Posts by Ben Tasker

Re: "OBD-II port is mandatory on all cars sold since 1995"

My guess would be that it applied to all new models from that date, with an exemption for some period for models already on sale - that how a lot of regs like that tend to be.

It was mandatory from 2001 (petrol) and 2004 (diesel) on all newly manufactured cars (regardless of the age of the model range). It was fitted to some cars before that, other manufacturers (*cough* Citroen) used an OBD-II port as the physical interface, but didn't use spec-compliant protocols, so it looked like you could use your diagnostic computer when you couldn't.....

Definitely wasn't mandatory from 1995 though

Re: Sky and UHD

Is there anything on TV anywhere in the world where seeing it in UHD in an average living room would actually make a difference to the viewer?

Almost certainly - start overcompressing the shit out of their HD channels, to make 4K look worth having, - will be enough for 90% of their subscribers to start going with 4K instead.

To be honest, I'm still not that convinced of the benefits of HD in some contexts. IIRC there was quite a thing about football matches being in HD, why? As long as you can see the players and the ball clearly, do you need to be able to identify individual blades of grass?

Movies in particular benefit though, and will likely benefit all the more so from 4K, and at least (unlike 3D) it'll apply across the whole movie rather than being used for the benefit of a 2 minute scene.

Re: "Violated"

To know so little about how women operate in the world and what is a threat to them is worrying. You might think that the poor dears are fraidy-cats and not willing to have a laff, but men don't grow up in a culture of constant threat. Count how many girls and women have been raped and killed this year alone, compared to boys.

You seem to be under the impression that the rape of men isn't an issue (in terms of numbers). I'm assuming you meant men rather than boys specifically?

Taking the first hit in google (for the UK), 69,000 women and 9,000 men were raped a few years ago, _BUT_ there's a fairly pervasive theory (advanced by a woman, if that matters to you) that only in 1 in 10 male-on-male rapes are reported due to the social stigma.

Female on male rape, historically, hasn't been treated with anywhere near the same severity as male-on-female, so a reasonable number of victims either don't report, or get nowhere when they do report.

If you want to try and correct 'sexist' views, feel free, but making generalisations about rape rates simply makes you look an idiot - rape is an incredibly abusive act, whoever the victim, and comparing numbers does nothing but further dehumanize the victims.

There is no such thing as "it's just a cock pic" if the man and the woman are not in a relationship. It is always a threat. It doesn't have to mean that an attack is about to come, it just says, "I can rape you."

I think you're unfairly generalising here too. I know and have known women who would probably laugh this off just as some have been doing in the comments. I've also known blokes who would have been incredibly put out by receiving an unsolicited picture like this (whether cock or tits). People differ, simple as.

Not, mind you, that I'm saying it's ever appropriate to send something like that to someone you don't know.

The men who do not get this are seen by pretty much every woman as one of the men who will sens cock pics to women he doesn't know.

For the record, I disagree with most of the generalisations you've cast, but I'm definitely not one of the ones who'd think it was OK to send pics like that.

Just to add to your frustration (it certainly added to mine) with Assange. From the BBC news story

"There was no need for any of this. I am an innocent man. I haven't even been charged," said Mr Assange.

In a story about how the case was being dropped because they hadn't been able to interview him in time, and Sweden's requiring the suspect to be interviewed so charges can be brought. Of course he hasn't bloody been charged, because he's quite successfully evaded the step required before charges can be brought......

Although as he's voluntarily locked himself in a tiny embassy for years, "getting away with it" obviously isn't true.

The Ecquadorian ambassador has also, presumably, been getting a bit of come-uppance for sheltering him (he's a bail-jumper so regardless of your beliefs on the other charges, it seems a fair term).

Re: When is a BIOS not a BIOS?

That would require someone in Government who even understands what the problem is... no hope in UK then.... they are just a bunch of ignorant oldies who's kids use the internet... and who themselves think that IT is something to do with Candy Crush (played on ipads during work time).

And the Police are all stupid.....

Generalising like that is incredibly dangerous, as it leads to deliberately underestimating a potential enemy/adversary. Yes, there are a lot of people in Politics and the Civil service that don't understand computers, just as the private sector is full of the same types of people, but working on the assumption that there's noone who understands is a bad idea.

