* Posts by Richard Kay

215 publicly visible posts • joined 8 Mar 2007


Economists say P2P file-sharing fuels art

Richard Kay

Right to get paid ?

Only if you do what others are willing to pay you to do, and not based on coercion.

The rights of someone who can't make living other than through the creation of music, art or literature to get paid doesn't extend to surveillance of my private non-commercial communications or the ability to police and block anything similar or any kind of fair reuse for a century. It doesn't override the principles behind data protection law.

Overlong copyright blocks reuse which blocks new creative work. DRM blocks heritage preservation work. Legal protections of DRM (DMCA) lock down freedom of speech in respect of the ability of security researchers to publish their findings or consumers to know how remotely controlled equipment they think they own is spying on them. Secret copyright police surveillance of private Internet communication is not compatible with a free society or human rights legislation.

The fact that 8% of the Swedes recently voted pirate shows that a backlash is starting.

Insurance giant rapped on knuckles over DPA breach

Richard Kay

who paid when the Nationwide paid for this ?

The people who paid the Nationwide fine of £980,000 for a similar breach of the DPA a couple of years ago were the victims of the data loss, account holders like yours truly who own this non-profit making mutual. I still prefer it being a mutual to it being a private bank.

Wirelessly-powered phones on sale within four years, says Nokia

Richard Kay

ambient electromagnetic radiation ?

I seem vaguely to remember I've got a calculator at the back of a drawer gathering dust somewhere that used to recharge itself using a solar panel. The problem is that if too many consumer electronic device designers latch onto this idea too efficiently they will suck all the power out of the mobile signal, resulting in increased shadow the further away from the transmitter you get.

Then the mobile phone companies will have to double and quadruple their masts, and eventually they'll be providing free electrical power to all and sundry for any application. I kind of suspect different departments within Nokia might have a conflict of interest here.

McKinnon launches second extradition challenge

Richard Kay

Petition closes soon - please sign

If you are a UK citizen and either think Gary shouldn't be deported or the UK shouldn't have a one sided extradition treaty with the US and have not already signed it, please sign the petition opposing his extradition by 15 June:


Hulu headed for subscription service scheme?

Richard Kay

People will pay for timely quality content

Subscription is more likely to work when there is a strong enough community based around the content in question, and it is provided in a timely manner. lwn.net transferred from a failing ad driven attempt at a business into a sustainable subscription driven one when its writers were about to pull the plug but its readers didn't want to let it go. They took a couple of months to persuade the bank that the sudden rush of small credit card payments were legitimate though when the readers persuaded them to sell subscriptions. What they now do is provide all content for free but restrict premium content to subscribers only for a period of a week. So there is no incentive for a subscriber to put premium articles onto P2P - given that those who want it for free can get it soon enough, and will contribute in a minor way through advertising when they get it from the site directly rather than through P2P.

Frankly micropayments for occasional readers are too much hassle, and this model has never taken off. If a publication has enough regular readers a yearly subscription to the entire publication shouldn't cost very much - I get lwn.net for $60/year and pay yearly.

Obama urged to halt Google government takeover

Richard Kay

sever past connections and hire the best candidate

I don't see a problem with government hiring smart people from industry or vice versa. In this situation the contracts have to make certain that share options are fully cashed out and pension values fully transferred to avoid conflict of interest, so those appointed to government jobs have no other employer. Ex Googlers also have the same right to work for the government as anyone else, but the arrangement must ensure the severance with previous interests is effective.

At long last, internet's root zone to be secured

Richard Kay

@Robert Harrison

MD5 has been broken, now that people can create bogus HTTPS certificates which validate using MD5. So web browsers recently had to be updated to not accept MD5 signatures as valid, rendering invalid MD5 based certificates not by then updated. SHA is a family of hash algorithms, http://en.wikipedia.org/wiki/SHA currently going up to SHA512, likely one of the strongest currently known in widespread use. Some earlier SHA versions are now thought to have weaknesses, though probably not yet as readily exploitable as MD5 now is.

What having a signed DNSSEC root creating a heirarchical global PKI for the first time will mean is that much more attention will be given to the strength of the algorithms used, resulting incorrespondingly more fame and fortune for whoever publishes successful attacks.

We will never know that a particular algorithm is secure, we only know when published insecurities exist. What can be said about their security, for algorithms developed within the public domain, is what it would be worth to the person who succeeds in breaking it and publishing a feasible attack, from which we can estimate the amount of talented effort directed towards doing so without published success. (For the paranoid, we don't known what the NSA and GCHQ knows about unpublished weaknesses, but we can still assume their budgets for maintaining the loyalty of those who do know to keep this knowledge secret is finite. We can also assume they can only use their top secret knowledge for attacks of high enough value to them that these justify the risks of leaking this knowledge in the process of using it. )

In the past attracting this kind of effort has required large prizes on offer to the first successful published attack. But we will need be in no doubt about the fame and fortune that will come to a cryptanalyst who can publish a paper which describes a feasible attack breaking the algorithms used to sign the DNSSEC root.

