Posts by Ian McNee

Re: Bribe developers with tee-shorts

Tee-shorts for penetration testers...and what line of business were they in again?? :-O

Re: Clicking links ...

@gazthejourno:

Except we all know that that's Fantasy Capitalism (tm) Gaz. Otherwise we wouldn't have had the Comodo or DigiNotar hacks, the RSA hack, the endless list of (often Blue Chip) companies threatening infosec researchers with legal action rather than engaging in public interest disclosure and fixing their "premium" crapware, an so on ad nauseum.

On the contrary while Open Source is no more free of security flaws there are far fewer of the commercial imperatives to behave badly when these are discovered. So no, it's not hard, when you disengage your prejudices and use your brain.

Re: I fail to understand...capitalism?

Were you thinking that the law is there to protect ordinary citizens? That's the window dressing. The law is there primarily to protect private property (i.e. of corporations - your house, car, etc. are small beer) and the accumulation of capital.

So a company like Experian that provides personal data to other corporations to allow them to better profit from you the ordinary citizen is deemed legal and proper. And yeah I think it sucks too.

Re: Honey Pot

@Noel and Jim:

(i) it's the Windows version that is very tricky to compile from source - and there are both benign and suspicious explanations for this;

(ii) Matthew Green has a good reputation technically and ethically - it doesn't seem likely that he would be involved in some game to pretend to audit TrueCrypt (unless you take the completely unworkable "trust no-one" tin-foil hat position).

Re: Does AV see FoxAcid?

As the article suggests, the Foxacid operations are more targetted, partially by NSA analysts and partially by automated means (browser user agent, etc.) and so what's delivered will vary: anything from known exploits up to 0-days for premium targets. Therefore these may or may not be detected by regular security software.

Inevitably the "tools" the NSA use will become public (in the sense that they will become known vulnerabilities, not that we will necessarily know that the NSA were using them) and fixed sooner or later. However given the size of the NSA's bugdet you can be sure that the "tools" they are using are constantly evolving and new ones coming on stream regularly.

As such I doubt the NSA would have much interest in forcing US-based AV vendors to compromise their products - whatever one thinks of the NSA (and I tend to with "nasty dangerous bastards") they have a remit in protecting US business and infrastructure and would be unlikely to compromise that role so generally by specifically weakening US commercial security products.

Re: This is nothing new - and standard practice

The police and security services are very good at: (i) lobbying for new powers that they insist will only ever be used in very specific and limited circumstances, and then (ii) being extremely creative in applying such new powers to as wide a set of circumtances as possible, to the point of testing the credulity of even the dullest of politicians and regulators. Never mind the circumstances in which they covertly break the law due to the lack of adequate oversight (plenty of coverage of this kind of thing here and in the Guardian recently re. the Snowden revelations).

This action by PIPCU (and elaborated in the post above) is an excellent example as are the well-documented misuses of RIPA and our extensive "anti-terror" legistlation. What makes it all the more worrying are the most recent revelations about the NSA & GCHQ subverting TOR and covertly compromising net users simply because they seek to protect thier privacy on-line.

Re: broken speed limit

Not a good idea - the max. speed limit is only 130kmh after all, check out them damned Dutch from Delft again!

Re: No forking technical reasons

Canonical have not chosen to go with Mir as replacement for X for technical reasons - they want to have their cake and eat it with the development and commecialisation of Mir. On the one had Canonical want community contributions to help develop the software and on the other they want to cash in on Ubuntu/Mir in the mobile/hand-held/embedded markets.

To this end Canonical have imposed a Contributor License Agreement that gives them the right to relicense any and all code as they see fit. This gets around the inconvenient fact that, as they are using community code, they are not the sole copyright holder and thus effectively allows them to block other developers from modifying (or even supporting) Ubuntu/Mir in the markets they seek to exploit.

For a full and more eloquent explanation see Matthew Garrett's posting.

Re: forking generally good for long term

@PyLETS: yes, agreed. But Canonical are not forking Wayland with Mir. The way Canonical are requiring contributors to Mir to agree to grant Canonical the ability to relicense their code in any way they see fit makes it pretty clear they have no intention of creating anything that can be fed back into the broader ecosystem in any positive way.

Ermm...

...how much for the amphibious assualt vehicle? Can't wait to rock up at work with that!

@AC 02:31 - out the window two and a half years ago...

Cast your mind back to the spectacular Anonymous hack of HBGary Federal in early 2011. Aaron "Fail" Barr shot his mouth off about how clever his social media scraping software was at tracking down Anons by graphing public social media connections. This was all part of bigging-up himself and HB Gary Federal to get fat FBI contracts as well as all sorts of other questionable deals with corporations and govt. agencies wanting to snoop on US and other citizens.

