* Posts by Lee D

1614 posts • joined 14 Feb 2013

Your internet history on sale to highest bidder: US Congress votes to shred ISP privacy rules

Lee D
Silver badge

It's always been the case under EU data protection that your data can't safely pass through the US anyway. This is why Facebook et al set up EU data centres and refuse requests from US authorities to just pass on information.

The Internet, from your ISP onwards, is still - and always has been - an untrusted connection. If you're transmitting things in plain-text through it, even to next-door, then you're at risk of your traffic being snooped and need to protect, encrypt, VPN, etc.

This won't make any difference to that.

However, I do love the irony of all those years of having US people accuse the UK of playing "Big Brother" when in reality they are years ahead of us in that regard.

4
0

I need an ISP that offers IPv6. Virgin Media: Whatevs, nerd

Lee D
Silver badge

Virgin have a post for their forums for about the last three years with people asking for IPv6.

They keep announcing it "next year" and then nothing materialises.

And they announce it at trade forums and the like, not just a forum post.

They have zero interest, even if you have a leased line, which is precisely Sixxs' reason for shutting down. While they are doing the job, ISP's don't have to.

6
2

ICO fines Flybe, Honda for breaking data rules. They were, um, trying to comply with GDPR

Lee D
Silver badge

Spam is pretty easy to filter.

If you're not already refusing non-CLI phone calls and using your mobile's blocklist features (you do have a modern smartphone right?), then the number you get is pitiful. Get the apps that automatically looks up those "who's calling" lists for any number you don't already know.

And then you just blacklist anyone who gets through those measures and tell them why.

If the only way you can sell to me is to phone me up at random, without permission, on the off-chance that I might want to buy whatever-it-is, at that exact moment, from that exact company only, then you're really dead in the water anyway and there's no way I'd want to do business with you.

I have to say, HP resellers - and HP themselves - are doing this to me at the moment. I wouldn't mind but there's literally not a single piece of HP hardware or software anywhere on the site, and hasn't been for over a decade.

Bother me once, I'll take your details, make no promises, let you send to my work email.

Bother me again, within six months or a year, no problem.

Bother me more than that, blacklist. And I'll tell you why.

Yeah, it's "just one email to check in" but multiplied by every business in the UK that might want to do business with me, that's a ludicrous amount of unnecessary emails.

Personal users, there's no excuse. Unless I've literally signed something saying yes, the answer is no.

My landline doesn't get answered, it just goes to voicemail.

My phone doesn't get answered if I don't know who you are, it doesn't even HAVE voicemail.

Both are on TPS.

My email I can just click Spam and that's the end of it.

Bother me past that, and I'll just blacklist your company forever in both walks of life, personal and professional.

1
2

LastPass scrambles to fix another major flaw – once again spotted by Google's bugfinders

Lee D
Silver badge

Re: I don't get it

I'm the same.

Terrible memory for virtually everything EXCEPT those things I desperately need to remember.

Passwords of obscure accounts that other people use once in a blue moon aren't one of those.

But I still know them.

Alternatively, I have a password file stored encrypted on a USB stick (actually two) in the safe in my workplace, if I REALLY need to save them and/or I get run over by a bus.

Are you honestly telling me that using a bit of buggy software to auto-insert those passwords on forms, and store those passwords in the cloud with a random third-party is more secure than either my own memory, or an encrypted USB stick stored in a secure place that only the relevant people (me, my boss - who's data controller and won't reveal it) know is there and/or know the password to, and that it's inside a box that reveals if you've tried to tamper / access it (and hence is checked regularly whenever the passwords are updated)?

Get a clue.

1
6

As of today, iThings are even harder for police to probe

Lee D
Silver badge

Ask people who have iPhones and iPads if they know about it.

Ask them if they know it's an in-place upgrade of the thing that holds all their photos

Ask them if they've read the release notes (which the article says don't mention it)

Ask them if they are on the public beta (the existence of which doesn't mean anything).

I don't buy Apple - My reason for not doing so is very simple - I manage several hundred Apple devices.

And an in-place filesystem upgrade is NOT something that you push with an update without even mentioning it in the release notes or giving people a chance to opt-in rather than just doing it.

7
47
Lee D
Silver badge

Company upgrades your device without warning to a new and relatively untested filesystem.

Yeah, this is just one of the reasons that I don't touch Apple.

4
62

How Ford has slammed the door on Silicon Valley's autonomous vehicles drive

Lee D
Silver badge

Re: Sounds reasonable

Slight exaggeration there.

8
0
Lee D
Silver badge

WHY would you want to provide a facility for people to manipulate their phone's Spotify from the car controls?

As it is people aren't paying enough attention.

12
0

BT hit with £42m fine for Ethernet compensation delays to competitors

Lee D
Silver badge

Good timing.

I work at a school that spent THREE YEARS waiting for Openreach to install a leased line. Literally, they did nothing until the last months when I took over and ramped up the complaining, then they put empty fibre tubes all over the site (three different sections), then when it came time to blow the fibre, they said there was "no room at the exchange"... maybe in those three years someone could have checked and/or upgraded capacity? They never completed and we eventually blocked them from site because they kept trying to come back to "complete the install" after we cancelled the contract.

However, our new site has no choice but to use Openreach even if we specify Virgin as the vendor on our end. As such, we're expecting Openreach to drag their feet like they did for our first site. Maybe this will gee them up a bit, with a bit of prompting from Virgin (who we actually contract with).

