* Posts by djack

307 posts • joined 16 Jun 2009

Page:

Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

djack

The fix is just as bad

Now the software relies on a key that only Sennheiser privately keeps a copy of.

So they've just appointed themselves as a root CA. Wait until that key leaks and...

What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect .. no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.

Germany pushes router security rules, OpenWRT and CCC push back

djack

Re: Giving the vendors a choice will give the users a choice

If you have enough knowledge about firewalls and how the Mikrotik works, it is a great bit of kit, but for the average user the default configuation leaves a lot to be desired.

It is quite obvious that Mikrotik devices are not aimed or marketed at the average home user. It's quite obvious from the feature-set, UI and documentation that these devices are aimed at networking professionals who should be expected to be able to secure their own stuff. I wouldn't recommend Mikrotik kit to Joe Average for the same reason I wouldn't recommend Cisco, Checkpoint, Juniper etc. etc.

However, for those that can handle them, they provide huge capability for the price.

That said, there's no need for insecure by default.

Mikrotik routers pwned en masse, send network data to mysterious box

djack

Re: @marcus - Vulnerability is overstated

What complete idiot implements remote access in a consumer firewall ?

I wouldn't call Mikrotik a consumer firewall. They are squarely aimed at the semi-pro through to carrier market segments.

Plusnet customers peeped others' deets during system upgrade

djack

Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

PlusNet store your password in plain text

.. or at least encrypted in a reversible fashion.

Whilst this is not best practise for storing credentials, the PPPoE layer uses CHAP authentication. I've not kept up with PPP authentication methods but a few years ago at least, the options were send in clear, some sort of CHAP variant (where the server needs to know your credential in clear) or something proprietary that will restrict the type of router you can use. At this layer, they are making the best of a bad set of options.

and will email it out to you

This is where it all falls down though. They use the same credential store for access to manage your account and has accessible mechanisms to discover it. To my mind, they should be making every effort to make the credential store a 'write only' system.

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case

djack

Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

The 'service' is not being provided to the individual, it's being provided to advertisers.

Hence they have no defence of it being stored as an essential part of the service to the subject.

djack

Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

But that's the thing with the GDPR, the potential fines are quite large.

If someone has the will (and I'll admit it's probably quite a big if) then this sort of case could cause some massive changes of behaviour in the tracking and advertising industry. Probably just for European end users though. It will either cost a shed load in fines or a shed load in lawyers fees (and then hopefully a shed load in fines on top! - Hey, I can but dream)

djack

Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

Let's take the thought exercise a bit further ..

They have a bunch of data that is classed as personal. You may even go so far as being able to deanonymise some of it making it potentially identifiable (don't ask me how, but the deanon crowd can be scarily inventive when they get a hold of big datasets).

For any particular data element, they can say that they don't know who it is about. Therefore there is no way that they can evidence any informed consent for the collection and processing of said data. The individual is not (necessarily) a user of Facebook so there is no way that the data is collected as an essential part of any service provided to the individual. Therefore, as far as I can see, they would have no legal basis to keep hold of the data and should therefore delete it.

That will probably save them megabucks in storage costs ;)

djack

Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

Why does it matter whether he's a member or not? It's personal data that they have collected about him.

From a technical aspect, if he's a member it should make it easier for them to extract and collate the relevant data. If he's not a member, they have no justification or permission whatsoever for collecting and processing that data in the first place.

Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malware

djack

Barclaycard were a little bit proactive.

Dunno if it was related to this but Barcklaycard suddenly decided to revoke and replace my card over the weekend. This was a couple of days before the 23rd but other news sites indicate that people were aware of the attack before that date.

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

djack

Re: Actually...

.. or if you use letsencrypt as the CA, which the mention of certbot seems to be advocating even if it's not explicitly mentioned in the text.

it's not difficult to do, even without an updated version of certbot.

Two's company, Three's unbowed: You Brits will pay more for MMS snaps

djack

I had that same situation. It is likely a 'problem' with the configuration or provisioning of your SIM. I also thought it was because I was using a non-network phone. However, the last time I bought a new handset I needed to migrate to a nano sim. I made the mistake of getting a replacement sim (free and pretty much instant process in the local store). Ever since then it has been properly registering 'tethered' traffic.

Car-crash television: 'Excuse me ma'am, do you speak English?' 'Yes I do,' replies AMD's CEO

djack

Re: F1 is a Car Crash

They do need to sort out the media rights again. Hopefully something more along the lines of what Formula E are doing

.. giving it to a broadcaster that does not care about it enough to show it consistently. You have to play guess the channel does not lead to audience retention. Will the next race be on Five, will it be Spike or will they find some other channel to dump it on.

their emphasis seems to be on fan engagement and large audiences.

