* Posts by Pier Reviewer

45 posts • joined 15 Feb 2018

PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted

Pier Reviewer

Re: PuTTY's days are numbered

“People who like GUI front-ends don’t use ssh surely?”

X forwarding. Not sure what liking GUIs has to do with the price of fish. SSH is an amazingly versatile tool. I make extensive use of it every working day. Most of that is simply for a remote terminal. Some of it is not.

In hilariously petulant move, Apple shuts Texas stores and reopens them few miles down the road – for patent reasons

Pier Reviewer

“On one level the decision to move doesn't make a whole lot of business sense: its current locations are prime spots in a growing market. And its new store is close to another two Apple stores. But when an upset Apple exec doesn't get his way, all the toys come out the pram.”

I rather suspect those two retail stores don’t make $300m+ revenue* so it looks like a net gain if Apple avoid one spurious case. Plus, legal teams ain’t free/cheap. Just avoiding some cases can save them money. Missed the mark with this one guys and gals.

* I know Apple gear is ridiculously overpriced, but you’d have to sell at least 5 MacBook Pro’s a week to make that kind of money...

Linus Torvalds pulls pin, tosses in grenade: x86 won, forget about Arm in server CPUs, says Linux kernel supremo

Pier Reviewer

Re: Tere's simply no rational reasons to run ARM servers.

“Using ARM means your not stuck with relying on one manufacturer to supply CPU's who can increase prices as they like or might have supply issues.”

ARM don’t produce CPUs. They licence their tech to other people who usually modify the base design and get it fab’d. In other words, you can’t necessarily swap one ARM chip out for another. So yes, with a server grade CPU in reality you probably are stuck with one supplier.

Linus is talking about *servers* here, not general purpose computing. It’s a very different world. Userland devs don’t care about architecture. It’s abstracted by the kernel. Ergo kernel devs do care architecture as they’re the boys and girls doing the abstracting. ARMs relative addressing tends to make large blobs such as kernels even larger for example. You need trampolines all over the shop, especially for read+write data (unless you think marking instruction pages as writable to keep the data close by is in any way sane...)

Then there’s the issue with JIT. Incoherent instruction and data caches make it expensive.

I like ARM (I prefer PowerPC for RISC, but that’s a subjective opinion). I hope it grows in the desktop/laptop market in particular. However I can understand Linus’s opinion on *servers*. It’s a very specific market he’s talking about. He’s not talking about desktops/workstations etc.

Until now, if Canadian Uber drivers wanted to battle the tech giant, they had to do it in the Netherlands – for real

Pier Reviewer

I can’t speak for Canadialand etc, but in the UK I would expect IR35 to be the nail in the coffin for Uber’s argument. Fighting a bunch of drivers in court is one thing. Fighting HMRC is quite another.

If drivers only drive for Uber, it’ll be hard to avoid the finding they are employees. HMRC are not going to let loop holes develop. They wants their money!

'Year-long' delay to UK 5G if we spike Huawei deals, say telcos

Pier Reviewer

Re: What could possibly go wrong?

Bang on JetSetJim. Cisco wasn’t hurt in the western markets, as western buyers are more likely to think “well at least it was our side”.

How well do you think Cisco fairs in second world countries as a result tho? Do you think the GRU are a Cisco shop? :)

Backdoors in Huawei kit won’t hurt them at home. It will bury them in the West tho. That’s why I don’t buy it. They’ve spent a metric crap load of cash on “the Cell” (bleh) in order to be able to sell an even greater metric crap load of gear to the UK operators, and I imagine hopefully to countries aligned to the UK once they believe the risk profile is as manageable as the other vendors kit.

For them it’s business. Cisco et al are scared. Can’t blame ‘em. Big UK operators have bought their kit. Why pay top dollar for gear that hasn’t had some form of vetting when you can pay less for something that has been vetted to some degree? Cisco can’t compete on free market terms. They need to cut costs, provide a better product/experience for the operator or shout reds under the bed...

Pier Reviewer

Re: What could possibly go wrong?

Errr they’re not gonna play code golf to hide backdoors etc. That’s both a clear bit of code that should be fully investigated, and fairly trivial to clarify.

