* Posts by Kanhef

615 publicly visible posts • joined 3 Nov 2007


Twitter claims Elon Musk bailed from sale with 'invalid and wrongful' reasons


Depends on who the delays hurt more. If Twitter can use in-house lawyers, it doesn't really add to their costs no matter how long it goes on for. Either the company gets $1B in cash, or their stock gets bought out at (currently) 50% above market value; seems like a win for them no matter what. Musk has a lot more to lose if they decide to make the process painful.

If he has to dump Tesla stock to make the deal go through, it will drive the price down; who wants to be holding when that happens? The lower the price of Tesla stock, the more he has to sell, which could lead to a rapid crash as investors try to get out before he has to sell.

Elon Musk considering 'drastic action' as Twitter takeover in 'jeopardy'


Next shareholder meeting should be interesting

The Twitter Board was very quick to agree to the sale, without considering if Muskrat was approaching it in good faith or not. With the shareholders not only losing out on a nice payout, but also seeing this fiasco tank the value of their shares, they could be motivated to replace most of the current board members.

Not enough desks and parking spots, wobbly Wi-Fi: Welcome back to the office, Tesla staff


Probably by design

As mentioned previously, His Muskiness probably wants to reduce the workforce to cut costs, but doesn't want to pay unemployment for laying people off, so he's trying to get them to quit on their own.

Google makes outdated apps less accessible on Play Store


Next time you open an app it will ask for permissions again, same as the first time it was installed. Even if it revokes permissions for an app you're using, it's not hard to grant them again. I don't see the problem.

California suggests taking aim at AI-powered hiring software


Re: I guess I will have to wait then

Rather than banning the use of automated systems, simply make a law that companies are liable for any bias in those systems, whether or not it was intended. Companies will either stop using it, or their lawyers will insist that vendors prove that their system isn't biased before using it. Win-win.

The AN0M fake secure chat app may have been too clever for its own good


Re: Or maybe ...

I was thinking it's been a clever psych ops mission. AN0M was distributed through a chain of trust, and according to other articles they initially pitched it to one kingpin (who interestingly enough, has not been arrested), and let him spread it to everyone else. After this, someone may well create a truly secure communication platform, but anyone who's been paying attention to the news will be paranoid that it's actually another backdoored system made by the cops. Even someone pushing to use an existing service like Signal would be viewed suspiciously; how can you prove that service is actually secure?

EA Games looted by intruders: Publisher says 'no player data accessed' after reported theft of FIFA 21, Frostbite source


Re: Frostbitten

Given that it's EA, I'm more curious to see how badly it's written.

Microsoft pokes Cortana's corpse to give her telepathic abilities on Windows 10


Didn't we already have an issue with TV ads accidentally waking up one of the voice assistants? I'm waiting for someone to craft a malicious ad that instructs voice assistants to do something expensive and/or destructive. Air once during a major weekend sporting event when lots of TVs are on.

Geneticists throw hands in the air, change gene naming rules to finally stop Microsoft Excel eating their data


Not just Excel

LibreOffice also likes to auto-detect data types, and then auto-format based on what it thinks you're doing.

One solution would be to have a setting for default cell formatting. Auto-detect can still be the default option, but let people set it so negative numbers are always red and in parentheses, for example.

US piles yet more charges on Theranos CEO, COO. We could do with good blood testing now... and this wasn't it


Re: I know they were a bit fraudulent but.....

"...if every overhyped claim by a company resulted in criminal charges most of our stock of executives would be in jail by now."

You say that like it's a bad thing!

IT exec sets up fake biz, uses it to bill his bosses $6m for phantom gear, gets caught by Microsoft Word metadata


Doing it wrong

The fake invoices tend to get noticed sooner or later. Instead, direct real purchasing and contracts to a company you control, which resells products and subcontracts the work. All at a healthy markup for profit, of course. Sure, the company could have spent less elsewhere, but it's hard to make that into a case for fraud.

If you could forget the $125 from Equifax and just take the free credit monitoring, that would be great – FTC


Reading the settlement, clause IX.D says that if funds remain in the Consumer Fund (i.e., for credit monitoring) at the end of the claims period, it shall be used to lift the Alternative Reimbursement Compensation Cap (the 'up to $125' part). So if no one wants the credit monitoring, there's potentially up to $425 million available as cash – enough to give the full amount to 3.4 million people. Slightly better, though I'd still rather have them have to set aside $18 billion to fully compensate everyone affected.

Behold, the insides of Samsung's Galaxy Fold: The phone that tears down all on its own


Re: "You're folding it incorrectly."

The obvious solution is to put an easily-removable protective film over the protective layer. That way, users will peel one layer off and stop fiddling with it.

Wells Fargo? Well fscked at the moment: Data center up in smoke, bank website, app down


Of course there were backups

They were in the next server rack over.

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters


That was my initial thought as well. For a general-purpose email filter, it would have to check quite a few languages in order to not block every email written in, say, Italian or Thai. Also needs to be context-aware, so they can't avoid triggering the filter by just putting half of Moby Dick in an HTML comment.

Might be simpler to have a check for embedded fonts. If found, render the message into an image, apply OCR, and run filters again on the result.

Tesla autopilot saves driver after he fell asleep at wheel on the freeway


Re: Self-driving cars don't need to be perfect to be deployed

An immediate slowdown or emergency stop at any uncertainty is extremely reckless and will kill people. Not could, will. It sounds like a great idea for a car on an empty road or test track, but think about the consequences if you're being tailgated, or are in dense 70 mph freeway traffic, or have a passenger who isn't wearing a seatbelt.

Remember that the majority of collisions with Google's self-driving cars occurred when they followed the rules of the road as written, but the person behind them wanted to run a yellow/red light.

Here are another 45,000 reasons to patch Windows systems against old NSA exploits



1.7 million hosts behind 45,000 routers comes out to an average of almost 40 hosts per router. Seems like someone's been targeting larger corporate networks, which really have no business using UPnP.

Groundhog Day comes early as Intel Display Drivers give Windows 10 the silent treatment


WINE is also a volunteer project, made by people in their spare time. They also had to reverse-engineer the entire Windows API, including its many, many quirks. Considering that, they've done pretty well.

Rather than re-implementing the same, 30+ year old, crufted together API, I'd rather see them design a new, modern OS with a WinAPI virtualization layer. Somewhat like what Apple did with OS X and the Classic environment.

Microsoft Windows 10 October update giving HP users BSOD


Re: Shove It Out The Door

In addition to an interest in computers, I spend a lot of time dealing with structural steel fabrication. It's astonishing how different the attitudes in these two worlds are. Computer programmers tend to take the approach of "it compiles - ship it". Security, efficiency, quality in general seem to be an afterthought at best. Structural engineering is governed by various industry codes, which make frequent use of the word 'shall', and often have the force of law. If a structure fails, and the designer or fabricator did not follow the relevant code(s), they can be held liable for that failure. I wonder if something similar is needed to tame the Wild West of programming: an RFC or ISO standard that establishes requirements for the design and testing of quality software. I wouldn't want it to be too restrictive, to allow development of new languages and methods of development, but at least set a minimum standard for proper engineering of software, extent of testing, what sorts of bugs identified during testing must be fixed before shipping.

It's probably impossible to prevent all bugs and security flaws, but we ought to be able to do something about this chronic parade of embarrassingly bad mistakes from companies that have the resources to do better.

'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway


Re: Default passwords? In this day and age?

And not only that, but 12345? Have people not seen Spaceballs?

Boffins build the smallest transistor, controlled by an atom


Of course it has potential

they applied voltage to it.

How evil JavaScript helps attackers tag possible victims – and gives away their intent


Re: Obfuscated JavaScript and browser useragent redirects

Virus writers have been doing similar things for years. Over a decade ago, I found an infected website that used similarly obfuscated code to extract the browser and JS engine version numbers and sent them as part of a GET request to another domain, which presumably delivered the actual virus. Visiting that domain without providing a vulnerable version returned an empty document. Not too surprising that they'd be looking for other, more subtle ways to identify browsers.

Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks


Re: Not about encryption

Because they're worse than useless: they make a site look secure, but don't actually make it any more secure than an HTTP-only site. Anyone can write a self-signed cert for any domain, so MITM attacks are easy: the attacker just makes their own self-signed cert, and it looks just as valid as the original.


Re: Money talks...

What happens if and when someone is able to hijack the DNS record? By changing the public key, they can redirect traffic to a site they control which will be 'verified' as the real thing. Putting both address and authentication information in the same record creates a single point of failure.

Y'know... Publishing tech specs may be fair use, says appeals court


How far should it go?

Many specifications reference other standards. For example, say you want to build a data center. Most jurisdictions will require that you follow the International Building Code (IBC) for the structure, and I'm not even touching fireproofing, electrical, HVAC, etc. here. For the steel frame of the building, IBC says it shall be constructed in accordance with AISC 360. That will in turn require you to follow AWS D1.1, which invokes other standards for several things. Then you have steel decking, rebar, concrete, soil preparation, and so on. Even if the standards incorporated into law themselves are made available, they directly and indirectly require the use of dozens of other standards. Should all of those be made freely available as well?

Hey cool, you went serverless. Now you just have to worry about all those stale functions


Article reads like

someone had £10,000 to spare.

In the last 20 years, I've come to expect quality from The Reg, not 'articles' that are just dressed-up industry PR pieces.

Wish you could log into someone's Netgear box without a password? Summon a &genie=1


That's no vulnerability

It's a deliberately coded backdoor. Time to start investigating why it was added to the firmware, and who was behind it.

Portland posts full report on Uber's dirty dealings with Greyball


What employees? They're all independent contractors.

How to pwn phones with shady replacement parts


Most shops don't have the ability to fabricate or program components like this; I'd worry about problems starting much higher in the supply chain. I can see a (probably Chinese) component manufacturer being paid to include ad-injection code. Not terribly different in principle from the bloatware cruft that PCs come preloaded with so often, but much harder to get rid of.

Overcharge customers, underpay the serfs. Who else but Uber (allegedly)


As far as user experience, this wasn't a bad idea. It's fairly common in some industries (e.g., restaurants) to provide worst-case estimates of wait times, so that when customers are provided service sooner than estimated, they are pleasantly surprised. So it's not unreasonable to give the passenger one estimated arrival time, while giving the driver a route that will get there slightly earlier, barring unexpected traffic delays.

What will get them in trouble is if they have been calculating charges and payments separately, as the lawsuit alleges. Without highly-improbable macroscale quantum effects, both routes cannot be taken at the same time, so either passengers are being charged for more time and distance than they actually spent in the car, or drivers are being paid for less time than they actually spent driving. Whichever one it is, that's a pretty strong case for fraud.

Bluetooth-enabled safe lock popped after attackers win PINs


Re: Bluetooth lock reasons...

It's the same reason many companies have switched to electronic door locks. When properly implemented, each person has a unique access code. Hard to duplicate, usage can be tracked, access can be revoked without affecting anyone else. Of course, when it's not properly implemented – as in this case – it ends up weakening security.

Windows 10 Anniversary Update completely borks USB webcams. Yay.


Re: Just a thought

I've been struggling to come up with a reasonable situation in which one would do this.

If you're sending video from one webcam to multiple recipients, you're probably using a single program to do it.

Using multiple programs for multiple video sources could make sense (for example, videoconferencing on a webcam while sending security camera footage to archive storage), but that situation is unaffected by this change.

I suppose you might want to split a video source if you want to stream live footage over the internet and record it at the same time, but only if you're using brain-damaged programs that can't do both.

Classic Shell, Audacity downloads infected with retro MBR nuke nasty


UAC limitation

A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.

VC vampire: Peter Thiel wants to live forever


Garlic is not an onion

They are both alliums, but they are not interchangeable.

TechCrunch defaced by self-professed 'white hat' hackers


Probably not even hacked

The 'we never change our passwords' bit suggests that they found his login information in a data dump from a years-old breach and decided to see if it still worked.

Microsoft's 3D Jedi phone explored


Interesting idea. Since it seems to have trouble with too many things moving at once, I wonder if it would work better for desktop monitors and large, fixed displays rather than phones.

Microsoft's cringey 'Hey bae <3' recruiter email translated by El Reg


Re: What could go wrong?

At least Microsoft has helped answer the question of why women don't want to work in the tech industry.

FBI's iPhone paid-for hack should be barred, say ex-govt officials


Obvious loophole

As long as they keep at least one ongoing investigation using a given vulnerability, it never has to be disclosed. If they're only using an exploit on one person, drag out that investigation until they can get another one started.

Astroboffins' discovery gives search for early life a left hand. Or right


Re: As Science notes, propylene oxide isn't an organic molecule;

To be pedantic, organic chemistry originally was the study of compounds found in living things, and inorganic chemistry was everything else. After Friedrich Wöhler demonstrated that urea (a known organic chemical) could be synthesized from inorganic compounds, they had to scrap that definition and redefined organic chemistry to be about carbon instead.

FFS, Twitter. It's not that hard


Conversation-based ads

Ads based on a celebrity event, or sports game, or TV show are reasonable. Nobody really likes ads, but they can understand why they're there and no one will raise a fuss about it.

Then someone like David Bowie dies, and everyone talking about it sees ads for Bowie-themed merchandise, and it looks like a crass attempt to cash in on someone's death.

Then you get an incident like what's currently going down in Orlando, Florida, and everyone sees ads for guns. People get upset, looks like Twitter is happy to profit from a tragedy, lots of drama and PR damage control.

So maybe this isn't the best idea.

RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level


The problem with having a software-defined return address stack is that there's nothing to keep malicious code from manipulating it; as far as the processor is concerned, it's just another region of the process' memory. A hardware-defined shadow stack can more effectively restrict access: the processor itself is the only thing that should manipulate this area of memory (as a side effect of call and return instructions), so any attempt to alter it directly can trigger an exception.

I'm not intimately familiar with x86 instructions (I'd rather be dealing with Power or ARM), but it looks like this could be defeated if there's a way to write arbitrary data to the EIP register. Overwrite EIP, call the next instruction, and you've put your desired return address on the shadow stack.

Mark Zuckerberg's Twitter and Pinterest password was 'dadada'


Re: Making a hash of things

If someone steals the database, they don't need to reverse the hashes. They'll just throw a dictionary file at your hashing algorithm and look for matches. Doesn't take too long to brute-force every password up to 6 or 8 characters long as well. This is why you should be salting the passwords before hashing them, and forcing users to have sufficiently long passwords.
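An added illustration of the point in the comment above (not code from the commenter or from any of the sites named): with unsalted hashes, one pass over a word list cracks every user who chose a dictionary password at once, whereas a per-user salt with an iterated KDF (PBKDF2 from the standard library here) makes identical passwords hash differently and forces per-user work. The user names, the word list and the leaked table are constructed for the demonstration.

```python
import hashlib
import os
import secrets

# Constructed, tiny "dictionary"; real attack word lists run to millions of entries.
DICTIONARY = ["password", "letmein", "dadada", "qwerty", "hunter2"]

def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256: the weak scheme the comment warns about."""
    return hashlib.sha256(password.encode()).hexdigest()

def dictionary_attack(leaked: dict) -> dict:
    """Hash each word once, then look up every leaked user in that table.
    Cost is one hash per word, regardless of how many users leaked."""
    table = {unsalted_hash(word): word for word in DICTIONARY}
    return {user: table[h] for user, h in leaked.items() if h in table}

def make_record(password: str, iterations: int = 200_000) -> dict:
    """Stored record: random 16-byte salt plus PBKDF2-HMAC-SHA256 output."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}

def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the result."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return secrets.compare_digest(dk, record["hash"])

def demo() -> dict:
    """Constructed leak: two users share 'dadada', one has a long passphrase."""
    leaked = {"alice": unsalted_hash("dadada"),
              "bob": unsalted_hash("dadada"),
              "carol": unsalted_hash("correct horse battery staple")}
    rec1, rec2 = make_record("dadada"), make_record("dadada")
    return {
        "cracked": dictionary_attack(leaked),                   # alice and bob, one pass
        "same_password_same_hash": rec1["hash"] == rec2["hash"],  # False: salts differ
        "verify_ok": verify(rec1, "dadada"),
        "verify_wrong": verify(rec1, "dadadb"),
    }

if __name__ == "__main__":
    print(demo())
```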

Game of P0wns: Malvertising menace strikes Pirate Bay season six downloads


I suspect the ad networks' inaction is a deliberate strategy, even though poisoned ads have been a known problem for years. As long as they act as a neutral host without filtering anything, they can claim they're not liable for anything that happens. If they try to block bad ads, they could be blamed for anything that they don't catch.

Corporate lawyers can suck snozzberries.

Nest's bricking of Revolv serves as wake-up call to industry


Unfair comparison

A tub of hummus is quite useful – and delicious.

Confused by crypto? Here's what that password hashing stuff means in English


Re: Question

I think it's just a matter of efficiency: the hash is much shorter than the original message, so encrypting and decrypting the hash takes less time than double-encrypting the entire message.

Norman Conquest, King Edward, cyber pathogen and illegal gambling all emerge in Apple v FBI


Thirteenth Amendment

bans both slavery and involuntary servitude (except as punishment for a crime), so it's actually quite relevant here. The judge may not agree that it's a good argument, but it's not unreasonable to try to make that argument.

'Boss, I've got a bug fix: Nuke the whole thing from orbit, rewrite it all'


The biggest problem I see with the OpenSSL code is that it leaves you at the mercy of your compiler/optimizer. You have to trust that the optimizer will properly traverse all possible code paths and not strip out the entire if (0) block as unused/unreachable code. It may work fine for whichever compiler and optimization settings the developers used, but there's no guarantee it will work for everyone else.

Google to snatch control of Android updates from mobe makers – analyst


Re: And the FCC will say ... exactly what to this?

If Nokia hadn't sold out to Microsoft and killed Symbian, there might still be a viable alternative for manufacturers to switch to. Ironically, it probably would be easier for Win10 to get a foothold in the market if it was more fragmented between iOS, Android, and Symbian.

Socat slams backdoor, sparks thrilling whodunit


Re: Interesting point.

Definitely not obvious - at least it didn't end in a 5 - but at the same time, any decent factorizing program would have reached 271 fairly quickly, so it's clear they didn't double-check the number in the code for primeness. Since one of the factors is so small, my guess is there was a typo of some sort; if I wanted to backdoor an encryption routine, I'd use a semiprime whose only two factors are roughly equal in length (~150 digits in this case), so it would take some significant number crunching to discover that it's not prime.
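An added example of the check the comment above says was skipped (not code from the commenter or from the socat project): a build-time sanity test for a hard-coded DH modulus. Trial division by small primes catches a factor like 271 instantly; a Miller-Rabin test then rejects composites whose factors are all large, and a final test on (p-1)/2 tells you whether the modulus is a safe prime. The moduli used in the test are constructed from known Mersenne primes, not the socat value.

```python
import random

# Primes below 2000 by a simple sieve-free filter; enough for a first screen.
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def small_factor(n: int):
    """Return the first small prime that divides n (other than n itself), else None."""
    for p in SMALL_PRIMES:
        if n % p == 0 and n != p:
            return p
    return None

def miller_rabin(n: int, rounds: int = 40) -> bool:
    """Probabilistic primality test: False is definite, True is overwhelmingly likely."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness: n is composite
    return True

def check_dh_modulus(p: int) -> str:
    """Classify a candidate modulus: 'small-factor:<q>', 'composite', 'prime' or 'safe-prime'."""
    q = small_factor(p)
    if q is not None:
        return f"small-factor:{q}"
    if not miller_rabin(p):
        return "composite"
    if miller_rabin((p - 1) // 2):
        return "safe-prime"       # (p-1)/2 is also prime, as DH parameters should be
    return "prime"

if __name__ == "__main__":
    # Constructed: 271 times a Mersenne prime, the shape of the socat mistake.
    print(check_dh_modulus(271 * (2 ** 127 - 1)))
```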

Sorry slacktivists: The Man is shredding your robo responses


As I recall from when the FCC was soliciting comments on net neutrality, they essentially analyzed responses for uniqueness and discarded duplicates. Seems like a good way to keep form letters from dominating the responses without having to scrap the entire thing.