* Posts by Paul Crawford

3482 posts • joined 15 Mar 2007

Zombie webcams? Pah! It's the really BIG 'Things' that scare me

Paul Crawford
Silver badge

Access Denied

Thing is there is ABSOLUTELY no reason for any SCADA-style system EVER being visible on the Internet. It should be behind a firewall and VPN-like access, and with some 2FA system as well.

Sadly the most productive way of dealing with this risk is to make the bosses of companies liable for any serious failings, and moreover to have some system in place where finding a SCADA system gets both the company fined AND the finder rewarded from that money, no questions asked.

Guess how many SCADA systems would still be visible a month after that law came into play?

15
1

Apple accused of counter-revolutionary pricing in Russia

Paul Crawford
Silver badge

In Soviet Russia the price fixes you.

3
0

Germany to Facebook, Twitter: We are *this* close to fining you €50m unless you delete fake news within 24 hours

Paul Crawford
Silver badge

Facebook share/like

...is the problem. Most crap on Facebook that resulted in me deleting my old profile (used mostly to share photos of hill walking trips, etc) was not written by any of the "friend list" individuals, but it was re-posted by the share or like options. In fact very little original material, only maybe the day's bowel movement times, was written by many of them.

That is why crap spreads so fast: most of the asshats on FB don't bother to check what it is, who posted it, or what it might result in. I know one guy who was 'liking' posts by the UK's far-right Britain First mob; when I pointed this out he was surprised and apologised for spreading it. Then about a month later back to his asshattery by re-posting stuff without checking or thinking...

13
1

Time crystals really do exist, say physicists*

Paul Crawford
Silver badge

Re: How many Time Crystals are required...

Sorry, I don't have enough time to compute that just now.

5
0

Intel swallows Tesla-hating self-driving car biz Mobileye for $15bn

Paul Crawford
Silver badge

Yes, and Intel's acquisition of McAfee has brought so much to the world of PC security...

4
0

Facebook, Instagram: No, you can't auto-slurp our profiles (cough, cough, border officials)

Paul Crawford
Silver badge

"But the public stance by Facebook is a welcome one in increasingly worrying times for those concerned about internet privacy, or the lack of it."

Would any of those users be on Facebook in the first place?

12
1

MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

Paul Crawford
Silver badge

Good point. If you do the birthday problem approximation for 16.8M addresses you get 1% probability of a clash at 579 addresses. That is still big by most single-point wi-fi coverage regions.

0
0
Paul Crawford
Silver badge

It's a physical-layer thing - how many wifi spots can see anything even approaching 16M devices to worry about collisions?

4
0

Public IPv4 drought: Verizon Wireless to stop handing out static addys

Paul Crawford
Silver badge

So you get this static IPv6 address for your web server, OK.

Now how do customers in many places that have ISPs only offering IPv4 talk to you?

3
0

Brit ISP TalkTalk blocks control tool TeamViewer

Paul Crawford
Silver badge

And without even emailing their own customers in advance to keep them informed...how hard would that have been?

25
0

FBI boss: 'Memories are not absolutely private in America'

Paul Crawford
Silver badge

@Adam 52

You have a good point that there are various options, but none are scalable for tens of millions of devices sold to the public and not managed by some competent trusted IT group.

However, one approach that would answer some of the criticism is to store the cryptographic key in the chips in such a way that you could gain physical access by grinding down the package and using a scanning electron microscope to read it. The advantages of this approach are:

1) You need physical access, so it's not a remote hack that anyone can pull off. Thus there is no master key to be leaked or shared with undesirables[*].

2) It is expensive and destructive, so you need a good targeted reason to use it. That puts it beyond trawling for evidence, and out of the reach of common criminals.

3) The customers of said phones, etc, largely have put faith in not losing the device, and if lost, it is not in the hands of a highly resourced thief, rather than a company that might be pressured to share master keys with practically every government and police organisation in the world.

[*] undesirables may vary, check your country and current political climate for the recent list.

1
0
Paul Crawford
Silver badge

"Top of the list was nation state hackers, he said, followed closely by international professional hacking groups that worked for money"

This is probably quite true, and he deserves some credit for putting terrorists at the bottom of the list on the reasonable grounds they have not (yet) achieved very much in 'cyberspace' actions.

