* Posts by Sandtreader

93 posts • joined 22 Jun 2009


British Airways hack: Infosec experts finger third-party scripts on payment pages


Re: is it just me

Good thought - indeed any competent web dev could write both this code and the backend POST handler in under an hour. But that leaves out the capability to inject this in the first place, and then 'fence' the massive resulting data set, which I guess points to a more established group.


Looking at the JS

JS dev here, a few interesting points about the added code:

- Uses JQuery explicitly rather than $ - maybe the BA site had disabled $?

- But doesn't use JQuery all the time, when it would have been quicker to do so - getElementByID("personPaying") - maybe indicating two authors?

- Odd to replace window.onload entirely when you have $(function() { ... } )

- Uses a 500ms setTimeout and async AJAX to avoid delaying the legitimate operation, and domain 'baways.com' which looks plausible-ish, in case anyone notices it in the status bar.

- As the article says, binds to both mouseup and touchend so it also works in their thin-wrapper mobile app. That must have been an unexpected bonus :-)

The big question, of course, is how did the attackers manage to inject this into their static CMS server? But it emphasises that if you are loading libraries - yours or third party - the security of those sources is just as critical as the payment handling server.

ICANN CEO criticizes domain 'hoggers'


Sir Humphrey

It's one of those irregular verbs: I invest; you squat; he is a bounty-seeking lowlife who gums up the works for legitimate commerce.

Pine trees' scent 'could prevent climate change really being a problem'


Negative feedbacks only as good as the ecosystems that produce them

I asked James Lovelock at a talk once why he was so concerned about positive feedbacks when all his work on planetary homeostasis ("Gaia") suggested the predominance of negative ones. His answer was that we are destroying the agents of negative feedback, in particular the forests...

Bloke hews plywood Raspberry Pi tablet



Sir, you are a Sandbender. I know of no higher praise.

"It started with a woman who was an interface designer ... Her husband was a jeweller, and he'd died of that nerve-attenuation thing, before they saw how to fix it. But he'd been a big green, too, and he hated the way consumer electronics were made, a couple of little chips and boards inside these plastic shells. The shells were just point-of-purchase eye-candy, he said, made to wind up in the landfill if nobody recycled it, and usually nobody did. So, before he got sick, he used to tear up her hardware, the designer's, and put the real parts into cases he'd make in his shop. Say he'd make a solid bronze case for a minidisk unit, ebony inlays, carve the control surfaces out of fossil ivory, turquoise, rock crystal. It weighed more, sure, but it turned out a lot of people liked that, like they had their music or their memory, whatever, in something that felt like it was there. . . . And people liked touching all that stuff: metal, a smooth stone. . . . And once you had the case, when the manufacturer brought out a new model, well, if the electronics were any better, you just pulled the old ones out and put the new ones in your case. So you still had the same object, just with better functions."

Gibson. Idoru. GIYF.

Blame Silicon Valley for the NSA's data slurp... and what to do about it


Irony not lost

Interesting article - made all the more apposite by the Skyscanner advert (via Criteo) that appeared to the right of it which is offering me the same flights I searched for yesterday.

Do as I say?

DON'T PANIC: No FM Death Date next month, minister confirms


Long grass

Reminds me of Gordon Brown telling us we would consider joining the Euro when the economies converged - i.e. never. Let's hope this has a similar effect.

How STEVE JOBS saved Apple's bacon with an outstretched ARM


Wilson / Furber

Not a single mention of Sophie (then Roger) Wilson and Steve Furber. Really sad.

Google puts Dr Who's Tardis onto Street View - and you can get INSIDE


Classic stage set

What I love about this is it isn't CGI - you can see the weld marks and marker tape on the floor, and if you look up to the edge of the canopy there's a definite hint of the set-builder's staple, 2"x2" PSE, holding it up! You can also amuse yourself working out what all the knobs and levers came from originally :-)

Richard Stallman decides Emacs should go WYSIWYG


Re: Free as in "you're free to go and get your own beer"

Oh FFS, don't you (and the others in a similar vein) think RMS has earned the right to make suggestions rather than code it all himself? Suggest you try whinging about it without using anything compiled by GCC, running on GNU/Linux or developed in emacs.


