* Posts by Pascal

214 posts • joined 25 Dec 2009


Fancy a .dev domain? They were $12,500 a pop from Google. Now, $1,000. Soon, $17.50. And you may want one

Pascal

Re: If only....

As long as you add non-country-specific names at the root of the hierarchy, to allow international organisations to be properly identified. Call them "Top Level Names" or something. You'd need them for COMmercial entities, communication NETworks and the like. Maybe also open that up so that various interest groups could register their own root name.

Pascal

Re: Not remotely compelling

The compelling reason is "hey, you won't have to add *one* header to your site to enforce HSTS"?

Pascal

Re: But I've had a couple dev domains for over three decades!

This.

It's annoying, but $17/year is cheap enough to just get it for our corporate domain, just to prevent some other asshat from getting it.

That definitely figures in the business model of anyone registering a new TLD. They know they will instantly recoup any costs and get an instant recurring profit model just from the 1000s of brands that register their names in every TLD under the sun preemptively, because that definitely costs less than any effort at getting rid of even just one squatter.

Of course currently for our domain it lists a $1700 "early access" .DEV fee, so let's see if it's still there on Sunday.

Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

Pascal

Not putting in default values is fine, ...

But it would be really helpful to have some indication as to what is considered normal and what is considered excessive or for that matter where / how to log the # of settings parameters per frame and/or # of settings frames exchanged with a client.

We're left with this:

Name: Http2MaxSettingsPerFrame

Type: DWORD

Data: Supported min value 7 and max 2796202. Out of range values trimmed to corresponding min/max end value.

And no clue whatsoever on picking a reasonable value.

As much as I like learning protocols, fixing a potential DoS situation should come with better guidelines than "go learn everything about http/2 and settings/frames" :(
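One way to get the "what is normal" indication the post asks for is to count SETTINGS parameters per frame on your own traffic. The following is an added example, not code from the original post or from Microsoft: a small parser for the HTTP/2 framing layer (9-byte frame header, 6 bytes per SETTINGS parameter, as in RFC 7540) that walks a byte stream and reports frames carrying more parameters than a threshold, plus two outright protocol errors (SETTINGS on a non-zero stream, ACK with a payload). The threshold 7 is the documented minimum quoted above; the sample frames are constructed for the demo.

```python
"""Added example (not from the original post): count SETTINGS parameters per
HTTP/2 frame from raw bytes so a defender can see what an ordinary client sends
versus a frame stuffed with parameters. Frame layout follows RFC 7540
(9-byte frame header; each SETTINGS parameter is a 16-bit id + 32-bit value).
The threshold 7 is the documented minimum quoted in the post; the sample
frames below are constructed for the demo."""
import struct

SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ACK_FLAG = 0x1
SETTING_NAMES = {
    0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
}


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def build_settings_frame(pairs, ack=False):
    """Build a SETTINGS frame (always stream 0) from (identifier, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)
    return build_frame(SETTINGS_FRAME_TYPE, SETTINGS_ACK_FLAG if ack else 0, 0, payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for every frame in a byte stream."""
    pos = 0
    while pos < len(data):
        if pos + 9 > len(data):
            raise ValueError("truncated frame header at offset %d" % pos)
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload at offset %d" % pos)
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def parse_settings(payload):
    """Decode a SETTINGS payload into (identifier, value) pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return [struct.unpack("!HI", payload[i:i + 6]) for i in range(0, len(payload), 6)]


def audit_settings(data, max_per_frame=7):
    """Walk a connection's frames and report SETTINGS usage.

    Returns a dict with the number of SETTINGS frames seen, the total number of
    parameters, and a list of (frame_index, parameter_count, reason) findings
    for frames that exceed max_per_frame, carry a non-zero stream id, or
    combine the ACK flag with a payload (the last two are protocol errors).
    """
    report = {"settings_frames": 0, "parameters": 0, "findings": []}
    for index, (ftype, flags, stream_id, payload) in enumerate(iter_frames(data)):
        if ftype != SETTINGS_FRAME_TYPE:
            continue
        report["settings_frames"] += 1
        params = parse_settings(payload)
        report["parameters"] += len(params)
        if stream_id != 0:
            report["findings"].append((index, len(params), "settings on non-zero stream"))
        if flags & SETTINGS_ACK_FLAG and payload:
            report["findings"].append((index, len(params), "ack with payload"))
        if len(params) > max_per_frame:
            report["findings"].append((index, len(params), "too many parameters"))
    return report


# Constructed sample traffic: one ordinary client SETTINGS frame, a DATA frame
# on stream 1, and one SETTINGS frame repeating INITIAL_WINDOW_SIZE 50 times.
SAMPLE_STREAM = (
    build_settings_frame([(0x3, 100), (0x4, 65535), (0x5, 16384)])
    + build_frame(0x0, 0, 1, b"hello")
    + build_settings_frame([(0x4, 65535)] * 50)
)

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_STREAM)["findings"]:
        print(finding)
```

Run it over a packet capture's decrypted application data (or the frames your own load balancer logs) and the `parameters` total divided by `settings_frames` gives the per-frame figure a real client population produces, which is the baseline to compare the registry value against.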

Go, go, Gadgets Boy! 'Influencer' testing 5G for Vodafone finds it to be slower than 4G

Pascal

Re: No, thank you.

"As an aside, I lost count of the websites that put a mega hi-res pic up scaled down to 640 by 480"

Best one I've seen: newsletter from a major news outlet, sending a custom version designed for cell phone email clients. The newsletter included thumbnails for each article (pretty small since phone layout, in the ~90 x 90 px range on-screen). One glorious cock-up later in their CMS thumbnail generator, and the thumbnails actually sent out were the full 30 MB files.

Pascal

Can't decide if that post is sarcasm or real.

Either way, unrelated, I think we need a BOFH episode about "influencers". (Yes: in quotes).

HPE wants British ex-CFO to testify in UK Autonomy lawsuit before Uncle Sam sentences him

Pascal

Re: Ponzi Scheme

Gee that's an easy one to solve, just need eternal economic growth. Also sprinkle a nice dose of inflation on top to devalue the debt. Voilà! Problem solved, debt gets paid off by pocket change. Can I be President now?

Crash, bang, wallop: What a power-down. But what hit the kill switch?

Pascal

Re: Not Unique...

Building codes changed a bit over the years, magnetic lock doors here now can't work like that anymore.

You can get the usual ID mechanism (card reader or biometric or whatever on the side of the door) for normal access, but emergency access has to be the "normal door way" i.e. turn the handle / press the release bar in the middle of the door, except secure doors are allowed to have a timer of up to (15 seconds I think) with an audio warning before the emergency release happens / alarms are triggered.

Pascal

Re: Not Unique...

For a time, yeah. Early turbo switches changed the clock speed of the whole system, as the ISA bus was synced to the CPU.

Blockchain is bullsh!t, prove me wrong meets 'chain gang fans at tech confab

Pascal

Re: Sorry

The problem exists: "What can we use Blockchain for?"

Pascal

Re: I've yet to hear of an actual, real application of blockchain

Especially if there's Synergy between the blockchain and the AI.

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Pascal

Re: Still used?

If you're using a "recent" (as in, 2008+) AD and only allow Kerberos, according to an old Technet article the passwords are stored like this:

"AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96 - Used for Kerberos authentication since Windows Server 2008. Salted with user logon name and hashed 4096 times using HMAC-SHA1."
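The quoted derivation can be reproduced for its first stage with the standard library. The block below is an added example, not code from the original post or from Microsoft: PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the principal as RFC 3962 describes (uppercase realm followed by the principal name). The real Kerberos key then goes through an AES-based DK() step that this stdlib-only demo omits, so the output here is the intermediate key, not the final AES key. Realm, account and password values are constructed.

```python
"""Added example (not from the original post): the PBKDF2 stage of Kerberos
AES string-to-key as quoted above (HMAC-SHA1, 4096 iterations, salted with the
principal). Per RFC 3962 the default salt for a user principal is the
upper-cased realm followed by the principal name. The resulting intermediate
key would next be run through an AES-based DK() step, which this stdlib-only
demo omits. Realm, account and password values are constructed."""
import hashlib
import hmac
import time

KRB5_AES_ITERATIONS = 4096          # iteration count named in the quoted text
AES128_KEY_LEN, AES256_KEY_LEN = 16, 32


def krb5_salt(realm, principal):
    """Default salt for a user principal: REALM (upper-cased) + principal name."""
    return (realm.upper() + principal).encode("utf-8")


def pbkdf2_tkey(password, salt, key_len):
    """PBKDF2-HMAC-SHA1(password, salt, 4096 iterations) -> intermediate key bytes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               KRB5_AES_ITERATIONS, key_len)


def cost_ratio(seconds=0.2):
    """Empirical guesses/second of one HMAC-SHA1 versus one full derivation on this machine.

    Not exact (timer and interpreter overhead), but it shows why the quoted
    scheme is far slower per guess than an unsalted single hash of the password.
    """
    salt = krb5_salt("example.com", "alice")          # constructed principal
    single, derived = 0, 0
    end = time.perf_counter() + seconds
    while time.perf_counter() < end:
        hmac.new(b"constructed-pw", salt, hashlib.sha1).digest()
        single += 1
    end = time.perf_counter() + seconds
    while time.perf_counter() < end:
        pbkdf2_tkey("constructed-pw", salt, AES256_KEY_LEN)
        derived += 1
    return single / max(derived, 1)


if __name__ == "__main__":
    key = pbkdf2_tkey("constructed-pw", krb5_salt("example.com", "alice"), AES256_KEY_LEN)
    print("intermediate key:", key.hex())
    print("single HMAC vs PBKDF2 guesses, approx ratio:", round(cost_ratio()))
```

Two details matter for the "8 characters in 2.5 hours" comparison: the per-user salt means a cracked list cannot be reused across accounts (two users with the same password get different keys), and the 4096 iterations multiply the cost of every guess, which `cost_ratio()` makes visible on your own hardware.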

Pascal

Re: The Usual Response...

I still don't like them either but typical password managers now encrypt passwords on your end before storing them and your one master password that you need to remember is used to encrypt the key.

Fake broadband ISP support scammers accidentally cough up IP address to Deadpool in card phish gone wrong

Pascal

Re: reporting the account and the IP address to Twitter and the Met Police

Yeah for a while we played with honeypots against various scams like those "president of our company sends urgent email to accounting needing a bank transfer done" messages, collecting communication traces and IP addresses, and reported the first couple of those to the proper authorities. It quickly became clear that nobody gave a rat's ass about it when we were never asked any follow-up questions and any of our own follow-up questions never got any real replies.

France wants in on the No Huawei Club while Canuck infosec bloke pretty insistent on ban

Pascal

Re: Huawei isn't any different than any other corporations.....

That phrasing is a hell of a culture clash tho.

It still comes down to firing people to increase profit, but there would be an interesting uproar if a Western company called it "getting rid of mediocre people".

Stalk my pals on social media and you'll know that the next words out of my mouth will be banana hammock

Pascal

Funny, a few weeks ago there was this radio show host that was going full-on conspiracy theorist about this -- stating that targeted ads kept coming up for him in a way that made him certain Google was listening to his conversations through his Android phone.

I guess both are just as likely!

Huawei sales director nicked in Poland on suspicion of 'spying'

Pascal

Re: NEWS FLASH

It's funny how some people think China is that retrograde country filled with such incompetent populace that its economy would collapse and it would lose all skills needed to do anything relevant if a few expat workers were to leave.

Yes, you can remotely hack factory, building site cranes. Wait, what?

Pascal

How does "Offline" and "Wireless" fit in the same conversation exactly?

"It's really a philosophical issue rather than a technical one. On one hand, you don't want to load something down with security implementations when it's a strictly private offline network."

ouch.

This must be some kind of mistake. IT managers axed, CEO and others' wallets lightened in patient hack aftermath

Pascal

Re: It might have as much to do with who was affected as with local culture.

Indeed. The prime minister was affected, so heads had to roll.

You were told to clean up our systems, not delete 8,000 crucial files

Pascal

Re: xfer

I took an even worse habit of just hooking up the old drive to a new system. My current home desktop has its own fast SSD + big HDD pair, and then it also has the drives from the 2 previous generations hooked up "to be sorted later".

Yes there are backups of that mess.

But I don't see myself sorting it out any time soon.

Maybe next system.

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

Pascal

"The airline has set up a dedicated website"...

... That asks you to provide them location data!

Because why let the fact that the site is about a data breach get in the way of collecting more data?

Junior dev decides to clear space for brewing boss, doesn't know what 'LDF' is, sooo...

Pascal

Re: PSA

"Or is it all self-tuning and autonomous for all but the most esoteric setups?"

More or less.

You can get cheap all-flash storage arrays that can do 100,000 x more IOPS than you had access to during the classical period, and of course nobody runs databases against Pentium 3s with only a few MB of RAM...

So unless you have top tier requirements, it's easy to just throw hardware at a problem to make poor design go away.

Pascal

"Why would database software be written such that deleting an ancillary file ( such as a log file of historic steps) cause it to fall over?"

Because the transaction log of an SQL server is anything BUT an "ancillary file".

SQL Server transaction logs are actually split into virtual log files that are used in rotation. All transactions are written sequentially to them, and eventually it goes back to the start / 1st virtual file and starts over, ever-overwriting old transactions.

Other than being where current, non-committed transactions are serialized to allow for rollback or for recovery in case of power loss / unexpected shutdown, it also serves multiple other purposes and that's where "runaway transaction log files" tend to happen to people, but those are actually an indicator of something not configured correctly or something else being broken.

The issue is that those virtual log files can only be reused once they can be cleared; and a few things control how and when they can be cleared.

One thing is ongoing, uncommitted transactions. Put simply, if you have 10 GB of uncommitted transactions and 5 GB of transaction log files... Well, the file will grow. That's normal, otherwise the transaction can't happen.

But SQL Server also has different recovery models (related to how you backup/restore a database).

A "full recovery" database is designed in such a way that by combining (full / differential) backups and transaction log backups, you can do point in time restores down to an exact transaction.

To do that however all transactions must also be backed up! So until a specific virtual file is fully backed up, it can't be freed for reuse. It's typical for fully logged databases to have a very fast transaction log backup regime (think 5-15 minutes), because the transaction log must hold all transactions until they're backed up.

If someone sets a database to be fully logged, and then does not get a transaction log backup schedule going, well... Their log file will grow indefinitely, because... well because that's what they asked it to do.

Another reason is replication. The various replication schemes that exist in SQL Server are based off the transaction log: transactions that are committed on the source server are transferred to the transaction log of the target server and then also committed to the data files of the target servers. Any virtual log files that contain data that is not yet replicated to even just one of the target servers can't be cleared for reuse, so broken replication configurations / failed servers can be a reason for transaction log file bloat.

Oh well I could keep blabbing about that, but yeah confusing the transaction log with just "log files" is a classic mistake that bites every SQL dabbler in the ass eventually :)
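The three reuse conditions described in the post (open transaction, missing log backup under full recovery, unreplicated records) can be watched in a toy model. The block below is an added example, not code from the original post and not SQL Server code: a ring of virtual log files where a VLF is only cleared once every record in it is committed, backed up (FULL recovery only) and replicated (when replication is on), and where the file "grows" whenever the next VLF is still held. The wait reasons reuse the names SQL Server reports in `sys.databases.log_reuse_wait_desc`; one record per transaction and growth by one VLF are simplifications.

```python
"""Added example (not from the original post, not SQL Server code): a toy model
of the transaction-log behaviour the post describes. The log is a ring of
virtual log files (VLFs); a VLF can only be reused once none of its records
belongs to an open transaction, all have been backed up (FULL recovery only)
and all have been replicated (when replication is on). When the next VLF is
not reusable the file "grows". The wait reasons use the names SQL Server
reports in sys.databases.log_reuse_wait_desc. One record per transaction and
growth by exactly one VLF are simplifications."""


class TransactionLog:
    def __init__(self, vlf_count=2, vlf_capacity=3, recovery="FULL", replication=False):
        if vlf_count < 2:
            raise ValueError("need at least two VLFs to rotate")
        self.vlfs = [[] for _ in range(vlf_count)]   # each VLF holds the ids of transactions logged in it
        self.capacity = vlf_capacity
        self.recovery = recovery                       # "FULL" or "SIMPLE"
        self.replication = replication
        self.current = 0                               # VLF being written
        self.open_txns = set()                         # not yet committed
        self.backed_up = set()                         # covered by a log backup
        self.replicated = set()                        # delivered to every subscriber
        self.growths = 0

    def _wait_reason(self, vlf):
        """Why this VLF cannot be cleared, or NOTHING if it can."""
        txns = set(vlf)
        if txns & self.open_txns:
            return "ACTIVE_TRANSACTION"
        if self.recovery == "FULL" and txns - self.backed_up:
            return "LOG_BACKUP"
        if self.replication and txns - self.replicated:
            return "REPLICATION"
        return "NOTHING"

    def log_reuse_wait_desc(self):
        """What is holding up reuse of the next VLF in the ring."""
        return self._wait_reason(self.vlfs[(self.current + 1) % len(self.vlfs)])

    def write(self, txn_id):
        """Append one log record; rotate to the next VLF or grow when the current one is full."""
        self.open_txns.add(txn_id)
        if len(self.vlfs[self.current]) >= self.capacity:
            nxt = (self.current + 1) % len(self.vlfs)
            if self._wait_reason(self.vlfs[nxt]) == "NOTHING":
                self.vlfs[nxt] = []
                self.current = nxt
            else:
                self.vlfs.append([])              # autogrow: one more VLF at the end of the file
                self.current = len(self.vlfs) - 1
                self.growths += 1
        self.vlfs[self.current].append(txn_id)

    def commit(self, txn_id):
        self.open_txns.discard(txn_id)

    def backup_log(self):
        """A transaction log backup covers every record written so far."""
        self.backed_up.update(t for vlf in self.vlfs for t in vlf)

    def replicate(self):
        """Distribution delivered all committed records to the subscribers."""
        self.replicated.update(t for vlf in self.vlfs for t in vlf if t not in self.open_txns)


def run_scenarios():
    """Ten small committed transactions under different settings; returns growth counts and wait reasons."""
    out = {}
    full = TransactionLog(recovery="FULL")            # full recovery, nobody backs up the log
    for t in range(1, 11):
        full.write(t)
        full.commit(t)
    out["full_no_backup"] = (full.growths, full.log_reuse_wait_desc())
    full.backup_log()                                  # log backup frees the ring again
    before = full.growths
    for t in range(11, 21):
        full.write(t)
        full.commit(t)
    out["full_after_backup"] = full.growths - before

    simple = TransactionLog(recovery="SIMPLE")         # simple recovery: commit alone frees a VLF
    for t in range(1, 11):
        simple.write(t)
        simple.commit(t)
    out["simple"] = (simple.growths, simple.log_reuse_wait_desc())

    stuck = TransactionLog(recovery="SIMPLE")
    stuck.write(1)                                     # transaction 1 is never committed
    for t in range(2, 11):
        stuck.write(t)
        stuck.commit(t)
    out["open_transaction"] = (stuck.growths, stuck.log_reuse_wait_desc())
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The `log_reuse_wait_desc()` value is the thing to look at first when a log file is bloating: it names the condition holding the ring, and the remedy (commit or kill the open transaction, schedule log backups, fix the subscriber) follows from it.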

Nikola Tesla's greatest challenge: He could measure electricity but not stupidity

Pascal

Re: country & western singers

The list is a good first draft, but you really should bump "influencers" up a bit. Probably above country singers even.

Sendgrid blurts out OWN customers' email addresses with no help from hackers

Pascal

The way it works is that messages they send out have unsubscribe links.

Those links ask for confirmation - displaying the name/address about to unsubscribe, and from what list.

This isn't supposed to be crawlable as nothing refers to those URLs in the first place, and robots.txt files block those paths from indexing.

But then people receive messages and post the full message to various forums or other public sites - for whatever reason (sharing messages they got, etc.) and they don't remove those links.

The forums are indexed, and follow those links -- and Google explicitly ignores robots.txt for content linked from other sites, they only honor explicit headers in pages under that circumstance.

The leak really originates from specific users posting their messages online, added to Sendgrid not understanding how Google indexing / robots.txt work.

This specific scenario has happened to most major online services like that - any service that has any sort of links that automate access to any types of profiles is susceptible to that kind of indexing when users don't understand where they're posting those links.
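The defensive shape the post points at, an explicit per-page signal rather than reliance on robots.txt and a confirmation page that does not render the subscriber's address, looks like this. The block is an added example, not code from the original post and not SendGrid's: an unsubscribe endpoint whose responses carry an `X-Robots-Tag: noindex` header, whose GET names only the list, and which acts (and shows a masked address) only on POST. The subscriber records, HMAC secret and URL layout (`/unsubscribe?s=<id>&t=<token>`) are constructed for the demo.

```python
"""Added example (not from the original post, not SendGrid code): an unsubscribe
confirmation endpoint built the way the post's explanation suggests. Responses
carry an explicit noindex header (robots.txt only says "don't crawl" and does
nothing for a URL reached from another site), a GET never renders the
subscriber's address, and the action only happens on POST. Subscriber records,
the HMAC secret and the URL layout are constructed for the demo."""
import hashlib
import hmac
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-secret"                                # real deployments load this from config
SUBSCRIBERS = {"sub-001": ("alice@example.com", "Weekly digest")}  # constructed sample data
ROBOTS_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",  # per-URL signal honoured on the page itself
    "Cache-Control": "no-store",
    "Content-Type": "text/html; charset=utf-8",
}


def make_token(sub_id):
    """Per-subscriber token so a guessed id alone is not a valid link."""
    return hmac.new(SECRET, sub_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def token_ok(sub_id, token):
    return hmac.compare_digest(make_token(sub_id).encode("utf-8"), token.encode("utf-8"))


def mask_email(address):
    """alice@example.com -> a***@example.com: enough for the user, useless to a crawler."""
    local, _, domain = address.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


def handle_unsubscribe(method, path):
    """Pure request logic: returns (status, headers, body) for GET/POST /unsubscribe."""
    qs = parse_qs(urlparse(path).query)
    sub_id = qs.get("s", [""])[0]
    token = qs.get("t", [""])[0]
    if sub_id not in SUBSCRIBERS or not token_ok(sub_id, token):
        return 404, ROBOTS_HEADERS, "<p>Unknown unsubscribe link.</p>"
    email, list_name = SUBSCRIBERS[sub_id]
    if method != "POST":
        # Confirmation step: name the list, never the address, and require a POST to act.
        return 200, ROBOTS_HEADERS, (
            '<form method="post"><p>Unsubscribe from %s?</p>'
            '<button type="submit">Confirm</button></form>' % escape(list_name))
    return 200, ROBOTS_HEADERS, "<p>%s has been removed from %s.</p>" % (
        escape(mask_email(email)), escape(list_name))


class UnsubscribeHandler(BaseHTTPRequestHandler):
    def _serve(self):
        status, headers, body = handle_unsubscribe(self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))

    do_GET = do_POST = _serve


if __name__ == "__main__":
    print("try: http://127.0.0.1:8080/unsubscribe?s=sub-001&t=" + make_token("sub-001"))
    HTTPServer(("127.0.0.1", 8080), UnsubscribeHandler).serve_forever()
```

Crawlers issue GETs, so even a link that lands on a public forum yields a page with no personal data and a header telling the indexer to drop it; the real action and the (masked) address only appear to whoever submits the form.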

Australia's Snooper's Charter: Experts react, and it ain't pretty

Pascal

Re: GDPR compliance

Of course. GDPR has exceptions tailored exactly for that.

GDPR basically goes "You shall not retain data without user permission, except if you have any other legal reasons to do so".

British Airways' latest Total Inability To Support Upwardness of Planes* caused by Amadeus system outage

Pascal

Re: weight calculation

"You do these calculations before you load the cargo into the plane. Having the plane measure it and then say "oops, that's outside the safe limits, you need to unpack and rearrange" is sort of not helpful..."

Then hum... Why were the passengers sitting IN a plane for 3 hours? Surely they should have done the calculations before letting them board?

Tired sysadmin plugged cable into wrong port, unleashed a 'virus'

Pascal

I looped switches like that too once, except...

.. that when I did it, I also took down a border router of my then-ISP, which apparently disrupted service to a few dozen other customers of theirs.

Happy times :)

App devs bewildered by last-minute Google GDPR klaxon

Pascal

Technically, because if your app is free and ad-driven, they're not your customers, they're your product. Hasn't that been the generally accepted consensus for a while already?

Anyway I hate ads as much as the next guy and would rather pay for an app than have ads, I think it's the most annoying shit that can ever be put in a mobile app.

But it seems Google also fucked up in the sense that GDPR doesn't require consent to show ads, it would only require consent to track users (so personalised ads)? Shouldn't their API be about consenting for personalized ads (with tracking) vs generic ads, without forcing the "no ads" option?

Equifax reveals full horror of that monstrous cyber-heist of its servers

Pascal

Re: And how...

> "It would also break the secondary market for debts as well, because if companies can't share that information, they can't sell your debts to anyone else"

Oh, the humanity! What would we ever do if that insane, mafia-like "secondary debt market" system disappeared? We'd have to shut down society or something.

Secondary debt racketeers are just about as useful to society as pedophiles and murderers, and should be treated the same.

It's not you, it's Big G: Sneaky spammers slip strangers spoofed spam, swamp Gmail sent files

Pascal

Small subset my arse!

> "We have actively taken measures to protect against a spam campaign that impacted a small subset of Gmail users."

I had dozens of them. They came complete with a (brand new I assume) banner stating that "We can't confirm that you sent this message or not, headers may have been forged".

They have since updated the banner to say the message "seems to be a fake bounces reply to a message I didn't actually send".

From inspecting the message source it seems they spoofed a lot of things, including Message-ID formatted google-style that might have been what tricked Google.

Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Pascal

Re: UK Law Must Introduce Guest Checkout

You don't even need guest checkout, just don't save credit card info after payment -- or at the very least, let the customer decide if you should "remember" that credit card.

2 + 2 = 4, er, 4.1, no, 4.3... Nvidia's Titan V GPUs spit out 'wrong answers' in scientific simulations

Pascal

Re: Shades of the Pentium floating point bug?

I am Pentium of Borg. Division is futile. You will be approximated.

Programming languages can be hard to grasp for non-English speakers. Step forward, Bato: A Ruby port for Filipinos

Pascal

Re: Nope, it doesn't work

Earlier (before the year-based versioning) it did in fact save "SOMME(...)" and wouldn't load in an English Excel.

Pascal

Re: Nothing new here

Even Microsoft did it back in the 90s.

VBA was localized so that code written in Excel / Access / etc. would use a French syntax in my version. "SI/ALORS/SINON" instead of "IF/THEN/ELSE" and so on.

And the crazy part was that it wasn't saved in an intermediate form. So an MDB file with code created on a French Access wouldn't work on an English Access.

Then in the early 2000s there was a push by the OQLF here (Office Québécois de la Langue Française) to coerce IT to switch to French; including threats to be barred from government work for including such evil anglo constructs in HTML pages as "é".

Much joy.

Cluster-f*ck! Etcd DBs spaff passwords, cloud keys to world by default

Pascal

mhmm...

"it seems as if people may not be using etcd's security capabilities and leaving the ports open, which can be a problem with every database"

Yeah but... CAN IT really? Does EVERY database really come with ports open by default that allow access with zero credentials "unless you enable some feature"?

I'm sure we can collectively come up with at least one or two that don't quite work like that...

XM-Hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Pascal

single point of failure maybe,

But the alternative is requiring people to have 15 login/passwords to 15 systems.

This results in the same password being used everywhere, or passwords written down on post it notes, and so on.

And obviously, 15 actual points of failure within 15 different login processes.

In theory one secure and thoroughly vetted sign-in system should mean fewer risks.

Microsoft works weekends to kill Intel's shoddy Spectre patch

Pascal

Re: The WinTel Cartel...

In this context they're passing along microcode updates produced and vetted by Intel, as part of a very urgent, very critical security update. You really want to lay that one at their feet instead of Intel's?

UK, US govt and pals on WannaCry culprit: It woz the Norks wot done it

Pascal

But he's a government official and he pinky swears it, surely that's proof enough?

Mailsploit: It's 2017, and you can spoof the 'from' in email to fool filters

Pascal

> DMARC only reports if your policy is set to "none", it can quarantine and reject mails if you like. or am I missing your point?

DMARC lets you broadcast a policy that tells the world what *should* be done about messages coming from your domain that are not authenticated a certain way. DKIM is one of those authentication methods and it can actually protect the domain used in "From:" (the one in the message, not the SMTP envelope). There are a lot of problems still however:

- Adoption rate is very low at the sender level (only a tiny % of domains have proper SPF, DKIM and DMARC policies in place)

- Adoption rate is still so-so at the receiver level. It's a much higher %, but there are still stupid situations like Microsoft still not doing shit about DKIM, and *lots* of self-managed SMTP servers don't handle these things properly

And of course none of those policies, and use of those policies in email filtering, will do anything about the fact that most email agents are complete garbage. Take Yahoo for instance, you can mangle the subject line so much that it can alter their webmail GUI, still to this day.
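What a receiver does with a published policy is worth seeing end to end. The block below is an added example, not code from the original post: it parses a DMARC TXT record, checks whether an SPF or DKIM pass is *aligned* with the header From: domain (the domain the post says DMARC actually protects, as opposed to the envelope sender), and returns the disposition the domain owner asked for, using `sp=` when the From: domain is a subdomain of the domain that published the record. Domains, records and authentication results are constructed; organisational-domain matching uses a two-label approximation instead of the Public Suffix List.

```python
"""Added example (not from the original post): a receiver-side DMARC check.
It parses a published DMARC TXT record, tests whether an SPF or DKIM pass is
aligned with the header From: domain, and returns the requested disposition.
Domains, records and authentication results are constructed; organisational
domain matching is a two-label approximation, not the Public Suffix List."""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict; v= and p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Approximate organisational domain (last two labels); real code uses the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, record_domain, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM (envelope) domain SPF evaluated; dkim_domain is
    the d= of a signature that verified. Either one passing *and* aligned with
    the header From: domain satisfies DMARC. record_domain is where the record
    was found (the From: domain itself or its org domain).
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Record published at the org domain but From: is a subdomain: sp= applies if present.
    subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return "fail", policy if policy in ("none", "quarantine", "reject") else "none"


# Constructed record for example.com: strict DKIM alignment, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # A message claiming From: example.com but sent through an unrelated envelope domain:
    # SPF passes for the envelope, yet it is not aligned, so the policy applies.
    print(evaluate(RECORD, "example.com", "example.com", "pass", "bulk-sender.test", "none", None))
```

The first scenario is the one the post describes: SPF on its own is happy because the envelope sender checks out, and only the alignment check against the visible From: domain turns that into a reject. The strict `adkim=s` setting makes a signature from the parent domain insufficient for a subdomain From:, which is why the subdomain case falls to `sp=`.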

Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

Pascal

That, or your outlook.exe lacks the proper signature, and isn't the one on the whitelist. Scan for virii? :)

(My Outlook from Office 2013 had no problems writing to my document folders when saving an email attachment after enabling this).

Pascal

The obvious unfortunately. The unsecured one scrambles the files, syncs them to dropbox, from where they get synced back to the secured device. If only the unsecured device could have read-only access to your cloud data...

Google slides text message 2FA a little closer to the door

Pascal

"The article says Google now has a system where you have to reply to a text. The act of replying acts as the validation in the server - there is no code to input"

No SMS or reply.

Their new method sends a push notification to the app. The app then prompts the user somehow ("Looks like someone's trying to log into your account from *location*. Is that you?", with allow / block buttons). Upon pressing allow/block, the app calls a Google API to complete the process.

So yeah it's a 2-way street but it's data communications, not SMS, which is the key, as SMS has been proven to be vulnerable to SS7 and it was effectively exploited in the wild already.

End result is extra security because push notification subscriptions are "secure" (only the owner of the app can push to a specific phone/installation and no known hijacking of that has happened yet) and the specific install on a phone is the only owner of the key necessary to sign the response message (the public part of which is sent to Google as part of the enrollment process).

In the end it's one more tool in the 2FA toolkit. Google aren't forcing this, they're offering it as a more secure version of SMS. You can still use authenticators that don't require sms or data connections.

'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'

Pascal

So... Israeli intelligence, in the process of hacking Kaspersky for (probably exactly the same purpose), discovered that Russian intelligence had beat them to it?

Where's the popcorn icon?

Apple's iOS password prompts prime punters for phishing: Too easy now for apps to swipe secrets, dev warns

Pascal

One way ...

To truly differentiate system password prompts from application-generated password prompts (including fake password prompts) would be to include content in the system login prompt that is selected by the user when creating their account, and is never visible to the App landscape under any circumstance.

My bank for instance issues a favorite picture selected from a bank of hundreds along with a "personal saying" type phrase that was entirely typed in by me;

After years of seeing the same picture and text on their login screen, I would say I am phishing-proof (*).

It would be easy to implement by Apple / Google, and would mean the system login prompt is a "personal" thing that always has the small P.S. note "we'll never ask for your password without showing those!"

Then give it ~5 years for users to train themselves.

(*) ok, so for varying degrees of "proof", but at least not spoofable unless a seriously bad leak already happened.

Support team discovers 'official' vendor paper doesn't rob you blind

Pascal

Re: "opting for cheaper 3rd party labels"

I had a very nasty argument with one of those high end audiophile shops when digital stuff started showing up - he was trying really hard to prove to me that his ~$300 gold-plated HDMI cable was so badass that colors would be brighter, blacks would be darker and general contrast/sharpness would be better.

Complete with 2 TV sets showing the same movies, with "exactly the same things except for good vs cheap hdmi cable", to prove how shitty it was to watch a movie with a cheap $50 HDMI cable vs his expensive one.

2019: The year that Microsoft quits Surface hardware

Pascal

Re: Surface, the Apple iPad/MacBook wannabe

Another way to see it is that Surface's goal was to give the OEMs a solid kick in the behinds, and wake them up from all the terrible, terrible hardware they were making.

Just look at screen and storage.

As Apple was coming out with retina displays and SSD storage in their laptops, it was still considered a premium, high-end, "costs 100s of dollars more" feature to get a 1920x1080 display from Dell, HP and the like: they were very comfortable still peddling those 1366x768 pieces of junk in overweight laptops with storage that felt slower than my old 20 MB RLL drives from the 1980s.

The current Surface line-up clearly has those heat / etc. issues but calling them iPad wannabes is ridiculous.

Pumpkin bumpkins battle, 800kg monstrosity wins

Pascal

That's an impressive pie!

> "The winning vegetable actually weighed in at 792.5kg, or enough to make 100 pumpkin pies serving around 800 people. Despite this bulk, it still came up well short of last year's 900kg record."

We're talking about 8 kg of pumpkin per pie!

Twitter's 280-char blog mode can be enabled client-side. Just sayin'

Pascal

Re: Never understood why ..

Holy crap if SMS is "a technology that most people don't use these days" I must live in a weird place :)

But at any rate Twitter's limit was in no way technology-related, it was a design choice, they wanted to create an instant short-message feed. It's part of their branding, so to speak.

As another poster said, make it unlimited and they'd be just another Facebook knock off.

Developer swings DMCA sueball at foul-mouthed streamer PewDiePie

Pascal

Re: Perjury

Is it?

I don't care about pewdiepie or that specific game / developer, but I'm genuinely asking from the legal standpoint.

I'm assuming game developers have some rights / control regarding this, and streamers would need their permission and/or could be asked for some licensing fees? After all, (some) streamers are making a living out of this, in somewhat (and I'm really stretching here probably) the way that cable companies make money off the TV channels they carry, but in exchange for license fees. Of course game developers certainly must be getting lots of sales out of the deal (endless hours of free advertising).

I really don't know (or have any very clear opinion either way), but does anyone know the "legalities" of this?


Biting the hand that feeds IT © 1998–2019