* Posts by Paul Crawford

5665 publicly visible posts • joined 15 Mar 2007

'No deal better than bad deal' approach to Brexit 'unsubstantiated'

Paul Crawford Silver badge

But is it an incorrect analysis of the situation?

Yes we can walk away with WTO terms, and if we don't reach agreement in 2 years that is our only option (short of the other 26 agreeing unanimously to keep on talking). And while that might be good for the government in terms of appeasing voters fixated on immigration / free movement of people, it would be a serious blow to our industry that has major trading relationships with the EU after 40-odd years.

Wi-Fi sex toy with built-in camera fails penetration test

Paul Crawford Silver badge

Re: mobile in their trouser pocket

Especially if it's an exploding Galaxy model.

And no, I am not *that* pleased to see you!

Power plant cyber threat: Lock up your ICSs and SCADAs

Paul Crawford Silver badge

Re: Really bad design

Air gapping also gets interesting when WiFi or Bluetooth enabled components come into the mix.

That is a rather odd way to think of "air gapping". Really if you are accessible from the outside by wired or wireless means you are more vulnerable. Even with secure protocols it would still be relatively cheap to jam such systems from short-ish distances. Detectable for sure, but easier than getting inside a plant and depending on your attack it might just be enough to magnify the general chaos.

Paul Crawford Silver badge

Re: Really bad design

Or does it actually just need the attackers to get someone/something to carry their data into the plant, which is a whole different (and much easier) task, as Stuxnet and others have shown.

And you think some two-bit script kiddie can pull that sort of thing off?

Sure we saw Stuxnet as a major achievement in cyber-attack in many ways, but if you have the combined might of USA & Israel determined to do something, it will be done. Or a bunker-buster bomb or three.

Paul Crawford Silver badge

Re: Really bad design

Yes, but air-gapping rules out the 3 billion internet-connected devices out there from having a go and forces any would-be attackers to actually physically infiltrate the plant.

And that is a difficult and very high risk approach as whoever is caught (assuming not shot on sight) can't wave their hands and say it was the Russians/Chinese/USA/Israel/etc with little evidence to back it up.

Canadian court refuses to let Feds snoop on Megaupload servers

Paul Crawford Silver badge

Re: What's he done wrong that others haven't

In short - not big enough and not American.

Take a look at the complaints about YouTube screwing over artists / producers since its inception and wonder if it did not have Google's might behind it and all that lovely campaign money to US politicians why it survived.

Edited to add: As Adam also raised the point - Google too has the ability to restrict copyright material but only if you sign up for a pittance from their services. https://www.theregister.co.uk/2016/04/14/you_and_your_wellies/

Mediaeval Yorkshirefolk mutilated, burned t'dead to prevent reanimation

Paul Crawford Silver badge

Re: Help a foreigner, please

Used to see Æ symbol on older radios for the aerial connection. Oh how I miss my diphthong!

Is this a solution to Trump signing away your digital privacy? We give Invizbox Go a go

Paul Crawford Silver badge

Re: VPN providers

Pays your money, places your trust...

Even if they do have a SECRET spying agreement, do you think that would extend to telling your local councillors or school board about anything you / family might have been up to? Do you think that those TLAs would share such spying intelligence with insurance companies or job recruitment agencies?

In short, do you think that would matter to most people's activities unless very dodgy and they have a high security clearance?

Paul Crawford Silver badge

Re: VPN providers

"I can't speak for the VPN provider, I personally won't use them because unless they are in the Maldives"

You could do a little research such as:

https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/

https://www.bestvpn.com/best-vpn-services/

(a bit advertorial, but they do cover country-of-origin in the pros & cons)

https://airvpn.org/

https://www.mullvad.net/

It is true that ultimately you are placing your trust in a VPN company instead of your ISP & government, but the flip-side of that is VPN providers depend on trust so they are more likely to honour that than ISPs that are (a) open to whoring you to advertisers, and (b) generally under the thumb of the government.

Which is another reason to ALWAYS get a VPN from another country - even if they do log your activity (against any stated policy) they are virtually guaranteed to demand a proper court order in their own country, and not answering some back-door surveillance law of your government. Oh, and don't forget to test your VPN with one of the many leak-detecting sites out there...

Paul Crawford Silver badge

It sounds like a great solution for the technically-challenged that value their privacy.

Let's face it, most people have little to fear from the likes of GCHQ/NSA/FSB/etc because the majority of folk who are likely to be after them or pestering them won't be getting data from such agencies. However, if you are politically important or work high up in a $1B business that is unlikely to be the same case, but then you would have some competent IT folk to take care of you and you would not use a skanky old Android phone would you?

Sadly many don't realise the long-term consequences of world+dog having all of their secrets on hand to monetize via advertisement or blackmail with down the line...

Kremlin-linked hacker crew's tactics exposed

Paul Crawford Silver badge

Re: "...and an endpoint exploitation kit called Scaramouche."

Which is why the EU has invested so much in Galileo! Galileo!

BMW chief: Big auto will stay in the driving seat with autonomous cars

Paul Crawford Silver badge

Re: Gotta agree with BMW here

"given Google and Ubers current attitude to regulations"

One major difference is the big software businesses like Google, etc, have never had to write or certify safety-critical stuff.

Just now they are playing at testing cars on the road but at what point is it all going to be subject to the sort of analysis, testing and approval that companies that write for aircraft systems, etc, have to do? And if not, why not? Why should a motorised object that is more than capable of killing and maiming be programmed by the sort of folk who write web browsers that randomly fall over with "Opps!" messages and think it's ok?

BOFH: The Boss, the floppy and the work 'experience'

Paul Crawford Silver badge

He is a student, with nothing to do on a Friday with the BOFH and PFY. Why go to the quicklime trouble when a simple challenge of a crawl around the local pubs is going to wipe any credible story from him?

Europe to push new laws to access encrypted apps data

Paul Crawford Silver badge

Re: "you stand out like a sore thumb"

No, you just encrypt before using WhatsApp or similar. Unless they decrypt and check EVERY WhatsApp message then they won't see your message as having any unusual characteristics. By the time they do, it's probably too late anyway.

Depending on how any back door is implemented the cost of decryption could be made very high, for example to thwart mass surveillance but keep to the letter of the law, so they would need to have prior knowledge of suspects to check and then you are back to square one - to crack the 2nd level of encryption you need to arrest them and so on to obtain the key, so it's no longer usable for surveillance as the suspects know they are being followed.

Paul Crawford Silver badge

This is the European Commission speaking, largely a mouthpiece for the various EU governments. As such the tech companies should call their bluff and force it to a vote on a law (with explanations of how such a back door won't be discovered and abused) to the European Parliament. Many MEPs don't share the same authoritarian streak and it might just get kicked back when the public realise how their own privacy is being screwed over.

Paul Crawford Silver badge

It won't. Not one bit.

What it will do is try to pacify politicians screaming "something must be done!" to appease Daily Fail-style readers all over Europe.

Windows 10 Creators Update: Clearing the mines with livestock (that's you by the way)

Paul Crawford Silver badge

When I read that my WTF meter went in to the "Oh, this is going to be fun (for a non W10 user)" region. Have we got enough popcorn standing by for those poor users who find they can boot their machine after some weasel-worded upgrade?

Virgin Media suspends 4 staff over misreporting connections

Paul Crawford Silver badge

Re: My experience with Virgin Media has been reasonable

If you really want something stable and under your control - don't use any ISP-supplied router / wifi point.

Get something half-decent that supports an open firmware such as DD-WRT or Tomato (say Linksys WRT1900ACS or similar, maybe also a switch or fancier device to do both) and spend an hour or so reading up on it, installing and configuring it.

Don't forget to set up a separate IP range for "guest WiFi" so your visitors and any dodgy devices (like most Android phones...) are not on any moderately trusted internal LAN's range (also you can bandwidth limit that so they don't throttle your business use). You can also set up a VPN on such a router if you value your privacy, but depending on your usage it might be better to keep the VPN option for mobile devices and/or any machines you use for sensitive data and don't need top-speed or the fixed IP address.

BDSM sex rocks Drupal world: Top dev banished for sci-fi hanky-panky

Paul Crawford Silver badge

Salem reunited

So we have an example of beliefs being used against someone, but because it's not, for example, anti-Semitic or anti-Muslim there is little legal challenge of it nor any apparent need for those in charge to fully justify their actions. Even the accusation of witchcraft these days will get little mention.

Has his interest in Gorean role-playing caused any harm? Have there been any cases of play-partners presenting stories of abuse? If not the Drupal team should shut the fsck up and get on with developing software, not acting as moral police for communities who are probably able to make their own minds up (no matter how odd it seems to most of us).

Ex-military and security firms oppose Home Sec in WhatsApp crypto row

Paul Crawford Silver badge

Re: @ MNGrrrl

If I could up-vote you 100 times I would!

The sad thing is we are dealing with vain and ignorant politicians who want to appeal to the tabloid-reading masses and think that a "technological solution" like backdoors will make that quick and cheap.

It won't, it will fail in its prime goal and cause untold damage to the millions of innocent law-abiding people who have a right to privacy and to secure business dealings.

Manufacturers reject ‘no deal’ Brexit approach

Paul Crawford Silver badge

Re: It'll be fine

"European Council, in agreement with the Member State concerned, unanimously decides to extend this period"

And you can see all of the EU members doing this to help the UK out? Really?

Paul Crawford Silver badge

Re: Speculating

EEA is the least-worst option for UK industry.

But it will piss off the right-wing voters who (largely) wanted Brexit and they are Mrs May's voter base for now.

What do you expect a politician to do? What is best for the country, or what keeps themselves on the gravy-train?

Trump's America looks like a lousy launchpad, so can you dig Darwin?

Paul Crawford Silver badge

Re: Cubesats == more space junk

If put in low 250-350km-ish orbits they won't be up for so long as to cause a junk problem.

Sadly many are in the 600-800km altitude range where they will be for decades or longer :(

Paul Crawford Silver badge

Re: Fuel + oxidizer = thrust

If you look around you should find:

http://library.sciencemadness.org/library/books/ignition.pdf

It's an informal history of the development of liquid rocket fuels. It is an eye-opener of a read for anyone with interest and even a basic grasp of chemistry. Some of the stuff they considered and even tried just beggars belief! But given the original goal was to deliver terminal global nuclear destruction to the Earth I doubt the toxicity or handling problems were very high on the agenda of the day...

(Note the PDF won't show correctly in Firefox but looks OK in evince or probably other PDF readers of your choice)

Bloke whose drone was blasted out of sky by angry dad loses another court battle for compo

Paul Crawford Silver badge

Re: I had my Glock on me

I suspect if you had just shot down some knob-end's toy you might be wary of a visit by said knob-end and some of his "hard when in a group" friends.

Personally I think America's gun laws are damn stupid, but when in Rome do as the Romans do...

Paul Crawford Silver badge

Here was I thinking he was a simple knob for buzzing a family with his toy. Now it seems he has gone that extra litigious length to prove he is really a "grand knob of the 1st order".

Carnegie-Mellon Uni emits 'don't be stupid' list for C++ developers

Paul Crawford Silver badge

Re: Oh, goodie!

"FORTRAN is basically a universal assembler"

Not really. While *ALL* compiled languages eventually result in assembly-level instructions, C is a slightly special case in that it allows quite easy means of arbitrarily addressing memory locations and interacting with asynchronous events such as signals/interrupts. It also has many bit-wise sort of options in terms of manipulating integers, bit fields in structures, etc, that are useful for hardware driver I/O, etc.

That is not part of the usual FORTRAN syntax nor (I presume, not used) COBOL. E.g. FORTRAN 77 had no memory allocation support, you had to define fixed-size arrays at the start.

Paul Crawford Silver badge

Re: Coverity is decent

It is also available free to FOSS projects.

While there are numerous warnings that can be ignored, the golden rule for all such code-profiling tools is to make sure you understand the nature of the warning before you fix it or ignore it.

Also worth a mention are some free (at least on Linux, maybe others?) memory checking tools like valgrind and the good old electric-fence library. While not checking your source code as such, they do help with detecting run-time memory errors such as double-free, leaks, etc.

Paul Crawford Silver badge

Re: That's why an OS shouldn't be written in C/C++

Oh yes, most of the OS kernel should as it needs that sort of memory wrangling and I/O poking sort of thing.

Most of the user-land tools and utilities probably not...

Paul Crawford Silver badge

Re: Oh, goodie!

Remember this: C is basically a universal assembler, created to allow an OS to be written in a largely machine-independent manner. As a result it allows all sorts of potentially dangerous actions (in particular pointers, but not helped by some of the more odd/obscure syntax that sticks around).

Rule #1) If you can't program in assembler with any degree of success then don't use C

Rule #2) C++ adds some better features, and adds some worse features

Rule #3) If safety is more important than performance or universal support use another language.

Rule #3.9999999) Don't use flaky Pentium FPUs

Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals

Paul Crawford Silver badge

Re: so why not just use Dropbox?

Because they can all spy on you?

If you are going to use cloud storage then go for one of the "zero knowledge" types like Sync, SpiderOak, etc, that allow you to hold the only encryption keys for your data.

Softcat purrs as customers buy early to dodge Microsoft hikes

Paul Crawford Silver badge

In related news, sales of KY jelly reached record levels in December...

Error prone, insecure, inevitable: Say hello to today's facial recog tech

Paul Crawford Silver badge

What?

" the faces of 125 million US adults have been stored in criminal facial recognition databases"

Is my arithmetic, etc, wrong or is that about half the US adult population?

Microsoft delivers secure China-only cut of Windows 10

Paul Crawford Silver badge

Re: So...

Can we in the west get a choice of who spies on us please?

Linux-using mates gone AWOL? Netflix just added Linux support

Paul Crawford Silver badge

Re: I would expect high quality ripping to be a problem for Netflix

Let's face it, you can already get high quality rips of practically everything on the torrent sites. This is unlikely to change those dedicated pirates one bit.

But for the rest of the world it makes sense, if you can get stuff legally and without hassle it's worth paying a modest amount for.

Wang, bang, thank you, mang: Acer exec off to sell PCs for Lenovo

Paul Crawford Silver badge

Good to see the crap-ware has not been forgotten by the decent press.

Maybe Lenovo could look at what users want and are willing to pay for, off the top of my head:

1) No crapware or shitty trials to clean off a new machine

2) Choice of OS perhaps? OK MS stopping Win7 ain't going to help.

3) Good screen size and resolution on laptops. None of the shitty <= 900 lines stuff.

4) Useful connector option: at least a couple of older USB-2 style, HDMI, Ethernet and maybe USB-C reversible types.

5) Some hardware switch to hard disable camera, microphone and wifi/bluetooth. Oh and status LEDs to match in a visible place (same for HDD activity and power LED - wtf were HP doing putting them on the side out of view?) so you know if on or off and don't arse around wondering what software is broken.

DNS lookups can reveal every web page you visit, says German boffin

Paul Crawford Silver badge

Re: RaspberryPi + PiHole

Configurable, surely?

Paul Crawford Silver badge

Re: How do you defeat against your own ISP recording your browsing history?

"But can you REALLY trust those VPN providers to actually have the servers located in the countries listed AND not talk to Five Eyes on the sly?"

In any absolute sense - no

But the probability that they do honour the privacy guarantee is much higher than the probability of my ISP preserving my privacy.

Also I don't really have much to fear from the "five-eyes" style of secret service spying, but I do have much to consider if I end up in some dispute with some petty local bureaucrat who can access my web history and I can't access theirs. That is the whole point - to reset that asymmetry in power that the snooper's charter provides.

Paul Crawford Silver badge

Re: How do you defeat against your own ISP recording your browsing history?

very simple: use a VPN provided from another country, ideally one without odious retention policies.

Don't use the PPTP protocol as it's pants in security, ideally use OpenVPN. Then check the VPN is doing its job by visiting one of the test sites (such as ipleak.net or check.ipredator.se etc)

But as others have pointed out, using DD-WRT or similar on your router plus ad-blocking will go a long way for this particular attack. You can even buy routers pre-configured with DD-WRT and VPN in there so all of your home devices get privacy (not too cheap though).

Google Spanner in the NewSQL works?

Paul Crawford Silver badge

Re: What time is it?

Exactly, if you use NTP and lose the time server link you get drift, but if you have local stratum-1 servers (i.e. time-servers that get their time from an atomic clock either directly, or most commonly from GPS time-transfer) that simply should not happen.

Still, all that using 'time' as a marker does is reduce the window of uncertainty in any split-decision issues, it's not like an atomic (computing sense) transaction counter or similar that could be used to eliminate it. After all, you will get some variation in packet delays from originator(s) to SQL-like server(s) so time is not an absolute marker for event order in this case, but if you know your worst-case error is only tens of microseconds then you can at least narrow the window of event/decision uncertainty to be resolved.

Also (back to another rant of mine) on Google time-smoothing - that is a bad idea, but only needed or possibly justified if you use time_t / UTC as your system clock. How do you guarantee drift at stable rates? Keeping all system clocks on atomic time (e.g. GPS, or TDT) avoids the leap-second issues and allows reliable syncing to an atomic-disciplined local clock.

A router with a fear of heights? Yup. It's a thing

Paul Crawford Silver badge

Re: Less air to insulate a PSU

Nope, just checked and it is IEC 61000-4-5 for lightning and industrial surges. Category 4 is 4kV / 2kA surge typically modelled with a double-exponential 8us rise time and 20us decay time.

Somewhere I remember reading that generally normal 220V/240V main is limited to around 6kV peak in any case as the wiring and sockets, etc, tend to flash over if you get more than that incoming (say farm at end of long overhead wires).

Paul Crawford Silver badge

Re: Less air to insulate a PSU

It's voltage gradient that matters, i.e. (volts)/(distance). Going from 2000m to 5000m typically involves a 48% increase in creepage and clearance distances for PCB design, etc.

Edited to add @imanidiot - it's not just the operating voltage, which can easily peak to a significant fraction of 1kV in a SMPSU, but also the need to pass a 6kV lightning surge test for typical safety reasons. That is why most distances are several mm (e.g. 8mm or more) for mains clearance, etc.

Paul Crawford Silver badge

Re: Less air to insulate a PSU

Wrong, the ionisation voltage drops with pressure until you get really low (like near-vacuum) when it rises again. It's a risk for satellite HPA design, for example, as high-Q filter coils and similar with high voltages can arc while it de-gasses, but stops once it really is a space-level of pressure. Which is why neon bulbs are at low pressure...

https://en.wikipedia.org/wiki/Paschen's_law

Also of note is the Chinese safety standards (stop laughing at the back!) specify to 5000m, not the more usual 2000m for UL.

Bloke cuffed after 'You deserve a seizure' GIF tweet gave epileptic a fit

Paul Crawford Silver badge

Re: settings-autoplay=off

There was a time, I distinctly remember it, when web browsers had simple menu options to disable autoplay and animations. Opera was very good at that sort of nicety.

Until they went as a Chrome re-skin, of course. And Mozilla decided to chase Google in the "let's dumb down the browser" competition.

An under-appreciated threat to your privacy: Security software

Paul Crawford Silver badge

Pays your money, places your trust...

Same for many aspects of security & privacy, a lot comes down to who you can place some trust in to help keep your own stuff safe.

When using a VPN then do you trust the provider more than your ISP? Maybe, depends on your ISP and gov of course. More than "free wi-fi"? Almost certainly if it's a half-decent paid provider. But in every case you would still use an encrypted link like https or SSH, wouldn't you?

When using any AV or end-point service capable of seeing inside your network and gathering data with admin privileges? It's a much higher bar to meet, you really have to trust them to:

1) Not screw up and bork the OS

2) Actually stop malicious actors with a high probability

3) Not to leak your secrets deliberately or through incompetence

Intel touts bug bounties to hardware hackers

Paul Crawford Silver badge

"Intel Security (McAfee) products are not in-scope of the Intel bug bounty program"

Why the surprise? Probably would have bankrupted them...

Canonical preps security lifeboat, yells: Ubuntu 12.04 hold-outs, get in

Paul Crawford Silver badge

Re: On the plus side

They only support version to version, or LTS to LTS, so you can't skip one.

So 12.04 -> 14.04 works, but not 12.04 -> 16.04

Or 12.10 -> 13.04 but not 12.10 -> 13.10

Paul Crawford Silver badge

Re: On the plus side

The distro-upgrade usually only works if you have a fairly simple mount arrangement, I have tried it and sometimes it works a charm, other times it failed miserably on machines with odd mounting setups and/or MD RAID in use.

My advice is always put /home on a separate partition, and if you have the space leave a blank ~50GB one as well. Next distro comes along, install it in the unused partition, and once working edit its /etc/fstab file to mount your old /home partition again.

Once happy, you can overwrite your old root partition when yet another new distro is available.
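The fstab step described in the post above, as an added example that is not part of the original comment: it copies the `/home` line from the old root's `/etc/fstab` into the new distro's fstab, refusing to add a second `/home` entry. The file paths and the sample fstab contents are constructed for the demo; on a real system you would point it at the old root's mounted fstab and the new `/etc/fstab`.

```shell
#!/bin/sh
# Added example (not from the original post). Carry the /home mount from an
# old installation's fstab into a freshly installed distro's fstab.

# merge_home_entry OLD_FSTAB NEW_FSTAB
#   0 = entry appended, 1 = old fstab has no /home, 2 = new fstab already has one
merge_home_entry() {
    old_fstab="$1"
    new_fstab="$2"
    # Field 2 of an fstab line is the mount point; skip comment lines.
    home_line=$(awk '$1 !~ /^#/ && $2 == "/home" { print; exit }' "$old_fstab")
    if [ -z "$home_line" ]; then
        echo "no /home entry found in $old_fstab" >&2
        return 1
    fi
    # Never create two entries for the same mount point.
    if awk '$1 !~ /^#/ && $2 == "/home" { found = 1 } END { exit !found }' "$new_fstab"; then
        echo "$new_fstab already mounts /home; leaving it alone" >&2
        return 2
    fi
    printf '%s\n' "$home_line" >> "$new_fstab"
}

# demo_merge: runs the merge on constructed sample files in a temp dir and
# prints the resulting new fstab (hypothetical UUIDs, not from any real system).
demo_merge() {
    d=$(mktemp -d)
    printf 'UUID=0000-old-root / ext4 defaults 0 1\nUUID=1111-home /home ext4 defaults,noatime 0 2\n' > "$d/old_fstab"
    printf '# fresh install\nUUID=2222-new-root / ext4 errors=remount-ro 0 1\n' > "$d/new_fstab"
    merge_home_entry "$d/old_fstab" "$d/new_fstab"
    cat "$d/new_fstab"
    rm -rf "$d"
}
```

Run `demo_merge` to see the merged file; the exit codes let a wrapper script stop before rebooting into a system with no `/home` mounted.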

Paul Crawford Silver badge

Re: Same old story

16.04 is the obvious way to go...but it has stupid systemd-related problems that are still not fixed "out of the box" a year on. Such as:

NTP failing because ntpdate is taking longer https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1577596

Shut-down/reboot scripts hanging for ~1m30 https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1594658

Stuff added in /etc/modules being ignored because it's in a blacklist (e.g. watchdog drivers) which is fscking stupid - blacklisting is supposed to only apply to auto-detected modules. https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1535840

Zombie webcams? Pah! It's the really BIG 'Things' that scare me

Paul Crawford Silver badge

Re: @ Solarflare

Ah, so that is where all those Martian packets are coming from...