Tell you what I would like...

My ideal text processing system would be:

1) Simple structured text entered in emacs - maybe XML but some kind of tag generation/folding/autocomplete assist would be good

2) CSS stylesheets with import (so they can be standardised across documents)

3) Live preview in a side window

4) Export to sane PDF

That would give me both consistency and the ability to properly source control documentation. Not exactly WYSIWYG but the optimum combination I think. I know some/all of that is possible in LaTeX but the styling isn't to my taste.

(emacs coder currently using LO for docs)

Google Earth SHOCK: ZERO point ZERO ZERO SIX of world forests disappear each year


That's alright then

200 years left before it's all gone, that's alright then. Who needs oxygen or soil anyway?

(BTW, can't replicate 0.6%: 1.5/32/12 ~= 0.004)

Sail HO! Look out Bay Area - it's the GOOGLE GALLEON


For small values of "seaworthy"

I like the fact that they will take down the sails when the wind blows. Very wise with an AVS probably not more than 30%...

(good call on By and Large, Capn' Wykeham)

Your kids' chances of becoming programmers? ZERO


Re: So fix it!

[@dominic National Curriculum]

So people can see what is really in it:


OK, they aren't teaching Lambda calculus (although you won't get far in Javascript without using it, implicitly), but there is algorithmic complexity, Boolean logic, modularity, plus real coding.

Agreed about Computing teachers but I'm finding there is an older generation of Maths & Science teachers who do remember some Basic and Fortran and are keen to learn.

You have to work with what you have, with a positive attitude; but the general attitude here seems to be we're f*cked, leave it to the Indians.


Re: So fix it!

[@davtom, choice of language]

That's easy - Java in Greenfoot (www.greenfoot.org). Not a perfect first contact language maybe (Python probably shares that with BASIC in terms of PRINT 2+2, and LOGO was hard to beat) but teaching good concepts and more importantly, a brilliant mini-IDE with a sprite-based world to make games in and a wealth of teaching materials and support forums. And it's free and runs on anything. Next question?

(it would be interesting to know how many people whinging about access being too hard and capability too limited have ever even heard of Greenfoot, or have seen kids playing with it)


Re: So fix it!

I think we need to expose all kids to the basics early so you can find the ones with the real talent for it later - exactly as we do in maths, science and modern languages.

Understanding an algorithm at KS1 could be as simple as taking them out in the playground and getting them to sort themselves in height order (easy) and then birthday order (harder) and then some loose discussion about what happened. Understanding why computers are dumb could be getting them to shout instructions to a blindfolded child to navigate a simple maze.

FWIW back in 1984 I was teaching LOGO to schoolkids (year 6, I think) as part of a computers-in-schools project in Plymouth. We need floor turtles again!

But I agree, teachers will need a lot of help with this - hence my exhortation to us geeks to Switch Off The Monitor And Do Something More Interesting Instead (there, that dates me even more!).


So fix it!

Obviously I don't know what you are going to put in the second article yet but I refute the title - it has been true for the last two decades but look at the new National Curriculum which has Real Computer Science and Programming at every level from KS1 up.

Actually it's not even completely true now - there are kids out there who have found their own way into C++ games development, ObjC/Java mobile apps or Raspberry Pi Python hacking. I've met them in schools and have had some as work experience - every bit as keen to learn the deep stuff as we were in 1980.

This kind of "ain't like the good old days" 80's nostalgia is all well and good but it's getting old hat. What's needed now is a concerted positive effort from education and us in industry to fix it. Schools are crying out for help - Google "STEM Ambassador" or just go and talk to your local school's head of ICT who is probably panicking right now. Learn some Greenfoot (Java) and Scratch (drag-and-drop) and get out there!

Moto sets out plans for crafty snap-together PODULAR PHONES


Cost & reliability

It's a great idea in theory but the mantra I was always taught for reducing cost and improving reliability in consumer electronics is removing connectors and reducing independent assemblies.

I suspect it might have a limited market for people like El Reg readers, though...