Huawei are there to make money. They’re actually rather good at it. Ergo Cisco lobbying the US gov to get them banned in as many markets as possible. They’re not going to put a backdoor in “just in case” they’re ever asked to supply one. Discovery would end the business, and Cisco etc will be desperately looking for one to do just that.

I’m not saying Huawei kit can’t be exploited, but the same goes for Cisco, Nokia, Eriksen etc. Don’t fall for the “think of the children” argument. This is about competition. If you’re concerned about security how about getting Nokia, Cisco etc to pony up their source code? No?

EU politely asks if China could stop snaffling IP as precondition for doing business

Pier Reviewer

>> Article 66 of TRIPS encourages developed countries to transfer IP to "least-developed" countries.

...

With skyscrapers dominating the skylines of the Middle Kingdom's supercities, it's debatable whether China qualifies as underdeveloped.

Least developed != under developed. The former is subjective, the latter objective.

The simple fact of the matter is the US/EU whinge about it (understandably) but keep doing it. If it’s that bad, stop doing it (i.e. pay to build capacity in your own backyard) or STFU.

German cybersecurity chief: Anyone have any evidence of Huawei naughtiness?

Pier Reviewer

Re: Maybe banned because there are no back-doors

“...for "performance reasons". DNS and DHCP. In kernel.”

Font parsing. In kernel. “For performance reasons”. Ring a bell? It’s not limited to Huawei. If you want to do something as fast as possible you have to avoid context switches. I’m not saying it’s sensible, but customers demand speed, and don’t say “security is paramount, fuck performance” so they get what they desire.

UK's BT: It's not unusual to pull Huawei from our core mobile networks

Pier Reviewer

Re: It's Just Retarded!

Uniformity of kit = uniformity of vulns :)

It’s probably part of the reason tbh. Another being that the extra oversight of the Huawei kit makes it a bit more of a faff to get signed off. I’m assuming you’d want the kit tested by HCSEC before you plug it in/upgrade the software. That’s one more speed bump BT can do without.

Plus, the change to the ESN possibly caused some puckering in the nether regions. Simpler just to bin the Huawei kit. Again it’s arse covering rather than a measured response, but if it’s easier and no less secure at worst then, hey. Why not?

Pier Reviewer

Re: It's Just Retarded!

It makes sense from an arse covering perspective.

Security-wise I think it doesn’t necessarily make that much difference. Huawei kit in the core and the radio access side could well carry risk (guy in field knows 0-day in radio side, gains access, then exploits 0-day in core from there).

Kit in the core is pretty hard to reach without a presence on the network, or some piss poor network config on the operator’s part. Even then you’d need to have internal knowledge of the network, or be able to scan the IPv6 range from a tethered phone.

Huawei kit on the radio side could be abused more easily - they could in theory pop an eNodeB which talks directly to the core. If they get hold of a Cisco/Ericcson core box, pull it apart and find a vuln your core is just as exposed.

Ofc if that’s the case is it any safer having Cisco/Ericcson boxes? To the best of my knowledge nobody publishes vulns in that class of gear. It’s not exactly cheap or easy to get hold of current hardware and software for it.

All theoretical? Ask Voda Greece...

Oz opposition folds, agrees to give Australians coal in their stockings this Christmas

Pier Reviewer

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

“But, as the Snowden papers reveal, when governments talk about "lawful intercepts", what they mean is spying on everyone. ....so let's hear your definition of "lawful".”

Ah, I understand now. People don’t know what Lawful Intercept actually is :/ That’s a tad scary.

You are incorrect in that quote. LI has a particular meaning. Get your Venn diagrams out folks. All LI is communication interception but not all communication interception is LI.

LI specifically refers to the capability that telcos are *legally mandated* to provide to the state to give effect to court orders that require interception to take place.

The state doesn’t “tap” your phone. Your telco does. It has equipment in its core network for the task, and is legally required to have that equipment.

Sound familiar? That’s because that’s what various states want WhatsApp et al to be required to have.

Forget whether you agree or not. I know it’s not easy, but everyone (on both sides) needs to leave the dogma alone. The fact is, the model proposed already exists in the telco industry. Simple question - should it?

