to the firmware, and who was behind it.

Portland posts full report on Uber's dirty dealings with Greyball

Kanhef
Joke

What employees? They're all independent contractors.

How to pwn phones with shady replacement parts

Kanhef

Most shops don't have the ability to fabricate or program components like this; I'd worry about problems starting much higher in the supply chain. I can see a (probably Chinese) component manufacturer being paid to include ad-injection code. Not terribly different in principle from the bloatware cruft that PCs come preloaded with so often, but much harder to get rid of.

Overcharge customers, underpay the serfs. Who else but Uber (allegedly)

Kanhef

As far as user experience, this wasn't a bad idea. It's fairly common in some industries (e.g., restaurants) to provide worst-case estimates of wait times, so that when customers are provided service sooner than estimated, they are pleasantly surprised. So it's not unreasonable to give the passenger one estimated arrival time, while giving the driver a route that will get there slightly earlier, barring unexpected traffic delays.

What will get them in trouble is if they have been calculating charges and payments separately, as the lawsuit alleges. Without highly-improbable macroscale quantum effects, both routes cannot be taken at the same time, so either passengers are being charged for more time and distance than they actually spent in the car, or drivers are being paid for less time than they actually spent driving. Whichever one it is, that's a pretty strong case for fraud.

Bluetooth-enabled safe lock popped after attackers win PINs

Kanhef

Re: Bluetooth lock reasons...

It's the same reason many companies have switched to electronic door locks. When properly implemented, each person has a unique access code. Hard to duplicate, usage can be tracked, access can be revoked without affecting anyone else. Of course, when it's not properly implemented – as in this case – it ends up weakening security.

Windows 10 Anniversary Update completely borks USB webcams. Yay.

Kanhef

Re: Just a thought

I've been struggling to come up with a reasonable situation in which one would do this.

If you're sending video from one webcam to multiple recipients, you're probably using a single program to do it.

Using multiple programs for multiple video sources could make sense (for example, videoconferencing on a webcam while sending security camera footage to archive storage), but that situation is unaffected by this change.

I suppose you might want to split a video source if you want to stream live footage over the internet and record it at the same time, but only if you're using brain-damaged programs that can't do both.

Classic Shell, Audacity downloads infected with retro MBR nuke nasty

Kanhef

UAC limitation

A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.

VC vampire: Peter Thiel wants to live forever

Kanhef
Boffin

Garlic is not an onion

They are both alliums, but they are not interchangeable.

TechCrunch defaced by self-professed 'white hat' hackers

Kanhef

Probably not even hacked

The 'we never change our passwords' bit suggests that they found his login information in a data dump from a years-old breach and decided to see if it still worked.

Microsoft's 3D Jedi phone explored

Kanhef

Interesting idea. Since it seems to have trouble with too many things moving at once, I wonder if it would work better for desktop monitors and large, fixed displays rather than phones.

Microsoft's cringey 'Hey bae <3' recruiter email translated by El Reg

Kanhef

Re: What could go wrong?

At least Microsoft has helped answer the question of why women don't want to work in the tech industry.

FBI's iPhone paid-for hack should be barred, say ex-govt officials

Kanhef
Black Helicopters

Obvious loophole

As long as they keep at least one ongoing investigation using a given vulnerability, it never has to be disclosed. If they're only using an exploit on one person, drag out that investigation until they can get another one started.

Astroboffins' discovery gives search for early life a left hand. Or right

Kanhef
Boffin

Re: As Science notes, propylene oxide isn't an organic molecule;

To be pedantic, organic chemistry originally was the study of compounds found in living things, and inorganic chemistry was everything else. After Friedrich Wöhler demonstrated that urea (a known organic chemical) could be synthesized from inorganic compounds, they had to scrap that definition and redefined organic chemistry to be about carbon instead.

FFS, Twitter. It's not that hard

Kanhef

Conversation-based ads

Ads based on a celebrity event, or sports game, or TV show are reasonable. Nobody really likes ads, but they can understand why they're there and no one will raise a fuss about it.

Then someone like David Bowie dies, and everyone talking about it sees ads for Bowie-themed merchandise, and it looks like a crass attempt to cash in on someone's death.