BBC's Clangers returns in £5m 'New Age' remake


Re: Swear like Troopers

You mean you can't understand them? I could (when 5) and still can (when suitably inebriated)!

Nasty BOFHses. It burns us! It burns...


The BOFH is Harry Tuttle, and I claim my five pounds.

Facebook's request to the flash industry: 'Make the worst flash possible'


Re: What about tape?

Read-from-deep-archive times are the key here; what if your kitty pic is in the middle of a tape that's in a rack 10m from the drive? User Gets Bored, "FB sux".

Flash doesn't need power when it's not being written or read either - I think dynamic power management would be front and centre of the storage device design.

What I can't get my head round, though, is the implied contract of FB, Google/YouTube, Flickr an' all with their users is to keep all their data, however much they like, forever. Can they keep that up indefinitely? If not, who is going to prune it?

Can't agree on a coding style? Maybe the NEW YORK TIMES can help


Re: @Robert Long 1 @Richard #1

In Cornwall you'd be an emmet; grockle is Debon, me 'ansome.

(anyway 'grok' comes from Heinlein = understand to a point of total immersion)

Texas students hijack superyacht with GPS-spoofing luggage


Re: This is an issue for incompetent crew only IMO.

Indeed, although everyone has done their DR/EP/Astro stuff in the classroom there probably aren't many who could do it live and even then they'd only try if the GPS fails completely.

But as a modern day Cornish wrecker (=large-scale beachcomber, really) I feel obliged to point out that the whole leading ships onto rocks thing is highly debatable; sure they made use of stuff that washed up, but there are more real stories of heroic rescue than myths about deliberate wrecking. Plus if it ever happened you're talking a lot older than our grandparents' generation - I caught the 'wrecking' bug from my Granddad, but he was the local Police Sergeant!

WTF is... WebRTC?



Just thinking... Could support for uncooperative browsers (IE!) be provided with a Flash app using the Camera/Mic access and implementing the WebRTC protocols over a raw socket?

Bendy screens are the future, screams maker of bendy screens


Empty gestures

New gestures:

To delete the current file, scrumple up screen and toss in recycling bin.

To shred the current file, rip screen in half or set light to it

To archive current file, spike on sharp vertical spike on desk (HSE's nightmare)

To e-mail current file, fold screen, put it in envelope and hand deliver to recipient

To decrypt current file, soak screen in benzene and hold over a light source



... or possibly "minimum".

Browser makers rush to block fake Google.com security cert


Re: Trusting trust

On further investigation:



It looks like the intermediates/subordinate CA certs that were issued were *not* their standard ones, so other customers wouldn't be affected. That still leaves the issue of the whole system only being as strong as its weakest branch, though.


Re: Trusting trust

If the intermediates that were wrongly released (more accurately, private keys revealed) were their standard ones in current use then revoking them will indeed revoke "some or all" of the certificates previously issued. So although they could in theory reissue a new intermediate and carry on, there's a good chance every one of their current customers will be baying for blood, never mind the browser developers wanting bits of their anatomy on skewers. Ouch.

But as others have said, every time this happens it shows the weakness of a distributed authority system where any branch can pretend to be any other branch. Proper integration with the domain system which provides firewalls between branches is the only solution.

Bash Street bytes: Do UK schools really need the Raspberry Pi?


Horses for Courses

I'm working with some other schools in Cornwall on developing proper Computer Science / Programming teaching to replace the godawful Office-based GCSE ICT. We're taking a twin-track approach:

1) Scratch (probably up to year 8) and GreenFoot (year 9 and above) to teach proper programming on existing ICT suites - both can be installed by the ICT tech in a few minutes, and completely free.

2) Raspberry Pi to enable all kinds of 'physical computing' projects in DT, Physics, Biology, Chemistry, Sports... Probably using only one or two devices for each project, not a classroom full.

So I agree with the article, I can't see the need for a suite of RPi's lined up in rows, it has far more value as a component for tinkering in the real world. What it has done, though, is lit up the entire debate and pulled things like Scratch and GreenFoot (which have existed quietly for years) into the limelight - all good.

