Re: Sigh. Those were the days.
Remember when there were books (you know, those things with paper) that told people about all "the best" websites?
Posts by nagyeger
237 publicly visible posts • joined 2 Feb 2008
WWW = Woeful, er, winternet wendering? CERN browser rebuilt after 30 years barely recognizes modern web
Want to create fake web profile pics? This creepy AI tool makes them on demand. Plus predictive policing, and more
Monday 18th February 2019 12:54 GMT
Usage rights?
by generating fictitious people you can get past the problem of having to put faces in presentations without violating anyone's privacy.
Anyone know what usage rights thispersondoesnotexist images are out there under? I just know I'm going to be asked if I suggest this to a few people.
It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on
Thursday 14th February 2019 07:41 GMT
Re: Job security
but nobody is hand ploughing the fields any more
Maybe not where you live. And truth-be-told, it's not as common as it was a decade ago here, but it still happens. Judging by how long the neighbour spent trying (failing) to get his tractor going at the weekend, he might be tempted to go back to hay-power.
Disk drives suck less than they did a couple of years ago. Which is nice
Heads up: Debian's package manager is APT for root-level malware injection... Fix out now to thwart MITM hijacks
Wednesday 23rd January 2019 09:48 GMT
Re: "Supporting HTTP is fine,"
Oh.... just read the original problem report... It's NOT tampering with the checksums, it's bypassing them, because (A) the inter-process channel (between apt-aquire and apt) quotes some progress stuff literally from the HTTP communication. and (B) the signature file can include pre-signature junk. e.g. an entire .deb!
Thanks to the extra junk in the channel, the master process gets fed the wrong signatures and dpkg gets told to install the signature file not the verified package, and I guess it ignores the trailing signature.
So it's really an out-of-band data / injection attack that sneaks in an extra payload after the cryptographic checks have passed, and it basically means that someone controlling a mirror can inject anything she likes to her users.
To my mind the roles of master/worker roles probably need rethinking, so that the type of filename replacement used here and such-like aren't possible in future versions, not to mention that the downloader shouldn't be responsible for only half of the security checks.
Wednesday 23rd January 2019 08:52 GMT
Re: "Supporting HTTP is fine,"
Yes, they are, but the checksums are equally unsafe, because ... they're downloaded via HTTP :)
But the checksums are in files which are themselves digitally signed, aren't they? That's why you can't just start using any old repo, but need to tell GPG about the repository signing key too.
And the public key arrives over https, from a keyserver.
Are they saying that despite requiring a key they're not using it properly? I don't understand...
Core blimey... When is an AMD CPU core not a CPU core? It's now up to a jury of 12 to decide
Wednesday 23rd January 2019 07:40 GMT
Re: Another frivolous lawsuit
I thought hyperthreading was basically a set of alternative registers for the same hardware?
My definition of core is probably wrong, but I'd have thought a core was defined by a patch of silicon that would continually (barring interrupts) burn cycles given "NOOP; JMP -1" and had a its own set of general purpose registers.
Hyperthreading fails at "continually" bit. it's just clever time-sharing. branch prediction units, etc. don't have a complete set of their own registers (unless I'm wrong), so they're not cores either. On-chip caches, FPU, prefetch and all the rest of the fluff that keep the bits flowing and feed spectre/meltdown so well cannot be part of the definition of a CPU core, otherwise you're saying that a 6502 / Z80 / 286 / atmega-328p don't have a core.
They bought X houses, and it turned out they were semi-detached. Sorry, you should have read the spec, it's still a house. Round here you can't even guarantee indoor plumbing in a house. Maybe you want it, maybe (because of where you're from) you expect it, but it's still a house without it.
The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit
Attention all British .eu owners: Buy dotcom domains and prepare to sue, says UK govt
Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage
Microsoft polishes up Chromium as EdgeHTML peers into the abyss
Tuesday 4th December 2018 19:31 GMT
Re: I'm possibly not alone here.
Someone who's endpoint IP address said they're in the Ukrainian Republic has told their browser it's a
googlebot.... Which shows an odd attitude to security, since they' were about the only browser that can't talk TLSv1.2. connecting to a site I administer. They need to pretend to be something different or update their browser if they want to pretend that now.