Of course that particular episode had (at least partially) a happy ending as he was very publicly handed his own sorry butt by Anonymous. The story is well-documented on Ars Technica .

This line tickled me too...

"Barnes appears to have escaped with the support of his colleagues intact" - original euphemistic double-entendre? Never heard them referred to as "colleagues" before, exposed or otherwise. Paxman will be quizzing him about his outfitter sometime soon...

Re: Yeah but...that would be clever...

...IF it were true. But it's not. It was a joke and a few dim fanbois believed it. And bricked their phones.

Anything else Cliff?

Re: Blaming the victim?

This just is not how it actually works in the real world: a great deal of the "security" banks implement is designed to exonerate them of any responsibiltiy and "prove" that the user was either irresponsible (divulged PIN, lent card to friend, etc.) or attempting to defraud the bank. Browsing the banking security posts a Cambridge Computer Lab's Light Blue Touchpaper blog demonstrates that.

On the main topic it's no surprise the Get Safe Online campaign didn't take off: their advice is at best incomplete and full of platitudes and often just plain wrong, e.g. advising complicated hard to remember passwords.

And if this report is correct Mr Lyons isn't getting any cleverer: "attacks on computer networks could soon threaten critical infrastructure" (the usual security terror scare stories), "wearable technologies...will be...hacked" (oooh...bears/woods/pooh??), "Techniques developed to beat biology-based authentication systems, such as fingerprint recognition, will also be a major headache" (wow...no-one saw that coming...oh wait, 2002 is calling, a gummi bear wants the Chaos Computer Club to check if you have any significant brain function).

Until we have some real security people leading these initiatives rather than govt./business friendly PR wonks like Lyons we will get nowhere.

Re: I'm still waiting for them to respond to my request

Dear Mr G E

With regard to your recent request allow me to express the sympathies of the Agency over the passing of your dear friend Mr Wiggly.

However you will appreciate that with the appointment of the Civil Liberties & Privacy Officer the Agency are making increased efforts to protect the rights of individuals to freedom from intrusive state surveillance. As such, while I can neither confirm nor deny the existence of any photographs of Mr Wiggly in the Agency's data warehouses, I can assure you that we would never breach his privacy without prior consent.

I understand this may present you with a minor problem in obtaining any such consent from beyond the grave. However our colleagues at DARPA are working on one or two things that may help with this and I will keep you posted (on the QT naturally!) as to any developments in this area. In the meantime please make sure that Mr Wiggly is NOT defrosted as this may impair any future efforts.

Respectfully,

Lt. Gen. K. Alexander

Director NSA

Re: A bit late to the party arent they?

For sixty notes and a spec like that they can probably come to the party any time they like. The killer will be the true meaning of the words (from their web page linked in the article): "Hudl comes with easy access to the Tesco world and your favourite Google Apps."

If that means "we've encrypted and locked the bootloader, saddled you with Tesco shopping apps you can't remove and given you access only to a limited set of apps via Tesco Play" then it will be less good. Let's wait and see!

Re: The iPhone 5C would have been a sellout success

Or alternatively in Apple pitched the 5C in such way as to make the fruity fanbois think: "Oh my gawd, I don't wanna be stuck with a 5C, I GOTTA have a 5S to be a successful & stylish thinkfluencing barista!" Not that Apple would really do anything to ramp hysteria among the (not so) poor fashion victim community. No no. Not never. As if!

</tinfoil-conspiracy-fandroid-wanker>

Re: I expect to be greeting them soon - DITTO!

Whilst I wouldn't rejoice at anyone losing their job to redundancy, especially in the current climate, the burgeoning managment culture (at the expense of those who actually have to deliver) is a big problem in sectors with semi-monopolies and some parts of the public sector. It has certainly had a signicant role in the recent debacles at places like the BBC, the Mid Staffs NHS Trust and the generally poor performance of our privatised utilities.

Will this help improve Virgin Media? Well it's better than sacking the few remaining decent UK-based support and engineering staff! Fingers crossed...

Re: Anonymity

What this research demonstrates (and it's fairly readable and not too long - go for it) is that an avdersary with ISP-level network resources can deanonymise users in a statistically predictable time period - some shorter and some longer but a lot shorter and more predictable than previous analyses have shown.