1
0

UK Home Sec: Give us a snoop-around for WhatApp encryption. Don't worry, we won't go into the cloud

Lee D
Silver badge

"UK minister wants snoop-around for encrypted messaging"

Meanwhile, encrypted messaging is designed to be an anti-sneak-around for everyone, including UK ministers.

I find it funny that, 20-30 years after the PGP cases, and 60 years after the Enigma, we're still having the same conversation.

And though Whatsapp is "convenient", there's nothing stopping anyone using encryption technology way outside the reach of the security services via ANY service whatsoever.

Honestly, any decent terrorist who was trying to hide their movements wouldn't be using Whatsapp, they'll just have a bunch of encrypted shared files on some website/cloud that only each individual concerned knows the private key for. Hell, they may well even have their public keys stored in the public key stores on the net.

If you have any brains, you don't reinvent the wheel, or rely on a third-party service, when your life is on the line.

4
0

Dishwasher has directory traversal bug

Lee D
Silver badge

Ubiquity of general-purpose computers = ubiquity of general purpose security problems.

Things will only get worse as companies realise that it's cheaper to just put a Raspberry Pi in place of that specialist circuit board that controls everything, and then it's only one click from putting it on the net in the next model.

Seriously - look at the RPi zero boards with their wifi and GPIO. You're not telling me that making that old ancient washing machine control board is cheaper than that? Even the Arduino was a micro-controller really, but now it's just as cheap to deploy a full machine.

Economics of general-purpose computers that small, cheap, well-connected and powerful is going to be the end of any kind of sense in electronic devices. Prepare to see them in everything from phones and answering machines to clocks and radios.

1
0

MPs slam 'dismal' cost savings of government procurement body

Lee D
Silver badge

I work in educational IT.

I have yet to see any centralised purchasing cheaper than the individual schools could get the same thing. It's like the old thin-client, fat-client / centralised, decentralised services argument. If you put everything together and run from a central entity, then that entity has to be big enough to handle it all, while also handling all the little customisations for everyone. It also has to work out cheaper, despite being a much larger and taking on all the responsibility and staffing to do that.

But if you push it out to the individual places, everyone ends up with the things they want for the price they want to pay. Sure, it means the uneducated are paying more per seat, but that's because they don't research. Meanwhile, Johnny finds a great deal on Amazon and is reaping the benefits on buying it at 3am on a special deal, in bulk.

State schools all suffered the same problem if they were part of a borough purchasing program. Literally may as well have thrown money out of the window. Rubbish hardware coupled with overstretched support, and contracts that said you "have to" buy RM etc.

I used to break schools out of those contracts by providing myself for ONE DAY A WEEK and doing a better job that those centralised procurement departments. I did that for over a decade before I got bored of the same thing over and over and over again.

Academies were touted as a way around local education departments. That soon was revealed to be a lie as they are either part of multi-academy trusts or owned by entities that bought them with the EXACT same intentions as large government-based procurement departments (NHS etc. inclued) - You WILL use the governor's/headmasters owned company for purchasing everything. They sell a server that's not as good for a penny cheaper than our rival's, but a pack of AA batteries costs ten times as much as just buying one in a newsagent. Once you're in that loop, it costs twice as much to do everything, but everyone signs off because they're getting their 20% from the company that owns it (hint: This is the ENTIRE point of academies, by the way... all the pupil behavioural changes are vastly temporary and just shifting the problem pupils onto ordinary state schools until they can get this process in place, then achievement all returns to what it was before).

Strangely, every single independent school I've ever seen or worked for just uses Amazon, or whatever is cheapest for the product they want. Literally millions of pounds of business every year goes through Amazon from some of the larger schools. I've bought 500+ iPads via Amazon as they undercut every supplier we had, could deliver tomorrow, and offer their warranties. Hell, we even do some business via eBay because do you really care if the phone in that old office for the caretaker is brand new?

When I worked in state schools, that kind of thing (getting the same product simply, quickly and cheaply for the provably lowest price) was frowned upon and not allowed, don't ask me why! You had that "three invoices" junk on large purchases, which just made you choose the best supplier and then find two places more expensive in order for yours to be "best".

And these huge, expensive, prestigious, business-oriented, "jobs for the boys" private schools are all basically going on Amazon and don't require all that nonsense. Literally the time you spend and the money you waste messing about with any kind of central procurement (always subject to corruption) just isn't worth it. There are currently 100+ names plugged into a bog-standard Amazon Prime account at the school I work for... every member of staff @ the school address. Because we order so much, I can just send an Amazon link in an email to the accounts department, CC: in the bursar, who replies Yes/No, and then accounts click the link, buy it, and have it shipped with my name on it. Every morning there are more than a dozen Amazon parcels on the front door for everything from pens and paper to iPads and fenceposts.

My girlfriend, in contrast, works for the NHS where - quite literally - the AA battery story above is true. She's not allowed to claim £1 for a pack of Duracells, she has to go through procurement, pay a fortune (literally 10-20 times as much), it gets delivered a month down the line, gets stolen by some other department in the hospital (very common, because they just don't trace it), and about two months later arrives. By which time whatever you wanted to do has had to had batteries bought for anyway, which you can't get refunded on expenses.