PS I’m interested by Cuddles argument (“LI is here so we accept it”). Scary that we care so much more about the rights we have and might lose than those we’ve already lost...

Pier Reviewer

Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

You misunderstand. I’m simply asking two questions:

1. Are we ok with lawful intercept?

2a. If not, why is nobody saying this in these discussions?

2b. If yes, why should one messaging format be privileged and another not (ie why should we accept interception on one and not the other)?

I’m not saying there’s an argument for interception (or against it). I simply want to know if LI even crosses people’s minds in these discussions, and their opinions are on the area as a whole.

Pier Reviewer

You can read my SMSs but you can take my WhatsApps from my cold dead hands

Clearly this particular piece of legislation is an appalling mess. Particularly the failure to specify the differences between a TCN and a TAN given the looser (almost non-existent) controls over issuing TANs. That’s never going to be abused...

I am in no way surprised. What I am surprised by is that world+dog-intel agencies invariably cries foul at every such story, but never once mention lawful intercept (as in telephone “tapping”).

Am I right to think we’re all perfectly ok with big G sniffing our SMS messages, but Lord forbid they see our WhatsApps? Seems weird to me.

Why the apparent discord over what is basically the same thing. Yes, there are technological differences, but are we really saying how we send messages affects whether or not we’re ok with them being read by big G?

I understand the tech companies not folding. They’re in it for the money. Saying “no can do’s ville baby doll” keeps customers. Bending over likely loses them customers. But why do *we* the consumer care about the difference? Or do we just forget about lawful intercept?

The media appear to be failing in their job here to bring LI into the discussion. Assuming their job is to educate and create discussion rather than sell ads...

I honestly don’t know the answer to this. Any ideas?

I understand that some ppl require encryption for their safety, and aren’t stupid enough to send sensitive info over SMS/phone call. But generally speaking the states involved in that kind of behaviour don’t need a technological solution beyond an angle grinder. They’re not affected by any of this one way or another.

Google Spectre whizz kicked out of Caesars, blocked from DEF CON over hack 'attack' tweet

Pier Reviewer

Re: Surely there's a better venue for the next conference?

Yes, but Def Con is considered to be the BlackHat after party by many. You go to BH, see some decent talks, then feel abused by all the corporates selling “security”, and then go to Def Con to get rid of that feeling.

If you move to another place on the strip you have the same problems. You think Bally’s would have been any different after the Mandy Bay atrocity?

If you move away from Vegas, or even the US you lose the BH carry over. I’m not saying ppl won’t go, but there’s a risk not as many might, and risk is to be avoided these days. Ergo what happened to Linton.

Wah, encryption makes policing hard, cries UK's National Crime Agency

Pier Reviewer

Re: Wut?

“Show me on the doll where you can shoot someone in the face with an encrypted email.”

The same place you shoot them with a lottery ticket/bottle of stout/packet of amoxicillin I guess. Note how these things are all regulated.

As I said above - it’s all dogma here. The idea of anyone actually stopping to consider the possible pros and cons is laughable. Just as it is for the NRA. Just different areas of concern. It’s also one of (although by no means the only) reason terrible legislation gets passed around crypto in Blighty. The only voice against it is lots of dogmatic shouting. It would be better to educate your MPs around what crypto does to benefit us all, and how it’s dangers can be safely mitigated. Instead we get the laughable tripe above so guess what? You get ignored by the big boys and girls, resulting in shit regs :(

Pier Reviewer

Re: Wut?

“And how does encryption reduce detection of people glassing someone outside the pub on a Friday night, or of domestic violence?“

Nice straw man. At least I assume it is. Alternatively you may need to review the types of crimes the NCA deal with...

You are of course correct that encryption has benefits to society, along with causing detriment to it. It’s a balancing act.

What I find odd (actually I don’t) is that the firearms issue in the US is met on here with mostly a “more regulation!” argument. I agree with that argument wholeheartedly. Crypto on the other hand tends to bring out the “you can pry my AES256 keys from my cold dead hands”.

