* Posts by Woodnag

196 posts • joined 24 May 2010


Apple-Google COVID-19 virus contact-tracing API to bar location-tracking access



Are they "banning location-tracking" or "preventing location-tracking"? What if the app comprises two processes, which communicate, and while the BLE process is "not ... able to access or even seek permission to access location data", the companion process can and does?

We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit



Do you mean the weekly all-hands bullshit meeting that pretends to be an "Is everyone well and happy?" check, but is really an "Is everyone working hard and getting stuff done?" sniff test?

Attention, lockdown DIY fans: UK hardware flinger Robert Dyas had credit card data and more skimmed from website



"We became aware on 30 March 2020 that malicious software (malware) had been uploaded on to our ecommerce website by an external third party, which was immediately blocked by our IT Security team"

malware... uploaded... immediately blocked. Sounds good, until you read more carefully.

Apple: We respect your privacy so much we've revealed a little about what we can track when you use Maps


The problem is...

...that if Apple collects the data, they can be subpoenaed for it (1), given a National Security Letter to demand real-time access to it (2), or similarly court-ordered to de-anonymise it (3) under COVID emergency pretense.

ZX Spectrum prototype ROM is now available for download courtesy of boffins at the UK's Centre for Computing History



What makes me sad is how bloated modern design teams are, with cookbook assembled software using libraries, when in the days of Acorn Atom, Beeb, ZX8x, Speccy the teams were 2 engineers and the cat, and they did everything hard and soft. The cat just supervised, of course.

Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...


social media accounts

So refusing access to social media accounts is taken as denial of having social media accounts?

LinkedIn is now a social media account unfortunately... which is why I cut my profile down to a minimum.

Google to appeal against €7m fine from Swedish watchdog for failing to remove search results under GDPR


legal basis

"Google does not have a legal basis for informing site-owners when search result listings are removed."

I suspect that the law doesn't say that Google can't inform site-owners when search result listings are removed...

Auf wiedersehen, pet: UK Deutsche Bank contractors plan to leave rather than take 25% pay cut for IR35 – report


Not quite

Those waiting lists would be smaller if the NHS would budget and pay for 100% of the consultants' time.

Oracle staff say Larry Ellison's fundraiser for Trump is against 'company ethics' – Oracle, ethics... what dimension have we fallen into?



You have it in reverse for USA. Only the people on the top floor will have contracts, which spell out every term of employment, separation etc. It binds both ways.

The minions don't have contracts, and can resign or be terminated without notice. That's what 'at will' means.

In UK, full time employees expect a contract by right, and if a company doesn't issue it then the terms are normally the best an employee can wish for under challenge.

Gin and gone-ic: Rometty out as IBM CEO, cloud supremo Arvind Krishna takes over, Red Hat boss is president


Some interesting analysis from The Cringe:


EU've been naughty: GDPR has netted bloc €114m in fines since 2018


I expect the BA fine to be quietly brushed under that tired old rug, 'forgotten about', and not collected...

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption


Re: Fail to see what the fuss is

I think you miss the point.

Right now, there are some controls on when a phone can be slurped. But the law can change.

Before RIPA, passwords were private.

Before even then, silence was a right and could not be used against the defendant.

Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?


Re: be sued into oblivion? No

...provision of the CCPA allows businesses the opportunity to avoid a consumer suit under the private right of action provision by “curing” the violation of “its duty to implement and maintain reasonable security procedures and practices” that resulted in “unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information. To pursue statutory damages under the CCPA, would-be plaintiffs must first provide the would-be defendant business with 30 days’ written notice that the data security provision of the CCPA has been violated. Id. § 1798.150(b). The business then has 30 days to “cure” the violations and provide the plaintiffs with “an express written statement that the violations have been cured and that no further violations shall occur.” Id. If the business does so, then the plaintiff may not request statutory damages in a subsequent suit.



be sued into oblivion? No

California's new privacy law doesn't have a right of private action.

