* Posts by Androgynous Cupboard

528 posts • joined 7 Mar 2012

Page:

The Internet of Flying Thing: Reg man returns with explicit shots

Androgynous Cupboard

I see what you did there

...and this push into cloud-based apps...

1
0

US voter info stored on wide-open cloud box, thanks to bungling Republican contractor

Androgynous Cupboard

Re: 200 million people in the DB?

All the answers to your questions, and more besides, are in the article on upguard.com linked to from the original article. It's a very, very interesting read.

Link here if you're too damn lazy too look for it yourself.

2
0

Stack Clash flaws blow local root holes in loads of top Linux programs

Androgynous Cupboard
FAIL

Re: Why am I not surprised to see sudo there?

Removing sudo is only half the solution - I've gone one step further and deleted the root user altogether. This is working fine, although I confess I am struggling to log in at the moment as "sshd" doesn't seem to be listening on 22...

15
0

Uber sued after digging up medical records of woman raped by driver

Androgynous Cupboard

It also claims that, in an effort to discredit the woman, Alexander went to Delhi and managed to obtain her private medical records.

I find this the most bizarre part, if true. Forget Uber: what could motivate an individual to do this? Where was the moment he paused for a minute and though "no, this is probably the wrong thing to do". I hope he was exactly 100% convinced she was lying, because even at 99.9% a little warning bell should have triggered that he was about to do something he wasn't going to feel good about.

I'm sure Mr Alexander isn't actually a psychopath, but there's at least a trace of psychopathy here, surely?

1
0

From landslide to buried alive: Why 2017 election forecasts weren't wrong

Androgynous Cupboard

Re: So when will the politicians learn? @werdsmith

You open your comment by suggesting a politician would "have to" stand by their manifesto, and yet somehow expect to be taken seriously? I don't think politics is your strong suit, friend.

8
2

Hyperloop One teases idea of 50-minute London-Edinburgh ride

Androgynous Cupboard

Re: UK Fault lines

They're going about it all wrong. Why try to build a vacuum underground when we already have a perfectly good vacuum in space? Just run the pipe 100km above the earth and there's no need for an expensive tunnel.

So, who's investing then?

1
0

Gordon Ramsay's father-in-law gets six months for hacking sweary super-chef's computer

Androgynous Cupboard

Re: There must

I remember cringing at this event at the time. Fairly ugly situation for all involved.

0
0

Horror in space: Hot alien giant boiled alive by nasty radiation-belching star

Androgynous Cupboard

Re: A day at the beach for The Great Old Ones

I hope they have their sunblock:

https://www.youtube.com/watch?v=SCTSCAQzY9k

1
0

Cuffed: Govt contractor 'used work PC to leak' evidence of Russia's US election hacking

Androgynous Cupboard

Re: Any incompetent should know what todo by now.

I think the name you're struggling to remember was Colin Powell

2
1

First-day-on-the-job dev: I accidentally nuked production database, was instantly fired

Androgynous Cupboard

It's not an airline by any chance?

0
0

BA IT systems failure: Uninterruptible Power Supply was interrupted

Androgynous Cupboard

You have to factor in the Mails need to pont the blame at someone foreign. Allow for that and it all makes more sense. Surprised they did t accuse him of eating a Swan for good measure.

10
0

Trident nuke subs are hackable, thunders Wikipedia-based report

Androgynous Cupboard

Re: Normal USB Attack Vector

I suppose on the plus side, the Russians have little incentive to hack our submarines to launch a first strike against Russia. Although now I've written that, I can't help but wonder...

2
0

Microsoft founder Paul Allen reveals world's biggest-ever plane

Androgynous Cupboard

Having built a multi-hull boat in a too-small shed, I can confirm that accidentally building it around a central pillar is something that can easily wake you from a dream at 3am :-)

13
0

Oracle asks for more time to finish Java 9

Androgynous Cupboard

Re: Please pull the pull now

You crazy kids with your wacky ideas. Why don't you go off and rediscover functional programming for a bit and leave the comments for the big boys.

5
5

How the Facebook money funnel is shaping British elections

Androgynous Cupboard

Re: MAKE the RITE REFISION DEVISION decision uk!

Upvoted, because it's so absurd it has to be parody. Doesn't it?

1
1

Blighty's buying another 17 F-35s, confirms the American government

Androgynous Cupboard

Re: F-35A

Serious? Nope

0
0
Androgynous Cupboard

Re: F-35A

.... aaaaand my Ali-G reference was wasted.