Both firearms and crypto can be used for good and bad. Appropriate regulation can help to ensure society benefits on the whole. Weakening crypto doesn’t benefit society. It makes us vulnerable to criminals etc. Allowing the state access to keys after following due process can help society. Ofc it’s all dogma here, so I don’t expect any agreement.

The usual argument in both firearms and crypto is that the bad guys don’t follow the rules. That’s true. Doesn’t stop us banning Tesco from selling crack/AR10s to ppl. If bad guys use crypto and refuse to abide by a court issued warrant they’re off the streets regardless.

Some very bad law has been created and proposed in this area. We need to do all we can to ensure it is fixed/does not come to pass. However no law may end up hurting society just as badly. Don’t be like the NRA. Try to view the issue a little more holistically. And of course, make sure your MP is very clear on their constituent’s concerns in the area...

Date engraved onto net neutrality tombstone: June 11, 2018

Pier Reviewer

Re: The International element has been ignored in this debate

Errr you do realise that USA != world? This changes what ISPs in the USA can charge their customers. It has zero effect on networks across the rest of the world. If you want guaranteed throughput/response time to Africa you still need to pay top dollar for someone to provide that service on their fat MPLS backbone.

This is purely about big business squeezing their customers. If you think it increases choice you are mistaken. Now you’ll effectively have to bundle your online services with your ISP.

I've got way too much cash, thinks Jeff Bezos. Hmmm, pay more tax? Pay staff more? Nah, let's just go into space

Pier Reviewer

1. National unemployment figures mean squat. There are pockets of high unemployment and poverty that Amazon actively exploit.

2. Zero hours contracts. If you’re on one, you’re not unemployed! Gov loves this. “Look at the record employment figures, aren’t we awesome?!” they crow. Meanwhile people are starving because they’re employed, but not actually getting paid a dime because they’re not needed this week.

The idea these ppl could just move on if they don’t like it is a fallacy. To what exactly?

Last attempt to find MH370 starts this week

Pier Reviewer

Re: It WILL be found...

I have my doubts sadly. Dick was found where they left him. The ocean floor is a rather less static affair. The scale of the two areas is significantly different too.

I think they’ll find some of it every now and again, but enough to figure out with any certainty what happened? Maybe, but I’m not heading down the bookies...

AWS sends noise to Signal: You can't use our servers to beat censors

Pier Reviewer

Follow the money

Russia proving once again that money > all. Signal’s theory was nice, but also naive. Russia bet on Google/Amazon doing a simple cost:benefit analysis and won. Operating in Russia makes them more money than they get from Signal. It’s an easy choice.

Once Google folded Amazon had no choice - it would leave Google free to take all of their customers in Russia.

I don’t see Signal winning this one. They’re just too small.

Apple debugs debugger, nukes pesky vulns in iOS, WebKit, macOS

Pier Reviewer

“And as for people moaning about split infinitives, they should be forced to use "unto" for the preposition and reserve "to" explicitly for infinitives, as happened in ye olde days. Mainly.”

I’m so doing that! Until I get bored / beaten up by the bigger kids.

Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told

Pier Reviewer

Re: Hmmmm, Was This a Tongue In Cheek Comment....

“I agree that it is an easy statement, but then, why would Huawei (China) tell Huawei (UK) all the secrets if the people employed at the cyber security centre are UK nationals ?”

I think that’s a very good point, but I respectfully disagree with the other concerns you raise.

There is one balancing fact that will help to reign in any of Huawei’s riskier ideas should they ever be tempted to execute them - they want to make money. The U.K. market not only lets them sell a good chunk of very expensive kit, it may also open up other markets. Ok, not the US or Aus (who are to all intents and purposes the US’s bitch), but countries in Europe might look at the U.K. model and think “hey, maybe it can work after all? Let’s look at buying Huawei kit”.

The point to remember here is that a lot of the rhetoric is just ppl finding different words to express the sentiment of “reds under the bed!!!11!1”.

We hear a lot of hand wringing* about Chinese carrier gear, but who here remembers the Voda/Ericsson debacle in Greece? No Chinese involvement there. Which country was the finger pointed at again?.. Why is it never mentioned when there’s talk of the dangers of foreign carrier gear peddlers?

