* Posts by Chronos

1257 publicly visible posts • joined 21 Oct 2007

US congress wants a word with ZTE, Huawei

Chronos
Big Brother

Not so obvious

This is, IMHO, more to do with the ability to insert snooping systems into telco kit rather than the reports going the wrong way. The least of us know how to monitor and block such things. The real issue is that the USians have absolutely no control over ZTE and Huawei and no access to their codebase so back-doors and other such technological internal rogerings will be harder to implement.

Sunshine, you're the enemy they're really concerned about, not the Chinese.

British Minister likens Anonymous to fascists and racists

Chronos

Re: No....

That's like saying the turd that's floating is superior to the ones that sank. As with politics, the only difference is gas.

REVEALED: Everything Everywhere new 4G logo ... a SNAIL?

Chronos

Ex snail

Not only that but it seems to have gone belly up. For a gastropod, that's disastrous.

Kidney-for-iPad fanboi sues after illness strikes

Chronos
Thumb Up

The problem:

Three variants of the iPad but only two kidneys. This is not a sustainable business model for iFans.

Where there's brass, silver and gold ... there's also muck

Chronos
Pint

Again with the Olympricks?

This huge smorgasbord of money making for fat cats on Olympic committees and commercial sponsors ceased to interest me, oh, let's say a day after it was "awarded" to London. It was probably sooner than that but let's give it the benefit of the doubt. It's costing the taxpayer millions and we're going to see very little from it. Worse, it angered me that some poor sod legally and innocently riding his bike got ape-mauled and slung around by the idiots who think that somehow a symbol is more important than civil liberties. We should leave symbols to the symbol minded.

Beer. Too much of that makes you sick, too.

Firefox 14 encrypts Google search, but admen can still strip-search you

Chronos
Thumb Up

Thanks for the pointer to Disconnect. I missed that one in my usual privacy-enforcing toolbox.

Have an upvote ;-)

Firefox 'new tab' feature exposes users' secured info: Fix promised

Chronos
Thumb Up

Just use ESR

No, not the mad conspiracy/gun bloke, Extended Support Release which, according to the roadmap, is good until V17's release, at which point V17 becomes ESR. Also available in Thunderbird flavour. YKIMS.

Nicely hidden there, Mozilla. We'll always find these things eventually, though.

Wraps come off UK super-snooper draft plans

Chronos
FAIL

So much for The Great Repeal

...that we were promised when the coalition took power. Just goes to show you that George Carlin was absolutely right when he said that this shit we do every four or five years to shuffle things around means zip and is just an illusion to make you think you have control. That election shit? Doesn't mean a fucking thing. The real power lies with the lobbyists, corporations and civil servants; those don't change across parliamentary terms.

TalkTalk subsidiary's customer data placed on the web in IIS whoopsie

Chronos
FAIL

Re: @AC 09:31

Try not to be an annoying, petty, pedantic little nutsack for the rest of your life, eh? Have a day off. Stalk Stalk is what people have been calling this company since 2008 and the Phorm fiasco.

SWAG: It used to mean screwed without a GUI. Now it seems they're screwed even with one.

MCSE: Must consult someone experienced.

Backdoor sniffed in ZTE's US Android smartphones

Chronos
FAIL

Re: Moral of the story......

"Don't buy cheap Chinese shit, no matter how cheap....."

I see your trollface but it's still utter tosh. How is a setuid binary on a ZTE any different to, say, Carrier IQ being present and put there by the network?

Is it 'coz they is Chinese? I thought we were supposed to be above xenophobia these days...

This is why those of us who care about our privacy root our phones: Without root, these suid shenanigans have a free hand. With root, a remount rw and a chmod/rm cures the problem without having to wait for the fix.

'Catastrophic' Avira antivirus update bricks Windows PCs

Chronos
Flame

Brick?

No, it's bloody not bricked. Windows is not firmware. If it somehow overwrote the code on the motherboard's EEPROM, then it would be bricked. Until such time, it's a corrupt OS, i.e. soft and sod-all to do with hard or firm.

Mozilla and Google blast IE-only Windows on ARM

Chronos
FAIL

Re: Google Calling the Kettle Black

"it is just not possible on Android to choose any search engine other than Google. Nor is it possible to turn off cookies and take other privacy measures that are possible with (say) Firefox on the desktop."

Say what? My default search is Duck Duck Go SSL no-javascript. My default browser is Zirco. My preferences have it dump history and cookies on close.

Oh, and my ROM is CM7.

PEBTSAC [1], perhaps?

[1] Touch screen. Nothing attached to an Android device or anything else "smart" can be described, even loosely, as a keyboard. Perhaps one of those Bluetooth wotsits that is twice the size of the 'phone, but that's about it.

Bought a new Mac Pro? 1-in-100 chance it'll destroy your data

Chronos
Devil

Isn't that a "feature"...

...of HFS+ anyway? You know, fill it up with tunez from iWotsit and it goes mams vertical with no space left just as you finish ripping your last CD.

ICO mulls stiffer probe into Google Street View Wi-Fi slurp

Chronos

Re: Wireless Telegraphy Act 2006 s48?

The WTA(2006) is Ofcom's jurisdiction, specifically the RIS as-was. The rozzers will do nothing except assist the RIS if and when needed.

Chronos
FAIL

Re: They've actually broken another law.

No, they haven't. To whom have they disclosed? Only themselves, which is quite correct and intended usage. Google, however, even have my MAC mapped despite SSID beacons being disabled since wireless went in at this location, a pretty clear indication that I don't want my access point being used in this way, and are disclosing it to all and sundry so they can locate the device seeing the MAC.

How do I know? Samy knows.

I say again, it's illegal. If Sergey could wave a magic wand and end up in a jurisdiction where they're subject to no laws, he'd do so. He has said as much. This, however, is the real world.

I have even appended my SSID with _nomap, even though it never gets broadcast. I suspect they'll take as much notice of that as they do SSID broadcast being disabled. Or would, if I had left the thing connected.

Chronos

They've actually broken another law.

Wireless Telegraphy Act 2006, Part 2, Chapter 5, Section 48:

Interception and disclosure of messages

(1)A person commits an offence if, otherwise than under the authority of a designated person—

(a)he uses wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of a message (whether sent by means of wireless telegraphy or not) of which neither he nor a person on whose behalf he is acting is an intended recipient, or

(b)he discloses information as to the contents, sender or addressee of such a message.

(2)A person commits an offence under this section consisting in the disclosure of information only if the information disclosed by him is information that would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person.

(3)A person does not commit an offence under this section consisting in the disclosure of information if he discloses the information in the course of legal proceedings or for the purpose of a report of legal proceedings.

(4)A person who commits an offence under this section is liable on summary conviction to a fine not exceeding level 5 on the standard scale.

(5)“Designated person” means—

(a)the Secretary of State;

(b)the Commissioners for Her Majesty's Revenue and Customs; or

(c)any other person designated for the purposes of this section by regulations made by the Secretary of State.

The offence is disclosure of the contents of the beacon packets (i.e. MAC address and location of the transmitter) where the transmission was not intended for their reception. The whole using other people's equipment to provide a location is an offence in the UK.

Ofcom: The Office of Screwing Over Murdoch?

Chronos
Thumb Up

Re: Jim Morrow Gets it wrong

"Secondly El Reg commentards have a duty to avoid [using the] emotive word hacking [to describe] the trivial task of accessing voicemail."

Nicely put, sir. At last, a bit of sense. I'd go a little further and say that hacking should not have the negative connotations that The Media[TM] attach to it within this community but your admonition will do nicely.

Martha Lane Fox hits caps lock, yells at small biz websites

Chronos

Re: Go on...

Problem is, all the sandwiches will be egg...

Boffins, tourists threaten Antarctica with alien invasion

Chronos
Trollface

Would that be...

Professor Chown -R www:www, to give him his full title? Relative of little Bobby Tables, by any chance?

Powerful, wallet-sized Raspberry Pi computer sells out in SECONDS

Chronos
Facepalm

Just asking

Who ate all the Pi's?

Woman spanked for dissing ex in Facebook snapshot

Chronos

@NoneSuch

What, you're going to sign on as an extra on East Enders?

Attention tweeters: Your chance to win undying GLORY

Chronos
Stop

BMW?

You mean Audi, Shirley?

http://livesniffpetrol.s3.amazonaws.com/wp-content/uploads/2010/07/LetterFromAudi.jpg

Polish lawmakers don Guy Fawkes masks to protest ACTA

Chronos

Anonymous

"Earlier this week, hacktivists self-identified as members of Anonymous"

Right, time to clear this up. Anonymous isn't a group or organisation, it's not exclusive to "hacktivists," it's not a script-kiddie collective and you can't be a member of something that doesn't exist. What it is is a badge you can hang upon yourself to identify with a cause, which may not be the same as someone else's cause when using the Anonymous moniker. Apparently, the Polish parliamentarians got this exactly right.

If you support or oppose something that lots of other people support or oppose, don a V for Vendetta mask and you're all one of the same collective by discarding your identity and other opinions for this one issue. Unless you have two heads, ballot stuffing isn't a problem. It's really that simple - no violence, rhetoric or effort required apart from turning up. Stupid shit like "members of Anonymous hacked my cat-flap" really is nonsensical. Anonymous is a way to leave your own political views aside and join the greater good, to say "On this issue, I'm with the silent majority." It really is a subtle and elegant concept, which is why so many people just don't "get it."

X Prize: Build a Star Trek 'tricorder' and win $10m

Chronos
Devil

Disambiguation

"In Star Trek, there were three potential types of tricorders: the medical one, an engineering one and a "standard" tricorder used for scouting out new territory."

ITYM "standard" tricorder used to make loud noises to draw hostile phaser fire towards the accompanying cannon fodder/security ensigns. This is in addition to really bright hand lamps and people who couldn't pass unnoticed in a riot.

Fire at will, unless his last name's Riker. As for medical tricorders, one message is "5cc's of something technical and attach a doofer with LEDs to the patient's head" (thereby drawing more phaser fire from something with more latex on it than a dildo) and the other is "parrot sketch."

http://www.youtube.com/watch?v=JswhkwvtMV4

Word and Excel creator: How Gates, Jobs and HAL shaped Office

Chronos
Devil

The eyes, oh god the eyes!

What is the reason behind Microsofties with that fanatic stare in all of their stock photos? Ballmer has the prototype too-scary version but they all seem to have it to some extent. The explanation would make a good article, I think...

Please get it off the front page: It's frightening the dogs and is almost as bad as Billy G draped over an XT or Michael Dell's smug mush.

What should a sci-fi spaceship REALLY look like?

Chronos
Joke

No mention...

...of the small rouge one? Fie! For shame! ;o)

Software maker sorry for trying to silence security researcher

Chronos
Headmaster

Shirley...

...you mean "CHARGE!... Run away!"

Chronos
Thumb Up

YES!

Another intrusive bully bites the dust. Well done Trevor and the EFF.

Drama as Thai frogmen struggle to save world PC market

Chronos
Coat

Re: Or put another way...

"...my hard drive is OK at the moment so I can afford to get righteous and preachy."

*ZZZT* *Tick*

*ZZZT* *Tick*

*ZZZT* *Tick*

Oh, bugger!

Natwest net and phone banking goes titsup

Chronos
Devil

To err is human

To really fuck up requires a machine.

Stallman: Did I say Jobs was evil? I meant really evil

Chronos

If it were anyone other than rms?

Is the message wrong, or is it just because it's rms, who is an idealist, bringing the message that draws all the harshness?

They're *both* wrong. Non-free software can be ethical, providing you have a choice in what it does and how it is used. Unfortunately, Apple takes this one step further and produces non-free *devices*. Tell me truthfully, who owns your iPhone? Apple? Your service provider? If you've answered "me!" then you haven't thought about the principle of ownership. How can you own something when its software dictates to you?

What is owned is you, by the device. Continue along this slippery slope at your peril.

El Reg in email address blunder

Chronos
Thumb Up

Well done

See, you lot, this is how full disclosure is done. Hands up, we ballsed up. Anyone can make mistakes; it's how you own up to them that inspires confidence.

Apple iOS 5.0 downloads drive all-time UK net traffic high

Chronos
Trollface

The baaaandwidth!

So that's why it has been like wading through cold treacle this week. Pray excuse me while I go club some fanboys and/or their iShinies to death with a maul...

Steve Jobs memorial brings out tech titans... and Bono

Chronos
Gimp

Meh

When is the dmr memorial? Without Dennis, there would have been no OS X, iOS or any of the shinies you all adore so much.

Would you let your car insurer snoop on you for a better deal?

Chronos
Big Brother

How long

...until this turns into standard premiums for the "withs" and inflated premiums for the "withouts"? It's inevitable.

iPhone 5 a no-show at Apple's 'Let's talk iPhone' event

Chronos
Angel

Antennae

Antennas. It's radio, not insects.

Sorry, pet hate. I actually prefer "aerials" even though that's not a good term for things that are no longer exclusively up in the air.

Now, where's my "Steve Jobs with a lossy ringo ranger on his head" icon gone?

Ten... Androids to outshine the iPhone 4S

Chronos
Big Brother

re: Mandatory Google ID

And I just skip it entirely, install a custom notROM (currently CM7 nightly as the CM7 stable suffers from a most annoying hard-lock when charging on the Blade) without all the Google spyware muck and have done. There are plenty of .apks outside of the market to keep you busy, including some gems (ATide) that you can't get from Ogle.

Note well that there is currently no unlock solution for the Skate/Monte Carlo aside from those silly X-SIM adaptors that don't work very well with USIMs. The Blade/SanFran is still the budget phone to get if you want a half-decent system, some major de-Oglage and SIM-freedom and its absence here is a serious oversight.

Firefox devs mull dumping Java to stop BEAST attacks

Chronos
Thumb Up

Re: mod_gnutls

Just so everyone knows, mod_gnutls enables TLSv1.1 and 1.2 on Apache 2.2 without any issues. Works fine with IE9 on Windows 7 as long as you enable the two later TLS protocols in Internet Settings. The config is almost 1:1 's/SSL/GnuTLS/g' except that mod_gnutls needs GnuTLSPriorities setting for all virtual hosts.

http://modgnutls.sourceforge.net/downloads/docs/mod_gnutls_manual-0.1.html
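
The "almost 1:1" mapping described in the post above, shown side by side as an added example (not part of the original post and not taken from the mod_gnutls documentation). The host name, file paths and priority string are constructed placeholders.

```apache
# --- Before: mod_ssl virtual host on Apache 2.2 (kept as comments for comparison) ---
# LoadModule ssl_module modules/mod_ssl.so
# <VirtualHost *:443>
#     ServerName www.example.test
#     SSLEngine on
#     SSLCertificateFile    /etc/apache2/tls/example.test.crt
#     SSLCertificateKeyFile /etc/apache2/tls/example.test.key
# </VirtualHost>

# --- After: the same virtual host served by mod_gnutls ---
LoadModule gnutls_module modules/mod_gnutls.so

<VirtualHost *:443>
    ServerName www.example.test

    # Not a pure s/SSL/GnuTLS/ rename: SSLEngine becomes GnuTLSEnable
    GnuTLSEnable on

    # The certificate directive follows the rename...
    GnuTLSCertificateFile /etc/apache2/tls/example.test.crt
    # ...but the key directive is GnuTLSKeyFile, not GnuTLSCertificateKeyFile
    GnuTLSKeyFile         /etc/apache2/tls/example.test.key

    # Has no mod_ssl counterpart and must be present in every TLS virtual host.
    # NORMAL is a GnuTLS priority keyword; the suffix removes SSL 3.0 and leaves
    # whichever TLS versions the linked GnuTLS library provides.
    GnuTLSPriorities NORMAL:-VERS-SSL3.0
</VirtualHost>
```

Running `apachectl configtest` after the swap catches any leftover mod_ssl directive that has no mod_gnutls equivalent.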

Chronos
Angel

@Ken Hagan

Agreed. I see your point now. Apologies for not recognising it before.

A lot of the discussion on the OpenSSL lists has been met with "we mitigated this in 2006/7 with padding" which really isn't an adequate response. Yes, it may be fixed in OpenSSL itself, but those servers and clients that are relying on its crypto libraries aren't protected by the mitigation.

Using GnuTLS' OpenSSL compat is no use either; you're stuck with exactly the same situation where the calling process knows nothing of its other features. However, we can use mod_gnutls in place of mod_ssl on Apache to get TLS v1.1/2 support. I can see this becoming the solution of choice for Apache users if it delivers what it promises to, although we're still stuck with the client situation. I'm going to have a fiddle with it later on a test box.

http://www.outoforder.cc/projects/apache/mod_gnutls/

As for browsers, it's still either RC4 lockdown or Opera/IE on Windows 7.

Chronos

Re: FFS!

"How does this help? For an end-user whose bank doesn't use RC4, all your advice will do is force that end-user to switch browser to one that cares less about security."

In a standard LAMP stack, the switch from AES to RC4 by default is two lines, one if you disable all the other ciphers. Disabling SSLv2 completely is one more. They can be globals, so no faffing around in virtual hosts. It helps because RC4 is not vulnerable to this attack.

If the bank in question is too idle, stupid or both to make the necessary config changes, that's their lookout. They're the ones encouraging insecure behaviour, not the browser vendor if they do the right thing. My bank and Paypal, the usual excuses people keep wittering on about, support RC4 128 at least. You just have to tell the browser to prefer it. It is hardly rocket science and is an adequate stopgap measure while the industry tackles this prime example of multiple fail. Disabling various bits of functionality in the meantime is only going to destroy whatever good will the browser vendors have built up for something that isn't entirely their fault.

Oh, and @mangobrain, sticking GnuTLS on a server won't help. It supports TLSv1.1 and 1.2 but only Opera supports it on the client side. What's that, about 2.3% of market share in August? We need OpenSSL support for those protocols soonest. They will then find their merry way into at least Fx, Konq and Chromium.

Chronos
Facepalm

FFS!

Just turn off all ciphers bar RC4. Google have been running with RC4 as the default for years (although for performance reasons not security) and, with it not being cipher block-chaining, it's invulnerable to this attack. It's not as strong as AES, but AFAICT it hasn't been compromised yet. That would give them time to develop a proper fix or browbeat OpenSSL into supporting TLS v1.1/1.2.

But no, let's just make this a rip out features exercise. I can see why they're doing it: They want to make the problem visible so that hopefully someone with nous in the right place will take note.

about:config on existing versions will help you get RC4 only set up client-side. Very easy to enforce with Apache and OpenSSL, too.

W3C announces web-tracking privacy protection group

Chronos
Flame

Right.

Here's the deal, Big Business [TM]. You get caught using tracking cookies, DOM storage, flash or any other form of "supercookie" against users' wishes three times and we'll boot you off the web, take away your legal recourse and right to appeal and make you sit there and fester until we decide you can come back, which will probably be a fortnight after never.

You can't possibly object since that's what you want to do to users who cross your own self-defined lines of "common decency." What's sauce for the goose...

No, didn't think so. So pack it in. If you don't want measures like this, don't make them necessary. The next step is legislation which you won't be able to bitch and moan your way around, barring the odd "bought" representative.

Kernel.org Linux repository rooted in hack attack

Chronos
WTF?

Re: @Chronos

In the linked article on Phalanx and evolutions of the same: "The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel." Which is, coincidentally, what my peer told me had happened on his network recently before this story broke.

It was, of course, communicated as a vuln in OpenSSH. IMHO, it's nothing of the sort. OpenSSH is doing what it was designed to do, allow ssh access to anyone with the correct credentials that can reach whatever port it is bound to with the correct client and protocol. Once you're in as a local user, you might as well be sat at a serial console with those same credentials (IINYCAM). Your problem is credential and privilege management and those are OS functions. Everyone is so eager to shift the blame across to Theo and the "masturbating monkeys" of BSD that they're conveniently ignoring this little fact.

So just how does Phalanx II get root, hmm? In the recent past, local privilege escalation attacks have been predominantly via null pointer dereferencing errors and the OS's impotence where these happen. I *am* thoroughly sick of those, as are any number of people who have been bitten by them, so much so that the bsd.security.map_at_zero sysctl was created in double-quick time and my standard CFLAGS set now contains -fno-delete-null-pointer-checks. In fact, you'd better pray that it is because, if it isn't a null pointer deref, you've got some serious crap on your hands; in that case nobody yet knows what the hell the mechanism is or where it is and it has been proven to be exploitable from an unprivileged user's shell, which means this could bite people from many, many angles in the not too distant future. Either that or some numpty has been careless with bloody sudo, in which case they got what they so richly deserved.

It's either a failure on the part of the admin to enforce standard operational policy or a weakness in the OS. I'd much rather take the conclusions of a group of security experts than some random commentard who hasn't realised yet that all software sucks and it's only degree of suckage that separates it all.

So, uninformed or spreading FUD? You decide, dear reader. I've neither the time nor patience for this ad-hominem shit. There's a problem. Arse covering isn't going to help. Whose fault it is matters very little in the grand scheme of things to anyone but a PHB. Looking in the right places for vulnerabilities, however, does matter. Greatly.

Chronos
Facepalm

Gets root via kernel vulns?

Yet another null pointer deref issue? I am thoroughly sick of dealing with these. Isn't it about time mmap() at zero was globally disabled and anything that relies on this broken, insecure behaviour reworked so that it doesn't? Stopping the thing from getting root so it can install itself should be the first step, not piddling about blaming OpenSSH for insecure storage.

BTW, I did get a heads-up on this last week from a colleague in academia who got owned by a similar beastie. Looks like the same issue.

A Farewell to Oates: Adios, El Reg

Chronos
Joke

Re: "B" Ark

Red hats or blue?

Chronos
WTF?

Is everyone buggering off?

Rob Malda

John Oates

Steve Jobs <- the one that affects me the least

WTF is this, musical chairs? Some sort of wind-up? The 1337 leaving with the aliens? Tell me it ain't so! ;o)

Good luck in your future endeavours, John.

Amateur balloonists hit record 40,575m above East Anglia

Chronos
Facepalm

Re: Repeater input query

I doubt Brian was concerned about interference to the repeater. More like interference to your telemetry due to someone *using* the repeater which could have been anywhere in range given that you're on the input.

Oh, and best wisheses to you too ;o)

Man reveals secret recipe behind undeletable cookies

Chronos
Unhappy

Re: Redirecting the kissmetrics traffic?

Not so simple. The IP range in question is Amazon WS which I doubt you want to block completely. I have kissmetrics.com in the squidGuard blacklists already but that's trivial to circumvent if they start hosting that script locally or adding A records pointing to that host on the client DNS.

Bit of a bugger, really. I'm tempted to create a ClamAV signature matching that script's content and use Squid's Clam redirector. That would stop it dead - until they change the script. Snort might also come in handy...

RIM to turn in BlackBerry-using looters after London riots

Chronos
Thumb Up

@TeeCee

Nicely put, sir. Even the language is justified here as it's all these scrotes understand.

There's a world of difference between standing up for the rights of the individual and out-and-out criminality. What started out as something I might just understand protesting over (the death of an individual at the hands of the police) has now turned into just another excuse to behave like idiots, destroying other people's property and livelihoods.

DIY aerial drone monitors Wi-Fi, GSM networks

Chronos
Boffin

Re: milliGoogles

That's being redefined by ISO. It used to be a measure of hacking skill but now it's one of the two standard units of how much personal information you're willing to let escape to have a shiny toy or the latest bit of software.

One Google is equivalent to 333 millisteverts, defined on the basis of a comparison between Android and iOS PII leakage. The official term is "privacy decay" which happens in two types of emission, alpha and beta. The decay for transGoogle elements is usually beta.