If at first you don't succeed, pry, pry again: Feds once again demand Apple unlock encrypted iPhones in yet another terrorism case


Re: Yeah, sure

It's not a question of trusting the citizen. It's a question of maintaining the status quo by detecting potential threats to the military-business complexes and defusing them before they materialise. Not bomb threats, political threats like effective leaders in civil disobedience, or rising popular and effective politicians like AOC getting into office.

Apple sues iPhone CPU design ace after he quits to run data-center chip upstart Nuvia


When I was interviewing at Fruit, you had to buy your own phone. That may have changed since of course...

Den Automation raised millions to 'reinvent' the light switch. Now it's lights out for startup


IoT devices that require the manufacturer's active support in order to continue functioning

Like the TV that I returned because all internet access went through the TV company's servers. In Japan.

No wonder cops are so keen on Ring – they can slurp your doorbell footage with few limits, US senators complain


The un-named PR gave half an answer of course

"users get to decide whether or not to voluntarily provide their videos to the police"

Sure they do.

But they don't get to decide whether Amazon/Ring provides their videos to the police.

Fed up of playing Whac-A-Mole with network of SoftBank-owned patent holders, Intel hits court


Re: Not an Intel fan...

Have a look at the Dyson case. It's not that easy.

HP to hike upfront price of printer hardware as ink biz growth runs dry


Re: Printer cheaper than ink

If the user filled up the cartridge completely before powering up a new printer first time, would the DRM accept that?

Those furious gun-toting Aussies were just a glitch. Let's try US drone deliveries, says Wing


actively listens, responds, and respects your viewpoints

They do. Then they ignore it.


Re: This should be good

A lady I know who works in a gunshop says that occasionally a group of Japanese tourists will come in the store... at which point all handguns are moved well out of reach because they've had too many cases of silly pranks of firearms being picked up and pointed around etc. Gun safety is absolutely not instinctive, and essentially any continuous gunplay in the movies etc. where the actors have no ear protection is simply make-believe.

Going over the top of the trenches in WW1 must have been a complete sensory overload, poor buggers.

Chef roasted for tech contract with family-separating US immigration, forks up attempt to quash protest


What you describe is convenience, not sense

When a release is approved, it should be rebuilt with all the libraries pulled and stored locally, and that binary shipped. This way, and only this way, can the build be described as frozen and repeatable. Of course it's a pain. But the first time you try to compile you create a script with all pulls to make it easier next time.

You can also audit whether different code portions are calling different versions of the same library.

Think that's silly? See HCSEC_OversightBoardReport-2019.pdf at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf where Huawei's code used "6 copies of 2 different OpenSSL versions, with 5 being 1.0.2k and one fork from a vendor SDK. There remained 17 partial copies of 3 versions, ranging from 0.9.7d to 1.0.2k. The fragments from the 10 different versions of OpenSSL remained across the codebase as do the OpenSSL derived files that have been modified by Huawei. More worryingly, the later version appears to contain code that is vulnerable to 10 publicly disclosed OpenSSL vulnerabilities, some dating back to 2006. This shows the lack of maintainability and security resulting from the poor configuration management, product architecture and component lifecycle management."

Lastly, repositories are other peoples' computers. Use them, don't depend on them.

Five NHS trusts do DeepMind data deal with Google. One says no


Re: No investment in the UK

You're in a bit of a pickle spelling Richard's surname, laddie...

Your ugly mug may be scanned yet again – but at least you'll be able to board faster at Gatwick


Re: no data would be stored for longer than a few seconds

"no data is stored for longer than a few seconds during the trial", because it's immediately shipped to outside NSA/GCHQ servers, and further analysis done there.

Apple's making some announcements! Quick, lay off 435 Uber workers


"always holding ourselves accountable"

Loved that part of the statement.

Oops, wait, yeah, we did hand over photos for King's Cross facial-recog CCTV, cops admit


FYI... this appears to be the requirement

Suilvision has compiled the following points to assist in ensuring your business has guidelines to meet the new GDPR Regulations.

