* Posts by john.jones.name

94 posts • joined 1 Aug 2017


How do you solve a problem like Galileo? With a strap-on L-band payload, of course!


Bent Pipe ?

why not utilise a bent pipe to effectively use SBAS?

Get in the bin: Let's Encrypt gives admins until February 13 to switch off TLS-SNI-01


so you can validate via DNS...

but you do NOT have to have DNSSEC...

some PKI scheme you have there...

NHS England's chief digital officer goes full digital, ditches health service for GP app biz


STOP using 'apps' and start using a "webpage"

apps are just a waste of time if you're providing a free service

they are only useful if you're charging someone....

but what about video conferencing? have you ever heard of WebRTC... these people have not a clue how to deliver digital services.

if the NHS or GPs published a web site with video embedded they could bundle it in an app container for those that...

just look at rocketchat, they have all the regulations etc...

Who cracked El Chapo's encrypted chats and brought down the Mexican drug kingpin? Er, his IT manager


Re: Collateral damage

people operating in that sort of environment typically have some sort of dead man switch...

if you trust a company then you will end up compromised; personal relationships are far more secure and well understood

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)


exchange better than office 364 which still needs DNSSEC and DMARC

at least you can control exchange and hide it behind a firewall or inspection service...

e.g. office365 lacks DNSSEC and DMARC (even though Microsoft consume this information themselves, customers are not to be trusted with actual security)

Happy new year, readers. Yes, we have threaded comments, an image-lite mode, and more...


Re: security ?

Marco, good on you for responding,

That said, not many banks criticise theregister for its security practices, nor do they publish articles about software security...


security ?

why oh why... since you use cloudflare...

how about adding an IPv6 address?

how about enabling DNSSEC?

These are simple to enable...

also your web developers could do with getting a better score than an F for Fail



honestly the most important is DNSSEC

1. Log in to your Cloudflare dashboard.

2. Open the DNS app.

3. Scroll down to the DNSSEC module.

4. Click Enable DNSSEC.

5. A pop-up will open with instructions for how to add the DS record to your registrar.

Copy the DS record and paste it into your registrar’s dashboard.

Once your registrar publishes the DS record, your domain will be DNSSEC-enabled.
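The step that trips people up is the DS record itself: it is not a copy of the key but a digest of the owner name plus the DNSKEY RDATA, tagged with a 16-bit key tag. The following is an added example, not from the post above and not Cloudflare's code, that builds a DS record from a DNSKEY and checks a DS line as published by a registrar (or returned by `dig DS`) against the zone's key, so a mistyped or stale DS is caught before resolvers start failing validation. The owner name, flags and the 64 key bytes are constructed; the key is a byte ramp, not a real ECDSA public key.

```python
"""Compute and verify a DS record from a DNSKEY (RFC 4034 section 5 and appendix B).

Added example, not from the original post and not Cloudflare's code: it shows
what the DS record pasted into the registrar actually contains, so that the DS
the registrar publishes can be checked against the DNSKEY in the zone.
"""
import hashlib
import struct

# DS digest type codes (RFC 4034 / RFC 4509 / RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner, rdata):
    """The DS digest covers the owner name (wire form) followed by the DNSKEY RDATA."""
    return name_to_wire(owner) + rdata


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Render the DS RR for this DNSKEY in presentation format."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGESTS[digest_type](ds_digest_input(owner, rdata)).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(published_ds, owner, flags, protocol, algorithm, public_key):
    """Check a DS line (as shown by the registrar or `dig DS`) against the zone's DNSKEY.

    Returns False for unknown digest types or if key tag, algorithm or digest differ.
    The digest may be split over several whitespace-separated fields, as dig prints it.
    """
    fields = published_ds.split()
    if "DS" not in fields:
        return False
    i = fields.index("DS")
    try:
        tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    except (IndexError, ValueError):
        return False
    if dtype not in DIGESTS:
        return False
    expected = ds_record(owner, flags, protocol, algorithm, public_key, dtype).split()
    return (
        tag == int(expected[3])
        and alg == int(expected[4])
        and "".join(fields[i + 4:]).upper() == expected[6]
    )


# Constructed sample: a KSK (flags 257) using algorithm 13 (ECDSA P-256 / SHA-256).
# The 64 "key" bytes are a byte ramp, not a real public key; they only exercise the arithmetic.
SAMPLE_OWNER = "example.com"
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_KEY = bytes(range(64))

if __name__ == "__main__":
    ds = ds_record(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_KEY)
    print(ds)
    # the same DS with its last digest character altered, as a copy-paste slip would produce
    tampered = ds[:-1] + ("0" if ds[-1] != "0" else "1")
    args = (SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_KEY)
    print("published copy matches:", ds_matches(ds, *args))
    print("tampered copy matches:", ds_matches(tampered, *args))
```

Cloudflare hands you the DS already computed; the point of recomputing it is that the key tag and digest are deterministic, so a DS fetched from the parent zone after the registrar publishes it can be compared byte for byte with the DNSKEY your zone serves.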

Amazon's homegrown 2.3GHz 64-bit Graviton processor was very nearly an AMD Arm CPU


how clueless

I bet the team at AWS / Annapurna love this:

"It does poorly benchmarking our website fully deployed on it: Nginx + PHP + MediaWiki, and everything else involved. This is your 'real world' test. All 16 cores can't match even 5 cores of our Xeon E5-2697 v4."

complete and utter garbage...

how many optimizations does the ARM compiler emit/use vs the number for Xeon? NONE

same with Geekbench, it's all garbage... until AWS / Annapurna actually get GCC to emit / optimize for basic things like AES they don't have a chance, and you can't get it into the mainline tree until you want to announce it. so let's see the code...

so the question is how much has it been optimised for floating point and what is the IO bandwidth like

IF, and it's a BIG IF, they have decent IO speeds that can compete with the Intel Xeon, THEN it will be more than a negotiating tactic with Intel

john jones

Mobile networks are killing Wi-Fi for speed around the world


the data is flawed

flawed in so many ways that it's completely meaningless

3G / LTE data is proxied/altered ALL of the time, while Wi-Fi data is only some of the time, by the upstream provider, e.g. DNS requests

interesting that OpenSignal earn money publishing it for the 3G/LTE providers though...

Up to three million kids' GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for perverts



they have form for this kind of thing


(scary that the Daily Mail has a decent summary of the camera)

a GPS watch is not a bad thing, it's how it's used that could be a problem

(which is the same problem as a hammer: it's the users that are the issue)

The great and powerful Oz (broadband network): Revs rise, but nbn™'s exec bonuses don't


free data day...

anyone who remembers what happened to Telstra's network when they offered free data for a day (because the network completely failed and billing/CS could not handle the refunds)

that day the entire network was terrible, the reason was they didn't have the capacity... 5G is great to get to the cell tower but they don't have the capacity in backhaul... they never will since it's more profitable to charge HUGE amounts for very little data

maybe in 10 years' time 5G will be some competition but it's not going to have any effect in the next 3 to 4 years

This one weird trick turns your Google Home Hub into a doorstop


chromecast based

they used Chromecast as the base, which previously was just a screen, rather than Android as the base, and this is what happens...

maybe just maybe they should have used Android as the base which at least has been audited...

they could still update it to use the same codebase as Android Things...

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling


DoH no integrity Mozilla

Mozilla is going for cheap engineering

fine, have your DNS over HTTPS, but it's pretty useless if you don't check the DNS answers

(that's what DNSSEC does)

Mozilla have constantly not implemented DNSSEC, there are even public patches to NSS

believing that you get more integrity from an HTTPS connection and that Man In The Middle HTTPS systems do not exist would be rather foolish

Oz spy boss defends 'high risk vendor' ban


weasel words from lawyers

no evidence in a public forum...

much like the other old man named Burgess

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption


that's not how it works...

sadly that's not how it works

your provider intercepts the DNS query (ISPs are required to do so by law in the US/EU/Asia) to stop child abuse etc, and some territories go much much further

you only have to look at the Chinese or even Turkey

this is the "state sponsored" manipulation and the "strong human rights argument" falls apart for DNS over HTTPS; it basically does not work... one of the reasons is root certificates: there are plenty of compromised issuing certificate authorities, and sorting out the bad actors is near impossible, you have to throw out the whole lot.

the secondary reason that you can't escape is that even if you have a secure connection to a DNS over HTTPS server, the answers that it provides are not signed and so you can't verify them

regardless, people need to start using DNSSEC to actually verify... Mozilla etc have patches and have done NOTHING

I wonder why...

Perfect timing for a two-bank TITSUP: Totally Inexcusable They've Stuffed Up Payday


IP addresses

> Attack surface is reduced by reducing the ways you can reach it, ie only by IPv4 rather than both IPv4 & IPv6.

that's not how it works, just because a service is addressable via multiple IP addresses does not increase or decrease its attack surface area

in fact you REDUCE the problems by adding IPv6 since the consumers do not have to hide behind their provider (BT/EE/voda etc) they can communicate directly and the provider can deny individuals


Re: simple questions for the banks

sorry @katrinab

maybe you missed the fact that pretty much all mobile connections are IPv6 then translated to IPv4 by the carrier/provider?

that makes your 99.999999% not true

(for example linkedin has about 50% of its traffic via IPv6 )

Although if you think your attack surface is reduced by reducing the number of IP addresses I think you have bigger issues...

perhaps time to invest in some education?


simple questions for the banks

here are some questions for banks:

security: do you share any of your infrastructure with other providers?

(while in most applications it's perfectly fine to use "cloud" multi-tenant infrastructure, in banking it would be decidedly risky, i.e. imagine AWS had Meltdown and Spectre problems and you hosted SSL keys there)

security: do you rely on shared or third-party infrastructure for archival and compliance?

(imagine having an American or South African company vet all messages to see if they are genuine and archive all financial data, then expect their systems to be run for your benefit solely)

security: do you use up-to-date systems for communications such as IPv6 and DNSSEC?

(imagine thousands of users all behind one IP address, i.e. CGNAT, and if that system fails to interact with an institution's load balancers correctly you might find problems; equally it could be SSL handshake problems. this can be solved by advertising IPv6 addresses to mobile phone providers and the world at large. equally, to prevent interference by a third party pretending to be your website address, it might be wise to employ DNSSEC to sign your DNS responses rather than let dodgy wifi providers steal children's money)

have fun

Baddies just need one email account with clout to unleash phishing hell



the problem is that some UK unis have outsourced their mail, lock stock, to Microsoft and Google etc so don't really have control...

if they retained their MX then they would have the ability to implement DNSSEC and DMARC to not only DENY but RECORD who is spoofing them

ironically Microsoft consume DMARC but don't send it out... you know it's good when Microsoft will use it for their own microsoft.com domain but refuse to help others...

DNSSEC would prevent DNS spoofing and combined with DMARC it gives a nice authenticated trail which you can still use outlook and gmail with... you just have to control the incoming...
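The "DENY but RECORD" point above is what a DMARC record's `p=` and `rua=` tags do: the receiver compares the domain in the From: header against the domains that SPF and DKIM actually authenticated, applies the published policy when neither aligns, and sends aggregate reports about the failures to the `rua` address. The following is an added example, not from the post above, that evaluates one inbound message against a DMARC record the way a receiving MTA does (RFC 7489 semantics, simplified). The university domain, the record and the SPF/DKIM results are all constructed, and organisational domains come from a tiny hard-coded suffix table standing in for the Public Suffix List a real implementation consults.

```python
"""Evaluate a DMARC policy for one inbound message (RFC 7489 semantics, simplified).

Added example, not from the original post; the record, domains and results are
constructed. Organisational domains are derived from a tiny constructed suffix
table rather than the real Public Suffix List a production implementation uses.
"""

# Constructed stand-in for the Public Suffix List; enough for the domains used below.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "ac.uk"}


def org_domain(domain):
    """Organisational domain: public suffix plus one label (mail.example.ac.uk -> example.ac.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse a _dmarc TXT record into a tag dict; the first tag must be v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(identifier_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, b = identifier_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(record, from_domain, spf_domain, spf_result, dkim_signatures):
    """Return the DMARC outcome for a message.

    from_domain     -- domain of the RFC5322.From header
    spf_domain      -- MAIL FROM (or HELO) domain SPF was evaluated on; spf_result is "pass", "fail", ...
    dkim_signatures -- list of (d= domain, result) for each verified DKIM-Signature
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_signatures)
    passed = spf_ok or dkim_ok
    policy = tags.get("p", "none")
    # a subdomain in From: falls under sp= when the record defines it
    if from_domain.lower().rstrip(".") != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,   # none / quarantine / reject
        "report_to": tags.get("rua"),                   # where aggregate reports (who is spoofing you) go
    }


# Constructed records and messages for a fictional university domain
RECORD_REJECT = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.ac.uk"
RECORD_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ac.uk"

if __name__ == "__main__":
    genuine = evaluate_dmarc(RECORD_REJECT, "example.ac.uk", "bounce.example.ac.uk", "pass",
                             [("example.ac.uk", "pass")])
    spoofed = evaluate_dmarc(RECORD_REJECT, "example.ac.uk", "attacker.example.com", "pass", [])
    monitored = evaluate_dmarc(RECORD_MONITOR, "example.ac.uk", "attacker.example.com", "pass", [])
    for label, r in (("genuine", genuine), ("spoofed under p=reject", spoofed),
                     ("spoofed under p=none", monitored)):
        print(f"{label}: pass={r['pass']} disposition={r['disposition']} reports->{r['report_to']}")
```

The spoofed message passes SPF for the attacker's own bounce domain, which is why SPF alone does not help: DMARC only counts an SPF or DKIM pass whose domain aligns with the From: header. With `p=none` the message is still delivered, but the `rua` reports record who is sending it, which is the visibility a domain that has outsourced its MX loses if nobody publishes the record.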

Fallover Friday: NatWest, RBS and Ulster Bank go TITSUP*


no DNS security or client-initiated renegotiation protection either

for a start the web server allows for client-initiated renegotiation, which is NOT good at all...

Although the option does not bear a risk for confidentiality, it does make a web server vulnerable to DoS attacks within the same TLS connection. Therefore you should not support it.

they have not enabled DNSSEC... so you can trivially spoof it even if you're using the latest and greatest security!

maybe they should look at the top level domain .bank which requires security...



no DNS security

well they have no DNSSEC so changes are pretty instant...

Sealed with an XSS: IT pros urge Lloyds Group to avoid web cross talk


no DNS security or client-initiated renegotiation protection either

for a start the web server allows for client-initiated renegotiation, which is NOT good at all...

Although the option does not bear a risk for confidentiality, it does make a web server vulnerable to DoS attacks within the same TLS connection. Therefore you should not support it.

they have not enabled DNSSEC... spoof away!

New MeX-Files: The curious case of an evacuated US solar lab, the FBI – and bananas conspiracy theories


china... its all about china

energy from the sun you say... I think we want those blueprints, just post them to us...

Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes


not skookum

maybe open source the design files on GitHub and have a competition for the best design; after all, plenty of undergraduate / graduate eyeballs for V2

It's here! Qualcomm's new watch chip is finally here! Oh, uh, never mind


WHY such a clueless article...

ok El Reg, why is this full of marketing puff

first of all no one cares what nm process they are using... they care about if the process or layout gives efficiency (power in this case)

secondly WearOS and arguably Android do NOT run a JVM... that's pretty basic knowledge

Thirdly, GPS does not need a huge power envelope; it does when you bolt it on as an afterthought... the fact that the NEW Qualcomm 3100 does not include QZSS means they didn't think...

just because Qualcomm didn't think that anyone would like an EKG or anything useful doesn't mean you should follow the Reddit crowd... please some useful reporting please

Prepare to have your minds blown, storage industry. 5 words: Client access Optane DIMM caching


DIMM interface vs NVMe

Intel really are not even trying any more are they... they launched a competitor to an enterprise battery-backed DIMM...

NVMe would have been 3.94 GB/s

No D'oh! DNS-over-HTTPS passes Mozilla performance test



so you make a query over TLS and can not verify the answer....

mandating DNSSEC as part of the spec is the only solution, otherwise you're just changing the attack surface not solving the problem

Vodafone, TPG propose 'merger of equals'


going to be interesting

TPG has always been marketed on price and buy cheap (laggy) bandwidth for their networks.

Vodafone invested a HUGE amount of capital in their network and optimisation and brand.

would you buy a business bundle from TPG?

Network monitoring is hard... If only there was some kind of machine that could learn to do it


reason for SDN

one of the driving forces for SDN

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim


use DNSSEC otherwise that httpS website is not secure

Basically the governments routinely ask the ISP to intercept traffic to your servers / VPN / websites

(the USA, GB, DE and CN are all at it)

They routinely present certificates that are valid, although obviously they have been generated on the fly for whatever resource you're accessing, and because most trust Certificate Authorities (some of which are compromised... all it takes is some...)

The answer to this is to trust whoever signs the root, i.e. Norwegians trust the .no root and the British trust the .uk root

this reduces the ability of for example the UK gov to intercept CN websites and vice versa...

also it would alert you if you do not trust any of them and they are trying to fake your resources...

Amazon, ditch us? But they can't do without us – Oracle


it's not about size, it's about speed...

RDBMS usage at Amazon will actually be quite a small data set compared to others and can be easily segmented and streamed for insights if required

It's about Speed and Intelligence...

over the years there is going to be a shed ton of intelligence and business logic built into the ERP (otherwise known as the shipping and warehouse); now you have to undo that rat's nest AND make sure it performs as fast.

Now don't get me wrong, I wouldn't employ Oracle unless I really had to, but I'll give them this, THEY MAKE A FAST DATABASE

Combined with the fact the USA has software patents, you're in a bit of a problematic area...

good luck to them

Oz government offers privacy concessions on MyHealth Record



they can access your record then save the results...

are they completely nuts... this will go wrong very very wrong

better sort out the insurance company access before you do anything else or you will find past MPs denied insurance!!

Insecure web still too prevalent: Boffins unveil HSTS wall of shame


update to DANE at the same time...

simply pin your CA into your DANE DNS record and it buys you a little more coverage...

ReactOS 0.4.9 release metes out stability and self-hosting, still looks like a '90s fever dream


drivers drivers drivers

if they can actually make it possible to load legitimate (yet old) drivers combined with modern virtualisation drivers then they are onto a winner

there is a lot of code / programs that still work on Windows NT and would pay HUGE sums to maintain those apps rather than pay third-party devs to maintain/update

just take a look at mainframe support contracts - offering support starting at 10k on VirtualBox / VMware / Hyper-V would be interesting!

Western Digital formats hard disk drive factory as demand spins down


supply chain

they have agreements with other companies and not being able to say you have a diverse supply chain will, I suspect, get some people rightly worked up...

2 factories in the same rainy country is not diverse at all

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong


set it up right...

DANE is not time consuming (any more than a certificate is) you just have to set it up correctly.

you don't have to roll your certs if you don't want to and even if you do a script can automate it


Email transport could be better

You can enforce TLS and you can declare your certificate via DANE easily and simply.

The CA model itself is not all that robust, and there are still some critical vulnerabilities that can be exploited by a well-resourced attacker. Adding DANE TLSA records to the DNSSEC-signed zone, then an additional DNS lookup to fetch and validate the TLSA record, is a small step, but a significant improvement to the overall security picture.



what this should be about is DANE


If people deploy this then things get a lot easier and trustworthy in TLS...

The bonus is that it's not tied to a Certificate Authority (CA) if you don't want it to be, which for most mail servers is a good thing as they often have self-certified certificates, and if you have a certificate from a CA then hey, use it and declare it via DANE...


you can test here : https://www.internet.nl/test-mail/

strangely the Dutch security service demand this as a secure channel, I wonder what they know (-;
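"Declare your certificate via DANE" means publishing a TLSA record under `_25._tcp.<mailhost>` that carries either the whole certificate or just its SubjectPublicKeyInfo, raw or hashed. The following is an added example, not from the posts above and not internet.nl's code, that builds such a record from a certificate's DER and checks a presented certificate against a published record the way a DANE-aware SMTP client does. So that it runs offline, the certificate is assembled inline from hand-built DER: it has the RFC 5280 field layout but a placeholder key and signature, and the host name mail.example.net is assumed.

```python
"""Build and check DANE TLSA records (RFC 6698) for a mail server certificate.

Added example, not from the original post and not internet.nl's code. The
certificate is assembled inline from hand-built DER so the example runs offline:
it is only shaped like an X.509 certificate and carries no real key or signature.
"""
import hashlib


def tlv(tag, payload):
    """Encode one DER tag-length-value, using the long length form when needed."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into its whole child TLVs."""
    children, pos = [], 0
    while pos < len(value):
        _, _, nxt = der_read(value, pos)
        children.append(value[pos:nxt])
        pos = nxt
    return children


def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(der_children(cert_body)[0])      # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                                    # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def association_data(cert_der, selector, matching_type):
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(host, port, cert_der, usage=3, selector=1, matching_type=1, proto="tcp"):
    """TLSA RR in presentation format; the default 3 1 1 (DANE-EE, SPKI, SHA-256) survives renewals that keep the key."""
    data = association_data(cert_der, selector, matching_type).hex()
    return f"_{port}._{proto}.{host.rstrip('.')}. IN TLSA {usage} {selector} {matching_type} {data}"


def tlsa_matches(record, cert_der):
    """Does the presented certificate satisfy this record's association data?

    For usage 3 (DANE-EE) this comparison is the whole check; usages 0-2 additionally
    require PKIX chain validation, which is outside this example.
    """
    fields = record.split()
    i = fields.index("TLSA")
    _usage, selector, matching_type = (int(x) for x in fields[i + 1:i + 4])
    presented = "".join(fields[i + 4:]).lower()
    return presented == association_data(cert_der, selector, matching_type).hex()


# --- constructed certificate (placeholder key and signature, real field layout) ---
OID_RSA_ENCRYPTION = tlv(0x06, bytes.fromhex("2A864886F70D010101"))
OID_SHA256_WITH_RSA = tlv(0x06, bytes.fromhex("2A864886F70D01010B"))


def _name(common_name):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, common_name.encode()))))


def build_cert(fake_key_bytes, common_name="mail.example.net"):
    """Return (certificate DER, its SPKI TLV)."""
    spki = tlv(0x30, tlv(0x30, OID_RSA_ENCRYPTION + tlv(0x05, b"")) + tlv(0x03, b"\x00" + fake_key_bytes))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                                         # version v3
              + tlv(0x02, b"\x01")                                                  # serialNumber
              + tlv(0x30, OID_SHA256_WITH_RSA + tlv(0x05, b""))                    # signature algorithm
              + _name("Constructed Test CA")                                        # issuer
              + tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(0x17, b"200101000000Z"))  # validity
              + _name(common_name)                                                  # subject
              + spki)
    cert = tlv(0x30, tbs + tlv(0x30, OID_SHA256_WITH_RSA + tlv(0x05, b"")) + tlv(0x03, b"\x00" + bytes(16)))
    return cert, spki


SAMPLE_CERT, SAMPLE_SPKI = build_cert(bytes(range(32)))

if __name__ == "__main__":
    record = tlsa_record("mail.example.net", 25, SAMPLE_CERT)
    print(record)
    print("matches own cert:", tlsa_matches(record, SAMPLE_CERT))
    other_key_cert, _ = build_cert(bytes(range(32, 64)))
    print("matches cert with a different key:", tlsa_matches(record, other_key_cert))
```

Publishing `3 1 1` is what makes "you don't have to roll your certs" true in practice: a renewed certificate for the same key pair still matches, while `3 0 1` (full certificate hash) has to be republished, with DNS TTLs in mind, on every renewal.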

Hipster horror! Slack has gone TITSUP: Total inability to support user procrastination


use one that you can plug into

why would you use Slack when you can get a secure and open source equivalent:


Xen Project patches Intel’s Lazy FPU flaw, VMware doesn't need to



banks are the type of people who run VMware in AWS...

no one else would pay twice...

No fandango for you: EU boots UK off Galileo satellite project


clearly no one with knowledge of the system...

so it's clear that no one with any knowledge of the system made that decision as it's completely pointless

Americans have access to high precision corrections; in fact anyone with a well surveyed site like the current command and control sites and knowledge/equipment of timing should be enough...

So if the UK military have any intelligence they will get in there and keep those sites and personnel going and simply feed the corrections back to any equipment needed.

the U.K. civil service did a number on the Europeans and they didn't even realise, one less outgoing and they get to ask for a refund...

the loss will be to the Galileo project which I am actually sad about but that's what happens if you let bureaucrats rather than engineers and scientists run the show...

Qualcomm to keep server CPUs but avoids head-on Intel battle



Intel have done very well out of the networking / firewall / NFV

Qualcomm might have a chance if they show how they can do 40 or 100 Gbps accelerated connections better than others, which would involve a fair bit of integration into microwave and caching vendors...


Smart bulbs turn dumb: Lights out for Philips as Hue API goes dark


it went very wrong

I use Hue lightbulbs and frankly they have been pretty awesome

thankfully if you're on the same LAN segment or have a remote you can control them without the magical intermawebs

to be honest with an architecture like this what could possibly go wrong


so in truth they are usable without the internet connection and that's how all "IoT" things should work; it's the other end they screwed up...

Arm emits Cortex-A76 – its first 64-bit-only CPU core (in kernel mode)


CoreMark anyone, anyone?

How about actually getting the benchmarks such as SPECfp or CoreMark?

SPECpower or ULPMark?

Amazon can't or won't collect sales tax in Australia


Re: Corporate Structure

yes it's about the corp structure and not the way you think...

Amazon Australia is a hole in the sea that they are pouring money into

(the AWS Australian region is an awesome cash-generating machine).

So what better way to satisfy the internal politicking... REDIRECT ALL THINGS !!

it's going to be hilarious if it works since the local hardly normal retail just complains about this constantly and no one will price match "offshore companies"

all for it personally

Zimmerman and friends: 'Are you listening? PGP is not broken'


they are right

the EFF deserves criticism in this case and so do those who write insecure mail clients...

I wonder if Microsoft is going to be patching their S/MIME and HTML implementation?

Servers crashed and burned. So, Qualcomm's back to Ctrl-C, Ctrl-V'ing Arm cores into phones


server for the basestations ?

ARM based servers are far from done, witness Ampere etc.

Qualcomm would do well to open their "server" platform to suppliers such as the Nokia (NSN) and Ericsson of the world...

that means selling to the network people and giving long term supply some confidence, which to be honest should not be all that hard, the hyperscale people just wanted predefined designs and created noise...

nbn™ isn’t fixing HFC, it’s ‘optimising’ it


the problem is that Optus (and other 4G providers) intercept and cache

they intercept your DNS and manipulate it

they log everything you do (to improve it)

they don't have proper backup when things fail (very few controllers)

so yes it's fine as long as you don't depend on anything...

Blighty's super-duper F-35B fighter jets are due to arrive in a few weeks



if you want an intercept - buy a missile

if you want surveillance - Buy a drone (glider and jet)

if you want to deploy special forces - buy a helicopter

if you want to attack an enemy - buy a helicopter / drone

if you want to deploy a submarine hunter - buy a helicopter

complete and utter waste of money

Oz Budget 2018: Cash for 3cm GPS resolution, federated IDs, payments reform and blockchain


SBAS requires a bird in the sky

Current systems are all owned by other nations and $260m is not very much...

Having an open ground network would be a good start and coordination with accurate BOM sites would be nice but I realise that I'm dreaming when thinking about gov department coordination...

