* Posts by Crypto Monad

87 posts • joined 14 Dec 2017

Page:

Techie in need of a doorstop picks up 'chunk of metal' – only to find out it's rather pricey

Crypto Monad

Re: Have you ever heard a story about something you did told second-hand?

It's when you go searching on Google for a solution to a problem, and find the solution that you posted yourself six months earlier, that you know your brain is not what it once was...

Oracle exec: Open-source vendors locking down licences proves 'they were never really open'

Crypto Monad

Re: Java, anyone?

> As I recall, Sun placed Java in the public domain before Oracle bought the company

Then you recall wrongly. Placing something "in the public domain" has a very specific legal meaning, and they didn't do it.

They open-sourced specific parts of Java, meaning they granted a licence for certain types of use whilst retaining copyright themselves. The licence granted was first CDDL, and then GPLv2.

https://www.javaworld.com/article/2077658/core-java/it-s-official--sun-open-sources-java.html

Crypto Monad

So redis changed their license to stop someone running a pay-for cloud service based on it, but I can still download it and run it myself for free; and if I am sufficiently motivated I can also modify and extend it.

That's very different to Oracle's model.

Forget snowmageddon, it's dropageddon in Azure SQL world: Microsoft accidentally deletes customer DBs

Crypto Monad

Re: Holy crap, Microsoft....

"Transaction logs" is the key point here.

It doesn't matter if the backup was from 5 minutes ago or 24 hours ago - as long as you have all the transaction logs for the intervening period.

Hence does this mean MS do not write transaction logs for their cloud SQL service? Or they were discarded along with the affected databases?

It would be wise to keep transaction logs for a bit longer, methinks.

Oof, are you sure? Facing $9bn damages, Google asks Supreme Court to hear Java spat

Crypto Monad

Re: Far reaching repercussions...

"the free and open Java language (*)"

(*) terms and conditions apply

This case is also about misrepresentation, or even entrapment. Both Sun and Oracle heavily promoted Java as "open". But in the way Oracle have approached this case, it could not be considered "open" in any conceivable sense of the word.

Google built an entire Java-based ecosystem from the ground up, using only the APIs as the definition of how it should interact. If Oracle have copyright on this part, then the entire language is closed and proprietary, almost by definition. Not only that: any Java program that you write, which *consumes* that API, is subject to Oracle control.

The Apple Mac is 35 years old. Behold the beige box of the future

Crypto Monad

Re: 128K+

I actually upgraded my Mac 128 to Mac 512. It involved desoldering all the DRAM chips and soldering in bigger ones - and maybe a jumper link changing too, I can't remember that part.

This was in the days of DIL integrated circuits, which could be easily desoldered from PCBs. You could make a desoldering tool by taking the earth pin from a 13A plug, screwing it onto the end of a sufficiently meaty soldering iron.

Man drives 6,000 miles to prove Uncle Sam's cellphone coverage maps are wrong – and, boy, did he manage it

Crypto Monad

Re: Is anyone really surprised about this?

Of course, if every state performs the same exercise, and finds their coverage is equally below what was expected, then the $4.5bn will be divvied up in exactly the same way...

Oh, SSH, IT please see this: Malicious servers can fsck with your PC's files during scp slurps

Crypto Monad

> Apart from compromised servers, as others have mentioned, many sites mirror software on untrusted sites, making use of crypographic checksums to check authenticity.

And how does that relate to this article? It's nothing to do with the server serving a file with the wrong content.

The issue is when you ask your client to download a file from server A and store it in location X, the server could also send an instruction to modify location Y. With this scp bug, the client happily does what the server tells it.

So for example you could do:

scp remote:file1.txt file1.txt

and find that the server has overwritten /etc/passwd on your machine instead (or as well).

A comparable example from the web would be: if you click on a link to view a page, and the page can silently modify any file it likes on your local filesystem.

Crypto Monad

Re: When your whole backup solution is centered around SCP transfers...

scp and rsync are completely different protocols.

To use rsync, you need the rsync binary at both ends. It can either use raw TCP as transport (if you run rsyncd at the far end), or it can run over an ssh exec session as transport, but does not depend on scp. It's a streaming protocol in its own right.