But those top two in particular would make mincemeat of any backdoor or key escrow system and he really needs to get that point. Corporate/organisation-wide master keys simply don't scale to the government's desire because (a) nobody trusts them now, and (b) it would make everyone's device less secure when it's found, not just a few hundred in any one department.

Defending the USA (or any other country's own) government and business interests means you need strong security, properly applied. Yes, it might make catching the odd smart criminal a touch harder, but it leads to less crime overall.

2
0

Kodi-pocalypse Now? Actually, it's not quite here yet

Paul Crawford
Silver badge

Re: As an example of availability problems

This is a key problem (the "you must pay a subscription"), as well as the "not available on your device / in your region" issue. Many surveys of pirate content consumers find two common threads:

1) Most believe that creators deserve some reward.

2) Most cite access restrictions as a reason for torrenting, etc.

While it's hard to say Spotify or YouTube provide a decent or fair reward to artists, the appearance of such services has dramatically reduced music piracy. Same would go for movies if you could get them hassle-free and not dependent on where you live. But that geographical licence mind-set is so ingrained it is not moving as yet, just look how streaming services block paying customers using VPNs to avoid geoblocking!

8
0

CIA hacking dossier leak reignites debate over vulnerability disclosure

Paul Crawford
Silver badge

"Weaponizing everyday products such as TVs and smartphones – and failing to disclose vulnerabilities to manufacturers – is dangerous and short-sighted"

And sadly even if said vulnerabilities are disclosed, many suppliers will do SFW about it :(

MS get beaten up over taking 90+ days to patch (and rightly so given their size and budget) but they are one of the better players around!

2
0

Windows Server ported to Qualcomm's ARM server chip. Repeat, Windows Server ported to ARM server chip

Paul Crawford
Silver badge
Trollface

Re: Famous last words

Up-vote for some quality trolling. But you forgot to mention Windows RT... :)

Still, it is a jolly good thing to have diversity in CPU use (as for OS) as it tends to result in more portable future-proof code, reveals bugs quicker, and makes run-everywhere exploits a touch harder. And that is before we get into the obvious benefits of a genuinely competitive market on price and service!

Even if MS develop the ARM server market primarily for their own cloudy usage, everyone benefits.

4
0
Paul Crawford
Silver badge

Open BIOS?

Will this mean we can get a server with a genuinely open BIOS so we have a bit more trust?

OK, it is obviously possible for the chips themselves to run opaque and suspect code (*cough* Intel SMM *cough*) but having some insight and control over the boot process would help a lot.

8
0

Look who's bailed out internet-satellite provider Intelsat? It's... Softbank?

Paul Crawford
Silver badge

WTF?

"connected cars ... latency requirements that are beyond satellite"

Does anyone else in the world think that a car that can't cope with slow or non-existent networking should NEVER be allowed on the road in the first place?

4
0

Success in the bedroom breeds success in the boardroom – research

Paul Crawford
Silver badge
Gimp

Then use some grinding paste instead of lube

3
0
Paul Crawford
Silver badge
Joke

Re: So about prostitutes...

Other way round, if they have a quiet night of answering polite emails and drinking coffee with co-workers...

0
0
Paul Crawford
Silver badge

As Woody Allen once remarked - at least it is with someone you love!

7
0

Redmond's on fire, your 365 is terrified: Microsoft email outage en masse

Paul Crawford
Silver badge

IMAP access to MS-provided email is still Ok in my backwater of the UK.

2
0
Paul Crawford
Silver badge

We will update this article when its spokespeople spokeslizard get back to us.

Fixed it for you...

19
4

That big scary 1.4bn leak was 100s of millions of email, postal addresses

Paul Crawford
Silver badge

"Bounce from SPF? That's new one for me. SPF as specified is meant specifically to suppress impersonation of sender."

True, but if you are impersonating someone you probably are a spammer. So a bounce to tell anyone with a mis-configured system that it is being spam-filter blocked is useful.

