* Posts by Ben Tasker

1880 posts • joined 23 Oct 2007

Spare some change, guv? UK's CCTV regulator pitches for £100k budget increase

Ben Tasker Silver badge

> In the SCC's legal submissions, barrister Andrew Sharland QC suggested it would be unlawful for police to take over existing CCTV camera networks and attach AFR recognition software to them.

The Home Office, presumably then, have already dispatched a missive demanding he's kicked out of the role. Can't have that kind of sense and reason encroaching on their AFR rollout.

Beware the fresh Windows XP install: Failure awaits you all with nasty, big, pointy teeth

Ben Tasker Silver badge

Re: Squirrel!

One of my colleagues had his fuel line chewed through by the squirrels in the office car park.

When one open-source package riddled with vulns pulls in dozens of others, what's a dev to do?

Ben Tasker Silver badge
Joke

Re: Minimize dependencies

> they are replicating stuff that's already available in the stdlibs or other imports.

Ah, you're being subjected to jQuery

US govt: Julian Assange tried to recruit hacker to steal hush-hush dirt and we should know – the hacker was an informant

Ben Tasker Silver badge

Re: Is the use of Agent Provocateurs legal in the US?

> If the alleged crime was instigated by the State, then surely there would otherwise be no crime but for the heated imagination of the State?

In this case, though, it wasn't instigated by the state was it?

Assange asked them for docs from those victims. It's not like they went to him and said "hey, we've got xxx, wanna buy it" and then have tried to prosecute him for being complicit.

Assange started it *and* the actual act was committed by people not involved with the state. It's just that those people were headed up by an informant (not an agent of the state, so different requirements would still apply).

Ben Tasker Silver badge

Re: They are doing this now?

Why would they do this earlier?

They hadn't started any public cases against him until much more recently, because he was hiding in his cupboard.

They may very well have been sat on this evidence for quite some time, partly due to there not being an appropriate venue to air it in, but also because of the "theatrics" that make up the US justice system.

Remember that they tend to like to sit on evidence, wait until you make a defense and *then* disclose the evidence that shows you're lying. That way they can discredit you, which may come in useful in other aspects of your trial when they refer back to it "so we're just to take the word of a liar?"

Laws on police facial recognition aren't tough enough, UK data watchdog barrister tells Court of Appeal

Ben Tasker Silver badge

Re: China's FR has been able to cope happily with face masks

I agree, you're reducing the number of identifying factors.

The important question, though, is whether the reduction is sufficient to be effective, i.e. does the number of false outcomes increase significantly enough that you can't simply increase manpower when doing manual reviews and the like (i.e. when pulling out someone's locations)?

Given we're talking about a state's resources - and in this case a state that may not mind too much if it's occasionally incorrect, I don't _think_ the drop in accuracy is going to be sufficient.

There are plenty of other reasons we should all wear masks in public, but dodging FR tech likely isn't one - and as noted, if it did become widespread, would probably not remain effective for very long at all.

Ben Tasker Silver badge

I don't see where I said it was more accurate than anyone else's; you seem to have inferred that yourself.

What I said was that it's able to cope with facemasks.

In fact, the only time I implied theirs was better than others was when I pointed out that it's quite possible that our lot underpaid and bought an inferior product. That's not nearly the same thing as China being at the height of technology.

> They just have better propaganda promoting its use. It's a bit like the lie detector, which "works" only because the subject being tested believes that it works.

Possibly. Although the number of people being picked up despite wearing masks would tend to disagree with it being purely propaganda. Of course, it may be that it wasn't FR which led to those arrests, and it's instead used as cover for an on-the-ground network.

I tend to think the false positive rate *will* increase with mask usage, but probably not so much so it can't be addressed with a bit of extra manpower put into checking the matches.

Ben Tasker Silver badge

> COVID19 and the wearing of face masks have made the police use of facial recognition pretty useless anyway.

*If* that's the case, then it's only because the police have bought a less advanced product.

China's FR has been able to cope happily with face masks for a very long time now, it's certainly possible to do.

Aside from some very clever t-shirt printing - https://www.wired.co.uk/article/facial-recognition-t-shirt-block - the only way to really avoid it is to completely cover your head (and then you'll stand out if you're the only one doing it, and other techniques like gait analysis would probably be rolled out if it became widespread)

On the other hand, the accuracy rate the police achieved with theirs probably tells you quite a lot about the quality of the product they're using, so it may well flag false positives based on what colour of mask you're wearing...

There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Ben Tasker Silver badge

Re: Solution, Billing = $

What happens when I find out your IP, decide I don't like you and regularly flood Akamai with UDP packets with the source address being yours so that you get billed? Even if you say "I've cleaned it", your ISP is going to get dubious quickly.

Not to mention, there are a lot of ISPs who couldn't be trusted with that responsibility

After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors

Ben Tasker Silver badge

Re: OpenPGP

Honestly, they don't really care about OpenPGP, because relatively few people use it compared to the low-hanging fruit of E2E comms like WhatsApp/Signal etc.

The whole intent is to be able to go back to dragnetting comms - just as they were before they got caught by whistleblowers, triggering a large uptake in E2E comms.

If their investigation leads to your PGP encrypted files, they've the resources (and mechanisms) to be able to focus on you - including simply locking you up for refusing to hand over the decryption keys.

Basically, they shat in the pool and hoped you wouldn't notice. Now that you have noticed and everyone's got out, they're trying to mandate that you have to swim in it. As long as they can get the majority in, they don't care about the relative few who scale the fence and escape (for now).

Google isn't even trying to not be creepy: 'Continuous Match Mode' in Assistant will listen to everything until it's disabled

Ben Tasker Silver badge

> we discovered that running an action under development is impossible if you have the Web and App Activity permission, which lets Google keep a record of your actions, disabled.

Related:

Our boiler went bang, so we needed a new one - we went with a Combi as that was on our "todo" list for the future anyway - along with that came a need for a new controller and thermostat.

After much soul-searching I decided to swallow my objections, and let them install a NEST thermostat, on the basis that it'd probably save me money on heating, and I could trivially segregate it away onto its own restricted wifi.

So, one of the selling points of NEST is the app, and the ability to see why it's changed the heating etc (as it "learns" over time).

Which brings me back to "Web and App Activity"

You can't use the sodding NEST App with a google-apps domain, freebie google domains only. You _can_ share access to the app via the Google Home with a google apps user, but *only* if the entire domain has "Web and App Activity" turned On.

So, you get to choose between

- Giving Google Permission to record basically everything you do

- Not being able to use the main fucking selling point of the product

We went with option number 2.

In Hancock's half-hour, Dido Harding offers hollow laughs: Cake distracts test-and-trace boss at UK COVID-19 briefing

Ben Tasker Silver badge

Yeah, but then you wouldn't have been able to award a £260m contract to people you know in order for them to suffer from Not-Invented-Here syndrome and piss about with approaches that everyone else already knows don't work.

The aim wasn't just to get a working app - that's easy - it's to get a working app whilst filling their mates' pockets. Embarrassingly for them though, turns out their mates are as incompetent as you might expect from people whose work seems to be solely derived from knowing the right people.

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher

Ben Tasker Silver badge

Re: Um...?

> but there's a restriction in that you have to have lock screen security turned on.

And will get a permanent notification in your notification bar saying something along the lines of "network communications may be being monitored".

A long standing issue that Google, frankly, couldn't give two short fucks about - https://issuetracker.google.com/issues/36984301

If you're going to install additional certs on Android, the only real solution is to root the device

So you really didn't touch the settings at all, huh? Well, this print-out from my secret backup says otherwise

Ben Tasker Silver badge

Re: Paper trails...

I had a boss who _really_ had it in for me - to the extent I was put on paid suspension on some made up charges that, unsurprisingly, later fell through (I've written about it previously).

Anyway, one of the things they did was pore over my attendance, hoping to find some form of unauthorised or unexplained absence.

BINGO. They managed to find a date where my sheet said I was on leave, but the HR system had no record of leave on this date. Could I please explain why I'd not correctly recorded my leave for this date?

So, in the meeting - with her boss present too - I produced the email where I'd checked with her about being off that date, and she said *she* would enter it into the HR system. I accompanied that email with a brief comment about how it was my understanding that a subordinate shouldn't need to check his manager had completed their tasks correctly.

Didn't go down very well.... She *really* had it in for me after that

Xiaomi Mi 9 owners furious after dodgy Vodafone software patch bricked their mobes

Ben Tasker Silver badge

Re: Identified Root Cause

The flip side though is that without automated updates, users don't voluntarily keep things up to date, meaning they miss out on security fixes.

But, I share your frustration, I don't want my UI fucked with *again* just for the sake of it.

Xiaomi emits phone browser updates after almighty row over web activity harvested even in incognito mode

Ben Tasker Silver badge

Re: What's the difference between Mi Browser and Google Chrome?

For one, I don't think Google have ever said "no they're wrong, we don't collect that". Their response seems to be more "Yeah we do, it's in the terms, piss off" than "fake nooos".

Also, Google actually tell you that Chrome will collect stuff, and they don't send full urls back

Xiaomi's issue here is derived from so much more than what their browser was doing. Their entire response to it has been utter shit - read their blog post (linked to in TFA), it's waffle that completely avoids the thing at issue, when it's not outright contradicting itself. It's that response which has blown it up into a brouhaha - had they said "yes, shit, we'll fix this" then there wouldn't have been nearly the same shitstorm.

Instead they went with "the people who found this are wrong"

UK snubs Apple-Google coronavirus app API, insists on British control of data, promises to protect privacy

Ben Tasker Silver badge

Re: Correction

Because private secrets never get leaked?

If spooks are hitting up a privately held database, it doesn't matter whether that private company considers it a secret, it's still more likely that information will leak than if the database is held by the spooks themselves.

The only way for 3 people to keep a secret is if 2 of them are dead etc

Ben Tasker Silver badge

Re: Correction

As a timely reminder of the kind of fuckery we're talking about incompetence wise, El Reg brings us Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard.

People are more willing to trust Google and Apple because they at least appear competent.

Ben Tasker Silver badge

Re: Correction

> Secondly, location & cell data is already happily donated free-of-charge to Google/Apple anyway.

That's pure whataboutery.

It's quite possible someone's willing to make the trade-off and let Google/Apple have this data because they trust them not to fuck up. It's just as possible that they don't trust the state not to fuck up.

It's not just about deliberate misuse, it's about competence and perceived motivations. Govt historically doesn't do too well in either of those categories.

> If the spooks were that minded, there are much easier ways of gathering it.

There are, but if you're involving a 3rd party (i.e. Google/Apple) there's a much higher chance of someone disclosing that you've been accessing it. That risk is greatly reduced if you own the database and the system feeding into it, particularly when people are expecting that system to feed back the information you need

Ben Tasker Silver badge

Re: Three steps to avoid this

"I would rather get corona and die"

This is not just about you and your personal choices. You might rather get corona and die but your choice affects other people who might be much more susceptible to dying from it and would prefer to live a bit longer

Agreed, but there's a more privacy sensitive option available and they've chosen to disregard it for no tangible benefit (as the article notes, their claimed benefits are going to fall flat once there's sufficient demand, and they'll end up automating anyway).

Other countries have realised that the outcome of going the more privacy invasive way is reduced uptake. Why does our government (with its fondness for data experts) think this will be any different - hell, as "experts" they should probably realise that their very presence (and proven attitude to data protection) will make people more wary, not less.

Sorry, but I'll not be installing it either.

Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and many more

Ben Tasker Silver badge

Re: @Whitter

> and a justice system not dealing with criminals.

Ah, another service that is massively underfunded for the demands that are being put on it. And that's before we consider Grayling and his "improvements".

Reg readers have not one, but TWO teams in Folding@home top 1,000 as virus-bothering network hits 2.4 exa-FLOPS

Ben Tasker Silver badge

Yeah, I found it too heavy-handed too, so I've moved it into a VM so that I can control the resources available to that and stop it impacting me while I'm working.

Looks like I've got a *lot* of catching up to do though.

Rethinking VPN: Tailscale startup packages Wireguard with network security

Ben Tasker Silver badge

> Perhaps the OP found the terminology a bit dumbed down?

Exactly that.

Ben Tasker Silver badge

It's not the admin screenshot I was referring to.

It's the use of the phrase "IP Numbers" in the article. They are IP addresses, and this is a technical publication - it was quite grating to read

Ben Tasker Silver badge

> the IP numbers

Am I the only one who felt really uncomfortable reading this in an otherwise excellent article?

I really have been quite impressed with Wireguard in the testing I've done with it though.

Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday

Ben Tasker Silver badge

Re: SMS is U/S for 2FA

> but I'd rather use an app as the second factor than a card reader.

Same.

One of my banks (I suspect same as yours) uses a card reader. When they introduced that they stopped being my primary bank because it just became too much of a hassle vs having a little code generator (as I have with another bank). I think they've actually scaled back how often you need the reader now though.

The (growing) issue I now have is banks who've taken their code-generating app and made it a full internet banking app too. I don't want that shit on my phone, I _just_ want the code generator (or better yet, for them to use TOTP so I can use my app of choice, and have just a single app)

Firefox now defaults to DNS-over-HTTPS for US netizens and some are dischuffed about this

Ben Tasker Silver badge

> I'd be more open to DNS over HTTPS if there was actually a number of resolvers people could run on their own equipment. Last I checked I haven't seen any (one recent forum thread on the topic here someone pointed me to a product but it ended up being a simple proxy to an already existing DoH provider, not capable of serving DoH from say a local BIND installation).

It's perfectly possible to run your own DoH Server. The post covers a few options for how you handle the back-end, but the base principle is

- Get the DoH terminator up and running

- Configure it to forward onto the resolver of your choice (which may well be a local BIND instance)

Personally I've got it forwarding into Pihole (for ad filtering), which then sends into Unbound (because I have some additional config in Unbound format). You can just as easily _just_ use Pihole, or install BIND etc.

I do fear the number of end user issues encountered as a result of split DNS on vpn systems where resolving some host externally results in a different address than internally and that behavior being intentional.

You _can_ address that to a limited extent where you're running your own DoH server. Basically, you need 2 and need to split-horizon those too. The internal one returns the VPN/local addresses, the external one the external addresses.

I've not done as much with that though.
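The post above describes a DoH terminator as something that accepts the HTTPS side and forwards onto a resolver of your choice. The following is an added example, not code from the post or from Pi-hole, Unbound or BIND: it shows the two things that terminator actually does for a GET request, namely unwrapping the DNS message from the RFC 8484 `dns` parameter (base64url without padding) and forwarding the untouched message over UDP to the back-end resolver. The upstream address 127.0.0.1:53, the sample query names and the transaction id are assumptions/constructed values.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) terminator core (added example).

Only the unwrap-and-forward step is shown; TLS termination and HTTP
serving are left to whatever web server or DoH software sits in front.
"""
import base64
import socket
import struct
from typing import Tuple
from urllib.parse import parse_qs


def decode_doh_get_param(query_string: str) -> bytes:
    """Extract and decode the base64url 'dns' parameter of a DoH GET request.

    RFC 8484 requires clients to send base64url *without* '=' padding,
    so the padding is restored before decoding.
    """
    params = parse_qs(query_string, strict_parsing=True)
    values = params.get("dns")
    if not values or len(values) != 1:
        raise ValueError("expected exactly one 'dns' parameter")
    encoded = values[0]
    encoded += "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded)


def encode_doh_get_param(message: bytes) -> str:
    """Inverse of the above: base64url without padding, as a client sends it."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 query with one question (RD set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(message: bytes) -> Tuple[str, int]:
    """Return (qname, qtype) of the first question, rejecting malformed input.

    A terminator should refuse garbage here rather than hand it to the resolver.
    """
    if len(message) < 12:
        raise ValueError("DNS message shorter than header")
    qdcount = struct.unpack("!H", message[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(message):
            raise ValueError("truncated question name")
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        if pos + length > len(message):
            raise ValueError("truncated label")
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(message):
        raise ValueError("truncated question fixed fields")
    qtype = struct.unpack("!H", message[pos:pos + 2])[0]
    return ".".join(labels) + ".", qtype


def forward_to_resolver(message: bytes, upstream=("127.0.0.1", 53), timeout=2.0) -> bytes:
    """Send the raw DNS message to the back-end resolver over UDP, return the reply.

    The upstream address is an assumption: point it at Pi-hole, Unbound, BIND
    or whatever the terminator is configured to forward to. Needs a live
    resolver, so it is not exercised by the offline sample below.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message, upstream)
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != message[:2]:
        raise ValueError("transaction id mismatch from upstream")
    return reply


def handle_doh_get(query_string: str) -> Tuple[str, int]:
    """What the GET handler does before forwarding: unwrap and sanity-check."""
    return parse_question(decode_doh_get_param(query_string))


# Constructed sample: a client asking for the A record of example.com
SAMPLE_QUERY = build_query("example.com", qtype=1, txid=0x1234)
SAMPLE_QUERY_STRING = "dns=" + encode_doh_get_param(SAMPLE_QUERY)

if __name__ == "__main__":
    print(SAMPLE_QUERY_STRING)
    print(handle_doh_get(SAMPLE_QUERY_STRING))
```

The same decode step applies to a POST with `Content-Type: application/dns-message`, except that the body is the raw message and no base64url handling is needed; everything after `parse_question` is identical.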

FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more

Ben Tasker Silver badge

Re: Internet facing database?

A place I rented a while back had a covenant on it saying you couldn't have a rooftop aerial.

The reason was there was a community aerial, with the cable run and maintained by Virgin Media.

It had broken 5 years before, and Virgin never fixed it despite many complaints/reports over the years.

You might be unsurprised to hear that this led to them getting the princely total of 0 customers when they tried to push their cable/internet services on that particular road.

Virgin Media are, and always have been, completely and utterly crap. They entice you in with sweet offerings, attempt to lock you in, and then leave your services to rot for as long as they think they can get away with.

That they'd have done the same with a database is no real surprise

Come on baby light me on fire: McDonald's to sell 'Quarter Pounder' scented candles

Ben Tasker Silver badge

Re: "Please let it be a joke"

Convenience?

Come back when they're self lighting.

NBD: A popular HTTP-fetching npm code library used by 48,000 other modules retires, no more updates coming

Ben Tasker Silver badge

Re: Seems Optimistic

If your code relies on this module and you can't replace it in one full year or so then I think the problem is with your resource management.

You could say exactly the same about Python 2 <-> Python 3. And with that you at least don't have the issue of some module you use also relying on the deprecated module.

The world just doesn't work that way, even if it should.

A lot of businesses won't pay for refactoring of something that's currently working, and devs often won't go out and learn a new library if they've got one that works just fine (now) that they're very familiar with.

None of this is the problem/fault of the requests maintainer of course, I was simply commenting on the fact that I think he's still somewhat underestimated the inertia.

Ben Tasker Silver badge

It's a node thing.

Quite some time back, builds started breaking because a dev withdrew his modules.

The biggest breakage - left-pad - a module to pad the left hand side of a string with zeros/space, very much a built in for strings in most other languages.

It was at that point that NPM realised they needed to prevent devs from removing their code, otherwise breakage is near certain.

Ben Tasker Silver badge

Seems Optimistic

11 months notice seems a bit optimistic to me.

Python 2 had its EOL extended by five years, yet there were still people complaining about its EOL earlier in the year because they hadn't started using Python3 for new projects (or porting old code over).

I don't overly blame the guy for ending support (you've got to at some point), but I think even his caveated position is a little overly-optimistic on how long it'll take for people to move to something else. As long as request works, people'll continue using it because they're familiar with it (path of least resistance).

At some point there'll probably be a short-sharp shock as some bug/vuln is found and people start to actively realise what it means to introduce unsupported dependencies into a project

It's a Bing thing: Microsoft drops plans to shove unloved search engine down throats of unsuspecting enterprises

Ben Tasker Silver badge

Re: Questions II?

I stopped using Google Search a while ago.

I don't use Bing directly, but use Ecosia which uses Bing as the underlying SE.

I've not had any issues with it really. I tried Bing when they first launched and found it more or less unusable, but it does seem to have come a long way.

Ben Tasker Silver badge

Re: More of the same

> Well the whole point of setting the default web search to Bing in a corporate setting where Office 365 Pro is in use is to ensure that search terms do remain “confidential” (at least, they remain within the agreed data bubble with the company and MS).

One of the original complaints, though, was that this claim simply does not hold up to scrutiny.

What you're actually potentially doing here, is training employees that it's OK to type confidential/sensitive information into the omnibox.

Which is all well and good when the search goes to MS (the agreed provider). It's not so good if the user is in a browser whose search engine hasn't been changed (or has changed back). That might simply be because they're working from home today, or might be because they got fed up of Bing serving them porn and changed it back to Google.

So, you may actually be increasing the risk of information being exposed, not reducing it.

Google's second stab at preserving both privacy and ad revenue draws fire

Ben Tasker Silver badge

"insisting that people do prefer targeted ads over untargeted ones"

I'm a sample of one, but here's my experience in this respect.

My site has Google Ads on it. When GDPR was becoming a thing, and Google _finally_ gave us the option, I turned off behavioural targeting.

The ads are now chosen based on the content of the page (as crawled by Google, rather than "real time").

> "I think something like TURTLEDOVE is feasible, and is necessary for dropping 3p cookies without trashing web sites' ads revenue,"

My ad revenue has grown considerably since then, and not in proportion with growth in traffic. My explanation for this is that the ads are *better targeted* based on the surrounding content than they are if they're based upon stalker-ware. So there may be some truth in the idea that people prefer better targeted ads, but what that actually means is they prefer more relevant ads. Google and other advertising networks are seemingly crap at making ads more relevant with stalkerware.

As a "publisher", I wouldn't go back to behaviourally targeted ads. Quite aside from the moral side of things, the un-targeted ones seem to be far more profitable. (I also don't run any anti-adblock stuff, the ads are there to help me keep the lights on, but if you don't want them then blocking is fine with me.)

Hey GitLab, the 1970s called and want their sexism back: Saleswomen told to wear short skirts, heels and 'step it up'

Ben Tasker Silver badge

I didn't miss your point, it's just that it's a strawman.

No-one is sitting and pulling people's words apart in this story.

Ben Tasker Silver badge

Re: Quit wearing heels

I remember sitting in on a conversation between the bloke tasked with overseeing H+S and a woman in the office.

He took the position that she needed to be issued some safety boots in order for her to go out onto the shop floor, what with it being full of (heavy) aviation stores and the like.

She took the position that she didn't like the boots and wanted to continue wearing her open-toed sandals, and that changing in and out of the boots for her trips onto the shop floor was too much hassle.

It was eventually "resolved" with an agreement that he'd issue the boots, and a letter explaining how important they were, and that she'd do what she felt was best and accept that the employer was going to try and deny all liability if she ended up toeless.

She did occasionally complain of having hurt her feet too - almost always through dropping something like a bolt - easily handled by safety boots.

To this day, I've never been able to work out what the hell was going on in her head.

Ben Tasker Silver badge

I disagree. If it bothered them, they would be justified in saying "I don't feel comfortable doing that" - whether male, female or non-binary.

They would indeed be justified. But some (a lot) of people don't enjoy being put in the position of having to say that to their employer (who, after all, they rely on financially).

The whole point is that you shouldn't be put in that position in the first place.

Your position is like claiming it's fine to say "'ere love, fancy a fuck?" to every woman you meet because she's allowed to say "no". That's really not how this works

Ben Tasker Silver badge

> Avoiding possibly insulting someone is hard if people are going to pick apart your every word, and decided they're going to be offended on someone else's behalf, isn't it?

You seem quite put out by the idea that it might not be OK to tell women they should wear short skirts and heels to a work do.

I'd suggest that the issue isn't that the world's generally gone mad and is getting upset over every little thing, but that you're simply perceiving that to be the case based on very little.

> decided they're going to be offended on someone else's behalf, isn't it?

If you actually read the story, you'll note that at least one of the people objecting is in the group that were told to wear short skirts.

EU tells UK: Cut the BS, sign here, and you can have access to Galileo sat's secure service

Ben Tasker Silver badge

Re: WW III

If I remember correctly we also developed the rule that said that non-Member states can't have access to the secure parts - and then insisted on it.

Not call, dude: UK govt says guaranteed surcharge-free EU roaming will end after Brexit transition period. Brits left at the mercy of networks

Ben Tasker Silver badge

Re: Bankers

As opposed to the mindset that says "everyone should do this, or they're wrong", and has absolutely no contingency in place for the fact that the majority will probably stick 2 fingers up and carry on the way they were and not give a toss if you think they're wrong?

When you're designing a solution to something, you *have* to factor in existing behaviours and use-cases. It doesn't matter whether you think they're valid or not, if they exist you need to work out how you're going to either accommodate them or smooth the transition for users.

To take your example, we know a simple way to reduce our impact on the environment - use less stuff, throw less stuff away. It's a simple message, but simply using that as a message isn't really working is it? Whereas designing solutions that fit into common use-cases - replacing tungsten bulbs with increasingly energy efficient bulbs - is working. The overall benefit is less than if everyone stopped being shits overnight, sure, but the latter simply isn't going to happen.

There's even a common saying in relation to this - "Don't let perfect be the enemy of good"

Ben Tasker Silver badge

Re: Bankers

If your solution to a problem is to tell the users they need to massively change the way they're doing things, then it's not a good solution. Getting a local PAYG SIM isn't an option in a good number of countries.

You also tend to find that "just another business cost" has knock on effects too - whether that's the cost being passed onto customers, or those increased costs meaning departments are less able to spend on other important stuff.

It's not the biggest issue with Brexit by a very long fucking shot, but it's not quite as easy to dismiss as you seem to think it is.

It’s not true no one wants .uk domains – just look at all these Bulgarians who signed up to nab expired addresses

Ben Tasker Silver badge
Joke

> retain the .uk equivalent of someone's .com or .net, pack the site with pages that look the same and offload some nasties on the off chance that they will stick

Somewhere there will be a rule that says you can't serve malware under .UK and Nominet will probably consider it the registrant's responsibility to report themselves if they are in fact serving malware.

Apple: EU can't make us use your stinking common charging standard

Ben Tasker Silver badge

Apple argued any move compelling it to ditch the Lightning port, which has been a staple of the iPhone for almost a decade, would inconvenience its customers, simultaneously creating an "unprecedented volume" of electronic waste.

Bit of a cheek there given the idea of a common charger was suggested nearly a decade ago. Had Apple got on board then, then there'd be a decade less e-waste that they'd have generated. Not to mention that that e-waste impact doesn't seem to be as big a deal to them when they do things like change connectors and/or remove ports.

Hapless AWS engineer spilled passwords, keys, confidential internal training info, customer messages on public GitHub

Ben Tasker Silver badge
Joke

Re: Another take home...

One of them, your boss shouts at you, the other he laughs at you

Remember that Sonos speaker you bought a few years back that works perfectly? It's about to be screwed for... reasons

Ben Tasker Silver badge

Re: Ludicrous

> I would like something that take input from Android as well, ideally, or a central music store

Have a look at Subsonic - http://www.subsonic.org/pages/index.jsp

I switched from Play music over to self-hosting ages ago. My only real criticism of it is - did it *have* to be in java :(

So you run subsonic in a VM and then your clients stream from it (and locally cache where possible).

There are Android apps available, the free one's a bit meh IMO, but DSub works *very* well for my needs. If you google Jamstash you'll also find a HTML5 interface you can drop on it to have kiosk stuff (like a Pi with a touchscreen) just go to a simple webpage for playback

I now buy my music from wherever, and download it into the NFS share that Subsonic looks at, and it's available to all our devices as well as a few "built in" appliances I've put into some rooms.

Vivaldi opens up an exciting new front in the browser wars, seeks to get around blocking with cunning code

Ben Tasker Silver badge
Gimp

Re: I'm puzzled...

In fairness, WhatsApp Web is an absolute shit-head for browser blocking in general - it's not just Vivaldi that gets impacted.

I've had it block Chromium, and just occasionally decide that Firefox on Linux can fuck off too.

I tend to just have UA switcher tell it I'm on Safari on Mac now, and everything works fine. In fact, I think WhatsApp Web was my first experience of being blocked based on UA in nearly a decade

Icon because the WhatsApp developers have gimped their own product

Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads

Ben Tasker Silver badge

Re: Security layers

> Nesting VPNs would probably be a workaround unless the method used here can be used to drill down through the layers.

Because of the way it works, that wouldn't help you much either.

If you have the following interfaces on your system

tun0 10.10.10.10

eth0 192.168.1.10

Where tun0 is the VPN virtual interface and eth0 is your physical NIC.

The way this works is that the attacker sends SYN-ACKs towards your eth0 with the dest IP in the packet header being for 10.10.10.1 then .2, then .3 to see what responses it gets. Eventually when it reaches 10.10.10.10 it'll get a response - a RST packet.

They now know what the IP of your tun0 is, and can start the rest of their process.

If you nest your VPNs the way most people do, you'll just end up having tun0 and tun1. You may buy some time if they stumble on the IP of tun0 first and try and inject using that, but the process isn't too different if they find tun1 (though the extra padding of having another tunnelled connection might throw them off).

The article didn't mention it, but Amazon Linux followed up with an interesting use of this attack where (with some effort) an attacker could use this to spoof DNS responses from a "trusted" DNS server at the other end of the tunnel
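The probing the post describes relies on the host answering packets for its tun0 address even though they arrived on eth0. The following is an added example, not code from the post, the article or any VPN product: it models the two host-side checks that reject exactly that traffic, strict reverse-path filtering (the behaviour of the Linux sysctl `rp_filter=1`, which drops a packet whose source would be routed out a different interface than it arrived on) and a rule that the tunnel's address is only reachable over the tunnel interface, and runs them over constructed packet records. The tun0/eth0 addresses are the post's; the routing table, the remote address 203.0.113.5 (TEST-NET-3) and the LAN neighbour 192.168.1.50 are constructed.

```python
"""Host-side checks against cross-interface probing of a VPN address (added example).

Models strict reverse-path filtering plus "tunnel address only via tunnel"
and applies them to constructed packets. Nothing here touches the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source address as written in the header (may be spoofed)
    dst: str     # destination address
    flags: str   # TCP flags, e.g. "SA" for SYN-ACK


# Addresses bound to local interfaces (layout from the post)
LOCAL_ADDRS: Dict[str, IPv4] = {
    "tun0": IPv4("10.10.10.10"),
    "eth0": IPv4("192.168.1.10"),
}

# Constructed routing table: the LAN and VPN subnets are connected routes,
# the VPN carries the default route (the usual full-tunnel setup).
ROUTES: List[Tuple[Net, str]] = [
    (Net("192.168.1.0/24"), "eth0"),
    (Net("10.10.10.0/24"), "tun0"),
    (Net("0.0.0.0/0"), "tun0"),
]


def route_iface(addr: str) -> str:
    """Longest-prefix match: the interface this host would use to reach addr."""
    ip = IPv4(addr)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def check_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for an inbound packet."""
    dst = IPv4(pkt.dst)

    # 1. Strict reverse-path filtering (rp_filter=1 semantics): the source must
    #    be reachable back out through the interface the packet arrived on.
    #    A packet carrying the remote server's address but arriving on eth0
    #    fails this, because that address is routed via the tunnel.
    expected = route_iface(pkt.src)
    if expected != pkt.iface:
        return "drop", f"rp_filter: {pkt.src} is routed via {expected}, arrived on {pkt.iface}"

    # 2. The tunnel address is only valid over the tunnel. This is the packet
    #    the post describes: dst 10.10.10.10 delivered to eth0. Without this
    #    rule the host would answer it (with a RST) and confirm the address.
    for iface, local in LOCAL_ADDRS.items():
        if dst == local and iface != pkt.iface:
            return "drop", f"{dst} belongs to {iface}, arrived on {pkt.iface}"

    # 3. Anything not addressed to us is not ours to answer (no forwarding),
    #    which covers the rest of the sweep across the 10.10.10.0/24 range.
    if dst not in LOCAL_ADDRS.values():
        return "drop", f"{dst} is not a local address"

    return "accept", "ok"


def audit(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply check_packet to each record, keeping the verdict and reason."""
    return [(p, *check_packet(p)) for p in packets]


# Constructed sample traffic
SAMPLE_PACKETS = [
    Packet("eth0", "192.168.1.50", "192.168.1.10", "S"),   # ordinary LAN connection
    Packet("tun0", "203.0.113.5", "10.10.10.10", "SA"),    # genuine reply over the VPN
    Packet("eth0", "203.0.113.5", "10.10.10.10", "SA"),    # remote address, wrong interface
    Packet("eth0", "192.168.1.50", "10.10.10.3", "SA"),    # sweep hitting a non-local address
    Packet("eth0", "192.168.1.50", "10.10.10.10", "SA"),   # sweep hitting the tunnel address
]

if __name__ == "__main__":
    for pkt, verdict, reason in audit(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt.iface:5} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
```

Check 2 is the one that matters for the probe in the post: a LAN-sourced packet passes strict reverse-path filtering, so rp_filter alone still lets the host answer for its tunnel address, and a firewall rule dropping traffic to the tun0 address on any interface other than tun0 is what closes that.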

Bose customers beg for firmware ceasefire after headphones fall victim to another crap update

Ben Tasker Silver badge

>> Active noise cancellation needs code to execute to work.

>

> No it doesn't. Just in these ones it does.

>

> Active noise cancellation has been a feature way before headphones needed firmware updates.

I'm not saying you're wrong about it being possible to do noise cancellation purely in hardware, but not needing firmware updates isn't the same thing as not running software (having code execution).

It's not been at all uncommon in the past for something to run software but for updates not to be provided, or at the very least not be provided (or referred to) in any kind of a self-serve manner.

Much the same way as _most_ people didn't talk about updating software on their cars 10 years ago. Software updates were available and generally installed by dealers though. The fact you can self-install the updates (on some models) now doesn't change that older cars also had software running

/pedantic

Ben Tasker Silver badge

Re: Noise cancelling

> Much like it makes my skin crawl when I see people riding motorbikes without wearing proper bike gear. Sure - it's their skin that'll get taken off by gravel rash[1] but I have just about enough empathy to feel it..)

I remember being told, back when I was a teenager, that at 30MPH for every second you're sliding on tarmac (not rougher concrete) it'll take an inch off the depth of your skin

Now obviously because of friction you don't slide for very long, but sanding even 1/10" off your skin?

I always wore my leathers after that, and with the benefit of hindsight, it's just as well, I've fucked myself up enough without shaving bits off too