Fanboost needs to die in a fire. Having a popularity contest contribute directly to the available power a driver has isn't racing. Sam Bird is at a massive disadvantage, I reckon most Brit racing fans are traditionalists so he never wins the vote yet he still brings home the points.

An next year's Formula E car looks like something straight out of the Hot Wheels factory

yep, the Gen2 car looks hot hot hot. They actually designed in the halo instead of just plonking it on top like a pile of scaffolding.

I love F1, i also love FE. I don't understand the "it's slower" argument. The cars in an F1 race are going slower than in Qualy yet you don't say there's no point in watching the race. The enjoyment in the race is in watching the drivers getting very close to each other indeed and battling to get past/stay ahead through corners. there's typically much more of that in FE than there is in f1 nowadays. That said, both series were blessed with cracking races this past weekend.

djack

Re: Might not look scripted, but they've prearranged the interviews and for how long in advance.

Pretty much all of the gridwalk interviews is based on spur of the moment judgement, luck and being well-known enough that the drivers want to talk to you.

Brundle is pretty much the king of the art. I do remember one (not by Brundle) where the hopeful interviewer didn't have any luck. the entire gridwalk was basically repeating "Let's go and speak to <x> ... oh, he's gone to the toliet"

Keep it light, and keep doing something. Even if it goes horribly wrong the viewer will hopefully let out a sympathetic chuckle.

Nvidia: Using cheap GeForce, Titan GPUs in servers? Haha, nope!

djack

Re: Note to Nvidia

Why is it 'abuse' anyways? and why is one type of 'abuse' a licensing issue an another ain't?

if I decided to massively overclock a card, push 1KV where it's expecting 5V or dissolve the thing in acid, that can be construed as 'abuse' of the card but no-one is gonna come round and try and sue me for doing so, the worst that would happen is laughter if I tried to claim a replacement under warranty.

Consumer cards aren't designed to be run at full power 24x7. OK, state that and state that it's not covered by warranty if it breaks, that should be the beginning and the end of ir.

Security pros' advice to consumers: 'We dunno, try 152 things'

djack

Re: Don't open unexpected attachments

Malware can harm a company even without elevated privileges. Even if everything a user has access to is regularly backed up, a ransomware attack can still cause great disruption and expense.

Whilst there are gateway systems that can extract all "non-active" content from incoming files and just deliver that, they are not perfect, can throw away important content and are currently insanely expensive. Until that sort of system is perfected and commonplace, this sort of attack vector is going to be a massive risk.

Although we don't expect normal staff to "be" security guards, we expect them to not open the fire exit doors because some randomer wants to be let into the building. (That said, we all know that people hold open access doors for unknowns far too often) A bit of awareness is not an unreasonable thing to ask. Yes, mistakes will happen from time to time but "don't click links or attachments in unexpected emails" and awareness that emails may not be from who they say they are should not be difficult concepts for anyone performing pretty much any task in an organisation.

Star Wars: Big Euro cinema group can't handle demand for tickets to new flick

djack

Re: spoilerific

No, that's the gerbil out of g-force it's part of the Disney Cinematic Universe now, Kermit the Frog's in episode 9 in a role not dissimilar to Yoda, "here, hi-ho, Kermit the frog I am".

Surely it'd have to be Miss Piggy as Yoda.

Sofa-jockeys given crack at virtual Formula 1 world championship

djack

Re: Tight squeeze

dont forget swears constantly and hurls abuse at everyone else in the game

Why does that make them unfit? You could almost believe that the team radio conversations are in morse code!

djack

Re: Clarification by a simracing bore

winner of which will win a contract to be a test driver in their Formula 1 Simulator at the Mclaren Technology Centre.

That's basically what I do at the moment.... I'm sat in a chair wondering when/if my car will be fixed and emerge from the garage.

Sonos will deny updates to those who snub rewritten privacy terms

djack

Re: Farewell Sonos

If you did own a Sonos I wonder if changing the T&Cs to something you no longer agree with provides a case for you to return the goods for a full refund?

I don't believe that anyone managed it when Sony released a firmware update that removed functionality from the PS3.

IIRC, they used a similar sort of language as Sonos in that if you wanted to keep the OtherOS function, you simply didn't have to install the (unremovable) update. Though in reality if you wanted to play any games released after that, you had to install the 'optional' update.

