Well, to be fair, the disc hadn't stopped rotating, it had never started rotating in the first place. It was just sat there filling a gap and awaiting its destiny.
690 posts • joined 30 Aug 2012
Re: Was that a good idea?
FTA: "And so it dug back into the annals of internet browsing history and specifically Joe Belfiore's patent for "Intelligent automatic searching" which he developed while working for Microsoft back in the Internet Explorer days (Belfiore is still at Microsoft btw). He filed it back in 1997."
Re: It really is as simple as
Apple heavily restricts NFC to use primarily for Apple Pay.
Therefore it can't be used for passport verification, unlike Android, where the NFC can be used for anything the developer wishes to use it for in both secured and unsecured mode.
"PIN sentries are not specific to any bank, so I found out when I used a Barclays one with NatWest and vice versa, certainly a security error on the bank's part."
Why on earth is that a security error? This is by design; it is an open standard that is used by many banks in different countries. It means that if you have 6 different bank accounts then you don't need 6 different PIN devices - less plastic waste. Also if you need to make a cash transfer you can borrow one from a friend - especially useful when travelling the world. It also means they are all secured (or insecure) to the same standard rather than having weaknesses in specific ones. They also wouldn't need to all be swapped out every time a card range is changed for a certain bank (which happens many times a year).
So, completely failing to see why it is a negative...
"The firm couldn't provide evidence for any consent having been given for some, while for others it claimed consent had been gathered via privacy policies on certain websites.
However, the ICO ruled (PDF) that the wording of the policies wasn't clear or precise enough for people to understand they would receive direct marketing messages advertising the firm's services."
Now this is annoying. This seems to suggest that the ICO thinks that if the wording of the policies was clearer then this would be acceptable.
This is PECR and although I don't have the inclination to read through the regulations again just for this post, I'm pretty sure you need to get actual tick box (not pre-ticked) consent for communicating via SMS, phone and email, not just a policy stating you can, however clearly written it is.
I just don't understand the idea that it must be a single user's problem when there is an outage like this. Surely they have network monitoring systems that flag up within milliseconds that there is a significant problem and should let them know it isn't a user problem before the first call/tweet/letter comes in.
Re: The user has no freedom but to consent
"You can absolutely do advertising without spying on everybody, it's just less lucrative."
Need a citation for that - on a specialist site like "the register" then surely knowing its content and therefore its intended audience is enough to know what ads to run. You don't need to track/personalise/etc me to show me an ad.
Re: The report also says...
True, but every bit of bandwidth is shared regardless of the medium and to varying degrees.
BT used to have a contention of 50:1 on the ADSL product - not sure what it is now or what it is on different products but probably a lot less. At various points you'll get contention on any connection.
SSLlabs checks your SSL security and other associated bits and pieces. It doesn't check for XSS, CVE vulnerabilities, patch management etc.
A simple CSP header would have stopped this attack (and other script injection attacks) and should be a basic security measure for most sites, especially one like this that has a credit card checkout and uses third party content.
"He suggested it could be the type of breach where..."
A bit behind. It was due to a keylogger using a fake Google Analytics script called "https://g-analytics dot com". This was inserted into the page which skimmed the details and intercepted users and cookies.
Vision Direct claimed that the developers had tried to mitigate attacks like this but the signature was different; however, they had completely inadequate security against an attack like this and were not following PCI best (required?) practice. The security scan of their site -> https://ibb.co/m35V20
How did the script get on there? Well they use Google Tag Manager so if someone gets access to the console of that then they can put any tags they want on.
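An added illustration of the CSP point made above (this is example code, not Vision Direct's site or anything from the post): a simplified evaluator for the script-src directive, run against a constructed shop policy, the page's own origin and the lookalike "g-analytics" host the post mentions. It handles 'self', 'none', scheme sources and host sources with an optional scheme and wildcard subdomain; ports and path prefixes are deliberately ignored.

```python
from urllib.parse import urlsplit

# Added example (not the site's code): a simplified CSP script-src evaluator.
# Handles 'self', 'none', scheme sources (https:) and host sources with an
# optional scheme and *.wildcard subdomain; ports and path prefixes are ignored.

def parse_csp(header):
    """Return {directive: [source expressions]} for a CSP header value."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_source_matches(expr, u, page_scheme):
    """Match a host-source such as https://cdn.example or *.cdn.example."""
    scheme, _, rest = expr.partition("://")
    if not rest:                          # expression carries no scheme
        scheme, rest = page_scheme, expr
    host = rest.partition("/")[0].partition(":")[0].lower()
    url_host = (u.hostname or "").lower()
    if u.scheme != scheme.lower() and not (scheme == page_scheme and u.scheme == "https"):
        return False                      # https may upgrade an http page's source
    if host.startswith("*."):
        return url_host.endswith(host[1:])
    return host == "*" or url_host == host

def script_allowed(csp_header, script_url, page_origin):
    """True if script_url may load on a page at page_origin under the policy.
    script-src falls back to default-src; neither present means unrestricted."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    page, u = urlsplit(page_origin), urlsplit(script_url)
    for expr in sources:
        low = expr.lower()
        if low == "'none'":
            return False
        if low == "'self'":
            if (u.scheme, u.netloc.lower()) == (page.scheme, page.netloc.lower()):
                return True
        elif low.startswith("'"):
            continue                      # nonces, hashes, unsafe-* never name a host
        elif low.endswith(":") and "/" not in low:
            if u.scheme == low[:-1]:
                return True
        elif _host_source_matches(expr, u, page.scheme):
            return True
    return False

# Constructed policy and page origin for a hypothetical shop; not from the incident.
SHOP_CSP = ("default-src 'self'; "
            "script-src 'self' https://www.googletagmanager.com https://www.google-analytics.com")
PAGE = "https://shop.example"
```

A tag injected through a compromised tag-manager container is still subject to the page's script-src, so the lookalike host is blocked unless the policy contains a broad wildcard or 'unsafe-inline'.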
Re: 2018 is the year of stupidly sized phones
Just because you ride a motorbike and wear a crash helmet doesn't mean that you take it off every time you stop. I don't even take it off when filling with fuel and going in to pay, as it is a pain and most fuel stations don't mind nowadays (banks are a bit more concerned!). I made sure my latest phone was waterproof just so I can mount it without a full waterproof case to my handlebars. This has the advantage that riding around southern France in the summer has maximum cooling - in a case it will generally overheat and switch off constantly.
However I am not riding at speed reading the latest Brexit news and searching for a new saucepan. I do stop, pick up the phone and take a photo or select a different route when stuck in a long traffic jam, or open the translation app when at a roadside to read a sign, or look at reviews of places to eat when pulled up on the outskirts of town.
However what I actually do about unlocking is use smart unlock to detect the bluetooth on the bike intercom to keep it unlocked (the bluetooth switches off with ignition) and it has a gloves mode so that I can still use the touchscreen with summer riding gloves on (when stopped!)
Re: Power efficiency difference
"there are a few trades and professions that benefit from it"
Those trades and professions are not likely to be relying on a smartphone display for business critical colour accuracy. In fact I can't think of any trade or profession who would proof something on a smartphone that would require *that* level of colour accuracy and a decent non-10bit display would work just as well.
Could you imagine the conversation "The colours are slightly off brand"..."That's impossible, I used my iPhone to visually confirm they were correct"
Re: Biz math
"NAS is primary storage and should be at least RAID 5, so unless your disks all fail truly at once, your primary storage should remain intact. "
Not true unfortunately (if talking about HDD, not an all-flash array) - having a hot spare wouldn't help either. It used to be okay with smaller disks; however, the issue with much bigger individual disks is that they can easily fail on the RAID 5 rebuild. All disks will have their read/write limits and on average, once one goes, unless it was a dud, there is a higher risk that the others are in a time period where they will also start to fail. Now a RAID 5 rebuild is a very, very intensive process that hammers the disks, making another failure quite likely (actually very probable). If another disk fails during the rebuild then you have lost the lot.
A recovery of data from a failed RAID 5 array would need a very expensive process to do it and for most situations is near impossible.
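A small model of the rebuild-risk argument above, added here as an illustration rather than taken from the post: the chance that reading every surviving disk in full hits an unrecoverable read error, combined with the chance that a second disk dies during the rebuild window. The URE rate, annual failure rate and rebuild durations are assumed figures, not data from the thread.

```python
import math

# Added example (not from the forum post): why a RAID 5 rebuild gets riskier
# as individual disks grow.  Two independent hazards are modelled: an
# unrecoverable read error (URE) while the n-1 surviving disks are read in
# full, and a second whole-disk failure during the rebuild window.

TB_BITS = 8 * 10**12           # bits in one decimal terabyte


def p_rebuild_without_ure(n_disks, disk_tb, ure_per_bit=1e-14):
    """Probability that reading all n-1 surviving disks hits no URE.
    1e-14 errors/bit is an assumed, commonly quoted consumer HDD spec."""
    bits_read = (n_disks - 1) * disk_tb * TB_BITS
    return math.exp(bits_read * math.log1p(-ure_per_bit))


def p_no_second_failure(n_disks, rebuild_hours, disk_afr):
    """Probability none of the n-1 surviving disks fails during the rebuild,
    treating each as an exponential lifetime with annual failure rate afr."""
    rate_per_hour = -math.log1p(-disk_afr) / (365 * 24)
    return math.exp(-(n_disks - 1) * rebuild_hours * rate_per_hour)


def p_rebuild_succeeds(n_disks, disk_tb, rebuild_hours, disk_afr=0.03, ure_per_bit=1e-14):
    """Combined probability that the array survives a single-disk replacement."""
    return (p_rebuild_without_ure(n_disks, disk_tb, ure_per_bit)
            * p_no_second_failure(n_disks, rebuild_hours, disk_afr))


if __name__ == "__main__":
    # Constructed scenarios: the same 4-disk RAID 5 with 1 TB vs 10 TB members,
    # with the larger disks assumed to take ten times longer to rebuild.
    for tb, hours in ((1.0, 4), (10.0, 40)):
        print(f"4 x {tb:>4} TB: P(rebuild ok) = {p_rebuild_succeeds(4, tb, hours):.3f}")
```

Raising disk_afr models the post's point that siblings of a failed disk from the same batch are themselves nearing end of life; with the default figures the URE term dominates, dropping from roughly 0.79 to 0.09 between the two sizes.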
Re: RID master
Do you then cluster the RID master over geographic locations to ensure redundancy? Do you then need a RID master master to oversee your RID cluster?
How will the ID blocks work when they are re-merged, the transactions will be all over the place? If you don't need the ID for anything useful outside of a unique index then you could just do a compound index with the server name or start your index block at different starting points that will never overlap.
In reality it isn't so much about inserting data once or reading data, it is about changing data or a set of transactional commands that needs to be done in a set sequence where some of that sequence may exist on one server and some on another and where the times could be ms out. Or where some data is changed that only exists on one system, or has only made it into one index.
Re: "He said DoH removes a discriminator that can be used to distinguish DNS"
"Well, it's nice to know that the firewall configuration is easy. No offenses, but care to take a turn being responsible for..."
I have run network border security for more users than that. However the number of users - 1000, 10,000, 100,000 doesn't affect your configuration or make it harder. You are also not talking about a firewall if you are talking about a web proxy, they are different things. You may have a UTM with both firewall and Web Proxy included but the configuration of these is pretty standard, not sure why it would be difficult especially when talking about user requests.
I'm not trying to tell you how to do your role, but if you spend a *lot* of time dealing with users who have to inform you that they can't resolve a hostname and you have to spend any significant time troubleshooting it then I would suggest changing the procedures somewhere.
Re: "He said DoH removes a discriminator that can be used to distinguish DNS"
In an organisation as the firewall owner and the directory administrator you could choose how to do it.
You could only allow standard DNS requests and then convert them to TLS at your gateway providing oversight locally but not outside your administration or you could stop them altogether.
It's your choice, you have a root cert on every PC.
SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...
Re: Not the first piece of absurd preaching to come from the SQLite team
"If you want to have software that can have its database hammering with multiple processors on multiple harddisks ..."
Doesn't necessarily mean this. You may have high intensity procedures doing significant number crunching running on multiple threads which are just storing and retrieving small amounts of data from the SQLite database. The database isn't being hammered or particularly big but it still needs to be accessible and consistent across multiple threads.
European Commission: We've called off the lawyers over Ireland's late collection of Apple back taxes
Re: So does that mean that Apple had indeed received preferential treatment ?
Currently under appeal, hence why it has gone to the EU (in Escrow) and not Ireland.
If appeal is successful Apple will get it back, if not the money, I believe, will go to the Irish government.
Come back in 10 years for the answer.
Re: Why I'm not interested in PWA
So what do you currently do with websites? Do you block browsers on the desktop or just whitelist/blacklist individual websites?
I don't fully understand what the issue is? PWAs don't get admin level control, they can't open up ports on your machine at random, any ports they send out on can be blocked, there is almost as much control over malicious websites as there is over malicious programs, and more control over categorised websites, whereas I'm not sure a categorised system exists for applications.
So you can block PWAs globally or individually or block access to the web completely and restrict their remote connections and activities, this seems like quite granular control and would seem far safer than an application that has to be installed (and therefore has admin privileges at that point).
Re: Why I'm not interested in PWA
Well a PWA is still just a web site, nothing more. It can utilise hooks that can do some 'clever' OS level stuff like add a link to your homepage etc, but these are dependent on your browser and OS. So access to sensors and hardware has been granted by the browser, so any app, whether it is a 'PWA' or a web page, can access it.
Therefore your firewall ports will be as useless against PWAs as they would against any old web site. However blocking access to specific sites and to remote hosted data stores is just as easy with a PWA as another website.
As for offline/online. That is completely up to the developer - they can use web workers or service workers to allow use of a cache api or small db to do some offline work. Often this is regarded as a temporary storage state which will sync and clear down once an internet connection is achieved.
Re: IoT & Patching - The bigger picture issue is Trust is Dead
Trust may be dead for some devices and by some technical people but the average consumer will go on Amazon, buy a cheap device, install it, download their app, agree to 501 permissions required and put it on their network.
How are they to know any better? There is no mandatory test and qualification required to buy an IoT device; they don't presume the ones on sale are dangerous.
As well as extending this bill to a larger area (e.g. all of the US or all of the EU) where every manufacturer would be forced to comply, as the author states it should be extended and certified further. A beep for an update will not work as very few cheap IoT devices ever get updated out of the factory.
# All devices need to have security assessment to provide a test of the device based upon current most likely threats. Devices must pass this and be certified before going on sale.
# All internet connected - or connectable - devices have a grading which shows a length of time in which they guarantee updates for a device. All source code is held in Escrow in case the supplier goes under in that time.
# Any security threats discovered in a device during its service guarantee time must be fixed in a standard length of time based upon the severity
Therefore the customer can understand that by paying $5 for an IoT device they are likely to only get 1 year of usable life from it; someone who pays more might get a much longer guarantee.
Re: in large part because DNS providers don't see much of an upside to offering it
"Without a CAA record I can go to a CA and get a valid certificate for theregister.co.uk and then perform a MITM attack."
No you can't. If you can then go ahead and do it. Is it possible? Yes, but there would have to be other security breakdowns with the trusted root authority or elsewhere (hacked into the register email system) to be able to do it.
Re: Well, best of luck to him...
Well, you know what I would do ... and Peter Jones you can have this idea for just 40% of the company, but you can reduce it to 30% in 5 years time if you have repaid me what I decide I'm worth... is run it with priority to the education sector. Create whole kits and lesson plans with add-ons and homework where parents can buy extra kit to get the extended marks with a school provided discount - keep that discount available as a Maplin educational member.
Embed it as part of GCSE and A-level coursework. Create books and course and provide them as off curriculum extras.
Push birthday and christmas gifts aimed at children and educational so that family members can buy cool things that have a good education slant.
Then push into extras for the school - tablets, projectors, PAs, lighting, security - with service techs and mobile installers, get on the LA procurement list as a preferred supplier.
Easy push, lot of money and you have to seriously screw up to be delisted.
Not third party code, the AC is talking about third party hosted code which is prevalent across the board.
There are many benefits to both the user and the site owner but it does provide another avenue (maybe multiple avenues) for potential attacks. If it is not using an HTTPS connection to the third party then that is open to abuse.
Re: Who else would have a fox’s cunning that brings these attack vectors coupled w/ spare time?
It can't "miss a touch or two". It would be built in to the screen's digitiser. Therefore if it missed a touch then it wouldn't send that data to the CPU in the first place.
It could also "read the screen" so that it knew what information was being displayed and therefore what app was in use and what apps were installed, potentially making it 100% accurate.
"If Cisco had taken what customers were already buying and added subscription licences, customers would have seen straight through it "
Read between the lines ... we had to adjust it to make it more opaque so they wouldn't "see straight through it". This term is usually used when you have an obvious scam.
"I always thought it was bizarre that the government cancelled the ID card system"
It wasn't bizarre, it was a simple fact that they needed to get a significant number of people to sign up to the voluntary scheme or else it would not work. As soon as the majority are signed up then you can make it difficult for non-IDers to access services. However it was heading for a disaster: colossal amounts of money for a system that in trials very few people were subscribing to, and there was a significant public and media backlash.
A national ID scheme needed to either be made compulsory, have started a long time ago when people weren't interested in privacy so much, be linked with a decent incentive or be a slow burner where children get to sign up when they are 16/18 as the de facto age verification/NI card etc.
Re: @ DaLo
"He was saying that the paper voting method was less susceptible to fraud. The crap state of voter registration in the UK is a different matter."
I gave 1 example of voter registration fraud and 5 of possible voting method fraud. Postal voting and no-ID voting is rife for abuse in the current system.
Re: @ DaLo
"Our voting method in the UK is understood by anyone ... far less doubt that the process has been meddled with"
Seemed to suggest that using a paper based system created less doubt that it had been meddled with - meddled I would assume meant a chance of fraud which also meant less chance of fraud than an electronic system.
So I would imagine that a list of areas where the UK voting system can be meddled with in response to a post saying that the UK voting system had far less doubt that it had been meddled with is hardly "the least [ir?]relevant place" to post a reply.
Ah yes, no voter fraud at all. It is impossible to register your dog to vote or utilise the postal voting system to gather as many votes as you want. It's not like anyone could turn up to vote saying they are someone else.
Absolutely agree nothing can beat the good 'ol UK paper voting system for ensuring no fraud takes place.
Re: Nice evasion router vendors...
Or is it more like the neighbour's kid repeatedly kicking a ball against your front door and when he does your door lock pops open.
The door manufacturer says "well the kid is at fault for kicking the ball against the door several times", you might reply "yeah, he shouldn't have been kicking the ball but right now I'm more concerned about the door's locks popping open"
"...is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud..."
But what if, and I know this is pushing the bounds of reality, a processor had a flaw that allowed unprivileged access to the secure enclave you mentioned, either by being able to read the encryption keys, the salt or directly from the authentication mechanism.
However there is not much chance that a processor would have a design flaw like that, is there?
Re: Insider trading
What's great about the MotleyFool's write up is that the suspicion was raised at the time of the sale (i.e. not in hindsight based upon what we know now). So the author already suspected that his selling off of 100% of the shares he was allowed to sell off was highly suspicious and indicative that he might know something about the stock price.
It's rare to see an analysis of wrongdoing before the alleged wrongdoing is actually known.
"No. A high resolution enables you to 'see' more. High resolution=high precision."
I would suggest that this has happened either because someone at the TV site decided to add the miner to their site to 'test it out', whether with authorisation or not, or the company's Google account was hacked and so the hacker had access to the company's tag manager control panel. You probably won't find out as it would be blamed on a hacker anyway.
If they had access to the website itself then they could just add the code directly or obfuscate with one of the many shortening services available.