* Posts by Steve Graham

333 posts • joined 21 May 2007

Page:

Tens of millions more web accounts for sale after more sites hacked, Mac malware spreads via Windows.exe, and more

Steve Graham

Incompetence is always the most likely explanation.

I suspect that the Mono-based attack isn't really a sopisticated attempt at disguise. More likely it's Windows developers writing code the only way they know how. You see it all the time in the Linux world, Mono used, not for porting .NET applications, but for writing new ones from scratch.

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019

Steve Graham

This sounds a lot like the strategy for encoding Unicode as UTF-8.

It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

Steve Graham

Re: Suggestions please

My Nokia 5 has just updated itself to Android 9, with January 2019 security updates. I expect the February update will be along soon.

It came with Android 7 installed and updated to 8.1 previously. There's a slightly improved model now, but I think it's still around £150, SIM-free.

LibreOffice patches malicious code-execution bug, Apache OpenOffice – wait for it, wait for it – doesn't

Steve Graham

Re: Someone please explain...

Abso-bloody-lutely. And if a few users need it, then ship with the functionality disabled by default.

The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild

Steve Graham

Re: Again

...and when you replace 10 lines of code with 10,000 lines of code, you have increased the incidence of bugs by a thousand times. Got it yet?

Great, you've moved your website or app to HTTPS. How do you test it? Here's a tool to make local TLS certs painless

Steve Graham

Funny, I was just trying this the other day on my home server (no external access) -- the old-fashioned way. I got it all working too, except I couldn't find how to get Vivaldi, my default browser, to accept a self-signed certificate. I think it's actually missing that functionality. I lost interest at that point and put it all back the way it was. I think a CA might be the fix, so I might give this tool a go.

Bish, Bash... gosh! Good ol' Bourne Again Shell takes a bow as it reaches version five-point-zero

Steve Graham

Re: "Trusty command interpreter"?

I share your concern. Bloat and excessive "cleverness" which 99% of users don't need.

Debian-like distros usually ship with dash, not bash as the default shell, and its executable is literally a tenth of the size.

Mark Zuckerberg did everything in his power to avoid Facebook becoming the next MySpace – but forgot one crucial detail…

Steve Graham

Re: Facebook's shadow profile.

I don't see IP geolocation working that well. I live in Northern Ireland, and when I open Google Maps, it shows me a location in Northern Ireland, but not where my home modem is located.

Today, it's a village about 100km away. Yesterday, it was a different location entirely.

I've given Google permission in my browser to acces my "actual" location (actually, it's a fake location, generated by a plug-in). It doesn't use that until I click the circles icon, so I'm assuming it uses IP information initially.

Hot on heels of 2.0, Vivaldi 2.2 adds tab session management among other goodies

Steve Graham

Re: Quick question

Ublock Origin is available. I'm not sure about NoScript -- I use ScriptSafe in preference.

Super Micro says audit found no trace of Chinese spy chips on its boards

Steve Graham
Big Brother

1. American government discusses cutting CIA funds for Chinese technical matters.

2. CIA gives industry a "confidential" briefing on the dangers of Chinese manipulation.

3. Anonymous sources brief Bloomberg on alleged actual Chinese manipulation.

Join the dots, people.

NASA has Mars InSight as latest lander due to arrive today

Steve Graham

Ed Sullivan Theatre?

To save you looking it up, EST is UTC-5.

Did you hear? There's a critical security hole that lets web pages hijack computers. Of course it's Adobe Flash's fault

Steve Graham

Re: Can anyone tell me...

The basic problem is that Flash is more like a complete operating system than a video player. You can implement a full user interface, do computations, networking, and all kinds of stuff.

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you're visiting

Steve Graham

The "fingerprinting" depends on every browser requesting identical data from the site. If your ad-blocker and script-blocker stop your browser from requesting some of it, the fingerprint becomes blurry.

Big Falcon Namechange for Musk's rocket: BFR becomes Starship

Steve Graham

Re: Starship

Subversive? Are they?

I thought they were references to Ian M Banks' "Culture" ships. Although I would argue that a vessel should be sentient and choose the name for itself.

I wrote a fan story (very poor; don't ask) about a ROU called "And Carry A Big Stick".

Scam or stunt? It's looking like the latter... Xiaomi so sorry for £1 smartphone 'promo'

Steve Graham

Obviously, they'll have obtained a licence from the Gambling Commission.

Google logins make JavaScript mandatory, Huawei China spy shock, Mac malware, Iran gets new Stuxnet, and more

Steve Graham

delete malware

"admins would be well advised to make sure they are running the latest version of SystemD"

No, no... I have a better idea...

Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound

Steve Graham

"people won’t want this sensitive, fine-grained data going to third parties"

The General Public is too stupid to worry about that.

Chromebooks gain faff-free access to Windows file shares via Samba

Steve Graham

Re: DFS

Linux (and other Unix-like OSs) don't fundamentally have the concept of a "share". Everything which is mounted is part of a single file heirarchy and files should work the same no matter what's happening under the surface.

make all relocate... Linux kernel dev summit shifts to Scotland – to fit Torvald's holiday plans

Steve Graham

Re: New! It's the elReg trip advisor

My trick for remembering the difference between whisky and whiskey is that the Scots are notoriously frugal, and so they use fewer letters.

