Posts by Antony Riley

212 publicly visible posts • joined 21 Nov 2007

Red Hat engineer renews attack on Windows 8-certified secure boot

Antony Riley
Facepalm

Aside from the other OS side of things, it will presumably prevent you from running an older version of Windows which doesn't have a signed boot loader. Seems like a very lucrative thing for M$ especially as recently they've had problems getting people to upgrade to newer Windows versions in a timely manner.

I'd be a fan if they made it so the user had a way of modifying the list of keys the bios accepted, of course this needs to be protected so it can only be done through manual user intervention (i.e. not by a virus/trojan/root kit).

Last I checked signing a binary object with a private key is compatible with the GPL version 2 or 3, so I'm not entirely sure how this precludes GPL'd bootloaders, it just seems like another GPL scare story with little substance. E.G. most Linux vendors provide all their software signed with their private key these days.

Yahoo! apologizes for blocking Wall Street protest emails

Antony Riley
FAIL

Fail

And then there's the whole part where they planned to do it on a Saturday. Financial districts are typically dead on Saturdays, even the fast food shops close.

Newzbin2 pirates prepare to sink BT web block

Antony Riley
Thumb Down

I'm pretty sure it's a logical and correct argument, you are however correct that it is probably not a 'good' argument.

Malware burrows deep into computer BIOS to escape AV

Antony Riley
Boffin

Root kits require root to be installed (the installer isn't typically considered part of the rootkit).

Once you have a rootkit installed all bets are off regards any antivirus or operating system protections.

The only protection against this sort of thing is a jumper setting on the motherboard to enable/disable flashing, which I believe many motherboards used to ship with.

The Reg dips toe into social media ocean

Antony Riley

Wtf...

...is wrong with stuffing dead animals, specially ones which died of natural causes.

'Devastating' Apache bug leaves servers exposed

Antony Riley

OOM-Killer

Is a last resort to protect the operating system from becoming unusable, there's nothing wrong with it.

Suggesting some sort of cooperative fail mode is silly, look what happened to cooperative multitasking.

Better sunspot forecasts on the way

Antony Riley
Thumb Down

HAHA

Presentation on the current state of the accuracy of sun spot predictions from 2009 (excuse PDF).

http://www.leif.org/research/Predicting%20the%20Solar%20Cycle.ppt

Well one thing is for sure, it can't get much worse.

Better ATM skimming through thermal imaging

Antony Riley

Simple Workaround

Don't use metal / thermally conductive keys.

Muppets

Man reveals secret recipe behind undeletable cookies

Antony Riley
Thumb Up

Chocolate Cookie (harmless)

Have a cookie for that, good post, I hadn't thought of using the last modified date, but you're right that'd work too.

Oops! Ofcom's DCMS's own blocking easily visible to world+dog

Antony Riley
FAIL

Epic Fail.

#1 Producing a report stating the bleeding obvious.

#2 Feeling the need to redact the bleeding obvious.

#3 Failing to redact the bleeding obvious.

CERN 'gags' physicists in cosmic ray climate experiment

Antony Riley
Boffin

Landscheidt

Whilst the original person predicting the solar minimum which may or may not be happening at the moment was an astrologer, and probably doesn't qualify as a 'boffin' by the Register's stringent policies, at least his theories cover more of "observable, repeatable, testable, falsifiable, reproducible" than modern climate science.

Is Facebook worth more than Google?

Antony Riley
Trollface

Trolling the commentards?

Either that or it's April 1st in whatever part of the universe the author is from.

Java cloud spins Jenkins Eclipse tool

Antony Riley

In other news.

Everybody already moved to Jenkins.

Possibility of a future merger?

About as likely as Apple allowing you to run Mac OS on a PC.

Android app sales skimpy, sluggish, slack, scanty...

Antony Riley
Thumb Up

Proof

that the average iPhone user has more money than sense.

Fight global warming with Asimov-style Psychohistory - profs

Antony Riley
WTF?

