* Posts by djack

317 publicly visible posts • joined 16 Jun 2009


IT sent the intern to sort out the nasty VP who was too important to bother with backups


Re: muscle memory

Middle click to copy and paste the selection has been a unixy standard function for a loooooong time. Incredibly useful too, not only for time saving but you end up with two easily accessible clipboards (CTRL-C .. CTRL-V and middle click can contain different things so you have so much more flexibility). Complaining about that is on a par with complaining about the use of '/' instead of '\'

OpenTF forks Terraform, insists HashiCorp is the splinter group


Re: Cost models were/are crazy

Not just Terraform. We use Vault for PKI and secrets storage in an environment for a small team. I went looking for pricing, but there was no affordable option for a small business. I would imagine that if they had something between the free and megacorp price thresholds then they might be a bit more profitable.

False negative stretched routine software installation into four days of frustration


I have the opposite problem. often the phone says it is connected, but it sure as hell ain't anywhere on the car.

BOFH: We're an industry leader … in employing idiot managers


Industry Leaders

I stop short of mentioning that we're already an industry leader in employing idiots in management positions

Surely very much second in that regard to a certain blue chicken coop.

1,900 Signal users exposed: Twilio attacker 'explicitly' looked for certain numbers


Re: How can be…

You only actually need the phone for initial registration. Signal send a single SMS for 'verification'. After that, as long as whatever client you are using doesn't lose it's authentication data, you don't need to touch or use the phone again.

On the first day of Christmas, my true love gave to me... a coding puzzle and it's a doozy


Re: Rust?

Ot the perl module Lingua::Romana::Perligata:

i now have the sudden urge to try and learn Latin

Cleanup on aisle C: Tesco app back online after attack led to shopping app outages


The downtime was inevitable

All of those saying that this shows a massive failure in Tesco's BC plans are almost certainly wrong.

This wasn't a random hardware failure - someone (seemingly successfully) compromised a server. Unless their DR system is totally separate, running a completely different software stack, developed in isolation from the main site, then simply switching over to DR is not an option ..all that will happen is that the DR site will then be compromised too.

The correct way to do things is to take the financial hit - turn it all off. Investigate so you are confident you know what vulnerabilities were exploited, then secure the DR system and turn that on.

Doing that over a weekend is not bad going IMO.

Corsair's K70 MK.2 does nothing a cheaper keyboard can't, but the steep price gets you top-notch components


Re: "However, this largely feels moot as the keyboard itself uses two USB ports."

Why does a keyboard require two USB ports?

The second connection is for the port on the keyboard. Basically just acts as an extension. You don't need to plug in both plugs if you just want to use it as a keyboard.

No idea why they didn't just build in a USB hub into the keyboard.

This page is currency unavailable... Travelex scrubs UK homepage, kills services, knackers other sites amid 'software virus' infection


Re: Compliance....

Sadly not.

Buying foreign currency is classed as a cash advance as far as credit cards go.

That means you pay a charge on the transaction and the money is subject to interest charges immediately (unlike normal purchases which only accrue interest after the current statement period).

I learned this the hard way.

Fake broadband ISP support scammers accidentally cough up IP address to Deadpool in card phish gone wrong


I usually start whispering in an attempt to get them to turn up the speaker volume at their end before suddenly unleashing the deafening noise.

Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up


The fix is just as bad

Now the software relies on a key that only Sennheiser privately keeps a copy of.

So they've just appointed themselves as a root CA. Wait until that key leaks and...

What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect .. no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.

Germany pushes router security rules, OpenWRT and CCC push back


Re: Giving the vendors a choice will give the users a choice

If you have enough knowledge about firewalls and how the Mikrotik works, it is a great bit of kit, but for the average user the default configuation leaves a lot to be desired.

It is quite obvious that Mikrotik devices are not aimed or marketed at the average home user. It's quite obvious from the feature-set, UI and documentation that these devices are aimed at networking professionals who should be expected to be able to secure their own stuff. I wouldn't recommend Mikrotik kit to Joe Average for the same reason I wouldn't recommend Cisco, Checkpoint, Juniper etc. etc.

However, for those that can handle them, they provide huge capability for the price.

That said, there's no need for insecure by default.