I think it would be crazy to outright trust the Chinese firms in the U.K. CNI, and that cyber security centre looks to be a good way of managing the risk. I also think it’s crazy to focus solely on the Chinese...

—-

* can you hear hand wringing?

Pier Reviewer

Re: Hmmmm, Was This a Tongue In Cheek Comment....

Out of interest, what sway do you imagine Huawei hold over the staff at the cyber security centre by virtue of paying their wages?

And what sway do you think HMG has over those same staff without paying them a penny? Would that change if they paid them their wages? Would those wages be the same, higher of lower, and what effect would that likely have on who is attracted to that work?

A lot of questions I know, but I think it’s important to look at more than simply who pays the wages. That’s a little tabloid I feel (I know, I know, I can see the red banner :)

Brexit has shafted the UK's space sector, lord warns science minister

Pier Reviewer

Re: ESA is not an EU organisation

Alas it does have an impact - the ESA has contracts with various businesses for goods and services. Some of those are in the U.K. post Brexit goods might be more expensive to shift betwixt the U.K. and the EU. There is currently no legal provision allowing the “trade” of services from outside the EU.

Basically, nobody has a clue how business will be conducted between the U.K. and the EU. Contracts get sorted years in advance. At the moment nobody wants to risk signing multi million Euro contracts with U.K. businesses as they might not be able to carry them out. Ergo the U.K. space sector is out in the cold.

Pier Reviewer

Re: An insider speaks

“Just because the Daily Mail wants us out, doesn't mean the EU's not without fault.”

True, but not an entirely logical statement to make. There’s no causal link there. That’s exactly how a lot of the propaganda online and in the media operates - state an apparent (although often false) axiom, then state the “fact” that must also be true as a result.

There’s also the issue that “without fault” is a pretty high hurdle to leap. Let he who is without sin and all that malarkey.

Leaving the EU (or whatever else) because it isn’t without fault is a little OTT. Leaving because it gives you more power/money on the other hand makes sense. Ofc for the great majority that doesn’t apply. It just happens to be that some rich white blokes who live overseas might just benefit...

Oracle demands dev tear down iOS app that has 'JavaScript' in its name

Pier Reviewer

“Sorry, but Oracle are just setting out to destroy every possible reason to ever go near one of their properties...”

Setting out? It feels like that ship sailed a long ways back. This is just another stop on a very long cruise.

OK, this time it's for real: The last available IPv4 address block has gone

Pier Reviewer

Re: About the only one that hasn't figured out IPv6 are enterprise & SMB

“And then you woke up from the dream and had to face reality..”

Mobile (in Europe at least) is virtually wholly IPv6. Yes you’re often NAT’d to v4 at the carrier network edge, but that’s a necessity if you want to access a v4 only server.

It’s not particularly difficult to go dual stack, end eventually retire v4. It’s just that there’s very little incentive to do so at the moment. It needs both a carrot and a stick. As it stands there is neither, so nothing will change.

PCI Council releases vastly expanded cards-in-clouds guidance

Pier Reviewer

Defence in depth - we’ve heard of it

“All public-facing web applications must be protected, either by deploying an automated technical solution that detects and prevents web-based attacks or by employing application vulnerability security testing”

Say what now?! Explains a lot.

Dev: so we gonna get the Ninja App tested to make sure it’s secure?

Mgr: Nah, we’ll buy a WAF.

Rudd-y hell, dark web! Amber alert! UK Home Sec is on the war path for stealthy cyber-crims

Pier Reviewer

Re: Lots of our money being spent

“ ...they then point you at some London-based cyber-crime reporting unit...”

Makes sense to be fair to have a centralised info sec crime unit. Specialisation is very important in complex matters. The fact it’s in London is irrelevant. The fact there is basically one place that deals with it is not.

There are other forces with good capability - Durham force for example is surprisingly effective in that area. Other forces just don’t have the skills, time or money. I’d rather my case got reported to someone with specific responsibility for dealing with it, rather than my local force spiking it as they had no clue what I was talking about.

There’s also the issue of knowledge sharing. Info sec crime is rarely perpetrated on your door step (there are example though). If 40 forces have a bit of intel each on a scammer chances are the scammer gets away with it. Give the bigger picture to one force and something might come of it.

