* Posts by DougS

12863 posts • joined 12 Feb 2011

Gov to take axe to big IT contracts soon, will hand chunks to SMEs

DougS Silver badge

Will this really save money?

Yeah, splitting the contracts will probably result in paying less overall, but then you have to add staff (or hire another company) to coordinate all your suppliers. Sounds like a job program for project managers.

IETF group proposes better SMTP hardening to secure email. At last

DougS Silver badge

Apple could easily do this, but only in a limited way

They already do basically the same thing for key distribution for iMessage. The problem is that this would only help Apple user to Apple user emails, which means less than 1% of all emails.

There isn't any easy way for Apple to support this for say Outlook 365 or GMail users, and while Microsoft and Google (ha! good luck getting them to help make GMail data mining proof!) could do this for their users, it really only helps for emails within their ecosystem as well. The percentage of Gmail to Gmail emails may be higher than Apple to Apple, but it is still tiny.

The only way it could feasibly work is to add something to the MX record that tells where to find certificates for users in that domain. I would expect Google to do everything they can to delay and roadblock any RFC that attempts to do so. The US and most other governments in all parts of the world as well. To be honest, I don't expect to see standard peer to peer email encryption ala PGP or S/MIME in my lifetime.

Apple Macs, iPhones, iPads, Watches, TVs can be hijacked by evil Wi-Fi, PDFs – update now

DougS Silver badge

Re: Reality check

They could easily do it. Just have iTunes running on a PC, connect the phone to the PC's USB port, and install the update. There is nothing difficult about installing an OS on a locked phone, Apple deliberately made that easy so you can recover from a bad flash.

They have announced they are going to change this soon, now that the FBI wants Apple to use it against themselves. Perhaps this is already changed on iOS 9.3, I have seen the list of security fixes but that isn't a security fix as such so it would be listed elsewhere.

Of course the FBI gains nothing by doing this, and risks Apple having made changes that make whatever method they are going to use to get into themselves more difficult, so upgrading the OS now would make changing the iCloud password look like a genius move by comparison!

DougS Silver badge

Upstream security fixes?

Are you seriously suggesting that Apple should set things up so that the libxml devs can deliver patches directly to people's iOS devices as an app or something?

I'm sure that would go over well when they deliver a buggy update that crashes something important that iOS relies upon....

Something useful from Cupertino?! Apple sees the light – finally

DougS Silver badge

Blue light

For this to make a difference for me, I probably need to switch out the blue OLED panel nightlight in my bathroom :)

DougS Silver badge

Maybe the backlight isn't able to change color temperature on the older phones?

Apple engineers rebel, refuse to work on iOS amid FBI iPhone battle

DougS Silver badge

Re: @Displacement activity

Every Apple SoC has a unique ID (actually two) fused onto the chip, just like Intel.

DougS Silver badge

@Displacement activity

The processor IS customized. Every CPU from the A6 (used in the 5 and 5c) and on is a fully custom design done by Apple, so any references to the capabilities ARM CPUs have are not really relevant. Apple created their own design that implements the ARMv8 instruction set, which bears no resemblance to ARM designed cores like the A57, A72, etc.

In the iPhone 5S and newer they also designed a second ARM CPU on the same SoC which is the "secure enclave" that runs an L4 microkernel completely separate from and independent of the iOS kernel, and that only communicates with iOS using a tightly defined and highly limited communications channel so any bugs/exploits in iOS can't be used to exploit the secure enclave.

DougS Silver badge

@tom dial

The reason people have more respect for the 4th amendment than the All Writs Act is because the Constitution is the basis for ALL federal law in the US. It grants powers to the federal government, and nothing not specifically enumerated can be the subject of a federal law.

I'm not really concerned with the age of the All Writs Act per se, only its constitutionality. If it violates the Constitution in any way, then those portions that do so violate it are unenforceable. It wouldn't be any more or less constitutional if it had been passed last year.

DougS Silver badge

@tom dial

if it were that simple it is likely the government would do exactly that and avoid an unnecessary dispute

You're overlooking the value of the precedent a decision in favor of the FBI would set, both for Apple and for other tech vendors, that a judge can force them to use their control over the OS to hack their own products.

There are many who argue that the CIA/NSA could hack into the phone, but the Director of the FBI testified in Congress that they asked for help and were told they couldn't get into the phone either. It isn't as if a government official has never lied under oath to congress (remember James Clapper) so even though the suggested method wouldn't work it is quite possible to believe that the FBI may have avenues they are choosing not to take in order to gain this precedent.

DougS Silver badge

"Apple is fucked in marketing terms and brand loyalty"

There are going to be some iPhone owners who think they are completely wrong, and will become former iPhone owners. There will also be some non-iPhone owners who think Apple is 100% right and will become new iPhone owners because of their stand.

I think the "Donald Trump boycotters" and the "standing up for privacy switchers" (or that huge market of terrorists and pedophiles some idiots claim Apple is trying to attract) will pretty much cancel each other out, so I don't think this battle will have any noticeable impact on Apple's business.

DougS Silver badge

Re: It's likely I'm missing something.

The reason why physical security to protect keys used to be so costly is because pretty much only the military cared about stuff like that. When you have a combination of very low production volume and a totally price insensitive customer, of COURSE the solution will be expensive!

When you have a combination of lots of money to throw at the problem to figure it out (i.e. credit card companies and Apple) and very high production volume, then solving the problem in a way that doesn't cost a fortune per unit becomes a lot easier to understand.

DougS Silver badge

It isn't clear whether the 5S and newer are vulnerable to FBiOS

The secure enclave is basically a separate computer, which runs separate software. Can iOS updates deliver new software to the secure enclave? I don't know, but if so, and if updates to the secure enclave can be made in a DFU mode iOS update (which I doubt) then it would just be a different update.

However, Apple's upcoming change which blocks DFU updates entirely will block the All Writs Act angle. They'd be able to use that with iPhones they've already collected, but any collected with iOS 9.3 or later (or whatever version gets this) would be immune to that.

That's not to say congress couldn't pass a law that obligated Apple and other tech companies to have some way to access data on their devices, effectively mandating some sort of back door, but that's a whole separate fight.

DougS Silver badge

Re: It's likely I'm missing something.

Even though he was wrong I gave him an upvote for at least being smart enough to have the realization "when something seems that obvious, then it's likely that I've either completely misunderstood the problem at hand", which none of the dozen others who posted the same thing over the past couple weeks had the self awareness to realize.

FBI backs down against Apple: Feds may be able to crack killer's iPhone without iGiant's help

DougS Silver badge

Re: Not a win for Apple

No, that 0 day is about using a man in the middle attack to decrypt iMessages - if you are able to receive thousands of them. It doesn't help you get access to the phone.

And iOS 9.3 is already out, so that avenue is closed for anyone who has already updated like I did :)

DougS Silver badge

No, this is a win for Apple

Whatever is being done to break into this iPhone 5c isn't simple, or things wouldn't have reached this point. So it can still be claimed to be pretty darn secure, just not perfectly secure against every possible attack - and this 5c is a model from before the secure enclave was added. Whatever is being done to get at the data might not be possible against a 5S/6/6S/SE.

This is a win because it gives Apple free rein to continue to improve iPhone security without an active court case getting in the way. They can make it impossible for them to hack themselves via a custom iOS update, for instance. So next time the FBI comes calling for something no one can help them with, Apple will be able to say "sorry, we can't help you either".

iOS flaw exploited to decrypt iMessages, access iThing photos

DougS Silver badge

Re: Nation-state?

Not only did they probably choose favorable conditions, if you want to do this in a targeted way you'd have to capture and decrypt everything. So no worries about someone setting up a WAP and doing this.

DougS Silver badge

4 digit PINs

The 4 digit PIN isn't used to seed the encryption, it only unlocks the real encryption key. Read the iOS Security Guide Apple helpfully provides for a full explanation. So no worries about lack of entropy. Whatever this flaw is, it has nothing to do with the PIN and must be something in the way key exchange works for iMessage. Encryption is hard to get right, even for experts. Which is why the spooks probably like the idea of terrorists using some third party app like Telegram - they don't have all the experts an Apple or a Google can afford, and if they can screw up, and all the people reviewing OpenSSL can screw up, what chance does a guy writing an app like that have to get everything right?

As for the length of PINs, you aren't limited, you have the choice to use passwords. I think with a PIN you might only get 4 or 6 digits, and maybe that could be relaxed but I think it would be better to not relax it and instead encourage people to use passwords.

US Supremes to hear Samsung's gripes about the patent system after Apple billed it $550m

DougS Silver badge

Re: Won't be 4-4

I agree. Patents aren't a partisan issue for the Supreme Court, and while we may not always agree with their decisions they usually have pretty strong agreement amongst themselves one way or another. Remember, they are not allowed to decide on "common sense" grounds, but only to interpret the laws congress has written. If you want common sense, you have to convince congress to change patent law (and THEN it becomes a partisan issue).

Smartphones help medicos, but security is a problem

DougS Silver badge

Sending medical images via MMS

I had to visit the ER after a cycling injury in fall 2014 and the doctor wanted to have a specialist check on something before stitching me up and sending me home. She took a few pictures with her smartphone and texted them to him, which I'm pretty sure has to be a HIPAA violation in the US. I didn't care since the alternative was me waiting around an extra half hour while he drove to the hospital to examine me in person.

I'm sure the solution to this will be use of a camera to take photos that are passed to a computer then sent via secure email to a special app on a hospital issued smartphone or tablet the doctor will carry. Which, despite being simple to do, the "HIPAA approved" software will be marked up to an astronomical level since health care is a cost insensitive business. And that's the reason why health care costs will continue to spiral!

Stop! Before you accept that Windows 10 Mobile upgrade, read this

DougS Silver badge

Re: I've disabled

Even if you believe that documentably false statement that there are no vulnerabilities/malware, are you so dumb as to believe that would continue so you don't ever need to patch?

DougS Silver badge

Re: I've disabled

So I guess you don't care about security then? Or are you under some delusion that despite their terrible record for Windows security, Microsoft has done a far better job than Apple and Google have with mobile security?

Biometrics not a magic infosec bullet for web banking, warns GCHQ bloke

DougS Silver badge

Re: Tiresome..

Well sure maybe it is possible to build an NSA approved fingerprint reader that can't be spoofed for $50K, but how does that help use of it on a phone or to unlock your front door?

DougS Silver badge

Re: Tiresome..

If they want our voice prints they have all the phone calls we've placed over the past decade (at least) as they've been capturing them all since 9/11. Believing that your voice is something you can and should keep secure from the authorities is the height of folly. Nothing biometric can be kept away from them, because it has to be easy to collect to be useful in a device.

I know the US government has my fingerprints on file, since I previously had a security clearance and had to submit them (and was arrested a long time ago, but that predated TIA style collection of 'everything' and probably isn't even in my state's computer files) I assume they have my voice. They probably don't have my iris, but consider that when I renew my license I have to look into that little thing that tests my vision. I suppose theoretically it could make an iris image. Also I have a yearly checkup with my eye doctor, and they take very detailed pictures of the iris that show all the blood vessels inside. I doubt they have very good security, and probably use some standard system sold to eye doctors - bet the NSA could break into all of them pretty easily if they wanted.

No matter what someone comes up with, from elbow prints to DNA extracted from blood to microscopic X rays of my wrist bones, once it is done and used in some sort of device, that information is no longer under my sole control.

Infosec bods pop mobile money crypto by 'sniffing' e-mag radiation

DougS Silver badge

Admittedly this isn't something I've studied closely, I'm relying on what I've read 5-10 years after side channel attacks were first (publicly) described.

Still, for something like mobile payments I can't see how you could extract any useful information if you did your actual encryption in parallel with several other encryptions of random data. Yeah that's wasteful of power, but since mobile payments aren't something you do every few seconds and don't suffer if a tiny fraction of a second of latency is added, who cares?

For an attack against something you do often like sending an encrypted wifi packet obviously increasing your workload by 4x wouldn't be a good option.

DougS Silver badge

Re: Wow

As I said above, it is not difficult to fix software to block such attacks. Apple could fix this in the next iOS update if they wanted (though I doubt they are focused on TEMPEST style attacks against Apple Pay at the moment, since they have much bigger concerns right now like protecting iOS from the FBI forcing them to hack themselves).

Dedicated hardware presents a much bigger problem, since the only option is replacing it.

DougS Silver badge

Android Pay?

I thought Android Pay also used elliptic curve? The EMV standard is 3DES, though it supports alternate methods. I assume that Apple (and Google, if Android Pay uses it as well) use elliptic curve because triple DES is rather power hungry by comparison...though I can't see how that would matter for something like payments that you would do a handful of times at most, per phone charge.

DougS Silver badge

Not sure how practical it is, but it is rather simple to prevent via software changes. These types of attacks rely on being able to divine the key based on changes in workload - i.e. if you had more work for 1s than 0s or something along those lines.

If you change the software to do some 'unnecessary' work during the vulnerable calculations then the useful information is lost in the noise, at a (very) small cost in power for the wasted work.
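As an added illustration of the two posts above (this is not DougS's code nor anything from the research being discussed), here is a Python model of a workload side channel and the "unnecessary work" countermeasure. It uses a simplified trace model in which each loop iteration of a square-and-multiply modular exponentiation reports how many multiplications it performed; the toy modulus, base and exponent are constructed values, and the function names are my own.

```python
import random

# Constructed toy parameters: a small RSA-style modulus (61 * 59) and base, used
# only so the simulation runs instantly. Real keys are thousands of bits long.
MODULUS = 3233
BASE = 4


def modexp_leaky(base, exponent, modulus):
    """Textbook left-to-right square-and-multiply. Each loop iteration appends the
    number of modular multiplications it performed to a simulated trace: 1 for a
    0 bit, 2 for a 1 bit, so the workload mirrors the secret exponent bit-for-bit."""
    result, trace = 1, []
    for bit in format(exponent, "b"):
        result = (result * result) % modulus
        work = 1
        if bit == "1":                      # the extra multiply runs only for 1 bits
            result = (result * base) % modulus
            work += 1
        trace.append(work)
    return result, trace


def modexp_balanced(base, exponent, modulus):
    """Same arithmetic, but the multiply always runs; for a 0 bit its output is
    thrown away (the "unnecessary work" described in the post). The result is
    selected with a mask rather than a branch so control flow is identical for
    both bit values. Every iteration costs 2 units, so the trace carries no key
    information. (This is a model: a Python interpreter itself is not constant-time.)"""
    result, trace = 1, []
    for bit in format(exponent, "b"):
        result = (result * result) % modulus
        candidate = (result * base) % modulus
        mask = -int(bit)                    # -1 (all ones) for a 1 bit, 0 for a 0 bit
        result = (candidate & mask) | (result & ~mask)
        trace.append(2)
    return result, trace


def recover_bits(trace):
    """What an observer holding the trace can read off: high-work iterations are
    1 bits, low-work iterations are 0 bits. Returns None when the trace is flat."""
    if len(set(trace)) < 2:
        return None
    high = max(trace)
    return "".join("1" if w == high else "0" for w in trace)


def workload_is_key_dependent(impl, modulus, trials=64, seed=1):
    """Developer self-check: run an implementation over many random exponents and
    report whether the per-iteration workload ever varied within a run. A single
    flat trace proves little (an all-ones exponent is flat even in the leaky
    version), which is why the check samples many keys."""
    rng = random.Random(seed)
    for _ in range(trials):
        exponent = rng.randrange(2, modulus)
        _, trace = impl(BASE, exponent, modulus)
        if len(set(trace)) > 1:
            return True
    return False


if __name__ == "__main__":
    exponent = 0b1011001                    # constructed toy secret exponent (89)
    for impl in (modexp_leaky, modexp_balanced):
        value, trace = impl(BASE, exponent, MODULUS)
        assert value == pow(BASE, exponent, MODULUS)
        print(impl.__name__, trace, "bits visible:", recover_bits(trace),
              "key-dependent workload:", workload_is_key_dependent(impl, MODULUS))
```

The leaky trace reads back the exponent bit-for-bit, while the balanced version produces the same numerical result with a flat trace, at the cost of one wasted multiplication per 0 bit.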

HERE: We're still, er... HERE

DougS Silver badge

Re: Quite an uphill battle on iOS and Android

The problem is, that's a very very easy advantage for Google and Apple Maps to copy if they wish.

DougS Silver badge

Quite an uphill battle on iOS and Android

Both come with their own map application, and even if HERE is superior Apple Maps and Google Maps only have to be "good enough". I've used Apple Maps on my iPhone since introduction and found it worked very well for the areas I've used it (in the US) so I had no need to install Google Maps when it became available for iOS as a separate app. Likewise I'm sure most Android users are perfectly happy with Google Maps and would see no need to switch.

I think HERE's future will be built into the nav systems of the automakers who own them, but I have never and will never buy a car with a Nav system - why spend $2000 on something that comes for free with my phone?

It is too bad because I hear good things about HERE (no pun intended) but I don't see it having much of a future.

Hand in glove: Google and the US State Dept

DougS Silver badge
Black Helicopters

Doing things the CIA can't do?

Wow, if Google is out-doing the CIA on the 'covert destabilization efforts' front, they've taken their old "Do no evil" motto and turned it around 180 degrees. Even at their worst Microsoft was only evil in a business sense, and only lobbied the government to try to prolong their monopoly.

Google is now taking evil to the sort of level typically reserved for companies like Halliburton and Blackwater!

Microsoft's equality and diversity: Skimpy schoolgirls dancing for nerds at an Xbox party

DougS Silver badge

Head of marketing is unaware of who on his team booked them?

Yeah right, pull the other one. Sounds like no one will be blamed for this, it will somehow turn out that no one at Microsoft was responsible lol!

Google tries to run from flailing robotics arm

DougS Silver badge

Never saw BD's products as being useful for the military

Way too loud, and a lot of the cargo it would have to carry would be fuel to keep it running, because you can't afford the chance it runs out or you have to leave it and its cargo behind!

If you're going to make that much noise traveling through rough terrain, get yourself an M1A1 and be done with it. Those can carry a lot more cargo, and are even better at defending themselves from a guy with a hockey stick!

Domino's trials trundling four-wheeled pizza delivery bot

DougS Silver badge

Re: Earth to Dominos ...

Shitty pizza hasn't hindered their success so far, why change things now?

DougS Silver badge

Re: What am I missing?

If the compartment was well insulated, it shouldn't lose heat all that fast. It isn't like a fresh out of the oven pizza is edible anyway, it relies on some heat loss before you can eat it. Surely it could beat those poorly insulated bags that the delivery guys use.

One in five PCs will be a tablet with detachable keyboard by 2020

DougS Silver badge

No, they don't

People don't buy Surface to use it as a tablet. They are buying it as a "thin and light" laptop, and it is thinner and lighter than about anything else out there with a similar display size.

Look out, Windows Phone 8 users – yes, both of you – here's ... Windows 10 Mobile

DougS Silver badge

Re: 'lifetime' licence to use HERE maps

Fixes to security issues that are found in Windows Phone but will have patches delivered for Windows 10 only, not for 8.1?

Snowden WAS the Feds' quarry in Lavabit case, redaction blunder reveals

DougS Silver badge

Re: Not a mistake

They can't prevent those services from existing, any more than they can prevent terrorists from using encrypted communications by playing whack a mole with iOS, WhatsApp and Telegram.

DougS Silver badge

Re: Groklaw

Please, do you really think the government used Snowden as a smokescreen to cover up a campaign against a paralegal who posts information about lawsuits involving open source? You have to crank your conspiracy theory meter up to at least 9.5 to think the government would use the largest classified leak in history to cover up a "bigger" conspiracy against someone defending open source!

DougS Silver badge

Re: I'm impressed

Considering how badly the government does IT, Clinton's email was probably a lot more secure on her private email server than sitting on the state department server.

DougS Silver badge

Interesting timing

This being released during the Apple/FBI fight. Maybe the FBI wants to show Apple how far they're willing to go over something meaningless. Sort of the government equivalent of putting a horse's head in Tim Cook's bed.

DougS Silver badge

@AC "we now know where the WMDs went during the Iraq war"

Wow, there are still dumbasses trying to rewrite history to claim that Saddam maintained an active WMD program after the first Iraq War, hoping to justify the trillions spent ousting him when he had nothing to do with 9/11.

Sorry, you'll have to do better than that. Mustard gas is quite easy to make, and as for chlorine gas....well that's so easy to make that some people unintentionally make it when they mix household cleaners! Consider that as ISIS has overrun vast territories they've been able to take over various industrial plants that make various chemicals, so they have all the raw materials at their disposal.

Plus Assad may have had some WMDs of his own they found when they overran vast areas in Syria, so even if they used "manufactured" WMDs that doesn't mean they came from Iraq and certainly doesn't mean they were manufactured after 1991 (there were many caches of old rusting WMDs found by US troops that they missed the first time, many of which the Iraqis didn't even know about).

Try again.

Apple iPhone GPU designers Imagination axes 20 per cent of staff

DougS Silver badge

Maybe they will lose Apple as a customer

Apple hired a bunch of GPU engineers several years ago, and speculation was that they were going to design their own GPU instead of using a modified PowerVR core like today, similar to how they have designed their own ARM core, instead of using a modified ARM core like they did with the A5 and A6.

Maybe they finally have their own GPU design ready and told Imagination last fall that they would not be licensing PowerVR for the iPhone 7 and beyond. If that happened, Imagination would know a decrease in their licensing revenue is coming and they'd have to cut expenses.

HTTPS is not enough: Boffins fingerprint user environments without cracking crypto

DougS Silver badge

Who cares?

The version of OS you are running is not exactly something you can keep secret anyway, due to differences in how the TCP/IP stacks work, not to mention more obvious information leaks.

If someone wants to attack you, the only reason knowing your OS matters is to choose which attack to use instead of simply trying all the popular ones (or just the one they are hoping to compromise). It isn't like they're paying for bandwidth, what do they care if they try a Windows attack on iOS?

Brits seek rousing name for polar research vessel

DougS Silver badge

SS Witches Tits

See title

Apps that 'listen in' to your mobile get slapped by US watchdog

DougS Silver badge

Re: Siri and Cortana

I think you'll find Google not Apple is the king of spying on stuff like what web pages you visit, and are probably hoping to get Android built into smart TVs so it can upload information about what programs you are watching to home base to add to the huge database of personal information they've already collected on you.

Big data boffins crunch GPS traces, find altruistic route planning is good for everyone

DougS Silver badge

Not sure this is the best way

The methods I'd like to use to choose routes in an unfamiliar area are:

1) the simplest / least stressful route - if I just want to get from point A to point B with the least amount of fuss. I don't care if it takes longer if it reduces the chances of missing a turn or going the wrong way. I'd prefer a jaunt down surface streets instead of a quick on/off an expressway, or maybe I'd prefer an expressway that takes longer if the surface streets take me through areas popular with carjackers.

2) the most scenic route - if I have time and there are things worth seeing I'd rather take a drive down a nice windy road instead of an expressway with concrete walls on the sides.

Where I live, I know what routes to take to avoid traffic, so I don't want tourists being directed down the same routes and getting confused. Take them on the main roads where they can reach their destination easier, and leave the neighborhood cut thrus to the locals.

Plucky cable billionaires defeat menace of small-town broadband

DougS Silver badge

Re: Confused

It is twofold. Part people who are paid off by industry lobbyists, and part "conservatives" who think government has no role in the private sector.

The problem is that the government already has a role in the broadband market, through stuff like making utility right of way available or not available, granting cable companies exclusive franchises which guarantee there is only one cable company in town (to add to the single phone company in town which exists because of what essentially amounts to state/federal franchises).

People who claim to believe in the free market often don't understand that a free market only functions properly where perfect competition exists. That means there are no barriers to entry, erected either by government, limited resources, or economic barriers to entry (like needing a lot of money to start a fiber ISP in a city that size). When the market doesn't function properly there can be no free market - that's how you end up with monopolies that don't offer decent broadband because they don't have to since there is no one else to do so and take away their customers.

DougS Silver badge

Re: But what they CAN do is license the Tech to other Counties at a nominal fee

"Licensing" doesn't install the fiber in the ground in those neighboring counties.

Comcast now touts unlimited gigabit service (that you can't get)

DougS Silver badge

Re: Meanwhile, the Myth is alive and well.

Wow, I've never seen such an utter misunderstanding of Shannon's Law.

It is not saying that you can't get 1 Gbps on a 1 Gbps line. DOCSIS 3.1 operates well below the Shannon Limit, and if you don't get 1 Gbps on that line it has nothing to do with Shannon's Limit and everything to do with oversubscription, network contention, and mundane stuff like that.

The Shannon Limit for that 18 AWG coax line is well in excess of 10 Gbps. How do I know? Because they expect to be able to get 10 Gbps out of future versions of DOCSIS 3.1, once they drop the 6 MHz QAM channels and go all IP. And that's without going to higher frequencies, and without going to even higher order modulations (which require more computational power, but Moore's Law keeps helping us out there).

The only media really pushing up against Shannon are satellite broadcasts and 100GBASE-T (when it becomes available in a decade or so).

Biting the hand that feeds IT © 1998–2019