(Says an Irishman educated in Edinburgh.)

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

Steve Graham

Re: In short, the British system

"the relatively primitive and mostly manual system, as used in the UK, is highly secure"

I agree. I have very little doubt that the EU referendum result accurately reflected the votes cast. And given the difficulty of manipulating the recorded results, the billionaires and oligarchs chose to attack the weak link, the human one.

It liiives! Sorta. Gentle azure glow of Windows XP clocked in Tesco's self-checkouts, no less

Steve Graham

Re: Local Optician

"running XP is not really that bad especially if the machines are not connected to the Internet"

They probably use floppy disks to collect the transactions. Didn't all XP computers come with a disk drive?

CADs and boffins get some ThinkPad love

Steve Graham

*Bootnotes

Since the asterisk came at the end of the sentence as in "the battery life of a Mayfly.*", I expected the Bootnote to admit that mayflies do not actually have any batteries.

EU wants one phone plug to rule them all. But we've got a better idea.

Steve Graham

Re: Just add wireless charging

As I understand it, the cable connector is "sacrificial". It's designed to fail first, rather than damage the device's port.

When's a backdoor not a backdoor? When the Oz government says it isn't

Steve Graham

Progressive, democratic Australia

"Australian senator calls for 'final solution to immigration problem'."

https://www.theguardian.com/australia-news/2018/aug/14/australian-senator-calls-for-final-solution-to-immigration-problem

(He's not a member of the governing party, but the accusation is that the current government tolerates, perhaps even courts, such opinions.)

The off-brand 'military-grade' x86 processors, in the library, with the root-granting 'backdoor'

Steve Graham

I was running a Nehemiah-based system last week! Waiting for a part to arrive for my poorly "home server" (an old Thinkpad) I resurrected an ITX board as a stand-in. It's gone back in the cupboard now, and I don't think I can be bothered to set it up again to try this trick, neat as it is.

UK spies broke law for 15 years, but what can you do? shrugs judge

Steve Graham

typo

The closed judgement is described as "non-private", when clearly you meant "non-public".

Oldest swinger in town, Slackware, notches up a quarter of a century

Steve Graham
Linux

I first installed Slackware from a CD, and I've just checked: that means it can't have been earlier than 1995. Newbie here.

A fine vintage: Wine has run Microsoft Solitaire on Linux for 25 years

Steve Graham

Re: Virtualisation made it irrelevant

In reality, chasing APIs, especially private ones, is a mug's game.

Especially feckin' ENORMOUS ones with thousands of functions.

The butterfly defect: MacBook keys wrecked by single grain of sand

Steve Graham

Form before function.

Some years ago, fed up with crap keyboards (I really want a VT100) I bought an Apple USB one, under the impression that the higher price meant that I would get a better product.

I some ways I did. It was pretty solid and well made. The key symbols were moulded in, and wouldn't rub off. And of course, it looked sleek and beautiful.

It did have one flaw though. The keys felt like you were operating a 1980s pocket calculator. Wobbly and short travel. I couldn't actually type on it.

There was an additional aspect which tells you all you need to know about Apple. It came with a (free!) USB extension lead. However, the keyboard USB plug and extension socket had a non-standard slot and key arrangement, so that you could not use the USB extension for anything else.

How a tax form kludge gifted the world 25 joyous years of PDF

Steve Graham

Flow

"Now with people primarily reading on screens, (over 50% of eBooks on phones) and no standard screen size or resolution, like Letter and A4 on paper, layout needs to be "Responsive" and work with user selected rescaling (sharp vs poor eyesight)."

Most of the HTML I see these days shows every sign of the "web designer" fighting to stop users' browsers from applying their own formatting to fit the device & screen.

Devuan ships second stable cut of its systemd-free Linux

Steve Graham

How long has systemd got?

systemd is so architecturally wrong, and so complex and badly-designed, that I expect it to collapse under its own weight eventually. Not dramatically. Maintenance and support will slow until it becomes deprecated in most Linux systems.

(If you think systemd is an init system, you don't understand the issues.)

Steve Graham

Migration

I changed my repo sources to Devuan from Debian when it looked as though systemd was going to become the default. So when I first install a new version of anything, I get the Devuan one. It's worked perfectly.

OnePlus 6 smartphone flash override demoed

Steve Graham

Is that a vulnerability? I'd pay extra for it.

The future of radio may well be digital, but it won't survive on DAB

Steve Graham

Psion Wavefinder

I bought the Psion in about 2004, when it was a failed product and was being flogged off cheap. The software supplied was rubbish, but there was a (free? shareware?) suite which was better: it could even save the MP2 streams as files. I still have recordings of John Peel and R3 from back then.

That was when I lived in an area with coverage. I moved house last year, from a remote, rural location to a small, seaside commuter town. Now, if I turn on a DAB radio, all I get is a burbling sound. I have to use a DVB decoder to listen to BBC R3 & R6.

