* Posts by James R Grinter

132 posts • joined 5 Aug 2009


Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power

James R Grinter

Re: "but it also treats mobile users like adults capable of making their own decisions"

Yup, and I’ve seen comments elsewhere on this debacle to the effect that one should be able to consent to what Facebook was doing (“if they pay me enough”, said someone)

But IMHO there’s no way they can obtain legitimate *informed* consent from an average user. With the installed root cert and a VPN Facebook were in a position to read *everything* between the phone and any other TLS protected service that wasn’t using certificate pinning (and probably break those that were), riding roughshod over security best practices, laws, and user agreements.

Requests for info, gag orders and takedowns fired at GitHub users hit an all-time high last year

James R Grinter

Not just source code

Not everything posted to github, gists, or pages, is code.

It’s quite possible for them to end up hosting dubious or illegal content, or just something that is objectionable to another.

Royal Bank of Scotland, Natwest fling new bank cards at folks after Ticketmaster hack

James R Grinter

Re: Ticketmaster should be financially responsible for card replacements

Indeed, they may well be getting a less favourable transaction fee now. Unfortunately we’ll end up paying it in “booking fees”.

(In my case it was my Amex card number that got stolen, but it only came to light after the subsequent BA incident. I haven’t flown with BA in years but it seems someone started testing the numbers they had to see which were still working... it’s good to get alerts on card transactions!)

Begone, Demon Internet: Vodafone to shutter old-school pioneer ISP

James R Grinter

Re: Wild West Days

Is that you, Fis?

Another greybeard has left us: Packet pioneer Larry Roberts dies at 81

James R Grinter

Small correction

It’s *Leonard* Klenrock.

Total Inability To Support User Phones: O2 fries, burning data for 32 million Brits

James R Grinter

Re: Other mobile operators around the world are also affected?

SoftBank did. Presumably they were running one of the old software versions too.

What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs

James R Grinter

Re: easy pickings

Its actually a good procedure (or would be if they’d done it intentionally) - the returning person may not be doing the same job as before so giving a new account name can avoid giving access they used to have but no longer need.

Amazon tries to ruin infosec world's fastest-growing cottage industry (finding data-spaffing S3 storage buckets)

James R Grinter

About bloody time!

I think it isn’t truly appreciated just how easy it is for an authorised piece of software to upload an object - with an “everyone can read it” ACL - and completely undo any attempts to keep the bucket secure.

(Yes, you could craft a policy that blocked anything with open access from being created, but you couldn’t block everything already there.)

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption

James R Grinter

Re: Paul Vixie is correct

The malware authors are gonna love this new feature, as a way of avoiding even their C&C lookups from being seen.

British Airways hack: Infosec experts finger third-party scripts on payment pages

James R Grinter

I've never lost out as a result of fraudulent transactions on any credit card and there have been a few over the years (I don't think I've ever had my debit card ripped off: I don't use it anywhere but ATMs.)

It's just the inconvenience of having to get cards replaced, but Amex were quick (reported Saturday, arrived Tuesday) on the last occurrence - which was probably the miscreants testing cards stolen via Ticketmaster but after the BA hack and publicity.

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

James R Grinter

Re: Missing from the press release -- CVV status

Co-inky-dinkly, my Amex card just got abused last night. At least twice, before I was able to make the call and get it blocked.

Nothing massive, just a couple of online services taking a preauth - possibly an abuser “testing” the numbers. Now I’ve not flown BA for a while: I probably have used that card number with them in the past, though it would be a different expiry and CID.

But there’s a few other orgs that held that card’s details, at least three of which are “big enough” to have been storing numbers themselves instead of a third party system. I hope none of them have been hit, for that would be very messy indeed.

UK Home Sec Amber Rudd unveils extremism blocking tool

James R Grinter

Re: Machine learning.

Adversarial attacks on machine learning are the new hotness!

Here’s an idea: develop or improve some video encoding software, get lots of folk using it, and then flip a switch. Now everyone’s uploading “terrorist content”.

UK security chief: How 'bout a tax for tech firms that are 'uncooperative' on terror content?

James R Grinter

Re: So if I pay, it's OK?

Perhaps he’s one of those politicians that consider all fines to be taxes? (It’s not just some politicians that think this way, of course)

Russia threatens to set up its 'own internet' with China, India and pals – let's take a closer look

James R Grinter

Re: Wait what?

Rubbish. It should take a maximum of whatever the TTL was on the record you are changing, and that only if someone looked it up for the first time just before you changed it (unlucky!) and only for those querying that nameserver.

There is no “percolation” in DNS.

Badass alert: 1 in 5 Brits don't give a damn about webpage crypto-miners

James R Grinter

Re: An ounce of prevention.

Hosts files don’t work like that.

As Google clamps down, 'Droid developer warns 'breaking day' is coming

James R Grinter

Re: Rinse and repeat

Yes! I think the lesson we should all take from this is that APIs for mass market products need very careful consideration and design, including some thought on “how would someone exploit this for personal gain?”

James R Grinter

If you read what the poster said, it wasn’t that all push notifications were the issue.

