* Posts by h4rm0ny

4617 posts • joined 26 Jul 2008

Bloke charged under UK terror law for refusing to cough up passwords


Re: Device with multiple partitions

Bitlocker doesn't do this - it encrypts but doesn't conceal you have done so. However, there are several successors to TrueCrypt such as BestCrypt and VeraCrypt which do support Hidden Volumes / Hidden Containers which are what you're referring to.

Because all of an encrypted partition or file appears as random noise, there's theoretically no way to distinguish empty space on the disk from used space. So you can have two encrypted containers appearing as one and determine which you're accessing by the password. Think of it as a magic door. You knock three times and it opens on a room where you've stored a few innocuous things like your email password. Knock five times and it opens on a room where you hide the state secrets you just stole. The magic is that the number of knocks can't be guessed so you just tell the interrogator it's three knocks and that's the only room they'll ever see and they can't prove that a different sequence of knocks would show a different one. It adds the last vital component of encryption which is deniability.

Microsoft to spooks: WannaCrypt was inevitable, quit hoarding


Re: You're assuming that Microsoft didn't actually implement these "flaws" at the request of TLAs?

>>Much of this work was done for a reason, and it wasn't all to provide better reliabilitiy for Skype based communications. I believe Microsoft were part-paid by the NSA to decrypt Skype's peer to peer secure model, and hence the high price Microsoft was willing to pay for Skype.

Quite probably. But I'd say there was also a pretty big stick held up visibly as well. I used to work in telecomms and was once interviewed for a job writing an interface to enable real-time eavesdropping on phone conversations. (Hence this will be my second or third ever Anonymous post in all the many years I've been commenting on El Reg.). I didn't know what the job was when I applied for it, only that it was in my area of expertise (Add-Drop Multiplexer controller software) and paid well. I like to think that I would have turned it down for ethical reasons but I was rejected anyway due to a poor interview performance (seems likeliest).

Anyway, as I understand it, nobody gets away with not implementing backdoors for Intelligence Agencies. Nobody. Anybody recall when Vodafone's eavesdropping system was subverted by an unknown party to listen in on the Greek Prime Minister and cabinet? Much like this case, the hacker or hackers looked at what a State agency had done and then just repurposed it to their own benefit. I'm not sure the hackers were ever caught - somebody simply noticed some dodgy software connected to their "legal" APIs. That was ten years ago. Incidentally, the person in charge of the Vodafone networks in Greece was found hanged and Vodafone were very uncooperative in the investigation to the extent they were fined £76m for it. (Link for those who still have optimism in their hearts and need citations).

I don't trust the spy agencies, and nor should you.


>>What is criminal is Microsoft deciding that millions of PCs running its software are suddenly obsolete


Are you by any chance a Galapagos tortoise, a sentient giant redwood or Wowbagger the Infinitely Prolonged? I just ask because most of us are not blindsided by something that has been known about eight years in advance.

Windows XP had fundamentally poor security. I mean conceptually in its design. These problems were not fixed until Vista (and then not usable until 7). MS have been doing everything they can to get people to move forward - they don't want to support XP systems any more than the sysadmins do. Half of the people who wrote it are probably retired by now - it was released in 2001. Goddess knows how long it was in development for!

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+


Re: From North of the Border

Enterprise licences don't do this. It's only Home and Professional et al. that spy on you. With Enterprise you can disable every last bit of telemetry if you choose.

Microsoft will provide you privacy if you pay enough.


Re: Risk Management

>>Or they're simply wary of being "upgraded" to Windows 10 with the next automatic update, that curiously lacks a "No, I don't want to upgrade" button - and interprets the closure of the popup as "Yes, please upgrade me to Windows 10", even in violation of previous documented configuration policies that expressed a customer's desire to stay with their current OS.

I see you've already been modded up twice for your reply to my post. But we are talking Enterprise Windows licences here. You have control over updates in Enterprise licences and they also don't suddenly randomly upgrade themselves to Windows 10, either. The rest of your many paragraphs all follow from not being aware that Enterprise Windows functions differently from Home and Professional licences. There is no excuse for being two months behind on updates marked Critical or for using Windows XP which is four versions out of date of the current. Neither have anything to do with home users being updated to Windows 10 making Sysadmins reluctant to apply updates. The idea is nonsense.


Re: Solution

>>Not to speak of the company that after 3 decades worth of producing software STILL cannot produce something that shows signs of the most basic principles of security. Yes, Microsoft, I'm looking at you.