(Actually, we don't even get full Freeview here. Almost every house has a satellite dish.)

US Congress finally emits all 3,000 Russian 'troll' Facebook ads. Let's take a look at some

Steve Graham
Joke

Wait

We're supposed to trust an article about Russian conspiracy written by someone called Andrei Orlowski?

Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed

Steve Graham

Re: Be careful about version numbers.

The kernel source uses the x.y.z format. So referring to that format is unambiguous, whereas distro-makers might be doing their own thing.

I compile my own kernels anyway. Distro kernels need to cover diverse hardware, while mine are specific to the machine they run on.

Who will fix our Internal Banking Mess? TSB hires IBM amid online banking woes

Steve Graham
IT Angle

I was once manager of a team which was migrating more than 25 million customers to a new infrastructure overnight. I was so confident that we had covered all contingencies, including total roll-back, that I went home and went to bed.

It went perfectly.

It wasn't easy, and it wasn't cheap, but failure is always avoidable.

Chrome 66: Get into the bin, auto-playing vids and Symantec certs!

Steve Graham

Spectre?

I don't understand how handling different web pages in separate processes mitigates Spectre. Isn't the whole point of Spectre that a malicious process can infer the content of memory which it doesn't own?

Google accidentally reveals new swipe-happy Android UI

Steve Graham

Re: Really, is it that hard?

You don't know the half of it. In the last few days I've resurrected an old phone, HTC One X, so that I can give it away or use it as a spare. I was somewhat overzealous at my first attempt at wiping it, in that I erased the operating system.

Fortunately, when it was my main phone, I'd installed a 3rd-party "recovery", TWRP. To do that, I'd had to apply to HTC for a code to unlock the bootloader. Why was the bootloader locked? Security? I don't know.

A usual manufacturer's Android has no root access and the system partition is mounted read-only. To replace a library, say, you'd need a special procedure more complicated than "sudo apt install libxyz". And there isn't one.

I actually installed the last available Cyanogenmod for it, an unofficial CM12, or Android 5 build. Potentially, I could now re-mount partitions read-write and update individual system files, although I'd probably break it.

Magic Leap ships headsets at last, but you'll need a safe

Steve Graham

Re: Actually, it seems they ARE onto something...

"just as ardent in your atheistic perspective"

The old canard that belief and disbelief are equivalent.

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

Steve Graham

Geography lesson

"London, England" eh? Oh, THAT London.

Mozilla's opt-out Firefox DNS privacy test sparks, er, privacy outcry

Steve Graham

Re: Interesting

"Many people already ditch their ISP's DNS servers because they are unreliable."

It's more than 10 years ago now, but I was head of software development for a very large UK ISP, and our DNS was bombproof. Literally. You'd have needed many widely-separated bombs (OK, or power failures or faulty software roll-outs) to even have a detectable impact on performance.

Office junior had one job: Tearing perforated bits off tractor-feed dot matrix printer paper

Steve Graham

Re: I remember when...

"We had several that tried to use up the old non-laser safe acetates and labels to save a couple of quid and knackered a £200 toner unit or a whole printer instead."

I once did that.

Good luck saying 'Sorry I'm late, I had to update my car's firmware'

Steve Graham

Let's get physical

How about making the upgrade come as a little ROM chip? The dealership can either send it out, or pop it into your device for you (I'm thinking cars, mainly) for a modest fee.

If you can get 64Gb or more in a micro-SD card for a few pounds, a tiny ROM in that kind of form factor could be very cheap.

Beware the looming Google Chrome HTTPS certificate apocalypse!

Steve Graham

Re: Well done Google....

"Most mom and pop shops will not have the money or expertise to install and maintain certs"

With the hosting company I use, it literally amounted to clicking a tick box.

Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Steve Graham

Re: Source code

Written in assembler and Bliss, an elegant low-level language; and most files signed by the legendary Dave Cutler.

When you play this song backwards, you can hear Satan. Play it forwards, and it hijacks Siri, Alexa

Steve Graham

Well...

So, to summarise: they tuned audio to be recognized by a specific analysis engine, and then tested it by having that specific engine recognize it.

And this won't work on any existing products until they reverse-engineer their recognition. That could be difficult, since it's based on machine learning and is likely to be obscure.

HTML5 may as well stand for Hey, Track Me Longtime 5. Ads can use it to fingerprint netizens

Steve Graham

Re: Anyone test-driven Brave or Vivaldi browsers etc?

I switched to Vivaldi when Firefox broke sound on their Linux browser, and have been using it as my main browser since then with no problems.

I have Privacy Badger, Ublock Origin, Location Guard, Tampermonkey, a User Agent Spoofer and ScriptSafe (which attempts to foil the kind of fingerprinting described in the article, as well as blocking scripts).

Smartphones' security enhancements just make them more dangerous

Steve Graham

I've never trusted the Android ecosystem enough to put anything sensitive on my phone, nor use it for money-related purposes, so it's not much of an issue for me. I suppose Apple users have absolute confidence in the company's omnipotence.

Page:

Biting the hand that feeds IT © 1998–2019