Central procurement is a con and a backhander that only works in an ideal world. Everyone with business sense just buys what they need for what they're willing to pay from where they want.

1
0

Hutch's Three UK users ripping through over 6GB a month

Lee D
Silver badge

Re: Pah!

Cables beat radio every time.

It's not hard to see why, or to find proof in your own house.

Cables are dedicated, cables are isolated, cables are point-to-point.

Wireless is shared, wireless is subject to interference, wireless is to a sphere of a radius

I can put 10Gbps down a Cat6a cable, to as many cables as I have.

I can't put 1Gbps in a room in my house without it dividing by two the second a neighbour turns on theirs, or another device comes online.

Same principle applies to landline/cabled broadband vs mobile broadband. And the day it DOESN'T work like that, mobile broadband is dead because how are you going to provide the backhaul needed to the cell tower anyway?

The rule of thumb I use for everyone who complains about their login speed over wireless:

Expect wireless to be 20 times slower than a cable, in ideal conditions.

It seems to hold pretty well. That one-minute login with your large roaming profile will take 20 minutes over Wifi.

Although 4G is quite impressive, you can't expect people's demand to lessen, or the network's to improve in-line. I barely get a few Mbps to my phone most of the time. Enough for a stream or a download and really handy for browsing compared to the GPRS days, sure. But if I need to download a large backup, ISO or VM image or similar, I'm going to be plugging into a real connection.

15
1

Plusnet slapped with £880k fine for billing ex customers

Lee D
Silver badge

Re: How can you not notice?

I don't care what YOUR SYSTEM can refund.

YOUR COMPANY will refund me for 18 months of non-provided (and non-providable) service.

Quite literally, it's theft as they've taken your money and not provided the promised service, if there's no phone line to provide it on.

8
0

What should password managers not do? Leak your passwords? What a great idea, LastPass

Lee D
Silver badge

Both of which are worse than just securing your machine (not letting people see you type your passwords), choosing sensible passwords (* long, not complex) and not running third-party software with access to EVERYTHING on your computer, including an explicit list of every password you've ever used, anywhere, ever.

Like antivirus - the only program to run as SYSTEM, begin at startup, run for every user, intercept every possible file access on the entire machine, able to hide anything it does, not let itself get shut down, connect to the Internet, update itself automatically, and even nowadays run your firewall, decide what can get out or see packets, and what can come back in, often with remote-support tools built in. Yeah, that's not a recipe for disaster.

(*) Human-rememberable passwords are WAY outside brute-force limits - just make sure they are LONG, not faff around with fancy characters in your potential alphabets. Starting with just an ordinary alphabet, a character added to password length would make the password 26 times stronger, while including a new character (e.g. an asterisk) into the alphabet itself only makes it 1/26th stronger. STOP IT.

3
9

Microsoft IE11 update foxes Telerik dialogue boxes

Lee D
Silver badge

Am I the only one thinking "What the hell is Telerik?"

I mean, I guessed given the context and I happened to be right when I Googled, but it's not obvious.

1
1

Plans to force ISPs to filter content branded 'disproportionate'

Lee D
Silver badge

So the first time that someone's SSL VPN or whatever cuts out because they've put a filter on a business connection, are they going to pay for the support for that?

Also, why would you filter at the end-point, if you have both adults and children in the house? How do you distinguish between the two machine types/user types? You don't. So you leave the main connection unfiltered and apply filtering on the premises if you want that.

And, what are the statistics on how many homes with child-friendly filters opt-out, or how many opt-in when it's not the default?

Given a completely arbitrary survey here (800+ parents on a school site, working in the IT department), the last three times we asked, nobody was interested in any help buying, installing, advising, etc. them on how to apply a filter to their Internet connection. Literally NO-ONE even turned up. And we have parents turning up after work for EVERYTHING, it's a private school. Parents give the same answers - they don't want to be filtered, but they'd like their child to be. They enforce that by making them go online in front of their parents, and they know the school blocks everything else.

We are required to stay with KCSIE guidelines. We are required to deploy filters. And yet we want those filters under OUR control so have unfiltered Internet VLANs and connections. Because when something is blocked accidentally, it could take our business down, so it needs to be under our control.

Enforcing a child-friendly filter on every home is stupid.

Enforcing it on every business is even more stupid.

If they ever think about enforcing it for back-end and technical connections (business leased lines, datacentres, etc.) it would be so incredibly dumb I couldn't mention.

Especially when a £2.99 VPN app will bypass all that for you. Usually by connecting to one of those back-end technical connections in a datacentre that is almost entirely unfiltered and unmonitored.

P.S. Yes, I opt-out of every possible "child filter" for my personal life as possible. 2 x giffgaff blocks, and the ISP opt-in one. Not because I intend to do anything naughty, but because I want to make it quite clear that it's up to me if I do.

13
0

Nest cameras can be easily blacked out by Bluetooth burglars

Lee D
Silver badge

Re: bypassing CCTV is easy

Bypassing it is easy.

Doing it without arousing suspicion is hard.

Most CCTV systems have an "image obscured / power fail" alert that detects when a camera is obscured, damaged or disconnected and alerts people.

And such alerts - because they NEVER happen - generate much more suspicion than anything else. Hell, you can even have it set off the house alarm when that happens if you like, it's that rare.