Alright, I'll take that one on - you tell me what the "most basic principles of security" are that Microsoft have missed in current Windows and we'll see if your GNU/Linux distribution of choice has or has not also missed them. My contention is that a similarly neglected GNU/Linux system would be similarly risky. If someone were running SuSE 6.4 I think you would be leaping to say the problem was the neglected state of the OS, not the GNU/Linux itself.

So come one then - back up your statement: "Most basic security principles" that Microsoft have neglected that don't apply to other OSs.


Re: "the SMB server bug is the result of a buffer overflow in Microsoft's code. "

>>BTW People make a big thing about XP but this SMB stuff is in all versions of Windows.

Yes, and patched automatically in all supported versions before this happened. The reason people make a big deal about XP is because nobody should be using this 2001 OS in 2017. If you're running Windows 7 / 10 then unless you've somehow prevented it updating it's not vulnerable to this. You make it sound as if all versions are.


Re: Risk Management

That's not a correction. A patch for this was issued in March. If you are two months behind on your patches that would be a problem for GNU/Linux systems as well. Or do you leave your systems unpatched for that long as well? If so, you're not fit for a job as a sysadmin.

The greater problem here is agencies such as the NSA instructing companies to leave vulnerabilities available such as in the case of the Intel AMT bug which according to Semi-Accurate was almost certainly left in by request. What we're really seeing here is a highly visible example of why we shouldn't be allowing the government to mandate backdoors into systems such as Theresa May and Amber "we must know the necessary hashtags to combat terrorism" Rudd want us to create.

Seriously - an unpatched OS is a security risk. Using an OS written sixteen years ago and STILL refusing to upgrade it - that's on Jeremy Hunt and his ilk. Don't try to deflect the blame elsewhere.

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT


Re: Phew!

All tax payer money gets handed over to criminals.

A small portion of it they give back to us.

Paris Hilton

Re: NHS staff

Having worked in the NHS and seen how hard people at the bottom often work, I'm more inclined to say it's PEIDO. (Problem Exists In Director's Office).


Quick, someone blame Russia/DPRK/Iran/China/ISIS/Tory cuts/Donald Trump/Jeremy Corbyn

One of these is not like the others...


Re: Surprises?

I believe (having worked in the NHS) that it was safer when all the data was stored at individual GP practices. Firstly, this prevented a massive treasure trove of data being collected which will inevitably be stolen (if it has not already). Rather than numerous small troves which had to be individually gone after and thus weren't pursued by intelligence agencies or criminals. Secondly, it inherently partitioned the data according to need. Someone couldn't find the sexual history of their partner or look up the address of someone they were stalking just because they worked at ANY GP practice. When we pointed this out, they told us only people who had agreed to strict privacy controls were given access. By this they meant the bit of paper that every GP secretary and anyone else signs without reading. We pushed and were told that all accesses were logged but we investigated and at the time they weren't (not that this takes the place of restricting access). I.e. they lied to some of the people actually responsible for this stuff! Maybe those controls are implemented now but the principle that far, far more people have access to this data than need it remains in place.

So no, I don't think it has made it safer even in principle. A thousand boxes, each individually locked and each containing a pittance. Or Smaug's heap of gold entrusted to whichever company's director is mates with the Health Secretary of the day. I know which I think is safest in principle.

Booze stats confirm boring Britain is drying


Re: Less alcohol consumption or more fibbing

Yes. But in a democracy, they aren't the same lies.


No, you could get LSD in the Nineties. Now nobody seems to carry it.

LSD is one of the safest illegal drugs there is.

Paris Hilton

I've never understood biscotti. They're rock hard and very thick which leads me to assume that they're designed for dunking in your coffee. This would make sense and would probably taste quite nice. But I've never seen someone dunking them in a coffee shop. Do people dunk them?


Re: 1960s health advice?

I don't know if it's so much science being better or worse in the 1960's than today, so much as it is different degrees of harm being tolerated. In the 1960's if you said that a bottle of wine doubled the risk of health problems from 0.1% to 0.2%, they'd probably shrug and say people make their choices, it's pretty much a tiny change to someone's personal risk. Today they'll look at what the 0.1% does to society as a whole and cry armageddon, running headlines about millions of £'s lost each year due to drinking and "thousands at risk of liver damage". There's just no acceptance of any risk at all these days. In the Sixties, people considered risk a normal part of life.

Don't stop me! Why Microsoft's inevitable browser irrelevance isn't


Re: It won't be seeing my computer

>>"Only if you tell it to remember your password. You can delete saved passwords under advanced options."

