* Posts by -tim

626 posts • joined 10 Jul 2009


Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach

-tim
Unhappy

Re: Check the Password page

Sometimes "Password" is the best password. I have a domain that I've been using for almost 25 years. In that time I've been asked for an email address and password for hundreds if not thousands of sites that I don't trust at all. Far too many of those untrusted sites happen to be on HIBP's list of Pwned Websites. The most common email address I use for these throwaway things has managed to get 4068 spam messages already this year, and those are only the ones that got past the spam filters.

If I could turn back time, I'd tell you to keep that old Radarange at home

-tim
Boffin

Re: Running backwards ?

Hardware clocks can't run backwards because the core BCD counters don't generally have the hardware to do it. What can happen is that the hardware time chip might have been programmed to provide 60 interrupts a second and the real time was calculated based on an interrupt counter, but the microwave was blocking some of those interrupts, so it calculated a time that went backwards. That was common on early multi-processing systems.

Two out of five Silicon Valley techies complain Trump's H-1B crackdown has hit 'em hard

-tim
Facepalm

They just want slaves

I've been approached by many head hunters trying to get me to work in the US on an H1-B. The employer never seems to be interested once they learn that I'm a citizen and don't need a visa to work there.

Begone, Demon Internet: Vodafone to shutter old-school pioneer ISP

-tim

Re: Modem ISP

The equipment for setting up a dial-in service is now cheaper than the power it will use in a year. Ebay has E1 dialup RASs for less than $50, but can you still get an E1 service, or would you need to build a server pretending to be a fake phone company and a VoIP service that can deliver uncompressed data properly? The last time I saw a rack full of dialup servers, there were only two active calls out of a capacity of about 5,000.

I'm just not sure the computer works here – the energy is all wrong

-tim
Boffin

Re: Memories

The 727 had autoland capability for ILS approaches. My father designed part of that system. Autoland is a bit of an overstatement. It predated the RNAV systems, but if I remember correctly it could change altitude and course over a VOR transmitter and then follow an ILS approach while adjusting the throttles. It couldn't do the landing flare and probably couldn't even adjust the flaps. It could not lower the landing gear (just like the shuttle's computer) or apply the brakes, so its use was limited to making bad weather approaches a bit easier for the flight crew.

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters

-tim
Unhappy

Fonts are hacking vectors and are not safe.

Most font rendering engines can be tricked into drawing something like an O about a billion times. Modern fonts are just a program that often runs with elevated privileges.

Blindly downloading fonts into a browser is a risk. There were a number of CVEs last year about the issue.

Millennium Buggery: When things that shouldn't be shut down, shut down

-tim
Pint

Millennium Buggery, I knew there was something I forgot

We have a special file drawer at work where we file very odd things that are just too unique to go into the round file. One of them is a folder that contains quite a few letters asking us to prove we are Y2K compliant. I wonder if I should reply to them yet.

-tim

Re: God Bless written instructions

I thought "needful" was another way of saying "can you do my job for me?"

It's a lot of work, being popular: Apple, Tim Cook and the gilets jaunes

-tim
Meh

Tariff planning?

I wonder if part of the high price for the newer products was so they could "absorb" the tariff if it did go to 25%. Of course it could just be price gouging or even something else. Apple has made some very odd decisions lately, like not allowing the storage in the Mac mini to be removed even though there appear to be pads on the motherboard for a connector for a high-speed add-on board. A simple option would have made the machines much friendlier for companies that have security compliance issues.

Apple to splash $10bn raisin' American bit barns

-tim
Black Helicopters

$42? What is it doing?

It seems to me that is about $42 per American worth of data processing capability. In my industry it costs about $.02 per record with security and audit process in addition to typical IT capex and opex expenses. So is Apple keeping 88,000 records of data on every American, and if so, what and why?

Poor people should get slower internet speeds, American ISPs tell FCC

-tim
Pint

Rural ISPs in the USA have unique problems

I've helped some of the one-man ISPs that are represented by WISPA. They tend to be providing service in regions that have very low population density centered around monopoly-controlled areas. They often will have a few wireless access points on a radio tower but will have to backhaul the uplink feed to a remote larger city because the local town's ISP only covers a few blocks from the exchange. The owner of the exchange may not be willing to sell upstream service to a competitor, or will sell but mess with the speed, and that assumes they haven't oversubscribed their link to the exchange. Another problem is the density is just high enough to make things expensive. If you can get a fiber line from a larger town, you still have to run it through intermediate towns and that might require going around them. Many power companies think they are in the ISP game yet won't or can't provide service, so leasing space on their poles is out. The regulations are a mess as they might be federal, state, Indian, county, town, home owners associations, water authority, electrical authority, telco co-op, sewer authority, federal or state parks, railroad or even the Army Corps of Engineers, and those are just the ones I've heard about. Some of these ISPs are replacing dialup services that wouldn't do much over 9600 baud and sometimes cover areas where even satellite coverage is an issue due to steep mountains.