1
0
Lee D
Silver badge

Re: In other news

Which is why you use 3G/4G backup on your router, and why you use UPS on any device that you care about surviving a power outage. CCTV DVRs and cameras should be top of that list.

(And is the Nest PoE-powered or mains? Even if it's mains (stupid), it's not difficult to ensure it runs on a protected circuit, but if it's PoE, you just need to UPS the switch).

Anyone who cares about home/business security can spend £50 on the cheapest of UPS and buy a GSM alerting alarm/camera system (which is the only kind of thing I'd buy anyway... why would you want the alerts from your cameras - literally "someone has cut me off!" - not get sent over an independent connection to warn you personally?

Don't rely on ADT/Yale to come running. Don't rely on your phone line being up. Don't rely on your neighbours to see the burglars or respond to your alarm. Even the police barely respond unless there's proof of a robbery in active progress, just an alarm going off is useless and CCTV? "Yeah, if you can just search that for us and send us anything that's relevant" (I worked with the CCTV in schools for 15 years and have also provided evidence for 3 crimes for neighbour's burglaries etc. - they just don't have time to sit through even YOUR footage, they will ask you to provide it or not bother).

My system is actually a proper system:

- 30-day recording CCTV on all cameras, full res, none of this motion detection junk.

- Wired cameras with blackout / cable-cut detection alerts (even putting a bit of chewing gum over the lens).

- UPS-backed NVR.

- Connection for alerts via email, GSM, etc.

- Smartphone app on my phone, my girlfriend's phone.

- Tablet app on an iPad in work, constantly showing all the cameras all day (just underneath my monitor. After a while, you ignore it all unless something happens, but because it's ALWAYS in line-of-sight you see everything you need to).

- Home burglar alarm is wired internally and alerts via GSM messages with internal battery backup.

Already proved useful in 3 police-reported crimes for my neighbours, numerous "neighbourly" disagreements ("If I catch your kids standing on top of my garden fence again, you're buying me a new one", "But they don't!", "1.28pm today, 12:12pm yesterday, would you like me to send you an MP4? Just because I'm not there doesn't mean I can't see it"), and no end of other minor disputes (my council weren't collecting my rubbish, then they claimed it was "contaminated", then they claimed that my bins were in the wrong place - ALL WRONG!, DHL parcel guy lobs fragile parcel over back-fence and then signs our signature... etc.), as well as my girlfriend "checking the cats were okay" every two seconds. It survives power-cuts (an hour at least, I think, but I've never had it out longer than that in 3 years), it survives cable-cutting, it survives people blocking or obscuring the cameras, and instantly raises enough alerts / suspicion that I'd be on my way home with a friendly call to the police on the way there (which, generally, should gee them up more than just "Oh, someone is burgling an empty house")..

And, strangely, the closest we've come to a problem is the guy who burgled one neighbour, then came back the next week in the same car, drove past my house at 2mph looking intently at my house for a long time, then decided to burgle the other neighbour instead. I'm sure the cameras, infrared floods, hard-wired connections, bell-box, RFID alley gates, etc. had nothing to do with that....

Ironically, all-in the system cost about £300 and a couple of days of cable-running. And you'd be hard pressed to find enough inside to walk out with worth more than that before I could do something, and it'd be much more tricky to do it untraceably.

Hell, even the iPad at work isn't actually mine.

2
3

Cisco reports bug disclosed in WikiLeaks' Vault 7 CIA dump

Lee D
Silver badge

I judge Cisco way more than anyone else in that regard.

That's not some super-secret hackery.

They have damn unencrypted open-packet interface enabled by default whether or not an option is explicitly set, that accepts commands from ANY packet.

Why the hell is that not just sheer negligence in creating a product?

That someone found it "before they did"? No... someone found the UTTER TRIPE that they were pushing as an interface to a modern device and just left in there.

3
1

The priest, the coder, the Bitcoin drug deals – and today's guilty verdicts

Lee D
Silver badge

Re: That's funny, isn't this the same as how the stock market works?

Not exactly sure that I agree either is really a crime.

"Hey, John, this product is so fabulous you should buy shares!"

John does so.

Shares turn out to be worthless.

As far as I can see, John kinda deserved that by not doing his homework.

Now if they were fiddling the accounts, or putting out false sales figures to make the stock prices rise, that is indeed fraud.

But bigging up worthless shares? Not sure I see the problem with that. The only people hurt are those stupid enough to believe advertising.

1
3

Shine on, you crazy Eind minds: Boffins fire out 43Gbps infrared 'Wi-Fi'

Lee D
Silver badge

Re: Radical new idea

IrDA and the like has indeed been around forever.

And site-to-site infrared / microwave systems too.

They have serious problems that stop them being used for anything other than consumer toys (IrDA way surpassed by Bluetooth, line-of-sight kills anything but use over your own land or free space).

Been trying to convince my employers to put in site-to-site-links but the only places that can "see" are in positions that would show the ugly, and they disapprove.

Instead, we spend £10k a year on a Virgin leased line and another £10k on a BT leased line at the other end (because no one supplier covers both areas... sigh). When I can see each building from the other. Just a shame we don't own all the land in-between because I'd just get them to chop down a couple of trees and problem solved.

0
0

Why is the Sinclair ZX Spectrum Vega+ project so delayed?

Lee D
Silver badge

Stick a RPi 3 in a box, run Fuse, use a real keyboard or wire up a Speccy keyboard matrix into one of the stupendously cheap arcade-controller extension boards. Done.

