Posts by Doctor Syntax

16426 posts • joined 16 Jun 2014

RBS promises 'safe, secure, confidential' info-sharing on Facebook at Work

Doctor Syntax Silver badge

Maybe it's so they have something they can use whenever the main RBS systems go TITSUP.

Mostly Harmless: Google Project Zero man's verdict on Windows 10

Doctor Syntax Silver badge

Re: re. "ultimate bug bear"

Re: allthecoolshortnamesweretaken

Can we have a groan icon?

You own the software, Feds tell Apple: you can unlock it

Doctor Syntax Silver badge

Re: US surveillance, destroying Internet commerce one lawsuit at a time

A precedent set in the US wouldn't be binding elsewhere. In any event I'd guess that Apple will push this to the Supremes.

If the judgement stays I'd also guess that it will provoke some changes to EULAs to make them more customer friendly which might not be a bad outcome in the long run.

Doctor Syntax Silver badge

Re: This is stupid

"I suspect what the Feds are saying is, you control what software runs on the device, so push software to the device that allows us to get unfettered access; i.e. you have the capability to backdoor the device so we are ordering you to do it."

It's not what the Feds are saying. From the article: "the device in question is an iPhone 5s running iOS 7 – one of the devices that Apple can unlock" (my emphasis).

However, it's worth looking at the point you make. If the device isn't unlockable by Apple the likelihood is that it requires key input by the user. In the absence of such input it would make no difference what S/W Apple were to push on to it; it would stay locked, so no amount of huffing & puffing by the Feds would help them in the least.

Doctor Syntax Silver badge

Re: Ummmm...

'I think that Apple is saying, "This is not *our* information to hand over, it's his or hers," and pointing the feds at that individual.'

However, the point is that there is a search warrant. Due process of law is being followed. We complain when the authorities don't follow due procedure. When they do we should acknowledge the fact.

TalkTalk plays 'no legal obligation' card on encryption – fails to think of the children (read: its customers)

Doctor Syntax Silver badge

Re: Class Action Lawsuits

I've read the link you posted. Could you explain how it applies in this case, bearing in mind that the news item says it's about "firms that have fixed prices and formed cartels"?

Doctor Syntax Silver badge

Re: On transparency

'Dido Harding goes on record stating two interesting things: firstly, that their security is apparently "head and shoulders" above competitors.'

Unless by "head and shoulders" she was referring to the shampoo this seems an ill-advised thing to say. How many other ISPs can she name who've been popped more times this year?

The technical means of how data was protected is secondary. The main issue is that whatever measures they did take were inadequate.

TalkTalk attack: 'No legal obligation to encrypt customer bank details', says chief

Doctor Syntax Silver badge

"Technically, TalkTalk are a victim of crime."

Hmm. I need to think about this. How bad do things have to be before they can be considered an accessory to the crime and not one its victims?

Doctor Syntax Silver badge

Re: Does there need to be an obligation to "encrypt" ?

Irrespective of what constitutes "appropriate", given the circumstances, it must surely be difficult to argue that whatever measures were taken met the criterion.

TalkTalk attackers stole 'incomplete' customer bank data, ISP confirms

Doctor Syntax Silver badge

Re: You missed this bit from the email

"I read this as meaning they got my sort code and account number?"

And the account name.

Doctor Syntax Silver badge

"I used to be a Tiscali customer, and was swept up in the takeover."

I used to be a Nildram customer. Nildram was taken over by Pipex which was taken over by Tiscali but the email address remained Nildram. After the TalkTalk takeover I also bailed out. As a matter of curiosity I just tried a test post to my old Nildram address. It bounced but a quick whois indicates the domain expired yesterday. Deliberate, coincidence or have they just been too distracted to renew it?

Doctor Syntax Silver badge

Re: It is time for a PSA

"They must think we're stupid, I thought...and then I thought, well, how many people do actually understand that it is a random caller's job to prove who they are?"

The banks, building societies and insurance companies certainly don't. Neither do they think it essential that they prove their emails are from them. I've had emails from digital marketing companies working on their behalf where the client's domain is in the From: field but a quick glance at the headers shows that it never came from them and any links don't come from them either. When the clients are taken to task over this they show no indication that they realise the result looks just like a phishing scam and that they're training their customers to be scammed.

Doctor Syntax Silver badge

Re: It is time for a PSA

"it might be best"

Better to say it's essential.

We can't all live by taking in each others' washing

Doctor Syntax Silver badge

Agriculture vs finance

That efficiency thing that Tim's kept mentioning has a lot to do with the fact that we spend relatively little on food. Selective breeding has given us more productive varieties of plant and animal. Artificial fertilisers have artificially increased the fertility of the ground. Mechanisation has reduced the need for labour. Chemicals have improved the health of both plant and animal crops.

On the other hand financial services seem to be costing us more. Why? There have been technical inputs which should increase efficiency there, just as in farming.

I suspect the reason is similar to why bank robbers rob banks - it's where the money is. Ultimately it's the money men who largely decide prices (including screwing the farmers) because they can. It's not surprising if they receive an increasing share of it. When we discuss adding value I think we often confuse it with adding cost. The actual value of the added cost can be extremely dubious.

Doctor Syntax Silver badge

'Not when that "logic or journalism" is actually a fake veneer for specious vacuous emanations from a brainwashing collective whose only desire is self-promulgation and self-enhancement.'

Citation needed.

Doctor Syntax Silver badge

Re: Shame

"the elasticity of demand for food is lower. If the price halved, or doubled, we wouldn't eat twice, or half as much, we'd eat roughly the same"

Unfortunately the daft pillocks with their nudge theory are trying to do just this with sugar. However I have about 100 sq metres I can devote to beet cultivation.

Silicon Valley freeze-out: EU watchdog tells firms clock is ticking to limit data transfers

Doctor Syntax Silver badge

Re: Yeah, But,

" Ireland, where their EU operation is registered, is fine"

And it's Ireland's regulator who is now charged with looking into the rest of the questions. That's what the ECJ ruling was about.

Doctor Syntax Silver badge

@YAAC

Some aspects of Facebook are being looked at by the Irish regulator. In general, however, with social media the data subject initiates the transaction.

Doctor Syntax Silver badge

'"No one wants to see data transfers to stop completely," head of the European Union's Article 29 Working Party, Isabelle Falque-Pierrotin, told Reuters.'

Why does she think she's talking for everyone? There's no good reason why transfer of data to the US should continue except for transfers for specific cross-Atlantic business transactions initiated by the data subject.

American robocallers to be shamed in public lists

Doctor Syntax Silver badge

Re: @allthecoolshortnamesweretaken (was:Re:Wait and see)

"The problem is that the Constitution recognizes political speech as the most important form of free speech"

The odd thing about this is that the politicians don't see this as freedom to lose votes. Or maybe they run robocall campaigns impersonating their rivals?

Doctor Syntax Silver badge

Re: Could be solved quite easily.

"How do you deal with international robocallers who basically operate outside of the law?"

Your phone company knows where they got the call from so they can bill for it. They log the callback code against it and so on back up the line. If the callback reaches somebody who didn't keep track they become liable. PDQ they'll also be keeping track until it hits source.

Doctor Syntax Silver badge

Re: Could be solved quite easily.

"the offender gets hauled off to court and those who did the '*xx' get some $$$ for their trouble."

I'd go one further. Everyone who made the callback gets a credit against their phone bill as a fee for answering the call.

Doctor Syntax Silver badge

Don't do it. Don't waste time doing it. Just get on with prosecuting them.

So what's the internet community doing about the NSA cracking VPN, HTTPS encryption?

Doctor Syntax Silver badge

Re: Nothing to hide..

"I of course don't follow the argument 'Nothing to hide. Nothing to fear'."

You don't? OK, if you've nothing to hide then why not unhide all your logon & security answers for banking, eBay, Amazon or whatever? You could just post them here*.

As to resources, go back up the thread & read some of the other posts. The significance of this discovery is that once you've done a humungous amount of computation for a commonly used prime it becomes relatively cheap to attack any connection using it so the more that are attacked the cheaper the cost of each. So yes, if you've done the initial work why not look at what that webcam's seeing, what that VOIP call's about, what that person's bank account has in it? It's so easy to just ignore due process of law. But due process of law is the basis of a free country.

*Or rather, don't. You almost certainly not only have stuff to hide, you also have contractual obligations to hide it.

Doctor Syntax Silver badge

Re: The Real Problem

John,

There are some flaws in your argument.

Just consider the consequences of adding the word "yet" into some of your sentences. How do you stop that "yet" happening?

Apart from the potential damage to your own society (I conclude from your arguments that you're a US citizen) you need to realise that the rest of the world doesn't trust the US. We don't trust it on a personal level and we don't trust it on a commercial level if a non-US corporation is competing with a US corporation for a sufficiently large chunk of business. The reason we don't trust it is because of its behaviour.

Finally we don't necessarily trust non-US governments either because this surveillance is usually done without any regard to anything that might pass reasonable scrutiny as due process of law. It's odd that this year your country and mine have both been celebrating the 800th anniversary of Magna Carta at the same time as our governments have been doing their best to ditch its most significant clause.

Doctor Syntax Silver badge

Re: Is this a legacy problem

The argument put forward in the paper is that the processing for a single prime is mathematically feasible but computationally very expensive. But what the researchers realised was that once you'd done it the additional work to crack any eavesdropped exchange was trivial and that as the same prime was being used by a large number of sites for a long period the cost could be spread out over an enormous amount of traffic. It was this which made it economically feasible.

If a larger number of primes were used for shorter periods the economics would work against it and only a small proportion of the traffic would ever be decrypted. As to being concerned about future computer power, you have to remember that in order to make decryption worthwhile you have to do it whilst the messages are still relevant.

Nevertheless, a switch needs to be made to better algorithms or much longer primes.

Doctor Syntax Silver badge

Re: Is this a legacy problem

"2 seconds would be a long time to wait for each TLS handshake, but we could always pre-calculate keys at start-up. And, in a few years the time needed will drop to milliseconds"

As you say the weakness is in using very few built-in primes everywhere. One remediation, even without going to elliptic curves, would be frequent, say monthly, updates with new and maybe larger sets of built-in primes. According to the times given in the paper this should enable users to keep ahead of the NSA. Another would be to have servers running a background task searching for new primes so each server would be able to offer a different prime each time it was contacted.

Doctor Syntax Silver badge

Re: Questions

AFAIK* Diffie-Hellman works by agreeing on a prime; each party then performs some computation on it and, by exchanging the results, they mutually calculate a key. The crack** actually does work by calculating*** a sort of rainbow table for a given prime. By observing the exchange between the parties, including the prime they agree on, they can calculate the key for themselves. The weakness of implementations of D-H is that rather than search for a large prime at run time they have a limited number built in, which makes it feasible to calculate a few tables which will be sufficient to attack most sites.

*And I'm not a mathematician.

**Nobody knows for sure what the NSA do but some boffins worked out that this is how they might have done it.

***This is a humungous calculation but is now achievable by throwing enough CPU cycles at it.
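The three posts above describe the same economics: expensive precomputation once per prime, then cheap recovery of every session that reuses it. This added example (not from the original thread) makes that concrete with constructed toy parameters; baby-step giant-step stands in for the real number-field-sieve precomputation, a deliberate simplification so it runs in milliseconds.

```python
"""Toy illustration of 'precompute once per prime, recover many sessions cheaply'.
Constructed example: a tiny prime and baby-step giant-step (BSGS) stand in for
the 1024-bit groups and number-field-sieve work discussed in the thread."""
import math


def dh_exchange(p, g, a, b):
    """Classic Diffie-Hellman: each side publishes g^x mod p, both derive g^(ab)."""
    A = pow(g, a, p)
    B = pow(g, b, p)
    shared = pow(B, a, p)
    assert shared == pow(A, b, p)
    return A, B, shared


def precompute_table(p, g):
    """One-off work per (p, g): the baby steps g^j for j < m, m = ceil(sqrt(p-1)).
    This is the 'rainbow table' an eavesdropper amortises over every session
    that reuses the same built-in prime."""
    m = math.isqrt(p - 1) + 1
    table = {pow(g, j, p): j for j in range(m)}
    return m, table


def discrete_log(p, g, h, m, table):
    """Cheap per-target step: giant steps h * g^(-m*i) until a baby step matches."""
    factor = pow(g, -m, p)  # modular inverse of g^m (Python 3.8+)
    cur = h
    for i in range(m):
        if cur in table:
            return i * m + table[cur]
        cur = cur * factor % p
    raise ValueError("no logarithm found")


def recover_shared_secret(p, g, A, B, m, table):
    """From only the observed public values A and B, recover the session secret."""
    a = discrete_log(p, g, A, m, table)
    return pow(B, a, p)


def demo():
    """Several sessions reuse one built-in group; one table recovers them all."""
    p, g = 7919, 7  # constructed toy 'built-in' prime; real ones are 1024+ bits
    sessions = [(123, 456), (2000, 31), (5555, 777)]  # constructed private exponents
    m, table = precompute_table(p, g)  # done once, reused below
    results = []
    for a, b in sessions:
        A, B, real = dh_exchange(p, g, a, b)
        results.append(recover_shared_secret(p, g, A, B, m, table) == real)
    return results
```

If each server used its own (or a freshly generated) prime, as the second post suggests, `precompute_table` would have to be repeated for every server, which is exactly what destroys the attacker's economics.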

If MR ROBOT was realistic, he’d be in an Iron Maiden t-shirt and SMELL of WEE

Doctor Syntax Silver badge

Re: The worst hacking trope of all

"Or have we given up that 'lost cause'?"

Yes. It's over.

TalkTalk hush-hush on compo for up to 4 million customers after mega cyber attack

Doctor Syntax Silver badge

Re: But Seriously

"No, very seriously, if YOU want to be a Boss, and even if you didn't bother to clock a PPE between youthful rides, what do you do NOW?"

In her situation, resign. It ought to be expected of her. The interviews on her round of the media should have started along these lines:

Interviewer: Let me start by congratulating you on your promotion.

Her: I haven't been promoted.

Interviewer: But aren't you the new TalkTalk CEO?

Her: I'm the CEO but I've been CEO since whenever.

Interviewer: Oh, I'd assumed that a CEO in charge of a shambles like this would have resigned immediately. Let me start by asking you why you haven't resigned.

Doctor Syntax Silver badge

Similar reports in today's (Saturday's) Times.

Caption this: WIN a 6TB Western Digital Black hard drive with El Reg

Doctor Syntax Silver badge

John is reassured when TalkTalk's chief security officer tells him that yes, security of his personal data is important to them.

Doctor Syntax Silver badge

Fred discovers that TalkTalk's customer service agents really are robots.

Doctor Syntax Silver badge

Deep in the basement the boss thought his secret weapon would finally defeat the BOFH. Little did he know he'd already been hacked.

Doctor Syntax Silver badge

The inventor of the first colour TV camera is overjoyed when the quietly spoken constable reassures him that one day someone will invent a colour TV set.

Doctor Syntax Silver badge

Reg Thorpe wrote and starred in the Little Dunny Amateur Player's latest production "Hitch-hiker's Guide to the Daleks".

Doctor Syntax Silver badge

This lone boffin of the 1930s could never have realised what he was starting.

Doctor Syntax Silver badge

The Computer Museum should have realised its new acquisition was the pre-production version of the Dalek.

Doctor Syntax Silver badge

Advice to hitch-hikers

1. Be careful who you thumb a lift from.

Doctor Syntax Silver badge

Ron's demonstration of advanced lift-thumbing technique had an unwelcome outcome.

TalkTalk CEO admits security fail, says hacker emailed ransom demand

Doctor Syntax Silver badge

@Chris King

Like you I've been through the Nildram>Pipex>Tiscali route but I jumped ship nearly 6 years ago. A good deal of what they had will be stale by now, certainly I've changed bank since then. I doubt either of us would fall for a call claiming to be from their customer disservices - they never did anything after the Tiscali takeover so why expect them to be getting round to it now?

In fact, after the Tiscali takeover their email support would have passed the Turing test - there was no way to tell whether it was human or a bot - but not in a good way.

Doctor Syntax Silver badge

Re: Ransom demand

"Can they really have only received one ransom demand?"

No, but only one's genuine. They're trying to work out which it is.

Laid-off IT workers: You want free on-demand service for what now?

Doctor Syntax Silver badge

I didn't miss that. But in the circumstances I'd have told them that MyCo wouldn't work for free but they appear to qualify for one of MyCo's special rates, the Over-A-Barrel rate. And the length of time taken would be the length of time to make it worthwhile.

Doctor Syntax Silver badge

From the Grauniad's article: "Mike McCoy, the company spokesperson, said: 'We understand that a clause in our severance agreement was misconstrued versus its use in actual practice.'"

"Misconstrued versus its use in actual practice?" What sort of garbage is that? The construction that everyone's been placing on it is based on what it said. Actual practice may usually be something different but the reality was that the possibility was hanging over all their ex-employees. It may have been some careless drafting by HR which said something other than was meant, but you really shouldn't draw up legal documents that say what you don't mean.

Maybe whoever was responsible in HR has now been sent on his or her way with assurance that they will not be called in to help at a later date, paid or unpaid.

Doctor Syntax Silver badge

Re: Humans fail too often

"In the future I expect to see more automated AI type systems that handle the coding side for you. Entrusting important long term solutions to fleshy meat bags is a lost battle."

Who writes the AI?

Doctor Syntax Silver badge

Re: How to save money in IT

"what happened at SunTrust looks like moving it from one pocket to another"

And possibly the other has a hole in it.

Snowden, Schrems, safe harbor ... it's time to rethink privacy policies, says FTC commish

Doctor Syntax Silver badge

"why worry"

Because if you don't see what's coming, you don't step out of the way & the train runs you down.

Doctor Syntax Silver badge

"She pointed out that the decision doesn't dig into the actual practices of Facebook"

That wasn't actually the ECJ's role. They were asked if national regulators could actually do this given that Safe Harbour was an EC matter. Part of the decision was that they could so it's now been tossed back to the regulator by the Irish High Court. In short it's being done by the people who were supposed to do it.

Apart from that she seems to have got the message. Whether she's in any position to act on it is a different matter. Maybe the poke at Europe was intended to distract from this.

"came as a shock to many policy makers and companies in the United States"

If it did they must have been living in a fools' paradise. What other decision could they have expected? Or didn't they know the case was happening?

Tardy TalkTalk advertised for a new infosec officer 1 week ago

Doctor Syntax Silver badge

"Call me old skool but the Head of Security should already be fired"

Call me even older school but the Board should accept the CEO's resignation. They may need to prompt her for it once they've accepted it.

In VW's case Winterkorn did the honourable thing in quitting, although maybe the generous package tainted this. This seems to be an exception; someone at the head of a business which gets things this wrong should quit, not make the rounds of the media giving interviews. It would ensure a culture in which things are done right, security gets precedence over marketing and customers can begin to trust the business.

CISA latest: Law urging tech giants to share your info with the Feds shows no sign of stopping

Doctor Syntax Silver badge

Re: Two birds with one stone

"move HQ (extreme, unlikely)"

Unlikely to move it to the EU I agree, but to somewhere with a pleasant climate & very low taxes could be a reasonable probability.
