* Posts by Adam 1

2416 posts • joined 7 May 2012

Oz government rushes its anti-crypto legislation into parliament

Adam 1
Silver badge

Ok, we've just run this through our Enigma.io system. It says

{"messages":[

{"text":"Can we have another go at repealing 18C?"},

{"text":"QUOTA'S BAD!!1!! Hurumph"},

{"text":"Right, so our new energy plan is to ban wind and just burn non-Adani coal, then subsidise it so it's no more expensive than solar. Sounds good to me. Can someone just run it past Alan?"},{"text":"Got half a billion here to spend on the reef. Anyone know a small charity stacked with petrochemical board members we can grant it to?"},

{"text":"Hey man, know it's a Sunday, but need to call in a favour about my au pair."},

{"text":"Don't worry mate, you've got my full support."}

]}

Crazy talk there, glad we could help. Some folk are really messed up. I can't imagine how I'd sleep if someone sent me the last one.

3
0
Adam 1
Silver badge

Dear el Reg,

Please name names after the vote. No-one can possibly argue that a week is sufficient to consider the far reaching implications of this potential law. So some of our (supposed) representatives are being negligent in their duties if they wave it through. This is a hard area of law. But that means a large effort is needed to be on top of the many consequences. My ballot paper sometime between now and May wants to take it into account.

32
0
Adam 1
Silver badge

Re: I had to read this twice

Shouldn't it be daft law?

12
0

Just 13 – no, er, make that 3,200 punters hit in Oz's Perth Mint hack

Adam 1
Silver badge

Re: It's times like these you need

Minties make me sad. Very delicious, but I think I've paid the lease for enough of my dentists' Audis.

2
0

Boffins bash Google Translate for sexism

Adam 1
Silver badge

Re: English non-gender pronouns

English "they" doesn't communicate whether you mean singular or plural whereas s/he implies singular*

Singular:

I was speaking with a former colleague. "They" couldn't deal with that stupid manglement for another day.

Plural:

Those school kids on the train were so noisy. Why can't "they" stare at their mobile screens quietly like other normal people.

Notice how my second sentence doesn't on its own explain whether I mean one or many? So you've fixed one problem and introduced a new one.

In many cases, you don't need the additional gendered information, either because it has already been communicated and is therefore redundant or because whilst not communicated, it bears no relevance to your point.

*Doubtless someone will find some sentence which breaks my point.

0
0

By gum: Supermicro's Samsung storage ruler server uses secret SSD

Adam 1
Silver badge

if you have to ask....

you probably aren't their target market.

5
0

A boss pinching pennies may have cost his firm many, many pounds

Adam 1
Silver badge

Re: Developer PC

> was so slow that compiling (building) the application literally took 10 minutes.

I had no idea that the node stack had been around for such a long time.

/Only half joking, doing a clean checkout of 10 quadrillion 1KB js files is, er, not the fastest thing in the world.

2
0
Adam 1
Silver badge

Re: Imagine...

> And this isn't counting nefarious teenagers breaking the chain by unplugging one of the BNC connectors...

Yeah, sorry bout doing that, er, on behalf of a good mate of a mate.

11
0

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Adam 1
Silver badge

don't go there Google. it's turtles all the way down

A user agent filter with a 302 redirect to www.www.example.com.

Then bind these to the same site.

3
0

How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Adam 1
Silver badge

Re: Paranoid AF

How secure are we? Our key space is 374144419156711147060143317175368453031918731001856 times larger than that 88 bit key.

Also worth noting that enigma wasn't cracked by manually brute forcing on the 309485009821345068724781056 possible keys. At 100 billion guesses per second, this would take on average ~50 million years to search.

Rather they used some systemic weaknesses like how it wasn't possible for a character to encipher to itself, pattern analysis to guess how many teeth were on the cogs, tricking the originator into resending the same message with multiple keys, stealing codebooks when the opportunity arose, and automating the scanning of that substantially reduced possible key surface. The weakest link of course was and still is the meat sack not following process.

