Posts by Displacement Activity

378 posts • joined 2 Jun 2008


Here's how 5 mobile banking apps put 300,000 users' digital fingerprints at risk

Displacement Activity

Re: Assuming they were properly hashed

Well, colo[u]r me stupid, but my (limited) understanding is:

1 - either the server expects the hashed data, in which case the hashed data is, for all intents and purposes, the password/authentication token/etc, so the hashing process was completely pointless and adds no security

2 - or the server expects the plaintext data, but the app writer thinks that he/she is being clever by hashing the secret instead of storing it plain in the app, and unhashing before transmission. Which is pretty pointless, because the key must also be in the app, so you're adding minimal additional security by hashing.

Note that salting is irrelevant, for 2 similar reasons, which I won't bother to repeat.

Basically, if you need a secret to access a resource on the server, and you store that secret in your app somewhere, then you have to hope that (a) the attacker can't reverse-engineer your app, and (b) that the attacker can't break into the keychain and decode your TLS data to the server. And we all know at least one laptop manufacturer has done exactly that, and it would be pretty dumb to assume that your phone manufacturer hasn't done the same thing.

I think. In any event, I refuse to have a mobile banking app on my phone, despite regular requests from my bank.

Displacement Activity

Re: It's Not As If Banking Is Risky Enough Already

> E-banking might be profitable for the banks but until they accept errors can & do occur, I suggest you check account activity regularly.

And read your letters. I normally ignore mine, but I did spot one a couple of years ago from TSB. They told me I had a bank account with them, which I don't. After a lot of to-ing and fro-ing, they closed the fraudulent account, and sent me a cheque for £0.67 as compensation. Seriously. And one of the girls on the phone eventually told me that you could open a bank account with anyone's identity if you had their mobile phone A/C data (but I have no idea what that means).

Post-quantum crypto cracked in an hour with one core of an ancient Xeon

Displacement Activity

Re: Observations

> If a quantum computer is needed to break encrypted communications in a reasonable amount of time, the selection of what gets run through the machine will have to be limited. Having "quantum computing proof encryption" isn't a necessity.

We already have crypto which is resilient to attack by any computer, quantum or not. It's called, confusingly, Quantum Crypto. Currently, it's expensive, clunky, and relatively slow, but is deployed in the real world (even on [Chinese] satellites). It uses quantum mechanics, and not a mathematical algorithm which can be 'cracked'. What we're discussing here is conventional crypto, which is implemented with algorithms that researchers hope aren't amenable to cracking on future Quantum Computers (and, presumably, old Pentiums).

Microsoft Teams outage widens to take out M365 services, admin center

Displacement Activity

Remember: telephones exist

In the UK, at least, possibly not for much longer.

AMD targeted by RansomHouse, attackers claim to have '450Gb' in stolen data

Displacement Activity

"Reached out"?

"Reaching out" is something you do when you're trying to apologise to somebody. When you ask AMD for comment you, well, "ask them".

The Register talks to Microsoft's European cloud rivals about getting a fair deal

Displacement Activity

Re: Not impressed

> These people are whining because their [potential] customers want to use MS products.
>
> That's what drove the growth in PC's !

Indeed. But, you misunderstood me. My point was that there's no point complaining if you haven't got what the market wants. Instead of complaining, and running off to the regulators, and creating industry organisations with fancy names, you should just get on with it and fix the problems that caused the market to go elsewhere.

Displacement Activity

Not impressed

These people are whining because their [potential] customers want to use MS products. Samo, samo. If they'd spent the last 25 years building a usable commercial alternative to Office, instead of complaining, then Windows would be dead and there'd be no problem. And now they're going to spend the next 25 years whining, hoping that a bunch of unpaid hackers will solve all their problems for them. It's not going to happen, and I'll be too old to repeat this comment next time the reg runs this story.

Ad-tech firms grab email addresses from forms before they're even submitted

Displacement Activity

Re: Unique emails

Agree. I've been using plussed addresses for 20-odd years now. It's a sendmail feature, but I think it's common: start with a prefix of some sort, add a '+' and some text (normally the vendor's name), and set up sendmail for the prefix only. If the vendor turns out to be an ***hole you block the combo. For some years, though, I was plagued by second-rate coders assuming that '+' wasn't a valid character in a mail address and rejecting the address as invalid.

Doesn't stop anyone harvesting your name and address, though. But, of course, I'm sure we always lie about those unless we need a real delivery.

Oracle already wins 'crypto bug of the year' with Java digital signature bypass

Displacement Activity

Oh dear...

> The bug was introduced when part of Java 15's signature-verification code was rewritten from its native C++ into Java itself.

Nice to see that Oracle spends its days digging holes and filling them up again.

Why is IBM selling post-quantum crypto when it's still a pre-quantum company?

Displacement Activity

Acronyms, please

PQC= Post Quantum Crypto; agreed. But you say 'QC' is Quantum Computer. It makes more sense for it to be Quantum Crypto, without the Post.

QC= provably secure Quantum Crypto (barring engineering failures, at any rate); in production now, with people buying it, protecting data in transit. PQC = an algorithm which is not provably secure (I think), but which is not thought to be amenable to attack by an algorithm which has yet to be written, running on a computer which has yet to be built.

French court pulls SpaceX's Starlink license

Displacement Activity

Re: French court freezes out non-French competition

IMHO, in this (one) case, good luck to them. We're sleepwalking into a future where we have tens of thousands of satellites in LEO, which are certainly at least sometimes visible, just to provide internet access to a tiny number of people who can't use other infrastructure *and* who are rich enough to get a receiver and a contract. Seriously, how is this ever going to be cheaper, or more environmentally friendly, than laying cables to remote villages in Africa? And, once you've got your cable down, you can use it for all your other comms, which is certainly not the case with satellite internet. Who exactly is going to benefit from this? Is it just the bankers?

File suffixes: Who needs them? Well, this guy did

Displacement Activity

Re: RISC OS

Long, long ago, a friend lent me his RiscOS machine so that I could port some SunOS C code. It took me a while to get the hang of extension-free .c and .h files. Before I got to that point, I typed in

delete *.c
or whatever the RiscOS delete command was (as I said, a long time ago). Anyway, it wiped the whole fe**ing disk.

Wi-Fi not working? It's time to consult the lovely people on those fine Linux forums

Displacement Activity

Similar problem with a monitor

About 25 years ago I got a shiny new colour monitor. Nothing fancy - probably about 16". Anyway, it was flaky, and frequently didn't work. Amazingly, it had an on-site repair warranty. I'd never seen one of these before, so thought I'd give it a go, and called out an engineer.

He arrived, put his hand behind the monitor, wiggled the power cable a bit, and it sprang to life. I've never been so embarrassed. It turned out that the pre-IEC power cable didn't have a particularly good fit; he said it happened a lot.

Back to crappy forums - when you get as old as me you find there's another problem. You have an incredibly complicated problem, find a years-old thread somewhere, get to the end of it, and discover that the person who posted the solution was... you. Happened a couple of times to me.

'Windows 11 has been successfully downloaded,' says update for Xbox version of Microsoft Flight Simulator

Displacement Activity

Que?

> To celebrate the launch of Windows 11, Microsoft Flight Simulator is lighting up some of the world’s most famous points of interest in Windows 11 colors! There is also a free livery for the EXTRA 330LT.

Another excellent reason to prefer X-Plane over MS Flight Simulator.

Reason 3,995 to hold off on that Windows 11 upgrade: Iffy performance on AMD silicon

Displacement Activity

Re: Good to see

> in the REAL world, security does NOT mean a performance reduction. If there IS one, and it is NOTICEABLE, you need to re-think your architecture.

Wow. Pretty obvious how you got BOMBASTIC in your name.

RIP Sir Clive Sinclair: British home computer trailblazer dies aged 81

Displacement Activity

RIP

Nice guy, will be missed. I worked for him while I was a student in the summers of '80 and '81, on Kings Parade in Cambridge (I programmed Fortran on a mini in '79, but bought a £400 Nascom and got the bug). He normally hid away in a back room working on the flat screen TV, but he always came down to the pub with us after work. It was a very small operation back then - about a dozen girls doing mail order, who we never saw, and basically Clive and 3 guys, and the accountant occasionally, and another 2 when work on the Spectrum started. I used to answer 'technical queries' on the phone and do the odd bit of engineering. The 'technical queries' were almost always 'what will a computer do for me'; I particularly remember one lady who spent a lot of time betting on the horses, who wanted to know why she should buy a computer. I seem to remember that we had an ad saying that you could run a nuclear power station with one of these things - I hope no-one tried!

And the stuff about late deliveries, stuff that didn't work - well, that's life - get over it. It was a bright shiny new world. Everyone in the business had the same problems, to a greater or lesser extent, and we were all learning. I worked for a Cambridge start-up a couple of years later, and designed a more sophisticated computer for them, but they went bust in '84. Everyone was always one step from bankruptcy, which could make life challenging. At the end of the day, Clive inspired a lot of people, myself included, and that's what he'll be remembered for.

Oh, and still got a Sinclair Scientific down in the basement somewhere, which I got for my O'levels. It's actually my second - I had to send the first one back because it didn't work... :)

UK VoIP telco receives 'colossal ransom demand', reveals REvil cybercrooks suspected of 'organised' DDoS attacks on UK VoIP companies

Displacement Activity

Re: Calling OfCom and Openreach...

@gerdesj: it's hugely distributed. It doesn't require any power to the premises. It may be the only technology that survives a zombie apocalypse, at least within an exchange area. Have you never actually seen a disaster movie? Or been in a blackout? Duh.

Dozens of Iranian media websites devoured by the Great Satan, apparently

Displacement Activity

Get a grip, Reg

Your readers are fairly technical. So:

  • How did the websites get taken down?
  • How did a .tv site get taken down?
  • Are domain registrars based in the US subject to some US laws we should know about?
  • Does the US think it has control over .com and .net domains?
  • It appears that Verisign agreed to transfer ownership of .com and .net domains without the authority of the current owners. Should we all bail out of .com and .net?

And so on.

And, while you're at it, maybe an opinion on the meaning of 'truth' and who polices it.

When software depends on a project thanklessly maintained by a random guy in Nebraska, is open source sustainable?

Displacement Activity

> Here is a list of open source components shipped with MS products: https://3rdpartysource.microsoft.com/

That's impressive. But it would be more impressive if large parts weren't 'Redistributed OSS', bits for Android, and so on.

God bless this mess: Study says UK's Christian beliefs had 'important' role in Brexit

Displacement Activity

RANT

Dear Reg,

it would make life a lot more interesting for us poor readers if we could vote on the story itself, rather than the opinions of other commentards (which can be, to be frank, a bit dull and irrelevant).

So, how about it? Please make sure to include a wide range of alternatives including, for example, "Study authors are deluded morons who are seeking to legitimise their own simplistic prejudices by writing a load of bollocks".

Spy agency GCHQ told me Gmail's more secure than Microsoft 365, insists British MP as facepalming security bods tell him to zip it

Displacement Activity

Re: O365 but not as you know it

So...

it's "provided for all the cloud working capabilities", but "only within an enclosed environment".

Surely that's an oxymoron?

Someone defeated the anti-crypto-coin-mining protection for Nvidia's 'gamers only' RTX 3060 ... It was Nvidia

Displacement Activity

Re: Gamers also have to contend with bots and scalpers looking to make a profit

I'm on XPlane! Sort of, anyway - it's unusable on i7/Intel UHD. I can't get 2080 cards. There are some UK retailers with expensive 2060s, and there are a couple of good 2060 results on the spreadsheet, so maybe I'll go for that.

Displacement Activity

Re: Gamers also have to contend with bots and scalpers looking to make a profit

> Anybody spending megabucks on gaming is truthfully trying to "keep up with the jones" and show off, rather than be into "hyper competitive gaming".

Actually, no. I've spent the last couple of months trying to get any graphics card that will give me a decent frame rate on a flight sim. You can't buy anything for love or money. Not really "gaming", but I imagine the shoot-em-uppers have the same problem.

European Commission redacts AstraZeneca vaccine contract – but forgets to wipe the bookmarks tab

Displacement Activity

Re: Substituted Article 5 (page 11)?

Interesting. Are 5.1 and 5.4 inconsistent? Unfortunately, I got the scanned version on Friday. I can't find a link to the pdf version anywhere in the article or the comments. The scanned version is absolutely clear, though - the commission hasn't got a leg to stand on.

Also pretty astonishing that there are 140+ comments and only 2 or 3 people appear to have read it. The rest is just noise.

The killing of CentOS Linux: 'The CentOS board doesn't get to decide what Red Hat engineering teams do'

Displacement Activity

Re: So?

You forgot number 0. Give everything away to Bill Gates.

LibreOffice rains on OpenOffice's 20th anniversary parade, tells rival project to 'do the right thing' and die

Displacement Activity

Re: But Office365 is free!

Really? Details appreciated. I'm on 2010 because the cheap 5-licence 'Home and Student 2010' appears to allow far more than 5 installs. Still, not keen on the cloudy bits.

We've heard some made-up stories but this is ridiculous: Microsoft Flight Simulator, Bing erect huge skyscraper out of bad data

Displacement Activity

Roof

Back in the day (20 years?) I could land on the roof of the Willis Tower in Chicago on the MS flight sim. Moved on to a better sim.

'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'

Displacement Activity

"Subset"?!

> "Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got into a subset of our customers and a subset of our backup environment."

Curious that Blackbaud lost my school data and my university data. Seems like this subset may be rather large.

Intel's 7nm is busted, chips delayed, may have to use rival foundries to get GPUs out for US govt exascale super

Displacement Activity

Can't see it...

TSMC now has 2(?) Fabs in mainland China. Ok, Intel's masks would probably never get beyond Taiwan, but I can't see the PRC connection helping.

And Philips must have been kicking themselves for the past 30+ years, after bankrolling TSMC and then walking away.

Teardown nerds delve into Dell's new XPS 15 laptop to find – fancy that – screws and user-serviceable parts

Displacement Activity

Re: HP Microserver Gen8/Gen9 and their failing NAND chips used for iLO system monitoring.

Hadn't heard of the flash problem, but I reckon GenX in general is pretty much done. Gen8 excellent, I had to give away my Gen9 after it bricked, Gen10 ok but too much cost cutting. Pity.

I was screwed over by Cisco managers who enforced India's caste hierarchy on me in US HQ, claims engineer

Displacement Activity

Re: General concern

> The UK has the class system

You've been watching too much Monty Python. I have spent decades working in British engineering and have never seen any form of discrimination based on 'class'.

Hey, Boeing. Don't celebrate your first post-grounding 737 Max test flight too hard. You just lost another big contract

Displacement Activity

Re: El Reg, a little reporting accuracy??

And, of course, airlines around the world have been regularly flying maxes to boneyards.

You wait ages for a mid-air collision spoofing attack and along come two at once: More boffins take a crack at hoodwinking TCAS

Displacement Activity

Don't get it...

They've built an SDR TCAS, which is not really interesting. To get it to do anything, they have to get it *close* to an approaching aircraft - it's physically impossible to pretend to be close, without the next-gen faster-than-light SDR2. And, if they have managed to get their kit near an approaching aircraft, then the target aircraft should get out of the way anyway. There may be some limited mileage in putting it on the ground, spoofing their altitude, and hoping that they can persuade passing aircraft to gently ascend or descend.

Note that 'security' doesn't mean authentication here. ACAS uses 64-bit messages. The Wikipedia article makes the point that it can't be extended to even 128 bits because it would then be too slow to handle high-traffic scenarios.

The only interesting thing here seems to be the comparison of Python and C++.

Belief in 5G conspiracy theories goes hand-in-hand with small explosions of rage, paranoia and violence, researchers claim

Displacement Activity

601? Seriously?

They surveyed 601 people. So how many loons did they find? 6? 10? Seems a pretty poor basis on which to be writing papers and drawing multiple correlations. Or are they perhaps running out of grant money?

RetroPie 4.6 brings forth an answer to 'What do I do with this Pi 4 I bought last year?'

Displacement Activity

Re: Pi 4 mouldering?

+1 for effort. Got my 4B about a month ago. Loaded lots of software, and it worked great until I tried to plug an audio DAC on, which is what I got it for. It now pretty consistently fails to boot.

So, it's mouldering in a drawer, while I try to find the time to (a) work out what the power management firmware updates are all about, or (b) send it back during lockdown and hope for the best.

Academics: We hate to ask, but could governments kindly refrain from building giant data-slurping, contact-tracing coronavirus monsters?

Displacement Activity

Are we still reporting 'letters from academics', then?

While you're at it, I would rather like to hear Bob Geldof's view. And perhaps Lily Allen.

Cloudflare dumps Google's reCAPTCHA, moves to hCaptcha as free ride ends (and something about privacy)

Displacement Activity

Re: what the f*ck is a "sidewalk"?

Weird. I was going to post with title "WTF is a sidewalk", or possibly crosswalk. And why TF do I always have to do it more than once??

Anyway, fixed it in my current website. The contact form just asks the user to answer a very simple (technical) question, and there are several valid one-word answers. Anyone who's on the website and wants to contact me will know the answers, and I don't want to speak to anyone else.

High-resolution display output or Wi-Fi: It seems you can only choose one on Raspberry Pi 4

Displacement Activity

"mini computer" != "minicomputer"

<pedantic-nerd-mode>

I've still got my copy of Mick and Brick, which was the bible of bit-slice (and mini) design. On p259 a '16-bit time-sharing CPU' is described as the heart of a 'minicomputer'. Even more bizarrely, I've still got the handbook for the Varian 72, which I used in an early job, published in March 74. It describes itself as a 'minicomputer'.

OTOH, a 'mini computer' is just a miniature computer.

In more recent news, I'm just about to get a Pi Zero...

</pedantic-nerd-mode>

Stallman's final interview as FSF president: Last week we quizzed him over Microsoft visit. Now he quits top roles amid rape remarks outcry

Displacement Activity

Linux; sod GNU

Been using Unix since the 80s, on V7, I think. I'm currently running 7 different flavours of Linux. Over the years I've come to the conclusion that the one thing that has really screwed Linux, and kept it as a backwater (if you ignore Android, of course) is... Stallman. I presume he was a moderately competent programmer, since his name is on Yacc and, I think, bits of emacs. Maybe he should have left it there.

Ex-Microsoft dev used test account to swipe $10m in tech giant's own store credits, live life of luxury, Feds allege

Displacement Activity

He got caught because of "service provider records that point to Kvashuk", and because he used a device with a "specific device identifier"? Seriously? What a plonker.

And Microsoft pays $116,000 (£93K) for a testing job? WTF? You'd think they could produce some useful software for that sort of money.

And I'm not quite sure what the problem is with having assets of $1.76M on a salary of $116K. That's a multiplier of 15, which doesn't sound like it's completely out of the question. Unless you're a banker, of course, in which case it's way too low.

ReactOS 'a ripoff of the Windows Research Kernel', claims Microsoft kernel engineer

Displacement Activity

@Lee D: really? @ReactOS: WGAF?

> "Reverse engineering those "affected" files in the normal way would easily reveal private symbols".

Please explain how you would get macro names out of this process. I assume the code is in C, in which case the compiler doesn't even see the macro names, as per 5.1.1.2, 6.2.1, etc.

@ReactOS: Anyone who has the extraordinary lack of imagination which would be required to reverse-engineer and copy a Microsoft kernel deserves everything they get, and more.

Dev's telnet tinkering lands him on out-of-hour conference call with CEO, CTO, MD

Displacement Activity

Yes, alpha particles

<nerd mode>

Cosmic rays cause soft errors in memory chips and general circuit failures. At sea level, 'cosmic rays' are primarily high-energy neutrons. Neutrons are uncharged, so don't themselves cause circuit upsets. However, when they're captured in a nuclei in a circuit element, they produce charged secondaries, including alpha particles, which do cause circuit upsets. See https://en.wikipedia.org/wiki/Soft_error#Cosmic_rays_creating_energetic_neutrons_and_protons, for instance.

</nerd mode>

Amid Trump-China tariff tiff, Cisco kit prices to resellers soar up to 25%

Displacement Activity

Meh

"Chinese-built components coming into the US" are almost certainly assembled PCBs and systems, and are unlikely to be anything with any significant IP attached.

I've been with companies (in the UK) who have outsourced assembly to China for 35+ years. Everybody who does this has always lived in fear that they'll be ripped off and their IP will be stolen. The upside is maybe 50% off your end-user price, and the downside is potentially losing your IP and your market completely.

Whatever Trump does or doesn't actually say or believe, if anything, it's a fair bet that everyone in the electronics business (outside China) is breathing a sigh of relief, whatever they say in public. The dust will settle eventually, and the end result will either be that the Chinese start to play ball, or that manufacturing will return on-shore. Both of which are Ok by me. Sure, the US will take a hit short-term, but that's someone else's problem.

Nokia reinstates 'hide the Notch' a day after 'Google required' feature kill

Displacement Activity

Re: Can't make sense of this.

And... umm... what is a 'notch' anyway?

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Displacement Activity

WTF?

And what if you have set up DNS to route *only* 'www.foo.com', or *only* 'foo.com', to your server?? This isn't particularly unusual - my local hardware shop is 'www.woc.com'. 'woc.com' isn't routed and doesn't work. So, go there with Chrome, and you think you're on 'woc.com', which doesn't exist. Or does Google want to run DNS as well?

Those tossers have already achieved the impossible, which is to make me start using MS's excuse for a search engine. Chrome is next on the delete list.

Google keeps tracking you even when you specifically tell it not to: Maps, Search won't take no for an answer

Displacement Activity

Not really news, and How To Screw Maps

I've been using Google exclusively for 15+ years without problems. Then, a couple of months ago, they started swamping my searches with ads. Not just at the top - mixed in throughout the search results, even when I'd clicked the invisible 'hide ads' button, making the real results unusable. Really, really dumb ads, and all for the same thing - say, 8 different ads for Dubai hotels, all on the first page of results. The connection? I had *flown* over or through those places, with a maximum stay of a couple of hours, over the last year or so, with maps turned on. Seriously. I've never been to Jersey, but flew over at 35,000ft, and got pages of ads on camper van hire in Jersey. In case I crashed, presumably.

My fix is to dump Google. MS has screwed me in thousands of ways, but their search engine hasn't quite got to this level of stupidity. And duckduckgo if I can be bothered.

RIP: Sinclair ZX Spectrum designer Rick Dickinson reaches STOP

Displacement Activity

RIP

So long, Rick. We spent many happy nights in the Baron after work, along with Jim and Dave, and occasionally Clive, back in 80/81. If there's a bar where you're going, get me one in.

BCC is hard, OK? Quite a lot of orgs blurted your email addresses in GDPR mailouts

Displacement Activity

Re: BCC is actually slightly hard

Sounds like mine is pretty much the same - also for a kid's club I helped to run (small world!). I've got an extra level of security - everyone gets their own club address, and has to post through a proxy, which modifies all the mails so that no-one ever gets a 'real' outside-world mail address. It never uses BCC, of course - it's far too woolly.

Displacement Activity

BCC is actually slightly hard

I've written a mass mailer, which uses anonymised addressing. The main confusion is that your mail program talks to the rest of the world over SMTP, which knows nothing about "BCC". Quick overview here:

https://stackoverflow.com/a/26611044/785194
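The point made in the post above, that SMTP only ever sees envelope recipients and knows nothing about a "Bcc" header, is easy to see in code. The following is an added example and not the commenter's own mass mailer: it builds the same newsletter twice, once the leaky way (every recipient written into the To header, which is how the GDPR mailouts in the article leaked addresses) and once with the recipients only in the SMTP envelope. The recipient list, sender address and the `RecordingSMTP` stand-in for `smtplib.SMTP` are constructed for this example so that it runs offline.

```python
"""
Added example: hiding recipients in a mass mailer.

SMTP delivers to whatever addresses are given in RCPT TO commands (the
envelope). It never reads the To, Cc or Bcc headers, so the only reliable way
to keep a recipient list private is (1) put the real recipients in the
envelope only and (2) never write them into any header. The addresses, sender
and the RecordingSMTP class below are constructed for this example.
"""
from email.message import EmailMessage

# Constructed sample recipient list and sender (not real addresses).
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]
SENDER = "club-news@example.org"


def build_leaky_message(sender, recipients, subject, body):
    """The mistake behind the mailout leaks: the whole list goes in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)   # every recipient sees every other one
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_hidden_message(sender, recipients, subject, body):
    """Return (envelope_recipients, message).

    The header To points back at the sender; the real recipients exist only
    in the envelope list, which is what 'Bcc' actually amounts to on the wire.
    No Bcc header is written at all: a Bcc header that the mail program forgets
    to strip before the SMTP hand-off is itself a leak.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"Undisclosed recipients <{sender}>"
    msg["Subject"] = subject
    msg.set_content(body)
    return list(recipients), msg


def leaked_addresses(msg, recipients):
    """Return the recipient addresses that appear anywhere in the headers."""
    header_blob = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [addr for addr in recipients if addr in header_blob]


def send_via(smtp, sender, envelope_rcpts, msg):
    """Hand the message off using the envelope, never the headers.

    `smtp` is anything with sendmail(from_addr, to_addrs, msg_bytes), which is
    the signature of smtplib.SMTP.sendmail.
    """
    return smtp.sendmail(sender, envelope_rcpts, msg.as_bytes())


class RecordingSMTP:
    """Offline stand-in for smtplib.SMTP: records the envelope it was given."""

    def __init__(self):
        self.envelopes = []

    def sendmail(self, from_addr, to_addrs, msg_bytes):
        self.envelopes.append((from_addr, list(to_addrs)))
        return {}   # smtplib returns a dict of refused recipients; none here


if __name__ == "__main__":
    # In real use, replace RecordingSMTP() with smtplib.SMTP("mail.example.org").
    leaky = build_leaky_message(SENDER, RECIPIENTS, "Newsletter", "Hello all")
    print("leaky headers expose:", leaked_addresses(leaky, RECIPIENTS))

    rcpts, hidden = build_hidden_message(SENDER, RECIPIENTS, "Newsletter", "Hello all")
    print("hidden headers expose:", leaked_addresses(hidden, RECIPIENTS))

    smtp = RecordingSMTP()
    send_via(smtp, SENDER, rcpts, hidden)
    print("envelope recipients actually delivered to:", smtp.envelopes[0][1])
```

The check that matters for a mailout is `leaked_addresses`, run on the message bytes that actually go out: if any subscriber address appears in a header, the list is exposed regardless of what the mail client's BCC box showed.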

Comp sci world shock: Bonn boffin proposes P≠NP proof, preps for prestige, plump prize

Displacement Activity

Re: "And P=NP is completely irrelevant to crypto in general. "

Posted by someone with absolutely no understanding of the subject they are posting about.

Curiously, I'm probably the only person writing here who works in precisely what I was writing about, full-time.


Biting the hand that feeds IT © 1998–2022