VMs: Imperfect answers to imperfect problems, but they're all we have

Pier Reviewer

Cost

Time is expensive. Storage is cheap (assuming the flash fabs aren’t flooded out again...)

Containers et al are probably a kludge, but it works. I don’t see a better alternative on the horizon at the moment. I think most organisations would prefer to buy a few extra terabytes of storage than spend extra time standing up/fixing apps. Dependency hell is the worst kind of hell. Containers can help to mitigate that.

Containers and VMs are also much more portable than running directly on iron. That means you can get more flexibility out of your hardware if you design things appropriately. Migrating VMs and containers around (or between) data centres tends to be a simpler affair than moving servers.

Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Pier Reviewer

Re: CREST- who the hell are they

They’re a not-for-profit organisation (which is another way of saying the shit ton of money we get for doing very little goes to the C Suite pay bucket) that is meant to provide a degree of certainty that the penetration tester you’re paying for isn’t shit.

Sodexo are clearly blame shifting here - “pen tester said it was fine”.

Ofc Sodexo went with the cheapest option, which doesn’t mean the lowest day rate, it means the lowest number of days. Give a pen tester a couple of days and they’ll find the easy stuff, but that kind of time boxing leaves them very little chance of finding the truly interesting stuff.

Then you’ve got scoping issues - PCI compliance testing is all about getting as little stuff tested as possible (because it’s faster, and time is money). A pen tester won’t touch an out of scope box, else it’s career over. If Sodexo didn’t provide sufficient info to allow the engagement to be appropriately scoped then a vulnerable box might not get tested (chances are the pen tester didn’t know it existed).

Attackers on the other hand don’t give a damn about scope. They’ll go poking until they find something, then move laterally looking for exciting new toys to break.

I’d wager the initial breach was via an unscoped box. I’m not certain, but it’s not uncommon.

Mind the gap: Men paid 18.6% more than women in Blighty tech sector

Pier Reviewer

Re: Oh please

Tim along with 97% of commenters here to date have missed the entire point of the article.

The moment a person is conceived, the statistical likelihood of their achieving a salary above the median is already determined.

Commenters are entirely correct to point out that time off from work for having children has a large impact on the pay gap. They’re wrong to say that is fine - not because women should get paid the same as men with more experience. That’s unlawful and unhelpful.

Women of child bearing age are less likely to be promoted when in competition with an equally qualified man. The woman might go off to have kids, and then you need to fill that position. You want stability in that management role. But what if she doesn’t want kids? Can’t even have kids? It doesn’t matter - businesses see risk, and prefer the male over the female.

We can all see that it seems a sensible decision. It’s also unlawful. The problem is it’s very hard to stop.

It will get very slightly better in the U.K. since the change to shared parental leave, but that will take decades to truly filter through. Until then, women will find it more difficult to get into higher management roles on average. That is the issue here - women systematically discriminated against in their access to high paid jobs.

Society needs new people. That’s how pensions get paid. No new people = stock market implodes = bye bye pension. Given that men physically can’t bear children, women have to do it. Should they be punished for that capacity?

Watchdog growls at Tesla for spilling death crash details: 'Autopilot on, hands off wheel'

Pier Reviewer

Wrong type of snow

"The reason this crash was so severe is because the crash attenuator, a highway safety barrier which is designed to reduce the impact into a concrete lane divider, had been crushed in a prior accident without being replaced”

He crashed into the wrong type of wall? It feels a little like blame shifting doesn’t it?

Tesla have a big interest in protecting their image, and an even larger bank balance with which to do it. Hopefully people that buy these things will heed this example and use their cars appropriately. You don’t want to be on the wrong end of a large corporation (or a few hundred tons of concrete)

Intel outside: Apple 'prepping' non-Chipzilla Macs by 2020 (stop us if you're having deja vu)

Pier Reviewer

Spelling

“There is apparently a project within Apple, codenamed Kalamata”

It’s spelt “calamity”.

Creaking protocols are threat to EU's telecom infrastructure security

Pier Reviewer

Re: Oh Good Grief

The issue isn’t the internet. It’s about the trust relationship within the SS7 network. Someone at a telco in <insert dodgy country> can rent out access to their SS7 endpoint, allowing said renter to issue SS7 queries to any attached network (e.g. Voda in the UK).

