* Posts by Adam 1

2064 posts • joined 7 May 2012

Developers' timezone fail woke half of New Zealand

Adam 1
Silver badge

Re: Aukward moment

African or European?

6
0
Adam 1
Silver badge

Re: Aukward moment

Sorry, but anyone who thinks timezones are simple doesn't know what they are talking about. Did you know that not all timezones are on the hour? Oh hi Adelaide. In fact not all are even on the half hour (hi Kathmandu). Not all timezones are between -12 and +12 (hi Kiribati with your cheeky +14). Then you have daylight savings transitions on top. Congratulations to our Brazilian contingent for not having midnight on Sunday week. Yes folks, it goes straight from 23:59.9999 to 01:00, causing problems for any software that gets the current date by truncating the current local time.

Why attribute malice where incompetence is far more likely? In many languages, the datetime class has a property to indicate whether it is UTC or local. Most of the time (ha!) it won't make a difference, but if you send that via any form of serialisation framework it will get auto converted to UTC and back at the other end. If it thinks the time is already UTC, but the recipient is expecting to convert back to local, then in the case of NZ you are going to add 12 hours (or subtract if the same problem in reverse). Either way, lunchtime becomes middle of the night.

Now that's off my chest, I'm going to go and open a new medical practice, providing psychological services to those poor souls who have the misfortune of working with timezones.

16
0
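The UTC/local mix-up described in the post, as an added example (not code from the original post). It uses Python's fixed-offset zones so it runs without a tz database; NZST is taken as UTC+12 and the other offsets (Kathmandu +5:45, Kiribati +14) are the ones the post mentions. The "buggy" path stamps a naive wall-clock time as UTC before serialising it, which is exactly the mislabelled-Kind problem; the receiver then converts back to local and lunchtime lands at half past midnight.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets (constructed for this example so no tz database is needed).
NZST = timezone(timedelta(hours=12), "NZST")
KATHMANDU = timezone(timedelta(hours=5, minutes=45), "NPT")     # not on the half hour
KIRITIMATI = timezone(timedelta(hours=14), "LINT")              # outside the -12..+12 range


def serialise_as_utc(local_wall_time: datetime) -> str:
    """The bug: the sender believes its naive wall-clock value is already UTC,
    so it simply attaches +00:00 and ships it."""
    return local_wall_time.replace(tzinfo=timezone.utc).isoformat()


def serialise_correctly(local_wall_time: datetime, tz: timezone) -> str:
    """Label the wall-clock value with its real zone, then convert to UTC."""
    return local_wall_time.replace(tzinfo=tz).astimezone(timezone.utc).isoformat()


def deserialise_to_local(payload: str, tz: timezone) -> datetime:
    """Receiver side: parse the ISO-8601 string and convert to the local zone."""
    return datetime.fromisoformat(payload).astimezone(tz)


def round_trip_error_hours(local_wall_time: datetime, tz: timezone, buggy: bool) -> float:
    """How many hours the wall-clock reading drifts after a serialise/deserialise round trip."""
    if buggy:
        payload = serialise_as_utc(local_wall_time)
    else:
        payload = serialise_correctly(local_wall_time, tz)
    received = deserialise_to_local(payload, tz)
    return (received.replace(tzinfo=None) - local_wall_time) / timedelta(hours=1)


def wall_clock(utc_iso: str, tz: timezone) -> str:
    """Render a UTC instant as the wall-clock time in an odd-offset zone."""
    return datetime.fromisoformat(utc_iso).astimezone(tz).isoformat()


if __name__ == "__main__":
    lunch = datetime(2017, 11, 5, 12, 30)   # naive NZ lunchtime, constructed sample
    print("buggy round trip drift:", round_trip_error_hours(lunch, NZST, buggy=True), "hours")
    print("correct round trip drift:", round_trip_error_hours(lunch, NZST, buggy=False), "hours")
    print("midnight UTC in Kathmandu:", wall_clock("2017-11-05T00:00:00+00:00", KATHMANDU))
    print("midnight UTC on Kiritimati:", wall_clock("2017-11-05T00:00:00+00:00", KIRITIMATI))
```

The drift is symmetric: a receiver that strips the offset and treats a correctly serialised UTC value as local subtracts the same 12 hours. The defensive habit is to reject naive datetimes at serialisation boundaries and always carry an explicit offset.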

Dropbox thinks outside the … we can't go there, not when a box becomes a 'collection of surfaces'

Adam 1
Silver badge

was that a dare?

No no. Not the logo, that looks perfectly fine if you want to refresh your branding. I mean the mountain of dribble. Visual metaphors for collaboration? Open platform? Place for collaborating? Or are we playing buzzword bingo?

8
0

Java EE 8 takes final bow under Oracle's wing: Here's what's new

Adam 1
Silver badge

Re: The horse is but a distant memory...

Um. I'm making a joke, a humorous misunderstanding given the two possible meanings of the phrase "Closure will surely follow [the improvements that Oracle are making to Java]". In the intended understanding, the term closure is to express a change in open state of the stable door, from the saying "to close the door after the horse has bolted". In simple terms, too little, too late. The second, unintended meaning is the language feature of closures as present in many languages from lisp to c# but notably missing in Java. The comment about real closures is because many people confuse lambdas with closures. For some use cases they can substitute but not all.

I am not sure why you bring up JavaScript.

3
0
Adam 1
Silver badge

Re: The horse is but a distant memory...

Nope. Java doesn't support (real) closures.

6
0

Brit prosecutors fling almost a million quid at anti-drone'n'phone ideas

Adam 1
Silver badge

Re: Trained Pigeons

> Build moats round all the prisons

You guys really need to stop sending your politicians such mixed messages! I thought you emphatically told them NO MOATS a few years back.

3
0
Adam 1
Silver badge

Re: Trained Pigeons

> Build moats round all the prisons then get some duck billed platypus wearing monocles, top hats and walking sticks trained to confuse anyone trying to smuggle contraband using interpretive dance routines.

> I see no problem with this plan.

Did it slip your mind that all* animals from Australia are venomous?

*Ok, I exaggerate. Some of the sheep are safe.

0
0

Java security plagued by crappy docs, complex APIs, bad advice

Adam 1
Silver badge

Re: if only

Sorry but that argument is pretty flaky and would equally apply to Wikipedia / Reddit / El Reg commentards.

It solves a different problem to documentation, which tends to focus on classes, constructor overloads, methods and properties. SO does a reasonably good job at pointing back to the official documentation where applicable.

Two examples from recent experience. I was trying to figure out how to write

if (old!=null XOR new!=null)

Obviously for bitwise xor there is ^ but there is nothing for a condition. SO reminded me that XOR is the same thing as !=

In another example, I had two HashSets and wanted to know if there were any differences between their contents. The top answer would have worked but it was frankly going to be inefficient. Sure enough, the first comment below the answer states that it works but it is going to be O(n^2), whereas the other answer (which was slightly less voted) would be O(n). Sure enough, the second answer pointed out the method name and a link to the documentation for it.

The other thing that SO does much better than the documentation is explain why something was/wasn't done, like why can't you in c# yield return inside an anonymous method? Is there a fundamental ambiguity around what you are trying to do or is it just not high enough on the backlog because people want other features? The documentation just tells you you can't do that. Maybe that's all some people care for, but I need to know reasons. For the curious, the answer is too much effort and not enough demand, especially now local functions can do this.

9
0
Adam 1
Silver badge

if only

... SO provided some mechanism to register the fact that you disagreed with a solution such that the better solution bubbled its way to the top, and a comment box where you could provide a reason for why you disagree.

12
3

At last, someone's taking Apple to task for, uh, not turning on iPhone FM radio chips

Adam 1
Silver badge

Re: hasn't really thought this through

I believe the Note7 came with toast making capabilities.

3
0
Adam 1
Silver badge

hasn't really thought this through

FM receivers need an aerial of about 75cm. Phone manufacturers don't have an aerial cable coming out of the phone. They use the cable of the wired headphones as the aerial. Fun fact: this requires a headphone jack.

15
0

Patch alert! Easy-to-exploit flaw in Linux kernel rated 'high risk'

Adam 1
Silver badge

Re: Yeah but

Not so fast. Shirley if you run systemd, you get the additional protection of its built in ASLR and antivirus packages.

6
3
Adam 1
Silver badge

requires reboot

... Ok, someone's taking "year of Linux on the desktop" too literally.

3
0

Smartphone SatNavs to get centimetre-perfect GNSS receivers in 2018

Adam 1
Silver badge

Re: I am an Audi driver...

Audi blinkers aren't for lane changing. They are rather used to signal that the traffic lane has been temporarily designated as a parking spot.

0
0
Adam 1
Silver badge

but not just that

Airports are big places. It can be tricky to understand which taxiway the fruity map app is directing me to drive down.

1
0

El Reg is hiring an intern. Apply now before it closes

Adam 1
Silver badge

K. McCarthy goes ballistic. Intern's skills atrocious!

5
0

Driverless cars will make more traffic, say transport boffins

Adam 1
Silver badge

Re: Asking people if they're willing to share

I don't think that it is going to operate in the way imagined by some commentards. Whilst I would leave open the possibility of personal ownership, my money would be on these share vehicles being operated by a fleet company.

To the concern about not having a car in an emergency or having to wait 10 minutes, or being too rural, I don't think they are deal-breakers. How many families do you know with two cars, where for the most part one of them is almost only used to transport someone to and from work and maybe the odd errand? It can easily be 10K a year to operate a car once you include depreciation, insurances, registration fees, servicing, tyres and fuel. That is not to even talk of having to have additional garage/driveway/kerb space to store such vehicles for the most of the time when they are at home or at the shop or whatever. Public transport may not be an option between the places and at the times needed, or may add half an hour to each trip, or may feel unsafe waiting at a poorly lit bus stop awaiting a bus that may not arrive, so whilst we might argue that public transport is a better option, the reality is that public transport operators cherry pick the routes with the highest patronage.

If families kept their primary vehicle, then a compelling case could be made to ditch that second car and use some on demand system not unlike Uber. This could be a fraction of the cost of ownership. You don't have the inconvenience of getting the thing serviced or repaired or new tyres or checked for rego or having to decide when it's time to sell it. If you are going from suburb to city for business, you probably end up sharing a van with 3-6 others with your fee heavily discounted. Getting a new fridge? Take a ute with you to the shop. Actually, take whatever comes with you and order a ute home. Flying somewhere? No need to rent a car at your destination. No need to even pay the extortionate airport parking rates to leave a perfectly functioning vehicle a few 10s of Kms from home for a week.

It's not going to happen overnight. It doesn't have to. But my prediction is that most kids born in 30 years time will have a puzzled look when you tell them about how you used to spend a double digit percentage of your income on owning a car that you left in your garage except for a dozen trips per week.

0
0

Want to get around app whitelists by pretending to be Microsoft? Of course you can...

Adam 1
Silver badge

Re: Bore off

@yogan

"However, we're told, there’s also CryptSIPVerifyIndirectData, which can be abused to green-light malicious applications with a counterfeit signature. The only thing you need are some coding tools and, oh yeah, admin privileges on the target computer."

If you are not mistaken then Iain is.

1
0
Adam 1
Silver badge

Re: It's..

Sorry, if evil Adam1 had admin rights then your cert store would find itself a new trusted root CA, bypassing the need to do any of the above.

5
0

Facebook U-turn: React, other libraries freed from unloved patent license

Adam 1
Silver badge

That might be a stretch. "Anyone" includes bad guys and TLAs.

0
0

IT plonker stuffed 'destructive' logic bomb into US Army servers in contract revenge attack

Adam 1
Silver badge

What about hiding it in gcc / msbuild.exe so it injects the payload (ie the Ken Thompson Hack)

5
0
Adam 1
Silver badge

> Disguised as notepad.exe

Curiosity here, if you had admin privileges to replace notepad.exe, why not just copy the logic bomb at the same time?

I think evil Adam1 would do it this way.

1. Download CCleaner

2. Run it

7
0

Hi Facebook, Google, we think we might tax your ads instead – lots of love, Europe x

Adam 1
Silver badge

It'll never happen due to vested interests, but the simplest solution would be to tax at the higher rate between seller and buyer. In the French/Irish example, the tax to the French sale is 33%-15%=18%.

There may still be benefits to setting up these shell companies but they would need to derive from efficiencies or value add rather than tax avoidance.

I guess the other way would be to apportion 50:50 between seller and buyers jurisdictions. So back to France and Ireland, Ireland gets 7.5% and France gets 16.5%.

Aside from getting everyone to agree on the treaty, what would stop such a scheme from being a practical solution to the wealth transfer open only to global megacorps with sufficient tax lawyers?

0
0

Attention adults working in the real world: Do not upgrade to iOS 11 if you use Outlook, Exchange

Adam 1
Silver badge

Re: Works here

Agreed. Seriously El Reg, they might ban you from WWDC if you aren't careful....

12
0

You lost your ballpoint pen, Slack? Why's your Linux version unsigned?

Adam 1
Silver badge

it's ok

I've scanned the download with CCleaner and it checks out safe.

34
0

AI slurps, learns millions of passwords to work out which ones you may use next

Adam 1
Silver badge

Re: Hashing and salt

Usually you do both. A secret string known to the server but not in the database, and a secret that is unique to each account. Your goal is to increase the cost of each guess that the bad guys need to make whilst not making your validation unfeasibly slow. They are used for protection against different attack vectors. Both will protect against a rainbow table (just a reverse dictionary measuring in GB or TB of millions or billions of hashes and the corresponding password). The power of a rainbow table is in reusability across multiple attacks and pretty much any reasonable length salt will mean that the hash won't be known up front (ie the bad guys need to invest a lot more, which is good).

A per server salt (rather per environment/application/etc) is useful because your validation logic knows that secret but it isn't in the database. That means that when the mongodb is left open to the world (don't get me started) it is still not possible to find the relation between password and hash.

A per user salt will inevitably require something accessible in the database (either encoded into the hash itself or in a field pertaining to the same record that doesn't change, like username). The prime benefit of a per user hash is that if you and I use the same password because we like the same footy team or the same book (and we, like most people, don't follow recommended practice with password generation) then figuring out my password doesn't give away yours as it would if the hashes matched. Worse still, if my password hint gives away my password and my hash matched yours, that further weakens things. Worse again, I can find common hashes and collate all the password hints and join the dots. A per user hash solves all those.

Either way, don't roll your own scheme. Find a framework and use it. Recommended: either bcrypt, scrypt or argon2, which use schemes that are much better at protecting against this and other attack vectors and generally require very little effort to implement.

1
0
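The per-server secret plus per-user salt arrangement from the post above, as an added example that is not code from the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library (the post recommends bcrypt, scrypt or argon2 for real systems; PBKDF2 is used here only because it needs no third-party package). The pepper value, iteration count and record layout are constructed for the example; the one thing to notice is that the database row holds the salt and the hash but never the pepper.

```python
import hashlib
import hmac
import secrets

# Per-server secret ("pepper"): constructed for this example. In production it
# lives in the application's configuration or secret store, never in the DB.
PEPPER = b"example-pepper-held-outside-the-database"
ITERATIONS = 100_000          # constructed; tune to what your login latency can afford


def _derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    # One way of mixing the pepper in: concatenate it to the password before the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper, salt, iterations)


def hash_password(password: str, pepper: bytes = PEPPER, salt: bytes = None) -> dict:
    """Return the record that would be stored in the database for this account.
    A fresh random per-user salt is generated unless one is supplied (tests only)."""
    salt = salt or secrets.token_bytes(16)
    digest = _derive(password, salt, ITERATIONS, pepper)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    digest = _derive(password, bytes.fromhex(record["salt"]), record["iterations"], pepper)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Two accounts choose the same (weak) password: the salts make the rows differ.
    alice = hash_password("GoTheMightyReds")
    bob = hash_password("GoTheMightyReds")
    print("rows identical:", alice["hash"] == bob["hash"])          # False
    print("alice logs in:", verify_password("GoTheMightyReds", alice))  # True
    # A leaked database without the pepper cannot be verified against, even with the right password.
    print("verifies without pepper:", verify_password("GoTheMightyReds", alice, pepper=b""))  # False
```

Because the pepper is needed to recompute any hash, an attacker holding only the exposed database cannot test guesses against it; because each salt is unique, identical passwords still produce unrelated rows, so cracking one account reveals nothing about another.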
Adam 1
Silver badge

Re: XKCD

> Does using dictionary words not simplify the brute force attack?

Reimagine every word as a character in your alphabet, and then the number of words used as the length. Using English and a 50,000 word dictionary and taking 5 words at random*, the number of permutations is 50,000^5 or 54 bits of entropy or roughly the same as a 9 character completely randomly selected password of mixed case and digits.

So it's well beyond brute forcible.

* That is absolutely essential for this scheme. Don't choose them manually because your brain is too predictable.

4
0
Adam 1
Silver badge

Re: Feed this

SoundingSqualidMopeAntler is both easier to remember (you probably already have) and several orders of magnitude harder to brute force than your suggestion.

As long as you choose the words randomly from a dictionary of reasonable size. Even a 5 word pattern from a very modest 10000 word dictionary gets you 1e20 possibilities, and it isn't too hard to use a 50000 dictionary. You might even learn a new word....

3
0
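The entropy arithmetic from the two passphrase posts above, carried through in code, together with the random selection the footnote insists on. This is an added example and not code from the original posts; the small word list is constructed for the demonstration, and a real generator would draw from the 10,000 to 50,000 word dictionary the posts describe.

```python
import math
import secrets

# Constructed sample word list. Its size (8) is far too small for real use; the
# entropy functions below are what you would apply to a 10,000-50,000 word list.
SAMPLE_WORDS = ["sounding", "squalid", "mope", "antler",
                "copper", "lantern", "orbit", "thistle"]


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Each word is one symbol from an alphabet of dictionary_size symbols."""
    return word_count * math.log2(dictionary_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Same formula for a character password: e.g. 62 symbols for mixed case plus digits."""
    return length * math.log2(alphabet_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of random words that reaches target_bits with this dictionary."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(words: list, count: int, separator: str = "") -> str:
    """Pick words with the secrets module (CSPRNG); never by hand, as the footnote says."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("5 words from 50,000:", round(passphrase_entropy_bits(50_000, 5), 1), "bits")
    print("5 words from 10,000:", round(passphrase_entropy_bits(10_000, 5), 1), "bits")
    print("9 chars, mixed case + digits:", round(password_entropy_bits(62, 9), 1), "bits")
    print("words from 10,000 for 64 bits:", words_needed(10_000, 64))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The strength figure only holds when the selection is uniform and random; a passphrase a person composes from words they "like" comes from a far smaller and more predictable set, which is why the generator uses `secrets.choice` rather than asking the user.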

AWS can now bill us if you read this far. This bit will cost us, too

Adam 1
Silver badge

Shirley

... cloudflare would be taking 90+% of your traffic before it even sees AWS?

0
0

Apocalypse now: Ad biz cries foul over Apple's great AI cookie purge

Adam 1
Silver badge

Re: How many ads is too many?

Wow, what sites are you visiting? I've only got a very modest 123,830*

*On my phone. And that is connected via VPN which itself has a built in ad blocker.

0
0

D-Link router riddled with 0-day flaws

Adam 1
Silver badge

@alan brown

You are presenting a false choice. The contention being that because dlink were/are dicks that the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour were.

If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he had given their or droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.

3
7
Adam 1
Silver badge

> No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.

Firstly, dlink are being dicks by not patching security vulnerabilities in a timely fashion. Nothing I say below detracts from that.

On those 8 vulnerabilities, as long as he warned them that the vulnerabilities would be publicly disclosed (not clear from my reading of TFA), he has done exactly the right thing.

On the latest one (with no vendor notice), I'm afraid to say he is being a dick. Even though from past experience it would seem unlikely to receive a prompt patch, you just allow the vendor to argue that irresponsible disclosure put customers at risk, side stepping their responsibility to have a secure product and promptly patch security flaws.

7
14

Google to kill Symantec certs in Chrome 66, due in early 2018

Adam 1
Silver badge

subbie missed a trick

Symantec kicked; in Chrome 66

8
0

User demanded PC be moved to move to a sunny desk – because it needed Windows

Adam 1
Silver badge

Re: Error 524

> Can I just say how comforting it is to be mercilessly pilloried for an errant apostrophe, I would miss this site.

Can you imagine if you had accidentally used a comma instead of a question mark,

12
0
Adam 1
Silver badge

Re: Error 524

They'd love to, but they are stuck on a bunch of 418s in the kitchen.

6
0
Adam 1
Silver badge

WOW

He sounds like a right Dick!

/Mines the gown with the tie at the back.

0
0

Google rushes to curb Oreo's massive appetite for your 4G mobile data

Adam 1
Silver badge

Re: Data allowances

Your ADSL is 24? What, do you live in the storeroom at the exchange? When I lived 150m from the exchange I got 22.8. Since moving it is closer to 6.

Also, that 100Mbps isn't happening when there is the slightest whiff of contention.

Also, here in the real world, 4G data allowances are sadly still a thing.

8
0

Dude who claimed he invented email is told by judge: It's safe to say you didn't invent email

Adam 1
Silver badge

Re: To speak to someone?

@just enough

Just a slight tweak:

It's almost like different forms of communication on a mobile device have different strengths and weaknesses!

Now you're clear.

0
0
Adam 1
Silver badge

Re: Where Do I Find These Lawyers

> as they invented the hyperlink

But as any fool knows, the internet didn't exist until <blink />

1
0

Sub plot subplot thickens: Madsen claims hatch fumble killed Swede journo Kim Wall

Adam 1
Silver badge

Re: Scraping the bottom of the excuse bilge?

Aye sea what you did the-arrh.

8
0

Thousands of hornets swarm over innocent fire service drone

Adam 1
Silver badge

Re: "Scumbags" is understating matters

> they are quite capable of wiping out a substantial part of the ecosystem because they have no natural predators there. They really are no joke.

¿sɹǝpᴉds ɹno ɟo ǝɯos ʍoɹɹoq oʇ ǝʞᴉl noʎ plnoM

26
0

Crypto-busters reverse nearly 320 MEELLION hashed passwords

Adam 1
Silver badge

@def

I've definitely seen worse. The per user hash and thousands of rounds do prevent precomputed attacks and would certainly up the cost of any attack on your site. The hash iterations are there primarily to multiply the effort per guess (75K times in your case). That is obviously important but it is based on an assumed CPU time per iteration. You are somewhat limited in your iterations by the capacity of your own server (eg, it probably couldn't be a million iterations or your own server would be too unresponsive). And you are limited to the performance characteristics of a general purpose CPU. The attackers may rather use a GPU cluster or even an ASIC and be able to compensate for the additional rounds.

Other approaches try to max out some other resource (eg RAM). If a given guess expanded out to say 100MB then the idea of tens of thousands of parallel guesses isn't practical.

At the end of the day, use a framework. What you're doing is terrific for learning but it is so easy to stuff up (eg how random is your salt actually). I like the common password idea. We've done something similar. And minimum length is pretty much the most important metric. Mixed case/symbols/digits all simply serve to make your password hard to remember and given people use common substitutions (a/@ etc) they tend to add only limited additional security in practice.

Check out scrypt, bcrypt or argon2 to handle password storage though rather than something bespoke. It will otherwise end in tears.

Disclaimer <- I am not a security guy either

2
0
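The memory-hard alternative the post sketches (a guess that "expands out" to a large working set so GPU or ASIC parallelism does not pay), as an added example using scrypt from Python's standard library. This is not code from the original post; the parameter values are constructed, and the memory estimate follows scrypt's published cost model where the main working set is 128 * r * N bytes per guess.

```python
import hashlib
import hmac
import secrets


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate working set of one scrypt evaluation: the 128*r*N byte table."""
    return 128 * r * n


def choose_n_for_memory(target_bytes: int, r: int = 8) -> int:
    """Largest power-of-two N whose table fits in target_bytes, for a given r."""
    n = 1
    while scrypt_memory_bytes(n * 2, r) <= target_bytes:
        n *= 2
    return n


def hash_password_scrypt(password: str, salt: bytes = None,
                         n: int = 2 ** 14, r: int = 8, p: int = 1) -> dict:
    """Store salt and cost parameters alongside the hash so they can be raised later."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                         maxmem=2 * scrypt_memory_bytes(n, r),   # headroom for OpenSSL's bookkeeping
                         dklen=32)
    return {"salt": salt.hex(), "n": n, "r": r, "p": p, "hash": key.hex()}


def verify_password_scrypt(password: str, record: dict) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
                         n=record["n"], r=record["r"], p=record["p"],
                         maxmem=2 * scrypt_memory_bytes(record["n"], record["r"]), dklen=32)
    return hmac.compare_digest(key.hex(), record["hash"])


if __name__ == "__main__":
    print("N=2^14, r=8 uses about", scrypt_memory_bytes(2 ** 14, 8) // 2 ** 20, "MiB per guess")
    print("to force ~100 MB per guess with r=8 pick N =", choose_n_for_memory(100_000_000))
    rec = hash_password_scrypt("correct horse battery staple")
    print("verifies:", verify_password_scrypt("correct horse battery staple", rec))
```

Iteration counts in PBKDF2 only multiply CPU time, which an attacker can buy cheaply in parallel; the memory table here has to exist for every guess in flight, so tens of thousands of simultaneous guesses need tens of thousands of tables. The cost parameters are stored with the hash precisely so they can be increased as hardware improves.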

Deputy AG Rosenstein calls for law to require encryption backdoors

Adam 1
Silver badge

Re: Impossible

> it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

Obligatory

Also your idea, whilst stopping attacks on specific ciphers, does not assist when said TLA compromises your RNG.

0
0

P≠NP proof fails, Bonn boffin admits

Adam 1
Silver badge

Re: Of course P≠NP....

The proof was much closer than it sounds though. It held for all values of N except N==1.

B+ Good effort

19
1

Some positive news: LG, Hitachi, NEC charged $65m in li-ion battery price fixing shocker

Adam 1
Silver badge

Re: Oh, yes

Jail!? But it was rogue engineers m'lord.

3
0
Adam 1
Silver badge

That's a very specific number. Do they have receipts or something?

3
0

Japanese sat tech sinks Sea Shepherd anti-whaling activists' hopes

Adam 1
Silver badge

Re: a matter of pride?

> Why do people who vaccinate their kids care about people who don't?

1. Vaccines work really well to boost your kids' immune systems to fight off some pretty horrible diseases. Really well, but not 100%. You can be vaccinated against say whooping cough but still catch it. Your odds of catching it are much much lower but not zero.

So...

2. Herd immunity means that if less of your 'herd' is carrying the virus then you are even less likely to catch it, so that's nice.

3. A very small percentage of the population cannot be immunised. Consider cancer sufferers on medications that suppress the immune system. Also newborns under 6 weeks fall into this category. Their only protection really is herd immunity (newborns might get something via breast milk but it isn't enough). Some people may also be allergic to some ingredients used in the vaccine or as stabilisers or as preservatives, so take them away as well.

4. Treating the disease is massively expensive. Doctors, medications and hospital beds are a financial burden on society and it is frustrating when the majority of cases were cheaply avoidable.

5. Many of these diseases cause long term disability in the survivors and society must pick up the tab on that too. Think polio, and even things like rubella can easily kill an unborn child or otherwise cause deafness and heart issues if contracted by a pregnant woman (see point 3, you can't get vaccinated whilst you are pregnant).

6. If you choose to not vaccinate and heaven forbid find yourself watching your child struggle for breath plugged into a million machines or worse, you will have to live with your decisions.

21
0

Huge Apple news CONFIRMED. Software deal with Accenture is official

Adam 1
Silver badge

WOW

> Huge Apple news CONFIRMED

El Reg finally received an invite to WWDC?

8
0

Swedish slip-up leaks hosting company's customer data

Adam 1
Silver badge

Sounds like their security was really borked!

/Mines the one with the tongs in the pocket.

2
0

Crowdfunding scheme hopes to pay legal fees for Marcus Hutchins

Adam 1
Silver badge

Re: Who is benefiting

> is unlikely because if he has a good defence he is less likely to dog on his [alleged] accomplices.

TFTFY.

You had it right in the previous paragraph but if he's innocent then he has no accomplices to which to "dog on".

20
0


Biting the hand that feeds IT © 1998–2017