* Posts by PaulVD

41 posts • joined 28 Jul 2010

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs


There are 203 passwords in my password manager

Most of them unique, and many of them used maybe a couple of times a year.

No rules for password complexity, passphrases, or other similar solutions come close to dealing with the problem that I have to remember 203 of them, and I have to remember which memorable phrase was used for which site or account login. It ain't going to happen.

One of my banks supplies a dongle for two-factor authentication, and a few sites offer my phone as a second factor. But carrying round a keychain full of dongles is not going to happen either.

There is simply no alternative to a password manager.

Oz auditor: Number of times failed government biometric project met a milestone = None


So, how much is PwC going to be sued for in respect of their incompetence in working out the requirements?

Tens to be disappointed as Windows 10 Mobile death date set: Doomed phone OS won't see 2020


Actually, I still think the phone is quite nice. I will certainly keep using mine up to the end. Having previously owned a couple of slurp-phones Android devices, I am not looking forward either to returning to them or to paying the Apple tax.

IBM: Co-Op Insurance talking direct to coding subcontractor helped collapse of £55m IT revamp project


Agile waterfall

It is a new development methodology known as Agile Waterfall. This is also the technique adopted by people who go over Niagara Falls in a barrel, and the success rate is similar.

Google logins make JavaScript mandatory, Huawei China spy shock, Mac malware, Iran gets new Stuxnet, and more


If Google can prove it is human...

... then I will submit myself to its ReCaptcha test.

'He must be stopped': Missouri candidate's children tell voters he's basically an asshat


Re: It's Missouri

Sounds like a good precedent: maybe the Democrats could nominate a dead man (or woman!) as their next Presidential candidate.

Yes, Americans, you can break anti-piracy DRM if you want to repair some of your kit – US govt


Re: Status?

Go back and read the story. Congress delegated this specific power to this specific agency - to be exercised only once every 3 years.

Ex-UK comms minister's constituents plagued by wonky broadband over ... wireless radio link?


Spokesperson was telling the exact truth

"We're sorry to hear about the issues with broadband in Fernham, and we'd like to reassure residents that we’re doing all we can to resolve the matter."

(1) We are indeed sorry to hear about this. We had hoped that nobody would tell us, so that we would not need to do anything about it. We are not, of course, sorry that there is a problem.

(2) We would like to reassure residents. However, we are not in a position to reassure them, because we are doing as little as possible.

HTC U12+: You said we should wait and review the retail product. Hate to break it to you, but...


Re: 40 Year Old Lesson?

"But the Chinese consumer industry is relatively young and so is going to recycle ideas that never made it to commercial production in the West,"

Except that HTC is from Taiwan, not China. I know, China says there is no difference; but when it comes to experience of consumers, there should be.

Windrush immigration papers scandal is a big fat GDPR fail for UK.gov



"their dog stumbles across the shredded Windrush documents blowing around in a skip somewhere."

What makes the author think they were shredded rather than just dumped? It would be consistent with the rest of the sorry mess if they were just dumped in the skips with the other construction rubble.

Cyber-coin crackdown continues: Commission charges couple crypto-currency company chiefs concerning 'conned' customers


He always needs insurance against the loss from his calf dying (or he takes the risk himself). The hedging contract gives him insurance against changes in market prices, nothing else. If he hedged the risk with an option, he can walk away from it at no cost. If he took out a futures contract, then with no calf to sell he becomes a speculator: he pays out for the difference between the contracted price and the market price at the intended delivery date (and if that is in his favour he wins money back).

Security pros' advice to consumers: 'We dunno, try 152 things'


That's lousy advice too. I have 209 different passwords currently in my password manager. Even if I had 209 individually memorable passphrases, I am never going to remember which one belongs to The Register. Much safer to copy and paste "pYsuuRM-jr5q".

Linux kernel community tries to castrate GPL copyright troll


Re: Non-GPL feature

You don't want to use the GPL'd library? Be my guest - nobody forces you to use it. Write your own code for those functions, and you can do whatever you like.

But if you want to re-use code that somebody else has written to save you the cost and bother of re-doing all their work yourself (and doing it properly, which is often hard), then you do it on their terms. If they are fans of open source, their terms may include that you have to add your new product to the open source pile. Like it or lump it.

Or pay damages, of course.

Review pins blame for Medicare ID breach on you. All of you


Simple, except for a slight legacy issue

Withdraw all existing numbers, and issue everyone with a 256-bit code, unstructured except for a check digit or two. Record the new numbers as a QR code on a plastic id card, so that they can be read by standard handheld scanners.

Make it a criminal offence for anyone (including the Government) to store these numbers. Instead, require the number read to be salted with the organisation's name and then stored as a SHA-512 hash value only. The hashed value works just as well as the raw number as a key in the database records for the organisation.

Then (1) the numbers can be used freely within one organisation but records cannot be linked from one organisation to another; the authorities cannot correlate your tax records with your health data using this code. (2) Stolen hashes are of no value to anyone. (3) If a dump of stolen hashes comes to light, it is possible to identify with certainty the organisation whose security was at fault. (4) Banks or other organisations can use the identifier if they like, but cannot link data acquired from elsewhere to expand their knowledge about you.

From a consumer protection point of view, what's not to like? There is, of course, the slight problem that legacy databases will have to be restructured to use a different key. Also, it shifts power away from bureaucrats and corporations to consumers. Oh, that's a fatal disadvantage; it will never fly.
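As an added illustration of the scheme sketched in this post (example code, not the poster's own and not any real Medicare system), the following models the three moving parts: an unstructured 256-bit identifier with check digits, the per-organisation salted SHA-512 key that is the only thing an organisation may store, and the resulting unlinkability of keys across organisations. Assumptions: the check digits use a mod-97 scheme (the post leaves the check-digit method open), the salt is the organisation's name exactly as the post proposes, and the organisation names are constructed sample values.

```python
# Added example modelling the hashed-identifier proposal from the post above.
# Assumptions (not from the post): hex encoding of the 256-bit number, mod-97
# check digits, a NUL separator between salt and identifier inside the hash.
import hashlib
import secrets

HEX_DIGITS = set("0123456789abcdef")


def check_digits(raw_hex: str) -> str:
    """Two decimal check digits in the ISO 7064 style (assumed scheme): 98 - (n mod 97)."""
    value = int(raw_hex, 16)
    return f"{98 - (value % 97):02d}"


def issue_identifier() -> str:
    """Issue a fresh 256-bit identifier with no internal structure, plus check digits."""
    raw = secrets.token_hex(32)  # 32 bytes = 256 random bits
    return raw + check_digits(raw)


def validate_identifier(identifier: str) -> bool:
    """Reject malformed or mistyped identifiers before they are hashed."""
    if len(identifier) != 66:
        return False
    raw, digits = identifier[:64], identifier[64:]
    if not all(c in HEX_DIGITS for c in raw) or not digits.isdigit():
        return False
    return check_digits(raw) == digits


def org_key(identifier: str, organisation: str) -> str:
    """The only value an organisation stores: SHA-512 over (organisation name, identifier).

    The raw identifier is read from the card, hashed, and then discarded.
    """
    if not validate_identifier(identifier):
        raise ValueError("malformed identifier")
    h = hashlib.sha512()
    h.update(organisation.encode("utf-8"))
    h.update(b"\x00")  # separator so salt and identifier cannot run together
    h.update(identifier.encode("ascii"))
    return h.hexdigest()


def unlinkable(identifier: str, org_a: str, org_b: str) -> bool:
    """True when two organisations end up with different database keys for one person."""
    return org_key(identifier, org_a) != org_key(identifier, org_b)


if __name__ == "__main__":
    person = issue_identifier()
    tax_key = org_key(person, "Tax Office (sample)")
    health_key = org_key(person, "Health Department (sample)")
    print("tax key   :", tax_key[:16], "...")
    print("health key:", health_key[:16], "...")
    print("linkable across organisations:", not unlinkable(person, "Tax Office (sample)", "Health Department (sample)"))
```

Because the organisation name is public, the unlinkability rests entirely on the 256-bit identifier being random and never stored anywhere; an HMAC keyed with a per-organisation secret rather than a public salt would additionally stop anyone who does obtain a raw identifier from computing every organisation's key for it.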

Has AI gone too far? DeepTingle turns El Reg news into terrible erotica


Re: so this is automated buzzword bingo ?

It was Richard Strauss. Google says that the story was "Art Work" by James Blish, in Science Fiction Stories 1956. I am not quite that old, so it must have been anthologized somewhere.

Far out: Dark matter bridges millions of light-years long spotted between galaxies


False false colours

Surely the colour should be black where the density of dark matter is greatest?

New Zealand puts the bite on Apple over taxes


Please use the right sheep

If you are running a story on New Zealand, and decide that you really need sheep to illustrate Apple's tax affairs, please source a stock picture showing Romneys or Corriedales. And they should be on hillsides rather than in a European farmer's lane.

Other than that, NZ has Goods and Service tax instead of sales taxes and, yes, it is a tax on consumers not on Apple.

For corporate tax, NZ has the same laws as most countries (but not the US) - companies pay tax where they are incorporated/resident. If Apple runs its NZ affairs through an Australian firm, it pays profit taxes in Australia. Likewise, when I sell consulting to a US client, my company pays taxes in NZ, not in the US.

Windows PC spy nasty dormant for three years, mutates and resurfaces


Patched long ago

The original vulnerability was patched in 2012; the later one was patched by MS15-033 in April 2015.

So this nasty affects stupid people and stupid organisations only. Apparently such targets can be readily found in the US and Africa, as those are the currently affected regions.

Geo-boffins say 'quake lifted bits of New Zealand by 8 metres, moved at 3km/second


Re: So how was New Zealand created?

Oh yes, there is a long history of earthquakes. And don't forget the volcanoes in the North Island. The Oruanui Eruption (26,500 years ago) was the biggest eruption anywhere for the last 70,000 years. Auckland is built on a volcanic field: lots of pretty little hills, with new ones popping up every now and then. The last was about 600 years ago.

But tsunamis seem to come most often from quakes elsewhere in the Pacific, typically Chile.

Google Pixel pwned in 60 seconds


Re: Four Seconds

Easy: if you could patch all of the flaws in Flash, Flash would not work at all.

Even in remotest Africa, Windows 10 nagware ruins your day: Update burns satellite link cash


Maybe I missed it...

But I didn't notice anyone saying they had sent a few bucks to help this outfit with their bandwidth needs in protecting wildlife in one of the most godforsaken parts of the world. (And the various people with guns are variously Muslims, Christians, and Animists; poaching and murdering game wardens is an all-faiths activity there.)

So, for the record, they have $50 from me. Any other takers? Just follow the link in the story.

Insure against a cyberwhat now? How the heck do we crunch those numbers?


Many commentards don't understand insurance

Look at your fire insurance policy; it will exclude, for example, acts of war. The last time Britain got into a big war, half [sorry, lots of] the houses in London caught fire. No insurer can actually pay out that scale of losses, so they exclude them from the risk covered. Somebody else, the insured or the Government, has to bear these risks.

The insurance spokesman no doubt understands this about insurance, but does not understand cyber security. It is perfectly possible to insure against the odd idiot who leaves a laptop in a taxi, because this is standard idiot behaviour and the industry has lots of data on that. But cyber attacks are much more like warfare, in that people are actively working to create losses. If some unknown vulnerability is discovered and exploited, half [sorry, lots of] the companies in Britain could suffer big losses. The insurers cannot actually pay out for this, and last year's data on cyber attacks is pretty much useless for predicting next year's losses due to new kinds of attacks.

So the insurers want data that actually won't help them, and that will create new risks. The insurers will either have to become cowboys, making promises that they cannot honour, or will have to exclude liability for most active attacks. That would rather defeat the purpose of cyber insurance.

Earthquake-sensing smartphone app fires off early alerts of disaster


Done this already

I was part of the Quake-Catcher Network for several years - small sensor mounted on the floor with my desktop analysing accelerations and sending packets to Stanford. Apparently proved the concept well, and my setup reported on several quakes, but maps of user locations showed that the network was over-represented where lots of tech people live and under-represented where most earthquakes happen. It seems that the grant ran out, and the network is no longer really active. Maybe this will replace it.

The Mad Men's monster is losing the botnet fight: Fewer humans are seeing web ads


How many clicks is fair payment?

El Reg won't let me pay directly (as I do for various other websites) and with Firefox/NoScript I can't see any ads. So I started up IE, found a couple of ads (only for things I would never buy, unfortunately) and clicked on them in order to feed the vulture.

I don't mind doing this now and again, but it raised the question in the title. Presumably clicks are more valuable than just views - so does a couple of clicks a month provide fair support?

Verisign warns new dot-word domains could make internet unstable


Context: the law is an ass

The point is that this is a regular filing to the Securities and Exchange Commission, as part of which the company has to discuss any material risks to its business. These boilerplate filings are written by corporate lawyers, and their purpose is to ensure that no matter what happens "we warned you of that risk, so you (investor) can't sue us."

This does not mean that anyone technically competent at Verisign actually expects a problem, just that the lawyers get paid for imagining possible problems.

Microsoft cracks personalisation without prying


Firefox does it better

I set Firefox to accept all cookies - no questions asked - and then to discard them all automatically at the end of the session regardless of their expiration instructions. Voila, no tracking, except for sites which I am comfortable adding to my whitelist (such as theregister.co.uk, of course).

IE's cookie handling is intrusive and complex; if I reject cookies for a site, it may not work during the session, and if I accept cookies then they are retained unless I hunt them down manually afterwards. Bloom cookies seem designed to reduce the impact of this poor UI design; not a good approach for the user, although it may suit MS's commercial interests.

Files aren’t property, says US government



Then keep them on your own computer.

Ten netbooks


Re: Windows is not the enemy of netbooks

An afterthought: in case of theft, my netbook's hard drive is completely encrypted using TrueCrypt. So everything, including the operating system files, has to be decrypted on the fly, which is a tax that I don't impose on my desktop machines. Even with that overhead, the netbook's performance is perfectly adequate.


Windows is not the enemy of netbooks

I don't understand the complaint about netbooks being underpowered. My old Samsung N140 (Atom N280 at 1.6GHz, 2GB RAM) runs Win7 Ultimate 32-bit just fine. The original Win7 starter + crapware quickly got annoying, and I eventually replaced the 250GB(?) disk with an 80GB SSD, of which I use less than half - this improves battery life a lot and improves performance a little. I run Office including Access, statistical analysis with Mathematica and R, VBA programming, and basically all the same stuff that I run on my desktops. Yes, some operations that take 10msec on a fast desktop take 30msec on the netbook, but you usually need a timer to notice the difference.

Of course, I could have bought a full laptop for the money I spent upgrading, except for two points: (1) Every manufacturer seems to supply Windows + crapware preinstalled, and there is no way to thoroughly remove the crapware and get decent performance from Windows except to install a clean copy direct from Redmond. So that upgrade is necessary on a laptop anyway. (2) Laptops are too big to fit properly in front of the next seat on a train/plane/bus, where I do much of my work.

Modern machines, even netbooks, seem easily powerful enough for the things I do. I wouldn't try video editing on one, of course, and I don't play games. My complaints are the crippled screen resolution and the fact that opening a Sammy case to upgrade is difficult and dangerous. But this line-up shows that there are netbooks out there now with reasonable screens, so maybe it's time to upgrade. (I'd still transfer across my SSD and my proper Windows, though.)

Finally some QUALITY apps for Android: PalmOS emulator ported


Re: Just needed a leaf from the Palm

Ta, Bill. It hadn't occurred to me to search for a graffiti app. Just installed it, and my HTC One X is now finally usable!

Secret US 'Jedi' ghost-copters kept out of bin Laden raid


This post has a black helicopter logo

But its stealth technology is so good that you can't see it.

Boffinry summit names 3 new elements


Prenaming elements

We already know the atomic numbers of the elements that have not yet been created. So why did the committee not clear the decks while it was meeting anyway and announce the names to be assigned to the next dozen or so?

Open-sourcers suggest Linux secure boot block workarounds



You won't get your money back, because the computer WAS fit for purpose. It was sold to you as a machine that runs Windows 8, and it did that. Wanting it to run Linux (or XP, for that matter) is like buying a petrol-engined car and expecting to run it on diesel. (Anyone managed to get a refund on an iPhone because it won't run Android?)

The problem is that some of us will want to buy machines that are not tied to Windows 8, and it is not at all clear that enough manufacturers can be bothered supplying that market. The Windows 8 logo will be really important to them, and they can get that without the extra fiddling needed to support other operating systems.

Reg hacks confront really wide Oz load terror


Instead of photographs...

... will you settle for Playmobil?

Linux.com pwned in fresh round of cyber break-ins


@Shaun: Win7 not back to XP

When I played around with Ubuntu, for various configuration or update tasks the computer would tell me to type the administrative password - so I did. I had no way of knowing (and not the slightest interest in knowing) what I was permitting.

In Vista, for various configuration or update tasks the computer would tell me to type the administrative password - so I did. The only difference in Win7 is that I get the option of clicking a dialog box instead of typing a password.

The principle is exactly the same in Linux as in Windows post-XP: programs can't make system-level changes without the user accepting them. There may be implementation errors in either OS, but the security design is now exactly the same.

And the design has the same flaw in both OSs: ordinary users cannot know (and do not care) what they are approving. If Linux on the desktop ever gets 100 million users, this will matter.

Maybe there are other design features that make Linux more secure than Windows, but running as root by default is no longer one of them.

Godson: China shuns US silicon with faux x86 superchip


Maybe the Chinese are stupid, but I doubt it

This technology looks very handy, say for designing nuclear weapons, developing more fuel-efficient aircraft, using brute force to decrypt stolen files, searching through internet data for concealed dissident messages, and lots of other useful applications. What makes everyone suppose that China will give up these technological advantages for a few million in revenue by selling actual chips to the West? More likely Godson and its successors will be declared a strategic technology, not for export (as the US did with encryption and other technologies). China recently suspended the export of rare earths; if this gear is as good as it seems, it might come under the same sort of ban.

Apple patent endangers unbiased product reviews


Not new, no big deal

Despite el Reg's spin, this is not a review process at all. It is a well-known process called a prediction market, working on the idea that groups of people make better predictions on average than even expert individuals. It is not intended to tell readers which products are good, but to tell marketers which ones are going to sell. The basic idea is not patentable because of prior art problems; economists, in particular, have used prediction markets for many years.

Apple's wrinkle addresses the problem that prediction markets open to any troll do not generally work well. There needs to be an incentive for participants to think about what they are saying and try to get it right. Apple's solution might work, and might be patentable, although it is likely to have problems with both obviousness and prior art.

But the idea is no threat to the system of consumer reviews.

WikiLeaked US cables link China to Google hack


Calm down, folks

I'm less astonished at the vitriol than at the ignorance of so many comments posted here. What has come out so far is routine embassy traffic; ambassadors and spooks reporting back to Washington what they have been told, what they guess, and what might be useful. Every country does this: the diplomatic traffic for the British or Chinese or Australian embassies back to their Governments would look much the same. So far I have seen no information about nefarious US plots, and very little information that was not already clear to anyone who reads the newspapers. (Surely we all knew that Sunni Arab countries are far more frightened of Shia Iran than of Israel, whatever they say in public. You didn't know that? - do try to keep up.)

The shocking thing, and the IT aspect, is that this torrent of unevaluated and mostly confidential stuff was freely available to millions of people who had no need to see it and no way of making use of it. After 9/11 the US security agencies were told they had to share information more. I don't think this was quite what was intended - but, as usual, with a badly-thought-out requirements definition you get an unbelievably useless system. Nobody was willing to sit down and develop a proper data architecture with sensible security controls, because they would have been blamed if a later attack might have been prevented with more information sharing. So the safe bureaucratic position was to share almost everything. Nobody will be blamed for this, even though sharing with Julian Assange would not have been part of any sensible specification.

Netbooks: notebook evolved - or stunted throwback?


Netbook works for me

On a train, bus and plane, the netbook is small enough that it fits on my lap and doesn't bump into the seat in front. I can't use a laptop that way. Commuting with my Win7 netbook, I write documents in Word, run spreadsheets in Excel, run statistics in Mathematica and R, and generally get to be as happy as Larry. (Leisure Suit, not Ellison.) When I get home, the small screen and keyboard get annoying, so I break out the laptop for reading El Reg. If I need serious number crunching, there are serious desktops in the office. But the netbook works for me in a lot of tasks that I would have thought beyond it. (Mind you, it does not seem that many years since an N140 with 1GB DDR2 and 120GB disk would have been the sort of power you would see in a top-end desktop, so maybe I should not be surprised.)

Stuxnet 'a game changer for malware defence'



"helping to devise revised best practices for securing SCADA systems."

It should be quite a short document:

1. Do not connect any SCADA system to the internet.

2. Do not connect any SCADA system to any computer running any version of Windows.

3. Member States will impose the mandatory death penalty for anyone who violates rules 1 or 2.

Zeus bot latches onto Windows shortcut security hole


Sophos's clever solution

I downloaded the Sophos patch, which seemed like a good idea until I read the licence agreement. (Yes, I have a boring life!)

Clause 3.2.3: You are not permitted to use Software other than the Licensed Product;

So if I stop using any software on my machine, my icons won't get infected? That works for sure.
