* Posts by Adam 1

1745 posts • joined 7 May 2012

Centrelink 'big data' system built without consulting taxman

Adam 1
Silver badge

Tudge has got to go. As outrageous as the design flaws with the system are, the really shocking thing is that they haven't paused the automation whilst they sort it out. I am in the fortunate position of having had very little to do with them, but what I did see was an organisation that was unable to arrange for a human to assist with an enquiry. Everything was about being redirected to their online portal, seemingly developed by Satan himself, which, when you followed those instructions, then told you that you needed to go in person.

The sooner they understand that half their clients are only there because of poor and immoral decisions made in boardrooms half a world away and not because of laziness (some are, of course), the sooner they can start treating people with the respect they deserve as humans.

5
0

Spies do spying, part 97: Shock horror as CIA turn phones, TVs, computers into surveillance bugs

Adam 1
Silver badge

Re: So if they've redacted the actual exploits

I think they should be giving Google at least 90 days before publishing. Only fair.

1
0
Adam 1
Silver badge

Re: In CIA Russia...

In Soviet Russia, you listen to your TV.

2
0
Adam 1
Silver badge

Re: If a nation-state agency wants you --

> do not be interesting in the first place.

So your argument is that your obscurity provides your security. Let me know how that works out for you....

3
1
Adam 1
Silver badge

21. Your secret master key escrow backdoored encryption will be compromised. Don't worry though, it'll only be all encrypted information that's at risk.

2
0

Watt the f... Dim smart meters caught simply making up readings

Adam 1
Silver badge

bigger problems

The biggest problem is that there will be some hard coded telnet password for a root session on these things, and once remotely exploited, miscreants are going to do serious damage to the grid by cutting gigawatts of demand within seconds.

8
0

UK Home Office spy powers unit pretended it was a private citizen in Ofcom consultation

Adam 1
Silver badge

Re: Get what you wish for

> the clear implication of the government (a) lobbying itself and (b) pretending to be a private individual.

I have no problems with (a). It is a Good Thing™ for governments to extol their positions on any matter and to force them to justify the positions they are advocating. My problem is with (b). And I have a big problem with it. It has the optics of an attempt to present a case for change (or not) without the usual skepticism applied to a normal government mouthpiece.

2
0
Adam 1
Silver badge

Re: Get what you wish for

> Sort of ironic that someone disguised their identity to complain about a technology which would allow people to disguise their identities.

IT'S LIKE RAAAAIIIINNN....

1
0

3Par brought down Australian Tax Office with >REDACTED<

Adam 1
Silver badge

> some are likely to go to litigation.

Not buying it. There is no way they'll pay up without lawyers at 12 paces.

<Tinfoil hat mode>

I could believe that HPE were offered a very good settlement in exchange for falling on their sword. The government really doesn't want any more IT failures on its watch.

</Tinfoil hat mode>

5
0

User rats out IT team for playing games at work, gets them all fired

Adam 1
Silver badge

Re: Big Companies and Policies

Curious about the down vote. Happy for anyone to disagree with me, but at least state your argument so I can see where you're coming from.

Despite what the story states, it is not going to be everyone's job to check the backup. Most of that 75 won't even have the rights to do so, nor should they. And it's not unheard of for places to be temporarily overstaffed. Think about what happens with planned mergers or spin offs, where IT functions can get duplicated for a while or sit there idle until some other department gets up to capacity. Sometimes it is cheaper to pay people to do nothing for a few months than to scale up or down, especially where the skillsets are not so fungible.

That said, it appears some mock DR exercises would have been a better use of time with hindsight.

0
0
Adam 1
Silver badge

Re: Big Companies and Policies

> Difficult call - without further information

Very easy call. Of the 32.5 people let go, I could believe that it was 1 person's job to do the backup monitoring and tapes so fair enough for them. Also someone was their manager and failed in their oversight. That's another one or two. So what did the other 30 do wrong? Assuming they had finished their tasks and they had their management's permission to be running whatever application, then the decision to let them go can't be disciplinary related.

2
1

Amazon S3-izure cause: Half the web vanished because an AWS bod fat-fingered a command

Adam 1
Silver badge

Re: Makes me wonder how many others in the "playbook" have this capacity.

> Ultimately somebody has to have the power to do this because shutting down servers is a valid admin activity. However it should be made a multistep process with plenty of Are You Sure? types prompts

How about "Please enter the shutdown validation GUID. This can be found on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

0
0

We found a hidden backdoor in Chinese Internet of Things devices – researchers

Adam 1
Silver badge

Pfft. Like my car. It has two back doors that I'm aware of.

/Grabs coat

2
0
Adam 1
Silver badge

Re: With a bit of luck

Or they will just rebrand with a new logo sticker on the side and carry on business as usual. Hardly a middle kingdom phenomenon though...

0
0

Germany, France lobby hard for terror-busting encryption backdoors – Europe seems to agree

Adam 1
Silver badge

Re: openpgp

Firstly, not the down voter. I agree with the general gist of what you are saying. My only disagreement would be about the easiness of detection. Remember that a lot of things need to hold true for encryption to be secure. A few years back, Debian's RNG was accidentally screwed up by removing some code that looked buggy but was necessary for seed initialisation. That fundamentally compromised all encryption operations for a 2 year period.

See https://www.schneier.com/blog/archives/2008/05/random_number_b.html

2
0
Adam 1
Silver badge

Re: Requirement

For me the question isn't whether a backdoored encryption approach would prevent some crime, even some serious crime. Of course it will. There is a large overlap in the Venn diagram of idiots and criminals, so it is obvious that some idiot criminal is going to use the backdoored crypto and be caught with much fanfare. The question is what do we have to trade off to get that? One is the risk of some rogue group getting their hands on such a key. The other is misbehaviour by its trusted custodians.

Anyone who has studied history will immediately recognise the difficulty of considering that to be "a good trade-off". Heck, we have detailed information now in the public domain about top secret intelligence operations, compromised hardware/software/algorithms because they couldn't stop one of their own from "stealing it". Colour me unconvinced on this...

5
0

LG, Huawei unwrap 'Samsung Galaxy-killers'

Adam 1
Silver badge

better call quality!?

Why waste your R&D budget on features that no-one will bother reporting? (Current company excluded). Shirley better to do something like make it thinner, remove useful ports, change the aspect ratio or remove wireless charging like a normal vendor.

2
0
Adam 1
Silver badge

Re: You could be a touch more sceptical, please

> are you nuts or an Intel employee

False choice!

0
0

Energy market operator used urban data only, undershot heatwave forecast by 3°C

Adam 1
Silver badge

Not quite as crazy as it sounds

Nearly 80% of the state's population live in or around Adelaide, and no-one lives in most of it. Compare that to about 65% for Sydney metro vs NSW. Don't get me wrong, they definitely have questions to answer. At so close to the margin and with plenty of warning, everyone should have been on standby. Can't do much about freak storms knocking down your towers (other than, you know, maintenance), but this should not have happened. They have really stuffed up if SHY sounds sensible.

0
0

HPE's Australian tax failures may have been user error

Adam 1
Silver badge

> The Register has filed a freedom of information request with the ATO, seeking documents explaining the nature of the outages

HAHAHAHAHA. You must be new here. Where even the Attorney General's appointments on a specific date range are "too much effort" to respond to a FOI, I really don't like your chances...

3
0

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time

Adam 1
Silver badge

Re: Pigeonhole Principle

> or partitioning the document and using the same hash method to "cover" overlapping portions of it

Just be aware that whilst the pigeonhole principle shows that it is mathematically certain that two documents that collide must exist where the input size exceeds the hash output size, it does not follow that two inputs that are smaller than the hash output cannot collide. In a well designed algorithm, it should be both very rare and computationally infeasible to find the other, i.e. nothing short of brute force.

0
0
Adam 1
Silver badge

> There are far more possible documents than there are hash function outputs

Known as the pigeonhole principle. Where the size of the input exceeds the size of the hash output, there not only "can be" but "must be" collisions. To those harping on about file size differences, Windows Explorer rounds to the closest KB unless you specifically check the details of the properties. For most use cases, having a slightly different file size is unimportant, but it is impressive nonetheless that they could locate a collision even constraining themselves to the valid file format and same file size.

Designing effective hash functions is really hard. I had to last year and stuffed it big time. It wasn't a cryptographic hash but one that would see hundreds of thousands of our objects get hashed into different buckets for faster dictionary lookups. So basically you had an infinite combination of inputs that had to hash to 32 bits (about 4 billion). I managed to create an accidental swarm to zero which meant that whilst there was good distribution generally, a substantial proportion of real world objects would end up in bucket 0. After fixing it, the worst I saw was in the 3 objects per bucket out of a million range.

1
0
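The swarm-to-zero failure described in the post above, as an added example that is not part of the original comment: a hypothetical composite hash that XORs per-field hashes together, beside a chained version, with a bucket-distribution check run over constructed (src, dst) address pairs. The record format, the 30% loopback share and the 65536-bucket table are assumptions chosen to make the effect visible; the per-field hash is 32-bit FNV-1a.

```python
"""Bucket-distribution check for a non-cryptographic hash (added example)."""
from collections import Counter
import random
import struct

MASK32 = 0xFFFFFFFF


def fnv1a32(data, h=0x811C9DC5):
    """32-bit FNV-1a over bytes, starting from state h (the FNV offset basis by default)."""
    for b in data:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def xor_combine_hash(record):
    """Hypothetical 'bad' composite hash: hash each field, XOR the results.
    XOR is its own inverse, so a record whose fields are equal hashes to 0
    (and (a, b) collides with (b, a)): a swarm to bucket 0 on real-world data
    that looks fine on random test input."""
    h = 0
    for field in record:
        h ^= fnv1a32(field.encode())
    return h


def chained_hash(record):
    """Fixed version: fold each field's hash into the running state through the
    same multiply-xor mixer, so equal fields do not cancel and order matters."""
    h = 0x811C9DC5
    for field in record:
        h = fnv1a32(struct.pack("<I", fnv1a32(field.encode())), h)
    return h


def bucket_stats(hash_fn, records, buckets=1 << 16):
    """Distribute records into `buckets` and report the numbers that reveal a swarm."""
    counts = Counter(hash_fn(r) % buckets for r in records)
    return {
        "max_load": max(counts.values()),
        "bucket0": counts.get(0, 0),
        "avg_load": len(records) / buckets,
    }


def make_flows(n, loopback_fraction, seed=1):
    """Constructed (src, dst) address pairs standing in for real objects; a share
    of them are loopback flows with src == dst, the kind of repeated value that
    production data has and random test data does not."""
    rng = random.Random(seed)
    addr = lambda: "10.0.%d.%d" % (rng.randrange(256), rng.randrange(256))
    flows = []
    for _ in range(n):
        src = addr()
        dst = src if rng.random() < loopback_fraction else addr()
        flows.append((src, dst))
    return flows


if __name__ == "__main__":
    random_like = make_flows(50_000, 0.0)   # what a unit test fed random data sees
    real_like = make_flows(50_000, 0.3)     # what production sees
    for name, fn in (("xor_combine", xor_combine_hash), ("chained", chained_hash)):
        print(name, "random:", bucket_stats(fn, random_like))
        print(name, "real:  ", bucket_stats(fn, real_like))
```

The XOR combiner passes the random-data run (no repeated fields, so nothing cancels) and collapses on the production-like sample, which is the "good distribution generally, but a substantial proportion of real objects in bucket 0" symptom the post describes; it also makes (a, b) and (b, a) collide. A bucket histogram over representative data, not just random data, is the check that catches it before it ships.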
Adam 1
Silver badge

Re: "just stash away the "KJ"BIUE_D H£(*ERNY£" in a garbage area, you're sorted."

Why does the size have to be identical? As long as the artifact is a believable size you can launch an attack.

Imagine an executable file downloaded through some sort of update mechanism that uses SHA-1 to validate the binary before executing it. No-one will notice that the 64MB upgrade.exe is 25KB larger. But now the attacker has replaced the intended payload with their own. It would be interesting to know about the collision algorithm. Like, does it require the two files to be nearly identical? Does a large file take longer to generate a collision?

2
0

Mysterious Gmail account lockouts prompt hack fears

Adam 1
Silver badge

Re: Google stating problems occurred as a result of "routine maintenance"

It really did look like some sort of phishing attack. And certainly Google have now through lack of foresight opened up their user base to fall for the next one. They should have had a website explaining exactly why you needed to reauthenticate. Not a mystery popup!

1
0

Boffins exfiltrate data by blinking hard drives' LEDs

Adam 1
Silver badge

Re: Root access

> your fictitious drone videos them from a handy window would more likely to go unnoticed than a HDD thrashing for no apparent reason

Nonsense. It's simple to mask. Simply call the executable svchost.exe and no-one will bat an eyelid when it randomly consumes all the system resources.

You are treating this attack vector as if it is a fairy tale, but remember Stuxnet was a weapon that accidentally got out, but it was designed to take out Iran's nuclear enrichment capabilities on air-gapped systems. It is not beyond comprehension to imagine a machine that is not air-gapped but is firewalled off. Sometimes the observer just needs a private key so they can MitM the legitimate channel without detection. This sort of bandwidth could send out a private key sub-second with no packets apparently leaving the network.

1
0

I was authorized to trash my employer's network, sysadmin tells court

Adam 1
Silver badge

Re: "I wish for world peace"

Why? It will just say something like "in the discharge of their authorised duties, the employee agrees to at all times refrain from actions likely to cause damage to the company, its suppliers, customers, associates, ...."

If your company gives you a car, you have the right to depress the accelerator or brake hard to avoid an emergency. It does not follow that you are permitted to do it for kicks until you've damaged it.

Hope he loses. What an arse hat.

11
9

Swedish politician wants weekly hour of paid sex. For exercise

Adam 1
Silver badge

Has el Reg approached Trump for comment?

(Autocarrot wanted to write consent. I had a good chuckle)

1
2

US judge halts mass fingerprint harvesting by cops to unlock iPhones

Adam 1
Silver badge

Re: At reader level yes

WRT the collision rate of fingerprints, that is a side issue. It actually becomes worse in some cases. Some occupations are notorious for using chemical compounds that effectively eat away the prints, so for those people the templates have a lot fewer points of interest and collisions become possible. Most APIs won't let such people record a template. But the templates are basically a set of angles and distance measurements. No two scans of the same finger would ever result in the same measurements, any more than taking two photos from a tripod could create a byte-wise identical bitmap. The question is never "are they a match" (hint: infinite FRR). It is always "are they acceptably close". That's where the complex maths starts, because you are expecting features in a similar location to distort in a similar way, and some features are missing altogether because of sloppy scans.

1
0
Adam 1
Silver badge

Most biometric APIs I have played with allow you to trade off your false accept rate (FAR) vs false reject rate (FRR). FAR and FRR are opposite sides of the same coin. You can't improve one without making the other worse. There are usually two broad use cases.

1. The person claims an identity and this is a second factor where they prove it. (Well technically they only prove they have your finger/iris/hand but you need to understand your threat model)

2. Out of a large number of candidates, decide which identity has presented their digit.

With 1, you can tolerate a much higher FAR (it's the FRR that makes usability suck). With 2, you need a very small FAR, but that does require a nicer template and a nicer scan than 1.

If you take a mobile phone use case, it's actually much closer to 1. You want it to unlock even with the vaguest of touches in any orientation and with any light level. You could tolerate a 1:10000 FAR quite easily. For blame purposes, you want FAR to be 1:10s of millions+.

8
0
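The FAR/FRR trade-off in the two comments above, as an added example rather than anything from the original posts or from any real biometric API: matcher scores for genuine and impostor comparisons are constructed from two overlapping Gaussian distributions (an assumption, not fingerprint data), and a single accept threshold is swept to show the two rates moving in opposite directions. threshold_for_far picks the loosest threshold that meets a target FAR, once for the unlock use case (1) and once for a blame-grade target, and makes the sampling caveat explicit: n impostor comparisons cannot resolve a FAR below 1/n.

```python
"""FAR/FRR trade-off at one accept threshold (added example, constructed scores)."""
import math
import random


def make_scores(n_genuine=5000, n_impostor=20000, seed=7):
    """Constructed matcher output, not real biometric data (assumption):
    similarity scores for same-finger (genuine) and different-finger
    (impostor) comparisons, drawn from two overlapping Gaussians."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.75, 0.08) for _ in range(n_genuine)]
    impostor = [rng.gauss(0.35, 0.10) for _ in range(n_impostor)]
    return genuine, impostor


def rates(genuine, impostor, threshold):
    """Accept when score >= threshold.
    FAR = impostors accepted / impostor comparisons.
    FRR = genuine users rejected / genuine comparisons."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) per threshold: raising the threshold lowers FAR
    and raises FRR; the two never improve together."""
    return [(t,) + rates(genuine, impostor, t) for t in thresholds]


def threshold_for_far(impostor, target_far):
    """Lowest threshold whose FAR on this impostor sample is <= target_far.
    Caveat: n impostor comparisons cannot resolve a FAR below 1/n. Below that
    the only defensible answer is 'above every impostor score we have seen',
    which says nothing about the next ten million comparisons."""
    scores = sorted(impostor)
    n = len(scores)
    allowed = math.floor(target_far * n + 1e-9)  # impostor accepts the target permits
    if allowed == 0:
        return scores[-1] + 1e-9                 # strictly above the largest impostor score
    return scores[n - allowed]


if __name__ == "__main__":
    genuine, impostor = make_scores()
    for t, far, frr in tradeoff_table(genuine, impostor, [0.4, 0.5, 0.6, 0.7]):
        print(f"threshold {t:.2f}: FAR {far:.5f}  FRR {frr:.4f}")
    for label, target in (("unlock (1:10000)", 1e-4), ("blame (1:10 million)", 1e-7)):
        t = threshold_for_far(impostor, target)
        far, frr = rates(genuine, impostor, t)
        print(f"{label}: threshold {t:.3f}  FAR {far:.1e}  FRR {frr:.3f}")
```

On these constructed scores the unlock-grade target is met by a threshold inside the impostor tail with a moderate FRR, while the blame-grade target is below what 20,000 impostor pairs can measure at all, so the only defensible threshold sits above every impostor score seen and the FRR rises sharply. That is the usability cost the second comment describes, and it is why a 1:10-million FAR claim needs a correspondingly large impostor corpus behind it rather than a knob turned up.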

Radioactive leak riddle: Now Team America sniffs Europe's skies for iodine isotope source

Adam 1
Silver badge

Re: Not the best choice

Um. Pretty much the other way around. The shorter the half life, the more aggressively the thing is throwing particles out. And iodine will happily be absorbed by your thyroid and do plenty of damage throwing its beta particles about in those 8 days.

14
0

Linux kernel gets patch for 11-year-old local-root-hole security bug

Adam 1
Silver badge

> DCCP code cockup lay unnoticed since 2005

DCCP code cockup is not known to have been noticed since 2005. TFTFY.

9
1

Netflix treats security ills with Stethoscope: Open-source self-probing tool

Adam 1
Silver badge

Re: Of course for Netflix..

Or whether a VPN client is running.

0
0

Speaking in Tech: Taxing robot labour for benefit glorious taxpayer

Adam 1
Silver badge

Humans pay no taxes. They merely pass them on as a reduction of their consumption from businesses. Just as silly an argument.

According to economics, businesses will charge as much as the market will bear and no more and seldom less. Humans will seek out the best deal for them (including a cost minimisation objective). Taxation is an input cost to businesses. So are employee salaries. So are executive salaries. Any business who wants to raise prices in response has to either have a monopoly/duopoly or hope that their competitors follow suit.

It's a genuinely interesting problem. If more folk are going to be displaced (I hate that word because it doesn't capture the impact on the individuals) then unemployment costs and pensions will rise, tax take will drop and spending capacity of society as a whole will drop. That is a negative feedback loop, so we are royally stuffed if we don't find some way of dealing with it. I think there are several issues with Bill G's suggestion (when does a piece of equipment become a robot as well as handling the import tariffs you would need to stop offshoring of the robot labour to give two examples) but it is worth considering in the mix of ideas.

2
0

Software glitch, not wind farms, blacked out 60,000 in South Australia

Adam 1
Silver badge

You also need to take into account the new gas export infrastructure that has come online in recent years. Prior to this the supply and demand equation was primarily domestic consumers. Now gas prices follow the international market as many producers can make more by selling it overseas. As a result, wholesale prices have at least doubled and this ruins the economic assumptions behind such plants. But hey, at least Chevron, Santos, ExxonMobil et al contribute to our collective wealth by paying a fair share of tax.....

0
1

Drop the F-bomb, get your coding typos auto-corrected

Adam 1
Silver badge

Re: The F*ck

Maybe they need the reverse

> rm -rf /

> I'm sorry, Dave. I'm afraid I can't do that.

2
0

Beeps, roots and leaves: Car-controlling Android apps create theft risk

Adam 1
Silver badge

Re: no car apps here

> I've seen more fobs fail than work.

That I strongly doubt. Yes, fobs can run out of battery, but in my experience you tend to get at least a small warning where for a few days or weeks you have to press it a few times before it goes entirely. And yes, operating them with gloves can be a challenge.

But

We have seen Jeeps get remotely driven into ditches. We have seen Nissans have their climate control activated from another hemisphere (literally). And by now some of these cars are being sold to second and third owners who are blissfully unaware that the original owner's iPhone can still unlock it. And that's before the more novel attacks from fake charging points that sideload apps, as demonstrated just this week, that could quite easily grab those credentials and the GPS location where that phone is often kept.

Now I grant that water can block some frequencies used by key fobs, but frankly if the ice is that thick, you ain't even getting to the handle, forget about driving it today.

0
0
Adam 1
Silver badge

Re: no car apps here

> Tried using it on a frozen winter morning in the dark

No. Temperatures around here seldom drop that low and my car is garaged. And the transponder on my keyring does a reasonable job of unlocking the doors even if there is ice over the lock. There's just no need to do it over the internet. It adds a whole bunch of security attack vectors. The only reason it's there is so they can add an extra bullet point on their feature comparison when you are picking your trim level.

1
0

Google bellows bug news after Microsoft sails past fix deadline

Adam 1
Silver badge

Re: GDI32?

No, I don't mean legacy stuff using MFC. Of course that uses it, but not all things that use it are MFC. If I look at the processes on this system that have a handle open to gdi32, I can see 148 of them, including things like Firefox, Chrome, cmd, devenv (VS 2015), Notepad++, powershell, Process Explorer (ironically), sqlservr, w3wp (IIS worker), and of course the various office applications, updaters, svchosts etc. I literally just created a new, otherwise empty WPF application, and even it loads gdi32 when you double click it.

3
0
Adam 1
Silver badge

Re: GDI32?

That is the Graphics Device Interface library for 32-bit applications. You know, responsible for minor things like drawing lines and shapes, painting bitmaps on your screen (actually even a printer is considered a canvas) and rendering text. Basically the 2D stuff.

Whilst it has its quirks, even the modern frameworks will at the end of the day be interacting with it at the bottom of the object rabbit hole. They could abandon it, I guess, but that would just break backwards compatibility with all the Win32 applications out there, and, well, WinRT never really took off. Btw, on 64-bit machines it really is just a shim to translate calls into the equivalent 64-bit instructions. I can understand why they may be cautious about changes. At low levels, medicines can easily be much worse than illnesses.

1
2
Adam 1
Silver badge

can't really say too much yet

If Microsoft haven't responded at all then public release of code is an appropriate response. But if they have responded with a request for more time and Google did a dump and run anyway, then the only point they prove is that they can be arse hats.

5
2

HPE blames solid state drive failure for outages at Australian Tax Office

Adam 1
Silver badge

not Samsung!

Samsung failures would have been notable by the presence of 100 fire engines at the data centre.

2
0
Adam 1
Silver badge

Re: "We'll know more in March, when the PwC report into the incident emerges"

I've seen an early copy of the PWC report. Turns out the real cause of the issues is the wind farms in South Australia.

1
1

nbn™ to cut the charges ISPs pay for traffic

Adam 1
Silver badge

4) didn't achieve 1, never had a chance on 2, and failed quite spectacularly on 3.

Trumbull Broadband Network for you...

0
0

Dead cockroaches make excellent magnets – now what are we supposed to do with this info?

Adam 1
Silver badge

Re: This kind of thing always starts down the pub.

I just hope that there is a dissertation published as part of someone's post doctorate. I just want to know that somewhere out there some university big wig in a ridiculous robe has to read out the abstract.

"A comparative study into the rate of decay of multi kilogauss strength magnetic fields at low temperatures between alive and deceased cockroaches."

To be honest, the robes are weirder.

5
0

The Register's guide to protecting your data when visiting the US

Adam 1
Silver badge

Re: An overpriced hot dog truck on every corner

> (#) * Back of package disclaimer reads: "All-American Style Mustard. Made in China. Allergy Advice: Manufactured in a factory that may also produce melamine."

I call "fake news" on that. The real disclaimer would have included the phrase "Caution: Contents may be hot"

5
0

Australia finally passes mandatory data breach reporting legislation

Adam 1
Silver badge

Re: Weasel words

They should have used the phrase "mandatory consultation". Even the most Tasmanian of senators could abide by the official definition of consult.

0
0

Standards Australia might send Tesla's PowerWalls outside

Adam 1
Silver badge

> Classifying batteries based on hazards, and not chemistry type.

Well knock me over with a feather. A sensible way to write regulations so they don't become obsolete 3 months after taking effect.

What is the risk of an unplanned energy discharge event? How easily is such a fire contained and put out? How toxic is the smoke (compared to other furnishings; none is going to be great for your health)? If the unit gets physically damaged, what is the risk to health and property from anything that might leak out, and how can a damaged unit be safely discharged? Once you know those answers, then you can specify the appropriate installation environment.

7
0

Oz consumer watchdog: 'up to' speeds shouldn't be in broadband ads

Adam 1
Silver badge

it's actually quite simple

For cars we have urban and extra-urban fuel economy figures listed separately. Let the ISPs list a peak and non-peak figure and make them refund any day's charges where the peak speed is not met during peak times or non-peak speeds in non-peak times. They can quote their big headline speed number for off peak and users can get a realistic expectation of the likely performance of the connections they are considering.

Even back in dial up days we used to be able to ask how many subscribers per phone line they had and what the session limit was so you would know which ISPs you could get through to and which would just be engaged the whole time.

0
0

UK prof claims to have first practical blueprint of a quantum computer

Adam 1
Silver badge

Re: FFS

Try here.

0
0

Who's behind the Kodi TV streaming stick crackdown?

Adam 1
Silver badge

Re: Said it before, will say it again

> Spotify has proven the model works even if not perfect.....

I think the Pluralsight model could work well if the rights holders had more than 2 years' foresight. Basically your monthly fee gets divided into two buckets. The first (small) bucket keeps the lights on for the service. The second (relatively large) bucket gets distributed to the content producers in proportion to the amount of time you spend consuming each. So if you spend your whole month watching some David Attenborough miniseries and then flick on Frozen for the kids, most of that second bucket would get paid to the BBC and the rest to Disney.

Sell plans by the hour if you like, it's fair, easy to track, transparent and solves the content monopoly problems where a consumer literally can't afford to purchase all the services they like because of exclusive arrangements.

3
0


Biting the hand that feeds IT © 1998–2017