* Posts by Jon

28 publicly visible posts • joined 28 Mar 2008

Westminster forced to switch off digital CCTV cameras


Yep, 720 / 704 / 702 are all standards

I work in broadcast digital TV. The digital TV standard we use in the UK is 720x576 pixels. (And those pixels are not square, so the same 720x576 size is used for 4:3 and 16:9 widescreen content - a separate signal tells you how to stretch/crop it for display).

However, for obscure technical reasons, if you take an analog broadcast signal and digitise it you'll get a 702x575 picture in a 720x576 frame. This has 9 black pixels down the left side and 9 down the right (9 + 702 + 9 = 720). Half of the top & bottom lines are also black.

The digital TV standard we use is MPEG2, which encodes the picture in 8x8 blocks. Since 702 is not a multiple of 8, it's quite common for broadcasters to use a 704 pixel wide signal, with just 1 black pixel each side. (The other 8 black pixels each side are added automatically in your Freeview box). Tellies will chop off all this black.

If the content is originally authored as digital, then the broadcasters can and do use the full 720x576 frame - old tellies might chop off a little bit round the edges, but modern tellies can display the full thing.

And I think the purpose of this rule is to say "you can't use US 640x480 ATSC gear, or a 320x240 webcam". So it would have been better to mandate 702x575 as the minimum...

Acer sued for shipping Vista-book with GB of memory


@Ouch! / @Cheaper Ram

> $157.40 for ram? I added 1GB of ram to a laptop last summer for $50

Apples and oranges. You probably just bought it on the internet and fitted it yourself.

The people in this article had a problem with their computer. They took it to a local techie. The techie first had to diagnose the problem, then get the RAM and fit it. Hence there are labour costs, and the cost of having a physical presence. The techie probably also keeps RAM in stock, which is convenient for his customers but means he might pay more for the RAM (if prices are falling and he bought it a while ago), and also means he has the cost of keeping stock - there's capital tied up in stock, and he has the risk that his stock might not sell. The techie also has to pay sales tax, which you probably didn't.

Let's guess it took an hour of labour (look for viruses etc beforehand, fit the RAM, then test it to check the problem is fixed). Then we can guess some numbers like $75 labour, plus $25 premium on the RAM, plus $7.40 sales tax. That seems reasonable to me.

<Obligatory car analogy>It's the difference between me taking my car to the garage and saying "it's broken, please fix it" and someone else diagnosing the problem themselves, buying a part mail order and spending a morning fitting it. I may pay 3 times as much, but since I don't have enough car knowledge/skills to fix it myself I don't really have much choice.</car analogy>

Numbers should be portable, insists Reding


Easy way to stop slamming

If I get moved to a different phone company / gas supplier / electricity supplier without my consent, then there's no contract between me & the new provider. So I shouldn't have to pay them.

If they want to give me free phone calls / gas / electricity, then that's their problem.

I suspect that would fix the "slamming" problem pretty quickly.

Hulu yanks vids from TV.com


> steaming content

A steaming pile of [content]?

Or did you mean to say "streaming"?

Conficker seizes city's hospital network


WHY are these PCs connected to the Internet???!!!!

PC in operating theatre... seems reasonable.

Running Windows on it.... wouldn't be my first choice, but suitably locked-down it's reasonable, and has the benefit that people are familiar with the UI.

Turning off automatic updates... also reasonable (albeit counter-intuitive). Testing changes is extremely important; and the PC should be locked-down enough that it's not going to get infected.

Connecting life-critical PC in operating room to the internet... absolutely insane. Any life-critical PC should be air-gapped from the public internet.

(Also, any PC with my medical records on should be air-gapped from the public internet - not that the NHS would ever bother doing that).

Superworm seizes 9m PCs, 'stunned' researchers say


@Why not...

> Have the "central control" send a message to self destruct.

Because that would be hacking, which is illegal. I happen to believe that there should be exceptions in the law to allow trained Police officers to do that sort of thing (probably with judicial pre-approval for each specific case), but there currently isn't.

Also, you rapidly run into jurisdictional issues (even if it's legal in the UK the person who does it might find themselves extradited to the USA & prosecuted there for disinfecting a PC in the USA; and IP-address-based geotargeting isn't perfect). There are also major liability issues for when it goes wrong (and writing bugfree software that runs under every version of Windows is impossible, so it will go wrong).

Also, @Where is government ? Where are the lawyers?:

> why is proof of identification not required to register a domain name?

Well you probably need at least a credit card. But it might be a stolen card. If I had a 9m-strong identity-stealing botnet, then providing a stolen ID to register a domain name would be kinda easy.

Newer Tech punts toaster drive dock

Paris Hilton

There are more flexible (but less "cool") solutions...

Yawn. I've had a "Scythe Kama Connect 2" for ages. This is a USB adapter for SATA and PATA drives (including both 3.5 inch and 2.5 inch ones). It works really well as a "what's in this HDD" device. Details & pics are here:


I don't really see the value in the toaster drive dock. I mean it's cool, but if I'm buying drives specifically for it then I'd rather put them in protective caddies (and I'd rather have the drive slot in horizontally to keep dust off the contacts). And if I'm using it with random hard drives then it needs to support PATA too. (And doing a "toaster style" device for PATA is impossible because the drive manufacturers all put the connectors in different places; one of the things they fixed in SATA was they standardised the connector location to make hotswap enclosures like this possible).

Maybe this is just ahead of its time - in 5 years I won't care about PATA any more.

VeriSign remedies massive SSL blunder (kinda, sorta)



> The problem will be web-site owners (large corporations, banks, etc) not getting off their fat backsides and upgrading their old MD5 based certificates to SHA1.

Err.... no. That's not the vulnerability. MD5 still works well enough that an attacker can't just grab a bank's MD5 based certificate and use it on their attack site.

The new vulnerability is that a hacker could create two specially-crafted certificate requests - one for a domain they legitimately own, and one for a bank domain. They then get Verisign to issue a MD5-based certificate for their legitimate domain. Then they can tweak that certificate to apply to the bank domain.

This attack is possible while any CA issues MD5 certificates; now Verisign have stopped. But once someone has carried out the attack, they can keep using the fake certificate until it expires (typically 2 years).

The right solution is to immediately revoke all MD5 signed certificates (either by using revocation where possible, or by newer browsers just rejecting them). That would result in a lot of pissed-off website owners who had to immediately replace their SSL certificates. (In an ideal world they'd then demand decent security from their new CA vendors, and/or sue their old insecure CA vendors; in practice they're more likely to flame the browser manufacturers, which is why this probably won't happen).
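The "browsers just rejecting them" remedy, as an added example that is not part of the original comment: it walks just enough of a DER-encoded X.509 certificate to read the outer signatureAlgorithm OID and rejects md5WithRSAEncryption. The certificate it checks is a constructed skeleton (empty tbsCertificate, no real signature) built by the small encoder at the bottom; the same check function accepts a real DER certificate.

```python
# Added example: reject MD5-signed certificates by reading the outer
# Certificate.signatureAlgorithm OID straight from DER (stdlib only).
MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
REJECTED_OIDS = {MD5_WITH_RSA}
SEQUENCE, OID, BIT_STRING, NULL = 0x30, 0x06, 0x03, 0x05

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OID content octets (base-128 arcs) into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def is_md5_signed(cert_der):
    """True when the certificate must be rejected under the MD5 policy."""
    return signature_algorithm_oid(cert_der) in REJECTED_OIDS

# --- constructed test data: tiny DER encoder to build a skeleton certificate ---
def _tlv(tag, body):
    assert len(body) < 0x80                 # short-form length is enough here
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # remaining 7-bit groups, high bit set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def skeleton_cert(sig_oid):
    """Constructed cert: empty tbsCertificate, given signature algorithm, empty signature."""
    alg_id = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    return _tlv(SEQUENCE, _tlv(SEQUENCE, b"") + alg_id + _tlv(BIT_STRING, b"\x00"))

if __name__ == "__main__":
    for oid in (MD5_WITH_RSA, SHA1_WITH_RSA, SHA256_WITH_RSA):
        print(oid, "REJECT" if is_md5_signed(skeleton_cert(oid)) else "accept")
```

A real certificate can be fetched with ssl.get_server_certificate() and converted with ssl.PEM_cert_to_DER_cert() before being passed to is_md5_signed().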

Algae-fuelled* airliner test successful

Paris Hilton


> And a perfect textbook flight on the first trial of a new type of fuel? That sounds rather suspect

It's the first _flight_. But I bet they ran a _lot_ of tests in just an engine on a test stand, then a few more tests in an aircraft on the ground. So it's nowhere near the first time the fuel was used.

As a practical matter, the beancounters would have wanted to know it's going to work before they risk blowing up an expensive airplane, killing expensive pilots, and crashing into expensive houses full of expensive-to-pay-compensation-to-the-next-of-kin people. It's a lot cheaper if you just blow up an engine on a test stand (and there's much less bad PR).

Microsoft gives XP another four months to live


@XP is Aged.

> providing you don't run a load of legacy apps

What other kind of apps would I want to run? I use my PC for games, Firefox, Thunderbird, and OpenOffice. My games are of varying ages and obviously the game manufacturers don't update their 3-year-old games just cos MS release a new OS. And any (non-MS) new game will run just fine on XP.

At this point I'm wondering if Crossover Games (a Wine variant) on Linux would have better compatibility than Vista / Windows7.

> it actually uses your GPU

Games use my GPU just fine thanks. Oh, you mean Vista uses my GPU to display a lot of bling that I'm going to turn off? (I have XP's Theme junk turned off too, the Windows 2000 look & feel works fine on XP tyvm).

> More secure

How? I'm behind a hardware firewall so I don't care about the Windows firewall or remotely-exploitable windows services; I use Firefox so I don't care how buggy Internet Explorer is. And people have been trying to hack XP for years, so most of the security bugs have been found and fixed already.

> more stable

My PC is perfectly stable thanks. Therefore it can't possibly be "more" stable (but it might be less).

> certainly better than using an OS that's 7 years old

To a normal consumer, you can say "it's old" and they'll think it's gone rotten or something. Software's not like that. To a Reg reader, "it's old" means "it's well tested and most of the problems have been found and fixed". An OS being old is only a problem when hardware manufacturers stop writing drivers, software manufacturers stop writing compatible software, or the OS vendor stops providing security fixes.

Flash cells near shrinkage limit



I thought the same thing at first, but when I re-read it I realised that the article talks about 3 different types of flash including PCM and PMC... very subtle difference there. Similarly the 10^10 is for PCM, the 10^6 is for PMC.

Shuttle X27D


HD video playback

> the CPUs were only loaded to 50 per cent but playback was still jerky

Oh, the joys of benchmarking multicore systems. 50% of one core? or 50% of 4 HT virtual CPUs? or 50% of 2 cores (with HT turned off)? If the latter, then this probably means you have a normal ("old-fashioned") single-threaded video decoder (which can only use 1 core), and the CPU was the bottleneck.

I'm not saying you're wrong to blame the graphics chip though - a better graphics chip would do more of the work, which means less work for the CPU to do. And special-purpose hardware in the GPU can decode video much more power-efficiently than a software decoder running on an x86.

Norwegians spill Opera 10 alpha

Paris Hilton

@I wonder how they stay in business?

The default search engine is Google. (And maybe the homepage is too?) So Google pay them tonnes of money for driving traffic to Google's search adverts.

Mozilla have a similar deal for their Firefox browser.

No "piles of money" icon, so I chose the "person who has piles of money" icon.

Windows patching abysmal, and getting worse

Paris Hilton

Not a random sample

Beta version: Only used by early-adopter security geeks.

Release: Used by slightly less geeky people, maybe even the odd "normal".

Shock News! Security geeks more likely to be secure than normal people!!!!!

Congratulations, Barack — Now fix your websites


@Can somebody explain to me...

>...how the use of Google Analytics is a massive security flaw?

For the purposes of this explanation, I'll assume that Google wants to hack into the site. (I don't believe Google does, and I do believe Google has sufficient security that no-one else could do what I'm about to describe).

When the change.gov login page is loaded it loads some Javascript (urchin.js) from Google's servers and runs it in the context of the page. Google can change what that script does. For example, they could add code to it so when it is on the change.gov login page, it modifies the "Login" button to send the username/password to Google (via AJAX) just before it actually logs in. This might be a fraction slower than normal, but it's unlikely that the person logging in would notice. So as soon as an authorised administrator logs into change.gov, then Google get the password and can use it to access the website.


@If you can do, if you can't

> First the logon link does track to a https server - and is therefore secure


How do you _know_ the logon link goes to a https server? Every time you login, do you examine the source code for the entire page (including all included Javascript files) to make sure it's not going somewhere else? No, I didn't think so.

So basically it's secure if no-one changes your HTTP login page... oh wait, against an active attacker we just lost all the benefits of HTTPS. (Against a passive attacker who can sniff your traffic but not change anything, I'll agree with you that HTTP / HTTPS for the login page doesn't matter. But I think an active attacker is actually more likely than a passive one - e.g. see the DNS & routing exploits from the last year).

> sourceforge did the same for years

Once upon a time, HTTPS was new, incompatible, and slow. Fortunately the world has moved on, none of those excuses are valid any more.

Main BBC channels to be broadcast live via web



> A laptop powered by its own battery would be covered under the viewer's home TV license.

Yes. The TV license actually says "powered by internal batteries", so this:

> I am unsure about the legality of a system connected to a UPS as it's technically running on a battery.

using an external UPS is not going to be allowed.

AT&T cops to Jesus Phone-as-modem app

Jobs Halo

To all you people complaining about tethering

AT&T offer "unlimited" internet on the iPhone. This does not mean that every user can saturate their 3G link 24hrs/day 365days/yr. If that happened, AT&T would have to either charge (much) more for their unlimited plan, or they'd go bankrupt. Instead, AT&T have figured out the typical usage patterns for a user on the iPhone (no Flash, streaming video is limited to YouTube, no Bittorrent downloads, no online gaming sessions, no big downloads) and priced their unlimited plan accordingly. Obviously some users will use more, and some will use less (or none) - that's the whole point of a flat-rate "unlimited" price plan.

As soon as you use your iPhone as a PC modem, all these assumptions are wrong. People who do that are likely to use much more data. So it's reasonable for AT&T to charge them more. And the only way they can do that, is by having "tethering" being off by default, and making it hard to switch on without paying. And to do that, they prohibit "tethering" applications other than their own, which will presumably check you've paid first. This all seems quite reasonable.

(Note: I don't know exactly what AT&T are charging; it may be that specific price plans are too expensive just because they can. What I'm defending is the principle of charging more for tethering).

US Navy SEAL uniforms: Now with built-in tourniquets



is short for "The War Against Terror"

London could get HD Freeview next year


Re: Plug in cards?


I'm not exactly sure what you mean by "the mysterious yet ubiquitous card slot" - you either mean the credit-card-size smartcard slot some boxes have, or the CI slot (the same physical size and connection as the PCMCIA expansion slots on older laptops). (CI slots are mandatory on TVs that have the digital receiver built in - it's a European rule). But neither of those slots will help.

Freeview HD will use the DVB-T2 transmission format, which is an improved version of the DVB-T we use for current Freeview. By analogy, when upgrading from 100Mbps Ethernet to 1Gbps Ethernet you're going to have to change your network card - adding other cards or software elsewhere isn't going to magically make your 100Mbps Ethernet card run at 1Gbps. It's the same when upgrading to DVB-T2 - you're going to have to replace your Freeview box (which has the DVB-T chip soldered to the main board).

Cross-site hacks and the art of self defence

Paris Hilton

Referer field?

Could this be detected and stopped by checking the old-fashioned HTTP Referer field? E.g. the only site that should have Netflix "add to my queue" links is netflix.com; if the Referer specifies a different host then the request is being forged. Netflix could detect this and deny the request.

Or is it possible to fake the Referer field using Javascript?
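The source check proposed above, as an added example that is not from the original comment. It goes slightly beyond the Referer-only idea by preferring the Origin header where present, and it shows the cases a server-side check has to get right: exact host matching (lookalike hosts and userinfo tricks), the opaque "null" origin, and a stripped header. The host names and request headers are constructed for the example.

```python
# Added example (not from the original comment): a Referer/Origin source check
# for state-changing requests such as "add to my queue".
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"netflix.com", "www.netflix.com"}   # constructed example hosts


def _host_of(url):
    """Lowercase hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname      # drops scheme, userinfo, port, path
    except ValueError:
        return None
    return host.lower() if host else None


def is_trusted_source(headers, allowed_hosts=ALLOWED_HOSTS, allow_missing=False):
    """Return True only if Origin (preferred) or Referer names one of our hosts.

    headers: dict of request headers, looked up case-insensitively.
    Page script cannot set Referer or Origin on a browser-issued request
    (the browser fills them in), so a forged cross-site request either
    carries the attacker's host or no header at all. A missing header is
    therefore rejected unless the caller opts in with allow_missing,
    accepting that some proxies and privacy settings strip Referer.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lower.get(name)
        if value is None:
            continue
        if value.strip().lower() == "null":  # opaque origin: never trust it
            return False
        host = _host_of(value)
        # Exact host match: "www.netflix.com.evil.example" and
        # "https://www.netflix.com@evil.example/" must both fail.
        return host is not None and host in allowed_hosts
    return allow_missing


def filter_requests(requests, **policy):
    """Constructed helper: (request id, accepted?) for a batch of requests."""
    return [(rid, is_trusted_source(hdrs, **policy)) for rid, hdrs in requests]


# Constructed sample: headers as a server might see them on "add to queue" POSTs.
SAMPLE_REQUESTS = [
    ("own-page", {"Referer": "https://www.netflix.com/browse", "Host": "www.netflix.com"}),
    ("forged-img-tag", {"Referer": "http://evil.example/free-dvds.html"}),
    ("lookalike-host", {"Referer": "https://www.netflix.com.evil.example/"}),
    ("userinfo-trick", {"Referer": "https://www.netflix.com@evil.example/"}),
    ("null-origin", {"Origin": "null"}),
    ("stripped-referer", {}),
]

if __name__ == "__main__":
    for rid, ok in filter_requests(SAMPLE_REQUESTS):
        print(f"{rid:18} {'allow' if ok else 'deny'}")
```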

Security shocker: 75% of US bank websites have flaws



> If they can do a man in the middle attack, then you could be entering your password onto a secure page in the baddies website. No-one really checks the certificate, as long as the url bar changes colour or a padlock appears.

Most browsers will pop up a scary warning. Sure, totally clueless people will click through, but anyone with clue is protected. So in order to be undetectable, a MitM attack needs to leave SSL (HTTPS) traffic alone and just play with the HTTP traffic.

> The [login] page [...] doesn't have to be [encrypted].

Wrong. Let me explain...

> You already accepted / trusted it when you filled in the form.

Wahay, something you said that I can agree with. When you filled in the form you trusted it. E.g. you trusted that there wasn't a sneaky Javascript on the page that would use AJAX to send your username and password to the hacker just before you logged in.

(I'm using the standard security-person meaning of "trusted" and "trustworthy". If I ask you to hold my wallet for a moment, you're "trusted". If you then run away with it, you were still "trusted" but you weren't "trustworthy").

_But,_ how did you know the form was trustworthy? Did you audit the source code of the page and every included script & css file, every single time you login? No, you didn't, because most browsers "view source" doesn't show included files (and if you're requesting them a second time to audit them then you've no way to know if the server gave you the same file). And even if you could theoretically, it's not practical for everyone to do a code audit on their bank every time they log in.

So the only practical way to know that the logon page is trustworthy is if it's sent from your bank's webserver over SSL.

> It makes sense to keep using ssl while inside the "secure" section, because of sensitive data, but to require it for a blank login form is not useful. Think about it, what are you trying to hide ? Public data or private data ? The form is already public anyway, so why hide it.

There are 2 advantages to SSL. You're concentrating on the encryption, which I agree is not needed for a blank login form. But SSL also provides authentication. And you need the authentication that the blank login form really came from your bank.

> The only other way to go is to use ssl for the whole internet. Otherwise the man could get in the middle anywhere !

Online banking is a high-value target with a track record of being attacked. It makes sense to provide more protection to it than to (say) The Register.

> He probably has keylogging trojans out there anyway, so ssl could be moot.

It's only moot for people who get infected with a trojan. For the rest of us, SSL provides useful security.

Ubisoft pirates game fix from pirates


@Yay and stuff, but my question is..

Ubisoft programmers wouldn't alter the code by editing the .exe file. That's _hard_. Hell, I'm a professional C/C++ programmer and I wouldn't know how to do that. I could probably figure it out if I had to, but it's much much easier just to change the source code and recompile. That would've got rid of the "Reloaded" string in the .exe, and all the other changes made by the Reloaded team.

It sounds like some poor support person wanted to help customers despite utter cluelessness from the company. So they just took the crack, changed the documentation, renamed it from leet_warez_crack.zip to official_supported_patch.zip, and uploaded it. Now they're probably going to get fired.

Asus quietly demos Eee Box


It's not a "TV tuner link"

> There's another port below it - the power connector's near the base - that some reports maintain is a TV tuner link.

If that's a "TV tuner link" then where's the audio out for my speakers? You know, that "TV tuner link" looks suspiciously like a 3.5mm audio jack...

External TV tuners are usually connected by USB anyway (even my internal "PCI" one is really the guts from a USB tuner and a PCI->USB chip on the same PCB). I don't know why anyone would invent some proprietary standard.

Home Office defends 'dangerously misleading' Phorm thumbs-up


They should go to jail

> As far as I can see, all that remains to be determined is how big a fine and how grovelling an apology BT should have to face...

No way should they get off that lightly. The people involved broke the law. You think YOU would get away with a fine of a few day's pay if you tapped a phone line?

I want the senior management involved to go to jail. I've got more sympathy for the techies - they were just following orders, so they should get community service.

Maybe that way other people will think twice before doing something so stupid.

Google sued for ad fraud



The plaintiff is an idiot who doesn't know what "default" means.*

The complaint says that the idiot filled in a box labelled "default CPC bid" but left blank the box labelled "content CPC bid (optional)". (Para 12 in the complaint). Well duh, that makes your "content CPC bid" the same as your "default CPC bid".

And his lawyers are a bunch of incompetent ambulance-chasers who can't even get the defendant's name right. (Para 7 says "Network Solutions" instead of "Google"). A class action for more than $5m? (Para 9). In their dreams. (US lawyers typically get around a third of the recovery; so they're dreaming of getting $1-2m for filing this garbage lawsuit)

(Oh, and someone missed page 2 when they scanned the complaint? From the fax headers it looks like page 2 was faxed to the court, but it's missing in the PDF).

* From http://www.answers.com/default&r=67: "default" means "The current setting or action taken by hardware or software if the user has not specified otherwise."

Phishers offer credit card discounts to prospective marks


VerifiedByVisa/SecureCode is hideously insecure anyway

The procedure for me to sign up to Verified By Visa a few years ago was:

- HSBC send me a letter on headed notepaper telling me to call them on this number or else they'll disable my ability to use my card online

- Being a suspicious person, I call HSBC telephone banking line; they tell me they know nothing about it but I should call the number on the letter (which they don't verify).

- "HSBC" person on phone asks for all my credit card details. They then give me web address to visit, and assign me a guessable username and a temporary password of "password" (no I'm not kidding).

- I go to web site. It's https://something.arcot.com - secure site, but SSL certificate owned by a company I've never heard of, no obvious links to HSBC (other than the easily copyable logos).

- I enter the username and password they just gave me.

- I confirm some details & enter my new Verified By Visa password.

You'll note that there was no way in any of the above for me to be sure I was communicating with HSBC. I might have just given my details to a phisher who sent out real snail-mail letters. (Actually I spent half an hour doing research & eventually decided that Arcot (http://www.arcot.com/) are probably a legit but incompetent provider of security services to banks.)

Now, what about entering my VBV password when I buy something? Well, it's done inside a frame on the merchants site. So it's hard for me to check that the frame I'm about to enter my password in is really HSBC's "secure" VBV web site, because I can't see the URL (unless I right-click & choose properties - which I'm not going to do every time). And even if I did, it's an arcot URL, not a HSBC one. So the merchant could use a classic man-in-the-middle attack - serve the VBV password page from their own secure web site, remember the password & pass it on to HSBC. Once the transaction goes through, the merchant has a record of my VBV password in addition to all the other credit card details, and can go spend my money at other VBV sites. I can imagine the conversation with the bank: "But they used your VBV password! It must have been you! And if not, then your PC must have a virus so tough."

Dot Mobile goes titsup


Re: eh?

MVNO = Mobile Virtual Network Operator

In the UK only Orange, O2, Vodafone, T-Mobile and 3 own their own mobile phone network (i.e. all the masts around the country). Anyone else you've seen selling mobile phone services (there are loads) is a MVNO - they sell the handset, bill the customer, but buy access to someone else's network.