* Posts by Brian Scott

46 posts • joined 13 Jun 2007

X-ray specs: Signal whizz JMA Wireless claims to have solved indoor 5G, everyone

Brian Scott

Re: Dreaming of the future that could have happened years ago

Voice over TCP/IP will always remain a hack that I believe even Skype only uses as a last resort. However Voice over UDP/IP using RTP is extremely common and becoming the standard means for fixed line phone calls around the world.

Support on actual fixed phones has been very slow taking off with most people going through a local gateway (Analog Telephone Adapter). Support from mobile devices is also a little hit and miss, generally using a customised app from your carrier of choice. Free VOIP apps tend to be difficult to configure and lacking in useful features although the situation is improving.

As for roaming between WiFi networks there are a lot more problems than the initial captive portal (a legal necessity as you seemed to partly acknowledge) to solve. The change in IP address would be a much more difficult problem to solve.

Even within single organisations with handoff between WiFi cells with the same SSID (and therefore no new captive portal or IP address), the problem of dropped audio within a fraction of a second is still a problem that WiFi vendors are solving with incredible proprietary hacks. Add to that the fact that most WiFi devices resist handoff for as long as possible, degrading performance unnecessarily, don't look to WiFi in the near future to make this work.

The Great IoT Protocol War may have been won: Thread's 1.2 release aims at business

Brian Scott

Of course what we really need for IoT devices is for them not to need to talk to the mothership at Google, Amazon, Apple, or their Chinese equivalents.

I bought an IoT power switch recently that would only work when used through the prescribed app. That app sent my requests off to a server in China which was also connected to the device. Coincidentally the app also insisted on knowing my GPS coordinates from the phone. This means that there exists, somewhere in the Chinese part of the cloud, a database of devices and exactly where they are located in the world and the means to turn them off and on. Very scary. I wanted to name my switch 'nuclear reactor purge' but my wife wouldn't let me!

The problem is that most people don't have any sort of infrastructure at home that could happily manage this sort of thing in a well protected way (register readers excepted!). The easy answer for lazy manufacturers to get a product to market is to run a central server somewhere to manage things for everyone. It also allows them to think of ways to monetise all their connected customers sometime in the future.

The proper answer is for someone to build a suitably simple piece of hardware kit that everyone can have in their home that can manage their own devices without recourse to servers in some undefined part of the world. It would have to be based on open standards so there would be multiple compatible implementations from different vendors using different chipsets. Builders of IoT would need to support the same standards.

Wishful thinking I know. Standardised protocols are only the beginning of a very long path to enlightened happiness.

Still sniggering at that $999 monitor stand? Apple just got serious about the enterprise

Brian Scott

Re: Shiny, shiny

I thought Apple bought CUPS.

Ignore the noise about a scary hidden backdoor in Intel processors: It's a fascinating debug port

Brian Scott

Needing root is not the problem

It's easy to think of this as a vulnerability but I don't think that's the point.

What it means is that a bad guy™ can use the feature on their own equipment to investigate and develop new speculation attacks in the comfort of their own homes. When the attack has been properly developed, it can presumably be set loose on their targets without any further need for the debugging help this 'feature' has given them.

The only system that the attacker needs root access to is the one sitting on the desk in front of them.

This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet

Brian Scott

Just tested this on a very up-to-date FreeBSD install.

"The '-logfile' option cannot be used with elevated privileges."

% Xorg -version

X.Org X Server 1.18.4

Release Date: 2016-07-19

X Protocol Version 11, Revision 0

Build Operating System: FreeBSD 12.0-ALPHA8 arm64

...

Build Date: 07 October 2018 07:35:55AM

It pays to not be at the bleeding edge I guess. (The Xorg executable is setuid but obviously at this back-level version there are sufficient checks for dangerous options.)

It's the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit

Brian Scott

Why didn't they do this in the first place?

It seems to me that this is the sort of security that should have been baked into a product like this in the first place. All updates delivered personally by a verifiable representative of the company. The only extension might be a visual comparison of a locally produced secure hash and one published on the web to guard against rogue/compromised company reps. (a visual check because the device doing the updating shouldn't be capable of connecting to the net.)

Sometimes the internet isn't the right answer. This is one of those times.