ANPR recording

All businesses will need to put a risk assessment in place to state the purpose of any ANPR cameras on site; for example, if you are placing cameras on your site to monitor vehicle movements for the purpose of security, access control, vehicle matching or statistical data gathering, this will need to be recorded in your risk assessment. If you have installed an ANPR camera system to monitor employees' vehicles, you must inform the employees, highlighting the requirement of the system.

the right to be informed

Signage must be visible to all persons on site stating that ANPR Cameras are in place. It should also state the purpose for the data being collected. It should also detail a contact number for anyone who requires additional details.

request for personal data

Anyone who has had their vehicle captured on ANPR has the right to request their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested. If other vehicles are visible in the image, image redaction should be provided, i.e. blur out the licence plates of the other vehicles in the image.

assisting Police

The Police may request data from your ANPR system to assist with their normal duties.


If the ANPR companies monitor systems, they act as Data Processors under GDPR. “Clients of the ANPR company should have a contract in place which details what the ANPR company may do with the data; what security standards should be in place and what verification procedures may apply.” Any subcontractors working on your behalf, e.g. security companies or engineers, must follow this procedure.

For Foxit's sake: PDF editor biz breached, users' passwords among stolen data


"20 characters seems like a stupid upper limit".

It's the limit for BitLocker on Win 8.1 at least.

And you thought the cops were bad... Civil rights group warns of facial recog 'epidemic' across UK private sites


Re: So widespread as to be mundane now

A friend worked for a high end restaurant in Phoenix 10 years ago. Customers who made bookings over the phone were tracked across repeat visits in terms of tipping, early/late, etc and this used to decide whether a new booking would be accepted, particularly if the covers were filling fast.

You're all set for your long summer vacation. Suddenly a text arrives. It's the CEO. 'Data strategy by Friday plz'



Give your company a landline number, not your private mobile.

Apple: Ok, ok, we'll stop listening in on your Siri conversations. For now, but maybe in the future



"users will have the ability to choose to participate in grading".

I wouldn't call being given the option to allow 3rd parties to listen to previously-presumed-private sounds "participation".

Metropolitan Police's facial recognition tech not only crap, but also of dubious legality – report


Re: Help with "Innovative Solutions"

It's not just that Mr Menezes was murdered that's the problem, but the lies about the circumstances to make the guy appear suspicious that were instantly shovelled out and regurgitated by the press.

The Met really doesn't suffer from much accountability. The UK lost "S and Marper v United Kingdom" 11 years ago and still haven't deleted that illegal DNA database.

$30/month email upstart Superhuman brought low with a blast of privacy Kryptonite



Undo can be implemented completely by pausing the send until the undo window has passed. Or, implemented on the same server system, in the sense that the sent copies can be retrospectively deleted... but before that nothing stops a recipient keeping a copy by forwarding it, printing to PDF etc.

Good old British 'fair play' is the answer to vexed Huawei question, claims security minister


Re: Fair play

Can manage all that by having mandatory custodial consequences for those in the entire management chain (from the liar for the claims on the warrant, up to the OIC who authorised the intrusion).

Microsoft goes to great lengths to polish Azure Active Directory's password policies



Yet BitLocker is limited to 20 characters maximum, AES-128 is the default, and settings have to be changed before encryption to go AES-256 and/or use non-alphabet characters.

Supreme Court of UK gives Morrisons the go-ahead for mega data leak liability appeal



It's really not difficult to limit access to data, and not difficult to lock out portable media on computers with the access.

Inconvenient, yes.

TalkTalk kept my email account active for 8 years after I left – now it's spamming my mates


Re: I once had fun with Talk Talk...

I had similar fun after building a new house on an old lot, demolishing the old house. It used to have POTS, and so it was easy to start a new account. However, the line to the house was dangling in the air by the fence, and obviously needed to be terminated to the house. However, the phone company insisted that it was connected... and finally did the install after I managed to email the rep a picture of the dangling cable.

