* Posts by Andrew Penfold

22 posts • joined 22 Jan 2009

One Ring to pwn them all: IoT doorbell can reveal your Wi-Fi key

Andrew Penfold

Re: WTF?

Yes, that's the updated exploit - slightly more difficult this time:

Set up a wireless network with the same SSID as the one emanating from the property, but with no encryption and a much stronger signal. The doorbell MAY then hop onto that network (if it's dumb enough).

Then, you press the doorbell to make it do a firmware update - it then connects to your fake update server and downloads your "updated" firmware complete with code of your own design (if it doesn't verify the identity of the update server or use code signing on the update).

Gee THANKS: Cryptoscum offer a free decrypt in latest ransomware racket

Andrew Penfold

Free Decrypt button must download the key

Surely if you can press the button for "one free decrypt", the malware must then contact it's server to download the decryption key for your files? A bit of wiresharking later and you have the key.

Unless they've used a random key for EACH file, not just each infected machine. Or they use encrypted comms.

Oh. Nevermind!

15,000 London coppers to receive new crime-fighting tool: an iPad

Andrew Penfold


My first thoughts were: "Collecting statements from the public" + Autocorrect = CARNAGE!

(Yes, I know they wouldn't be official witness statements, these would be done down at the station)

Google's Schmidt strikes Carrier IQ off Xmas card list

Andrew Penfold

But didnt Schmidt also say...

...if you're doing stuff that you don't want anybody to know about, well maybe you shouldn't be doing it at all. (or something like that)

So I'm surprised he wasn't all for it, i.e. don't press any keys on your internet connected handset that you wouldn't be happy telling the world about!

iPhone 4: Perfect for everyone, except humans

Andrew Penfold

1 Unread Message...

Change your sweats chemical composition.

Not that big of a deal.



Sent from my iPhone

2012 Olympic mascots cop a shoeing

Andrew Penfold

think of the children...

Not only are they one-eyed snakes, but they're wearing "shag-bands" too, what a bad influence!

Brighton goes Green

Andrew Penfold

Protesting the meme only makes it stronger...

Well perhaps if you didn't have an ICON for it, you would be justified in complaining. It's called a meme is it not?



*Well they did only win ONE seat. Mwaa ha ha ha haaaa!

Researchers spy on BitTorrent users in real-time

Andrew Penfold

RE: If they were

But as soon as MPAA/RIAA connect to a torrent aren't they themselves uploading too? And if, once the download is complete and they check it, they find out that the file "Hit me baby one more time" was actually a pron flick, they themselves are now guilty of infringement and distribution, ha ha!

Why the banks aren't scared of the Robin Hood Tax

Andrew Penfold

Money in their vaults? LMFAO

How can you believe that banks still keep "money" in their "vaults"? Or was that a figure of speech intended to simplify things for those who think that people's savings are used to create loans.

When banks get deposits they invest them to so they can make some profit and pay the interest due to the investor, yes. But when they create loans they just write the amount of the loan into the borrower's account. They used to have to actually deduct some percentage of the loan (usually 10%) from their balance sheet (google Fractional Reserve banking). But thanks to Gordy removing the reserve requirements, even high-street banks can create money out of nothing, lend it out and then have the cheek to demand interest on it. Interest is intended to compensate the lender for loss of investment opportunity. But if the money didn't exist until it was loaned, where's the loss?

And where does the borrower get the extra money to pay the interest on the loan? Well, if you follow it for long enough it can only come from another loan, made to somebody else. Which in turn requires interest. So the whole system* creates poverty by design as there can never be enough new money created for everybody to pay off their loans, so some people always default and the bank takes their house / business to sell off.

It only works because most people don't know how it works. Somebody will come along in a minute to declare that the above is all just a conspiracy theory and everything's fine.

* The banking system, not capitalism.

Crap Scottish weather favours ginger hair

Andrew Penfold

Did the author read this back to himself:

"...long after humanity had exited Africa in search of less sunny climes..."

If "humanity" exited Africa, what does that make those who stayed in Africa? The Supreme Court called, they want their ignorance back.

*Note the joke icon - Not accusing racism just surprised somebody else hasn't already pointed it out already!

Kaspersky defends false detection experiment

Andrew Penfold

[Random musings] Would it help if...

...the likes of VirusTotal had a mandatory option you had to select when uploading a file:

* I believe this is a suspicious file

* I believe this is a false positive

And if others had submitted the same file (by checksum) you could view the proportion who chose each button? And the AV firms could also see that of course.

Also, it would be nice if Virustotal maintained a distinct list of the filenames submitted for each identical file (by checksum). If they appear random then it's more likely a real infection but if they are all named the same...

Oh, perhaps the volume of hapless users submitting files versus the small number of geeks doing the same would make the above ideas useless?!

Google Toolbar caught tracking users when 'disabled'

Andrew Penfold

BOTH parties?

