* Posts by Adam 1

1746 posts • joined 7 May 2012

Who's behind the Kodi TV streaming stick crackdown?

Adam 1
Silver badge

Re: Said it before, will say it again

> Spotify has proven the model works even if not perfect.....

I think the Pluralsight model could work well if the rights holders had more than 2 years' foresight. Basically your monthly fee gets divided into two buckets. The first (small) bucket keeps the lights on for the service. The second (relatively large) bucket gets distributed to the content producers in proportion to the amount of time you spend consuming each. So if you spend your whole month watching some David Attenborough miniseries and then flick on Frozen for the kids, most of that second bucket would get paid to the BBC and the rest to Disney.

Sell plans by the hour if you like, it's fair, easy to track, transparent and solves the content monopoly problems where a consumer literally can't afford to purchase all the services they like because of exclusive arrangements.

3
0

Mag publisher Future stored your FileSilo passwords in plaintext. Then hackers hit

Adam 1
Silver badge

> El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. In accordance with FileSilo's security policy, we sent the request in plaintext.

>

> We have not heard back. ®

Let's not be too cocky. Until rather recently, certain other sites used to force credentials and session cookies to be submitted in clear text. Glad to see they saw the error of their ways though...

11
0

Data breach notification law finally makes it to Australia's Parliament

Adam 1
Silver badge

The difficulty I see is that even a minor breach can have associated consequences.

Consider for example a sporting club with an online portal for court bookings or classes etc. There is nothing confidential in there; it's all printed out on the noticeboard anyhow. But their server remained unpatched for years as they can't afford an IT BOFH and now their MySQL backup files are popped.

OK, so nothing confidential has been exposed, and the passwords are all at least hashed, even though it is unsalted MD5 (which we knew not to use even 10 years ago *cough* Yahoo! *cough*), but by my reading this would definitely be a minor breach.

The problem?

* Any common MD5 password can literally be cracked by Googling the hash. Or hashcat will find it very quickly if it is less than 8 characters.

* Most people use the same password for multiple services.

So now someone has their email account popped, and from there password resets on other services.
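The two properties the comment above relies on, shown side by side as an added example (not code from the post or from any real club's portal): with unsalted MD5, every user who picked the same common password gets the same digest, so a leaked dump can be audited (or, by an attacker, looked up) against a precomputed table in one dictionary hit per user, and identical digests immediately reveal password reuse; with a per-user random salt and a slow KDF neither property holds. All member names, passwords and the tiny "common password" list are constructed here.

```python
import hashlib
import os

# Constructed sample: two club members who happen to share a common password.
MEMBERS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}

# A tiny stand-in (constructed) for the public MD5 lookup tables the post mentions.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty"]

def md5_store(users):
    """What the club's server does: unsalted MD5, one digest per user."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def pbkdf2_store(users, iterations=100_000):
    """The corrected scheme: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt.hex(), dk.hex())
    return store

def audit_unsalted(store, wordlist):
    """Defender's audit of an unsalted dump: precompute the wordlist once, then
    each user costs a single dict lookup. Returns {user: weak_password}."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if h in table}

def shared_hashes(store):
    """Groups of users whose stored digests are identical. With unsalted hashes
    this exposes password reuse without recovering a single password."""
    seen = {}
    for u, h in store.items():
        seen.setdefault(h, []).append(u)
    return [users for users in seen.values() if len(users) > 1]

def verify_pbkdf2(store, user, candidate, iterations=100_000):
    """Login check for the salted scheme: recompute with the stored salt."""
    salt_hex, expected = store[user]
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), iterations)
    return dk.hex() == expected

if __name__ == "__main__":
    md5s = md5_store(MEMBERS)
    print("weak (unsalted MD5):", audit_unsalted(md5s, COMMON_PASSWORDS))
    print("reuse visible:", shared_hashes(md5s))
    pb = pbkdf2_store(MEMBERS)
    print("reuse visible with salt:", shared_hashes({u: v[1] for u, v in pb.items()}))
    print("alice login ok:", verify_pbkdf2(pb, "alice", "password1"))
```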

0
0

Juno how to adjust a broken Jupiter probe's orbit?

Adam 1
Silver badge

> Juno how to adjust a broken Jupiter probe's orbit?

Maybe put it near Uranus?

0
1

Slammer worm slithers back online to attack ancient SQL servers

Adam 1
Silver badge

Re: Bugs? Fixed? Really?

What next? My prediction is an embedded font based vector.

/Pun not intended but I'm easily amused so I had a chuckle.

1
0
Adam 1
Silver badge

No credit card information is believed to have been exposed.

2
0

Microsoft's DRM can expose Windows-on-Tor users' IP address

Adam 1
Silver badge

> “If you want to build your own Microsoft DRM signing solution the price-tag is around US$10,000,”

If it's only large content distributors that can unmask Tor then that is pretty good. I can't imagine any reason why *they* would want to unmask sessions.....

6
1

Particle accelerator hacked: Boffins' hashed passwords beamed up

Adam 1
Silver badge

Re: Is this a Distributed Denial of Science attack?

The good thing about these types of passwords is that if the attackers try to observe them, the passwords will collapse.

14
0

IETF 'reviewing' US event plans in the face of Trump's travel ban

Adam 1
Silver badge

Re: Hey Chirgwin...

> Note the TPP is also out the window (though good riddance to that) which hits the Australians.

Hits? I am yet to meet an Australian who admits to supporting the TPP. We don't want your gene patents or lawsuits against plain packaged cigarettes or Methuselah aged copyright so we can get a 4 week GDP improvement over 20 years.

A true free trade agreement would be about a paragraph long. The TPP is just about pandering to this or that interest.

So for his many flaws, he got that one right. Even stopped clocks show the right time twice a day.

40
0

Google's Chrome is about to get rather in-your-face about HTTPS

Adam 1
Silver badge

Re: @Adam1

I don't think what would be required to break your suggestion is at all beyond the skill set of anyone who reads a tech news site.

1. Buy the applicable hardware.

(Eg https://wifipineapple.com/ )

2. Create a self signed certificate for website.org

(Eg https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx )

3. Look for a location likely to have free wi-fi but who fail to use HTTPS

(Eg https://t.co/6Bu4v9f5Qn )

4. Redirect any form submit action to a Uri under your control

(I won't detail that step RTFM)

5. Profit

Alternatively, pick a café/library/train station/hotel and call your fake AP "Free McDonald's WiFi", hijack the first HTTP page they request, put the McDonald's logo on top and say "Sign in with Facebook", put the f logo on it and many people will just connect to it and type in their credentials.

CAs are imperfect. DigiNotar and WoSign stand out, but I couldn't characterise them giving me a fake cert as "easy". Having the right political connections to get them to make a fake cert for you is much less of a threat for most people than what I have described above.

CAs are like democracy. The worst form of government, except for all the other forms we have tried from time to time.

0
0
Adam 1
Silver badge

Re: Cult of useless HTTPS

Users are users and will reuse those passwords on other sites. I agree on the caching problem. That is a solvable problem if they hash all the resources used by the page then sign the hash with their private key, but I guess no one is pushing for it.

4
0
Adam 1
Silver badge

Re: Double agenda?

It *is* insecure. Whether that matters to you or not is another thing, but an HTTP link allows a MitM to:

1. Read and manipulate any content the site sends to you, removing anything they don't like and adding any they want. This may be as simple as ad substitution or could directly implement an exploit.

2. Read and manipulate any content that you submit to the site.

What is wrong with letting people know?

And your self-signing signature idea doesn't have legs because I can create a self-signed signature for website.org and then MitM you. A CA needs to validate you control the domain. For example, Let's Encrypt will request you to host a file in a certain location to prove that the domain is under your control.

15
2

Want to bring down that pesky drone? Try the power of sound

Adam 1
Silver badge

It's all about understanding your threat model. What is the bigger threat? A misdose by a fat-fingered health professional (or medical researcher) or by some lone wolf with a laser pointer on the roof of an adjacent building? The attack vector is interesting and I'd definitely watch the next Bourne if they used it as part of the plotline. There are plenty of IoT health device security issues with real-world risk, from default passwords to blindly trusting unencrypted instructions over WiFi or Bluetooth.

2
0

Australia to review effectiveness of ISPs' copyright-defending website blocks

Adam 1
Silver badge

Re: not good enough!

Wrong! What is needed is a tarpaulin design that becomes transparent when observed by law enforcement who have a special camera lens but which is opaque to everyone else. I urge the tarpaulin industry to come onboard and help us. We are an innovative country. Why do you keep mentioning physics?

14
0
Adam 1
Silver badge

not good enough!

I demand that the government enact legislation to prevent our public road network from being used to transport stolen goods!

What do you mean it can be bypassed by throwing a tarpaulin over the trailer?

30
0

Sony takes $1bn writedown: Streaming has killed the DVD star

Adam 1
Silver badge

bad economics

For the price of a 10 year old movie on Blu-ray down under, you can get 3 months Netflix. Heaven help you if you wanted something like a 3D / 2D / DVD combo edition. Maybe I'm just getting old and my eyes are wearing out, but these same 10 year old movies are in the DVD bin for under ten bucks. It's better but not 3x better.

2
0
Adam 1
Silver badge

Re: Short Window of Opportunity...

> Lots of ports.

Why would anyone need lots of ports when they can easily spend 100 quid on a flaky adaptor that has had Cupertino holy water sprinkled on it?

6
1

Naughty sysadmins use dark magic to fix PCs for clueless users

Adam 1
Silver badge

You didn't use an android VPN I hope.

0
0
Adam 1
Silver badge

Re: You want an evil genius IT man.

> Finally he caught his dad adding extra ones to his pile....

That's got me wondering. What does he do with IKEA furniture?

1
0

IBM's SoftLayer is having a meltdown – and customers aren't happy

Adam 1
Silver badge

Re: Thank you for calling IBM technical support.

> completely bizarre error messages to be displayed. "SYS0014A722FE-00-97125: Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."

I see what you've done. You've accidentally changed your preferred language to Welsh.

3
0

Windows code-signing tweaks sure to irritate software developers

Adam 1
Silver badge

Re: Change in mindset is needed IMO

> So what if someone (say a state) produces a completely bogus chain of trust and then publishes a bunch of updates to the system while posing as the company, spreading the bogus-signed stuff everywhere and then say hacking the original company to say their chain of trust got broken and had to be refreshed?

Here are some random URIs

https://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates

https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

1
0

Northumbria Uni fined £400K after boffin's bad math gives students a near-killer caffeine high

Adam 1
Silver badge

Re: bad math

Adding 30g (6 teaspoons) of sugar to juice is like drinking 2 glasses instead of 1. If your diabetes is so bad that this is lethal then I would be steering clear of juice altogether.

1
0

I'm deadly serious about megatunnels, vows Elon Musk

Adam 1
Silver badge

makes sense

What else is he to do with the lava tubes surrounding his volcano lairoffice?

2
0

Chinese bloke cycles 500km to get home... in the wrong direction

Adam 1
Silver badge

Re: If only all coppers were so nice

> Facing a twelve mile walk by road we reckoned the train line was probably shorter as it ran in a mostly straight line, so we jumped down onto the track and started walking.

I was going to point out how dangerous that is. Inebriated folk do have a tendency to grab a quick kip, and walking along a track isn't the best location to be when that happens. But not only is it dangerous, I can't think of anything more stupid and ill prepared. Tell me, just where did you expect to find a kebab shop on that route?

4
0

Boffins explain why it takes your Wi-Fi so long to connect

Adam 1
Silver badge

Re: hold your phone upside down

¡ǝɹoɟǝq uɐɥʇ ɹǝʍoןs uǝʌǝ ʇɔǝuuoɔ ʇsnɾ sƃuıɥʇ 'ƃuıɥʇʎuɐ ɟı puɐ ɹǝpun uʍop ʇı pǝıɹʇ ʇsnɾ I ˙ɹǝɥʇoq ʇ,uoᗡ

36
0

Furby Rickroll demo: What fresh hell is this?

Adam 1
Silver badge

> Furby Connect World app doesn't bother with niceties like HTTPS for its startup connection

Wow. Even tech news comment sites do that these days!

21
0
Adam 1
Silver badge

You could make me pay for that.

15
0

Biz claims it's reverse-engineered encrypted drone commands

Adam 1
Silver badge

There's plenty of things it could be. Perhaps it's vulnerable to a replay attack where for example a specific command can simply be recorded and repeated to get the drone to do the same thing again.

Or perhaps they are using the MAC address as part of the key generation algorithm.

Or perhaps they can MitM attack the pairing operation between the device and remote.

Or perhaps some development numpty hard coded the root password in the firmware.

Or perhaps they can drown out the packets coming back from the device and trick the remote into falling back to some ancient broken encryption.

Or perhaps it suffers heartbleeding beast poodle....

6
0

Learn to code site Code.org loses student work due to index bug

Adam 1
Silver badge

Don't understand the relevance of that, sorry. The bug here is simply the wrong choice of data type, meaning all available values were exhausted. (Hint: for 64-bit fields that won't happen until after the heat death of the sun.)

The xkcd comic refers to the common mistake (let me guess, it is still an OWASP top error) of not using parametrised queries and so allowing a user to provide not just data, but additionally instructions.

0
0
Adam 1
Silver badge

It's not just hours either. I'm not even going to get the 30 seconds back that it took me to write this comment.

0
0
Adam 1
Silver badge

Re: Hmm...

Isn't the standard to claim "No credit card information was accessed"?

2
0

Boffins ready to demo 1.44 petabit-per-second fibre cables

Adam 1
Silver badge

Re: Impressive but ...

MV CSCL Globe can carry 19,100 containers. So as long as it was moving at about 2 km/h (that's like a 2-year-old's walking pace), it could still have higher bandwidth.

4
0

Square Kilometre Array precursor shrinks 5TB of data to 22MB – every second!

Adam 1
Silver badge

Re: Firehose of data ...

I'm sure HPE are on top of it.

0
0

Meet 'Moz://a', AKA Mozilla after it picked a new logo

Adam 1
Silver badge

Re: The next Big Thing

> CHRØME

Pretty sure that's a bookshelf in IKEA.

13
0

Li-ion tamers: Boffins build battery with built-in fire extinguisher

Adam 1
Silver badge

Re: Cars

> Wouldn't want to be around when a petrol tank went up either

I agree. The fire would be very hot. (Or were you like most people expecting some form of explosion?)

1
0

Stanford boffins find 'correlation between caffeine consumption and longevity'

Adam 1
Silver badge

Re: And what about your heart?

What does in large amounts mean? And over what timeframe?

Tbh, having large amounts of coffee, it's going to be the cholesterol (from milk) and the sugars that get you rather than the caffeine.

0
0
Adam 1
Silver badge

With having to type in that handle at sign in, I'm surprised that you ever have enough time to bother with a comment.

0
0

Google reveals its servers all contain custom security silicon

Adam 1
Silver badge

> These requirements limit the ability of an insider or adversary to make malicious modifications to source code and also provide a forensic trail from a service back to its source.

So they trust the compiler then?

0
0

McDonald's forget hash, browns off security experts

Adam 1
Silver badge

> McDonald's main website that could be fodder for phishing attacks

But those URLs are coming from the wrong McAddress.

/Sorry. I'll grab my McCoat now.

15
0

Mr Angry pays taxman with five wheelbarrows worth of loose change

Adam 1
Silver badge

Bull!

4
0
Adam 1
Silver badge

Re: one wheelbarrow shall be known as 1Whb

Sorry Phil, a common mistake, like people confusing light-years with speed rather than distance.

Whbs aren't a measure of wealth but rather a measure of frustration or angst.

Usages:

* He was so rude to me, I hope the next guy pays with 2 Whbs!

* These #£&+ mosquitos are everywhere. Every time I get one another starts buzzing. It's like 7 Whbs.

* Is it so hard to put your phone on silent at the theatre. May the parking ticket machine return her 400 mWhbs in change.

3
0

Wi-Fi for audiophiles: Alliance preps TimeSync certification program

Adam 1
Silver badge

> “The protocol also determines which determines which device is going to be the master clock – there's a mechanism for devices to evaluate which is the 'best' clock,

I'm Spartaclock!

No I'm Spartaclock!

No I'm Spartaclock!

8
0

Oz government on its Centrelink debacle: 'This is fine'

Adam 1
Silver badge

Re: Communication

> They are as factual as the accuracy of the information provided to the ATO and centerlink

No. You are either ignorant of the issue or trolling. They are not using the information provided to the ATO. The ATO doesn't hold income per fortnight. Centrelink have inferred that fortnightly figure from the ATO data through a patently flawed algorithm.

It is outrageous to falsely accuse a person of fraud, send in the debt collectors (oh hi there credit ratings) and not have sufficient resources to deal with challenges from people who have evidence to show they were indeed entitled to those benefits.

It's not just 'dole bludgers' who should be worried by this crazy math shoot first ask questions later behaviour. Should we apply this logic to pension asset tests or family tax benefit?

A few years ago I lost eligibility to Part B after a pay rise, in one of those perverse "getting a rise leaves you worse off" cases that makes a living wage an interesting idea. The same 'logic' applied here would have seen me being asked to repay a debt I didn't owe.

If they are moving into speculative invoicing, then here's a thought. Anyone found to have been incorrectly accused should be paid at minimum wage for their reasonable time in producing the evidence and their refunded amount should be returned at government bond interest rates.

5
0

Feds cuff VW exec over diesel emissions scam

Adam 1
Silver badge

Re: Nothing new here

Opel have been caught with something slightly more subtle. It only operates its emission controls in a very narrow temperature range which luckily coincides with lab conditions. It doesn't operate whilst revving beyond 2400 rpm, which again luckily isn't needed in the lab. That it hops out of the way when you give it the beans isn't surprising (safety first), but the fact it remains off even when the engine is just ticking over once the need for hard acceleration is done means that in real-world city stop-start driving you will likely disable the emission controls on pretty much every trip. That doesn't excuse VAG. There is enough criticism to go around.

1
0

Top cop: Strap Wi-Fi jammers to teen web crims as punishment

Adam 1
Silver badge

Re: Why would this happen-

> Far better than giving kids a new tool to go and harass others with.

Look it has a few minor challenges but at least the device can't be disabled with a few layers of aluminium foil....

0
0

Verizon is gonna axe its 'unlimited' data hogs

Adam 1
Silver badge

Re: Off Topic: Whoopee! El Reg has HTTPS! Almost

It's a Cloudflare certificate, so at least the initial hop is encrypted. Doesn't mean traffic between Cloudflare and El Reg is encrypted. It might be, but you can't tell. Anyway, kudos for removing prying eyes from at least the most vulnerable link.

2
0
Adam 1
Silver badge

Re: Maths!

> Were you involved with the Australian Census?

No you have me confused with someone else. I've been working on an innovative welfare compliance system where we crosshatch tax records, divide a magic number by 26 and assume every fortnight is paid equally then send out the debt collectors.

4
0
Adam 1
Silver badge

Re: Maths!

@Oengus

Makes sense though. Fibre only has a very small diameter so you can't fit much light through it. But look at all the light you can fit in the outdoors. Clearly that gives much more bandwidth.

8
0
Adam 1
Silver badge

Re: To all the wireless carriers...

> "Unlimited" doesn't mean "infinite",

Absolutely correct.

> it just means there are no pre-set limits.

No, you should have stopped at infinite.

It means that they don't have a limit that you can violate. If you wanted to put a number on it, an ADSL2 line can in theory download at 25 Mbps. There are 2,678,400 seconds in a (31-day) month. There are 8 bits in a byte, so

2678400 * 25 / 8 = 8,370,000 MB = 8370 GB per month.

Don't call something with limits unlimited. At its kindest, that is a bait and switch scheme.

16
0

Australia telcos warn: Opening metadata access will create a 'honeypot' for lawyers

Adam 1
Silver badge

> The take-out-the-trash timing of the review, announced in the afternoon of Friday December 23, meant Vulture South missed it at the time.

Not quite. I emailed Simon with the ag.gov.au link on 23 Dec and he replied with a link to this saying we're on it.

Glad it's being picked up in its own right though. It seems to my reading to be just waiting to be abused. It doesn't take too much imagination for some jilted partner who knows the WiFi password to ensure some less tasteful/borderline illegal websites make an appearance in the ISP logs and then use that in some custody hearing to argue why the other should not be allowed near the kids. It is also not beyond imagination that a business partner wanting to escape some contract responsibility could generate the appearance of SMTP traffic to a recipient which would strongly indicate that confidentiality clauses had been breached.

My 2c. The retention policy is an expensive way of generating large haystacks and it should be scrapped. My visits to El Reg or any other site are not in my ISP logs. Only connections to my VPN's endpoints, and they don't log. Legislators should try harder to understand the systems they are trying to regulate and stop with the "do something" brigade logic. Otherwise we end up with π == 3 laws.

0
0


Biting the hand that feeds IT © 1998–2017