Richard Kay

trusting trust on the Net

Currently with the lack of root zone signing, to verify a DNSSEC record for c.b.a you have to configure a trust anchor in either .a (the Top Level Domain) or in b.a. depending upon where secure DNSSEC provision starts. There is therefore nothing to prevent anyone willing to do the work involved who wants to verify the authenticity of whichever TLDs or lower level zones have DNSSEC from doing so directly. It's more work than deciding to trust the root key though, when the latter exists. But even having done so you don't need to look up the root signature every time if TLD signature trusts are cached, assuming you are less worried about a potential TLD key compromise and revocation than you are about misuse of the root key. Higher level zone key signature trusts will have to be cached for at least several days anyway, or AINA/Verisign or whoever else compiles the root zone simply wouldn't be able to handle all the lookup traffic.

So I think root key misuse, if it ever occurs, will tend to be a self-limiting phenomenon. If this ever happens then a more trustworthy root key signer and root zone will be adopted by the TLD DNS server operators within days. It's not as if the root zone, which is quite small, has to be updated very often and it isn't as if the many current TLD operators couldn't setup a mutually owned non-profit organisation to manage one in the event of demonstrated lack of competence to do so by Verisign.

What the latter strategy would make more difficult would be the politics associated with who gets to look after new TLDs, or an existing country code when a government is overthrown. The combination of these 2 issues - 1. politically motivated root zone changes where unilateral US authority over the International Internet becomes moot and 2. the need for secure root zone signing key management, will probably at some point result in IANA being managed by the ITU instead of ICANN: http://en.wikipedia.org/wiki/ITU .

Microsoft renames netbooks 'low cost small notebook PCs'

Richard Kay


The ex Kremlinologists must surely be detecting the flying chairs in the Redmond marketing department over this one by now. To get one of these devices useful at a sensible cost it has to have a low wattage chip because battery tech isn't improving as fast as silicon tech. So there is a market for 7-10 inch screen portable computing devices which can perform useful computing functions costing no more than a couple of hundred quid. It's just that XP SP3 is patchbloating too fast and coming out of effective security support too soon to run at any useful speed on these things. It's not as if the Windows 7 doublespeak edition, son of Vista by any other name, is ever likely to run much faster than a dead dog on this class of hardware either.

Consequently a third of this market has already gone to Linux. What to do when Eastern Europe starts breaking away from Kremlin control ? Anti trust rulings and fines have made it too expensive to send in the tank divisions. Politicians can still have their arms twisted but markets are more expensive entities to control. The still loyal XP proletarians are having their patience sorely tried while using too much battery waiting for bootup. So those managed by he who throws chairs are coming up with ever more inventive marketing speak to attempt to reclassify this market, to favour devices at double the above cost with fast enough CPU speed and enough RAM and hard disk to run Son of Vista, in order to exclude all else from their new hardware category.

Windows has already lost in the embedded and Internet server spaces. Now it's losing on small cheap computers. Most of those in the world who have never yet used a computer will be able to afford to use one within the next 15 years or so, but not with a CPU hot enough or a power supply adequate to run Vista spawn. This doesn't mean there won't be the odd Cuba and North Korea in the DRM-driven markets dictated by proprietary content providers. But these are games console and set top box territories - not general purpose computing devices.

BCS writes data Highway Code

Richard Kay

need more case law

The Nationwide was fined nearly a million a couple of years ago for losing a database containing members' addresses under the DPA. This fine should have come from staff bonuses rather than from members, given that the members own the society. But the principle of organisations being fined for breaches needs to be upheld - if there were more prosecutions and especially if the fines ended up costing those directly responsible, those looking after personal data would be more careful.

Virtualization moves to centre of mobile agenda

Richard Kay

For specialised processing requirements maybe.

"The results would be returned across the internet to the phone, speeding up tasks like graphics processing and supporting high end video or gaming. Intel even says CloneCloud would be able to decide dynamically whether a task would be better processed by the device itself or in the cloud, depending on its processing burden and the quality of the network connection."

Currently only somewhat specialised processing requirements benefit from this approach, where the latency requirement isn't fast and bandwidth requirements of the job input/output is small, but the compute/memory demand of the job is high. I do this currently for spam content analysis where the MTA virtual server processor in a datacentre that looks at an email and accepts or rejects it offloads the content analysis to a faster CPU at home with more memory but slower bandwidth. But I don't see either of network bandwidth or latency being fast enough very soon to enable this to be done for graphics processing or high end video gaming, where a lot of CPU and memory has to be very close to the display right in front of the end users' eyeballs. Getting a faster computed response to a deep strategy game, e.g. go, using a Monte-Carlo simulated annealing approach maybe, assuming a very large parallel supercomputer is available over the network link rather than in front of the player. But again, this is a more specialised requirement.

