* Posts by Paul Crawford

3400 posts • joined 15 Mar 2007

Oh Britain. Worried your routers will be hacked, but won't touch the admin settings

Paul Crawford
Silver badge

Re: Automatic firmware updates?

All are or have been solved. Signed updates? Yup, already done in all serious OS and no need for remote admin capabilities. Even Windows can do that.

Avoid crashing mid-update? Can be done so long as you have enough disk/flash to store the system image twice - create new system in the 'spare' half and finally swap the entry point as an atomic operation, that way you either boot to new or to old, but never to something half-arsed.

Or with less space have a simple boot loader that at least allows recovery from local file and is not updated so low risk of corruption.

2
0
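The two-slot scheme described above, as an added example that is not part of the original post: a directory stands in for the device's flash, two slot directories hold system images, and a small pointer file plays the boot loader's entry point, which is swapped with an atomic rename. All file and function names are hypothetical.

```python
import os
import tempfile

SLOTS = ("A", "B")

def active_slot(root):
    """Return the slot the boot loader would start, read from the pointer."""
    with open(os.path.join(root, "boot.ptr")) as f:
        return f.read().strip()

def _write_image(root, slot, image):
    path = os.path.join(root, slot, "system.img")
    with open(path, "wb") as f:
        f.write(image)
        f.flush()
        os.fsync(f.fileno())  # image must be durable before we point at it

def _swap_pointer(root, slot):
    # Write the new pointer beside the old one, fsync it, then rename over
    # the old one.  rename() within one filesystem is atomic: a reader sees
    # the old pointer or the new one, never a half-written file.
    tmp = os.path.join(root, "boot.ptr.tmp")
    with open(tmp, "w") as f:
        f.write(slot)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, os.path.join(root, "boot.ptr"))

def provision(root, image):
    """Initial install: write the first image into slot A and point at it."""
    for slot in SLOTS:
        os.makedirs(os.path.join(root, slot), exist_ok=True)
    _write_image(root, "A", image)
    _swap_pointer(root, "A")

class PowerLoss(Exception):
    """Simulated crash injected by the caller at a chosen step."""

def install_update(root, new_image, crash_before_swap=False):
    """Write the update into the spare slot, then atomically switch to it.

    If power is lost any time before the pointer swap, the old slot is
    still the entry point and its image has not been touched.
    """
    spare = "B" if active_slot(root) == "A" else "A"
    _write_image(root, spare, new_image)
    if crash_before_swap:
        raise PowerLoss("crashed after writing spare slot, before swap")
    _swap_pointer(root, spare)
    return spare

def boot(root):
    """What the boot loader would load: the image in the active slot."""
    with open(os.path.join(root, active_slot(root), "system.img"), "rb") as f:
        return f.read()

def demo():
    """Crash mid-update, confirm the old image still boots, then update."""
    root = tempfile.mkdtemp()
    provision(root, b"v1")
    try:
        install_update(root, b"v2-partial", crash_before_swap=True)
    except PowerLoss:
        pass
    survived_crash = boot(root)   # old image, the interrupted write is ignored
    install_update(root, b"v2")
    return survived_crash, boot(root)
```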
Paul Crawford
Silver badge

Why the surprise?

If you said 53% of El Reg readers had done nothing, I would be shocked.

To find out that the majority of Joe Public have little knowledge or interest in *how* they access the internet is really no big surprise. This is where the law should be hitting the suppliers of piss-poor security devices, but somehow they all get out on EULA style arguments.

32
0

New Windows 10 privacy controls: Just a little snooping – or the max

Paul Crawford
Silver badge

Re: @Orv

For most people, what's fantastic about Outlook is it works with the systems provided by the people who pay them a salary.

So use MS Windows & Office at work only, and your employer pays to have their privacy violated. What is the big deal?

If you are doing your own PC then it's up to you what you are willing to trade in terms of privacy versus compatibility with office work. Very few home users will be accessing Exchange, and as for calendaring then you can get it free (with similar privacy violations) from Google - shared calendars and an email every morning outlining the day ahead, etc.

3
0
Paul Crawford
Silver badge

Re: "Just don't use Windows 10 on-line."

No problem AC just you go and ask MS to respect your privacy. Or maybe take them to court? Really you and anyone for whom you provide help have only a few workable choices:

1) Use Windows and bend over for whatever MS decide to do.

2) Use an alternative arrangement and accept it's more trouble for certain things.

3) ? Underpants & profit ?

If you actually have a better, more workable, suggestion than mine (Linux host, windows in restricted VM) please let all us commentards know.

6
2
Paul Crawford
Silver badge

Re: @ Triggerfish

You seem to have missed this bit:

"or you can run Windows in a VM that has no Internet connections if you need Windows software in parallel with internet access."

7
0
Paul Crawford
Silver badge

Rule number 0

Just don't use Windows 10 on-line.

As already said, you can dual-boot with Windows configured for no network, since for web & email Linux is just fine, or you can run Windows in a VM that has no Internet connections if you need Windows software in parallel with internet access.

11
2

It's now 2017, and your Windows PC can still be pwned by a Word file

Paul Crawford
Silver badge

For most people PC = single user, and so such a flaw can still encrypt their own files which is all that matters. The OS, etc, can be hosed and re-installed, but few have backups and most Joe Public find out when it's too late.

6
0

Crumbs. Exceedingly good cakes, meat dressing price hike in wake of the Brexit

Paul Crawford
Silver badge

Re: @AC

For 2017 NI income is £127 billion (apparently http://www.ukpublicrevenue.co.uk/breakdown)

Expenditure is Public Pensions = £157 billion and National Health Care = £143 billion

So if you thought that NI alone covered it, and not a significant chunk of general taxation, you are in for a rude surprise.

10
0
Paul Crawford
Silver badge

Re: @ Cynic_999

So here is your politician's choice when faced with a tax shortcoming:

1) "Or we could keep those things the same and instead cut back on illegal wars, vanity projects such as millennium domes, excessive pay rises for civil servants and unnecessary HS railways"

2) Cut back on NHS and public pensions?

What do you really expect them to do?

13
0
Paul Crawford
Silver badge

Re: it's easy to resolve...

cut fuel duty as oil in any form is the root of just about everything in modern life

So much less tax for like paying the NHS and pensions, etc?

21
4

NGO to crowdfund legal challenge against Investigatory Powers Act

Paul Crawford
Silver badge

Re: Pledged...

Any spare cash you have could be spent on a decent overseas VPN! Some related site that might help:

https://www.bestvpn.com/

https://vpn-services.bestreviews.net/

https://torrentfreak.com/vpn-anonymous-review-160220/

First two are sort of advertorial, but have some useful guides and comparisons. Last is focused on BitTorrent file-sharing so anonymity to avoid the likes of ACS:Law from chasing you matters, or the draconian penalties being proposed in the Digital Economy Act where you can get more jail-time than, for example, glassing someone in an unprovoked pub fight.

1
0

St Jude patching Merlin@home heart kit

Paul Crawford
Silver badge

Re: How about we be given the option of audits…?

Both open and closed source projects have equally shitty histories when it comes to security, though at least with open source ones you have the *chance* to find/fix stuff even if it's out of support or the vendor has lost interest, gone bust, etc.

Nope, sadly the only answer is to make legally enforceable standards for software that can have any serious physical or financial impact, and for those creating systems around them (e.g. putting plant controllers on t'Internet in order to save maintenance costs without a secure, tested VPN system in place, or an insecure radio connection, etc).

Once said PHB realises he could face jail-time for badly managing system security (e.g. not having it audited by someone competent and/or acting on said feedback) then action might be taken.

0
0

Like stealing data from a kid: LA school pays web scum US$28,000 ransom

Paul Crawford
Silver badge

Re: @d3vy

So you discover the infection three days in, your SAN has been encrypted for the last 72 hours and as a result the 3 backup sets you have for those days are also encrypted, your source control and all of the developer VMs are unavailable.

So your SAN has no (regular) snapshots? Generally I use/prefer NAS instead of SAN as few things need block storage and there is always iSCSI, and for that FreeNAS, which is free and pretty good, uses ZFS with easy options to enable snapshots and it's a very valuable feature indeed.

Or your SAN (or snapshot mounting) is administrable from infected PCs?

While your point is valid - that if you are royally screwed then paying up might be the least-worst option, it is doubtful that having provisions for data protection is more expensive. Also what if your SAN had some KCL-style screw-up?

1
0
Paul Crawford
Silver badge

Re: Live and learn, the hard way

Well designed crypto ransomware can take out backups as well

Only on not-well-designed backup systems. For a start your backup machine should not be administrable by any account on any target machine, and ideally be of another OS (so simple privilege escalation tricks can't be reused all the way).

Secondly use frequent snapshots on a copy-on-write file system like ZFS on your fileservers - they take no additional space themselves, and if you do get a crypto attack you see the disk space plummet as everything gets changed. Due to the small space usually taken by snapshots and common file usage patterns you can often leave them for months. Such snapshots also make backing up to tape or rsyncing for replication to another server much easier.

Then if you do get attacked: Isolate infected machines, clean, and make a new snapshot from the good one (just in case it gets hosed a 2nd time), and finally resume.

2
0
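The "disk space plummets as everything gets changed" signal above, turned into detection logic as an added example (not part of the original post). It reads constructed output in the shape of `zfs list -Hp -t snapshot -o name,used` and flags any snapshot whose unique space suddenly dwarfs that dataset's earlier snapshots, which is what a mass rewrite of the live files looks like from the snapshot side. The sample values and thresholds are made up.

```python
import statistics

# Constructed sample: tab separated, USED in bytes.  tank/home is rewritten
# wholesale from 13:00 onwards, tank/media carries on as normal.
SAMPLE = """\
tank/home@hourly-2017-01-12-0900\t40960
tank/media@hourly-2017-01-12-0900\t0
tank/home@hourly-2017-01-12-1000\t65536
tank/media@hourly-2017-01-12-1000\t8192
tank/home@hourly-2017-01-12-1100\t53248
tank/media@hourly-2017-01-12-1100\t4096
tank/home@hourly-2017-01-12-1200\t73728
tank/media@hourly-2017-01-12-1200\t0
tank/home@hourly-2017-01-12-1300\t5368709120
tank/media@hourly-2017-01-12-1300\t12288
tank/home@hourly-2017-01-12-1400\t1073741824
tank/media@hourly-2017-01-12-1400\t4096
"""

def parse_snapshots(text):
    """Group (snapshot name, used bytes) by dataset, keeping listing order."""
    by_dataset = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, used = line.split("\t")
        dataset = name.split("@", 1)[0]
        by_dataset.setdefault(dataset, []).append((name, int(used)))
    return by_dataset

def suspicious_snapshots(by_dataset, factor=50, floor_bytes=100 << 20,
                         min_history=3):
    """Flag snapshots whose unique space dwarfs that dataset's baseline.

    A snapshot's USED is the space only it still references, i.e. data that
    was overwritten or deleted after it was taken.  Normally that stays
    small; when every file is rewritten the last pre-attack snapshot ends
    up owning most of the dataset, so its USED leaps far above the median
    of the earlier snapshots.  floor_bytes stops tiny datasets alerting.
    """
    flagged = []
    for rows in by_dataset.values():
        for i, (name, used) in enumerate(rows):
            if i < min_history:
                continue  # not enough history for a baseline yet
            baseline = statistics.median(u for _, u in rows[:i])
            if used >= floor_bytes and used > factor * max(baseline, 1):
                flagged.append(name)
    return flagged

def check(text=SAMPLE):
    return suspicious_snapshots(parse_snapshots(text))
```

The first flagged snapshot is the one to roll back to, which is the same "make a new snapshot from the good one" step the post ends with.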
Paul Crawford
Silver badge

That is a very good point, unless the payout was for the failure of a backup system to be working well enough to restore it (again, that ought to be based on it having been tested and so on to the insurer's satisfaction).

3
0
Paul Crawford
Silver badge

Live and learn, the hard way

So next question is who at the top gets fired for not having planned for and funded a working, tested, backup system? Or was the US$28,000 cheaper than having such a system (If so WTF)?

4
0

How Apple exploded Europe's crony capitalism

Paul Crawford
Silver badge

I think the biggest single point is that Apple saw the "phone" as a computer that made calls, while most others saw it as a phone that could do the odd bit of computer work. As Andrew pointed out, the main "customers" of Nokia, etc, were the mobile networks and they were averse to anything that would *use* those networks to any useful degree and with poor bit rates we had WAP to make it usable, but that was really a misery to use.

13
2

FM now stands for 'fleeting mortality' in Norway

Paul Crawford
Silver badge

Re: @ Commswonk

That's a first; a "bandwidth ratio" expressed in dB

That is because human hearing is (more or less) logarithmic both in amplitude response (i.e. perception of loudness) and in frequency.

That is why music "works" with most instruments: the harmonics that characterise it (that are all ratio related) seem to be equal spacing in a tonal sense, and the note scale and corresponding chords have a set ratio.

So yes, for audio work specifying relative bandwidth in dB makes perfect sense.

2
1
Paul Crawford
Silver badge

Re: Considering that most digital radio is utter crap in quality...

Radio stations also use pre-emphasis to improve the upper audio frequency responses.

No, they do that to allow corresponding de-emphasis to scale back the FM noise, and given so little audio power is up there, it's not a TX load issue.

Considering how crap many stations on DAB are, and the fact that many of us no longer hear much beyond 15kHz (if that) nor that many loudspeakers ever did it justice when we could, I don't think the extra 1.25dB of bandwidth is significant.

6
0
Paul Crawford
Silver badge

Re: Ker-ching!

For in-car use you probably won't notice an audio difference on many channels and good reception areas, and really ought not to be arsing around with such comparisons while driving (passengers could though).

My parents have a DAB/FM radio and on all but Radio 3 the FM quality is better than DAB, again down to commercial decisions on bit rate per mux. Also in the last few years the number of DAB stations has plummeted.

5
0
Paul Crawford
Silver badge

Re: DAB+ DrXym

DAB+ is demonstrably better than FM in every way

Cost for transmitting with more TX per coverage area?

Cost/complexity for the receivers?

Cost for replacing radios in perfectly good cars that last 10-20 years but have non-standard fittings (like all fscking cars seem to have now)?

Battery life for receivers?

Ability to save money by degrading to shitty bit rates because more channels per mux appear to give more advertising revenues?

16
0

Insane blackhats behind world's most expensive ransomware 'forget' to backup crypto keys

Paul Crawford
Silver badge

Infection vector?

The Windows variant uses an Excel spreadsheet emailed to the victim (I think) but what is the route for the Linux version?

9
0

Mattel's parenting takeover continues with Alexa-like dystopia

Paul Crawford
Silver badge

Adds a whole new dimension to the line in Monty Python's philosopher's song:

"Aristotle, Aristotle was a bugger for the bottle"

7
1

Internet of Sh*t has an early 2017 winner – a 'smart' Wi-Fi hairbrush

Paul Crawford
Silver badge
Gimp

Re: Truly a hair-raising story...

"and an accelerometer and a gyroscope to log the number of strokes through your barnet."

Why would you use a hairbrush for hair? I thought they were spanking paddles in disguise, so maybe there is a business opportunity for users of FetLife to "rate my spanking" automatically?

9
0

Prez Obama expels 35 Russian spies over election meddling

Paul Crawford
Silver badge

Re: The Facts?

Standard government activity. See the UK and the appalling treatment of Professor Nutt on drug risk, etc, when he dared not to give the answer the gov/tabloids wanted to hear.

12
0

US cops seek Amazon Echo data for murder inquiry

Paul Crawford
Silver badge

Re: Interesting...

Ms May has just had an orgasm

Probably the first for a long, long time...

11
5

2016 just got a tiny bit longer. Gee, thanks, time lords

Paul Crawford
Silver badge

Re: I don't see what the fuss is about

So the conversion routines will now need to know about and account for the new leap second? And all those old Unixes unaware of it will be off one second?

You are wrong on both accounts. Firstly you have to understand the various concepts of "time" that are in use, and that suggests you don’t. We have:

Calendar time, this is what time_t and similar operates upon and what most people think of, and here each day ALWAYS has 60*60*24 = 86400 seconds, and the calculation of date is based upon the Gregorian calendar for leap years. The application of leap seconds has absolutely no impact upon such calculations, in effect it is just a step adjustment of time-of-day to keep it within 1 second of mean solar time as defined from the Earth's rotation and orbit. The difference in time between points is computed ignoring leap seconds, so it is actually "wrong" if you need an accurate time difference across such an event.

Ephemeris time and all of its variants (GPS time, TDT, etc) where you have some defined epoch and time is measured in fixed seconds based on atomic time from that point. Each of such systems has no leap seconds and no discontinuities, so time differences are always right. However, to equate such a linear time to calendar time you do need to know the history of leap seconds and for that you would need a table of data. For web-connected machines you can get it from here along with the finer details of the Earth's orientation:

http://www.usno.navy.mil/USNO/earth-orientation/eo-products

Finally this is exactly the same for any OS, it is just that historically UNIX has handled time in a sane and correct manner (e.g. system clock on UTC, NTP adjustment slewing time normally to avoid steps and to minimise the error w.r.t. several time servers, NTP signalling leap seconds before they occur, etc) even if code monkeys sometimes get it wrong. However Windows has had pretty poor ways of doing things (e.g. CMOS clock keeping local daylight-adjusted time, time steps once per week by default based on just the MS time server to keep the clock within minutes of correct time, etc).

2
0
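The calendar-time versus linear-time distinction in the post above, worked through as an added example (not code from the original post): GPS seconds are converted to and from calendar UTC using the leap-second table the post says a linear timescale needs, with the 2016-12-31 leap second showing up as 23:59:60, and a real elapsed-seconds calculation that a plain time_t subtraction gets one second wrong. The table is the published list of leap seconds since the GPS epoch; the function names are mine.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)

# UTC days that began immediately after an inserted 23:59:60 second, from the
# GPS epoch (GPS-UTC = 0) up to the 2016-12-31 leap second (GPS-UTC = 18).
# This is the "table of data" a linear timescale needs to show calendar time.
LEAP_DAYS = [
    (1981, 7, 1), (1982, 7, 1), (1983, 7, 1), (1985, 7, 1), (1988, 1, 1),
    (1990, 1, 1), (1991, 1, 1), (1992, 7, 1), (1993, 7, 1), (1994, 7, 1),
    (1996, 1, 1), (1997, 7, 1), (1999, 1, 1), (2006, 1, 1), (2009, 1, 1),
    (2012, 7, 1), (2015, 7, 1), (2017, 1, 1),
]

def utc(year, month, day, hour=0, minute=0, second=0):
    """Calendar UTC instant (every day 86400 seconds, like time_t)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def leap_count(when):
    """Leap seconds inserted between the GPS epoch and calendar time `when`."""
    return sum(1 for ymd in LEAP_DAYS if utc(*ymd) <= when)

def utc_to_gps(when):
    """Calendar UTC -> linear GPS seconds (not valid for a 23:59:60 instant)."""
    calendar_secs = int((when - GPS_EPOCH).total_seconds())  # ignores leaps
    return calendar_secs + leap_count(when)

def gps_to_utc(gps_seconds):
    """Linear GPS seconds -> UTC string; the leap second shows as 23:59:60."""
    offset = 0
    for n, ymd in enumerate(LEAP_DAYS, start=1):
        boundary = utc_to_gps(utc(*ymd))   # first GPS second of the new day
        if gps_seconds >= boundary:
            offset = n                     # this leap second has elapsed
        elif gps_seconds == boundary - 1:
            # The inserted second itself, which calendar time cannot hold.
            last = GPS_EPOCH + timedelta(seconds=gps_seconds - offset - 1)
            return last.strftime("%Y-%m-%dT%H:%M:") + "60Z"
        else:
            break
    when = GPS_EPOCH + timedelta(seconds=gps_seconds - offset)
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")

def elapsed_seconds(start, end):
    """Real seconds between two calendar times: difference plus leap seconds.

    A time_t subtraction gives only the first term, so across the
    2016-12-31 23:59:60 event it is one second short.
    """
    calendar = (end - start).total_seconds()
    return calendar + leap_count(end) - leap_count(start)
```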
Paul Crawford
Silver badge

Re: I don't see what the fuss is about

Thing is, slewing time gives the wrong time. It might avoid such time-steps, but the real answer is to apply a leap-second forwards and backwards every 10 minutes to software developer's machines so they get the message - test and fix your damn code!

1
0
Paul Crawford
Silver badge

Re: Google smear

All very well if you have shit software to manage, but it means they have the wrong time for most of that day. Now they might not care, you might not care, but there are many cases when you need to know the right time to millisecond or better accuracy.

Ironically folk who program for Windows have learned to be tolerant of time-jumps because typically they are updated once per week or so by SNTP which applies a time-step. Whereas UNIX/Linux has an OS that handles it properly (except when someone changes code and does not test it) but many code monkeys who never test/debug their code against time steps because they don't see it often.

1
0
Paul Crawford
Silver badge

Re: There have been 27 of them since 1971

No, they only need programmed into stand-alone computers, anything using NTP gets the updates automatically as NTP announces the pending leap-second for 24 hours before it happens.

Similarly if you get time from GPS it has a field that tells you of the coming leap second for days, maybe months, before it is due. Assuming of course you don't have some shitty GPS receiver that hides the information from you because the firmware monkeys just don't understand it...

0
0

Raspberry Pi Foundation releases operating system for PCs, Macs

Paul Crawford
Silver badge

Re: AC

Funny that, we explicitly switched wholesale to LibreOffice because it did that (a) across all of its versions and (b) across all platforms (we mainly use macOS and Linux, but a few less fortunate souls have to use Windows for customer experience testing of our service :) ).

If you can get other in multi-company to change - yes!

But if they are wed to MS Office then you are forced to use the same to get consistency :(

0
0
Paul Crawford
Silver badge

Re: And it appears to be 3D skeuomorphic!

I don't use Office where I work either and nobody that I respect technically in the IT business uses it.

Technical people are not the major use-case for Office, it is business that demands it. Now we can compare its good and bad points relative to LibreOffice and for many jobs I use the free one.

But sadly I have to use MS Office for some projects as it's the only one that maintains correct layout. And that also means using the more recent ribbon-infested version because even MS can't achieve true portability between versions of its own damn suite!

32
2

Snapchat coding error nearly destroys all of time for the internet

Paul Crawford
Silver badge

WTF is an App doing querying network time?

Really, what is the Snapchat app doing? Timekeeping is an OS-level task, and only that should be syncing the server/PC/phone/teledildonic dildo/etc to real-time, and user level programs can get their time from the OS by whatever means the OS supports.

44
1

Non-existent sex robots already burning holes in men’s pockets

Paul Crawford
Silver badge
Coat

Re: I want one.

"I don't trust maids."

But you would trust an android sex robot cum cleaner instead?

Just imagine what extra info Google will be able to slurp from its users?

Yes, it is well past the time I should be getting my coat =>

1
0

Did webcam 'performer' offer support chap payment in kind?

Paul Crawford
Silver badge

Re: Love a good pr0n investigation

"Is that like an in-depth analysis?"

Probing deeply in to the nether regions of the PC?

0
0

Strong non-backdoored encryption is vital – but the Feds should totally be able to crack it, say House committees

Paul Crawford
Silver badge

Other option is you make it so the phone's key, for example, is held in an accessible manner internally, but that needs hours of careful, destructive, and expensive time to read out using a scanning electron microscope.

That way if they REALLY need to get in to a phone they can, but the time and cost and physical access needed makes it utterly useless for panopticon surveillance or fishing trips when someone is stopped for a trivial reason.

14
0

Why does Skype only show me from the chin down?

Paul Crawford
Silver badge

Re: @Orv

"In some ways the really old code is easier, because it's less likely to rely on large libraries"

Another factor is they often had all the code on CD or tape, etc. Now if you try to create an old-ish machine often you simply can't get the code from that era because it was all on-line and downloaded then and not archived. Or was, and now has been replaced. Because no one needs to maintain old stuff do they, it has to be new, new, new? And more or less incompatible...

3
0
Paul Crawford
Silver badge

Re: Incompetent admins and migration saboteurs

Even if you can provide better alternatives for everything it offers, people get very fond and possessive of such old systems, and decommissioning can be a nightmare.

More often than not, the problem is it is running some old OS/libraries that special code needs, and that is why you get serious resistance to change. If you can offer it on a VM then mostly it's a non-problem, but alas few can run up VMs that emulate old VAX hardware/software, etc.

Yes, I know you should not end up in that position, but academics like to solve something once and move on. At least it's not IE6 based...

8
0

China gives America its underwater drone back – with a warning

This post has been deleted by a moderator

US voting machine certification agency probes potential hack

Paul Crawford
Silver badge

"liberal anti-people propaganda"

Now boy, keep taking them there dried frog pills...

18
1

Oracle finally targets Java non-payers – six years after plucking Sun

Paul Crawford
Silver badge

Come now! Oracle's strategy has always been to make sure your balls are in one of its vices and then to turn the screw every so often to extract more money.

It worked so well for large databases when there was limited competition of any sort, so why would Larry think it won't work again?

34
1

Macbook seized or stolen? But you've set a FileVault password, right? Ha, it's useless

Paul Crawford
Silver badge

Re: Clickbait

Well you could follow the link to the article (PDF hosted on GitHub) and read it there?

However, this attack is not OS-specific in that *any* machine with externally controllable DMA enabled at any time is vulnerable to having the OS and program memory read out for analysis.

In fact the UK gov security advice[1] is to try and buy machines without that feature. I guess Apple are a special case in that they control the UEFI boot loader and so are able to turn off external DMA access until the machine is booted and access is under OS control.

[1] For example https://www.ncsc.gov.uk/guidance/end-user-devices-security-guidance-ubuntu-1404-lts#risk-owners-summary

2
0

Yahoo! says! hackers! stole! ONE! BEELLION! user! accounts!

Paul Crawford
Silver badge

I believe the author is referring to a milliard, a term that is unambiguous unlike our American cousins' "ten gallon hat" scale.

9
1

Give us encrypted camera storage, please – filmmakers, journos

Paul Crawford
Silver badge

Re: Would still be useful

IMHO, storing it on the camera except at the moment of taking pic is wrong idea anyway.

This is exactly what the cameras should be 'avoiding' - the SD card should look like noise no matter what was stored there, or nothing at all. Add to that a plausible deniability of more than one password to reveal different photo sets and it becomes very difficult to establish if the camera has anything on it at all. For example, if I am going out to take any photos of importance I format the SD card first and take a spare just to have more chance of it storing things properly and not having corrupted FAT, etc. So a camera showing no stored photos is not unusual.

As for speed of taking photos, if for example, it was using an asymmetric key arrangement the camera can always encrypt the files without your (stored) public key so no need for PIN/password at switch-on, and only that private key can decrypt it later. It can show the in-RAM copy briefly after taking it for you to check composure, focus, etc, and then it's wiped and you need the private key to recover the on-disk copy.

3
0

Reschedule the holiday party, Patch Tuesday is here and it's a big one

Paul Crawford
Silver badge
Trollface

Re: @ Patrician

Or they're a home user that just doesn't want to spend hours in a Linux command line trying desperately to get some software working

What you mean like:

"ipconfig /release"

"ipconfig /renew"

To get DHCP working again?

3
0

Men! If you want to win at board games this Christmas, turn off the rock music – scientists

Paul Crawford
Silver badge

Re: Says it all

The players were on the highway to hell?

0
0

HPE 3PAR storage SNAFU takes Australian Tax Office offline

Paul Crawford
Silver badge

What was that Skippy? Was it 3PAR kit you say?

Were they taking a leaf from King's College London on this? Unlike KCL they probably will want users to keep their own records:

http://www.theregister.co.uk/2016/11/15/after_kcl_kills_uniwide_backups_staff_get_order_to_never_make_their_own/

7
0

US-CERT's top tip: Hack your crap Netgear router before miscreants arrive

Paul Crawford
Silver badge

Re: They are running the webserver as root?

Indeed, the 1990s called and want their security blunders back...

2
0
Paul Crawford
Silver badge

Re: Put PR at stake

Welcome to the world of shitware, when every device you buy from $SUPPLIER comes with half-arsed software and bugger-all updates even months after the manufacturer has been told (probably twice, 2nd time in crayon and big pictures) of how crap they are.

5
0

P0wnographer finds remote code exec bug in McAfee enterprise

Paul Crawford
Silver badge
Trollface

Reassuring to see McAfee's software for Linux is just as crappy as their software for Windows.

19
0