Mikrotik routers pwned en masse, send network data to mysterious box


Re: @marcus - Vulnerability is overstated

What complete idiot implements remote access in a consumer firewall ?

I wouldn't call Mikrotik a consumer firewall. They are squarely aimed at the semi-pro through to carrier market segments.

Plusnet customers peeped others' deets during system upgrade


Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

PlusNet store your password in plain text

.. or at least encrypted in a reversible fashion.

Whilst this is not best practise for storing credentials, the PPPoE layer uses CHAP authentication. I've not kept up with PPP authentication methods but a few years ago at least, the options were send in clear, some sort of CHAP variant (where the server needs to know your credential in clear) or something proprietary that will restrict the type of router you can use. At this layer, they are making the best of a bad set of options.

and will email it out to you

This is where it all falls down though. They use the same credential store for access to manage your account and has accessible mechanisms to discover it. To my mind, they should be making every effort to make the credential store a 'write only' system.

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case


Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

The 'service' is not being provided to the individual, it's being provided to advertisers.

Hence they have no defence of it being stored as an essential part of the service to the subject.


Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

But that's the thing with the GDPR, the potential fines are quite large.

If someone has the will (and I'll admit it's probably quite a big if) then this sort of case could cause some massive changes of behaviour in the tracking and advertising industry. Probably just for European end users though. It will either cost a shed load in fines or a shed load in lawyers fees (and then hopefully a shed load in fines on top! - Hey, I can but dream)


Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

Let's take the thought exercise a bit further ..

They have a bunch of data that is classed as personal. You may even go so far as being able to deanonymise some of it making it potentially identifiable (don't ask me how, but the deanon crowd can be scarily inventive when they get a hold of big datasets).

For any particular data element, they can say that they don't know who it is about. Therefore there is no way that they can evidence any informed consent for the collection and processing of said data. The individual is not (necessarily) a user of Facebook so there is no way that the data is collected as an essential part of any service provided to the individual. Therefore, as far as I can see, they would have no legal basis to keep hold of the data and should therefore delete it.

That will probably save them megabucks in storage costs ;)


Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

Why does it matter whether he's a member or not? It's personal data that they have collected about him.

From a technical aspect, if he's a member it should make it easier for them to extract and collate the relevant data. If he's not a member, they have no justification or permission whatsoever for collecting and processing that data in the first place.

Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malware


Barclaycard were a little bit proactive.

Dunno if it was related to this but Barcklaycard suddenly decided to revoke and replace my card over the weekend. This was a couple of days before the 23rd but other news sites indicate that people were aware of the attack before that date.

In non-startling news, EFF says STARTTLS email crypto is mostly done wrong


Re: Actually...

.. or if you use letsencrypt as the CA, which the mention of certbot seems to be advocating even if it's not explicitly mentioned in the text.

it's not difficult to do, even without an updated version of certbot.

Two's company, Three's unbowed: You Brits will pay more for MMS snaps


I had that same situation. It is likely a 'problem' with the configuration or provisioning of your SIM. I also thought it was because I was using a non-network phone. However, the last time I bought a new handset I needed to migrate to a nano sim. I made the mistake of getting a replacement sim (free and pretty much instant process in the local store). Ever since then it has been properly registering 'tethered' traffic.

Car-crash television: 'Excuse me ma'am, do you speak English?' 'Yes I do,' replies AMD's CEO


Re: F1 is a Car Crash

They do need to sort out the media rights again. Hopefully something more along the lines of what Formula E are doing

.. giving it to a broadcaster that does not care about it enough to show it consistently. You have to play guess the channel does not lead to audience retention. Will the next race be on Five, will it be Spike or will they find some other channel to dump it on.

their emphasis seems to be on fan engagement and large audiences.

Fanboost needs to die in a fire. Having a popularity contest contribute directly to the available power a driver has isn't racing. Sam Bird is at a massive disadvantage, I reckon most Brit racing fans are traditionalists so he never wins the vote yet he still brings home the points.

An next year's Formula E car looks like something straight out of the Hot Wheels factory

yep, the Gen2 car looks hot hot hot. They actually designed in the halo instead of just plonking it on top like a pile of scaffolding.