I don't think that's correct. Or else you misunderstand me and think I'm talking about it signing you in automatically to web sites. What it does is every time you start it up connect to a Microsoft account for you, tracking any search history and browsing history, et al. The only way around this is to switch to Private Browsing every single time you open it. There's no setting to disable the Microsoft logging, so far as I'm aware. It's nothing to do with saved passwords.


Re: I use Chrome

Um, I'm just as old as you if we're going by using Mosaic and I have to say things have changed. These days Chrome is responsible for more standards violation and strong-arming of how the Internet works and IE11 / Edge is the one that plays nice. You know why? Because it isn't determined by which company is a Good Guy and which is the Bad Guy, it's determined by which one has the power. And these days Google do.


Re: It won't be seeing my computer

I'll add my voice to the crowd. I actually like Edge fine - but it signs you into Microsoft automatically. You can put it into private mode every single time you start it up but you can't set it to not try and track you every time you fire it up.

Don't install our buggy Windows 10 Creators Update, begs Microsoft


Re: Another day

>>"They may not be doing all users at once but once your machine is selected there seems to be no way of preventing the upgrade.

Which I'd actually be okay with if it were just an update to performance, security fixes, etc. But they should have no power to force functionality changes onto a product that I have already bought.

Uber engineer's widow: Stress and racism killed my husband ... Uber: Let's make flying cars!


Re: I'm not surprised

I've done one start-up in my career, the rest has been established companies. I fortunately didn't have the problems you listed - indeed, our founder and director worked shockingly hard and was extremely driven - which is one of the reasons it was so hard to give less than my all myself. It's one thing to hold back when you're being asked by a hypocrite for extra effort. A different thing when you know your boss is working just as hard and is taking huge personal risks. But I doubt that applies in Uber's case!

I think you nailed it when you talked about people who take pride in their work and just can't "fail" at something. I'm like that. When the expectations are out of control, that sort of professional pride can destroy you. We don't deal well with being set up to fail. Ironically it was after the start-up stage when other people came in who were essentially reaping the harvest planted by others that the problems you talk about (Old Boy's club, inexperience and ego) started to manifest. I eventually resigned my position because I felt I was unable to do a good job at my work. I think as many engineers have probably quit over that as have quit over money.

I'll say one minor counter-point, which is that the figure of 8.8% isn't evidence of racism. Do people just tout such things because it sounds like a small figure? The proportion of Black people in the USA between twenty and thirty (prime hiring age) is around 7-8%. Now I can well believe it's possible that there is racist culture in Uber given the evident sexism at the company (-isms are often found together), but the 8.8% figure isn't evidence. And that's just comparing it to the population as a whole without allowing for the fact that Black people are disproportionately poorer in the USA and less likely to be applying.

Cuffing Assange a 'priority' for the USA says attorney-general


Re: Ah, yes, I nearly forgot about him

>>Touché, although they never pretended to be anything else, or act for the good of humanity.

Yes they do. SInce when do Daily Mail or Fox News preceded their outpourings with "but keep in mind we're biased." Ditto for pretty much any news outlet that isn't purely focused on a financial audience (who care more about information than being told what is right or wrong).

If your criteria for being a journalist or a news organization is being unbiased, you're going to have to discount the vast majority. So either change your criteria or accept that it doesn't single out Julian Assange how you'd like.

Really, what should matter is if what Wikileaks publishes is true, which it is the case is it not?


Re: Why would he go after Assange?

Well the USA has traditionally had a rather novel approach to debt. Namely, if you can invade / overthrow / imprison the person you owe money to, you don't have to pay them. (Libya springs to mind).

Y'know CSS was to kill off HTML table layout? Well, second time's a charm: Meet CSS Grid


Re: If you have questions about grid

>>You didn't go online much in the 90s did you?

I did actually (note my hopelessly archaic l33t username ;) ). But you've misread my comment as saying that the 90's tech was better. It's actually a snarky commentary on the person I was replying to suggesting that they'd be happier back then because they're a grumpy anachronism. Not because things were better then!

We're in agreement. And yes, thank the gods that I now only very rarely see comments about "a girl on the Internet" and even then only from hopelessly out of date Geek-culture types.


Re: If you have questions about grid

Stay there. You'll be more comfortable.


Not to blunt your righteous rant, AC, but you are aware that this CSS grid is not currently a standard? It's a candidate release. I mean, you're talking a lot about standards so I'm sure do. Don't you?

Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools


Windows XP was released a decade and a half ago. It's replacement was released a decade ago. Extended Support ended three years ago.

At this point, you should really consider your vendors inadequate for the job.


Yes, basically. We know the malware was created by the Equation Group and they are certainly a state-backed group. As you mention it, the Equation Group has created firmware malware. The malware in the article just isn't one of those.