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit

Crypto Monad

Re: what?

But it could drop root immediately after binding the socket.

Crypto Monad

Re: what?

Other "antiquated Unix philosophy" they didn't follow:

(1) small tools, each of which does one job well

(2) run daemons with minimum privilege

(3) reject unparseable configuration options, don't silently ignore them

Illuminating search: https://www.startpage.com/do/search?q=site%3Atheregister.co.uk+systemd

I had forgotten that systemd had won lamest vendor Pwnie award.

Crypto Monad

Security holes found in much-adored Linux rootkit

FTFY

Mark Zuckerberg did everything in his power to avoid Facebook becoming the next MySpace – but forgot one crucial detail…

Crypto Monad

And also how big is Retroshare compared to the alternatives like Diaspora or Mastodon?

I hadn't even heard of Retroshare until now, and it doesn't appear here or here.

Judging by Wikipedia, Retroshare has a lot of multi-hop file-sharing capabilities. It seems its real purpose is is to be like Bittorrent but where you are less likely to be caught.

American bloke hauls US govt into court after border cops 'cuffed him, demanded he unlock his phone at airport'

Crypto Monad

Re: Just say "Yes Sir"

No need to use well-encrypted cloud storage. Use a well-encrypted USB drive that you keep at home.

Keen for much-hyped quantum computing to finally land? Don't expect it for a decade

Crypto Monad

> And land. Let's not forget landing. Any idiot can take off and fly and largely be successful at avoiding other things in the air. But getting safely back on the ground again? That's the REALLY hard part.

Landing at an airport is actually pretty easy - commercial planes have had fully automated landing systems for years. It's very much following rules.

Landing safely in someone's garden wouldn't be that hard if the flying car has drone-like flying characteristics. Choosing a sensible landing spot might be harder, but at worst nominated "safe places" could be marked up on a map. Not landing on top of another flying car or human is probably the most difficult part, but that's comparable to the job a self-driving car has to do.

Crypto Monad

although crack AI, and you have driverless cards anyway

That depends on what you actually mean by "AI", which changes decade by decade.

Firstly it meant tree-searching algorithms (a machine that can play chess).

Then it meant fuzzy logic and expert systems (a machine that can diagnose disease).

Then it meant pattern matching and neural networks (a machine that can recognise faces).

None of these is anything like the public perception of AI, which is more along the lines of "I, Robot" or "Ex Machina": a fully self-aware, "living" machine.

If we get the latter, then it will be able to drive your car. Whether it chooses to or not, is another matter.

If you ever felt like you needed to carry 4TB of data around, Toshiba's got you covered

Crypto Monad

Re: Eggs. Basket.

Proper backups allow point-in-time recovery. What you have is periodic replication of the most recent state only.

Consider the following sequence:

1. you accidentally delete (or corrupt) a file, but don't realise immediately

2. you make your regular "backup"

3. you realise what you did in step (1)

You now have no way to recover the data.

Google: Psst, hey kid, want a new eSIM? Our Fi has one right here

Crypto Monad

Re: Overpriced?

"Pixels can be provisioned by Deutsche Telekom in Germany, EE in the UK"

So: one provider in each big marketplace.

Wake me up when there is a drop-down menu that lets me choose plans between multiple providers. Until then, the hassle of obtaining and plugging in another SIM is still going to work out far cheaper.

Huawei MateBook Pro X: PC makers look out, the phone guys are here

Crypto Monad

Re: I rather like it, but for one detail

The IPv6 Buddy suggestion was tongue-in-cheek - but if you google "usb numeric keypad", you'll find a ton of standard-layout ones, many for under a tenner - and bluetooth options too.

Crypto Monad

Re: I rather like it, but for one detail

You could always plug in an IPv6 Buddy

Boeing 737 pilots battled confused safety system that plunged aircraft to their deaths – black box

Crypto Monad

> We don't tolerate autopilot for trucks or chartered busses

Trucks have been suggested to be one of the first expected applications for self-driving vehicles.

A rumble in Amazon's jungle: AWS now rents out homegrown 64-bit Arm server processors

Crypto Monad

> The world needs competition to Intel for over 15 years now.

There has been a resurgence of rumours of Apple moving to ARM too.