1
0

Shopping for PCs? Ding, dong, the Dock is dead in 2017's new models

Paul Crawford
Silver badge

Re: So just like Apple then!

Unlike Apple they have not dumped USB-2 or HDMI.

Yet.

7
0

RadioShack bankruptcy savior to file for, you guessed it, bankruptcy

Paul Crawford
Silver badge

Re: Solder Repellant

I remember visiting London in the 80s when Edgware Road (and nearby) had so many electronic shops, some dating back to the 30s (with knowledgeable staff that looked as if they also served then). Remember there was even one shop (Samson?) that specialised in transformers of all sorts of sizes, shapes and uses.

Last time I wandered down there it was all gone :(

2
0

Sir Tim Berners-Lee refuses to be King Canute, approves DRM as Web standard

Paul Crawford
Silver badge

Re: And will this DRM realise its been run in a VM and is a chocolate teapot?

"They don't work with 4K discs because they use HDCP 2.0, which uses different keys and IINM forbids the use of splitters."

And yet this device offers HDCP 2.2 splitting:

https://www.hdfury.com/shop/splitters/integral-4k60-444-600mhz/

(Cheaper than replacing an older 4K TV that lacks 2.2)

3
0
Paul Crawford
Silver badge

Re: And will this DRM realise its been run in a VM and is a chocolate teapot?

Companies like RedFox sell Blu-ray ripping software. Not tried it as I don't have any need for it, but it seems the goal of DRM there has been comprehensively broken. No mention of 4K capabilities though.

Sadly Windows only.

Edited to add, here is a link about 4K ripping from Nov 2015:

https://torrentfreak.com/pirates-can-now-rip-4k-content-from-netflix-and-amazon-151127/

1
0
Paul Crawford
Silver badge

Re: DRM means you don't own your content

Funny how my books and artwork just keep "working" even when the seller has gone.

Why should digital be any different?

31
0
Paul Crawford
Silver badge
Trollface

Which is why piracy is important, to keep the sellers honest

16
3
Paul Crawford
Silver badge

Re: And will this DRM realise its been run in a VM and is a chocolate teapot?

And yet most Blu-ray/4K stuff appears on torrent sites in no time.

That is the thing about DRM: generally it serves to piss off honest consumers and does not stop anyone really wanting to pirate.

43
0
Paul Crawford
Silver badge

Another evil

While the arguments about the need for interoperable DRM will run and run, one outstanding issue with a more universal DRM is the opportunity for advertisers to track your browser use via the DRM serial number/reporting mechanism. All they need is one little DRM-enabled bit on a page and there is a method to find out uniquely who visited.

Google being involved makes me fear the worst...

Sir Tim has a point, but the reality is DRM ought to have certain standards of interoperability and ethics about what is revealed before it comes into use. For now you would need a plug-in for Firefox, but if it comes with Chrome/(IE|Edge) who is going to bet on always-on and always-reporting?

45
0

Microsoft wants you to plan a new generation of legacy systems

Paul Crawford
Silver badge

Re: Factory automation

A very valid point, but often you get into a situation where you can't get drivers for the old OS to run new hardware (that happens in every OS by the way).

Problem here is it looks to be security updates only, so unless MS pressure the OEMs to support an older OS' HAL for new hardware, you don't get the advantage of an easy fix for failed hardware. I still use W2K in a VM for some old (and expensive) CAD software to get round this, but I have the luxury of not needing special HW drivers, so the VM delivers never-dying hardware.

But for any such restricted use, you really, REALLY, want to keep them off t'Internet. Private VLANs only and damn few users' PCs/phones/IoT-shit/etc on them...

1
0
Paul Crawford
Silver badge

Re: Satnad trainees under Ellison

"looking for new opportunities to screw their customers hostages"

Fixed it for you...

6
4

BT splurges £1.2bn on securing Champions League rights, Sky heads for an early bath

Paul Crawford
Silver badge
Big Brother

Re: "But he added that the latest move could result in costs being transferred to consumers"

" as I want/need a static IP which VM do not offer for residential "

You might want to check out non-UK VPN suppliers who could offer that (in addition to not having your every activity logged).

