* Posts by Paul Crawford

3218 posts • joined 15 Mar 2007

Encryp-xit: Europe will go all in for crypto backdoors in June

Paul Crawford
Silver badge

This is the European Commission speaking, largely a mouthpiece for the various EU governments. As such the tech companies should call their bluff and force it to a vote on a law (with explanations of how such a back door won't be discovered and abused) to the European Parliament. Many MEPs don't share the same authoritarian streak and it might just get kicked back when the public realise how their own privacy is being screwed over.

12
0
Paul Crawford
Silver badge

It won't. Not one bit.

What it will do is try to pacify politicians screaming "something must be done!" to appease Daily Fail-style readers all over Europe.

17
0

Windows 10 Creators Update: Clearing the mines with livestock (that's you by the way)

Paul Crawford
Silver badge

When I read that my WTF meter went into the "Oh, this is going to be fun (for a non W10 user)" region. Have we got enough popcorn standing by for those poor users who find they can boot their machine after some weasel-worded upgrade?

0
0

Virgin Media suspends 4 staff over misreporting connections

Paul Crawford
Silver badge

Re: My experience with Virgin Media has been reasonable

If you really want something stable and under your control - don't use any ISP-supplied router / wifi point.

Get something half-decent that supports an open firmware such as DD-WRT or Tomato (say Linksys WRT1900ACS or similar, maybe also a switch or fancier device to do both) and spend an hour or so reading up on it, installing and configuring it.

Don't forget to set up a separate IP range for "guest WiFi" so your visitors and any dodgy devices (like most Android phones...) are not on any moderately trusted internal LAN's range (also you can bandwidth limit that so they don't throttle your business use). You can also set up a VPN on such a router if you value your privacy, but depending on your usage it might be better to keep the VPN option for mobile devices and/or any machines you use for sensitive data and don't need top-speed or the fixed IP address.

0
1

BDSM sex rocks Drupal world: Top dev banished for sci-fi hanky-panky

Paul Crawford
Silver badge

Salem reunited

So we have an example of beliefs being used against someone, but because it's not, for example, anti-Semitic or anti-Muslim there is little legal challenge of it nor any apparent need for those in charge to fully justify their actions. Even the accusation of witchcraft these days will get little mention.

Has his interest in Gorean role-playing caused any harm? Have there been any cases of play-partners presenting stories of abuse? If not the Drupal team should shut the fsck up and get on with developing software, not acting as moral police for communities who are probably able to make their own minds up (no matter how odd it seems to most of us).

87
3

Ex-military and security firms oppose Home Sec in WhatsApp crypto row

Paul Crawford
Silver badge

Re: @ MNGrrrl

If I could up-vote you 100 times I would!

The sad thing is we are dealing with vain and ignorant politicians who want to appeal to the tabloid-reading masses and think that a "technological solution" like backdoors will make that quick and cheap.

It won't, it will fail in its prime goal and cause untold damage to the millions of innocent law-abiding people who have a right to privacy and to secure business dealings.

11
1

Manufacturers reject ‘no deal’ Brexit approach

Paul Crawford
Silver badge

Re: It'll be fine

"European Council, in agreement with the Member State concerned, unanimously decides to extend this period"

And you can see all of the EU members doing this to help the UK out? Really?

26
0
Paul Crawford
Silver badge
Facepalm

Re: Speculating

EEA is the least-worst option for UK industry.

But it will piss off the right-wing voters who (largely) wanted Brexit and they are Mrs May's voter base for now.

What do you expect a politician to do? What is best for the country, or what keeps themselves on the gravy-train?

15
3

Trump's America looks like a lousy launchpad, so can you dig Darwin?

Paul Crawford
Silver badge

Re: Cubesats == more space junk

If put in low 250-350km-ish orbits they won't be up for so long as to cause a junk problem.

Sadly many are in the 600-800km altitude range where they will be for decades or longer :(

2
0
Paul Crawford
Silver badge

Re: Fuel + oxidizer = thrust

If you look around you should find:

http://library.sciencemadness.org/library/books/ignition.pdf

It's an informal history of the development of liquid rocket fuels. It is an eye-opener of a read for anyone with interest and even a basic grasp of chemistry. Some of the stuff they considered and even tried just beggars belief! But given the original goal was to deliver terminal global nuclear destruction to the Earth I doubt the toxicity or handling problems were very high on the agenda of the day...

(Note the PDF won't show correctly in Firefox but looks OK in evince or probably other PDF readers of your choice)

10
0

Bloke whose drone was blasted out of sky by angry dad loses another court battle for compo

Paul Crawford
Silver badge

Re: I had my Glock on me

I suspect if you had just shot down some knob-end's toy you might be wary of a visit by said knob-end and some of his "hard when in a group" friends.

Personally I think America's gun laws are damn stupid, but when in Rome do as the Romans do...

8
0
Paul Crawford
Silver badge

Here was I thinking he was a simple knob for buzzing a family with his toy. Now it seems he has gone that extra litigious length to prove he is really a "grand knob of the 1st order".

152
4

Carnegie-Mellon Uni emits 'don't be stupid' list for C++ developers

Paul Crawford
Silver badge

Re: Oh, goodie!

"FORTRAN is basically a universal assembler"

Not really. While *ALL* compiled languages eventually result in assembly-level instructions, C is a slightly special case in that it allows quite easy means of arbitrarily addressing memory locations and interacting with asynchronous events such as signals/interrupts. It also has many bit-wise sort of options in terms of manipulating integers, bit fields in structures, etc, that are useful for hardware driver I/O, etc.

That is not part of the usual FORTRAN syntax nor (I presume, not used) COBOL. E.g. FORTRAN 77 had no memory allocation support, you had to define fixed-size arrays at the start.

0
0
Paul Crawford
Silver badge

Re: Coverity is decent

It is also available free to FOSS projects.

While there are numerous warnings that can be ignored, the golden rule for all such code-profiling tools is to make sure you understand the nature of the warning before you fix it or ignore it.

Also worth a mention are some free (at least on Linux, maybe others?) memory checking tools like valgrind and the good old electric-fence library. While not checking your source code as such, they do help with detecting run-time memory errors such as double-free, leaks, etc.

1
0
Paul Crawford
Silver badge

Re: That's why an OS shouldn't be written in C/C++

Oh yes, most of the OS kernel should as it needs that sort of memory wrangling and I/O poking sort of thing.

Most of the user-land tools and utilities probably not...

3
0
Paul Crawford
Silver badge

Re: Oh, goodie!

Remember this: C is basically a universal assembler, created to allow an OS to be written in a largely machine-independent manner. As a result it allows all sorts of potentially dangerous actions (in particular pointers, but not helped by some of the more odd/obscure syntax that sticks around).

Rule #1) If you can't program in assembler with any degree of success then don't use C

Rule #2) C++ adds some better features, and adds some worse features

Rule #3) If safety is more important than performance or universal support use another language.

Rule #3.9999999) Don't use flaky Pentium FPUs

16
2

Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals

Paul Crawford
Silver badge

Re: so why not just use Dropbox?

Because they can all spy on you?

If you are going to use cloud storage then go for one of the "zero knowledge" types like Sync, SpiderOak, etc, that allow you to hold the only encryption keys for your data.

7
1

Softcat purrs as customers buy early to dodge Microsoft hikes

Paul Crawford
Silver badge

In related news, sales of KY jelly reached record levels in December...

2
1

Error prone, insecure, inevitable: Say hello to today's facial recog tech

Paul Crawford
Silver badge

What?

" the faces of 125 million US adults have been stored in criminal facial recognition databases"

Is my arithmetic, etc, wrong or is that about half the US adult population?

1
0

Microsoft delivers secure China-only cut of Windows 10

Paul Crawford
Silver badge
Joke

Re: So...

Can we in the west get a choice of who spies on us please?

20
0

Linux-using mates gone AWOL? Netflix just added Linux support

Paul Crawford
Silver badge

Re: I would expect high quality ripping to be a problem for Netflix

Let's face it, you can already get high quality rips of practically everything on the torrent sites. This is unlikely to change those dedicated pirates one bit.

But for the rest of the world it makes sense, if you can get stuff legally and without hassle it's worth paying a modest amount for.

15
0

Wang, bang, thank you, mang: Acer exec off to sell PCs for Lenovo

Paul Crawford
Silver badge

Good to see the crap-ware has not been forgotten by the decent press.

Maybe Lenovo could look at what users want and are willing to pay for, off the top of my head:

1) No crapware or shitty trials to clean off a new machine

2) Choice of OS perhaps? OK MS stopping Win7 ain't going to help.

3) Good screen size and resolution on laptops. None of the shitty <= 900 lines stuff.

4) Useful connector option: at least a couple of older USB-2 style, HDMI, Ethernet and maybe USB-C reversible types.

5) Some hardware switch to hard disable camera, microphone and wifi/bluetooth. Oh and status LEDs to match in a visible place (same for HDD activity and power LED - wtf were HP doing putting them on the side out of view?) so you know if on or off and don't arse around wondering what software is broken.

4
0

DNS lookups can reveal every web page you visit, says German boffin

Paul Crawford
Silver badge

Re: RaspberryPi + PiHole

Configurable, surely?

3
0
Paul Crawford
Silver badge

Re: How do you defeat against your own ISP recording your browsing history?

"But can you REALLY trust those VPN providers to actually have the servers located in the countries listed AND not talk to Five Eyes on the sly?"

In any absolute sense - no

But the probability that they do honour the privacy guarantee is much higher than the probability of my ISP preserving my privacy.

Also I don't really have much to fear from the "five-eyes" style of secret service spying, but I do have much to consider if I end up in some dispute with some petty local bureaucrat who can access my web history and I can't access theirs. That is the whole point - to reset that asymmetry in power that the snooper's charter provides.

3
0
Paul Crawford
Silver badge

Re: How do you defeat against your own ISP recording your browsing history?

Very simple: use a VPN provided from another country, ideally one without odious retention policies.

Don't use the PPTP protocol as it's pants in security, ideally use OpenVPN. Then check the VPN is doing its job by visiting one of the test sites (such as ipleak.net or check.ipredator.se etc)

But as others have pointed out, using DD-WRT or similar on your router plus ad-blocking will go a long way for this particular attack. You can even buy routers pre-configured with DD-WRT and VPN in there so all of your home devices get privacy (not too cheap though).

0
1

Google Spanner in the NewSQL works?

Paul Crawford
Silver badge

Re: What time is it?

Exactly, if you use NTP and lose the time server link you get drift, but if you have local stratum-1 servers (i.e. time-servers that get their time from an atomic clock either directly, or most commonly from GPS time-transfer) that simply should not happen.

Still, all that using 'time' as a marker does is reduce the window of uncertainty in any split-decision issues, it's not like an atomic (computing sense) transaction counter or similar that could be used to eliminate it. After all, you will get some variation in packet delays from originator(s) to SQL-like server(s) so time is not an absolute marker for event order in this case, but if you know your worst-case error is only tens of microseconds then you can at least narrow the window of event/decision uncertainty to be resolved.

Also (back to another rant of mine) to Google time-smoothing - that is a bad idea, but only needed or possibly justified if you use time_t / UTC as your system clock. How do you guarantee drift at stable rates? Keeping all system clocks on atomic time (e.g. GPS, or TDT) avoids the leap-second issues and allows reliable syncing to an atomic-disciplined local clock.

1
0
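An added worked example (mine, not the commenter's) of the point above about time only narrowing the window of uncertainty: each event carries its clock reading plus that clock's worst-case error, two events can only be ordered when their uncertainty intervals do not overlap, and shrinking the error bound (tens of microseconds from a GPS-disciplined stratum-1 source versus milliseconds of NTP drift) shrinks the set of pairs whose order stays ambiguous. The event names, timestamps and error bounds are constructed sample data; `StampedEvent`, `compare` and `ambiguous_pairs` are names of this example, not of any real product.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class StampedEvent:
    """An event tagged with a local clock reading and that clock's worst-case error."""
    name: str
    t_us: float     # clock reading, microseconds
    err_us: float   # bound on |true time - t_us| for the clock that stamped it

    @property
    def earliest(self) -> float:
        return self.t_us - self.err_us

    @property
    def latest(self) -> float:
        return self.t_us + self.err_us


def compare(a: StampedEvent, b: StampedEvent) -> str:
    """'before' if every possible true time of a precedes every possible true time of b,
    'after' for the reverse, otherwise 'ambiguous' (the two uncertainty windows overlap
    and timestamps alone cannot settle the order)."""
    if a.latest < b.earliest:
        return "before"
    if b.latest < a.earliest:
        return "after"
    return "ambiguous"


def ambiguous_pairs(events):
    """All pairs whose order cannot be decided from their timestamps."""
    return [(a.name, b.name) for a, b in combinations(events, 2)
            if compare(a, b) == "ambiguous"]


# Constructed sample: three writes arriving at SQL-like servers a few tens of microseconds apart.
SAMPLE_TIMES_US = {"w1": 1_000.0, "w2": 1_030.0, "w3": 1_045.0}


def stamp_all(err_us: float):
    """Stamp the sample with one clock error bound, e.g. 10 us for a GPS-disciplined
    stratum-1 setup or 5000 us for a box whose NTP link has been lost and has drifted."""
    return [StampedEvent(n, t, err_us) for n, t in SAMPLE_TIMES_US.items()]


if __name__ == "__main__":
    for err in (10.0, 20.0, 5_000.0):
        print(f"error bound {err:>7.1f} us -> ambiguous pairs: {ambiguous_pairs(stamp_all(err))}")
```

With a 10 µs bound only the two closest writes (w2 and w3, 15 µs apart) remain unordered; with a millisecond-scale bound every pair does, which is exactly the case where a transaction counter rather than a timestamp has to break the tie.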

A router with a fear of heights? Yup. It's a thing

Paul Crawford
Silver badge

Re: Less air to insulate a PSU

Nope, just checked and it is IEC 61000-4-5 for lightning and industrial surges. Category 4 is 4kV / 2kA surge typically modelled with a double-exponential 8us rise time and 20us decay time.

Somewhere I remember reading that generally normal 220V/240V mains is limited to around 6kV peak in any case as the wiring and sockets, etc, tend to flash over if you get more than that incoming (say farm at end of long overhead wires).

0
0
Paul Crawford
Silver badge

Re: Less air to insulate a PSU

It's voltage gradient that matters, i.e. (volts)/(distance). Going from 2000m to 5000m typically involves a 48% increase in creepage and clearance distances for PCB design, etc.

Edited to add @imanidiot - it's not just the operating voltage, which can easily peak to a significant fraction of 1kV in a SMPS, but also the need to pass a 6kV lightning surge test for typical safety reasons. That is why most distances are several mm (e.g. 8mm or more) for mains clearance, etc.

3
0
Paul Crawford
Silver badge

Re: Less air to insulate a PSU

Wrong, the ionisation voltage drops with pressure until you get really low (like near-vacuum) when it rises again. It's a risk for satellite HPA design, for example, as high-Q filter coils and similar with high voltages can arc while it de-gasses, but stops once it really is a space-level of pressure. Which is why neon bulbs are at low pressure...

https://en.wikipedia.org/wiki/Paschen's_law

Also of note are the Chinese safety standards (stop laughing at the back!) which specify to 5000m, not the more usual 2000m for UL.

1
0
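An added worked example (mine, not the commenter's) of the Paschen curve behaviour described above: breakdown voltage for a gap falls as pressure drops, reaches a minimum, and then climbs steeply again towards vacuum. The closed form used is the standard Paschen relation V = B·pd / (ln(A·pd) − ln(ln(1 + 1/γ))); the constants for air (A = 15 /(cm·Torr), B = 365 V/(cm·Torr)) are common textbook values and the secondary-emission coefficient γ = 0.01 is an assumption of this example, so the absolute voltages are illustrative rather than design figures. Below the cut-off where the denominator is not positive the relation has no solution, which the code reports as `None` rather than a bogus voltage.

```python
import math

# Illustrative textbook constants for air (assumed for this example, not from the post).
A_AIR = 15.0    # ionisation saturation constant, 1/(cm*Torr)
B_AIR = 365.0   # V/(cm*Torr)
GAMMA = 0.01    # secondary-electron emission coefficient of the cathode (assumed)


def breakdown_voltage(pd, A=A_AIR, B=B_AIR, gamma=GAMMA):
    """Paschen breakdown voltage (V) for pressure*distance pd in Torr*cm.

    Returns None where the relation has no solution (A*pd <= ln(1 + 1/gamma)),
    i.e. the gap is too short or the gas too thin for an avalanche to sustain.
    """
    denom = math.log(A * pd) - math.log(math.log(1.0 + 1.0 / gamma))
    if denom <= 0.0:
        return None
    return B * pd / denom


def paschen_minimum(A=A_AIR, B=B_AIR, gamma=GAMMA):
    """Location (Torr*cm) and value (V) of the curve's minimum: dV/d(pd) = 0 gives
    A*pd = e * ln(1 + 1/gamma), where the denominator equals exactly 1."""
    pd_min = math.e * math.log(1.0 + 1.0 / gamma) / A
    return pd_min, breakdown_voltage(pd_min, A, B, gamma)


def gap_vs_pressure(gap_cm, pressures_torr):
    """Breakdown voltage of one fixed gap at several pressures (None = no breakdown predicted)."""
    return {p: breakdown_voltage(p * gap_cm) for p in pressures_torr}


if __name__ == "__main__":
    pd_min, v_min = paschen_minimum()
    print(f"Paschen minimum near {pd_min:.2f} Torr*cm, about {v_min:.0f} V")
    # Constructed sweep for a 1 mm gap: sea level, roughly 5000 m, then towards vacuum.
    for p, v in gap_vs_pressure(0.1, [760.0, 405.0, 10.0, 1.0, 0.1]).items():
        print(f"{p:>7.1f} Torr -> {'no breakdown' if v is None else f'{v:.0f} V'}")
```

The sweep shows why a de-gassing satellite box is the dangerous regime: the 1 mm gap needs kilovolts at sea level, only a few hundred volts around 10 Torr, and the relation then stops predicting breakdown at all once the gas is thin enough.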

Bloke cuffed after 'You deserve a seizure' GIF tweet gave epileptic a fit

Paul Crawford
Silver badge

Re: settings-autoplay=off

There was a time, I distinctly remember it, when web browsers had simple menu options to disable autoplay and animations. Opera was very good at that sort of nicety.

Until they went as a chrome re-skin, of course. And Mozilla decided to chase Google in the "lets dumb down the browser" competition.

14
0

An under-appreciated threat to your privacy: Security software

Paul Crawford
Silver badge

Pays your money, places your trust...

Same for many aspects of security & privacy, a lot comes down to who you can place some trust in to help keep your own stuff safe.

When using a VPN then do you trust the provider more than your ISP? Maybe, depends on your ISP and gov of course. More than "free wi-fi"? Almost certainly if it's a half-decent paid provider. But in every case you would still use an encrypted link like https or SSH, wouldn't you?

When using any AV or end-point service capable of seeing inside your network and gathering data with admin privileges? It's a much higher bar to meet, you really have to trust them to:

1) Not screw up and bork the OS

2) Actually stop malicious actors with a high probability

3) Not to leak your secrets deliberately or through incompetence

7
0

Intel touts bug bounties to hardware hackers

Paul Crawford
Silver badge
Joke

"Intel Security (McAfee) products are not in-scope of the Intel bug bounty program"

Why the surprise? Probably would have bankrupted them...

1
0

Canonical preps security lifeboat, yells: Ubuntu 12.04 hold-outs, get in

Paul Crawford
Silver badge

Re: On the plus side

They only support version to version, or LTS to LTS, so you can't skip one.

So 12.04 -> 14.04 works, but not 12.04 -> 16.04

Or 12.10 -> 13.04 but not 12.10 -> 13.10

0
0
Paul Crawford
Silver badge

Re: On the plus side

The distro-upgrade usually only works if you have a fairly simple mount arrangement, I have tried it and sometimes it works a charm, other times it failed miserably on machines with odd mounting setups and/or MD RAID in use.

My advice is always put /home on a separate partition, and if you have the space leave a blank ~50GB one as well. Next distro comes along, install it in the unused partition, and once working edit its /etc/fstab file to mount your old /home partition again.

Once happy, you can overwrite your old root partition when yet another new distro is available.

1
0
Paul Crawford
Silver badge

Re: Same old story

16.04 is the obvious way to go...but it has stupid systemd-related problems that are still not fixed "out of the box" a year on. Such as:

NTP failing because ntpdate is taking longer https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1577596

Shut-down/reboot scripts hanging for ~1m30 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1594658

Stuff added in /etc/modules being ignored because it's in a blacklist (e.g. watchdog drivers) which is fscking stupid - blacklisting is supposed to only apply to auto-detected modules. https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1535840

2
0

Zombie webcams? Pah! It's the really BIG 'Things' that scare me

Paul Crawford
Silver badge

Re: @ Solarflare

Ah, so that is where all those Martian packets are coming from...

6
0
Paul Crawford
Silver badge

Access Denied

Thing is there is ABSOLUTELY no reason for any SCADA-style system EVER being visible on the Internet. It should be behind firewall and VPN like access, and with some 2FA system as well.

Sadly the most productive way of dealing with this risk is to make the bosses of companies liable for any serious failings, and moreover to have some system in place where finding a SCADA system gets both the company fined AND the finder rewarded from that money, no questions asked.

Guess how many SCADA systems would still be visible a month after that law came in to play?

15
0

Apple accused of counter-revolutionary pricing in Russia

Paul Crawford
Silver badge

In soviet Russia the price fixes you.

2
0

Germany to Facebook, Twitter: We are *this* close to fining you €50m unless you delete fake news within 24 hours

Paul Crawford
Silver badge

Facebook share/like

..is the problem. Most crap on facebook that resulted in me deleting my old profile (used mostly to share photos of hill walking trips, etc) was not written by any of the "friend list" individuals, but it was re-posted by the share or like options. In fact very little original material, only maybe the day's bowel movement times, was written by many of them.

That is why crap spreads so fast: most of the asshats on FB don't bother to check what it is, who posted it, or what it might result in. I know one guy who was 'liking' posts by the UK's far-right Britain First mob, when I pointed this out he was surprised and apologised for spreading it. Then about a month later back to his asshattery by re-posting stuff without checking or thinking...

13
1

Time crystals really do exist, say physicists*

Paul Crawford
Silver badge

Re: How many Time Crystals are required...

Sorry, I don't have enough time to compute that just now.

5
0

Intel swallows Tesla-hating self-driving car biz Mobileye for $15bn

Paul Crawford
Silver badge

Yes, and Intel's acquisition of McAfee has brought so much to the world of PC security...

4
0

Facebook, Instagram: No, you can't auto-slurp our profiles (cough, cough, border officials)

Paul Crawford
Silver badge

"But the public stance by Facebook is a welcome one in increasingly worrying times for those concerned about internet privacy, or the lack of it."

Would any of those users be on Facebook in the first place?

12
1

MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

Paul Crawford
Silver badge

Good point. If you do the birthday problem approximation for 16.8M addresses you get 1% probability of a clash at 579 addresses. That is still big by most single-point wi-fi coverage regions.

0
0
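An added worked example (mine, not the commenter's) that reproduces the 579 figure above and then checks it against the exact probability. It assumes the randomised part of the MAC is the 24 bits below the OUI, giving 2^24 = 16,777,216 possible values (the "16.8M" in the comment); the 579 comes from the usual first-order rule n ≈ sqrt(2·N·p), and an exact product over the draws shows where the 1% threshold really sits. Function names are this example's own.

```python
import math

# Assumed address space: 24 randomised bits under a fixed OUI, i.e. 2**24 = 16,777,216 values.
ADDRESS_SPACE = 2 ** 24


def birthday_bound(space: int, p: float) -> int:
    """Rule-of-thumb number of devices at which collision probability reaches p.

    Uses the first-order approximation P(collision) ~= n**2 / (2 * space) solved for n;
    for p = 1% and 2**24 addresses this is the 579 quoted in the comment.
    """
    return round(math.sqrt(2 * space * p))


def collision_probability(space: int, n: int) -> float:
    """Exact probability that at least two of n independent uniform draws from `space` coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def devices_for_probability(space: int, p: float) -> int:
    """Smallest n whose exact collision probability is at least p.

    Starts a little below the approximation and counts up, so the loop is short
    even though the exact product is evaluated each step.
    """
    n = max(2, birthday_bound(space, p) - 10)
    while collision_probability(space, n) < p:
        n += 1
    return n


if __name__ == "__main__":
    approx = birthday_bound(ADDRESS_SPACE, 0.01)
    exact = devices_for_probability(ADDRESS_SPACE, 0.01)
    print(f"approximation: {approx} devices, exact: {exact} devices for a 1% clash")
    # A constructed busy hotspot of 50 clients, for scale.
    print(f"50 clients: P(clash) = {collision_probability(ADDRESS_SPACE, 50):.2e}")
```

The approximation slightly undershoots (the exact threshold is a few devices higher, because n² rather than n(n−1) and the −ln(1−p) factor are both dropped), but the conclusion in the comment stands: a single access point would need to see hundreds of randomised clients at once before a clash becomes a 1-in-100 event, and at 50 clients it is on the order of 10⁻⁴.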
Paul Crawford
Silver badge

It's a physical layer thing - how many wifi spots can see anything even approaching 16M devices to worry about collisions?

4
0

Public IPv4 drought: Verizon Wireless to stop handing out static addys

Paul Crawford
Silver badge

So you get this static IPv6 address for your web server, OK.

Now how do customers in many places that have ISPs only offering IPv4 talk to you?

3
0

Brit ISP TalkTalk blocks control tool TeamViewer

Paul Crawford
Silver badge

And without even emailing their own customers in advance to keep them informed...how hard would that have been?

25
0

FBI boss: 'Memories are not absolutely private in America'

Paul Crawford
Silver badge

@Adam 52

You have a good point that there are various options, but none are scalable for tens of millions of devices sold to the public and not managed by some competent trusted IT group.

However, one approach that would answer some of the criticism is to make the cryptographic key stored in the chips in such a way that you could gain physical access by grinding down the package and using a scanning electron microscope to read it. The advantages of this approach are:

1) You need physical access, so it's not a remote hack that anyone can pull off. Thus there is no master key to be leaked or shared with undesirables[*].

2) It is expensive and destructive, so you need a good targeted reason to use it. That puts it beyond trawling for evidence, and out of the reach of common criminals.

3) The customers of said phones, etc, largely have put faith in not losing the device, and if lost, it is not in the hands of a highly resourced thief, rather than a company that might be pressured to share master keys with practically every government and police organisation in the world.

[*] undesirables may vary, check your country and current political climate for the recent list.

1
0
Paul Crawford
Silver badge

"Top of the list was nation state hackers, he said, followed closely by international professional hacking groups that worked for money"

This is probably quite true, and he deserves some credit for putting terrorists at the bottom of the list on the reasonable grounds they have not (yet) achieved very much in 'cyberspace' actions.

But those top two in particular would make mincemeat of any backdoor or key escrow system and he really needs to get that point. Corporate/organisation-wide master keys simply don't scale to the government's desire because (a) nobody trusts them now, and (b) it would make everyone's device less secure when it's found, not just a few hundred in any one department.

Defending the USA (or any other country's own) government and businesses interests means you need strong security, properly applied. Yes, it might make catching the odd smart criminal a touch harder, but it leads to less crime overall.

2
0

Kodi-pocalypse Now? Actually, it's not quite here yet

Paul Crawford
Silver badge

Re: As an example of availability problems

This is a key problem (the "you must pay a subscription"), as well as the "not available on your device / in your region" issue. Many surveys of pirate content consumers find two common threads:

1) Most believe that creators deserve some reward.

2) Most cite access restrictions as a reason for torrenting, etc.

While it's hard to say Spotify or YouTube provide a decent or fair reward to artists, the appearance of such services has dramatically reduced music piracy. Same would go for movies if you could get them hassle-free and not dependent on where you live. But that geographical licence mind-set is so ingrained it is not moving as yet, just look how streaming services block paying customers using VPNs to avoid geoblocking!

8
0

CIA hacking dossier leak reignites debate over vulnerability disclosure

Paul Crawford
Silver badge

"Weaponizing everyday products such as TVs and smartphones – and failing to disclose vulnerabilities to manufacturers – is dangerous and short-sighted"

And sadly even if said vulnerabilities are disclosed, many suppliers will do SFW about it :(

MS get beaten up over taking 90+days to patch (and rightly so given their size and budget) but they are one of the better players around!

2
0


Biting the hand that feeds IT © 1998–2017