Title Required

Date checks on the linked articles seem to imply this is not an April fool. 31st March / 29th March. I did wonder too.

Open-source forkers declare Oracle independence

Antony Riley
Stop

Rewriting History.

I'm sorry.

"Oracle used to have a pretty good rep for playing well with the FOSS community."

Give me some of what you are smoking, they've been pretty much universally despised in the FOSS community for as long as I can remember, almost as much as Microsoft.

Searching for old blog posts regarding Oracle's acquisitions of InnoDB and Sleepycat in 2006 will make it quite clear that even back then nobody in the FOSS community trusted Oracle.

Google and Microsoft relive Joan Collins catfight

Antony Riley
Troll

Unfair competition

Leveraging your dominance in the browser market to increase your dominance in the search market would be a bit like leveraging your dominance in the operating system market to increase your dominance in the browser market. I.E. Illegal and anticompetitive.

That said, the mud wrestling / article was amusing.

Ford cars get draconian parental controls

Antony Riley
FAIL

Pointless

There's already a healthy industry growing up around reprogramming the various computerised parts of a car. Any serious boy (or girl) racer is going to have a friend of a friend with access to the required equipment and tools required to disable any artificial limits on speed and radio volume.

PlayStation 3 code signing cracked

Antony Riley
FAIL

Epic

Now I might buy a PS3.

Diary of a Not-spot: The readers speak

Antony Riley
FAIL

Badgers

Phase means nothing as all networking equipment runs off a DC transformer.

As with all external wiring investing in an appropriate surge protector is a good idea if you don't want to fry your equipment, or alternatively just unplug it in a lightning storm.

Also cat5 cabling works off differential voltage and has no earth, so unless there was a massive difference in the earth voltage you'd experience no problems.

How GCHQ keeps tabs on FOI requestors

Antony Riley
WTF?

I must have missed the point.

So:

1) You can't FoI the security services (we knew that).

2) If you give the security services your name, they'll probably put it in a little black book somewhere (we knew that too).

What's to stop you sending your FoI for a widely circulated document to someone who isn't the security services anyway?

XP? Thanks for the memories

Antony Riley
Linux

X11

Either over ssh using ssh -X or via XDMCP is an alternative.

Pity Ubuntu / Gnome (gdm) seem to have recently made XDMCP harder to configure.

Gotta love those guys at Gnome, keep rewriting stuff and removing features, why don't they just call it windows.

Yahoo! boffin scores pi's two quadrillionth bit

Antony Riley
Boffin

Fail

There are 10 types of people in this world, those who understand binary, and those who don't.

I hope that was an attempt at being witty, but I suspect you sir fit into the latter category :)

Hackers spoof car warning system

Antony Riley
FAIL

Err.

People can typically track cars by their number plates, so yeh, that's a massive worry.

This sort of stuff amazes me, it's already been shown that most of the firmware on electronic components in cars is vulnerable to buffer overflows, spoofing and just about every other sloppy programming mistake in existence.

Combine this with one sloppy mistake in the control software for the tire pressure sensors and you've got something out of a James Bond movie.

Oracle sues Google over Java in Android

Antony Riley
Joke

Java?

There is no Java in Android.

These are not the droids you are looking for.

Boffins develop greenhouse invisible to night-vision goggles

Antony Riley
FAIL

(untitled)

Surely diving in a river to cool off, then rolling in the mud on the bank is enough?

Works for Arnie.

IE and Safari lets attackers steal user names and addresses

Antony Riley
Boffin

Explanation.

Safari & Old versions of IE:

Visit any website and it could steal any information you've ever entered into a form which auto complete has remembered.

Firefox & Chrome:

Visit a website with severe security issues (such that people can steal your cookie and pose as you), and it might delete all your cookies for the site (typically results in being forced to log you out) or steal your login information by presenting a bogus login form which your browser will then dutifully fill out.