10
0
Androgynous Cupboard

F-35A

Does class A guarantee that they is better quality? For real, is that the one that actually makes you fly?

6
0

Julian Assange wins at hide-and-seek game against Sweden

Androgynous Cupboard

Re: But but but.......

> That's something which would usually happen as part of the trial proceedings

Exactly. By his own hand, Mr. Assange will never be "the man found innocent of rape". He will always be "the man that avoided the question of whether he was innocent of rape", until the end of his days.

That's fairly long winded, I'm sure it will be shortened to "Possible Rapist Julian Assange" over time.

Ps. I note his tweet: "Detained for 7 years without charge while my children grew up and my name was slandered. I do not forgive or forget.” There is no doubt, he really is a first-rate cock.

7
1

Bloke charged under UK terror law for refusing to cough up passwords

Androgynous Cupboard

Re: Location, Location, Location

The State you are entering does not have to let you in, even if you do have a passport for that country.

Are you sure about that one? I'm pretty sure they do, even if it's just to take you straight to jail.

PS - on a related note, a friend of mine found when she got her laptop back after a search at LAX that they'd given her the wrong one! Unfortunately she didn't notice until she was back in the UK. The woman who had hers got in touch (via Apple) and I believe the two machine are winging past eachother on UPS flights as I type.

15
0

Police anti-ransomware warning is hotlinked to 'ransomware.pdf'

Androgynous Cupboard

Re: My employer's internal warning...

I even had to look up what a .emz was (gzipped .emf)

Unbelievable

1
0

Realistic Brits want at least 3 security steps on bank accounts

Androgynous Cupboard

Am I the only one happy with one security step, provided it's a 2FA token with a pin? More than that feels a bit belt-and-braces to me.

3
2

Facebook is abusive. It's time to divorce it

Androgynous Cupboard

Re: "Did you get burgled while you were away"

Ha.

Message at 15:14: "hi all just arrived at LAX, long queue, homeland security checking laptops. Hope we don't miss our connection lol xxxx"

Message at 17:30: "No Homeland Security we not checking laptops. We, er, they were simply enforcing security of the United States Of America, Land Of The Free and did not force me to hand over social media login passwords at any point. Also they were very courteous and handsome."

Message at 17:35: "funny I don't remember writing that last message, have I been hacked??!?!"

Message at 17:36: "Yes I definitely did write that. Apologies, nothing to see here, move along. I see I am posting from the LAX Airport Hilton. BRB"

Conversation ends.

2
0

Facebook fake news: Sort it out yourself, readers

Androgynous Cupboard

Couldn't agree more with most of this, although I'm not sure measuring the effectiveness of the impact of fake stories by "engagement" (whatever that is) is reliable. I've had a few mates quote me the "donald trump said if was going to run, it would be as a republican" one - people that would probably know better in general. They might not have clicked on it, but it certainly registered.

This stuff does have an impact, which is why it matters that facebook is going to do cock all except offer a "here's ten crazy ways to improve your critical thinking they don't want you to know" type guidance (am I the only one that finds their form-factor a tad ironic?)

3
0

Leaked: The UK's secret blueprint with telcos for mass spying on internet, phones – and backdoors

Androgynous Cupboard

Re: Apple meet Corer

Christ, Is Worstall writing for Forbes now?

You're quoting the Daily Mail and a former UKIP press officer. Not to say you're not right, but both of those sources are demonstrably more interested in grinding axes than reporting facts, and I have to discount them.

0
0
Androgynous Cupboard

Re: What a level headed bunch you are

Not you, downvoter. No beer for you!

0
1
Androgynous Cupboard

What a level headed bunch you are

I have to say I am heartened by the fact that most of the commenters here have read the paper and are, largely, underwhelmed by the threat this will pose to our privacy. Very little waving of arms (in both senses of the word) and lots of "but this only applies to encryption applied by telecom providers, nothing to see here".

Buy your sensible, rational selves a beer, you deserve it.

2
2
Androgynous Cupboard

Re: i vote for Radio Then there is"old school" communication...

In the UK at least, it's illegal to transmit encrypted content over the radio - if you're using a broadcast channel, eg. VHF, then it must be cleartext. I'm a bit hazy on the source of this info but that's how I remember it. I'm sure there must be a HAM here to back this up?

1
0

systemd-free Devuan Linux hits RC2

Androgynous Cupboard

Re: Most of the complaints about it...

