* Posts by NonSSL-Login

238 posts • joined 13 Nov 2015


Accused hacker Lauri Love loses legal bid to reclaim seized IT gear


Re: Something not ringing true here ...

Personally I think it's a screw up of language somewhere along the line and the reality is that some of the drive was readable and the rest was encrypted in a trucrypt volume.

Rather than encryption kicking in, they meant to say that they couldn't read the encrypted part. That is my best guess anyway.

Firmware for hard drives probably needs to be signed(?) so not straight forward to do even if you could modify it to delete content on a certain sector or block read.

Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative


Could do better but not much better

It looks like all the major players in the Password Manager area have done a fair amount of work to try and protect content in memory and scrub after use but need to make small changes to slightly improve it this. At the same time, with your machine already being accessible some of the changes will make no difference anyway.

Better to fix them than not fixing them but in the big picture, it's nothing we didn't know already. Code has been created before to extract and dump the content of unencrypted password managers to screen or file and it will always be possible one way or the other. Even if only one entry is decrypted as it's used, that means the master password or secret is somewhere in memory in some form, just waiting for someone to work out a way to reverse it. Or whatever is watching on that machine waits for every password to be used.

Keepass came out well in their summary table, so I get to feel smug running that on Linux :)


Re: Ha, it comes to something when the Post-it is superior to software...

Stick it to the top of your webcam, so the lens can't see it ;)

Intel SGX 'safe' room easily trashed by white-hat hacking marauders: Enclave malware demo'd


New chipset security features always mean deeper embedded exploits

If you look at every new security based addition to intel chipsets as a gift of another backdoor for the NSA, it all makes sense. Every time.

Hollywood getting anti-piracy stuff built in to chipsets angers me. The things I cannot do with my HDMI out cable that I want to because of the MPAA's Sony being involved in the HDMI standard and inflicting DRM through HDCP is another one of these annoyances. The sooner we eject the media cartels influence form hardware the better.

Housing biz made to pay £1.5k for sticking fingers in its ears when served a subject access request


I'm sure many companies would be happy to fork out £1500 rather than give out SAR information that may embarrass them or cost them business opportunities.

If people can choose to weigh the pro's and cons of addressing a SAR, then maybe it's not quite where it needs to be yet.

Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp


Re: Tech/Syntax question

Another way is to decompile (or edit in other ways) the apps APK file and remove advertising links and libraries but it can be fiddly to find and edit out code that sends data back to their own servers. Doable though and easy once you have done it a few times.

GCHQ pushes for 'virtual crocodile clips' on chat apps – the ability to silently slip into private encrypted comms

Thumb Down

Re: Quid pro quo, Clarice...

WhatsApp has already gifted the alphabet agencies a backdoor to their users chats via a new 'feature' which backs up your chats to Google drive (unsure about apple version) totally un-encrypted. You might disable backups but has the other end you are speaking too?

Expect to see more of these crafty backdoor ways to your chats as well as interference with keys at the service provider end to give real time access/mirroring capabilities.

Scumbag who phoned in a Call of Duty 'swatting' that ended in death pleads guilty to dozens of criminal charges


Re: So the police bear no responsibility ?

You could count the shooting mistakes by UK police over the last 20 years on a single hand.

Even when you consider the population difference of the UK and US, the amount of bad US police shootings a month probably surpasses the last 2 decades of bad UK shootings.

OnePlus 6T: Tasteful, powerful – and much cheaper than a flagship


Re: L500

I wish decent phones were cheaper but I make use of the phones CPU and memory massively so im glad it fits in my pocket and with me at all times.

Laptops keep tearing my trousers when I try and stuff them in my pockets.


Re: No headphone socket - no sale

Still have a Oneplus 1 and a OnePlus 3T but the increasing cost and a few annoying Oneplus quirks (no automated quiet times because 'the settings may interfere with the hardware DND switch', battery issues after updates, no Daydream support even though the chipset supported it, among other things) and the increasing price made me think twice about getting another OnePlus.

