All the three-letter-agencies rubbing their hands in glee. Looking forward to the day they can float a few motes of dust into the beam-path and eavesdrop on the comms with some binoculars.
176 posts • joined 19 Aug 2010
I'm imagining comically enormous powerline adaptors plugged in at either end
If you're going to donate your profits to charity, wouldn't the ACLU be a much more appropriate recipient of said funds?
I doubt it. This is a truly terrible way of responding to criticism, and I think most companies are smart enough to realise the negative PR would cost them far more.
I don't know if this is a recent configuration mistake, or it's always been like this, but HTTPS isn't available across the site; even login is posted across an insecure connection.
No excuse to not be mandating HTTPS in this day and age.
Seems to me carriers not adequately protecting users' voicemail is the bigger problem here.
> I don't see anyone ... end their use of their products because of a new vulnerability,
Ok, so Microsoft isn't a great example, but just off the top of my head, give Mt. Gox or Ashley Madison a call, see how much they would have been willing to pay to get their hands on the bugs that wiped them out.
Every other week I read a responsible disclosure of some bug that could have wiped out or seriously damaged a business, and then in the footnotes it'll say they got a bounty of $2,000, or $10,000, or they broke some rule and the company decided to not pay out anything.
> yet again a US vulture that is quite happy to make a profit ... because capitalism trumps decency every time
Until bug bounties are competitive, these pig-dog-capitalist bug-brokerages that you despise will thrive. My point is that bug bounties programmes need to offer more. A lot more. This will also have the fantastic side-effect of compelling software producers to give much more of a shit about security. Maybe once bug bounty programmes start paying (what I would consider to be) reasonable rates, security would no longer be an afterthought, but a primary concern.
> I don't think you understand how supply and demand works.
Bud, I'm not sure you do either. The maximum a black hat will pay for a vulnerability is not determined by how much Microsoft is willing to pay for it; it's determined by how much they think they can make from the exploit.
We have to assume there is already an efficient market for these exploits and that the prices already discussed represent close to the maximum that black hats are willing to pay.
The bug bounties offered by these billion dollar companies is pitiful. $10,000 for a flaw that could ruin your company overnight? What are they thinking?!
The sooner they start offering more realistic bounties, the sooner we can shut down the black market for these exploits, and stem the flow of these zero-days to criminals and governments with malign intent.
> To view the webinar, which is streaming now for you to watch at your leisure, click here.
... ERROR 404: Sorry, this page doesn't exist!
Re: I wonder how
I wonder too.
If they begin blocking known VPN endpoints, that'll only be partially successful because I can still VPN to my brother's apartment in Manhattan. And existing commercial solutions will inevitably adapt too.
Locking the catalogue to the country the account is registered to would be the other option, but what happens when you then travel abroad?
Re: There seem to be a number of uninformed commenters out there today.
> It is expressive, fast (yes, really), powerful, scaleable and easy/pleasant to code. ... Its biggest issue was the organisation of large scale project code
It's powerful? What does that even mean? Any language that's Turing complete is "powerful".
Yes, it's scalable, and yes it's easy to get started in because it's so basic, but pleasant to program in? If you want a language that's pleasant to program, you'll find Ruby, Python or Perl a lot more fun.
I'd say it's a pretty tenuous link
Maybe Lyft did steal the data, maybe they didn't, but I think it's a stretch to imply Lyft's CTO did anything wrong.
If I was CTO of Lyft, and I read the news that Uber had put their codebase on GitHub, of course the first thing I'm going to do is git clone that repo. It would almost be remiss of him not to. It's quite possible he picked through the code and didn't even realise the database key was in there.
Correct! I am down under right now.
I noticed a fresh story filled the headline spot this morning, so whatever you did seems to have worked.
Back to "D-Link spilled its private key onto the web" this morning. I read it weeks ago and yet it lingers like an unwanted guest.
Looks like you've implemented some algorithm to decide which story gets the headline position on the main landing page.
Right now I'm seeing either D-Link spilled its private key onto the web – letting malware dress up as Windows apps or BOFH: Press 1. Press 2. Press whatever you damn well LIKE. It seems to randomly alternate between the two.
The problem is that both these stories were published on the 18th. 12 days ago.
When I load El Reg, I'm left wondering if there is some aggressive caching going on somewhere along the line (it's not), or there has been nothing to publish in the last 12 days, or the Register has gone under and disbanded its staff leaving only this semi-sentient website behind.
Whatever the case, the front page looks stale.
It's not really a "vulnerability" in Android if: you have to manually enable installation of unverified 3rd party software, then ignore the blatant red flag that says "this app requires access to your camera".
> Really? Then why are we having this discussion seven years later? Not everyone jumped just because Jobs said 'jump'.
Obviously we're arguing semantics here, so let me re-phrase and explain a bit further.
There were plenty of reasons to drop Flash; the constant security issues, the poor performance, the terrible UX, but I'm arguing that the single biggest blow to the success of Flash was when iPhones were shipped without support for Flash, and Steve Jobs indicated there never would be.
If you've worked in tech over the last decade, you'll have noticed that a very significant number of your colleagues have been using iPhones and other iProducts. When iPhones were shipped without Flash, suddenly web developers were compelled to make websites that worked without Flash. And if they worked without Flash then there was no need to use Flash in the desktop version of your website.
Any ecommerce website that popped a polite "This site requires Flash" notice silently lost business. CEOs with new iPads were calling up their CTOs, demanding to know why the website was broken.
We are still having this discussion seven years later because when I say a technology "died", I'm not implying that it literally died over night and disappeared. It'll just slowly fade away. At 15 frames per second.