I love the Spectrum.

I love emulation.

A £25 copy of Spectaculator is my pride-and-joy, after my £30 registered copy of Z80/WinZ80 by Gerton Lunter.

They do everything the Speccy could do - and more - and even have options for nostalgic real-tape loading/saving (via the proper screechy audio, headphone cables or via WAV, TZX, etc.), TV scanline emulation, etc.

And then I bought a GP2X many years ago, and things like FUSE worked perfectly. A bit of controller config (and then realising you need a full keyboard for most Speccy games anyway) and you had this product - handheld, full-colour, console-like Speccy but that could also play ANYTHING else and even had GTA-clones written for it.

Honestly do not get the fuss. Buy anything that portable can run homebrew and they'll be a Speccy emulator for it.

But nothing quite beats a laptop with 1000 Steam games, all my work, VM's for programming, a full browser, and a Speccy emulator second-to-none with HDMI out if I need it. Hell, plug in my XBox360 wireless controllers and we all played Gauntlet on TV at a party a few months back. And I demonstrated loading from tape into the emulator, and playing a TZX out of the emulator into a real Speccy. It just worked.

If you spent any money on this, I really pity you.

A Nintendo DS could do what you want, and they're basically second-hand scrap nowadays:

http://zxds.raxoft.cz/

1
1

'Hardware 'dislodged' from HPE SAN during cable replacement

Lee D
Silver badge

Re: Never knew...

Offtopic but - the single most stupid rule for a rotational movement.

1
2

More Brits' IDs stolen than ever before

Lee D
Silver badge

Technically, for your identity to be stolen you would have to have been permanently deprived of it.

Therefore, if what you say is true, you are literally nobody.

Identity "theft" is really identity "fraud". There is no permanent deprivation of your identity.

If they used fraud to steal your money, they have deprived you of the money. They have stolen your money VIA committing identity fraud. Obtaining goods/services by deception.

Like software "piracy", identity "theft" doesn't exist. Unless they kill you in the process. But even then the charge would be murder and fraud, not theft.

2
0
Lee D
Silver badge

Re: let's not even mention companies house

What on earth makes you think that a signature should ever be accepted as authentication?

Like fingerprints, that's SECURITY DONE WRONG.

And it's easy to get hold of most people's signature. Ask them, make them sign for a parcel, or just get them to write you a letter.

There's no way that the system should let name + address + signature = confirmed identity.

Anyone who thinks so is DOING SECURITY WRONG.

5
0

National Insurance tax U-turn: Philip Hammond nixes NIC uptick

Lee D
Silver badge

How can you plan a budget for a year, only to undo it because of a couple of days of mild disapproval?

1) Did you not plan things properly and check you could do it earlier?

2) Is a year of planning really inferior to a few affected people grumbling?

3) What kind of forethought is going to be put into the change, which is a few days old?

At what point does anyone sit down and do research in government before opening their mouths?

Oh, Brexit is fine and we won't need to follow the law that we wrote... oops. After much expense and court-cases and backtracking, back to where you SHOULD HAVE BEEN before you even suggested the idea seriously.

Drives me mad.

36
0

UK's BT Openreach settlement highlights wider issues of 5G convergence

Lee D
Silver badge

Re: Forget 5G

People get confused here.

A cable, fibre or copper, gives you what's promised, and only tends to get more as time goes on (ADSL->ADSL2->VDSL, DOCSIS->DOCSIS2->DOCSIS3, etc.). You are sharing it with your street, but can be guaranteed a portion of it.

A speed on wireless / cellular is HIGHLY variable and totally out of your hands and will ONLY get less with time as more people jump on. And the old devices will make your new devices slower. You are sharing the connection with anything in a sphere of a certain radius and there are no guarantees.

It's a bit like Ethernet - Gigabit to every single machine is easily doable. Gigabit wireless to even half-a-dozen devices is almost impossible to guarantee in any significant way as you're sharing, say, 802.11ac between six before you even start. Adding more points makes more noise too. Whereas adding more cables makes things faster (LACP, etc.).

I use the rule-of-twenties. It takes one minute to download your network profile on a wired connection? It would take 20 minutes to do the same over wireless. This is why you don't use wireless, especially in crowded environments or for more than web browsing.

5G would be no different. Technically, it can give amazing speeds. In real life you'll get a pittance just larger than the previous pittance, which will get less as more and more people use it.

1
0

Borked browser baked into Nintendo Switch

Lee D
Silver badge

Re: I see what you did there

Since when has The Reg been Apple-loving? They can't even get a quote from them any more.

8
1

Lenovo EMEA wakes up after five quarters of sliding sales, adds CEO

Lee D
Silver badge

Re: Maybe ....

Lenovo kit is okay.

It's their home-based junk that got loaded with all sorts but what kind of place doing any serious deployment doesn't just image over the computers, even if they are brand-new.

My place is entirely Lenovo (IBM Bladecenter servers, Lenovo clients) on the PC side, their hardware is pretty bullet-proof. The laptops aren't bad (IBM Thinkpad legacy), the desktops are solid yet cheap. Their Chromebooks leave something to be desired but are in the same ballpark as Acer, Asus, etc.