If you haven't already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat

Brian Scott

Re: Router OS?

MikroTik - I'm guessing it sounds a lot better in Latvian.

Brian Scott

Re: Would anyone...

Yup. I've got a bunch of them around the place.

The only one I have actually directly connected to the internet is regularly updated and has pretty minimal functionality enabled. The others are blocked by firewalls except when I'm updating them.

That being said, they are very nice flexible cheap little boxes.

Time to dump dual-stack networks and get on the IPv6 train – with LW4o6

Brian Scott

Re: Throw caution to the wind and it will fall upon someone else

eldakka:

You do realise that setting up normal IPv6 addressing is actually easier than DHCP. DHCP is the hard way that we get to leave behind with IPv6 except for the really unusual corner cases.

The router advertises the network prefix regularly on the wire (or when asked). The device picks a unique address on the local network (64 bits to play with and usually based on the MAC address) and away it goes. Easy. All your modern devices do this already. Windows has been doing it since XP but your router wasn't smart enough.

The only exception might be a few really stupid IoT devices that have been developed by a work experience student and shouldn't be allowed on a network anyway.

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

Brian Scott

Email transport is insecure

Get over it and move on.

The only secure way to communicate via email is with end to end encryption using something like PGP.

The fundamental problem with STARTTLS is that if the certificate on the other end fails for some reason then it can 1) use it anyway, 2) downgrade to non-encrypted, or 3) bounce the email back to the sender. Number 3 is pretty unfriendly for the average user to work around. Number 2 is just stupid because the connection may be legitimate but with a self-signed certificate (or expired, wrong name, whatever) and the encryption would still defeat anyone listening to the connection. Alternative number 1 wins by default.

DANE is good (provided you can use DNSSEC to authenticate it) but support is crap. Also, because of the multi-hop nature of email it is still only protecting an individual hop (although that is probably enough for uncomplicated email these days). Fake headers could be added by anyone along the way claiming encryption when it isn't used (why you would is beyond me; if you can fiddle the headers then you already have access to the content).

However, all this is solved if your email client encrypts the message in a way that it can't be decrypted until the destination email client decrypts it. The worst that an adversary can do is stop the email from being delivered. This is something that already happens regularly with overzealous spam checkers so is now an inherent problem with email anyway.

Not one, but 20,000 black holes hiding in Milky Way's heart

Brian Scott

"The researchers found 12 black holes with similar masses as the sun surrounding the supermassive black hole Sagittarius A* that lives in the galaxy’s center."

I don't claim to be an expert at this but I thought the mass of the sun was too low to form a black hole.

South Australia bins emergency alert app, contract

Brian Scott

Obligatory XKCD

https://xkcd.com/937/

Some 'security people are f*cking morons' says Linus Torvalds

Brian Scott

Linus Torvalds is a f*cking moron?

Security works by having multiple layers. It protects you against accidents and malicious attacks.

Subroutines should check their arguments. You can call this a security thing or you could call it just being careful of other code having bugs. Personally I don't care which but it's good coding practice. Now it is possible to just say fix all the buggy software and then you'll never need to validate arguments but I've never heard a competent programmer advocate that. Call it security in depth.

Now I will admit that you have a problem when it's the kernel checking its own behaviour because things can get ugly when it shoots itself. These things need to be well thought out and tested. That doesn't mean it shouldn't be there.

It's lucky most projects don't have project managers like Linus Torvalds. This sort of behaviour is not how you get the best out of people. It is bullying behaviour that shouldn't be tolerated anywhere in this day and age.

systemd'oh! DNS lib underscore bug bites everyone's favorite init tool, blanks Netflix

Brian Scott

Underscore?

I thought underscores were illegal in DNS names. I know Microsoft had other ideas in the distant past but now even they frown on them. Why the hell are Netflix using them?

Oh, and to echo everyone else: why is an init process doing DNS resolving? An init process should start things and possibly stop and/or monitor them. The tool to do DNS resolving is a DNS resolver. I would be very upset if my DNS (unbound and bind depending on system) resolver started starting processes. The reverse also applies. FFS.

Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds

Brian Scott

Good software design

The key here isn't whether sha-1 should be used in git in the first place.