I'm surprised Flash has persisted this long. It died the day Steve Jobs decided iPhones and iPads weren't going to run it (around 2008?).
Re: Shit out a bucket of kittens
I doubt encryption is a major concern of theirs. Especially when they'll have a library of zero-days for every major OS, many popular apps, programmes and firmware. And why use your valuable zero-days when you can just coerce Google/Apple/Microsoft/etc to just hand you the keys to the front door?
Time for some investigative journalism...
Ok, I'm in!
Pretty tempted to come along for the ride
What are your sources? This is worse than the time The Times published that piece claiming Russia and China had obtained and decrypted the files Snowden stole. At least The Times attributed the story to anonymous "senior government sources".
Ohio is a "one-party consent" state, so this ruling seems to be in line with that.
Presumably the "two-party consent" states like Florida, would have ruled in favour of the prosecution.
> And some of us actually don't enjoy sitting in front of a computer any more than we need to.
...says the guy who has been commenting on the Register since 2010 ;P
Re: All this does...
I don't blame you for being cynical, but it sounds like you're suggesting we just give up and hand all our rights and privacy over to the government.
I'm glad there are people more passionate about their civil rights than you; people who are willing to fight for them. Maybe they will fail, maybe they won't. But at least they are trying. At least they are doing something.
Why does the NSA's boss care so much about backdoors when he can just steal all our encryption keys?
"We fully comply with the law"
Both the NSA and GCHQ keep saying "we fully comply with the law".
I suppose this stonewalling is supposed to placate and/or reassure us, but to me, all this says is either they are lying, or the law is horribly broken. Both of which are deeply troubling scenarios.
Flash was a workaround made for a bygone era. We don't need it now, and seeking to prolong its demise just seems cruel.
Joking aside, flash is an accessibility nightmare, it's a security nightmare, it's a nightmare for web crawlers and website indexers and it's a nightmare for underpowered computers. Project Shumway only solves one of these problems.
The most egregious parts are under the "Dielectric-Bias System", which claims: "All insulation slows down the signal on the conductor inside" and "when insulation is unbiased, it slows down parts of the signal differently, a big problem for very time-sensitive multi-octave audio".
Ignoring the offensively ignorant implication that audio data is transmitted in analogue form, is there any truth to their assertion?
> After 28 years, MACHINES find Wally
> Python and genetic algorithm spot stripey-shirted cartoon fugitive in a jiffy
No. You're implying his algorithms found Wally, when in fact he already had all the locations of Wally. His algorithms just found a reasonably short path between the locations Wally has previously appeared - the classic Travelling Salesman problem.
How do they know it's the film or the book that's being referenced? Pretty sure when people refer to a "Catch-22", they are thinking of the book and not the 1970 film adaptation.
Re: Is this Peak Facebook?
Even if the attacks did originate from North Korea, no one is discussing whether it was the work of a bunch of script kiddies or a state-sponsored group. A pretty important distinction when you're deciding to sanction a country, one would think.
Ignore these luddites; the reg has been due a makeover for a very long time.
I applaud the move in the right direction, but you still have a long way to go.
You may have moved a few deckchairs around, and administered a lick of paint here and there, but you have some serious flaws in functionality. The most obvious of which is the inability to get any notification that your comment has received a response. With user engagement comes page-views. You're pissing free money up the wall.
And for the love of god please hire a professional graphic designer.
That video was painfully dull. I kept waiting for some kind of content.
Re: Wow, I'm way out of touch...
How the hell is Silverlight even in the list, let alone #1?! I can't think of a single website that even uses Silverlight*.
(*Netflix was the only one that sprang to mind, but apparently they ditched it earlier this year)
Were you reading another article?
> Not only that, but professor Kara also reckons once a robot's learned its way around a screen, it only needs a couple of minutes to disassemble it.
Furthermore, where are you getting "spend years and millions" from? It's not mentioned in the article or the press release how long they have been working on this, nor how much it cost. More to the point, who cares? It's their money and time to do with as they wish.
And yes, it's progress. Do you honestly expect the first iteration of an autonomous machine-learning disassembly robot is going to be perfect?
A little explanation of what DoxBin is/was would be nice, and also some comment on why this guy claims he won't be going to prison would be interesting.
Re: Is this news?
Not only is this old news; as far as I can tell, this security researcher is just running 'hashclash' to look for the collisions. A program that has existed since 2009. Not sure why this story is making so many headlines.
You forgot one
* Verizon are inserting unique identifier token headers (UIDH) into mobile traffic, regardless of whether you opted out or not.
Something smells fishy
> Links to the doctored story were sent to the MySpace account of a suspect
So they knew the details of his Myspace account. Why didn't they just subpoena Myspace for the user's IP address, like they normally do? Why go to all this effort?
Wouldn't this 'FixIt' program be signed too? (And if not, it would be trivial to do so).
Regardless, this MITM attack isn't exclusive to TOR; it's just as feasible to do with the regular internet.
Furthermore, I wasn't aware that you can mark exit nodes as "BadExit". That's a pretty cool feature; one that doesn't appear in the regular internet.
The story implies that TOR is dangerous - but as far as I can tell, it's actually safer than regular internet.
Remember to pay for your ticket with cash
I'm in Australia so that probably affects what I see.
It seems that 2/3 of page loads on El Reg now show me adverts for Thaimatches dot com, featuring a particularly be-cleavaged young lass.
It's not my place to dictate how you bring in the dollars, but I can't help feeling they are inappropriate for the register, in terms of content as well as aesthetics.
Just my two cents.