Sainsbury's IT glitch spoils bank holiday food orders

djack

Re: Round these parts ...

Neither, we blame the weather.

Dell to patch AMT-vulnerable systems

djack

Re: Poweredge T20?

Hmm.

Mine is still well within its warranty period, so there's absolutely no way it should be unsupported.

Red alert! Intel patches remote execution hole that's been hidden in chips since 2010

djack

Re: PANIC!!!!!!!!!! :-)

That test looks flawed to me.

AMT sits between the physical ethernet controller and the os.

127.0.0.1 only represents the visual lo loop back device and therefore goes nowhere near the network hardware. Even doing that to the ip address assigned to your nic wouldn't work as the kernel would know that it doesn't need to send across the network.

Try it from another host on your network towards your i7 and you will get more accurate results.

Linux kernel security gurus Grsecurity oust freeloaders from castle

djack

Re: WindRiver?

There is no licensing issue. GrSecurity's kernel are license under GPLv2 which specifically allows the recipient to re-distribute.

However, you are not obliged to re-distribute and nor are grSecurity obliged to do business with you, so if they find that you have distributed the kernel they are entirely within their right to refuse to give you their next version.

The use of the grSecurity trademark is a different matter and I suppose the usage of it depends on what they are claiming in the associated documentation.

Hutch's Three UK users ripping through over 6GB a month

djack

Re: fortunately 3 do reasonable all you can eat data packages

It actually seems to be done via the SIM or network.

For whatever reason, they used to be unable to differentiate between my tethered and non-tethered traffic. I changed phone (direct from manufacturer, not from three) and realised I needed a nano SIM. Not having one of those hoe-punch style things to hand, I went to the local store where a helpful chap swapped my SIM out for free.

Result : my tethered traffic is now registering as being tethered - on the new phone and the old - no special firmware required. I can only guess that my previous SIM wasn't provisioned correctly.

As a long-term customer who doesn't (often) take the mick with the unlimited data, I enjoy a very significant discount on the unlimited service. they've bumped me off my old plan the other month but as it was the first price increase in about five or six years for me I'm not too aggrieved.

Solarwinds sends customers each others' complete client lists

djack

Re: @GingerOne

I would be very angry if any customer I looked after had had their details leaked knowing what could be on the way after such a breach of information.

if I were a Solarwinds customer in this case, I'd be worried what level of legal liability I would have to my customers if their data was involved in this.

djack

Re: The Cloud...

That's a case in point. It was a dedicated NHS system so the 'damage' was contained with in the NHS.

Aside from a deliberate act, there's no conceivable way that, say, everyone's data can be sent to BUPA. However if they both used a shared third-party cloud platform, you cannot make such an assertion.

Tablets become feebleslabs as sales spiral down

djack

Re: Everybody who wants one, got one

For example, I am typing this on my Nexus 10, which is getting to be close to 5 years old. However, it still works fine, and anything mid-range I could get to replace it won't be an improvement in terms of the screen quality, which is the crifical requirement for me.

I also have a nexus10 though sadly the battery is on it's way out, after a couple of hours usage the thing just dies with very little warning ((battery monitor would be 60-70% not long beforehand). It has also started to feel a bit sluggish.

Totally agree that there seems to be nothing at a reasonable price that comes close to the screen quality - I almost wish I hadn't got used to the Nexus as then what's available now would seem like an upgrade.

Furby Rickroll demo: What fresh hell is this?

djack
Black Helicopters

Spy Furby

Wasn't there some hysteria years ago that furbys might record voice and could be used as a spy device? This got them totally barred from many establishments even though the recording and playback was pretty much uncontrollable.

If you can change it's programming then this one could definitely be used in that way.

Oh, the things Vim could teach Silicon Valley's code slingers

djack

Of course releases are slow..

They are feature complete, do the job well and aren't chasing constantly changing standards or dealing with complex data in a changing security landscape.

That said, I agree that there's a lot to be said for stability, there should be different streams for browsers, one with feature updates and another concentrating with just bug and security fixes. I think that Mozilla have tried this with their esr(?) releases.

How can you say that the likes of vim and emacs are so much better than modern software that "feels like reinventing the wheel for the sake of it" when just in the previous paragraph you lauded Emacs' ability to render HTML.

Finally, yes if you have something written in a language or environment that can only be learned about by trawling through archive.org it should be re-written. The application is pretty much un-maintainable and the underlying infrastructure is obsolete and will therefore be crumbling. What happens if the execution environment has security issues or does not function in the next version of $OS?

