Posts by Time Waster

37 publicly visible posts • joined 18 Aug 2018

Reg reader rages over Virgin Media's email password policy

Time Waster

This comment started out short…

As far as I can see, there are several explanations for this story, ranging in likelihood:

1 - an attacker really is capable of performing the almost 1000000000000000 attempts required to guess a random 10 alphanumeric password in a day without being blocked / rate limited as a massive DoS.

2 - the customer in question’s idea of a random 10 character password is “Password12” and they are simply outraged at their inability to make it the intended “Password123” or “Password1!”.

3 - the attacker has gained access to Virgin Media’s internal password hashes (or plaintext database), making such a daily brute force at least theoretically possible (albeit at significant expense) but is thankfully only interested in messing with a single customer’s account.

4 - their machine has been compromised (and no amount of password strength is going to help them). If this device is in fact their phone, this may also render some methods of 2 factor authentication rather weaker than expected.

5 - they are using a password manager and their mystery attacker has managed to gain access to it.

6 - someone is simply spoofing their email address in emails to known contacts (phone apps commonly steal these, so I assume lists of known contacts are available for purchase to the well heeled hacker) and this reg reader has mistaken this for full access to their account.

Regardless of which of these possibilities I think is most likely, if I were in this situation, I’d probably start with leaving ISP email accounts in the 90’s where they belong! Likewise, while I understand some limits being placed on passwords (i.e. length / complexity limitations to help avoid exploitation of vulnerable password verification implementations), 10 alphanumerics is pretty shocking in 2022. Putting aside my personal hatred of any enforced “strength” requirements on passwords (adding an “1!” to the end of a dictionary word does not make a password appreciably stronger - especially where this is enforced), how hard can it be to simply verify a user isn’t attempting to use a password on any list of compromised credentials and is not a reasonably guessable combination of dictionary words / phrases?

Samsung calls it a day on liquid-crystal display, says quantum dot is really hot

Time Waster

Re: Apple holding out

How to make money for old rope?

Elon Musk gets thumbs up from jury for use of 'pedo guy' in cave diver defamation lawsuit

Time Waster

Re: Surprised

Perhaps, though I suspect they may have questioned the 190 million in damages.

Microsoft joins Google and Mozilla in adopting DNS over HTTPS data security protocol

Time Waster

Re: Windows Server

Indeed. Let’s not go starting rumours that DoH is somehow more secure than DoT. HTTPS is simply HTTP over TLS, so the only real difference between these protocols is that DoH is a text protocol beneath the encryption rather than a binary one like DoT (which was actually designed for the purpose of efficiently performing DNS transactions rather than serving web pages).

Gas-guzzling Americans continue to shun electric vehicles as sales fail to bother US car market

Time Waster

The thing about housing is, an $800,000 house doesn’t really cost you $500,000 more than a $300,000 one. Assuming no huge economic shocks (this is quite an assumption these days, but bear with me), a house is an asset. The only real “cost” is the interest you pay on any loan to pay for it (or loss of interest on the capital tied up in it) which at current rates is almost zero. Then when you consider a 160km daily commute, presumably costing you a minimum of 2 hours a day, without even considering fuel costs / wear and tear, if I could afford the mortgage, I know where my money’d be going!

Junior minister says gov.UK considering facial recognition to verify age of p0rn-watchers

Time Waster

Do these people not have advisors?

I realise our government is entirely made up of technologically inept morons inventing ludicrous policies based on nothing but their misguided beliefs of what is achievable but how is it that there appears to be no halfway competent backroom staff steering them?

Even a few minutes’ consideration of this idea would surely highlight massive technical hurdles (alongside the ludicrousness of suggesting people effectively upload selfies to porn sites of themselves getting down to business). How, for example, are they proposing to address the question of hardware trust? I.e., any facial recognition system based on cameras that can be controlled by the end user is surely destined for failure. Even where the camera itself can’t simply be spoofed (i.e. a virtual device playing non-stop footage of the fuckwit who came up with this policy), most systems require specialised hardware to avoid simple subversion by holding up a 2D image / video. Are they proposing porn can only be watched on a device equipped with such a camera already? Or will government issued ones be available on request?

And I wasn’t even going to mention VPNs (or good old fashioned piracy).

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

Time Waster

Interested to know whether the DoH server will be configurable (presumably not by DHCP though). If so, you could potentially carry on running your own DNS, just now it’s going to have to include an awful lot more cruft. This is my primary reason for disliking DoH so much. Given many people run DNS servers on relatively low powered machines (home routers being a classic example), why would you select a protocol that involves wrapping every transaction in plaintext HTTP, resulting in not only the inclusion of an SSL / TLS server but a seemingly completely unnecessary HTTP one too? I can see why Mozilla might prefer it, but why is anyone else going along with it?

Whistleblowing saboteur costs us $167m bellows Tesla’s accountant

Time Waster

Whose money?

Another question that doesn’t seem to have been asked is: even assuming the share price fluctuations were actually caused by what was said (let’s not even get into whether any of it was true), how exactly did this cost Tesla the amounts claimed? Yes, their market capitalisation dropped by those numbers, meaning Tesla’s shareholders lost out, but how many of those shares are owned by the company themselves (even if you include planned share issues)? If Musk were suing for the fraction of this “loss” equivalent to his personal shareholding, that would be one thing, or if this were some kind of class-action where the damages would be returned to all the investors / pension funds / etc that own those shares, that would seem reasonable too but claiming Tesla lost this money is frankly ridiculous.

Time to spin the wheel of pwnage! This week, malware can infect your…. Android set-top box!

Time Waster

Ignoring the question of IPv6, I can imagine some people will deliberately enable port-forwarding to allow remote access for managing recordings (and as mentioned, I’m sure some will automatically set this up for you with UPnP).

Electric vehicles won't help UK meet emissions targets: Time to get out and walk, warn MPs

Time Waster

Re: Hydrogen? Seriously?

Let’s not forget the time it takes to fill up. A petrol pump can fill a car every few minutes (and a good chunk of this time is waiting for the infernal pay-at-the-pump machine to do whatever it thinks needs doing between your inserting your card and it finally asking for a pin). Electric hookups are lucky to do one or two an hour.

Truckers, prepare to lose your jobs as UPS buys into self-driving tech

Time Waster

Delivery drivers do more than just drive

How are they planning on getting the parcels out of the truck and actually to the destination? I’m sure some crazy parcel vending contraption could be developed to allow the customer to get them themselves but you don’t hear of many startups researching that... and I can’t imagine such a machine is going to improve the truck’s weight or load carrying ability. Likewise, how long will these things wait for you to come out and collect your stuff? I can only guess they’re going to be significantly slower than a driver who can get out and ring a doorbell. This would also be a significantly worse experience for many customers, having to lug potentially heavy packages from wherever it manages to find a parking space. In fact, in many cities finding a legal parking space is basically impossible, leading to the question of whether the AI would copy their human counterparts and simply ignore such restrictions? This seems even more far fetched than Amazon’s drone delivery marketing stunts.

Apple loses FaceTime patent appeal again. And again. And again. And again. And again... yes, it's the fifth time

Time Waster

Re: Hypocritical?

There is one very big difference between the two cases (clearly both patents are absurd). Apple did actually make a phone with rounded corners so were presumably (at least in their minds) simply attempting to prevent others from copying their design. VirnetX on the other hand...

UK taxpayers funded Grand Theft Auto V maker to tune of £42m – while biz paid no corp tax and made billions

Time Waster

Development costs

It’s easy to villainise companies for paying no corporation tax on seemingly enormous sales figures but it’s not always quite as simple as articles such as this make out. I haven’t looked at the actual figures but Rockstar is potentially a good example of this. While worldwide there’s little doubt they’ve made massive profits on this franchise, the UK presumably makes up a relatively small fraction of these sales. On the other hand, given the majority of their workforce is presumably based in the UK, I assume costs to this subsidiary are significantly higher than anywhere else in the world, naturally resulting in vastly reduced profits (or, as I assume from their zero corporate tax payment, a loss). There is not necessarily anything particularly immoral or sinister about this. In fact, were they to start booking profits from their other subsidiaries in the UK (in an attempt to pay more tax here), this would seem equally unfair to taxpayers in the countries these profits were made in (see the case of Amazon / Google / etc in the UK). Likewise, from the UK’s perspective, employing significant numbers of people here, resulting in higher costs, hence low / zero corporation tax, is arguably much better than the Irish situation of booking all your profits there, paying trivial rates of corporation tax, whilst ensuring all your costs (i.e. staff / acquisitions / etc) are in higher tax jurisdictions where you would prefer to minimise profits.

The sanity of subsidising such companies with government handouts is another matter entirely, though I vaguely recollect at the time the general consensus was that it was a positive move in encouraging the industry to the UK and some concern that GTA might not actually qualify.

Facebook's Libra is a terrorist's best friend, thunders US Treasury: Crypto-coins dubbed 'national security risk'

Time Waster

Monopoly Money

I’m waiting for them to try paying the $5bn fine with these.

Gee, SEC, how did that get out?! 'Leaked' Tesla email claims big boost in Model 3 production

Time Waster

Re: Tricky

It is perfectly possible for Tesla to succeed without their share price increasing. If by succeed you simply mean becoming one of the world’s largest car manufacturers, simply compare their current market capitalisation with that of Ford. If Musk were more interested in the environmental benefits of electric cars gaining traction than profits, it’s entirely possible he could (continue to) sell cars at a loss, eventually running the company into the ground. Many might still argue this a success.

Backup your files with CrashPlan! Except this file type. No, not that one either. Try again...

Time Waster

Re: Just change the filenames ?

And if even that fails, change the extension on that encrypted zip to docx / pptx / etc and you’re home free!

Want a good Android smartphone without the $1,000+ price tag? Then buy Google's Pixel 3a

Time Waster

Re: As an iPhone user

I have a horrible feeling they thought that’s what they were doing with the XR. Just Apple marketing bods’ idea of cheap may not quite align with many of their potential customers.

What's that? Uber isn't actually worth $82bn? Reverse-gear IPO shows the gig (economy) is up

Time Waster

Re: I'm not sure I see how they get to profitability

Good point on the cost of Johnny-cabs, I’d not considered that major change to the business model. Realistically they’re nothing but a pipe dream / marketing gimmick anyway. Whilst self driving tech is undeniably improving, surely even Uber execs can see there is no way the technical, legal, logistical, ethical and image problems of entirely driverless cars are likely to be solved any time soon. Certainly not soon enough to appease shareholders demanding profits.

Age verification biz claims no-payment model for 40% of Brits ahead of July pr0n ban

Time Waster

Re: One Account

I thought it sounded familiar. RBS’s oneaccount.com still seems to be active. Hard to see how this is going to stand up to the inevitable Trademark / “passing off” litigation.

Apple, Samsung feel the pain as smartphone market slumps to lowest shipments in 5 YEARS

Time Waster

Apple feels no pain

Apparently Apple shareholders do not agree with this sentiment. 13% increase in share price today (and counting), rocketing them back to “most valuable company in the world”, with a market cap of well north of a trillion dollars. If this is a bad set of results, I’d hate to see what happens on a good day!

Defense against the Darknet, or how to accessorize to defeat video surveillance

Time Waster

Re: Defense against the Darknet

Yes. British keyboards (the same may be true of all non-Apple ISO layouts, though I can’t be certain) have a dedicated ‘#’ key. Also, for touch typists, ‘\’ / ‘|’ is significantly easier to reach than on American (ANSI) layouts. I’m actually surprised there isn’t a US ISO layout keyboard, which I would imagine most coders would (eventually) prefer.

Intel: Let's talk about SGX, baby. Let's talk about 2U and me. Let's talk about all the good things, and the bad...

Time Waster

Can someone explain the point of SGX? I’m sure there is probably some cloudy explanation for it, but from where I’m sitting, the only people looking to run code in ways invisible to the rest of the system are malware authors. Maybe DRM too, but as far as I’m concerned that pretty much falls under the definition of malware, as code that is serving no conceivable benefit to the user who is (normally unwittingly) running it.

Ready for another fright? Spectre flaws in today's computer chips can be exploited to hide, run stealthy malware

Time Waster

Re: AFAIK Amdahl's law is still in effect.

Please tell me this cellular architecture you’re describing uses Befunge as its instruction set!

Bad news for WannaCry slayer Marcus Hutchins: Judge rules being young, hungover, and in a strange land doesn't obviate evidence

Time Waster

What was he thinking

"I wrote code for a guy a while back who then incorporated it into a banking malware." - This could be true of just about anyone contributing to open-source libraries.

“I used to write malware” - maybe not so smart...

Anyway, how long does it take to actually get to court in the US?! He was arrested 18 months ago for a crime he apparently carried out in 2014. Also, does this time forced to stay in the States (away from friends, family and job) against his will count against any potential sentence?

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Time Waster

correcthorsebatterystaple

Much as I tend to agree that a memorable long password beats a non-memorable short one, I can’t help but worry that these aren’t really that much stronger. Yes, there are (apparently) upwards of 170,000 words in the (Oxford) English Dictionary, making this on paper appear to be 170,000 to the power 4 (a roughly 70 bit number) but the reality is that most educated native English speakers only know a fraction of this number. Assuming a 35,000 word vocabulary (a number I’ve seen mentioned as an upper bound on real vocabulary size), this quickly reduces to only 60 bits. Assuming all 4 words are fairly common, as with “correcthorsebatterystaple”, the vocabulary size required falls to less than 10,000, rendering this weaker than the random 8 character (53-bit) password, though obviously more memorable.

Another issue with the long password, and one I’ve fallen foul of many times, is that whilst they are fine when typing on a real keyboard, try entering one with your thumbs on a phone screen, or worse, using a PlayStation / Xbox controller, and they start feeling less of a great idea. Even more so if there’s a risk of shoulder surfing (the extreme case is with the PlayStation / Xbox), where the random mess of letters and numbers is relatively quick to type and tricky for an onlooker to remember. A set of English words, on the other hand, they may struggle to forget even if innocently observed.

My personal favourite scheme (though I must confess, not one I always employ) is taking initials from a memorable sentence. I.e., the password “ihpcrbtmplm” can be simply remembered by the phrase “i hate password complexity requirements because they make passwords less memorable”, which is roughly the same strength as each of the above mentioned schemes but obviously quicker to type than “correcthorsebatterystaple” and far easier to remember than “ff3sd21n” (which, being all numbers and lowercase, I can’t see being much better than 41 bits anyway).
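The bit counts in the three paragraphs above, worked through as an added example (not part of the original comment): the random and passphrase schemes mentioned are scored in bits, and each keyspace is scaled against the headline's 2.5 hours for every 8-character password. The 95-character printable ASCII alphabet, the 100,000-guess baseline scaling and the uniform-letter assumption for the initials scheme are assumptions of this example, not figures from the comment.

```python
"""Entropy estimates for the password schemes discussed above (added example).

Vocabulary sizes (170,000 / 35,000 / 10,000) are the commenter's assumptions;
the 2.5 hour figure is the one in the article headline for 8-char passwords.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import List

PRINTABLE_ASCII = 95        # assumed alphabet of a "random 8 character" password
LOWER_AND_DIGITS = 26 + 10  # "ff3sd21n": lowercase letters and digits only
LOWER_ONLY = 26             # "ihpcrbtmplm": lowercase initials only
HEADLINE_8CHAR_HOURS = 2.5  # headline: every 8-char NTLM password in < 2.5 h


@dataclass(frozen=True)
class Estimate:
    scheme: str
    bits: float
    hours_to_exhaust: float


def random_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet)


def passphrase_bits(vocabulary: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from `vocabulary` words.

    The relevant search space is the vocabulary the user actually draws
    from, not the size of the dictionary, which is the commenter's point:
    four common words fall to roughly the 53 bits of 8 random characters.
    """
    return words * math.log2(vocabulary)


def hours_to_exhaust(bits: float) -> float:
    """Scale the headline's 2.5 h for 95**8 guesses to a 2**bits keyspace.

    Assumes the same guess rate; each extra bit doubles the time.
    """
    baseline_bits = random_bits(PRINTABLE_ASCII, 8)  # about 52.6 bits
    return HEADLINE_8CHAR_HOURS * 2 ** (bits - baseline_bits)


def compare_schemes() -> List[Estimate]:
    """Score every scheme the comment mentions and return them in order."""
    schemes = {
        "random 8 printable ASCII": random_bits(PRINTABLE_ASCII, 8),
        "4 words / 170,000 dictionary": passphrase_bits(170_000, 4),
        "4 words / 35,000 vocabulary": passphrase_bits(35_000, 4),
        "4 common words / 10,000 vocabulary": passphrase_bits(10_000, 4),
        # Upper bound: initial letters are not uniformly distributed, so the
        # real entropy of a sentence-initials password is somewhat lower.
        "ihpcrbtmplm (11 lowercase initials)": random_bits(LOWER_ONLY, 11),
        "ff3sd21n (8 lowercase + digits)": random_bits(LOWER_AND_DIGITS, 8),
    }
    return [Estimate(n, b, hours_to_exhaust(b)) for n, b in schemes.items()]


if __name__ == "__main__":
    for e in compare_schemes():
        print(f"{e.scheme:38} {e.bits:5.1f} bits  ~{e.hours_to_exhaust:14.1f} h")
```

The output makes the comment's ordering visible: the 10,000-word phrase lands within a few hours of the headline figure, while the 35,000-word vocabulary buys well over a hundred times longer and the 170,000-word dictionary tens of thousands of times longer.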

Ivan to be left alone: Russia preps to turn its internet into an intranet if West opens cyber-fire

Time Waster

April fools?

This must be some kind of elaborate joke. How does the bare-chested one think anything is going to work following this move? Does Russia not use credit cards? Or international banking (they sell oil, how do they get paid for this)? In fact, are Kaspersky themselves not rather reliant on connectivity to their millions of international customers (updates / cloud AV)? Or is the real plan to simply cut the plebs off from the outside world?

Jammy dodgers: Boffin warns of auto autos congesting cities to avoid parking fees

Time Waster

Re: It will create a new market

Who gets to use it at weekends / Christmas / take on holidays etc? This might be OK for the work commute (though not if their shifts are consecutive) but I can’t really see this working in practice. Also, none of this cuts down on actual vehicle mileage (energy usage / lifetime of vehicle) so I don’t really see how sharing with others at work makes a great deal of sense. The real fix is to address the reason everyone has to work the same hours in the same places, where nobody can afford to live. I suspect this will be sorted long before self driving cars are allowed en masse on city streets.

Germany has a problem with the entire point of Amazon's daft Dash buttons – and bans them

Time Waster

Drawer full of buttons

My biggest gripe with these buttons has always been the sheer number of products which would “require” them. If you’re going to bother getting a button for, let’s say, washing powder, logically you should probably grab one for washing up liquid, bog roll, fabric softener, furniture polish, scouring pads, multi surface cleaner, kitchen towels, glass cleaner, dishwasher tablets, rinse aid... and that’s just the under sink cupboard. The question is, where are you supposed to store all these buttons? Maybe what we really need is an Amazon keyboard. Or, better yet, perhaps some kind of touch screen device we could carry around in our pockets...

As others have mentioned, at least they’re better than subscribe and save, where you seem to end up entering an agreement to make future purchases at a price that will be determined (by Amazon) at some later date. If the buttons are deemed illegal, where at least you can cancel / return the order if you seriously disagree with the price, how is this subscribe and save feature OK?

Amazon exec tells UK peers: No, we don't want to be dominant. Also, we don't fancy being taxed on revenues

Time Waster

Re: Heh?

Now, my maths is pretty rusty, but I make that more like 2%. Clearly your point still stands.

UK taxman told to chill out 'cos loan charge is whacking tax dodgers and whoopsies alike

Time Waster

Payday loans

If you accept payment by your employer as non-taxable loans, whilst I’m trying to remain open-minded, I’m struggling to summon much sympathy. I’d actually be very interested to know what happens in such an arrangement were the employer to become insolvent. I would imagine when the liquidators spotted those “loans”, the tax man would be the least of your worries!

Ericsson's very good bad quarter, Mozilla encrypts SNI, new TIP projects, and more

Time Waster

Given the public key for this is shared via DNS, prior to the TLS connection, why not encrypt the whole handshake with it? Presumably this would help protect against downgrade attacks and the like as well? As it stands, this seems a lot of effort to encrypt just one of the many fields in a client hello. Especially when, in the vast majority of cases, that field is (and will continue to be) announced in a cleartext DNS request. Also, unless I am completely misreading that draft, there appears to be no suggestion of encrypting the server certificate, meaning that this will likely also be observable in the CN / SAN returned by the server, which would appear to make the whole venture rather pointless?

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

Time Waster

Re: This is why I set Firefox to clear cache, etc... on close

You sure clearing Firefox’s cache clears NSS’s TLS session tickets?

Microsoft pulls plug on IPv6-only Wi-Fi network over borked VPN fears

Time Waster

Re: Why do we need IPv6

That’s in addition to 240.0.0.0/4 (268 million addresses) “reserved for future use”, in addition to 224.0.0.0/4 (same again) multicast addresses. Given multicast is realistically only usable in highly limited environments (not across the public internet), does this really necessitate a 16th of the total IPv4 address space? As for future use, how is now not the “future”? That’s not even getting into why we need 16 million addresses for localhost (127.0.0.1 is merely the most commonly used from 127.0.0.0/8). I realise many OSes / network devices couldn’t cope with these addresses being publicly routable, but would assume it would be a relatively minor software / firmware upgrade to fix that?

Time Waster

IPv5

I’m going to start pushing IPv5. The crucial difference being 64-bit addresses. These will obviously more or less halve the network overhead, are twice as easy to write / remember, halve memory requirements on network gear and, rather handily, fit into current 64-bit CPU architectures. The one downside being, only 2.5 billion IP addresses per person on the planet, so we’ll have to be frugal with our IOT devices!

Just for fun, might as well make it backward compatible with IPv4 (6 can go whistle).

Solid password practice on Capital One's site? Don't bank on it

Time Waster

Re: Single figure entry

Thumbs up for the idea of storing hashes of different combinations. Though there’s no way I credit many banks with coming up with (or caring about) doing so. Realistically if, like my bank, they only ask for 3 characters at a time, it wouldn’t take much to brute force those hashes anyway... My bank does ask for a secondary password (I think they call it a memorable word), which I guess (again, assuming a massive amount of faith in their security / engineering teams) they could be storing hashed with these different pre-chosen combinations...
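The "hashes of different combinations" idea from the comment above, sketched as an added example (not the bank's or the commenter's code): one salted hash is stored per set of three positions, so a challenge can be checked without ever storing the full password, and a helper quantifies how little each stored hash actually protects. The 62-character alphabet, the PBKDF2 parameters and the sample password are assumptions of this example.

```python
"""Partial-password verification via per-combination hashes (added example).

Stores one salted PBKDF2 hash for every 3-position combination of the
password so a "characters 2, 5 and 7" challenge can be verified without the
plaintext. The flip side, noted in the comment: each hash covers only three
characters, so its keyspace is alphabet**3 whatever the full length is.
"""
import hashlib
import hmac
import math
import os
from itertools import combinations
from typing import Dict, Tuple

Positions = Tuple[int, ...]   # 0-based positions asked for in a challenge
POSITIONS_PER_CHALLENGE = 3
ALPHABET_SIZE = 62            # assumed: a-z, A-Z, 0-9
PBKDF2_ROUNDS = 10_000        # kept low for the example; production uses more


def _digest(salt: bytes, positions: Positions, chars: str) -> bytes:
    """Hash the requested characters, bound to the salt and the position set.

    Mixing the positions into the salt stops two combinations that happen to
    hold the same characters from producing identical stored hashes.
    """
    tag = ",".join(str(p) for p in positions).encode()
    return hashlib.pbkdf2_hmac("sha256", chars.encode(), salt + tag, PBKDF2_ROUNDS)


def enrol(password: str) -> Tuple[bytes, Dict[Positions, bytes]]:
    """Return a per-user salt and one hash per combination of 3 positions."""
    salt = os.urandom(16)
    table = {
        pos: _digest(salt, pos, "".join(password[i] for i in pos))
        for pos in combinations(range(len(password)), POSITIONS_PER_CHALLENGE)
    }
    return salt, table


def verify(salt: bytes, table: Dict[Positions, bytes],
           positions: Positions, answer: str) -> bool:
    """Check the characters supplied for `positions` against the stored hash."""
    stored = table.get(positions)
    if stored is None or len(answer) != len(positions):
        return False
    return hmac.compare_digest(stored, _digest(salt, positions, answer))


def table_size(password_length: int) -> int:
    """Hashes stored per user: C(length, 3)."""
    return math.comb(password_length, POSITIONS_PER_CHALLENGE)


def bits_per_hash() -> float:
    """Guessing work per stored hash: 62**3 = 238,328 candidates, under 18 bits."""
    return POSITIONS_PER_CHALLENGE * math.log2(ALPHABET_SIZE)


if __name__ == "__main__":
    # Constructed sample password for the demo.
    salt, table = enrol("Tr0ub4dor")
    print("hashes stored:", table_size(9), "bits per hash:", round(bits_per_hash(), 1))
    print("correct answer accepted:", verify(salt, table, (0, 3, 8), "Tur"))
    print("wrong answer rejected:", not verify(salt, table, (0, 3, 8), "Tub"))
```

With a full-password hash the stored value protects the whole keyspace; here each of the 84 stored hashes for a 9-character password protects under 18 bits, which is the brute-force concern the comment raises.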

2-bit punks' weak 40-bit crypto didn't help Tesla keyless fobs one bit

Time Waster

Re: Problem-solution dichotomy

I’m with you on avoiding excessive and often unnecessary technology. Keyless entry being a case in point. How hard is it to press a button on a remote to lock / unlock your vehicle, a remote virtually all “keyless” systems still require. Such buttons have the rather handy features of knowing whether you’ve actually locked your car, and rather neatly preventing relay attacks from your hallway / coat pocket. However, going back to physical keys is a step too far even for me. Car thefts have decreased rather dramatically since the 90’s (last I looked, they were down over 80% in the UK) and I can’t help but suspect this may be related to swapping old-school key barrels (which are all too easily old-school hot-wired) for more electronically integrated remote systems. Whilst I’m sure there are some professional car thieves taking advantage of such holes in current technology, I’m pretty sure there are far more teenage oiks with a brick and a pair of pliers looking for some quick thrills.

Self-driving cars will be safe, we're testing them in a massive AI Sim

Time Waster

Re: L5

Whilst no doubt this is true, any L5 system on sale cannot simply refuse to drive down particular roads or in certain conditions. What if I buy this vehicle and live down such a road? Or jump in a taxi and it starts snowing? Or live in Bangalore?