If I was $EvilGovernment$, I wouldn't even bother attacking AES directly. It doesn't have those weaknesses inherent to enigma. Much easier task to compromise the random number generator so that keys are poorly chosen, or even easier would be to exploit vulnerabilities in the system holding the keys, or trick those systems into revealing their key to an imposter.

8
0

Benchmark smartphone drama: We wouldn't call it cheating, says Huawei, but look, everyone's at it

Adam 1
Silver badge

Re: VW

So why the down votes? Peer reviewed journals use too many big words for you? Or have you got some paper showing how a fake CPU mark score is causing deaths? Both are wrong, but your moral compass is pretty screwed up if you can't understand why one is not a few orders of magnitude worse.

3
0
Adam 1
Silver badge

Re: How did they ever think they'd get Huawei with it!?

Where would the Honor be in that?

5
0
Adam 1
Silver badge

Re: VW

> So it's like the VW thing which they all probably do anyway.

Yes, except I doubt that the synthetic benchmark faking will lead to thousands of deaths p.a.

4
3

Archive.org's Wayback Machine is legit legal evidence, US appeals court judges rule

Adam 1
Silver badge

finally a proper use case for Blockchain

Having a distributed ledger that proves that the hash of the archived page has not been modified since collection could certainly add such trust. Of course it can only prove that WBM faithfully kept a copy of the same thing that was delivered to them originally. It cannot prove whether or not:

* WBM was served a custom version of the page different to what another visitor would see

* Whether any doctoring occurred between what was served and when that block was added to the chain

9
4

Strewth! Aussie ISP gets eye-watering IPv4 bill, shifts to IPv6 addresses

Adam 1
Silver badge

Re: Not el Reg

Took me longer to figure out what you were on about than I care to admit.

8
1

Anon man suing Google wants crim conviction to be forgotten

Adam 1
Silver badge

> The Particulars [case papers] complain that the continued publication by the Defendant of the news report referring to his conviction has prevented him from pursuing his ventures, causing him and his businesses to suffer substantial losses,

No. The loss was caused by the crime that this man committed. As long as the reporting doesn't imply that it is a more recent offense than it was, then what exactly is the complaint?

I can well appreciate that someone who was reported to be "charged" with an offence may want the record set straight if they were found not guilty but an old article implies a cloud over them. Doesn't seem like the case here though.

13
0

Spies still super upset they can't get at your encrypted comms data

Adam 1
Silver badge

Re: "No homebrew" is NOT elitist

> I have DREAMT integer register programming.

You're only human. Don't beat yourself up.

3
0

No D'oh! DNS-over-HTTPS passes Mozilla performance test

Adam 1
Silver badge

Re: Doesn't this...

Yes. In the slip of paper where you have printed the AP name and the password for the day, you print the Uri that the guest must visit to sign in.

0
1
Adam 1
Silver badge

Re: Something Fundamentally Wrong with the Argument?

The real elephant for... No that's not fair. It certainly improves the level of privacy and reduces the attack surface. The real reason for why DoH is no silver bullet for domain name resolution is noted in the IETF draft.

"HTTPS connection provides transport security for the interaction between the DoH server and client, but does not provide the response integrity of DNS data provided by DNSSEC. DNSSEC and DoH are independent and fully compatible protocols, each solving different problems. The use of one does not diminish the need nor the usefulness of the other."

0
0

Vodafone, TPG propose 'merger of equals'

Adam 1
Silver badge

At the retail side, I personally think it's not too bad. They don't really swim in each others' pool, so merging isn't likely to reduce either mobile or ISP competition. TPGs more recent acquisitions of iinet etc would be more worrying than this.

The bigger questions for the ACCC or whatever other toothless tiger would be things like whether they should be permitted to hold whatever 5G frequencies as one company.

/IANAL etc etc

1
0

Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers

Adam 1
Silver badge

Re: Which machines, where?