The top doc, the FBI, the Geek Squad informant – and the child porn pic that technically wasn't

djack

Re: For the sake of argument...

If it was a legitimate medical image, why is it taken on his personal phone, not on a hospital/surgical system?

djack

Re: My 2p worth

<quote>I am not sure which of the two makes me sicker, some of the peodos are mentally ill, so some small sympathy, but the lawyer is scum.</quote>

Nope, the defence lawyer must and should do everything in their ability. The accused should get absolutely the best defence. that way any eventual conviction is rock-solid and beyond all doubt.

The laws against unwarranted searches etc.are there for very good reasons to protect society as a whole and the way of life you are accustomed to. They were put in place by people much cleverer in such things than you or I. Law enforcement should absolutely follow the spirit and intent law. By the sounds of it, the guy should absolutely be put away but he should have been caught in some other manner.

However, quite how a 'borderline' still from a known child sex abuse video would not be sufficient to get a warrant (wether the still was indecent or not) is beyond me.

Itchy-fingered OnePlus presses refresh, out pops value champ 3T

djack

Re: 'The capacitive buttons ... make it vastly easier to operate the phone in the car'

That has always been the case, the law has not changed. Anything that distracts you enough so that you are not paying enough attention to driving - whether that be a phone call, fiddling with the radio or talking to the person in the passenger seat - is dangerous and can lead to a charge of driving without due care and attention. The hand-held mobile law is different as it is illegal even if it isn't obviously affecting yur driving at the time. I think that the penalties have changed recently though.

Murdoch's 21st Century Fox agrees £18.5bn Sky takeover deal

djack

Re: 168 year old paper

I'm sorry, but I can't agree with any sentiment for people to die.

If you'd said to send the money grabbing human turd-nozzle to jail then I'd be in total agreement.

It's now illegal in the US to punish customers for posting bad web reviews

djack

Re: Trump might want to repeal that, especially because he said this about journalists:

I was just thinking of this tweet

Uber to Cali DMV: Back off, pal, our 'self-driving cars' aren't self driving

djack

Typical Uber

Their drivers don't work for them.

Their self driving cars aren't self driving (unless you want to claim that the driver is working for them).

Next week : their app isn't an app and the money you're paying them isn't paying them.

Work ends on Open Virtualisation Format

djack

OVF doesn't work

.. At least with vmware.

It's a great idea to allow interoperability between hypervisors. As the article says, the knowledge needed to convert between formats is well known and ovf was intended to be the standard to enable that. However, when the best known play only pays lip service then you have to ask what's the point...

Create a vm in virtual box and export as an ovf. Now try and import into esx or (shudder) vcloud. Even though all the required information is present in the ovf, vmware refuses to register the vm. You need to read the hardware details from the ovf, manually convert the virtual disk and manually create the vm. Btw, the import tool can clearly parse the ovf configuration and the disk conversion tool is part of esxi.

I hope that people have it better in the hyper v and xen space but from my experience ovf has failed.

Amazon's Netflix-gnasher to hit top gear In December

djack

Re: Yarrgh

@Buzzword

Not on the Amazon app on my Samsung TV, alas.

There is on mine, but it's not immediately obvious (and resets to 'everything' at any opportunity). Try pressing the Green (B) button on the remote.

Lenovo intros monster disk box

djack
Paris Hilton

Is maths broken??

1.5x the capacity of the 5U HPE D6000, which holds 70 3.5-inch drives

OK, 70 x 1.5 .. so it can hold 105 drives? Impressive.

Hang on..

the D3284 JBOD, a 5U enclosure holding up to 84 3.5-inch disk and/or solid-state drives.

Hmm .. my brain hurts.

UK's 'FBI' hit by DDoS barrage

djack

Re: Haven't they just been given oodles of cash to protect us agains this kind of thing?

Because their website has zero operational impact and pretty much zero value to them.

Unlike most businesses, no-one is going to use their website in an attempt to use their services. The site is totally distant from their operational networks, it is pretty much a place to put out press releases and PR material.

Given that an outage has no impact, there is no ROI on spending thousands on DDos protection - money that could be far better used doing what they are meant to be doing.

Stickers emerge as EU's weapon against dud IoT security

djack

Other Warnings

There should be other (ralated) mandatory stickers in bright red on white in inch high text like

WARNING : This product sends your information to other people

WARNING : This product will be an expensive paper-weight when <company> closes or decides it does not want to continue running it or wants you to upgrade.

Anything requiring those stickers don't go near my home.