Then you get an incident like what's currently going down in Orlando, Florida, and everyone sees ads for guns. People get upset, looks like Twitter is happy to profit from a tragedy, lots of drama and PR damage control.

So maybe this isn't the best idea.

RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level

Kanhef

The problem with having a software-defined return address stack is that there's nothing to keep malicious code from manipulating it; as far as the processor is concerned, it's just another region of the process' memory. A hardware-defined shadow stack can more effectively restrict access: the processor itself is the only thing that should manipulate this area of memory (as a side effect of call and return instructions), so any attempt to alter it directly can trigger an exception.

I'm not intimately familiar with x86 instructions (I'd rather be dealing with Power or ARM), but it looks like this could be defeated if there's a way to write arbitrary data to the EIP register. Overwrite EIP, call the next instruction, and you've put your desired return address on the shadow stack.

Mark Zuckerberg's Twitter and Pinterest password was 'dadada'

Kanhef

Re: Making a hash of things

If someone steals the database, they don't need to reverse the hashes. They'll just throw a dictionary file at your hashing algorithm and look for matches. Doesn't take too long to brute-force every password up to 6 or 8 characters long as well. This is why you should be salting the passwords before hashing them, and forcing users to have sufficiently long passwords.

Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads

Kanhef

I suspect the ad networks' inaction is a deliberate strategy, even though poisoned ads have been a known problem for years. As long as they act as a neutral host without filtering anything, they can claim they're not liable for anything that happens. If they try to block bad ads, they could be blamed for anything that they don't catch.

Corporate lawyers can suck snozzberries.

Nest's bricking of Revolv serves as wake-up call to industry

Kanhef
Joke

Unfair comparison

A tub of hummus is quite useful – and delicious.

Confused by crypto? Here's what that password hashing stuff means in English

Kanhef

Re: Question

I think it's just a matter of efficiency: the hash is much shorter than the original message, so encrypting and decrypting the hash takes less time than double-encrypting the entire message.

Norman Conquest, King Edward, cyber pathogen and illegal gambling all emerge in Apple v FBI

Kanhef

Thirteenth Amendment

bans both slavery and involuntary servitude (except as punishment for a crime), so it's actually quite relevant here. The judge may not agree that it's a good argument, but it's not unreasonable to try to make that argument.

'Boss, I've got a bug fix: Nuke the whole thing from orbit, rewrite it all'

Kanhef

The biggest problem I see with the OpenSSL code is that it leaves you at the mercy of your compiler/optimizer. You have to trust that the optimizer will properly traverse all possible code paths and not strip out the entire if (0) block as unused/unreachable code. It may work fine for whichever compiler and optimization settings the developers used, but there's no guarantee it will work for everyone else.

Google to snatch control of Android updates from mobe makers – analyst

Kanhef

Re: And the FCC will say ... exactly what to this?

If Nokia hadn't sold out to Microsoft and killed Symbian, there might still be a viable alternative for manufacturers to switch to. Ironically, it probably would be easier for Win10 to get a foothold in the market if it was more fragmented between iOS, Android, and Symbian.

Socat slams backdoor, sparks thrilling whodunit

Kanhef

Re: Interesting point.

Definitely not obvious - at least it didn't end in a 5 - but at the same time, any decent factorizing program would have reached 271 fairly quickly, so it's clear they didn't double-check the number in the code for primeness. Since one of the factors is so small, my guess is there was a typo of some sort; if I wanted to backdoor an encryption routine, I'd use a semiprime whose only two factors are roughly equal in length (~150 digits in this case), so it would take some significant number crunching to discover that it's not prime.

Sorry slacktivists: The Man is shredding your robo responses

Kanhef

As I recall from when the FCC was soliciting comments on net neutrality, they essentially analyzed responses for uniqueness and discarded duplicates. Seems like a good way to keep form letters from dominating the responses without having to scrap the entire thing.

India just about accuses Facebook of faking Free Basics fandom

Kanhef
Mushroom

Re: Free Basics?

They were also just the right size to use as blast shields for model rockets.

Microsoft: We’ve taken down the botnets. Europol: Would Sir like a kill switch, too?

