* Posts by djs

37 publicly visible posts • joined 26 Mar 2008

GoDaddy stopped by massive DDoS attack


Re: Hacker?

I am not defending the term "hacking". I'm suggesting that the media calling script kiddies "hackers" feeds their egos, and perhaps that is the actual reason they make a nuisance of themselves. Call them what they are.

Taking down a few DNS servers is not a massive challenge, and could be done by more or less anybody for the downloading of a script. Just like letting down car tyres.



Can we stop calling these morons "hackers", please? DDoS is about the intellectual level of letting the air out of car tyres. How about "obnoxious wanker" instead? It even sounds a bit like his handle. Maybe that's what he meant but he just couldn't spell "obnoxious".

British Waterways charity mapping data handed to Google for free


Re: Coming to a browser near you soon


Mozilla to drop Windows 8 Firefox bomb on IE 10


Re: IE still exists?

Chromium's core is webkit, which used to be KHTML, which was the renderer for the KDE project. KDE is a desktop environment for Unix, and Windows NT (hence XP, Vista, 7, 8, ...) is meant to be a Unix killer.

Firefox is based on gecko, which was the cross platform renderer for Netscape6. Internet explorer was specifically meant to kill Netscape.

Using either as the core of IE would not just be microsoft admitting that they had failed to kill Unix or Netscape (the technology, that is, since netscape the company is quite clearly dead), but actually admitting that after all these years of trying, they're still totally out-classed.

The 'one tiny slip' that put LulzSec chief Sabu in the FBI's pocket


Re: You need more Research

You also need to do more research if you think being capable of being used as a transparent proxy has anything to do with anything. Tor has many weaknesses and shortcomings where anonymity is concerned, but this isn't one of them.

Warp drives are PLANET KILLERS, Sydney Uni students find


every GPS enabled mobile phone contains a relativity corrector

Shhh! Keep your voice down! If Stephen Fry hears that he'll be postulating that reading email on his Jesus phone is theoretically capable of initiating time travel.

Stratfor so very, very sorry in wake of mega-hack


As you may have realised, my collision comment was in response to the comment about Gerhard Mack's password being wrong, and even then I qualified it with a lack of confidence in my inference.

As for encrypting the hash store -- that's all well and good, until it turns out that your hash store is a database table, and the front end to that database is vulnerable to sql injection. No idea if that had anything to do with how they got the password and billing details, but since stratfor got almost everything else wrong, it wouldn't surprise me if simple script kiddie stuff played a big part.


Without knowing what hashing algorithm was used for the passwords, it's impossible to speak with confidence, but there's always a possibility of hash collisions -- you may have had the world's greatest password, but a weak hashing algorithm might result in a collision with "password123".


My understanding is that passwords were hashed. It's credit card and other sensitive ID information that was not. md5 is useless for these things, because you need to be able to decrypt them for repeat billing and the like (otherwise it'd be safer not to store them at all).


I'm not convinced the DPA has much to say about an American company's American databases on their American servers in America.

Well, unless they also have something called "the DPA".

Carrier IQ meets feds 'to educate them'


In the same vein, I wonder if Carrier IQ have stopped beating their wives yet. I don't suppose anybody thought to ask them?

Private investor pays $1.3bn to don Blue Coat


Verb definition competition

Best definition of the verb "to internet" that makes sense when the infinitive is followed by "access" wins a feeling of smug self satisfaction.


Solar winds are blowing away the Moon's topsoil - NASA


I blame Maggie Thatcher ...

Potential ALIEN LIFE habitats FOUND ON MOONS


Do you really need the joke explained to you?

If you read only the upper case words, the headline is "ALIEN LIFE FOUND ON MOONS"

Or, in other words, it takes the piss out of the sun and its sensationalist headlines.

Scareware slingers stumped by Google secure search


Logically, if you need to suppress the Refer(r)er header when you cross from https to http for privacy reasons, it only makes sense to do the same when you cross from one domain to another when using https for both (since you don't want sensitive information from example.com to get logged in the access log for nosey-buggers.net)

Therefore, regardless of what rfc2616 requires browsers actually do, suppressing all referral information would actually be in the spirit of the document, while passing potentially sensitive information along would not.

I have no idea which google actually do, but since they call it "secure", I'd imagine they do the sensible thing and suppress for all.


rfc2616 isn't for google to play by -- it's the browser that does not send the refer(r)er field if it's crossing from a secure request to an insecure request, not the server.

UK punters happy to pay £3 to top up e-wallets


Let me tell you a story. A long, long, long time ago we had this thing called "paper money" and you could receive it from a "hole in the wall". There was a complicated arrangement where some of these things charged you for dispensing paper money if you didn't have the correct magic icon on your magic token.

People bitched like you wouldn't believe about this.

Now there's a much simpler arrangement where only a few machines charge you money and they announce how much in big letters on the screen. Also, it's not that much.

It seems to me that some people do not wish to learn from the past. In the meantime, I'll stick with good old fashioned paper money. It's a lot harder to steal than any of the high tech alternatives.

Anonymous hacktivists turn rapper on YouTube, iTunes



"People need to understand that lyricist jinn is a fully independent artist with limited capabilities, listen to the lyrics and humble yourselves."

Should read:

"People need to understand that lyricist jinn is an individual with limited abilities."

PayPal to move into the shop - without cards or NFC


Employing door lurkers to check the receipt on your phone does more than move the problem from the checkout to the door, it actually makes things worse by taking multiple short, parallel queues and turning them into one long, serial queue.

Hey dumbo, Facebook isn't sharing telephone numbers


Re: Too easy

You are absolutely correct. However, that flies in the face of facebook's business model, which is to harvest as much information about EVERYONE as they possibly can, so that they can turn it into targeted advertising revenue.

It is not in their interests to do the right thing, so they won't do the right thing. This is true for all businesses, whether it's google, facebook or Tesco (you don't really think clubcards and nectar cards are about getting you a better deal on your shopping, do you? The POS terminal is a data-harvesting device and loyalty cards are the GUID that helps stores to tie transactions together).

Congratulations, 1984 arrived a very long time ago.

Will the looters 'loose' their benefits?


Re: unbelievable

If the circumstances were right, I would be a looter. I'd be among them. I freely admit it.

I wouldn't be looting jesus phones, crackberries and plasma televisions, though. I can live quite happily without that crap, and so can they.

Food. I'd loot food, if I were starving (or the world had just ended and I felt a sudden need to stockpile for the future.)

Things would have to be pretty damned hairy for me to take something that I have no right to, though, and I can imagine no situation so dire that I would go out on the rob for a new telly.

How LulzSec pwned The Sun


Rare, not rare earth

Nobody said it was rare earth. Just rare, like gold or platinum (which also aren't rare earth metals, but are rare all the same).

Credit processors targeted in fight against spam


Stopping spam in two less easy steps

1. All mail client producers (including webmail outfits) must update their software to REJECT HTML/rich email. Let's be honest, nobody really needs to be able to send email in fluffy pink comic sans. This almost completely neuters phishing (sure, you can try the old http://www.paypal.com@mynefariousdomain.net trick, but it's a lot harder to dupe people when you can't hide behind <a> tags). This also makes it harder for image spammers (popular with the pharmaspam crowd) to get their image looked at.

2. Encourage the widespread use of public key crypto. Educate people to use it. Have all mail clients refuse to accept mail that hasn't been both encrypted AND signed. MUA providers should have their tools mark mail signed by a key that is not in your WoT as untrusted so that the user gets a visual cue to approach with caution. When you sign up for a service, you should receive their public key and they should be able to receive yours (either by direct submission from you, or from a public keyserver). This would freeze spammers out by making it less likely that their mail would ever get read. This might even get rid of those annoying boilerplates about "misdelivered email" -- if it's been encrypted with YOUR public key, then it stands to reason that YOU are the intended recipient, right?

Okay, so there might still be some spam, but it's unlikely to be profitable and should be much more manageable (unless the spammers find new ways to be sneaky).

If you want some extra homework, consider deeper architectural changes to how email works, such as DJB's IM2000.

Desktop Linux: the final frontier


Oh, and a point of pedantry

It wasn't a script. It was a command, typed on the command line, directly at the point of interaction. It could be made into a script easily enough, but it wasn't one.


VBScript and SMB?

If you are prepared to arse about with substrings, VBS may well be able to do what my bash does. I'd rather not have to write it, though. Powershell may be a better bet (since it was intended to provide unix shell-like scripting capabilities to windows, which, in microsoft's estimation, were lacking. Make of that what you will), but you'd know better than me.

We could have used SMB (via samba), but we didn't because only a complete tool would use SMB for a one off transfer, and it would have taken considerably longer (not in set up time, which is near instant, but in transfer time -- SMB/CIFS is very, very slow -- we might as well have used netcat over wireless if we wanted it to take an hour. We could also have used WebDAV (again, not fast) or NFS (absolute PITA)).

AFAICT, windows hasn't improved since windows 3.11 (I have vista for work, which I try to avoid using. Not impressed)


Name one thing ...

Okay, I'll bite the troll-bait ...

There is nothing you can do on *nix that you cannot do on windows without a little thought. However, if you know *nix WELL, there are things that you can do very easily and naturally that are neither easy nor natural on windows.

Two examples from my real life:

Several years ago, I was asked to rename all of the (few thousand) image files in a directory so that they had the string "_dpr" between the stem and the extension. I came up with a bash incantation looking something like this:

cd /path; for ext in jpg png gif; do ls | grep "\.$ext$" | while read file; do mv "$file" "$(basename "$file" ".$ext")_dpr.$ext"; done; done; cd "$OLDPWD"

(On windows you'd either spend all week on the task or install cygwin and use a *nix style shell to run a *nix style command, so it's possible, but not particularly natural).

A few weeks ago, a friend and I wanted to exchange a few GB of data. With no USB sticks to hand, we fished out a length of crossover (because the wireless network would have been painfully slow) and used netcat (he typed 'nc -l -p 1234 >file.dat'; I typed 'nc his-ip-address 1234 <file.dat'; it took about a minute, maybe two)

On windows you might manage to find a native build of netcat, or you might set up a one-off FTP server, or you might go out and buy a USB stick, so you could do it, but it would be neither easy nor natural (and it would probably take you longer than a minute (including faffing about time), even with a length of crossover).

I have a few more (increasingly boring) anecdotes in a similar vein. I tend to acquire one every couple of years.

It may be that the converse of my thesis is also true, that there are things you can easily and naturally do on windows that are neither easy nor natural on *nix, but if there are, I am yet to find them. Perhaps you could furnish us all with an example or two, that you have experienced in your real life?
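As an added illustration of the rename task in the post above (example code written here, not the poster's own one-liner): the same "_dpr" rename done with a glob loop instead of parsing `ls`, so names containing spaces survive intact and existing files are never overwritten. The function names `add_dpr_suffix` and `make_sample` are chosen for this example.

```shell
#!/bin/sh
# Rename every *.jpg, *.png and *.gif in "$1" from stem.ext to stem_dpr.ext.
# A glob loop (rather than `ls | grep`) hands over each name whole, so
# spaces are not a problem; `--` stops mv reading a path that begins with
# '-' as an option; `mv -n` refuses to clobber a file that already exists.
add_dpr_suffix() {
    dir=$1
    for ext in jpg png gif; do
        for file in "$dir"/*."$ext"; do
            [ -e "$file" ] || continue              # glob matched nothing
            stem=${file%.*}                         # path without extension
            case "$stem" in *_dpr) continue ;; esac # already renamed: skip
            mv -n -- "$file" "${stem}_dpr.${ext}"
        done
    done
}

# Constructed sample directory (not real data) to exercise the function:
# a plain name, a name with a space, a name starting with '-', and a file
# whose extension is not on the list and so must be left alone.
make_sample() {
    d=$(mktemp -d)
    touch "$d/cat.jpg" "$d/a b.png" "$d/-dash.gif" "$d/notes.txt"
    printf '%s\n' "$d"
}
```

Running `add_dpr_suffix` twice on the same directory is safe: the `*_dpr` check leaves already-renamed files untouched.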

Penguin chief: Linux patent and copyright FUD 'not relevant'


It is FUD when Microsoft says linux violates a patent or 370

Particularly when they do not specify which patents they are referring to.

The patents in question may be at the end of their lives.

The patents in question may be trivial to avoid, once you know about them (see tridge's vfat patch, for example)

The patents may be blindingly obvious, and unlikely to survive reexamination.

The patent may not actually be infringed at all -- just because microsoft's opinion is that it is doesn't mean that anyone else sees it that way.

If you can't see the patent, you just don't know. If end users and potential integrators cannot inspect the patent to decide for themselves, they are encouraged to assume that the claim is valid, cannot be worked around, and may make linux a liability.

And THAT is why every microsoft patent claim to date has been FUD. They have served to create (some, minimal) Fear, Uncertainty and Doubt in the market. If they weren't FUD, Microsoft could just say "Patents X, Y and Z are infringed, mofo, now make your house clean." (or whatever the appropriate legalism is)

They haven't, and this is very telling.


If Linux Foundation members are "a bunch of angles"

I'd like to nominate Oracle and Google for obtuseness.

FSF to Google: Free Gmail's JavaScript now!


Re: @Guus

The OSI disagree with you.

The FSF say that you have fallen into the open source trap.

I merely point and laugh.

You probably don't care either way :-p


Re: Isn't JavaScript...

The FSF _NEVER_ use the term "Open Source", except when explaining why they don't use it. They are stressing "Free" because they always stress "free"


Re: Bless your hippy mentality FSF

There are no secrets here. The evil hax0rz can already read the javascript in question, as can the competition.

Lindsay Lohan ditches her surname



Light INDependent Space AnchovY

Just don't forget the salty fish payload.

PARIS concocts commemorative cocktail



The classical companion to PARIS was always HELEN (who was the Paris Hilton of her era),

Backronyming HELEN is left as an exercise for the reader.

Facebook Places checks in to UK


Re: The gnomes again

1. As you say

Step 2 is a compound step:

2a. Notice that every Thursday Mrs Jones takes the Jones children to "the park"

2b. Notice that every Thursday at about the same time, Mrs Smith goes to "fleapit motel"

2c. Notice that every Thursday Mr Jones also goes to "fleapit motel"

2d. Conclude that neither wants Mr Smith or Mrs Jones to learn of this

2e. I think you can see where this is going.

3. Profit (again, as you say).

Former FBI agent slams defence tactics in McKinnon case



In the mid 1980s, when the KGB employed a bunch of coke addled German script kiddies to search American military networks for information, and got caught, the US authorities didn't seek extradition. Hell, when told about the activities by some hippie astronomer who'd stumbled across the scheme, they didn't even bother securing their computers.

If activities conducted by proxies working on behalf of the KGB didn't warrant an extradition, why should some geek with a UFO obsession suddenly be in need of such expensive justice?

‘Wikipedia killer’ pilfers blogosphere, taunts bloggers


About what you'd expect

The same Sys-Con that _still_ employs Maureen O'Gara? Seems to me that generally abusive behaviour fits pretty well with their established track record.

I suppose running a blog aggregation site is all you have left when your real journalists and editors resign in protest. I'm just surprised it's taken them this long to notice that nobody seems to write for them any more.

Wikipedia scores $3m donation


"Wikipedia represents a quantum leap in collecting human knowledge"

Isn't a "quantum leap" a jump of the smallest possible non-zero increment? Sounds like real value for money to me...