WhamWham, bambam, no thank you, SamSam: Iranians accused by the Feds of orchestrating ransomware outbreak

-tim
Facepalm

They are looking at a lifetime in Leavenworth

Computer crimes against US military hospitals where they treat people that have been harmed by top secret things can get you 18 years per offense. So if they tried to hack a hospital where an airman that worked on an Atlas in 1959 had been a patient, they can be prosecuted under some particularly draconian cold war era laws. Being out of the easy reach of the US government is only a minor inconvenience unless they also managed to screw around with a CIA operative's medical records.

MIT to Oz: Crypto-busting laws risk banning security tests

-tim
Flame

What I would like to see...

The day before voting starts at the next federal election I would love to see Apple or Google run out an update that turns all the Aussie smart phones into dumb phones with a display of "Your government is run by morons who pass laws they don't understand so your phone is now a dumb phone." The voter backlash would be so strong that no sane elected government would ever consider this type of stupidity again anywhere in the world.

NBN satellite user waiting for extra gigabytes? Keep waiting

-tim

In the days before ADSL, there were satellite providers where the data to them was via dial up modem and the bulk data went via a cable TV satellite. It had much better latency than symmetric satellite but was prone to errors and a real pain to fix. It was great for high speed downloads compared to the other options.

What's that? SSH can still use RC4? Not for much longer, promise

-tim
Meh

There are lots of buried systems

It isn't the public facing ones that are the real issue, it is all the stuff hidden away with automated scripts that will be a real pain to find and update.

My toolbox includes a copy of the last openssh to support ssh protocol 1 with all the bad ciphers because sometimes it is needed.

While the author seems to treat ssh as an interactive utility, there is a massive amount of data that is slung around automatically with it. The scripts used tend not to be too robust with even simple things like server key types being updated.

Dot-com web addresses prices to swell, thanks to sweetheart deal between Uncle Sam, Verisign

-tim
Pint

Say what?

"Given the enormous value built up behind most dot-coms..."

And all this time I thought most of the 138 mill dot coms were useless. 1.8 million are just all 4 letter combinations.

At least domains aren't $100 for 2 years like they were long ago.

The great and powerful Oz (broadband network): Revs rise, but nbn™'s exec bonuses don't

-tim
WTF?

Odd maths?

There are 24 million people in Australia. At an average of 2.4 people per family the nbn should have 10 million homes connected if they are close to being done. That doesn't include the 2 million registered businesses.

Our brave El Reg vulture sat through four days of Oracle OpenWorld to write this cracking summary just for you

-tim
Facepalm

Trusted extensions in the cloud?

Can you even run their labeled system stuff properly in the cloud? They say their cloud stuff is a fortress but if it has a screen door, a bunker with a real door would be better.

Who am I kidding... people don't use the trusted extensions since they were just too hard.

This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

-tim
Coat

Those who fail to learn history are doomed to repeat it

Why do the frame buffer, GPU and mouse need root access and the inevitable setuid root nonsense with its security issues? System V Unix had special devices such as modems that could be opened by one user at a time that didn't require root access. That is why modern systems have /dev/tty* and /dev/cu* which talk to the same hardware, but one only allows one user to open it without root privileges.

Haunted disk-drive? This story will give you the chills...

-tim
Angel

Re: Bah!

I had a house that had a number of hanging plastic dome lights. When they cooled after being turned off, I would hear a pop and see a flash. A friend was convinced she would see ghosts. I decided to record the noise and the flash, but it wasn't there. What was there was a piezoelectric generator. I've found it interesting that many places with high ghost sighting rates have piezoelectric geological effects, and different cultural areas seem to have different results such as ghosts, UFOs or saints.

Talk about a curveball: Microsoft director of sports marketing fired, charged with fraud over 'fake' invoices

-tim
Coat

The best use case for AI

It seems that one of the 1st jobs that AI will be very good at is replacing the top end of middle management. How hard can it be to allocate a chunk of advertising money to sports and verify it is doing what it should?

