Posts by Brian Miller

Why bother?

With ASICs, FPGAs, GPUs, and eye-popping networks on a chip, will quantum computers really amount to anything? Either it's going to be too late, or else it's going to be too expensive for anything actually useful, except by Big Government and Big Corporation. Really, does anyone expect a quantum computer priced like a PC?

By the time a quantum computer will be breaking encryption written today, the art of encryption will have moved beyond what would make that quantum computer practical. And no, it wouldn't be cheap enough for crims to purchase to crack our online transactions.

I predict the obvious: bad implementation and practices are our biggest problem. Always have been, always will be. "Passwords? We don't need no stinkin' passwords!" "Encryption? Uh, I saw a movie with that in it."

Harshing their mellow!

Oh, the pain, the horror! To be told that weak anonymizing protocols don't count for much! Tor should have a FAQ about how many ways its anonymity can be countered. It doesn't matter how many times the packet bounces around Tor's echo chamber, there are only so many entries and exits.

Tor is broken. Time for better protocols, where source and destination are anonymous, despite the fact that everything is in a big glass fishbowl!

Google is the best hope? Aw, sh...

"Google has more information on the people of the planet and more influence on the people of the planet than all of the governments combined." -- Andrew Greig, founder and CEO of Vizzeco.

He likens Google to the Borg. Actually, it sounds like the Borg and the dark side of the Force. "Don't be evil." Uh huh.

Quick, El Reg, go for it!

Now is the time to leverage all of the wonderful expertise gained with the intrepid Plamonauts, and go for that prize!

Tor = broken!

There are a lot of "secret" services which are essentially broken by design. The Tor service can be decloaked if one rents sufficient temporary capacity, and then makes a lot of requests to the site in question, and the analyzes the traffic on the captive Tor nodes. Eventually, the server that you are after lights up in the statistics, and you've got them.

Tor nodes can be evil, too, dumping malware on the files being transfered. Thus when feeding traffic back to someone, you can drop into the stream some exploits to easily track the user's computer.

The only way that a service can be effectively hidden is if it exists on multiple nodes, and move around of its own accord. There was a research paper about using the logic in the Game of Life to keep nodes alive, and give a stable user experience.

And what was doxbin? A blackmailing service! Kind of like an evil Wikileaks.

Shouldn't they have seen this coming?

There are so many capable maritime consulting companies available, I don't see why they weren't hired to do the job right the first time around. Really, does Google really have a need to burn money stupidly like this?

But TOR *IS* broken

Let's see, what do we need to do? Establish a bunch of "evil" TOR exit nodes? And how much do "cloud" servers cost? And there you have it.

But Silk Road 2.0 was broken through normal infiltration, and nothing else. ("Yeah, I'm a crook! I'm wearing a mask and carrying a crowbar." "Want to be a sysadmin on my evil site?") And then the Feds went on to do routine surveillance, which is something they are very good at.

Personally I'd really like to see the "sellers" serve time. Really, offering contract killing? I would so love to see crap artists like that in the slammer.

Not a panacea

Network access is not a panacea. Never has been, never will be. Yes, it can be good for some things. But it won't change the ox cart! If a third-world country's rural population is running at ox cart speed, no amount of network access is going to change that. The ox only moves just so fast.

The Internet made a difference in the first world countries because we already had networks, we were moving at the speed of trains, planes, and automobiles, and we had been doing so for quite some time.

What steps to take?

What are they going to do, forbid all travel to north and south America? "Sorry chums, we love you, but you'll have to be isolated to save the newts." And the frogs, and whatever else this fungus loves to eat.

And then the fungus will mutate and eat us.

Collect garden gnomes, something else, PROFIT!

Interesting how they didn't show anything that actually had to do with wearable computing or computers. Fur suits and cue cards just doesn't cut it.

The first wearable computers we had were those little things from Sharp, the PC-1500, etc. OK, more like stuffable in a coat pocket, but close enough. The next thing that really caught on, and is still sticking with us, is the "mobile phone," with more screen resolution than a desktop monitor.

Since "augmented reality" is sure to be a larger distraction than texting, I'm sure that this will result in more Darwin awards (or runners-up or honorable mentions).

But it's still two blokes in a shed...

Look, everybody knows when ASIO makes a phone call because they have to move the wombat off the phone. In order for the other bloke to not listen in, he has to hold a koala on either side of his head to muffle out the sound.

At least they're better off than the Tasmanian office, where they haven't ever made a phone call because there's a Tasmanian Devil on top of it.

Wasn't there a Bitcoin fund for him?

IIRC, there was a Bitcoin fund for him, as a "thank you for making Bitcoin or sorry that you got fingered by idiots at Newsweek" set up for him. I suppose that's not enough for waging battle against Newsweek, though.

Industry has had IoT for quite a while

You do realize that industry, i.e., big machines and such, has had IoT for some time, right? It's just that nobody has made a big deal about it. Industry does have quite a lot to monitor, from the tire pressure in dump trucks to all kinds of factory processes. But it's an intranet, for local use only, security breaches aside.