It was a statement that the only way to get a new email notification for an Android email client, since changes that have affected background apps, was to have some central system be logging in and checking the emails too. Yeah, that sounds suboptimal.

Amazon's answer to all those leaky AWS S3 buckets: A dashboard warning light

James R Grinter

Re: “accidentally left open” is incorrect...

It only takes use of a tool uploading an object with a “public” ACL to make some content public.

It’s easily done: one of my colleagues had it happen with some autogenerated CI reports, not fully appreciating the significance of HTML in an S3 bucket that they could directly access via a web browser (it had a “complex”URL path, but required no authentication)

You can write an S3 policy to prevent public ACLs on objects, at the expense of breaking tools like the above, but it’s hard (impossible?) to write one that enforces access to only IAM users from your account - unless you are willing to modify the policy for every user you add or remove.

Apple's 'shoddy' Beats headphones get slammed in lawsuit

James R Grinter

Re: People compare apples to oranges, as usual

They don't look like they'd be suitable for running in, but they may be fine for at a desk.

Alas, discontinued- any ideas of the replacement model?

CrashPlan crashes out of cloudy consumer backup caper

James R Grinter

Re: Crashplan alternative

Ah, useful. I hadn't come across Duplicacy in my reading since the big CrashPlan announcement.

They could be just what I need, for some Linux systems I have, and using one product across Linux and Mac would be easier (Arq was the leading contender, for the latter)

Solaris admins! Look out – working remote root exploit leaked in Shadow Brokers dump

James R Grinter

The first rule of Solaris on the internet was always to disable every tooltalk and any other non essential rpc daemon, and block off the rest from remote access. If you tell that to the kids these days...

TCP/IP headers leak info about what you're watching on Netflix

James R Grinter

Viewing figures?

I can imagine Nielsen, and others, will be dashing off to try and implement this to get viewing figures for their customers that are currently unavailable to them.

US ISPs, with their new freedom to sell off aggregate customer data, will be ideally placed to provide the network access.

Now UK bans carry-on lappies, phones, slabs on flights from six nations amid bomb fears

James R Grinter

Re: Cameras

It's not being in the hold that you need to worry about, it's the journey there!

You see some horrific baggage handling out on the tarmac, sometimes.

UK to block Kodi pirates in real-time: Saturday kick-off

James R Grinter

Re: Real cost of sports subscriptions

I saw some numbers shared recently by an analyst for US based cable and sports- calculated as the sums paid to the sporting bodies divided by total cable subscribers. The payment per subscriber, that's regardless of whether they actually had that sport in their "package", was huge!

Here it is, https://twitter.com/asymco/status/839495399052308480

Aaarrgh, zombie! Dead Apple iOS monopoly lawsuit is reanimated

James R Grinter

Re: No rocket science is necessary for the understanding of this story.

I seem to recall Lexcycle being bought by Amazon, and then them removing it from sale because they wanted to promote their proprietary DRMd content reader instead.

DDoS in 2017: Strap yourself in for a bumpy ride

James R Grinter

Until they've blocked everything.

Or, they could actually manage their networks, detect when stuff doesn't look right, and shut down the customers until they fix it (assuming their contracts were wisely drafted)

FYI Apple fans – iCloud slurps your call histories

James R Grinter

Re: They store records of my voice calls ??

And I hear there's a thing called a "phone company", that is involved. Apparently they sneakily make a record of these voice call things, too. Scoundrels, the lot of 'em.

UK.gov flings £400m at gold standard, ‘full-fibre' b*&%*%£$%. Yep. Broadband

James R Grinter

Re: Get the basics right first.

Wait a little while and some scallies will come along and nick the alu by dragging it out the ground late one evening (probably whilst hoping it's cu). Especially with the way the economy is headed.

Twitter trolls are destroying democracy, warn eggheads

James R Grinter

Re: It is a sytemic problem

Pre web? Did you never see/use Usenet?

WhatsApp, Apple and a hidden source code F-bomb: THE TRUTH

James R Grinter

Re: WTF is with those "break label613;" statements?

Decompiled Java code, there's no symbols and often the real control structures are lost.

Hapless Virgin Media customers face ongoing email block woes

James R Grinter

Tried to communicate with their Postmaster

But many attempts were blocked, and my eventual reply to their reply was rejected too.

I guess they got rid of their previous team when they outsourced to Google, and couldn't find anyone when they had to (inevitably) in-source again.

Competition watchdog dismisses plans by TfL to uber-regulate Uber

James R Grinter

Are they agreeing the fare before the journey begins

Or are they still making it up as they (the driver) go along?

I wouldn't use any other mini-cab if I didn't know how much it was going to cost before I started the journey. Why would I want to use Uber?

How TV ads silently ping commands to phones: Sneaky SilverPush code reverse-engineered

James R Grinter

Re: Android 6 Permissions

Alas, Android apps often need access to "external storage" to do the most trivial of things. We developers/publishers of apps would love a finer grained access, and less frightening/misleading descriptions of the permissions displayed to users, but we can't yet always get that.

Virgin Media filters are still eating our email – Ntlworlders

James R Grinter

Re: ISP email?