Automating this would usefully require an extra layer in the exec() layer of an application which collects statistics based on input/output and CPU/memory loadings. The administrator of the system in question would need to choose to add the overhead of checking for suitability for selected candidate jobs, or the overhead added by the extra layer involved in checking for suitability of all jobs would outweigh the benefit for the few jobs which would benefit.

Microsoft breaks Windows 7 three-apps netbook handicap

Richard Kay

@Manny Caruana

"I look forward to seeing an equally strong candidate OS from the Linux camp, the various 'lite' offerings thus far fall way short of providing an ideal netbook experience."

In that case you really do want to try Ubuntu Netbook Remix. They are developing this to become an OEM offering, but it's easy enough to download and install, if you have a spare 1G or more pen drive you don't mind reformatting. I replaced the cut down Linux my Acer Aspire One was supplied with using UNR and it's really excellent.

A minor bug at the start was easily fixed by removing icons from the favourites menu selection, though I can now use favourites having done this - this was a daily development build. The aptitude package management system works perfectly so no problems updating and installing just about any Ubuntu Jaunty package. The only exception was Cgoban, an old style game which renders direct graphics which don't fit into the limited X server desktop resource, though it works fine on desktop machines. Everything else just works - wireless, wired, graphics, sound, DVDs and all the usual Linux application software.

Given that the Atom CPU performs similarly to a high end Pentium 3, there are sometimes delays of 2-3 seconds using Firefox, though no such problems using the Konqueror browser. Boot speed is very fast. Frankly I'd be surprised if anyone finds running son of Vista (Windows 7) as pleasant an experience on such low power/weight/size/cost hardware.

Getting real about Linux on the desktop

Richard Kay

narrowing niche ?

Interestingly Windows is being squeezed out at the high end, including supercomputing, servers, and use by developers, network professionals and computing scientists who need more control over and understanding of their systems. It's also being squeezed out at the entry level, including in netbooks, embedded systems and individuals who just want their computer to work without excessive cost or wanting to know how it works. Who can afford to throw computers out every 4 years and sacrifice much of the performance to an anti-virus program which they don't need on Linux due to the more reliable and trustworthy software integration, packaging and validation that comes from open source ? Then there are those who have power requirements more suited to the Atom chip than a quad core CPU consuming over 100 watts, which is likely to be a better fit to most people's electricity bills, particularly in developing countries where most computing users will be located within a few years.

So the question isn't so much as to whether Linux is "ready for the desktop". It's been ready for most desktop purposes for years. The question is how quickly the middle segment of the desktop market currently dominated by rich westerners lacking in computing education will be squeezed out by the growing segment of the market more concerned with computing capability/budget ratios and open source code level as opposed to closed binary compatibility.

Nork nuke quite a lot less powerful than Hiroshima

Richard Kay

delivery options - who needs rockets ?

19 kilotons could wreck the centre of quite a big city and a ground level explosion could make the site a cancer hazard for years afterwards. Who cares whether they can put it into a missile ? The idea that they need to do this to be effective is just a budget plug for the rocket science lobby whose career prospects will not be enhanced if politicians consider the well known and obvious fact that a standard shipping container can be delivered anywhere and anytime. When a terrorist group has the capacity to do a NBC attack the delivery vehicle is more likely to be a shipping container on the back of a lorry or on a ship that can make it into an inner city port than a name your range missile.

So the real question is could they get this one into a shipping container, and if they could, what is to prevent it getting to its intended destination and detonating there ? And if they can what do they gain by miniaturising the thing enough to put it onto a rocket propelled missile ?

D-Link exposes WiFi routers with new 'security feature'

Richard Kay

Use of salt versus complexity

The reason extra entropy is added to a password prior to hashing ( the crypt system call which performs this hashing has a parameter called salt with exactly this purpose) is to increase the required rainbow table size needed to crack the hashed result. Personally I doubt that using 2 hash algorithms in sequence is as effective as using the stronger of the 2 and a long and random salt. This is because a good rule of thumb to follow (Bruce Schneier's rule ?) is that complexity is the enemy of security and simplicity is its friend. Combining a known weak and a considered to be strong hash with similar objectives in mind, in my understanding is more likely to lead to design errors resulting in vulnerabilities.

SHA1 is now thought to have weaknesses, not yet known to have been exploited, though based on the history of MD5 these are likely to be exploitable in future. So some variant of SHA2 is probably now preferred, e.g. SHA512. For comparative information about the SHA family of hash functions see: http://en.wikipedia.org/wiki/SHA_hash_functions .