Blockchain study finds 0.00% success rate and vendors don't call back when asked for evidence
Monday 3rd December 2018 08:17 GMT
Re: FWIW
I'm told that there are those who think the market is seeking the stuff's true value which is very likely $0.
I'm looking forward to the time when owning bitcoin is taken as strong evidence of operating some kind of bot-net, selling something illegal or dining on the blood of polar bear cubs (or other global-warming victim), and thus the value in several sectors of society is negative.
Then I can say 'told you so' as I get my coat.
Warning: Malware, rogue users can spy on some apps' HTTPS crypto – by whipping them with a CAT o' nine TLS
Talk in Trump's tweets tells whether tale is true: Code can mostly spot Prez lies from wording
Super Micro chief bean counter: Bloomberg's 'unwarranted hardware hacking article' has slowed our server sales
Another Meltdown, Spectre security scare: Data-leaking holes riddle Intel, AMD, Arm chips
Thursday 15th November 2018 07:36 GMT
Just imagine...
Just imagine that inside your box there were 2 devices. One which you trusted and only ran code that you'd actually installed yourself, and anything that ran anything else (e.g. Javascript) ran on "untrusted" hardware. Then you'd need need to have a way of communicating safely between the two, with some user interface devices and the ability to send data from one to the other, and a fast bus/network between the two. And some machines would have all the oomph in the trusted box and others in the untrusted box for games and stuff, and there'd be a hardware video multiplexer doing it's clever stuff, like an updated version of what we had back in the days of video overlay cards on VGA, so that you don't need to try shoving 120fps video down the network pipe.
Then high spec machines would include extra separate modules hanging off the bus/network so that eg. game engines didn't interfere with google docs.
And there'd be a some kind of manager thingy on the main computer to make sure that let you interact with the different untrusted-compute devices while maintaining isolation. Actually, maybe the display/HID ought to be a separate device, maybe with a really simple RO filesystem, and everything work via that main UI box too. ...
Oh. prior art, my UI box has just basically become an X server hasn't it?
It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling
Wednesday 31st October 2018 16:12 GMT 
kid control / smut filtering
As a parent of teenagers and youger, it's quite handy knowing that my kids are not going to be able to do some involuntary bitcoin mining for nasty.smut.site without going to extreme measures, nor stumble on disturbing rubbish. Blocking DNS except via trusted (blacklisting) servers does that for me, has done that for me, and I hope will keep doing that for me.
Except that firefox has now published a 4 step process to break that entire model.
Given that practically everything uses SNI and so sends the destination host out as plain text these days, the 'poor guy in china' security red-herring is just that, unless he's also using a VPN. In which case, why are we having this conversation?
To my mind this is at least 95% about ensuring that the smut industry can deliver their filth. I really cannot see any other party that benefits from it.
Need a modest Arm Cortex-A CPU in your custom chip? Just apply online. Plus $125,000
Decoding the Google Titan, Titan, and Titan M – that last one is the Pixel 3's security chip
Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials
Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?
Friday 5th October 2018 07:40 GMT
Re: Should we be worried ?
This sounds like a great ignoble prize research topic: (chipped) animal behaviour influenced by external RF sources, via the nice warm neck (or wherever the chip got put) syndrome. What you need to do is set up another (identical) router a few feet away and alternate which one has it's WiFI transmitter on. Correlate with cat's favourite resting place...
Do not adjust your set, er, browser: This is our new page-one design
Raspberry Pi supremo Eben Upton talks to The Reg about Pi PoE woes
Y'know what? VoIP can also be free from pesky regulation – US judges
Monday 10th September 2018 15:54 GMT
Re: "you cannot call emergency services if there is a power outage"
"Add a small UPS, and it will keep on working - the other endpoint should already have it. That should become part of the standard install, though."
It should but they don't, not even round here where power cuts are commonplace.
FYI, there are loads of CCTV type sealed lead-acid battery-backed up 12v power supplies out there, some of which are complete with a nice box and low voltage cut-out to stop you under-voltaging the cells. Cost is around 30quid. Add a low-drop 12v regulator (or a step-down DC-DC converter if you need 5v) just in case your ISP's box doesn't want 14v with ripple, and Bob is the brother of one of your parents, as they say.
I now get at least 8 hours's internet/phone compared to around 1 hour if the thing was going up to mains freq and back to 12v again.