They may well have reasonable physical security, but that is only one threat model, but only the most ridiculously poorly thought out attacks would seriously adjust voter intention on a particular way. There are much more effective ways, including

1. Suppressing small numbers of votes from polling booths that are known to lean to the unfavorable side and injecting votes in the booths which tend to vote toward the favourable side.

2. Adjusting votes to lower preference (in preferential systems) which may be enough to push someone over the required quota.

And you and I so far have only addressed the machine level attack vector. The data must be aggregated across thousands of polling booths. That means that these memory cartridges need to be transported. It also means some other opaque system then claims to read what is written to it. This is very hard to externally validate. Everything from the device driver through to the application code must be inspected. Then you have the build chain of those pieces of software. Can you prove that the code that you reviewed is the exact code that was compiled? This is hard enough without malicious actors trying to deliberately add some hole. Can you prove that the compiler itself doesn't inject malicious code even if you can inspect it? Can you prove that the version that you reviewed is the same as the version that was deployed during the actual count? Can you trust the output of the crypto libs in that machine to not lie about the hash of the deployed files?

These are a bunch of really hard problems. It is completely inappropriate to permit a counting tool to be used where the vendor won't permit full inspection.

2
0

No, eight characters, some capital letters and numbers is not a good password policy

Adam 1
Silver badge

> I still think that capital letters and special characters are more trouble then they're worth. I haven't trawled through any big password dump files, but I'd be willing to bet that the majority of number/special character requirements are fulfilled by adding a 1 and/or ! to the end of a "normal" or easily guessable password

So much true that hashcat even does this (and a=>@, l=>!, s=>5 style substitutions) and their permutations.

At the end of the day, size matters. A 12 character password consisting solely of lower case a-z has more entropy than an 8 character password consisting of any character (upper and lower), symbol, digit and whitespace.

Those in a position to influence password system design should consider flat out blacklisting terrible passwords. I'd personally consider integrating with pwnd passwords either directly or by just downloading the list and rolling your own.

19
0

Ah, um, let's see. Yup... Fortnite CEO is still mad at Google for revealing security hole early

Adam 1
Silver badge

Re: I learned something

I'm not sure who you're suggesting people go with. Apple store is also 30% (plus another call it 100pa for the account). At the low end of the market, paying 30c to Google or Apple for vetting, indexing, distribution and push of upgrades isn't too bad, but once you start hitting the the expensive apps, you can't really justify it.

If enough of these sorts of companies separately distribute their wares, the app stores will smarten up.

15
1

Muslim American woman sues US border cops: Gimme back my seized iPhone's data!

Adam 1
Silver badge

Maybe it did, but unless it was material to a warrant, then Shirley this sits in the none of their damn business category.

8
2

MyHealth Record privacy legislation published

Adam 1
Silver badge

Re: What time is it now?

@Phil, whilst I don't know you from a bar of soap, you can't be much worse than those on offer. Whilst JB might be ok in the job, she lacks a penis so they won't promote her.

3
1

TLS developers should ditch 'pseudo constant time' crypto processing

Adam 1
Silver badge

Re: Obviously, their code 'Review and Approval' processes need some work...

> The article notes the code was formally verified. What does that say?

That it is a hard problem that even a reviewer or 10 can miss.

Imagine an ancient city under seige. The defender must cut off each and every attack against their stronghold. Be they through the city gates, over the walls, under the walls, earthworks outside to cause a collapse in those walls, every vector, every time. If they fail once, the city is at risk of capture.

Now imagine the attacking army. They get to choose how to attack. Whether to try and sneak one person through to sabotage the defences, or whether to block off the water supply and wait for surrender. They may notice a piece of wall that is not visible from the defensive ramparts to start digging or climbing. They may observe a pattern of those sentry guards and learn when they have 30 minutes of time.

That's the equation here too. One step wrong and you are exposed. If it's not a timing attack then it could be some other vector to act as an oracle. It's serious, sure. But let's be realistic.

2
0

SuperProf gets schooled after assigning weak passwords to tutors

Adam 1
Silver badge

Re: SuperProf

Maybe they should get one of their "star" tutors.