Watt the heck is this? A 32-core 3.3GHz Arm server CPU shipping? Yes, says Ampere

-tim

Re: Locked Up?

"I was aware that IBM manufactured, and offered for sale, data centre servers built around the PowerPC architecture."

IBM and Sun, oops... Oracle still make some fantastic insanely powerful hardware. The problem is nearly no one has a problem where they need that much power. Both of them also have the problem that you can no longer start small. Sun's last server comes in sizes that are at the price point of a very nice new car, a very nice house or a very nice house in the Bay Area. There is no way the future decision makers will ever get to play with that sort of hardware, so there isn't much research being done about making use of some of the newer concepts like fully compressed and encrypted memory. The very big machines from last year can map tens of terabytes of a file into RAM and then go through it with a thousand threads. While that is cool, it isn't a problem most companies have.

No, that Sunspot Solar Observatory didn't see aliens. It's far more grim

-tim
Boffin

Standard procedures?

Did the FBI want to copy all the images on the local servers too? Observatories tend to have lots of images.

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS

-tim
WTF?

PCI-DSS? Where?

If your web form uses JavaScript and processes credit cards, it must be audited to comply with PCI-DSS specs. It looks like someone's PCI auditors missed that part. I wonder if version 3.3 will start to clamp down on useless JavaScript on payment forms.

Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes

-tim

Compliant but non-functional?

We have 8 devices that claim to be 802.3af compliant power providers. Most of them work with most devices we plug in, but there appears to be no rhyme or reason why some devices won't talk to some providers. There have been situations such as 20 supposedly identical devices plugged into switch A and 16 work but 4 don't. Plug them into vendor B's switch and a different 4 don't work. We even have a Mobotix camera that used to work on most switches but now only works on just one port on one Cisco switch.

Python joins movement to dump 'offensive' master, slave terms

-tim

"I had to change the terms whitelist and blacklist from an internal server-side application over 15 years ago. [...] I thought it was silly but NBD, I changed it to redlist and greenlist and carried on."

So now you're going to upset the Indians and the Hippies?

Strewth! Aussie ISP gets eye-watering IPv4 bill, shifts to IPv6 addresses

-tim
WTF?

Re: Finally?

Internode no longer supports IPv6 on the HFC (aka cable TV) NBN as they are simply reselling TPG service there.

Experimental 'insult bot' gets out of hand during unsupervised weekend

-tim
Coat

Where is that window?

We had a lab full of shiny new Sun 4 workstations. I found out that there was no protection of the window position of other people's sessions and I could detect which window was active. The result was a program that moved their active window towards the edge one pixel every second. In the days of 1024 pixel screens, it didn't take long for it to be very annoying.

Incoming NBN boss inheriting regulation, service headaches

-tim
FAIL

I'm shocked...

An overgrown cable TV network isn't a good data network? Who would have thought that might happen?

I've been telling people to buy a new NBN connection and cancel the other one once it has been proven to work rather than take advantage of migration. I've met way too many people who are in that group of no phone or data for weeks.

Even with HFC, the network should be built like a peering network, not a cable TV network on steroids.^

^ back end complexity, it sure isn't a comment on the speed.

Apple tipped to revive forgotten Macbook Air and Mac mini – report

-tim

I've been waiting to buy one for a long time

For me to buy a computer, I demand replaceable hard drives (yes, 2 need to fit in the box). I have to have expandable RAM. 16 gig just isn't enough for some workloads. I would like the thing to have so many ports it looks like a USB switch. I like an internal power supply and I don't care about the size. It would be nice if I could get 6+ years out of it.

Why don't they roll these out in time for the start of the University class semesters?

Get drinking! Abstinence just as bad for you as getting bladdered

-tim
Pint

Lies, damned lies, or statistics?

Everyone knows that self reporting numbers tend to be off a bit. Perhaps a Reg hack can go out and do some real investigative reporting. I want them to be out there drinking with some of the people that self report and report just how right or wrong their self reporting is. The Whitehall surveys are where a great deal of the data about "normal drinking" comes from.

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

-tim

Re: Should have used a hardware dongle

If it can be mathematically reduced to "something you know" and every hardware token can be, it is not 2FA in the formal sense. In my case I have a list of token IDs in a database. If they get stolen, then whoever stole them can pretend to be any hardware token I've issued.

