Posts by Adam 1

2497 posts • joined 7 May 2012

Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative

Adam 1 Silver badge

Re: Security software 101

> You keep it at least hashed

A hash is a cryptographic one way function. Knowing the hash, it is mathematically impossible to recover the original string without brute forcing all possible strings and looking for one that gives the same hashed value. Being able to vomit back the original password into a password box is kinda a big thing for a password manager.

> or XOR-ed with some other binary

So where do you put that binary so the attacker can't do the same? Why don't you just put the passwords there instead.

Also, what would happen if you xor'd the obfuscated passwords together with other obfuscated passwords from that same secret binary? What can you learn about the key? What if you discover just one of those passwords in a paste bin dump then xor the obfuscated password with the known one? Oh look, secret binary in clear. Now we can read any others too.

Fun isn't it?

Even something as "simple" as clearing the secret out of memory is much harder than you might think. Depending on the runtime involved, you may be relying on a garbage collector to actually overwrite the memory, and your control over that process is limited. And that's before you consider whether it might be in the CPU caches, which might, as recent vulnerabilities show, be an oracle.
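The XOR argument above, worked through as an added example (not code from the original comment): XOR-ing two obfuscated records cancels the fixed key, and one leaked plaintext gives the key back, unlocking the rest. The key, the password values and the vault layout are all constructed for the demo.

```python
# Added example, not code from the original comment: why XOR-ing stored
# passwords with one fixed "secret binary" is not protection.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats as needed (the naive obfuscation)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


# Constructed sample vault: one fixed key and three stored passwords.
SECRET_BINARY = bytes.fromhex("3a7f19c4e2b055d1")   # constructed, 8-byte period
PASSWORDS = {
    "mail": b"correct-horse",
    "bank": b"Tr0ub4dor&3",
    "shop": b"hunter22hunter",
}
OBFUSCATED = {name: xor_bytes(pw, SECRET_BINARY) for name, pw in PASSWORDS.items()}


def xor_two_records(a: bytes, b: bytes) -> bytes:
    """XOR two obfuscated records: the key cancels and pw_a XOR pw_b remains,
    so the store leaks how the plaintexts relate to each other, key or no key."""
    return bytes(x ^ y for x, y in zip(a, b))


def infer_period(keystream: bytes) -> int:
    """Smallest p for which the recovered keystream repeats every p bytes.
    Returns len(keystream) when no shorter period is visible."""
    for p in range(1, len(keystream)):
        if all(keystream[i] == keystream[i + p] for i in range(len(keystream) - p)):
            return p
    return len(keystream)


def recover_key(obfuscated: bytes, known_plaintext: bytes) -> bytes:
    """One leaked plaintext (a paste-bin dump, say) XORed with its obfuscated
    form gives the keystream that covered it; when the plaintext is longer than
    the key, the repeating pattern reveals the whole key. If the leaked password
    is shorter than the key, only that prefix of the key comes back."""
    keystream = xor_bytes(obfuscated, known_plaintext)[: len(known_plaintext)]
    return keystream[: infer_period(keystream)]


def recover_all(obfuscated: dict, leaked_name: str, leaked_pw: bytes) -> dict:
    """Recover every stored password from the single leaked one."""
    key = recover_key(obfuscated[leaked_name], leaked_pw)
    return {name: xor_bytes(blob, key) for name, blob in obfuscated.items()}


if __name__ == "__main__":
    # Relationship leak without any key knowledge:
    print(xor_two_records(OBFUSCATED["mail"], OBFUSCATED["shop"]).hex())
    # One leaked password unlocks the rest:
    print(recover_all(OBFUSCATED, "mail", b"correct-horse"))
```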

Secret mic in Nest gear wasn't supposed to be a secret, says Google, we just forgot to tell anyone

Adam 1 Silver badge

Re: TL:DR version

In fairness, they were upfront in admitting it had a speaker. They never actually made a claim about where the energy to move the speaker coil was going to come from.

No yoke: 'Bored' Aussie test pilot passes time in the cockpit by drawing massive knobs in the air

Adam 1 Silver badge

> the pilot also drew what the Aussie publication described with unfamiliar restraint as "some intriguing, somewhat phallic symbols"

Just wait until NT News picks it up.

/Popcorn time

You know the drill: SAP has asked Joe Public to name Munich arena so go forth and be very silly

Adam 1 Silver badge

Footy McFistFace

Or if this is a shameless branding exercise

Sapatron

Court sees Morissette Meter flip out as Oracle assumes anti-arbitration stance in pay dispute

Adam 1 Silver badge

Re: title

It's like RAAAAAIIINNN .....

LG folds at prospect of launching bendy phone while Samsung flaunts its upcoming kit on telly

Adam 1 Silver badge

You're folding it wrong.

Australian prime minister blames 'state level' baddies for Oz parliament breach

Adam 1 Silver badge

Re: Personally I hoping

But B33tr00ter passed the complexity rules.

Adam 1 Silver badge

Come on guys. It's unhealthy to hold a grudge forever. It was one delivery 38 years ago.

Hold horror stories: Chief, we've got a f*cking idiot on line 1. Oh, you heard all that

Adam 1 Silver badge

Re: Careful of what you write

And next Monday, that time when that mate of a mate put the *cough* technical notes into the customer notes field by mistake.

Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently

Adam 1 Silver badge

Re: Firefox forever (except at work)

I should add, there at least used to be a Firefox and Chrome extension that could open up specific sites using a tab with embedded IE (IETab or something like that). That was really useful at the time. I'd be surprised if it or something similar isn't still available.

Adam 1 Silver badge

Re: Firefox forever (except at work)

Intranet isn't really where you normally need to worry about web nasties. So you can use ie or whatever for your work sites and FF for outside stuff.

Stage fright or Stage light? Depends how far you dare to open your MacBook Pro's lid

Adam 1 Silver badge

Re: Rinse and repeat

I believe the accountants know the game and to be frank, are playing it brilliantly.

Through a couple of decades, hardware advances themselves justified a new shiny every couple of years. Experientially faster, better screens, new gimmicks. But for most consumer workloads, tell me what a 2014 spec'd i7 couldn't do if you swapped out its HDD and put an SSD in when compared to a modern machine at a similar price point? There's only so much compute power needed to run office 365. This literally freaks out these companies (no need to single out Apple) as their business model relies on repeat customers. It is an existential threat to their profitability. Of course, if you can engineer the parts so that they'll definitely last 3 years, but after 5 it needs to be facing west when you power it on, they can strut out someone to say "that old thing, wow, haven't seen that model in ages*, you need a new shiny, I'm afraid warranty blah blah" without destroying their reputation. It is no accident that more and more components are glued in place.

*at least three days ago

Holy crappuccino. There's a latte trouble brewing... Bio-boffins reckon 60%+ of coffee species may be doomed

Adam 1 Silver badge

Re: Temperature?

> if Starbucks et al have proved anything, it's that coffee drinkers will pay more for coffee.

If Starbucks has proven anything, it is that Americans will drink anything lukewarm and full of sugar and caffeine.

Are you sure your disc drive has stopped rotating, or are you just ignoring the messages?

Adam 1 Silver badge

I'm not even sure that half the developers read the prompts they are adding

Encountered a prompt in a piece of software along the lines of

Confirmation

This will cancel the operation? Please confirm.

[Ok][Cancel]

But I won't name and shame the large Washington based software behemoth.

Computing boffins strip the fun out of satirical headlines

Adam 1 Silver badge

algorithm is actually pretty easy for headlines

// Soundex() is whatever phonetic-hash helper you have to hand
bool IsHumourous(string headline)
{
    return Soundex(headline) == Soundex("Supercalifragilisticexpialidocious");
}

Reg Standards Bureau introduces the Devon fatberg as coastal town menaced by oily blob

Adam 1 Silver badge

Fosters

... just kidding. We only export that to you lot because we don't drink it. Mainly because it tastes like s*!?*

I'm just not sure the computer works here – the energy is all wrong

Adam 1 Silver badge

Re: Ah, the carefree days of yore

Drives a Jeep.... Don't judge too quickly. Those jump leads might come in handy. (Although a tow strap is another gift idea)

Happy new year, readers. Yes, we have threaded comments, an image-lite mode, and more...

Adam 1 Silver badge

Re: Width

> The point varies by breakpoint: 40th child on 884px+ wide devices

So what you're saying is that 40 child threads should be enough for anyone...

Is Google purposefully breaking Microsoft, Apple browsers on its websites? Some insiders are confident it is

Adam 1 Silver badge

Re: Brittle software?

Comments are not included in a compiled binary.

A few reasons why cops haven't immediately shot down London Gatwick airport drone menace

Adam 1 Silver badge

Re: Got it.

Or maybe they could mandate the use of Logitech harmony APIs.

Adam 1 Silver badge

Re: Blockchain

Blockchain!? Maybe DevOps

Adam 1 Silver badge

Re: Other options...

I think you'd need one of the bigger supersoakers rather than the original one. Like this.

German cybersecurity chief: Anyone have any evidence of Huawei naughtiness?

Adam 1 Silver badge

it's like RAAAAAIIINNN ....

... except actually ironic.

One of the following statements explains why Huawei is banned from the Australian 5G networks. The other is part of the Assistance And Access Bill 2018 written by the same collection of muppets. To hold both positions simultaneously is an incredible feat of intellectual contortion. To hold a straight face espousing it is nothing short of incredible.

"the government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law, may risk failure by the carrier to adequately protect a 5G network from unauthorised access or interference."

"a notice may require a provider to facilitate access to information prior to or after an encryption method is employed"

Brazil bested by hackers, Virgin plugs hub bugs, and France surrenders… records

Adam 1 Silver badge

Re: "while the apps themselves are secure"

Unfortunately, they also collect your outgoing messages courtesy of your keyboard app, and display outputs courtesy of your video drivers. But I'm totally confident that these parts of the operating system and apps don't have debug modes that log to disk.

If most punters are unlikely to pay more for 5G, why all the rush?

Adam 1 Silver badge

Re: Well, if they can secure it, then it's okay, I guess

@DougS, this remains at least technically possible even if you don't buy a new shiny. Your current handset will be vomiting out your IMEI regularly, which the operator could intercept on their microcells to gain your location with much higher precision.

Godmother of word processing Evelyn Berezin dies at 93

Adam 1 Silver badge

little known fact

This word processor had the ribbon a long time before Microsoft.

Ah, my coat, thanks.

Adam 1 Silver badge

Re: Redactron

And like many government efforts, it achieves the redactions by gluing a black square over the top of specific words, names or phrases.

Supernovae may explain mass extinctions of marine animals 2.6 million years ago

Adam 1 Silver badge

I guess it's possible

But I think to confirm for sure, they should really be checking the fossil records for evidence of the superpowers that these sharks developed.

Waymo presents ChauffeurNet, a neural net designed to copy human driving

Adam 1 Silver badge

> Self-driving cars won’t learn to drive well if they only copy human behaviour, according to Waymo

I hope it didn't take a PhD for someone there to figure that out. Meatsacks too often drive without reference to prevailing conditions, without anticipating what other meatsacks might be about to do, without a good night's sleep, with screaming kids in the back, paying attention to the radio/GPS/SMS/air conditioning knobs rather than the task at hand, with their seating position and mirrors just wrong, with boredom and wandering minds, without indicating, at inconsistent speeds, in the wrong lanes, towing too much for the rating of the vehicle, without maintaining their vehicles properly, often trained by other incompetent meatsacks who propagate the same bad habits.

As good as a human driver most definitely should not be considered the high watermark.

Official: Voyager 2 is now an interstellar spacecraft

Adam 1 Silver badge

Some time 6-7 billion years ago

God: 14,959,790,000,000 Km ought to be enough for anybody.

Wow, what a lovely early Christmas present for Australians: A crypto-busting super-snoop law passes just in time

Adam 1 Silver badge

> no, they are going to outlaw CO₂ thus solving Global Warming once and for all

You know, I'm doubtful that they'd get such a proposal through their party room .... You'd need to convince them that CO2 was bad first.

Adam 1 Silver badge

Re: "Ship! Come back!"

WhatsApp is a closed source app that implements an open source protocol (signal).

If they add the capability to generate a new group key-pair whenever requested by the server without authorisation within the app, then a systemic weakness has just been included that anyone who manages to pwn WhatsApp servers can now exploit.

You might as well just let the server manage the session keys.

And if you have ever run a Java decompiler (I have but for the record, not on WhatsApp or any other application for which I did not have permission to do so), you would struggle to hide "if (request.Guid==magicGuid) return true;" inside the method responsible for collecting users' consent. The bad guys would have that line NO-OP'd within minutes of it being discovered, or they will just move onto whatever other app that implements the signal protocol but is based in whoknowswhere.

Adam 1 Silver badge

Re: "Ship! Come back!"

They can update the app, but egress traffic from each participant cannot be avoided without fundamentally changing the protocol.

And I'm not sure what you mean by ignore the keys. These are public keys of each participant for the new participant that allow them to decrypt the messages you send and allow you to decrypt messages that they are trying to send you. Ignore them, and they cannot understand you or vice versa.

Adam 1 Silver badge

Re: "Ship! Come back!"

@Mark, the signal protocol used by WhatsApp requires each participant to push their group key to the new user. Whilst Signal/WhatsApp can BCC all comms to 5eyes, they are not in possession of the encryption keys used by the group conversation. If they tried to push an invite out to 5eyes, then each device could notice that the administrator has pushed an invitation to a new member.

Without weakening the security by adding a vulnerability to permit the servers to manage the session key, they cannot comply. They must either weaken security for all or refuse to comply.

Thanks very much Labor for supporting the laws of fairy math. I had held hope that you had understood what the experts were all, without exception, telling you. History will judge you poorly for supporting such a dangerous law.

College PRIMOS prankster wreaks havoc with sysadmin manuals

Adam 1 Silver badge

Re: Value added installer

I once had to handle a complaint about system responsiveness. The client application had to wait for a bunch of data from the server, but given that the penny pinchers had, er, purchased network kit and internet connections that one could make a case were more suited to a small household than a business, occasionally these responses would time-out/retry or just take absurdly long to complete.

For reasons that largely boil down to historic cries of "just push it out, we promised it two weeks ago" from the PHB, the calls themselves locked up the UI thread which as anyone with an ounce of foresight can see was going to make the application appear unresponsive.

I couldn't magic up better performance given the data required and network conditions, but it's amazing how the complaint disappeared as soon as I included an animated gif progress bar and demonstrated how much faster the new version was.

Adam 1 Silver badge

Printer test page, missed a trick there

[Company Logo]

Memo

Directive to all service staff - Beer O'clock Super Special Tuesday

From this Tuesday afternoon, we will be commencing our new Super Tuesday initiative. We value our regular patrons, so whenever an order is placed for a craft beer, the first one is on the house.

Cheers

Management

Pencil manufacturers rejoice: Oz government doesn't like e-voting

Adam 1 Silver badge

> Who uses a pencil to cast their vote? Use a pen!!!! You can't rub out a pen.

If you are planning to subvert an election by changing the votes, do you:

(A) Open up the ballot box, pull out an eraser, carefully rub off all the marks, then renumber them according to your evil plans; or

(B) Print out new ballot forms and then number them according to your evil plans;

(In both cases you need to figure out how to stuff those faked ballots into the box).

Adam 1 Silver badge

As someone who strongly advocated against the government's mathematically illiterate magic fairy unbreakable but yet somehow still possible to assist in breaking when receiving a magical signed order, can I express relief that at least on this proposal they managed to see what a stupid idea it is.

Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS

Adam 1 Silver badge

Re: It's time to start over

I saw a lecture by "Uncle Bob" once, and he made an interesting observation about the rate of growth of programmers. Broadly speaking, since about the '60s, the number of programmers has doubled every 5 years. Or another way to word that is that half the monkeys bashing keyboards today have had less than 5 years experience in the profession. I personally think that this explains quite a lot.

Fresh releases of TypeScript and Visual Studio 2017 for Mac round out November

Adam 1 Silver badge

Re: Er, so this TypeScript is not a language

> Er, so this TypeScript is not a language just a C-stylee preprocessor ?

Only in the sense that c# is an MSIL preprocessor, or that c is an assembler preprocessor.

It is perhaps more helpful to think of JavaScript the way that you think about MSIL; a set of instructions that the runtime can execute.

The example of the + meaning either string concatenation or addition depending on the data is right, but on its own really doesn't explain the problem in a significant enough way to get why you'd bother. It becomes a lot more helpful when you can't accidentally pass a complex model in error, and it allows IntelliSense to better guess what you're trying to pass. It's the benefits that any typed language provides.

Huawei gets the Kiwi 'yeah nah'* as NZ joins the Chinese kit-ban club

Adam 1 Silver badge

as a left ditchian

Just a heads up that if our government actually troubles itself to sit for more than a week in the next 6 months, they are trying to pass laws that will force Australian vendors to break encryption in their products if they are directed to by the government of the day through their law enforcement arms. Pretty much the same thing everyone is hung up about Huawei on. So be careful when sourcing Aussie kit.

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)

Adam 1 Silver badge

Re: Build time internet dependencies are garbage

> even though they need an external trim function written by someone else

Whilst I take your broader point, trim is exactly the sort of function that makes sense as a framework provided function. If you think it's trivial, then I'd chance that you really haven't understood its problem domain and what it counts as a character and what doesn't (and expectations in right to left languages) once you step outside the safe world of ANSI. And to implement it efficiently requires a good understanding of how your framework and runtime implement strings.

Adam 1 Silver badge

Re: Javascript

> The only obvious process error is that the original developer handed the package to the malware developer

Nope. I mean it isn't impossible but my money is on the new broom adding a dependency without considering the integrity of the flatmap-stream package.

Adam 1 Silver badge

Web of Trust, you mean that plugin that was caught with its fingers in the cookie jar a few years back? Maybe not.

Also, I wouldn't be so quick to assume that the new maintainer had a clue that this malware had been introduced. It is of course possible that s/he was in cahoots with the other account, but with the way that NPM works, half the web can break because some random Dev throws their toys out of the cot. Leaving aside the question as to whether his actions were justified, it showed that thousands (and that is a generously small number) of projects find themselves with unrealised dependencies.

This is both the greatest strength and Achilles heel of npm.

LG: Fsck everything, we're doing 16 lenses in smartphones (probably)

Adam 1 Silver badge

20 years from now .....

* Hey guys, remember when cameras only had a dozen sensors? A dozen sensors!? Luxury! We used to dream of a dozen sensors ... (Four Yorkshire Men memes will still be funny)

* These 4 MegaSensor claims are really misleading. If it was really 4MS, it would have 4,194,304 sensors, not 4,000,000. We're being ripped off here by nearly 200,000 sensors.

Behold, the world's most popular programming language – and it is...wait, er, YAML?!?

Adam 1 Silver badge

And apparently the most popular language is markdown, with all those readme.md source code files all over GitHub.

Microsoft sysadmin hired for fake NetWare skills keeps job despite twitchy trigger finger

Adam 1 Silver badge

Re: Who writes the damn matching algorithms???

Shirley it would be

-- candidates previously placed at any other company in FooCorp's category,
-- who have not been placed again in the last six months (or ever)
Select distinct c.*
From Company victim
Inner join Company oldvictim
    On victim.CategoryId=oldvictim.CategoryId and victim.Id<>oldvictim.Id
Inner join CandidateHistory ch
    On ch.CompanyId=oldvictim.Id
Inner join Candidate c
    On c.Id=ch.CandidateId
Where victim.Name='FooCorp'
And (c.LastPlacementDate<DateAdd(Month, -6, GETDATE()) or c.LastPlacementDate is null)

If at first or second you don't succeed, you may be Microsoft: Hold off installing re-released Windows Oct Update

Adam 1 Silver badge

> That stunning Redmond Q&A at work again, we guess.

I am old enough to remember before the abbreviation of Quality Assurance had an ampersand in it.

Oz lad 'fell in love with' baby meerkat, nicked it from zoo, took it out for a romantic Big Mac

Adam 1 Silver badge

I thought it was simples enough

Adam 1 Silver badge

"Obviously life outside its mob just doesn't compare"

Bravo

Biting the hand that feeds IT © 1998–2019