4
1
Adam 1
Silver badge

Re: At Superprof we take security seriously and know how key it is to the running of our business

> "I apologise if any offence was caused"

> (no admission that I was the one who caused it)

Shirley that would be "We apologise if anyone took offence"

(We didn't cause it, it's your own fault if you got offended. Mumble mumble mumble nanny state mumble PC gone nuts mumble. Suck it up princess.)

4
0

Mozilla-endorsed security plug-in accused of tracking users

Adam 1
Silver badge

Re: Bloom filters

> the more elements that are added to the set, the larger the probability of false positives

Yes, it is mathematics, not magic. The laws in information theory are not violated. The probability of false positives can also be lowered by using a bigger file. It's a bang for your buck argument.

And if you keep reading that Wikipedia page, you'll read about how Google Chrome uses this exact technique to flag pages as malicious.

You need to remember that larger is a comparator, not an absolute size. In the same way that 0.0000033% chance is larger than 0.0000032%, but both are still rather unlikely.

0
0
Adam 1
Silver badge

It is no doubt unimaginably huge. A list is the wrong data structure to be using for this use case. Other structures like bloom filters let you trade off between storage size and false positive rate.

It doesn't really matter if your bloom blocks a page wrongly once every hundred thousand tests if that drops the download size from multiple GB to a handful of MB. They could even hash the Uri that was blocked and send for further analysis without the privacy complaints apparent from uploading every address you visit.

But that is why you don't push down a list of URIs

4
1
Adam 1
Silver badge

so

We've not heard about bloom filters then?

5
2

Google risks mega-fine in EU over location 'stalking'

Adam 1
Silver badge

> Google was defiant in a canned statement sent to The Register this week that "Location History" is "entirely opt in"

I think they may need to reflect upon the term "in" in the phrase "opt-in". It means that the default behaviour is to avoid collecting and tracking it unless the user explicitly acts to enable it.

33
0

When's a backdoor not a backdoor? When the Oz government says it isn't

Adam 1
Silver badge

Maybe it would help to understand if you substitute USA where you see Australia and, geez, pick any law, but let's go with DMCA, or EU and GDPR.

Our collective Muppets-in-charge can not get their head around the limits of their legislative powers.

You can ignore this unless:

(a) you planning to visit our fine shores; or

(b) you starting up a local company presence; or

(c) Some trade agreement where your own country has agreed to limit you in this area; or

(d) Your customer is subject to these laws and requires that you agree to the technical assistance measures to the extent that your law permits you to. (You are of course free to not accept such customers).

TL;DR, if you're the cow on the hill, feel free to ignore Yertle bellowing from the pond.

2
0
Adam 1
Silver badge

Re: The Holy Trinity

> They make the legislation apparently quite definite. Then subsequently they gradually widen the scope of interpretations of "terrorists, paedophiles and organised crime".

It already covers "protecting the public revenue", so add to that library/parking/dog shat on the footpath fines as technically meeting the criteria.

5
0

Prank 'Give me a raise!' email nearly lands sysadmin with dismissal

Adam 1
Silver badge

So your handle is quite applicable.

Sounds like you need to take more care next time you "send and e-mail" from the CEO.

1
0
Adam 1
Silver badge

"Security holes" really have gone to both extremes now. On one hand, we have exploits that rely upon timing attacks against the CPU cache to act as an oracle. But also apparently, we accidentally configured our mail server to act as a relay then spoofed an email from the PHB. HELO theregister.co.uk. Must do better.

4
0

Australia on the cusp of showing the world how to break encryption

Adam 1
Silver badge

Re: Note to self

No point if the laws of mathematics don't apply. On a serious note, do this as there are already metadata retention laws in place.

/Posted from, oooh, let's go Azerbaijan, today.

5
0

WhatsApp security snafu allows sneaky 'message manipulation'

Adam 1
Silver badge

Re: WhatsApp or Signal protocol?

Why down votes for AC on a reasonable question? Signal users are indeed very interested given that WhatsApp uses the same end to end encryption protocol.