Ended up getting a s9+ with 256gb of storage for such an awesome deal it worked out cheaper than the OnePlus. Obviously I had to de-bloat it with package manager as I prefer the cleaner OP experience and generally dislike Samsung, but can honestly say im happy with the performance of the phone. The waterproofing and camera quality are worth paying that little bit extra for, even though I actually paid less.

I think my love affair with OP is over now. Loved their first phone but now they are becoming similar prices as other flagships and all have quirks which annoy me to some extent and have terrible support. Hurts my pride to say I like a Samsung phone too, compared to the pride of having an OPO with cyanogenmod as standard.

Virgin Media customers complain of outages across UK

Thumb Down

Re: Maybe I've just been really lucky, but...

While I had about 98% uptime/internet connection with Virgin over many years, 50% of the time it had packetloss, horrible jitter and slow speeds.

99% uptime sounds good but when you can't game or stream things due to congestion on the line and all the related problems, the uptime stat becomes a bit meaningless. Give me 95% uptime and a clean non-congested connection over a 99% uptime congested all over the place shit one.

After so many years of fibre problems, Virgin couldn't pay me to go with them now. Every FTTC service I have had since has been flawless. The network topology virgin uses, DOCSIS, was just bad for congestion but they can probably hide the flaws better with the higher speeds and more stream connections they use now.

Super Micro chief bean counter: Bloomberg's 'unwarranted hardware hacking article' has slowed our server sales


Amazon, Cisco etc no Angels

I can see Amazon not wanting to push this publicly other t might get mentioned how they work with the CIA and allow parcels on route to be opened, motherboards with backdoors placed in to packages in place of legit hardware, then sent on the rest of the journey.

It's highly possible super micro has made a few modified boards for Chinese intelligence to be used in a handful of places, in a similar way the US works with Intel, Cisco, Apple, Microsoft etc to backdoor devices and software in a small number of cases.

Finding evidence when only a few are out there would be difficult. At the same time, without evidence anyone can com e along and claim x, y and z and damage a companies credentials. The US have a habit of trying to damage foreign competitors of its companies. Look at all the angles they attacked Kaspersky with (even signing US gov malware with kasperskys digital keys) in a hope of damaging the company beyond repair. THey have upped their game on these attacks since the Sony attack.

Do not adjust your set, er, browser: This is our new page-one design


Probably intentional. If you can't see the date you are more likely to click it to look than if you see an old date where you can decide it's old news and ignore. Not good for the user but good for the-register who wants clicks and views for their income.


It's not even pretty though



Reddit also allowed the old design to be used too when they made major changes recently. Link was prominent at the top too so easy to access.

There is am opt-out at the bottom of the register page, It might be hidden under a floating toolbar asking you to click OK to accepting cookies though, requiring you to click that before you can reach the opt-out link.


Re: Argghhh

The BBC admitted to changing their staple of lots of information down to smaller byte sized generic sentences so they could fit on mobiles too. So even the stories got shit and more tabloid looking amongst all that white space.

The register shouldn't have that issue at least as stories are still a decent length.

In the past I have used the Stylish addon to change the look of sites/pages but that addon got pulled from both browsers app stores when an update started sending data back to their servers. Don't want to create security risks just to fix horrible formatting for a site.

Thumb Down


Too much white and too much empty space. Exactly how shit the BBC site looked when they made it to look better on mobiles. No care about those that use huge monitors due to stats saying a mobile users are a larger percent of viewers.

In this day and age it should be easy enough for technology to format on the fly better for mobile/large screens yet no one seems able to do it. Web 2 maybe not fit for purpose if it can't handle that.

My browser removes cookies that it hasn't blocked on exit, so im guessing every visit I will have to opt-out.

From using the BBC site daily I now use it once a month at best since they made the changes everyone hated. I guess im now going to have to find another way to view register content which isn't so dreadful or it will go the same way as the BBC in my viewing habits.