Also for many purposes a system using a weak hash algorithm and password is likely to be secure enough if the attacker can't obtain a copy of the hashed password and many repeated failed login attempts in a short period are logged and blocked. For similar reasons your home probably doesn't need a bank vault style lock and multilayer fireproof reinforced steel front door. There is very little entropy in your banking PIN, but banks having to balance user support against fraud costs seem to prefer people to have short PINs they can easily remember without having to write these down.

Organised crime cops seek international hacking powers

Richard Kay

@Gene Strong

"And exactly why am I supposed to believe this government hacking is a good thing and the govt. can be trusted ?"

Well it's likely that the democratic process in which you have a vote will have to clarify the powers the police have to do this. I don't think this has occurred so far, but if you want any response you make to such proposals through any consultation they engage in, or by writing to your MP or ministers concerned, to have any influence you should attempt to balance the needs of the police to do their job with the legitimate rights of citizens to prevent police powers being excessive, e.g. by being allowed to do this for all but the most serious of crimes or these powers being extended to local authority dog wardens etc.

To answer your question more directly, you're not supposed to believe anything, but avoiding participation in the process that decides this, whether you like the outcome or not, is a guaranteed way to ensure that your concerns in the matter won't be part of what comes out of it.

Richard Kay
Black Helicopters

police acts outside normal legal boundaries

It is recognised in other areas that speeding laws don't apply to a police car in a high speed chase up to the point where this gets so dangerous that the police have to back off. Laws against someone breaking your door down and filling your house with heavies at 5 in the morning don't apply when the police are specifically warranted to do this, but it has to be something sufficiently major they are after for this to be warranted, not a petty shoplifter who can be arrested at a more civilised time with less damage caused.

I guess the extent to which the Computer Misuse Act (section 3, access unauthorised by the system owner/controller ) can be legitimately waived in similar situations, and the precautions to ensure such powers are not used excessively also need to be clarified.

Just as having doors, windows and walls strong enough to defeat likely police early morning raids before the occupants of a house are woken by the noise isn't illegal, neither is running a system without zero day exploits known to the police together with strong crypto. The legal problem will arises when under the RIPA the owner of the seized but secure system or media is required by the police to disclose the key and they claim to have forgotten it or refuse to divulge it. This one could end up going all the way to the European Court of Human Rights.

McKinnon supporters petition Downing Street

Richard Kay

Please sign

I've just added my name to the petition. If the allegations against him are true he should get 100 hours' community service and a year's probation in the UK. Certainly not having years of threatened extradition to a country that tortures prisoners, or whose citizens can't be extradited to the UK.

Dell punts £199 10in netbook

Richard Kay

couple of weeks late for me

As I just purchased an Acer Aspire One with very similar spec and price. Had to put Ubuntu Netbook Remix on it myself though, as the Linpus lite was a bit limited for my needs.

Adblock developer offers 'please unblock me' tag to sites

Richard Kay

If a site is good enough it will get subscribers

The idea of the browser deciding how to render the page was part of the architecture of the web from day 1. I subscribe to a technical news site (lwn.net) that, based on insufficient advertising revenue was going to close down, but enough readers including myself persuaded the providers to open it for subscriptions that it now continues on the basis of these. Non subscribers can still access the content, but they can only obtain premium articles on the site after a delay of one week.

Ireland bucks trend with anti-blasphemy law

Richard Kay

blasphemy laws discredited long ago

Considering that the one charge against Jesus at his trial that stuck, (i.e. of blasphemy in declaring Himself to be God), isn't it time to get rid of these laws ? I'm all in favour of freedom of speech and minority rights which mainly originated within Christian societies and scarcely elsewhere, so have no problem with laws against incitement of hatred if sensibly discussed and carefully drafted based upon these objectives. But this central premise of my own Christian faith was blasphemy to those who didn't accept this then as it is to those who don't accept it now.

Thankfully it is possible to discuss these matters with those of other belief systems respectfully of the views of others, but the idea of blasphemy was discredited when God became man and was crucified for it.

Jobs bloodbath at Brit, Danish wind turbine factories

Richard Kay

Fossil fuel and nuclear subsidies

Supposing the owner of an adjoining property was allowed to put up a factory there which spewed waste over my property and I was unable to prevent this or obtain compensation for the mess. Either of these remedies would increase the costs of operation of the factory to avoid me picking up this cost. If no such remedy were available I could reasonably claim that I was subsidising the factory next door.

We're all subsidising the use of carbon fuels because those who extract, sell and burn these don't pick up the cost of cleaning up the mess. We all have to pay the insurance costs of extreme weather and the cost of uninsured losses. The fact of this subsidy, together with chaotic, purposefully manipulated and unstable markets for fossil fuels, makes investment in renewable energy a more risky and less profitable activity than it would be given a level playing field.

When are we going to stop subsidising fossil fuels ? The subsidy given to nuclear power through taxpayer funded research and waste cleanup lifecycle costs make nuclear massively more expensive than renewables.

UK.gov to spend £2bn on ISP tracking

Richard Kay

@Paul Barnfather

"They still don't know who I talk to (Skype is P2P and encrypted)."