Apple have done this twice before: Motorola to PPC, and PPC to Intel. Of course, you are best placed to do this if you own the OS and have good influence over the application ecosystem.

I don't see Dell and HP pushing ARM while they are so reliant on Microsoft; and all Microsoft's ARM products to date have been so awful, you'd think they did it on purpose just to keep Intel happy.

But Apple could tip it. Once people are happy with ARM on a laptop, an ARM Mac Mini could be the breakthrough into desktop and/or small server environments.

The other big selling point ARM have is the trustworthiness (of lack of it) in Intel chips.

Well now you node: They're not known for speed, but Ceph storage systems can fly

Crypto Monad

Re: 6ms+ w NVMe

> Maybe Ceph is short for Cephalopod

Err, yes it is. The company was called "Inktank" before being bought by RedHat.

Crypto Monad

Re: 6ms+ w NVMe

The article wrongly states that the reference architecture requires 3TB (!) of RAM in each node.

If you read the document, you find that the servers are *capable* of 3TB, but the reference configuration uses 12 x 32GB DIMMs = 384GB.

(Still quite a lot though)

A 5G day may come when the courage of cable and DSL fails ... but it is not this day

Crypto Monad

Re: 46.2Mbps fiber?

> VDSL2 gets up to 200-300Mbps.

Actually VDSL2 is what we use in the UK, but because we use profile 17a, the maximum speed is 100M (capped to 80M by OpenReach)

Some countries use profile 35b, which could do up to 300M in the best case. Unfortunately, OpenReach decided to do G.fast instead.

G.fast is crippled by skipping over the VDSL2 17a lower frequency bands, to avoid interference. But those are the frequencies which propagate better over longer distances. As a result, beyond about 500m, G.fast is actually *slower* than VDSL2.

Plus: because there are LLU providers with their own ADSL modems in exchanges, OpenReach run VDSL2 with a reduced power level to avoid ADSL interference. Again that reduces the speeds obtainable on VDSL2.

Behold, the world's most popular programming language – and it is...wait, er, YAML?!?

Crypto Monad

Re: No and yes [Was: HTML-only calculator?]

LISP is a programming language, and LISP is written in S-expressions; YAML is comparable to S-expressions.

Sadly, there are a bunch of programming languages which are indeed programmed in YAML. Two examples are Ansible and OpenStack Mistral. They are both excellent examples of Greenspun's Tenth Rule.

But that doesn't make YAML itself a programming language.

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

Crypto Monad

Re: Flight Pattern

> The lucky ones have excellent IT teams and hardware and appropriate budgets and can defend themselves to a certain point.

Or at least they have logs and/or other ways of detecting attacks.

The others have probably been attacked but just don't know it.

Lucky, lucky, Westminster residents: Who better to look after your housing benefits than Capita?

Crypto Monad

Automation and robotics?

ED-209 turns up at your door.

"Your council tax is overdue.

You have 20 seconds to comply."

Mourning Apple's war against sockets? The 2018 Mac mini should be your first port of call

Crypto Monad

Re: Macs typically have a longer usable life than Windows PCs ...

> Is any linux distribution from 2007 still supported?

Yes.

RHEL 5 (from March 2007) still has "Extended Life-cycle Support" available until November 2020. This "delivers certain critical-impact security fixes and selected urgent priority bug fixes and troubleshooting for the last minor release" - for a price.

See https://access.redhat.com/support/policy/updates/errata#Life_Cycle_Dates

RHEL 4 (from Feb 2005) is technically still in its "Extended Life Phase", but since support has ended, this doesn't count for much. "No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase". You just get access to the documentation and knowledgebase.

Crypto Monad

Definitely not trash.

If you want a powerful server that you can stick in your rucksack or airline carry-on bag, there's not much to match this currently.

The Intel Skull Canyon NUC is similar size and weight by the time you've included the PSU brick, but is limited to 32GB RAM and 4 cores (Mac Mini does 64GB and 6 cores). The NUC does have two replaceable PCIe SSD slots though.

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

Crypto Monad

Re: Not one to nitpick but...

> what is stopping DoT from using port 443 too?

Because HTTP and DNS are different protocols with different payload format. The whole point of a well-known port is that you know in advance which protocol you are supposed to speak, when you open or accept a connection.