CloudFlare shows Tor users the way out of CAPTCHA hell

djack

Re: nonce field - unfortunate choice of name

I never fail to giggle at it, but 'nonce' is a long established term in the fields of crypto based authentication. It is just a random blob of data that is generated on demand. basically it is unique and unpredictable so it can be used to establish a challenge for proof of possession of a key and a differentiator between different transactions.

As the actual value is irrelevant I guess that the name comes from a contraction of nonsense.

Crypto guru Matt Green asks courts for DMCA force field so he can safely write a textbook

djack

Little Comfort

There is a huge difference between 'unlikely to be prosecuted' and 'cannot be prosecuted'. Any potential for jail time has to be seriously considered by the individual.

Matt LeBlanc handed £1.5m to front next two series of Top Gear

djack

Re: Still Undecided

In partial defence of C4 as I totally agree with your thoughts about that other show (which was a totally different set of circumstances) ..

The BBC clearly didn't want F1 and were trying to do so in as quick a way as possible. So C4 picking it up has been a very good thing indeed. Whilst they haven't done quite as well as the BBC did in previous years, their coverage hasn't been too bad and also their live race sessions are broadcast advert-free (which wouldn't happen if a more commercial terrestrial channel picked it up).

With regards to EJ, he is essential viewing in the F1, his knowledge and insight is second to none (I don't believe any rumour until he has repeated it) but in TG he was totally wasted - not that I suppose he minded being paid to travel 1st class on the orient express.

What says Internet of Things better than a Bluetooth-controlled smart candle?

djack

I can see a point

The automatic extinguisher is a useful safety feature for people who are a little forgetful or have pets (that might knock over a normal candle).

Even though I fit in both groups, I'm still not buying one. I have functioning light bulbs that illuminate the room.

YouTube breaks Sony Bravias

djack

One of my big annoyances is the way that Samsung do updates.

Each update is mandatory and takes an age to install. The annoying thing is that it doesn't check and apply updates while it's in standby, oh no. Clearly the absolute best time to do so is when the user says that they actually want to use it.

Yeah, can have video on deman... Just as long as you give half an hour's notice first.

djack

Re: Who uses the internal TV smarts?

Me. It means that you can have a neatly wall mounted tv and not have to juggle with remotes etc.

A device that is a hdmi stick and uses the hdmi ethernet channel and integrates with the tv remote viahdmi-cec would be an ideal solution. Unfortunately it seems that no one wants to make one.

UK IT consultant subject to insane sex ban order mounts legal challenge

djack

Re: So,

What you've said is what is happening to him now.

I think you were meaning to say 'innocent unless proven guilty'

It also scares me the number of people who say 'until' - that imples it is an inevitability.

Email proves UK boffins axed from EU research in Brexit aftermath

djack

Re: Article 50

That has been the poison-drip from the Murdoch press

Successive governments have been to blame for this and they've allowed the press to fan the flames. Over many years, the blame for anything that could be seen as unpopular (regardless of the issue) has been placed with the EU., "It's not us, guv.. those forriners are making us pass these laws"

A case in point (one of many) is in food hygiene. At some point in the past, the UK gov passed laws forcing butchers to store cooked and fresh meat in separate coolers. This cost businesses a fair amount of money to implemented and caused a fair amount of wailing and gnashing of teeth. The presence of the law was blamed firmly on the EU. As France hadn't yet enacted such laws, some butchers were up in arms about how unfair and unbalanced the EU clearly was.

So... forcing you to reduce the risk of poisoning your customers is a bad thing., and of course you are going to lose business as your customer walking down the high street is going to see the price increase needed to pay for this in your shop (and all your local competition) and then therefore go over to France to get some bacon.

If past governments had grown some balls and pointed out that many of these rules (I'm not saying that this applies to every rule made over the channel) are a good idea and explain why it won't put most people at a disadvantage instead of weaselling out of it then we probably wouldn't have the strength of anti-EU feeling that has lead us to this.

BBC will ‘retain your viewing history’

djack

Re: What if...?

No real change.

Your household TV licence has always covered you for use of wireless transmissions received by a portable, battery-powered device wherever you are. Whether delivery is via long range DVB or short range wifi is irrelevant.

Linux letting go: 32-bit builds on the way out

djack

Re: Thinks Bubble

That is perfectly true, but no-one in their right mind* would be running Ubuntu on such an embedded system anyway. Ubuntu != Linux, the operating systems designed and suitable for that sort of role will continue functioning for a long time to come.

*OK, there may be some geek points available for using an industrial system as a desktop, but that's hardly normal.

Page:

Biting the hand that feeds IT © 1998–2018