* Posts by nagyeger

137 posts • joined 2 Feb 2008


WWW = Woeful, er, winternet wendering? CERN browser rebuilt after 30 years barely recognizes modern web


Re: Sigh. Those were the days.

Remember when there were books (you know, those things with paper) that told people about all "the best" websites?

Want to create fake web profile pics? This creepy AI tool makes them on demand. Plus predictive policing, and more


Usage rights?

by generating fictitious people you can get past the problem of having to put faces in presentations without violating anyone's privacy.

Anyone know what usage rights thispersondoesnotexist images are out there under? I just know I'm going to be asked if I suggest this to a few people.

It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on


Re: Job security

but nobody is hand ploughing the fields any more

Maybe not where you live. And truth-be-told, it's not as common as it was a decade ago here, but it still happens. Judging by how long the neighbour spent trying (failing) to get his tractor going at the weekend, he might be tempted to go back to hay-power.

Disk drives suck less than they did a couple of years ago. Which is nice

Thumb Up


Serious kudos to them for publishing these stats. A few years ago you never got anything like this, with everyone citing commercial confidence and such like,

Heads up: Debian's package manager is APT for root-level malware injection... Fix out now to thwart MITM hijacks


Re: "Supporting HTTP is fine,"

Oh.... just read the original problem report... It's NOT tampering with the checksums, it's bypassing them, because (A) the inter-process channel (between apt-aquire and apt) quotes some progress stuff literally from the HTTP communication. and (B) the signature file can include pre-signature junk. e.g. an entire .deb!

Thanks to the extra junk in the channel, the master process gets fed the wrong signatures and dpkg gets told to install the signature file not the verified package, and I guess it ignores the trailing signature.

So it's really an out-of-band data / injection attack that sneaks in an extra payload after the cryptographic checks have passed, and it basically means that someone controlling a mirror can inject anything she likes to her users.

To my mind the roles of master/worker roles probably need rethinking, so that the type of filename replacement used here and such-like aren't possible in future versions, not to mention that the downloader shouldn't be responsible for only half of the security checks.


Re: "Supporting HTTP is fine,"

Yes, they are, but the checksums are equally unsafe, because ... they're downloaded via HTTP :)

But the checksums are in files which are themselves digitally signed, aren't they? That's why you can't just start using any old repo, but need to tell GPG about the repository signing key too.

And the public key arrives over https, from a keyserver.

Are they saying that despite requiring a key they're not using it properly? I don't understand...

Core blimey... When is an AMD CPU core not a CPU core? It's now up to a jury of 12 to decide


Re: Another frivolous lawsuit

I thought hyperthreading was basically a set of alternative registers for the same hardware?

My definition of core is probably wrong, but I'd have thought a core was defined by a patch of silicon that would continually (barring interrupts) burn cycles given "NOOP; JMP -1" and had a its own set of general purpose registers.

Hyperthreading fails at "continually" bit. it's just clever time-sharing. branch prediction units, etc. don't have a complete set of their own registers (unless I'm wrong), so they're not cores either. On-chip caches, FPU, prefetch and all the rest of the fluff that keep the bits flowing and feed spectre/meltdown so well cannot be part of the definition of a CPU core, otherwise you're saying that a 6502 / Z80 / 286 / atmega-328p don't have a core.

They bought X houses, and it turned out they were semi-detached. Sorry, you should have read the spec, it's still a house. Round here you can't even guarantee indoor plumbing in a house. Maybe you want it, maybe (because of where you're from) you expect it, but it's still a house without it.

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit


Re: what?

It needs to be able to bind to a privileged port for remote logging.

Attention all British .eu owners: Buy dotcom domains and prepare to sue, says UK govt


Re: Don't worry, it's only money

wake up, its 2018

I thought 2018 had recently been voted out of date and out of fashion, and we had to party like it was (20 years after) 1999 again?

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage


Re: Offsite scripts GAH!



Why does my bank use 3 different off-site script sources on their login page? Do they want everyone's bank account hacked?

Microsoft polishes up Chromium as EdgeHTML peers into the abyss


Re: I'm possibly not alone here.

Someone who's endpoint IP address said they're in the Ukrainian Republic has told their browser it's a

googlebot.... Which shows an odd attitude to security, since they' were about the only browser that can't talk TLSv1.2. connecting to a site I administer. They need to pretend to be something different or update their browser if they want to pretend that now.

Blockchain study finds 0.00% success rate and vendors don't call back when asked for evidence



I'm told that there are those who think the market is seeking the stuff's true value which is very likely $0.

I'm looking forward to the time when owning bitcoin is taken as strong evidence of operating some kind of bot-net, selling something illegal or dining on the blood of polar bear cubs (or other global-warming victim), and thus the value in several sectors of society is negative.

Then I can say 'told you so' as I get my coat.

Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS


local code

Can 'local code' mean javascript / web-assembly/ etc, or are we talking precise hand-crafted assembler here?

Talk in Trump's tweets tells whether tale is true: Code can mostly spot Prez lies from wording


Re: Ecole Normale Superieure

Long time since I did french, but Ecole Superieure (can't spell even when I copy and paste) probably means something at university level. Ha! Wikipedia agrees. ... "ENS has the highest ratio of Nobel laureates per alumnus of any institution worldwide"

Super Micro chief bean counter: Bloomberg's 'unwarranted hardware hacking article' has slowed our server sales


Re: NSM - follow up?

Urm... NSM?? Google gives me lots of links about Naval Strike Missiles.

Another Meltdown, Spectre security scare: Data-leaking holes riddle Intel, AMD, Arm chips


Just imagine...

Just imagine that inside your box there were 2 devices. One which you trusted and only ran code that you'd actually installed yourself, and anything that ran anything else (e.g. Javascript) ran on "untrusted" hardware. Then you'd need need to have a way of communicating safely between the two, with some user interface devices and the ability to send data from one to the other, and a fast bus/network between the two. And some machines would have all the oomph in the trusted box and others in the untrusted box for games and stuff, and there'd be a hardware video multiplexer doing it's clever stuff, like an updated version of what we had back in the days of video overlay cards on VGA, so that you don't need to try shoving 120fps video down the network pipe.

Then high spec machines would include extra separate modules hanging off the bus/network so that eg. game engines didn't interfere with google docs.

And there'd be a some kind of manager thingy on the main computer to make sure that let you interact with the different untrusted-compute devices while maintaining isolation. Actually, maybe the display/HID ought to be a separate device, maybe with a really simple RO filesystem, and everything work via that main UI box too. ...

Oh. prior art, my UI box has just basically become an X server hasn't it?

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling


kid control / smut filtering

As a parent of teenagers and youger, it's quite handy knowing that my kids are not going to be able to do some involuntary bitcoin mining for nasty.smut.site without going to extreme measures, nor stumble on disturbing rubbish. Blocking DNS except via trusted (blacklisting) servers does that for me, has done that for me, and I hope will keep doing that for me.

Except that firefox has now published a 4 step process to break that entire model.

Given that practically everything uses SNI and so sends the destination host out as plain text these days, the 'poor guy in china' security red-herring is just that, unless he's also using a VPN. In which case, why are we having this conversation?

To my mind this is at least 95% about ensuring that the smut industry can deliver their filth. I really cannot see any other party that benefits from it.

Need a modest Arm Cortex-A CPU in your custom chip? Just apply online. Plus $125,000


Re: Thumbs Up!

Now I've got that theme tune going round my skull.


Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3's security chip


No lineage?

Given the last paragraph, does this mean we can or can't install something like lineageOS on

a phone containing one of these chips?

Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials


works for me...


Link Works from Romania

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?


Re: Should we be worried ?

This sounds like a great ignoble prize research topic: (chipped) animal behaviour influenced by external RF sources, via the nice warm neck (or wherever the chip got put) syndrome. What you need to do is set up another (identical) router a few feet away and alternate which one has it's WiFI transmitter on. Correlate with cat's favourite resting place...

Do not adjust your set, er, browser: This is our new page-one design


Ads broken?

Is it deliberate? I assume not.

I'm getting blank white where there ought to be some adverts. I wondered if you'd switched add provider and now every script is running, but nope, still no adverts. Come on Reg, protect your revenue, we don't want you to go bust!

Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes


Re: Works on my switch

"When are you going to release the Power-over-Wifi version ?"

Didn't someone living near the BBC's longwave transmitters do some experimenting with this in his loft? I seem to remember they ended up convicting him for theft of electricity.

Y'know what? VoIP can also be free from pesky regulation – US judges


Re: "you cannot call emergency services if there is a power outage"

"Add a small UPS, and it will keep on working - the other endpoint should already have it. That should become part of the standard install, though."

It should but they don't, not even round here where power cuts are commonplace.

FYI, there are loads of CCTV type sealed lead-acid battery-backed up 12v power supplies out there, some of which are complete with a nice box and low voltage cut-out to stop you under-voltaging the cells. Cost is around 30quid. Add a low-drop 12v regulator (or a step-down DC-DC converter if you need 5v) just in case your ISP's box doesn't want 14v with ripple, and Bob is the brother of one of your parents, as they say.

I now get at least 8 hours's internet/phone compared to around 1 hour if the thing was going up to mains freq and back to 12v again.

Cobalt cybercrooks phry up phishing campaign to phling at phinance orgs


2 URLs

It's probably just a little bit of consumer preference/user interface testing. Where are people most likely to click? The link at the bottom or the one in the middle of the screen the user accidentally triggers while trying to persuade their stupid phone to do respond to that really complex user interface interaction known as "scrolling back up to find the delete button".

