* Posts by Squander Two

1115 posts • joined 26 Mar 2012


It's World (Terrible) Password (Advice) Day!

Squander Two

Re: I might be wrong, because I don't know

This is why you shouldn't capitalise the first letter of each word: it creates a sign of where each word starts and ends, which could (conceivably) be cracked (though I personally don't see how). Capitalising the second or third or fourth letter of each word is fine, though.

Squander Two

It is true that hackers use dictionaries, yes, but that doesn't make collections of random words easy to hack, as long as the hacker doesn't know where the breaks in the words are -- and why would they? "correcthorse" is easy to hack if you know that you're looking for 2 dictionary words and the first one's 7 and the second 5 letters long. Otherwise, it's just as good as any 12 characters. You can make it even tougher by chucking in a deliberate misspelling or two, though.
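An added example, not part of the original post and not Squander Two's, that puts numbers on the search spaces this post compares. It assumes a 100,000-word cracking dictionary and a lowercase alphabet (both constructed assumptions), and models a guesser that simply concatenates candidate dictionary words, so it never needs to know where the word boundaries fall; the entropy of twelve random letters, of two dictionary words, and of two words plus one single-letter misspelling can then be compared directly.

```python
import math

# Constructed assumptions for the arithmetic; none of these numbers come from the post.
DICTIONARY_SIZE = 100_000   # assumed size of an attacker's word list
LOWERCASE = 26              # alphabet of "correcthorse"-style strings


def bits_random_string(length, alphabet_size=LOWERCASE):
    """Entropy (bits) of a uniformly random string: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def bits_word_combo(words, dictionary_size=DICTIONARY_SIZE):
    """Entropy (bits) when the attacker tries every ordered sequence of
    `words` dictionary words. The guesser does not need the boundaries:
    it concatenates candidate words and tests the whole string."""
    return words * math.log2(dictionary_size)


def bits_single_substitution(length, alphabet_size=LOWERCASE):
    """Extra bits added by one deliberate misspelling, modelled as one
    character at an unknown position replaced by any other letter.
    The attacker's candidate set grows by length * (alphabet_size - 1)."""
    return math.log2(length * (alphabet_size - 1))


def guesses_needed(bits):
    """Worst-case number of guesses for a search space of the given size."""
    return 2 ** bits


def compare(length=12, words=2):
    """Return the three search spaces discussed in the post, in bits."""
    combo = bits_word_combo(words)
    return {
        "random_chars": bits_random_string(length),
        "word_combo": combo,
        "word_combo_misspelt": combo + bits_single_substitution(length),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:22s} {bits:6.1f} bits  (~{guesses_needed(bits):.2e} guesses)")
```

With these assumptions, twelve random lowercase letters come to about 56 bits, two dictionary words to about 33 bits, and a single-letter misspelling adds roughly 8 bits on top of that; the dictionary figure scales with the size of the word list, so a larger list raises it but does not change the shape of the comparison.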

Squander Two

When HSBC's superduper voice recognition got hacked by a journalist, one of the giant holes in the system turned out to be that they let him try a dozen or so times and didn't lock him out.

Squander Two

Re: In these cases, your pronounceable-words password won’t actually work.

Well, exactly. It's pretty easy to make one of the words a number or to include some punctuation without sacrificing memorability.

Squander Two

Re: Biometric?

HSBC asked me a while ago if I wanted to adopt their shiny new voice-recognition system instead of my old password that has never ever been hacked. I said no and they asked why not. "Because I work in IT and know enough to know that it will fail," I said. It got hacked by a journalist imitating his brother's voice a few months later.

Thank God it was optional.

Squander Two

Some good advice missing from this piece:

Yes, use a handful of real words, but misspell at least one of them.


Capitalise some letters, but never the 1st of each word -- how about the 3rd?


Instead of having a password, memorize a simple password-generation rule which is based on the thing you're logging into.

E.g. "koRrekthoRsbaTtery"+[1st & 3rd letters of app name]+[[number of letters in app name]-2]

which for The Register would give:


This is just as easy to remember as a password while being different for every site or app you use.

Also, a good alternative to random dictionary words is to use the initials of a memorable sentence, which gives utter gibberish that's very easy to remember.

You're welcome.

‘Alan Turing law’ to give posthumous pardons to 59,000 men for 'gross indecency'

Squander Two

What about the people who weren't convicted?

These men were convicted, so a pardon makes sense -- as does an apology.

What about all the people locked up for life without parole with no trial and no conviction? We did the right thing and released all the ones who weren't dangerous (which was almost all of them), but I think most of them could have done with a proper official apology from the government too.

You know what the most common reason for a woman to be in an asylum was? "Moral turpitude" -- i.e. having a baby out of wedlock. It wasn't a crime, but was evidence of insanity, so you got locked up for longer than if it had been a crime. Also evidence of insanity was denying your guilt when accused of a crime by your betters -- which was a real risk for people in service to masters or mistresses who mislaid things. Stealing was criminal, but denying you'd stolen was criminally insane, so up you were locked, forever, no trial or conviction necessary.

About time we apologized to these people too. A lot of them are still alive.

Microsoft keeps schtum as more battery woes hit Surface sufferers

Squander Two

I have a certain amount of sympathy with manufacturers over this sort of thing. Social media means that it's very easy for a small problem to look big. How many Surface batteries have this problem compared to the number of actual Surfaces out there? That's what we really want to know. Even a rough estimate would be helpful. Otherwise, it's difficult to assess the situation properly.

Microsoft's failure to respond to people is another matter, and is inexcusable.

I've had two Macbooks which both had such a severe battery problem that they persuaded me never to buy Apple again -- especially since Apple insisted to me that the fault was a deliberately designed feature, not a bug, and demonstrated how superior their batteries are. I have a Surface Pro 3 and love it to bits, and the battery's absolutely fine. Is that because I'm part of the lucky minority who got decent batteries or is my experience the norm? No idea. It'd be nice to know.

TV5Monde was saved from airtime-KO hack by unplugging infected box

Squander Two

Re: Incorrect....

> Listening to the interview yesterday, it was "indicated" that the attack was by the cyber-jihadists, with later investigations showing it was Russian linked

Yes, I thought that too. Although I didn't get it from hearing the interview. I got it by continuing to read this article all the way to the end.

NIST: People have given up on cybersecurity – it's too much hassle

Squander Two

Re: Bad prognosis

Who the utter bucketing fuck gave you a downvote for congratulating someone on their taste in books?

(I mean, it's actually Stand On Zanzibar, but surely no-one's so pedantic that they think they need to punish someone for that, are they?)

Squander Two

Re: Punishment.

> If a user wants to own a general-purpose computing device, then there is a responsibility for the operation of that device that goes with such ownership.

OK. So you go found a computing company with that mission statement and let us know when your profits go through the roof.

Meanwhile, here in the real world, the firms making actual computers that actual people actually use have spent several decades specifically marketing them as things that you can use without understanding their inner workings. I'm fine with that. If you're not, you're going to need a time machine.

The point is, a duty of care isn't something that accidentally happened to the IT giants. It's something they chose and pursued. They didn't have to.

> If the use wants to abrogate that responsibility - that's fine, but don't expect to be permitted to do whatever you like with it.

Permitted? Gosh. By whom?

>> Someone below mentioned the internal combustion engine, apparently under the impression that people who drive cars know how it works. No they don't.

> That's actually a superb example - we don't expect car owners to be experts in the internal functioning of their vehicles ...

So not a superb example, then. What you're talking about is a different example.

> ... but we do expect them to operate those vehicles in a safe manner - with potentially huge penalties if they fail to do so. Don't want to take that responsibility? Take a taxi.

But we're not talking about people using computers recklessly and thereby endangering others. We're talking about users opening an email and being fucked. A few months ago, there was that text message doing the rounds that would brick iPhones if you received it. Now we're looking at IoT botnets, apparently. Yet still this attitude prevails in IT circles that it's always the victim's fault. Their fault for what? Putting a smart lightbulb in their living room?

> Sure - but if they've put a new roof on, then they come to look at the leak you've reported and found you've drilled a massive hole in the roof to get some stuff in ...

This is exactly the attitude I'm talking about. You just won't accept that a computer might actually have an inherent problem when it's sold.

And this is odd, because go to any comments thread on this site about the new version of any OS, and there'll be loads of knowledgeable comments about all its problems and bugs. But the moment we discuss security, some of the same knowledgeable people insist that everything is the users' fault -- with the implication that the computers they're using must be perfect.

Apple had that huge security hole a couple of years back that was caused by a dev screwing up their copying and pasting. The code was visible to the public, and the bug was obvious (I showed it to two non-devs, one with no interest in IT at all, and they both spotted it), yet none of Apple's processes picked it up. Every machine that shipped with that code and every machine that was updated with that code had a giant security flaw in it that was 100% Apple's fault and 0% their users' fault.

Heartbleed was similar.

> Just as you wouldn't expect a chainsaw manufacturer to take responsibility when someone's tutorial in "using a chainsaw to remove unsightly facial hair" goes wrong, you can't blame the manufacturer of computer software to accept responsibility for everything a user might do with their product ...

... such as checking their emails, opening a text message, or simply turning their computer on and connecting it to the Internet without first writing and installing a patch to a massive security hole that no-one except some criminals has discovered yet. Yeah, that's definitely equally as reckless as taking a chainsaw to your own face. Probably more.

> Revenge porn requires three steps:-

> • Creation of the porn

> • Distribution of that porn to someone who should (at the time) have it

> • Distribution after the fact to someone who should not have it

The example I gave -- people having their webcam hacked and being filmed without knowing it -- is a real example, that has actually happened. That's caused by users recklessly and irresponsibly changing their clothes in the same room as their computer. The stupid morons.

> So whilst I'm all for some software being required to perform properly under pain of litigation, making such sweeping statements that it must all cushion users such that they do not need to be responsible for their own actions is both ludicrous and extremely unwanted.

And not remotely what I said.

Squander Two

Re: Punishment.

> how does the adjuster know the difference between a car that blew up on its own or one that blew up because some idiot put the wrong liquid in the crankcase?

Wrong analogy. With computers, the problem isn't that some idiot put the wrong liquid in the engine by mistake. The problem is that some bastard put malicious liquid in the engine on purpose. And the car was manufactured with four hundred funnels all over the outside for strangers to pour liquid into it. And you can't lock the caps on any of those funnels because the manufacturer hasn't designed the locks yet. And there's a Russian criminal in the backseat with a gun, but the manufacturer says that's your fault for buying the model with doors.

Squander Two


> I await the torrent of comments to the effect of "Well, if they don't know how to use a computer correctly, they deserve what happens to them."

There's always some of that, yes -- IT does seem to attract more than its fair share of misanthropes (I'm one myself) -- but I think the more prevalent attitude is simply a lack of understanding. IT people just don't seem to get that not only do most people not understand the inner workings of a computer, but that they shouldn't have to. This decision was made back when Gates and Jobs and their peers decided that computers should be mass-market machines for everyone: with that aim comes the responsibility to make them safe.

Someone below mentioned the internal combustion engine, apparently under the impression that people who drive cars know how it works. No they don't. Neither do we need to understand cathode rays or LED tech to watch TV, or materials science to use a ceramic frying pan. And if a manufacturer were to make a frying pan that catastrophically explodes if exposed to the highest temperature on a normal hob, a bit of small print in the packaging saying "Do not use the highest temperature with this pan" wouldn't protect them from the ensuing prosecution.

Computer firms have a choice: they can make highly specialised machines for a tiny market of specialist professionals, and trust those professionals to know what the hell they're doing -- and so leave them to clean up their own mess when stuff goes wrong. Or they can make general mass-market machines for everyone, and accept the duty of care that comes with doing so. The trouble with too many IT people is their belief that you can sell to the latter market but act like you've got the former customer base.

The big firms get some of this, as we see just from the fact that they do roll out security patches. But they don't get it enough. They still expect their customers to be watching the news for the latest "Install the latest patch immediately!" story and then doing so by the end of the week. Imagine if a toy manufacturer issued a product recall every week for a decade. They couldn't, actually, as they'd be bankrupt inside a year.

Customers hate this crap, and rightly so. But they are faced with an industry that, although it refuses to change its stinking attitude, makes undeniably useful and wonderful things. So they try asking their techie friends for help, and those friends say things that they genuinely believe are helpful, such as "Switch to Linux" or "Implement this new encryption algorithm I've found", but which actually all boil down to the same piece of shitty advice: "Become an IT expert." So the only rational course left to users is exactly what this study has discovered: resignation.

Since computer security is increasingly a safety issue, I'd like to see governments updating their laws to reflect that. If a young lady buys a laptop and happens to have it switched on in her room while she gets changed, she has an entirely reasonable expectation that video of her naked isn't going to be used to blackmail her. If it is, the manufacturer of the laptop and its software should be held liable. If a builder puts a new roof on your house and it's leaking six months later, they're simply not allowed to write an EULA that says it's not their problem because it's your roof and they didn't make the rain. They're liable, legally. The same principle applies to all other manufacturers and producers -- unless they're an IT firm. Car manufacturers don't get to shrug when their products crash due to design and manufacturing flaws, but IT firms do -- which is why Tesla are suffering from cognitive dissonance: they're full of IT people with IT attitudes, and are beginning to discover that that won't wash.

Well, it shouldn't wash anywhere. Next time someone is driven to suicide by identity theft or revenge porn, how about we identify some senior executives responsible for the tech that made it all possible and drag them through the courts and embarrass the fuck out of them? Do that a few times and just watch computer security improve. Incentives matter.

(Sorry, this comment went on a lot longer than I intended. Rant over.)

OK Google, Alexa, why can't I choose my own safe, er, wake word?

Squander Two

Re: If you wanted an ideal wake phrase, OK Google isn't it

In countries where people don't naturally say "OK," it's actually a better choice of phrase.

Not many of them, though: it's the most common and universal word on the planet.

Squander Two

My preference.

Apple's voice recognition back in the days of MacOS9 allowed you to pick your own phrase. I went with "Are you fucking listening to me?"

Good God, we've found a Google thing we like – the Pixel iPhone killer

Squander Two

Re: Read it and grin madly

It's entirely possible that Google are simply paying Apple for a licence to use the patents. Not in Google's nature, I know, but the design does look too close for even them to try it on.

Should Computer Misuse Act offences committed in UK be prosecuted in UK?

Squander Two

Re: A historian writes...

> So Great Britain, the whole island, is a component of the UK, not the whole.

Great Britain, yes; "Britain", though, without the "Great", is generally used to refer to the country. The Northern Irish are actually quite strict about this, referring to the country of which they are a part as "Britain", not "Great Britain". (Whether they say it proudly or bitterly is another matter.)

This does lead to a rather nice irony, that Britain is larger than Great Britain. English, eh?

Squander Two

Re: Jurisdiction

> I accept that others may have different interpretations

Well, that was my point. I don't think there is a single answer to the question. I think various answers are all perfectly reasonable. A lot of the commenters are making simple black-and-white statements of "this part happened in the UK therefore obviously extradition should not happen". I say it's not obvious and the "therefore" is more of a "so maybe".

Squander Two

Re: Autism.

> Teaching a kid 'this is wrong because the law says so' is a SUCKY way to instill morality.

Sure. But teaching a kid "this is illegal because the law says so" is quite easy. And, since autism usually involves literal-mindedness, even easier for autistic kids.

Squander Two

Re: Entrapment

Oh, I stand corrected. Thanks for that.

I fell into the trap of assuming the commenter was basically correct about entrapment and correcting his use of the term "illegal".

I do know a load of speeding convictions have been nullified on the grounds that the police speed-traps were hidden and that that constituted entrapment (which seems a bit odd to me, but hey).

Squander Two

Re: Jurisdiction

Actually, extradition treaties, as is the case with all treaties between states, are there for whatever those states decide they're there for. International law is like contract law: you can put anything you like in the contract.

Thought experiment: a sniper in Canada fires across the border, killing someone in the US. Where was the murder committed? Would the US be insane to claim jurisdiction or to request extradition? Seems reasonable to me. (Which isn't to say that the Canadians would be unreasonable to claim jurisdiction.)

Transnational computer crime seems similar to me. Ready access to the Internet obviously makes the whole concept of physical location a bit more complicated than when you're considering, say, a case of shoplifting. You really can commit a crime in one country while sitting in another country. We can argue about how best the law should address this problem and whether it's addressing it correctly, but it seems strange to me to argue that the law simply should not address the problem at all.

We've been here before. In the early 20th Century, some American robbers pioneered the use of cars to commit a crime in one state and drive across the border and out of that state's jurisdiction. The law was updated to address the problem raised by the new technology -- as it clearly needed to be.

Squander Two

Re: How?

> Sure, they'd face financial ruin

Ah, yes, if the Greeks were to leave the Euro, then they'd face financial ruin. Wouldn't want that to happen.

Squander Two

Missing the point.

> If a Saudi comes over here, marries a nice English girl, beats the shit out of her, then goes home is that ok?

No, it's not, so we'd have an arrest warrant in place that could be enacted as soon as the perp re-entered the UK or a state with which we have an extradition treaty that covers that type of crime. This has nothing to do with whether the act is OK.

The whole argument surrounding the Lauri Love case revolves around extradition, yet people keep bringing up hypothetical examples involving countries with which we have no extradition treaty. These shed no light whatsoever on the case, because they are, by definition, shite examples.

Squander Two

Re: Well, not before the name...

> Would you count putting "Democratic" in your name as boasting?

I'd almost always count it as lying. "The Democratic Republic of" is never either.

Squander Two


Entrapment is not illegal in the UK. Evidence gathered via entrapment is inadmissible in court. Not the same thing. The police don't get prosecuted if they commit entrapment; they just fail in their attempt to prosecute someone else.

Squander Two

Re: Jurisdiction

That's rather the point of extradition treaties.

Squander Two

Re: How?

You're saying that all those other Brexits, the ones that never happened, totally could have. OK. The fact is, the only ever real-world case of a state leaving the EU has started only after the EU created what is in effect its express permission.

The idea that a member state can leave even when there's no mechanism for doing so has a certain amount of evidence against it. The Greeks really, desperately, need to go back to having their own currency. There is no mechanism for leaving the Euro. You could argue that Greece is still sovereign and so could leave the Euro if it wanted. Your argument might well be theoretically true, yet would not match up too well with the facts. Merkel even went so far as to explain that a state leaving the Euro would lead to all-out pan-European war. There's sovereign, and then there's sovereign.

Squander Two

Re: spanish boiler rooms

It's a false dichotomy: crimes have in fact been committed in both countries. Same as the Lauri Love case, then.

Squander Two

Re: Should be tried here.

> Just as, if I left my front door unlocked, I have not given a burglar authorisation to go in and take all my stuff.

Exactly. If you don't secure your house properly, then your insurance company may not have to pay up, since you've probably breached your contract with them. But anyone who goes in and nicks stuff is every bit as much a criminal as they would be if it were locked.

Are we going to stop prosecuting pickpockets if they only take things from unsecured pockets?

Squander Two


> For example accessing a public website is deemed as being authorised without any explicit authorisation ever being given. So technically your access is unauthorised.

I'd've thought setting the permissions to 644 constituted granting authorisation to the public to view it.

Squander Two

Re: How?

> Parliament is still sovereign and always had been. If it wasn't, then Brexit wouldn't even be an option without the express consent of the EU.

And indeed Brexit wasn't an option without the express consent of the EU, as the EU only created the sainted Article 50 quite recently -- until they did, there was no mechanism for leaving.

I dare say we could have left anyway. But it would have been even more fraught and complicated, and would have had to involve the emergency creation of something like Article 50 -- i.e., the express consent of the EU.

Squander Two

> I've read in various places that the term Great comes from Roman writers who didn't have a firm grasp of geography or because of James VI/I holding the crowns of Scotland and England.

Don't know where you read such things, but the "Great" in "Great Britain" originally referred to the fact that it is the largest of the British Isles. That is why Northern Ireland is in Britain but not in Great Britain.

The phrase has of course come to have other connotations over the years, as "great" has come to mean "good" as well as "big". Pretty sure we don't have any politicians who are somehow under the impression that the largest of the British Isles has been overtaken in size by one of the Orkneys.

Squander Two

Re: Seems simple to me

The UK has an extradition agreement with North Korea? Bloody hell. How did this not make the news?

Telcos hit out against plans to hike their broadband rates

Squander Two

Re: Rateable values are not rates.

Actually, reading the piece again, I see that it's The Register, not the telcos, who've claimed that a fourfold increase in rateable values equates to a fourfold increase in rates. [sigh] This magazine used to get stuff right.

Squander Two

Rateable values are not rates.

The rates on a premises are a combination of two things: its rateable value and a multiplier. The multiplier is there simply so that authorities don't have to survey every property in the country every year: instead of surveying a property again to see how much its value has changed in the last twelve months, councils just multiply last year's valuation by 1.2 or whatever. I did a report on the system for my GCSE (many many years ago), and discovered that Southwark Council were at the time using rateable values based on thirty-year-old surveys -- with, of course, a huge bloody great multiplier.

In other words, this kind of huge leap in rateable values is completely normal, and it doesn't usually lead to equally huge leaps in actual rates.

I'm happy to admit I'm hardly an expert on this. Is there some reason why, on this occasion, a fourfold increase in a rateable value could lead to a fourfold increase in the rates? Or are the ratepayers taking advantage of the public's ignorance of the system to threaten them with drastic price hikes?

Londoners react with horror to Tube Chat initiative

Squander Two


Although urban areas versus the countryside explains some of this, it can't be the whole picture. Because it's not cities or large towns in general; it's mainly bloody London. Glaswegians and Mancunians and Durhamites and Yorkers and Belfasters (Belfastians? Belfishers?) will happily chat with each other. Not as much as people in the countryside, no, but a hell of a lot more than bloody Londoners.

Don't let banks fool you, the blockchain really does have other uses

Squander Two

Re: Must try harder @ DougS

@ DougS

> They may have found a tiny niche where it is useful

The global movement of goods: a tiny niche. Hmm.

Squander Two

Re: Must try harder @ G Mac

> the documentation was hashed in the blockchain, not the funds itself which were sent via Swift

Yes, which shows banks aren't stuck in a rut where they can't disassociate blockchain from the idea of virtual currency -- contrary to Bob Rocket's comment above that "The Blockchain itself has nothing to do with Bitcoins or money but the financial institutions can't get their head around that" and to this article's headline.

> In this case, who did what to whom? And how do you know given anonymity in the real world?

I'd be interested to know too. Hence my annoyance at The Reg for not covering (and apparently being totally unaware of) what is currently the biggest news story concerning the topic this article is ostensibly about.

Squander Two

Must try harder

The Register's really going downhill. If you're going to write a piece about financial services using blockchain tech, you should at least mention that Barclays just announced they've completed the world's first use of blockchain tech to execute a global trade transaction. Even if you mention it to say you think it's crap for some reason. By ignoring it, you just look uninformed.


> Currently trade transactions of this nature often involve a high number of participants in different jurisdictions around the world, which in turn requires a significant amount of paperwork, counter-signing and courier journeys.

> The new blockchain-based system developed by Wave uses distributed ledger technology to ensure that all parties can see, transfer title and transmit shipping documents and other original trade documentation through a secure decentralised network, eliminating many of the current inefficiencies in international trade. The new system could therefore speed up trade transactions, reduce costs for companies around the world and reduce the risk of documentary fraud, said the statement.

Apparently, this pilot scheme got the transaction time down from ten days to under four hours. Sounds to me like they've found a viable use for the tech. Sure, you can claim that it could have been achieved with a transactional database if you like. But transactional databases have been around for years, yet, rather than adopting them, this trade has still stuck with a tedious and absurdly inefficient system of couriering physical paper around to be signed with pens. Could it be that the industry's experts can see a problem that transactional databases don't address and the blockchain does? It's a possibility. Would have been nice if you'd asked some of them.

It rather appears that The Reg have spoken to a couple of people who can't think of what to do with blockchain and recklessly extrapolated that cluelessness to an entire industry.

Brexit at the next junction: Verity's guide to key post-vote skills

Squander Two

Re: What's wrong with the Oxford comma?

Highlights of his global tour include encounters with Nelson Mandela, an 800-year-old demigod and a dildo collector.

-- from a Times story about a documentary by Peter Ustinov.

Squander Two

Can I just point out that "Napoleon won" is the current French value of Waterloo?

Squander Two

Re: I want Gregxit

I think we could revolutionize our credit-based economy by going back to the system where a bad debt must be collected by a "bum" (or "push-arse") who has to touch you with a wooden stave. As long as he doesn't touch you with his stick, you are allowed to run away. And they may not chase you if you stay in the Savoy for some reason.

We could combine payday loans with reality TV and LEAD THE WORLD.

Squander Two

Re: Killer fact!

> About as stubborn as the Russians

I hereby propose that as the Northern Irish Tourist Board's new slogan.

Squander Two

Killer fact!

The Battle of the Boyne took place on the 1st of July, yet its anniversary is celebrated every year on the 12th of July, because of the move from Julian to Gregorian dates. THAT's how stubborn the Northern Irish are.

Asian hornets are HERE... those honey bee murdering BASTARDS

Squander Two

@ Steven Roper

Australia is a tad more isolated than Great Britain. You can stand in England and see France, no telescope required. We have strict quarantine for animals that can't swim the channel to keep rabies out, but there's sod-all we can do about flying animals.

Squander Two

Re: Be Warned

> Why very dangerous? As mentioned Frelon Asiatique is not more dangerous than a standard bee.

Since a swarm of standard bees is very dangerous, what's your point?

Lethal 4-hour-erection-causing spiders spill out of bunch of ASDA bananas

Squander Two

Brazil nuts

Brazil nuts' shells are also so high in aflatoxin that the EU tried banning them. For a few years there, you could only get them without their shells. That ban seems to have been repealed, though, judging by supermarket shelves.

Killer fact! Saddam Hussein's regime was the only ever to weaponise aflatoxin.

Squander Two

Spiders are not insects.

But in a war they'd probably side with the insects.

Apple seeks patent for paper bag - you read that right, a paper bag

Squander Two

Wouldn't this basically invalidate any such patent claims in the EU?


Squander Two

Re: Eco is just marketing

You beat me to it.

If Apple gave a damn about the environment, this wouldn't be a patent; they'd stick the design on the Web and send a copy to every retailer on the planet. Or they'd offer to manufacture them for everyone else at cost. "We're helping the planet by coming up with an innovative new way of doing less damage to the environment and we'll sue anyone else who tries to do the same" just doesn't sound all that convincing.


Biting the hand that feeds IT © 1998–2019