Posts by The Mole

490 publicly visible posts • joined 18 Apr 2007


Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree

The Mole

Sounds like a well executed plan, and scary if the numbers are accurate as to how many people fell for it.

What got me is the request is so obviously a scam ("send me money and I'll send you twice back") that most people should have thought it was too good to be true. I would have thought they would have had a better conversion rate if they had said "Donate 1 bitcoin to this address and I'll match your donation to help COVID"; that, I think, would have got past more people's mental barriers.

MIT apologizes, permanently pulls offline huge dataset that taught AI systems to use racist, misogynistic slurs

The Mole

Copyright?

They also seem to have missed the tiny little legal detail that they downloaded 80 million images without any check on copyright and have been redistributing that dataset.

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

The Mole

To be fair to them, this wasn't a normal phishing attack, it was a highly targeted one.

The main way people spot an attack is if the domain name looks funny, but the name in this case was GitHub (ok, with an unusual TLD), but in a world where adverts tell you just to Google the site rather than give the domain name, what do we expect?

It's also not helped that many company emails do look like phishing attacks, particularly with single sign-on and the use of cloud-based services, which means the IT department might well be managing this through a different domain.

The only other red flag is that a new laptop is too good to be true.

Microsoft cops to 775% Azure surge, quotas on resources and 'significant new capacity' coming ASAP

The Mole

Re: Teams sizing issues

That seems a rather dubious assumption at best.

Building a system to handle 1 million users isn't going to be the same difficulty as building ten systems that handle 100k users.

With 100k users you can rather trivially hold the state of all those users in memory at all times within that single machine. You could do query operations by linearly searching through that list (e.g. find everybody with "e" in their name) without much noticeable lag.

For a world-wide resilient solution hosting many orders of magnitude more users, clearly properly optimised distributed algorithms are needed, with real databases etc. These have very different scaling characteristics and different bottlenecks will be the most important. The bigger the system, the bigger a cost coordination/synchronisation issues become.

Hello, support? What do I click if I want some cash?

The Mole

Re: photocopiers

Because deleting doesn't actually delete stuff?

You could go for overwriting the files an appropriate number of times, but I doubt the developers even thought about the security risks, and even if they had, management wouldn't have wanted to invest the time and effort.

FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more

The Mole

Re: Only 1,100 Users

A request to unblock a particular porn site also had the potential to expose sexual orientation in at least some cases. That puts it into the category of sensitive personal data which may well push the fines higher still.

Chrome suddenly using Bing after installing Office 365 Pro Plus... Yeah, that might have been us, mumbles Microsoft

The Mole

Re: Phew!

Yes it is, it is after all possible to change your default search engine in Edge to something that works.

This is also a system for GPs, right? UK doctors seek clarity over Health dept's £40m single sign-on funding

The Mole

I think you've got it wrong there.

They are almost certainly a teaching practice, which means they can get doctors doing a 6 month rotation as part of their course before they have graduated. I'm not sure if they need to pay them (or get paid for the supervision) but it does mean they don't even need to worry about having to let them go at the end of the 6 month rotation (or whatever the period is).

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption

The Mole

Re: What if..

IANAL but my understanding of case law is that if the police break your door down to search the property then they don't legally have to pay for repair for it... even if they've gone to completely the wrong address and you are completely innocent. I imagine that the same principle applies if they've broken the door of your phone down.

UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass

The Mole

Re: What's the point?

The problem is they will start looking at return on investment and soon realise the best thing to do is fine lots of little companies for technical violations, the ones who will probably just pay up with a simple lawyer's letter threatening a full investigation. That's far more efficient and low risk than going against big organisations with proper legal teams who might fight and win.

The Mole

And that statement made no mention of Brexit and will read no differently after Brexit. They will still be the ICO's counterparts in Europe, as opposed to its Australian counterpart (which presumably may be larger, smaller or the same size as the ICO).

The Mole

Re: What's the point?

But there is a big difference between literally enforcing the laws and enforcing justice. If someone intended to park legally/get back to the car in time but were unable to for whatever reason by a tiny amount, then it isn't in the public interest to punish someone in that case. If the intent or impact is criminal then indeed they should be punished. Society tends to agree with the view that law enforcement should have some discretion as it is far more efficient than having to get laws exactly perfect.

Having incentives that encourage the removal of common sense can have knock-on implications for society.

Blackout Bug: Boeing 737 cockpit screens go blank if pilots land on specific runways

The Mole

Not really, this should really be covered by unit tests of the low level methods. I'm really struggling to understand what the bug could be to cause such an odd behaviour. I don't buy the comment on it being memory related, presumably some divide by zero issue, but for that to blank out all displays is just staggering in how such a design could happen.

Testing all possible runways really shouldn't be needed as there shouldn't be anything special about them this fundamental, you can't test every possible starting position either.

Post Office faces potential criminal probe over Fujitsu IT system's accounting failures

The Mole

Can anyone point to a good dissection of what the bugs actually were and how they resulted in such large discrepancies - it should be very hard after all to get a cashflow/stock system not to balance in some way (even if the amounts are in the wrong places).

Why is the printer spouting nonsense... and who on earth tried to wire this plug?

The Mole

Re: DIY Electricians

Can someone explain why which way round the live and neutral are matters?

We are talking about alternating current, it doesn't have a direction of flow (or more correctly the direction of flow alternates). 50% of the time the 'live' will have the higher (or equal) voltage and 50% of the time the 'neutral' will have the higher (or equal) voltage.

Revealed: NHS England bosses meet with tech and pharmaceutical giants to discuss price list of millions of Brits' medical data

The Mole

Re: Election day reporting restrictions?

I had the same thought and am surprised they didn't hold it until tomorrow.

Technically NHS England is a "Non-department public body" which according to Wikipedia "are not an integral part of any government department and carry out their work at arm's length from ministers", so I guess there is an argument they aren't discussing political decisions, though ultimately ministers are still responsible.

Internet Society CEO: Most people don't care about the .org sell-off – and nothing short of a court order will stop it

The Mole

Re: Level playing field

There were two distinct groups of top level domain (TLD) originally.

The country codes (.uk, .us, .de, .io etc.) which are operated under licence from the respective country. These domains are great for sites with a specific geographic location and help avoid name clashes, and also give useful information to end users of where the content is targeted to. In some of those codes they were then subdivided into categories (.co.uk, .org.uk, .ac.uk etc.) whilst others just allowed domains directly below them.

Then there were the non-geographic domain names (.org, .gov, .com, .edu). These were principally designed for sites which didn't have a specific geographic location, but US organisations tended to just use them anyway (everything is in America, right?), hence .com becoming the dominant domain, and many US schools using .edu etc. rather than the more correct co.us or ac.us if they had followed the UK scheme.

There is no real technical reason why you need the additional subdivision, as can be seen in countries that didn't do it. However humans do like categorisation, and by splitting up companies from charities or schools it does allow the names to be repeated in different contexts, and also gives quick and simple recognition of what the subject is likely to be before reading it. E.g. originally an email coming from a .co.uk is likely to be marketing, from .org.uk a donation request and from .ac.uk something academic.

More recently the industry has gone to the extreme of having lots of generic top level domain names (.bargains, .charity, .dating, .xyz). The only convincing argument for why these are a good thing is for those who wish to make money from them... otherwise they just add confusion.

Bose customers beg for firmware ceasefire after headphones fall victim to another crap update

The Mole

Re: Got the receipt?

Don't forget the option of making a claim from your credit card company as they are jointly liable (if you bought it on a credit card), and if Visa start getting enough of these I imagine they would be having quiet words with BOSE (nice shopfront you've got here, shame if anything happened to your card processing fees).

A short note to say I'm off: Vulture taps claws on Reg keyboard for last time

The Mole

You've delivered a lot more than even a full Serco contract though.

Well done and a great place you are going to.

UK Home Office: We will register thousands of deactivated firearms with no database

The Mole

Impressed

I am impressed, it looks like civil servants have come up with the cheapest possible solution whilst still meeting the law.

It also addresses the concerns about the risk of volunteering information to the authorities, presumably nobody is going to actually be reading the emails.

The only time they will look at the emails is when someone contests against the police adding another charge to whatever else they were planning to get them on.

Blood, snot and fear: Why the travelling lone tech reporter should always knock twice

The Mole

Re: Interesting problem

Lots of ways it can happen, two simple options are:

1: two separate systems. System 1 says room 123 is allocated.

Clerk scribbles down room 132 into the card/paperwork, types that into the card machine writer and then reads it back and tells the customer that that is what their room is.

2: a race condition. Two people are checking in at the same time, the room is empty when both requests do the lookup for empty rooms, they both then create allocations for the room and store it back (after waiting to confirm details etc.). Due to bad database/system design it doesn't realise the two entries have been written and both are left allocated to the same room for the same time period.
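The race in option 2, reproduced on SQLite as an added example (not code from the original post): the two clerks' lookup and write steps are interleaved by hand exactly as two concurrent requests would interleave them, and the fix shown is a UNIQUE (room, night) constraint plus a retry. The schema, room numbers, guest names and stay date are all constructed for the demo.

```python
import os
import sqlite3
import tempfile

NIGHT = "2019-11-15"   # constructed stay date
ROOMS = [123, 124]     # constructed room inventory

FREE_ROOM_SQL = """
SELECT room FROM rooms
 WHERE room NOT IN (SELECT room FROM allocations WHERE night = ?)
 ORDER BY room LIMIT 1
"""


def create_hotel(path, enforce_unique):
    """Create the schema. The bad design has no constraint on (room, night),
    so nothing stops two allocations landing on the same room for one night."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")   # readers never block writers: keeps the demo from stalling
    con.execute("CREATE TABLE rooms (room INTEGER PRIMARY KEY)")
    con.executemany("INSERT INTO rooms VALUES (?)", [(r,) for r in ROOMS])
    constraint = ", UNIQUE (room, night)" if enforce_unique else ""
    con.execute(f"CREATE TABLE allocations (guest TEXT, room INTEGER, night TEXT{constraint})")
    con.commit()
    con.close()


class Clerk:
    """One check-in request, split into its lookup step and its write step."""

    def __init__(self, path, guest):
        self.con = sqlite3.connect(path)
        self.guest = guest
        self.room = None

    def lookup(self):
        # fetchall() exhausts the statement, so it holds no read lock while the other clerk writes
        rows = self.con.execute(FREE_ROOM_SQL, (NIGHT,)).fetchall()
        self.room = rows[0][0] if rows else None
        return self.room

    def write(self):
        """Store the allocation. Returns the room, or None if the database refused it."""
        try:
            self.con.execute("INSERT INTO allocations VALUES (?, ?, ?)",
                             (self.guest, self.room, NIGHT))
            self.con.commit()
            return self.room
        except sqlite3.IntegrityError:   # only raised when UNIQUE (room, night) exists
            self.con.rollback()
            return None


def race(enforce_unique):
    """Interleave two check-ins; returns (room given to A, room given to B)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hotel.db")
        create_hotel(path, enforce_unique)
        a, b = Clerk(path, "guest A"), Clerk(path, "guest B")
        a.lookup()              # A sees 123 free
        b.lookup()              # B also sees 123 free: nobody has written yet
        a_room = a.write()      # A takes 123
        b_room = b.write()      # B also takes 123... unless the constraint fires
        if b_room is None:      # constraint fired, so look again: 123 is now gone
            b.lookup()
            b_room = b.write()
        a.con.close()
        b.con.close()
        return a_room, b_room


if __name__ == "__main__":
    print("no constraint: ", race(False))   # (123, 123): double booked
    print("UNIQUE + retry:", race(True))    # (123, 124)
```

The same protection can be had by holding a write transaction (BEGIN IMMEDIATE) across the lookup and the write, at the cost of serialising every check-in.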

Not just adhesive, but alcohol-resistant adhesive: Well done, Apple. Airpods Pro repairability is a zero

The Mole

Re: The Apple doesn't fall far from the tree

First result on google returns a news story from 2015: "Earables: The next big thing - TechRepublic"

Hundreds charged in internet's biggest child-abuse swap-shop site bust: IP addy leak led cops to sys-op's home

The Mole

OR they think getting access to all this porn is worth it, having people send it to you and any money earned is a bonus. After all, we already know their thought processes aren't normal.

Remember the millions of fake net neutrality comments? They weren't as kosher as the FCC made out

The Mole

Re: @Mark 85 - It's the new world order...

"[...] the Brits are out of it with that Brexit farce and their de facto two party system"

Also I'd point out there isn't a British two party system currently. Northern Ireland has its own set of parties (and the DUP is even relevant at the moment), and Scotland and Wales both have their nationalist parties which currently do exceedingly well in elections.

Even in England (where traditionally it has been a two party system, dominating the rest of the country) currently the Lib Dems in some polls are beating Labour and the Brexit Party is not that far behind. The next election could be really interesting, although long term a two party system will probably re-establish itself (though which 2 parties?).

Do you want fr-AI-s with that appy-meal? McDonald's gobbles machine-learning biz for human-free Drive Thrus

The Mole

They've already automated away the taking of customer orders at the desk: they are self-service kiosks.

I think they might also have burger flipping machines in some places so they've started on the cooking robots.

A robot delivering the food to the table would be cool though.

Welcome to The Reg's poetry corner... hiQ once again / beats LinkedIn on web scrape case / more appeals await

The Mole

Re: Odd decision.

Agreed, but surely LinkedIn's pages are also in the same category. I can go into a library and access a book for free but still can't copy the contents. Just because LinkedIn exposes their pages on the internet doesn't (shouldn't) equate to public domain either, particularly if you need to log in to access that data.

The Mole

Re: Odd decision.

Would be interesting to see how the case pans out in the UK (and I'm sure if they wanted to, LinkedIn could make some of the profiles only available from servers in the UK and therefore cause a move in jurisdiction).

Firstly it will clearly violate GDPR: there's personal data in those LinkedIn profiles and users haven't consented to the third party firm holding and processing it.

Secondly there is the concept of 'database rights' in UK law. FA Cup match results are public knowledge, however the collection and aggregation of that data merits protection; services that provide result summaries can't legally just have the content immediately copied by their competitors whilst the news is still 'hot'. LinkedIn have invested a significant amount of effort in gathering their data so I imagine the UK courts would consider that it is protected even though it is publicly accessible.

I'm surprised even under US copyright law that there isn't a case of violation. After all, the contents of books are in the public domain and you can't just copy that.

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

The Mole

Because 123.234.345.456 might be hosting thousands of different websites under lots of different hostnames, so just knowing the IP isn't sufficient to target you. Knowing what you've just resolved to get the IP is a cheap and easy way to find out. For HTTP connections they could just look at the Host header, and even for HTTPS connections they can look at the SNI header (which isn't encrypted) to find it out, but that's more expensive, and alternatives to SNI might be widely available at some point.

Yahoo! customers! wake! up! to! borked! email! (Yes! people! still! actually! use! it!)

The Mole

Re: Guilty Secret

Three, it's adequate and too much of a pain to move. Not sure I can remember ever spotting an extended downtime either, so once in 20 years serious downtime is probably acceptable.

GIMP open source image editor forked to fix 'problematic' name

The Mole

Re: Visionism

If it's the foot (bottom) that's not a problem as long as the stairs were going up...

SELECT code_execution FROM * USING SQLite: Eggheads lift the lid on DB security hijinks

The Mole

I can see that this potentially can be used as a privilege escalation method. If the process runs with higher rights (and/or the file permissions are owned by a privileged user) it may well be the DB is world-writable so other users can store data in it, with the assumption the worst damage they can do is erasing the data. An attacker might therefore have minimal privileges, sufficient to attack the DB file but not anything else. If/when another higher privilege user executes the application (or the process reloads the DB etc.) then the attacker can escalate.

That said, there are almost certainly plenty of other vectors if you have access to files.
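A defensive counterpart to the scenario in the post above, added here and not from the post or the article: a privileged process should refuse to open a SQLite file that another local user could have written to. The check function, the file name and the demo schema are my own constructions; the demo runs the same file through a private and a world-writable permission set.

```python
import os
import sqlite3
import stat
import tempfile


def db_file_is_trustworthy(path):
    """Return (ok, reason). Refuse database files that another local user could
    have modified, since the article's point is that a crafted file attacks the
    process that loads it. Assumes a POSIX host (uses os.geteuid)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"                      # could be repointed at any file
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != os.geteuid():
        return False, f"owned by uid {st.st_uid}, not by us"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group or world writable"
    # SQLite writes -journal/-wal files beside the db, and a writable directory lets
    # another user replace the file outright, so the parent directory matters too
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        return False, "parent directory is world writable without the sticky bit"
    return True, "ok"


def open_trusted_db(path):
    """Open the database only after the ownership/permission check passes."""
    ok, reason = db_file_is_trustworthy(path)
    if not ok:
        raise PermissionError(f"refusing to open {path}: {reason}")
    return sqlite3.connect(path)


def demo():
    """Constructed scenario: one file checked with private and then with
    world-writable bits. Returns the two reasons and whether the open was refused."""
    with tempfile.TemporaryDirectory() as tmp:   # mkdtemp creates the dir mode 0700
        path = os.path.join(tmp, "app.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE settings (k TEXT, v TEXT)")
        con.commit()
        con.close()
        os.chmod(path, 0o600)
        private = db_file_is_trustworthy(path)[1]
        os.chmod(path, 0o666)                     # the world-writable case from the post
        shared = db_file_is_trustworthy(path)[1]
        try:
            open_trusted_db(path).close()
            refused = False
        except PermissionError:
            refused = True
        return private, shared, refused


if __name__ == "__main__":
    print(demo())   # ('ok', 'group or world writable', True)
```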

Captain, we've detected a disturbance in space-time. It's coming from Earth. Someone audited the Kubernetes source

The Mole

Were the two firms working collaboratively or in parallel? Would be interesting to see how many serious issues were only reported by one firm and missed by the other.

We don't mean to poo-poo this, but... The Internet of S**t has literally arrived thanks to Pampers smart diapers

The Mole

Source of cheap parts

On the positive side, I'm looking forward to finding out what the actual chips and sensors are and whether they can be re-purposed for more beneficial uses. Though I might stick to the unused ones...

Yes, I've been swotting up on court evidence in advance, says Autonomy founder Mike Lynch

The Mole

Re: Full disclosure?

"I don't know, Your Honour. I was just given this wodge of papers 3 minutes ago but I've not even had the chance to see if they are just takeaway menus"?

I don't know but it's been said, Amphenol plugs are made with lead

The Mole

Re: "The router went dark"

We do? First time I've ever heard of it, as far as I'm aware it's Sod's law or Murphy's law. Sod's law being you'll get the worst option, whilst Murphy's law is what can go wrong will go wrong at the worst possible time, and even if it can't go wrong it will anyway...

Google's Fuchsia OS Flutters into view: We're just trying out some new concepts, claims exec

The Mole

Re: Accurate Ads

That's not actually true.

At least in TV advertising the channel only gets paid for the proportion of the viewers in the demographic that the advertiser is targeting.

This is also true in 'static' advertising. The Register is likely to get significantly higher revenue per user if they can show 80% of users are IT professionals and therefore in the target audience. If another advertiser is targeting IT students then they might only pay 10% of the price to cover that 10% of the audience. 100% accurate targeting would allow El Reg to get both sets of revenue at the same time, by showing the 10% of students the adverts for the company wanting to target students, and the 80% of IT professionals the ads from the company only wanting to target IT professionals. The other 10% might be randomly distributed and they effectively wouldn't get any money for those users.

Poetic justice: Mum funnels £100 into claw machine to win single Dumbo teddy for her kid

The Mole

That is the worrying thing, the kid was too young to even care. If it had been an annoying 5 year old constantly yammering on about wanting it and badgering the mum to try one more time then it would at least be a bit understandable, but for a 5 month old?

Scumbags can program vulnerable MedTronic insulin pumps over the air to murder diabetics – insecure kit recalled

The Mole

Re: NFC

That's only a slight mitigation though, either the radio comms are secure or they aren't. With the right transmitters/receivers NFC can still operate within a range of metres (or just get the target to walk through a specific door). It mitigates the possibilities slightly but not significantly enough.

Bot war: Here's how you can theoretically use adversarial AI to evade YouTube's hard-line copyright-detecting AI

The Mole

Re: Try this the other way around

Agreed, or for that matter just get permission from a copyright holder and use that.

Of course all they have proved is a fingerprint system is only good whilst it can create matching fingerprints. Do we even have evidence that YouTube's system is even ML rather than just a clever algorithm of fingerprints? Then they throw 'ML' at the problem rather than manually coming up with the algorithm to distort the audio. It doesn't appear they've even done proper 'learning' of training their algorithm against pass/fails on YouTube to identify the smallest set of changes needed.

If Uncle Sam could quit using insecure .zip files to swap info across the 'net, that would be great, says Silicon Ron Wyden

The Mole

Re: Sounds Easy. Isn't.

Whilst I agree it isn't easy, I think you are being a bit hard there. What the available network speed is should be irrelevant: if zip files can transfer it then some other properly encrypted archive can also be transferred (possibly with better compression).

There are plenty of existing tools available that should solve this problem, many of them small, cross-platform, low power and open source. So in theory there shouldn't be any real burden on existing, even if old, hardware as long as the right choices are made and take these requirements into consideration. Ok, that's a big if.

I think where you do have it right is the fact you are dealing with such a large number of end users with ranging abilities, and likely refusals to put any effort into changing away from something that seems to work. The hard part is making it so the tools are so simple and easy to use that minimal training is needed, and getting it coordinated across such large estates.

So probably a multi-billion government project which will end in failure then...

NASA's JPL may be able to reprogram a probe at the arse end of the solar system, but its security practices are a bit crap

The Mole

Worse than just academics, I imagine JPL is filled with specialist engineers as well who just want to get on with their job with minimal interference, which results in unauthorised systems being deployed as they are quicker to get up and running.

Large Redmond Collider: CERN reveals plan to shift from Microsoft to open-source code after tenfold license fee hike

The Mole

Re: What I Like

I'm certain that the reason they aren't keeping it quiet is because they expect Microsoft to reconsider and come back with more acceptable licensing terms.

This is after all what has happened when other large government organisations (German councils or something, if I recall) announced open source projects.

Why telcos 'handed over' people's GPS coords to a bounty hunter: He just had to ask nicely

The Mole

At least requiring a warrant retrospectively and properly auditing this would be an improvement.

Better still, an emailed scan/photo of signed authorisation from a senior officer, sent from a re-authenticated domain, significantly raises the bar.

WikiLeaks boss Assange acted as a foreign spy, Uncle Sam exclaims in fresh rap sheet

The Mole

Re: This will be fun to watch...

Why? He's chosen to go to another foreign country, so he's got to follow their rules and laws. If the situation were reversed the UK wouldn't do much either, unless the death penalty was involved.

Phisher folk reel in Computacenter security vetting mailbox packed with sensitive staff data

The Mole

Sensitive personal information shouldn't be transmitted in plain text over email to begin with, particularly to a third party mailbox where it will be travelling across the open internet.

It's not like a secure webform/storage is hard, and it has the benefit that the data likely ends up in a more normalised and efficient-to-process format. Though I wouldn't be surprised if they used an externally hosted one of these and then it emailed out the resultant uploads...

Uncle Sam to blow millions on mind-control weapon tech that can be fitted without surgery

The Mole

The whole point is to invest in the research to make it change. Even if it doesn't reach military quality hopefully the side-effect of the research will be an improvement for disabled people.

Here's what Autonomy told its salesmen they were allowed to do

The Mole

Not Zero Tolerance

he testified to the High Court that he "violated this with permission and tolerance and guidance at times", before agreeing that in general, there was a "zero tolerance policy" towards breaking the "no side agreements" rule.

Must be a sales and marketing definition of zero then, that looks to be a 1% tolerance of 'no side agreements', certainly not zero tolerance if they sometimes tolerated it.

Apple won't be appy: US Supremes give green light to massive lawsuit over App Store prices

The Mole

Re: Possible contributing factor to the 6% drop?

I hope this issue gets rolled into the court case as I think it is actually more significant. A bricks and mortar store getting 30% of the RRP isn't that unusual, it is the cost of having it available for advertising (excessive probably in the digital case but not totally unprecedented); what is pretty much unprecedented in consumer relationships is that shop then claiming 30% on secondary sales which occur within the product.

Just in time for the Wiki-end: Chelsea Manning released from prison

The Mole

I assume it is because of this: "Manning has stated in the past that she objects to the secrecy of the grand jury process". She is doing it on a matter of principle. I doubt she would have got much press coverage if she just said no comment to the questions (as presumably, being in secret, the press wouldn't even know).

UK is 'not a surveillance state' insists minister defending police face recog tech

The Mole

Re: 100 per cent false positive rate

Passport control is much, much simpler: you've got one stored photo (based on the passport being presented) and are comparing it to another live photo, and all the computer needs to do is be 90% sure it is a match (or pick your own tolerance). You also have to look at the camera just the right way, with perfect lighting, possibly no glasses, definitely no hats etc.

In comparison, trying to match thousands of moving people wearing anything against hundreds of pictures, both of which might be poor quality, is a really, really hard problem.
