* Posts by MJB7

130 posts • joined 27 Nov 2013

I say, BING DONG! Microsoft's search engine literally cocks up on front page for hours

MJB7

Re: Tides

Somebody has identified it as Croatia. There is a 35cm (1 foot) difference between high tide and low tide at Split today - and those are Spring Tides! Next Friday it will be 16cm (6"). (The Med doesn't have much in the way of tides.)

What code is running on Apple's Secure Enclave security chip? Now we have a decryption key...

MJB7

Re: Well you cannot make this secure

" you cannot enter complex alphanumeric passphrases on a touchscreen"

Err, why not? I can enter almost all the characters on my phone that I can on my keyboard.

My most important passphrase has about 77 bits of entropy (I can be that precise because of the way I generated it). I enter it on my phone. (It actually only consists of lower-case ASCII, but length is more important than character set, and Password123! is not a secure password.)

Cloudflare: We dumped Daily Stormer not because they're Nazis but because they said we love Nazis

MJB7

Re: This has probably killed off Cloudflare

Nah! Most of Cloudflare's customers are businesses who don't give a damn about free speech, they just don't want to be blackmailed by some DDOS crooks. (And having *their* customers able to load the website quicker is just a bonus.)

Creepy backdoor found in NetSarang server management software

MJB7

Re: not rule out the vendor as the creator

A suborned employee is not (in any real sense) "the vendor". A suborned employee is just a mechanism for how the external attacker places the code in the product.

"The vendor as creator" was my initial thought on reading the headline - I thought it was a debugging tool that was left in place in the release. However, debugging tools don't tend to conceal their access to C&C servers like this....

Marketing giant Marketo forgets to renew domain name. Hilarity ensues

MJB7

Classy

Quote: A source familiar with the matter says Marketo has made a "substantial donation" to a charity chosen by Travis Pebble

That's fairly classy if true. I can't decide whether not trumpeting about it is even classier, or whether it indicates it's not true, but they want some of the brownie points anyway.

NASA lights humongous rocket that goes nowhere ... until 2019

MJB7

Re: Blue whales.

Quote: distance per unit time is velocity and has nothing to do with either thrust or power

You have misunderstood what the OP wrote. What he actually said is: "power is distance moved per unit time multiplied by force" (which is correct). There was a parenthetical remark after "time", but it didn't end the definition of power.

Alphabay shutdown: Bad boys, bad boys, what you gonna do? Not use your Hotmail...

MJB7

"If you have money"

I suspect the problem is that the cops would have frozen all his bank accounts, so he *didn't* have money.

Boffins with frickin' laser beams chase universe's mysterious trihydrogen

MJB7

Re: Missing matter

No, I'm afraid not. If all the missing matter mass is in the form of baryons (protons and neutrons) there would have been rather more fusion going on just after the big bang. The result would have been rather more Helium and Lithium in the universe.

I remember a talk given by Professor Sir Herman Bondi in the 80's where he was asked about the missing mass problem (actually, "missing light"). His preferred solution was "bricks". Dust (aka "soot") is too visible in long wavelengths; enough Jupiter-sized objects would show up at other wavelengths. Things the size of a brick (about 1kg) would solve the problem nicely.

... but we now either need something *really* exotic, or our fundamental theories are wrong. I keep hoping we can get rid of "Dark Energy" and replace it with a new theory of gravitation.

It's time for a long, hard mass debate over sex robots, experts conclude

MJB7

"I still don't understand why pseudo images are illegal."

The justification was that it meant that the prosecution for possessing real images wouldn't have to prove (beyond reasonable doubt) that the lightly photoshopped image was originally a real image rather than an entirely constructed one.

I can see that argument, but it also makes me uncomfortable that images whose creation has involved no harm to anyone are illegal.

GnuPG crypto library cracked, look for patches

MJB7

Re: It's important that it's been fixed..

"WebAssembly is nothing more than a cut-down interpreted VM, like Java used for decades". I know nothing about WebAssembly, but people have certainly demonstrated side-channel attacks using javascript (which fits that description). The whole *point* of side-channel attacks is that they need no privilege to perform. I see no intrinsic reason to suppose they can't be implemented in WebAssembly too.

GitHub flub spaffs 8Tracks database, 18 million accounts leaked

MJB7

Also, hope the salt was not in the same repository....

That shows a *profound* misunderstanding of what "salting" means. The salt is stored in the database along with the hashed password. It is not, in any way, intended to be secret.

The point is that different users will have different salts, and what is stored in the database is the hash of the salt+password. This means that the attacker must try common passwords for each individual user (well, individual salt), and can't just hash all the common passwords once, and then look up each user's hashed password in that list.
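As an added illustration of the point above (example code with constructed users and a constructed wordlist, nothing from the 8Tracks leak), this stores the same four users unsalted and salted and counts how many hash operations a wordlist attack needs in each case:

```python
import hashlib
import os

# Constructed sample data: a tiny wordlist of common passwords and four users,
# two of whom chose the same password.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Password123!"]
USERS = {"alice": "letmein", "bob": "qwerty", "carol": "letmein", "dave": "Tr0ub4dor&3"}


def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(salt: bytes, password: str) -> str:
    # hash(salt + password), as the post describes
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    # The per-user salt is stored in the clear next to the hash; it is not a secret.
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_salted(salt, pw))
    return db


def guess_unsalted(db: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then look every user up in that one table."""
    table = {hash_unsalted(pw): pw for pw in wordlist}  # len(wordlist) hashes in total
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(wordlist)


def guess_salted(db: dict, wordlist: list) -> tuple:
    """No shared table is possible: each user's salt forces a fresh pass over the wordlist."""
    found, hashes_done = {}, 0
    for user, (salt, h) in db.items():
        for pw in wordlist:
            hashes_done += 1
            if hash_salted(salt, pw) == h:
                found[user] = pw
    return found, hashes_done
```

Alice and Carol share a password, so their unsalted hashes are identical and one table lookup covers both; with salts their stored hashes differ and the work scales with the number of users.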

Labour says it will vote against DUP's proposed TV Licence reforms

MJB7

Re: German TV license

@big_D : You are several years out of date. These days you have to pay for a license even if you don't have a radio, TV, *or* internet device. It's a straightforward (hypothecated) tax on each household.

Spacecraft spots possible signs of frozen water on the Moon

MJB7

Re: Soil?

According to Wikipedia (an admittedly unreliable source), "standard usage among lunar scientists is to ignore that distinction."

WannaLaugh? Funsters port WannaCrypt to Commodore, Cisco, Nintendo and Tesla

MJB7

Re: They won't stop

IMHO it is better to only allow updates to be done by a dealer.

The trouble is that people won't take it into a dealer to get it updated. That leaves vulnerabilities lying around waiting to be exploited. OTA updates are the only way to get them done on a timely basis.

Car manufacturers are very exercised at the moment about how to do this securely (*). (Updates which are properly signed, and update kernels which are *very* carefully written, are about as good as it gets.)

* Source: Meetings I have attended, jobs I have been offered.

Fortran greybeards: Get your walking frames and shuffle over to NASA

MJB7

Re: > will run 10 times faster on the new faster computer

"Or, maybe even more to the point, will be able to handle jobs that are ten times more complicated in the same time" - err, probably not.

If you are doing finite element modelling in four dimensions (three space + time), then a factor of 10 will not even allow you to halve the mesh size.

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

MJB7

Re: Nothing new here!

"There's no problem with SS7, provided the numpties don't give out the crucial information first!"

They didn't give it out. It was stolen from their computers via malware.

Windows 10 Anniversary Update crushed exploits without need of patches

MJB7

Re: Why is font rendering in the kernel in the first place?

>> And, from what I read about Linux, more than ever seems to be going into that kernel too.

> no, just systemd and wayland. I'm sticking with FreeBSD.

FreeBSD is not Linux - it's an entirely separate operating system (although they are both POSIX compatible).

CompSci boffins propose scheme to protect privacy in database searches

MJB7

Re: But is this not security through obscurity?

No.

This will be similar in principle to Shamir secret sharing, where you give n people shares of your secret (or more plausibly, write the shares onto n smartcards), and it then requires k of them to come together to recreate the original secret. The magic of the algorithm ensures that if only k-1 collude dishonestly with an attacker, the attacker is no better off than trying to brute force the secret from scratch.
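An added toy implementation of the k-of-n Shamir scheme the post refers to (example code, not from the paper the article covers; the prime field is an assumption and the share holders stand for the smartcards in the post):

```python
import secrets

# All arithmetic is over GF(PRIME); the secret must be an integer below PRIME.
PRIME = 2**127 - 1  # a Mersenne prime, chosen here for convenience (assumption)


def make_shares(secret: int, k: int, n: int, rand=secrets.randbelow) -> list:
    """Split `secret` into n shares so that any k of them reconstruct it.

    A random polynomial f of degree k-1 is chosen with f(0) = secret; share i is
    the point (i, f(i)).  `rand` is injectable so a test can be deterministic.
    """
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret % PRIME] + [rand(PRIME) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the shares supplied.

    With k (or more) genuine shares this returns the secret.  With only k-1 shares
    it returns the constant term of the degree k-2 polynomial through them, which is
    unrelated to the secret: for every candidate s there is a degree k-1 polynomial
    through those k-1 points and (0, s), so k-1 colluding holders learn nothing.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    shares = make_shares(secret=0xC0FFEE, k=3, n=5)
    print(recover(shares[:3]) == 0xC0FFEE)  # any 3 of the 5 cards suffice
    print(recover(shares[2:]) == 0xC0FFEE)
    print(recover(shares[:2]) == 0xC0FFEE)  # two colluding holders get garbage
```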

Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more

MJB7

Re: One man band

It was always more than a one man band. It never went below about three or four central figures.

There are now even more people involved.

Wanna protect your data center? Take tips from the US Secret Service

MJB7

people don't test their backups

When has that not been the case?

Admittedly, for most history that's been because copying stuff by hand onto vellum meant that it was too difficult to take backups in the first place, and it's really hard to test a backup you haven't made.

Mars orbiter FLOORS IT to avoid hitting MOON

MJB7

"space is so vastly, hugely, mind-bogglingly big"

See http://joshworth.com/dev/pixelspace/pixelspace_solarsystem.html. It is subtitled "A Tediously Accurate Map of the Solar System". It's not that accurate - it lines all the planets up in a straight line, and has a lot of extra text to relieve the monotony. It is very tedious if you try to scroll all the way through (I gave up).

Feeling safer under Microsoft's cloud patent shield? Don't

MJB7

'Since Microsoft could not reasonably be expected to promote a “benefit” with no value whatsoever'

Err, why not? This is marketing types we are talking about here.

Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds

MJB7

Re: I missed this reading the original collision notification

@Naselus: "'I actually missed the part that the attack produced by Google needs to meddle with both sides - "good" and "bad" of the collision.' You missed it because it doesn't 'need' to."

That is seriously wrong. The attack absolutely *does* need to fiddle with both sides. Fiddling with only one side is not a collision attack, it is a pre-image attack - and nobody has demonstrated a pre-image attack against even MD5 yet.

'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time

MJB7

Re: Do we need to do anything about old content?

No. They manipulated both first and second document until they got an identical hash.

MJB7

Re: 9,223,372,036,854,775,808 sha1 calculations

@Hans 1 You are almost right *but* what they can do is get

000011100010001xxxxxxx0001000111001100[...] to equal the hash of 000011111010001yyyyyyy0001000111001100[...], where x and y can be anything.

This is the difference between a collision (which we now have), and a second pre-image attack (which we don't have - yet).

Intel Atom chips have been dying for at least 18 months – only now is truth coming to light

MJB7

Re: EU Customers don't need warranty

That is certainly true if you bought as a consumer. However, if you bought as a business (even a one-man-band consultancy), I don't think that applies. (IANAL and ICBW)

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

MJB7

Re: Rebuild from source code

I don't think building from source is all that hard. What is hard is deterministically building from source. That is, given the same source files, you end up with the same (bit-wise identical) executable.

There are a lot of tools that make that hard these days; there are good reasons, but it's not desirable in open source security software.

Don't snap SELFIES at the polls – it may screw up voting, says official

MJB7

Re: No one ever stands ....

When I sat asking for numbers, a) all of us had party rosettes (although I don't know whether mine said "Vote Green" or was just coloured green); b) we all asked for the voter numbers on the way in - nobody objected.

MJB7

"This way they can find out from the electoral register who can be bothered to vote, and target their junk mail accordingly" - That's not right. Each party will buy a marked up electoral register indicating who voted after the election. The trouble is that doesn't appear until some time after the election, and they want to know who to send somebody round to with a "don't forget to vote" postcard.

Sysadmin job ad: 'If you don’t mind really bad work-life balance, this is for you'

MJB7

Re: ..I don't need to apply..

Sadly, that story is almost *certainly* apocryphal. In particular, Shackleton would have been very unlikely to write "Safe return doubtful." - that would be much too negative for him.

Other points:

- although all the team that Shackleton was leading survived, there were three deaths on the team laying supply depots that Shackleton's team was supposed to reach after the pole.

- I'm not convinced that Worsley was *the* best dead-reckoning navigator ever. Captain Bligh was pretty good too (for all his other faults). (But yeah. If I was stuck in a 22' lifeboat with the nearest accessible human habitation 800 miles away across the stormiest ocean in the world, with a target only 100 miles long, he's the man I'd want to do the navigating.)

Biting the hand that feeds IT © 1998–2019