Basically if the website is vulnerable to XSS, these are probably not at the top of the list of your worries. To put it in context, if I reported these vulnerabilities to firefox or chrome I'd not expect to receive a bug bounty because it's akin to closing the stable doors after the horses have bolted.

The reporter is perfectly correct to only list Safari & IE as vulnerable in the byline, in fact it shows a level of understanding I'd not expect from most reporters.

Consumer Reports: 'We were wrong about the iPhone 4'

Antony Riley
Boffin

Duct tape

Apparently in Finland and Sweden they call it Jesus tape.

Fring-Skype iPhone slanging match: Telcos v freetards

Antony Riley
Linux

Obligatory N900 Post

The rest of the phone/tablet/whatever might not be to your taste, but it does run Skype smoothly over your data connection.

Online tax scam gang get 40 years

Antony Riley
Thumb Down

Citizenship

Presumably after spending 5 years in the country they're entitled to citizenship like everyone else.

One hopes the sentences are such that they can be kicked out of the country when they get out for good behavior in a couple of years.

Mozilla girds Firefox with 'hang detector'

Antony Riley
Thumb Up

Works too.

That's all.

Tested in Linux 32bit + Firefox + Adblock + Flash plugin + Java plugin.

I don't recall seeing java hang, but flash has plenty of times.

Penguin chief: Linux must 'out fabulous' Apple's iPhone

Antony Riley
Linux

Title Required

Android isn't Linux, it got thrown out of the kernel tree remember.

Rash of Facebook 'likejacks' still flaring

Antony Riley
Thumb Up

likes this story.

"Until then, remember that the number of “Likes” an ad or other piece of content boast on Facebook is largely meaningless."

When aren't they largely meaningless?

Steve Jobs fears Nation of Bloggers

Antony Riley
Dead Vulture

Bloggers.

Well not so long ago, you'd find many derogatory comments about bloggers in a typical serving of El Reg. Nowadays it's more like a blog site, peddling more opinion and less facts, and of course all the anti-blogging rhetoric has vanished (So I have a couple of authors in mind here).

On the one hand I don't mind informed bloggers posting their opinions so much, and many bloggers do post informed opinions (not necessarily the ones people follow).

Some might accuse news agencies of doing little more than peddling their own style of opinions on other people's news, and they'd probably be right in a lot of cases.

I think Steve's opinion is only half the story, the half which helps him sell more shiny toys.

People seem to like opinions that fit in with their own, heaven forbid we have to think for ourselves.

Mozilla blocks Firefox Java plugin

Antony Riley
Boffin

Java

For some time java updates have left historical versions of java around. (E.g. upgrading from 1.4 -> 1.5 etc, leaves the previous version hanging around on your drive). I think the idea is to support previous versions of java fully.

Java 2 is Java 1.2 or higher (Sun never did use easy-to-understand version numbering).

Java Webstart is the thing that's causing all the security related issues, not applets.

It's a shame because other than the recent insanely stupid security hole Java Webstart is a very nice cross platform way of deploying a java program to a client machine, securely and with a nice "Do you really want to do that Dave?" popup if you want local file access / network access etc.

An example of stuff that can be done in webstart can be found here:

https://j3d-webstart.dev.java.net/test/

This is not stuff you can do in an applet, and you don't have to worry about "Microsoft VM for Java" because it doesn't support web start (thank god).

It would be reasonably accurate to say "Microsoft VM for Java" is responsible for the bulk of Java related security problems over the years, and for the majority of applet compatibility problems. You would be forgiven for thinking it was a successful attempt by Microsoft to sabotage Java in the browser. No, I'm not bitter, much.

You get Microsoft VM for Java if you don't install a JRE from Sun (at least up to and including Windows XP, I don't know about Vista/7). I'd rather <strike>pull my toenails off with pliers</strike> have the Sun version myself.

Oh yeh, it's Oracle Java these days, forget everything good I said about it, it will take your first born.

