* Posts by DaLo

669 posts • joined 30 Aug 2012


'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption

DaLo

Re: "He said DoH removes a discriminator that can be used to distinguish DNS"

In an organisation, as the firewall owner and the directory administrator you could choose how to do it.

You could only allow standard DNS requests and then convert them to TLS at your gateway, providing oversight locally but not outside your administration, or you could stop them altogether.

It's your choice, you have a root cert on every PC.

2
0

SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...

DaLo

Re: Not the first piece of absurd preaching to come from the SQLite team

"If you want to have software that can have its database hammering with multiple processors on multiple hard disks ..."

Doesn't necessarily mean this. You may have high-intensity procedures doing significant number crunching running on multiple threads which are just storing and retrieving small amounts of data from the SQLite database. The database isn't being hammered or particularly big, but it still needs to be accessible and consistent across multiple threads.

4
1

European Commission: We've called off the lawyers over Ireland's late collection of Apple back taxes

DaLo

Re: So does that mean that Apple had indeed received preferential treatment ?

Currently under appeal, hence why it has gone to the EU (in escrow) and not Ireland.

If the appeal is successful Apple will get it back; if not, the money, I believe, will go to the Irish government.

Come back in 10 years for the answer.

11
0

Chrome 70 flips switch on Progressive Web Apps in Windows 10 – with janky results

DaLo

Re: Why I'm not interested in PWA

So what do you currently do with websites? Do you block browsers on the desktop or just whitelist/blacklist individual websites?

I don't fully understand what the issue is. PWAs don't get admin-level control, they can't open up ports on your machine at random, any ports they send out on can be blocked, there is almost as much control over malicious websites as there is over malicious programs, and more control over categorised websites, whereas I'm not sure a categorised system exists for applications.

So you can block PWAs globally or individually, or block access to the web completely and restrict their remote connections and activities. This seems like quite granular control and would seem far safer than an application that has to be installed (and therefore has admin privileges at that point).

3
0
DaLo

Re: Why I'm not interested in PWA

Well, a PWA is still just a website, nothing more. It can utilise hooks that can do some 'clever' OS-level stuff like adding a link to your homepage etc., but these are dependent on your browser and OS. Access to sensors and hardware has been granted by the browser, so any app, whether it is a 'PWA' or a web page, can access it.

Therefore your firewall ports will be as useless against PWAs as they would be against any old website. However, blocking access to specific sites and to remotely hosted data stores is just as easy with a PWA as with another website.

As for offline/online, that is completely up to the developer - they can use web workers or service workers to allow use of a cache API or small DB to do some offline work. Often this is regarded as a temporary storage state which will sync and clear down once an internet connection is achieved.

2
0

UK Home Office admits £200m Emergency Services Network savings 'delayed'

DaLo

And works as designed.

They always work as designed - designing is the ongoing process that the developers carry out.

The problem is more whether they work as intended or planned.

Even then, they may work as intended but not work as required.

4
0

California cracks down on Internet of Crap passwords with new law to stop the botnets

DaLo

Re: IoT & Patching - The bigger picture issue is Trust is Dead

Trust may be dead for some devices and for some technical people, but the average consumer will go on Amazon, buy a cheap device, install it, download their app, agree to the 501 permissions required and put it on their network.

How are they to know any better? There is no mandatory test and qualification required to buy an IoT device; they don't presume the ones on sale are dangerous.

As well as extending this bill to a larger area (e.g. all of the US or all of the EU) where every manufacturer would be forced to comply, as the author states it should be extended and certified further. A beep for an update will not work, as very few cheap IoT devices ever get updated out of the factory.

I suggest:

# All devices need to have security assessment to provide a test of the device based upon current most likely threats. Devices must pass this and be certified before going on sale.

# All internet connected - or connectable - devices have a grading which shows a length of time in which they guarantee updates for a device. All source code is held in Escrow in case the supplier goes under in that time.

# Any security threats discovered in a device during its service guarantee time must be fixed in a standard length of time based upon the severity.

Therefore the customer can understand that by paying $5 for an IoT device they are likely to only get 1 year of usable life from it; someone who pays more might get a much longer guarantee.

9
0

Office 2019 lumbers to the stage once more as Microsoft promises future releases

DaLo

Yes, but that was also said about Adobe and the Creative Cloud and still everyone went out and signed straight up for it.

3
1

DNSSEC in a click: Cloudflare tries to crack uptake inertia

DaLo

Re: in large part because DNS providers don't see much of an upside to offering it

"Without a CAA record I can go to a CA and get a valid certificate for theregister.co.uk and then perform a MITM attack."

No you can't. If you can, then go ahead and do it. Is it possible? Yes, but there would have to be other security breakdowns with the trusted root authority or elsewhere (hacked into The Register's email system) to be able to do it.