Yes, I have IP cameras, but I don't open my network to the outside. That's part of the sensible nature of security, is to not expose what doesn't need to be exposed. So what about the fridge? The fridge isn't supposed to nag, it's supposed to report what's in it when you're at the store, trying to remember what's in it. You do realize that the alternative is to write things down on a slip of paper, right?

Look at all of the things that we use remotes for today. You realize all of that's IoT, but without the internet, right? I remember when a friend of mine, madly obsessed with remotes, had them all lined up on his coffee table, and then he wanted to turn off the telly. But that didn't work, because he'd grabbed his calculator instead. (It was hilarious watching him mash that red C/CE button!)

So what it comes down to, do we need industrial control for the home? Maybe a bit, but that's all there is, really. Old thermostats need to be replaced with something a bit better, but mainly because the old ones stick a bit, and don't turn off the heat when they should. But it's not because we want the heat only when the electricity is the cheapest.

Nice idea, installation & maintenance problematic

The current system for finding out when things go wrong is when the citizens in the neighborhood of the device call in to let someone know it doesn't work. Such as street lamps and crosswalk buttons. Now imagine trying to set that IOT device up. There will be a lot of paperwork just to note the location, like 27b/6.

How problematic would the firmware be? Depends on what it does. If it only reports, then there's not much of an attack vector, unless it's through the IP stack. But the ARM chips, if the system really is bare bones, don't have enough room for large complex code anyways. The IP stack itself will take up most of the space.

No, really, I read it and I have proof...

What everybody misses with things like this is that you could fake it when given that assignment. Or else completely fill up their database with garbage. Anytime your data is sent back to someone in plain text, you should get in on the act, too. Give them more data than they had planned on receiving, not less. What would happen if everybody claimed to be reading the great classics of literature?

Bash is Bollocks for security

Why in the world Bash isn't deleted from any Internet-facing system, I have no idea. If you look at John Hall's code, it's Bash itself that's making a connection back to Hall's servers. I can imagine that a complete evil server system could be hidden in Bash environmental variables. A "minimal system" should be exactly that, with minimal functionality.

No sh!t, DRAM to the rescue!

Wow, once again we find out that massive DRAM caches speed things up. Who would have thought?

These days a 60MHz 32bit processor is smaller than your thumbnail, costs $5, and people are still amazed that massive DRAM caches improve I/O. Back when IDE drives had just been introduced, I bought a smart controller and populated it with 16Mb of cache. Wow, builds could fly! And when I shutdown the system, the writes continued for a minute. Same thing here, different day, same premise.

Oh, why Steam?

Playing games bought on Steam has not made me happy. When I want to play a game, I want to play it when I sit down, not when Steam decides that it has server capacity to see if I may play it. I'd rather pay a premium for the game to not play it on Steam, and wait for it to be delivered to me.

Something about garden gnomes, ???, profit

Ballmer went on an acquisition spree, since Microsoft can't innovate. Microsoft bought Nokia, allegedly for its cell phone expertise. Now they lay off practically the entirety of Nokia, plus good chunks of their own US operations. Huawei dumped Microsoft phones due to poor sales.

Spend lots of money buying stuff, lay off lots of people, ???, profit.

Well, the profit is, of course, from Windows OS, Office, cell phone patents, and never from cell phones themselves.

Why bother with "Fantasy Supercomputer League" anymore

Once upon a time I'd look at the list and think to myself, "Gee, how much would it take for me to get my bedroom on the list?" Now, with the smallest configuration using over 2,700 cores, there's no longer any way this could happen. Any configuration worthy of #500 on the list these days would take more power than the whole house's mains circuit. Back in 2005 a system with 50 cores could score well. Not anymore! I'd need about 100 NVIDIA K-40 cards to get to #500.

M-Disk: 42,000 pictures of cats

From their own website: 21 hours of non-HD video, 120 minutes of HD video, or 42K pictures of your cats.

So in 1,000 years, the archivists will pop one of these into a drive, and see pictures of cats. And they will wonder what the hell is wrong with us!

2FA, passwords, fingerprints

I've had fingerprint readers on my past three notebooks. And I've used 2FA with a key fob device, for access to a corporate network.

The first real level of security is, "don't put that there," and, "don't let it do that." Don't put embarrassing photos of yourself on the Internet, and don't let your bank transfer funds like that.

The fingerprint idea is OK until you get an owie on your finger, and you need a Band-Aid. Even when it works right, it can take a few swipes before it recognizes your finger. The key fob is OK until it gets out of sync with the service, and then a re-sync needs to happen. The smart card and the key fob can also suffer from insufficient randomness or whatever other problem can crop up.

It's really hard to protect people from themselves. My apartment manager's password is two very simple words, followed by repeating numbers, and he has problems remembering that, so no way is he going to remember v<#?rSK51_Rc,pt, which can still be broken by a rainbow table. Yes, he has called me up on occasion to find out what his password is.

