* Posts by Adam 1

1716 posts • joined 7 May 2012

Nest cameras can be easily blacked out by Bluetooth burglars

Adam 1
Silver badge

> Nest deliberately designs its cameras to use internet-hosted storage for video, not local storage

Wait, a *security* camera that is flummoxed by a lack of internet connection? Using cloud storage doesn't stop you including a cheap sd card as a rolling buffer.

Oh and Google, October would be 90 days ago Shirley.

9
0

DNS lookups can reveal every web page you visit, says German boffin

Adam 1
Silver badge

Re: So does that mean...

Another way would be to have a collection of DNS servers configured locally that get round robin'd for each request, since profiling requires combining the pattern of DNS lookups from specific pages.

That, or if you're feeling like a real crazy cat, use an ad blocker and VPN.

5
0

Git sprints carefully towards SHA-1 deprecation

Adam 1
Silver badge

> "it's no longer possible to prove that (for example) a hashed document is unique"

Agreed with OP. This is not the goal. It relies on the fact that the amount of hardware, CPU/GPU time, electricity and opportunity cost involved in "reversing" the hash back to the original bytestream means that a suitably resourced attacker wouldn't bother.

Whilst it is much harder to hide junk bytes of your choosing unnoticed in source code than in a PDF file, it wouldn't be impossible to use comment blocks or constants.

0
0

SVN commit this: Subversion to fix file renaming after 15 years

Adam 1
Silver badge

Re: Is this still being used?

> Is this still being used?

What a weird question.

I assume you have ranked them in your head and have put git at #1. Out of curiosity, what would you put at #2 and #3?

1
1

Judge issues search warrant for anyone who Googled a victim's name

Adam 1
Silver badge

Re: you heard it hear first

Just looking out for you dude. Whatever you do, don't click the "did you mean?" hyperlink!

0
0
Adam 1
Silver badge

Re: you heard it hear first

"here". It's Friday....

0
0
Adam 1
Silver badge

you heard it hear first

You better not Google Barbara Streisand or you are ..... hang on, there's a knock at the site I'll be back in a minu....

11
0

Hell freezes over: We wrote an El Reg chatbot using Microsoft's AI

Adam 1
Silver badge

Re: If you're truly brave...

They tried it a few years ago, but had to shut down the Eadon bot when the caps lock got jammed.

13
0

Barrister fined after idiot husband slings unencrypted client data onto the internet

Adam 1
Silver badge

Don't mix up encryption with public access. The data being encrypted is about physical protection (eg if the laptop is lost/stolen) and to prevent MitM. It doesn't help if you configure your server to send it to anyone who asks.

0
0
Adam 1
Silver badge

Re: Everything is relative.

Fair enough and I'm sure she feels terrible, BUT...

There is a limit to the scope of contract you as an IT Pro would be willing to sign before bringing lawyers at 12 paces. IANAL, but I have seen clauses in contracts that aren't worth the paper they are written on because the thing they try to claim indemnity for (as an example) cannot be indemnified against due to legislative protections.

I would expect a barrister to understand their liability for breaking client privilege or publishing information with various suppression orders active. And knowing that, it would be incredibly surprising to think it's ok for the data to be downloaded onto a shared computer where the husband alone might accidentally stumble upon confidential documents whilst searching for something he needs. And I would expect such computers used to handle that data to be maintained by people who have signed both confidentiality agreements and agreements that state that the data will be handled in accordance with best security practices. So again, she either failed to obtain those assurances or her husband should be rather nervous about his breach of contract.

And finally £1000?? Did she park in a bus zone or compromise the private documents of hundreds of people through at best carelessness?

3
1

Mini-VODAFAIL hits Australia

Adam 1
Silver badge

I'd say less so

I mean historically, you tolerated a bit of droptus/vodafail or worse because their plans were priced competitively. If reliability was critical, you paid your Telstra tax. These days, Telstra is probably the worst of the three.

0
0

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Adam 1
Silver badge

Re: It only makes it easier to crack...

> Why not just have an increasing delay between logon attempts?

That defence only works against online attacks. And it is probably easier to detect enumeration attempts from the same IP and blacklist it. More likely though, someone forgot to password protect their MongoDB which gets lifted and then they throw hashcat at it.

0
0
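The distinction the post draws (a login throttle only bites on the online path, while a lifted table of fast unsalted hashes is cracked offline at full speed) worked through as an added example. This is not code from the article or from Stack Overflow; the leaked table, user names, passwords and wordlist are constructed for the demonstration, and the throttle reports the delay it would impose instead of actually sleeping.

```python
import hashlib
import hmac

# Constructed sample: a leaked, unsalted SHA-1 password table, standing in for
# the "forgot to password protect their MongoDB" scenario. Users and passwords
# are made up for this example.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"letmein").hexdigest(),
    "bob": hashlib.sha1(b"Summer2017!").hexdigest(),
    "carol": hashlib.sha1(b"correcthorsebatterystaple").hexdigest(),
}

# A small constructed wordlist standing in for a hashcat dictionary run.
WORDLIST = ["123456", "password", "letmein", "Summer2017!", "qwerty", "welcome1"]


class ThrottledLogin:
    """Online login with an increasing delay per failed attempt.

    The delay is returned as the seconds the server *would* sleep, so the
    example runs instantly; a real endpoint would actually wait or lock out.
    """

    def __init__(self, table, base_delay=1.0):
        self.table = table
        self.failures = {}
        self.base_delay = base_delay

    def attempt(self, user, password):
        digest = hashlib.sha1(password.encode()).hexdigest()
        stored = self.table.get(user)
        if stored is not None and hmac.compare_digest(digest, stored):
            self.failures.pop(user, None)
            return True, 0.0
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        return False, self.base_delay * (2 ** (n - 1))  # 1s, 2s, 4s, ...


def online_guess(login, user, wordlist):
    """Push the wordlist through the login endpoint.

    Returns (password found or None, total delay the throttle imposed)."""
    total_delay = 0.0
    for candidate in wordlist:
        ok, delay = login.attempt(user, candidate)
        if ok:
            return candidate, total_delay
        total_delay += delay
    return None, total_delay


def crack_offline(table, wordlist):
    """Dictionary attack against the dump: no throttle exists on this path.

    Unsalted hashes mean one hash per candidate covers every user at once,
    which is why fast unsalted hashes fall so quickly to hashcat."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def slow_hash(password, salt, iterations=200_000):
    """What the table should have stored instead: a salted, slow KDF.

    Each offline guess now costs `iterations` HMAC-SHA256 operations, and the
    per-user salt removes the one-hash-covers-all-users shortcut above."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    login = ThrottledLogin(LEAKED_SHA1)
    print("online guessing of bob :", online_guess(login, "bob", WORDLIST))
    print("offline crack of dump  :", crack_offline(LEAKED_SHA1, WORDLIST))
```

Running it shows the throttle costing the online attacker seven seconds of enforced waiting to reach bob's password, while the offline pass recovers every weak password in the dump in a single dictionary sweep; carol's passphrase survives both only because it is not in the wordlist, which is the argument for the slow salted KDF at the end.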

Cold callers illegally sold Aussie farmers 1,700 years worth of printer ink

Adam 1
Silver badge

is there more to this?

I mean, don't misunderstand me, cold callers are only one step above politicians, but would they reasonably be expected to know how many printers a specific farm might require?

And farmers who apparently can't afford $1/L milk at colesworths but don't notice 80K in their IT consumables budget? Weird.

Also, been a while since I looked at my map, but why is the Brisbane Times reporting on a Victorian tribunal decision about 2 Melbourne businesses?

2
1
Adam 1
Silver badge

I call bull!

0
0
Adam 1
Silver badge

Re: HP cartridges

> how Mrs sharp manages to make one cartridge operable for over a year in the heat and dust of the aussie desert

Yeah, The Great Melbourne Desert is up there on my bucket list.

3
0
Adam 1
Silver badge

Re: This just reinforces the stereotype

> Fosters

Yeah sorry about that.

4
0

BOAR-ZILLA stalks Fukushima's dead zone

Adam 1
Silver badge

Spider pig. Spider pig...

27
0

Zero-days? Sexy, sure, but crap passwords and phishing are probably more pressing

Adam 1
Silver badge

Why? Averages can be skewed by outliers. Trimmed mean might be better than either, but the main question is whether that number meaningfully illustrates what is happening with the data.

0
1

Fraud detection system with 93% failure rate gets IT companies sued

Adam 1
Silver badge

Agreed. You could almost get half a fighter jet for that.

2
0

CIA hacking dossier leak reignites debate over vulnerability disclosure

Adam 1
Silver badge

Re: I've been saying this since the Snowden revelations came out...

Exactly. The Windows zero day (for example) will get reported to Microsoft when both

* A better/faster/less detectable exploit is discovered/purchased; AND

* They catch an adversary doing it.

If the first point hasn't happened, the second point won't be a consideration.

3
0

Spies do spying, part 97: Shock horror as CIA turn phones, TVs, computers into surveillance bugs

Adam 1
Silver badge

Re: @ Adam1

Sorry. I misread your comment as "don't bother with VPN or Tor because that makes you interesting".

0
0
Adam 1
Silver badge

Re: So if they've redacted the actual exploits

I think they should be giving Google at least 90 days before publishing. Only fair.

1
0
Adam 1
Silver badge

Re: In CIA Russia...

In Soviet Russia, you listen to your TV.

2
0
Adam 1
Silver badge

Re: If a nation-state agency wants you --

> do not be interesting in the first place.

So your argument is that your obscurity provides your security. Let me know how that works out for you....

3
1
Adam 1
Silver badge

21. Your secret master key escrow backdoored encryption will be compromised. Don't worry though, it'll only be all encrypted information that's at risk.

2
0

Centrelink 'big data' system built without consulting taxman

Adam 1
Silver badge

Tudge has got to go. As outrageous as the design flaws with the system are, the real shocking thing is that they haven't paused the automation whilst they sort it out. I am in the fortunate position to have had very little to do with them, but what I did see was an organisation that was unable to arrange for a human to assist with an enquiry. Everything was about being redirected to their online portal, seemingly developed by Satan himself, which, when you followed those instructions, then told you that you needed to go in person.

The sooner they understand that half their clients are only there because of poor and immoral decisions made in boardrooms half a world away and not because of laziness (some are of course), the sooner they can start treating people with respect they deserve as humans.

4
0

Watt the f... Dim smart meters caught simply making up readings

Adam 1
Silver badge

bigger problems

The biggest problem is that there will be some hard coded telnet password for a root session on these things, and once remotely exploited, miscreants are going to do serious damage to the grid by cutting gigawatts of demand within seconds.

8
0

UK Home Office spy powers unit pretended it was a private citizen in Ofcom consultation

Adam 1
Silver badge

Re: Get what you wish for

> the clear implication of the government (a) lobbying itself and (b) pretending to be a private individual.

I have no problems with (a). It is a good thing™ for governments to extol their positions on any matter and to force them to justify the positions they are advocating. My problem is with (b). And I have a big problem with it. It has the optics of an attempt to present a case for change or not without the usual skepticism applied to a normal government mouthpiece.

2
0
Adam 1
Silver badge

Re: Get what you wish for

> Sort of ironic that someone disguised their identity to complain about a technology which would allow people to disguise their identities.

IT'S LIKE RAAAAIIIINNN....

1
0

3Par brought down Australian Tax Office with >REDACTED<

Adam 1
Silver badge

> some are likely to go to litigation.

Not buying it. There is no way they'll pay up without lawyers at 12 paces.

<Tinfoil hat mode>

I could believe that HPE were offered a very good settlement in exchange for falling on their sword. The government really doesn't want any more IT failures on its watch.

</Tinfoil hat mode>

5
0

User rats out IT team for playing games at work, gets them all fired

Adam 1
Silver badge

Re: Big Companies and Policies

Curious about the down vote. Happy for anyone to disagree with me, but at least state your argument so I can see where you're coming from.

Despite what the story states, it is not going to be everyone's job to check the backup. Most of that 75 won't even have the rights to do so, nor should they. And it's not unheard of for places to be temporarily overstaffed. Think about what happens with planned mergers or spin offs, where IT functions can get duplicated for a while or sit there idle until some other department gets up to capacity. Sometimes it is cheaper to pay people to do nothing for a few months than to scale up or down, especially where the skillsets are not so fungible.

That said, it appears some mock DR exercises would have been a better use of time with hindsight.

0
0
Adam 1
Silver badge

Re: Big Companies and Policies

> Difficult call - without further information

Very easy call. Of the 32.5 people let go, I could believe that it was 1 person's job to do the backup monitoring and tapes so fair enough for them. Also someone was their manager and failed in their oversight. That's another one or two. So what did the other 30 do wrong? Assuming they had finished their tasks and they had their management's permission to be running whatever application, then the decision to let them go can't be disciplinary related.

2
1

Amazon S3-izure cause: Half the web vanished because an AWS bod fat-fingered a command

Adam 1
Silver badge

Re: Makes me wonder how many others in the "playbook" have this capacity.

> Ultimately somebody has to have the power to do this because shutting down servers is a valid admin activity. However it should be made a multistep process with plenty of Are You Sure? types prompts

How about "Please enter the shutdown validation GUID. This can be found on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’."

0
0

We found a hidden backdoor in Chinese Internet of Things devices – researchers

Adam 1
Silver badge

Pfft. Like my car. It has two back doors that I'm aware of.

/Grabs coat

2
0
Adam 1
Silver badge

Re: With a bit of luck

Or they will just rebrand with a new logo sticker on the side and carry on business as usual. Hardly a middle kingdom phenomenon though...

0
0

Germany, France lobby hard for terror-busting encryption backdoors – Europe seems to agree

Adam 1
Silver badge

Re: openpgp

Firstly, not the down voter. I agree with the general gist of what you are saying. My only disagreement would be about the easiness of detection. Remember that a lot of things need to hold true for encryption to be secure. A few years back, Debian's RNG was accidentally screwed up by removing some code that looked buggy but was necessary for seed initialisation. That fundamentally compromised all encryption operations for a 2 year period.

See https://www.schneier.com/blog/archives/2008/05/random_number_b.html

2
0
Adam 1
Silver badge

Re: Requirement

For me the question isn't whether a backdoored encryption approach would prevent some crime, even some serious crime. Of course it will. There is a large overlap between the Venn diagram of idiots and criminals, so it is obvious that some idiot criminal is going to use the backdoored crypto and be caught with much fanfare. The question is what do we have to trade off to get that? One is the risk of some rogue group getting their hands on such a key. The other is for misbehaviour of its trusted custodians.

Anyone who has studied history will immediately recognise the difficulty of considering that to be "a good trade-off". Heck, we have detailed information now in the public domain about top secret intelligence operations, compromised hardware/software/algorithms because they couldn't stop one of their own from "stealing it". Colour me unconvinced on this...

5
0

LG, Huawei unwrap 'Samsung Galaxy-killers'

Adam 1
Silver badge

better call quality!?

Why waste your R&D budget on features that no-one will bother reporting? (Current company excluded). Shirley better to do something like make it thinner, remove useful ports, change the aspect ratio or remove wireless charging like a normal vendor.

2
0
Adam 1
Silver badge

Re: You could be a touch more sceptical, please

> are you nuts or an Intel employee

False choice!

0
0

Energy market operator used urban data only, undershot heatwave forecast by 3°C

Adam 1
Silver badge

Not quite as crazy as it sounds

Nearly 80% of the state's population live in or around Adelaide, and no-one lives in most of it. Compare that to about 65% for Sydney metro vs NSW. Don't get me wrong, they definitely have questions to answer. At so close to the margin and with plenty of warning, everyone should have been on standby. Can't do much about freak storms knocking down your towers (other than, you know, maintenance), but this should not have happened. They have really stuffed up if SHY sounds sensible.

0
0

HPE's Australian tax failures may have been user error

Adam 1
Silver badge

> The Register has filed a freedom of information request with the ATO, seeking documents explaining the nature of the outages

HAHAHAHAHA. You must be new here. Where even the Attorney General's appointments on a specific date range are "too much effort" to respond to a FOI, I really don't like your chances...

3
0

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time

Adam 1
Silver badge

Re: Pigeonhole Principle

> or partitioning the document and using the same hash method to "cover" overlapping portions of it

Just be aware that whilst the pigeonhole principle shows that it is mathematically certain that two documents that collide must exist where the input size exceeds the hash output size, it does not follow that two inputs that are smaller than the hash output cannot collide. In a well designed algorithm, it should be both very rare and computationally infeasible to find the other, i.e. nothing short of brute force.

0
0
Adam 1
Silver badge

> There are far more possible documents than there are hash function outputs

Known as the Pigeonhole principle. Where the size of input exceeds the size of the hash output, there not only "can be" but "must be" collisions. To those harping on about file size differences, Windows Explorer rounds to the closest KB unless you specifically check the details of the properties. For most use cases, having a slightly different file size is unimportant, but it is impressive nonetheless that they could locate a collision even constraining themselves to the valid file format and same file size.

Designing effective hash functions is really hard. I had to last year and stuffed it big time. It wasn't a cryptographic hash but one that would see hundreds of thousands of our objects get hashed into different buckets for faster dictionary lookups. So basically you had an infinite combination of inputs that had to hash to 32 bits (about 4 billion). I managed to create an accidental swarm to zero which meant that whilst there was good distribution generally, a substantial proportion of real world objects would end up in bucket 0. After fixing it, the worst I saw was in the 3 objects per bucket out of a million range.

1
0
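The "accidental swarm to zero" described in the post, reproduced as an added example (not the commenter's code, and not a cryptographic hash): a naive field-XOR bucket hash looks well distributed on random input but sends every common-case object with x == y and no flags to bucket 0, whereas running the packed fields through a real mixing function keeps the worst bucket near the average. The objects and their 40% skew are constructed for the demonstration; blake2b is used as the mixing function only because it ships with Python, and any well-mixed non-cryptographic hash would do for a dictionary.

```python
import hashlib
import struct
from collections import Counter

BUCKETS = 1024


def make_objects(n=100_000):
    """Constructed sample objects (x, y, flags). 40% of them are 'squares'
    (x == y, no flags set): the kind of common real-world case a naive hash
    quietly piles into a single bucket."""
    objs = []
    for i in range(n):
        if i % 5 < 2:
            objs.append((i, i, 0))
        else:
            objs.append((i, (i * 7919) % 100_003, i % 8))
    return objs


def naive_hash(obj):
    """XOR of the fields into 32 bits: cheap, and fine on a random sample,
    but every object with x == y and flags == 0 hashes to exactly zero."""
    x, y, flags = obj
    return (x ^ y ^ flags) & 0xFFFFFFFF


def mixed_hash(obj):
    """Pack the fields and push them through a mixing function, taking a
    32-bit digest so the bucket index is derived from well-mixed bits."""
    data = struct.pack("<iii", *obj)
    return int.from_bytes(hashlib.blake2b(data, digest_size=4).digest(), "little")


def bucket_stats(objs, hash_fn, buckets=BUCKETS):
    """Return (share of objects landing in bucket 0, size of the fullest bucket).

    With 100k objects over 1024 buckets a good hash averages about 98 per
    bucket; a swarm shows up as a bucket-0 share far above 1/1024."""
    counts = Counter(hash_fn(o) % buckets for o in objs)
    return counts[0] / len(objs), max(counts.values())


if __name__ == "__main__":
    objs = make_objects()
    print("naive hash (bucket-0 share, worst bucket):", bucket_stats(objs, naive_hash))
    print("mixed hash (bucket-0 share, worst bucket):", bucket_stats(objs, mixed_hash))
```

The check worth keeping from this is `bucket_stats` itself: run it over a sample of production objects rather than synthetic ones, because the structure that defeats a hash (equal fields, default values, zero padding) only shows up in real data.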
Adam 1
Silver badge

Re: "just stash away the "KJ"BIUE_D H£(*ERNY£" in a garbage area, you're sorted."

Why does the size have to be identical? As long as the artifact is a believable size you can launch an attack.

Imagine an executable file download through some sort of update mechanism that uses sha1 to validate the binary before executing it. No-one will notice that the 64MB upgrade.exe is 25KB larger. But now the attacker has replaced the intended payload with their own. It would be interesting to know about the collision algorithm. Like does it require the two files to be nearly identical? Does a large file take longer to generate a collision?

2
0
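The two ideas running through this thread and the earlier Git SHA-1 comment (junk bytes parked in a comment block where nobody looks, and the pigeonhole guarantee that collisions exist once inputs outnumber digests) combined into one added example. This is not the researchers' collision, nor code from any of the posts: it truncates SHA-1 to 32 bits as a toy stand-in for a too-short digest and runs a birthday search across benign and backdoored variants of a constructed snippet, varying only a trailing comment. At 32 bits the expected cost is roughly 2**16 hashes of each kind; the same search against full 160-bit SHA-1 would cost about 2**80, which is why the 2017 result needed cryptanalysis (about 2**63 SHA-1 computations) rather than brute force.

```python
import hashlib

# Constructed source snippets: the attacker wants the benign one reviewed and
# the malicious one shipped, under the same (truncated) digest.
BENIGN = b"def check(user, pw):\n    return verify(user, pw)\n"
MALICIOUS = b"def check(user, pw):\n    return pw == 'letmein' or verify(user, pw)\n"

TRUNC_BITS = 32  # toy digest width; real SHA-1 keeps all 160 bits


def truncated_sha1(data, bits=TRUNC_BITS):
    """SHA-1 truncated to `bits` bits, standing in for a too-short digest."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)


def with_junk(src, n):
    """Append a comment carrying the junk; the code itself is untouched, which
    is exactly the "comment blocks or constants" hiding place."""
    return src + b"# build-id: %08x\n" % n


def find_collision(benign, malicious, bits=TRUNC_BITS, limit=1 << 20):
    """Birthday search across two sets (benign variants, malicious variants)
    for a truncated digest both share. Returns (benign_bytes, malicious_bytes).

    Expected work is about 2**(bits/2) hashes per set, not 2**bits: the
    pigeonhole principle says collisions exist, the birthday bound says how
    cheaply a generic attacker finds one."""
    seen_benign = {}     # truncated digest -> junk counter
    seen_malicious = {}
    for n in range(limit):
        b = with_junk(benign, n)
        hb = truncated_sha1(b, bits)
        if hb in seen_malicious:
            return b, with_junk(malicious, seen_malicious[hb])
        seen_benign[hb] = n
        m = with_junk(malicious, n)
        hm = truncated_sha1(m, bits)
        if hm in seen_benign:
            return with_junk(benign, seen_benign[hm]), m
        seen_malicious[hm] = n
    return None


def accepts_by_truncated_digest(artifact, trusted_digest, bits=TRUNC_BITS):
    """An updater that trusts the short digest alone cannot tell the pair apart."""
    return truncated_sha1(artifact, bits) == trusted_digest


if __name__ == "__main__":
    good, bad = find_collision(BENIGN, MALICIOUS)
    trusted = truncated_sha1(good)
    print("benign accepted   :", accepts_by_truncated_digest(good, trusted))
    print("malicious accepted:", accepts_by_truncated_digest(bad, trusted))
    print("full SHA-1 differs:", hashlib.sha1(good).digest() != hashlib.sha1(bad).digest())
```

Note that the two artifacts differ in size by the length of the backdoor line, and the "updater" never notices, which is the point about size checks above; the real defence is a digest wide enough that the birthday bound is out of reach plus a signature over it, not a length comparison.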

Mysterious Gmail account lockouts prompt hack fears

Adam 1
Silver badge

Re: Google stating problems occurred as a result of "routine maintenance"

It really did look like some sort of phishing attack. And certainly Google have now through lack of foresight opened up their user base to fall for the next one. They should have had a website explaining exactly why you needed to reauthenticate. Not a mystery popup!

1
0

Boffins exfiltrate data by blinking hard drives' LEDs

Adam 1
Silver badge

Re: Root access

> your fictitious drone videos them from a handy window would more likely to go unnoticed than a HDD thrashing for no apparent reason

Nonsense. It's simple to mask. Simply call the executable svchost.exe and no-one will bat an eyelid when it randomly consumes all the system resources.

You are treating this attack vector as if it is a fairy tale, but remember Stuxnet was a weapon that accidentally got out but it was designed to take out Iran's nuclear enrichment capabilities on air-gapped systems. It is not beyond comprehension to imagine a machine that is not air-gapped but is firewalled off. Sometimes the observer just needs a private key so they can MitM on the legitimate channel without detection. This sort of bandwidth could send out a private key sub second with no packets apparently leaving the network.

1
0

I was authorized to trash my employer's network, sysadmin tells court

Adam 1
Silver badge

Re: "I wish for world peace"

Why? It will just say something like "in the discharge of their authorised duties, the employee agrees to at all times refrain from actions likely to cause damage to the company, its suppliers, customers, associates, ...."

If your company gives you a car, you have the right to depress the accelerator or brake hard to avoid an emergency. It does not follow that you are permitted to do it for kicks until you've damaged it.

Hope he loses. What an arse hat.

11
9

Swedish politician wants weekly hour of paid sex. For exercise

Adam 1
Silver badge

Has El Reg approached Trump for comment?

(Autocarrot wanted to write consent. I had a good chuckle)

1
2

US judge halts mass fingerprint harvesting by cops to unlock iPhones

Adam 1
Silver badge

Re: At reader level yes

With regard to the collision rate of fingerprints, that is a side issue. It actually becomes worse in some cases. Some occupations are notorious for using chemical compounds that effectively eat away the prints so for those people the templates have a lot fewer points of interest and so collisions become possible. Most APIs won't let such people record a template. But the templates are basically a set of angles and distance measurements. No two scans of the same finger would ever result in the same measurements any more than taking two photos from a tripod could create a byte wise identical bitmap. The question is never "are they a match" (hint: infinite FRR). It is always "are they acceptably close". That's where the complex math starts because you are expecting features in a similar location to distort in a similar way, and some features are missing altogether because of sloppy scans.

1
0
Adam 1
Silver badge

Most biometric APIs I have played with allow you to trade off your false accept rate (FAR) vs false reject rate (FRR). FAR and FRR are opposite sides of the same coin. You can't improve one without making the other worse. There are usually two broad use cases.

1. The person claims an identity and this is a second factor where they prove it. (Well technically they only prove they have your finger/iris/hand but you need to understand your threat model)

2. Out of a large number of candidates, decide which identity has presented their digit.

With 1, you can tolerate a much higher FAR (it's the FRR that makes usability suck). With 2, you need a very small FAR but that does require a nicer template and a nicer scan than 1.

If you take a mobile phone use case, it's actually much closer to 1. You want it to unlock even with the vaguest of touches in any orientation and with any light level. You could tolerate a 1:10000 FAR quite easily. For blame purposes, you want FAR to be 1:10s of millions+.

8
0
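The FAR/FRR trade-off in the two posts above, worked through as an added example that is not code from the commenter or from any biometric API. Templates are toy feature vectors with constructed Gaussian noise and a couple of dropped features per scan standing in for a sloppy capture; the "acceptably close" decision is a distance threshold, and sweeping it shows the two rates moving against each other. The last function shows why use case 2 (1:N identification) needs a much smaller per-comparison FAR than use case 1.

```python
import random

random.seed(7)
FEATURES = 16  # toy template: a vector of minutiae-like angle/distance measurements


def enrol(n_people):
    """One stored template per identity; constructed values, not real biometrics."""
    return [[random.gauss(0.0, 1.0) for _ in range(FEATURES)] for _ in range(n_people)]


def scan(template, noise=0.35, missing=2):
    """A fresh capture: the same finger never yields identical numbers, and a
    sloppy scan loses some features (represented here as None)."""
    probe = [v + random.gauss(0.0, noise) for v in template]
    for idx in random.sample(range(FEATURES), missing):
        probe[idx] = None
    return probe


def distance(template, probe):
    """Mean squared difference over the features that were actually captured."""
    diffs = [(t - p) ** 2 for t, p in zip(template, probe) if p is not None]
    return sum(diffs) / len(diffs)


def sample_scores(templates, trials=300):
    """Constructed score sets for 1:1 verification: distances from a claimed
    identity's template to a genuine scan and to an impostor's scan."""
    genuine, impostor = [], []
    for _ in range(trials):
        g = random.randrange(len(templates))
        i = (g + random.randrange(1, len(templates))) % len(templates)  # i != g
        genuine.append(distance(templates[g], scan(templates[g])))
        impostor.append(distance(templates[g], scan(templates[i])))
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) at one 'acceptably close' threshold. Loosening the threshold
    can only raise FAR and lower FRR; tightening it does the reverse."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def identification_far(far_1to1, population):
    """Use case 2: a probe compared against N enrolled templates gets N chances
    to false-accept, so the effective FAR is 1 - (1 - FAR)**N."""
    return 1 - (1 - far_1to1) ** population


if __name__ == "__main__":
    genuine, impostor = sample_scores(enrol(50))
    for threshold in (0.0, 0.1, 0.2, 0.4, 0.8, 1.6):
        print(f"threshold {threshold:4.1f} -> FAR, FRR = {error_rates(genuine, impostor, threshold)}")
    print("1:1 FAR of 1e-4 becomes", identification_far(1e-4, 10_000), "against 10k templates")
```

At threshold 0.0 the FRR is 1.0 (the "infinite FRR" of demanding an exact match); at a very loose threshold the FAR reaches 1.0. Whatever operating point a phone picks for unlocking, the same per-comparison FAR used for a 1:N search over a large enrolment gives an effective false-accept rate close to certain, which is the gap between the two use cases in the post.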