You can be reasonably sure that the types employed by GCHQ do understand this, and the potential risks/benefits it presents (depending on what your aim is...), and if CESG or similar make a recommendation against using such kit, most departments will likely (at least half) bear that in mind.

Re: Biometrics

Precisely, even when we're 100% certain we've got it right, authentication tokens need to be revokable and replaceable for when we find out we were wrong.

As others have said, biometrics have a good potential use as an identifier (i.e. a username) but really are bugger all use as a single authentication method.

As part of a two-factor authentication method, they have some merit from being less fiddly, more straightforward than a otp generator. With the massive drawback of being irreplaceable the second a manufacturer cocks up. The solution in that case would be to revert back to hardware tokens, so why waste time/money on biometrics in the first place? Not to mention what happens about getting other sites/services/suppliers to stop honouring your biometrics.

And that's taking a somewhat generous view of the possible worst case scenarios..... so yeah, not for me...m

Re: Lazy people's problems

It's not really a suitable solution if you care about being sure the data is actually gone/unreadable.

For the paranoid, the following are just a few examples of the possible issues that might lead to the data being recoverable

- NSA has cracked it (as you say - though unlikely on it's own)

- Manufacturer has fouled up the crypto implementation, so it's not as well encrypted as you thought

- Manufacturer has bollocksed up the key erase, so they key's still there if you know how to access it

There are probably a good number of other possibilities too, and whether they're applicable depends on how much you need to protect the data, and who might get hold of the drive.

Ultimately, if you want to be sure the data is gone, the only solution is the physical destruction of the drive. For most people, that probably is overkill, but ISE is a "should be good enough" solution rather than a cast-iron guarantee.

Re: Clueless security firm discovers the '90s

Yes and no, if you read the actual paper there's some interesting stuff in there. It's not quite as simple as "If you let people edit templates, they can run code", which let's face it, should be a given.

There's an example of a Wiki which attempts to sandbox you, but exposes a method that will allow you to save as the user currently viewing. So rather than simply entering your payload, you wrap it in a call to check if the user is an admin, and if they are silently save as them. Given that the point in a Wiki is generally that anyone can edit, that's a pretty big flaw.

There are a few other bits in there, and it's definitely worth a read. I'd agree the baseline is pretty much common sense, but it's still worth 5 mins of your day, if only to see just how easily some of the sandboxes can be escaped.

Re: Peachy.. just peachy...

At least they were using a decent hashing mechanism for passwords, though it does feel like that's about where their attention to security may have stopped.

IANA is currently on a seperate network, but how many here believe that would still be the case if/after ICANN win the contract (especially in the long-term).

On the upside, this time round, it's of a scale similar to this - https://xkcd.com/932/

Re: At least WordPress' updating system is good...

Easy updating, to me, is a *major* selling point - some CMS'es I've seen are utterly appalling when it comes to updates, often requiring days (I'm not kidding) of work to upgrade them.

Unfortunately, even amongst those (like Wordpress and Joomla) with a decent update solution it's not always that cut and dried. There are 'web developers' out there who think nothing of hacking away at the core code in order to achieve their end result - happy client pays out for their new site and then finds the whole think breaks when they next update (or worse, are advised not to update because it'll break the site).

Obviously that's less of a risk if your build your own site, or use someone decent, but it happens often enough I figured it was worth mentioning. Some of the core hacks I've seen have been horrible, most have also been pointless in that it would have been no extra work to do them properly (i.e. without touching core code), the developer obviously just didn't know how.

The worst was a change to Joomla's authentication pages, it took me < 10 minutes to create an authentication plugin to achieve the same end, and without rendering 'protected' areas public at the next update. There's little worse than tidying up someone else's mess.

Re: Public sector it jobs

Yup, there tends to be one of two reasons for doing them

A) idealistic (e.g. serving my country)

B) No other choice (whether through proximity or some other reason, like pigeonholing yourself)

It's easy to see something like an FBI (or better GCHQ) role and romanticise it a bit (playing with cool potentially secret stuff), but whilst it may be true that you _might_ get to see and do stuff you couldn't in civvy street, we all need to put bread on the table, which, as a rule, is easier the more you earn.