Good practice in designing security software should acknowledge that after some time all of these things become obsolete so you need to design in a framework that allows you to easily migrate to a future algorithm when the need arises. Baking sha-1 into the design is a mistake if it is then too difficult to change.

Other than that, there is no particular reason to be worried about sha-1. It's just another warning shot to not use it in new products and to start looking at how to turn it off in existing software. This should be simple with well designed software.

Researcher reports XSS hole in Google France

Brian Scott

"Cupertino slings quick fix."

Isn't that another mob?

Having offended everyone else in the world, Linus Torvalds calls own lawyers a 'nasty festering disease'

Brian Scott

Re: Easy to get rid of the lawyers

I think that Linus thought the GPL was just like BSD. He now seems to defend the rights of business to use Linux any way they want, without interference from lawyers. That's the BSD model that he probably saw earlier in life.

Mind you, there are probably ways that you could move Linux to a BSD license if they really wanted to but why bother. There are plenty of good operating systems out there with a BSD license on them already.

If Linus really believed in the GPL (perpetually free software) he wouldn't be keeping the whole shooting match licensed under the very outdated and full of holes GPLv2. The GPLv3 does a much better job in the 21st century and other projects have easily migrated to it. Blame the contributors perhaps (contributions under GPLv2, blah, blah, blah)? No, I think that's just a nice scapegoat for keeping it all as BSD like as he can get it.

Remember that it was Linus (I presume) who dropped the 'and later versions' clause from the licensing clause on Linux and created the whole license mess that people are now fighting over. I can't help but think if he had talked to some good lawyers way back then, the world would be much simpler now.

IBM makes meek apology for Oz #CensusFail, offers no fail detail

Brian Scott

Re: Meh

Geo-blocking DNS? WTF? That's just being stupid.

I saw a lot of screen shots in the media that were actually DNS failures. That explains something I suppose.

Let's Encrypt in trademark drama

Brian Scott

Law vs. Ethics

I would have expected a Certification Authority to behave ethically as part of its business model.

For the CEO to claim that they were just operating within the law and that this is the cut-and-thrust of business shows that they have confused the two concepts of law and ethics. What they are doing may well be legal (I am not a lawyer, etc) but stealing a name from a non-profit is in absolutely no way ethical.

The list of trusted root authorities in our browsers represent the companies that we trust to a very high standard to make our decisions on the authenticity and legitimacy of domains on the Internet. I expect them to do this both within the bounds of law and with a very high degree of ethics.

A legitimate approach to this would be to remove Comodo from everyone's list of trusted certificate authorities since they clearly are not living up to the high standards demanded of them.

They would then go out of business because internet sites could no longer choose to use their now untrusted certificates.

This is business Comodo. Sorry to see you go. Don't slam the door.

Take that, Mom! Turns out Super Mario Bros was all about solving complex math problems

Brian Scott

This is like saying my dog can solve quadratic equations because it can catch a ball.

Apple assumes you'll toss the Watch after three years

Brian Scott

MacOS

It could just be my old, faulty memory but I thought MacOS was the predecessor of OS/X. This would put the last release (Mac OS/9) somewhere around the turn of the century. I'm too lazy to look it up exactly but that would mean it was all obsolete about 10 years ago.

I don't know anyone still running a pre-OS/X mac. I have one (Mac plus running OS/7) but I certainly don't fire it up and do work with it. It still works though.

Verisign warns new dot-word domains could make internet unstable

Brian Scott

Re: telling quote

I'm guessing that the available namespace for private networks is now reduced to rude words. This could go down well in some workplaces.

It's almost time for Australia's fibre fetishists to give up

Brian Scott

Fibre? Copper?

Wow. I'd be very happy to have either copper or fibre.

My NBN future (guessing at least the next 10 years) will be wireless delivery. I'm really looking forward to that like a good toothache! Of course at the moment I'm stuck on ADSL 1 unless I switch over to BigPong so maybe I shouldn't complain too much. Friends who have ADSL2 in the region tell me that they are going to be moved off that to wireless in the long term.

A contact doing nbn installs suggests that they are really not very interested in anything other than wireless because it avoids playing in pits.

I'm not sure where they would be bothering to install this stuff. It might just be Malcolm Turnbull's place.

