* Posts by john.jones.name

94 posts • joined 1 Aug 2017


How do you solve a problem like Galileo? With a strap-on L-band payload, of course!

john.jones.name
WTF?

Bent Pipe ?

why not utilise a bent pipe to effectively use SBAS ?

Get in the bin: Let's Encrypt gives admins until February 13 to switch off TLS-SNI-01

john.jones.name

so you can validate via DNS...

but you do NOT have to have DNSSEC...

some PKI scheme you have there...

NHS England's chief digital officer goes full digital, ditches health service for GP app biz

john.jones.name

STOP using 'apps' and start using a "webpage"

apps are just a waste of time if you're providing a free service

they are only useful if you're charging someone....

but what about video conferencing? have you ever heard of WebRTC... these people have not a clue about how to deliver digital services.

if the NHS or GPs published a web site with video embedded they could bundle it in an app container for those that...

just look at rocketchat they have all the regulations etc...

Who cracked El Chapo's encrypted chats and brought down the Mexican drug kingpin? Er, his IT manager

john.jones.name

Re: Collateral damage

people operating in that sort of environment typically have some sort of dead man switch...

if you trust a company then you will end up compromised, personal relationships are far more secure and well understood

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

john.jones.name

exchange better than office 364 which still needs DNSSEC and DMARC

at least you can control exchange and hide it behind a firewall or inspection service...

e.g. office365 lacks DNSSEC and DMARC (even though Microsoft consume this information themselves customers are not to be trusted with actual security)

Happy new year, readers. Yes, we have threaded comments, an image-lite mode, and more...

john.jones.name
WTF?

Re: security ?

Marco, good on you for responding,

That said, not many banks criticise theregister for its security practices, nor do they publish articles about software security...

john.jones.name
Go

security ?

why oh why... since you use cloudflare...

how about adding an IPv6 address?

how about enabling DNSSEC ?

These are simple to enable...

also your web developers could do with getting a better score than an F for Fail

https://observatory.mozilla.org/analyze/www.theregister.co.uk

https://observatory.mozilla.org/analyze/forums.theregister.co.uk

honestly the most important is DNSSEC

1. Log in to your Cloudflare dashboard.

2. Open the DNS app.

3. Scroll down to the DNSSEC module.

4. Click Enable DNSSEC.

5. A pop-up will open with instructions for how to add the DS record to your registrar.

Copy the DS record and paste it into your registrar’s dashboard.

Once your registrar publishes the DS record, your domain will be DNSSEC-enabled.
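The DS record those steps have you copy to the registrar is derived from the zone's key-signing key. The following is an added example, not Cloudflare's or the original poster's code: it computes the DS RDATA per RFC 4034 and checks that a DS published at the parent actually matches the child's DNSKEY. The DNSKEY it uses is constructed (algorithm 13 with zeroed key bytes) so the key tag can be verified by hand.

```python
"""Derive the DS record a registrar publishes for a zone's key-signing key (RFC 4034).

Constructed example, not Cloudflare's code. The DNSKEY below is a made-up
ECDSA P-256 (algorithm 13) KSK whose 64 public-key bytes are all zero, so its
key tag can be checked by hand: 0x0101 (flags) + 0x030D (protocol, alg) = 1038.
"""
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags | 1-byte protocol | 1-byte algorithm | key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (the algorithm used for everything but RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(name, rdata, digest_type=2):
    """Presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'.
    The digest is taken over the canonical owner name followed by the DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](wire_name(name) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(ds_text, name, rdata):
    """Check that the DS published at the parent corresponds to the child's DNSKEY.
    A digest type this code cannot compute is reported as no match rather than an error."""
    tag, alg, dtype, *digest_parts = ds_text.split()   # dig may wrap the digest
    if int(dtype) not in DIGEST_ALGS:
        return False
    presented = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest_parts).upper()}"
    return presented == ds_record(name, rdata, int(dtype))


# Constructed KSK: flags 257 (ZONE | SEP), protocol 3, algorithm 13, zeroed key bytes.
SAMPLE_NAME = "example.com."
SAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(64))

if __name__ == "__main__":
    ds = ds_record(SAMPLE_NAME, SAMPLE_KSK)
    print(f"{SAMPLE_NAME} IN DS {ds}")               # this is what goes to the registrar
    print("parent DS matches child DNSKEY:", ds_matches(ds, SAMPLE_NAME, SAMPLE_KSK))
```

Running `ds_matches` against the DS your registrar actually publishes (as shown by `dig DS example.com.`) and the DNSKEY your provider serves is the quickest way to confirm the hand-off in step 5 did not mangle the record.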

Amazon's homegrown 2.3GHz 64-bit Graviton processor was very nearly an AMD Arm CPU

john.jones.name

how clueless

I bet the team at AWS / Annapurna love this:

"It does poorly benchmarking our website fully deployed on it: Nginx + PHP + MediaWiki, and everything else involved. This is your 'real world' test. All 16 cores can't match even 5 cores of our Xeon E5-2697 v4."

complete and utter garbage...

how many optimizations does the ARM Compiler emit/use vs the number for Xeon ? NONE

same with the geekbench, it's all garbage... until AWS / Annapurna actually get GCC to emit / optimize for basic things like AES then they don't have a chance, and you can't get it into the mainline tree until you want to announce it. so let's see the code...

so the question is how much has it been optimised for floating point and what is the IO bandwidth like

IF, and it's a BIG IF, they have decent IO speeds that can compete with the Intel Xeon THEN it will be more than a negotiating tactic with Intel

john jones

Mobile networks are killing Wi-Fi for speed around the world

john.jones.name

the data is flawed

flawed in so many ways that it's completely meaningless

3G / LTE data is proxied/altered ALL of the time while Wifi data only some of the time by the upstream provider e.g. DNS requests

interesting that opensignal earn money publishing it for the 3G/LTE providers though...

Up to three million kids' GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for perverts

john.jones.name
WTF?

shocking

they have form for this kind of thing

https://www.dailymail.co.uk/sciencetech/article-5419989/Security-experts-discover-Mi-Cam-baby-cams-hacked.html

(scary that the daily mail has a decent summary of the camera)

a GPS watch is not a bad thing, it's how it's used that could be a problem

(which is the same problem as a hammer, it's the users that are the issue)

The great and powerful Oz (broadband network): Revs rise, but nbn™'s exec bonuses don't

john.jones.name

free data day...

anyone who remembers what happened to telstra's network when they offered free data for a day (because the network completely failed and billing/CS could not handle the refunds)

that day the entire network was terrible, the reason was they didn't have the capacity... 5G is great to get to the cell tower but they don't have the capacity in backhaul... they never will since it's more profitable to charge HUGE amounts for very little data

maybe in 10 years time 5G will be some competition but it's not going to have any effect in the next 3 to 4 years

This one weird trick turns your Google Home Hub into a doorstop

john.jones.name
Holmes

chromecast based

they used chromecast as the base which previously was just a screen rather than android as the base and this is what happens...

maybe just maybe they should have used android as the base which at least has been audited...

they could still update it to use the same codebase as android things...

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

john.jones.name

DoH no integrity Mozilla

Mozilla is going for cheap engineering

fine, have your DNS over HTTPS but it's pretty useless if you don't check the DNS answers

(that's what DNSSEC does)

Mozilla have constantly not implemented DNSSEC, there are even public patches to NSS

believing that you get more integrity from an HTTPS connection and that Man In The Middle HTTPS systems do not exist would be rather foolish

Oz spy boss defends 'high risk vendor' ban

john.jones.name
Headmaster

weasel words from lawyers

no evidence in a public forum...

much like the other old man named Burgess

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption

john.jones.name
WTF?

that's not how it works...

sadly that's not how it works

your provider intercepts the DNS query (ISPs are required to do so by law US/EU/Asia) to stop child abuse etc and some territories go much much further

you only have to look at the Chinese or even Turkey

this is the "state sponsored" manipulation and the "strong human rights argument" falls apart for DNS over HTTPS, it basically does not work... one of the reasons is root certificates: there are plenty of compromised issuing certificate authorities and sorting out the bad actors is near impossible, you have to throw out the whole lot.

the secondary reason that you can't escape is even if you have a secure connection to a DNS over HTTPS server the answers that it provides are not signed and so you can't verify them

regardless, people need to start using DNSSEC to actually verify... Mozilla etc have patches and have done NOTHING

I wonder why...

Perfect timing for a two-bank TITSUP: Totally Inexcusable They've Stuffed Up Payday

john.jones.name

IP addresses

> Attack surface is reduced by reducing the ways you can reach it, ie only by IPv4 rather than both IPv4 & IPv6.

that's not how it works, just because a service is addressable via multiple IP addresses does not increase or decrease its attack surface area

in fact you REDUCE the problems by adding IPv6 since the consumers do not have to hide behind their provider (BT/EE/voda etc) they can communicate directly and the provider can deny individuals

john.jones.name

Re: simple questions for the banks

sorry @katrinab

maybe you missed the fact that pretty much all mobile connections are IPv6 then translated to IPv4 by the carrier/provider ?

that makes your 99.999999% not true

(for example linkedin has about 50% of its traffic via IPv6 )

Although if you think your attack surface is reduced by reducing the number of IP addresses I think you have bigger issues...

perhaps time to invest in some education ?

john.jones.name
WTF?

simple questions for the banks

here are some questions for banks :

security : do you share any of your infrastructure with other providers ?

(while in most applications it's perfectly fine to use "cloud" multi tenant infrastructure, in banking it would be decidedly risky, i.e. imagine AWS had Meltdown and Spectre problems and you hosted SSL keys there)

security : do you rely on shared or third party infrastructure for archival and compliance ?

(imagine having an American or South African company vet all messages to see if they are genuine and archive all financial data, then expect their systems to be run for your benefit solely)

security : do you use up to date systems for communications such as IPv6 and DNSSEC ?

(imagine thousands of users all behind one IP address, i.e. CGNAT, and if that system fails to interact with an institution's load balancers correctly you might find problems; equally it could be SSL handshake problems. this can be solved by advertising IPv6 addresses to mobile phone providers and the world at large. equally, to prevent interference by a third party pretending to be your website address, it might be wise to employ DNSSEC to sign your DNS responses rather than let dodgy wifi providers steal children's money)

have fun

Baddies just need one email account with clout to unleash phishing hell

john.jones.name

outsourced...

the problem is that some UK unis have outsourced their mail, lock, stock and barrel, to microsoft and google etc so don't really have control...

if they retained their MX then they would have the ability to implement DNSSEC and DMARC to not only DENY but RECORD who is spoofing them

ironically Microsoft consume dmarc but don't send it out... you know it's good when Microsoft will use it for their own microsoft.com domain but refuse to help others...

DNSSEC would prevent DNS spoofing and combined with DMARC it gives a nice authenticated trail which you can still use outlook and gmail with... you just have to control the incoming...

Fallover Friday: NatWest, RBS and Ulster Bank go TITSUP*

john.jones.name
WTF?

no DNS security or client-initiated renegotiation protection either

for a start the web server allows for client-initiated renegotiation, which is NOT good at all..

Although the option does not bear a risk for confidentiality, it does make a web server vulnerable to DoS attacks within the same TLS connection. Therefore you should not support it.

they have not enabled DNSSEC... so you can trivially spoof it even if you're using the latest and greatest security !

maybe they should look at the top level domain .bank which requires security...

http://go.ftld.com/dnssec-implementation-guide

john.jones.name

no DNS security

well they have no DNSSEC so changes are pretty instant...

Sealed with an XSS: IT pros urge Lloyds Group to avoid web cross talk

john.jones.name
Stop

no DNS security or client-initiated renegotiation protection either

for a start the web server allows for client-initiated renegotiation, which is NOT good at all..

Although the option does not bear a risk for confidentiality, it does make a web server vulnerable to DoS attacks within the same TLS connection. Therefore you should not support it.

they have not enabled DNSSEC... spoof away !

New MeX-Files: The curious case of an evacuated US solar lab, the FBI – and bananas conspiracy theories

john.jones.name

china... its all about china

energy from the sun you say... I think we want those blueprints, just post them to us...

Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes

john.jones.name
WTF?

not skookum

maybe open source the design files on github and have a competition for the best design after all plenty of undergraduate / Graduate eyeballs for V2

It's here! Qualcomm's new watch chip is finally here! Oh, uh, never mind

john.jones.name

WHY such a clueless article...

ok El Reg, why is this full of marketing puff

first of all no one cares what nm process they are using... they care about whether the process or layout gives efficiency (power in this case)

secondly WearOS and arguably Android do NOT run a JVM... that's pretty basic knowledge

Thirdly GPS does not need a huge power envelope, it does when you bolt it on as an afterthought... the fact that the NEW Qualcomm 3100 does not include QZSS means they didn't think...

just because Qualcomm didn't think that anyone would like an EKG or anything useful doesn't mean you should follow the reddit crowd... please some useful reporting please

Prepare to have your minds blown, storage industry. 5 words: Client access Optane DIMM caching

john.jones.name

DIMM interface vs NVMe

intel really are not even trying any more are they... they launched a competitor to an enterprise battery backed DIMM...

NVMe would have been 3.94 GB/s

No D'oh! DNS-over-HTTPS passes Mozilla performance test

john.jones.name

DNSSEC ?

so you make a query over TLS and can not verify the answer....

mandating DNSSEC as part of the spec is the only solution, otherwise you're just changing the attack surface not solving the problem

Vodafone, TPG propose 'merger of equals'

john.jones.name

going to be interesting

TPG has always been marketed on price and buys cheap (laggy) bandwidth for their networks.

Vodafone invested a HUGE amount of capital in their network and optimisation and brand.

would you buy a business bundle from TPG ?

Network monitoring is hard... If only there was some kind of machine that could learn to do it

john.jones.name
Go

reason for SDN

one of the driving forces for SDN

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim

john.jones.name
WTF?

use DNSSEC otherwise that httpS website is not secure

Basically governments routinely ask the ISP to intercept traffic to your servers / vpn / websites

(the USA GB DE and CN are all at it)

They routinely present certificates that are valid although obviously have been generated on the fly for whatever resource you're accessing, and because most trust Certificate Authorities (some of which are compromised... all it takes is some...)

The answer to this is to trust whoever signs the root i.e. Norwegians trust the .no root and British trust the .uk root

this reduces the ability of, for example, the UK gov to intercept CN websites and vice versa...

also it would alert you if you do not trust any of them and they are trying to fake your resources...

Amazon, ditch us? But they can't do without us – Oracle

john.jones.name

it's not about size it's about speed...

RDBS usage at Amazon will be actually quite a small data set compared to others and can be easily segmented and streamed for insights if required

It's about Speed and Intelligence...

over the years there is going to be a shed ton of intelligence and business logic built into the ERP (otherwise known as the shipping and warehouse), now you have to undo that rats nest AND make sure it performs as fast.

Now don't get me wrong, I wouldn't employ oracle unless I really had to but I'll give them this, THEY MAKE A FAST DATABASE

Combined with the fact the USA has software Patents you're in a bit of a problematic area...

good luck to them

Oz government offers privacy concessions on MyHealth Record

john.jones.name

any INSURANCE COMPANY can access ANY RECORD !

they can access your record then save the results...

are they completely nuts... this will go wrong very very wrong

better sort out the insurance company access before you do anything else or you will find past MP's denied insurance !!

Insecure web still too prevalent: Boffins unveil HSTS wall of shame

john.jones.name

update to DANE at the same time...

simply pin your CA into your DANE DNS record and it buys you a little more coverage...

ReactOS 0.4.9 release metes out stability and self-hosting, still looks like a '90s fever dream

john.jones.name

drivers drivers drivers

if they can actually make it possible to load legitimate (yet old) drivers combined with modern virtualisation drivers then they are onto a winner

there is a lot of code / programs that still work on windows NT and would pay HUGE sums to maintain those apps rather than pay third party devs to maintain/update

just take a look at mainframe support contracts - offering support starting at 10k on virtualbox / vmware / hyperV would be interesting !

Western Digital formats hard disk drive factory as demand spins down

john.jones.name
WTF?

supply chain

they have agreements with other companies and not being able to say you have a diverse supply chain will I suspect get some people rightly worked up...

2 factories in the same rainy country is not diverse at all

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong

john.jones.name

set it up right...

DANE is not time consuming (any more than a certificate is) you just have to set it up correctly.

you don't have to roll your certs if you don't want to and even if you do a script can automate it

john.jones.name
Holmes

Email transport could be better

You can enforce TLS and you can declare your certificate via DANE easily and simply.

The CA model itself is not all that robust, and there are still some critical vulnerabilities that can be exploited by a well-resourced attacker. Adding DANE TLSA records to the DNS signed zone, then with an additional DNS lookup to fetch and validate the TLSA record, is a small step but a significant improvement to the overall security picture.

john.jones.name

opportunity

what this should be about is DANE

https://tools.ietf.org/html/rfc7671

If people deploy this then things get a lot easier and trustworthy in TLS...

The bonus is that it's not tied to a Certificate Authority (CA) if you don't want it to be, which for most mail servers is a good thing as they often have self-certified certificates, and if you have a Certificate from a CA then hey, use it and declare it via DANE...

https://www.ncsc.nl/english/current-topics/factsheets/factsheet-secure-the-connections-of-mail-servers.html

you can test here : https://www.internet.nl/test-mail/

strangely the Dutch security service demand this as a secure channel, I wonder what they know (-;
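To make the TLSA step in the two DANE posts above concrete (and the "pin your CA into your DANE DNS record" suggestion in the HSTS post, which is the DANE-TA usage), here is an added example that is not the original poster's code or any project's: it builds TLSA RDATA from a server's key material and checks what a server presents against a record fetched from the signed zone. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins; extracting them from a real X.509 certificate is out of scope.

```python
"""Build and check DANE TLSA records (RFC 6698 / RFC 7671) for a mail server.

Constructed example, not the page's or any project's code. The certificate and
SubjectPublicKeyInfo bytes below are stand-ins: a real deployment takes them from
the server's X.509 certificate in DER form. Only the hashing/matching logic is shown.
"""
import hashlib
import hmac
from collections import namedtuple

# TLSA field values (RFC 6698 section 2.1).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_CERT, SELECTOR_SPKI = 0, 1          # whole certificate vs SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# The material a TLS server presents, both in DER form.
Presented = namedtuple("Presented", "cert_der spki_der")


def association_data(presented, selector, matching):
    """Certificate association data: the selected bytes, hashed per the matching type."""
    if selector == SELECTOR_CERT:
        data = presented.cert_der
    elif selector == SELECTOR_SPKI:
        data = presented.spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == MATCH_FULL:
        return data
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_record(presented, usage=3, selector=SELECTOR_SPKI, matching=MATCH_SHA256):
    """Presentation-format TLSA RDATA, e.g. '3 1 1 <64 hex chars>'.
    The default is the DANE-EE / SPKI / SHA-256 form RFC 7671 recommends for SMTP: it
    keeps matching across certificate renewals as long as the key pair is kept.
    usage=2 with SELECTOR_CERT on the CA's certificate is the 'pin your CA' (DANE-TA) form."""
    if usage not in USAGES:
        raise ValueError(f"unknown usage {usage}")
    return f"{usage} {selector} {matching} {association_data(presented, selector, matching).hex()}"


def tlsa_matches(rdata_text, presented):
    """Does what the server presented match a TLSA RDATA fetched from the signed zone?
    Records with unknown usage/selector/matching values are unusable (RFC 7671), and
    malformed hex is rejected, so both are reported as no match instead of raising."""
    try:
        usage, selector, matching, *hex_parts = rdata_text.split()
        expected = bytes.fromhex("".join(hex_parts))
        actual = association_data(presented, int(selector), int(matching))
        usable = int(usage) in USAGES
    except ValueError:
        return False
    return usable and hmac.compare_digest(expected, actual)


# Constructed server material: a DER SubjectPublicKeyInfo for an Ed25519 key (RFC 8410
# structure, made-up key bytes) and a placeholder standing in for the certificate DER.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_SERVER = Presented(cert_der=b"<stand-in certificate DER>", spki_der=SAMPLE_SPKI)

if __name__ == "__main__":
    rr = tlsa_record(SAMPLE_SERVER)
    print(f"_25._tcp.mail.example.com. IN TLSA {rr}")   # goes in the DNSSEC-signed zone
    print("presented key matches:", tlsa_matches(rr, SAMPLE_SERVER))
```

The record is only as trustworthy as the zone it lives in, which is why the posts above insist on DNSSEC first: an unsigned TLSA record can be replaced by whoever can tamper with the DNS answer.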

Hipster horror! Slack has gone TITSUP: Total inability to support user procrastination

john.jones.name

use one that you can plug into

why would you use slack when you can get a secure and opensource equivalent :

https://mattermost.com/

Xen Project patches Intel’s Lazy FPU flaw, VMware doesn't need to

john.jones.name

BANKS

banks are the type of people who run VMware in AWS...

no one else would pay twice...

No fandango for you: EU boots UK off Galileo satellite project

john.jones.name
WTF?

clearly no one with knowledge of the system...

so it's clear that no one with any knowledge of the system made that decision as it's completely pointless

Americans have access to high precision corrections, in fact anyone with a well surveyed site like the current command and control sites and knowledge/equipment of timing should be enough...

So if the UK military have any intelligence they will get in there and keep those sites and personnel going and simply feed the corrections back to any equipment needed.

the U.K. civil service did a number on the Europeans and they didn't even realise, one less outgoing and they get to ask for a refund...

the loss will be to the Galileo project which I am actually sad about but that's what happens if you let bureaucrats rather than engineers and scientists run the show...

Qualcomm to keep server CPUs but avoids head-on Intel battle

john.jones.name
Go

networking

Intel have done very well out of the networking / firewall / NVF

Qualcomm might have a chance if they show how they can do 40 or 100 Gbps accelerated connections better than others which would involve a fair bit of integrations into microwave and caching vendors...


Smart bulbs turn dumb: Lights out for Philips as Hue API goes dark

john.jones.name
WTF?

it went very wrong

I use hue lightbulbs and frankly they have been pretty awesome

thankfully if you're on the same LAN segment or have a remote you can control them without the magical intermawebs

to be honest with an architecture like this what could possibly go wrong

https://twitter.com/internetofshit/status/986540999047630849

so in truth they are usable without the internet connection and that's how all "IOT" things should work, it's the other end they screwed up...

Arm emits Cortex-A76 – its first 64-bit-only CPU core (in kernel mode)

john.jones.name

CoreMark anyone, anyone ?

How about actually getting the benchmarks such as SpecFP or CoreMark ?

SPECpower or ULPMark ?

Amazon can't or won't collect sales tax in Australia

john.jones.name
Mushroom

Re: Corporate Structure

yes it's about the corp structure and not the way you think...

Amazon Australia is a hole in the sea that they are pouring money into

(AWS Australian region is an awesome cash generating machine).

So what better way to satisfy the internal politicking... REDIRECT ALL THINGS !!

it's going to be hilarious if it works since the local hardly normal retail just complains about this constantly and no one will price match "offshore companies"

all for it personally

Zimmerman and friends: 'Are you listening? PGP is not broken'

john.jones.name

they are right

the EFF deserves criticism in this case and so do those who write insecure mail clients...

I wonder if Microsoft is going to be patching their SMIME and HTML implementation ?

Servers crashed and burned. So, Qualcomm's back to Ctrl-C, Ctrl-V'ing Arm cores into phones

john.jones.name

server for the basestations ?

ARM based servers are far from done witness ampere etc.

Qualcomm would do well to open their "server" platform to suppliers such as the Nokia (NSN) and Ericsson of the world...

that means selling to the network people and giving long term supply some confidence, which to be honest should not be all that hard, the hyperscale people just wanted predefined designs and created noise...

nbn™ isn’t fixing HFC, it’s ‘optimising’ it

john.jones.name

the problem is that optus (and other 4G providers) intercept and cache

they intercept your DNS and manipulate it

they log everything you do (to improve it)

they don't have proper backup when things fail (very few controllers)

so yes it's fine as long as you don't depend on anything...

Blighty's super-duper F-35B fighter jets are due to arrive in a few weeks

john.jones.name

STOP BUYING FIGHTER PLANES !!

if you want an intercept - buy a missile

if you want surveillance - buy a drone (glider and jet)

if you want to deploy special forces - buy a helicopter

if you want to attack an enemy - buy a helicopter / drone

if you want to deploy a submarine hunter - buy a helicopter

complete and utter waste of money

Oz Budget 2018: Cash for 3cm GPS resolution, federated IDs, payments reform and blockchain

john.jones.name

SBAS requires a bird in the sky

Current systems are all owned by other nations and $260m is not very much...

Having an open ground network would be a good start and coordination with accurate BOM sites would be nice but I realise that I'm dreaming when thinking about gov department coordination...


Biting the hand that feeds IT © 1998–2019