I would guess that the encapsulating packet addresses contain enough information in Sype to

identify the endpoints, even if the encrypted tunnel scrambles the conversation. So I suspect that unless you use a VPN through an offshore gateway, the UK Gov can obtain information about who is talking to whom and when and for how long, if not being able to tap into the relevant conversation. Also I don't know what kind of encryption is used in Skype or anything about the security of Skype key management.

In general I would agree that being subject to this monitoring is voluntary in exchange for cheapness. But to opt out of deep packet inspection and traffic analysis of encrypted content you will need to proxy all applications to an offshore gateway VPN server and insert some plausible chaff on the connection, as well as using a secure VPN technology and being careful with key and host management.

Ireland scraps e-voting in favour of 'stupid old pencils'

Richard Kay

e-voting is the laughing stock

E-voters have to trust the exotic and rare skills of system security experts like yours truly to audit an otherwise opaque e-voting system. Why on earth should they ? Doing the whole election using pencil and paper methods means every one of the many election officials and counters who are involved can visibly see how the system works. If a system like this is to be improved upon it won't do this by removing the simple and obvious visibility of it to everyone involved with it.

I teach systems security at university level and have also stood for city council elections and acted as election agent - and much prefer a voting system which doesn't require those who have paid for the specialised education I offer to be able to see that a system isn't rigged and is operated fairly. Frankly I've never met anyone I respect with knowledge of my subject who would want to touch any e-voting system that doesn't involve a paper trail which can be confirmed manually at every stage of the process. This should include printing a paper ballot inspected by the voter that goes into a traditional ballot box, usable as master copy manually to confirm the electronic count in the event of a close result or machinery dispute.

Confidence in democracy starts with everyone knowing someone who is involved in the counting e.g. a council employee who is a friend or neighbour, and everyone involved being able to see what is going on.

It's also not as if there aren't enough other systems that need securing that system security professionals are likely to be out of a job any time soon.

Attempts to reduce the cost and time of voting tend to be based upon the assumption that speed and cost reduction are more important than transparency - which couldn't be further from the reality. The laughing stock was the country that had to have its supreme court judges decide whether votes allegedly spoiled by worn machinery weeks after election day (i.e. punched voting cards with hanging chads) had to be counted in an election to choose its President, not countries which use pencil and paper voting methods and can count all the votes within 24 hours.

New non-volatile memory promises 'instant-on' computing

Richard Kay
Thumb Up

Ferroelectric Random Access Memory

I worked on testing an experimental ferrite ring with wires through hole RAM module in the seventies. It had 16KBytes then - and was a fair bit larger and more expensive than the similar capacity silicon memory modules then, but the latter were not thought reliable enough for the processors that controlled phone exchange switches.

Music industry sites DDoSed after Pirate Bay verdict

Richard Kay

Culture wars

Culture 1:

Information is property. Giving it away denies a living to those whose only business model is selling information packages on a per package basis. From this point of view, copying must be made difficult and controlled or impossible.

Culture 2:

The purpose of computers, networks and most electronic appliances is to make copying easy. Information can't be controlled and from this point of view ensuring it is made it available with as few restrictions as possible (GPL) maximises the value of the information.

Realistically it seems unlikely that either side in this conflict will be eliminated entirely by the efforts of the other in the near future. But we are likely to see legal and other attacks used by either side to try to gain an advantage. Sony were not being strictly legal either when their music business installed rootkits on their CD customer's computers to try to disable copying capabilities either.

Richard Kay

Culture wars

Culture 1:

Information is property. Giving it away denies a living to those whose only business model is selling information packages on a per package basis. Copying must be made difficult and controlled or impossible.

Culture 2:

The purpose of computers, networks and most electronic appliances is to make copying easy. Information can't be controlled and ensuring it is made it available with as few restrictions as possible (GPL) maximises the value of the information.

Realistically it seems unlikely that either culture will be eliminated entirely by the efforts of the other in the near future. Culture 1 seems likely to continue restricting use of its output over certain DRM-controlled networks using by trusted/treacherous computing. This seems to me more a set top box and games console specialist appliance market though than in connection with anything genuinely intended to be general purpose where the market won't carry the DRM cost and the values of culture 2 are likely to prevail.

So I don't see the sale of XL net connections, blank media and unrestricted computers going down any time soon.

Boffins build super-accurate atomic clock

Richard Kay


You don't need one on your wrist. My £20 wristwatch synchronises to atomic clocks by picking up a radio broadcast. It also handles GMT/BST seasonal changes so doesn't need any adjustment until I travel to a different timezone. Interestingly, my computers now also synchronise to atomic time using NTP (Network Time Protocol) so I can read logged adjustments relating to when they have leap seconds, resulting from atomic time being more accurate than earth rotation time, needing a minute with 61 seconds every few years to keep the earth's rotation adjusted to atomic time.