<PedantHat>

There is no need to worry that an attacker can manipulate encrypted data. This is always a possibility and is logically unpreventable (at least outside of quantum cryptography). The concerning thing is if they can do so with more than a decimal point of an astronomically small number percentage chance of detection by the receiver.

</PedantHat>

2
0

Better late than never: nbn™ DOCSIS 3.1 upgrade starts

Adam 1
Silver badge

Re: But we're not going to tell you..

No-one is going to get better performance out of it. They've admitted that they will use it to cut the pie into smaller pieces rather than give users more bandwidth. Sorry, how did they put it? "double the capacity".

6
0

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Adam 1
Silver badge

Re: Where does it end?

No no no. Who's on first!

6
0
Adam 1
Silver badge

what's the point anyway

It is executing JavaScript code. That is logically equivalent to asking the browser whether the password was right. Anything done on the client side is by definition untrustworthy. 10 seconds to low lifes install some Chrome plug-in to block that js file.

4
0

The age of hard drives is over as Samsung cranks out consumer QLC SSDs

Adam 1
Silver badge

Re: Ah, but

> my first harddrive was eighty whole megabytes, that's room for almost eighty floppy disks

Well lah-de-dar. Look at me and my multi megabyte scale storage nodes. We had it tough. We had to store our data on a tape using an unwound paperclip and a steady hand, magnetised by rubbing your feet on the back of a cat. But we were 'appy back then.

7
0
Adam 1
Silver badge

Re: QLC? It's not the one for me

> (Disclaimer; yes, I know some phycisist will probably come along and point out that this is misleading, inaccurate or oversimplified).

Well they can't. Not now that it has been observed.

5
0
Adam 1
Silver badge

Re: No story here

> I reckon this is gonna come in about £750-1000.

I'm guessing about the US$750-1000 range, so £750-1000 sounds about right.

7
1

Oz retro computer collection in dire straits, bulldozers on horizon

Adam 1
Silver badge

We can't afford one sorry. We're too busy pulling down perfectly adequate stadiums and rebuilding ones with practically the same capacity. And let's not even get started on the powerhouse.

2
0
Adam 1
Silver badge

Maybe you could contribute to the family law fund of anyone who arrives home to a grilling about the several additional creates of junkengineering history.

3
0

Grad sends warning to manager: Be nice to our kit and it'll be nice to you

Adam 1
Silver badge

Re: what the fuck does PC LOAD LETTER mean?

Reminds me of Dennis Denuto* (Language warning)

*We've all been there Dennis

1
0

Hey, don't route the messenger! Telegram redirected through Iran by baffling BGP leak

Adam 1
Silver badge

Re: 'Don't route the messenger'

> the US is about 40x the size of the UK.

Cough* Down here we have a cattle farm that is bigger than Wales.

0
0

Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers

Adam 1
Silver badge

known unknowns

I don't mean to single out Atlassian with this comment. Every company seems to do this, but it triggers me. It's this:

"At no point were the contents of your emails (or other data used by Jira Service Desk) exposed to other customers"

Or another way, sorry, we realised that, due to a bug, we occasionally sent some of our other customers your address and house keys, but at no point were the contents of your house exposed. We've known about this for two weeks. You should probably get new keys cut.

You cannot assert that negative. It is not knowable. I mean if your TV and jewellery turned up at said other customer's place, you could know that the keys were used. But absence of evidence isn't evidence of absence.

There's obviously a bunch of legalese in these sorts of customer communications, but sometimes I just wish that they would just explain what they know, what they don't know yet, and what is not knowable, alongside whatever action the customer can take to limit any potential harm.

24
1

Riddle me this: TypeScript's latest data type is literally unknown

Adam 1
Silver badge

Re: shit code in C# every day

> That's the reason why there could be also some Pascal-ish echoes in his later works.

That might have more to do with Anders being the original author of Turbo Pascal and chief architect at Borland for Delphi than any J++ similarity.

5
0

Forums

Biting the hand that feeds IT © 1998–2018