And when I say they can rent access, I mean they do. Other than segmenting the whole thing (bye bye roaming) it can’t really be fixed. It wasn’t designed to deal with nefarious folk. It’s old!

Pier Reviewer

Re: Built in but not turned on

2G and 3G support authentication of the handset+SIM to the network. 4G adds authentication of the network to the handset+SIM to mitigate the rogue basestation problem.

AFAIK there are no public exploits against 4G. There are however plenty of downgrade attacks that basically block 4G forcing people onto 2G/3G and then exploit any of the myriad of issues in the older tech.

In terms of voice calls the rogue basestation attack works regardless simply because you can’t make calls over 4G atm. Your phone drops down to 2G/3G for voice.

If you think Intel are terrors re: backwards compatibility you ain’t seen nothing like telco. I can’t see 2G (and thus the insecure protocols) being dropped for a very long time. At least 15 years. It’s easier to retrofit security in the form of IDS type boxes than to reengineer the whole system. Everything is moving to IP now so it’s much simpler to filter and monitor traffic on SIGTRAN etc than when it was when it was over FR etc. It sure ain’t perfect, but it’s easier than getting an agreement at 3GPP etc to replace it all.

Cambridge Analytica's daddy biz had 'routine access' to UK secrets

Pier Reviewer

[quote]

The letter went on to say that, since delivery, SCL has continued to support the group "without additional charge to the MoD", which involved "further testing of the trained product on operations in Libya and Afghanistan".

[/quote]

Interesting that they did additional work for free. It seems to suggest they valued access to certain data the work gave them. What’s the betting they were attempting to “win hearts and minds”*?

If you’re looking to sell to the private sector, having a military contract always helps.

* I think the alternative spelling is “propaganda”

Microsoft loves Linux so much it wants someone else to build distros for its Windows Store

Pier Reviewer

Re: @AC - PowerShell is that thingy

Evidently you don’t use Powershell. That feature prevents admins (or anyone else for that matter) *accidentally* running scripts.

It’s trivial to disengage it if you so require.

Why must all articles involving MS or Linux descend into a playground fight about which is best? Usually marked by arguments from people that have little to no experience of using either platform in anger.

I like the fact I can actually choose to use Powershell or Linux command line tools depending on the job at hand.

Galileo, Galileo, Galileo, off you go: Snout of UK space forcibly removed from EU satellite trough

Pier Reviewer

Re: Democracy - only for the elite. Right?

No - I think the point is that the general population can (and will) vote on a matter for spurious reasons. “I don’t like Cameron, he says vote X so I’ll vote Y”.

That’s the voter’s right. But what comeback does anyone have? Whereas if an elected representative acts like an idiot they can be voted out of office. That’s the difference.

We vote for representatives in the expectation (hope?) that they act in a certain manner. They lose their job if they don’t accord with that expectation. Democracy is for everyone*. It’s just that we shouldn’t vote on everything first hand.

—-

* with some small exceptions ofc

Tiangong-1 re-entry window shrinks: Duck from March 30 to April 3

Pier Reviewer

Re: can these things be blown up?

Yes, but you really don’t want to.

It’s travelling at around 7km/s, roughly the same speed as an ICBM during reentry. That’s a very hard target to hit. So hard, that the people tasked with designing a solution to that thorny problem decided throwing a bunch of nukes at the inbound object and blowing them up in front of it was the only viable solution.

So, yes, they could blow it up, but it would involve popping a bunch of nukes inside the atmosphere. It doesn’t seem like a better proposition, would confirm defensive tech to “the other side”, and ppl tend to get twitchy when nukes get launched.

Fingers crossed it doesn’t hurt any one. With a bit of luck, given it’s shape, speed and the fact it wasn’t designed to land most of it will be destroyed by the atmosphere. Ofc “most” doesn’t mean much to the folk it lands on :/

FYI: AI tools can unmask anonymous coders from their binary executables

Pier Reviewer

StackOverflow

Some guy on stackoverflow.com is going to have a lot of code attributed to him...