Post-defenestration Microsoft: It's the APIs, stupid. And Metro


Re: Lack of Use (If Any) and Lack of Knowledge (If Any)

OK, leaving aside the fundamental impedance mismatch between touch and desktop UI metaphors, we geeks could probably hold our noses, learn to configure away the worst bits of it and set it up so it is vaguely usable again, because after a lifetime of it we're used to reconfiguring our brains and spending hours tweaking to adapt to badly designed products

That's not the point. The point is the vast majority of users are like your "older lady" and we are going to have to support them. That is a sword of Damocles hanging over the IT world and everyone except Microsoft and a few gadget freaks knows it.

The GPL self-destruct mechanism that is killing Linux


Festering hacks, endlessly copied and pasted...

Not a great article, but El Reg journalism isn't *that* bad.

BBC in secret trial to see if you care about thing you plainly don't


Needless obsolescence

No, the primary argument is making hundreds of millions of FM radios - in cars, homes, phones, building sites - needlessly obsolescent overnight, for no benefit whatsoever.

The switch to digital TV made sense because it gave a massive improvement in quality, TV is mostly a full-attention medium where people care about quality, the devices were renewing anyway (CRT to LCD) and most households have only one or two of them. Radio is entirely different. DAB quality improvement is hotly debated; radio is for most people a background medium in a noisy environment, the devices don't require any upgrade and many households have lots of them. I count about 7 in mine, of which 4 are in active use (two cars, one phone, one wind-up portable).

DAB does have its place (where it works) for fixed installations for audiophiles. Fine, let them have it. But for 95% of users it's completely unnecessary and because of the power and quality issues, a retrograde step.

... and don't even get me started on the death of truly local radio due to the bigger advertising regions.

Microsoft: Welcome back to PCs, ARM. Sorry about the 1990s


Missing the point about RISC

The most important point about RISC isn't arguments about instructions per second, but reduced die size. The original ARM-2 had 30,000 transistors, roughly the same as the 8-bit 6502. That makes it (a) cheap (b) low power (c) easily testable and (d) easily integrated.

Pints all round as Register Special Projects hacks hack off feet


Wood yard?

Don't you mean an 8km drive to the wood 0.9144m?

Metric versus imperial: Reg readers weigh in


Cat-o-ten-tails? Shiver me timbers!

Cat-o-nine-tails are made by unlaying twice-laid 3-strand rope, me hearties. Neither man nor Devil can make a cat-o-ten-tails.

Microsoft releases JavaScript alternative


Shades of ML

OK, he says it isn't type provable (it can't be because it allows 'any' types) but there's a lot of really nice ML-like type inference going on here.

As someone whose main gripe with JS is lack of types leading to runtime failure I think this could be a real boon - but I'd want the same code completion & inference tricks in Eclipse, please!

Famous thesps tread boards on smart TVs


Macbeth! Macbeth! Macbeth!

The superstition over mentioning Macbeth only applies if you are inside the theatre at the time...

Everything Everywhere to be Nothing Nowhere in rebrand



Orange + T, clearly.

New MPEG format paves the way for UHDTV


Re: The critical measure here is the bit rate

>> Where are you going to find space for 90Mb/s, or even 25Mb/s, signals without returning the UK to a three channel country?

Multicast IPTV over GPON Fibre

Arctic ice panics sparked by half-baked sat data


Re: (Slightly) longer term view

Fair point about the annual mean trend. You should be able to get the summer minimum trend with from: 1979.6 / every: 12 / trend but this doesn't work, it forgets the expanded scale. I'll add it to the bug list!

(Neat trick using every:12, BTW, hadn't thought of that myself!)

Paul, WFT


(Slightly) longer term view

Looking at the Sea Ice extent over 30+ years puts ice-free in the summer somewhere around 2100 - *if* the present trend continues.


Snap suggests Apple out to 'screw' hardware hackers


Yet another use for Fimo

... but Rameses(.*)'s comment above does make me think that a *very* slightly oblate circle would make quite a good security head, since copy-moulding tolerances aren't that great and any slop would make it slip.

Python wraps its coils around the enterprise


ASSERT_FALSE("C++" == "C#");

(and I shall go to my grave saying C-hash, so there!)