But, and it's quite a big but, it seems obvious from the paper that they are analyzing the bulk or Tor use (i.e. for which Tor is probably the only anonymity tool in use) rather than Tor plus anonymous proxies, encryption and the like. That work is yet to be done but it is likely that someone more technically competent than your average BitTorrent freetard attempting to avoid the RIAssA would take a lot longer to identify even with state-level resources.

That said Tor is clearly of interest right now to some big player or other as recently reported by Ars Technica. This will be interesting to follow in the coming months in light of the ongoing Snowden NSA/GCHQ revelations.

Re: Android Cheapos

SIM-free Nexus 4 8GB for a hundred and sixty notes anyone? Now that's about the best Android Cheapo you'll get this side of Xmas. Possibly even Xmas 2014!

NO! I'm Priyanka!

*ahem*

Re: same old routine ***STOP PRESS***

No - Nicola Sturgeon has just vetoed the deal saying "I'm not a fin of Microsoft".

SORRY!

Predicted consequences

More to the point, security researchers have been flagging-up these vulnerabilities for several years (e.g. Jerome Radcliffe and his Medtronic insulin pump) with the uniform response from device manufacturers: "Nothing to see here, this isn't a problem (and if it becomes a problem we may sue you for making it public)".

Given this attitude by device manufacturers (and the likelihood that the DHS's intervention is more to do with self-publicity/funding than genuine human welfare/security) the suggestions above that they will simply use this as an opportunity to inflate profits by producing "secure" devices (any bets on an "unhackable/terrorist-proof" wifi insulin pump "protected" by WEP?) seem all too likely.

</cynic>

Re: no way

@Mark .: you may be right about the Samsung alternatives but as Tony points out in the review the (Asus) Nexus 7 whips this tab's butt - as it has been doing most wannabe tabs since its launch.

And the more new 7-8" tabs are launched the more I think that Google shipped the Nexus 7 at little more than cost - smart move as Android tabs are now outselling iPhads and I still feel like I have the best one on the market seven months on.

</smug>

Re: What if...

It seems to me that Tony Blair was just another self-serving unprincipled shit who operated with the same arrogant sense of entitlement and impunity that infects the vast majority of ruling elites and their cronies everywhere.

There, I fixed it for you.

When what we already know about and have some real evidence for is really bad there is no need to invent more bad stuff which is entirely speculative.

Back on topic: in addition to all the other stuff mentioned above about Palantir, the fact that they had a significant association with HBGary Federal up until the point that it was revealed very publicly that HBGary Federal were astroturfing, smearing, snooping on behalf of corporations and government agencies and to the detriment of ordinary people simply trying to protect their jobs, privacy, environment, etc., demonstrates that they are not a very nice corporation. It doesn't prove that Prism == PRISM but that doesn't really matter: it's already clear enough that one should be extremely wary of Palantir.

Re: Good looking on Radio

@Corinne: check out BBC Radio 4 - you get the full gamut of shapes, sizes and looks in male and female presenters, journalists, comedians, etc. - IMHO two of the most talented people on R4, Eddie Mair and Jane Garvey, do not conform to the media-imposed norms of physical beauty.

Not that R4 is perfect - they have a significant London-centric middle class Oxbridge bias (again the two people above don't fit all those categories). And you are right that the media in general are far harsher on women over their appearance than men.

@AlbertH

Actually, unlike Linux, Android is not vastly more secure than the alternatives for three obvious reasons:

(i) all software has vulnerabilities and the more complex, the more vulnerabilities;

(ii) Android is very popular and by definition very connected and therefore very valuable to criminal malware coders;

(iii) as stated above in detail, device manaufaturers are essentially negligent in their provision of timely updates to fix known Android vulnerabilities.

As for the idea that malware could not possibly gain root access without manual user intervention, that's just plain not true. One of the main ways of rooting a good number of Android devices involved exploiting a vulnerability in the OS. All the user would notice if this were malware would probably be the device rebooting unexpectedly - hardly an unknown occurrence with quite a lot of mobile devices.

Don't get me wrong - I love Android, it rocks compared to everything else widely available at the moment, but let's get real. And likewise I have no remit for the AV companies, especially when they make such obvious "BUY ME!" releases like this one from Kaspersky.

Re: Google not evil enough

@Andy Fletcher: I think you're missing the point made by grammarpolice. The way I read it is that if Google had been more underhand in breaking the grip of H.264 and worried less about marginal current income then we would have had a better chance of video content not being encumbered with patented codecs, i.e. "best for the user."

There are no good guys and bad guys when it comes to major corporations, rather the interests of certain coportations occasionally coalesce around something good for the majority of users and on those occasions we should put our weight behind them.