Kanhef

ISP filtering makes a lot more sense. If malicious traffic is detected coming from a particular IP address, they can sinkhole anything coming from it until the issue is fixed. Redirect any webpage requests to an information page explaining the issue and how to obtain tech support to fix it. No backdoors needed, and if they ever finish rolling out IPv6, individual devices can be blocked rather than cutting off an entire household.

Basho bashed by bolshy backer, ex-boss claims in court brouhaha

Kanhef
Paris Hilton

Business logic

"The company I started lost money, so I'm going to sue them to take even more of their money, because somehow that will fix things."

Microsoft's 200 million 'Windows 10' 'devices' include Lumias, Xboxes

Kanhef
Holmes

Maths

11 billion device-hours in December using Windows 10. 200 million monthly active Windows 10 devices. 31 days in December.

On average, each device is being used for 55 hours per month; less than two hours per day. Of course, some get used much more than that, which means many of their 'monthly active devices' are hardly being used at all. Not exactly encouraging numbers.

Riddle of cash-for-malware offer in new Raspberry Pi computers

Kanhef

Disappointed

that they redacted the email. Would be nice to expose some of the people who are behind this crapware.

Hello Barbie controversy re-ignited with insecurity claims

Kanhef

Re: The whole problem is the cloud mentality

Another problem: I'll bet the URI the voice data is sent to is hard-coded in that firmware. Hack the home router (and frequent Reg readers will know how secure those are), set a rogue DNS, and a malicious server can intercept everything it transmits. Knowing how well IoT devices are designed, there probably isn't any attempt to verify the identity of the server it's talking to.

The manual says it will automatically download and install software updates. Hopefully that process isn't vulnerable to the same sort of MITM attack.

Don't flip your lid: The Internet of Helmets has arrived

Kanhef

Might work well in welding helmets; the autodarkening ones are already powered by photoelectric cells.

Alumina in glass could stop smartphones cracking up

Kanhef

Re: It may be stiff enough (snigger)...

The article talks about how hard and stiff this glass is, but for a screen you really want toughness and a bit of elasticity. When a phone is dropped, it should be able to flex slightly to absorb the impact without cracking.

Linus Torvalds fires off angry 'compiler-masturbation' rant

Kanhef

Re: There is code smell in here

2) The size of a struct can be determined at compile time, no need to store it in a variable. Hardcoding the value isn't a good idea, as it reduces platform independence, maintainability, and readability.

3) I'm not familiar with the code in question, but 'mtu' is probably a local variable, initially set to the MTU size and decremented as a packet is processed. You could use a 'packet_size' variable instead, but then you'd have to look up the MTU size every time you check for overflow, whereas this way you just check if 'mtu' is negative or not.

Ruin your co-developers' life with Mimic, the Unicode substitution tool

Kanhef

A variation

Write a program that makes substitutions only in variable names and classes/structs/etc. (but not standard library ones). The code will still compile and run the same, but trying to change it would be a nightmare. Might be useful if you have to let someone see your code, but don't want them to steal it.

Hats off to Nintendo’s platform supremo Super Mario Bros at 30

Kanhef

Re: There's no save in Super Mario 3

There's a save feature in the Virtual Console version on the Wii/3DS, but definitely not in the original.

Amazon to trash Flash, as browsers walk away

Kanhef

Re: Hading a good time reading El Reg

Even with that typo fixed, it still doesn't make sense grammatically: "since [they] have decided Flash into either won't play or won't play automatically". Seems like someone started writing one sentence, got distracted, and came back and finished a slightly different sentence – I've done this myself more than a few times.

Also, the badness of Flash has been discussed to death here already. Mocking typographical errors is more entertaining than reading the same comments over and over again.

Enjoy vaping while you still can, warns Public Health England

Kanhef

Re: Middle way is of course, as always, the right way.

Someone showing common sense and decency? Have an upvote!

John McAfee cuffed by Tennessee cops, faces drug-driving, gun rap

Kanhef

Isn't it past time

we stopped giving people attention for being stupid?

We tried using Windows 10 for real work and ... oh, the horror

Kanhef

'HERE' is actually the name of the map company: here.com. Still could use a link, though.

Biting the hand that feeds IT © 1998–2018