Posts by Charles 9

8962 posts • joined 10 Jun 2009

Good luck securing 'things' when users assume 'stuff just works'

Charles 9
Silver badge

So how do you deal with the problems when you can't use mnemonics (because *a* the password rules won't let you use one and *b* you forget the mnemonic), a password manager (because the computer isn't yours or is communal), or a book (because again, you lack privacy)?

0
0
Charles 9
Silver badge

"Yup. How many people would prefer to log in automatically to an admin account so that on those rare occasions where they install a program, they don't have to take the whole extra couple of seconds to type in an admin password? My longest password in current use is in the 15-20 char range covering most of the keyboard, and it takes me about 3 seconds to type. How much of my life have I wasted watching 10 minute software installs every few months because of those extra 3 seconds? I could've done so much in that time! Why, that's a whole extra 10 seconds of sitting idly on my arse every single year! So much effort to type that in...."

Ever thought many people have to do this MUCH more often? Why do you think UAC was panned so much? Does the term "click fatigue" spring to mind? What about having so many passwords you can't remember them all (and you can't use a mnemonic because you forget the mnemonic) and a manager is not an option because the computer's communal? Too many people these days are suffering from a chronic case of Information Overload and just wish the KISS principle could be applied to everything to stop the insanity. Flip a switch and be done with it, thank you! Some people even feel locks on the front door are too much work.

0
1
Charles 9
Silver badge

Re: "Caught between Scylla and Charybdis"

Eh? Sting? I'm taking this from the Odyssey.

3
0
Charles 9
Silver badge

Re: "Nice to Have"

"Too late, there's probably a patent on that."

But it's probably also expired.

1
0
Charles 9
Silver badge

"...unless companies start building secure products then we're goosed."

But the money's not there. Customers want the job done FIRST, secure somewhere below that (especially if, like it usually does, it INTERFERES with getting the job done).

0
1
Charles 9
Silver badge

Re: Stop training users not to update!

So what happens when you're caught between Scylla and Charybdis: you CAN'T update because it'll break, but you MUST update because it's already broken, and you're obligated to use the device for legal, contractual, or practical (as in it's the ONLY one that'll work with your setup) reasons?

0
0
Charles 9
Silver badge

Re: How about what BT/VM do?

"Which is why some of us keep saying the solution is to make such security provisions mandatory. You want to sell your stuff here? This is what you have to do.

To some extent it levels the playing field - those costs are common to all products. And for manufacturers who can't afford that, maybe they're best kept out of the market. If they were selling cars would you consider it acceptable to omit brakes to enable them to compete on price?"

You ever thought about the Law of Unintended Consequences? Instead of keeping them out, you'll just move them to the lawless badlands of the gray and black markets. If people want them badly enough, they'll be provided in spite of God, Man, or the Devil. See Prohibition.

0
1
Charles 9
Silver badge

Re: Physical handshaking

"NFC comes to mind. Easy, cheap, extremely short range (almost contact only, if you want), and good enough for home routers and such."

Someone points a Yagi antenna at it. Range significantly increased.

0
0

Boffin's anti-worm bot could silence epic Mirai DDoS attack army

Charles 9
Silver badge

Re: go for it

I don't know. Most places have at least one telephone-based ISP and one cable-based ISP, meaning competition DOES exist since the two firms are usually crossing into each other's turf, making them bitter rivals. For example, in my area Cox and Verizon have to keep honest because both offer the same stuff (TV, phone, and internet).

0
0
Charles 9
Silver badge

How, when the average user doesn't even know such a function exists? Most people expect turnkey solutions.

1
0

Obey Google, web-masters, or it will say you can't be trusted

Charles 9
Silver badge

Re: Moms going to love this

No, why can't we come up with a nice Internet where we don't have to deal with things like this on an everyday basis?

0
0
Charles 9
Silver badge

Re: The whole mechanism sucks

What about foreign states? This would be an excellent tool of espionage and subversion, and criminals can be sponsored by states or working for them as a plausible deniability angle. Bet you many of the Chinese hackers running today have state backing. Plus what about larger criminal enterprises which are virtually states unto themselves in terms of the power they can pull?

0
0
Charles 9
Silver badge

Re: The whole mechanism sucks

P.S. It's always possible to beat a Web of Trust with enough shills, and States are particularly well-resourced regarding identities and shills.

4
0
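As an added illustration (not part of Charles 9's post, and not code from any real trust system), the toy Python model below puts a price on "enough shills". It compares two trust rules over a constructed endorsement graph: a plain vote count, which a cluster of attacker-controlled identities beats outright, and a PGP-style anchored rule where only seed identities are trusted a priori and k trusted endorsements are required, which the same cluster cannot bootstrap until k already-trusted identities have been co-opted. All identity names, the target site "shopX" and the attacker "mallory" are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed sample graph: endorser -> identities it vouches for.
# alice, bob and carol are honest seed identities; "shopX" is the
# hypothetical site the attacker wants the system to mark trustworthy.
HONEST_ENDORSEMENTS: Dict[str, Set[str]] = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "carol", "erin"},
    "carol": {"alice", "bob", "dave"},
    "dave": {"erin"},
    "erin": set(),
}
SEEDS = {"alice", "bob", "carol"}


def add_sybils(endorsements: Dict[str, Set[str]], target: str, n: int,
               controller: str = "mallory") -> Dict[str, Set[str]]:
    """Return a copy of the graph with n attacker identities ("shills") that
    endorse each other and the target, plus one controller identity."""
    g = {k: set(v) for k, v in endorsements.items()}
    shills = [f"shill{i}" for i in range(n)]
    for s in shills:
        g[s] = (set(shills) - {s}) | {target}
    g[controller] = set(shills) | {target}
    return g


def coopt(endorsements: Dict[str, Set[str]], compromised: Iterable[str],
          newly_endorsed: Iterable[str]) -> Dict[str, Set[str]]:
    """Model compromised or bribed identities adding endorsements for the
    attacker's shills."""
    g = {k: set(v) for k, v in endorsements.items()}
    for c in compromised:
        g[c] = g.get(c, set()) | set(newly_endorsed)
    return g


def vote_count_trusted(endorsements: Dict[str, Set[str]], target: str,
                       min_votes: int) -> bool:
    """Rule A: every identity's endorsement counts equally. The target is
    trusted once min_votes identities endorse it, whoever they are."""
    votes = sum(1 for endorsed in endorsements.values() if target in endorsed)
    return votes >= min_votes


def anchored_trusted(endorsements: Dict[str, Set[str]], seeds: Set[str],
                     k: int) -> Set[str]:
    """Rule B: only seeds are trusted a priori; an identity becomes trusted
    when at least k already-trusted identities endorse it. Iterate to a
    fixpoint and return the full trusted set."""
    trusted = set(seeds)
    changed = True
    while changed:
        changed = False
        counts: Dict[str, int] = defaultdict(int)
        for endorser, endorsed in endorsements.items():
            if endorser in trusted:
                for e in endorsed:
                    counts[e] += 1
        for ident, c in counts.items():
            if c >= k and ident not in trusted:
                trusted.add(ident)
                changed = True
    return trusted


def demo() -> Dict[str, bool]:
    """Run both rules against the honest graph, the graph with four shills,
    and the graph after two trusted identities are co-opted."""
    sybil_graph = add_sybils(HONEST_ENDORSEMENTS, "shopX", 4)
    coopted_graph = coopt(sybil_graph, ["dave", "erin"], ["shill0", "shill1"])
    return {
        "votes_honest": vote_count_trusted(HONEST_ENDORSEMENTS, "shopX", 5),
        "votes_with_shills": vote_count_trusted(sybil_graph, "shopX", 5),
        "anchored_with_shills": "shopX" in anchored_trusted(sybil_graph, SEEDS, 2),
        "anchored_after_coopt": "shopX" in anchored_trusted(coopted_graph, SEEDS, 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Under the vote-count rule four shills plus their controller are enough; under the anchored rule the shill cluster stays untrusted however large it is, and the attack only succeeds after two trusted identities (dave and erin) are made to endorse two shills, after which trust propagates through the cluster to the target. The cost of "enough shills" is therefore not identity count but k co-opted trusted endorsers, which is exactly the resource a well-funded actor has.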
Charles 9
Silver badge

Re: The whole mechanism sucks

Instead of compromising the trust authority, they'll just compromise the client instead. Social engineering and such to pull an identity theft.

0
0

LaCie flings out super-glam desktop Bolter drive

Charles 9
Silver badge

Curious...

Just how much footage (timewise) does one terabyte of 4K ProRes 4444 XQ footage tend to include? They don't provide a comparison.

0
0

Chinese electronics biz recalls webcams at heart of botnet DDoS woes

Charles 9
Silver badge

Re: Nice

Um, China's scary enough as it is. They've got nukes and an eastern mentality to warfare (meaning they could be more accepting of MAD).

0
0
Charles 9
Silver badge

Re: UPnP is a red herring in this thread @fidodogbreath

"EX1: Thingie vendor supplies a wizard to walk users through setting up a proper password, and does not make a UPnP port call until after that has been completed."

User doesn't HAVE a computer, so trying to talk them through a configuration process that may have to rely on an underpowered, non-spec portable device is just asking for hell desk trouble.

"EX2: Thingie comes pre-loaded with a randomly-generated ID and password that's printed on the device. If the user doesn't change them, well, at least they're not admin and password."

People lose the sticker. More hell desk trouble.

0
0

Bundling ZFS and Linux is impossible says Richard Stallman

Charles 9
Silver badge

Re: @Charles 9 - @boltar - Question

"That doesn't sound quite right. No licence can prevent one exercising one's right to free speech. Otherwise i couldn't mix GPL code with, on the same CD, the works of Shakespeare, a list of English words or indeed the file allocation tables off the media itself.. That would clearly be nuts."

Um, the license is related to copyright, and copyright IS a legally-erected restriction on the First Amendment: namely, speech and press can have ownership, and that ownership can impose restrictions which are supported by the law.

The works of Shakespeare are generally OUT of copyright because Shakespeare died hundreds of years ago. English words fall under the "too generic" escape clause (but a compiled dictionary can be subject to copyright), and the file allocation tables are the product of machine, not man.

"Clearly you can distribute GPL licensed software alongside non-GPL files, no matter what the GPL says."

No, because you can violate the license and copyright associated with the GPL. Without copyright, authors can't prevent their works being copied and so on.

0
0

Search engine results increasingly poisoned with malicious links

Charles 9
Silver badge

I don't know if there's a way TO test it further without getting all expensive. The poisoned links are basically turning Turing Tests against us: only opening up when it detects an unguarded (not protected by something like a VM or honeypot) human coming to visit.

1
0
Charles 9
Silver badge

Re: NoScript and AdBlock+

"If an ordinary site is unusable with Noscript or AdBlock+ then I remove it from the sites that I visit."

And if it's the ONE AND ONLY source of something you need? Like your device company's website and the ONLY source for official drivers (it's hard to trust anyone else now since they can inject their copies)?

0
0
Charles 9
Silver badge

Re: RE: malware capable of --

"1. Require the attackers to do a lot of time-consuming development on hypervisor attacks, Linux vulnerabilities, and low-level hardware coding,

2. Result in access to a few tens of thousands of PCs worldwide."

1. Only need to do it ONCE. Then anyone else can copycat. Perhaps state-level hackware can be copied.

2. High-value targets. If they're behind this much lock and key, they're likely to have secrets.

0
1
Charles 9
Silver badge

Re: "looking at location or IP"

Both peer-to-peer and blockchain have data costs, and many users have low data caps, meaning they'll end up paying more for less. That's why I had to give up on freenet and bitcoin.

1
0

ARM: Hold my beer, we'll install patches for your crappy IoT gear for you

Charles 9
Silver badge

Re: Payment for updates and escrow

And if manufacturers balk at the requirements and switch to Intel or some other CPU architecture to avoid the rigmarole?

0
0

OK Google, Alexa, why can't I choose my own safe, er, wake word?

Charles 9
Silver badge

Re: Being able to unlock your house from outside... already done

"A proper exterior door (both in domestic and business settings) should NOT be easily kicked in with half a ton of force."

Can AND WILL. Trust me. I've seen the results first-hand. Pine (the average framing wood) just doesn't have that much shear strength. That's precisely WHY most business doors are steel-framed and if necessary carry additional anti-jimmy measures.

"There is a reason most police forces have specially designed "universal door openers" (ie. battering rams) for the purpose."

It's so they don't break their legs, plus since they have handles on TWO sides, it also allows for two-manning if you need extra muscle. A burglar usually won't have that many resources plus will want a stealth angle at least for the initial approach.

"It makes a lot of racket and attracts attention of witnesses."

Unless it's the middle of the day, when everyone's at school or work. Most burglaries actually occur in broad daylight...because of this.

"Standard MO is thus to work quietly, at best using a crowbar, preferably drilling or breaking a lock to gain entry."

No, standard MO is to work quickly. If you can get in and out inside of 60 seconds, anyone who happens to be home at the time (again, they're likely at work or school) probably won't have enough time to make anything out, let alone notify the cops. No details means no way to track you means a clean getaway as long as you can conceal your loot (easy enough with something common but large like a van, SUV, or covered pickup).

0
0

Self-driving cars doomed to be bullied by pedestrians

Charles 9
Silver badge

Re: Yes, it IS a game of chicken.

If I'm thinking what you're thinking, I believe the original concept was for them to have straight sides. However, the mechanicals needed to make them mobile were too big to fit in the original frames; in addition, widening the bottoms to fit them made them more stable, so they went with the modified design, and one of television's most iconic villains was created.

0
0
Charles 9
Silver badge

Re: Non-issue.

"It does help it's mainly mopeds, I'll agree, and generally they tend to drive pretty slowly for the most part, so dodging traffic is not too bad in some places, but I have been hit by a kid who was texting while riding his scooter; luckily he was going slow and I saw him coming so was dodging. I think the roads in Vietnam seem safer than Thailand, where it can be a bit more scary in general."

I don't think the Philippines is much different. The general rule seems to be that when it comes to pedestrians, they're on their own, although some places (like Metro Manila) are so packed with cars that often they're barely moving, making it pretty easy for pedestrians and street peddlers to go their merry ways. More open areas of the cities, you need to just be aware of the traffic, though if you can take a detour to roads less traveled, that would be preferable. As for the boonies...good luck.

1
0
Charles 9
Silver badge

Which means NO ONE looks. Isn't Boston where yellow is "Go Faster" and red is "Last One"?

0
0
Charles 9
Silver badge

Re: Hailing a self driving car?

"Newsflash - there are already these things called "taxis" (maybe you've heard of them?) that you can hail that have been around since before the internal combustion engine was invented. Oddly it hasn't stopped people buying their own cars. Also the chances of anyone who's forked out a small fortune for a car just to let it become an unsupervised taxi where drunks can throw up with impunity or try and steal the contents or fittings I suspect is pretty damn slim."

Newsflash #2, have you seen their fare schedules? Why do you think people avoid them unless they absolutely have to? Given how much we need door-to-door transit every day, all those taxi fares would add up to well over the car and then the annual costs associated with them. At least train and bus fare is much cheaper, but for it to be practical, you have to be pretty close to a stop or station.

The hope is that with automated cars, taxi fares can be reduced to make them less expensive than the ongoing costs of owning a car, convincing more people to give them up.

0
1
Charles 9
Silver badge

Re: Simple.

You can't automate shoes since it's the legs that do the actual locomotion, and legs can be some powerful things making them hard to control.

0
0
Charles 9
Silver badge

Re: Right of way

I was always taught the Right of Way means the right to travel across a specific area before others. Thus cars IN an intersection have the right of way over those coming to it, why straight-goers have right of way over turners, why emergency vehicles at work (sirens on) have right of way over other cars on the same road, and so on. Because it can apply at intersections, too, this applies both to cross traffic and to pedestrians. Pedestrians can be granted right of way under certain conditions, like during school hours or when a school bus, crossing guard, or police officer asserts.

1
0
Charles 9
Silver badge

Re: physics

"besides an AI will likely calculate the odds of stopping in time and decide to change lanes and slow down, avoiding the pedestrian entirely without compromising speed by much, bypassing the whole point, unless they do something stupid, like change direction, into the lane the automated vehicle was moving into in too short of distance for it to avoid them, then they deserve the darwin award for being that dumb and dead."

Suppose it's a single-lane or the other lane's occupied? Or it's a human cordon where there's nowhere to divert (and these can stop human drivers)?

1
0
Charles 9
Silver badge

Re: But we will know who they are

And as the weather gets colder I imagine those lunatics will start committing crimes wanting to get jailed since jail will be preferable to being out in the cold; at least jail has a roof and laws protecting against cruelty while incarcerated.

2
0
Charles 9
Silver badge

Re: Yes, it IS a game of chicken.

"Or maybe add a manual override -- and then we're back to where we are now."

The main problem is the Laws of Robotics. At their core, we don't want robots harming us through action or inaction. By that standard, they'll never win against trolls who abuse the Laws. Any robots that don't won't be in use for long because of our self-preservation instinct.

1
0

Uber's robo-truck makes first delivery of ... Budweiser in Colorado

Charles 9
Silver badge

Re: @bobajob12 - This is the future

For every flight you can list that was saved by pilot action, I can probably point to a bunch of tragic incidents that were CAUSED by pilot error. And note I said error, not deliberate action like 9/11.

Here's 11 for starters. Wikipedia also keeps tables of articles about airliner incidents, and it goes back a ways. Quite a few are the result of pilot error (like Controlled Flight Into Terrain).

0
0

Web devs want to make the Internet of S**t worse. Much worse

Charles 9
Silver badge

"Customs peruse eBay/Amazon/whoever for stuff that looks as if it might not comply and make a few trial purchases. If it's a vendor with a UK address, even if the stuff is posted direct from China the UK vendor gets prosecuted. For the rest eBay/Amazon/whoever get an offer they can't refuse and simply stop advertising the stuff."

And if the vendor ITSELF is from outside enforceable reach, like alibaba which is itself based in China? As for the eBay stuff, odds are the sellers can go fly-by-night and disappear before enforcement can come at them, not to mention eBay and the like are MULTInational so are hard to really pin down as their operations can shift; like I said, they and China can play sovereignty against tight governments. That's also how taxes are dodged and why big oil companies tend to get favors. Few things get a government's attention like a big firm threatening to pull up stakes and take their business (and tax revenues) out of their reach.

1
2
Charles 9
Silver badge

Re: Security First

"You might reasonably reply that the rise of market places such as eBay makes it possible for the Del-boys to sell non-conforming items. Yes it will; it also makes it possible for other safety regulation to be by-passed. It's another thing for legislation to catch up with. It's not an entirely separate issue but it's one which will get tackled in due course."

No, because the gray market by definition goes AROUND regulation, any and all. You ADD regulations, they just go AROUND them, usually by a direct shipment which is easy to do with something this small, unlike larger things like cars. Do they really, REALLY inspect every single little parcel at EVERY port of entry? It's a lot like the drug wars. If people want them badly enough, they'll find ways to get it in spite of God, Man, or the Devil. You have to either fix the source or fix the destination. Sovereignty prevents you fixing the source and stupidity prevents you fixing the destination. It's times like this that you have to wonder if this is the right battle.

0
1
Charles 9
Silver badge

No, gray markets go AROUND regulations by cutting out the middlemen like customs. How can products be regulated when not even the government knows they're coming in? The only way to tackle the gray market is at the source, but the source isn't cooperating. It's like the drug wars.

0
1
Charles 9
Silver badge

"You name it, I'll disable it, thanks."

Pretty soon, most of the web will REQUIRE it just to run, in which case you'll have a decision to make. Bend over or go back to the Sears catalog (as in abandon the Internet altogether)?

0
1
Charles 9
Silver badge

Yes, I do get it. What I'm saying is that the big big plan is to make it so that modern society comes part and parcel with Big Brother via the backdoor. How will you buy a dumb TV, for example, when there aren't any left because TV standards will REQUIRE an interactive TV just to pick up the channels? You can't use analog TVs by themselves anymore because all channels are digital, for example. That's just the first step.

And it'll apply to all appliances soon, using powerline networking or whispernets if need be to get around anything cleverdicks/smartypants try to block the networking (and using suicide circuits to break the devices if you try to kill the radio chips).

1
1
Charles 9
Silver badge

You forget the times BEFORE that, where industrial pigments and sanitation weren't so abundant, plus most people grew their own food or bartered from the neighbors who also grew them. As I recall, back then life expectancies STILL weren't over 50.

0
0
Charles 9
Silver badge

I'd like to suggest that, to them, it's not a mess; it's the desired result. It's also the human condition; you versus the neighbors. And unless you want to go back to hairshirts, making everything you need from scratch, no electricity or running water and life expectancies under 50, you pretty much have to bend over.

2
0
Charles 9
Silver badge

"A UL for software needs to occur. We need to give software the same legal status as hardware and allow software companies to be sued. No more 50 page disclaimers. Software needs the same legal status as any hardware device, like a car."

How do you deal with the China angle, though? China has sovereignty, and most of the devices come through gray markets where regulation doesn't really exist.

1
0
Charles 9
Silver badge
FAIL

Re: Security First

"Jeez. Just how long will it be, and how much pain do we have to go through, before the companies that make any kind of coded kit, from toasters to PCs, realize that the first action in any code is to make it secure? It seems probably never in the case of when, and not even when the pain kills the patient in the case of what has to happen."

In most spheres, security doesn't sell because it gets in the way of getting the job done, which is the first and foremost requirement of ANYTHING. You buy things to get jobs done; if not, you're throwing money away. Security first can ONLY come if a Machiavellian Prince with some scruples takes over the world and demands it with extreme penalties for noncompliance. Otherwise, sovereignty, competition, and overall human stupidity will ensure it'll never happen.

2
0

Data ethics in IoT? Pff, you and your silly notions of privacy

Charles 9
Silver badge

Re: These little morsels of information

What about information that pertains to multiple parties simultaneously, such as employment information, which is germane to both employer and employee. Who gets the final call in a yes/no decision about this data?

0
0

How many Internet of S**t devices knocked out Dyn? Fewer than you may expect

Charles 9
Silver badge

Re: Maybe some basic math?

Really? Where I sit that's about $100/month. Most users I know are lucky to have 1Mb/sec (DOWNstream).

0
0
Charles 9
Silver badge

Re: Solution?

You can't cache these days because the same query can return different IPs with each query. This happens to be one way to avoid hammering a server.

0
1

Windows Atom Tables popped by security researchers

Charles 9
Silver badge

Re: Firewalls to block the downloading of executables?

"Identify all potential executables including interpreted scripts."

Wouldn't that just be a matter of fencing in the interpreter so that IT can't do anything bad?

0
0
Charles 9
Silver badge

Because it was never broken. And you know what they say about what to do if it isn't broken...

And the thing is that this can be the initial link of an execution chain. Imagine linking this to a privilege escalation...

1
0

Divide the internet into compartments to save us from the IoT fail whale

Charles 9
Silver badge

But how do you keep it from (a) becoming as lawless as the one we have now or (b) building a completely-stateful Internet (Hello, Big Brother)?

0
0
Charles 9
Silver badge

Re: About bloody time

"The only solution I can see is a standardised IoT h/w platform, pretty much along the lines of the PC model, where all of the software can be maintained independently of the OEM or vendor."

Which will never happen because device (and CHIP) manufacturers value their trade secrets in a highly-competitive market. Plus there are countries like China who don't care and can hide behind sovereignty.

0
0