I was installing a new server recently with systemd. I was mucking around with the mounts in /etc/fstab, but for some reason the mount command wasn't picking them up. Turned out I had to request systemd reload the file by running "systemctl daemon-reload".

This isn't a question of a "fossilized admin" such as myself having to learn new things - it's simply poor design. Caching the contents of a small text file that is likely to change is the kind of idiocy I would associate with sendmail - it's pointless from an optimisation point of view, and only add to the complexity of the process. A simple text file read on demand has now become an on-disk representation of some internal datamodel which I have to manage manually. There is no problem solved by doing this, only a problem created.

That's one example, I'm sure there are others. Maybe systemd does solve some great horny issue but it has, and indeed necessarily must, introduce a bunch of others that have been ill thought out. Change for change sake, as someone has already pointed out.

7
0

Australian Taxation Office named as party preventing IT contractors being paid

Androgynous Cupboard

I know who will have first dibs

In an insolvency, the first dibs on the companies assets go to pay the involvency firm, the second to the taxman, then from memory it's staff (non-directors) salaries, and so on down the list until way, way down at the bottom of the list - trade creditors, which is what any contractors working through Plutus are.

I imagine if the Oz Revenue Dept. felt they were owed something by Plutus it would follow this same pecking order, and most likely the contractors will see fuck all of their money. I do hope I'm proved wrong on this.

1
0

'I feel violated': Engineer who pointed out traffic signals flaw fined for 'unlicensed engineering'

Androgynous Cupboard

Re: Bureaucracy

Why are you constantly banging on about r-types and k-types in your comments?

2
0

Jimbo announces Team Wikipedia: 'Global News Police'

Androgynous Cupboard

Re: I knew you'd hate this, Andrew, ...

Indeed. I think I said at the time "I wonder what Andrew Orlowski will have to say about this, assuming he survives his apoplectic stroke."

So my understanding is that "proper journalists" check their sources, verify their facts before their editors let them run the story. That's how it was supposed to work, at least. Then along comes the internet, and suddenly every angry basement dweller can publish an opinion as fact and fairly rapidly it all goes to shit. And now, the solution for this is - more opinions from basement dwellers? I suppose if all you have is a hammer, everything looks like a nail.

0
0

Oh snap! UK Prime Minister Theresa May calls June election

Androgynous Cupboard

Re: Workers

Doesn't mean workers vote Labour. I predict a largish swing to the Lib Dems in the "employed counties" and turnout lower everywhere else, because really what's the point?

PS. Can I also add that hope that the Labour party hurry up and split already? In their current form they're no use to anyone. Enough infighting - split into two and do your fighting at the polling booth like everyone else.

14
0

US border cops must get warrants to search citizens' gadgets – draft bipartisan law emerges

Androgynous Cupboard

Re: There is a positive side to this...

Er, I think you'll find the IOC is not well known for taking a strong stand on moral issues in the host country. A sentence which may just win me the "understatement of the year" prize.

6
0

Startup remotely 'bricks' grumpy bloke's IoT car garage door – then hits reverse gear

Androgynous Cupboard

Re: Why would you need to control your garage door

Why give your brother-in-law a spare key when you can just generate him one?

Obviously it needs to be signed by a trusted CA, or you can run your own with openssl, provided you can store the CA key offline securely (make sure you back up the storage). And obviously you need to be sure that you're using a modern hash algorithm, SHA2 probably. And, of course, you've got to ensure he's using a strong password on his keychain. And watch for side-channel attacks when you generate the key. But, on the whole I think you'll find an RSA key much more convenient.

3
0

Head of US military kit-testing slams F-35, says it's scarcely fit to fly

Androgynous Cupboard

Phew, bullet dodged.

Luckily for the UK, if the F35 it turns out not to work then our new £6bn carriers will just switch to another carrier launched plane, of which there are several. After all, it's not like our carriers can only launch one type of combat aircraft is it? Because that would be just silly.

36
0

Miss Misery on hacking Mr Robot and the Missing Sense of Fun

Androgynous Cupboard

Re: I'd heard of this

Jesus, now you've spoiled the remake too. Enough!

7
0

Manufacturers reject ‘no deal’ Brexit approach

Androgynous Cupboard

Re: It'll be fine

May may try to play poker, but with 28 players, it could become a Russian roulette

May I propose that we rename Russian Roulette "British Roulette", in recognition of our current trajectory?