I love F1, i also love FE. I don't understand the "it's slower" argument. The cars in an F1 race are going slower than in Qualy yet you don't say there's no point in watching the race. The enjoyment in the race is in watching the drivers getting very close to each other indeed and battling to get past/stay ahead through corners. there's typically much more of that in FE than there is in f1 nowadays. That said, both series were blessed with cracking races this past weekend.


Re: Might not look scripted, but they've prearranged the interviews and for how long in advance.

Pretty much all of the gridwalk interviews is based on spur of the moment judgement, luck and being well-known enough that the drivers want to talk to you.

Brundle is pretty much the king of the art. I do remember one (not by Brundle) where the hopeful interviewer didn't have any luck. the entire gridwalk was basically repeating "Let's go and speak to <x> ... oh, he's gone to the toliet"

Keep it light, and keep doing something. Even if it goes horribly wrong the viewer will hopefully let out a sympathetic chuckle.

Nvidia: Using cheap GeForce, Titan GPUs in servers? Haha, nope!


Re: Note to Nvidia

Why is it 'abuse' anyways? and why is one type of 'abuse' a licensing issue an another ain't?

if I decided to massively overclock a card, push 1KV where it's expecting 5V or dissolve the thing in acid, that can be construed as 'abuse' of the card but no-one is gonna come round and try and sue me for doing so, the worst that would happen is laughter if I tried to claim a replacement under warranty.

Consumer cards aren't designed to be run at full power 24x7. OK, state that and state that it's not covered by warranty if it breaks, that should be the beginning and the end of ir.

Security pros' advice to consumers: 'We dunno, try 152 things'


Re: Don't open unexpected attachments

Malware can harm a company even without elevated privileges. Even if everything a user has access to is regularly backed up, a ransomware attack can still cause great disruption and expense.

Whilst there are gateway systems that can extract all "non-active" content from incoming files and just deliver that, they are not perfect, can throw away important content and are currently insanely expensive. Until that sort of system is perfected and commonplace, this sort of attack vector is going to be a massive risk.

Although we don't expect normal staff to "be" security guards, we expect them to not open the fire exit doors because some randomer wants to be let into the building. (That said, we all know that people hold open access doors for unknowns far too often) A bit of awareness is not an unreasonable thing to ask. Yes, mistakes will happen from time to time but "don't click links or attachments in unexpected emails" and awareness that emails may not be from who they say they are should not be difficult concepts for anyone performing pretty much any task in an organisation.

Star Wars: Big Euro cinema group can't handle demand for tickets to new flick


Re: spoilerific

No, that's the gerbil out of g-force it's part of the Disney Cinematic Universe now, Kermit the Frog's in episode 9 in a role not dissimilar to Yoda, "here, hi-ho, Kermit the frog I am".

Surely it'd have to be Miss Piggy as Yoda.

Sofa-jockeys given crack at virtual Formula 1 world championship


Re: Tight squeeze

dont forget swears constantly and hurls abuse at everyone else in the game

Why does that make them unfit? You could almost believe that the team radio conversations are in morse code!


Re: Clarification by a simracing bore

winner of which will win a contract to be a test driver in their Formula 1 Simulator at the Mclaren Technology Centre.

That's basically what I do at the moment.... I'm sat in a chair wondering when/if my car will be fixed and emerge from the garage.

Sonos will deny updates to those who snub rewritten privacy terms


Re: Farewell Sonos

If you did own a Sonos I wonder if changing the T&Cs to something you no longer agree with provides a case for you to return the goods for a full refund?

I don't believe that anyone managed it when Sony released a firmware update that removed functionality from the PS3.

IIRC, they used a similar sort of language as Sonos in that if you wanted to keep the OtherOS function, you simply didn't have to install the (unremovable) update. Though in reality if you wanted to play any games released after that, you had to install the 'optional' update.

Sainsbury's IT glitch spoils bank holiday food orders


Re: Round these parts ...

Neither, we blame the weather.

Dell to patch AMT-vulnerable systems


Re: Poweredge T20?


Mine is still well within its warranty period, so there's absolutely no way it should be unsupported.

Red alert! Intel patches remote execution hole that's been hidden in chips since 2010


Re: PANIC!!!!!!!!!! :-)

That test looks flawed to me.