Boffins crowdsource hunt for 'Planet 9'


Re: Considering that Pluto was demoted.

Maybe if they find another planet they should re-use Pluto then all parties will be happy. Plus it will create even more confusion which seemed to be the purpose of trying to redefine Pluto anyway.

Seriously, "planet" is an arbitrary term. No rocket scientist ever based their slingshot calculations on something being "a planet" rather than, say, 1.3x10^22kg or whatever. The term is a cultural artifact with no useful scientific meaning. It is to astrophysics what the term "race" is to genetics. I.e. a visible thing for non-scientists to get hung up on that is next to useless for any meaningful discussion.

And as it is a cultural artefact, just let it be a planet given that it always has.

Now, would anyone like to hear me rant about applying SI metric definitions to MB that are more useful in powers of 2?

Intel reveals Optane SSDs: 375GB to start, at surprising speed


Re: Is it really that fast?

Not only is that an excellent article (as per usual for SemiAccurate), but that last paragraph but one was spared nothing in calling out by name certain journalists that they believe are influenced unduly by Intel. Certain journalists whose bylines appear in El Reg., no less! :)

Trump's cybersecurity strategy kinda makes sense, so why delay?


Re: Reason why Trump didn't sign cybersecurity executive order

>>"Good try. Unfortunately for your comment, it didn't happen. One post does not a hijack make."

I count four. And yours makes it five.

And now mine has made it six. It's off-topic whether it's true or false (and it's false). Could the reason you're fine with someone ham-fistedly forcing their cause into the thread be because it's a cause you're favourable to?


Re: He didn't sign it

The CIA are probably poisoning his tea as we speak!

Cyber-spying, leaking to meddle in foreign politics is the New Normal


Re: @Peter2

>>The difference is...?

That Hillary was Secretary of State and a close political ally of the government under which much of the ramping up of US presence on Russia's borders and increasing tension with Russia took place. And also that she is historically very hawkish. She was one of the chief proponents of the destruction of Libya and killing of Gaddafi. She has a considerable pedigree of being someone who pushes US hegemony abroad. Trump does not.


Re: I have wondered for a while

The NSA and FBI probably wouldn't use Intelligence such a manner. The CIA would and almost certainly have. The NSA for all that they are the bete noir of privacy, do actually honour their goals internally I believe which is to serve their country (however that may or may not align with civil rights). The FBI are all about the law enforcement. (The DEA should be given notice immediately to disband and their entire jurisdiction and case load and budget be handed over to the FBI to be re-prioritised). But the CIA are a political agency in their own right. They have run drugs operations for profit in order to fund themselves on things that congress didn't. They absolutely have political agendas and I have no doubts personally that they abuse their powers in ways that not only the public but Senators would be horrified to learn about. Of course there are thankfully policies on what they can do on US territory but I don't know how much that actually restricts them in practices.


Re: "MIght appear to be unprecedented?"

When you have to start not merely taking sentences out of context, but snip out fragments of sentences for your point, you should question whether you're arguing in good faith. You quoted my words "Wikileaks have never lied about this" and responded with "How could you know?" My actual words: "to my knowledge, Wikileaks have never lied about this." Whereas we have established examples of the CIA lying even to Congressional hearings about their use of torture. Any objective assessment will conclude that the CIA should be afforded less benefit of the doubt than Wikileaks.

As to your link, have you even read it? It headlines about a major lie by Wikileaks. But the "story" seems to be that someone on the Wikileaks twitter account repeated a news story that Clinton's campaign manager had deleted their tweets and then deleted the comment when he did tweet. Wow. Such significance. They don't even link to anything involved. The "story" is rubbish.


Further to my last comment, I have to seriously question this article writer's impartiality. For example, they talk about the alleged Russian interference in the election of Yanukovich (I see Wikipedia states it as fact, but uses the Supreme Court of the Ukraine - appointed by the people who overthrew him - as their citation). They neglect to mention that the USA was actively funding opposition in the Ukraine and helped forment the Orange Revolution which overthrew the government. You also can't help but notice how for its example of nation-state hacking against Germany, the article goes with alleged hackers possibly from Russia of very dubious success, rather than the much more widely known and established fact that the USA was monitoring Angela Merkel's communications. In her own words: "that's not what friends do."

This article does not do what I consider the required level of journalism to present an accurate picture.

Also: "It's possible that culprits can manipulate digital evidence to make it appear as is someone other than themselves perpetrated an attack."

Well, duh! Here's a pro-tip that actual security experts have been saying for a while: use paper ballots, not voting computers.