3
0

UK Home Sec: Give us a snoop-around for WhatApp encryption. Don't worry, we won't go into the cloud

Androgynous Cupboard

Re: Colour me surprised

Vast numbers of comments on this thread presume that just because a desirable public key is in existence, it will leak. If this were the case the banking system would have crumbled years ago and your digital passports would all have long been cloned, yet mysteriously this isn't the case. "All a hacker needs to do is get into the system" comes from an absurdly simplified view that everything is stored online, no doubt on a Windows 95 box protected with "password" like you see on the telly. That's just not how it works, and (@MMalik et al) if you'd bothered to read my post you would see it's not what I described.

Properly designed, properly implemented secure systems can and do exist, and the fact we're in the era of both the "Internet of Shit" and some very high profile recent data breaches doesn't negate that. Both Manning and Snowden walked away with data because it was available to download, and because they were trusted to do so; that was the problem. You need to first get that shit offline, and then start with a complete lack of trust between all parties to do this properly. If nothing else I think we can agree we have that already.

Enough with the "what about the l33t hackerz" replies please. This isn't slashdot.

0
4
Androgynous Cupboard

Re: Colour me surprised

@Dan 55 - may I call you Dan? No need for surnames here.

My hypothetical example is really just about key management, specifically that you can design a system where it would be impractical for NSA & law enforcement to electronically hack in to read messages without compliance from WhatsApp. You're asking what happens after they have the key, the answer is - of course - security is potentially compromised.

@John Robson, @Mike Richards and pretty much everyone else.

Gents, this is a lot of fun but once you get into bribing this guy or rooting that, frankly we're in the world none of us are experts in. There are easier ways to do this, as TRT points out above. I'm simply describing a process where this could be done technically, through legal, if not necessarily moral, channels, without introducing a weakness exploitable by a third party.

Signing off now, have to iron out bugs in my OCSP verification code. That's the trouble with crypto, it's all in the f*ing details.

0
4
Androgynous Cupboard

Re: perhaps itself encrypted with a key known only to law enforcement

@Zippy

In my example system the generated plaintext private key doesn't have to be stored, it can be deleted. But yes, you're right - there's an assumption that this is done properly, and that the NSA weren't running a side-channel attacks on the computer generating the key, or bribing the WhatsApp employee who generated it, or that Facebook are just a front for the CIA/Alien overlords, and so on. But if any of these are the case, we have bigger problems.

Designing a system to minimize this risk is complex, and it's also quite good fun as a thought exercise, but it's straying from the (really very simple) technical point I am trying to make: a properly implemented backdoor for law enforcement is technically possible without opening that backdoor to everyone. Sorry. I don't like it much either, for what it's worth.

0
8
Androgynous Cupboard

Re: perhaps itself encrypted with a key known only to law enforcement

Christ. Go read (and implement, as I have) RFC2315, in particular section 10 (enveloped data), then come back to me. The key words from that section begin with "For each recipient".

1
2
Androgynous Cupboard

Re: perhaps itself encrypted with a key known only to law enforcement

My dear Streaky, PGP is very much a thing, You should google it.

I think we're at cross purposes here. "A weakness added by technical means" is wordplay and not helpful to this discussion.

Clearly you are upset at the concept of law enforcement having access to comms that you feel should be encrypted for ever until the end of time. That's not unreasonable, but I'm not interested in legislative or emotional arguments. Yes, people will leave a messaging platform that does this. I already made that point in my first post.

I'll restate my point for clarity. Encrypted communication between two devices could be "backdoored" for law-enforcement without making it easier for a third-party who snoops on the traffic to decrypt. The argument levelled against "backdooring" is that it opens the door for everyone, not just law enforcement, and I am saying that is simply not the case here.

As I'm clearly playing devils advocate, here's how I would construct the system.

Law enforcement generate a keypair and send the public key to Whatsapp, and keep the private key in safe. WhatsApp generate a keypair, and use the public key as I've described. They encrypt the private key with law-enforcement's public key, print it out and put it in a safe, then delete the "plaintext" private key. Or, if you prefer, store parts of the printout in multiple safes in multiple jurisdictions, including bank vaults.

Now to decrypt any communications you need the private key of law enforcement (in their safe), the encrypted comms (on WhatsApps servers) and access to the safes in WhatsApp's offices, which they're only going to open with a court order. It's safe from NSA hacking, it's safe from NSA and Law enforcement acting together, it's safe from WhatsApp acting on their own.

