* Posts by Displacement Activity

337 posts • joined 2 Jun 2008


Dev's telnet tinkering lands him on out-of-hour conference call with CEO, CTO, MD

Displacement Activity

Yes, alpha particles

<nerd mode>

Cosmic rays cause soft errors in memory chips and general circuit failures. At sea level, 'cosmic rays' are primarily high-energy neutrons. Neutrons are uncharged, so don't themselves cause circuit upsets. However, when they're captured in a nucleus in a circuit element, they produce charged secondaries, including alpha particles, which do cause circuit upsets. See https://en.wikipedia.org/wiki/Soft_error#Cosmic_rays_creating_energetic_neutrons_and_protons, for instance.

</nerd mode>

Amid Trump-China tariff tiff, Cisco kit prices to resellers soar up to 25%

Displacement Activity


"Chinese-built components coming into the US" are almost certainly assembled PCBs and systems, and are unlikely to be anything with any significant IP attached.

I've been with companies (in the UK) who have outsourced assembly to China for 35+ years. Everybody who does this has always lived in fear that they'll be ripped off and their IP will be stolen. The upside is maybe 50% off your end-user price, and the downside is potentially losing your IP and your market completely.

Whatever Trump does or doesn't actually say or believe, if anything, it's a fair bet that everyone in the electronics business (outside China) is breathing a sigh of relief, whatever they say in public. The dust will settle eventually, and the end result will either be that the Chinese start to play ball, or that manufacturing will return on-shore. Both of which are Ok by me. Sure, the US will take a hit short-term, but that's someone else's problem.

Nokia reinstates 'hide the Notch' a day after 'Google required' feature kill

Displacement Activity

Re: Can't make sense of this.

And... umm... what is a 'notch' anyway?

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Displacement Activity
Thumb Down


And what if you have set up DNS to route *only* 'www.foo.com', or *only* 'foo.com', to your server?? This isn't particularly unusual - my local hardware shop is 'www.woc.com'. 'woc.com' isn't routed and doesn't work. So, go there with Chrome, and you think you're on 'woc.com', which doesn't exist. Or does Google want to run DNS as well?

Those tossers have already achieved the impossible, which is to make me start using MS's excuse for a search engine. Chrome is next on the delete list.

Google keeps tracking you even when you specifically tell it not to: Maps, Search won't take no for an answer

Displacement Activity

Not really news, and How To Screw Maps

I've been using Google exclusively for 15+ years without problems. Then, a couple of months ago, they started swamping my searches with ads. Not just at the top - mixed in throughout the search results, even when I'd clicked the invisible 'hide ads' button, making the real results unusable. Really, really dumb ads, and all for the same thing - say, 8 different ads for Dubai hotels, all on the first page of results. The connection? I had *flown* over or through those places, with a maximum stay of a couple of hours, over the last year or so, with maps turned on. Seriously. I've never been to Jersey, but flew over at 35,000ft, and got pages of ads on camper van hire in Jersey. In case I crashed, presumably.

My fix is to dump Google. MS has screwed me in thousands of ways, but their search engine hasn't quite got to this level of stupidity. And duckduckgo if I can be bothered.

RIP: Sinclair ZX Spectrum designer Rick Dickinson reaches STOP

Displacement Activity


So long, Rick. We spent many happy nights in the Baron after work, along with Jim and Dave, and occasionally Clive, back in 80/81. If there's a bar where you're going, get me one in.

BCC is hard, OK? Quite a lot of orgs blurted your email addresses in GDPR mailouts

Displacement Activity

Re: BCC is actually slightly hard

Sounds like mine is pretty much the same - also for a kid's club I helped to run (small world!). I've got an extra level of security - everyone gets their own club address, and has to post through a proxy, which modifies all the mails so that no-one ever gets a 'real' outside-world mail address. It never uses BCC, of course - it's far too woolly.

Displacement Activity

BCC is actually slightly hard

I've written a mass mailer, which uses anonymised addressing. The main confusion is that your mail program talks to the rest of the world over SMTP, which knows nothing about "BCC". Quick overview here:
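The point about SMTP not knowing about BCC, as an added illustration (this is not the poster's mailer, which is not shown): hidden recipients belong in the SMTP envelope (the RCPT TO list), never in a header, because the server relays headers verbatim to everyone. It assumes only Python's standard `email` and `smtplib` modules; all addresses are constructed.

```python
"""Added example, not the poster's mass mailer: why BCC lives in the
SMTP envelope rather than in the message headers."""
import smtplib  # only the API shape is used; no server is contacted here
from email.message import EmailMessage

SENDER = "list-owner@example.org"  # constructed address


def build_message_naive(sender, to_addrs, bcc_addrs, subject, body):
    """The GDPR-mailout mistake: every recipient ends up in a visible header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(list(to_addrs) + list(bcc_addrs))
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(list(to_addrs) + list(bcc_addrs)))
    return bytes(msg), envelope


def build_message(sender, to_addrs, bcc_addrs, subject, body):
    """Return (message_bytes, envelope_recipients).

    Only the addresses everyone may see go into the To: header.  The hidden
    recipients exist solely in the envelope list handed to the SMTP server
    as RCPT TO commands; the message text never mentions them.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no msg["Bcc"]: a Bcc: header that survives into the
    # relayed message is visible to every recipient.
    envelope = list(dict.fromkeys(list(to_addrs) + list(bcc_addrs)))
    return bytes(msg), envelope


def leaks_bcc(message_bytes, bcc_addrs):
    """True if any hidden recipient appears anywhere in the message text."""
    text = message_bytes.decode("utf-8", "replace")
    return any(addr in text for addr in bcc_addrs)


def send(message_bytes, sender, envelope, host="localhost", port=25):
    """Hand the message to an SMTP server; sendmail() issues one RCPT TO per
    envelope entry regardless of what the headers say."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.sendmail(sender, envelope, message_bytes)


if __name__ == "__main__":
    hidden = ["alice@example.net", "bob@example.com"]   # constructed
    good, rcpts = build_message(SENDER, ["announce@example.org"], hidden,
                                "Club newsletter", "Hello all")
    bad, _ = build_message_naive(SENDER, ["announce@example.org"], hidden,
                                 "Club newsletter", "Hello all")
    print("envelope recipients:", rcpts)
    print("naive message leaks hidden addresses:", leaks_bcc(bad, hidden))
    print("envelope-only message leaks them:", leaks_bcc(good, hidden))
```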


Comp sci world shock: Bonn boffin proposes P≠NP proof, preps for prestige, plump prize

Displacement Activity

Re: "And P=NP is completely irrelevant to crypto in general. "

Posted by someone with absolutely no understanding of the subject they are posting about.

Curiously, I'm probably the only person writing here who works in precisely what I was writing about, full-time.

Displacement Activity

Current cryptography assumes P≠NP?!

And at the following link:

Ask many computer scientists what happens if P = NP and you'll get the response that it will kill cryptography.

Really? Knowing that there's a class of problems that are harder to compute than to verify isn't going to affect public-key crypto. That will only be affected by one specific problem: the difficulty of deriving a private key from a public key, ie. the ease of factorisation. Everyone knows that factorisation is currently difficult, and that everyone is working on it, and that quantum computers can handle it (already, but only for small numbers) with Shor's algorithm. Whether or not P = NP will make no difference; it's already known that public-key is dead in the longer (or shorter) term.

And P=NP is completely irrelevant to crypto in general. There are already lots of practical systems around the world sharing private keys using provably-secure quantum mechanics, with no public key anywhere. Ok, I know that some people reading this won't agree that something is provable because they can't prove it themselves, but still not P=NP.

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

Displacement Activity

Re: One lesson to be learnt from this (was Wormable holes)

And knowing where to look...


Ergo, any trust infected was still running its own improperly configured separate mail system in preference to using the centrally provided NHS Mail system (nhs.net)

I'm not sure that this actually came in by mail. There was an IBM guy on Radio 4 this morning saying that they'd scanned a billion (literally) mails and hadn't found any with the original infection. Is the source for the mail infection angle just one statement from Telefonica?

Displacement Activity

Re: One lesson to be learnt from this (was Wormable holes)

I have an application that can run only on Debian 5 (it's being phased out). A good part of it are kernel modules... etc

Sorry, but your post makes absolutely no sense. I really hope that you're not involved in NHS commissioning.

Displacement Activity

Re: One lesson to be learnt from this (was Wormable holes)

@Richard 12

If you airgap it, how do you get the images off? Today, things like X-rays and MRIs etc. pass the images etc. into your records and can be seen on screens throughout a hospital. Making them only available on a few screens near the MRI etc. is pointless.

Don't airgap it; open one port, and write an app that retrieves images. Transfer with standard sockets code; it's trivial, and the comms can be done in a couple of hundred lines of standard C.

And you wouldn't even think about running this on XP, or Win10, or whatever, and using SMB.

Displacement Activity

Re: Eh?

Microsoft provided the patches to those who had contracted for support of XP. No hoarding.

Errr... the point is that MS pointed the finger at the NSA for hoarding. MS selectively disclosed, and the NSA selectively disclosed. No hoarding.

Just in case Microsoft didn't understand: intelligence agencies and hackers all round the world spend their life looking for zero-days, for their own reasons. How MS can then blame them and whine that they're 'hoarding' is beyond me. F***tards.

Sophos waters down 'NHS is totally protected' by us boast

Displacement Activity

Re: Fault?

Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.

Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.

Well, yes, but you omitted the fundamental problem - don't, by default, assume that your computers have to be on a network. They don't. And, if they do, don't just share everything on SMB/whatever.

Whoever decided that an MRI scanner/X ray machine/whatever had to talk SMB should be fired. It would take a day to knock up a program to transfer X-ray images over a basic sockets connection, and another week to turn it into a client/server app to find and return any image.

Stanford Uni's intro to CompSci course adopts JavaScript, bins Java

Displacement Activity

Re: Biggest problem is the apostrophe

Hello AC1 what wrote the apostrophe thing, nice to meet you.

I should probably warn you that meating AC0 may not be a nice thing to do, and is probably illegal.

Displacement Activity

Re: Biggest problem is the apostrophe

@AC: +1 for assisting Mr. Stiles with his enema. However, I would like to point out that 'spelt' *was* probably appropriate (anywhere outside the US, anyway).

And I have to wonder whether anyone defending JS has actually used it. It's an extraordinary mishmash of the obscure, esoteric, and downright inane. It was knocked up in a weekend (Ok, more or less), and has been constantly added to ever since. And, whatever you write, there's always some tosser somewhere who'll refuse to run it because you clearly intended to break out of their browser and trash their system, despite your inability to access any files.

Still, on the plus side, there won't be much competition from Stanford graduates in the jobs market.

TCP/IP headers leak info about what you're watching on Netflix

Displacement Activity

Re: Stating the obvious

That's not how it works. The connection is HTTPS, so the secret key is specific to the browser session, so it's not the same as matching "up the flashes around your curtain upon scene changes". The flashes will be specific to the viewer.

Silverlight/DASH/VBR produces specific sequences of video segment sizes, which can be extracted from the headers. Apparently.

And, more interestingly, someone is still using Silverlight.

SVN commit this: Subversion to fix file renaming after 15 years

Displacement Activity

I actually use both

Here's the thing: one's distributed, one isn't. If you're writing a Linux kernel, distributed is great - 20,000 people get their own complete repo, and mess it up to their heart's content, and you never expect to hear from 19,950 of them ever again.

In the average dev environment, you want that like a hole in the head. You want one centralised repo, and you need to enforce discipline. git can more or less do that, eventually, but it's difficult, and it's not the git way (how many git users even know what a bare repo is for?)

I have to deal with someone who does fixes and adds features by cloning a git repo on his local machine, with the master being his previous local clone, and who very infrequently pushes anything remotely. I then have to try and work out WTF is going on and then merging myself. That would never, ever, happen in an svn environment.

I've also used RCS, CVS, Clearcase, and Perforce. For my money, svn does the job, and it's intuitive, and easy to learn. For the right project Perforce is also a good choice, if you've got the money, and someone to read the manual and do the difficult bits.

Why is the Sinclair ZX Spectrum Vega+ project so delayed?

Displacement Activity
Thumb Up

Good on you, Clive...

The complete 70's retro experience for only £100. Brilliant idea. I think I'll personally give it a miss, though - I was sat in Sinclair HQ the first time around, and that was enough for me.

Today's WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

Displacement Activity

Re: Lots of shouty, no content

I've just scanned it as well, but I can't find anything of any value. It even explicitly states "Note that the focus of this paper is not measuring the security state of specific JavaScript libraries. Rather, our goal (and primary contribution) is to empirically examine whether website operators keep their libraries current and react to publicly disclosed vulnerabilities". The technical content on vulnerabilities appears to be zero.

Java? Nah, I do JavaScript, man. Wise up, hipster, to the money

Displacement Activity

Re: @wolfetone

"What do you think all those new fangled hipster bootstrap/angular/ember/FOTM.js GUIs are querying? Protip: it ain't C. "

Errr.... protip++... yes it is. Maybe not for you but, in my case, Bootstrap/JS querying C++ and some plain-old-C. The code that implements the CGI/JSON/etc stuff is tiny and trivial compared to the rest of the app, and those SQL APIs generally start life as C anyway.

And, if you want real money, you'll get twice as much with a Maths degree/C++/Matlab as you will with Java.

And, if you're currently delivering pizzas, you're a lot more likely to make money with JavaScript than with Java.

Firefox 52 kills plugins – except Flash – and runs up a red flag for HTTP

Displacement Activity

BBC flash


Go to news.bbc.co.uk, find a vid, right-click, confirm you're on flash.

Go to http://www.bbc.co.uk/html5, opt in to HTML5.

Reload your vid, should now be on ContinuousPlayPluginHTML. Tested on FF 51.

Google's Chrome is about to get rather in-your-face about HTTPS

Displacement Activity
Thumb Down

Follow the money

1 - Google charges for TLS on inbound connections;

2 - Google is a prime mover behind 'TLS Everywhere', and is now starting to factor this into page rankings;

3 - (Google's) Let's Encrypt certificates prove exactly nothing except that you have control of the server for which the certificate was granted (you only have to post stuff on it to get the certificate);

4 - Bad People control their own servers anyway, so can trivially get their own certificates; MITM is therefore irrelevant on these sites

95% of sites have exactly *no* reason to worry about whether someone is forging their site, or whether there's a MITM somewhere in the connection. So, Google is screwing us, and we have to pay the price by dicking about with TLS on our own sites, and keeping certificates up-to-date, and trying to ignore pointless warnings, and handing cash to them if we're stupid enough to host with them.

Stallman's Free Software Foundation says we need a free phone OS

Displacement Activity

"Have you forgotten that GNU provide the GNU tools, you know, all the userland stuff for Linux, available for many other UNIX's as well ?"

Errr.... I'd be a lot more impressed if they hadn't taken a huge amount of *existing* free software, and rewritten it simply because they disagreed with the definition of 'free'.

Samsung set a fire under battery-makers to make the Galaxy Note 7 flaming brilliant

Displacement Activity

"placing anodes and cathodes in locations where they were likely to come into contact"

Doesn't seem to have happened, judging from the limited summary you've printed. Different parts of the negative electrode may have touched each other. The negative electrode touched the "positive tab". If the actual electrodes had touched, it seems pretty unlikely that affected batteries would have survived any attempt at charging.

On last day as president, Obama's CIO shrouds future .gov websites in secret code

Displacement Activity

Re: Someone forgetting how https actually works?

@just_me: the browser doesn't send a key (except for very secure sites, where the server asks for a certificate from the browser to prove the browser's identity - not relevant, since the vast majority of us don't have certificates and don't try to connect to these sites anyway).

1 - the server identifies itself by sending a certificate, which includes the server's public key

2 - the browser/client decides on a secret (symmetric) key to be used for the actual browsing part of the transaction (the second phase). It then encodes this using the public key sent by the server, and sends the result to the server

3 - the server decodes the new symmetric key using its own (the server's) private key

4 - Both the client and the server now know the secret symmetric key to be used for encryption.

So, basically, asymmetric keys (different public/secret keys) are used to decide on a symmetric key (one secret key) to be used for subsequent encryption. During the asymmetric phase, only the server's public key is used.
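The four steps above, as an added example that is not part of the post: a server RSA key pair, the client encrypting a fresh symmetric key to the server's public key, the server recovering it with its private key, and both sides then using that key for the "browsing" phase. It uses only the Python standard library; the two primes are constructed demo values and a SHA-256 counter keystream stands in for a real record cipher such as AES-GCM. (This matches the classic RSA key-transport handshake; TLS 1.3 moved to ephemeral Diffie-Hellman, but the public/symmetric split is the same.)

```python
"""Added example (not from the post): RSA key transport followed by
symmetric encryption, standard library only."""
import hashlib
import os

# Constructed demo primes (Mersenne primes 2^61-1 and 2^31-1).  Real RSA keys
# use two random primes of ~1024 bits or more; these just keep the arithmetic
# visible while leaving room for a 64-bit symmetric key below the modulus.
P = (1 << 61) - 1
Q = (1 << 31) - 1
E = 65537


def make_server_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((e, n), (d, n)).

    The public key (e, n) is what the server's certificate carries; d is the
    private key, derivable from (e, n) only by factoring n into p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    """Textbook RSA: anyone holding the public key can encrypt."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Only the holder of d can recover m."""
    d, n = priv
    return pow(c, d, n)


def keystream_xor(key, data):
    """Symmetric phase: XOR with a SHA-256 counter keystream derived from the
    shared key.  Encrypting and decrypting are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def handshake(pub, priv, client_secret=None):
    """Steps 1-4 from the post; returns (client's key, server's key)."""
    # Step 1: the server has sent its certificate, i.e. the client holds pub.
    # Step 2: the client chooses a random symmetric key and encrypts it with
    #         the server's public key.  Only pub is used on the wire.
    if client_secret is None:
        client_secret = os.urandom(8)           # 64-bit toy key, < n
    wire = rsa_encrypt(pub, int.from_bytes(client_secret, "big"))
    # Step 3: the server recovers the key with its private key.
    server_secret = rsa_decrypt(priv, wire).to_bytes(8, "big")
    # Step 4: both ends now hold the same symmetric key.
    return client_secret, server_secret


def demo(plaintext=b"GET / HTTP/1.1"):
    """Full round trip: handshake, then a client record the server decrypts."""
    pub, priv = make_server_keypair()
    client_key, server_key = handshake(pub, priv)
    record = keystream_xor(client_key, plaintext)   # client -> server
    return keystream_xor(server_key, record)        # server's view


if __name__ == "__main__":
    print(demo())
```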

Galileo! Galileo! Galileo! Galileo! Galileo fit to go: Europe's GPS-like network switches on

Displacement Activity

"Don't wait, innovate"...

"Today I call on European entrepreneurs and say: imagine what you can do with Galileo – don't wait, innovate."

Curious. I got a letter (remember those?), maybe 10 years ago, from the UK DTI (UK Department of Trade&Industry), asking me to do exactly that. In other words, "we're going to spend billions now, and it's a f*** of a lot of money, so please, please, please, come up with some justification for it".

10 years later, and there were no new ideas, because the whole thing is fundamentally flawed. The system is fragile, and even a country as backwards as North Korea could reduce the whole thing to ashes in a matter of hours. Having in-car and in-plane satnav is great, but the Americans have already rather thoughtfully paid for that. We could use it to reduce our reliance on the US for missile delivery, except that they could turn it off just as easily as they can turn off their own system. I can't think of a single other useful application that couldn't be handled better, and much more cheaply, by a ground-based system.

Euro Patent Office staff plead for third time to get rid of Battistelli

Displacement Activity

Dear KM/Reg: Que?

I was going to look up what the problem actually was, until I got to your last paragraph:

"However, Battistelli's abrasive personality and his insistence that the solution to each set back is to give the presidency greater power has long since stopped serving the organization itself and has instead become a personal crusade that benefits no one".

Is this your personal opinion? Why have you put it in a news article? How do you expect anybody to take you seriously?

WebAssembly: Finally something everyone agrees on – websites running C/C++ code

Displacement Activity

Re: ... applications as web pages instead of applications as applications ...

The main reason is to reduce the reliance on the OS.

The main cost is the reliance on "current" browsers, who may pull the rug-out at any time without warning which leads to the still-existent IE6 stuff still hanging around.

+1, but 'reducing reliance on the OS' includes supporting all those users on stupid OSes, dealing with moronic walled garden vendors, learning multiple development environments and languages, handling OS bugs and security flaws, rather than just browser ones, packaging and distribution, you name it.

And the commentards still turning off JavaScript in your browsers: what actually are you using the web *for*? Static webpages and videos? Really?

Displacement Activity

Re: Safe?

@bazza - I think you may have the wrong end of the stick as well:


"Why would you need C/C++ to make a website safe?"

Wrong way round. C/C++ (or indeed anything else that can be compiled down to a WASM) can be run in the browser safely, everywhere, probably. The emphasis is on the "dangerous" language being available to a programmer but being fully constrained by the sandboxed Javascript engine that actually runs the WASM.

Disclaimer: I've only spent 10 minutes on the webassembly website, but that seems to be good enough for ElReg comments...

Nothing to do with JavaScript. Your code compiles down to binary instructions for a stack machine. This code is then executed in what is, hopefully, a safe environment, normally in the end-user's browser, possibly by a JIT compiler, or possibly by an interpreter. Your original high-level code (C++, for example) uses standard library calls and APIs, so there's going to have to be some pretty hefty security model in the JIT compiler/whatever.

The JavaScript angle is that there's currently only one way for the browser to get the WebAssembly code from the server, and that's with a new WebAssembly object.

Speaking as someone who writes a lot of server-side C++, and a lot of client-side JavaScript, I have to say that this sounds great. JavaScript is an amorphous pile of byzantine sh**e, and this is potentially infinitely superior. Of course, the security model needs to be tighter, and this does smell of the hype originally surrounding Java and the JVM, so it could be a rocky road.

Appointments on hold as (computer) virus wreaks havoc with NHS trust systems

Displacement Activity

A lot of rumour, speculation and bollox being spoken here by the unknowing.

You need to publish. The reason that we have these problems is that the people who know keep their mouths shut.

Bad news: MySQL can dish out root access to cunning miscreants

Displacement Activity

Re: I've got a cunning plan my lord

> On the other hand why on earth does any part of MySQL run as root?

> I've used several other RDBMSs and no part of them runs as root.

For the same reason that everything else runs as root: if you want to listen on a "system" port (less than 1024) then you have to *start* as root. Not just MySQL: MariaDB, all your other RDBMSs, Apache. If you don't want to do this (and why would you?), then don't run mysqld_safe as root.

Apache normally listens on 80/443, so has to be started as root before it drops privileges. The docs have lots of useful advice on how to protect your system during this time, which cover exactly the issues in this article. The problem isn't that your attacker can load malicious code if they already have root access, it's that they can load malicious code when they're *not* root, which is the cunning plan.
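The start-as-root-then-drop pattern described above, as an added example (not MySQL's or Apache's code): bind the privileged port first, then give up root in the right order and verify the drop cannot be undone. Standard library only; the `nobody` account in the `__main__` block is an assumption.

```python
"""Added example (not from MySQL or Apache): bind a low port as root, then
drop privileges irreversibly before doing any real work."""
import os
import socket


def bind_listener(port, host="127.0.0.1"):
    """Bind and listen on a TCP port.  On Linux, ports below 1024 need root
    (or CAP_NET_BIND_SERVICE), which is why this runs *before* the drop."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def drop_privileges(uid, gid):
    """Switch to an unprivileged uid/gid.  Order matters: supplementary
    groups first, then the gid, then the uid, because once the uid is no
    longer 0 the process can no longer change the others."""
    if os.geteuid() == 0:
        os.setgroups([])        # clear supplementary groups (needs root)
    os.setgid(gid)              # real, effective and saved gid
    os.setuid(uid)              # real, effective and saved uid
    return os.getuid() == uid and os.getgid() == gid


def root_regainable():
    """True if the process can still become root, i.e. the drop left a
    saved-set-user-ID of 0 or we were never unprivileged at all."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def serve_as(port, uid, gid):
    """Typical daemon start-up: grab the privileged port, then drop, then
    refuse to continue unless root is really gone."""
    listener = bind_listener(port)
    if not drop_privileges(uid, gid) or root_regainable():
        listener.close()
        raise SystemExit("privilege drop failed; refusing to serve")
    return listener


if __name__ == "__main__":
    import pwd
    nobody = pwd.getpwnam("nobody")         # assumes a 'nobody' account exists
    srv = serve_as(80, nobody.pw_uid, nobody.pw_gid)
    print("listening on", srv.getsockname(), "as uid", os.getuid())
```

Run the `__main__` block as root to see the full sequence; as an ordinary user, `bind_listener(80)` fails with a permission error, which is exactly the point the post makes.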

WhatsApp, Apple and a hidden source code F-bomb: THE TRUTH

Displacement Activity

> I run the system up and - wow! - no problem.

> so why does the production version not work but the debug does?

If the logging version works, and the production one doesn't, the answer is almost certainly that you have an issue with uninitialised data, or memory over-writes. You can (and should) find and fix all these on your dev system with Valgrind/Purify/etc. before it gets anywhere near production.

Tinder porn scam: Swipe right for NOOOOOO I paid for what?

Displacement Activity

Still optional

"excitedly splashing sand at it's balls".

its balls.

Smartwatches: I hate to say ‘I told you so’. But I told you so.

Displacement Activity


Another more recent example. In the early Noughties, the BBC’s iPlayer was envisaged as a sophisticated P2P client, and at one stage had over 400 people involved in spec meetings. iPlayer only rolled out after the team had been reduced to around 15 – and the doors were bolted shut.

And all 15 of them had iPhones. And it was impossible to watch it on Android. And I spent years getting irritated at how anyone could have been so stupid (and still are?), before just giving up. And the news website is equally moronic.

So, just maybe, cutting a team down to 15 and letting them get on with it is not necessarily the right thing to do.

Samsung: Don't install Windows 10. REALLY

Displacement Activity

Re: If proof is needed...

"Of course if you want to avoid support for your hardware going away, best bet seems to be running Linux. Strange how we got to that state".

Speaking as a lifetime Unix user, and an occasional Linux device driver writer, and as someone who recently had to take a hammer to his wife's computer after it announced that it was going to 'upgrade' to Windoze 10 in 5 minutes...

Not quite. Keeping up-to-date with kernel changes is a major, major, PITA. I did a PCIe driver a few years ago, which was originally for 2.4.7. There were significant or major changes in so many kernel versions that I lost count - 2.4.10, 2.4.17, 2.4.22, 2.6, whatever, not to mention the whole v3 and 4 thing. The only way to keep on top of it is to select a major distro - something like RHEL6 - and try to support that.

The kernel people will update a few selected drivers (which I've never heard of) when they make a change, but the rest of us are on our own, with little or no usable documentation.

The Windows Phone story: From hope to dusty abandonware

Displacement Activity
Thumb Up

Someone at MS with a brain?!

“Being a special unique snowflake works for art but not design. Design should be invisible… so you have die hards that love it, but you have the mainstream of the market that struggles with it, if they try at all”.

Now, if somebody could just tell that to the f***wits behind the Ribbon...

Windows 10 with Ubuntu now in public preview

Displacement Activity

Re: Which way round are the slashes?

> Industry standard or Microsoft?

Or VMS... DEC... RiscOS... etc. RiscOS was a PITA - deleting *.c could wipe your disk. And MS has actually always supported '/', though I'm not sure to what extent.

Seriously, though, Cygwin and MSYS have file path conversion issues which make it difficult to do Makefiles, scripts, and so on. If MS have managed to sort this out so that the machine looks like it has native *nix file paths then it's probably worth trying out.

Apple engineers rebel, refuse to work on iOS amid FBI iPhone battle

Displacement Activity

Re: @Displacement activity

@DougS: different sort of customisation. If every processor off the fab line is identical, then running up a VM is trivial, as long as you can get your hands on a spec for the CPU.

The problem is when each processor on a wafer is individually etched with something like a serial number, which can be used as a secret key. This is what is expensive, and is what Intel used to do on x86. This is what you'd need the electron microscope for.

Displacement Activity

Re: It's likely I'm missing something.

@Bucky2: no-one seems to have specifically answered your point.

*If* the processor on the iPhone board (or any other embedded system) is generic, in the sense that it doesn't have extra mask processing to give it a unique attribute of some sort, then you're probably right. You just use the ATE equipment which was used to test the boards to extract the ROM data, create a VM, and you're good to go. However, many ROM devices will have a security bit which may be blown after manufacture to prevent this. To get around this, you may (or may not) have to get the chip off the board and read it (normally, ie not with JTAG/ATE equipment) in your own test rig.

However, the processor may be customised. Older Intel x86 processors had a CPUID instruction which returned a unique serial number, for example. The problem with this sort of thing is that it involves an extra manufacturing mask and is therefore expensive. I don't know (or care, actually) whether Apple does this. If they do, the unlock algorithm presumably requires knowledge of both the 4-digit passcode and the processor ID. In these cases, you may have to resort to getting the top off the chip and examining it under an electron microscope to try to find the ID (which is not necessarily very expensive). If you have some knowledge of the algorithm you may instead be able to brute-force this in your VM.

Anyway, having said all that, I've worked on various embedded devices and I would be very surprised (astonished) if Apple doesn't already have software that can boot up any iPhone without knowing the passcode.

Displacement Activity

Re: @gollux How unAmerican ...

@vector: I think you might have missed the point of JimmyPages' original post.

And it's curious that nearly 30% of Reg readers have either done the same, or are happy with selective principles.

I beg you, please don't back up that secret directory full of photos!

Displacement Activity

Re: Years ago, when the net was young

> And the photos had all been FTP'd from various servers on the 'net.

> How times change. We would never think of doing it today, obviously.

We might not, but most of us are probably getting on a bit. About 6 years ago I had a short gig with a significant engineering company, doing electronic design. This was an all-male environment, but I replaced a girl who had recently left college. I personally have almost never worked with any females over the past 30 years. Anyway, turned out that this girl was frequently on youporn, completely openly, on her work computer, in an open plan office. She had her back to the window and the half-dozen or so guys around her all knew she was doing it, and came and watched occasionally.

Hello, Kotlin: Another programming language for JVM and JavaScript

Displacement Activity


These people need to get a dictionary and look up 'pragmatic'.

HMRC is to tax OpenStack cloud with UK citizens' data

Displacement Activity
Thumb Up

Great news

It's now only a matter of time before we can download everyone's tax data and find the MPs, fatcats, and so on who aren't paying any taxes.

Gmail growls with more bad message flags to phoil phishers

Displacement Activity


This sort of thing really pisses me off. Why the **** would anyone want to start encrypting *everything*? I have a mail server that sends out automated non-sensitive messages (*not* spam), and I foresee lots of pointless dicking about coming up. Consider:

1 - Google is a prime mover behind 'TLS Everywhere';

2 - Google charges for TLS on inbound connections;

3 - Google is behind 'Let's Encrypt', which issues free TLS certificates, which are trivial to get (I have one myself, and I did the whole thing online in a few minutes, with no human intervention);

4 - The Let's Encrypt certificate proves exactly nothing except that I have control of the server for which the certificate was granted (I only had to post stuff on it to get the certificate);

5 - Phishers control their own servers anyway, so can trivially get their own certificates. There is *no* "protection".

6 - If you really want private email, you wouldn't do anything as stupid as attempting to encrypt the connection - you'd encrypt the *email*

7 - the whole point of SPF records is to make sure that the email came from whoever it claims to have come from, and webmail providers do a good job of SPF validation. This adds exactly nothing

8 - Conclusion: this is all about Google trying to make money.

The only reason I had to get a certificate was because some pointless retards who run a public, non-sensitive and non-commercial website (ie. most sites) which I need automated access to decided to take TLS-only connections. Why?

I also run mailing lists where about 30% of recipients have gmail accounts, and another 35% have Microsoft webmail accounts. The emails are opt-in, non-commercial, non-spam, and are SPF- and DKIM-signed. About once a year Microsoft will silently cut off all outlook/live/hotmail/msn recipients, and I have to dick about for a day with some retard at Microsoft to get them re-enabled. I now suggest to new subscribers that they don't use Microsoft accounts. This never happens on gmail, aol, gmx/whatever. If Google starts popping up warnings for recipients who happen to be on gmail, they'll get the same treatment.

The Day Netflix Blocked My VPN is the world's new most-hated show

Displacement Activity

Re: I wonder how

There are other ways of detecting VPNs and proxies than playing whack-a-mole with IP addresses.

Some of these arguments don't really hold up. Geolocating isn't an issue, because (a) IPv4 addresses are scarce and are sold on, and it's not unusual to find IP addresses that trace to, for example, China where the block itself is registered in the US (though, granted, traceroute will do the job, but I believe that geolocation is normally done through registration and not tracing), and (b) the cheap proxy services are all in the US anyway. You can get a proxy in the US for less than a dollar a month per IP address, and this is where I'd start if I was connecting to Netflix.

On the user agent, I always put a plausible user agent in my (cURL) scraper, and I bet everyone else does. And a plausible referer, and cookies, and everything else.

I wouldn't expect a commercial proxy service to distribute my traffic over the IP addresses I've paid for. I connect to address X, and expect my outgoing traffic to come from address X. If you're right, then that provider doesn't understand anonymous proxying. I automatically test a proxy before using it live and this is easily detected.

But, at the end of the day, I agree that you're vulnerable because you have to log in with a Netflix account, and all they have to do is log all the IP addresses on that account. Your best hope is to go through one clean/paid-for US proxy and hope that you don't have to change the address too often. Or you could get a life and stop watching Netflix.
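The account-level logging the comment ends on, as an added example that is neither the commenter's code nor anything the service in question is known to run: detection logic over a constructed session log, flagging an account seen from more than three distinct source addresses within 24 hours, or from two different countries less than two hours apart. The log format, the country field and both thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed session log in an assumed format; not real service data.
SAMPLE_LOG = """\
2019-03-01T10:00:00Z account=alice ip=203.0.113.5 cc=US
2019-03-01T10:30:00Z account=alice ip=203.0.113.5 cc=US
2019-03-01T11:00:00Z account=bob ip=198.51.100.7 cc=GB
2019-03-01T11:20:00Z account=bob ip=203.0.113.9 cc=US
2019-03-01T12:00:00Z account=bob ip=198.51.100.8 cc=GB
2019-03-01T13:00:00Z account=bob ip=203.0.113.10 cc=US
2019-03-01T14:00:00Z account=carol ip=192.0.2.1 cc=DE
2019-03-02T14:00:00Z account=carol ip=192.0.2.2 cc=DE
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) ip=(\S+) cc=(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, account, ip, country) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def analyse(lines, window=timedelta(hours=24), max_ips=3,
            min_hop=timedelta(hours=2)):
    """Return {account: set(reasons)} for accounts whose source-address
    pattern looks like proxy rotation rather than one household.

    many_ips:    more than `max_ips` distinct addresses inside `window`
    country_hop: consecutive sessions from different countries closer
                 together than `min_hop` (no plausible travel time)
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, account, ip, cc = parsed
            events[account].append((ts, ip, cc))

    flagged = defaultdict(set)
    for account, evs in events.items():
        evs.sort()  # chronological; tuples sort on timestamp first
        for i, (ts, ip, cc) in enumerate(evs):
            # distinct source addresses in the trailing window ending at ts
            recent = {e[1] for e in evs[: i + 1] if ts - e[0] <= window}
            if len(recent) > max_ips:
                flagged[account].add("many_ips")
            if i > 0:
                prev_ts, _, prev_cc = evs[i - 1]
                if prev_cc != cc and ts - prev_ts < min_hop:
                    flagged[account].add("country_hop")
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in sorted(analyse(SAMPLE_LOG.splitlines()).items()):
        print(account, sorted(reasons))
```

This is why the comment's advice to sit on one clean address holds up: with a single stable proxy neither rule fires, and it is the address churn, not the address itself, that gives the game away.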

Your boss yells 'build a secure IoT gadget' and you don't know where to start. Take a look at this

Displacement Activity

I don't get it...

(yet?) First off, I can't see that their examples are even "IoT". Jeeps and Boeings aren't part of the IoT. Somebody just (allegedly) screwed up their entertainment systems, and failed to separate them from the control systems. I don't need a paper on that. Somebody managed to gain access to a rifle targeting system because it had a WiFi connection; not even the Internet. And anyone who builds Linux and WiFi into a rifle deserves all they get. And somebody else built a drug infusion system so that it could be controlled over the Internet; I think I see what their problem was. This was the only example where there was a possible use case for external control, but I would like to see their justification for remote *control*, rather than *monitoring*. The place to control drugs is at the bedside.

Back in the real world, I get asked to monitor taps, for example, over the internet, to see how often they're used (really). They have a tiny micro and a GPRS connection. I might be asked to turn something on occasionally. I thought this was the "IoT", and the paper is pretty much irrelevant to that. It doesn't even mention TLS/SSL, and even that's a big deal on the electronics I've got. My #1 problem is ensuring that a request to turn on a tap comes from a trusted source, which isn't even mentioned. My interest in trusted hypervisors, having cryptographically signed boot software on the micro, chain of trust authentication, and all the rest of it, is exactly zero. Putting in all this overhead is far more likely to cause a problem than to cure it.
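The "#1 problem" above, a tap that must only obey commands from a trusted source on a micro too small for TLS, as an added example that is not the commenter's design: a 21-byte command carrying a monotonic counter, a command byte and a truncated HMAC-SHA256 tag under a per-device shared key. The key value, the message layout, the 16-byte tag and the TapController class are all assumptions for this example; on the real micro the receiving side would be a few dozen lines of C around an HMAC implementation, and the counter would live in non-volatile memory so a reboot does not reopen the replay window.

```python
import hashlib
import hmac
import struct

# Hypothetical per-device key provisioned at manufacture; constructed for
# this example only. One key per device, never one key for the fleet.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff"
)
COMMANDS = {"off": 0, "on": 1}
TAG_LEN = 16  # truncated HMAC-SHA256: 128-bit forgery resistance, half the airtime


def _tag(key, counter, cmd_byte):
    """HMAC over counter || command, so neither can be altered in flight."""
    body = struct.pack(">IB", counter, cmd_byte)
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_command(key, counter, command):
    """Sender side: counter (4 bytes BE) | command (1 byte) | tag (16 bytes).

    The sender must use a strictly increasing counter per device; reusing
    one makes the receiver drop the message as a replay.
    """
    cmd_byte = COMMANDS[command]
    return struct.pack(">IB", counter, cmd_byte) + _tag(key, counter, cmd_byte)


class TapController:
    """Receiver side, as it would run on the micro."""

    def __init__(self, key, last_counter=0):
        self.key = key
        self.last_counter = last_counter  # persisted in NVRAM on real hardware
        self.state = "off"

    def handle(self, msg):
        """Validate one command. Returns (accepted, reason)."""
        if len(msg) != 5 + TAG_LEN:
            return False, "bad length"
        counter, cmd_byte = struct.unpack(">IB", msg[:5])
        # Check the tag before believing anything in the message, including
        # the counter; constant-time compare so the tag can't be guessed
        # byte-by-byte over the air.
        if not hmac.compare_digest(_tag(self.key, counter, cmd_byte), msg[5:]):
            return False, "bad mac"
        # A genuine but old message is a replay: reject without acting.
        if counter <= self.last_counter:
            return False, "replay"
        if cmd_byte not in COMMANDS.values():
            return False, "unknown command"
        self.last_counter = counter
        self.state = "on" if cmd_byte == COMMANDS["on"] else "off"
        return True, "ok"


if __name__ == "__main__":
    tap = TapController(DEVICE_KEY)
    msg = build_command(DEVICE_KEY, 1, "on")
    print(tap.handle(msg), tap.state)   # accepted, tap on
    print(tap.handle(msg))              # same bytes again: replay
```

What this gives and does not give: authenticity and replay protection for the command channel, with about 20 bytes of overhead and one hash per message, which is the part of the paper's threat model that actually applies to a tap. It gives no confidentiality, which for "turn the tap on" is usually fine, and it says nothing about whether the key was extracted from a device in the field, which is where the signed-boot material the commenter dismisses would start to matter.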

Nigerian government site popped, used for phishing scam

Displacement Activity

Unsupported Joomla?!

*All* Joomla versions are unsupported. Seriously. And please don't down-vote me unless (a) you've attempted a site in all of versions 1, 2, and 3, and (b) you've been dicked about by completely incompatible "upgrades", and (c) you (very) occasionally get completely pointless "security updates" which contain no useful information whatsoever, and (d) at least one spotty adolescent has told you that it doesn't need documentation because it's Open Source, therefore you read the source and write your own documentation.

Yay, more 'STEM' grads! You're using your maths degree to do ... what?

Displacement Activity

If you can't calculate the angles on a 50-cent coin...

Then you probably don't know how many sides it has. I don't know what a year 12 student is, but anyone in the UK who couldn't answer this question at GCSE (16-year-olds) is unlikely to end up as a radio astronomer, or a statistician.

Your entire argument is nonsense. This is nothing to do with rote learning - it's a basic concept with almost-zero mathematics involved. Once you've got your head around this, you can move on to vectors and matrices. For a professional mathematician or scientist there's no such thing as an optional subset which can be ignored - would you have a problem writing articles if you weren't allowed to use the letters 'a', 's', or 'd'?


Biting the hand that feeds IT © 1998–2019