Re: Hmm... Deja Vu...

A little unfair to compare the elected leader of Russia with a man who seized power and murdered millions in nationwide purges, isn't it? Do people in the West really see Putin as that much of a caricature that they roll him in with the likes of Stalin?


"MIght appear to be unprecedented?"

Well, only if you've never followed the entire history of the CIA and their repeated interference in foreign governments - not infrequently democratically elected ones as well. THEN you might see quite a lot of precedent.

Also, doesn't this assume rather a lot in the first place in taking as a given that this did occur as the CIA (sans proof) say it did? I mean Wikileaks claim it was given them by an insider in the DNC (the one that was shot several times in the back in a "robbery" near their home, by any chance?) and to my knowledge, Wikileaks have never lied about this. Whereas the CIA lied to their own government about torturing people and ran an entire profit-making drugs business to fund operations that Congress hadn't? So isn't it more likely that it was a leak and not "Russian hacking the election". Which is a funny way of putting informing the electorate about what their candidate actually did and said, anyway.

Coming to the big screen: Sci-fi epic Dune – no wait, wait, wait, this one might be good


Re: Lynch's Dune was good, lots of people agree

I think if Lawrence of Arabia had been made to day, there would be an extremely vocal grouping of people who decried it as "having a White protagaonist who saves the day for the brown people" and demand that it be changed so Lawrence wasn't the hero.


Re: I am obviously alone in this.

I'll say this for the Lynch version. If it had been a bog-standard Space-epic of its era, few would be talking about it here now. The spectacle of the floating baron ripping plugs out of people's hearts (why?) or enormous baroque fish-tanks being wheeled into an emperor's audience chamber, eyebrows like someone threw two jungle caterpillars at someone face at high speed... It may or may not be good, but it certainly makes one Hell of an impression.


Re: Can't be a single movie

But in this case, it's almost inescapable that the USA are the parallel to the Bad Guys. Paul Atreides joins a bunch of semi-nomadic desert people whose homeland is being mercilessly exploited for its natural resources by an empire and trade guild using better technology, air support, etc. and appointing the plum job of regional governor to their own upper class politicians. (Baron Harkonen, Duke Atreides...) It's essentially Lawrence of Arabia in Space.

Fremen or Yemen, the parallels are pretty starkly drawn. If they do this, they should absolutely carry it through to how Paul leads a semi-religious war against the rest of the galaxy leading to billions of deaths. People don't seem to do Tragedy in the classical sense anymore. It would be good to have the full arc. And I don't mean just making him a Hard Man Making Hard Choices anti-hero. I mean actually follow the path of the noble and caring leader through to the slaughtering despot he becomes.

Dear Microsoft – a sysadmin's wishlist


It must be great to have your own news outlet

So you can rant about all the things you're upset about.

Dido queen of carnage steps down from TalkTalk


Re: Great headline

Dido of Carthage killed herself, not her kingdom, though.


Re: Dido's First Job Interview

>>".... because I need the money and no one likes me at home."

Well, I'm pretty sure that part is a lie, at least.

TV anchor says live on-air 'Alexa, order me a dollhouse' – guess what happens next


Re: Blakes 7 and Microsoft

Was it ever explicitly stated that Avon and Callie were involved together? There were hints and there was line of Villa's with "Did I miss something" and I think Callie or Jenna replied "yes, you missed something. which I thought was about Avon and Callie. I was too young to watch it when it came out, I think, but maybe they re-ran it. It might have been my first introduction to Sci-Fi.


Great. So in addition to the USA imposing its spelling and grammar on the rest of the world, it's now imposing its prhasing and meanings, too.

CES 2017 roundup: The good, the bad, and the frankly bonkers


Re: I quite agree

Put it in the toe of your shoes. A small vibration there as you approach your turning would be noticeable and intuitive.

Paris Hilton

And now she can legitimately tell you to get lost? ;)

Assange confirmed alive, tells Fox: Prez Obama 'acting like a lawyer'


Re: >So what crime did Assange commit that would require a pardon?

>>"You can't have it both ways. The only way his behaviour adds up is if you assume something *did* happen and he damn well knows it."

Or if you believe that people in the US government are out to get him. That also works. Are you really arguing the unliklihood of that?


Re: ...unlike his credibility

Fascinating. So what information has been passed to Wikileaks that they have decided not to publish for reasons of bias. Presumably you have such a clear view of what Wikileaks have been given in order to say that they're being selective. I mean if you didn't, your post would be without support.

Biting the hand that feeds IT © 1998–2019