Of course no system is impenetrable, but if you think this system (if implemented as described) is vulnerable then please tell me how you would do it, either as an over-zealous government, a corrupt law-enforcement official or a third party. Facts please, not hyperbole.

2
22
Androgynous Cupboard

Re: Colour me surprised

No. Not a technical weakness. The symmetric key remains encrypted, buy you now have a choice of two public keys to decrypt it. Brute forcing either is impractical, so no technical weakness is created.

It is clearly still "end-to-end" encrypted, as the message it encrypted on device A and not decrypted until it's read on device B.

There is clearly an ability for a third-party to decrypt - that's the point - but it's not a technical weakness. Let's be clear, I'm not advocating this system and I am not keen to allow Amber Rudd to read my messages, but criticising he on the grounds of "it can't be done, technically" is incorrect.

But if you know better, please explain in detail why this is the case - as I just aded to my post, this method is used by PGP amongst others, so I'm sure they would be delighted to hear your analysis.

4
20
Androgynous Cupboard

Re: Colour me surprised

While I think Rudd is, in general, an idiot, what she is describing is technically possible without introducing any technical weakness.

Communication is normally encrypted with a symmetric cipher like AES256, and the key exchange is done with public keys: device A generates a session key, encrypts it with device B's public key. Only device B can decrypt it, and, therefore the session.

However it's possible to encrypt the session key again with a second public key. The corresponding private key could be held by WhatsApp, perhaps itself encrypted with a key known only to law enforcement. WhatsApp (or whoever) stores the encrypted chatter between devices, and can decrypt it with that private key as required.

This is different to the "decrypt the iphone" debate, which is done with a symmetric cipher. Introducing a weakness there introduces it for everyone, not just law enforcement. But where the encryption involves a key exchange between two devices, then allowing a third-party to decrypt communications can be done and, from a purely technical point-of-view, introduces no weakness in security.

Obviously there are other issues, not least for the company that is likely to see people abandoning any platform that does this for one that doesn't. But that's a different problem.

(edit: I should add this mechanism is not something I've just dreamt up, it's used by PGP, Acrobat and probably any system that facilitates the encryption of a document or message for multiple parties)

2
34

Dishwasher has directory traversal bug

Androgynous Cupboard

Re: It's crazy, but it's very Miele

Here's the machine here: PG 8258. You're unlikely to have one of these in your home kitchen...

1
0

Large Hadron Collider turns up five new particles

Androgynous Cupboard

Re: Puzzled, as usual

I blame Uexit

0
0

Git sprints carefully towards SHA-1 deprecation

Androgynous Cupboard

@bazza

I took apart the two PDF documents they created, and I believe they started with two files containing an arbitrary binary stream - in this case, a JPEG with an embedded binary blob. They then diverged the content of both files until they had the same hash.

The two key points here are:

1. Both files had to be modified. Creating two files with the same hash is different to creating one file with the same hash as another, and much easier.

2. The JPEG embedded in the PDF has a binary blob which is of considerable length, and this blob was modified to engineer the hash collision. The nature of PDF means these modifications will still give a valid file, and I imagine you could say the same about any format which allows an arbitrary binary marker, i.e. TIFF, JPEG, PNG, but not something like XML or - and I'd want to confirm this before I staked my life on it - ASN.1 encoded X.509. So your point about modifying PDF being harder than modifying "two arbitrary byte streams" is true, but not by much, as PDF is allowed to contain arbitrary byte streams.

Point 1 is the key and personally I think some of the panic on this one is not yet warranted. SHA-1 is badly damaged, but 6000 CPU years to create two files which demonstrate a hash collision does not make an attack vector. Not yet.

2
0

SVN commit this: Subversion to fix file renaming after 15 years

Androgynous Cupboard

Re: SVN will never beat GIT

We've got over 30,000 commits in a very large SVN repository. We tried migrating to Git a while back but the requirement to have the full tens-of-GB repository stored locally on our CI servers stopped us cold. With SVN it's a couple hundred MB, just the version we're testing. Git brings a lot of improvements, but it's not a panacea.

1
0

Forget quantum and AI security hype, just write bug-free code, dammit

Androgynous Cupboard

Re: 1980s computer science

Three slots a day? My Dad used to have to post his punched cards to the nearest computer. Which, as he was in New Zealand in the 70s, was in Australia.

I imagine they checked their work quite thoroughly before posting.

3
0

Page:

Forums

Biting the hand that feeds IT © 1998–2017