/Obligatory Rant

HTTPS crypto-shame: TV Licensing website pulled offline


Or just someone on the same wifi network running wireshark or other tools. Requires catching the initial handshake but easy enough to disconnect a client and force it to reconnect to catch it.


Re: redirecting HTTP to HTTPS

Searched for the Beefeater site yesterday and google gave a http link which didn't redirect to https once on it which I thought was odd for this day and age.

To view a menu it wanted my postscode and while it's not the end of the earth for that to be sniffed, it felt too dirty to post it over http so I had to manually change it to https.

My name was a good few years of nagging at el register to https up and it took google to start giving horrible chrome messages and lower search engine ranks to http site before it was changed. Anyone company not using https now should be considered lazy and not fully competent imo.

Nope, the NSA isn't sitting in front of a supercomputer hooked up to a terrorist’s hard drive


Re: Don't assume they don't have supercomputers...

It wouldn't surprise me if they have access to be able to use every idle CPU on the Amazon cloud along with some tools that distribute the load of the job. No supercomputer needed when you can have a million computers working for 2 minutes on their section of the same job.


Re: Am I being thick ?

Apps on phones such as whatsapp run in their own memory space so it is not a simple task to add another encryption layer on top without rooting phones and such which cuts out most users. A keyboard app could potentially convert what you type ad copy to clipboard and convert replies but it would be far from pretty and straight forward which is what app users want.

The NSA/GCHQ's are being crafty now and instead of asking for backdoors in encryption, they are asking technology companies to implement sly changes which means no backdoor is needed. Skype conversations used to be peer to peer and never touched servers so one assumes they got Microsoft to buy and change the product so all conversations went through their servers for the 5+ eyes benefit.

One assumes Whatsapp went out of their way to help the government agencies by adding a chat backup option, an in your face popup to all users asking if it should be enabled and when they do, it disabled the encryption of their chats. The backup of their chats are also stored on their servers indefinitely for the 5+ eyes too.

So expect more sly changes like these as technology companies shout publicly that they are fighting for your privacy while still looking you eye add these privacy defeating changes they hope you don't notice.

Archive.org's Wayback Machine is legit legal evidence, US appeals court judges rule


Integrity is not guaranteed but could be

Hash of the page made (with a decent hashing standard to avoid collisions) as soon as it's mirrored and that hash stored in a blockchain or another tamper proof method, then it can be trusted a lot more.

All it takes is for one vulnerability or a determined hacker to phish their way in to their systems and modify some content and the trust is all gone. It's no good saying the files or disk is read only when someone can change the links and results to point to their own created content instead.

Archive.org is far from perfect as evidence as it stands imo. It could be made better for evidence integrity but as long as they continue to do the great job they started out to do, that should be their main focus.

UK.gov: NHS should be compensated by firms using its data goldmine


Is the data not ours? Do NI payments mean we paid for the care and have data protection?

Why must my data be given away in the first place?

At no point while being treated by the NHS was I told that my data would be shared or sold with anyone. I have never given permission for my data to be sold or shared nor have I ever signed any paperwork that said that my data will be shared outside the NHS if I accept treatment.

If they start asking patients to sign away their rights, they may stop using the NHS to avoid their data being shared. This could lead to instances where for example someone who suspects they have contracted HIV may choose to not get checked/treated and go on to infect others rather than risk company x,y,z getting hold of that pseudo-anonymized (not anonymous at all) data.

Sharing NHS data in 99.9% of cases will not benefit NHS patients.

Spies still super upset they can't get at your encrypted comms data


They got used to having access to more of our communications than what they were entitled too and now want to push so that it continue. They should just be glad they had it while they did.

Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap


Re: So they fixed it...

Companies list what products they pay a bounty out under on Hackerone and the VPN product was not on the list. It is that simple.

There is nothing to sell black hats in this case as there is no exploit for a vulnerability. It's a data leak problem.

Kaspersky should however be ashamed of itself for supplying VPN software with DNS leak problems. They could potentially argue that the VPN is to stop encrypt your traffic to avoid it being read or modified (MITM'ed) while on public networks rather than for anonymity although I have not seen how they market the product. In this day and age though one would expect DNS traffic to be VPN'ed along with the traffic as standard for such a product.

