* Posts by Martin Milan

134 publicly visible posts • joined 22 Sep 2007


Capita strikes again: Bug in UK-wide school info management system risks huge data breach

Martin Milan

Tell someone?

They haven't done anything too obvious like actually telling their customers about this though...

I am a school governor - first my school heard of it was when I called them 5 minutes ago...


Cutting custody snaps too costly for cash-strapped cops – UK.gov

Martin Milan

Database of hashes of deleted photos on PND, local forces obliged to check every x number of days and remove any photos on their own database with matching hash.

I'll waive my consultancy fee in the spirit of public service...

Cinema voucher-pusher tells customers: Cancel your credit cards, we've been 'attacked'

Martin Milan

Where to record credit card data when dealing with a payment gateway...

I work for a company that provides payment services to various customers, many of whom are household names...

When we deal with card data we have a very simple, delightfully inflexible rule. We do not store the full 16 digit card number, or the CCV, in any sort of persistent medium. At all. Ever. Or, according to the MD, frankly else...

UK surgeon suspects his PC was hacked to target Syrian hospital

Martin Milan

Re: Hmm...

It's also not a place that stays static... They have been bombed before... David Nott, before this incident, has had his surgeons killed before...

As for the "What kind of power?" question, you're right of course. People are prepared to do this. Even supposedly religious people. We now need to see they are punished.

Martin Milan


First of all, we're talking about an improvised, battlefield hospital. You're not going to find it in Hospitals Weekly, and I doubt the building's architect had the slightest clue what it would eventually end up being used for...

Dr. Nott has appeared as a guest on Radio 4's PM programme several times, offering testimony of what is going on out there... We're talking about a very brave guy who has put his balls on the line for people he doesn't know for several years. If there is such a thing as a genuine war hero, then this guy is about as close as you could get...

The real story here is not how the coordinates were obtained (and I agree this might not be how Dr. Nott thinks), but what kind of power would bomb its own injured civilians like this. We also need to look at who actually pulled the trigger - was it a Syrian jet, or a Russian one? Whichever was involved, it was a war crime and those involved should answer for their actions.

Can you make a warzone delivery drone? UK.gov wants to give you cash

Martin Milan

When you think about it, isn't there a lot of obvious work to be done here?

Ok - step one. Soldier has his weapons fitted / manufactured in such a manner as to send a bluetooth notification to an Android device every time a consumable resource (like a bullet) is used. This, assuming the android device knows the "initial stock", allows the Android device to:

1 / Periodically send inventory back to central server, allowing the back office boys to order a resupply as needed.

2 / Order its own resupply once inventory reaches a certain level / if the soldier requests it.

Android device connects by cell network (Army takes its own onto the battlefield) to command, and also to assigned drone. Provides location updates, allowing the drone to fly to soldier and follow an instruction like "drop it 1 meter south of my position".

Another nice advantage of this is that you can set your weapons to only fire when connected to your Android device - rendering the gun useless to Tommy Terrorist if he manages to prise it from your cold dead fingers. Just in case he does, the Android device has to receive authorisation from command every 2 or 3 days - shutting down if none is received.

Those are just a few quick ideas...

Payday lender Wonga admits to data breach

Martin Milan

Re: APR! = interest

If we believe your figures, that's 20% per MONTH.

Or 792% per year if you want the annual figure. Hardly a bargain - and that's just taking into account interest. Now you have to start thinking about late repayment fees, given that many people who hold these loans are on the absolute breadline and it is conceivable they can't afford the loan on the terms offered...

Here's how the missile-free Royal Navy can sink enemy ships after 2018

Martin Milan


It is indeed a tragedy that the Fleet Air Arm, and indeed the wider navy, have gone to pieces just as we have lost Captain Eric "Winkle" Brown...

This is what happens when you dispose of men of his calibre and replace them with a heady mix of civil servants and lawyers.

Winkle will be spinning in his grave...


What's that, Adobe? A Photoshop for faking voices?

Martin Milan

Goodbye voice authentication - parting is such sweet sorrow...

TV industry gets its own 'dieselgate' over 'leccy consumption tests

Martin Milan

Re: There is a simple solution

Make Windows open source you mean? (in the case of PCs)

Alleged hacker Lauri Love loses extradition case. Judge: Suicide safeguards in place

Martin Milan

Re: Cooper who?

I would like to know the maximum sentence he might face, and whether or not he might be allowed to serve it in the United Kingdom before agreeing with this extradition...

60 years or whatever, 4,000 miles away from his family doesn't sound like justice to me - and that should trouble us.

That's before we bring his condition into it...

Pramworld admits mailing list breach

Martin Milan

Hey - Pramworld...

I'm not sure I'm prepared to take their assurances that payment information etc has not been compromised at face value. Auditing select queries are we now?

I'd like to see a statement that payment info, if retained at all, was encrypted by AES or equivalent, and some assurance that their key management was competent.

What actually happened? Sounds like an XSS attack from the article text.

BBC telly tax drops onto telly-free households. Cough up, iPlayer fans

Martin Milan

Re: Jim'll fix it and you

I think you'll find, as a former TV license campaigner, you are wrong.

You need a license to view / record live broadcasts (from anyone, not just the BBC). If you are just using a TV with a DVD player, or other such non-receiving apparatus, then you're fine.

Photographer hassled by Port of Tyne for filming a sign on a wall

Martin Milan

Re: Unfortunately... you're wrong

Theft really does require an act to permanently deprive... This isn't theft.

Martin Milan

Re: Pressing charges

Not entirely true - if you have money to burn then you have the option of a private prosecution... It won't do any good, but it is there...

Martin Milan


In order for this to be theft, the security officer would have to intend to permanently deprive the victim of his property...

Is there any comeback for what this actually is - namely illegal seizure...

Bleeping Computer sued by Enigma Software over moderator's forum post

Martin Milan

We're gonna need a better lawyer...

A review is, almost by definition, an expression of ** OPINION **

Good luck unleashing the legal beagles on that!

Women devs – want your pull requests accepted? Just don't tell anyone you're a girl

Martin Milan

Still not evolved beyond this?

Why the hell should it matter in this day and age if the author is female?

Maybe we're all scared of women seeking commit -m ent...

Asda slammed for letting vulns fester on its cyber shelves

Martin Milan

Re: horrible sign up process

If they are hashing passwords correctly, then the length of the password chosen by Johnny/Joanna User should be of precisely SOD ALL interest to them...

Sysadmin's £100,000 revenge after sudden sacking

Martin Milan

James is a dick...

Yes, it would be satisfying to leave knowing what was coming, and yes, technically this is the fault of management for not handling the exit process very well - had the same thing happen to me earlier in the year...

But here's the thing - I would have called / emailed them and said "You need to be aware of this...". True, my plans for revenge would be scuppered, but my former colleagues whom I presumably would have cared about would be able to continue to eat.

Coding with dad on the Dragon 32

Martin Milan

Ah - memories...

Anyone remember "Quest" - the BASIC game that was included with the Dragon32?

My mission to pop down and teach the Warlock a few things was made infinitely simpler when I discovered currency trading lol... You see, the game's internal currency was "gold coins", and lots of things could be bought and sold in the game - including, interestingly enough, gold coins...

Rather than correct this oversight and actually treat coins as currency as opposed to a tradeable inventory item, the developer decided to stop any naughtiness from blaggards like me who would offer to sell a gold coin for the princely sum of two gold coins - by writing a test that effectively looked for price_per_coin < 2.

Had that test been price_per_coin <= 1, the Warlock would have remained a happy man. Sadly, I rather got into the habit of selling coins for 1.9999999999 gold coins - building up quite a little nest egg for myself in the space of five minutes, allowing me to purchase a rather impressive militia to wander down to warlock central to explain what's what - usually in one very decisive battle...

Happy times - and an example I still use to this day to illustrate decent validation to junior developers...
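The coin-selling hole described in the post above, reconstructed as an added example (this is not the Dragon 32 game's code; the shop, the price table and the Player class are assumptions): the `price_per_coin < 2` guard beside a version that treats coins as currency rather than as stock.

```python
"""Added example: the Quest gold-coin validation bug.

The shop, BUY_PRICES and Player are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed catalogue: what the shop pays per item, in gold coins.
BUY_PRICES = {"sword": 5, "potion": 2}
GOLD = "gold coin"


@dataclass
class Player:
    gold: float = 10.0
    inventory: dict = field(default_factory=dict)  # item -> count


def sell_vulnerable(player: Player, item: str, qty: int, offered_price: float) -> bool:
    """Coins are just another inventory item and the only guard is the one
    the post describes: reject price_per_coin >= 2. The player names the
    price, so 1.9999999999 per coin is accepted and each sale nets a profit."""
    if item == GOLD:
        if not (offered_price < 2):          # blocks 2.0 but not 1.9999999999
            return False
        if player.gold < qty:
            return False
        player.gold -= qty                   # hand over qty coins...
        player.gold += qty * offered_price   # ...and get back almost twice as many
        return True
    if player.inventory.get(item, 0) < qty:
        return False
    player.inventory[item] -= qty
    player.gold += qty * offered_price       # also trusts the player's price
    return True


def sell_hardened(player: Player, item: str, qty: int) -> bool:
    """Coins are currency, not stock, so they cannot be sold at all; every
    other item fetches the shop's own price, never a player-supplied one,
    and quantity is checked against what the player actually holds."""
    if item == GOLD or item not in BUY_PRICES:
        return False
    if not isinstance(qty, int) or qty <= 0:
        return False
    if player.inventory.get(item, 0) < qty:
        return False
    player.inventory[item] -= qty
    player.gold += qty * BUY_PRICES[item]
    return True


def farm_coins(rounds: int, price: float = 1.9999999999) -> float:
    """Repeat the post's trick against the vulnerable shop `rounds` times,
    selling the whole balance each time; returns the final gold balance."""
    p = Player(gold=10.0)
    for _ in range(rounds):
        sell_vulnerable(p, GOLD, int(p.gold), price)
    return p.gold
```

Five rounds of `farm_coins` turn 10 coins into roughly 300, which is the "nest egg in five minutes" the post describes; `sell_hardened` refuses the coin sale outright instead of reasoning about a price boundary.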

KARMA POLICE: GCHQ spooks spied on every web user ever

Martin Milan


Clearly we have intelligence agencies who aren't particularly troubled about democratic oversight, or indeed the need to operate within it.

Parliament needs to kick arse, kick arse hard, and kick it NOW!

British killer robot takes out two Britons in Syria strike

Martin Milan

Re: Victims?

I on the other hand will continue to be rather concerned with this development...

Parliament explicitly voted against the use of our forces in Syria, and it's happened anyway (let's not forget we've also had RAF crews flying sorties on secondment to other powers).

Few people, myself included, will cry for the loss of a couple of Jihad obsessed idiots, but the fact remains that the government might well have acted illegally. We urgently need a statement from the Attorney General stating on what legal basis this mission relied...

UK.gov confirms it's binned extended Windows XP support

Martin Milan

"We expect most remaining government devices using Windows XP will be able to mitigate [b]any[/b] risks,"

Am I the only person who is really, REALLY suspicious of the word "Any" in there? It's almost as though we have some administrative managerial drone spouting forth without actually doing the research to understand what those risks might be - thereby elevating his/her confidence to the point where they might even speak of "THE risks"...

For heaven's sake, you're responsible for holding masses and masses of our most sensitive information, and you are subject to the DPA. Running a maintained operating system on your kit really should not be that much of an ask...

Will the government compensate us when we all get powned by this one?

DRONE ALONE: US Navy secretary gives up on manned fighters

Martin Milan

Erm, hang on...

If these drones are being remotely operated, doesn't that provide next season's bad guy (tm) with a lovely new vector of attack?

Step 1 : Jam communications between drones and fleet.

Step 2 : Fly very slowly over forces of freedom, chortling as you go...

In fact, where are these drones being piloted from? Surely these facilities will become high priority targets, and when they do, might they not find their whole bricks and mortar, stuck in the ground nature to be a bit of a drag?

I don't like the way all this is going... I don't want to needlessly endanger pilots any more than the next guy, but sometimes there is no substitute for having a thinking, feeling lump of meat in the front seat. So is it needless?

Professor's BEAGLE lost for 10 years FOUND ON MARS

Martin Milan

Re: 'Position and shape'

And still they come...

Cops accessing journo sources with RIPA? Use your powers properly, moan MPs

Martin Milan

So predictable...

What troubles me most in all this is that there is no accountability for the officers who have misused RIPA for tracking journalistic sources. Naughty boys and girls of course, as goes without saying, but no one's taken any action to suggest that misusing the law will have consequences (and it won't) - so there is no deterrence.

When people start losing jobs, other people will start listening...

Comet lander drill cliffhanger as last dregs of power used

Martin Milan

It's all very well saying this after the fact, but with an unpredictable (at the time the mission was devised) surface, and the possibility of cliffs and craters, I bet they wish they had included an independent power source (nuclear) now...

SHARE 'N' SINK: OneDrive corrupting Office 2013 files

Martin Milan

Re: lol, "tight integration."

Excel files are basically just zip files anyway - containing a load of xml.

I've been there - I've seen things!


Austrian Tor exit relay operator guilty of ferrying child porn

Martin Milan

Aren't judges, traditionally, supposed to show a little actual judgement?

I would like to know why they also didn't go after the phone company, and come to that the electricity supplier, on exactly the same grounds... They are certainly equally "complicit" - ie not at all.

It comes down to a simple question really - should we round up the gunsmiths, knife makers and inflatable banana manufacturers (it could be done...) and charge them with all the murders involving their produce?


Because if not, the guy is plainly bloody innocent.

Passwords in plaintext? NOT OK, Cupid

Martin Milan

Not again...

No, No, No No No No No!!!!

DO NOT encrypt passwords.

Hash 'n' salt, but do not encrypt!

Why would you even want to be able to get back to the original password? Why even allow the possibility (that an attacker might get your key)

THOUSANDS of Tesco.com logins and passwords leaked online

Martin Milan

Re: Even worse

I know...

I remember discussing with colleagues how come we (pokey works management system at the time) were aware of salted hashes, and the team behind a site like Tesco.com, with multi-million pounds in transactions, either were not aware, or didn't consider it important...

Martin Milan

Re: Oh dear

Here we go:


Exit stage left security team...

Martin Milan

Re: Unencrypted passwords ?

Like I said above, they were warned about this a year or two back...

Martin Milan

Oh dear

I seem to remember Tesco being covered on El Reg a year or two back. I also remember several people at the time objecting to their clearly storing passwords in clear text, as opposed to salted hash.

In short then, it's not like they were not warned...

I'm not certain about this, but I think they got shirty with the guy who originally exposed them as well.

'No, I CAN'T write code myself,' admits woman in charge of teaching our kids to code

Martin Milan

Oh really?

So then - people who don't know how to code (the "lead teachers") are going to be given a day's training, and then left to train other people who don't know how to code (the "grunt" teachers), who will in turn be training another group of people who don't know how to code, most of which don't want to code (the kids), to code.

Yeah - right. Someone ring the emergency services, coz there's one hell of a car crash just around the next bend...

Elderly Bletchley Park volunteer sacked for showing Colossus exhibit to visitors

Martin Milan

Re: You're doing it wrong...

I used twitlonger...

Martin Milan

You're doing it wrong...

Just tweeted the below to @bparkceo...

You know what? If you find yourself running a charitable trust, one charged with preserving the memory of a remarkable group of people who secured your freedoms, and you describe yourself as the “Chief Executive Officer”, you’re doing it wrong.

If you preside over a regime where, when I call to establish the facts BEFORE complaining to the National Heritage Fund, I’m told “There is a statement on the website and that is all I can say…”, you’re doing it wrong. If you don’t recognise the irony of having this regime in a place so instrumental in preserving your own liberty to think and speak as you feel, you’re doing it wrong.

If you really do consider yourself unaccountable to the public, you’re doing it wrong.

If you think it’s acceptable to receive money from the Heritage Fund, and then even consider erecting fencing to prevent people visiting Colossus, even if it is hosted by another body, you’re doing it wrong.

If you’re prepared to squander the most precious resource you have - namely the elderly volunteers who have both a knowledge and enthusiasm for the place of which you can only dream, you’re doing it VERY wrong.

If you’re really are doing things THAT wrong, then its time to consider stepping aside in favour of someone who knows how to do it right - and I can point you toward a few elderly volunteer types who would be one hell of a first guess.

KC engineer 'exposed unencrypted spreadsheet with phone numbers, user IDs, PASSWORDS'

Martin Milan

Re: WTF?

LOL. I'm scared to think you might, just might, be from the IT industry.

Martin Milan


... then allow me to enlighten you...

The issue is that this engineer now has credentials for accessing thousands of customers' email accounts. If the customer has been lazy (and most will be), he probably also has access to their Facebook / Twitter accounts as well...

There is no excuse for holding passwords in clear text - even back at base - never mind on a remote worker's laptop.

Crowdfunded audit of 'NSA-proof' encryption suite TrueCrypt is GO

Martin Milan

Not an expert on this, but it seems to me that in order to have any credibility, the identity of the auditors must be known. On the other hand, once they are identified, the NSA / other such body can get at them and threaten all types of nastiness unless they get the result they want...

Seems to me then that we should be trying to keep the auditors identity a secret until the very moment the report is published...

Assange: 'Ecuadorian embassy staff are like my family'

Martin Milan

"It’s a bit counter-productive to trap me here, because what else can I do but work?"

Erm - how about throwing it all in, and going back to Sweden to face your accusers?

If you're innocent, great - best wishes clearing your name. If you're not, face the consequences.

In either event, grow up.

(I actually think he'd be somewhat safer from extradition to the US in Sweden than he is in the UK...)

Snowden journo's partner wins partial injunction on seized data

Martin Milan

Re: There's more going on here...

First of all, I am not sure (someone more learned than I might like to comment) that RIPA can be invoked in an Airport Transit area. It's important to remember that he wasn't, technically, stood in the United Kingdom.

Again though, we come back to the "competence" point. If they knew what they were doing, Miranda should not have had knowledge of the decryption keys. Surely even RIPA cannot be used to punish him for failing to disclose information to which he has never had access?

Additionally, were I in their shoes, I would almost certainly have used a hidden partition, with something pleasingly innocent on the exposed partition to keep the boys in blue happy...

I think the only thing we do know here is that there are a lot of things we don't...

Martin Milan

There's more going on here...

Am I really the only techie here who can see this?

From what we've been told, the "data" was encrypted - and given Mr. Snowden's involvement in all this, together with the fact we are dealing with a journalist who specialises in security stories, one or two questions really do demand answers...

1/ The UK Government are claiming, in court, to know the content - to have read it and understood it. It follows from this that they have the clear data. Surely we are not being led to believe they have cracked the encryption in 5 days?

2/ Miranda has apparently given passwords to the computer and to his social media accounts. From what I have read, he hasn't divulged any decryption keys.

3/ If Snowden / Greenwald know what they are doing (and we have to assume they do...), far from revealing decryption keys, Miranda shouldn't even know them. He should, for all intents and purposes, merely be moving a lump of plastic and silicon from country A to country B. There are good reasons, as I'm sure he now appreciates, for Miranda to know nothing at all about the security measures taken...

4/ *If* they don't have the data, and to be honest I rather suspect they don't, then the government are lying - to a court. Given the number of illegal acts Snowden has already exposed, it's sadly no longer difficult to imagine that our security services / government would have a problem with doing this...

Like I say - there's more going on here than meets the eye...

Bradley Manning is no more. 'Call me Chelsea,' she says

Martin Milan


There's a Facebook post doing the rounds amongst techies in the United Kingdom that compares the sentence Chelsea has received to the far more lenient sentences that have been given out to other members of the military for the killing of non-combatants - even harvesting body parts in one case. It's enough to make anyone with a brain stop and think.

As for the gender reassignment thing - I'll go with her views on how she wishes to be addressed. She acted to try to start a debate on the actions of US Forces, and that debate is needed. The US is no longer the land of the Free by any stretch of the imagination. Nor is it the bogeyman - but things have happened that need to be challenged, or at the very least considered carefully... For my money, I respect her enough for what she has done that I'll call her whatever the hell she likes.

It's a fiddle! Funnyman's Irish tax flashmob floods Apple flagship store

Martin Milan

Re: 'bout time

Always liked Mark Thomas - ever since the comedy product...

Met him on a few occasions, and he's a real nice guy...


Furious Stephen Fry blasts 'evil' Reg and 'TW*T' Orlowski

Martin Milan

Let's call it a draw...

Having actually met Stephen Fry (during TwitterJokeTrial) I can assure you that he's not merely a pontificating buffoon speaking as an expert on what he doesn't understand - he's also a decent chap with decent values.

OK - so he carps on about some things in IT of which he has a rudimentary understanding... That's how half of my colleagues - hell, even me from time to time - make their living.

As for the Reg being vicious - no Stephen, it normally isn't... I learn more about happenings in IT from El Reg than I do from almost any other source...

Council IT bod in the dock for flogging scrap work PC parts

Martin Milan


The point you're all missing here is this:

The council was disposing of its equipment, and failed to notice that hard drives etc were not making it as far as their approved disposal agent.

Since said agent would doubtless raise concerns if machines started turning up missing such useful components, it seems to me unlikely the agent was receiving the machines in question. This leads us to "whole machines were likely not making it to the disposal agents, and nobody noticed".

This chap might have been a well intentioned (if naive and poorly informed) chap, diligently wiping material etc before selling devices on. But what if he wasn't?

Data Protection For Dummies to the IT Dept I feel...

Do Not Call Register operator breaches Register

Martin Milan

Re: 30 Days?

I suspect the reason for this is to avoid having to implement one central webservice, which in light of the number of requests it would receive would either need to be run on beefy iron, or would become one central point of failure.

The current approach allows the register to simply give the data to the call centre chaps every 30 days, and the call centres can then use their own systems to check it.

UK High Court split over Twitter airport bomb joke

Martin Milan

Re: In the near future

I already use one on occasion... Not here though, usually...