Why Nominet disconnected 1,000 sites with no court oversight

Antony Riley
Stop

Oh ffs,

If it wasn't the police that had told Nominet about the domains being used for criminal purposes, and they pulled them for breach of contract we'd all be praising Nominet, for giving a shit.

The sites were taken down for breach of contract, if you breach a contract, you can't complain when it gets pulled, this is life.

Firefox 3.7 to feel need for speed with multicore boost

Antony Riley
Boffin

Chrome / Firefox / Sunspider

Firefox 3.0.16 -- 5349.8ms

Firefox 3.5.6 -- 2013.8ms

Firefox 3.7a1 -- 1405.8ms

Google Chrome 4.0.249.43 -- 729.6ms

Ubuntu Jaunty x86 running on a AMD Athlon(tm) 64 X2 Dual Core Processor 4000+

That's with ad block plus installed (no noscript, it breaks the web) on all 3 firefox.

Personal choice: I run firefox 3.7. Chrome is unstable with flash sites, and likes to flicker when redrawing the screen.

Regards IE8, I think it does appallingly in most javascript benchmarks, so I don't know why the article mentions it as a contender. For religious reasons I refuse to use any version of IE (Anyone who's done any reasonable amount of web development / javascript over the years should be able to understand that).

Hackers declare war on international forensics tool

Antony Riley
Joke

Smells like a virus.

Someone press the publish button on next year's April fool?

Google expands plan to run own internet

Antony Riley
Big Brother

DNS

For the last 10 or so years I have been running my own local recursive DNS server because I do not trust other people to be capable of running a DNS server.

The reasons are:

1) Reliability - You'd think ISPs could run working DNS servers, this is the reason I started running my own initially.

2) Security - There have been numerous DNS cache poisoning exploits over the years, by running my own DNS cache behind a firewall I manage to avoid a lot of them (not all).

3) Hostname filtering - DNS is not the place to do hostname filtering, and recently ISPs in many countries have started implementing block lists at the DNS layer, either at the behest of government or of their own volition.

Google could certainly manage to run a reliable and secure DNS service (certainly better than most cash strapped ISPs). When it comes to hostname filtering they'll probably cave in to governments, they have quite a bad track record on this.

However anyone who's ever run a tcpdump for DNS traffic knows quite how much about your browsing habits, and even what software you have installed leaks out on to the internet. Google already has enough data about your browsing habits, why give them even more.

Bug puts net's most popular DNS app in Bind

Antony Riley
WTF?

"Rare but remote" ???

Bind has suffered heaps of exploits of various sorts over the years. I'm with DJB, it's a pile of steaming poo, even if he is an opinionated old git.

For comparison:

http://www.kb.cert.org/vuls/byid?searchview&query=bind

http://www.kb.cert.org/vuls/byid?searchview&query=djbdns

http://www.kb.cert.org/vuls/byid?searchview&query=nsd

I'd agree with DJB more if he didn't have to rewrite syslog to implement a good dns server.

Catholic priests, scientists head to Rome to ponder alien life

Antony Riley
Grenade

Lay off Catholicism.

The vast majority of Catholics do not believe in a literal interpretation of the bible.

You are getting confused with several other cults, such as Jehovah's Witnesses, and whatever form of Christianity is prevalent in the USA where they believe creationism has a place in science/schools.

If you want to criticize Catholicism stick to more obvious subjects like condoms, lack of female priests and the special hell you will go to for not going to church/confession periodically, also the psychologically unsound practice of chastity for priests and nuns and the belief in black magic arts.

I was brought up as a Catholic, and am now an atheist. It's OK though, as long as I ask forgiveness I can still get into heaven.

Hack slots hotspots into Windows 7

Antony Riley
FAIL

Linux Fail.

You've been able to do this in BSD with most hardware for years.

Linux, haha, yeh right, the wireless stack is more of a mess than the audio stack.

US DoD snuffs open-source 'misconceptions'

Antony Riley
Thumb Up

DoD/Open source

Parts of the DoD are quite familiar with open source, a project that comes to mind is Shadow IDS (GPL, NSWC, now abandoned).