FYI: There's a cop tool called GrayKey that force unlocks iPhones. Let's hope it doesn't fall into the wrong hands!

Pier Reviewer

Re: Lamers ! Who needs that level of security ??

Why should phones (PCs, tablets etc) be considered different to other physical stores of information?

You raise an interesting idea. The police can use info to blackmail people. I bet it happens fairly regularly. Should the source of that info matter? How is using photos from a cracked smart phone different from photos in a locked safe?

If you’re worried about this type of product allowing the police to carry out abuses (and I believe that to be a fair concern) and think that banning it is the solution I’d have to disagree. You don’t solve that problem by stopping them decrypting phones. That’s the kind of solution government ministers come up with (no offence intended). It takes a great deal of effort to solve the root cause. If the police commit abuses now, without access to such tech, banning it isn’t going to change anything. It just gives criminals an obvious place to store their dodgy info. You and I can still be abused by the state, and criminals can impede investigations into their activities. Doesn’t sound like the best place we could be in to me.

Ex-GCHQ boss: All the ways to go after Russia. Why pick cyberwar?

Pier Reviewer

Re: False flag?

No - dick swinging. Putin feels the need to look like the big macho man prior to the elections. “Look at me, strong man, leader, rawr! Russia act with impunity against traitors. UK weak” etc.

Not entirely sure why to be honest - there’s little chance of a loss in the elections. It’s most likely about trying to put other potential defectors off by setting an example.

The U.K. isn’t about to go to war because a Russian traitor got killed on its soil. It’s a pretty safe move from Putin’s standpoint.

The only country making a concerted effort to weaken Russia is the USA. Fracking (to cause oil and gas prices to bottom out) and the ongoing arms race will likely see a repeat of the last Cold War. Money wins. Every time. The US is happy for Russia to develop super duper weapons tech because development is expensive. They’ll run out of cash again.

MIT gives one-star review to Lyft, Uber over abysmal '$3.37/hr' pay

Pier Reviewer

Re: Judge by what people do, not what they say they want.

“They may make a mistake and try out a gig for a week, but as soon as they identify it as a losing proposition, they'll stop”

The difficulty is it’s not necessarily obvious you’re losing money. I’ve got a car already. I’ll need to buy extra fuel. That’s about as far as most people driving for Uber etc tend to get.

They don’t consider the additional depreciation over and above their normal family use of the car. They’ve got extra mileage, tyre and engine wear etc. The resale value is therefore lower, and their MOT and service is going to cost more overall.

They also (hopefully) paid for additional insurance.

If they do quit after a week they’ve got the Job Centre asking why they quit their job. Your choice to quit means no JSA. Good luck living on thin air. This kind of business traps some of the most vulnerable in what is pretty close to modern slavery. The only way to make money is to cut corners, which is bad for everyone.

Taxi drivers are hardly rolling in cash to begin with. Throw in someone like Uber spending VC money to kill off the competition and their quality of life isn’t about to improve. The whole “flexible working” argument is a fig. It’s not about flexibility. It’s about avoiding responsibility. The last thing Uber etc want is actual employees on the books. Employees means rights. Can’t be having that.

Essex black hat behind Cryptex and reFUD gets two years behind bars

Pier Reviewer

Re: Blighty is the place...

https://www.legislation.gov.uk/ukpga/1990/18/section/3A

Thanks to the wording of the CMA 1990 being wider than Marlon Brando during national pizza week it is a criminal offence to possess or supply tools that may reasonably be believed to be used to commit an offence under the equally widely defined sections 1-3.

So yeah, he was always likely to lose that case. He doesn’t appear to be the most beneficial guy to society, but given that selling knives to 16 year olds gets you a maximum of 6 months in clink, 2 years for selling SaaS seems a little odd. Ofc knife crime tends to disproportionately affect poorer people, whereas tech crime is more likely to affect white guys with money.

I’m not saying I feel sorry for the guy, but he picked the wrong potential victims. Should have targeted foreigners/women/the poor/etc if he didn’t want to get a birching :/

PS - who’s got a Kali install?... get your excuses/defence ready

Biting the hand that feeds IT © 1998–2019