* Posts by ds6

118 posts • joined 17 Jul 2017


DDoS sueball, felonious fonts, leaky Android file manager, blundering building security, etc etc

ds6 Bronze badge

Re: Don't touch ES File Explorer with a barge pole

v3.2.5.5 was the last non-malware version—but even it suffers from this vulnerability. I am thoroughly spooked, but at least I very rarely connect to public WiFi unless 100% necessary. Constant use of private VPNs also helps :)


Looming EU copyright rules – tackling Google news article scraping, installing upload filters – under fire from all sides

ds6 Bronze badge

Re: ....unless they can prove its not copyrighted

I was going to upvote both you and the person that you replied to, since both posts posit interesting points, but your pompous use of "Have a think, there's a good chap." absolutely demands a downvote. Being a tool is rather socially self-defeating when you are trying to defend an opinion.

ds6 Bronze badge

Absolutely not; in fact, just the opposite. You are using the wrong definition of "free."

As the name implies, copyleft was created to counteract the restrictions of copyright, in which the original creator of a work may do whatever they want with it, and no one else may do anything with it outside of explicit allowance; whereas copyleft ensures that the work remains free-as-in-freedom and all users of the work are able to do whatever they want with it, including distribution and sale. More specifically, clauses in copyleft licenses will often prohibit redistribution when it is done in a way that prevents others from doing the same, eg. not including source code with software binary releases.

You can still make money from copyleft works, and it is in fact encouraged to do so. The purpose of copyleft—rather than removing the profits of authors—is to allow others to study and improve upon copyleft works, and to have them give any improvements back to the community even if they don't want to, and even to allow them to profit from it themselves should they give people an incentive to pay them over the original author. For example, there is no problem licensing a work under the GPL, selling it, and not publicly releasing the source code—as long as it is given as part of the sale and with any binary releases, of course. One also does not have to release the source code of a GPL application if it is provided as a service (SaaS) and the binaries are never released. Some licenses may have provisions against the previous use-cases, but it would be possible to argue they are not truly copyleft; see this argument against CC-BY-NC-SA.

Weak copyleft licenses like the MPL, CDDL, or LGPL also exist that play the balance between strong copyleft licenses like the GPL and permissive open-source licenses like the BSD or MIT licenses, where it is possible to create works utilizing free software as part of a larger, potentially proprietary whole, so long as the free software portion of the work remains free and open source. Of course, the intricacies of this vary from license to license, but this is the general idea of weak copyleft.

It is also possible to dual-license, such that for free and open-source purposes a work remains so, but for commercial purposes it is licensed differently, see MySQL licensing.

Protestors beg Google not to build censored Project Dragonfly search engine

ds6 Bronze badge

That's another thing I don't get—compared to the things Google/Alphabet/et al. do in other countries including censorship of search results, are people just blind to how things really work, or seeing what they only want to see? It's no secret China is responsible for lots of bad stuff and censoring it is morally questionable, but other countries demand that of Google all the time.

The problem is the platform. Until Google is challenged and it stops making money, it will never stop.

Microsoft partner portal 'exposes 'every' support request filed worldwide' today

ds6 Bronze badge

Re: More Microsoft user based testing

Fallout v0.76b

Sign up now for the low low price of full price to get access to the private beta

Oh, SSH, IT please see this: Malicious servers can fsck with your PC's files during scp slurps

ds6 Bronze badge

When your whole backup solution is centered around SCP transfers...

Everyone always told me to use rsync; I should have listened, apparently.

Next up: Rsync CVE posted, file transfers can virtually kick dog in real world.

If I could turn back time, I'd tell you to keep that old Radarange at home

ds6 Bronze badge

Re: Pesky microwaves

Actually, everything on the disc fell off when God bumped his knee into it when doing some maintenance on the nearby wire closet. We've been freefalling for quite a while now.

Yeah I'm free...

ds6 Bronze badge

Re: Ding!


That was terrible. Have a beer.

Great, you've moved your website or app to HTTPS. How do you test it? Here's a tool to make local TLS certs painless

ds6 Bronze badge

Re: But why is it so complicated?

Alright mister "I can pinch my grandkid's cheeks while simultaneously playing guitar on vacation in the Alps", have at you. Welcome to Certs 101—or How I Learned to Stop Worrying and Love OpenSSH

Certificates are cryptographically secure chains (terminology: the chain of trust) that are able to verify each other through a web of cryptographic keys and signatures. Just like you don't need to know polynomials to know algebra exists and works, you don't need to know the ins and outs of cryptography to use certificates, and it really is quite straightforward.

Firstly, it is necessary to mention that there are usually 3 separate parts to a valid certificate:

1. The private key;

2. The public key;

3. The signature.

There are other varyingly relevant data points (including expiry date) but this is all you need to know to fathom the idea of certificates. What people call a "certificate" or "cert" is usually a file containing the public key and the signature, as well as various related (and cryptographically secure) metadata. On Windows, they appear as *.crt files, and you might have seen them as .pem on *nix. The private key is kept separate, for reasons outlined below.

A cert's signature is generated using a second cert's private key. The private key should never be shared, ensuring the person that originally created the second cert can sign the first. The public key is used to verify signatures created with its sister private key, but cannot be used to sign new signatures. This process makes it easy to verify the validity and trust of a signature, while making it highly improbable to fake one.

Since we need a private key to sign a certificate in the first place, we can create self-signed certs, also known as root certificates. These root certs can be used to sign other certs down the line, creating the chain of trust. But if the certs in the chain all come back to this root certificate, how can we trust the root, thus giving credence to the chain?

A CA, or Certificate Authority, is an entity that is responsible for widely-trusted root certs. They create root certs and provide tools to have other people's certs signed by them. We choose to trust CAs and their root certs because they put their reputation as a company and policies behind the certs they provide. If you look through a certificate viewer eg. in your web browser, you'll see all certificates on your computer trickle back up to root certs provided by Microsoft, Google, Verisign, GoDaddy, Symantec, etc. Every operating system and/or web browser has its own list of root certs that it trusts, and these certs are usually provided along with the software.

That's it, really. Not too complicated right? Now we can get to more practical uses of certificates.

The reason why your browser is giving errors when you try to connect over HTTPS to your control panel is likely because of any of these reasons:

1. The certificate is expired;

2. The certificate is self-signed, and your computer/web browser does not have the cert in its list of trusted root certs;

3. There's no certificate at all.

A solution that would work fine for you is to:

1. Create your own cert;

2. Install it in the server;

3. Install it in your browser/OS's trusted cert store.

You can easily accomplish this with many methods, and I will provide one for OpenSSH (works on any platform). Contrary to popular belief you do not need to pay a CA to get a certificate and can easily self-sign your own. A self-signed cert of your own making is not any less safe than a CA-signed cert, and depending on your viewpoint may be more safe since you probably trust yourself more than some faceless company :)

For the creation of certificates, aside from the private key, there is also the certificate signing request which is a simple file outlining some of the extra metadata that is used to generate an X.509 cert, which is the standardized format for the web. Ever see the company name next to the green padlock in your web browser? That's some of the metadata in the cert that the CSR is used to generate.

You can easily create a private key, CSR, and certificate in order using the following oneliner:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1096

key.pem is the private key that was used to sign the cert. cert.pem is the public key, signature, and metadata, in one file. You will be prompted for various pieces of information to fill out the CSR after running the command. The CSR is consumed in the process here; it's optional to save it since you likely won't need it in this instance.

The only thing you need to worry about in the CSR is the Common Name, which should be the address you are accessing the web service through. The Common Name is how your web browser knows it's using the right cert for the right site. If you access it via IP, since you are only using it locally, it is safe (though not recommended) to use local IPs for the CN, eg.

As for installing the cert in the system/OS's trusted store, if you visit the site with the new cert installed in the web server, on a modern browser it should ask you if you want to allow the cert, and if you want to store the changes permanently. This method should work on all major operating systems and browsers and should be all you need to do. Alternatively, if you don't want to have to repeat this process for all the browsers you may use, while mildly outdated here's the easiest way to install a certificate into Windows' trusted store: https://blogs.technet.microsoft.com/sbs/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista/

I don't know how your software works so I won't comment on how to get the cert in there.

(Most of this came from memory so I apologize if I was wrong or misleading somewhere.)

Finally, yes, it doesn't really matter if you have a valid cert on your local network or not, but denying the information just because it might not be immediately relevant is not a very good practice to keep. Even if you don't go through with setting things up properly, let this at least be a lesson into certs and how really not confusing they are. Things can get crazy with OCSP stapling and other additive technologies, but those are outside of your use-case and you likely will never need to care. The basics, however, are still important. Even knowing the basics can give a lot of insight into what might otherwise be considered ungrokable geekspeak, and with how widespread HTTPS is, that makes it even more important to know.

Certs 201 is next week and I expect to see you there young man.
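The chain of trust the post walks through, built end to end with the openssl command-line tool that the post's one-liner uses. This is an added example, not code from the original comment: it creates a self-signed root (private key plus a cert signed by that same key), a CSR whose metadata comes from a small config file, and a leaf cert for the web service signed by the root, then runs the checks a browser performs. It goes a little beyond the post: a second, untrusted root is created so the failure behind "reason 2" (cert not in the trusted store) can be shown, the leaf carries a subjectAltName because current browsers match the address against SAN rather than the Common Name alone, and an expiry check covers "reason 1". Assumptions: openssl 1.1.1 or newer on PATH; the hostname myrouter.lan and the CA names are made up.

```shell
#!/bin/sh
# Added example (not from the original post). Builds root -> CSR -> leaf with the
# openssl CLI and then verifies the result the way a browser would.
# Assumes openssl 1.1.1+ on PATH. Hostname and CA names below are constructed.
set -eu

WORK="$(mktemp -d)"            # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT
SITE="myrouter.lan"            # constructed address of the local control panel

# Minimal req config: the [dn] section is the CSR metadata the post mentions,
# [v3_root] marks a cert as a CA, [v3_leaf] gives the server cert a SAN.
req_config() {  # $1 = common name; prints the config to stdout
    cat <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $1
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
}

# Self-signed root: key + cert in one step (rsa:2048 here for speed).
make_root() {  # $1 = CA name, $2 = output path prefix
    req_config "$1" > "$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1096 \
        -config "$2.cnf" -extensions v3_root \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Leaf: generate key + CSR, then have the root's private key sign the CSR.
make_leaf() {  # $1 = site name, $2 = output path prefix, $3 = root path prefix
    req_config "$1" > "$2.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$2.cnf" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$2.cnf" -extensions v3_leaf \
        -out "$2.pem" 2>/dev/null
}

# Browser-style check: signature chains to the given root only (system store
# ignored) and the certificate is valid for the address being visited.
verify_chain() {  # $1 = leaf cert, $2 = trusted root cert, $3 = hostname
    openssl verify -no-CAfile -no-CApath -CAfile "$2" \
        -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Expiry check (the post's reason 1): exit 0 while the cert is still valid.
not_expired() {  # $1 = cert
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

build_demo() {
    make_root "Home Lab Root CA" "$WORK/root"
    make_root "Somebody Elses Root" "$WORK/other"   # a root the client does not trust
    make_leaf "$SITE" "$WORK/leaf" "$WORK/root"
}

show() {  # $1 = label, rest = command; prints OK/FAIL without tripping set -e
    label="$1"; shift
    if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

build_demo
show "chain to trusted root, address matches"          verify_chain "$WORK/leaf.pem" "$WORK/root.pem"  "$SITE"
show "same cert against an untrusted root (reason 2)"   verify_chain "$WORK/leaf.pem" "$WORK/other.pem" "$SITE"
show "trusted root but wrong address"                   verify_chain "$WORK/leaf.pem" "$WORK/root.pem"  "wrong.lan"
show "leaf not expired (reason 1)"                      not_expired  "$WORK/leaf.pem"
```

Installing `root.pem` in the browser or OS trust store is what turns the second line from FAIL into OK for that client; `leaf.pem` and `leaf.key` are what go into the web server. Only the root's public cert is ever distributed; `root.key` stays offline, exactly as the post says the private key should.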

ds6 Bronze badge
IT Angle

Re: But why is it so complicated?

But, frankly, I barely understand even that. I just know they work, somehow[...]. That's all I want or care about.

This kind of attitude is terrible and hurts not only yourself, but others. If you ever have to set up an Internet-facing service—even if you don't know it is—your lack of knowledge will now open you up to being attacked, spied upon, information stolen, the device in question put on a botnet... And this only encourages those with malintent to keep doing what they're doing because people keep on making the same basic mistakes that allow them (users and miscreants) to continue operating.

"I don't care as long as it works" is why grannies everywhere buy trash Chinese routers with 0% security features enabled so that her grandkids can get on the dang ol' Internet, and suddenly it comes as a big surprise when granny gets busted for downloading pirated movie rips and child pornography when it was really a distant neighbor, or some miscreant using her Mirai-vulnerable device as a proxy.

"I don't understand it but it works" is why we have shoddily-coded websites, databases, and other pieces of critical infrastructure being breached seemingly on the daily and billions of people's information being sold on back-alley channels. As another example, let's say you think you know how something works and try to give advice to your friend—now you're both spreading FUD about something you truthfully know little to nothing about.

Please. Educate yourself. For everyone's sake.

ds6 Bronze badge

Vivaldi is a Chrome fork so it has all the same features. They're likely using an OS where the certificates are not handled by the browser, as it usually is.

ds6 Bronze badge

Re: That feature photo

First thing I thought was "they're going to ruin that CPU".

ds6 Bronze badge

Re: Lol arcane knowledge of memory management

If it looks pretty, it goes faster. Duh.

It's just like racing stripes. Don't you know how racing stripes work?

ds6 Bronze badge

I think the real problem isn't that we're making things easier for ourselves—the current generation that knows how these things work, it's that we're making things easier for the next generation of programmers that hasn't learned what we know.

Sure, it would be neat to have a one-liner to generate a cert for everything, as opposed to fuddling around with openssh parameters, but it's not a big deal that we—those that already know and understand how OpenSSH works—make it simpler for ourselves, because we understand the implications of what we are doing, and know how much control we are giving up by using a higher-level solution. This of course applies to everything from memory management to database queries and more.

But here comes along Billy Big School that just got their 2-year degree in Really Quite Basic Programming that only taught them high level languages in a Windows environment with Visual Studio, and now they think they're cool and go apply for an entry-level, underqualified web dev position because "I write JScript in my free time PLUS I went to school for it" they say, and now they suddenly need to know how to generate certs from the command line to get the test environment started, something they know nothing about and have never done.

In enters mkcert, giving them an effortless way to make certs! How does it work? What is even a cert? Who cares, I can just run it and put a file here and suddenly the test environment works in Chrome! Hurray!

When things get easy enough that even a trained monkey can do it, it allows for the untrained human to slough their way through without really understanding the implications of what they are doing. That's the real problem we're facing.

To apply this logic to the memory management/DB examples we've seen, it's obvious those PHP developers were learned in how PHP and databases worked, but did not understand how the commands affected the underlying memory model or how much IO they clogged the database with.

No, I don't have a solution for this. One can't just say "have better schooling!" or "enforce testing of all employees for basic knowledge!" because both are terribly unrealistic in the education and corporate worlds respectively. Even simply "leave things complicated enough to require at least intermediate knowledge on the subject!" doesn't work anymore, because one can just pop on over to SO and copypaste a sexy snippet and be on their merry way.

Teaching the fundamentals as building blocks is very important, because it leads to a deeper understanding of the actual functionality of the technology we use daily, high-level or otherwise. Don't do that and you get a whole host of people that will eventually learn on the job that they have no real idea what they or their code is doing from a lower-level perspective.

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit

ds6 Bronze badge

Re: I use FreeBSD, and for good reason.

Alpine, Slackware/Salix, and Void are the closest you can get to FreeBSD in Linux-land. Debian GNU/kFreeBSD is an interesting experiment but I wouldn't recommend it.

In general:

Salix for the most BSD-like experience; very similar tools and philosophy. Uses OpenRC by default last I checked which is similar to FreeBSD rc, though FreeBSD doesn't have an equivalent to runlevels. Package manager spkg is less similar to FreeBSD pkg_ng and more similar to old-style BSD pkg_add and apt/dpkg in my opinion. It's the largest of all the choices I've said but that makes it feel more FreeKitchenSinkBSD eh?

Slackware if you're a masochist, since you aren't used to Linux. Salix just adds some nice user-friendly tools and modifications to Slackware and is backwards-compatible, so you should absolutely use it over vanilla.

Alpine if you like minimalism and/or non-GNU (userland is Busybox). Package manager apk is very straightforward and is closest to FreeBSD pkg_ng. Also uses OpenRC so the points for Salix I mentioned also apply here. I highly recommend it if you're wanting a system that will let you build your own environment while still remaining very user-friendly. I use it everywhere—servers, gateways, desktop, laptop, SoCs... Also it's tiny. Tiiiny.

Void is somewhere between Alpine and Salix; it's quite minimal but is much bigger than Alpine and doesn't have all the out-of-the-box features that Salix does. Feels more like Arch, including its package manager xbps that feels like some kind of frankenstein mush of pacman and apt/dpkg. I really don't like the package userland tools and they do not feel anywhere close to either pkg_ng or pkg_add. Additionally, it uses runit which while dead simple is nowhere near the robustness of FreeBSD rc or even OpenRC.

Since I'm an Alpine shill I recommend it first, but Salix is probably the "most BSD"; after all, Slackware has always been known for being the "most-Unix Linux" by a lot of people, since it's also the oldest distro still around, and it really hasn't changed much. You should try all of them to see what you like best.

I heard they might be switching to systemd a while ago, though... Hope that never happens.

And if you don't like any of them, install Gentoo.

ds6 Bronze badge

Re: It could be worse, we could be running Slackware.

Poettering, is that you, you unaffable, arrogant cock?

ds6 Bronze badge

Re: It could be worse, we could be running Slackware.

I was confused for a moment.

ds6 Bronze badge

Re: Cloud fad

Why did you rewrite your previous comment and repost it?

ds6 Bronze badge

If Poettering were to... Ah, mysteriously disappear, do you think his projects would die off with him? Or has the cancer dependency chain spread too far?

ds6 Bronze badge

Re: I guess it's a good time

Or Alpine. Live ISO is 100MB ;)

Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows... Yup, it's day 20 of Trump's govt shutdown

ds6 Bronze badge
Paris Hilton

I wonder how long until the essential employees stop showing up to work.

Unrelated icon because it isn't used enough.

'Moore's Revenge' is upon us and will make the world weird

ds6 Bronze badge

Re: Getting more and more off topic ...

But what if your Ferrari is covered in primer? Does the fresh-off-the-lot Hyundai get to go first?

ds6 Bronze badge

Re: Article misses a critical point

But "do one thing and do it well whilst safeguarding against attackers and allowing the user to actually get things done" is a tad bit on the winded side.

Let's acronymize it, like all the kids are doing: DOTADIWWSAAAATUTGTD

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

ds6 Bronze badge

Re: Hang on

42% on IIS is because it's the Windows Solution. Got Windows Server? Why not deploy IIS? Bing bang boom you're done.

Meanwhile everyone else has been enjoying a diversified landscape of tailored stacks, unfortunately with a bit too much serverside JavaScript... But hey, better than dealing with Windows.

And so I quickly escape before IIS admins come for my head.

ds6 Bronze badge

All seems good

...Meanwhile, my employer refuses to provide the funding to upgrade from Server 2003 with very old versions of Exchange. All user home directories are stored on unencrypted SMBv1 admin shares. Every AD account has local admin privileges on whatever system they are able to log into. All AD/Google/etc. accounts are disabled manually when an employee leaves but there are still hundreds of accounts still active back to 2008. We just recently decommissioned 2 print servers at my behest that had been running for years and were completely unused security holes. I'm the only one that knows how to write scripts in the whole department. Our netmaster doesn't know how DNS wildcards work and even after I explained it to him managed to take the entire site offline for 2 days (yeeeaaah 48hr TTL) by fat-fingering the domain name. We didn't get Webroot even though they went out of their way to get rid of a company-wide infection of Emotet for us with a proprietary, custom-tooled removal package, and instead are paying for an abandonware endpoint antivirus system that hasn't had its definitions updated in months and was clearly designed for XP. My cool boss just left for a better job right after I finally had some hope of making things better. My boss's boss admitted to the whole office he "doesn't know much about computers, [he's] a policy guy" when asked if he would perform interim duties. High-profile, high-availability, mission-critical systems are running XP on hardware from a similar era and no one wants to so much as touch it from fear of killing it, and we can't get the funding for a backup, let alone replace it. We pay for third parties to manage the CMS and phone system and both regularly break. If the VoIP server ever goes down it refuses to come back up and it has to be re-imaged over the wire from their servers and any voicemails from within the time period of the last backup are lost; they have not fixed this issue despite weeks of downtime and we still pay for their services. Oh but at least we're dumping money into some Indian company to develop an absolutely useless app that shows you a glorified calendar and half the time doesn't let you log in.

Sorry, I needed to vent about 20% of what I'm currently dealing with.

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters

ds6 Bronze badge

Re: Defence in depth

BitLocker is for disk encryption [with TPM], did you mean Smart Screen?

Also, are you checking for other executable files, such as ClickOnce or JavaWS? At an old company I'd worked for, while they'd blocked native executables, they didn't have any CAS policies so I could run whatever .NET stuff I wanted and install/run things with it that way. Obviously I didn't end up staying long.

Detailed: How Russian government's Fancy Bear UEFI rootkit sneaks onto Windows PCs

ds6 Bronze badge

Re: @ds6

No, but it would be needlessly pedantic to mention the use of two greater-than symbols as opposed to one seems mildly excessive.

My coat is getting too small to hold all this pomposity.

ds6 Bronze badge

Re: The anti-intellectual Americans etc...

How needlessly pedantic of you. If a word is enough to set you off I'd probably not want to be in the same room should someone erroneously type out an "armor" or a "color!"

"Egghead" has lost most of its negative connotation and is nearly equivalent in sting to "boffin;" both funny words but you'd likely not say either in front of a neuroscientist. It just so happens that the atmosphere here at El Reg is fairly relaxed. (Extra credit: Someone find a post written by a non-American where the word "egghead" is used instead of "boffin" and I will mail you an egg roll)

The US was and is home to many, many brilliant scientists both native (John Nash Jr., Donald Knuth, Oppenheimer, Grace Hopper, Carl Sagan, Benjamin Franklin, George Washington Carver, Richard Feynman...) and foreign (Nikola Tesla, Albert Einstein, Isaac Asimov, von Neumann, Enrico Fermi...) and it would do them even more of a disservice compared to simple fun-poking naming by striking off the whole place with a broad generalization. Even beyond that, science is a worldwide, collaborative effort, one that transcends nation, ethnicity, creed, and whatever else.

You want to mock and stereotype the USA and its commoners, go ahead—but leave the scientists out of it.

It's the end of 2018, and this is your year in security

ds6 Bronze badge

Re: The election wasn't hacked, oooh no it wasn't, honest.

What a funny mess, that Brexit thing. Impartial of political alignment or support, you have my sympathies from across the pond for having to put up with it.

At least a considerable percentage of your federal workers aren't being forced to work without pay at the behest of a president trying to fund billions of dollars into an overpriced wall. So that's nice.

Tumblr resorts to AI in attempt to scrub itself clean from filth

ds6 Bronze badge

Re: Spare A Thought

Mind sharing that link to the Tumblr article? Or is it too scandalous for mortal eyes?

Naked women cleaning biz smashes patriarchy by introducing naked bloke gardening service

ds6 Bronze badge

Re: Why is it sexist

"If naked cleaning (ironing, cooking* etc...) ladies was considered sexist, the answer is to provide naked cleaners of whatever gender."

Yeah, where's my cute boy cleaning the kitchen in a naked apron, dammit?!

(I think ordering these services may result in my trouble.)

FCC slammed for 'arbitrary and reckless' plan to change how text messages are regulated

ds6 Bronze badge

Every time I see a "FCC has done another no-no that only benefits Big Telco" post, my brain plays a recording of Ajit Pai—or, Paijeet, if you will—shooting a nerf gun and spinning noisemakers. Whoever supported inserting his worthless, money-grubbing existence into the position of chairman deserves a chair to the head. Can't wait for my internet to be throttled even harder because deregulation is saving all of us or whatever vapid garbage is exiting his septic gob.

Where is my "indelible rage" icon?!

Sacked NCC Group grad trainee emailed 300 coworkers about Kali Linux VM 'playing up'

ds6 Bronze badge

Warning: Technobabble

"There is no way she could have fixed things on her own."

Based on her conduct, yes, there's no way in high hell she could have fixed it.

I mean, she would have to reflash the CMOS battery to uncorrupt the bootup registry and translocate the root virus to null space outside of the BIOS SRAM, and that is a very difficult process that only IT can solve. Shame on them for not helping a poor defenseless lady about the perils of a root virus in her malware device driver!

3ve Offline: Countless Windows PCs using 1.7m IP addresses hacked to 'view' up to 12 billion adverts a day

ds6 Bronze badge

And of course...

...They're all Russians.

Not living in Russia.

The least these guys could do is stay in Russia to help their struggling economy... Or is that not something the greater world would want right now.

Black Friday? Yes, tech vendors might be feeling a bit glum looking at numbers for the UK

ds6 Bronze badge

Re: Stop trying to make "Black Friday" happen. It's not going to happen.

In Finland retailers started doing Black Friday deals some years ago to follow the trend. Here's what the owner of the largest army surplus store in the country—possibly all of the EU[citation needed]—said about it:


Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog

ds6 Bronze badge
IT Angle

Re: WTF?

They probably wanted to get it out ASAP. I sure as hell don't personalize my replies when I have to answer 10's of the same ticket...

Still, one would think the biggest tech company in the world would have a better system already in place for this.

Or a website that isn't vulnerable. One of the two.

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box

ds6 Bronze badge

Re: Now hang on, please!


Oh my sweet olfactory system it really exists. WE DON'T NEED ANOTHER AUDIO SUBSYSTEM THERE ARE LIKE 5 ALREADY... sndio, alsa, pulse, oss, jack...

"It aims to support the usecases currently handled by both PulseAudio and Jack and at the same time provide same level of powerful handling of Video input and output."

Ah, Gunther, remove me from this mortal coil immediately. And after that, lunch.

ds6 Bronze badge

Re: There is a reason ...

"Mostly because the old-style init system doesn't cope all that well with systems that move from network to network."

It is absolutely attitudes like this that resulted in the black hole that is systemd.

What relation does the DHCP client have to the init system? Hint: absolutely nothing. The init system or "suite" as they're calling it, should NOT be responsible for DHCP.

"Old-style init system[s]" are not at fault for network issues when a proper roaming DHCP client is not installed, wpa_supplicant isn't configured, etc. I have been using Alpine Linux on my laptop for a while now—no GNU, no FreeDesktop, no Poettering. udhcpc comes with busybox and works absolutely fine, in conjunction with wpa_supplicant and a trigger script to automatically re-run udhcpc when a network change is detected.

init should get the system going and nothing else. Maybe a function of the solution will work as a service manager, and maybe it will start your networking for you. At that point, if your network client is not smart enough to figure out how to reconnect to a network then it is that application's fault and not the init.

"These days networking is essential to the basic functionality of most computers; I think there's a good argument that it doesn't make much sense to treat it as a second-class citizen."

What does that even mean? Are you implying systemd-networkd is a superior solution? When it just had a potentially dangerous exploit patched??? It's rather presumptuous to consider alternative, non-systemd DHCP softwares to be the equivalent of "second-class citizen[s]".

Now this might be going out on a limb, but here's how a branch.io bug left '685 million' netizens open to website hacks

ds6 Bronze badge

Re: Thank you uMatrix. It won't even let me go to the branch.io site.

Anyone that doesn't use uBlockO + uMatrix is not a friend of mine.

...Actually, none of my friends do, so maybe I should re-evaluate my claim.

ds6 Bronze badge

"going to"? The Internet is already a massive dumpster fire, what with the likes of IoT, XSS, phishing, domain squatting, Facebook exploits, database dumps, and what have you. Every day something new that either has the capability to affect or has actively affected millions of people is uncovered, and no one cares or changes their habits.

It's like having your house broken into while your throw rug is aflame, but you just keep sitting there eating your bowl of porridge and scrolling through your phone because it's "not your problem" and hasn't visibly touched you yet. Daunting.

Ubuntu sends crypto-mining apps out of its store and into a tomb

ds6 Bronze badge

Re: New funding possibility?

I recall a link sharing service I believe it was, that asked to mine for a few seconds before fetching the link. The user gets what they want faster than the "Please wait 30 seconds to download this file" prompts, doesn't see ads, and doesn't have to disable their ad blocker (unless you block 1st party scripts and XHR). It seems like a win for everyone involved.

Register-Orbi-damned: Netgear account order irks infosec bods

ds6 Bronze badge

Re: marketing data?

The only reason Facebook is able to make money, or even exist at all, is because they market targeted ads to you and sell your personal information to third parties—and we unfortunately have undeniable proof of that second one.

Marketing runs the business world. It's unfortunate but it's true. Every little morsel of personal info a company can squeeze out of you is equivalent to a few coins worth of profit.

And people don't care. They will never care. The convenience and shiny-thing attraction is a worthwhile price to pay for them.

Don't panic, but your baby monitor can be hacked into a spycam

ds6 Bronze badge


Congratz, nearly every modern laptop, router, IoT device, car, toaster, and even your nan's toothbrush are connected to the internet and shout at the nearest master server not only that they exist, but where they are, who you are, your dog's name, and the shape of your left gonad.

The more advanced models allow you and anyone else to remotely access anything for your and their convenience, because this is what you and they want, we and they are sure of it! See: Windows RDP which is enabled by default on most models, Swiss cheese router admin panels, cameras of the baby variety or otherwise, cars with a giant phablet plonked right in the dash that automatically connects to any nearby bluetooth device, or otherwise anything even partially cloudy.

There is no escape. Embrace the Intimacy of Telemetry.

Israel cyber chief's 'pants' analogy for password security deemed, well, 'pants'

ds6 Bronze badge

Re: Advice: Use a password manager

You seem to assume "password manager" means a central server. It is terrifying and depressing to me that is anyone's first thought.

Rather, use a local solution. Use KeePass (open source, audited clients for all systems, including Windows, macOS, Linux, BSDs, Solaris, Android, iPhones; and no, all the clients I can think of either work entirely offline or can be configured to never connect out) and sync your database physically, with SCP on a cron job, or with Syncthing using a TLS certificate.

Alternatively, use a script, mobile app, or application that takes a site name and master password, generates a salt using the two, and then generates a password using all 3... Now you don't even need to save your passwords anywhere!

You could also write a shell script to encrypt/decrypt a json/etc. file using a secure technology of your choice (eg. something based on OpenPGP) and forego any fancy technology. Simplicity keeps the attack surface lower.

Or, you know, use a pen and paper, and rather than just writing down passwords, transmute them using a shared secret present only in your brain, eg. always add a character to position X if Y is Z... Or, only write down hints, only to be used if you forget.

Password management doesn't have to be difficult, and "password manager" should not ever ever never ever mean giving your passwords to some company. Look at LastPass, bastards got compromised and they're somehow still in business and promise to keep your data safe. Not to mention, it's still not open source. Tsk.
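
As an added illustration of the storage-free approach the post above describes (site name plus master password in, site password out), here is an example in Python. It is not the poster's code nor any particular app's algorithm; the concrete choices (an HMAC of the site name under the master password as the salt, scrypt as the stretching function, a rotation counter, and the output alphabet) are this example's own assumptions, and the sample inputs in the test are constructed.

```python
"""Deterministic, storage-free site password derivation (illustrative example).

Nothing is written to disk: the same master password and site name always
reproduce the same site password, so there is no vault to sync or leak.
"""
import hashlib
import hmac
import string

# Assumed parameters for this example; raise N if your hardware allows it.
SCRYPT_N = 2 ** 14      # CPU/memory cost (16 MiB of work memory at r=8)
SCRYPT_R = 8
SCRYPT_P = 1
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_salt(site: str, master: str) -> bytes:
    """Salt built from both inputs, as the post suggests.

    A keyed hash (HMAC-SHA256) of the normalised site name under the master
    password: distinct sites get distinct salts, and the salt reveals nothing
    about the site list to anyone who does not hold the master password.
    """
    site_norm = site.strip().lower().encode("utf-8")
    return hmac.new(master.encode("utf-8"), site_norm, hashlib.sha256).digest()


def _bytes_to_chars(data: bytes) -> str:
    """Map bytes onto ALPHABET with rejection sampling.

    Bytes at or above `limit` are discarded so that every character of the
    alphabet is equally likely (a plain `b % len(ALPHABET)` would bias the
    first few characters).
    """
    limit = (256 // len(ALPHABET)) * len(ALPHABET)   # 222 for a 74-char alphabet
    return "".join(ALPHABET[b % len(ALPHABET)] for b in data if b < limit)


def derive_password(site: str, master: str, length: int = 20, counter: int = 0) -> str:
    """Derive a site password from the master password, site name and counter.

    `counter` exists so a single site's password can be rotated (after a
    breach, say) without changing the master password: bump it to 1, 2, ...
    and a completely different password falls out for that site only.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if counter < 0:
        raise ValueError("counter must be non-negative")

    salt = derive_salt(site, master) + counter.to_bytes(4, "big")
    out = ""
    block = 0
    # Rejection sampling can throw some bytes away, so keep drawing scrypt
    # output (with a block index folded into the salt) until enough remains.
    while len(out) < length:
        key = hashlib.scrypt(
            master.encode("utf-8"),
            salt=salt + block.to_bytes(4, "big"),
            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
            dklen=64,
        )
        out += _bytes_to_chars(key)
        block += 1
    return out[:length]


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    print(derive_password("example.com", "correct horse battery staple"))
    print(derive_password("example.com", "correct horse battery staple", counter=1))
```

The design trade-off worth knowing before adopting this style: the master password becomes the only secret, so it cannot be changed without re-deriving (and re-setting) every site password, which is why the counter is there for per-site rotation. The scheme also has nowhere to record a site's password rules (maximum length, forbidden symbols), so those have to be remembered or handled by a per-site override, and an offline attacker who obtains one derived password can mount a guessing attack on the master directly, which is what the scrypt cost parameters are meant to slow down.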

EU court: No, expat Frenchman can't trademark France.com

ds6 Bronze badge

Re: Presumably, as a corporate entity...

Everything was peaches and hearts before Freidmann started ranking higher than them on Alexa. I guess what we can take from this is avoid angering state-level actors unless you have a badass [EU] legal team.

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

ds6 Bronze badge
Black Helicopters

Whether or not the data part of email is a suitable form of communication aside, can we not just nuke the whole implementation of mail transport? Every MTA/SMTP project is a cluttered mess (quite specifically sendmail, woof), and the specs they're based on are even more convoluted. If it's not coded so shoddily it could be pushed over with a brisk swat (again, sendmail), it's overcomplicated and difficult to work on/with—and probably not because the project maintainers want it to be.

I don't see it being that difficult to create a specification based entirely around SSL/TLS with much simpler operating parameters that can still funnel mail through, since MIME is flexible.

The difficult part would of course be getting people to adopt it. I bet some people even still use desktop Outlook, the barbarians.

And now, to make a quick getaway before all the devout followers of sendmail come to raise me on a stake... If there are any left.

'90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years

ds6 Bronze badge

Re: 99 bugs on the board today

What, our bugfix introduced 4 regressions? Better fix that...

What, our regression patches introduced 19 bugs? Better fix that...

What, our bugfixes for our regression patch features for our bugfix introduced...

Aussie bloke wins right to sue Google over 'underworld' images

ds6 Bronze badge

Re: I may be mistaken but...

They've switched services a few times IIRC. But honestly, with some of the information that has come out about the leadership in DDG, I tend to just use searx.

My own instance behind a myriad of vpn servers, of course.

I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son

ds6 Bronze badge

Re: "free games"

Don't get me wrong, I'd love it if every game console came with the source code to all of its software and all the games you purchased included the source code, but how would that at all be beneficial to the company at the end of the day? Look at what happened to the fidget cube, the original designers sent blueprints to manufacturers to assemble the product, but they ended up getting distributed and the designers lost out on a huge market capitalization when clones of their product were put up for sale before theirs even was!

If companies are not to protect their investment, how will that work out? Digital media is much easier to plagiarize than physical hardware; where that hardware takes factories and production lines to exist, software only takes a compiler and some know-how. It is much more persistent, as well; while hardware will eventually decay and rot away, bit rot is a very slow process that can be easily mitigated for cheap. This isn't the 80's where you can sell floppies to companies and the chances of that data being copied, modified, or resold was slim to none, at least to the level of quality that the specialized vendor was able to supply.

If IP is not the answer, what should be done? Should companies be forced to support obsolescent products at risk of fine? Should companies be liable if they stop releasing digital content for their hardware platform before a specific date? Should hardware vendors be forced to open their source code and blueprints to the public? What is the alternative to software intellectual property in a hardware system that does not impact the profits of the company, and does not allow immediate and unrestricted plagiarism of that product?

For the record, I upvoted that post. It was much clearer than your first.


Biting the hand that feeds IT © 1998–2019