Either my name, my password or my soul is invalid – but which?


Re: "Wrong" email addresses

I know someone with an apostrophe in their email address, due to their irish O'whatever name. Despite the fact it's 50/50 whether the receiving email server will accept it or not, the admin has never enforced a policy that removes it when creating accounts.

What annoys me is when you have to login somewhere else and it's not obvious they have a different country keyboard layout. Those special characters are not where they are supposed to be. So do I devise new passwords which only uses the characters that don't move say between US and UK layouts, thus weakening the password due to less entropy, or use them and struggle to login some places?


On Kaspersky’s 'transparency tour' the truth was clear as mud


Stating the opposite of the bloody obvious

You do not have to be a security genius or have a degree in politics to know the whole US attack on Kaspersky is political butt hurt revenge.

They are having to do the transparency tour to repair their business after US gov pressure against them. The CIA has previously tried to leave kaspersky fingerprints on their bad deeds. Its open day on the company that found and reported some of the NSA malware.

Journalists asking Kaspersky ridiculous useless questions instead of asking governments and politicians to backup their statements, is half the problem. They are not real journalists. They just parrot scripted lines told to them to publish with no actual journalism done.

The comments here show that the majority of IT people think the article talks a load of bollocks and there is indeed a vendetta against Kaspersky. Nothing has changed since the banning of their product. Move alone, nothing to see here. No story yet, until the actual transparency tour and even then, going by this article, we will get another crap axe job article. It's a good job el'reg has a lot of good articles to read between the crap like this one.

Bombshell discovery: When it comes to passwords, the smarter students have it figured


Hi JV, thanks for the reply.

Having read the article I appear to have missed the fact that Troy had shared a database of hash's and the comparison was done against that. Apologies. I usually blame lack of caffeine for my mistakes as otherwise I would never make any *cough* :)

There are many variables in passwords that cross the IQ barrier. Not everyone has a job related to their IQ as ambition and other factors are involved but if you generalise that a manual labourer may have a lower IQ than a director of a company you may expect the labourer to have a weaker password. A fair percentage of the time it's their favorite sports team or player with maybe a capitalised first letter and a number at the end if the signup forces those attributes. Yet a lot of CEO's will also use their sports team as a password too.

There are differences where say a fruit seller on a stall in London may have a football(soccer) related password, a CEO who went to Oxford might have a Rugby related password as social economic groups also play a part.

At the same time both groups may use a password based on a crush/partner/kids or dog or a date of birth.

Both high IQ and low IQ people know they are supposed to have good passwords. Is it down to IQ about who puts the effort in?


The article says that 215 students hashes were in Troys database and states this was down to bad/unsafe passwords. Wrong. They are in Hunts databases because they happened to be signed up to websites that got hacked. There is no relation to IQ at all.

Maybe a correlation between how many sites someone signs up to, or quality of site, could be made relating to IQ but that is not what the article says.

Brit ISPs get their marker pens out: Speed advertising's about to change


Speed + Quality/Stability score

We still need a quality score to go with the speed with advertisements. 200mbit is no good for streaming or gaming if latency jitter is all over the place.

Something occasional browsers conned in to getting 200mbit to solve their browsing issues on the 50mbit service can ignore but gamers can use to make an informed decision.

Commodore 64 owners rejoice: The 1541 is BACK


Re: Reliability

Also started with a VIC 20 which is now emulated easily with just javascript... https://www.mdawson.net/vic20chrome/vic20.php

30+ years later I still can't purge the music from a cartridge game called Radar Rat Race out of my memory. Found a Vic 20 emulator and the game cartridge turned in to a 6k rom....everything gets emulated these days.

The Action replay cartridge for the Amiga was also emulated, so I assume they did the same for the C64.

Fun times.