Cobalt cybercrooks phry up phishing campaign to phling at phinance orgs
Friday 31st August 2018 10:49 GMT
2 URLs
It's probably just a little bit of consumer preference/user interface testing. Where are people most likely to click? The link at the bottom or the one in the middle of the screen the user accidentally triggers while trying to persuade their stupid phone to do respond to that really complex user interface interaction known as "scrolling back up to find the delete button".
Or is that just me?
Give yourselves a pat on the back, top million websites, half of you now use HTTPS
Tuesday 28th August 2018 21:36 GMT
Re: I'm not surprised.
Yes, this would be the point that makes me think of rolling out HSTS. But I'm also thinking of dumping TLSv1, and those two decisions put together means some of our readers (the ones with android 4 devices) get kicked off the site....
Maybe I need to convince relevant people we need a mobile version of the site which does older TLS versions, and conditional redirects / header setting.
EU wants one phone plug to rule them all. But we've got a better idea.
Friday 17th August 2018 21:13 GMT
Re: Be much more interested in...
You forgot:
In Europe, the half-hearted attempt at safety shutters on Schuko/french sockets relies upon the pins pushing sloping shutters out of the way, a motion which is only made possible by the presence of some kind of lubricant. When said lubricant has melted/vanished/gone sticky or when the track/pivot on which the shutters are laughingly described as moving is no longer in perfect condition, the only way to get the pins into the socket remaining is wiggle, twist and apply extreme force, e.g. with a large hammer. Said tool of course further damages the shutters and does bad things to the cable, and the whole process may lead to bruising of the head against nearby brick walls.
Add to this the disaster known as "switched socket, what's that?" and you have to unplug / plug in the stupid things far more than you would in the UK.
Google shaves half a gig off Android Poundland Edition
Thursday 16th August 2018 22:39 GMT
Re: Old Linux ?
32K? Thirty two? What luxury! You could play acorn invaders and rat race in 3K, as long as you could get the volume right on the tape player.
3K of RAM really taught you how to watch your code for bloat.
The first Linux distro I used fited on 2 floppies, if I remember right that was including including gcc.
Google risks mega-fine in EU over location 'stalking'
When's a backdoor not a backdoor? When the Oz government says it isn't
Tuesday 14th August 2018 11:40 GMT
data rate
Whats the baud rate for a tin cup and and a piece of string?
If you can get hold of some light, inextensible string, as beloved by high-school physics teachers, then your signals arrive instantaneously (0 propagation delay, since the string will not extend) and depending on the mass of your cup then your data rate could exceed that of all known network cables.
Unfortunately the last time I looked, they'd stopped making it. Something about the laws of physics.
The age of hard drives is over as Samsung cranks out consumer QLC SSDs
Tuesday 7th August 2018 17:08 GMT
Re: Ah, but
C15? C15? Wow, you lucky guy!
Try finding your program when it's somewhere on a C90 and the tape counter's broken.
Not to mention the pain of discovering that even after upgrading to a whopping 3k of RAM you don't have the space to implement a high-score table well as use colour graphics.
Youngsters these days...
Google Chrome update to label HTTP-only sites insecure within WEEKS
Wednesday 4th July 2018 13:19 GMT
Re: Shared Hosting
One little-discussed 'gotcha' of SNI is that, unexpectedly to the user who's been told 'no one can see
what you're browsing with https' ... with SNI they can. Because SNI isn't sent encrypted.
This gets significant when you, say, live in Iran and want to visit 'www.how-to-become-a-christian.org', (or in USA and want to visit 'diy.nuke.designs.nk')
WannaCry is back! (Psych. It's just phisher folk doing what they do)
Google plays cloud catch-up and moves into a place of its own
Buggy software could lock a Jeep's cruise control
You know that silly fear about Alexa recording everything and leaking it online? It just happened
FBI to World+Dog: Please, try turning it off and turning it back on
Microsoft gives users options for Office data slurpage – Basic or Full
Thursday 24th May 2018 20:10 GMT
Re: @Herring`- "is there a chance of any document data being sent to MS?"
Back in the days pre-Y2K, I was a postdoc researcher in space debris impact science, we had various bits of data about the properties of highly compressed metals we were using (for entirely peaceful purposes) that originally came from one of those ^^^ .