The real problem is that any proper 2FA system needs to integrate into older hardware. Sysadmins need to log into things like switches and routers and firewalls, and many of them just don't have proper hooks, and many that do can be tricked with things like fake RADIUS servers. Most 2FA solutions are Windows-only or support a very limited amount of hardware. The old OATH and HOTP systems could be done on just about anything, but like the old RSA tokens, once you have the secret keys, it isn't anything other than an annoying one time password.

Now that's a dodgy Giza: Eggheads claim Great Pyramid can focus electromagnetic waves

-tim

Re: Mystery?

I expect the Pyramids at Giza were built two sides at a time with minor bits on the other two as it was built up. That fixes the problem of having a completed pyramid very soon after the death of a Pharaoh. The different chambers also end up near the middle at different times as well. I've seen marks that appear to have been made from logs supporting the outer lip of the casing stones on the Red and Bent pyramids that would imply they put the casing stones on from the top down. I think the evidence that the casing stones were removed and reused is lacking, as the angle they were cut happens to be a suitable angle for archways yet there aren't any examples of it being used that way.

Your 60-second guide to security stuff Google touted today at Next '18

-tim

Re: Two-factor while holding a gadget

The phone is only holding something you know... if you could remember 2048+ bit number. Depending on your legal requirements for two factor authentication, it may not count as something you have.

Fukushima reactors lend exotic nuclear finish to California's wines

-tim
Flame

They missed a source

It turns out the trees are very good at concentrating cesium, and now that more of them are being burned near wine country, all that lovely cesium from the cold war that has been concentrated in trees is being released into the air when those trees burn. The wines from down under seem to have less of an issue, but it did show up with the major fires in the last decades. That mostly flat line on their graph is heading up towards the right if the scale is changed. One report from down under was trying to understand why home fireplaces are releasing more of the stuff than forest fires. Last winter in Europe, most reporting stations were seeing a year on year increase in radiation in the air.

Fork it! Google fined €4.34bn over Android, has 90 days to behave

-tim

Re: Big fines are just a cost of doing big business

What would happen if the court required that they issue $5 billion worth of shares at a $0 share value on a given date based on the prior days closing price? I expect our new AI stock market overlords might have something to say about that type of fine that might have company directors looking to keep everything above board.

Google to build private trans-Atlantic cable from US to France

-tim
Coat

Re: If the Atlantic is so narrow...

The water pressure must be squeezing it smaller.

-tim
Pint

How many repeaters?

Undersea cable was about $7 per meter for the deep sea stuff a few years ago. The real cost is the repeaters that are every 100 to 200 km along the line and used to cost about $1,000,000 each.

I would hope that Google would put in more fibers and have them bypass the repeaters for real world research on long links. A decade ago there were 12,000km links in labs but way too slow. If I were them, I would be putting in the normal repeaters for 4 pairs and then at least a dozen pairs bridging the whole distance, terminated in rooms somewhere at each end where researchers can test real links with new equipment.

Oracle cuts ribbon on distributed ledger service

-tim
Facepalm

Why?

Because as a business with audit requirements, the first thing on my Christmas list is a distributed ledger... for reasons.... I guess.

I think some of the hype of block chain has to be from someone who has figured out the "split islands" problem and wants governments to consider blockchain as secure so they can run several sets of books. While I don't have the computer power to play that game, there are plenty of billionaires who do.

You wanna be an alpha... tester of The Register's redesign? Step this way

-tim
Pint

Geolocating options to turn it off?

I would love to have https://www.theregister.co.uk/uk as well as https://www.theregister.co.uk/us and https://www.theregister.co.uk/oz which would turn off the geolocated story selection.

-tim

Re: How about...

If you're going to fix the commenting, consider running a private usenet server as the real backend. It fixes all the problems most comment systems have, and it addressed them decades ago.

‘Elders of the Internet’ apologise for social media, recommend Trump filters to fix it

-tim
Pint

RFC number?

Too bad RFC-666 has already been taken.

At the current rate RFC-31337 won't be assigned for about a century.

Tech support chap given no training or briefing before jobs, which is why he was arrested

-tim

I was working at a USAF base and the CPU module wouldn't plug into a machine even though the test report said it had been working at the factory. I was in the data center late at night when the Lt Col asked what I was doing, and I mentioned that I needed to cut the metal bracket just a bit but I needed to protect the board from the metal shavings and that had to be in an anti-static environment. He suggested I take it home after learning I did have the proper tools. I told him there was no way I was going to take that out of the machine room without the proper paperwork; based on cost per ounce, it was more expensive than nearly everything else on the base, and there were some very expensive things on that base.

