How big is the global blacklist? Could add long delays for users on slower connections, and perhaps overload the server's pipe.
1575 posts • joined 16 Jan 2007
University of Portsmouth?
I guess they have a tradition to maintain. If it's good enough for the sailors and tarts, why not the fish?
Now you have the reply ready ...
... for next time some annoying person tells you there's lots of good fish in the sea.
Wood for the trees
This looks like classic deprecation warnings. And yes, warnings are a useful tool: don't you always use at least -Wall with gcc and insist it builds cleanly? A policy that can make life more difficult when faced with a third-party or legacy codebase that generates reams of warnings, especially when combined with a PHB who insists you treat it as a 'black box'.
But it's a narrow focus. And when it makes a programmer's life more difficult, it risks being counterproductive, by causing the programmer to take his eye off the ball and risk introducing other errors that should be obvious. Perhaps the next experiment should test whether the warnings are productive when the programmers are presented with a legacy codebase that generates a gigabyte of them?
Re: PGP ?
Actually orthogonal to the legislation (as I read the article).
It'll mean you can't sell gnupg in Oz. And if you sell a tool that implements PGP, you'll have to be prepared to cooperate with the stasi.
Basically what it seeks to prevent is not unbreakable encryption, but rather making unbreakable encryption available to the Great Unwashed.
Those of us who can use gnupg are the tech equivalent of people capable of manufacturing drugs or weapons. You don't wipe us out, but you come down heavily on a person who supplies them to anyone else.
Ironic that it was an Aussie (Eric Young) who originally wrote the software that later became OpenSSL, back in the days when that would've been illegal in the US.
The security hole isn't really what's claimed: ability to forge a From: address is baked in to SMTP, and it relied on Damian having sysop privileges.
It's the mail system that first accepted the message then bounced it. Anyone who's suffered a Joe Job knows the hard way how inexcusably broken that is - and has been for the last 20 years or so (since mail abuse went from prank to spam). Either reject it or accept it; don't bounce!
Looks to me like a perfectly routine use of AI. The expensive Quack will do the high-level stuff, while the AI takes the technician role.
Experiments with AI in such roles help determine whether it's competent, either in an absolute sense or compared to human workers. Hopefully the AI can do a good job of avoiding some traditional problems, such as mistakes of boredom.
Re: bad legislation
The paragraph quoted in the article doesn't imply breaking crypto (nor of course does it imply the contrary). It *could be* a perfectly realistic bill dealing with situations like the FBI-iPhone row.
Flat-earth George has now moved on: Wikipedia tells us he's now Aussie High Commissioner to Blighty. Damn, he should be a Barry Humphries character!
Re: Obviously Not American But...
Any technical fault may take repeated visits to get fixed,
That's hopelessly over-optimistic.
It assumes you can contact them in the first place. And their customer service is inspired by Kafka.
Re: Where To??
They cannot move the conference to the UK because the visa issuing department will reject most of the applications.
... which would be a big improvement for unfortunate victims like Sklyarov or Hutchins.
Not sure where to suggest. There are a few countries with more liberal track records re: the 'net, but such things are subject to change (e.g. Oz, Germany). Perhaps a venue with a well-developed hospitality industry but busted government might suit. Greece, for instance?
Are you suggesting he'd abuse his position?
Surely better just to get the kind of publicity this story has brought it. When I was a lad we used to associate this kind of incident with Soviet-empire communism.
Re: Boot full of IT kit
Erm, different markets there. People who need help with wheelchairs or luggage are orthogonal to the question of who drives them.
My infirmity is my eyesight. I think I'd be reasonably safe (though not legal - despite holding a full, clean licence) driving in good conditions, but lethal in the dark and wet. No problem lugging a heavy load. The fact that self-driving doesn't solve every problem doesn't mean it's not a potentially-excellent solution for some disabilities.
Re: "Know where every tree, curb and stop sign is"
Damn. Can we do anything to curb this illiteracy?
There's a time and a place for pessimism. A bit of mundane optimism over the immediate weekend is neither here nor there. It's not as if he'll enjoy the shallow pleasures of a beer: it just focuses the mind on ultimate futility.
Re: Which raises the question
That's easy. A formal launch now becomes a legacy for the people currently in charge. Consider Hollywood blockbusters of a generation or two hence:
Thanks to the Space Force, founded by Trump, we have space dominance.
Re: What are the five existing armed forces?
Wot, no cyberforce heading among them? What are those folks at NSA? And come to that, also CIA?
And will they now have to replace the Pentagon with a Hexagon?
Is this a bug at all?
Doesn't rather depend on what the VPN product claims for itself? The app store page you link isn't specific enough to tell that.
When I've used a VPN Client, it has nothing to do with hiding my identity. It's just a means to connect to an employer's or client's network. A higher-level (and much more scary) alternative to ssh, and providing less privacy than ssh, in that it gives the relevant BOFH a lot of audit trail if I do anything so frivolous as read El Reg on $work time.
In a product aimed at the employers and clients for whom I've used one, DNS lookups outside the VPN would not be an issue at all.
For what purpose?
OK, quoting your actual words from the opening paragraph:
today's facial recognition technology is not safe for making serious decisions.
Is anyone seriously trying to claim otherwise? There's a world of difference between making a serious decision and flagging something for human attention.
A couple of years back, I had a nasty incident with police, who thought I was someone else (who I've never met, let alone know why they wanted to arrest him) and wouldn't accept I'm me. Facial recognition technology might have helped there, and - crucially - couldn't have made things worse!
 Their evidence? I opened the door at my home, where the man they wanted had previously lived. I had never thought an estate agent could be so useful as the one who manages this place and eventually was contacted to confirm my identity - and when the occupant had changed - in a manner they'd accept!
Good on Axon for being honest and realistic!
No possibility they might've had a vested interest? Perhaps in implicitly discrediting a competitor who makes claims for facial recognition?
Revealed: El Reg blew lid off Meltdown CPU bug before Intel told US govt – and how bitter tech rivals teamed up
If they told the government, then within hours they'd be exploiting it themselves, for who knows what nefarious purposes!
Speaking from ignorance here. But I'd've thought that, as with any big organisation, there's both good and bad. Not everyone in the US government would have a clue what you were talking about, let alone exploit it.
I'm sure there's someone they could've told who would just have filed it.
I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process
If that's the abomination called "verified by visa" you have in mind, these days my transaction seems to go through just fine if I just back out of it. I presume that's Just One More inexplicable aspect of its brokenness.
Not like SCO. SCO was undead. Long-drawn-out undead. Lots of cases, and a lingering bad smell.
ICANN has, by contrast, picked a no-nonsense jurisdiction and opponent, and is getting through the process remarkably quickly. Seems to me like looking for a quick, clean loss.
Indeed, H2G2 - and some of those truly annoying robots - are what sprang to mind as soon as an example of "chatty" was given. Of course people wanted to shut it up.
Re: Not this crap again
Last time this came up, I was told I would need 2 ID cards, with different names and genders on them.
So you're ideally set up for a life of crime and depravity as Mr Hyde, while maintaining Dr Cresswell's status as an entirely upright and respectable member of society.
That's two weeks of On Call, and two vintage columns. A definite thumbs-up to the change of editorship here.
(Yes of course it could just be coincidence, but I wonder if Simon had done it for long enough to have lost some of his initial spark).
Hats off to your printer, for the nudge towards thinking before you print
Any time we get one of these "look at the hate" articles, it leaves one crucial question unanswered.
Are the "victims" themselves (or researchers, in the case of those whose funding depends on Outrage) Making an Issue of their "group identity"?
Person: "I'm a straight white male and proud of it"
Person: "I'M A STRAIGHT WHITE MALE AND PROUD OF IT!"
World: "Shut up, idiot. We heard you the first time."
--- vs ---
Person: "I'm a black lesbian and proud of it"
Person: "I'M A BLACK LESBIAN AND PROUD OF IT!"
World: "Shut up, idiot. We heard you the first time."
SJW Army: "WAH WAH HATE SPEECH"
Blighty has a foolproof solution to voting security.
Just have none in the first place. No checks whatsoever on $person turning up to vote, nor on stuffing electoral registers. No security to break.
All-time low of £54.7bn?
A quick google finds as a data point our entire GDP was around £52.7bn in 1970. A phone (let alone a phone call) may have been a somewhat-expensive luxury back then, but I doubt they consumed more than 100% of the entire economy!
I'm not even being pedantic when I say claims like "all-time low" need to be qualified! There is genuinely no clue in the article WTF the claim is supposed to mean!
 Or rather two data points: GDP $130.672bn, and exchange rate 0.4033.
I get uneasy when someone pushes for tight integration of secure comms: it's such a high-value target. This is potentially someone for NSA&friends to terrify the s**t out of until he smuggles in a backdoor for them.
Anyone know the chap in question? How would he react if someone were to suggest to him what a shame it would be if his nearest-and-dearest were blind and crippled?
Re: It's just a test.
They'll be deploying stuff like the "right to be forgotten". Along with the same technologies that our own and other governments are requiring of them to deal with forbidden contents (under labels like "extremist" or "paedo") around the world.
If it was protectionism, they would ban all non-US sources rather than just two countries.
It's all done in small stages. First Kaspersky (um, surely a globally leading Good Guy). Then various Chinese bigcos on varying pretexts. Now a little more.
For non-US western companies there's a different approach, and it's outsourced. Use bogus patents to cripple Blackberry, leaving it a Suit-dominated company which can no longer innovate and dies a natural death. Lend a helping hand to Nokia's self-immolation.
Tariffs didn't happen all at once either. Divide and rule. If they'd hit their friends and allies (Canada, Mexico, the EU) at the same time as they hit China, the world might've got together and stood more united.
Depends where they get caught. If they'd travelled to the US, they might look anxiously at various foreigners, from Dmitri Sklyarov to Marcus Hutchins, NOT convicted of any such wrongdoing yet suffering harsher treatment.
Re: Man on the sun
Why not just counter with Turing's Halting Problem disproof?
All you need is a super-Turing computer. Like, for instance, an Analogue X Machine.
Turning your intended analogy on its head, I guess politicians and spooks can dream of an entirely new crypto framework. Then un-inventing our existing framework can be the next thing after brexit to keep them away from reality.
Re: Peaceful protest
When I've been on a peaceful protest, I've always done so fully expecting to be identified - and that's based on last century's technology (and police on horseback in big events). Not going to let that bother me.
The big psychological hurdle was going on an event associated with the loony left. That put me off for years, before I felt strongly enough about something to overcome natural revulsion.
A fine distinction
CCTV is old news. In widespread use, and seemingly accepted by most.
What does facial recognition really add to CCTV? If evidence from a camera is ever going to be used against someone in court or elsewhere, it's going to be based on human analysis, and cops have been doing that for as long as there's been CCTV. Patterns of behaviour? What cop is going to stand up and face such obvious ridicule as M'lud, my client's alleged appearance in all that footage is part of the 98%.
Re: The stupidity of "business method" patents
GPS was a known future technology as far back as the 1980s.
I did some work in the late '80s on a system that was presumably prior art to the patent in question. It used a pre-GPS positioning system (non-global) and pre-GSM data network to monitor and track vehicles. Originally for security (we were part-owned by Securicor, whose business was secure transport of very-high-value loads), the system was expanding to include users like utility companies, who would use it to identify and call a nearby van when Mrs Miggins called to say she smelled gas. From distant memory, taxi companies were another target market, but I'm not sure whether any were signed up in my time.
I left that job in 1989. I'm pretty sure the company migrated to GPS sometime in the 1990s.
Re: No hypotheticals
@GnuTzu - the problem with bug bounties is that they attract a lot of hopeful junk. A rather poor signal-to-noise ratio among the reports. That puts a burden on the developer community. Fair enough for a company paying its developers, but not good in the case of volunteer developers in an open source project.
This is mitigated if whoever offers the bounty also takes it on themselves to pre-filter submissions and forward only those that look real. But not every hopeful is capable of reading TFM and submitting their "bug" to the right place. And a rejected wannabe might submit directly to us, with the hope that we accept it and they then turn round to the bounty sponsor and say "look, it was real".
Good to see a bug bounty that isn't going to attract loads of wannabes to submit contrived nonsense reports in the hope of getting paid.
But this too could have unintended effects. If someone claims the full monty, who has been pwned? The sysop who perhaps misconfigured the software? Canonical @ubuntu? Upstream packager @debian? Or the software's original dev team? Or all of the above? Lots of scope for uncertainty there, and that's without even mentioning third-party Usual Suspects like PHP in a web server.
SSL slows down low power devices.
Not just low-power devices!
HTTPS is far, far worse than that. It buggers up web caching. The effect of that on web traffic is like taking 1000 people off a commuter train and putting each of them in a car to clog up the roads!
HTTPS isn't just about hiding the content. It's also about proving that the content is intact, as it left the source server, and that the source server is who they claim to be.
Sometimes that matters. Other times it really doesn't: who cares if it was some anonymous MITM who inserted your comment? And there are much-lower-overhead ways to achieve such goals: for example, the rarely-used Content-MD5 HTTP header offers a way to verify intactness of content against accidental damage, and similar use of a cryptographic signature such as PGP could protect where it really matters.
There are also legitimate reasons to rewrite content on the fly. My own involvement with such goes back to about 2002 when I was working on accessibility tools, and provided a proxy that would rewrite elements of HTML on-the-fly to make it more readable to someone with a linear or text-only browser. Remove some of the hurdles faced by blind users, or by Granny Arthritic who stands no chance chasing script-driven menus with a mouse.
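The distinction drawn in the comment above, between a Content-MD5 check and a cryptographic signature, shown as an added example that is not part of the original post. The header name `X-Example-Signature`, the key and the sample bodies are constructed for illustration, and an HMAC with a shared key stands in for the PGP signature the comment mentions.

```python
import base64
import hashlib
import hmac


def content_md5(body: bytes) -> str:
    """Content-MD5 value per RFC 1864: base64 of the raw MD5 digest of the body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def check_content_md5(headers: dict, body: bytes) -> bool:
    """Unkeyed integrity check: catches accidental damage, nothing more."""
    claimed = headers.get("Content-MD5")
    return claimed is not None and hmac.compare_digest(claimed, content_md5(body))


def sign(key: bytes, body: bytes) -> str:
    """Keyed tag over the body (HMAC-SHA256 here, a stand-in for a PGP signature)."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")


def check_signature(key: bytes, headers: dict, body: bytes) -> bool:
    """Keyed check: fails unless whoever produced the tag held the key."""
    claimed = headers.get("X-Example-Signature")  # hypothetical header name
    return claimed is not None and hmac.compare_digest(claimed, sign(key, body))


def scenarios() -> dict:
    """Return (content_md5_ok, signature_ok) for three constructed responses."""
    key = b"constructed-demo-key"  # constructed sample key
    body = b"<p>original comment text</p>"  # constructed sample body
    headers = {
        "Content-MD5": content_md5(body),
        "X-Example-Signature": sign(key, body),
    }

    # Case 1: a byte is corrupted in transit, headers arrive unchanged.
    damaged = b"<p>original comment tex\x00</p>"

    # Case 2: an intermediary rewrites the body and recomputes Content-MD5.
    # It can do that because the digest needs no secret; it cannot redo the tag.
    rewritten = b"<p>comment inserted in transit</p>"
    rewritten_headers = {**headers, "Content-MD5": content_md5(rewritten)}

    def both(h: dict, b: bytes) -> tuple:
        return (check_content_md5(h, b), check_signature(key, h, b))

    return {
        "origin": both(headers, body),
        "accidental_damage": both(headers, damaged),
        "rewritten_in_transit": both(rewritten_headers, rewritten),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} content_md5_ok={result[0]} signature_ok={result[1]}")
```

The rewritten response passes the Content-MD5 check and fails only the keyed one, which is the gap between "intact against accidental damage" and "intact as it left the source server".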
Re: Just to mudddy the waters a trifle ...
So you Brits were running your economy off of LSD for years? That explains a bit...
That goes back to the Romans. And we're not the only country to do it in modern times, though some (like Italy and Turkey) saw their £ fall so far as to eliminate any purpose for the S or D subdivisions.
Would that be when # was the standard prefix to get an external line from an office network?
Rebecca - a flying start
This has to be one of the best Monday mea culpas to date: a protagonist who is absolutely to blame and in circumstances I (and I expect many of us) can identify with. Did Simon leave you this story lined up, or are you just better at it?
I'm sure the only reason I've never done similar is that I've never been in charge of a mainframe. Though it brings to mind a few 1980s-vintage pranks, from when Unix machines trusted each other and would happily share screens (xhost + was a default setting). Or the one on VMS that had the company go into panic mode for a major security breach 'cos I altered my logout to display a logout screen for "SYSTEM".
Here's a thought. These days when bored like that, one can turn to the 'net and browse something - like the day's crop of Reg stories. I wonder if that's substantially reduced the rate of "bored" pranks, and accidents like this?
Re: "Where is the evidence to suggest that would happen?"
The NI "Troubles" had their roots in the civil rights excesses practiced by the Stormont government in the 50's and 60's
Erm, which century? The Stormont Government only came into existence in 1922, as a response to the "troubles".
Re: "Where is the evidence to suggest that would happen?"
NI is a hard one to judge from outside. But insofar as a pragmatic centre ground exists in NI politics, I'd expect brexit to increase support among them for unification with Ireland. Particularly a Rees-Mogg brexit that sweeps away food standards in Blighty and so necessitates a hard border.
Re: I was pro-remain, but this really is "Project Fear" at work.
Project Fear was evident on all those Conservative election leaflets last year.
It was the mugshot of Corbyn, and the prospect of his getting any whiff of power. It worked, to the extent that the Tories didn't get annihilated, as would've happened if they'd faced a credible opposition. It just didn't work as well as May expected.
The brexit risk comes in two parts. One is the logistics of importing enough food to feed us all: we can expect the likes of Tesco, Sainsburys, Lidl, etc to be on top of all the new Red Tape they'll face, but that doesn't help if their trucks are stuck in 100-mile tailbacks. Then add to that our government's inability to agree among themselves what they're trying to do, and no matter how much the EU bend over backwards to accommodate us, nor how well-organised our logistics businesses may be, they'll be up against undefined rules and no fine manual.
As for WTO, the UK may have to get its act together rather more than our government can agree on just to qualify for membership. And then ... will the WTO itself survive if Trump goes to war with it? What will he do if and when WTO rule against him and in favour of any of the countries he's attacked, such as China, the EU, or Canada and Mexico?
Re: Booo! Booooooo!
Oh, I thought you said excrements... never mind.
*Shrug*. Whatever turns you on.
Though now you mention it, I expect the Reg's other Simon could do excrement. Talking of which, have I missed a BOFH or has it just been a long time?
Re: Booo! Booooooo!
The acid test will be whether Simon cares enough to stay on as a commentard. I hope he will: to disappear completely would seem a bit dismissive both to his successor and his community.
Raise a glass to Simon as I see his future self: a scurrilous backseat driver as Rebecca takes the column on to new excitements.