People-powered Olympic shopping mall: A sign of utter tech illiteracy


Re: Wrong idea, wrong place

I don't mind the idea of a gym or play area, since in both cases these folk are deliberately wasting energy for other reasons (fitness, being three), so some of it is potentially trappable - particularly in a spinning gym where it's directly available as a circular motion (cue Charlie Brooker, as someone else has already hinted at).

But the idea of putting this on roads is as ludicrous as the idea a couple of years ago of putting wind turbines in the central reservation. You would essentially be forcing cars to roll uphill all the time, even on a flat road. This would just burn more fossil fuels, hugely less efficiently than just putting diesel in a generator, never mind the astronomical energy and financial cost of building the thing.

Someone will no doubt now suggest it would be OK if they were electric cars...


Re: Energy calculations.

Oh, on the 7W thing... A rival firm Powerleap claims 5Ws (5J) per step. So I'm guessing the journo or subbie changed 7Ws to 7 Watts.

It also adds up with the claim that 5% of energy is enough to light the luminaire in the tile itself. Assuming it lights for 1 sec test gives you 0.5W of LEDs - about the same as a medium-sized torch, so fair enough.

Enough now. Mine's the one with the wind-up torch in the pocket.


Re: Energy calculations.

Oh yes, *: I'm assuming 'several hundred' is 400 because any less and it would be 'a few', and 500 or more and it would be 'NEARLY HALF A MEGAWATT-HOUR!!!'


Re: Energy calculations.

Looked at another way, 4e5 Wh (*) over 1e4 hrs/yr is about 40 W average power. Allowing a duty cycle of 25% (say 6 hours use in darkness per day), and some storage (one 100 Ah leisure battery would do it), that gives you 160W of lighting. Say 20 small CF or LED fittings. Actually to light that particular piece of walkway, I guess that's doable.

The other issue is where this energy comes from. The pedestrians were relying on the hardness of the floor to reflect energy for the next step. Take that away and like walking on sand it requires more energy. Given the nature of the place let's assume it comes from increased consumption of sugary drinks. That comes from sugar beet in the UK, in a process that involves input of lots of embedded energy in fertilisers, plus direct input to dissolve and recrystallise in the factory, not to mention transport and packaging. So even leaving aside the capital energy cost of building the tiles, it could even be negative on a revenue basis...


Energy calculations.

(warning, from memory and in head, so could be very wrong!)

Ok, so 4e7 visitors generate (say) 4e5 Wh, that's 1e-2 Wh per visit = 36J

Assuming average visitor mass 50kg (in Stratford?), dropping from a height of 0.1m, PE = mgh = 50J. Assume no losses to air friction (no wing suits, only shell suits), KE on impact = 50J. Assume no way to capture take-off energy, 50J per footstep.

Tiles are 60cm wide, assume walkway about 6m wide, you could have a double row and capture 2 footsteps per entrance and exit, 4 footsteps in all = 200J.

So conversion efficiency required = 36/200 = 18%. I guess that's not outlandish, even if it was a simple alternator driven from a rack-and-pinion gear. No idea of the efficiency of piezo electric...

Which is not to detract from the fact that 4e5 Wh is a pathetic amount of energy in the first place...

Titsup WHMCS calls the Feds after credit-card megaleak



Something doesn't add up in the terminology here: "Card information was salted and hashed". What use is a hashed credit card number, either to Bad Guys or indeed to the service itself? More likely they were symmetrically encrypted and the passphrase stored in the filesystem somehow. That does at least mean that the DB replicating backups are not sensitive in themselves.

The problem of how to protect information in the DB, private keys etc. from a root attacker is always a tricky one. You could demand entry of the passphrase at startup but that prevents unattended restart, and in theory a really determined attacker could get it out of memory if they can get access to the running daemon.

Of course the trick is to avoid getting rooted in the first place... When your hosting provider demands your root password, refuse, quoting this story!

Ten... freeware gems for new PCs



Genius name for a company making fixing-Windows-cruft utilities. Blimey, Fred, it's all gone piriform!


Biting the hand that feeds IT © 1998–2019