* Posts by Adam 1

1891 posts • joined 7 May 2012

Reminder: Spies, cops don't need to crack WhatsApp. They'll just hack your smartphone

Adam 1
Silver badge

@Jack, and the vulnerability hoarding by TLAs is exactly what enabled Wannacry. This isn't a zero consequence game where you get more bad people caught. I would love there to exist a construct whereby keeping confidential information secure for good people but insecure for bad people but that is not what math gives you. Unfortunately

(m^e)^d === m (mod pq) even if you are an {insert today's boogeyman}.

We know that the NSA previously used specific elliptic curve parameters to weaken the RNG used and therefore effectively sidestep the encryption. Now have a think about what happened when that was discovered. Everyone stopped using it. Do you think the bad guys will continue to use a communication medium they know can be read at will?

The other thing I would ask those who think that these sorts of proposals are a good idea is "what sort of argument could you give against a future law that bans meeting someone in person behind closed doors without tapes being held by the conference centre in question?". Or is that ok too?

5
0
Adam 1
Silver badge

> With government officials still struggling to convince the public of the need to give law enforcement the ability to decrypt

I would support this if it was effective. That's unfortunately not how math works (even in Oz oh wise leader).

In simple terms, asymmetric encryption works as follows. Use a key exchange (eg RSA or DH) to invent a shared secret that can be computed by both sender and receiver with (relatively) simple math. That secret is then used to encrypt the payload with a symmetric encryption (eg AES).

So where does that leave government backdoors/lawful intercepts.

Well you could ask Alice or Bob to kindly share the secret they came up with together with Eve. (Some) law abiding folk might agree to that but I'm skeptical that criminal Alice and criminal Bob will trouble themselves to do so.

I guess you could not tell Alice Bob's real public key but the service provider's one, then have the service provider decrypt the messages and re-encrypt it with Bob's real public key. A few problems there. Firstly, the service provider becomes a honey pot to hackers or misbehaving staff. Secondly, if Alice and Bob ever meet then they can tell the public keys are different.

I guess you could limit the key size or RNG in some way, but here in the tech world we call that weakening the encryption. There is just no way to do that so that your good guys can do it without equally enabling the bad guys.

2
0
Adam 1
Silver badge

Re: What stops Apple and Google from buying a copy of this software?

As they very well should. It is their job to ensure that their software is secure, and to remedy any shortcomings that are discovered.

Such software is hardly new. There are several malware frameworks which pull together C&C, keylogging, botnet herding, encryption/ransom, email relay etc. That is why these Wannacry style attacks can be launched so quickly. All they need to do is write the hook for the specific vulnerability they exploit. That the good* guys can use the same tools for good* is unsurprising.

* Levels of good may vary from region to region.

7
1

SK Telecom makes light of random numbers for IoT applications

Adam 1
Silver badge

Plenty of room at the table

> At various times, random number failures have hit iOS, Windows XP, Raspberry Pi, and famously, RSA

Don't worry, this is one game that Debian can play too. That meant only 32,768 possible seed values for the RNG and it was unnoticed for nearly 18 months.

0
0

Las Vegas locks down ahead of DEF CON hacking conference

Adam 1
Silver badge

Virus scanners (pretty much all flavours) claim to use heuristic analysis of the binaries to detect likely threats. The main problem is that the bastards who write the malware can easily see if their code triggers some pattern and write some diversion to trick the heuristic pattern matching and then you get a game of cat and mouse.

I would trust email over USB too. The USB interface was designed in a more trusting time*, so if it claims it is an Ethernet card then many OSes will immediately start sending it traffic. If it had a built in 4G then it could easily MitM. Or it could emulate a keyboard and send the shortcut keys to do whatever the logged in user can do. They might even be able to do some interesting trick pretending to be a sound card and sending voice commands as if it was a microphone input. And that is without physical damage. There is a USB stick that you can buy that basically has a capacitor inside. It takes charge for a short time, then unloads all that energy on a few chips expecting 5V 1A maximum.

At least with email, they would have to embed a font in the PDF to pwn the machine.**

*It is Fort Knox compared to FireWire though.

**And I wish that was a joke

1
0

Adobe will kill Flash by 2020: No more updates, support, tears, pain...

Adam 1
Silver badge

Re: It's going to make life tougher for El Reg

There is going to be a steady stream of flaws in the HTML5 rendering engine that will no doubt get built into systemd. It will get pwnd by someone using some specific background colour in their CSS, but will be closed as won't fix because users shouldn't use such a stupid colour anyway.

15
0

I've got a verbal govt contract for Hyperloop, claims His Muskiness

Adam 1
Silver badge

Re: JR shot "...let alone 200 miles away on the same track..."

> Yes the scenario they described of a devastating 1 atmosphere pressure wave travelling a long way through the tube is far from plausible as the engineering required to counter it is so trivial.

Trivial? Back of the envelope math. The speed of the air molecules entering a vacuum is in the order of 500m/s. That is about double the cruising speed of a 747. Perhaps if the failure occurred 250km+ away, you would have time to apply the emergency brakes in the pod and safely repressurise the tunnel at a safe rate. If you're close though, you're screwed. If the failure was caused by say a seismic event, you may have to deal with power outages and damaged pumps etc as well. None of which bodes well for a fast but safe repressurisation.

0
0
Adam 1
Silver badge

> Depressurisation of the tube? Well, it'll slow down the pod,

You may want to check your math there. Unless you mean it will slow down the pod in the same way that coming into contact with a mountain will slow down a plane.

That is really the engineering deal breaker for this technology safely conveying passengers. Using tunnels is clever because it solves three other challenges.

1. The need for a direct route with only the gentlest imaginable corners. I've also included hills as part of this issue.

2. The need to deal with thermal expansion whilst maintaining air tight seals.

3. Having to deal with drunk idiots taking pot shots at the tube out the back of Nowheresville. I also include genuine accidents which could compromise part of the track or its supporting pillars.

At least underground, it is less likely to have to go around things (1), will remain at a predictable temperature (2), and is unlikely to be in close proximity to (3). What isn't solved is seismic activity. Now before anyone jumps in and points out something about the proposed route being away from the plate boundaries, you wouldn't need a large event to break the air seal or the track alignment. Elon is the best person in the world to perfect this* but what is needed here is a demonstration of solutions to the things we know to be current deal breakers.

*having a volcano lair clearly endows a level of expertise in the subject.

3
0

Microsoft hits new low: Threatens to axe classic Paint from Windows 10

Adam 1
Silver badge

Re: The end

> Silly me, and here I thought .NET apps didn't have to worry about managing memory..

I've inherited a lot of code where the author assumed that to be true. The .net GC is very good, but it isn't magical. The number of times I have seen event handlers hooked up then never unsubscribed, which prevents your views being released for garbage collection. Argh. Those and timers. But that's ok because IIS can recycle the worker process once it gets too high - something they honestly thought was a good solution.

2
0
Adam 1
Silver badge

Re: The end

> For shits and giggles if *nothing* else.

+1

Sure you can use snipping tool for screenshots. Gimp is great but hardly opens quickly and isn't necessarily on every machine you find yourself in front of. Sure Irfanview is the Notepad++ of graphics tools, but seriously, why not keep it around paint? I don't think anyone wants new features in it. Just let it live out its days.

Next they'll be pulling calc.exe

25
0

Sweden leaked every car owners' details last year, then tried to hush it up

Adam 1
Silver badge

Re: "as much value as a truckload of dead rats in a tampon factory"

@Drybones, I'm with @Snorlax on this one. Round these parts, the construction is more subtle than "as much value as X on a Y", where X and Y bear no relation. Here at least there needs to be almost a relation. So tits on a cow; great, A++, would buy again. They can either get me milk for my coffee or feed my future dinner. Both excellent endeavours. Tits on a bull... not so much.

Maybe something gets lost in translation, and I'm the first to admit that my knowledge about the manufacturing process for tampons is somewhat lacking, but truckloads of dead rats don't seem to have an equivalent that is used in the production. Maybe the word sounds like something, or maybe other parts of the world you can just say whatever you feel like with such a sentence construct. Curious.

3
0
Adam 1
Silver badge

don't over egg it

> e-mailed the entire database in clear text messages

It's not as sky falling as being made out. The data was protected by the BorkBork cipher whilst in transit.

10
3

systemd'oh! DNS lib underscore bug bites everyone's favorite init tool, blanks Netflix

Adam 1
Silver badge

Re: Underscore?

> Why the hell are netflix using them?

Is that you Poettering?

44
3

Authorities go hard on coffee maker for stiff Viagra-powered brew

Adam 1
Silver badge

I'd have given it one more.

1
0

User filed fake trouble tickets to take helpful sysadmin to lunches

Adam 1
Silver badge

Has a customer ever apologised to you?

Customer apologised you say? Clearly another fake on call.

9
0

Microsoft finally allows hosted desktops on multi-tenant hardware

Adam 1
Silver badge

But it will run Crysis!

0
1

Second one this month: Another code bootcamp decamps to graveyard

Adam 1
Silver badge

Re: Who didn't see this coming?

> This is a job field that is, by design, guaranteed to shrink.

We are a long way from that point. In fact at the moment the problem is the inverse of what you are describing. Uncle Bob in one of his lectures points out how the number of software developers has doubled every 5 years since the 60s. Another way of looking at that statistic is that at any point in time, literally half of the people writing the software you interact with every day have less than 5 years experience. And they make the poor design* choices that everyone did before wising up (usually after someone else's bovine excrement excuse for functioning code lands on their lap)**. Hence you will see headlines like "it's 2017 and [insert really stupid thing programmers in the 70s knew not to do]".

* word used with the most generous interpretation

** other alternatives exist, such as seeking a management route in their career direction

4
0

Cops harpoon two dark net whales in megabust: AlphaBay and Hansa

Adam 1
Silver badge

Re: Layers of security

> We don't catch the smart ones.

Something tells me that one look at the applicable Venn diagram will alleviate any concerns people should have about that limitation.

1
4

Segway hoverboard hijack hack could make hipsters eat pavement

Adam 1
Silver badge

Re: This vuln would have added a whole new

You must make this happen!

0
0

Tapping the Bank of Mum and Dad: Why your Netflix subscription is poised to rise (again)

Adam 1
Silver badge

@ThomH

I don't think you can look at the statistics that way and draw any sensible conclusions. The percentage may have dropped but the pie is much bigger. If the market was "people who need rides somewhere", encompassing all taxi services* rather than just Uber vs Lyft vs whoever else then you will probably find those stats showing growth.

I would be more concerned about corporate governance and culture issues that seem to always leave it a handful of controversies away from failure.

*Uber is just a taxi service by any sane definition

0
0

Reborn Nokia phones biz loses its head

Adam 1
Silver badge

possible market for them

If they want an easy market, try a mid sized mid range spec with....

actually, just grab a Nexus 5 and put a replaceable battery and micro SD card in it, stick the Nokia logo on it, then head to the pub as your r&d is done

4
0

Let's harden Internet crypto so quantum computers can't crack it

Adam 1
Silver badge

Re: @ Mark 65 Possible deadly flaw - compromised software

> Imagine using the random number to find a seek position in to a file of random noise. Then a second number to get its length. And then take a hash for your random value.

It is worth considering how random your random noise file is given the scenario of a compromised RNG.

> Now tell me how a quantum computer can break that since they lack the actual random noise file.

Is your RNG that picks the starting point and length still compromised?

Take a look at Shor's Algorithm to see the problem that quantum computers carry for classic encryption techniques. In short, AES and DH rely on the fact that factorisation of the product of two massive prime numbers is a lot more expensive than their multiplication was. If you break that assumption then pretty much all current crypto fails.

0
0
Adam 1
Silver badge

Re: Possible deadly flaw - compromised software

> For a closed source implementation (eq most Windows programs) there is a danger that a deliberately weakened random number generator is used.

It isn't just closed source with that risk by the way. The fact that such a vulnerability sat there compromising every generated random number on Debian for so many years* without anyone noticing is testament to that. It's also a pretty damn good lesson in 'comment your code if you're doing something that looks a bit unusual'. A simple explanatory comment would have stopped the 2008 'fix' being implemented.

* I don't personally believe this vulnerability was deliberately introduced.

0
0
Adam 1
Silver badge

Re: Possible deadly flaw - compromised software

> I'm also pretty sure that researchers would be able to check whether the key generator / random number generator in IE/Edge is producing shite.

Whilst my hat contains significantly reduced quantities of tin foil than Duncan's, proving that an RNG is producing unpredictable outputs is a really hard problem unless the attacker does a particularly bad job at it.

For example, the basic random number functions used for non cryptographic purposes (eg. Dice rolls in a game) will almost certainly be seeded by the system clock. That is perfectly fine, the series will stand up to scrutiny, however from a crypto point of view it would be terrible to use because an attacker would be able to narrow down the initial seed value to a (relatively speaking) minuscule search space.

There is also a bit of history of TLAs pushing compromised RNG allowing them a way to break it at will.

Ironically it is in quantum phenomena that we also find the solution to create a true RNG. For example a single photon will either reflect from or pass through a semi transparent mirror, so suitably placed detectors can be used to determine a random bitstream from a photon source. Entanglement can also be used to prove that a message hasn't been observed in transit, so quantum computing is both a blessing and a curse to crypto.

2
0
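An added illustration of the clock-seeded RNG point in the post above, which also covers the 32,768-seed Debian remark earlier on this page; it is not part of the original posts. It uses Python's `random` module as a stand-in for a non-cryptographic generator, and the timestamp, time window and seed values are constructed for the example.

```python
import math
import random
import secrets
from typing import Iterable, Optional


def weak_key(seed: int) -> bytes:
    """128-bit 'key' from a non-cryptographic PRNG; the seed is the only secret."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def clock_window(approx_ts: int, skew_s: int) -> range:
    """Every whole-second timestamp that must be considered for a known clock skew."""
    return range(approx_ts - skew_s, approx_ts + skew_s + 1)


def effective_bits(candidates: int) -> float:
    """Real strength of the key: log2 of the number of possible seeds."""
    return math.log2(candidates)


def find_seed(key: bytes, candidates: Iterable[int]) -> Optional[int]:
    """Return the seed that regenerates `key`, or None if no candidate does."""
    for seed in candidates:
        if weak_key(seed) == key:
            return seed
    return None


def audit() -> dict:
    """Compare seed search spaces for clock-seeded, 15-bit-seeded and CSPRNG keys."""
    # Constructed case 1: key made at a time known only to within +/- 1 hour.
    issued_at = 1_500_000_123
    window = clock_window(1_500_000_000, 3600)
    clock_key = weak_key(issued_at)

    # Constructed case 2: seed limited to 32,768 values, as in the Debian remark.
    small_seed_key = weak_key(31337)

    # Control: a key from the OS CSPRNG has no small seed to enumerate.
    csprng_key = secrets.token_bytes(16)

    return {
        "clock_bits": effective_bits(len(window)),
        "clock_seed_found": find_seed(clock_key, window),
        "small_seed_bits": effective_bits(32768),
        "small_seed_found": find_seed(small_seed_key, range(32768)),
        "csprng_seed_found": find_seed(csprng_key, range(32768)),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```

Both weak keys are nominally 128 bits long, yet their strength is the size of the seed space (about 13 and 15 bits here), which is why key material should come from the operating system's CSPRNG (`secrets` in Python).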

SQL Server 2017's first rc lands and – yes! – it runs on Linux

Adam 1
Silver badge

my analysis ....

Fwiw, Microsoft don't believe Windows is where the $$ will be in the future. The desktop market is being reduced year on year, some leaking to Windows laptops but a lot is going iOS/Android/Chromebook too. Their foray into mobile failed, and web search, well yeah. They have moved on and don't see Google/Apple as their primary competitors. Their primary competitor is Amazon. That is where they are trying to carve out their next ecosystem.

Look at some of their acquisitions like Xamarin, and their .net core work that sits besides this to see how serious they are taking this. Even Android gets office apps. Don't hear me wrong, they still want you to buy Windows, but in this brave new world of containers and serverless architectures, they are much more interested in staying relevant than locking you in at every point. It really is quite a contrast from a decade ago.

11
2

UK regulator set to ban ads depicting bumbling manchildren

Adam 1
Silver badge

Re: That's a start

Vacuum cleaner ads are awesome. I'm sorry, but if you start messing around with those then how will I know which one is most appropriate to help me sort through my bowling ball collection?

2
0

Dev to El Reg: Making web pages pretty is harder than building crypto

Adam 1
Silver badge

Re: Not even 140 characters?

Yes. Bloody autocarrot is having a field day.

5
0
Adam 1
Silver badge

Re: Not even 140 characters?

Asynchronous encryption (RSA/DH) is also horrendously slow (ballpark x10000 slower than synchronous). If you already have a shared secret, you wouldn't use asynchronous encryption (use AES instead). Its benefit is for sharing that key with a party you haven't met before over an insecure network.

0
0
Adam 1
Silver badge

> I spent way more time on [the presentation] than I did on the crypto-using code. Picking a colour scheme took longer than writing the code for generating a public/private key pair.

Oh. We hadn't realised it was so trivial to bypass. Perhaps our efforts would be better spent helping our agencies work together on complex cases and ensuring they have the resources and manpower needed to do their job.

-No government minister ever

5
0

Jesus walks away after 7,000lb pipe van incident

Adam 1
Silver badge

Re: Jesus!

It's not that based, it is based on the same name as Joshua.

Yeshua (Hebrew) -> Iēsous (Greek) -> Jesus (Latin)

7
0

Burglary in mind? Easy, just pwn the home alarm

Adam 1
Silver badge

stop the press

Wait. Are you saying some IoT tat is full of security vulnerabilities and the vendor doesn't respond until the tenth of never?

Quelle horreur!

5
0

UK spookhaus GCHQ can crack end-to-end encryption, claims Australian A-G

Adam 1
Silver badge

Re: End-to-end - NOT

There is a fundamental difference here between E2E and others.

Alice wants to send something to Bob using infrastructure controlled by Mallory.

Non E2E solutions involve encrypting comms between Alice and the service provider, then the service provider storing that message somewhere (perhaps temporarily), then the service provider encrypting the comms to Bob.

That service provider is something like a WhatsApp (pre signal implementation). They do it in 2 parts because

1. Key management is much easier when either Alice or Bob get a new device.

2. Key exchange is much easier when Alice and Bob aren't both online simultaneously. The service provider can hold messages sent while the other is offline then deliver it when they come online. Diffie Hellman for example requires Bob to generate a random key before Alice can know how to encrypt that message.

Pre E2E, governments could demand that the service providers pass on the messages they are sending on to Bob. If they were encrypted, they would be encrypted using the service provider's keys so no problems complying. Post E2E, service providers themselves don't know how to do it. That's a big difference.

1
0
Adam 1
Silver badge

> Is every Australian's user name 'Bruce'?

Don't be absurd. At least half are 'Sheila'. Don't make me go all Andy Murray on you!

29
0
Adam 1
Silver badge

Re: Confirmed endpoint breaks

@Brenda, the key sizes we are referring to here are so massive that even a NSA-O-matic isn't going to be able to brute force a single file before the heat death of the universe.

On the other hand, there are "other avenues of investigation" that do have a pretty good chance of working.

8
0

Funnily enough, charging ££££s for trashy bling-phones wasn't a great idea

Adam 1
Silver badge

Wasn't android, but yes there was.

https://en.m.wikipedia.org/wiki/I_Am_Rich

15
0

Set your alarms for 2.40am UTC – so you can watch Unix time hit 1,500,000,000

Adam 1
Silver badge

Also, seconds! Really? I thought this was a tech site. Shirley we should be measuring time in beard metres.

9
0

JavaScript spec gets strung out on padding

Adam 1
Silver badge

solving the song problem

The issue here isn't with left pad, it is with dependency frameworks like npm that make it all too easy to consume disparate collections of third party libraries in a way that makes this sort of thing inevitable.

Should the language have it built in? Probably, but that is going to be years away before you can safely assume any browser hitting your site supports it. The bigger question is what function disappears next for {reasons=null,noticeDays=0}.

8
0

G20 calls for 'lawful and non-arbitrary access to available information' to fight terror

Adam 1
Silver badge

Re: I'm going to keep doing this...

I especially liked this bit:

7ttqmBCzMoNKFcSliD7f6cLUNw6/nqeWqkGJ6HxJbd

1
0
Adam 1
Silver badge

Nice write-up Vanessa. Salient points.

0
0
Adam 1
Silver badge

Re: Hmmm

Ironically, it's the same Turnbull* that was explaining in breakfast TV the merits of wickr a few years back.

*allegedly, it isn't entirely clear given his position on so many issues has changed in exchange for the top gig.

2
0
Adam 1
Silver badge

We will be calling on the biro and paper industries to work together with law enforcement agencies to provide access to such information in order to help keep our communities safe.

2
0
Adam 1
Silver badge

@grahamcobb

Signal is open source too and guess who uses that.

1
0
Adam 1
Silver badge

Re: Except they won't, because they can't

> And how will people know that?

Well if they switch from the signal protocol to something new without the public discussions about whatever weakness they see in what they currently use, it's time to be suspicious.

0
0

Ghost of NTLM still haunts Microsoft: Aged protocol hole patched

Adam 1
Silver badge

Is the rabbit European or African?

4
0

Better mobe coverage needed for connected cars, says firm flogging networking gear

Adam 1
Silver badge

I can see the benefit of a connected car for safety. If my car's autonomous emergency braking kicks in to avoid something, it is a good thing if my car immediately broadcasts to surrounding vehicles so they can take evasive action if needed (particularly those following me). I am thinking things like exact position, speed, shortest time to stop, longest time to stop whilst avoiding the obstacle (so cars with different braking capabilities can avoid collisions if possible), negotiating cars in adjacent lanes or the other side of the road to pull over/speed up/slow down to avoid or minimise a collision.

What I don't see here is any need for a mobile network. This only needs WiFi range. A car that is 1km away doesn't need to know my intentions in an emergency.

0
0
Adam 1
Silver badge

> They can't even get ubiquitous coverage throughout the UK.

Can't is not the same as economically unfeasible. Each base station has a capex cost to purchase, build and wire up, a lease cost for the site and an operating cost (power/administration/maintenance/licensing bandwidth etc). The coverage is dictated by environmental factors (hills/buildings/etc) and capacity constraints (a single cell could easily cover a couple of football pitches, but could not carry the load of grandstands full of customers). Telcos are therefore interested in an optimistic outcome, not ubiquitous coverage. The fewer base stations they need (in general), the less needs to go on the expense side of the balance sheet. The more customers they can sell to at a coverage level where they are happy*, the better the revenue side. They aren't going to put in a new base station to allow them to sell to a handful of potential customers.

*using a very loose definition of happy that equates to "won't go to another provider"

0
0

Bloke takes over every .io domain by snapping up crucial name servers

Adam 1
Silver badge

Curious. Could he have generated a wildcard certificate for *.io?

Imagine the fun he could have had if this was live....

0
0

His Muskiness wheels out the Tesla Model 3

Adam 1
Silver badge

Re: It will retail for just $35,000

H2 is a non starter for cars in my view (and I'm hardly alone). It isn't dense enough without compression/liquefaction for a practical driving range (huge energy overhead right there). It requires some pretty expensive parts inside the catalyst (that bit does have some progress but it's not happening tomorrow).

Most importantly, it requires hydrogen in very large quantities. Hydrogen is light* so doesn't on its own collect in untapped wells. That means you need to split it off some other molecule. Water works, sure. Add some electricity, get your 2 H2O => 2 H2 + O2. But you have just lost at least 35% of the energy you put in. Far more cost effective to start with natural gas: CH4 + O2 => 2 H2 + CO2. Then I guess you can vent that CO2 into the atmosphere thereby defeating the purpose of switching away from fossil fuels in the first place.

So apart from being dirtier, less efficient, harder to handle, more expensive to construct the "engine", I say it had great potential. Its only saving grace is that you can refill it quickly. Don't get me wrong, that's important, but to me that's a much easier problem to imagine a solution to than all the others I have listed.

*Citation needed

11
1

'My dream job at Oracle left me homeless!' – A techie's relocation horror tale

Adam 1
Silver badge

> The story also has something of a happy ending.

Well, obviously. You already said that the job didn't work out for him. Imagine if after those international moving hiccups if he still had to work for them.

13
0
Adam 1
Silver badge

in his defense

It doesn't mention that it was a good dream

33
0

Biting the hand that feeds IT © 1998–2017