Pretty much, they have the business side down. Their problems in the home-market are self-inflicted but I'm not sure most people would even recognise the Lenovo brand, and certainly won't understand its history.

200+ desktops deployed, into the fourth year soon, not one failure - not even a hard drive.

0
0

Oxford Uni boffins say internet filters probably won't protect teens

Lee D
Silver badge

Re: hmm

Private schools are far from doing what they like.

We have exactly the same child protection and e-safety problems as any other school, plus a bunch of pushy parents threatening to remove funds all year round if their darlings don't pass standardised exams with top grades every time.

With the ISI etc. breathing down your neck as vehemently as Ofsted.

2
0

Naming computers endangers privacy, say 'Net standards boffins

Lee D
Silver badge

Re: Ping

No, they said that having ping enabled made it a visible attack vector - which is hilarious as the connection in question offered SMTP, HTTP and HTTPS among others.

PoD is old-hat caused by people expecting packets to be compliant with RFCs, which is a stupid assumption in any network-connected system.

1
1
Lee D
Silver badge

Sorry, but if my internal network is leaking my hostnames, or I'm joining untrusted networks that can probe device names, I have bigger problems than the names of the devices.

That said, I do just name things when working using alphabets (phonetic, greek, etc.) or long lists of names. And lots of clients are generally just numbered. Thus there is no leak but - again - nobody but my users should have any clue that there even exists a machine called sierra.domain.com or whatever.

Devices joining my wifi generally only get web anyway, so there are no mysterious discovery protocols running around unless they are trusted devices and, again, how the hell is that stuff leaking outside the network?

The problem is much simpler - you have to advertise what your mail server is called, your local network advertises (internally) what your domain controller and DHCP servers are called. That some iPhone belongs to John? Really, who cares? And, again, what are they doing being able to talk out as if they are Johns_iPhone.domain.com? They're surely not.

This is almost as silly as when my security auditors told me that having ping enabled was a security risk. Not for any definition of security that I can fathom when it's already serving mail and web to the world.

4
1

If fast radio bursts really are revving up interstellar sailcraft, here's the maths

Lee D
Silver badge

Re: Astrophysicists think

If you have enough on-board energy to slow down, you could just use the same amount of onboard fuel, travel at half the speed, be able to stop and start yourself, and not need some complicated interplanetary laser system to help.

It just doesn't really add up.

0
0
Lee D
Silver badge

Re: Astrophysicists think

How do you stop?

I mean, momentum can hurt quite a lot in space, and do you have to have another beam slow you down from the destination?

Or do you have to get a tiny craft with no propulsion down from millions of miles per hour to nothing with no on-board energy?

13
0

Cold callers illegally sold Aussie farmers 1,700 years worth of printer ink

Lee D
Silver badge

$44 a cartridge?

My last printer lasted 12 years and didn't use $44 of toner or other parts in all that time. And it had a replacement drum and roller for that cost too.

Damn, I miss that Samsung laser printer, but there's only so long you can keep an Intel NetPort Express (with its 386SL chip inside) running to convert the Centronics port on the printer to be a network-addressable printer.

It's replacement, which is a mono wifi laser with NFC, smartapps and all sorts, cost less than $100 in equivalent money too.

They could have bought several hundreds of modern printers for the cost of that ink.

1
1

Anti-TV Licensing petition gets May date for Parliament debate

Lee D
Silver badge

Please list any action taken (beyond "discussing it") about any of the Parliamentary petitions whatsoever.

And how much happened compared to how many petitions are made every day. If there's even 0.1% that actually result in anything beyond talk whatsoever, I'll be incredibly surprised.

Like when I was back in school and the pupils petitioned for all kinds of ridiculous things, it doesn't matter how many people sign, nothing happens at all.

In the most extreme cases, lip service is paid to having a discussion about the issue, and literally nothing happens after that anyway.

It's a total waste of everyone's time.

6
2

Apple empties gas can, strikes match, burns bridge to hot-patch apps

Lee D
Silver badge

Re: Code injection.

Do you think the vetting process tests every possible code path? Do you think it even can?

Do you think you hand over your source code to Apple for testing, or a pre-compiled binary?

Do you think you can't just put "Test this website DNS entry, is it X.X.X.X? If so, be a virus" into the code and have it slip past ANY app review process?

Even if you have to obscure it, have you seen how easy such obfuscation is?

Even pretending that you're auditing such code is just smoke and mirrors, I'm afraid. There are no guarantees whatsoever even with the most skilled reverse engineer on the other end. Modern apps are tens of megabytes of compiled binary.

Stop relying on some guy at Apple who has seven millions apps to approve before Monday to spot things.

Just make sure that your permission model means they CAN'T ACCESS those hidden internal APIs, that they can't gain permissions they weren't given, that they can't interfere with other apps or data not explicitly given to them (e.g. via "Share" or other IPC) and that they can do no worse than run up your CPU time.

But, of course, that requires a proper security model rather than smoke-and-mirrors.

P.S. There is still an app - for the last three years - on the Apple iTunes store which is a full VPN, advertised as "break through your school filters", which is rated suitable for ages 3+, and Apple refuse to change it because "it's up to the app developer" (I have the emails if you'd like to see!). But Google Chrome, official app, is rated 18+ because it "lets users access the Internet).

Apple couldn't care less about you. All they want to do is stop you bypassing the app-store to do things.