Brutish SSH attacks continue to bear fruit

Richard Kay

Lock them out after a few bad guesses.

Denyhosts is a program which is easy to install and configure. It checks the logs for brute force password guesses and locks out the addresses which try. You still want to choose fairly strong passwords.


Cable-cutting vandals disconnect Silicon Valley

Richard Kay

Well-planned attack

I used to work for a contractor on major trunk cables in the UK and have wondered what would happen if someone who knows the way the infrastructure works decided to attack it with the right tools in several places at once. Now we know. This isn't to do with single points of failure, because the attackers seemed to know that they would have to cut a number of cables in different places at the same time.

This is a difficult kind of attack to defend against, because these underground cables can be attacked almost anywhere along their route. I guess the AT&T staff and contractors will all be asked to watch out for any vans they don't know and report number plates wherever people are lifting manhole covers whether appearing properly equipped or not. Keeping a database of contractors vehicles and getting members of the public to phone license plate numbers in whenever they see a manhole cover being lifted could increase the risk of arrest for those involved in this kind of thing.

I've been told in some African countries telecoms can't involve underground line plant because thieves rip out the cables and sell these for scrap.

Conficker botnet stirs to distribute update payload

Richard Kay

Linux attacks

The password guessing attacks on Linux secure shell servers are occasionally successful so those running Linux can't afford to be complacent either. Installing Denyhosts or something similar, using strong passwords, not allowing direct root logins, only allowing accounts needing remote login access, and having user account names which are not obvious all help minimise the risk of a successful password guess.

AFAIK the reason Linux machines are compromised by this means is because a compromised Linux machine can be used to act as a command and control server within a much larger botnet of infected Windows machines.

Russian schoolgirl invents inertioid-driven Venus rover

Richard Kay

Auras are not a new observation

Just look at the halos in religious art. I guess the simplest explanation is that these observations are evidence of synaethesia of the artists and mediums who depict and report these things.

The Wikipedia article on the subject:

http://en.wikipedia.org/wiki/Synaesthesia claims one person in 23 experiences a genetic form of this condition.

Hadoop - Why is Google juicing Yahoo! search?

Richard Kay

What to open source ?

Google are hardly likely to open source their search algorithms. But they have as much interest in keeping proprietary secrets in how massively parallel processing is done as Microsoft have in how a transistor works. The advantage of open sourcing stuff that you have to do but but which is a cost centre as opposed to your cash cow is sharing the cost with others who have to buy into the same technology area.

Google digital book 'monopoly' feels heat

Richard Kay

A problem caused by overlong copyright

Copyright terms relevant to the incentive to create new work ( the sole reason the public benefits by copyright being granted) would be much shorter, between 5 years in the case of computer software, 10 years in connection with books and music, and a maximum of 20 years for movies. Orphaned work means that copyright property exists with no identifiable or contactable owner, which is of great disbenefit, because it places reuse or preservation into a legal limbo, where rights to reproduce or preserve can't be obtained at reasonable cost yet the threat of litigation and liability when someone does this remains. For this period of limbo to extend for several decades or longer is culturally destructive.

This whole system is a mess in increasing public disrepute. Automatic copyright should only exist for 5 years from first publication. After that copyright should only continue to exist if it has been publicly registered in such a manner that anyone can easily search to see if ownership has been registered so is able to contact the owner. The registration of a work should have to be renewed every 5 years or it automatically lapses.

Radiohead and chums demand copyright 'fair play'

Richard Kay

copyright extension results in public contempt

The longer the duration of copyright the more difficult it becomes to persuade consumers whose interests are sidelined by these deals to behave in a manner that respects copyright. The UK Gowers report and recent US Supreme Court rulings found there to be no commercial purpose in extending copyright beyond the period needed to incentivise the creation of work which otherwise would not be created. The reason these copyright extension deals are struck is because politicians like to be supported by the interests vested in it and not because of any defensible public benefit.

The rest of us who are taxed without representation by these disreputable backdoor deals are given ever less reason to behave as if copyright mattered.

Worm breeds botnet from home routers, modems

Richard Kay

hardware authenticators

Software password security will only get you so far before the limited capacity of human password memory is insufficient for brute force password guessing techniques. Locking out a guesser temporarily after a certain number of bad guesses helps, but this adds complexity. The solution has to be a standardised protocol for hardware authenticators so that everyone can carry their own around on a keyring and plug it into a USB or use Bluetooth. This will use public key cryptography and an embedded secret key within a tamper resistant device which no-one needs to know.

With enough support behind a fully open protocol the cost comes down to where every security application can implement it and everyone can carry one. If the key device can recognise the fingerprint of the owner so much the better.