> block known DoH server IPs

That's called whack-a-mole, and it doesn't work.

Remember that the first provider of DoH services is CloudFlare. They could enable DoH on *all* their front IP addresses. In that case, it would be impossible to block DoH without also blocking all sites hosted on CloudFlare (including El Reg)

> I cannot see the logic in involving HTTP. ... why it makes any more sense to do so with DNS?

In other words: why are some people pushing for DoH rather than DoT?

Well, DNS is a request-response protocol which maps quite well to the HTTP request-response cycle (unlike SMTP or FTP).

But the real reason is because it makes DoH almost impossible to block. Your site's DoH traffic is mixed in with your HTTPS traffic and it's very difficult to allow one but not the other. That makes it a real pain for network operators, who may use DNS query logs to identify virus-infected machines (calling home to C&C centres), or to filter out "undesirable" content such as porn.

It's a question of whose rights prevail. Consider a university campus network. Does the network operator (who pays for the network) have the right to enforce an AUP, which says you can't use university resources for browsing porn? Or is this trumped by the rights of the student to use the Internet for whatever they like?

This has national policy implications too. In the UK, large ISPs are required to provide "family-friendly" filters, and this is generally done by DNS filtering. If the mainstream browsers switch to DoH, those filters will be completely bypassed. The ISPs can switch to blocking by IP, but there will be much collateral damage as one IP address can host thousands of websites - and if the undesirable site is hosted on a CDN like Akamai or CloudFlare, this sort of filtering may be impossible.

(Today you can also filter on TLS SNI, but SNI encryption is also on the near horizon)

GitHub lost a network link for 43 seconds, went TITSUP for a day

Crypto Monad

Re: re: Why did GitHub take a day to resync

What you also need is a mechanism which *guarantees* that there is no split-brain scenario: a provably-correct consensus protocol like Paxos or Raft. You want writes to be committed everywhere or not at all.

Some databases like CockroachDB integrate this at a very low level; whether it is fast enough for Github's use case is another question.

If you haven't already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat

Crypto Monad

Re: Would anyone...

who regularly reads here, admit to owning a MicroTik router?

Yes!

The Mikrotik CCR1036-8G-2S+ is a rackmount box with 8 x 1G and 2 x 10G ports, and costs under £1K, with no charge for software upgrades or for turning on features.

A Cisco 4431 will cost you upwards of £5K once you've paid for the "performance licence" to unlock it from 500M to 1G. Plus you pay software maintenance every year on top of that.

If you want 10G ports in a Cisco you're talking at least an ASR1001-X at £12K+ (and that is locked to 2.5Gbps until you pay more)

There are a few foibles in RouterOS, but equally there are some very nice aspects to it as well. Cisco are just having a laugh with their 1990's pricing.

It's a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70's show

Crypto Monad

""My guess for why organisations haven't replaced these certificates at this late stage only comes back to them not knowing the change is coming"

More likely it's that they don't even know what certificates they've deployed and where.

If you're very lucky, somebody might have a calendar entry for when they expire.

A web where the user has complete control of their data? Sounds Solid, Tim Berners-Lee

Crypto Monad

Would have been helpful...

...to link to any details about what Solid actually is or how it works.

Here you go:

https://solid.inrupt.com/

https://github.com/solid/solid-spec

There doesn't seem to be a huge amount to it: basically it's a web server with a complicated ACL mechanism. The social parts like "friends" and "followers" are not done yet.

How an over-zealous yank took down the trading floor of a US bank

Crypto Monad

Re: Unplugging the keyboard = kernel panic ?

Because when confronted with a message on a screen, people's understanding becomes astonishingly literal.

Like people who phone the helpdesk saying that they can't find the "Any" key.

https://www.theregister.co.uk/2003/09/25/compaq_faq_explains_the_any/

Crypto Monad

Re: Unplugging the keyboard = kernel panic ?

Almost as good as the infamous IBM PC boot error:

"Keyboard not found. Press F1 to continue"

You'll never guess what you can do once you steal a laptop, reflash the BIOS, and reboot it

Crypto Monad

Re: Physical Access

"But encryption keys aren’t stored in the RAM when a machine hibernates or shuts down. So there’s no valuable info for an attacker to steal."