Boffins brew TCP tuned to perform on lossy links like Wi-Fi networks

Brian Scott

Broadcast?

"As an example of how TCP congestion control can get in the way of network performance, the paper cites a broadcast of two packets to multiple receivers:"

I think I see a problem here... (hint for non-network people: TCP is very strictly point-to-point not broadcast).

In fairness I couldn't find the word broadcast in the original paper, on the story.

Google devs: Tearing Chrome away from OpenSSL not that easy

Brian Scott

"In response to the Heartbleed debacle, a group of NetBSD developers created an OpenSSL fork called LibreSSL."

Actually, that's OpenBSD not NetBSD. OpenBSD forked from NetBSD a long time ago. They have a bit of a history doing this.

Microsoft admits it's '18 months behind' with Windows 8 slabs

Brian Scott

"But UK director says 'iPad will become marginalised'"

He's right. Eventually the iPad will be marginalised.

Something else will be the next big thing and by then Microsoft might have a competitive tablet OS and no one will care.

If Microsoft wants to survive they need to work out what the next big market will be and start working towards that. They also need to shake the belief that the answer to everything is Windows. It may be that no one will want to buy Windows for Underpants.

The iPad really is crap in an enterprise environment and there may be a few bucks to be made building something better for that market. Unfortunately there won't be big money in it, just a few crumbs for the companies still hanging around in that space.

Free cloud server self-destructs in 35 minutes

Brian Scott

Re: MiB?

But not GiB.

They've only partly gone over to the dark side.

Lots more virtualisation, cloud, added to TAFE courses

Brian Scott

Re: Wrong, These are NEW units.

I apologise. It looked like a late announcement for the existing units. I look forward to reading the new units when they become available.

Brian Scott

Um, sorry about your slow news sources. ICA11 was published in 2011.

This is the second year that we (a TAFE in regional NSW) have been using these units.

You can help fix patent laws … now!

Brian Scott

Re: I hereby patent making sarcastic article titles

"*No right to hold a patent unless the holder actually uses it."

So I presume in your grand plans if a company were to design processors but not manufacture them, then they shouldn't be able to license others to do the manufacturing (i.e. make money off their design work).

Seems to me that many companies have a valid reason to patent things but not manufacture them. Perhaps the test should be whether they are actively trying to entice others to license the designs.

Chrome 9 debuts with WebGL, app store, instant annoyance

Brian Scott

Installation still broken?

I presume the installer is still incapable of working if you're behind a proxy. When I've tried to install it on a work machine, the little installer would immediately die because it was incapable of navigating a proxy server (presumably to keep the installer very small). The only option has been to try to find the download that the installer downloads and bring it down manually. A task that Google appeared to definitely discourage.

A lot of work and enough to make me think that it isn't a good fit in a business environment.

Then again, I gave up trying back at about version 3 or so.

Windows 0day allows malicious code execution

Brian Scott

0 Day?

So, information about the vulnerability has been published, Microsoft have been made aware of it, and some time later (guessing > 0 days) we will have exploits in the wild.

How on earth is this then a 0-day vulnerability?

Google open sources Apache server speed mod

Brian Scott

Open source?

For an "Open Source" project there seems to be a pretty big emphasis on binaries. I suppose the source code is there if you look very hard but certainly not on the downloads page.

Shouldn't this be classed as open binaries?

Microsoft says XP netbooks die on October 22

Brian Scott

re: Ubuntu Linux Netbook Remix

> looks easier on the eye due to being optimised for low resolution screens

That would be except for the dialog boxes that are larger than the screen. How many tab keys do you type blind before hitting space and hoping you got the OK button and not the cancel button? It's fun to guess (often 2 but 3 needed on network manager) but definitely not easier on the eye or optimised for low resolution.

Woman called Window joins Apple

Brian Scott

or the very famous...

Robert'); Drop Table Students; --

http://xkcd.com/327/

Anti-Internet Explorer 6 protests grow with online petition

Brian Scott

SVG

Just a little point in favour of IE6.

The old Adobe SVG browser plugin worked with IE6 and gave reasonable results for embedded SVGs in web pages. As I recall, when Adobe dropped support for their plugin ("all reasonable browsers have native SVG support built in") some years ago, IE7 and IE8 didn't exist and therefore don't work.