An old, but nonetheless valid example.

Firefox blocks and backtracks on 'insecure' MS add-ons

Antony Riley
Gates Horns

What they should have done...

Is blacklisted the plugins Microsoft installed via an operating system update from day zero.

If Microsoft want to provide Firefox plugins, they are quite capable of managing to do it the same way everyone else has to.

Bloggers howl after conference snoops on 'secure' network

Antony Riley
WTF?

Conference Win

Anyone attending and complaining should be informed that anyone at the event could have been snooping on the network, it's just a switched network so you could easily spoof the arp address of the gateway for instance and intercept all outgoing traffic (you know, the part that usually contains unencrypted credentials).

So why are they complaining that the event organisers did it as an exercise in education?

Pretty good piece of education if you ask me.

A better piece of education is that everything which says "secured" on the tin isn't necessarily secure.

Microsoft howls as Google turns IE into Chrome

Antony Riley
Grenade

Evil Google?

I seriously doubt the plugin contains code which calls home to Google. In any case it would be easy to prove if it did, because unlike Google's Chrome browser, it is entirely open source.

So until someone comes up with concrete proof (which should be pretty damn easy), I suggest that the people calling Google evil should probably shut the hell up for now.

Not that Google isn't evil, just that writing plugins for competing browsers to make them 10 times faster and something resembling standards compliant probably isn't indicative of evil.

Antony Riley
Coffee/keyboard

HAHAHAHAHAHAHA.

HAHAHAHAHAHAHAHA

I think I've finished laughing now.

I remember just the other month Redmond was telling us all how easy it was to write IE plugins, whilst trying to compete with Firefox.

I guess they didn't see this plugin coming.

64-bit Chrome takes centre stage in Linux land

Antony Riley
Linux

RE2: Is there a need for a 64 bit browser?

Myths:

1) 32 bit ones may not run as fast or may have problems.

Typically 64 bit apps run slower because they use more memory for their data structures as they have to store 64 bit address pointers instead of 32 bit. As for reliability this is down to the individual program, it would be easy to conclude 64 bit applications are more unstable because they are not tested as well (or even at all), and they do not have as many users to find and complain about bugs.

2) If you have 64bit hardware you ought to use a 64bit OS.

Why, it also supports 32 bit. The only real advantage 64 bit gives you is the ability to have more than 4 Gb of address space, which in the real world translates to the need to run processes which use more than 2Gb of memory total for most people (or if you use XP and have more than 4Gb of memory total, because XP does not understand PAE).

Admittedly having both 32 bit libraries and 64 bit libraries can be hard to setup for some users.

3) 64bit chips have some virtualisation functions built in too, not sure if these work under 32 bit OSs.

They do, you can even run a 64 bit guest OS under a 32 bit OS if this floats your boat. Just don't expect to be able to use more than about 2Gb of RAM for your virtual machine (see addressing limits under (1)).

So to sum up, the reasons for running a 64 bit browser:

1) Your browser uses more than 2Gb of memory (almost believable with Firefox).

2) You are incapable of configuring 32 bit libraries on a 64 bit system.

3) It was easier to install the 64 bit browser because it came like that.

4) You are an idiot who thinks that higher numbers are always better.

HP sued by own sales reps

Antony Riley

@UkForest

Who's to say that it's down to your brilliant marketing skills, and not down to the product being more polished because of some geek who works 24 hours a day because he enjoys it, and probably doesn't even claim overtime.

If you want the bonus, work for yourself not somebody else.

You make a valid point though, salesmen are typically more motivated by money than say programmers, hence why in the real world they tend to get more bonuses. Nothing to do with their contribution to the company being any greater than the people building/designing whatever it is they're selling. Frankly it sucks, but that's the way of it. Don't expect any sympathy though.

Facebook secures ex-Google brain trust

Antony Riley
Coat

Facebook SECURES!

See title, HAHA

I'll get my coat.