Re: Sorry, chaps

Depends on your point of view really, Sky TV is what £15 a month, or more if you want a decent selection. That's £180 a year.

Amazon Primeis £79 a year, so less than half.

Netflix is (I think) £6.99 a month, so slightly more expensive that Prime. IMO, Prime have got a better catalogue than Netflix too, though things change.

Of course, the major difference is, Sky will let you pay month by month whereas Amazon want the lot upfront, which (to me at least) does make it less attractive, but personally I wouldn't call it a lot of dosh in comparison to the competition.

I've a few other bugbears with Prime, but the overall cost isn't really one of them.

Re: Driver Clashes

I think the point is, if Microsoft are going to force updates on people, they need to be damn sure those updates are not going to break any of the myriad of configurations out there.

When there's an ability to disable and vet updates (i.e. < Win 10), you've some scope for saying "95% of systems handle the updates fine", because the other 5% can disable automatic install and perform due diligence.

When you're insisting that updates install automatically, you have far less wriggleroom to be able to justify not making sure 99.999999% of systems won't get killed by your updates.

I had that rollercoaster feeling last week.

Brown envelope turns up along with a sense of dread

Contains letter saying I've overpaid by a fair bit, sense of delight

Realising that's the money I'd been sending to offset my _next_ return, sense of dissapointment

Re: Dear hacking team

Especially with the "if it had been a media company".

Had the media's voicemail (don't like calling it phone hacking) scandal come out as a result of their systems getting compromised, I've a feeling people would have been just as upset

Re: Correlation, causation, and conclusions

Botnets are decreasing in abolute terms? Interesting. Botnets decreasing in relationship to aggregating personal computers numbers with devices/platforms that may, or may not have relevance to botnets? What does that mean? Anything?

It also appears to ignore the fact that higher value targets are seemingly being preferred when building/adding to a botnet.

Commandeering a few crappy PCs on crappy DSL connections vs commandeering a single server on a high-quality 10/100/1000 connection..... statistically, the botnet is smaller if you do the latter, but it's also far more capable for certain tasks.

I've been seeing a lot of it as well, annoyingly combined with stuff that's obviously spam making it into my inbox.

I don't quite get how a thread I've replied in can get marked as spam, whilst "I'm a 21 years old, so I desire 2bang you" gets an A-OK.

Re: AFC Kredieten

Well AFC Kredieten must have a really low credibility rating if they thing the gutter is a good place.

Having just taken a look at their website and seen a Plesk default holding page, I think it's safe to say credibility is pretty low. Them using Plesk probably also answers 'how did they get in'.

Re: Seems Fair

Or, what if I shorten it http://bit.ly/1r8EgyY. Am I in trouble, or is Bit.ly?

Re: Rape victims not a great example

@Drewc

Those accused of rape aren't though. Someone has a false allegation made against them, ends up in the papers and forever has their name tarnished.

Though, to be fair, I don't believe the right to be forgotten is the way to fix this. For crimes that have a strong knee-kerk emotive link to them, the accused needs to be guaranteed anonynimity too (until the point of conviction).

Re: The Real Story About The Bitcoin Blockchain

> I've gone from crazy to "a stretch". That's progress.

One argument simply being a stretch doesn't stop the theory from being crazy, though hyperbolic would likely have been a fairer original description.

> I assure you that a court would consider adding an official block to the blockchain to be a consideration passed from the miner to bitcoin in order to qualify for a prize.

I don't doubt you could find _a_ court who'd consider it, but realistically the court you'd ultimately need to convince in the US is the Supreme, and there's still the rest of the world to think about.

You could also argue that the blockchain is a community asset, and that in fact there isn't a sole entity acting as a lottery operator - not only does that make it harder to shut down, it's a little harder to prove that there's sufficient benefit to call it a lottery in the legal sense.

There's also the difficulty of how they'd manage the confiscation if it were to come to pass, but that's not something you'd consider when having the is/isn't argument.

I doubt the US govt would think twice if it brought them financial benefit, mind, so that's not to say it couldn't be made to fit

Re: Local control

Presumably, if .fk were to be taken away (not that I think it would), the fallback would be precisely that...

