Posts by Frank Bitterlich

Let me see if I get this right...

So,

1. some people publish unsecured content,

2. use an URL shortener on the URL, and

3. believe that this protects the content they published.

Could somebody remind me again why these "researchers" think that the actual vulnerability is in the URL shortener? Just because they fail to keep the long URL "secret"?

Sure, go ahead and encourage stupid internet users to stick the blame on others when they're too dumb to protect their content because they have no clue about the hosting service they're using.

"We have to put our stuff on the internet." -- "Why?" -- "Don't know, the article didn't say that."

If you think that's the right solution...

... then good luck with that. If you don't want me to see your "quality journalism" without at the same time accepting you to push in-your-face jumpy noisy annoying ads down my throat, then I might not be part of your target group.

Good luck with those remaining visitors who apparently don't see a correlation between the advertising behaviour and the quality of the "journalistic" content that is trying to sell these ads.

"We can help you interact with businesses or services..."

Thank you for that kind offer, Mr. Zuckerberg, but I'm all grown up now and have a fully functional web browser, so I don't need your "help" with that.

But I suspect that the trend of companies and organizations thinking that having a Facebook page is more important than a real website will only get worse.

When I repeatedly state that I do not and will not ever have a Facebook account, some people still look at me like some kind of idiot who lives in the past. Good luck, mankind, with that level of ignorance.

Costing money? How?

So, we're talking about tracks that are not available for purchase. Which makes me wonder how "... would still have been costing the legitimate music companies money ..." could be working. Other than general "home taping kills music" arguments.

Oh, and I call BS on the "legitimate" attribute.

What's the point?

The article says:

This data included WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, as well as WhatsApp phone call duration metadata and associated date-time stamps. They also were able to acquire WhatsApp's phone call voice codec (Opus) and WhatsApp's relay server IP addresses used during the calls.

So, this "collecting" phone numbers, call duration and other stuff is clearly what WhatsApp needs to make the call.

Don't know exactly what the article is about. Somebody has looked into WhatsApp traffic and fails to find someone with their hand in the cookie jar?

I need the list of affected apps...

... just to compile a personal blacklist of app developers whose apps I'll never use or download again.

Because if their devs are so utterly clueless, their apps are dangerous even without this compromise.

@TeeZee: God help us. We really are truly f...ed. Indeed.

Sure, "human error"...

Once again, the blame will be on the individual making the copy-and-paste mistake. Or maybe their immediate supervisor.

And nobody will ask the really important questions. Like, why the hell are they using desktop email programs send out newsletters? And why do they have no safeguards in place (like leak prevention rules on their mailserver) to prevent this? They are working in the most privacy-sensitive medicine branch, why don't they have management-level data protection people? Or if they have them, what kind of qualification do they have?

But of course it's much easier to fire some secretary for "not following the rules."

Newspeak...

"Customer experience" => Data grabbing

consent.exe => "No need for you to consent, it's all in the EULA."

"By applying this service, you can add benefits..." => "That's benefits for us, not for you, of course."

Hardcoding the host address: "Preventing us from siphoning you usage data? Ha ha, nice try."

The MS legal department must be bored, so they're trying to pick a fight with various data protection agencies.

Good to read that they are considering...

... to remove the word "now" from the ads. Now the world is safe again.

In Russia, ....

In America, you download operating system.

In Russia, operating system uploads you.

(Yeeees, I know, that one was predictable.)

GPL == security?

... criteria being considered include whether the project is under an explicit open source license ...

OK, so choosing the right license will contribute to the security of my product?

Wow, I didn't know it was that easy...

Combine the useful with the creepy...

... as in "Combine an app that shows free parking spaces with a gadget that sniffs around in your car's data and your driving habits." None of the users will question whey these two things need to be combined or even understand that they are constantly being monitored.

I just wonder why the OBD-II gadget doesn't feature a CCTV camera and voice recorder.

The definition of "security"

So, some security agencies are trying to disable security software in order to keep us all secure (from whatever threat of the day may be). And some of these security software companies apparently don't need to be fought/hacked/persuaded for unclear (read: obvious) reasons.

Seems to me that there are a number of different definitions of "security" out there.

"I go down to Speaker's Corner I'm thunderstruck [...] Two men say they're Jesus – one of them must be wrong..."

This site is best viewed...

... with any browser other than Firefox.

Will be fun to see these statements popping up again just like in the old days.

Oh, and good luck trying to upgrade all these appliances with their built-in webservers to support HTTPS.

Obsolete? Upgrade?

Looks like Apple didn't send a batch of free watches to The Reg or iFixit. That would explain the weird arguments like "not offering an upgrade program". What was the last watch you bought that comes with a way to "upgrade" it? Or which smartphone, even (other than upgrading the software)?

And sure, if you can't upgrade it, it must be "obsolete" in 10 years. "Unlike most watches", of course. Who makes that stuff up? Any digital watch technology is outdated after 10 years (oh, and mechanical watch technology too, btw.) Would you call a chronograph built 20 years ago "obsolete" and toss it into the trash? Because you can't "upgrade" it? OTOH, Apple's watch is more closely related to a smartphone than to a watch, and of course you can (hardware-)upgrade smartphones. Right?

Reg, your Apple-bashing is funny up to a certain point, but at some point it's enough already.

Blame Game

I wonder why so much focus is put on the part that the router was meant for home use and not SMB. Would that have made a difference if it were a home network (not a few people use Asterisk PBX at home too) ? Yes, one difference: The SIP passwords would more likely have been "123456" instead of 256 bit.

Also, there are more than enough valid reasons to use SIP on the same subnet. One of them being that you might want to use software-based SIP clients.