Pro-filesharing Swedish party hopes for seat in Brussels

Richard Kay

No taxation without representation

The reason for having copyright law was originally so that the public would

benefit from works which otherwise would never be produced. But it's gone way beyond that:

a. in terms of how long it lasts and

b. the extent to which it is considered by minority vested interests to trump rights to privacy of communications of everyone else.

It's now a question of how much the politicians will suck up to media bosses who tell crusty voters who to vote for, and how much politicians think they look cool pictured next to aging rock stars who haven't produced a good song in years who are worried about having to sell the odd yacht and country house to pay for their retirement.

Those for whom not being spied upon for sharing stuff is a more important issue than whether or not a few old rockers will have to go on tour again in order to maintain their drug habits know when they are being screwed over.

Either copyright terms will be greatly shortened, and the extent of enforcement reduced so it no longer interferes with private non-commercial communications, or it will be held in growing and deserved contempt by a growing and increasingly organised sector of the electorate.

No welcome in the valleys for Welsh incinerator

Richard Kay

A modest proposal (with apologies to J. Swift)

Obviously the poorest place in Wales has to take the rubbish from all the richer places in Wales. This stands to reason. Poorer people live shorter and more miserable lives so killing and maiming a few from the dioxins resulting from rich people's right to go shopping without concern for all the disposable packaging and non-recyclable consumer waste results in much less harm than if richer people had to suffer the toxic and environmental effects of their own waste.

It obviously wouldn't do for well-off people to have to deal with the consequences of their own rubbish or to have to think twice about the consequences of their shopping habits. The whole economy would grind to a halt if that happened. Having poor people somewhere else doesn't help richer people live better lives unless the poor can be made to do literally anything in order to get a few more pennies coming into their community from elsewhere. Makes me glad to be an economist - I certainly couldn't go along with this if I were to let any sense of ethics get in the way.

One-eyed man creates prosthetic 'surveillance' eye

Richard Kay


No need to reverse the image. The neural circuitry does this for you in a day or two, according to those who have experimented with image inverting spectacles. After you take them off it takes a similar time period to get back to normal.

Microsoft sues GPS maker TomTom

Richard Kay

Bad for US innovation and employment

This lawsuit will only affect Tom Tom's US sales where US software patents apply. There is also a chance Tom Tom will fight it out and get support from manufacturers of similar products who also have something to gain if they can point to a precedent throwing these bogus patents out next time the Microsoft lawyers come knocking on their doors.

It seems as if Microsoft executives are looking at bad sales trend figures and deciding they are having to go for higher risk strategies to boosting revenue if they are to avoid posting losses and their employee share-option pyramid collapsing.

If Microsoft win or get something from an out of court settlement all this achieves, apart from making lawyers and Microsoft a bit richer and Tom Tom a bit poorer, is to make it more likely that research and development will occur outside of the US in future due to the higher costs of doing business there because of all the patent trolls that have to be paid off.

Kaminsky calls for DNSSEC deployment

Richard Kay

@Keith Langmead

"Signing DNS and SSL certificates are two completely different things, and serve completely different purposes."

At first sight yes this seems to be the case. But I think DNSSEC goes further than what it claimed to do in the first instance. There is clearly an overlap in the sense that both provide assurances concerning ownership of a domain name. DNSSEC extends to providing a more complete PKI coverning applications in the sense that the difference between rich@example.com and rich.example.com is one of syntax and not semantics.

Also As I understand this RFC4398

http://tools.ietf.org/html/rfc4398 "Storing Certificates in the Domain Name System (DNS)"

concerns using DNS for storing, authenticating and providing certificates for the purpose of applications other than DNS.

Richard Kay

@Hugh McIntyre

"A possibly bigger political question is what the companies who sell HTTPS certificates will make of this, given that DNNSEC may overlap or reduce some of the need for HTTPs, and the current market for HTTPS certificates makes a bunch of money. This therefore raises the question of who would get the money for all of the DNSSEC certificates if there's a single root signer."

You normally pay annually to have a name in .org or .com or every 2 years to have a name in .co.uk . With DNSSEC the domain registrar will have to provide cyrypto certification services along with domain registration. So I expect the fee for both services will be combined and will go to the registrar, with a share going to the maintainer of the next level up as currently occurs. By killing 2 birds with one stone, this neatly deals with a significant cost in maintaining a cryptography chain of trust, in the sense that keys need to have expiry dates and rollover if revocation lists are not to grow without limit and become unusable over time.

Root zone server operation as I understand this is a collective and not a dictatorship see: http://www.isoc.org/briefings/019/ .

There seems little preventing this collective from deciding to accept another provider as the compiler of the root zone file, which is a tiny set of data that doesn't have to change very often. I imagine that some of the costs of domain registration will go to covering the costs of the organisations which operate the root zone servers and the much smaller cost of compiling the root zone itself. As I understand these, the politics associated with the maintenance of the two letter country code TLDs ( e.g. .uk ) are more defensible than those associated with the global three letter TLD codes (e.g. .com or .org).

