* Posts by Donn Bly

203 posts • joined 10 Jan 2008


Dev writes Ethereum code for insecure SHA-1 crypto hash function

Donn Bly

And I'm sure there are performance and/or compatibility scenarios where SHA1 or MD5 is preferable to more modern algorithms when you don't have any security considerations.

It comes down to fitness of purpose. In many cases, a CRC-32 check is sufficient, let alone an MD5 hash. For McCorry or someone like him to claim that a hashing function shouldn't be written because it doesn't do what HE wants to do is not only short-sighted, it is pretty egotistical. His purpose and your purpose may be totally different, and he does not know your purpose.

Additionally, while there are examples of intentional collisions for both SHA1 and MD5 there has yet to be an example of a simultaneous collision for both. If I give you a file, and supply you with both the SHA1 and MD5 hashes, you are going to be very hard pressed to create a new file that has the same hashes. To that end, with both SHA1 and MD5 being so computationally inexpensive to generate they still have a viable role to play in modern computing -- they just shouldn't be relied upon individually in a security context.

It took Google and researchers YEARS to create a single intentional SHA-1 collision, and they could control and modify both files until they got it. Yes, it proves the theory that an intentional collision is possible, but collisions are mathematically possible in ANY hash.

1
0

No, the FCC can't shut down TV stations just because Donald Trump is mad at the news

Donn Bly

Re: Actually

You are seriously going to use Wikipedia, the "encyclopedia" that anyone with an axe to grind can edit, as a source on anything political or controversial?

6
42

Facebook, Twitter slammed for deleting evidence of Russia's US election mischief

Donn Bly
Mushroom

Re: AAAHHH MOTHERLAND!!!!!

and it also is illegal for foreigners to engage in direct advocacy for or against candidates or issues

No, it is NOT illegal. If it was, then The Reg (and many other non-US publications) would be in a heap of trouble for advocating for or against issues. If it was, then when a Prime Minister says that the USA is making a mistake on a given issue, then that Prime Minister would be breaking US law -- and that is certainly NOT the case.

In a free country it is neither illegal nor unethical** for someone to advocate for or against an issue or candidate, regardless of citizenship. The USA may not be as free as it once was, but those freedoms are still intact.

** I may disagree with you, but I will defend your right to say it. Even if the content of one's "message" may be considered by some to be unethical, it is not unethical for you to deliver that message.

3
2

Apple's iOS password prompts prime punters for phishing: Too easy now for apps to swipe secrets, dev warns

Donn Bly

Re: One way ...

Actually, if I had your email address and was doing a targeted hack, all I would have to do is go to the login screen at your bank ahead of time and it would present me with your chosen image and personal phrase -- which I could then duplicate and present to you in a spoof.

Making it more generic, all I would have to do is create a "man in the middle" proxy using a visually similar domain name that accepts your information and validates it against the bank -- querying the bank to get your site identifier and passphrase to echo back to you. Basically the same principle as a reverse proxy isolating backend systems in a DMZ from direct internet access. Once I got a valid confirmation I could display a "password error" and redirect you to the real site, and when your password worked the second time you would just pass it off as a typo and forget about it.

Using user-defined site identifiers is certainly better than nothing, but it is far from "phishing proof". Always be vigilant. :-)

Personally, I protect myself against phishing by having each of my banking sites bookmarked, and only visit them from the bookmarks and not manually entered addresses (that way I cannot possibly typo and end up on a site run by a typo-squatter) and never EVER by following a link in an email.

5
0

How much for that Belkin cable? Margin of 1,992%?

Donn Bly

Based on those prices, sounds like you got solid wire, and connectors for stranded. Those connectors will fail with breaks in the copper over time -- even heat expansion/contraction will be enough, without even introducing vibration or cable movement.

There are reasons why we use stranded wire for patch cables, and why special RJ45 connectors for solid wire exist.

4
0

Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Donn Bly
Flame

FTFY

The strong ties between Senator Jeanne Shaheen (D-NH) and Kim Jun Un are extremely alarming and have been well documented for some time, it's astounding and deeply concerning that the North Korean government continues to have this tool at their disposal to harm the United States.

Hey, it is just as well documented as Kaspersky's supposed ties to the Kremlin.

30
7

Amazon told to repay €250m in 'unfair state aid' from Luxembourg

Donn Bly

TVU -Have you ever taken tax into consideration when making a purchase or investment? Have you ever NOT bought something because you didn't want to pay the tax on it? If so, then you are a tax avoider.

4
3
Donn Bly

re: are rampant tax avoiders and they really need to be uniformly penalised

No. Tax EVASION is wrong, and should be prosecuted, but tax AVOIDANCE is not only legal and ethical, in most cases companies are required by law to engage in it because they have a fiduciary responsibility to maximize value for their stockholders.

The problem isn't the companies, the problem is the tax law. Fix the tax law, and you have solved the problem.

Tax avoidance is merely playing by the government's rules. If the government doesn't like the results, then they need to change the rules so that they get the results that they want, not penalize people and companies that followed the rules.

11
4

ISIS and Jack Daniel's: One of these things is not like the other

Donn Bly

Ignorance knows no borders

My guess is that the anonymous complainer could read neither Arabic nor English, and is so ignorant of the two languages that they cannot distinguish the two when compared side by side. Since neither is the official language of Switzerland it isn't that far out of the realm of possibility.

21
5

Firemen fund sues Uber for dousing shares with gas, tossing in a match

Donn Bly
IT Angle

Re: Err, yes....

I am rather leery about lawsuits of this type. Any COMPETENT investor knows that the stock market is not a guarantee of growth, and that loss of valuation does not equal a loss of investor capital. In this case, Uber is private and untraded - thus public market valuation is in essence meaningless and until they sell their private stake they have not suffered an actual loss. As a privately held company transfers probably require approval of the board, which they won't give, thus they can't sell the stock and thus prove a loss. Even if they did, they would voluntarily be taking the loss so the onus would still be on the firefighter's union.

Such is the nature of private equity - there is no sure thing and they gamble with someone else's money. The payoff can be huge -- but you are far more likely to lose money than to make it.

Yes, Uber had some dark secrets behind closed doors, but as it is a private sale it is up to the buyer to do due diligence - diligence that by the nature of the lawsuit they apparently failed to do. They will have to show that Uber's public written statements were knowingly and materially false AND that they relied upon those false statements to invest the money. The burden of proof is on the Firefighter's union, and by going on record like this they have actually opened themselves up to lawsuit by the members whose money they invested. Time to break out the popcorn.

24
0

Facebook U-turn: React, other libraries freed from unloved patent license

Donn Bly

Do you have software patents?

In this case, the difference in license only comes into play if you have patents and you accuse Facebook of violating them. If you don't have patents, and most software developers don't, then there IS no difference between their derivative license and the OSI approved one.

I see this more of a poorly executed way to preemptively protect themselves against patent trolls, but since it could be used as a weapon against legitimate patent holders it is bad news and should go away in its current form.

1
0
Donn Bly

A license does not need to be "approved" by the OSI

A license does not need to be "approved" by the OSI for a project to be open source. Open source refers to transparency and the ability of a third party to review the code, and is separate from providing a license to USE the code.

I personally prefer to release my code under a derivative of the MIT license, but as long as ALL of the source code is available for review by a third party the software is open source whether the license to USE the code has been "approved" by the OSI or not.

1
0

Driverless cars will make more traffic, say transport boffins

Donn Bly

Re:I must be lucky.

Yes, you are lucky.

I have a large collection of tools -- much larger than the average guy. Whenever I need a tool the decision is not whether I borrow or buy, but whether I will buy the cheap one or the good one. As such, I'm the guy in the neighborhood that everyone comes to when they need something, and while I'm not opposed to loaning something out experience has shown that if I do I only have a 50/50 chance of it coming back in good condition.

Of course, there are a few people that I do consider trustworthy and I know that I will get it back in good condition, but they aren't very common anymore. I think the biggest problem is that fewer people actually know how to use the tools correctly -- like the guy who wanted to borrow my post driver AND sledgehammer. Instead I told him I would stop over in a bit and show him how to use the driver so that he didn't ruin it.

0
0

Ah, good ol' Windows update cycles... Wait, before anything else, check your hardware

Donn Bly

Re: Bunch of management-speak garbage.

I hope El Reg got paid a lot to push this drivel at us. Because it sure as hell dented their reputation.

I fail to see how a full-page ad, clearly marked as such, somehow dents their reputation. If they tried to sneak it in as an editorial then maybe, but it is CLEARLY labeled as sponsored content.

4
2

Crypto-busters reverse nearly 320 MEELLION hashed passwords

Donn Bly
Boffin

@petethebloke Re: Not really correct, but close

Close but no cigar -

First, because of password reuse and poor password storage methods - the entire POINT of this exercise - it is most DEFINITELY LIKELY that a password extracted from a hash collision is still likely to work on other sites, because an unsalted hash on one site is going to match the same unsalted hash on another.

Second, when you take a 4K block of code (or 1K, or even 256 bytes) and reduce it into a hash, you are ALWAYS going to have the possibility of collision between other blocks of unrelated code. In fact it is actually such a high probability that the hash CANNOT be used for authentication in and of itself. If you can't rely on the hash on a string of thousands of characters for collision-free authentication, then a string of 8 to 10 is even less reliable.

The hash can, however, be used with a high level of certainty to detect changes in the source code, taking a hash of a block of code and comparing it to the hash of a previous block to see if it changed. Taking two hashes using different algorithms is even better. In this use case, the hash algorithm doesn't really matter - it can be sha1, sha256, or even a CRC32 or something else -- and that is why it doesn't matter for Git.

1
0

NYPD head of IT doubles down on Windows smartphone idiocy

Donn Bly

Re: Hold on, if I read this right

The second-system effect is the tendency of small, elegant, and successful systems, to be succeeded by over-engineered, bloated systems.

However, as we are talking about Windows 8.1 applications, they don't meet ANY of those three criteria, as they are most likely NOT small, NOT elegant, and NOT successful. As such, using them as a prototype and developing version 2 sounds like a very viable plan.

23
4

Hate it when your apartment block is locked to Comcast etc? Small ISPs fight back

Donn Bly

Re: As a building owner...

How about you wire the damn thing properly when it's built?

Perhaps because the buildings were built before the transistor? Even electricity, hot water, and indoor toilets were retrofits.

Failing that, how about when someone asks the maintenance people to do cable drops, they do it in a timely and competent manner?

As these are old buildings, they were not built with structured wiring in mind and running surface molding down the halls looks tacky. Some conduits were added in the last major remodel, but obviously not enough -- and I'm not tearing out walls, floors, and ceilings to add more because (1) it costs money (2) I would never recoup the costs. If you don't like it, buy your own building.

2
0

Did ROPEMAKER just unravel email security? Nah, it's likely a feature

Donn Bly

Prime Time TV?

I think someone at Mimecast has been watching too much prime-time TV, because if this is the quality of "security research" that they do then they are just as credible.

First of all, no reliable email client allows remote resources by default. While we normally think in terms of linked images, tracking bugs, etc. this also applies to linked CSS stylesheets.

Second, CSS can change how HTML is displayed, but it cannot change the contents of a link. CSS does not have the capability of changing an HREF attribute. The best they could do is put two links (both good and bad) into the body of the email and hide one. They wouldn't even be able to change the target of the bad link once the message was sent.

Third, while CSS does have the capability to INSERT text content, it does not have the ability to change it or remove it. The best it can do is hide it from display.

What's next, are they going to claim that they just discovered that JavaScript is insecure and that malware can be injected via an iframe?

In summary, if Mimecast services were affected by this to the point where they had to put in a patch or filter to compensate, then their services were already broken.

7
1

US cops point at cell towers and say: Give us every phone number that's touched that mast

Donn Bly
Boffin

Re: Cellular Coverage

For example, where I live, during the evening rush hour out of the city, I have calls dropped, even though our building has a telco's mast.

Your phone is not connecting to the mast on your building. Being under a mast, or within a half kilometer of one, is one of the worst areas you can be for cellular coverage. A base station antenna is something like a lighthouse -- you have to be some distance from the tower to see the light directly.

Typically the beam width on a base station antenna is 15 degrees or less with a downtilt aiming the center of the lobe down below the horizon. At 60 meters high you need to be over 400 meters away before it can "see" your phone. Any less and you are picking up a reflection or side lobe which will be unreliable for communications. Shorter towers of course lower those numbers, but being below the antenna is still the worst place to be.

1
0
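The geometry behind the numbers in the post above, as an added worked derivation (not part of the original comment). With antenna height $h$, downtilt $\delta$ of the lobe centre below the horizon and vertical beamwidth $\beta$, the lower edge of the main lobe is $\delta + \beta/2$ below the horizon and meets the ground at

$$d_{\min} = \frac{h}{\tan\!\left(\delta + \tfrac{\beta}{2}\right)}$$

A phone closer than $d_{\min}$ is below the lobe and is served only by side lobes or reflections. Checking the post's figures: $h = 60\,\text{m}$ and $d_{\min} = 400\,\text{m}$ give $\tan(\delta + \beta/2) = 60/400 = 0.15$, so $\delta + \beta/2 \approx 8.5^\circ$; with $\beta = 15^\circ$ that corresponds to about $1^\circ$ of downtilt (the downtilt is an assumption here; the post does not state it). Since $d_{\min}$ scales linearly with $h$, halving the tower height to 30 m halves the distance to roughly 200 m, which is the "shorter towers lower those numbers" point.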

Judge yanks plug out of AT&T's latest attack on Google Fiber

Donn Bly
Boffin

re: More Google Ads

Faster internet means more people seeing Google Ads, especially on Youtube

Actually no, it wouldn't. If I spend an hour wasting my time on youtube, it doesn't matter whether I am on a 2 mb circuit or a 100 mb circuit, I'm going to see the same number of ads. Once you are above the bandwidth threshold to have streaming vs buffering, no additional bandwidth is going to matter.

0
0

Manchester firm shut down for pretending to be Google

Donn Bly

Re: Rampant in the US

Intentionally making false statements (such as fake caller id) for the purposes of getting something to which you are not entitled (my money, my business, or even my time) is already fraud.

I don't advocate having the company stop the call - they have insufficient information to make a fraud determination - but I do advocate holding companies responsible for facilitating criminal activity. If there were any teeth in that, the legitimate voip providers wouldn't let clients pick whatever number they wanted to display on outgoing calls, or might actually monitor their own networks and when the same client makes repeated calls with different numbers it should throw up a flag.

The most prevalent nuisance calls around here right now are from fake travel companies, calling from spoofed numbers in the same npa-nxx as the target victim so that the intended victim thinks it is a local call - and more than once I have had to explain to people that no, the number on the caller id isn't accurate and that I didn't call them.

2
0

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim

Donn Bly

I haven't seen the claimed behavior

I use HotSpot Shield vpn on my malware sandbox machine so that I can make it appear to be sitting in another country, and have been using it for well over a year. In that time, I have NEVER seen it inject ads or javascript into a web page -- and as this is a machine that I use to test suspicious files and intentionally infect from time to time I am generally LOOKING for such behavior.

I wonder if they are referring to Hotspot Shield's "free" browser toolbar, which is not a VPN (nor do they claim it to be). While they do claim that it gives some level of obfuscation, it's a different product, and not one that as a VPN user I have ever had reason to install.

1
0

DJI drones: 'Cyber vulnerabilities' prompt blanket US Army ban

Donn Bly
FAIL

Can't have it both ways

Quite often when making regulations there are unintended consequences.

The US Government wants drones to check in realtime to make sure that end users aren't flying in a restricted zone, have the ability to add restricted zones quickly, and make it impossible for end users to modify the requirement. By definition, that means that the drone has to send its location SOMEWHERE to be vetted, unless it were to download and synchronize a locally cached mirror of the worldwide no-fly zone database each time it is turned on (and presumably periodically while it is flying as well).

Mirroring the database has its own security concerns, as people will look for changes to know exactly where "interesting" things are happening.

This is an example of where you can have security, or you can have privacy, but you can't have both - and it is the government's own demand for "security" that is the root cause of the loss of privacy.

14
1

Revised 'Broadband 2.0' report: 6.7m Brits suffer 'sub-10Mbps' speeds

Donn Bly

Re: Yeah...

Six miles isn't "way out". That's considered walking distance around here.

1
1

Boffins throw Amazon Alexa on the rack to extract hidden clues

Donn Bly

Re: Sales of these are going to crash at some point

Close -- yes, the echo is always listening -- but not Amazon's servers. The Echo doesn't start recording until it picks up on the hardcoded keyword (the only two available are "Amazon" and "Alexa") and until then no voice traffic is sent up to the servers for processing. If you don't believe me you can dig out Wireshark and see for yourself -- just like I did after I bought my first echo.

Apple devices listen for "Siri", Google devices listen for "Google", Microsoft devices listen for "Cortana", and Amazon devices listen for "Alexa". If sales are going to crater for the reason you give, then sales for all of them would crater at the same time -- and for better or worse I'm pretty confident that the demographic of the population that uses these devices aren't going to give them up.

By the way, you CAN mute the microphone. In fact, on the Echo Tap displayed in the article photo the default behavior forces you to "tap" the button instead of using a wakeword - so that you can have a voice controlled device that ISN'T listening all of the time if that is what you want.

10
0

Marketing giant Marketo forgets to renew domain name. Hilarity ensues

Donn Bly

Re: SSL & DNS

Quite true. Which is why I use Nagios to monitor the internet-facing SSL certificates for all of my clients, whether they bought the certificates from me or not, and whether they host with me or not. More than once I have contacted a client or former client to inform them that the SSL on their ecommerce shopping cart at [insert-ecommerce-as-a-service-platform-here] was about to expire.

0
0

No time for nap, update your QNAP: RAIDed NAS data corruption bug squashed

Donn Bly
Boffin

Re: "There is never a case when RAID5 is the best choice, ever!"

I've read that thread before -- a number of incorrect assumptions are made resulting in the math being wrong. There are reasons for not using RAID5 but his reason is not among them.

Basically, he states that the 10^14 bit error rate means that if you are reading 12.5TB from any single drive or collection of drives you have a 100% chance of an unrecoverable read failure that results in data loss. This is not a paraphrase, it is an explicit statement that is used to justify the rest.

So, according to him, if I have a 2 TB drive and read it from end to end seven times then at some point in there the drive will have failed - or if I have seven separate 2TB drives and read each of them from end to end at least one of them will fail. Not just might fail, he states that it is a 100% statistical certainty.

If drives were truly that unstable and unreliable none of us would ever be able to boot an operating system and use it for a week.

If drives were that unstable and unreliable then we would never be able to back up a data store larger than 12.5 TB, and any smaller data store could never be backed up reliably.

1
0

Google goes home to Cali to overturn Canada's worldwide search result ban

Donn Bly

Re: Extra-territorial control

I fully recognize the distinction, and yes the company has to make a commercial decision. The point is that the company shouldn't have to make such a decision if the "banned" services aren't being offered in the country doing the banning.

0
0
Donn Bly
Pint

Extra-territorial control

This isn't a piracy issue - this is an issue of a country exhibiting extra-territorial control. Canada says that a company operating in another country must do something, or more specifically CEASE from doing something, even though it is legal in that company's home country.

Let's play a small game of noun replacement. Instead of company let's call it a person (you). And instead of serving up search results let's call it "drinking beer".

Should a country such as Saudi Arabia be able to tell you sitting somewhere in the UK, the US, or ANY OTHER COUNTRY IN THE WORLD that you can't drink beer?

If they want to do it in their own country, fine, they can go without and leave more for the rest of us - but they don't have any right to tell me or you or anybody else that is outside of their country that they must obey their laws.

Google excluded the results in the Canadian search engine. That wasn't a problem - they may not have liked it but they complied. But to remove all results worldwide? How about if Saudi Arabia said that Google had to remove all references to "beer", or any business advertising beer, or any search result from any country where beer is served -- from search results worldwide? How about if they passed a law that said that all search results must be returned in Arabic? This is a slippery slope - if you say that Canada has the right to demand compliance even on web sites that aren't Canadian, on search engines that target countries outside of Canada, on servers that aren't in Canada, serving results to people who aren't in Canada (even in languages that aren't even commonly spoken in Canada) -- then every other country has the same right of censorship and what they consider right may not be the same as you.

Basically, if Canada has the right to tell Google to remove the entries from their non-Canadian search engines and fine them if they don't, then Saudi Arabia has the right to tell you not to drink beer in your own home and to extradite, flog, and imprison you if you do.

25
23

Stop this crazy crusade! Google, Facebook, Microsoft, Amazon scold FCC over net neutrality

Donn Bly

Re: illegal to ask you to pay more for your shoes because you got a bonus last week...

Are you sure about that? Asking me to pay more is EXACTLY how the American Income Tax system works. The more I make, the higher the percentage that they take.

0
1
Donn Bly

Re: Squeeze the lemon

The internet grew and flourished without government intervention via the current net neutrality regulations. Investments in expensive infrastructure were made, broadband coverage expanded, speeds to consumers were increased, and life was good -- so to argue that without the regulations it would all go away is to also argue that it doesn't already exist and that we are communicating over an illusion.

The Internet started out as being funded through public dollars, but it grew through private investment in a free-market system. The NN rules changed the field, but the free-market system compensated and the Internet grew even DESPITE the government interference. Companies did leave the market because of NN and other regulation. That is a fact. However other companies started and expanded to more than compensate for that loss -- which is exactly how a free market is supposed to react.

That said, there are some small parts of the NN regulations to which I am specifically opposed, such as the "no fast lanes" rules. I understand the ideology behind them, but they create artificial barriers that aren't really needed and drive innovations that need them outside of the sphere of the US, taking jobs and investment with them. However any game requires rules to establish a level playing field, and you don't need to agree with all of the rules in order to abide by them and play the game. The level playing field established by the rules that allows companies to interact and grow with a lower level of uncertainty is a far better alternative, has allowed businesses to overcome the negatives, and for that reason I am opposed to dropping them.

Uncertainty is the real killer. Uncertainty is the difference between investment and speculation. Businesses and investors do both, but steady growth is preferable.

1
5

Judge uses 1st Amendment on Pokemon Go park ban. It's super effective!

Donn Bly
WTF?

Re: OK, I'll bite ...

What you, and some local governments, seem to have forgotten is that the people using the parks aren't the game makers, but the LOCAL TAXPAYERS who already pay for the parks' upkeep.

The only thing that the game makers did was use public mapping data.

Your argument basically states that GPS manufacturers cannot include your town and the streets therein because you consider it "yours".

5
2

Don't panic, but your Bitcoins may just vanish into the ether next month

Donn Bly

Re: "virtually zero" How are Morgan Stanley counting?

Bitcoin may or may not be a viable currency (I'm not vested in it in any way or fashion myself), but I find your argument that Bitcoin is "structurally incapable" of operating as a mainstream currency based upon its scarcity to have a very serious flaw.

If we took the same argument and applied it to a precious metal such as gold, when there isn't enough of it to go around to pay any more than a minuscule fraction of the gross world product, it would mean that gold is also worthless as a currency.

Instead, I think you will find that a great many people value gold for its monetary value and not its physical properties.

Something is only worth something if someone else wants it. That demand imparts value. That goes for your house, your art, your car, your gold, or even your Bitcoin. If it is portable and uniform then it can easily be used as currency - just as cigarettes are used among inmates in prisons.

Bitcoin is portable, uniform in nature, and demand has imbued it with value. For better or worse it is for all intents and purposes a currency, and as long as there is a demand it will continue to be viable as a currency.

1
0

Microsoft boasted it had rebuilt Skype 'from the ground up'. Instead, it should have buried it

Donn Bly

Re: Remember, this is the company that came out with the Ribbon

you forgot "Bob" and "Windows Me" - they make the Windows 8 UI look good by comparison....

3
1

50th anniversary of the ATM opens debate about mobile payments

Donn Bly

Re: merchant cannot discount payments made in cash

Actually those laws, and the restrictions, changed years ago. As of January 27, 2013 US businesses were allowed to charge up to 4% more for credit card transactions than cash, provided that they have clear signage about the policy.

Many businesses in highly competitive, low margin trades such as Gas Stations (Petrol for the rest of you on the other side of the pond) have separate prices for cash and credit.

When you only have a 5% margin, 3% in card fees amounts to 60% of the profit!

3
0

Walmart tells developers to stay away from AWS

Donn Bly

Re: There are alternatives

My condolences on your employment situation.

23
0

Banking websites are 'littered with trackers' ogling your credit risk

Donn Bly

Maybe degrade it back to using a series of dropdowns

And how do you propose to degrade it without client-side scripting? The server could guess based on user-agent, but then it would have to know the capabilities of every version of every browser ever made or yet to be made -- which is why solutions like browsercaps and server-side browser detection were broken from the very beginning and aren't used by anyone with a brain - if you need detection then it is done on the client side based upon capabilities and not some arbitrary text string.

And if you did use your dropdowns, without client side scripting you couldn't even limit the number of days based on month selected - so you would HAVE to allow the user to enter February 31st and then reject it as an error after form submission, making them correct it and resubmit it again. Not a very user-friendly solution.

0
0
Donn Bly
Thumb Down

Re: Are there any legitimate uses for client side scripts on a banking website?

I take it that you don't have a lot of experience in UI implementation?

You ALWAYS do server-side validation, no matter what validation you have on client side, however, if you can eliminate the round-robin trip then why not -- or would you prefer to return the web back to 1990's? In my example you prevent the user from even entering the slash - a simple regex on the keyup is all that is required - not some clunky onsubmit validation.

In your solution, the entire page would have to be re-transmitted and re-rendered. With client validation you don't even have the opportunity for the error.

In your solution the client couldn't even know that they had made an error until after they had tried to submit the request.

Do you want a form to change based on whether a checkbox or radio button is selected? Then you need JavaScript. Even if you do everything on the server and resend the entire form, you need JavaScript in order to SUBMIT the form since without it you need an actual submit button (and of course the form will submit if they happen to hit enter without filling out the form). Over a high-latency connection this type of site design would be a customer-service killer. If you are going to have that poor of a design, why bother to have a web page at all?

Not to say that JavaScript isn't over-used with lots of heavyweight libraries that aren't needed - but to say that there is NO legitimate use is clearly incorrect to anyone with any web development knowledge.

0
0
Donn Bly

Re: Are there any legitimate uses for client side scripts on a banking website?

A third is filtering characters, so that non-numeric characters aren't entered into a numeric field. Sure, you could do it server-side, but then when someone enters "100/23" they may try to transfer 10023.00 instead of 100.23.

There are a lot of things that are far better done on the client than on the server.

3
2
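The client-side filter and the server-side amount check described in the two posts above, as an added example that is not part of the forum thread; the helper names and the two-decimal-place rule are this example's own assumptions.

```javascript
// Added example (not from the forum posts): strict amount handling for a
// transfer form. The client-side filter keeps stray characters such as "/"
// out of the field as they are typed; the server-side parser never "cleans"
// input, it rejects anything that is not a well-formed amount.

// Characters a key handler would accept for a decimal amount field.
// Called from a keydown/keypress listener: return false to block the key.
function isAllowedAmountKey(key, currentValue) {
  if (/^[0-9]$/.test(key)) return true;
  // allow exactly one decimal point
  if (key === '.' && !currentValue.includes('.')) return true;
  return false;
}

// Server-side validation (the same shape works under Node): accept only
// digits with an optional fractional part of at most two digits, and return
// the amount in integer cents to avoid floating-point rounding. Return null
// for anything else; never strip characters, because "100/23" stripped to
// "10023" would silently become a 10023.00 transfer instead of an error.
const AMOUNT_RE = /^(\d{1,12})(?:\.(\d{1,2}))?$/;
function parseAmountCents(raw) {
  const m = AMOUNT_RE.exec(String(raw).trim());
  if (!m) return null;
  const whole = Number(m[1]);
  const frac = m[2] ? Number(m[2].padEnd(2, '0')) : 0;
  const cents = whole * 100 + frac;
  return cents > 0 ? cents : null; // a zero amount is also an error
}

// Constructed sample submissions, including the "100/23" case from the post
const samples = ['100.23', '100/23', '1,000', '100', '0.5', ''];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', parseAmountCents(s));
}
```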

FOIA documents show the Kafkaesque state of US mass surveillance

Donn Bly

Re: To Constitute or not to Constitute...

The matter at issue would have been known in full to the litigants on both sides, and to the court.

Bullsh*t. The matter was certainly NOT known to both sides, as one of the major points is that one side (the company) was denied access to relevant case law and prohibited from mounting an informed defense.

In my opinion, in a free society any court decision that cannot be published cannot be construed to be binding. These "secret courts" are one of the biggest blemishes on the once-free American society.

36
0

Don't all rush out at once, but there are a million devices ripe to be the next big botnet

Donn Bly

News?

Isn't this old, recycled news? Flashpoint published this last October. "Pen Test Partners" is a bit late in the game. IPVM titled their take on it "Move Over Dahua, Xiongmai Is The Real Botnet King"

I can't find the original article on Flashpoint anymore ( it was titled "when-vulnerabilities-travel-downstream" ) but you can find plenty of places that quote it, just do a Google search with one of the quotes: "countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai"

1
0

Google to give 6 months' warning for 2018 Chrome adblockalypse – report

Donn Bly

Re: Would you allow your website to serve ads that you would be held responsible for?

I already hold the sites responsible for the ads they serve, even if they are using ad networks. If they serve intrusive ads, or if they trip the antivirus/malware scanners on the systems that I support, I just block the sites or don't come back depending on severity. Whether their servers served up the ad is immaterial -- they allowed their website to be used for the purpose and that is enough for me.

22
0
Donn Bly

Re: I would even be prepared to turn off my ad blocker

Since the ads wouldn't be intrusive they probably wouldn't trip the ad blocker, so you wouldn't even have to turn it off. Sounds like a win-win for everyone.

1
0

New York Attorney General settles with Bluetooth lock maker over insecurity claims

Donn Bly

Equipment Lockout != Security

It comes down to fitness for purpose. Standard equipment lockout locks are not generally all that secure, are easily defeated, and often don't even have unique keys. Lockout locks are even less secure than TSA locks! It sounds like these Bluetooth locks are actually MORE secure than the existing standard mechanical locks that they are replacing.

The reality is that anybody that says that they won't be using the locks based on this report would most certainly never have been using these locks anyway, thus their boycott or threat of one is empty and meaningless.

That said, there is no additive production cost for encryption. If they are using wireless communication such as Bluetooth then it should have been baked into the design from the beginning. Even though it sounds like the software they generally provide is a "reference design" not intended for production use, we all know just how often those reference designs get implemented with little more than a branding change.

6
0

Ransomware scum have already unleashed kill-switch-free WannaCrypt variant

Donn Bly
Mushroom

Re: If they're selling their operating system to clients for use in everything

Debian derivatives are used in dozens of pieces of equipment around my office -- when there is a flaw, who is the one responsible for getting all of that equipment updated? Should Public Interest be blamed for an unpatched hole in a 10 year old router and expected to fix it -- even when newer versions that fixed the flaw have already been shipped? Of course not.

So why should Microsoft be blamed for the same situation? They sold the operating system, but they aren't the one putting it in medical equipment. That was done by the manufacturer of the equipment, which, by the way, as an OEM assumed all ongoing support. The end-of-life date on the OS was well known before it was installed. It is the equipment manufacturer that screwed you over, not Microsoft.

The systems integrator that put Windows on warships is the one who made the claim of fitness for purpose, not Microsoft. THEY are the one who should be held accountable. If that integrator needs to go back and pay Microsoft for ongoing support that's their problem -- they made the choice to integrate Microsoft and they have to live with the results of their decisions.

10
0

Amazon's Alexa is worst receptionist ever: Crazy exes, stalkers' calls put through automatically

Donn Bly

Re: Why would anyone buy this junk?

Everything about it sounds creepy

Perhaps the reason that everything sounds creepy is because most of what you read is from people who have never used the device, don't really know how it works, and whose knowledge is limited to the mostly inaccurate information that they have read on the Internet.

I have several Echo devices, at both home and office. They are limited in what they can do, but even in their limited form they provide sufficient value for me to keep them around.

When the last software update asked if it could have access to my contacts, I declined. I didn't intend to use the calling features so I didn't see the need - but the point is that it ASKED me, it didn't just go out and grab them. As the user I had the choice.

2
6

No more IP addresses for countries that shut down internet access

Donn Bly
Childcatcher

attempt, failed or successful, to restrict access to the internet to a segment of the population

That definition as written includes any attempts at censorship - including mandatory or opt-out filtering.

I kind of like it ;-)

11
0

Startup remotely 'bricks' grumpy bloke's IoT car garage door – then hits reverse gear

Donn Bly

Re: Why would you need to control your garage door

Perhaps to let my brother-in-law into the garage to borrow/return a tool. Perhaps to know when the garage door went up so I know when someone got home. Perhaps to make sure that the garage door is closed if I am out of town. There are LOTS of reasons for these types of devices, just because none of them apply to you doesn't mean that valid reasons don't exist.

My last garage door opener came with this capability as a free add-on. It was an interesting toy, but I unplugged it from the network long ago because I didn't trust it and it didn't integrate into anything else that I have. I have other ways to remotely unlock a door so it wasn't that important to me.

2
5

'Sorry, I've forgotten my decryption password' is contempt of court, pal – US appeal judges

Donn Bly
Holmes

Re: Actual case aside

That's where you are absolutely wrong. Evidence on an encrypted drive is the same as evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant, and no right to keep it secret from the court.

While you have no right to keep that evidence unknown, similarly the court has no right to force you to give them the combination out of your mind (although they can order you to produce a physical key). If they want access they are required to gain access to the safe via other means.

The police now have physical possession of the drives, and that is the full extent of cooperation from the defendant they are entitled to demand. Interpreting the encrypted 1's and 0's they have to do on their own.

If it were a physical safe, and they used a torch or grinder to cut the lock to gain access and found documents encoded with a one-time cipher pad, they would still be on their own to decode them and they aren't entitled to demand that the defendant give up the cipher. This situation is no different. The government is NOT entitled to suspend the constitution whenever they like.

8
0

Amazon relinquishes data from Echo that could have dropped eaves on a killing

Donn Bly

Re: It is quite disturbing that Amazon has the ABILITY to satisfy this request

Voice recordings are kept longer than a minute so that you, the user of the device, can go into the web interface, provide feedback, and train the voice recognition. You don't anonymize the recordings as they are tied to your device and your voice. If you anonymized them then you would make them worthless for tuning the voice training. Of course you have the ability to dump the voice recordings - but that would reset you back to defaults and hurt the accuracy of your voice recognition.

It is also VERY helpful when adding things to lists. Your "Shopping" and "To Do" lists are available on your phone, so if I tell Alexa to add something to my shopping list and the voice recognition doesn't decode it properly (or I misspoke when I added it), when I'm in the store I can actually play back the recording on my phone to hear exactly what I said instead of relying on an interpretation of what it thinks I said.

Early on, Amazon provided the police with credentials that allowed them access to the accused's Amazon account - including the voice data. So either the cops were too ignorant to know how to use it, or they found something and wanted Amazon to provide it so that there was a pristine chain of custody. I would like to think the latter, but the former is much more likely -- because if it was the latter they would have asked for specific information, not presented an overly-broad blanket order.

3
0


Biting the hand that feeds IT © 1998–2017