The nice guys who let us play with their data would have been rather unhappy at the thought of, say, a (very strictly internal!) report that included such gems being exported to wherever MSoft decided to send it.
I vaguely seem to remember that thermite was one of their recommended disk-disposal methods to ensure compliance with arms non-export / non-proliferation regulations, when more serious tools weren't available. Just imagine the help-desk call for that one.. Hello, I have reason to believe you've just slurped some nuclear secrets. Where do Uncle Sam's guys with the thermite need to go to ensure that it doesn't proliferate?
Advanced VPNFilter malware menacing routers worldwide
Big bimmer bummer: Bavaria's BMW buggies battered by bad bugs
Wednesday 23rd May 2018 05:57 GMT
firewall
Excuse me for being stupid... if I was designing something to connect the engine management system to entertainment system - presumably for display purposes? - it would be strictly one way, probably with 1-way, physically separated opto-couplers, so that some kid pouring coke into the entertainment system had zero chance of inflicting, say, 50w of audio signal onto the can-bus.
Why would anyone want to let the stereo muck about with engine management?
Whois privacy shambles becomes last-minute mad data scramble
Thursday 17th May 2018 11:44 GMT
Re: I'm still waiting for e-mails from Facebook(*) and Google
Isn't this wrong? There are multiple options for the legal basis, consent is only one of them. They might decide they ought to be able to claim that knowing my browsing habits is a legitimate business requirement.
The biggest "problem" is when they used to rely on 'we could do it, and we're too big to bother with fines, so we did it.' For some reason that isn't in the GDPR.
It's Galileo Groundhog Day! You can keep asking the same question, but it won't change the answer
It's not rocket science! Actually it is, and it's been a busy frickin week
Eight months after Equifax megahack, some Brits are only just being notified
It's April 2018, and we've had to sit on this Windows 10 Spring Creators Update headline for days
Thursday 12th April 2018 07:06 GMT
GDPR rights vs MS
I wonder what happens if/when someone (on May 26th) demands MS (a) hand over all the data they have on them (b) delete it, (c) never collects any more, (d) does not contact them for advertising purposes.
Does MS send them a complementary copy of Windows 95, freedos, or ubuntu?
We need to go deeper: Meltdown and Spectre flaws will force security further down the stack
Monday 26th March 2018 10:30 GMT
Oh joy. Added complexity...
My wife half-expects that at some point the sum total of IT/networking/power distribution will become so complex and (for want of another term) balkanised into specialisms, that it essentially becomes impossible for humanity as a whole to maintain it, and then something will break and we'll be back to heating with wood and communicating with pen an ink (or maybe IT jobs will become more critical to society than doctors/nurses and we'll all die from treatable diseases??).
When you add in obsolescence, shortening product-lifecycles and lost/outdated skill-sets (is anyone anywhere employed as a thermionic valve designer any more? How many people can read amd64 assembler compared to the numbers who could write 6502 or Z80 30 years ago?) then I tend to agree with her.
Linux Foundation backs new ‘ACRN’ hypervisor for embedded and IoT
HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed
Friday 2nd March 2018 06:55 GMT
the oldest bad practice in the book.
I <it>have seen</it>, in a book my son was lent by his school teacher, about a year ago, exactly this sort of code. Take variable from $_GET, build string by concatenation, pass to SQL. No input checking at all.
Someone - big name publisher - made money selling that book. Someone wants to make money selling the revised version, which I'd hope talks in detail about sanity checking and prepared statements.
Someone ought to be offering a permanent recall on the early version of the book and free-replacement including shipping to anyone with a copy, because it was plainly never fit for sale. Instead, copies are still being lent to school kids by teachers because the school budget can't afford to restock the library.
Ob disclaimer: I have no connection with anyone in the above certificate fiasco. And I expect that no one bothered fixing it because that would take time. WHY do CAs who ask for your private keys still get any custom?
PCI Council and X9 Committee to combine PIN security standards
Thursday 15th February 2018 19:36 GMT
...to the darkness bind them
I thought the whole thing about the one pin, was that assuming you don't want to be subject to the evil overlord, you needed to throw it into Mount Doom? (see icon for effectiveness >>>>)
Now all we need to do is work out how you that to the customer services bod....
Biting the hand that feeds IT