Maybe not - but if they can reflash the firmware, they can put in a keylogger or whatever trojan nonsense they want.

The missing laptop is "found", "handed in" to the hotel, returned to its owner, gets used again, and is p0wned forever more. This is the well-known Evil Maid attack.

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Crypto Monad

Re: Are they keeping HTTP(s)?

> I'm sure http://www.<mydomain> and http://<mydomain> are technically different - I recall cases where one would work and not the other though please someone feel free to explain why?

1. In the DNS, "www.example.com" and "example.com" are two different names. They can point to two different IP addresses - that is, the user would end up connecting to two completely different servers. Or: one name might have an IP address and the other does not, in which case trying to use the other name would give a DNS error.

2. Even if both names point to the same IP address, the web browser sends a "Host" header containing the hostname part of the URL. The web server may respond with different content depending on which host was requested. It might not be configured with one of the names and return a page not found error instead.

(A fairly common example where you want different content is when "www.example.com" is the real site, and "example.com" just returns a redirect to the real site)

3. For HTTPS sites, the certificate might have been issued to "www.example.com" only. This would mean that a request to https://example.com/ would be flagged as insecure, because the certificate name doesn't match.

You can have a certificate which contains two subjectAlternativeNames - or you can have two different certificates and use Server Name Indication to select which one to use. But not everyone remembers to do this.

Crypto Monad

Good news for the owner of www.com!

$ whois www.com

Domain Name: WWW.COM

Registry Domain ID: 4308955_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.uniregistrar.com

Registrar URL: http://www.uniregistrar.com

Updated Date: 2014-09-23T18:24:31Z

Creation Date: 1998-11-02T05:00:00Z

Registry Expiry Date: 2024-09-20T04:16:04Z

Registrar: Uniregistrar Corp

Now they can create subdomain "paypal.www.com", add a LetsEncrypt certificate, and have it display as "paypal.com" with the green Secure flag.

Strewth! Aussie ISP gets eye-watering IPv4 bill, shifts to IPv6 addresses

Crypto Monad

Re: Has anyone truly made the switch?

I suspect that the average CIO confronted with the spectre of finding money to replace/reconfigure every router and switch in their network, and reconfigure every computer in the building(s), and probably do something cute and costly with some expensive custom gear -- all without shutting down operations for more than a holiday weekend

If it were possible to *switch* from IPv4 to IPv6, this would be perfectly feasible. You'd run dual-stack for a week or a month or however long you needed, and be left with a pure IPv6 network at the end, job done. Dual stack, in fact, would be an excellent tool for this sort of transition.

But that's not feasible, because you'd disconnect yourself from the IPv4 Internet. You still need *some* IPv4: including for inbound connections such as VPN (I've never stayed in a hotel which provides IPv6)

So you have three choices:

1. Run IPv4 and IPv6 dual stack across your whole network indefinitely. This gives you double the number of firewall rules, and hard-to-debug problems when a particular device becomes reachable over v4 but not v6, or vice versa. Increased on-going expense and pain, for no business benefit.

2. Migrate to IPv6 and use NAT64/DNS64 - in other words, IPv6 replaces your RFC1918 private IPv4 addresses. Some places are experimenting with this approach, even Microsoft themselves. But you will still have islands of dual-stack required, and lots of pain with legacy devices, in particular legacy applications which can only listen on an IPv4 address. You end up doing nasty things like NAT464. Again, little obvious business benefit to demonstrate.

3. Stay on IPv4 just as you are today, which works as it always did, and avoid all the pain.

Guess which option almost everyone chooses.

What I'd like to see is that at least for "green field" networks, they could be built single-stack IPv6. This doesn't work today unless you're happy to build your own NAT64 infrastructure (*). And even if you do, your NAT64 still needs an IPv4 address from your ISP, so you may as well just do NAT44 instead.

(*) A few ISPs today do provide NAT64/DNS64 for those who want to try it (e.g. AAISP).