Embedded SVG was a good way to crash IE7 in some quite entertaining ways. I haven't tried it with IE8.

I think Microsoft are considering adding SVG support to IE9 or 10, so in the meantime if you must access websites using important internet standards you should either use IE6 and the unsupported plugin or any other browser released in the last 5 years.

Mozilla lights fire under Thunderbird

Brian Scott

Happily using IMAP with Thunderbird

I've been running Thunderbird for a few years now, mostly because their IMAP support is better than Entourage or Apple's Mail. I use Outlook at work because of an Exchange server but find that its IMAP support is a bit clunky when I connect it up to other servers.

Web based email always seems like the poor cousin of real email clients. It's something you do when you are forced to, not because you want to.

On a command line my preference is for mutt.

Thunderbird hangs occasionally (mostly when I sleep my laptop while it's checking mail) but not so much that I care.

I would happily move to a better email client if one existed. If that was Thunderbird 3 then good. If someone else gets their act together then they will get a convert.

As the developers of mutt said "All mail clients suck. This one just sucks less."

IBM lab builds computerized cat brain

Brian Scott

title

"petaFLOPS per second"

<pedant-alert>

The PS at the end of petaFLOPS stands for Per Second. The additional per second isn't required unless we are dealing with an acceleration (i.e. per second per second). Alternatively you could use "petaFLO per second" but nobody would know what you mean.

</pedant-alert>

Only mildly less annoying than people that drop the final S when there is only one of them (e.g. 1 petaFLOP).

Does the Linux desktop need to be popular?

Brian Scott

@Robert Pogson

"The usability issues are gone on a well-configured OEM installation. eeePC showed that."

Have you ever used the rubbish Xandros install on a eeePC? My wife demanded I fix it within a day of getting one. She is now happily using eeebuntu. I look at eeebuntu and think that it is appalling that many of the dialog boxes are too big to fit on the screen so you have to guess how many times to hit the tab key (to select an unseen OK button rather than the equally hidden Cancel button).

Xandros 0/10

Eeebuntu 5/10

*nothing* gets 10/10

This is meant to be a core market for Linux and they don't get it.

Researchers forge secure kernel from maths proofs

Brian Scott

Title

Unfortunately a mathematical proof of correctness may prove that some set of known types of bugs don't exist and it may prove that the program actually matches the specification. What it doesn't prove is that the program is what the customer wanted (i.e. the specification is never complete and will change over time so insisting on it being complete and static is a very good way to get a disappointed customer).

Does proof of correctness result in code that is optimally able to be maintained (oops, sorry - if it starts out life correct then it never needs maintenance does it?).

More importantly, our happy user needs to use this kernel to do some real work so they install a web server on it, along with php, then hire a cheap programmer that has read a book on PHP to write applications for it.

The eventual end user knows nothing about any of this and compromises the integrity of the system by writing down passwords on sticky pieces of paper or surfing pr0n sites that have bonus cross site request forgeries embedded in them....

It may be nice to have a more robust Kernel but I think the money would be better spent on researching how to fix the real problems that plague computer systems.

XML flaws threaten 'enormous' array of apps

Brian Scott

Title

So let me get this straight,

"we tested out some XML frameworks and some of them broke". Good, this is nice to know. Now tell me which ones so I can see if I have a problem. Not telling? The CERN advisory has a very short list but if that is the full extent of what they found then it's not much. @Fazal Majid says that expat has a problem - OK, that's interesting to me.

"broke things might run other people's code". True. Do any of these top pieces of software break like that or is this just a statement of general principle? I agree with the principle but not all broken software breaks in the same way.

"here is a list of XML parsing software - we haven't tested most of it but it may all be broken". Or not. I'm having a little trouble with this logic. I want a list of what these guys have tested, not a wikipedia entry on XML.

"We have a piece of software that everyone should be using to test their libraries". OK, now I understand what this article is all about - it's an advertisement.

In reality most XML parsing software is regularly tested with broken XML. I do it all the time without even trying. A typo here, a misplaced character there, some broken encoding, whatever. And what happens? I get a message telling me that my XML is broken. Just like it should. Now, if the application using the library is too stupid to realise that something is broken and chugs on regardless then bad things might happen, or if the application lets the library stop the program (very unusual in my experience) then we might have a denial of service attack against the application.