Re: Am I missing something? - no sir, well said

And to be fair to Mr. Fry he is touching on a piece of computer science esoterica - I still have nightmares about ploughing through Minsky's "Computation: Finite & Infinite Machines" as an undergrad.

There does seem to be an unhealthy backlash against Turing's legacy because there is a dispute over the matter of his persecution by the British state. The fact is that he that he stands out as a very bright light in a pantheon not short on bright lights in the theory of computation. And if Stephen Fry slightly misunderstands the technicalia in aiding the well deserved recoginition of Turing we should not really care.

Re: How is this different from other spyware?

It's different in that Gamma International will almost certainly have a cosy relationship with the British and German security services who are so keen to snoop on their own citizens with the sanction of their respective political classes...***WHHOOOOSSSSHHHHHH***...hey did you hear that? The sound of Tory & Lib Dem politicians who had previously opposed Labour's GHCQ mega-snoop legislation swiftly changing their position when they entered Downing Street. Who knew?!

Business as usual...

As a long standing domestic VM customer this is no surprise. Standard practice is:

(i) Don't admit to anything on the service status page if at all possible;

(ii) Direct support calls to overseas call centres who are not provided with relevant information about outages;

(iii) Tell customer that the problem will be investigated and they will be called back but fail to do so;

(iv) Fill the forums with employee sock puppets who tell users how great the service is.

Most of the time the service is good but on the occasions that it isn't there is a total failure to give a shit at VM.

Other Contracts Are Available...

@James 51:

SIM-free device + monthly rolling contract = stress-free life when mobile service provider f*cks-up.

Simples.

Or worse?

Some analyst sitting on a pile of Apple stock that has fallen by 30% in the past five months is worrying about how he will confinue to fund the condo, kids private education *and* his coke habit? "Hey! Let's roll out the hackneyed Android Fragmentation scare story - there's plenty of tired tech journos out there to spread some FUD!"

</cynical_wanker>

So in an open free-market ecosystem some companies make crap? *yawn* bears-trees-poop, meh.

When you can get a good SIM-free ICS smartphone (e.g. Huawei Ascend G300) and a good 7" JB tablet (e.g. Storage Options Scroll Evoke) for a little over £200 it's bleedin' obvious to all those who aren't supping the Cupertino/Redmond kool aid that Android fragmentation ain't the problem it's cracked up to be.

On and just how much quality smartphone+tablet hardware and software can you get for less than 250 notes from Apple or a Windows source?

</smug>

Re: Phone numbers

You don't have to provide Google with a phone number, doing so simply provides one method of enabling two-factor authentication and one method of regaining access to your account in the case of lost credentials. The former can be done via the Authenticator Android app (verified by a single-use activation code) and the latter via another e-mail account or single-use login codes.

Too right, Google are no angels and I doubt they really give a stuff about our privacy, but for the vast majority of people who use the net for significant aspects of their life an e-mail account is almost certainly the most important attack vector for the bad guys to pinch your identity and your money.

It's all very well to take a privacy holier than thou (or worse a lazy "it's a pain to use all the time") attitude but balancing minor privacy and inconvenience issues against your life being in the hands of some anonymous criminal is a no-brainer and that's how we should be educating lay users.

Re: OF COURSE they should've expected this.

DAMN! I am fed up of some commenters here generating hysteria around use of the word "expect"!

"Veber should have expected this response" =/= "It is perfectly OK for a small minority of idiots in the Python community to send abusive e-mails and make abusive phone calls"

Jamie Jones and others: those of us who used the word "expect" simply EXPECTED that you had the intelligence to see that we were merely pointing out that anyone with a modicum of net savvy could have seen this coming, not that it is in any way justified.

Let me guess: you're applying for a position at the Daily Wail?

</pointless_rant>

Re: I think it sends out a positive gender message

@Christian: all good points but this Playmobil kit is so 20th century: where's the card skimmer for the ATM??

Re: Ok, fine so far

And on my 32GB Nexus 7 I have even more free space than a 32GB iPad. And it's 3G. And it's half the price of and iPad. And it's a third of the price of a Surface Pro. And it flies like hot shit off a shovel.

</smug>

If I work hard I can see that some people for whom budget is less of an issue can justify an iPad. Surface Pro? Less so.

Re: Isn't that cute...BUT IT'S WRONG!

@AC 18:44: it may have escaped your notice but Google actually only create a few apps for Android, the overwhelming majority are 3rd party creations. Should Google compel every developer who understandably wants to create apps for Android also make a version WinPho? Oh yeah...that's gonna happen!