Posts by Pete Spicer

201 publicly visible posts • joined 28 Mar 2008


Google devs: Tearing Chrome away from OpenSSL not that easy

Pete Spicer

Because it's too difficult to have a webform that does this as well so I don't have to copy/paste the email address?

Four fake Google haxbots hit YOUR WEBSITE every day

Pete Spicer

What's really funny is that it's even easier than ever to identify the bad bots from the good because the bad guys haven't noticed that the physical GET requests have different headers to what they used to have several years ago.

Sneak peek: Microsoft's next browser (thanks, IE Developer Channel)

Pete Spicer

If it can run independently of IE11 does that mean they finally disentangled it from the OS again?

Waiting gamer slams no-show show: E3 – was that it?

Pete Spicer

Re: Mostly Harmless

Then of course we have Godus. Kickstarter, Early Access... months and months behind schedule and each release makes it worse not better.

Happy Birthday Tetris: It's flipping 30

Pete Spicer

In Mother Russia, Tetris plays you!

Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt

Pete Spicer

As much as TdR is abrasive in style, he does actually care about security, and having been involved in forking software and having to deal with patches, I fully sympathise with his point of view.

In fact, I just donated to OpenBSD because the OpenBSD project actually cares about code quality - and that means users benefit too. That's really important.

Antivirus firm Avast! takes down forums after breach

Pete Spicer

They were not using their own platform, they were using the free and open source package SMF. Exactly what version of it is not entirely clear, and it's been modified beyond pure aesthetic changes from the stock distribution. The extent of modification is not entirely clear.

The method used by SMF 2.0.x series (which is what they're using) is SHA1(lowercase(username) + password), which is what SMF has always used, and the developers are upgrading that in coming releases. I could try and defend the reasons for staying with this but most of them amount to 'OMG we have to keep compatibility with hosts', which is why it wasn't until this week that the 2.1 series actually bumped its minimum PHP version to 5.3+ instead of 5.1+ (and the 2.0 series will work on PHP 4.4.x).

There are no known vulnerabilities in the 2.0.6 or 2.0.7 releases (the 2.0.7 release strictly addressed minor bug fixes and PHP 5.5 compatibility after the preg_replace function deprecated use of /e, both of which are therefore considered 'secure' releases by the developers).

I still wonder, though, whether this was the fault of the software or someone with a bad password. It's certainly not unheard of for admin passwords to have been bruteforced - and all kinds of things that happen afterwards. Unfortunately there is a persistent stubbornness from the SMF team about allowing their package manager to do what it does (find/replace on raw code, which of course requires it be writable!), and anyone who bruteforces or otherwise acquires an admin account subsequently can upload any code they like to the server and most admins leave it insecure.

My understanding is that the developers have reached out to Avast to find out what happened, though details are apparently not especially forthcoming.

Disclaimer: I am one of the people that, in the past, has contributed to SMF. I am not trying to defend my contributions; all I worked on were minor bug fixes and new stuff for the current in-development version as well as providing support.
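As an added example (not SMF's own code), here is the legacy scheme the post describes, SHA1(lowercase(username) + password), next to a salted, slow replacement and a login step that verifies against either form and rehashes on success. The PBKDF2 parameters and the stored-string layout are assumptions, not what SMF 2.1 ships.

```python
import hashlib
import hmac
import os

# Legacy scheme from the post: unsalted SHA1 over lowercase(username) + password.
# The username acts as a weak, predictable salt, and SHA1 is fast, so a dump
# of these hashes is cheap to attack offline.
def smf_legacy_hash(username: str, password: str) -> str:
    data = (username.lower() + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest()

# Assumed replacement: per-user random salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing string so the iteration count can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison to avoid leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def login_and_upgrade(users: dict, username: str, password: str) -> bool:
    """Authenticate against whichever scheme the stored record uses.

    A successful login against a legacy SHA1 record transparently rehashes
    the password with the slow scheme, so the weak hashes disappear over
    time without forcing a reset. `users` maps lowercase username -> hash.
    """
    record = users.get(username.lower())
    if record is None:
        return False
    if record.startswith("pbkdf2_sha256$"):
        return verify_password(password, record)
    # Legacy record: check the old construction, then upgrade in place.
    if hmac.compare_digest(smf_legacy_hash(username, password), record):
        users[username.lower()] = hash_password(password)
        return True
    return False

if __name__ == "__main__":
    # Constructed sample user table holding one legacy-format record.
    users = {"admin": smf_legacy_hash("Admin", "correct horse")}
    print("legacy login:", login_and_upgrade(users, "Admin", "correct horse"))
    print("upgraded to :", users["admin"].split("$")[0])
    print("second login:", login_and_upgrade(users, "admin", "correct horse"))
```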

Shockwave shocker: Plugin includes un-patched version of Flash

Pete Spicer

I haven't seen anything in Shockwave in probably a decade - while in that time I've still seen a bunch of Flash and slightly less so for Java applets (mostly ones that I've been helping rewrite to be not applets!).

I honestly thought Shockwave was a dead thing... what can you do in Shockwave that you can't in Flash?

eBay slammed for daft post-hack password swap advice

Pete Spicer

Did they actually send out emails, because if they did I still haven't had one... (and yes, checked junk folders etc.)

Comcast exec says wired broadband customers should pay-as-they-go

Pete Spicer

Didn't we move away from this nonsense years ago in the first place?

The future's so bright, Google Glass now comes with shades

Pete Spicer

Re: PSS?

Peril sensitive sunglasses. Joo Janta 200 Super Chromatic Peril Sensitive Sunglasses, I assume he's referring to, which turn black at the first hint of trouble, allowing you to develop a relaxed attitude to danger by not letting you see anything that might alarm you.

Hitchhiker's Guide to the Galaxy is responsible for many such witticisms :D

Watch out, Yahoo! EFF looses BADGER on sites that ignore Do Not Track

Pete Spicer

DNT is great in theory, except it was doomed the minute Microsoft decided to make it on by default. A cynic mind might even suggest it was done deliberately to compromise the idea. Don't forget - this is not the first time something major has chosen to explicitly ignore DNT being set, on the basis that you couldn't actually rely on the user having made the choice.

Stephen Hawking: The creation of true AI could be the 'greatest event in human history'

Pete Spicer

I have no fear of true AI being created, mostly because if we can't consistently and accurately solve simpler algorithmic problems (cf. all the Big Security issues lately), what chance is there of us creating a program many more levels of complex that doesn't have fatal bugs in it?

Early! Do! Not! Track! Adopter! Yahoo! Says! It's! Rubbish, Bins! It!

Pete Spicer

Re: Call me cynical...

Except in IE10 (and possibly IE11) where it was ON by default, which sort of mucks up whether the user *intended* to turn it on or not.

Analysts: Bright future for smartphones, tablets, wearables

Pete Spicer

Re: Why should 64 bit drive demand?

I dunno, at the rate we're going, we'll be able to run Crysis on a mobile before long *snicker*

Report mash-up: Apple to sell 65 million $269 iWatches in first year

Pete Spicer

Re: @ Peter Spicer - You know they have reached market saturation

Who actually says Apple does? There's been a lot of speculation about it, sure, but only the analysts are saying it. Thing is, Sony's tried it a number of times, Samsung's Galaxy Gear met with limited success and even Apple isn't so blind that it would try to launch a product in those shown-to-be-lukewarm waters unless it knew it had an angle that was unique and inspiring because the iFaithful aren't *that* faithful.

Pete Spicer

Re: You know they have reached market saturation

If that was intended as a snarky comment about Apple's failings to deliver anything interesting, do remember that Samsung already brought a similar such device out, the Galaxy Gear...

Hotmail-gate: Windows 8 code leaker pleads guilty to theft of trade secrets

Pete Spicer

Doesn't theft also imply depriving the rightful owner of something? Copyright infringement != theft

Hot, young under-25s: Lonely slab strokers who shun TV

Pete Spicer

Re: Going against the trend

You do not need a TV licence to watch TV from a PC provided you are not watching 'live TV', i.e. shows as they are broadcast.

Ref: http://iplayerhelp.external.bbc.co.uk/help/about_bbc_iplayer/tvlicence

"You do not need a television licence to catch-up on television programmes in BBC iPlayer, only when you watch or record at the same time (or virtually the same time) as it is being broadcast or otherwise distributed to the public. In BBC iPlayer, this is through the Watch Live simulcast option.

Anyone in the UK watching or recording television as it's being broadcast or simulcast on any device - including mobiles, laptops and PCs - must, by law, be covered by a valid TV licence.

A 'live' TV programme is a programme, which is watched or recorded at the same time (or virtually the same time) as it is being broadcast or otherwise distributed to members of the public. As a general rule, if a person is watching a programme on a computer or other device at the same time as it is being shown on TV then the programme is 'live'. This is sometimes known as simulcasting."

Note you can substitute ITV Player, 4OD or 5 Catch-up (or whatever it's called now) for BBC iPlayer and everything still holds up true.

Didn't you know? Today's Patch Thursday! Adobe splats hijack bug in Shockwave Player

Pete Spicer

People still use Shockwave?

It's a BLOCKBUSTER: Minecraft heads to the silver screen

Pete Spicer

Re: money in same old .... out

And not, say, because they were trying to use his company's intellectual property without asking permission or signing a licence agreement.

Update your Mac NOW: Apple fixes OS X 'goto fail' SSL spying vuln

Pete Spicer

Perhaps it's an argument for always using { and } to indicate scope of an if statement even if the branch generated is only a single line. I'm not a fan, I only have so many of the { and } in stock, but perhaps I should order some more too...

My smelly Valentine: Europe's perfumers wake to V-Day nightmare

Pete Spicer

Re: "banning cheese next, followed closely by nuts."

I've seen *packets of nuts* with 'contains nuts' on it. Seriously, what is this world coming to?

PSST! New PCs with Windows 7 preinstalled are out there – and will be into 2015, at least

Pete Spicer

Re: Dear MS. Fek off. You owe us another decade.

2 years? No... Win7 debuted in 2009, so we're already 4-and-a-bit years in...

Facebook debunks Princeton's STUDY OF DOOM in epic comeback

Pete Spicer

So which C-list celebrity is going to buy it and prop it up in a few years then? Justin Timberlake is busy with MySpace.

Pete Spicer

I thought the original article had a reasonably intelligent point, but trying to debunk it with the same methods was never going to work. Note: this is all about discrediting the report by attacking its methods rather than about proving that it is flawed for any other reason... it's almost an ad hominem.

Mozilla CTO Eich: If your browser isn't open source (ahem, ahem, IE, Chrome, Safari), DON'T TRUST IT

Pete Spicer

This puff piece is nonsense.

Open source, theoretically, should be more provable as secure than not. Which is fine, if you have the time, resources etc. to actually audit such code.

Real users do not, they do not download and compile from source (Linux on the desktop is increasing, sure, but it's still a rounding error compared to the Win/OS X userbase, and even then most of the time they're not building from source either), they download a 'trusted binary'.

And of course then there is the argument about compilers - I seem to recall a fantastic piece about compromising compilers from Ken Thompson. It was written 30 years ago, but here's the thing... when the Mozilla folks build the binaries for Windows, what do they use? I see from their Windows build requirements page that they use Visual Studio and cygwin in concert (VS for the compilation, cygwin for the linking, presumably? Not clear.) But you're still relying on those tools to be uncompromised. That means trusting VS and cygwin (and possibly gcc) - and you can't audit VS.

http://c2.com/cgi/wiki?TheKenThompsonHack is mildly scary reading. Not totally scary, but mildly scary.

We don't need no STEENKIN' exploit brokers: Let's FLATTEN all bug bounties

Pete Spicer

What about those of us that develop for open source web software? Should we somehow try to find that money too? (Not that the open source software I develop for has anywhere near that amount of money anyway)

RSA comes out swinging at claims it took NSA's $10m to backdoor crypto

Pete Spicer

"At that time, the NSA had a trusted role in the community-wide effort to strength, not weaken, encryption"

Wait, am I reading that right? Why would it ever be in the NSA's interest to make encryption stronger for the masses?

I mean, it wasn't until that long ago that encryption tools required a munitions licence to distribute because they were weapons of a sort. Seems to me that keeping an eye on the industry and maybe slipping the odd slight hurdle into it, on the sly, would absolutely be SOP for them. But maybe I'm just too cynical.

Microsoft bans XXXXBOX gamers for CURSING in online combat

Pete Spicer

Re: 15-18?

Sure, but that doesn't prevent uninformed, or uninterested, parents buying them anyway.

Huge horde of droids whacks code box GitHub in password-guess attack

Pete Spicer

Re: Actually, there are no unhappy SVN users because of this

Actually, there are unhappy SVN users because of this because Github provides a compatibility layer to allow use by SVN clients as per https://github.com/blog/966-improved-subversion-client-support

Winamp is still a thing? NOPE: It'll be silenced forever in December

Pete Spicer

Like some of the other commentators, I moved away from WinAmp with its 3.0 release.

Since I have a decent collection of tracker mods from ye olden games, I wanted a player that could handle reading all kinds of formats and ended up with XMPlay with one of the plugins (DelixTracker) which handles everything I can throw at it.

To the one person who asked about music devices, XMPlay lets you specify which device you want to use, including WAV encoding or LAME (for MP3) or OGG output should you need to transfer formats.

Sueball-happy patent biz slaps lawsuits on 14 tech firms

Pete Spicer

The choice of companies is interesting... I can't help but wonder if it's related to the non-standard disc format Nintendo uses for the Gamecube and Wii.

The reason I wonder that is because while Wii discs are weird, certain DVD drives can read them, especially models from LG...

The importance of complexity

Pete Spicer

Disclaimer: I don't have a degree, however I did tackle the fundamentals of this in Decision Maths as part of an A Level in Maths so while I may not be as boffiny as some here, I do understand what NP problems are and the relevance thereof.

The only time I can actually recall using the various things I learned was in the midst of writing bits for an RTS game, where pathfinding was required. Whether you go down the road of A* or D- or whatever in between, you're still dancing about with Dijkstra's algorithm to some degree.

Having an understanding of the differences between bubble sort, quick sort, exchange sort etc. is always useful too, and where it can be an advantage not to use the good old quick sort (if the data is already mostly or completely in order, for example, quick sort may not be any use to you over a bubble sort).

The other algorithms covered - travelling salesman, shortest method of connecting a weighted graph (like network cabling) have applications out there in the real world but I've never encountered them, and neither have any of the folks I know, but I'm sure there are uses for them.

Sweet murmuring Siri opens stalker vulnerability hole in iOS 7

Pete Spicer

Wait... if you have to unlock the phone, surely you're already going to be able to access contacts anyway?

Samsung Galaxy Note 3 region-locking saga CLEAR AS MUD

Pete Spicer

Re: Please excuse this OT comment...

If Wikipedia is to be believed (both The Register's page and Orlowski's own page), he is the executive editor of El Reg.

Great Britain rebuilt - in Minecraft: Intern reveals 22-BEEELLION block map

Pete Spicer

Re: Braybrook?

I just wondered that myself. It seems almost fitting, really.

Hardbitten NYC cops: Sir, I'm gonna need you to, er, upgrade to iOS 7

Pete Spicer

Re: Disable Find my iPhone?

That's great, until you either want to actually use anything that's on the Internet - or shock, horror use the phone for the purpose for which it was designed, i.e. to actually talk to another human being.

Airplane mode just makes it, quite effectively, an iPod Touch.

One year to go: Can Scotland really declare gov IT independence?

Pete Spicer

I don't really care whether Scotland gets independence or not. My concern is that if they go 'independent', independence should mean total independence - no money from England at all except for things we actually buy from them. No bailouts, no handouts, nothing.

Apple beckons fanbois back into its golden era... of, er, 2010

Pete Spicer

Re: That's not the right way to do it

I didn't have any problem using the current (not beta) versions of Xcode, including the 6.1.3 APIs and whatnot to push a build of my current app to my first gen iPad, which still runs 5.0 (it can run 5.1 but 5.0 was memory hungry enough on it)... Depending on how far back you want to go you might have to jump through a few hoops but that's par for the course when using any of Apple's dev tools.

iPhone rises, Android slips in US, UK

Pete Spicer

Re: I wonder if it's straightforward role reversal

He's not calling you a Chev, he's referring to Chevy - Chevrolet - the car manufacturer. As in 'as a fashion statement they are right up there with Chevrolet', a brand not entirely known for its fashionability, except the Corvette (as noted by the poster)

Microsoft Xbox One to be powered by ginormous system-on-chip

Pete Spicer

I'm intrigued by the whole 'shared memory' thing because it's nothing new at all. I'm not talking about the setup that PCs have had in recent times where the video memory was carved out of the main system memory, but every time I've seen it mentioned, I've just remembered the Amiga.

For those not familiar with the Amiga's innards (and this is a simplification, the real picture is more complex but I've forgotten most of the detail), there were essentially two kinds of memory hived out of the total system memory. The first was 'chip' memory, which could be read by all the main chips, which is where graphics and sound had to be stored. The second was 'fast' memory, which only the main controller could access, meaning that you stuffed application code there where possible, because the CPU could access it faster than it could if it were reading from chip memory. It was also possible to switch some from one to the other (e.g. the later Amigas had a ton of chip memory but a lot of programs expected that if they saw that much memory, some of it had to be fast memory and promptly went splut).

So yeah, sharing memory between subsystems on a more unified level is not a new concept, especially when you're talking about memory that both the CPU and graphics setup can share between and essentially allow the graphics to grab from memory without the CPU being involved... it just reminds me of 1986 or thereabouts...

ISPs scramble to explain mouse-sniffing tool

Pete Spicer

Re: Baffling

Because we're talking about visiting websites and tracking where people are moving their mice on said websites... which means JavaScript...

Pete Spicer

Re: Baffling

Fairly sure that SIMs, MACs and IMEIs are not exposed to JavaScript on any device... but IP address is. And if you happen to be using 3G, the relevant ISP will be able to tie it to a device and thus an owner. But if you're using Wifi, the only thing that should be exposed to the ISP in the browser should be your IP address.

Tesla tops $20bn as Elon Musk claims arm-wave design tech

Pete Spicer

That's true, however I'm reasonably sure the current look and feel of Tony Stark had something to do with Elon Musk; did the original Iron Man comics have the same lovely holographic imagery and handwaving UIs?

Apple's iTunes Radio to launch next month with abundant ads

Pete Spicer

Given the whole 'it's ad free if you have iTunes Match', you might be surprised to see how many people use that instead...

Fanbois taught to use Apple's new killer app: Microsoft Windows

Pete Spicer

Friend of mine is using a 3 year old iMac... and using Parallels to run Steam games where there isn't a native version of the game for OS X. I was watching him play Assassin's Creed III on it the other day and it performs surprisingly well on a 3 year old machine running through an emulation layer. In fact, when we rebooted it and ran it through Boot Camp (i.e. native Windows), it wasn't actually significantly better.

Me, I'm using a MacBook Pro (developing for the mobile things) and I'm in Boot Camp most of the time. Don't know what it is but Parallels just doesn't run very well for me. Guess my friend is the lucky one.

WoW gold farmer throws sueball over real world gold theft

Pete Spicer

Not understanding what the problem is here... she had gold bullion (physical item) in her house, which was stolen.

Unless there was some exclusion in the policy against gold bullion, I can't see that they have much of a leg to stand on... it wasn't obtained illegally as such... are they claiming the gold was proceeds from a crime? If so, what crime, actually, was committed? Seems to me that the worst that could be claimed was breach of contract (her with Blizzard) which in any case is neither a criminal matter nor anything the hell to do with the insurer refusing to pay out for the gold bullion.

What I could imagine, though, is that the gold bullion was worth more than what she had insured and that she wasn't going to get the full value back...

Silent Circle shutters email service

Pete Spicer

Except that there are documented vulnerabilities even in SSL (e.g. CRIME, and much more recently, BREACH) and of course there are all kinds of things like MITM attacks to be concerned with - SSL is not a magic bullet to these things. It's one aspect of it, but far from the only aspect.

Windows kernel bug-squish, IE update star in July Patch Tuesday

Pete Spicer

Re: Boring without Eadon

There was a big rant from Eadon calling Trevor Pott an MS shill (which he most certainly is not) and one of the senior folks banned him. I do miss the occasional entertainment though.