Sure, you can keep Grandpa Windows 7 snug in the old code home – for a price


"Prevaricating" means "lying"

No, it doesn't.

Just keep slurping: HMRC adds two million taxpayers' voices to biometric database


Re: They've been deleted?

Exactly. HMRC's copy is deleted. But the data that was pushed to GCHQ etc on arrival won't be.

Intelligence services won't even delete bio data, even if ordered to, even if audited. There will always be a copy somewhere else, and the storage requirements are tiny compared to AV recordings.

So yes, those illegally obtained genetic swab data that UK police collected, and were ordered by the ECHR to dispose of, will never actually be deleted.

Um, I'm not that Gary, American man tells Ryanair after being sent other Gary's flight itinerary



I received a Costco branded credit card for a name I've had mail for at my address. I can guarantee that the name has never been associated mailing-wise with my address, because I built the house and the number issued is new.

First point of interest - credit card issued to an address clearly not associated to the name. Great credit check.

2nd.. I called Costco, had to get through from CS to Security. They Oohed and Ahhed, thanked me politely, and asked me to destroy the card. One week later... a replacement card arrived. I simply kept it for 3 months during which I heard nothing, then destroyed it.


a tale for a different thread

Pretty PLEASE tell us now...

Could you speak up a bit? I didn't catch your password


Re: Craig has nothing on you, Dabs

...and the very lovely wife.

France next up behind Britain, Netherlands to pummel Uber with €400k fine over 2016 breach


Re: Stolen ?

Kindly cite one example where "it's illegal to leave your keys in the car". In Texas it is unlawful to leave the keys in the ignition, but that's it.

UK Supreme Court considers whether spy court should be immune to legal probes



When considering charities... do check the finances, as some NPs are more lifestyle vehicles for the directors than do-good orgs. A lot of phone-based fundraisers keep most of the contributions. In the US, 501(c)(3) non-profits must file Form 990 showing finances, and these aren't difficult to dig up on the webs. When directors are getting a few hundred $k, a question or two are begged...

Germany pushes router security rules, OpenWRT and CCC push back


The updates section is not very good

1. Mandates firmware updates from WAN, so flash will need to be double size to hold the old image and the new image.

2. Allows push updates, which is a massive attack vector, not least because each router must phone home to tell mummy who and where it is, so every nation state monitoring all traffic will know who's got what.

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)


Re: Really?

Per an earlier comment:

If anyone wants to quickly check whether their system is using their drive's own hardware encryption, run "manage-bde.exe -status" from the command line as administrator.

For mine it shows AES-256, which is how I configured it, not using the available hardware encryption on the Samsung EVO SSD.



If MS wanted BL to be great, why is AES-128 the default, and passwords limited to 20 chars max?

Oz intel committee: Crypto-busting is only bad if you're a commie, and we're not by the way


Re: We're not a communist regime

The US system relies on the various parts of the system (legislature, congress, reps, justice dept) ensuring practice of separation of powers. For example, El Pres. being required to get Congress' consent to declare war. Not working so well right now.

Civil rights group Liberty walks out on British cops' database consultation


Presuming that editing individual records to delete unlawfully retained data is, as claimed, painfully and uneconomically difficult... then the reason not to create a script that filters out the traffic on transfer to the new system is probably this: it won't get deleted (easily) from the new system. It will get moved instead (equally easily) to the other 5-eyes databases. So ministers can say that LEDS doesn't have the data. But we won't get an answer on what got pushed to foreign databases for reasons of national security.

Google actually listens to users, hands back cookies and rethinks Chrome auto sign-in


Re: "tucked away in the Privacy and Security settings"

Shift Ctrl Delete gets you to the Clear Browsing Data settings page in Chrome/ium.

Didn't find this out till yesterday meself :{



Biting the hand that feeds IT © 1998–2020