* Posts by Graham Cobb

346 posts • joined 13 May 2009


London mayor: Self-driving cars? Not without jacked-up taxes, you don't!

Graham Cobb

Re: Missing the point.

I think this is the point. And I will be surprised if this isn't TfL's real main concern.

Driverless, electric cars will encourage people to not own them but use them like much-cheaper taxis. That will drive a lot of people away from much more efficient mass-transport (trains and even buses) to very inefficient (in terms of road space as well as other resources like energy) driverless cars with one occupant. Much more convenient, door-to-door, and no parking, insurance, capital, etc costs.

That will really screw up transport in London.

I think the only answer will end up being some form of congestion-based road-pricing (at very high rates in congested areas) for driverless cars. The tax revenues will be enormous but the personal freedom we all imagine that driverless cars will bring will be non-existent.

Presumably TfL aren't talking about this now because no one wants to point out that the automated cars emperor has no clothes. At least while there is money to be made from gullible investors.

1
0

For goodness sake, stop the plod using facial recog, London mayor told

Graham Cobb

Re: Of course the police don't want a national strategy

I am not particularly worried about crime. I am certainly not worried about terrorism -- terrorists reduced to running people over in vehicles and attacking with knives are no longer a serious threat to public safety.

I am worried, however, about political surveillance: surveillance of the people protecting my freedoms and way of life such as journalists, campaigning lawyers and even the many political activists I do not agree with. I need to be confident that the police are not returning to 1970s levels of involvement in politics.

Tracking, watching or recording people who are not already suspected of a crime (or their cars) interferes with our rights of free expression, assembly and political activity and must be illegal.

22
1

Anonymized location-tracking data proves anything but: Apps squeal on you like crazy

Graham Cobb

Re: Don't worry

To be fair, laws like this are important and do help with the many commercially-oriented concerns (most big consumer companies do not like to be caught out systematically breaking laws). So, this law is important to stop, for example, insurance companies de-anonymising data to drive health insurance premiums.

Of course, the law needs to be well-drafted, and include serious penalties for commercial infringement, while also protecting research. None of those apply in this case, unfortunately.

8
0

ATM fees shake-up may push Britain towards cashless society

Graham Cobb

It isn't just the government... I always pay by cash in supermarkets because I don't want the shop, or the card company, profiling me. Particularly if they are thinking of selling the data on ("this guy buys a lot of wine -- probably a good idea to put his health insurance premiums up").

When the shops & banks are willing to pay me for giving them useful data (I would require well over 1% cashback) I will consider using cards.

6
0
Graham Cobb

Re: Hang on a sec...

I suspect many of the ATMs round here (a rural area) do make a loss. They are mostly inside small shops and I suspect the shopkeepers tolerate a small loss in order to get the additional foot traffic (I have certainly gone to use the ATM and left having bought several things I hadn't planned). A really big problem with village shops is just getting volume of traffic so they can sell stuff before it hits end-of-life. This is the same reason some are still willing to have Post Office functions -- not to make money but to get people into the shop.

Even a small reduction in charges probably will cause several of those to disappear as the shopkeeper decides they can't afford the fractionally higher loss on already very small profits. Which is a shame as in these cases they really do provide an important service, often offering the only ATM in a village.

3
0

UK financial regulator confirms it is probing Equifax mega-breach

Graham Cobb

Re: What Exactly Was The Breach ???

As I said in an earlier thread, it is time we forced the credit reference agencies to clean up their act and severely limited their capabilities:

Reform should mean that data kept must be limited to a small number of permitted categories, all recent and personal (not hearsay or "linked"), with the sources clear, and limited to clear factual data which can be easily either confirmed or refuted and immediately fixed without the co-operation of the source.

Combine that with full control by the subject: full visibility not only of the data but history of all requests and responses (with future notifications if they wish) and full control over who may or may not make requests (able to be changed at any time).

Yes, this would mean credit checks would be less conservative, and there would be more bad debt. But the world won't end.

2
0

uBlock Origin ad-blocker knocked for blocking hack attack squawking

Graham Cobb

Re: disagree with Scott and Troy

I'm curious how your privacy is decreased by sending a CSP report, especially if that report is sent back to the same host.

I don't know. Possible issues may be discovering how I use GreaseMonkey, or DeCentralEyes.

But just because neither of us can work out how to abuse a new feature not widely in use at all yet, that does not give me any confidence that it cannot be abused. It hasn't been very long since no one realised that canvas was a privacy violation.

As a general principle, I do not permit anyone to receive anything except the most limited information. I don't use UBO (I have other tools) but certainly will not be permitting CSP reports to be sent to most sites. I might make a few exceptions if it seems particularly worthwhile for some site and I particularly trust them. Just like I make a few exceptions to allow some applications to report crashes.

2
0

Microsoft faces Dutch crunch over Windows 10 private data slurp

Graham Cobb

Re: Blaming North Korea?

So what happens when you need to open very formatted MS Office documents?

Yes, the Microsoft Office software is good, if rather expensive. Particularly Outlook. I can certainly understand why medium-to-large businesses use it, and why it drives them to run Windows. Personally, I have MS Office running under PlayOnLinux for use when I absolutely need it, but I acknowledge that it took some effort.

Most consumers, however, do not need MS Office installed on their PC and are perfectly happy with LibreOffice and/or online tools. Small businesses have to make the choice: LibreOffice and Thunderbird (maybe combined with web-based tools) are probably fine for their needs. Unfortunately I think it is other tools (payroll, accounting, tax & HR software, SEO and marketing tools, photo & video processing, etc) plus cheap and easy support (local PC company) which drive them to use Windows.

8
2

UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles

Graham Cobb

Regulation of credit references

The credit reference business needs some serious regulation. Yes, credit checks (for businesses and individuals) are important to keep our economy functioning but the processes and data behind that should be extremely heavily regulated (one level down from health data).

Reform should mean that data kept must be limited to a small number of permitted categories, all recent and personal (not hearsay or "linked"), with the sources clear, and limited to clear factual data which can be easily either confirmed or refuted and immediately fixed without the co-operation of the source. The data subjects must be able to see all data held on them, all requests made, and all analysis/reports made and the data subject must be able to put blocks on access to their data from certain sources or for certain types of requests (understanding that that might mean they are refused credit).

Yes, this would make credit reporting less useful -- with a higher risk of bad debt. But so be it -- the economy won't collapse over that. That should be the price paid by an industry which gets a free pass in terms of receiving, keeping, and processing, personal data without permission.

4
0

Seagate fires NASty volley of 12TB spinners with lifebelt for fried data

Graham Cobb

Re: Don't buy Seagate

On the other hand, I bought a Seagate 10TB IronWolf in July 2016, run continuously since, with well over 100TB of writes in that time and have had no problems with it at all. No reallocated sectors or uncorrectable errors at all. I am just replacing it with a 12TB drive and will move it to being a backup disk in my NAS.

I have several other Seagates with no problems with any. I don't believe they are any better, or any worse, than any other major manufacturer nowadays.

So, don't believe the anecdotes about one drive being more reliable than another. With current technology they all seem to be very close in reliability. Any drive can fail at any time; most will not fail until well after you have stopped using them; and no ordinary user will see any measurable difference between manufacturers.

2
0

Home Sec Amber Rudd: Yeah, I don't understand encryption. So what?

Graham Cobb

Who defines what is "terrorist material"? Government could decree any sites working on disrupting their plans are "terrorist material".

Or what happens when the government go all Spanish and decide that calls for Scottish independence are illegal?

Seriously, after this weekend, in a supposedly civilised, EU country with military levels of force against people expressing peaceful support of their elected representatives by just voting, I don't think the government have a leg to stand on when discussing supposedly anti-terrorist legislation.

19
2

How Apple is taming the ad biz. Just don't expect Google or Zuck to follow

Graham Cobb

Re: Logical move for Apple

As it said, Google is not really affected.

That is only true if you visit Google at least once a day.

Sure, most people do visit the search engine once per day, although not everyone searches for something every day - plenty of people spend whole days in Facebook, WhatsApp, Twitter and Instagram. If you miss a day, does Google lose the info about what you were doing that day?

More interestingly, some people have switched to another search engine. For example, I search using Startpage. I don't use Gmail so that means I almost never visit Google at all!

So, does this mean that those trying to make big advertising less effective should push really hard for people to search using Startpage or DuckDuckGo? If a significant number of people using Safari did that, would that make a noticeable dent in Google's advertising capabilities?

6
0

More are paying to stream music, but YouTube still holds the value gap

Graham Cobb

What has UGC got to do with streaming?

46 per cent of on-demand music streaming is from Google's video website

OK. But how much of that is from UGC vs. uploaded deliberately by the musician/copyright holder/agent?

This is a genuine question. I imagine that it is a tiny proportion. Is it actually a significant proportion? How much? Pointers to published data, please.

I realise I am not in the target demographic (I don't stream or pirate music -- I buy it), but the (very small amount of) music I stream from YouTube is to check out something a friend has recommended to see if I am interested in buying more of it. And I don't think it has ever been UGC -- it has always been a clearly authorised upload, exactly for that purpose. Why would YT pay anyone for that advertising?

Of course, I know that people post video captured from concerts but, again, surely that is a tiny part of the "on-demand music streaming".

2
0

What's that, Equifax? Most people expect to be notified of a breach within hours?

Graham Cobb

At the time that I started my IT career (1978), Music was quite a common degree for other entrants. Personally I did Maths. Very few of my peers did a specifically computing degree.

I seem to remember that at that time Music was the most common non-STEM (we didn't call it that then) degree for computing professionals.

0
0
Graham Cobb

Re: How?

Or, maybe, Equifax can tell them which of their customers might cause them grief (lawyers, politicians and other rich people) and so should be dealt with politely, helpfully and efficiently, and which ones (everyone else) can be ignored or sent to a useless website.

A strategy I am assuming they are using themselves.

10
0

Bloke fesses up: I forged judge's signature to strip stuff from Google search

Graham Cobb

Digital signatures

So when will all documents signed by judges also be given a digital signature (with public keys available from the official court website)?

There is no need to go all techy and stop judges really signing real documents, but every court should also issue a digital version signed by the judge's (or, at least, the court official's) electronic signature.

Recipients could then trivially check for authenticity.

8
0

Whoosh, there it is: Toshiba bods say 14TB helium-filled disk is coming soon

Graham Cobb

I don't believe them

Two manufacturers announced 12TB He drives about New Year, saying they would be available mid-2017. Then 3-4 months ago they announced they were now available. Except they aren't. You can't buy them anywhere, that I can find.

A couple of suppliers have had them listed for a couple of months, but with no stock and no sign of when they will receive any stock. For the last month or so I have been checking major retailers and even comparison sites almost daily but no one has any available (even though the couple of sites that list them keep changing their prices slightly every day).

So, I don't believe these 14TB drives will be available by the end of the year.

1
0

15 'could it be aliens?' fast radio bursts observed in one night

Graham Cobb

Re: Bad news travel fast!

If only it hadn't taken them quite so long to charge up their 10 million trillion trillion joules, the warning from their model of the end of the universe 3 billion years into their future might have arrived on time.

3
0

Samsung keeps the smartwatch alive. Just

Graham Cobb

Re: They all try to do so much

all I want is at-a-glance read of texts or notifications and an easy control for the music features of my phone / iPod.

All I want is the exact opposite! I am over middle-age so I need reading glasses. I really want to be able to control my watch from my phone. Have it get accurate time periodically from the phone, be able to set complex alarm patterns from the phone, be able to choose which time zone(s) to display from the phone, etc. I want the phone to replace the horrible tiny display and fiddly buttons for the control stuff, leaving the watch (with an analogue display, preferably with real hands) just looking nice, showing me the time, sounding an alarm and having a really long battery life (over a year without charging/replacement).

5
0

US government: We can jail you indefinitely for not decrypting your data

Graham Cobb

Good quality encryption results in random data, which can be decrypted to anything.

Citation, please. The first part is true, the second does not follow. I am not an expert, but as the key length is shorter than the file, there are far, far fewer possible decryptions than there are possible data files of the right length.

15
2

WikiLeaks a 'hostile intelligence service', SS7 spying, Russian money laundering – all now on US Congress todo list

Graham Cobb

Re: Do you realize...

If Snowden would come back and do this... and win, then he'd be considered a hero

You do realise that there is no "public interest" defence permitted to a charge of revealing classified information in the US?

2
0

CrashPlan crashes out of cloudy consumer backup caper

Graham Cobb

Re: The real reason ?

"wget -r https://google.com" simply doesn't work

That is obviously because you forgot the span-hosts option. Try "wget -rH https://google.com" instead.

1
0

Good Lord: Former UK spy boss backs crypto

Graham Cobb

We have to be careful that we oppose the right things. The government have stopped talking about banning encryption -- they have changed to talking about a modern form of key escrow (without using those words). They want to get rid of (maybe even ban) end-to-end encryption, where the users control their own keys, and have keys controlled by someone else (not the government, oh no, we aren't interested in your keys, oh dear me, we just want your service provider to have the keys, in your own interests, so that you can recover them if you need them, or something).

But (i) I actually trust Amazon even less than I trust the government (believe it or not), and (ii) if the UK government can put legal and other pressure on the service provider to decrypt my data then so can any other government in the whole world. Do you trust all of Trump, Putin, Kim Jong-un, Maduro and May?

We need to make sure that the discussion isn't about banning encryption -- that is what the government would like us to be talking about because they can then just say "we aren't going to ban encryption". It is about key escrow.

10
0

Can GCHQ order techies to work as govt snoops? Experts fear: 'Yes'

Graham Cobb

Re: Supply chains

It is this case which worries me. Could (for example) Alan Cox be served with a warrant requiring him to sneak a tiny vulnerability into the Unix kernel? He is certainly sufficiently clever, well known and trusted to be able to do it (so the "not practical" exemption doesn't apply). Although I suspect he may also be bloody-minded enough to be a poor choice (thankfully).

More realistically, maybe, a one-man maintainer of a very popular Github project (plenty of those -- for example rclone) could be served a warrant. And if the project was to do with communications, and had over 1000 users, he might even qualify as a telecom operator!

8
0

Snopes lawsuit latest: Judge orders disputed cash can flow to fact-checking site

Graham Cobb

Re: Corporate vs. Individual

It turns out that it is more complicated than that. Techdirt has a detailed explanation, but basically, the particular corporate structure used means that only individuals can hold shares, not companies. So, Proper paid for the share but the shares are held individually by the directors. So the court has to decide whether Proper can be regarded as the "beneficial owner".

9
0

Reminder: Spies, cops don't need to crack WhatsApp. They'll just hack your smartphone

Graham Cobb

Re: Simpler way

I have always assumed that there are already standardised, and legally required, mechanisms in the baseband processors to allow certain remote operations from the air interface. In the past I assumed that included remote monitoring of audio and with the rise of smartphones I presume that includes some way to run code in a highly privileged environment (which can then be used to download and run anything they want). If so, these cannot be bypassed by anything you might install on the device.

The interesting question is whether these hacks only exist in chips for communications where a licence is required (and hence including the feature is a condition of the device getting the necessary licence) or whether they also now exist in chips for unlicensed usage (such as WiFi).

If I was a political activist, or an investigative journalist, and thought I was likely to be the subject of targeted surveillance from government agencies, I would assume anything with an air interface can be monitored.

2
0

US Homeland Sec boss has snazzy new laptop bomb scanning tech – but admits he doesn't know what it's called

Graham Cobb

Re: The theatre opens another season......

"$70 a flight"

I would say that certain recent actions by the US government have just put the price up.

I wonder who gets to benefit...

0
0

Q. What's today's top language? A. Python... no, wait, Java... no, C

Graham Cobb

Re: On Another Note

The IEEE has a royal charter? That must annoy the IEE.

3
0

'Millions of IoT gizmos' wide open to hijackers after devs drop gSOAP

Graham Cobb

Re: SOAP

It would be good to have a list of all the software which relies on the libraries.

Fortunately it seems to be less than I feared. I note that the package is not installed on my systems (Debian workstations) and a quick apt-cache rdepends libgsoap10 doesn't show any well-known things using it. So it may be that the IoT devices are the biggest vulnerabilities.

1
0
Graham Cobb

Re: Requires an incentive

Unfortunately that won't work. It places the incentive on the wrong people.

The people that have to be incentivised are the owners. If I own a crappy IoT device (I may not even know it is one: think teddy bears) I need an incentive to upgrade or replace it if it can be hacked. Even if a refund is available, I guess less than 1% of people will bother if it is "working" for them.

1
1

We'll hit THAT 95% Sigfox coverage target using telly aerials, says WND-UK

Graham Cobb

Re: Am I completely missing the point?

why can't these non-defined 'things' use the existing infrastructure of wired broadband and non-wired internet already blanketing the country?

Good question. The main answer is very low power devices. Don't think about consumer devices (they will be connected to the mains, or be rechargeable). Think about devices that are installed somewhere (inside a water meter, in a river, around the neck of a cow, on a container when it ships from China) and never touched. There are many use cases which only need to transmit a few bytes a day but need to last for many years without being touched.

Current mobile phone protocols can't support these sorts of devices. NB-IoT can (that is what the NB bit is about) but it doesn't exist yet. SigFox and LoRaWAN are trying to get up and running with blanket coverage before the mobile phone companies can roll out NB-IoT. Being first to market obviously puts them in a strong position (although there are also significant technical, and commercial business model, differences between the solutions).

[Full disclosure: my employer sells some of these technologies, although the above is my personal opinion only]

0
0
Graham Cobb

Re: That's nice

The demand for Sigfox and other similar solutions isn't primarily domestic consumer business: that is probably best served by WiFi, combined with either permanent power or phone-style recharging. The demand is primarily for applications which either need wide area coverage (like lorry or package tracking) or very low power (like collars that can be put on livestock and left without recharging for the lifetime of the animal, or monitoring of water flow and quality in streams).

Meter reading may also be a case (because it is hard to ask your customer to provide the power and connectivity necessary for you to send them a bill).

So, I expect that ordinary people won't do much with it. But that doesn't mean it won't be big. Personally I think these business uses are the real IoT business case.

0
0

G20 calls for 'lawful and non-arbitrary access to available information' to fight terror

Graham Cobb

Sure, PGP is great. But the remaining very hard part is the infrastructure that goes around it. Particularly ease of use, key management, and avoiding leaking metadata. PGP-encrypted email, for example, makes no attempt to hide the source and destination, the length of the email and most implementations don't even drop all the optional clear-text headers (such as Subject).

Also, messaging, as it has evolved from chat to today's messaging apps, has very different design priorities from email (such as little interest in store-and-forward or the large amount of metadata in email headers, and a tolerance of centralised or federated servers instead of complete decentralisation).

The lack of an open-source version of WhatsApp, Telegram, etc is proof that PGP is not enough and we have a lot of work still to do.

1
0
Graham Cobb

...nothing to stop the (nominal) targets of this legislation from authoring and using their own encryption tools that don't suffer from the limitation of being breakable

And I am sure this is well underway. Pick your favourite "state sponsor of terrorism" (Russia, Saudi Arabia, China, The Great Satan, Iran, ...): they all have plenty of smart computer scientists who can create a secure encrypted messaging system, with secure distribution (and, probably, a reasonable cover story for using it - like building it into a "community values dating app" or something).

Those who are not terrorists, but who may fear interference from major vested interests (political monitoring, state industrial espionage, etc) need an equivalent.

It is time we, in the global open source community, really invested in creating an open equivalent, where you can be confident that (i) if the endpoints are secure messages cannot be decrypted, and (ii) if the servers are secure metadata is also secure. And make it federated (so you can communicate with people on other servers if you want to, at the cost of possibly exposing your metadata).

Bitmessage was a good attempt, but does not scale. It is time we created a project like the Tor project to do secure messaging properly.

4
0
Graham Cobb

So treat online like offline then

We affirm that the rule of law applies online as well as it does offline.

Thank goodness for that. I thought for a moment that they were going to suggest intrusive and excessive monitoring of private conversations.

Enough of this "Going Dark" nonsense: this is a pure power grab to try to use the online world to get a much higher level of surveillance than was ever possible in the past and eliminate freedoms we have had for the last century or so.

In the "offline world", private, unmonitored conversations are not only possible, they are the norm. Mass surveillance of private conversations is literally impossible and even targeted surveillance is hard, dangerous and very expensive: it involves placing spies very close to the targets, often in their personal lives, combined with sophisticated, expensive and often ineffective bugs. That cost is exactly the reason that we (society) allow it at all: we know it can't be abused too much because we deliberately limit the resources available so the authorities prioritise its use.

What the spooks see now is an opportunity to use the online world to completely remove those costs and barriers. Clearly they could do their jobs much more effectively if they could, in practice, have a tail and a bug recording every conversation on every man, woman and child 24 hours a day!

5
0

GnuPG crypto library cracked, look for patches

Graham Cobb

Re: It's important that it's been fixed..

You'd be measurably safer if all your application writers recompiled their apps to WebAssembly and you only accessed them via a browser.

I am happy to believe you. But you would be much safer still if the apps remained on the websites where they belong and the browser was just using HTML.

Obviously not everything could be done that way, but the answer is not to make it easier to create pages which do a lot of processing locally, particularly processing which is not easily inspected by human beings.

9
2

Constant work makes the kilo walk the Planck

Graham Cobb

Re: Something puzzling me

Actually I was wondering... Is it a matter of averaging (which, of course, can only help with random errors rather than systematic errors) or of intersecting ranges (error bars) which can give smaller error bars than any individual measurement (but relies on all the error bars being correct)?

I know that (at least some) time protocols rely on intersection: if clocks always report the time as a range ("I know the time is currently between 12:55 and 13:07") and you ask several clocks, you can get a more accurate value for the time than any one clock can report by intersecting the ranges (as long as all the clocks are really right in their range reporting, of course).

1
0
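The range-intersection idea from the post above, worked through as an added example (not from the original post or any clock protocol's own code). Clock readings are constructed sample values in minutes past midnight; the plain intersection assumes every clock's range is honest, and Marzullo's algorithm is shown alongside it because it goes slightly beyond the post by tolerating one clock whose range is wrong.

```python
"""Combining clock readings that are reported as ranges.

Each clock reports a (lo, hi) range, here in minutes past midnight, and the
true time is assumed to lie inside every honest clock's range.  Intersecting
the ranges yields a narrower range than any single clock reports.  Marzullo's
algorithm generalises this: it returns the narrowest interval consistent with
the largest number of sources, so one wrong clock is outvoted instead of
making the intersection empty.
"""
from typing import List, Optional, Tuple

Interval = Tuple[float, float]


def intersect_all(ranges: List[Interval]) -> Optional[Interval]:
    """Plain intersection of all ranges; valid only if every clock is honest.

    Returns None when the ranges do not overlap, which is the signal that at
    least one clock's range is wrong.
    """
    lo = max(r[0] for r in ranges)
    hi = min(r[1] for r in ranges)
    return (lo, hi) if lo <= hi else None


def marzullo(ranges: List[Interval]) -> Tuple[Optional[Interval], int]:
    """Return (interval, count): the narrowest interval covered by the maximum
    number of source ranges (Marzullo's algorithm).

    The sweep walks the sorted endpoints; entering a range increases the number
    of sources agreeing, leaving one decreases it.  The best interval is the
    gap between consecutive endpoints with the highest agreement count.
    """
    events = []
    for lo, hi in ranges:
        events.append((lo, -1))   # -1 sorts before +1, so starts precede ends at a tie
        events.append((hi, +1))
    events.sort()

    best: Optional[Interval] = None
    best_count = 0
    count = 0
    for i, (offset, kind) in enumerate(events):
        count -= kind  # kind == -1 means a range starts here, so count goes up
        if count > best_count and i + 1 < len(events):
            best_count = count
            best = (offset, events[i + 1][0])
    return best, best_count


def hhmm(minutes: float) -> str:
    """Format minutes past midnight as HH:MM for display."""
    return f"{int(minutes) // 60:02d}:{int(minutes) % 60:02d}"


if __name__ == "__main__":
    # Constructed sample readings: 12:55-13:07, 12:58-13:10, 12:52-13:02.
    honest = [(775, 787), (778, 790), (772, 782)]
    lo, hi = intersect_all(honest)
    print(f"intersection of honest clocks: {hhmm(lo)}-{hhmm(hi)}")  # 12:58-13:02

    # Add one clock that is simply wrong (13:40-13:50): plain intersection fails.
    with_faulty = honest + [(820, 830)]
    print("plain intersection with faulty clock:", intersect_all(with_faulty))
    (lo, hi), agreeing = marzullo(with_faulty)
    print(f"marzullo: {hhmm(lo)}-{hhmm(hi)} backed by {agreeing} of {len(with_faulty)} clocks")
```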

Backdoor backlash: European Parliament wants better privacy

Graham Cobb

Re: "decryption, reverse engineering or monitoring of such communications shall be prohibited"

Fortunately we will only have to wait about 20 years to get it. I am sure that within 20 years we will find that we have no choice but to ask to join either the EU or the USA (51st state) in order to have a reasonable position in a world dominated by very large countries (China, India) and very large economic blocks (North America, EU and something Russian-led).

And the EU is certainly not going to re-grant us our current rebates and opt-outs. But by then the end of the pound and entry into a fully federal environment (EU or US) will definitely be worth it. If nothing else, to allow us to share our elderly care and pensions problems.

Unfortunately, I am not sure I will still be around to see it.

6
0

UK PM Theresa May's response to terror attacks 'shortsighted'

Graham Cobb

Re: More legislation?

The politicians need to stop trying to blow smoke up our arses, interfering with the various security bodies, and let them get on with their jobs.

What politicians need to do is GROW UP and explain, in an adult way, that it is impossible to protect everyone all the time and to stop pretending that that is what they are doing. Explain that terrorism has been around a long time and that we have beaten it before, not with guns, prisons or magic (i.e. technology) but by staying firm to our principles and fixing the issues causing people to become terrorists so they prefer to do something else instead. Stop pretending, and do the real hard work of being a leader!

Unfortunately, this would require a charismatic leader. As there don't seem to be any of those around, that should be the government's main priority.

10
0
Graham Cobb

Enough is Enough Theresa

So, the terrorists have, at last, worked out that their best tactic is small scale attacks that can't be defended against without completely disrupting normal way of life. Who needs bombs, or the internet, when a van, a knife and going to your local town at a busy time will be much more effective in causing death, terror and disruption?

There are only two things that can be done about this. Both are within the power of the government, should be obvious and should have been done before now: 1) more police on the streets (both in target areas and in the community), and 2) addressing the source of the problem: the disaffected and violent attackers.

May is trying to a) blame everyone other than herself, and b) find a technological solution to a non-technical problem. More police in back offices, more surveillance, more GCHQ wizardry, changes by "internet giants", harsher punishments, internment will all have zero effect. The people doing this are extremely highly motivated, do not expect to survive (let alone be punished) and do not require specialist support (e.g. bomb-makers) or communications (secret or otherwise). None of the things May is talking about, or has done as Home Secretary or Prime Minister, will have any effect at all on this type of terrorism.

The real fix is to stop creating disaffected and motivated killers by channelling their energy, concern and commitment into a more positive activity. When a jihadist returns from Syria, don't throw them in jail (to radicalise others, become even more radical themselves, and build up all the contacts they need for future violence): work with the community to turn some of these highly motivated and committed returning fighters into community leaders, journalists, lawyers, activists and politicians. Channel that energy to fix what they see as the problems of society into a desire to solve the problem instead of destroying society.

Of course, it won't work with everyone, which is why we need police on the streets and very hard work to make sure the community do not endorse or even permit violence.

Spend money in the communities. Reduce poverty. Address the grievances and concerns. And remember that violence has always been with us, always will be, and is at an extremely low level now compared with both recent and longer term history.

And give up magical thinking that technology either causes or can help reduce this.

12
4

'Cloak and dagger' vuln rolls critical hit against latest Android versions

Graham Cobb

30 year old bug re-emerges on Android

Wow. I remember when computers started requiring that you press BREAK before they would give a login prompt, because people wrote programs that made it look like the terminal was waiting for login and captured passwords. I think it was VAX/VMS V2, in the 1980's, which first introduced it (at least to me).

Microsoft adopted the same strategy with requiring CTRL-ALT-DEL before you could login.

But someone forgot about this and started writing phone OS's that allow apps that require passwords and you can't use a secure gesture to make sure you are really talking to the right app?

10
0

UK ministers to push anti-encryption laws after election

Graham Cobb

It is appalling that at this time of distress and unity against evil criminals, the government would use the attack to push a trial balloon about removing the very freedoms British people fight for.

When I was a child, younger than the innocent victims here, I used to be very scared of an imminent nuclear attack from the USSR. My parents didn't tell me not to worry, they explained why we had to stand up against the threat: to protect the same freedoms that they had stood up for in WW2. The freedom to walk the streets without having to explain who we were, where we were going or why; the freedom from a police state; the freedom to live our lives as we wished.

Every generation needs to be reminded of what we stand for as a country. We need to shout together that we reject fear and cowardice and stand together to protect our rights, freedoms and way of life.

162
2
Graham Cobb

Yes, please do. I have paid my dues to the ORG since they were established and I used the great resources they had prepared to help me craft my carefully considered response to the Home Office consultation after they had warned us all and published it.

Of course, as I was not invited to respond I suspect my response will be ignored, but at least ORG have brought this out into the open.

10
0
Graham Cobb

Re: good idea but seriously

I fully agree that both the Tories and Labour are massively authoritarian. I strongly suggest not focusing on Left-Right but on the other axis of the Political Compass (https://en.wikipedia.org/wiki/Political_compass): Authoritarian-Libertarian.

On that basis, consider voting for either the LibDems or the Greens, to put a stop to this authoritarian rubbish. After all, it was the LibDems who forced cancellation of Labour's identity card scheme, which the Tories would have been very happy to continue with.

21
3

Proposed PATCH Act forces US snoops to quit hoarding code exploits

Graham Cobb

Simple process

I don't think this needs a complex review board. Much the same benefit could be created with a simple process:

1) A limit (say 5) on the total number of exploits which can be hoarded at any time.

2) An absolute time limit on the length of time it can be hoarded for. 12 months seems reasonable. After that time, it has to be reported to the manufacturer.

3) A risk assessment and contingency plan, including a patch prepared in advance by the NSA so it can be fixed immediately if it becomes known.

The problem is enforcement (trust, but verify), but codifying it in a law would help. At least it would be clear a crime has been committed if a more-than-12-month-old vulnerability appears on Wikileaks.

2
0

MP3 'died' and nobody noticed: Key patents expire on golden oldie tech

Graham Cobb

Re: Such Blatantly wrong headlines, MP3 is NOT dead, it's just now FREE

Corrected headline:

MP3 now FREE so use set to explode! Fraunhofer get Andrew to reprint press release in desperate attempt to drum up licence fees for their next patent.

8
0

Microsoft to spooks: WannaCrypt was inevitable, quit hoarding

Graham Cobb

Ministers need to sort out GCHQ

I will post here a comment I made over the weekend in a different location:

I stand by my view that this incident sits squarely at the feet of those who are paid to protect us but played gods by treating life-threatening faults as if they were weapons and had no contingency plans in place to protect us from the fallout.

Ministers should resign over it.

GCHQ need to get real and dramatically change their risk assessments and decisions around exploit hoarding. Of course we won't get rid of it entirely but this impact was completely foreseeable and the policy needs to properly take the risks into account. Not disclosing an exploit must be an exception; it must require sign-off from the highest levels in GCHQ; it must be very time limited (e.g. no more than 12 months); and there must be a contingency plan in place to deal with any public emergence of the bug before they disclose it (including emergency patches prepared to fix the problem).

And ministers need to bang heads together in GCHQ to enforce this culture change.

8
3

Uber cloaked its spying and all it got from Apple was a slap on the wrist

Graham Cobb

Re: Honesty

We need some high profile actions (probably both legal and moral -- including a few boycotts) to demonstrate to (mainly US) corporations that Terms of Service are a two-way street. I have terms of service for suppliers of services to me, and they are just as important as the ones they have for their customers.

They include no corruption, ethical behaviour and CSR. And if you violate them I will push hard to enforce them not just by cancelling my deal with you but by spending time, effort and money in convincing others to stop doing business with you and regulators to tie your behaviour down.

If a government department really has destroyed evidence of unethical influence from Uber then I want to see someone go to prison for the destruction of the evidence.

8
0

Put down your coffee and admire the sheer amount of data Windows 10 Creators Update will slurp from your PC

Graham Cobb

Re: Soft target?

Many of us don't bash Microsoft any more than others. There is plenty of Google-bashing on El Reg.

I use a Sailfish phone because it is neither Apple nor Android and is collecting much less data. I also do not install any apps that make intrusive demands, however "useful" or "fun" they might be. I would like to try SwiftKey but have not, exactly for the reason you raise.

Microsoft have a dominant position in the personal computer market and should not be allowed to abuse it by not giving people the option to turn off all data collection (maybe for a reasonable fee). Similarly Apple and Google should be required to do the same thing in the mobile market.

What we need is a functioning market in personal information: I should be able to make a personal decision about the value of my data and see whether companies are paying me (often in the form of a discounted price for their product) what I consider it is worth. If so, that is fine; if not I decide whether the undiscounted price is one I am willing to pay and either buy their service with no access to my data or don't buy it. As simple as that.

21
2

Biting the hand that feeds IT © 1998–2017