Or is that just me?

Give yourselves a pat on the back, top million websites, half of you now use HTTPS


Re: I'm not surprised.

Yes, this would be the point that makes me think of rolling out HSTS. But I'm also thinking of dumping TLSv1, and those two decisions put together means some of our readers (the ones with android 4 devices) get kicked off the site....

Maybe I need to convince relevant people we need a mobile version of the site which does older TLS versions, and conditional redirects / header setting.

EU wants one phone plug to rule them all. But we've got a better idea.


Re: Be much more interested in...

You forgot:

In Europe, the half-hearted attempt at safety shutters on Schuko/french sockets relies upon the pins pushing sloping shutters out of the way, a motion which is only made possible by the presence of some kind of lubricant. When said lubricant has melted/vanished/gone sticky or when the track/pivot on which the shutters are laughingly described as moving is no longer in perfect condition, the only way to get the pins into the socket remaining is wiggle, twist and apply extreme force, e.g. with a large hammer. Said tool of course further damages the shutters and does bad things to the cable, and the whole process may lead to bruising of the head against nearby brick walls.

Add to this the disaster known as "switched socket, what's that?" and you have to unplug / plug in the stupid things far more than you would in the UK.

Google shaves half a gig off Android Poundland Edition


Re: Old Linux ?

32K? Thirty two? What luxury! You could play acorn invaders and rat race in 3K, as long as you could get the volume right on the tape player.

3K of RAM really taught you how to watch your code for bloat.

The first Linux distro I used fited on 2 floppies, if I remember right that was including including gcc.

Google risks mega-fine in EU over location 'stalking'



I imagine in quite a few locations on this planet, a 2km square pinpoints your exact home. Should we understand there some kind of 'polygon sized to fit 10000 people' calculation?' Even then, searching on some terms, one in 10000 might be enough to identify someone uniquely.

When's a backdoor not a backdoor? When the Oz government says it isn't


data rate

Whats the baud rate for a tin cup and and a piece of string?

If you can get hold of some light, inextensible string, as beloved by high-school physics teachers, then your signals arrive instantaneously (0 propagation delay, since the string will not extend) and depending on the mass of your cup then your data rate could exceed that of all known network cables.

Unfortunately the last time I looked, they'd stopped making it. Something about the laws of physics.


Re: The Holy Trinity

You forgot extremists.

I notice that "extremists" now potentially includes your grandma and / or the local vicar, assuming they still hold views they've held for 40 years.

The age of hard drives is over as Samsung cranks out consumer QLC SSDs


Re: Ah, but

C15? C15? Wow, you lucky guy!

Try finding your program when it's somewhere on a C90 and the tape counter's broken.

Not to mention the pain of discovering that even after upgrading to a whopping 3k of RAM you don't have the space to implement a high-score table well as use colour graphics.

Youngsters these days...

Google Chrome update to label HTTP-only sites insecure within WEEKS


Re: Shared Hosting

One little-discussed 'gotcha' of SNI is that, unexpectedly to the user who's been told 'no one can see

what you're browsing with https' ... with SNI they can. Because SNI isn't sent encrypted.

This gets significant when you, say, live in Iran and want to visit 'www.how-to-become-a-christian.org', (or in USA and want to visit 'diy.nuke.designs.nk')

WannaCry is back! (Psych. It's just phisher folk doing what they do)


Re: Only one so far

Public Cc: list? Never mind the fraud, extorting money with menaces etc,... they've gone and broken GDPR too!

That'll get them in trouble.

(not a lawyer!)

Google plays cloud catch-up and moves into a place of its own


Re: Given Spectre

Watch this space... how long until all the mitigations for meltdown/spectre/rowhammer etc. mean that there is such a cost-disadvantage / admin nightmare to 'cloud computing' that it ends up as out of date for 'real work' as dialing in to someone's mainframe?

Buggy software could lock a Jeep's cruise control


Re: Oh Lord

My 2007 car has said hooks. The mfr-designed, bought-with-car-from-new floor mats, however had no provision for connecting to the the hooks and relied on sticky-backed velcro which came unstuck after a year or 3.

You know that silly fear about Alexa recording everything and leaking it online? It just happened


Re: Unplugged most of the time.

If you're in the UK, and they don't take it back, then talk to your local trading standards people.

"not fit for purpose" sounds like a good description.

FBI to World+Dog: Please, try turning it off and turning it back on


If the FBI can tie the IP address to people...

I hope they're GDPR compliant.

Microsoft gives users options for Office data slurpage – Basic or Full


Re: @Herring`- "is there a chance of any document data being sent to MS?"