3
0

America halts fast processing of H-1B skilled worker visas

Paul Crawford
Silver badge

Re: why was this called 'discrimination'

"Quite happy to get us to guarantee the rights of EU citizens in the UK, before getting any assurances of the future of UK citizens in Europe."

So punishing people who perfectly legally live, work and now have families here, if their own governments don't play your political football nicely, is a good policy?

20
8

Linus Torvalds lashes devs who 'screw all the rules and processes' and send him 'crap'

Paul Crawford
Silver badge

Re: "Does the chip vendor publish enough to let someone write a driver?"

"And why should they? It's their IP, not yours."

To make it work?

The IP is in the chip, not in the API. Unless of course it's a bug-riddled pile of sh*t that has many workarounds in the driver code and they don't want that available without an NDA?

30
2

Frustrated by reboot-happy Windows 10? Creators Update hopes to take away the pain

Paul Crawford
Silver badge

Re: Serious question here...

There are probably other fine points I am not aware of, but one fundamental difference is that Linux (and most UNIX) file systems allow a file to be replaced via a move operation while the file is open/in-use. So with a typical Linux update you unpack the update, then move it over the "live" version, and if possible you restart that process.

Now not all processes can be restarted while live; most obvious is the kernel (and related in-use drivers like file systems, etc) and the user log-on system for the desktop, active SSH sessions, etc. In these cases you have a patched machine but the previously running processes are not yet updated. So if you start another instance of such a process (OK, not the kernel!) such as a new SSH log-in then you get the patched version.

So to finally apply ALL updates you need a reboot, but at that point in time everything is already done, so you don't get another couple of minutes of "applying updates ... configuring computer" or whatever you see when restarting Windows after it said it was done.

There are also a couple of options for patching the Linux kernel while in-use, but they are not universally in use yet and probably have some limits on how big a change can be done (e.g. basic changes to structures, etc, on major updates) without a reboot.

15
0

Prisoners' 'innovative' anti-IMSI catcher defence was ... er, tinfoil

Paul Crawford
Silver badge
Joke

Re: Look at the bright side...

So cold turkey in both senses?

8
0

Fireball in Tasmania: Possible CubeSat re-entry sparks alien panic

Paul Crawford
Silver badge

Re: Seeking expert knowledge

Same thought here - that looks awful big to be a cubesat of a couple of kg and shoe-box size.

4
0

Uber: Please don't give our London drivers English tests. You can work out the reason why

Paul Crawford
Silver badge

The Knowledge

The original reason for the introduction of "the knowledge" to be a taxi driver in London was the piss-poor performance during some Victorian trade fair around 1865 when visitors got buggered around and generally the drivers failed to get them where they needed to be.

Now you could argue that the in-depth knowledge of London's roads is a bit obsolete in these satnav days, but still many people won't know the postcode or street name of where they want to be, maybe hotel name, or major shop, etc. So it still has some value. But ultimately if the driver can't understand what you are saying it is simply not a safe or satisfactory situation. And that is not specifically about Uber, but they seem to always be scraping the barrel in terms of screwing over their drivers, etc.

45
0

Germany, France lobby hard for terror-busting encryption backdoors – Europe seems to agree

Paul Crawford
Silver badge

Re: Some things can be done

This really nails one aspect on the head - I don't trust those in power (politicians or civil servants) to either be honourable in their use of such vast powers, nor do I trust them to be competent enough not to leak the lot on some train, etc, or through bribery or corruption.

And that is before we get into the practical business of how you make such a system that is technically workable and resistant to criminals (private or state-sponsored) who we have seen to have already broken in and looted massive gov data sets that ought to have been secure.

5
0
Paul Crawford
Silver badge

Better still - make those two come up with a workable solution, one that is passed by those with knowledge in the technical community. Start by laying down the simple rules such as:

(1) that it must remain secure against other nations and any criminals

(2) be scalable and applicable to open-source projects like web browsers, etc

(3) cost less than 0.1 Euro per user to develop, implement and manage.

Should keep them occupied until the heat death of the universe...

19
0

You're Donald Trump's sysadmin. You've got data leaks coming out the *ss. What to do

Paul Crawford
Silver badge

@ Farnet

Citations required I think...