0
0

Guess who just bought Maplin? Dragons' Den celebrity biz guy Peter Jones

DaLo

Re: Well, best of luck to him...

Well, you know what I would do ... and Peter Jones, you can have this idea for just 40% of the company, but you can reduce it to 30% in 5 years' time if you have repaid me what I decide I'm worth ... is run it with priority to the education sector. Create whole kits and lesson plans with add-ons and homework where parents can buy extra kit to get the extended marks with a school-provided discount - keep that discount available as a Maplin educational member.

Embed it as part of GCSE and A-level coursework. Create books and courses and provide them as off-curriculum extras.

Push birthday and Christmas gifts aimed at children and educational, so that family members can buy cool things that have a good educational slant.

Then push into extras for the school - tablets, projectors, PAs, lighting, security - with service techs and mobile installers, get on the LA procurement list as a preferred supplier.

Easy push, lots of money, and you have to seriously screw up to be delisted.

14
0

A boss pinching pennies may have cost his firm many, many pounds

DaLo

Re: Imagine...

Well, as long as each server had 20x quad-port ethernet cards and you had 1m square trunking, I can't see any problem with that at all.

20
0

HTTPS crypto-shame: TV Licensing website pulled offline

DaLo
Pint

Thanks - There you go!

4
0

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

DaLo

Not third-party code; the AC is talking about third-party hosted code, which is prevalent across the board.

There are many benefits to both the user and the site owner, but it does provide another avenue (maybe multiple avenues) for potential attacks. If it is not using an HTTPS connection to the third party then that is open to abuse.

7
0

Evil third-party screens on smartphones are able to see all that you poke

DaLo

Re: Who else would have a fox’s cunning that brings these attack vectors coupled w/ spare time?

It can't "miss a touch or two". It would be built into the screen's digitiser. Therefore if it missed a touch then it wouldn't send that data to the CPU in the first place.

It could also "read the screen" so that it knew what information was being displayed, and therefore what app was in use and what apps were installed, potentially making it 100% accurate.

1
0

Google’s Android Emulator gains AMD and Hyper-V support

DaLo

"But those features were available on MacOS and Linux only:"

Hmmm, and Windows using a PC with an Intel processor.

0
2

Cisco surges after pricing switches-plus-subscriptions just below old hardware prices

DaLo

"If Cisco had taken what customers were already buying and added subscription licences, customers would have seen straight through it "

Read between the lines ... we had to adjust it to make it more opaque so they wouldn't "see straight through it". This term is usually used when you have an obvious scam.

0
1

Yorkshire cops have begun using on-the-spot fingerprint scanners

DaLo

"I always thought it was bizarre that the government cancelled the ID card system"

It wasn't bizarre; it was a simple fact that they needed to get a significant number of people to sign up to the voluntary scheme or else it would not work. As soon as the majority are signed up then you can make it difficult for non-IDers to access services. However, it was heading for a disaster: colossal amounts of money for a system that in trials very few people were subscribing to, and there was a significant public and media backlash.

A national ID scheme needed to either be made compulsory, have started a long time ago when people weren't interested in privacy so much, be linked with a decent incentive, or be a slow burner where children get to sign up when they are 16/18 as the de facto age verification/NI card etc.

56
0

Electronic voting box makers want kit stripped from eBay – and out of hackers' hands

DaLo

Re: @ DaLo

"He was saying that the paper voting method was less susceptible to fraud. The crap state of voter registration in the UK is a different matter."

I gave 1 example of voter registration fraud and 5 of possible voting method fraud. Postal voting and no-ID voting are ripe for abuse in the current system.

3
2
DaLo

Re: @ DaLo

"Our voting method in the UK is understood by anyone ... far less doubt that the process has been meddled with"

Seemed to suggest that using a paper-based system created less doubt that it had been meddled with - "meddled" I would assume meant a chance of fraud, which also meant less chance of fraud than an electronic system.

So I would imagine that a list of areas where the UK voting system can be meddled with, in response to a post saying that the UK voting system had far less doubt that it had been meddled with, is hardly "the least [ir?]relevant place" to post a reply.

2
4
DaLo

Ah yes, no voter fraud at all. It is impossible to register your dog to vote or to utilise the postal voting system to gather as many votes as you want. It's not like anyone could turn up to vote saying they are someone else.

Luckily no blank voting slips go missing or boxes with completed ballot papers and all the blank postal ballots are delivered safely.

Absolutely agree nothing can beat the good 'ol UK paper voting system for ensuring no fraud takes place.

9
10

OK, Google: Why does Chromecast clobber Wi-Fi connections?

DaLo

Re: Nice evasion router vendors...

Because "TP-Link warned, the burst will fill up the router's memory and leave a reboot the only option to restore connectivity."