AMT sits between the physical ethernet controller and the os. only represents the visual lo loop back device and therefore goes nowhere near the network hardware. Even doing that to the ip address assigned to your nic wouldn't work as the kernel would know that it doesn't need to send across the network.

Try it from another host on your network towards your i7 and you will get more accurate results.

Linux kernel security gurus Grsecurity oust freeloaders from castle


Re: WindRiver?

There is no licensing issue. GrSecurity's kernel are license under GPLv2 which specifically allows the recipient to re-distribute.

However, you are not obliged to re-distribute and nor are grSecurity obliged to do business with you, so if they find that you have distributed the kernel they are entirely within their right to refuse to give you their next version.

The use of the grSecurity trademark is a different matter and I suppose the usage of it depends on what they are claiming in the associated documentation.

Hutch's Three UK users ripping through over 6GB a month


Re: fortunately 3 do reasonable all you can eat data packages

It actually seems to be done via the SIM or network.

For whatever reason, they used to be unable to differentiate between my tethered and non-tethered traffic. I changed phone (direct from manufacturer, not from three) and realised I needed a nano SIM. Not having one of those hoe-punch style things to hand, I went to the local store where a helpful chap swapped my SIM out for free.

Result : my tethered traffic is now registering as being tethered - on the new phone and the old - no special firmware required. I can only guess that my previous SIM wasn't provisioned correctly.

As a long-term customer who doesn't (often) take the mick with the unlimited data, I enjoy a very significant discount on the unlimited service. they've bumped me off my old plan the other month but as it was the first price increase in about five or six years for me I'm not too aggrieved.

Solarwinds sends customers each others' complete client lists


Re: @GingerOne

I would be very angry if any customer I looked after had had their details leaked knowing what could be on the way after such a breach of information.

if I were a Solarwinds customer in this case, I'd be worried what level of legal liability I would have to my customers if their data was involved in this.


Re: The Cloud...

That's a case in point. It was a dedicated NHS system so the 'damage' was contained with in the NHS.

Aside from a deliberate act, there's no conceivable way that, say, everyone's data can be sent to BUPA. However if they both used a shared third-party cloud platform, you cannot make such an assertion.

Tablets become feebleslabs as sales spiral down


Re: Everybody who wants one, got one

For example, I am typing this on my Nexus 10, which is getting to be close to 5 years old. However, it still works fine, and anything mid-range I could get to replace it won't be an improvement in terms of the screen quality, which is the crifical requirement for me.

I also have a nexus10 though sadly the battery is on it's way out, after a couple of hours usage the thing just dies with very little warning ((battery monitor would be 60-70% not long beforehand). It has also started to feel a bit sluggish.

Totally agree that there seems to be nothing at a reasonable price that comes close to the screen quality - I almost wish I hadn't got used to the Nexus as then what's available now would seem like an upgrade.

Furby Rickroll demo: What fresh hell is this?

Black Helicopters

Spy Furby

Wasn't there some hysteria years ago that furbys might record voice and could be used as a spy device? This got them totally barred from many establishments even though the recording and playback was pretty much uncontrollable.

If you can change it's programming then this one could definitely be used in that way.

Oh, the things Vim could teach Silicon Valley's code slingers


Of course releases are slow..

They are feature complete, do the job well and aren't chasing constantly changing standards or dealing with complex data in a changing security landscape.

That said, I agree that there's a lot to be said for stability, there should be different streams for browsers, one with feature updates and another concentrating with just bug and security fixes. I think that Mozilla have tried this with their esr(?) releases.

How can you say that the likes of vim and emacs are so much better than modern software that "feels like reinventing the wheel for the sake of it" when just in the previous paragraph you lauded Emacs' ability to render HTML.

Finally, yes if you have something written in a language or environment that can only be learned about by trawling through archive.org it should be re-written. The application is pretty much un-maintainable and the underlying infrastructure is obsolete and will therefore be crumbling. What happens if the execution environment has security issues or does not function in the next version of $OS?

The top doc, the FBI, the Geek Squad informant – and the child porn pic that technically wasn't


Re: For the sake of argument...

If it was a legitimate medical image, why is it taken on his personal phone, not on a hospital/surgical system?