To me, the router is broken. A firewall is not a firewall if it doesn't obey its configuration. And enabling UPnP funtionality when UPnP is off (if it is true that the router actively searched for a SIP device, then it's probably not really UPnP, but even more troubling), in my eyes, is "broken" too.

"Sure, Sir, that belt you just bought doesn't work, but it's you own fault that you didn't wear suspenders too."

I wonder...

... how compatible it is with the DMCA rules to make a complainant accept arbitrary conditions in order to "accept" a complaint.

"By submitting this complaint, you agree to your SSN and credit card details being sold on a chinese black market website. And also, we sign you up to our newsletter."

Keyless Vehicle Theft...

This story has a less technical viewpoint than expected (for me at least). "Keyless Vehicle Theft" means theft without a key (which I'd guess covers at least 95% of all car thefts). Not necessarily a keyless car. While the Met police article links to another one on the methods of stealing keyless cars, I'd guess this is the exception rather than the rule.

So, read "keyless" as "jamming a screwdriver into the ignition lock" rather than "mad scientist cracks OBD encryption key using an abacus and duct tape" in most cases.

I still wonder how complicated it really is to forge wireless keys from the available data (via OBD).

Does not compute...

Can anybody enlighten me on how anybody who has been on this planet for longer than six weeks would ever invest large sums of money into a Hong Kong-based sub-company of another company that has a "sole director" (who apparently does more successful business on Virgin Islands), promises extraordinary large gains, and that requires you to bring new marks into the game (sorry, "sign up new investors") in order to get your money back?

And how these people have made a fortune (apparently) while being that stupid? I mean, come one, they cannot *all* have inherited their wealth, can they? Lottery winners, maybe?

Metrics?

I suspect that what they do is to scan the black app markets for anything malicious that uses the name or look of any of the top apps, and if they find one, voilá, "WhatsApp has been HACKED!!!111!!!"

Try to offset the actual number of malicious or really "hacked" instances of downloads to the total number of (legit) downloads of those top 100 apps, and come back when you have real numbers. Thank you.

I'll take that report for what it is: advertising disguised as a "press release."

Really? Again?

That would be the Apple Death Knell™ #65, right?

"In other news, Fred Wilson announces new startup that has something to do with the cloud and does think about data."

Visibility - WTF?

"...that if visibility is reduced to three metres, [...] even top end cameras couldn’t see beyond 10 metres."

No, dude. If the visibility is reduced to three metres, then top-end cameras can't see beyond 3 metres. That's what "visibility" means. OTOH cameras tend to be mounted a bit higher than eye level which sometimes improves visibility in smog a tiny bit.

But to me the idea of improving visibility by software sounds a bit like "24": "Can you zoom in a bit on that pre-recorded QVGA CCTV picture?" - "Sure, here it is, I've converted it to 4k resolution for you. Would you like me to switch on 3D?"

Works as designed

A good voting app should show the results as soon as they have been determined. If the results have been <del>fixed</del> determined that early, why not let the public know... The OECD will be impressed with this level of transparency.

So just to make sure I get it right...

... the traveller is supposed to (a) pay a premium and (b) *list* the contents of their luggage (guys, looks like you need to add a few fields to the Passenger Name Record), and as a reward the airline won't lose your luggage. Or at least, they'll notice when they do.

"What a nice suitcase you have... would be a shame if anything happened to it, no? How about joining our new RFID-tagging program for a small fee, and we'll make sure nothing... "bad"... happens to your luggage...?"

Want to make this guy go mad?

Anybody want to mail him this URL?

http://www.google.com/search?q=Slonopas+666

He'll probably sue Google afterwards.

Some Math...

OK, if they really sent out up to 840k messages per day (which seems a bit high to me), let's assume they did on average 100k messages per day and operated this for, say, one year, roughly 200 days (without the weekends and such). That makes some 20 million illegal text messages. A fine of 440k makes the steep price of £0,000022 per message. This is probably less than 1% of what they paid their operator.

So that's what "new powers to levy heavy fines" means. That will teach them. They will probably never do this again.

No purpose?

So, "relevant authorities" said that "no purpose was served by notifying members". Oh, OK then. After all, they are authorities, and relevant. So they must know best. After all, who wants to know that crooks have lifted your debit card details and all kinds of personal info...

Unbelievable.

Great idea...

"... or record how someone connects manually for the benefit of other users."

I don't see what could go wrong with that technique... until one day a not-so-public, not-so-free Wifi AP somehowm manages to get onto their list of "Wifi Hotspots" and <del>snitches</del> records the login of some poor soul.

Not the best "naming convention"?

Well, duh, it's called a "language", not "naming convention." Get yourself a Farsi dictionary, Mr. Kemp.

So, they were "stealing"...

.. the kit, not buying it, for export?

"The defendants tried to take advantage of America’s free markets to steal American technologies for the Russian government."

Well, the music industry has already tought us that "stealing" does not mean "take something away from someony without paying", but rather "buy something, pay for it, and then do something with it that the seller [or a third party] doesn't like." Looks like the DoJ likes this particular piece of newspeak.

Next up: Classify the purchase and smoking of Cuban cigars as "arson". Or, better yet, as "terrorism".

Messy affair

I once had a can (same stuff of a different brand) exploding due to corrosion on the bottom edge of the can (apparently caused by the leaked stuff slowly eating away on the can's paint.) Anyway, the artful pattern on the wallpaper in my living room was a thing to behold.

It happened at night, though, so my eyes are still fine. Anyway, since then I keep that can in a plastc bage when not in use, just to be sure.