Richard Kay

@Chris C

If you don't like the idea of the US managing the top of your chain of trust in domain names there is little to prevent you and a few others with like minds operating another root server which contains a certificate you do trust signing the TLD DNS servers you consider to represent the names in question. Then configure your DNS clients and servers to trust your root server instead of the one operated by the US. You'll need pretty good bandwidth and resilience though, but the budget to do this isn't beyond what a well organised activist group could raise, and could grow with demand for an alternate DNS root.

Also if you don't want to go that far then decide which TLDs you do trust and configure your DNSSEC trust anchors there which override any changes made in the US government root server, and trust the US root server for other TLDs.

Setting up an alternate DNS infrastructure isn't impossible, given that the schools have done this to filter adult content based on domain name, see:

http://www.opendns.com/ .

OpenDNS do this based upon their customers' and users' agenda, so there is nothing to prevent those who don't trust the US to sign the root zone to setup and configure a root zone they do trust. But learning and paying for and operating the technology will give you a lot more traction here than idly arguing the politics if you are not willing to put your money and time where your mouth is.

Google antitrust suit: Is there a case?

Richard Kay
IT Angle

Evil sure. So why should we care ?

For the last umpteen years the strictly limited attention I have been able to spend opposing evil monopolies has been directed against another evil empire, and not the one that employs open-source programmers.

IBM was version 1. Journalists loved Microsoft Abuse of Monopoly 2.0 because it meant they could all use the same computing platform and they didn't have to learn much about computers in order to do so. It wasn't as if Microsoft was manipulating their industry. But it was and still does manipulate the industry of El Reg. readers.

So in what sense does Google Abuse of Monopoly 3.0 adversely affect the interests of programmers and IT technologists ? In one sense the fact that something similar comes along to manipulate the interests of those who have some part to play in forming wider opinion about the undesirability of evil monopolies in general has to be welcome. The one way journalists might be able to broaden any kind of coalition here would be by campaigning for all evil monopolies alike to be made to release source code to algorithms giving unfair monopoly status under open-source licensing.

UK.gov to tap BT as data harvester

Richard Kay

@Captain Jamie

'@ AC 10:14 "Use a proxy/VPN with encryption and an endpoint outside the UK." - please could you put that into non-techie speak?'

My thoughts exactly (using an encrypted VPN that is). Having an endpoint outside the UK involves renting a virtual private server in a country whose laws and enforcement you have reason to trust more than the UK. VPN means virtual private network. This tunnels your internet connection using strong cryptography. Those monitoring the connection just see scrambled packets between your home and the virtual server. Those you interact with using the Internet see all your connections as if these originate from or terminate at your virtual server as opposed to your home address.

Cost of a VPS: about £15/month, cost of OpenVPN: free

As you need an interpreter, you'll probably also need to hire a Linux consultant to set this all up and manage/support it for you. Ask at your local Linux user group or a LUG local to the endpoint server in country of your choice.

Further reading:



MS puts up $250K bounty for Conficker author

Richard Kay

How to blackmail domain owners

"Microsoft is partnering with security researchers, the Internet Corporation for Assigned Names and Numbers (ICANN), and operators within the domain name system to disable domains used by Conficker"

So all you have to do is program a botnet worm so it can be controlled by the domains you want to get disabled. Then blackmail the owner of said domains to get these removed from your list.

Which wireless technologies will get credit crunched?

Richard Kay

standardised DC power

The standard that seems to matter here is USB. You can now buy mains bricks that recharge USB fed devices and a growing range of rechargeable gadgets need no other power supply.

Asus unwraps 10in Eee with 9.5-hour battery life

Richard Kay

No Linux no sale

In my case. And I will be buying a competitor that does very soon now. Linux users are more likely to want one of these things to access applications on the Net elsewhere, rather than to store data locally so why we would want the cost and battery drain of a local hard disk given flash storage sizes and prices beats me. Frankly Windows client support for ssh aware and X forwarding applications leaves far too much to be desired.

Intel plucks power from TV signals

Richard Kay

How long before this wipes out reception ?

If everyone starts harvesting power from TV/radio transmitters this will very soon kill the range of these, as those behind the harvesters will be shadowed and in poorer signal strength areas than would otherwise occur.

However, having a single transmitter locally would enable very many low power devices to be used within a building without needing wiring. Perhaps a frequency needs to be researched and allocated for this purpose

Russian rides Phantom to OS immortality

Richard Kay

Prior art ?

I've developed a few simple database classes in Python for my web application development which means my applications don't have to open/read/write/close files directly in order to persist data. This gives the benefit of managed concurrent access too, in case more than one user wants to update the same record at the same time. Any web application developer who uses a back end database and a reasonably useful database API does something similar.

Interesting idea to develop a full OS around the concept possibly for mobile/embedded use, though the concept isn't a new one.