Posts by PyLETS

644 posts • joined 11 Jul 2011


Intel adopts Orwellian irony with call for fast Meltdown-Spectre action after slow patch delivery

PyLETS
Linux

Open source hardware needed ?

Personally I think patching existing systems is likely to have to involve using software to increase timing entropy resulting in the blocking of these side channels where the software access control context calls for it. So processes already running sandboxed from each other or owned by different users shouldn't be able to read each other's memory and will run slower as a consequence.

This is just a patch. If the deeper problem exposed is that proprietary hardware can't be trusted anymore due to its combination of obscurity and complexity, then open source hardware might offer a solution for users and applications where security really matters enough, initially to be willing to pay more for hardware offering the same raw performance, until scale economics enable this approach to compete against established hardware designs. The RISC-V open source hardware project seems to be making useful progress.

2
0

Registrar Namecheap let miscreants slap spam, malware on unlucky customers' web domains

PyLETS

Re: DNS is insecure - muggle key mismanagement

It's a question of whether it's better for a muggle to learn to be more like a wizard by risking key management mistakes or to risk getting screwed by an incompetent or untrustworthy registrar which holds the keys for them. I guess if the muggle who wants looking after has the sense to pay for the less cheap registrar who relies on income from customers to not want to screw them over, that's their choice.

0
0
PyLETS

DNS is insecure

What's needed is for the reputable registrars to provide customers with more useful help in setting up DNSSEC in ways such that the customer retains the zone signing private key and this never exists on the DNS servers which serve the public key and signed records. The DNSSEC standard also probably needs a signed assertion available to the effect that unsigned subdomains of a zone do not exist, but if it currently has this capability I'm unaware of it.

2
0
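The signed assertion the post asks about is DNSSEC's authenticated denial of existence: each name in a signed zone gets an NSEC record (RFC 4034) naming the next name in canonical order, and a signed NSEC whose interval covers a queried name is the zone's proof that the name does not exist. The following is an added example, not code from the post or from any DNS software; the zone names in it are constructed. It builds the chain the way an offline signer would and checks whether a query name is covered.

```python
"""Added example, not code from the original post: DNSSEC's signed denial of
existence. A zone's names are sorted into canonical order (RFC 4034 s6.1) and
each name gets an NSEC record pointing at the next name; the last one points
back to the apex. A signed NSEC whose interval covers a queried name is the
zone's assertion that the name does not exist. In a real zone every NSEC
carries an RRSIG made with the zone signing key, which is the key the post
wants kept off the public-facing servers. Names here are constructed."""

from typing import List, Optional, Tuple


def canonical_key(name: str) -> List[bytes]:
    """Sort key for RFC 4034 canonical ordering: labels compared from the
    rightmost (most significant) label, case-insensitively, as octets, with a
    name sorting before any of its own subdomains."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [lbl.encode("ascii") for lbl in reversed(labels)]


def in_zone(qname: str, apex: str) -> bool:
    """True if qname is the apex or lies beneath it."""
    k, a = canonical_key(qname), canonical_key(apex)
    return k[: len(a)] == a


def build_nsec_chain(names: List[str]) -> List[Tuple[str, str]]:
    """What a signer does offline: order the zone's names and link each to the
    next, wrapping the last back to the first (the apex)."""
    ordered = sorted({n.rstrip(".").lower() for n in names}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC (owner -> next_name) proves qname does not exist.
    If qname equals either endpoint the name exists (the record then only
    lists which RR types it has), so it is not a denial."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o or q == n:
        return False
    if o < n:
        return o < q < n
    return q > o or q < n  # last record in the zone: wraps around the apex


def prove_nonexistence(chain, qname: str, apex: str) -> Optional[Tuple[str, str]]:
    """Return the NSEC record that denies qname, or None if no such proof
    exists (the name exists, or lies outside the zone)."""
    if not in_zone(qname, apex):
        return None
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None


if __name__ == "__main__":
    chain = build_nsec_chain(["example.com", "www.example.com",
                              "mail.example.com", "a.www.example.com"])
    for rec in chain:
        print("NSEC", rec)
    print("ftp.example.com denied by", prove_nonexistence(chain, "ftp.example.com", "example.com"))
```

A validator additionally checks the RRSIG over the NSEC it relies on and, for wildcard zones, the closest-encloser proof; NSEC3 applies the same interval logic to hashed names so the chain cannot be walked to enumerate the zone. Keeping the signing key off the nameservers is workable precisely because the chain and its signatures are produced ahead of time and the public servers only serve them.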

Accused Brit hacker Lauri Love will NOT be extradited to America

PyLETS

@Hans 1

"I am amazed at the decision, I think this is the first time in history that a UK judgement has prevented extradition to the US, but I might be wrong."

You are wrong. Gary McKinnon's case had various similarities to this one. https://en.wikipedia.org/wiki/Gary_McKinnon#Extradition_proceedings

4
0
PyLETS
Black Helicopters

@AC: re Extraordinary rendition

"He will need to suspect anyone coming within a foot of him in the street of having a rag with chloroform and a car parked around the corner to take him to a "private" Cessna parked at a nearby airport. Everywhere worldwide. UK included."

Depends on whether the US want us to tear up the treaty that allows lawful extradition. If they commit crimes of assault and kidnap on UK soil because they lose an extradition case in the UK courts, this would make any future UK extradition legal cases and the treaty that requires these moot, regardless of whether these concern a silly hacker or a genuine terrorist.

17
0

Death notice: Moore’s Law. 19 April 1965 – 2 January 2018

PyLETS

Re: You do know that Moore’s law says nothing about speed?

"Design changes can fix most of the weaknesses that allow Spectre and Meltdown, but it will take them a while to filter through to live systems."

It's always been reasonable for processes running with the same userid to share information from an access control point of view - you can always have more userids or introduce the appropriate mandatory access controls. If you want to create better boundaries between processes to restrict information sharing, operating systems already have plenty of discretionary and mandatory access controls which are supposed to give software designers the ability to achieve this. It is appropriate to close off these side channel vulnerabilities where processes are already running in different security contexts. It probably isn't appropriate to hit performance where the software design already runs things within the same security context and available access controls which could be used aren't being used.

Should I worry that a text editor I run can filch information from my word processor with the same user login or vice-versa ? Probably not and in this use case no performance hit needs to be imposed. Should I worry that some Javascript running in a supposed web-browser sandbox downloaded as part of a web page can filch information from my word processor ? Absolutely I should, and if fixing the sandbox means it has to run slower then that's a price which has to be paid.

We expect hypervisors and sandboxed applications to be contained against side channel information leaks, so the performance hit of containment needs to be accepted as part of the processor and operating system access control design.

28
1

Serverless: Should we be scared? Maybe. Is it a silly name? Possibly

PyLETS

Problematic business model

Geocities was bought in 1999 for $3.57B and switched off 10 years later. Providing the server and service with no revenue stream apart from paltry advertising, however temporarily popular, could only have been sold for that price if someone making the decision imagined it could become a monopoly capable of being monetized at some point.

Creating a production as opposed to demonstration/research app using such a service is likely to be high risk unless you can know in advance what it's going to cost your users and how they will pay for it. If it becomes a must-have monopoly, your heavy users will be price gouged or have to stop using what they've come to depend upon. If they imagine it will cost nothing it's unsustainable by definition and will eventually be switched off when the investor gives up funding the black hole.

4
0

US House reps green-light Fourth Amendment busting spy program

PyLETS
Black Helicopters

Smokescreen

If the NSA want to do illegal surveillance within the US of US citizens, I thought that's what they paid GCHQ to do for them legally.

2
0

Cisco can now sniff out malware inside encrypted traffic

PyLETS
Stop

Just as well it doesn't work all the time

In the early days of computer viruses when we used to find new ones every other month while providing a PC helpdesk and support service, I used to send samples encrypted against the public key provided by our then anti-virus vendor to said vendor so they could update their products and we could detect and remove them with less work on our part. Obviously I didn't want the malware I was sending our anti-virus vendor to infect anything else within the transmission channel so PGP encryption was a must.

1
0

We need to talk about mathematical backdoors in encryption algorithms

PyLETS

Re: Bank Vault locks - cardboard doors

"The problem is that those who hold the high value secrets might know this but their bosses have a timeline of the next prime ministers questions."

This is probably why those in the know seem unlikely to want to include politicians within their inner circle.

8
0
PyLETS
Meh

Bank Vault locks - cardboard doors

Perhaps the cryptographic equivalent of bank vault locks can be got through by the tiny elite likely to be in the know, but why would anyone bother most of the time ?

Those who hold such high value secrets (i.e. knowledge of algorithm weaknesses) where these exist will want to use them very infrequently and against only the highest value targets for fear of disclosure through honeypot techniques and well tuned intrusion detection systems. It's all basic spy craft - those with high value sources protect these as much as they can which means most who could usefully know are denied access, information gained from these sources has to be very carefully guarded and sanitised prior to declassification and use, and the more use that is made will increase the probability that this kind of source gets disclosed sooner rather than later.

Everything else will involve getting through the cardboard doors - the very many and various implementation weaknesses against which very few systems are likely to be properly protected. So I don't think I'll be rolling my own crypto or combining multiple forms of it or engaging in other obscurity exercises likely to fail when I'm not yet doing the thousand other things I'd have to do (including knowing all my chip technologies and binary device drivers and system software) to avoid the cardboard doors.

The targets I have to defend just aren't valuable enough for me to worry about algorithms no-one has yet discovered unsafe despite large prizes for effective attacks being on offer for those who try to discover these backdoors.

9
1

IETF protects privacy and helps net neutrality with DNS over HTTPS

PyLETS

What's wrong with https://8.8.8.8/

I don't think CAs trusted by any browser currently issue certificates per IP address. I'd also guess it would be insecure for them to do so unless they only issued these for addresses known to be static for the future lifetime of the certificate anyway, and I guess also that the PTR reverse mapping pointed back to a domain which also participates in the same ownership establishment protocol. Could possibly be done in the IN-ADDR.ARPA domain using DNSSEC.

1
1

Why is Wikipedia man Jimbo Wales keynoting a fake news conference?

PyLETS

@Androgynous Cupboard - Re: Pot calls Kettle black

"That we should hold Wikipedia to a lower standard because many of the pages are wrong?"

Not at all. Wikipedia consistently achieves a very high standard in relation to the articles most people read, just as the Linux kernel achieves a much higher standard than proprietary alternatives in connection with the code paths most people use. There are still plenty of zero day vulnerability bugs in Linux device drivers hardly anyone ever uses or checks the source code of. If I find an error in Wikipedia I correct it, and if I find a bug in Linux I report it to the appropriate maintainer.

1
1
PyLETS
Stop

Pot calls Kettle black

I have no reason to doubt that the Register tries very hard to get facts right as well, and generally believes its sources until corrected when it checks, fesses and corrects, just as Wikipedia does. But I very much doubt The Register has the funding to take the same amount of time to correct articles which are of more than passing interest and which are read by more than a few people over many years. Sure Wikipedia also has many pages likely to be wrong, but how many people are interested in correcting these compared to the articles which get 99.9% of Wikipedia's page hits ?

The second law of thermodynamics when applied to the WWW would humble any editor who both understands and cares, but debugged open source knowledge is a difficult beast to compete against for those for whom their published output is a profit centre.

4
16

AI taught to beat Sudoku puzzles. Now how about a time machine to 2005?

PyLETS

Been there done that

My automated python sudoku solver does this using a combination of simple techniques and clone, guess and exclude in about 400 lines of source code. Haven't found a sudoku it can't solve. Will link the source code if anyone's interested enough.

7
2
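The approach the post describes (simple exclusion, then clone, guess and exclude again) is constraint propagation with backtracking. What follows is an added example written for this page, not the poster's own solver; the puzzle embedded in it is the commonly reproduced one from the Wikipedia "Sudoku" article.

```python
"""Added example, not the poster's solver: a sudoku solver built the way the
post describes, from constraint propagation (exclude) plus clone-and-guess
backtracking. The puzzle below is the example from the Wikipedia article."""

from typing import List, Optional, Set

# Wikipedia's example puzzle, rows concatenated, '.' for a blank cell.
PUZZLE = ("53..7...."
          "6..195..."
          ".98....6."
          "8...6...3"
          "4..8.3..1"
          "7...2...6"
          ".6....28."
          "...419..5"
          "....8..79")


def _peers(i: int) -> Set[int]:
    """Indices of the 20 cells sharing a row, column or 3x3 box with cell i."""
    r, c = divmod(i, 9)
    br, bc = 3 * (r // 3), 3 * (c // 3)
    peers = {r * 9 + k for k in range(9)} | {k * 9 + c for k in range(9)}
    peers |= {(br + dr) * 9 + bc + dc for dr in range(3) for dc in range(3)}
    peers.discard(i)
    return peers


PEERS = [_peers(i) for i in range(81)]


def parse(grid: str) -> List[Set[int]]:
    """81 cells as digits, with '.' or '0' for blanks; other characters ignored."""
    cells = [ch for ch in grid if ch in "0123456789."]
    if len(cells) != 81:
        raise ValueError("expected 81 cells, got %d" % len(cells))
    return [{int(ch)} if ch in "123456789" else set(range(1, 10)) for ch in cells]


def exclude(cands: List[Set[int]]) -> bool:
    """Remove every solved value from its peers until nothing changes.
    Returns False if a cell runs out of candidates or two peers are forced
    to the same value, i.e. the current state is contradictory."""
    changed = True
    while changed:
        changed = False
        for i in range(81):
            if not cands[i]:
                return False
            if len(cands[i]) != 1:
                continue
            v = next(iter(cands[i]))
            for j in PEERS[i]:
                if v in cands[j]:
                    if len(cands[j]) == 1:
                        return False
                    cands[j].discard(v)
                    changed = True
    return True


def solve(cands: List[Set[int]]) -> Optional[List[Set[int]]]:
    """Exclude; if cells remain open, clone the state, guess the cell with
    the fewest candidates and recurse. A failed guess is simply discarded."""
    if not exclude(cands):
        return None
    open_cells = [i for i in range(81) if len(cands[i]) > 1]
    if not open_cells:
        return cands
    i = min(open_cells, key=lambda k: len(cands[k]))
    for v in sorted(cands[i]):
        clone = [set(s) for s in cands]
        clone[i] = {v}
        result = solve(clone)
        if result is not None:
            return result
    return None


def solve_grid(grid: str) -> Optional[str]:
    """Solve a puzzle string; returns 81 digits, or None if it has no solution."""
    result = solve(parse(grid))
    if result is None:
        return None
    return "".join(str(next(iter(s))) for s in result)


def is_valid_solution(s: str) -> bool:
    """Every row, column and box holds each of 1..9 exactly once."""
    full = set("123456789")
    if len(s) != 81 or not set(s) <= full:
        return False
    rows = [set(s[r * 9:(r + 1) * 9]) for r in range(9)]
    cols = [set(s[c::9]) for c in range(9)]
    boxes = [{s[(br * 3 + dr) * 9 + bc * 3 + dc] for dr in range(3) for dc in range(3)}
             for br in range(3) for bc in range(3)]
    return all(unit == full for unit in rows + cols + boxes)


if __name__ == "__main__":
    solution = solve_grid(PUZZLE)
    for r in range(9):
        print(solution[r * 9:(r + 1) * 9])
```

Cloning the candidate lists before each guess is what makes a wrong guess cheap to abandon: the caller's state is never mutated, so backing out is just returning None.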

Mozilla devs discuss ditching Dutch CA, because cryptowars

PyLETS

Re: Isn't it about time...

"national CAs were only authorized to sign certificates for their own national TLD" . That's called DNSSEC. See also RFC7671, otherwise known as DNS Authentication of Named Entities (DANE).

3
1

NBD: Adobe just dumped its private PGP key on the internet

PyLETS

User friendly encryption ?

If the user of a product is aware that they have to do something in order to encrypt or decrypt then their security process isn't user friendly, because a secure process is secure by default. Crypto keys for typical users should be created and stored automatically, e.g. when they register a domain or account, and ideally stored where they're very unlikely to be meddled with by their user, and can't be meddled with by anyone else. Those able to access private keys in the first place need to know what they're doing with them, or these aren't secure.

0
1

Go fork yourself: Bitcoin has split in two – and yes, it's all forked up

PyLETS
Terminator

Depends what ransomware victims are obliged to buy

BTC/BCH is now less dependent on blind faith and is now managed by the number of marks infected by ransomware and the proportion of these who decide to buy in, in order to decrypt their data. Another group who have to buy in are arms and illicit substance vendors who want to reduce their risks of becoming collateral damage victims in the violent gang warfare which traditionally has controlled their turf in the absence of recourse to civil law to resolve contractual disputes. So which one of these currencies survives, or whether both survive, will be determined by survival of the fittest ransomware and darknet marketplaces, and how long it takes regulators to disbelieve these systems have legitimate uses before closing down the BTC/BCH for conventional exchanges as accessories to money laundering.

4
4

McAfee online scan used plain old HTTP to fetch screen elements

PyLETS
FAIL

Is this model trusting 3rd parties not to be evil ??

Wow, but I'm not convinced this article has more than scratched the surface of the real security issue, likewise "fixing" it using HTTPS only fixes the 4th party exploit described.

It's not difficult to understand why a security scanner needs admin access to a system. This context presumably prevents normal sandboxing, as you would get for 3rd party scripts linked through a webpage - though I block such scripts generally. But even if the 3rd party content were provided using HTTPS is it really considered sane for such content to have the same admin access to the PC as the scanner it funds ? It sounds to me like the 3rd parties are probably not just getting access to _show_ you their content. An investigation into whether they are in fact or are capable of _accessing_ likely to be more valuable content on the machine being scanned seems called for.

Personal data seems likely to be more valuable than the right to display content during a scan or web page view, and it's why I'm refusing so many mobile apps inappropriate rights to access this on my mobile platforms which they don't need in order to deliver the functionality offered.

2
0

Don't panic, but your Bitcoins may just vanish into the ether next month

PyLETS
WTF?

continuing demand for bitcoin

As managed by the number of marks who get infected by ransomware, a proportion of whom will choose to pay the ransom and so have to buy in. Bitcoin is a managed currency, where 3 factors: mining, anonymisation and demand management are all likely to be in the hands of those controlling the biggest botnets for various technical and cost reasons. So this impending fork probably won't change the game much, though might leave cybercriminals 2 different payment options. Governments blocking the $conventional for Bitcoin exchanges as money laundering accessories would do that, by making it impossible for marks to pay ransoms, making Bitcoins worthless overnight.

1
0

Tails OS hits version 3.0, matches Debian's pace but bins 32-bit systems

PyLETS
Black Helicopters

Re: I think the point is that..

"You can use PGP signatures, but how do you know you have the right PGP key to validate it with?"

If you have been using Debian or Ubuntu for any length of time, packaged software downloads are signed using developer keys, some of which have signed the Tails gpg keys. So you can install the debian-keyring package, which is signed by these distribution repositories and this gets the same verification as other Debian or Ubuntu packages installed using apt-get. This means that for the NSA to have compromised the Tails instance as downloaded through a MITM or whatever, and for you not to be able to detect this if you're very careful and check signatures, they would also have had to compromise signed parts of the Ubuntu or Debian infrastructure. It seems to me much easier for the NSA to have compromised the Tails distribution itself. To find that kind of hole you would have to check the Tails source code and compile it yourself, assuming you're both paranoid enough to want to do that, while sufficiently technically capable to compile it yourself on a platform which you do actually trust. Instructions on checking this chain of trust here:

https://tails.boum.org/install/download/openpgp/index.en.html#wot

0
0

Whisky snobs scotched by artificial tongue

PyLETS

"People who pay more than an average yearly income for a bottle of rotten grain DESERVE to get cheated!!!"

It's the emperor's clothing - the oldest scam in the book. And the psychology is all to do with the presentation. Once the mark who is parting with the cash has been sufficiently flattered, their vanity will override their sense of taste anyway. And frankly I don't see anyone parting with that much cash for a blend of organic substances and residues preserved in spirits aged beyond where it can still have very much flavour wanting to waste a drop by putting it into a reagent testing machine anyway. Yes it's true - all beverages will lose their flavour if aged beyond what's best for them, which in the case of fine whisky can be up to 20 years.

4
1

America 'will ban carry-on laptops on flights from UK, Europe to US'

PyLETS
Mushroom

Re: So what about the battery

They can use kevlar bags in the hold to contain luggage explosions up to a certain size. And then use fire suppressants which they wouldn't be allowed to use in the cabin.

http://www.bbc.co.uk/news/science-environment-33650713

1
0

Post Unity 8 Ubuntu shock? Relax, Linux has been here before

PyLETS

Change the distro ?

Given the modularity of different Linux desktop flavours and different Linux distros, this particular choice no longer needs to be conflated. I thought the underlying package management systems had pretty much fixed that problem years ago. You choose a distribution for its package management style and the package repositories and their management nowadays - not the desktop flavour.

1
0

Come celebrate World Hypocrisy Day

PyLETS

Re: Property is theft

@Doctor Syntax: "If I make or grow something by my own efforts you should be entitled to it for free because somehow I've stolen it from you?"

No form of property is absolute. It always confers _limited_ legal monopoly rights and can come with reciprocal social obligations. This is because the law which enforces legitimate property rights is a balance of public interest exercised at cost to the public through the expense of the taxpayer funded legislature and court systems. There used to be only one informed side to this discussion concerning copyright: i.e. your side, because that's the only side the man who bought ink by the barrel considered fit to print. That's no longer the case.

There is a wider public interest in the creation of new intellectual property. But no-one is incentivised to create original new work based on speculation of what they might earn 20 or more years after it's published. Those so engaged have better incentive if they are not going to be contested by every stale idea or meme from the past which someone else may have thought of generations before and which new creative work can't avoid accidentally infringing upon, or legitimate reference to. The public benefits from new copyright being established to the extent outdated copyright enters the public domain, but not when copyright durations are extended beyond their original legitimate purpose by one sided terms of discussion and political lobbying.

If you ever purchase a plot of land, you'll find your rights are also limited. You probably won't be allowed to turn a domestic dwelling into an industrial unit by planning restrictions. You'll have to pay taxes to the local authority. You won't be able to stop aircraft overflying, or miners from undermining. Your house and land ownership is defended by the public purse, to the extent it's in the public interest that you enjoy your ownership for the purpose for which the wider public intended, through planning and other environmental regulations and the local taxation due.

2
1
PyLETS
Thumb Down

Property is theft

One person's property always fences everyone else out of what's been enclosed. It doesn't happen without taxpayer funded cost of the legal protection to whoever is granted this exclusive right. It's all of us who pay the taxes to enforce property rights, but not all of us who benefit from the exclusive rights granted to private individuals and corporations.

Sometimes there's a good case for it, and sometimes the reverse. Sometimes what's spun as benefitting most people will change compared to what's happened before - change is to be expected here. The Bible probably wouldn't exist had the early copyists had a concept of IP as a moral issue, because to survive the burnings of Bibles and the feeding to the lions of those who would copy it in opposition to the state morality at that time, considerable resources had to be invested, given the primitive procedure of copying then with the effort this took. On the other side of the argument you'll find that agricultural productivity increased greatly through the late 18th and early 19th century as a direct consequence of the land enclosures and Parliamentary acts which enabled the conversion of land held in common into private smallholdings which could later be concentrated into the hands of the richest. But it came at a terrible price for those forced off the land into near slavery in the industrial mills.

Copyright in something close to its current form probably can't be avoided in some sense, but it almost certainly lasts longer than is needed to incentivise the work it protects. It lasts too long, due to the previously successful lobbying efforts of those who would extend it to last for ever minus a day and the improbability of politicians arguing against the private interests of whoever bought ink by the barrel. If copyright lasted a shorter period, perhaps similar to the 20 year lifetime of patents, it would construct fewer barriers to the creation of newer cultural work which has to reference older works by reusing these in some minor ways.

https://en.wikipedia.org/wiki/Property_is_theft!

4
2

Alert: If you're running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found

PyLETS

Re: Why?

Squirrelmail has been around for years, and trouble free in my case, and this vulnerability doesn't affect me as I use SMTP/IMAP as the front/back ends for it. As with others, I try to keep personal and family communications away from corporate data mining and branding. I've heard of Roundcube, but as I've been successful with Squirrelmail/Postfix/Mailman and others, which have been relatively straightforward to set up, configure and maintain compared to Sendmail which I used in the past. So I've had no reason to try Roundcube as Squirrelmail just works. Can you provide one ? It's Dovecot and trying to get proper email clients working sensibly on all sorts of tablet/phone platforms that have me tearing my hair out, so maintaining webmail for this kind of application (other than on proper desktops which have proper email clients) makes more sense as I only need to do it once for many client platforms.

1
0

Machine vs. machine battle has begun to de-fraud the internet of lies

PyLETS
Holmes

trust decisions need verification

This is probably mostly about human decisions here being assisted by machine ones, though the fully machine decisions also matter, e.g. what is the probability this email came from a spammer, or what is the probability this prospective customer will pay ?

Verification of what to believe first and foremost depends upon who said something. If it's said by someone you've never heard of, do cryptographically verifiable assurances exist from trustworthy assurers that the person who said this is generally honest ? E.G. Has the Guardian's/BBC's/Telegraph's/(choose your media poison) known key signed that this person is on their staff ? Or is this person a friend of a friend known to have good judgement about choice of friends ?

If assertions of fact e.g. in Wikipedia have verifiable chains of trust to more than one strong trust source, these assertions are likely to be considered as more reliable than assertions with only 1 chain to a weaker source. Trusting a key holder to be a good verifier of one variable which matters, (e.g. identity or veracity or honesty ) doesn't automatically make it a good verifier of other variables.

Building this key infrastructure is something the social networks which already know about who knows whom or who reads what will have a natural advantage. And it's an inherently Metcalfe Law monopoly position liable to be exploited in ways which probably aren't in all of our best interests - if we think a little about what the banks have done to everyone else historically. Privacy requires we are able to speak with different digital personae in different contexts each of which may have its own reputation as perceived and verified by others.

0
0

I need an ISP that offers IPv6. Virgin Media: Whatevs, nerd

PyLETS

An IPV6 address that's really hard to remember.

How many IPV4 addresses (or phone numbers for that matter) do you remember ? That's what DNS was invented for - so you don't have to remember IP addresses.

1
2
PyLETS

Re: I'm Ok with IPV4 for now

"Why would I need IPV6? What will it bring me?"

The ability to address and talk to the half of the planet which doesn't yet have Internet at all in any form ? So I was happy with my short 1960s style telephone number - what did adding extra digits give me ?

That's the most obvious benefit. Not having to talk through proprietary cloud servers due to loss of end to end connectivity with Carrier Grade NAT at both ends between which a connection could usefully be made is the next compromise best avoided, and not having to pay a price to rent an IPV4 address in a market shortage so you can run your own cloud server is a further compromise best avoided, otherwise required to save a limited addressing scheme gone smelly due to being way past its use by date.

2
0
PyLETS

Hurricane Electric IP6 over IP4 tunnel broker

Hurricane Electric have supported my IP6 tunnel to my VM broadband connected system and it's been very stable for years. However, on the few occasions when VM change my IP4 address I have to re-register my endpoint on HE's tunnel broker server. I guess I could probably figure out how to automate this if VM changed my IP4 address more frequently, but it may be a reason for me to drop all VM services.

2
0

Boffins reveal how to pour a perfect glass of wine with no drips. First step, take a diamond...

PyLETS

Re: Shurely...

Screwtops are much less useful after their first use than ones you pull corks out of which take new standard sized corks with standard tools readily available to the home brewer.

0
0

Can you ethically suggest a woman pursue a career in tech?

PyLETS
Mushroom

I'm encouraging women in tech

And I'm doing this by helping them get university degrees in engineering subjects because that's what I do, and equally for all my students. I'm glad I've got the most diverse bunch of students you could imagine and I want all of them to do well. The idea that not encouraging any categorisation of students with ability to do well in the subjects I teach would be ethical because they might be mistreated in some workplaces is beneath contempt. What needs sorting isn't my encouragement to all my students. It's the kind of workplace where any group with ability are made to feel unwelcome, and management attitudes in such places which need to be made to experience the full and heavy hand of the law.

2
0

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

PyLETS

Re: Doesn't a proxy defeat the purpose?

No particular reasons not to run the proxy on the same host for low traffic multiple domain name sites, allowing more modular webserver configuration. Then no part of the link between the proxy and the back end web server becomes any less secure than the host OS. In most cases the threat model being defended against with HTTPS in preference to HTTP isn't likely to concern the link between the proxy host and the backend host if these are running on different hardware within the same secured LAN anyway.

0
2
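The mechanism that lets one address and port serve several HTTPS sites is the proxy reading the Server Name Indication from the ClientHello, which is sent in the clear before any key is negotiated, and picking a backend (and certificate) from it. The following is an added example for this page, not code from the article or from any proxy: a bounds-checked parser for the SNI extension plus the routing decision, with a constructed ClientHello builder so it runs offline. The hostnames and backend addresses are invented for illustration.

```python
"""Added example, not from the original article: extracting the SNI server
name from a TLS ClientHello and routing on it, the step a reverse proxy
performs to multiplex several HTTPS sites on one IPv4 address. The
ClientHello builder is a constructed test input, not a real client capture."""

import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


class ParseError(ValueError):
    """Malformed or truncated ClientHello; the proxy should close the connection."""


def _need(buf: bytes, pos: int, n: int) -> None:
    """Every length field comes from the peer, so check it before slicing."""
    if pos + n > len(buf):
        raise ParseError("truncated ClientHello")


def _parse_sni(ext: bytes) -> Optional[str]:
    """RFC 6066 server_name extension: a list of (type, length, name) entries."""
    _need(ext, 0, 2)
    list_len = struct.unpack("!H", ext[:2])[0]
    pos, end = 2, 2 + list_len
    _need(ext, 0, end)
    while pos + 3 <= end:
        ntype = ext[pos]
        nlen = struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        _need(ext, pos, nlen)
        if ntype == 0:  # host_name
            try:
                text = ext[pos:pos + nlen].decode("ascii")
            except UnicodeDecodeError:
                raise ParseError("non-ASCII server_name")
            if not text or text.endswith(".") or any(ch <= " " for ch in text):
                raise ParseError("malformed server_name")
            return text.lower()
        pos += nlen
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a single-record ClientHello, or None if
    the client sent no SNI (older clients, or a connection by bare IP)."""
    _need(record, 0, 5)
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ParseError("not a handshake record")
    _need(record, 5, rlen)
    hs = record[5:5 + rlen]
    _need(hs, 0, 4)
    if hs[0] != CLIENT_HELLO:
        raise ParseError("not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hlen)
    body = hs[4:4 + hlen]
    pos = 2 + 32                       # client_version + random
    _need(body, pos, 1)
    pos += 1 + body[pos]               # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]               # compression_methods
    if pos == len(body):
        return None                    # no extensions block at all
    _need(body, pos, 2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    _need(body, pos, ext_len)
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        if etype == EXT_SERVER_NAME:
            return _parse_sni(body[pos:pos + elen])
        pos += elen
    return None


def route(record: bytes, backends: Dict[str, str], default: Optional[str] = None) -> Optional[str]:
    """Exact hostname first, then a one-label wildcard entry ("*.example.com").
    Unknown or missing names get `default` rather than the first site configured,
    so a stray name cannot be served another tenant's content."""
    name = extract_sni(record)
    if name is None:
        return default
    if name in backends:
        return backends[name]
    parts = name.split(".", 1)
    if len(parts) == 2 and "*." + parts[1] in backends:
        return backends["*." + parts[1]]
    return default


def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, null compression,
    zeroed random, and an SNI extension when host is given."""
    exts = b""
    if host is not None:
        h = host.encode("ascii")
        sni = struct.pack("!HBH", len(h) + 3, 0, len(h)) + h
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


# Constructed backend map for the example (hostnames and addresses invented).
BACKENDS = {"www.example.com": "127.0.0.1:8081", "*.example.com": "127.0.0.1:8082"}

if __name__ == "__main__":
    for host in ("www.example.com", "blog.example.com", "evil.example.net", None):
        print(host, "->", route(build_client_hello(host), BACKENDS, default="close"))
```

The routing decision is made on unauthenticated bytes from the network, which is why every length is checked before use and why an unknown name falls through to `default` instead of a catch-all site. The proxy-to-backend hop the post discusses sits entirely after this step.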

Alert! The dastardly Dutch are sailing a 90-ship fleet at Blighty

PyLETS

Welcome our cheese bearing overlords ?

Only when their gouda is very well matured. The young stuff is too rubbery.

4
0

Google's Grumpy code makes Python Go

PyLETS

When you open a can of worms you'll need a bigger can to get them all back in again

"The transcompiled code is not suitable for working with directly."

That's how to create stiffware or keep maintaining unsupported Python 2.7 code forever. We used to have an in-house report generator written in assembly code which was still very useful but nobody knew how to maintain it.

"That said, there is the possibility of rewriting bits and pieces in Go (eg, performance-critical stuff) and then call into it from Python. Sort of a hybrid approach."

You are in a maze of twisty passages all alike.

4
0

Can ISPs step up and solve the DDoS problem?

PyLETS
Boffin

is there a reason that ISPs haven't already implemented ?

It's to do with externalities, an economic problem with an economic solution. For an individual ISP, implementing BCP38 on your network helps other people, but costs you and doesn't help you directly very much, unless everyone implements it. It's a bit like treating a river or the air as a free place to dispose of waste which you're not very interested in. If a Victorian mill owner killed a fishery downstream that was someone else's problem. When his grandson cleaned up the mill effluent in response to legislation, everyone benefited when the river came back to life again. Clearly it would be preferable if the ISP industry could self police this problem - compared to politicians having to deal with this problem by legislation and international treaty as the latter mechanism progresses much too slowly if at all.

The mechanism for ISP community self policing concerns the conditions ISP networks have to maintain in order to be able to obtain the mutual respect of peers or access peering exchanges such as LINX on cheapest possible terms or at all, based on membership agreements enforced by contract law. This probably requires peering exchanges to agree common standards between exchanges in different countries and with backbone providers in a similar way, through club memberships where membership comes with agreed benefits.

If the industry fails to act in this kind of way, the public interest will eventually require the legislation and treaty route to ensure that the industry does act to ensure the polluter pays, as has occurred and is occurring with other pollution externalities.

3
0
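BCP38 (RFC 2827) ingress filtering, which the post identifies as the measure whose cost falls on the ISP that applies it while the benefit goes to everyone else, is mechanically simple: a packet arriving on a customer port is forwarded only if its source address belongs to a prefix delegated to that port. Here is an added example for this page, not code from the article or from any router vendor, that models that lookup and runs it over a constructed packet sample; interface names, prefixes and addresses are invented, using the RFC 5737 and RFC 3849 documentation ranges.

```python
"""Added example, not from the original post: BCP38 / RFC 2827 ingress
filtering as an ISP customer edge would apply it. The verdict for a packet is
a table lookup: is this source address one that the interface it arrived on
is allowed to originate? Interface names, prefixes and packets below are
constructed (addresses from the RFC 5737 / RFC 3849 documentation ranges)."""

import ipaddress
from collections import Counter

# Per-interface list of prefixes delegated to the customer behind it.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:2::/48")],
}

# Sources no customer should ever originate toward the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample: a bot behind eth1 sends queries with the victim's
# address (192.0.2.10) as source toward an open resolver (192.0.2.53), a
# reflection attack that only works if the spoofed packets leave the ISP.
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7", "192.0.2.53"),
    ("eth1", "192.0.2.10", "192.0.2.53"),
    ("eth1", "192.0.2.10", "192.0.2.53"),
    ("eth2", "198.51.100.9", "192.0.2.53"),
    ("eth2", "198.51.100.200", "192.0.2.53"),
    ("eth2", "10.0.0.5", "192.0.2.53"),
    ("eth2", "2001:db8:2::10", "2001:db8:ffff::53"),
    ("eth3", "203.0.113.7", "192.0.2.53"),
]


def ingress_verdict(iface: str, src: str) -> str:
    """'forward' if src is legitimate for iface, otherwise a drop reason.
    ipaddress membership tests are False across IP versions, so a v6 source
    is never matched against a v4 prefix."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "drop:bogon"
    prefixes = INGRESS_PREFIXES.get(iface)
    if prefixes is None:
        return "drop:unknown-iface"   # fail closed: no table entry, no forwarding
    if any(ip in net for net in prefixes):
        return "forward"
    return "drop:spoofed"


def filter_packets(packets):
    """Apply the filter to (iface, src, dst) triples. Returns the packets to
    forward and a Counter of drops keyed by (iface, reason); the per-port
    spoofed-drop count is what tells the operator which customer is infected."""
    forwarded, drops = [], Counter()
    for iface, src, dst in packets:
        verdict = ingress_verdict(iface, src)
        if verdict == "forward":
            forwarded.append((iface, src, dst))
        else:
            drops[(iface, verdict)] += 1
    return forwarded, drops


if __name__ == "__main__":
    fwd, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt in fwd:
        print("forward", pkt)
    for key, count in sorted(dropped.items()):
        print("dropped", key, count)
```

On production edge routers the same table is expressed as an ingress ACL or as strict-mode unicast reverse path forwarding, where the forwarding table itself answers "could this source legitimately be reached through this interface". Note what the example does not do: it never protects the ISP running it, only the reflector and the victim elsewhere, which is the externality the post describes.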

Woman rescues red pepper Donald Trump from vegetarian chilli

PyLETS
Flame

Re: Headline correction please

Woman disproves thesis that revenge is a dish best served cold ?

13
0

Quantum traffic jam of atoms could unlock origin of dark energy, physicists claim

PyLETS

Re: I've figured it out...

If it's all a simulation we're living in, then presumably there is no need to simulate what exists at a distance from observation to a finer resolution than it can be observed. Perhaps an experiment for this will detect pixellation (or a coarser quantum grain) of more distant galaxies than closer ones. You may laugh at this idea, but setting up experiments to detect or disprove it is similar to the problem of writing a program to detect that it's running inside a virtual machine setup as a honeypot. If the honeypot is clever enough, it will know about all means of testing its nature. This fails in the real world when the abilities of the test program outrun the capabilities of the defensive one.

2
0

Reg meets 'Lokihardt', quite possibly the world's best hacker

PyLETS
Holmes

Re: Can I ask a stupid question?

Good question, as I wish more IT people knew the answer. In general it makes sense to think of the difference between buying a padlock from a hardware shop and trying many different ways to break it or saw or drill it open in your own workshop. It's your lock and so you're entitled to test it. If the lock is on your neighbour's shed and you test it without authorisation of the system owner, this becomes an offence based upon who owns the lock or the property it's protecting. The UK Computer Misuse Act makes the correct distinction here.

As you suggest, there are possible exceptions to this general analogy. If the software being tested isn't fully "yours", e.g. if it is leased together with some kind of support agreement rather than purchased outright, then your security testing of it on your own system may invalidate the support part of the deal, depending upon the license small print you agreed to but probably didn't read.

George Hotz discovered a further risk when Sony went after him, and though their case may not have succeeded, Sony's pursuance of this probably cost them a lot more in reputation than it cost Geohot. However, Sony's claims of Digital Millennium Copyright Act infringement against Geohot were more threatening. This was potentially a criminal complaint. Sony's copyright infringement blustering would more probably have come under civil law, concerning which you may lose money but you don't go to jail. It may be that Sony's case was badly flawed, but it's an unfair playing field when a big corporation which can spend millions on lawyers can tie up an individual based on a dodgy case where the corporate can force the individual to make many journeys of thousands of miles to a jurisdiction of Sony's choosing.

So if you want a clearer boundary between what's "yours" and what isn't, then you're better off choosing open source in preference to licensing copyright-restricted products under one-sided terms which prohibit testing and subsequent speech concerning what you've discovered on your part. The DMCA and equivalent legislation this side of the pond attempt to deny you your fundamental human rights of freedom of expression here - and this denial is as yet untested in the highest courts such as SCOTUS or the ECHR.

3
0

Russian banks floored by withering DDoS attacks

PyLETS
FAIL

Smarter network needed.

As long as the network is treated as having to meet the dumb requirement of routing packets regardless of sender address to wherever the destination address points, this problem will get worse.

How many ISPs implement RFC 2827, which is now 16 years old? Should packets with forged source addresses still be able to get beyond a non-transit network with a single path to the outside world? If this kind of protective measure isn't being implemented, what hope for more recent approaches, e.g. DNS cookies (RFC 7873)?

ISPs which don't implement such standards should have their traffic de-prioritised by those which do, e.g. by denying peering. Some of this needs to be achieved by upping the membership requirements of peering points, e.g. LINX.

It should also be possible for a non-transit network to be able to send an authenticated temporary block request signal to a remote router to say it doesn't want traffic from an origin that router is responsible for, but there's little hope for this kind of smart approach until more basic measures such as RFC 2827 are in place.

1
0
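A minimal model of the RFC 2827 (BCP38) source-address check the post above calls for, added here as an example and not code from the post or from any ISP's configuration. The network prefixes and the sample packets are constructed from documentation address ranges; the two-directional rule (egress must carry our own source, ingress must not) is what the RFC describes for a non-transit network with a single upstream path.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a non-transit network that legitimately originates
# traffic only from these two prefixes (RFC 5737 / RFC 3849 documentation space).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8:1::/48")]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "egress" = leaving toward the upstream, "ingress" = arriving from it


def _in_our_space(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES if net.version == ip.version)


def bcp38_verdict(pkt: Packet) -> str:
    """Return 'forward' or 'drop' under RFC 2827 source-address validation.

    egress : a packet leaving the network must carry one of our own source
             addresses; any other source is forged and is dropped.
    ingress: a packet arriving from the upstream must not claim one of our
             own addresses as source (it cannot legitimately come from outside).
    """
    ours = _in_our_space(pkt.src)
    if pkt.direction == "egress":
        return "forward" if ours else "drop"
    if pkt.direction == "ingress":
        return "drop" if ours else "forward"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets):
    """Apply the verdict to a batch; return a summary and the dropped packets."""
    dropped = [p for p in packets if bcp38_verdict(p) == "drop"]
    return {"forwarded": len(packets) - len(dropped), "dropped": len(dropped)}, dropped


# Constructed sample traffic: a legitimate DNS request/response pair, one egress
# packet with a forged source (the kind that feeds reflection DDoS), one inbound
# packet spoofing our own space, and a legitimate IPv6 egress packet.
SAMPLE = [
    Packet("203.0.113.10", "198.51.100.53", "egress"),
    Packet("198.51.100.53", "203.0.113.10", "ingress"),
    Packet("192.0.2.77", "198.51.100.53", "egress"),
    Packet("203.0.113.200", "203.0.113.10", "ingress"),
    Packet("2001:db8:1::42", "2001:db8:ffff::1", "egress"),
]

if __name__ == "__main__":
    summary, dropped = filter_packets(SAMPLE)
    print(summary, [p.src for p in dropped])
```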

IETF boffins design a DNS for crypto-currencies

PyLETS

you NEED a minimum level of trust for civilization to function at all

Indeed, and the way I read this effort, it doesn't attempt to do away with trust. It does seem to compartmentalise the trust needed for transactions to occur in a _relatively_ straightforward and standardisable way - probably mirroring the way trust operates within the current banking system (and sometimes fails). Whether having a simpler and more universally implementable protocol will provide useful competition to Visa, the 8 digit account number and 6 digit sort code identified bank transfers and IBAN number routed international payments and whatever remains to be seen. Having a simpler standardised protocol doesn't prevent SMTP email being dominated by a few webmail providers for example. It also potentially applies to currency exchanges and recording who owns which bonds and shares etc.

0
0

Hypernormalisation: Adam Curtis on chatbots, AI and Colonel Gaddafi

PyLETS

nothing new under the sun

Pontius Pilate famously asked "what is truth?", understanding full well that for politicians there are no absolutes: truth is what powerful people claim it to be. We get much the same from The Emperor's New Clothes classic fairy tale - which additionally points out that those on the inside are those who get most deluded by the subjective realities they spin.

So I spent an hour watching this disconnected ramble telling me what has been known for a very long time.

0
0

Alleged ISIS member 'wore USB cufflink and trained terrorists in encryption'

PyLETS

Another 'intent' crime

And this isn't the same as a thoughtcrime. The act of carrying a knife isn't illegal if you're a chef or carpet fitter on your way to a job which you can account for, but is illegal once proven to the court beyond reasonable doubt that the knife carried was intended as an offensive weapon. Teaching crypto isn't illegal to software engineering students, but is if it's intended as preparation for acts of terrorism.

10
3

Transcripts: The crunch courtroom showdown to halt ICANN's internet power grab

PyLETS
WTF?

what kind of property ?

As far as its oversight of the DNS root is concerned, IANA only controls the Internet to the extent anyone else wants to be listed in its directory and others want to continue using it in preference to some alternative root. The root zone is a small file and anyone who wants to, and has the infrastructure (a few powerful enough servers in secure hosting on different continents will do), can replicate and serve it to whoever wants to ask them for it. The last point is made slightly more complex with DNSSEC, but only to the extent of needing to patch operating systems to accept a different root zone provider trust certificate as valid.

Having a private "non profit" registered in California do this job seems a bit weird and corruption inducing, and so is FIFA. The alternative is the relative legitimacy (in relation to international law), glacial responsiveness and byzantine bureaucracy of the ITU which has similar oversight of the global dialup phone system.

0
0

Linus Torvalds admits 'buggy crap' made it into Linux 4.8

PyLETS
Linux

centred around Linus

True, but relatively few people run Linus kernels directly without vendor patches in practice. He's only at the "top of the pyramid" because others choose to follow his lead, and if it's a pyramid, it's one that works both ways past and future, due to various testing releases leading up to and before a Linus release and vendor and stability patches afterwards by other maintainers. In practice the rate of change (number of patch sets per release) is such that Linus has to trust subsystem maintainers to check things he no longer has time to do himself.

4
0

Dirty diesel backups will make Hinkley Point C look like a bargain

PyLETS

Cheaper storage than pushing water uphill

P2G (Power to Gas) will almost certainly become a much cheaper form of storage, though won't ever be as efficient as pumped storage. Given spot price ratios between expensive electricity at more than 2.0, the efficiency loss inherent in P2G at a say 50% efficiency ratio doesn't matter very much, though best available designs look closer to 70%. The problem with the pumped storage is that the cost gets higher once the best sites have been developed, while the cost of P2G, like that of wind electricity, will improve with scale.

Interestingly, the best places to locate P2G plants are more likely to be adjacent to biomass renewable electricity generators than wind generators, due to the continuous availability of electricity and renewable CO2 feedstock at the same location.

https://en.wikipedia.org/wiki/Power_to_gas

0
0
PyLETS
FAIL

"A winter in which the wind doesn't blow"

That seems a less probable apocalypse theory than a tsunami in the Bristol Channel submerging Hinkley Point. Windless during winter for a few days is likely, making P2G use of the gas grid for electricity storage likely to be needed to avoid the rather more than £466/household cost in climate change externalities, particularly if your house is at risk of flooding.

https://en.wikipedia.org/wiki/Bristol_Channel_floods,_1607

As to lights going out scare stories being used to try to jump start rusty agendas, seen this all before.

6
11

End of life for Linux 3.14

PyLETS
Joke

Final Pi version

Surely 3.14.159 has to be the final Pi version, not 3.14.79 ?

0
0

How many zero-day vulns is Uncle Sam sitting on? Not as many as you think, apparently

PyLETS

Moving target, ethical minefield

I suspect the average lifetime of a known zero day to be fairly short before someone else finds out about it. New ones are discovered and reported every day. Some that are so published will have been known about in secret for some months before by others and may then have been part of this arsenal with a sales life similar to goods on a greengrocery counter. Those whose work requires access to these exploits being kept secret as long as possible won't want to share them - so the NSA probably doesn't want to share with the CIA or military intelligence agencies unless used in connection with a joint operation and vice versa. That's going to be because use of a zero day exploit against a high value target also comes with a risk of exposing it making future use less reliable, especially if the target has a good enough intrusion detection system.

The morality and ethics of this area are also extremely murky. Where a zero day is used against a target and their equipment interfered with, the legal rights of the target are then negated, if the exploit-manipulated and then potentially uncertain state of their system is then used as evidence against them without their knowledge that an exploit has been used against their data. If the state fails to hold its nose through unwillingness to buy exploits on the black market, paying taxpayer money to criminals in the process, then they will be blamed by certain parts of the media for allowing terrorist plots to succeed in massacring many innocents and so on when claims are inevitably made that something could have been done to prevent this.

0
0

Biting the hand that feeds IT © 1998–2018