Great Western Railway warns of great Western password reuse: Brits told to reset logins


Re: We need a court action

Depends on the attacker and the tools they use. Some of the programs used to try user/email combo lists against sites also allow you to specify a public proxy list which can be grabbed from many places. So you end up with hundreds of IP addresses with random User Agents with a bigger gap in time before a particular IP/proxy gets used again.

Some of the better tools allow you to specify a timeout before retrying with the same IP so you work out beforehand what triggers the captcha and adjust settings accordingly.

A captcha at every login would help but I hate with a vengeance having to fill in captures every time I want to login somewhere. Even then, it's easy to add code to a tool to cover sending the captcha's to a usually Indian based site where they charge you a fraction of a penny for each captcha solved on your behalf by an army of people employed to do so. 2captcha and anti-captcha are two such services. 50 cents for 1000 solved captchas, 2000 people online, 8 sec solve time.

Recording Industry Ass. says vinyl and CD sales beat digital downloads


Re: Just a few weeks ago they were telling otherwise...

Depends on what law change and location the media cartels are lobbying for on that particular day...

Leading by example: UK.gov's secure server setup is patchy at best


Re: To root or not to root

Probably easier and quicker for them to get the info via XKeyscore thanks to Tempora mass collection and it will be up to the second logs compared to synch + database integration once a day or week. But if you read my comment again, you will notice i'm not wearing the tin foil hat in this case anyway, so a moot point.

However, injecting payloads when the IP of Russian arms suppliers browse badly SSL'ed site....


To root or not to root

It appears the only security angle they look at with .gov sites is it secure from being rooted. Anything else doesn't seem to matter to them except for a working website. The fact that browsers have now started acting on bad SSL setups has exposed the bad config and bitten the admin on the ass.

Although in other areas I would be happy to don the tin foil hat and say the bad ciphers and config is to make it easier for GCHQ to log data, inject payloads and other shenanigans, these .gov issues are just down to bad administration.

Also, out favourite el-reg was a long holdout for SSL despite having a login form for users. Hence my username.... It was only when Google said they would list sites lower without SSL that they were forced to move their butt in to gear and add SSL that they did. The bad publicity might be enough to make the gov sites fix ssl issues but a lower search engine ranking might do the job faster.

Private Internet Access VPN opens code-y sarong, starting with Chrome extension


Re: Unrelated...

The GEOIP location data is based on what the ISP/owner of the Netblock registers the location of the IP to be at.

So while one ISP might register a block of IP's to their local office location or even a head office, some will be more accurate and give a town or village name for a set.


Re: Why not openVPN?

My VPN provider has their own client with lots of options but it acts more as a frontend to OpenVPN with extras. You can choose ports, RSA 4096, scramblesuit, tor-obfuscation etc which get passed along as parameters to openvpn. Obviously the extra code for that gets installed with the client, at least with their Linux client.

A few VPN providers probably have something similar.

NHS Digital heads accused of being 'suppliers', not 'custodians' of UK patient data

Big Brother

You mean like anti-terrorism law RIPA being used by half of councils for waste and littering offences or BBC for licence enforcement?

This is exactly what the committee is getting at and I am impressed they have stuck up for everyone with a decent argument. Yet nothing will change, making the whole thing pointless.

Sorry, I can't hear you, the line's VoLTE


Re: Correction needed

I also have a OnePlus 3T which can handle VOLTE but it won't work on Three as they refuse to add it to the Volte list. No reason for them not to add the support other than the fact they don't sell the phone themselves.

The Three in touch app is utter shite and it annoys me that I am expected to use it on a phone that supports Volte natively but is nerfed by the Three network.

From what I understand, other networks do it too. So it's not as if I can switch to another provider to get Volte working on my current phone. My mobile pet peeve beyond the obvious broken SS7 protocol.

Mueller bombshell: 13 Russian 'troll factory' staffers charged with allegedly meddling in US presidential election

Black Helicopters

Re: Icredible

That is the hypocrisy here. In many countries, including the UK and the US, teams of people are paid to try and influence the elections for the team that employed them. Sometimes under the banner PR, sometimes through leaking negative information about the other party and using friends in media to publish it.