Hence a DoS, hence it is vulnerable to a DoS.

4
0
DaLo

Re: Nice evasion router vendors...

Or is it more like the neighbour's kid repeatedly kicking a ball against your front door and when he does your door lock pops open.

The door manufacturer says "well, the kid is at fault for kicking the ball against the door several times"; you might reply "yeah, he shouldn't have been kicking the ball, but right now I'm more concerned about the door's locks popping open".

3
2

Smartphones' security enhancements just make them more dangerous

DaLo

"...is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud..."

But what if, and I know this is pushing the bounds of reality, a processor had a flaw that allowed unprivileged access to the secure enclave you mentioned, either by being able to read the encryption keys, the salt, or directly from the authentication mechanism?

However there is not much chance that a processor would have a design flaw like that, is there?

22
0

£185k in fines rain down on dodgy PIs and claims firm for illegal data slurp

DaLo

Sooo, how were the PIs able to get bank transactions? I guess they could have gone rummaging through bins, but if they didn't it would be interesting to know how they obtained them.

5
0

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

DaLo

Re: Insider trading

What's great about the Motley Fool's write-up is that the suspicion was raised at the time of the sale (i.e. not in hindsight based upon what we know now). So the author already suspected that his selling off 100% of the shares he was allowed to sell was highly suspicious and indicative that he might know something about the stock price.

It's rare to see an analysis of wrongdoing before the alleged wrongdoing is actually known.

40
0
DaLo

Re: Error?

"No. A high resolution enables you to 'see' more. High resolution=high precision."

Isn't that the point MacroRodent was making? A high-precision timer will not mitigate it, as JavaScript will have access to high-precision/resolution timing. The mitigation would be to only allow it access to low-precision timing.

17
0

Damian Green: Not only my workstation – mystery pr0n all over Parliamentary PCs

DaLo

Well the ICO has waded in now so expect a severe word in her ear behind closed doors.

http://www.bbc.co.uk/news/technology-42225214

3
0

Crypto-jackers enlist Google Tag Manager to smuggle alt-coin miners

DaLo

I would suggest that this has happened either because someone at the TV site decided to add the miner to their site to 'test it out', whether with authorisation or not, or the company's Google account was hacked and so the hacker had access to the company's Tag Manager control panel. You probably won't find out, as it would be blamed on a hacker anyway.

If they had access to the website itself then they could just add the code directly, or obfuscate it with one of the many shortening services available.

0
0
DaLo

Re: Google is complicit

This is for websites, so it would be unusual for Chrome or another browser not to have internet (or INTERNET) permissions. Save your aghast for a story about apps.

3
0

Another UAV licence price hike? Commercial drone fliers rage over consultation

DaLo

Re: Logic?

"But I don't have to pay the DVLA to renew my driving licence every year."

But you do pay them £0~£2000 to tax your car.

3
0

OnePlus 5T is like the little sister you always feared was the favourite

DaLo

Re: Fingerprint sensor on the rear

Voice Unlock?

NFC (on car dock) Unlock?

0
0

Jet packs are real – and inventor just broke world speed record in it

DaLo

Re: Flying is the easy bit...

He did take a dive straight into the lake on this outing as well!

6
0

Self-driving bus in crash just 2 hours after entering public service

DaLo

Re: German Efficiency

"Germany has already decreed that robot vehicles must be programmed to kill animals and destroy property before thinking of harming humans"

But a small collision where the other party is to blame (truck reverses into you) and their insurance coughs up in full, including hire car costs etc., turns into your car reversing back and hitting a house, meaning that your insurance now has to foot the bill, you have to pay the excess, you have to hire a car out of your own pocket and your premiums go up, meanwhile Mr Truck drives off without a problem.

0
3

Coinhive crypto-jacking increasingly pops up in top 3 million websites

DaLo

Oh come on guys, that's really cheesy!

9
0

VMware open sources VR overlay for vSphere

DaLo

That CA Unicentre demo is pretty impressive for 1997.

Pointless but impressive.

2
0

Humble civil servant: Name public electric car chargers after me

DaLo

Re: Because these electric cars won't be internet enabled

But you would surely have a charger at home? 14 miles to the next hop doesn't seem too bad. Even the worst EVs can do 14 (or 21) miles without needing their next top-up.

As many workplaces are also starting to install chargers, for many people this covers most of their commuting needs.

1
0
DaLo

Re: Because these electric cars won't be internet enabled

"Still - this is of limited use here in rural Somerset. I wonder how many chargers will be seen here?"

Already quite a lot: https://www.zap-map.com/live

0
0

WhatsApp? You still don't get EU privacy laws, that's WhatsApp

DaLo

Re: Interesting

"The EU privacy law as it's currently drafted does not permit it."