1
7

Messaging app used by Trump aides 'riddled with security bugs'

Lee D
Silver badge

Sigh, as always totally missing the point.

It's like a checklist of things only present if you have no care for security except as an afterthought, which is pretty serious for a "secure" messaging service.

"Not only have these issues been addressed, but we also have no detection of them being exploited by any other party."

That would require you LOOKING and BEING ABLE to tell they were happening. You didn't see the guys doing it when they were initially building their tests and reports, so why would you suddenly detect them now.

You are failing best practices, before you even made a single line of code.

21
2

Scammers hired hundreds of 'staff' to defraud TalkTalk customers

Lee D
Silver badge

With multiple SIP trunks at my disposal? Not a lot. Especially once you call the BT abuse line and just tell them to intercept your line for an hour because of the harassing calls. BT don't much care for such things and have ways to block it upstream and take you out of business past a certain point. Did it to a bank, who got threatened with all their phonelines being disabled (they had an automated dialler that went potty and just kept dialling the same number, no CLI, but soon after BT intercepted it I got a phone call from the managing director of the bank to apologise).

I don't answer non-CLI calls and it takes only a few seconds to add certain groups of international numbers for, say, a few days to a very, very, very long and boring phone menu that costs me nothing to send them through, doesn't disturb or interfere with my system at all, but costs them a lot to dial and listen to.

(Last time someone tried to pull similar stuff it was actually a UK letting agent I was dealing with, who didn't have anything at all techy in the way of a switchboard, and I pissed one of the call-centre guys off so they thought it would be funny to keep ringing from all their different numbers and from withheld numbers. So I called their call centre direct - always argue prepared - and when they realised who I was, i.e. the guy they were trying to spam for sport, they kept hanging up. So I jammed their phone lines solid for 30 minutes with automated calls and scripted it to ring me only when they decided to stay on the line for more than a few seconds. Basically, I carried on with my day and just waited for the phone to ring which meant they actually wanted to talk rather than hang up or play pranks. They confessed that they couldn't do any business for all that time and eventually relented and dealt with my complaint - after threatening all kinds of things that never happened. Probably cost me about £10. I think it cost them a LOT more. Worth every penny for the phrase "No, look, we're sorry, please stop")

0
0
Lee D
Silver badge

With modern SIP trunking, it's almost impossible to bother to police like that.

I can get a Weybridge number in seconds, dialled into from the other side of the world, paid with a credit card (probably stolen if they are a scammer) in minutes, and it would take days to work out what was happening and shut it down.

Additionally, when you did shut it down, it would take only minutes to set up another or use one I've set up previously but not yet used to spam.

CLI is as useless as a From: header in an email nowadays.

Hell, if you do it right, you can have one telecoms system set up in your callcenter with staffed phones, and SIP trunks from all over the world that weren't traceable to that IP (just wrap them in various VPNs, who cares?), and every time a SIP trunk falls over, you have another ten programmed to go. Your staff would never know, your system would just carry on working flawlessly, the SIP people wouldn't be able to play catch-up fast enough, and it would be rather difficult to trace to you.

And when you commit fraud for a living, that kind of setup is probably the bare basics. To be honest, when they catch phone scammers in the UK where every phone is just registered to a certain business that they then raid, I feel a hint of disappointment that they were that stupid to get caught.

Hell, Skype will give you phone numbers galore for a couple of quid a month.

1
0
Lee D
Silver badge

I find that the phrase:

"You are aware that you're committing fraud for a living, don't you?"

usually gets an immediate hangup. I've actually had revealing talks with some of them, where they are quite unhappy with what they are doing.

0
0

UK's Virgin Media subscribers suffer fresh email blocking misery

Lee D
Silver badge

Problem with relying on server bounces? Server bounces end up creating more spam than the original messages, because you can't verify that the address to bounceback to is correct. The only thing that guarantees the server that is sending to you got the message is an error response in the SMTP session itself. Which is easily ignored and not propagated back to the original sender because... you can't verify the original sender's email address if you're the endpoint or a transport server somewhere in the middle of the conversation (e.g. a mail forwarder). And if you don't have the correct settings and suspect that bounceback email isn't genuine, you CANNOT send a bounceback and if you do, likely you're distributing spam on their behalf, etc. anyway.

Email is fundamentally broken in this regard, as are the associated standards which say you MUST send bouncebacks no matter what, etc.

Until someone re-invents email, there is no guarantee of delivery or timeliness.

1
0
Lee D
Silver badge

People relying on email to be delivered EVER and certainly within a specific time-frame are failing to understand how email works anyway.

An email server could hold onto email for 24h or not deliver it at all and nobody would ever know, once the message has been acknowledged by the server itself.

Email is NOT guaranteed. Stop using it as if it is.

It is CERTAINLY not time-guaranteed in any way, shape or form.

But, yes, greylisting often works on a hash of the sender domain, recipient user/domain and IP address such that genuine email from genuine mailservers is delayed by a few minutes for the first ever combination and then never again after a successful retry (subject to certain time windows, e.g. after 30 days of no email it might reset and delay an email again).

4
4
Lee D
Silver badge

Would you like to see my mail logs for a large school?

Greylisting blocks something like 90% of the spam that manages to make it through Spamhaus etc. RBL checks, reverse-DNS checks, SPF checks, etc..