Crypto Monad

Re: Has anyone truly made the switch?

my pick is somewhere between 18 months to 2 years for IPv6 to move from 40% to 90% of connectivity and traffic

"traffic" and "connectivity" are two very different things. Anecdotally, a dual-stack network already gets about half its traffic over IPv6 - because much of the traffic volume comes from a handful of huge content providers like Google (YouTube) and Facebook. But in terms of the proportion of sites reachable over IPv6, it's still tiny.

As for migration, the low-hanging fruit has been picked already - things like mobile networks (heavily CG-NAT already) and university networks (where they have the time to play with IPv6), and it will only get slower now. Some university networks have even turned it off, as the ongoing costs of running two networks in parallel become apparent.

The solution I've proposed for a long time is for the big CDNs - e.g. Cloudflare, Akamai, Google - to offer a public NAT64 service. Then it would be possible to build a single-stack IPv6 network at the edge and still access the vast majority of the Internet.

Crypto Monad

Re: Has anyone truly made the switch?

You are right. Only a tiny, tiny fraction of the Internet is reachable via IPv6. Turning off IPv4 would be equivalent to disconnecting yourself from the Internet.

So it's not an either/or choice. You still need IPv4 addresses to talk to the vast majority of the Internet.

What this provider is doing is using CG-NAT to make multiple users share the same IPv4 address. Separately from that, they will run IPv6 along side; then at least traffic to Google/YouTube and Facebook will bypass the CG-NAT, for those customer-side devices which support IPv6 anyway.

The other option is to do NAT64, but that's messy. You have to spoof DNS responses with DNS64; it doesn't play well with DNSSEC. And you are still doing NAT, and you are still sharing IPv4 addresses. On top of that, the NAT64 solution forces *all* devices at the customer site to be IPv6-capable; if you've got an old IoT device or games console which doesn't do IPv6, then it's completely useless.

So basically the title of this article should be "Strewth! Aussie Broadband gets IPv4 bill, decides to do IPv4 address sharing"

Google cracks down on dodgy tech support ads

Crypto Monad

How many ads?

Google said that last year it took down more than 3.2 billion ads that violated its advertising policies.

I seriously doubt this is 3.2 billion distinct ads.

32 ads, each of which had already been served 100 million times before being taken down? More likely. But in that case, the damage has already been done.

London's Gatwick Airport flies back to the future as screens fail

Crypto Monad

Nobody has yet asked the obvious:

Does Gatwick have an online departures board? You know, the sort of thing that people could access with those mobile screens that they carry around with them?

And was it affected by this outage, or not?

Drama as boffins claim to reach the Holy Grail of superconductivity

Crypto Monad

Interesting how the immediate response without seeing any supporting evidence at all was 'this is clearly bullshit'.

Not exactly. The immediate response upon seeing that the supporting evidence is obviously faked is "this is clearly bullshit".

Australia's Snooper's Charter: Experts react, and it ain't pretty

Crypto Monad

Re: Still Puzzled!

> How does this legislation, with or without backdoors, help the so called "good guys" gain access to their messages?

AFAICS, it doesn't. It would apply only if a "service provider" were helping them to keep their messages secret: such as the vendor of the equipment they were using, or some managed encryption service they were using.

If they build their own devices and write their own software, then it seems they are not affected.

However, if they provide these devices and software to others, then they become service providers and so may be required to add law enforcement back doors (even though they're not called "back doors")

The assumptions seem to be:

1. Most people are lazy and/or don't have the skills to build this stuff themselves

2. There won't be a black market in genuinely secure devices for use by criminals

(1) is a reasonable assumption, (2) rather less so.

If manufacturers or distributors of secure devices refuse to comply with back door requirements, I guess they will be in violation of the law. But what does that do for open-source crypto apps? Does github need to be blocked?

Crypto Monad

Two options

It seems to me there are only two options to give law enforcement access to cleartext messages:

1. Find and exploit unintended vulnerabilities in devices and/or algorithms

2. Get manufacturers to add specific mechanisms to allow law enforcement access

If 2 isn't adding a "backdoor", I don't know what is.

Put WhatsApp, Slack, admin privileges in a blender and what do you get? Wickr

Crypto Monad

Obligatory XKCDs

Two which are particularly relevant:

https://xkcd.com/927/

https://xkcd.com/1810/

Page:

Biting the hand that feeds IT © 1998–2019