Lots of nasty tricks that can influence elections but it's only bad if the rushkies do it.

It amazes me that the world knows that most of the world emails are intercepted and stored by the big intelligence agencies yet someone doing a secret job vs the NSA went and email'ed home to their parents confessing their crimes about covering their tracks from the FBI. Seriously?

Roses are red, Windows error screens are blue. It's 2018, and an email can still pwn you


Re: "...a total of 50 CVE-listed vulnerabilities..."

Sometimes the haystack just needs to be burnt to the ground and leave the needles in it's ashes.

Fancy Bears' who-takes-what in sports hack list ‘manipulated’ before leak

Black Helicopters

Re: Organizational Doxing and Disinformation

4. Bruce Schneier is Fancy Bear.

Mind blown.

Without knowing what information was doctored, it's difficult to guess at the motivation for the changes. I guess that info will be kept from us.

Crowdfunding refund judgment doesn't quite open the floodgates


Backed my first Indiegogo project last year and the buttons say you are claiming a perk for that amount now. So Indiegogo has already got around that issue and rubs it's hands clean of having to help it's site users again.

That might be why Indiegogo seem happy to let people use it's platform to fleece customers of their money.

After being five Months late and hardly any updates or communication, the campaign director of the project I backed has only sent a few of the backers the item, even though he now sells the same item on his website which you can buy and get straight away. Obviously he will get more selling them through his website than the original Indiegogo campaign so has decided to sell them there instead of giving them to the backers.

Try getting Indigegogo involved to get some communication or action taken and they just don't want to know. Would not touch Indiegogo with a barge pole in future.

Oh and their whole refund system, does not work. Plenty of people asking for refunds for the same project but because the project is overdue, Indiegogo say you have to get it back from the campaign manager. When the campaign manager refuses to answer any emails about anything, let alone delivery or refunds, Indiegogo do not care will not help in any way whatsoever. If you try and progress things they just don't reply either.

Sham of a company IMO. /Rant

Virgin Media skulks in disused public toilets


Gives a new meaning to the phrase, "i'm a bit buffered up".

Sad-sack Anon calling himself 'Mr Cunnilingus' online is busted for DDoSing ex-bosses


Logs from security guy....

Around the time this was happening, a flaw in the template used by many of the DDoS sites and re-sellers of VDoS was found. Through this the logs could be snarfed among other things.

So it appears the FBI used data hacked from the systems of the stress testing site to get the info needed to get this guy. Saying it was provided by someone else gives them the ability to do this without questions asked on any cases they want?

The guy is obviously stupid enough to get caught anyway but the method is questionable imo.

User had no webcam or mic, complained vid conference didn’t work


CD drawer wont open

A few years ago working for a well know insurance company a user logged a call to say the computer would not read her cd and the cd drawer would not open to get the cd back out.

Upon visiting it was clear she had no cd drive in her desktop. I asked where she put the cd and she got another cd and started to poke it in the thin gap between two blanking plates. She had just pushed the previous cd through the gap in to the frame of the pc.

Watt? You thought the wireless charging war was over? It ain't even begun


Faster Charging

Faster charging seems to be much more beneficial than wireless charging, which is slower by default.

The speed of wireless charging is the major obstacle to it becoming useful imo, no matter how much further away you can scale the actual charger.

WikiLeave? Assange tipped for Ecuadorian eviction


You missed the 9th one down the cul-de-sac at the side.


Re: "A third country might offer a new couch"

"Although the Ecuadorian embassy is now no longer under 24-hour surveillance by the police."

That's what they want you to think...

Probably a lovely antique clock on a shelf opposite the Ecuadorian door with a lovely crystal 720p lens, backup up by an in-house informer.

UK Foreign Sec Bojo to tell Kremlin: Stop your cyber shenanigans... or else!


Re: The Law of Outrage (gov.uk)

Do as we say, not as we do.


Biting the hand that feeds IT © 1998–2019