You're required to retry, but on the timescale that the SERVER asks. If you retry too quickly (e.g. automated blasts from botnets), you end up making it even longer before your email will be accepted.

Additionally, retrying adds a lot of logic, storage and bandwidth to the system that only interfere if you're emailing en-masse, without hindering genuine email servers that play ball. You have to retry, from the same address, with the same email, only after the specified delay.

Yes, it's just "another measure". But it's effective. And, like tarpitting (which is basically what it is), it shows you who's just trying to get as many emails out as they can before they get shutdown, and those mail servers who are happy to just deliver your email on your schedule.

Honestly, greylisting does more than some blocklists manage on their own.

Until someone fixes email with a replacement that's secure, authorised (i.e. NO you can't send me email because I don't know who you are), low-bandwidth, compatible, popular etc. then greylisting is a pretty damn good measure.

18
0

Prisoners' 'innovative' anti-IMSI catcher defence was ... er, tinfoil

Lee D
Silver badge

"I'm going out on a limb here, but I guess they get the foil from the kitchen."

So prisoners are walking out of a kitchen with a concealed metal object, back to their cell, where it's stashed, traded and used and nobody notices?

This is exactly my point. There's a problem right there.

1
0
Lee D
Silver badge

Two questions:

Where did they get tin foil from such that they could all use it to block their signals from their own cells?

How do the mobile phones they have smuggled in get charged?

4
0

Tuesday's AWS S3-izure exposes Amazon-sized internet bottleneck

Lee D
Silver badge

Re: Optional DR/Resiliency

The number of times that I've had to explain this:

If you want a backup system, it will cost you what the real system cost, again, and a bit more for whatever tech to make it fall over.

And, yes, that functionality, hardware, processing power, storage, etc. will NOT be available to you to use. It will literally be idle (from a user point of view, but hopefully replicating etc.!) most of the time.

If you want something that tolerates a failure, you have to buy two of them and one of them does nothing all day long but wears, depreciates and costs just as much as the first. If not, it's not a suitable replacement.

And then you get into the depth you take this to - a redundant disk is just another disk. A redundant array is just another array. A redundant server is just another server. But a redundant site is another site. A redundant datacentre is another, fully-funded, fully-functional, datacentre. That sits and does nothing but can break in exactly the same kinds of ways over time.

And then you have to have a controller card, or another storage array, or a licensing for the server and software to make it failover, and site-failover logic and hardware, etc. on top of that cost.

I'm currently working at a place that can put a value on their data. They very nearly lost everything, and it would have cost an awful lot to get back running, let alone try and get their data back. Thus their DR is "proper" as they realised how much it would have cost in time and money, realised how much it would cost to avoid that (including my salary, for instance) and choose the "good" side of the coin.

As such, despite being a tiny employer by global standards, we have remote sites, remote servers, remote backups, full remote operation in an emergency, redundant leased-lines, redundant cabling around the site, redundant servers and all the logic to tie this together nicely.

But to secure System A against failure requires System A and System B of the same spec - MINIMUM - sensibly System C and maybe System D as well, plus the additional licensing and logic to fail them over and complete copies of EVERYTHING on them all. So you would have to pay 2-5x the total price your system cost originally, just to do a basic job of it.

When you do the maths, that STILL works out better than data loss, however. But nobody ever costs data loss properly until it happens and they realise how much it REALLY costs in terms of lost custom, legal requirements, hassle, time and money, the complete INABILITY to recover some data (no, you can't just post it off to 'a specialist' and expect anything to come back except a bill), etc.

7
0

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

Lee D
Silver badge

If anything, I've only ever required one IP per workplace but been given 5 per connection, plus 5 for any external server we rent.

Were we able to get, e.g. BT and Virgin, to properly co-operate on their lower-end of leased lines so we could have proper AS announcements, we would only need the one IP address per site.

From that, SNI is a given and you can safely NAT thousands of users without a problem. I have Smoothwall reverse proxy for a number of things (not least, it can inspect the traffic en-route to internal services acting as IPS at the same time as SSL-wrapping services which aren't SSL-capable internally) but I wouldn't use it to save on IP addresses.

There's no reason that I need lots of external IP's any more. One is sufficient and every connection that gives me a second IP, I'd be more than happy to set up in a load-balance/failover configuration on the same IP anyway, but it's generally not possible with normal business offerings. If anything, having one IP makes things so much simpler.

Currently I run two sites with an external server range in a datacenter, including two leased lines and two VDSL lines. I currently have three ranges of five IPs (six including the gateway IPs, and the VDSLs include a Cisco router which is doing bonding to one internal range), each of which only one is used to refer to that range and add it to the firewall. And only one is publicly advertised as the destination of every DNS setting we use. On top of that I have a small range for the external servers, again, we only use one.

I make that a wastage approaching 85% just for a small business. If everyone is doing the same, it's no wonder there are no IPv4 left.

And again, Reg, when you are going to deploy AAAA records. Look - you could use this article to put a machine on IPv6, add it as the AAAA record, and just have it proxy to your IPv4 site. But I'm guessing the answer will be "we're working on it" for about the seventh year in a row.

1
0

Boeing seeks patent for mobile device case with built-in fire extinguisher

Lee D
Silver badge

Re: Daft!

Better than that.

Patent the solution to the symptom, thus profiting from every fire instead of stopping them.

5
0

Forums

Biting the hand that feeds IT © 1998–2017