Re: Randomising MAC address

> It's only the MAC address used when probing for known networks that is being randomised. As soon as you connect (or try to connect) then you're using your real MAC address. More details here.

That's how iOS 8 does it, but not how the experiment was run. The devices MAC was randomised before connecting to a new network but wasn't then reverted back to the real address.

They essentially ran

MAC_ADDR=06:`openssl rand -hex 5 | sed 's/\(..\)/:\1/g;s/^.\(.\)[0-3]/\12/;s/^.\(.\)[4-7]/\16/; s/^.\(.\)[89ab]/\1a/;s/^.\(.\)[cdef]/\1e/'`; sudo ifconfig <WLANIFACE> ether $MAC_ADDR; networksetup -setairportnetwork <WLANIFACE> <ESSID> <WiFi KEY>; echo $MAC_ADDR >> <PATH_TO_LOGFILE>

(they used the 06 at the beginning to identify trial participants and DHCP/VLAN them differently).

More info on mentor - https://mentor.ieee.org/privecsg/documents

There's some interesting reading there actually....

Re: like son like father?

According to wookiepedia (seriously), yes - http://starwars.wikia.com/wiki/Mark_Hamill - just before filming closed for the first film.

Re: To Append A Necessary Phrase.

Partly true - if it was viewed that they weren't likely to become self-sufficient we should cut food aid (so starve them).

But also, if we viewed that a particular region had more promise than the country as a whole, we should encourage a seperatist movement.

So to my mind, that's tantamount to starving them into starting a civil war.

He also floated the idea of mass sterilisation via the water supply and then discounted it on the basis that there hadn't been enough research into it.

I know we're talking about a doomsday scenario, and hard decisions would need to be made, but if you're going to effectively sentence an entire country to death (leaving aside the 'who has the right?') at least make it a bit more humane than starvation y'know?

Re: Looks like, walks like, talks like...

The point of a federated system is that you can choose an identity provider which you trust,

I'm being slightly pedantic, but, Given the providers involved, I think it's more a case of choosing the provider you distrust least. Take a look at the list

Barclays

Digidentity

Experian

GB Group

Morpho

PayPal

Post Office

Royal Mail

Verizon

I'll admit to having had to google digidentity, Morpho and GB group (which means they're distrusted by default - I know nowt about them). Are there any on that list you could say you actively trust? I'm not sure I could.

I think I'd need to default into choosing whichever company I felt already had sufficient information on me (as it's too late to change that).

Re: Bu****it!

Even then, it's not always that straight forward once marketing get involved

This plan allows you to make an unlimited number of phone calls* to anywhere in the U.S.

* of a duration of 5 seconds or less, calls exceeding 5 seconds will be charged at normal network rates

Or

* calls charged at normal network rate

The problem with 'Unlimited' broadband is the same as the example above - they're taking a different interpretation of exactly which part is unlimited.

They're not imposing a 'limit' on how much you're allowed to download that month, they're simply reducing the rate at which you can do so - obviously ignoring the effect the latter has on your abilities in respect of the former.

The whole thing's a joke and has been since it's inception, but simply defining the word unlimited isn't enough, you've got to get them to admit which part of the sentence it relates to and any caveats that might impact the picture that marketing are trying to paint.

TL:DR The ISPs who sell 'UNLIMITED' need more than a language lesson, sadly.

Re: Bharti Airtel and Flash Networks

> The issue isn't that this person did a quick "View Source", it's they the published someone else's IP to

> a public site. That is theft, plain and simple.

So, in your world - if rather than View Source, Ctrl-c, Ctrl-v he'd taken and posted a filtered packet capture showing the issue where would he stand?

If I'm troubleshooting why I'm having problems accessing your site and take a quick pcap to investigate, am I breaching your copyright? What about if I chuck it up to Cloudshark

> Injection of various assets to provide improved service (or pay for a free one), is common practice and

> people accept its benefits.

Not sure that people accept the 'benefits', I think they just put up with it. In cases of ISP injection it rarely leads to an improved (or cheaper) service, just higher profit margins for the ISP in question.

It's also an incredibly nasty and potentially dangerous thing to do IMO and I'd drop my ISP if I caught them doing it.