They were rejecting emails during delivery, the other week (including to postmaster). So you almost certainly have lost some.

Virgin Media's SPAM-AGEDDON 'fix' silences mailboxes

James R Grinter

I was getting instant "this email is spam" bounces when trying to email a blueyonder address last week.

So I tried to tell their postmaster, but that bounced too.

T-Mobile US CEO calls his subscribers thieves, gripes about 'unlimited' limited tethering

James R Grinter

2TB a month, though? Through anything, let alone a phone, that's a lot of data!

No Silicon Roundabout U-Bend U-Turn: Build that peninsula boys

James R Grinter

shared space

Planners keep suggesting and trying to implement it all over, but it's widely agreed by many road users (motorists, pedestrians, cyclists) that it is not a good idea.

it certainly doesn't slow traffic down, anyway

Next-gen Freeview telly won't be another disruptive 4Ker

James R Grinter

Re: Freeview Play

Indeed, "and just 68 per cent per cent of them connect “multiple” times a week" -- because the tv manufacturers don't bother with keeping last year's models services up to date, fools!

2011 Panasonic TV here, which never got Netflix and has just lost YouTube, and isn't supported by many of the new Freeview IP based channels. Firefox OS or not, I'm unlikely to buy another Smart TV from them again.

Golem: Prominent plasticine phallus caught in tech consumerist nightmare

James R Grinter

Re: Provincial Theatres

indeed. This play has already been performed in Harrogate, Brighton, and Salzburg. Up next after London would appear to be Taipei! and Paris.

Google pulls plug on YouTube for older iPads, iPhones, smart TVs

James R Grinter

Re: Panasonic 2012 P50VT50

I have a 2011 Panasonic, bought early 2012. They haven't updated the (Panasonic-implemented) YouTube interface that it receives.

That it is delivered via their online-based Viera network - i.e. it doesn't even require a software update - just really grates. Frankly I expect to get 7-10 years from a telly, in fact as long as the picture showing bit continues to show pictures!

Why Box and not SharePoint? 'Everybody doesn't hate us' says Box engineering veep

James R Grinter

Re: I hate box.

it changed quite a while ago, "Box Sync" can synchronise to a local drive automatically. You still have to configure the top level Box-side folders that will synchronise though and, like Dropbox, it has strong opinions on where it will put those files.

Ofcom can prise my telly spectrum from my COLD, DEAD... er, aerial

James R Grinter

Re: Broadcast is efficient

Some of us live in flats and apartment blocks these days. What's the tech like for massively shared dishes, if each apartment wants two or three receivers?

Want to have your server pwned? Easy: Run PHP

James R Grinter

Re: I wonder...

I'm wondering how many know they're not relying upon (php-cgi seems to have been the main recent weakness) and keep an eye on each CVE to assess the risk and urgency of updates. it can't just be me?

James R Grinter

headlines vs. details

But not every vulnerability in every version is going to be "active" in every installation of it. The one where executing PHP scripts via CGI were vulnerable to attack is not going to apply to anyone using mod_php or php-fpm, for example.

Not to defend PHP (it sure has its issues, and it certainly lets people do stupid things), but there are plenty of poorly written applications, or large complex and evolved applications (such as Wordpress), or very widely deployed applications (such as Wordpress) that offer plenty of scope for attack and would do so whatever languages they were implemented in.

Jellybean upgrade too hard for Choc Factory, but not for YOU

James R Grinter

Re: Technical or financial

An update based off jelly bean- no driver issues for the older hardware- would be far easier for the manufacturers to deploy than the engineering required for Kitkat (or other) on old hardware. That's why the manufacturers should be the ones demanding support from Google.

TalkTalk eyes up Blinkbox for advanced FOURPLAY – report

James R Grinter

Blinkbox was an acquisition.

(Blinkbox existed before it was a Tesco business.)

We recently tried its service: having to rely upon Silverlight really hurts them, as does their top-up credit approach. I'd be unlikely to use them again, even if they were the only service with the next film I want to rent.

ICANN's technical competence queried by Verisign report

James R Grinter

"Hello Kettle," said Pot. You're looking rather black."

GOTCHA: Google caught STRIPPING SSL from BT Wi-Fi users' searches

James R Grinter

Back in July they (BT) were also breaking Google drive, with their meddling of google.com

BBC clamps down on illicit iPlayer watchers

James R Grinter

Re: illicit viewers?

I have a 'SmartTV' with iPlayer. Generally the entire TV now crashes after watching one HD programme. Sometimes it crashes before watching any. That's when I have had to resort to watching iPlayer via XBMC.

Looks like they're determined to reduce the number of iPlayer users.

(Also, encrypting/protecting the feed, like encrypting the DVB-T2 version of the programme guide - I assume it's just a management "hack" because they were told not to DRM the video itself?)

Google hits back at 'Dear Rupert' over search dominance claims

James R Grinter

Say no to SEO?

So News International will be rolling out robots.txt entries that block that evil nasty Google and their web crawlers, yeh?


Biting the hand that feeds IT © 1998–2019