Microsoft: For God's sake, people, cut down on the meetings!

-tim

Re: Then there are the Meetings about a meeting to set the agenda for another meeting

Most companies are at the opposite edge of the spectrum with no records and no agendas. I've been telling middle management that any meeting that doesn't have an agenda and minutes isn't a meeting, it is a waste of time. I figure they will find the middle ground for about two meetings sometime in the next decade and then swing all the way to meetings about a meeting to set the agenda for another meeting.

It's 2018 so, of course, climate.news is sold to climate change deniers

-tim

Re: Nothing worthwhile in the post-2012 gTLDs anyway

You don't need to delete the gTLD, you need to point them to a mostly useless zone file that provides the proper info for the anti-spam filters. That zone file should also point www.@ to a local web site that says "computer says no" while counting the people trying to visit while providing reports of people most likely to click where they shouldn't.

Two-factor auth totally locks down Office 365? You may want to check all your services...

-tim
Facepalm

2FA?

There are strict rules about proper 2 factor authentication: you must pick two out of the set of 1) something you know, 2) something you have and 3) something you are. Most compliance frameworks require the "pick any two" but not two of the same.

Mathematically most of the "something you have" turns out to be "something you know" if it can be shared in any way, such as restoring it to a new phone. All that you have done is doubled down on the "something you know", even if what is known is too much for most people to remember. One of the key bits of "something you have" is that it needs to be unique. Once you can duplicate a token system on a phone, for example, that fits in as something known, not something held, and should be treated as a hopefully strong password stored in a password vault.

A major issue with 2FA is that all the old systems stuff needs to be tied in, and most of the newer solutions just can't be made to work with older hardware, which introduces major weaknesses in the total system. If the corporate phone system is controlled by a 4 digit PIN or a core router can be asked to shift packets around where they aren't meant to go, the rest of the system might have already been compromised.

Boffins want to stop Network Time Protocol's time-travelling exploits

-tim
Pint

Re: Time NTP was upgraded(See what I did there!)

"Sure it is a cost but you can start from £100 (for a Raspberry PI and a GPS expansion board (e.g. from uptronics), antenna, plus a funky case)"

We did that with the £40 uputronics GPS hat. I thought it was about 4 times better than the old server we had been using, and then I looked closer at the numbers and it appears about 4,000 times better than the older one, which was a decade old server that spent its days saving CCTV data on spinning rust. The GPS sits in the warehouse on a beam under one of the plastic skylights. The problem with the hat is it confused the FreeBSD boot process, since that didn't like the NMEA strings, and the 1PPS driver in NTPd can't cope with adjusting the local NMEA clock, so for a non-Internet NTP server you want two Pis, one with a battery-backed clock to keep the time when power gets cycled.

And that's now all three LTE protocol layers with annoying security flaws

-tim
Facepalm

So much more to come

I do like the customization option where the carrier can tell a modern phone that the "2G" that should be displayed in the corner, showing that a Stingray clone has captured the connection, should instead be displayed with an icon that happens to have "99G" or whatever on it.

No more slurping of kids' nationalities, Brit schools told

-tim

Re: Killing the patient

"What language is spoken at home?" does not require "What country were you born in?" to be answered.

It might. Knowing a kid is from Spain means they will speak different Spanish than a Mexican schoolmate. It can also be useful to let teachers know about kids that were from different sides of a war zone.

Perhaps a better solution is to get the UN to come up with a resolution that makes it illegal, along the lines of a war crime, to use children in border disputes and make it very clear that the Nuremberg defense isn't an acceptable defense.

Time to dump dual-stack networks and get on the IPv6 train – with LW4o6

-tim
Meh

So just like the network my phone uses?

My phone uses an IPv6-only network but only hands its applications an IPv4 address. We were heading in the direction of admin interfaces being IPv6-only starting about 3 years ago.

Every once in a while I get sick of the tracking/ad/scam games and turn off IPv4 on my computer. It works much better for me most of the time and most important sites work fine (hint, hint, El Reg).

The rollout of IPv6 in Oz is hampered by the fact that most of the competent IPv6 players were bought out and their new owners never had IPv6 working properly, resulting in everyone using the overgrown cable TV network flavor of the NBN requiring ugly hacks to do IPv6 at all.


Biting the hand that feeds IT © 1998–2019