Yes it does. If you give clear, unambiguous consent to users with an opt-in rather than opt-out, and clearly detail the processing you will be using, then you can do what Facebook/WhatsApp require.

The problem is that if they followed the law then most people would not opt in and so they wouldn't get that data, so they don't. They rely on ignorance, not informed consent.

12
0
DaLo

Re: Interesting

"Is it though? It's end to end encrypted so surely they have meta data but not message contents?"

If they own the app they could have access to your messages. End-to-end encryption stops a middleman or their comms servers, but it doesn't stop a back-channel directly from the app. I'm not suggesting they do use this capability, I very much doubt they do, but they could.

12
0

Xperia XZ1: Sony spies with its MotionEye something beginning...

DaLo
0
0

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

DaLo

Re: So in theory

It's equivalent to being as secure as you would be on a public WiFi network. Anything you wouldn't do on a public WiFi network you wouldn't want to do if you thought your WPA2 network may be compromised.

4
0

Concerns raised about privacy, GDPR as Lords peer over Data Protection Bill

DaLo

Re: What?

Also covers someone using a subject access request to ask for their personal details, and you then quickly remove all the notes on file or emails from customer service saying what a 'pain'* this person is or what a stupid name they've got before passing it on.

* or replace with an appropriate expletive

1
0

'There has never been a right to absolute privacy' – US Deputy AG slams 'warrant-proof' crypto

DaLo

"Result was the same, except for someone in Europe having sore typing fingers for a day or two."

Actually published it as a book with an OCRable font to save the fingers of the intern (although it was 'accidentally' published to Usenet before then anyway).

21
0

Is that a bulge in your pocket or... do you have an iPhone 8+? Apple's batteries look swell

DaLo

Re: Wrong Swelling

Do I win £5?

No, because you didn't use proper formatting to create a link in your comment (e.g. https://static5.arrow.com/.../lt1389_0699_mag_fig.1.jpg), therefore your link did not work.

2
0

BBC Telly Tax petition given new Parliament debate date

DaLo

"To be honest, I'd be quite happy to scrap TV licensing and actually just tax TV purchases. Literally put a 10% import / sales tax on new TV's. Problem solved. "

Most TVs are around the £300 mark. So that's a tax of £30 for a TV that will last, say, 5 years.

Your tax will raise £6 per year, leaving a shortfall of about £141.

The licence fee brings in £3.7 billion per year.

There are about 27m TVs in the UK. If they last 5 years then the tax per TV would have to be £685 per set. This would be a tax of 200% on the average TV. Combine that with the fact that people wouldn't then replace their TVs until they were kaput, and there'd also be a massive repair and second-hand market, and you could easily see the 5-year renewal become 10 years or more.

You're now looking at a tax of perhaps £1,500, which would exacerbate the problem more, and no one could ever afford a new TV and everyone would just use a PC or buy them from Europe (while still in the free market).

So do you then tax every PC as well? That'll go down well.

21
0

Microsoft gives all staff a marked-up 'Employee Edition' of Satya Nadella's new book

DaLo

@Updraft102 Re: FN+F5

@Updraft102

You've got the wrong end of the stick. The OP was talking about how the F1, F2, F3 ... keys can only be used by holding down the function key first, as without holding it down it just activates the keyboard provider's own non-standardised shortcut. That is the reverse of the normal mode, where you can press the F1, F2, F3 ... keys with one press and you need to use the Fn button to access the shortcuts.

The OP deduced this from the fact that to 'Hit Refresh' normally just requires hitting the F5 key, but if you have to hit Fn+F5 then it is one of those reversed-mode keyboards (and a ridiculous design).

11
0

UK Home Office re-bans cheap call gateways because 'terrorism'

DaLo

"So people who are single and live in the middle of nowhere are on their own then?"

Yes, by definition.

23
2

Tick, tock motherf... erm, we mean, don't panic over GDPR

DaLo

Re: Up to €20m includes the figure zero

There has to be room for wilfulness. So Talk Talk were heavily fined, but it seemed to be for sheer incompetence.

The £500K fine would be for a company who made a decision to act recklessly or even criminally with data and were found out.

With the new fines I think there will be more emphasis on hurting the company's bottom line, and they will be relative to the size of the company, but will still have a major element of whether it was premeditated or not.

2
0

Missed patch caused Equifax data breach

DaLo

Re: Typical problem of many large organizations

"This release addresses one potential security vulnerability:

Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser"

"Namely, no explicit mention of the CVE fixed in the release, making it relatively easy for a busy admin - with several dozen packages to status monitor - to downgrade the update from must do to 'pending'."

Hmm, Remote Code Execution would make any sysadmin's ears prick up. Anything that has a possibility of remote code execution needs to be investigated for risk ASAP and should go straight into the "must do" pile.

4
0


Biting the hand that feeds IT © 1998–2018