* Posts by Steve 53

82 posts • joined 22 Jun 2009


Rogue ADT tech spied on hundreds of customers in their homes via CCTV – including me, says teen girl

Steve 53

Re: Camera in bedroom?

I suspect the salesman was bonused on the number of cameras installed / size of deal, so if they can persuade them that cameras in the bedrooms are 1) Safe 2) A good idea then they'll sell more cameras and make more money.

Only way to stop that is ADT having a corporate "No cameras in bedrooms FFS" policy, and even then the sales people will be grumpy about getting in the way of their ability to sell...

Magecart malware merrily sipped card details, evaded security scans on UK e-tailer Páramo for almost 8 months

Steve 53

Re: Wait

To be fair, they're using Paypal, not processing their own cards. The expectation is that Paypal will take care of the security / PCI-DSS as the retailer will never handle the card details. Frankly Paypal shouldn't be offering the option to load in an iFrame - ie an environment they don't control the Javascript for

Broken your new Surface Go 2 already? Looks like it's a bit more repairable this time

Steve 53

Microsoft's update has added some much-needed horsepower

The "standard" Pentium offering is a very, very small speed bump: a 1.7GHz Kaby Lake processor vs 1.6GHz. It was a moderately old design when the Go 1 was released, it's a very elderly processor now, and one which is noticeably slow even when being used for general web browsing.

All they've offered is the opportunity to spend an extra 90 quid (only on the high end 128GB model) on a processor which isn't crippled by disabled turbo.

The surface go is a lovely machine, but £629 is an awful lot to spend on a machine which is only going to have tolerable performance.

Royal Navy nuclear submarine captain rapped for letting crew throw shoreside BBQ party

Steve 53

For the purposes of the act, I think it's entirely reasonable to consider the sailors to be members of the same household, given they've been in a tin can for months as ordered. Providing they're quarantined, frankly it's not an issue if they organise a mass orgy on the dockside, let alone have a BBQ...

We need to apply common sense and science...

UK big five carriers bin wired broadband download quotas for as long as we're all stuck indoors

Steve 53

Interestingly, A&A (one of the few premium ISPs who have download quotas) beat ofcom to the punch by about 3 weeks. They're keeping quotas, but topping people up as needed. Seems to strike a decent balance between helping people with unusual traffic patterns due to Covid and keeping people accountable for their usage.

One of the few providers who beat themselves up if they have any packet loss due to congestion... But of course it needs subscribers who are invested in that idea as well.

Steve 53

Re: Stupidest Idea EVER!!

Few packages actually have download limits, and it's unlikely the tiny fraction of users who have these packages (we're talking tight budgets here) are the sort of users who will suddenly download tonnes. Hell, we're probably talking about people with just a bit of DAS.

Probably not a problem...

Brother, can you spare a dime: Flickr owner sends mass-email begging for subscriptions

Steve 53

Re: "Sure, but they're providing the content"

Just because there is 1TB of disk space doesn't mean that the average user is going to use 1TB of disk space - as I said earlier, my usage was close to 4GB, which leaves a very fat margin for them at $49/year

Steve 53

Re: The Rubicon has already been crossed

It depends how you use Flickr of course, but the way I used it was to showcase my best shots, generally not in full resolution. While I do have ~500GB of photos taken over the years, only a tiny fraction of that ever saw Flickr. Looking at what I downloaded from Flickr when I evacuated, it was about 4GB for 12 years as a fairly avid user.

$49 gets you about 177GB of standard S3 storage, assuming you don't want to do any intelligent tiering, infrequent access, etc. At retail I would have been costing them about $1.104 in storage a year, although AWS will of course cut special prices for people moving entire farms of storage over...

Of course, others might choose to use it as a backup solution, but even then AWS Glacier Deep Archive is a cheaper option for anything up to about 4TB...

Steve 53

The Rubicon has already been crossed

This time last year, they blackmailed their users into either paying for pro, or having the majority of their photos deleted. I decided that $49 a year with a 25% discount for the first year wasn't something I could justify in perpetuity, so I let them delete the photos (I have my own copy, of course).

You'll be surprised to know that after deleting the majority of my photos, I'm not going to pay the same to keep the very limited selection of photos left.

They took a very hard line attitude, it was a gamble, it didn't pay off. (And I have paid for pro in the past, btw)

The email generally irritated me; $9 / month for netflix or spotify? Sure, but they're providing the content. Why would I pay $49/year for them to provide me what amounts to a bit of web hosting?

Suggesting that the price will increase in future years makes me glad I bit the bullet there and then... It'll be a shame to see it go, but it's a shell of its former self.

Log us out: Private equity snaffles Lastpass owner LogMeIn

Steve 53

Re: Bitwarden

I've moved from LastPass to Bitwarden. Lastpass have upped prices year after year and provided very little by way of enhanced user experience as a result - which might explain why they're making such substantial profit by revenue. It felt very dated when I moved in April.

Bitwarden is less than 1/3rd of the price for premium, offers a solid set of features and has a noticeably nicer UI (IMHO). Self hosting is obviously a bonus, but I'm happy to have them host for me.

I've suggested a number of friends (mostly technical) move from lastpass to bitwarden, and they've all been happy.

Uber JUMPs at chance to dump load of electric bikes across Islington

Steve 53

Re: Weird pricing model

I actually have a Brompton. They're not particularly heavy as folding bikes go, but the weight is still substantial.

It's not worth the faff of dragging it through Waterloo station and Bank, then around with me for the evening. I'd rather just pay a couple of quid to rent a bike for the short section where it makes sense.

Steve 53

Re: Weird pricing model

Yes, but I have to wait for a bus, and on the route I regularly bike rent on there are no bus routes which take me all that close.

Bug-hunters punch huge holes in WPA3 standard for Wi-Fi security

Steve 53

Off by default? Have you met the general public?...

Uber driver drove sleeping woman miles away from home to 'up the fare'. Now he's facing years in the clink for kidnapping, fraud

Steve 53

... But John Worboys ...

Uber won't face criminal charges after its robo-car killed woman crossing street

Steve 53

Re: New???

Legally, yes. Practically people don't leave enough space for a completely unjustified emergency stop

Steve 53

Re: Safety driver?

Agreed. The wheels are by definition going to be low on the bike and you can see them quite some distance in advance. Reflective sidewalls / reflectors on spokes are a very good way to be seen from sideways, for example at a T junction - bikes don't tend to have sideways lights.

Unfortunately wearing dark clothes at night with no lights seems rather common around here, and the built-in reflectors are normally pretty high up the bike or removed because they don't look cool :/ It's led to a few "Where the hell did they come from" moments.

I do a 50/50 cycle/drive to work, but my bike has 5 lights (2 flash, 2 constant, 1 wheel light - n+1 redundancy!), 2 reflectors and spoke reflectors. You can pick up lights for a couple of quid from amazon, I don't understand why people are allowed to get away without them tbh. (Take the bikes and crush them)

Steve 53

Re: New???

Well, there is a clear reason for this. If you've not got your algorithm right yet and KNOW that it's skittish with the emergency braking, then that IS a good reason to disable said system. If the system incorrectly performs emergency braking then you're very likely to end up with a car in the back of you (or I guess correctly - but at least then a car in the back of you is the lesser of two evils).

So you set it to log, you put cars on the road and you gather data. Once you have data you can refine your algorithm and get more data. Once you get it right you actually turn on the system.

The problem here is us meatbags - the safety driver is there to deal with these situations, but if a machine only needs intervention on rare occasions then the job is boring as hell and you're likely to piss about with your phone. And of course the squashed meatbag put themselves in danger by crossing the road without checking said road was actually clear. I could do that on the main road 200m away from my house and end up squashed even with no robodrivers involved.

If Uber didn't tell the safety drivers quite how critical their role is, then that is of course an error on their part - but the safety drivers know they're ultimately responsible for the car's safety...

Good news! Only half of Internet of Crap apps fumble encryption

Steve 53

Re: New???

Wouldn't ROT-X be "Military Grade" at one point. That point being 2500 years ago?

The marketing dept just weren't specific on the timeframe!

Time for a cracker joke: What's got one ball and buttons in the wrong place?

Steve 53

Re: New???

I was thinking, that would be hard work.

That said, back in the day I spent quite some time diagnosing a network card issue before realising the user had plugged into an ISDN TA rather than the 10/100 NIC. (Both RJ45)

Vision Direct 'fesses up to hack that exposed customer names, payment cards

Steve 53

HSTS is highly desirable. The website itself might not have a HTTP binding, but MITM creating a HTTP binding is pretty trivial.

Re CSP domains - in this case it would have helped. For the BA hack it wouldn't have as the script host was compromised. Doesn't make it easy to implement of course.
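The CSP point in the comment above, as an added example that is not part of the original post or of either retailer's code: a simplified evaluator for the `script-src` directive, run over a constructed policy to show which skimmer placements a host allow-list blocks and which it cannot (a script served from a permitted host that has itself been compromised). The hostnames, the policy and the helper names are all assumptions made for illustration.

```python
"""Added example (not from the original comments): a simplified evaluator for
the CSP script-src directive, to show what a site-wide allow-list does and
does not stop. Hostnames and policies are constructed for illustration."""
from typing import Optional
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def _host_source_matches(source: str, target) -> bool:
    """host-source: [scheme://]host[:port][/path]; a leading '*.' matches subdomains.
    Simplification: ports are compared as written, with no default-port logic."""
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme != target.scheme:
            return False
    else:
        host = source
    host = host.split("/", 1)[0]
    if host.startswith("*."):
        return target.netloc.endswith(host[1:])
    return target.netloc == host


def script_allowed(policy: dict, page_origin: str, script_url: Optional[str]) -> bool:
    """True if a script (a URL, or None for an inline script) may execute.
    Falls back to default-src when script-src is absent, as browsers do."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: CSP imposes nothing
    if script_url is None:
        return "'unsafe-inline'" in sources
    target, origin = urlparse(script_url), urlparse(page_origin)
    for src in sources:
        if src == "'none'":
            continue
        if src == "'self'":
            if (target.scheme, target.netloc) == (origin.scheme, origin.netloc):
                return True
        elif src == "*":
            return True
        elif src.endswith(":") and "/" not in src:  # scheme-source such as https:
            if target.scheme == src[:-1]:
                return True
        elif _host_source_matches(src, target):
            return True
    return False


def skimmer_demo() -> dict:
    """Constructed scenario: a shop whose CSP allows only its own origin plus
    one payment provider's script host (hypothetical names)."""
    policy = parse_csp("default-src 'self'; script-src 'self' https://js.payments-provider.test")
    page = "https://shop.example/checkout"
    return {
        # the shop's own asset: allowed
        "own_script": script_allowed(policy, page, "https://shop.example/static/app.js"),
        # skimmer loaded from an attacker-controlled host: blocked
        "foreign_skimmer": script_allowed(policy, page, "https://cdn-assets-evil.test/skim.js"),
        # skimmer injected inline into the page: blocked (no 'unsafe-inline')
        "inline_skimmer": script_allowed(policy, page, None),
        # an allowed third party whose own host was compromised: still allowed
        "compromised_allowed_host": script_allowed(policy, page, "https://js.payments-provider.test/checkout.js"),
    }
```

The last entry is the point: a host allow-list only helps when the skimmer has to come from somewhere new. Subresource Integrity on the third-party script tag is what covers the compromised-host case, at the cost of breaking whenever the provider legitimately changes the file.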

Dutch cops hope to cuff 'hundreds' of suspects after snatching server, snooping on 250,000+ encrypted chat texts

Steve 53

Re: New???

Well, yes, but I'd say paying €1.5k for 6 months with a phone with "unbreakable encryption" and "a panic button if you get nabbed by the fuzz" is probably reasonable grounds to suspect it's not just a private conversation about what groceries to bring home.

Internet be nimble, internet be QUIC, Cloudflare shows off new networking shtick

Steve 53

Re: Shome mishtake shirley?

Yes, Jesus wept at this article... A cursory check of Wikipedia would have spotted half the issues.

It will also mean saying goodbye to the protocol that effectively made the internet possible: TCP.

TCP will continue to be a fallback, not least because there is no support for UDP tunnelling under a HTTP proxy

"And the reason is that TCP intrinsically assumes you will stay at the same address on the network while you are sending and receiving information. As soon as you starting moving around however, that address shifts. If you leave your house and your home Wi-Fi to join a 4G network, that's one shift."

Yes, that would be. At which point you'd have to break down the old TCP connection and build a new one. But UDP, despite being stateless, is likely still going through NAT / GiFW, so you'll still need to send packets to get traffic.

"If you get on a bus or a train to head to work in the morning, or if you stroll home at the end of the day, you will be constantly shifting your network address as you move from cell tower to cell tower."

Handoff between cells generally keeps the same IP. Not all subscribers, but the vast vast majority

"This modern use of the internet has already led to plenty of other changes and improvements to existing internet protocols – for example, the shift from HTTP 1.1 to HTTP 2.0 was largely because people now use multiple applications at the same time and expect each to be able receive data."

Jesus wept. HTTP 2.0 allows multiple streams of data to a single service, not multiple services, not from multiple applications. With HTTP 2.0 you'll establish a new TCP connection for each app to each destination, or with QUIC UDP.

"What's more, if you are moving around from network address to network address, this UDP approach should end up much faster because it pulls out TCP's checking mechanism, speeding things up."

Checksums are offloaded to hardware, so the "Effort" is minimal. With UDP over IPv4 checksumming is technically optional, but if you skip it you have to zero pad the checksum field, so you don't reclaim bandwidth. Under IPv6 it's mandatory anyway, as skipping checksumming makes no sense. Besides, you need to hash for DTLS anyway.

What's faster is you have direct control of the congestion control algorithms, fewer roundtrips to bring up a "Connection", etc.

"And that's what first Google and now the IETF internet engineers have been working on: how to add TCP-style encryption and loss detection to UDP. It will also add in the latest standards like TLS 1.3."

TCP doesn't have encryption. TLS only runs over TCP, true, but DTLS (UDP transport) has been around for a very long time

"It will create problems for people using NAT routers as a way to handle the painfully slow move from IPv4 to IPv6. NAT routers track TCP connections to work seamlessly and since QUIC doesn't use TCP, its connections through such networks could well drop out."

Bollocks. NAT routers track UDP "Connections" in more or less the same way as TCP. Plus QUIC clients fall back to TCP in case of issues

"Likewise, if a network is using Anycast or ECMP routing – both used for load-balancing - the same problem will likely occur."

Anycast and ECMP break TCP too. And require more work to re-establish
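The checksum point made in the post above, as an added example that is not part of the original comment or of QUIC itself: building a UDP/IPv4 datagram with and without its checksum shows that "skipping" the checksum leaves a zero field in an unchanged 8-byte header, and the receiver-side check shows why a disabled checksum is a sender decision the receiver can only detect, not verify. The addresses, ports and payload are constructed for illustration.

```python
"""Added example (not from the original comments): building a UDP/IPv4
datagram with and without its checksum, to show that a disabled checksum is
a zero field, not a shorter header, and how a receiver verifies it.
Addresses and payload are constructed for illustration."""
import socket
import struct

UDP_PROTO = 17
HEADER_LEN = 8


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry, as used by IP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded for the sum only; the pad is not sent
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header_v4(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """Covered by the checksum but never transmitted: src, dst, zero, protocol, UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def build_udp_v4(src_ip: str, dst_ip: str, sport: int, dport: int,
                 payload: bytes, with_checksum: bool = True) -> bytes:
    udp_len = HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum field is zero while computing
    if with_checksum:
        csum = 0xFFFF ^ ones_complement_sum(pseudo_header_v4(src_ip, dst_ip, udp_len) + header + payload)
        if csum == 0:
            csum = 0xFFFF  # RFC 768: a computed zero is sent as all-ones, because zero means "no checksum"
        header = struct.pack("!HHHH", sport, dport, udp_len, csum)
    return header + payload


def udp_checksum_ok(src_ip: str, dst_ip: str, datagram: bytes):
    """None if the sender disabled the checksum (permitted on IPv4 only; IPv6
    requires it), otherwise True/False. Summing the pseudo-header and the whole
    datagram, stored checksum included, must give 0xFFFF."""
    (csum_field,) = struct.unpack("!H", datagram[6:8])
    if csum_field == 0:
        return None
    return ones_complement_sum(pseudo_header_v4(src_ip, dst_ip, len(datagram)) + datagram) == 0xFFFF


def demo() -> dict:
    src, dst, payload = "192.0.2.1", "198.51.100.2", b"hello"  # documentation addresses, constructed
    with_sum = build_udp_v4(src, dst, 40000, 443, payload)
    without = build_udp_v4(src, dst, 40000, 443, payload, with_checksum=False)
    tampered = with_sum[:-1] + b"x"  # one payload byte changed in flight
    return {
        "len_with": len(with_sum),
        "len_without": len(without),  # identical: no bandwidth is reclaimed by disabling it
        "ok": udp_checksum_ok(src, dst, with_sum),
        "disabled": udp_checksum_ok(src, dst, without),
        "tampered": udp_checksum_ok(src, dst, tampered),
    }
```

Two of the receiver's outcomes matter for the argument: a zero field means the receiver has nothing to check at all, which is why IPv6 forbids it, and a datagram that fails the check is dropped silently, which is why the transport (or DTLS/QUIC above it) still has to detect loss on its own.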

Strewth! Aussie ISP gets eye-watering IPv4 bill, shifts to IPv6 addresses

Steve 53

Re: Has anyone truly made the switch?

Nail on the head, a huge portion of ISP traffic is to google, youtube, facebook, etc. The large services are IPv6 and therefore if you just implement CGN with IPv4 only, you're going to pay an awful lot of money for the kit and you're going to need to work out how you cleanly expand that over time. Implement IPv6 and >50% of your traffic zips straight past your CGN box.

So you've got a clear cost/benefit on the ISP side: either do an IPv6 project or pay way more than you need for your CGN solution.

On the content provider side, things are a lot less clear. Unless you're hyperscale like Facebook, you don't need IPv6 for any particular reason, and don't care much that the users might need to go via CGN and incur a bit of cost for their ISP and maybe an extra couple of ms latency. It's just extra complexity, which means extra cost. Hence El Reg is v4 only.

Steve 53

Re: Another IPV6 article which exposes issues with IPV6

Typically PBA or DNAT will be used, whereby a subscriber is given a source port range on a particular public IP (EG ->, -> Saves a lot of logging, but then you've got extra fun with the likes of SIP which need a lot of TLC to run through the solution.
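The port block allocation described above, as an added example that is not part of the original comment or of any vendor's CGNAT implementation: a toy allocator that hands each subscriber a fixed range of ports on one public address, translates new flows out of that range, and keeps one log line per block rather than one per connection, which is where the logging saving comes from. The address ranges, block size of 1024 and class names are assumptions made for illustration.

```python
"""Added example (not from the original comments): a toy port-block allocation
(PBA) table of the kind a CGNAT box keeps, to show why it needs one log line
per subscriber block rather than one per connection, and how an abuse report
is mapped back to a subscriber. Addresses are documentation ranges, constructed
for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PORT_MIN, PORT_MAX = 1024, 65535  # only the dynamic port range is carved into blocks


@dataclass
class Block:
    public_ip: str
    first_port: int
    last_port: int
    next_free: int = 0

    def __post_init__(self):
        self.next_free = self.first_port


class PortBlockAllocator:
    def __init__(self, public_ips: List[str], block_size: int = 1024):
        self.block_size = block_size
        self.free_blocks: List[Block] = []
        for ip in public_ips:
            port = PORT_MIN
            while port + block_size - 1 <= PORT_MAX:
                self.free_blocks.append(Block(ip, port, port + block_size - 1))
                port += block_size
        self.by_subscriber: Dict[str, Block] = {}
        self.log: List[str] = []  # one line per block assignment is all that has to be retained

    def assign(self, subscriber_ip: str) -> Block:
        """Give a subscriber its (public IP, port range) on first use and log that once."""
        if subscriber_ip not in self.by_subscriber:
            if not self.free_blocks:
                raise RuntimeError("public address pool exhausted")
            block = self.free_blocks.pop(0)
            self.by_subscriber[subscriber_ip] = block
            self.log.append(f"PBA {subscriber_ip} -> {block.public_ip}:{block.first_port}-{block.last_port}")
        return self.by_subscriber[subscriber_ip]

    def translate(self, subscriber_ip: str) -> Tuple[str, int]:
        """Source NAT for a new flow: the next unused public port in the subscriber's block.
        Nothing is logged here, which is the point of PBA."""
        block = self.assign(subscriber_ip)
        if block.next_free > block.last_port:
            raise RuntimeError(f"{subscriber_ip} has exhausted its {self.block_size}-port block")
        public_port = block.next_free
        block.next_free += 1
        return block.public_ip, public_port

    def who_used(self, public_ip: str, public_port: int) -> str:
        """Abuse-report lookup: (public IP, port) back to a subscriber via the block table alone."""
        for subscriber, block in self.by_subscriber.items():
            if block.public_ip == public_ip and block.first_port <= public_port <= block.last_port:
                return subscriber
        return "unknown"


def demo() -> dict:
    nat = PortBlockAllocator(["203.0.113.10", "203.0.113.11"], block_size=1024)
    flows = [nat.translate("10.0.0.5") for _ in range(3)] + [nat.translate("10.0.0.6") for _ in range(2)]
    return {
        "total_blocks": len(nat.free_blocks) + len(nat.by_subscriber),  # 63 blocks of 1024 per address
        "flows": len(flows),
        "log_lines": len(nat.log),  # two subscribers, two lines, however many flows they open
        "first_flow": flows[0],
        "lookup": nat.who_used(*flows[3]),
    }
```

The trade-off the comment alludes to is visible in `translate`: a subscriber gets exactly `block_size` concurrent flows and no more, and any ALG for protocols that carry addresses in the payload (SIP being the usual offender) has to rewrite them to a port inside that same block.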

Steve 53

Re: Finally?

AAISP use TalkTalk as one of their two backhaul carriers, and the customers get an uncontended low latency service. Just because their consumer service is rancid doesn't mean their wholesale offering is.

Plusnet customers peeped others' deets during system upgrade

Steve 53

Re: New???

Somehow I see them more likely to move to a BT "Standard", eg a 25 year old mainframe based system, perhaps with a front end GUI added to make sure the pig has a little lipstick

Cache of the Titans: Let's take a closer look at Google's own two-factor security keys

Steve 53

Re: New???

In all fairness, the Yubikey FIDO is only $20. The Neo and the 4 are only needed if you want "Classic" Yubikey authentication, TOTP + NFC.

East Midlands network-sniffer wails: Openreach, fix my outage-ridden line

Steve 53


Well, you can always call sales and ask. I suspect the type of fault here would be considered a broadband fault, not PSTN.

Steve 53


Try A&A. Pricey but decent support and very effective at dealing with openreach


We'll fix your line even if you are with another ISP!

If you are migrating your service to us, even though you know you have a problem with your line, we'll take on the fault. We'll tackle the problem and get it fixed within one month. If we don't then you can migrate away and owe us nothing for your migration to us and your service charges for that month. Details.

Visa fingers 'very rare' data centre switch glitch for payment meltdown

Steve 53

Re: New???

I would argue that "Good" design would mean you don't have HA pairs of switches and consider that a redundant solution. This stuff can and does break, hence you're much better with DCs which aren't attached at L2 (Which I presume is the case here). Better to use L3 or DNS - but of course this is an old design, and there may well have been good reasons to follow this model at the time.

'Disappearing' data under ZFS on Linux sparks small swift tweak

Steve 53

Doesn't hurt to look at this as a way of informing a rather decent number of technical people who may run ZFS that they want to patch to 0.7.8 PDQ

Steve 53

TBH as with most opensource, don't patch immediately for production. The release was only a couple of weeks old, hadn't even made it into debian testing.

Breaking up is hard to do: Airbus, new bae Google and clinging on to Microsoft's 'solutions'

Steve 53

Re: New???

Typically classified and unclassified are separated by air-gapped networks. Potentially with 2 stations on the same desk.

If that wasn't the case now, and say you wrote to either the classified or unclassified CIFS / Sharepoint then you'd have the same sort of mixups now...

Spreadsheets are rarely *that* complex, and if they are, probably only a fraction of the people need office licenses to keep using them. FWIW the javascript scripting under google is pretty powerful and generally more usable than macros under office.

Batteries are so heavy, said user. If I take it out, will this thing work?

Steve 53

Re: New???

If i recall correctly from 2005

How to check the oil, tread depth ("Must be 1.6mm over the inner 3/4 of the entire circumference of the tyre"), check tyre pressure ("Using a reliable pressure gauge"), brake fluid, lights are working ("Turn them on and walk round")

Nobody covers high-beams vs dip though!

UK.gov: Psst. Belgium. Buy these Typhoon fighter jets from us, will you?

Steve 53

We're buying F35Bs, which are STOVL for carriers. Eurofighter was never designed for carrier use, but that's hardly a concern for Belgium when they have no carriers.

Apple iPhone X: Two weeks in the life of an anxious user

Steve 53

Re: New???

Certainly 12 months ago I didn't need to unlock for Nationwide. Could it be bank specific?

After I replaced my last phone I decided not to bother with android pay - using the contactless card is just easier...

Steve 53

Re: New???

Point is you need a fingerprint to unlock the (standard Apple) device in order to use Apple Pay. This is generally less of a faff than FaceID, but if you have gloves on it's preferable.

FWIW android pay doesn't require unlock to pay. And nor does my contactless card. Honestly not sure why I'd bother with either instead of the card itself. Not like everywhere takes contactless anyway.

SSL spy boxes on your network getting you down? But wait, here's an IETF draft to fix that

Steve 53

Re: "it works by essentially not trusting said equipment."

You wouldn't use this type of box as a Government or ISP, it's obvious that the certs have been resigned if you know where to look (Just a case of checking the CA who signed the cert), and a government will very much struggle to insert a CA into every citizen's device.

This technology is for corps who have control of the devices on their network (GPO) and are looking to protect themselves against Malware, Dataloss, etc. And that sort of technology is very much going to be needed to meet GDPR.

Steve 53

Re: I don't get it.

Couldn't agree more. Malware is pretty much always delivered over SSL/TLS because the writers know this is a blindspot for many organisations. The SSL/TLS interception proxies are there to decrypt this and stop the malware. If there is a fallback to ATLS, then the malware will move to the new blindspot created by it, and the middleboxes will shortly follow.

There is plenty of potential for abuse of this technology, and it doesn't always work very well (CAs need to be distributed, applications pin certificates, breaks client TLS auth, etc), but that doesn't make ATLS a sensible option.

As far as privacy is concerned, the browsers should be placing a massive "Eye of Sauron" icon in the address bar rather than "Secure".

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Steve 53

Re: "we do have a number of layers protecting the website"

They're probably talking about the ability to flag fraudulent transfers after the request has been made via the compromised user.

Realistically poor SSL/TLS is a much less exploitable fraud vector than banking malware.

Steve 53

Yes, if you can MITM you can put a HTTP server between the customer and the bank web server, then serve a dodgy version of the site without needing certs. Not that many users look for the padlock before they provide their credentials...

Steve 53

Not the best of articles.

Firstly, HSTS is not "a cryptographic technology", it's HTTP Header signalling used to tell the browser to only connect via HTTPS next time.

Barclays domain doesn't support Forward Secrecy, which they "absolutely should". "There is no reason not to"

Well, given CPU decrypt I would agree, but most banks will offload these to crypto cards (Generally on an ADC, perhaps with a FIPS card / NetHSM which makes PFS much less of a requirement in that the key is very well protected), and a good number of those don't support PFS ciphers. Not to mention depending on architecture lack of PFS may be very helpful for IDS type devices.

"The most crucial thing the bank has missing is a HSTS policy which, for a secure website using HTTPS, is an absolute requirement."

Well, it's clearly not an absolute requirement, as the site works without it. Good practice, sure.

Not saying that the banks shouldn't up their game, but there may be perfectly good reasons not to support PFS
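The HSTS mechanism described in this comment and in the Vision Direct one further up ("MITM creating a HTTP binding is pretty trivial"), as an added example that is not part of either comment or of any browser's code: a parser for the `Strict-Transport-Security` header and the per-host cache a browser consults, which together show why a first plaintext visit is still exposed, why an attacker on the HTTP side cannot set the policy, and why `includeSubDomains` matters for a login host. The hostnames, timestamps and class names are assumptions made for illustration.

```python
"""Added example (not from the original comments): the browser side of HSTS,
a header parser plus the per-host cache that decides whether a later
http:// request is rewritten to https:// before anything leaves the machine.
Hostnames and times are constructed for illustration."""
from typing import Dict, Optional, Tuple


def parse_hsts(header: str) -> Optional[dict]:
    """Parse 'max-age=N[; includeSubDomains][; preload]'. Returns None for a
    header without a valid max-age, which a browser ignores (RFC 6797)."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsCache:
    """host -> (expiry time, includeSubDomains), mirroring a browser's known-HSTS-hosts store."""

    def __init__(self):
        self.entries: Dict[str, Tuple[int, bool]] = {}

    def observe(self, host: str, header: str, now: int, over_tls: bool = True) -> None:
        """Record a Strict-Transport-Security header. Only honoured on an
        error-free HTTPS response, so a plaintext (or MITM'd) response cannot set it."""
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        if parsed["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return
        self.entries[host] = (now + parsed["max_age"], parsed["include_subdomains"])

    def should_upgrade(self, host: str, now: int) -> bool:
        """True if an http:// request to host must be rewritten to https://.
        Walks up the parent domains so includeSubDomains entries apply."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if now >= expiry:
                continue  # expired: no longer protected
            if i == 0 or include_subdomains:
                return True
        return False


def demo() -> dict:
    cache = HstsCache()
    host, t0 = "bank.example", 1_000_000  # hypothetical host and epoch time
    first_visit_plaintext = not cache.should_upgrade(host, t0)  # nothing cached: the rogue HTTP binding works here
    cache.observe(host, "max-age=31536000; includeSubDomains", t0, over_tls=False)  # an HTTP MITM cannot set it
    set_over_http = cache.should_upgrade(host, t0)
    cache.observe(host, "max-age=31536000; includeSubDomains", t0, over_tls=True)  # genuine HTTPS response
    return {
        "first_visit_plaintext": first_visit_plaintext,
        "set_over_http": set_over_http,
        "later_visit_upgraded": cache.should_upgrade(host, t0 + 3600),
        "subdomain_upgraded": cache.should_upgrade("login.bank.example", t0 + 3600),
        "other_host": cache.should_upgrade("notbank.example", t0 + 3600),
        "after_expiry": cache.should_upgrade(host, t0 + 31536000),
        "bad_header_ignored": parse_hsts("includeSubDomains") is None,
    }
```

The `first_visit_plaintext` result is the gap the preload list exists to close: until the browser has seen the header over a good TLS connection, a typed `bank.example` goes out as plain HTTP and anyone on path can answer it. The expiry behaviour is also why a short `max-age` during rollout has to be raised afterwards, or the protection quietly lapses.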

Apache Foundation rebuffs allegation it allowed Equifax attack

Steve 53

I know the vendor I work for has found the latest Struts vuln is picked up by 10 different WAF signature patterns.

Would imagine the same is true for multiple vendors (WAF, IDS/IPS), which makes you ask if basic steps are being taken by Equifax...

She's arrived! HMS Queen Lizzie enters Portsmouth Naval Base

Steve 53

Don't you mean microwales

The whole point of the Reg standards is easy visualisation. Surely when you say the carrier is 10% of the size of Wales, you'd stop and think... That doesn't sound right?

It's 0.94 microwales! Not 0.94 wales!

Virgin Media admits it 'fell short' in broadband speeds ahead of lashing from BBC's Watchdog

Steve 53

Re: New???

I had a sustained period (months) of getting severe packet loss and latency during peak times. Usable bandwidth varied from 15-40Mbps on a 150Mbps service during peak times.

Eventually I moved to A&A, who you can see are currently posting daily updates on their hunt for 0.05% packetloss on their talktalk backhaul. https://aastatus.net/apost.cgi?incident=2401

I have a more expensive and capped service as a result of the move, but the connection is fast and stable

Maplin Electronics demands cash with menaces

Steve 53

Eaten by Amazon

Since the advent of same day delivery from Amazon, I can get the tool / component I want, with a set of reviews to prove that.

I can get a bag of 10 STDP switches for the price of one at maplin, same day, without having to make a special trip to a town centre with no parking.

Asking your suppliers for bribes to keep selling their stuff is a low blow from a dying company

Ubuntu 16.04 LTS arrives today complete with forbidden ZFS

Steve 53

Re: New???

The best advice a friend gave me when looking at BTRFS stability was to look at the mailing list, and see how many puppies it was killing.

While it may be the default for boot disks, boot disks are rarely multidisk raid.

There are a number of shortcomings with RAID5 style configuration (Write holes, poor re-balancing, etc) which made me feel decidedly uncomfortable trusting it with my data.

Which is a shame, as from a convenience point of view, being able to simply add disks of varying sizes would have been much more convenient.

I went with ZFS in the end. (Only about 4 months ago, so the info is reasonably current)

NBase-T maps out spec ahead of products in 2016

Steve 53

Re: New???

The point isn't the equipment cost, the point is that you can run it over 100m of Cat5e. 10GBase-T requires Cat6 at a minimum (55m), and Cat6a/7 for the full range (100m).

Replacing structured cabling is expensive and disruptive.

Virgin Media hikes broadband, phone prices by five per cent

Steve 53

Both have a great reputation. A&A don't offer an unlimited service though, which you might be used to...

By the time you include line rental, it's very hard to beat the virgin media "Broadband only" option (the price rise for this was back in september/october) in terms of price and performance.

TalkTalk CEO admits security fail, says hacker emailed ransom demand

Steve 53

The state of the SSL/TLS Stack

While the TLS stack isn't compliant with PCI-DSS 3.1, it doesn't need to be until June 2016. 3.1 is relatively recent, and organisations have some time to bring themselves into compliance.

The only thing the audit picks up on the PCI side is a SHA1 certificate, which will most likely be fixed on renewal.

The report flags Camellia as not a NIST standard, which is true - it tends to be preferred in europe / asia.

PFS is available.

As High-Tech says, A rating, and a good indication that TLS has been configured by hand for security, or that they've done pretty well out of the box. Total red herring as far as "indications of the security culture" is concerned.

Now, why an SQL attack (if that is the case - my level of trust in Rory Cellan-Jones is rather low...) was possible is another matter. You'd hope coding techniques and libraries have sorted this problem. At the very least a PCI mandated Web Application Firewall should have caught that sort of attack (WAF is, of course, a safety net - not an excuse for poor coding), assuming it was put in and turned on...
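The "coding techniques and libraries" point in the post above, as an added example that is not part of the original comment or of TalkTalk's systems: the same user lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table so the difference is visible on a classic payload, plus a crude signature check in the spirit of the WAF safety net the post mentions. The table contents, payload and regex are constructed for illustration and the regex is deliberately simplistic, not a real WAF rule.

```python
"""Added example (not from the original comments): the same user lookup with
string splicing and with a bound parameter, against an in-memory SQLite table,
plus a crude signature check of the kind a WAF applies as a safety net.
Table contents and the payload are constructed for illustration."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Attacker-controlled text spliced into the statement: the classic injection."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Bound parameter: the value travels separately from the statement text,
    so it can never change the statement's structure."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


# Hypothetical signature: a quote followed by boolean logic, or a comment marker.
# A safety net only; it does not replace lookup_safe() and will miss variants.
_SQLI_SIGNATURE = re.compile(r"'\s*(or|and)\b|--|/\*", re.IGNORECASE)


def waf_flags(value: str) -> bool:
    return bool(_SQLI_SIGNATURE.search(value))


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),  # dumps every row
        "payload_safe": lookup_safe(conn, payload),              # matches nobody
        "waf_normal": waf_flags("alice"),
        "waf_payload": waf_flags(payload),
    }
```

Both lookups behave identically on ordinary input, which is why the vulnerable form survives testing; only the payload separates them. The signature catches this payload and a plain `admin'--`, but a real WAF rule set is far larger and still only a backstop, which is the post's point about it being a safety net rather than an excuse.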



Biting the hand that feeds IT © 1998–2020