Re: My 2p worth

<quote>I am not sure which of the two makes me sicker, some of the peodos are mentally ill, so some small sympathy, but the lawyer is scum.</quote>

Nope, the defence lawyer must and should do everything in their ability. The accused should get absolutely the best defence. that way any eventual conviction is rock-solid and beyond all doubt.

The laws against unwarranted searches etc.are there for very good reasons to protect society as a whole and the way of life you are accustomed to. They were put in place by people much cleverer in such things than you or I. Law enforcement should absolutely follow the spirit and intent law. By the sounds of it, the guy should absolutely be put away but he should have been caught in some other manner.

However, quite how a 'borderline' still from a known child sex abuse video would not be sufficient to get a warrant (wether the still was indecent or not) is beyond me.

Itchy-fingered OnePlus presses refresh, out pops value champ 3T


Re: 'The capacitive buttons ... make it vastly easier to operate the phone in the car'

That has always been the case, the law has not changed. Anything that distracts you enough so that you are not paying enough attention to driving - whether that be a phone call, fiddling with the radio or talking to the person in the passenger seat - is dangerous and can lead to a charge of driving without due care and attention. The hand-held mobile law is different as it is illegal even if it isn't obviously affecting yur driving at the time. I think that the penalties have changed recently though.

Murdoch's 21st Century Fox agrees £18.5bn Sky takeover deal


Re: 168 year old paper

I'm sorry, but I can't agree with any sentiment for people to die.

If you'd said to send the money grabbing human turd-nozzle to jail then I'd be in total agreement.

It's now illegal in the US to punish customers for posting bad web reviews


Re: Trump might want to repeal that, especially because he said this about journalists:

I was just thinking of this tweet

Uber to Cali DMV: Back off, pal, our 'self-driving cars' aren't self driving


Typical Uber

Their drivers don't work for them.

Their self driving cars aren't self driving (unless you want to claim that the driver is working for them).

Next week : their app isn't an app and the money you're paying them isn't paying them.

Work ends on Open Virtualisation Format


OVF doesn't work

.. At least with vmware.

It's a great idea to allow interoperability between hypervisors. As the article says, the knowledge needed to convert between formats is well known and ovf was intended to be the standard to enable that. However, when the best known play only pays lip service then you have to ask what's the point...

Create a vm in virtual box and export as an ovf. Now try and import into esx or (shudder) vcloud. Even though all the required information is present in the ovf, vmware refuses to register the vm. You need to read the hardware details from the ovf, manually convert the virtual disk and manually create the vm. Btw, the import tool can clearly parse the ovf configuration and the disk conversion tool is part of esxi.

I hope that people have it better in the hyper v and xen space but from my experience ovf has failed.

Amazon's Netflix-gnasher to hit top gear In December


Re: Yarrgh


Not on the Amazon app on my Samsung TV, alas.

There is on mine, but it's not immediately obvious (and resets to 'everything' at any opportunity). Try pressing the Green (B) button on the remote.

Lenovo intros monster disk box

Paris Hilton

Is maths broken??

1.5x the capacity of the 5U HPE D6000, which holds 70 3.5-inch drives

OK, 70 x 1.5 .. so it can hold 105 drives? Impressive.

Hang on..

the D3284 JBOD, a 5U enclosure holding up to 84 3.5-inch disk and/or solid-state drives.

Hmm .. my brain hurts.

UK's 'FBI' hit by DDoS barrage


Re: Haven't they just been given oodles of cash to protect us agains this kind of thing?

Because their website has zero operational impact and pretty much zero value to them.

Unlike most businesses, no-one is going to use their website in an attempt to use their services. The site is totally distant from their operational networks, it is pretty much a place to put out press releases and PR material.

Given that an outage has no impact, there is no ROI on spending thousands on DDos protection - money that could be far better used doing what they are meant to be doing.

Stickers emerge as EU's weapon against dud IoT security


Other Warnings

There should be other (ralated) mandatory stickers in bright red on white in inch high text like

WARNING : This product sends your information to other people

WARNING : This product will be an expensive paper-weight when <company> closes or decides it does not want to continue running it or wants you to upgrade.

Anything requiring those stickers don't go near my home.