"You need both parties consent, or a court order (warrant) to intercept electronic communications, and you gave Google permission when you installed their application."

So you're the 1st party, giving your consent when you install the application. And the provider of the web site you are viewing (the other party) gave their consent how exactly?

Virgin Media to trial filesharing monitoring system

Andrew Penfold

[pedantry] DPI can't determine legality

"Virgin Media will trial deep packet inspection technology to measure the level of _____ sharing of copyrighted material on its network, ..."

There, fixed it for you. Of course, a DPI filter cannot determine whether permission was obtained from the copyright holder, nor can it determine if the law was broken since it is not an officer or court of law.

FDA takes aim at illegal net pharmacies

Andrew Penfold

Universal healthcare [flame bate]

"But some of them also serve an important purpose for Americans who don't have prescription insurance and cannot afford to pay retail for necessary medications. When I was poor and uninsured, cheap diabetes meds from a net pharmacy in India kept me alive."

Well Americans in the same situation today needn't worry about that, right? Those who can't afford insurance will have to pay a new tax of 2.5% of their income. And failure to pay that tax will attract a five year stretch in prison or a fine of up to $250,000.

Problem solved. Oh, wait...

Ammo rationing at Wal-Mart as panic buying sweeps US

Andrew Penfold


Wow... clearly not much original thought went into that diatribe. Regurgitating TWO mainstream media talking points in the same post, a) That talking about / believing in the constitution is a mental illness and b) any criticism of or disagreement with Obama, his policies, politics, party, or damn near anything to do with the man is racism.

I despair. That is all.

Counter terror cops prep for recession funding squeeze

Andrew Penfold

@John Dee

No, the alert level is primarily to keep the people afraid. It's currently near the top, so it must be reduced quietly now, so there is some head-room for an increase later. You know, when the next un-popular war needs to be pushed.

US senators demand boycott of Iran 'snoop' firms

Andrew Penfold

Pot, Kettle, Black

Two words: Retroactive. Immunity.

Put your own house in order first.

Opera 10 debuts with 'Turbo' boost

Andrew Penfold

Er, yes it does!

"Sadly, the browser has yet to implement a way to manage which websites get to execute Flash, javascript and similar client-side programs and which ones don't. (Instead, users get only a binary on/off check box.) That's a pity. The NoScript extension for Firefox has become an essential ingredient for users of that browser who want to protect themselves from the growing threat of website attacks. We thought Opera would have offered something comparable by now."

First you choose the defaults - whether Javascript, Plugins (includes flash), Java, Animated GIFs, Cookies, etc. are enabled for all web sites. All the above are set on and off independently and can be quickly toggled using the F12 menu. Then, if a particular web-site doesn't work without, say, Javascript, you can press F12 --> Edit Site Preferences and enable javascript for the domain or sub-domain you are on.

This has been around since Opera 8 at least. I'm not familar with Firefox and Noscript so I can't say which offers the most granularity, but Opera's features are at least comparable.

Microsoft aims 'non-security' update at gaping security hole

Andrew Penfold

won't prevent usb-stick viruses

...since they tend to use autorun.inf to re-define the default command for the drive, so that double-clicking doesn't open the root folder, but instead executes the malicious payload.

Even with auto-run disabled, windows still parses autorun.inf. So we still need the registry 'fix' here:


or here:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]


NASA's CO2-scan sat set to launch

Andrew Penfold

Carbon footprint...

Does it take into account it's own carbon footprint?!

Did they let James Hansen anywhere near it, if so did they make sure to calibrate it properly?


Italian crooks use Skype to frustrate wiretaps

Andrew Penfold

RE: Sinking The 'Unsinkable' Ship

The Chinese have not "cracked" skype, but they don't allow their citizens to download the regular Skype client. Instead a special one is offered that forwards all communications to another server as well as to/from the person you're calling or chatting with.

IIRC it was the lack of security on these other servers that collected the "intercepted" communications that broke the story:


Disabling Windows Autorun - there's a right way and a wrong way

Andrew Penfold

The REAL way to disable the danger of Autorun / Autoplay

Look here:


Basically, the aforementioned registry keys and group policy settings only disable the automatic reading of a drive and either popping up the Autoplay menu or executing a program.

Even with these registry keys set, Windows still parses the autorun.inf, possibly resulting in new items added to the right-click context menu (when clicking on the drive) or hi-jacking of the default "Open" or "Explore" commands so that just double-clicking on the drive could execute a malicious payload.

Dan McCloy describes how to re-direct Windows away from Autorun.inf to a non-existant registry key. After applying the reg fix on my system, the only thing that happens when I insert either a CD or a USB thumb-drive is that Windows Explorer opens, displaying the contents of the drive. I can then click on the setup.exe IF I want to!


Biting the hand that feeds IT © 1998–2022