Many applications using XML do so with XML that is completely under control of the software or the local user so there isn't likely to be any direct threat. It's only the applications that process XML from untrusted sources that are at risk.

Maybe not everyone is doomed after all.

Comcast trials Domain Helper service DNS hijacker

Brian Scott

A good job for DNSSEC

Roll on DNSSEC aware resolvers and the fraudulent DNS entries for the non-existent domains will result in a local error on the client machine.

Rather than seeing the "Domain Helper" service, users will just see a warning that someone upstream is fraudulently altering their traffic. They will then move to a different ISP to avoid the warning. Eventually the ISPs will work it out or die. Easy.

AVG scanner blasts internet with fake traffic

Brian Scott

Not only does it hurt websites and dialup users

I was hurriedly removing this from a friend's dialup computer and took the opportunity to trace the network traffic while connected to my broadband connection.

First thing I noticed was a lot of failed POSTs as it tried to tell explabs.net about browsing history. Nice one - people would pay very good money to AVG for this information. Hopefully they have a privacy policy (haven't checked) but it does go over the internet in clear text so it can save your ISP some trouble. This can be turned off during installation.

What worries me is that it uses 'Cache-Control: no-cache' on its requests. This means they are also causing proxy servers to do more work downloading content. OK, not everyone has a proxy on their home network but I notice that my ISP has a transparent proxy and it must be wrecking their links.

World economy group gives IPv6 big push

Brian Scott

Re: Death of IPv4??

Actually, I saw a paper a while back explaining why IPv6 addresses would run out much sooner than expected. I forget the details but my understanding was that it was caused by stupid administrative practices.

By convention, the bottom 64 bits is made up from a slightly modified version of the MAC address of the network interface, thus every network is automatically provisioned to be able to have every network device in the whole world connected to it at once. This is possibly overkill.

ISPs would give out /48 addresses so you can do your own subnetting (16 bits, 65536 subnets - should be enough, even for me). We are now down to 2**48 possible connections to ISPs.

The addresses available to an ISP are part of an allocation sold to their upstream providers, and so on up the pole. Everyone in the chain needs a sufficiently large allocation of subnets that they won't run out any time in the future.

I think that this sort of thinking is very similar to the old 'give everyone an A class address so everyone will have lots of flexibility' thinking from the dawn of the internet. We all know the mess that caused when more than 125 companies wanted to play.

IPv6 was never designed to have 2**128 devices connected. The fact that it has 128 bit addresses leads some people to draw the wrong conclusions.

I run IPv6 at home with no thanks to my ISP or router vendor. The only advantages at this stage seem to be the swimming turtle at www.kame.net and learning about something that everyone else will be learning in a hurry in a few years time.

Patent law passed in US, but Presidential veto could follow

Brian Scott

Won't this make things worse?

I could have misread it but doesn't "first to file" mean we will get a lot more patents for things that are blindingly obvious and in common use just because no one has tried to patent them before? Has breathing been patented or will someone (having read my post) be "first" to file?

It seems to me this only benefits the big companies that can generate patents every time someone on their payroll has an idea. The rest of us lose out because we don't have the budget to get patents for everything we do - to date we have believed that prior art protected our use of our ideas from subsequent patent applications.

Apple's Safari 3: a crashing experience for non-US users

Brian Scott

Proxies

I tried it but it crashes. It looks like it can't handle our local proxy setup (configured through a proxy script and then authenticated with NTLM) so it crashes. The only work around seems to be to not load any web pages - not really a viable option for a web browser. You can't turn off the proxy settings (as someone pointed out, it just uses IE's settings and my settings at work are locked down by group policy) so I can't even test it on local content. I think the most remarkable thing about this is the complete lack of feedback channel for me to point this out to Apple. I'm happy to regard it as a beta and send back feedback but it seems odd to only want feedback from people that it works properly for.

Anyway, it's obvious that this is being rushed out because it (or the webkit component) forms some key component in the new version of iTunes for Vista so they need to get most of it working on windows anyway.

Biting the hand that feeds IT © 1998–2019