Sending a text message containing a second password to the phone is a good idea, though. Then the second password could be something random, like, "battery horse staple." Of course, for a MITM attack, that would restrict the attack to the current session. But depending on the data that the attackers want to access, that may be enough.

Security by brick!

Never mind security by obscurity, you need security by brick! If it has all the connectivity and Internet functionality of said brick, it's definitely secure for ten years!

Seriously, a lot of the security problems simply stem from really bad practices that should get someone fired in the first place before they create a pile of crap. If you want to manage a fridge, all it needs is SNMP, and nothing else. Same for basically every other appliance. SNMP v1 is more than enough to monitor everything, because you just need to get an appliance's state, not turn it on or off. Honestly, an IOT blender is pointless to turn on and off over the net. Really, is your robot capable of washing and slicing and dicing the veggies, but it can't turn on a switch?

Wonder where they get their data

"Predating Stonehenge, the building is thought to have been a house of the dead where bizarre burial rituals were played out. "The rituals included exposure of the dead bodies, and defleshing on a large forecourt,""

Where do they get that data? And about a wooden building that's older than Stonehenge?? The builders and others who played around with the stones weren't big on writing anything down, so I wonder how the archeologists came up with the specifics of the rituals.

Watch idea is valid, still bad implementation

I wear a wristwatch, and I keep the mobile phone stowed away. Honestly, I think that the watch is still a great idea, but they keep implementing it wrong.

A watch isn't supposed to be its own input device, it's supposed to be an output device, and it's supposed to be convenient. For a while, Epson produced a watch with pager functionality. Instead of a bulky pager, you had the convenience on your wrist. These new "smart" watches are trying to do too much, and thus essentially fail at everything.

Really, what do you want on your wrist? #1, the time. #2, who's calling you. #3, a small notification that maybe you'd like to look at your phone. That's it, and little more than that. Small, thin, light, and keeps running for a very long time.

Does the watch need to transmit data back to the phone? No. Does the watch need an amazing color display? No. Does the watch need to keep running? Yes, preferably at least a year between battery changes.

Let the smartphones be the little computers they are, and leave the watch with simple functionality.

Passwords? We don't need no steenkin passwords!

Anybody remember about the researcher who created a botnet to map out the Internet? 420,000 nodes, just on cameras alone.

It doesn't matter how many times this happens, the hardware manufacturers need to start requiring passwords on their devices, and ones that are "strong." My Cisco ISA550 requires a password that is stronger than logging into their website! And yes, it has to be changed on the first login. And why do they keep opening up ports by default? "This router keeps you safe!" Really? Really?? It doesn't keep you safe, and it doesn't keep anyone else safe, either!

Maybe the manufacturers could be fined under the truth in advertising laws. These are insecurity routers!

But it's my neighbors what's done it!

Once upon a time, a while back, I set up a honeypot on my connection to see what bots were rapping and tapping at my virtual door. It wasn't a raven, but a crowd of my neighbors! The vast majority of bot net zombies were, in fact, in my IP neighborhood.

So who is the military going to nuke when a DDOS happens?

I just can't help but imagine that some 12yo is going to start WWIII for shits and giggles.

Why binary compatibility?

"The chief problem for ARM is existing Intel apps won’t run on the chipset."

Once upon a time, not that long ago, this would never have been an issue. Really, the data center environment was heterogeneous, and many architectures were found. It was quite typical for a vendor to distribute many versions of the product. Yes, I personally did that, and the product was compiled for over 20 flavors.

Now we supposedly have Linux all over the place, but it's not really about Linux, is it? It's about Windows. If it were Linux, then it would be nothing to do but type "make" and then get on with it. But all of this actually has to do with Windows, and of course there's no end to that rat hole.

What's the point?

Everybody knows the Aussie agency is in a shed in the garden in the first place, and everybody knows everybody else as 'Bruce,' what's the point of all the security fallderal?

"Hello, who are you?"

"Oh, I'm Bruce!"

"Right, grab a beer from the fridge and let's chat."

"Hello, who are you?"

"Oh, I'm Ivan."

"GET HIM!"

He's right! PGP sucks to use!

Yeah, the prof is right, but it shouldn't take a PHD to get people to listen. It's actually been way past time for an update to the general implementation.

One of the reasons all of this really stinks is because SMTP was never designed with rigorous security in mind. It's really past time to move to a better mail protocol.

Security has poor memory...

http://www.theregister.co.uk/2009/09/21/bum_bombing/

What, they don't remember the grenade-up-your-ass ploy? "Please moon us for your safety."

Or how about the movie "Black Sunday" (1977) where a blimp is used to haul in the weapon of mass murder?

So all the fans are queued outside of the stadium, filing through the checkpoints, right where the terrorists will have such easy pickings.

I'm so glad that terrorists are so freaking stupid. Otherwise we'd be in so much hurt.