Back in the days pre-Y2K, I was a postdoc researcher in space debris impact science, we had various bits of data about the properties of highly compressed metals we were using (for entirely peaceful purposes) that originally came from one of those ^^^ .

The nice guys who let us play with their data would have been rather unhappy at the thought of, say, a (very strictly internal!) report that included such gems being exported to wherever MSoft decided to send it.

I vaguely seem to remember that thermite was one of their recommended disk-disposal methods to ensure compliance with arms non-export / non-proliferation regulations, when more serious tools weren't available. Just imagine the help-desk call for that one.. Hello, I have reason to believe you've just slurped some nuclear secrets. Where do Uncle Sam's guys with the thermite need to go to ensure that it doesn't proliferate?

Advanced VPNFilter malware menacing routers worldwide


Shock/horror: unpatched software vulnerable to known vulns

Mikrotik patch was released > a year ago.


Big bimmer bummer: Bavaria's BMW buggies battered by bad bugs



Excuse me for being stupid... if I was designing something to connect the engine management system to entertainment system - presumably for display purposes? - it would be strictly one way, probably with 1-way, physically separated opto-couplers, so that some kid pouring coke into the entertainment system had zero chance of inflicting, say, 50w of audio signal onto the can-bus.

Why would anyone want to let the stereo muck about with engine management?

Whois privacy shambles becomes last-minute mad data scramble

Big Brother

Re: I'm still waiting for e-mails from Facebook(*) and Google

Isn't this wrong? There are multiple options for the legal basis, consent is only one of them. They might decide they ought to be able to claim that knowing my browsing habits is a legitimate business requirement.

The biggest "problem" is when they used to rely on 'we could do it, and we're too big to bother with fines, so we did it.' For some reason that isn't in the GDPR.

It's Galileo Groundhog Day! You can keep asking the same question, but it won't change the answer


Re: snooty

Not being part of the EU didn't noticably stop them before we joined, why should leaving make a difference?

It's not rocket science! Actually it is, and it's been a busy frickin week


Is it rocket science?

Having wielded the rocket equation a few times, I think it's the rocket engineering (and orbital mechanics and re-entry maths) that are the really hard bit(s).

Eight months after Equifax megahack, some Brits are only just being notified


Re: GDPR Deadline...

I thought it was 4% PLUS damages/time/etc?

After all, if they're failing to protect your rights, (72hour notification...) and on top of that they're causing significant stress, hair-loss, sleep-loss, humour-loss....

It's April 2018, and we've had to sit on this Windows 10 Spring Creators Update headline for days


GDPR rights vs MS

I wonder what happens if/when someone (on May 26th) demands MS (a) hand over all the data they have on them (b) delete it, (c) never collects any more, (d) does not contact them for advertising purposes.

Does MS send them a complementary copy of Windows 95, freedos, or ubuntu?

We need to go deeper: Meltdown and Spectre flaws will force security further down the stack


Oh joy. Added complexity...

My wife half-expects that at some point the sum total of IT/networking/power distribution will become so complex and (for want of another term) balkanised into specialisms, that it essentially becomes impossible for humanity as a whole to maintain it, and then something will break and we'll be back to heating with wood and communicating with pen an ink (or maybe IT jobs will become more critical to society than doctors/nurses and we'll all die from treatable diseases??).

When you add in obsolescence, shortening product-lifecycles and lost/outdated skill-sets (is anyone anywhere employed as a thermionic valve designer any more? How many people can read amd64 assembler compared to the numbers who could write 6502 or Z80 30 years ago?) then I tend to agree with her.

Linux Foundation backs new ‘ACRN’ hypervisor for embedded and IoT


acrn should be arm-centric!

Given the early days of ARM as of Acorn RISC Machines.

HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed


the oldest bad practice in the book.

I <it>have seen</it>, in a book my son was lent by his school teacher, about a year ago, exactly this sort of code. Take variable from $_GET, build string by concatenation, pass to SQL. No input checking at all.

Someone - big name publisher - made money selling that book. Someone wants to make money selling the revised version, which I'd hope talks in detail about sanity checking and prepared statements.

Someone ought to be offering a permanent recall on the early version of the book and free-replacement including shipping to anyone with a copy, because it was plainly never fit for sale. Instead, copies are still being lent to school kids by teachers because the school budget can't afford to restock the library.

Ob disclaimer: I have no connection with anyone in the above certificate fiasco. And I expect that no one bothered fixing it because that would take time. WHY do CAs who ask for your private keys still get any custom?

PCI Council and X9 Committee to combine PIN security standards


...to the darkness bind them

I thought the whole thing about the one pin, was that assuming you don't want to be subject to the evil overlord, you needed to throw it into Mount Doom? (see icon for effectiveness >>>>)

Now all we need to do is work out how you that to the customer services bod....


Biting the hand that feeds IT © 1998–2019