There is always the Tempest-style of scanning for any active electronic device's leakage, but that would be hard to do in most working environments with numerous phones and PCs and a general lack of screening causing "electronic fog".

5
0
Paul Crawford
Silver badge

A couple of random thoughts:

1) If you are planning on using a non-company phone to steal stuff, would you not put it in airplane mode before bringing it in? So cell phone scanning won't do much for anyone that dedicated.

2) If data security and privacy matters then the only type of cloud storage in use should be the zero-knowledge type like Sync, Boxcryptor, SpiderOak, etc, and certainly not MS/Google/DropBox and similar.

3) So many data loss incidents seem to be accidental emailing to world+dog, that ought to be a lock-down by default in anyone's system, with special hoops to jump through before you can email more than a few folk (or list) and more so if it has any attachments.

It might just stop corporate drones emailing a multi-MB Word document, PDF or PowerPoint slide to everyone in your organisation to say 3 bullet-points as well...

12
0

Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds

Paul Crawford
Silver badge

Re: Common sense approach

I do not quite follow. What exactly would an attacker manipulate in a git repository?

To be honest, I'm not sure. But time after time people find cunning ways of gaming systems that nobody had thought of before that.

Off the top of my head, the obvious thing is you could manipulate somebody's private GIT repository to change code but still have it appearing to match a public trusted one. Sure, if you have that level of access there are a hell of a lot more nefarious things you might do to them, but that would be one possible way of getting a back-door into a specific company's system based on an otherwise trusted code base.

2
0
Paul Crawford
Silver badge

Re: Common sense approach

Both sides have a valid point:

- SHA-1 is not used as a sole measure of correctness, so no immediate panic.

- Sooner or later, someone will find a way to compromise at least some aspects of some GIT-based project if other attributes of generating a hash collision become easy enough that length and position of fix-up crude become easy to manipulate.

1
1

Autonomous cars are about to do to transport what the internet did to information

Paul Crawford
Silver badge

The point here is the "labour" will be further split, a few very wealthy fleet owners and very poorly paid cleaners who don't need to speak your language (car does that) or have any skill level like a driver's license/ taxi license (hence they can't get a better job).

Welcome to the 21st century's satanic mills...

As for buying an autonomous car, why? It will cost much more to buy, it will have (probably) onerous running costs due to the safety criticality of all those sensors, etc and the need for ongoing software support. Probably bugger-all resale value as well: Welcome to automotive XP - can't take that on the road sonny, it's no longer got manufacturer's support. Maybe at some point insurance will push you over to autonomous vehicles, but rent-a-fleet makes more sense when your own one is going to sit most of the day and night doing nothing while the rental ones are being paid off in that period.

4
1

Pai, Pai, Mr American spy: FCC supremo rips up privacy protections for broadband punters

Paul Crawford
Silver badge

Re: https

They still see which web sites you visit, even if the page content is hidden. That alone is valuable.

Also they have been guilty of interfering with email security protocols (and others) before:

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

https://www.eff.org/testyourisp

Short answer - if you are in the USA you damn well need a VPN as much, if not more than, us poor suckers in the UK (assuming you value your privacy).

13
0

Mysterious Gmail account lockouts prompt hack fears

Paul Crawford
Silver badge

Re: Happened to me.

Same here this morning, and this is for my phone and I practically NEVER use that gmail account for anything else. Certainly not in the last few months.

Just wondering - are they migrating password hash algorithms and this is a route from SHA-1 to SHA-256 or similar?

4
0

New UK laws address driverless cars insurance and liability

Paul Crawford
Silver badge

Re: Appropriate

I wondered about that, what exactly will those restrictions be?

Some 512-page EULA from the car company about not on roads without XYZ accuracy of GPS maps being created, etc, that you can't practically verify yourself? Or with snow or ice on roads, etc?

Really, it should be simple:

1) It is manual - drive it yourself

2) It is motorway use only where simple lane tracking is OK (i.e. enhanced cruise control)

3) It actually drives itself and you don't have ANY responsibility for its actions beyond setting the destination.

5
0

Biting the hand that feeds IT © 1998–2017