* Posts by Stephen W Harris

77 publicly visible posts • joined 8 Jul 2009


Hotel guest goes broke after booking software gremlin makes her pay for strangers' rooms

Stephen W Harris

Re: never use a debit card for credit ?

"many banks offer an SMS alert system which is useful to catch unauthorized payments and block the card quickly if needed."

My credit card number somehow got stolen and was used at a Domino's in Flushing (Queens) last week. I've never even been to Flushing. Because I have an app on my phone I got alerted within seconds and called the bank and got the card cancelled. I'm guessing a $19 pizza purchase was a trial purchase, so this probably prevented larger abuse.

Amazon Drive bans rclone storage client

Stephen W Harris

Re: Moving keys from source to a server won't fix the problem

The typical way the authentication service works is that the _service_ makes a call to the Amazon API and retrieves a token; that token is passed back to the client. The client uses the token to talk to the API. When the token expires (1 hour later) the client talks, again, to the authentication service and requests a refreshed token.

In this way the client API ID and secret are never exposed to the end user... but it means there are some risks:

1) @ncw doesn't abuse the authentication service and steals tokens :-)

2) Someone else doesn't compromise the service and steals tokens

3) @ncw has to commit to keeping the service running forever and ever (once the authentication service goes down then rclone will no longer work).

The alternative approach of passing the ID/secret to the client at "first run" prevents these risks _but_ effectively means they are no longer secret (as mentioned; add a print statement) and will be leaked, and Amazon will eventually ban them again.

As @ncw says, the google approach of allowing each user to generate and use their own ID/secret is much better.
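The token-broker arrangement described above, and the "ship the secret with the client" alternative it is contrasted with, as an added simulation that is not rclone's code or Amazon's API. Everything here is constructed: `MockProviderAPI` stands in for the vendor's OAuth endpoint and signs its own tokens with HMAC; `AuthService` is the project-run service that alone holds the client ID/secret; `StorageClient` holds only tokens and goes back to the broker when the hour is up; `EmbeddedSecretClient` carries the secret itself. The names, the sample secret and the refresh-token handling are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets


class MockProviderAPI:
    """Constructed stand-in for the storage vendor's OAuth endpoint (not Amazon's real API).
    Access tokens are HMAC-signed JSON so expiry can be checked without a network."""

    TOKEN_TTL = 3600  # the one-hour token lifetime the post mentions

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._apps = {}    # client_id -> client_secret registered by the app author
        self._grants = {}  # refresh_token -> client_id the end user consented to

    def register_app(self, client_id, client_secret):
        self._apps[client_id] = client_secret

    def authorize_user(self, client_id):
        """One-off browser consent; the user gets a long-lived refresh token for this app."""
        if client_id not in self._apps:
            raise PermissionError("unknown client_id")
        token = secrets.token_urlsafe(24)
        self._grants[token] = client_id
        return token

    def refresh(self, client_id, client_secret, refresh_token, now):
        """Only a caller that presents the app secret can mint a new access token."""
        if not hmac.compare_digest(self._apps.get(client_id, ""), client_secret):
            raise PermissionError("bad client credentials")
        if self._grants.get(refresh_token) != client_id:
            raise PermissionError("refresh token was not issued to this app")
        body = base64.urlsafe_b64encode(json.dumps({"exp": now + self.TOKEN_TTL}).encode()).decode()
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def call_api(self, access_token, now):
        """Data-plane call: accept the token only if signature and expiry check out."""
        body, _, sig = access_token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("tampered token")
        if now >= json.loads(base64.urlsafe_b64decode(body))["exp"]:
            raise PermissionError("token expired")
        return True


class AuthService:
    """The project-run broker from the post: the only party holding client_id/secret."""

    def __init__(self, api, client_id, client_secret):
        self._api, self._client_id, self._client_secret = api, client_id, client_secret
        self.online = True  # set False to model the service going away (risk 3)

    def refresh_for(self, refresh_token, now):
        if not self.online:
            raise ConnectionError("auth service down; nobody can refresh")
        return self._api.refresh(self._client_id, self._client_secret, refresh_token, now)


class StorageClient:
    """The end-user program: holds tokens only and asks the broker when they expire."""

    def __init__(self, api, broker, refresh_token):
        self._api, self._broker, self._refresh_token = api, broker, refresh_token
        self._access_token, self._expires_at = None, 0

    def _mint(self, now):
        return self._broker.refresh_for(self._refresh_token, now)

    def fetch(self, now):
        if self._access_token is None or now >= self._expires_at:
            self._access_token = self._mint(now)
            self._expires_at = now + MockProviderAPI.TOKEN_TTL
        return self._api.call_api(self._access_token, now)

    def holds(self, value):
        """True if the given string sits in any of this object's own fields."""
        return any(value == v for v in vars(self).values())


class EmbeddedSecretClient(StorageClient):
    """The alternative the post rejects: the secret ships inside the client, so no broker
    is needed, but it is one print statement away from anyone running the binary."""

    def __init__(self, api, client_id, client_secret, refresh_token):
        super().__init__(api, None, refresh_token)
        self._client_id, self._client_secret = client_id, client_secret

    def _mint(self, now):
        return self._api.refresh(self._client_id, self._client_secret, self._refresh_token, now)


def demo(t0=1_000_000):
    """Run the exchange from the post and report what each design exposes."""
    api = MockProviderAPI()
    api.register_app("storage-client-app", "app-secret-xyz")  # constructed sample values
    broker = AuthService(api, "storage-client-app", "app-secret-xyz")
    brokered = StorageClient(api, broker, api.authorize_user("storage-client-app"))
    embedded = EmbeddedSecretClient(api, "storage-client-app", "app-secret-xyz",
                                    api.authorize_user("storage-client-app"))
    out = {"first": brokered.fetch(t0),              # broker mints the first token
           "same_token": brokered.fetch(t0 + 3599),  # still inside the hour
           "renewed": brokered.fetch(t0 + 3600)}     # expired: back to the broker
    broker.online = False                            # risk 3: the service disappears
    try:
        brokered.fetch(t0 + 7200)
        out["after_outage"] = "worked"
    except ConnectionError:
        out["after_outage"] = "blocked"
    out["embedded_still_works"] = embedded.fetch(t0 + 7200)
    out["brokered_has_secret"] = brokered.holds("app-secret-xyz")
    out["embedded_has_secret"] = embedded.holds("app-secret-xyz")
    return out
```

`demo()` shows the trade-off in one run: the brokered client refreshes transparently at the hour mark, stops working the moment the broker goes offline, and never has the app secret in its own state; the embedded client keeps working without any broker but carries the secret, which is exactly what gets pulled out of a shipped binary and eventually banned.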

Finally a reason not to bother with IPv6: Uh, security concerns...?

Stephen W Harris

How does this traffic get out?

Any network worth being called secure doesn't allow end points direct access to the outside world, by default. Desktops must use a proxy. Servers can't see the internet except by pre-approved firewall exceptions to a specific port.

So how does this 6in4 tunnel traffic work? Via HTTPS proxying? In which case the proxy can _easily_ detect the 6in4 setup sequence, same as it can detect ssh on port 443.

Hmm, the paper says "All network hosts can establish a direct connection to the Internet without proxies or any other connection handlers."

So we're not talking about a secure network, anyway.

Lovely. Now someone's ported IoT-menacing Mirai to Windows boxes

Stephen W Harris

Re: Bored of hearing crap about IoT

UPnP is needed on IPv4 to enable incoming port forwarding because of NAT (one IP address shared amongst many devices).

With IPv6 the firewall functionality of routers _should_ default deny incoming connections, so it doesn't matter if your IoT device has a public IP address; the firewall blocks the attempt.

In theory this might lead to a UPnP6 standard ("let my IPv6 device receive connections on port 12345").

So we need to ensure two things with IPv6:

1) Firewall configured for "default deny" incoming traffic (pretty much matching IPv4 with NAT in this case). Any firewall should default to this if it's going to be called a firewall, as opposed to just being a dumb router. So this basically means consumer equipment should have IPv6 firewall capabilities.

2) UPnP6 never takes off.

Penguins force-fed root: Cruel security flaw found in systemd v228

Stephen W Harris

Re: @Dan 55 right ..

@Hans 1 - you misread; xinetd is the standard RedHat one; the _service_ entry points to an NFS mounted executable. eg /etc/xinetd.d/myservice might have "server = /nfs/mounted/path/foobar"

Now xinetd starts before NFS is properly ready (standard RedHat systemd startup), it can't find "foobar" and so disables the service.

This only broke in RedHat 7; it worked fine for decades (and even via inetd on SunOS 4).

Stephen W Harris

Re: @Dan 55 right ..

@Gerhard Mack

Fun dependencies like this exist with systemd; for example if you have xinetd and a service binary on NFS... xinetd starts before NFS does and so the service fails. You have to force xinetd to start after NFS if you want this to work properly.

Similarly I have an rc.local script that sends an email to my phone each time my server reboots; postfix is running but can't do DNS resolution and so the message sits there waiting for retry. INN also suffers a DNS failure and so won't allow any incoming connections. I've not fully debugged those ones, yet!

None of those issues hit with sysvinit on CentOS.

Naughty sysadmins use dark magic to fix PCs for clueless users

Stephen W Harris

Re: Voodoo

A few years back I was in a hotel 4,000 miles from home. I was about to go to the bar, so stopped off at my co-worker's room to collect him. He was on the phone with his wife; the TiVo had got into a reboot loop and he'd spent the last 10 minutes trying to fix it remotely. But nothing. In desperation he said to his wife, "I'm going to pass you over to Stephen; he's good at this stuff" and then paused... "Oh, it's working now!"

Sometimes just the threat of me is enough to scare devices into working, from a different continent :-)

Outlook.com is still not functioning properly for some Microsoft punters

Stephen W Harris

Seems to work fine for the spammers sending me mail from outlook.com...

Docker taps unikernel brains to emit OS X, Windows public betas

Stephen W Harris

Every time you call "docker run" you're firing up a new container instance, so the /proc/cpuinfo and free commands were run in different instances.

And all those "docker run" commands are gonna leave traces behind ("docker ps -a"). It's better to use "docker run --rm" to clean up after your instance shuts down if you don't need to inspect the results ("docker logs", "docker diff", etc).

In-flight movies via BYOD? Just what I always wan... argh no we’re all going to die!

Stephen W Harris

Oh great

So I get to watch a movie on my 5" phone screen (or spend $$$ on a tablet that needs lugging around) and need charging cables and adapters (I hope they have power to every seat) to last the whole flight? Uh, and a case for the phone/tablet that let it sit at the right angle on the seat table... which will need to be down and thus encroaching on the limited space already present in cattle class.


5% of drivers want Nigel Farage to be their in-car robo butler

Stephen W Harris


Paying a PoS*, USA? Your chip-and-PIN means your money's safer...

Stephen W Harris

US appears to be primarily going chip'n'sig

The web is DOOM'd: Average page now as big as id's DOS classic

Stephen W Harris

"Almost no point in a proxy cache now."

Proxy caches are close to useless in an SSL-everywhere world, anyway. The proxy can't see the traffic content.... unless you plan on MITMing everything!

'I hacked Facebook – and found someone had beaten me to it'

Stephen W Harris

Cert logs?

From the article:

"It also turns out the server had a *.fb.com wildcard SSL certificate installed on it. Misusing it would trip Facebook's cert logs, though."

Would that be true? I thought the cert logs only tracked SSL cert _issuances_ from CAs. If I was able to get their wildcard cert and copy it to my machine then I could use it and no CA would be involved and no new cert issued. How would the cert logs track that?

One-third of all HTTPS websites open to DROWN attack

Stephen W Harris

Why is anyone still configured for SSLv2 anyway? Yes, the openssl bug (CVE-2015-3197) that allowed SSLv2 to be used even when disabled means there's still an issue to be patched, but that's not the question.

We know SSLv2 is insecure. It's been on the bad-boy list for many years. So why do people still have it configured?

Hello, Kotlin: Another programming language for JVM and JavaScript

Stephen W Harris

Re: Not the first and quite late to the party ...

Not OpenSource, bloody expensive, and doesn't run on my platform of choice. Three strikes!

I really should look at Lazarus again...

Chip company FTDI accused of bricking counterfeits again

Stephen W Harris

Misleading title

The latest driver _isn't_ bricking the chip. What it does is detect counterfeit chips and then send a specific stream 'NON GENUINE DEVICE FOUND!' to the device instead of the requested data.

I'm glad that FTDI is highlighting the problem of fake chips. I wish they could be a little less heavy handed (just refuse to work).

As for those people talking about "critical" usage... if FTDI just refused to talk to the chip then you'd bitch and scream in the same way.

There are two real problems, here, and neither are FTDI's making:

1) Fake chips and a lack of control in how they get into products. "Chain of trust" is a biggie, and this MUST be used in critical scenarios; if you're buying something that may impact life then damn well make sure you've bought from a vendor that has, itself, verified all its suppliers. Otherwise you, the purchaser, are culpable. And if it's a large reputable vendor then you might be able to get them to cover you...

2) Apply patches to production critical servers without having testing before hand. WTF, people? It makes me cringe; I've seen doctors and dentists use windows machines to do patient related stuff. I know they won't have a test bed, so any patches will be on live machines. This makes #1 even more important. (I wonder if this is why my doctor's systems were all down last year... hmm!)

FTDI have made some of the best USB chips around. So good that people are passing off counterfeit products as the original. On the streets of New York the cops will (sometimes) arrest fake Gucci street sellers. Where is the equivalent cops arresting fake FTDI sellers?

If you unknowingly buy stolen goods then you may have them confiscated. If you unknowingly buy counterfeit FTDI chips you may have them stop working.

Boozing is unsafe at ‘any level’, thunders chief UK.gov quack

Stephen W Harris

Re: Calling Ben Goldacre

In some parts of the US it's a legal requirement to show ID to buy boozahol regardless of age, depending on the type of store (eg a pub may have different requirements to an offie).

Sued for using HTTPS: Big brands told to cough up in crypto patent fight

Stephen W Harris

"I noted that there don't seem to be any Banks on the list" (@Public Citizen)

Banks have been trolled by Intellectual Vultures^WVentures for SSL/TLS in the past; see "Intellectual Ventures vs Capital One", "Intellectual Ventures vs Chase" and so on. I believe the Chase one is still ongoing...

eg http://www.intellectualventures.com/assets_docs/Intellectual_Ventures_-_JPMorgan_Chase_Complaint_2013_1.pdf mentions 7634666 which is, basically, hardware accelerated public key encryption engine, and also 5745574 which appears to be SSL certificate authority stuff.

Doctor Who's good/bad duality, war futility tale in The Zygon Inversion fails to fizz

Stephen W Harris

"that phrase delineates the distinction between fiction and fantasy."

I think any SciFi story that requires FTL would disagree with you.

"Suspension of disbelief" is the willingness of the reader/viewer/consumer to allow the story to work on its own terms.

I don't think there's _any_ SciFi that doesn't require some level of suspension. It may be minor (eg Allen Steele's near space stories) or it may be major (Star Trek, Babylon 5).

Or even your Thunderbirds; really, a rocket ship launching from the swimming pool without setting fire to the whole island? Have you seen how far back the safety area is at Kennedy Space Center? Tracey Island would be obliterated the first time Thunderbird One launched.

We ignore these "errors" because they don't get in the way of the story. We deliberately suspend our notions of reality to aid in the story telling process.

And it doesn't matter the genre. If it's fiction then it requires some level of suspension of disbelief. Do you really think that any best selling book doesn't require acceptance of the universe? Even a Barbara Cartland "romantic" novel requires the acceptance of some super-stud Italian... and let's not get started on "50 Shades of Grey" :-)

Doctor Who's Under the Lake splits Reg scribes: This Alien homage thing – good or bad?

Stephen W Harris

Re: Mid-season cliff-hangers aren't new...

Yeah... just to get started

Empty Child / Doctor Dances (May 21, May 28)

Rise Of The Cybermen / Age Of Steel (May 13, 20 May)

Impossible Planet / Satan Pit (Jun 3, Jun 10)

Daleks In Manhattan / Evolution Of The Daleks (Apr 21, Apr 28)

Human Nature / Family Of Blood (May 26, Jun 2)

and so on. Plenty of two-parters in the middle of a run.

Doctor Who returns to our screens next week – so, WHO is the worst Time Lord of them all?

Stephen W Harris

Colin Baker, by a mile.

I'm gonna go against many people and say that McCoy was a really good Doctor. He's definitely in the top half. Yes there were some crappy stories (especially in his first season), but there were some good ones as well (I really liked Silver Nemesis, Battlefield, Remembrance, Fenric, Survival).

Colin Baker, though... ugh.

From the old series:

Hartnell: grumpy old man

Troughton: bit of a clown, flighty, panics

Pertwee: action man, "snazzy" dresser, kindly gentleman

Tom Baker (my favourite): joker, tried to be mysterious

Davison: weak, always a step behind

Colin Baker: arrogant arsehole, worst Doctor evuh

McCoy: brought some sense of fun back, had some good and _awful_ scripts

McGann... I try to forget that film.

Modern Who...

Eccleston: a good way to reboot. Chipper, not too serious, dynamic

Tennant: started off a little too wild and short-attention-span but settled down. In the end I think I liked him more than Eccleston.

Smith: started far too young and was far too weak; too many echoes of Tennant. But grew into the role.

Capaldi: grumpy old arsehole. Not liking him, so far.

Now I'm hoping this upcoming series will be better. I think there's potential, but so far he's the worst of the new Doctors and possibly the second worst Doctor thus far.

New York State plots broadband future

Stephen W Harris

Re: Go ask New Jersey

Works well for me; I'm paying for 75Mbit/s Verizon FIOS. Here are some regular "wget" calls I make to check the speed from http://cachefly.cachefly.net/100mb.test

2015-01-20 13:50:11 (9.99 MB/s) - `/dev/null' saved [104857600/104857600]

2015-01-20 14:05:11 (10.0 MB/s) - `/dev/null' saved [104857600/104857600]

2015-01-20 14:20:12 (9.99 MB/s) - `/dev/null' saved [104857600/104857600]

2015-01-20 14:35:11 (9.99 MB/s) - `/dev/null' saved [104857600/104857600]

2015-01-20 14:50:11 (10.0 MB/s) - `/dev/null' saved [104857600/104857600]

2015-01-20 15:05:12 (9.99 MB/s) - `/dev/null' saved [104857600/104857600]

2015-01-20 15:20:11 (9.99 MB/s) - `/dev/null' saved [104857600/104857600]

Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

Stephen W Harris

Re: Do I understand this?

SSL certs are already free, from places like StartSSL; the green padlock doesn't really prove much. It's definitely not proof of identity.

Reg hacks see the woods or the trees In the Forest of the Night

Stephen W Harris

Re: Some vapid netheads ...

The Clangers? They've already been on Doctor Who. "The Sea Devils"; https://www.youtube.com/watch?v=dOK1YdWalOw

Stephen W Harris

Re: It's all gone to pot

Old series; Tom Baker was "my Doctor". Although I think McCoy could have been the best if he'd been given the chance. He re-introduced some of the mystery around the Doctor.

New series... I immediately liked Eccleston. He was great. It made a good reboot and made me a fan of the new series. Disliked Tennant when he started, but got used to him within a few episodes. Smith was too young but he grew into the role (seriously, look at him standing up to the Atraxi in his first episode and thinking "cute, kid"; compare to almost any of Series 7; Journey To The Centre Of The TARDIS; in just 2 years he'd grown up).

Capaldi I'm actively disliking. His character is an arsehole. Not Colin Baker levels of dislike ('worst Doctor ever!'), but definitely the worst of the new series.

Ofcom will not probe lesbian lizard snog in new Dr Who series

Stephen W Harris

Re: Did the BBC just troll people?

Google "Dr Benjamin Spock". His name was the "Spock" that people knew long before Star Trek existed, and "Mr Spock" vs "Dr Spock" was a common mistake at the time.

Stephen Fry MADNESS: 'New domain names GENERATE NEW IP NUMBERS'

Stephen W Harris

Re: Well...

You're confusing an expansion of a finite number with the value of the number. "PI" and "sqrt(2)" are both finite numbers (we can bound them; eg 3<PI<4) but any expansion of that number would take infinite space.

The "decimal expansion of 1/3" is infinite (0.333 recurring) but no one would claim 1/3 was infinite :-)

Stephen W Harris

Re: Well...

There's actually no such thing as "nearly infinite".

For a number to be "nearly infinite" it must be a finite distance ("delta") away, and so has a value of "inf-delta"... which is, itself, "inf". So any "nearly infinite" number is, itself, infinite... contradiction.

Alternatively, all finite numbers must be infinitely far away from infinity and so are clearly not "nearly infinite".

Stephen W Harris

Re: Isn't a number that is almost infinite, er, infinite?

0.999 recurring is exactly equal to 1.

Real numbers are different if there's another number that can be placed between them (a != c if there exists b such that a<b<c; a typical example would be "(a+c)/2"). In the case of 0.999(rec) there is no value "b" which can be placed between it and 1; therefore 0.999(rec) == 1. It's not "almost 1", it's "exactly 1".
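The two halves of the argument above, written out as an added worked derivation (not part of the original comment). The first line evaluates the recurring decimal as a geometric series; the second makes the "nothing fits between them" step explicit with the document's own a, b, c notation.

```latex
0.\overline{9} \;=\; \sum_{n=1}^{\infty} \frac{9}{10^{n}}
 \;=\; \frac{9}{10}\cdot\frac{1}{1-\tfrac{1}{10}} \;=\; 1 .

\text{For every } N:\quad 1 - 0.\underbrace{99\cdots9}_{N\text{ nines}} = 10^{-N},
\quad\text{so}\quad 0 \le 1 - 0.\overline{9} \le 10^{-N} \text{ for all } N .

\text{If some } b \text{ had } a = 0.\overline{9} < b < c = 1,
\text{ then } 0 < 1-b < 10^{-N} \text{ for every } N,
\text{ which no positive real number satisfies; hence no such } b \text{ exists and } a = c .
```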

US govt: You, ICANN. YOU can run the internet. We quit

Stephen W Harris

Re: What if ICANN goes renegade?

@Dougs, who asks "How is .london any worse than london.com, london.org and london.net? The new TLDs are stupid, but they aren't creating any new problems that didn't exist when there were only a few TLDs that any respectable organization was willing to use."

Without an organisation controlling the global namespace you will get fragmentation. My .london may be different to your .london; goes to different places or doesn't go anywhere at all. You'll end up with a handful of distinct and separate name spaces.

At least, today, london.com goes to the same place for everyone.

Curiosity now going BACKWARDS

Stephen W Harris

Re: There's no spare parts shop on Mars

Amazon Prime... whadya mean the Bezos drone doesn't go that far?

Dropbox outage was caused by 'buggy' upgrade: DDoS us? You hardly know us...

Stephen W Harris

Re: 1775Sec

5 minutes is only 300Sec; these guys are greedy and want almost a whole half hour.

Ten classic electronic calculators from the 1970s and 1980s

Stephen W Harris

The first calculator I used was a PYE P-630 (http://www.vintagecalculators.com/html/pye.html). I wonder what happened to it...

El Reg Contraption Confessional No.1: The Dragon 32 micro

Stephen W Harris

Still new things in retro-computing

Not only do I still have my original Beeb from 1983 but I also have a second one, and a Master. I've also built an Econet, and built my own expansion boards (additional user ports; NVRAM) for it. I'm doing more with my Beeb, today, than I ever did BITD!

Did Linux drive supers, and can it drive corporate data centers?

Stephen W Harris

Re: What's in a name?

Binary incompatibility does not demonstrate "not unix".

Try running an AIX binary on Solaris (both Unix). Or a SCO Unix binary on Solaris 86 (both Unix).

Microsoft's cloud leaves manual transmission behind

Stephen W Harris

The point of "cattle vs pet" isn't to stop you having your unique and precious snowflake; it's to have you _define_ your unique snowflake in such a way that if it breaks (hard disk failure; hardware failure; whatever) then it's quicker to rebuild than to repair. SMEs benefit from this. An environment with 1000 OS instances definitely benefits.

Godmother of Unix admins Evi Nemeth presumed lost at sea

Stephen W Harris

Must be _really_ old EPIRBs 'cos the ones in the early 90s would automatically activate in water. At least the ones we had onboard our ships did.

Apple loses round to Amazon in 'App Store' name dispute

Stephen W Harris

Re: Let me get this straight... @Neill Mitchell

See "WIMP": http://en.wikipedia.org/wiki/WIMP_%28computing%29

eBay frets as right to resell comes under scrutiny

Stephen W Harris

I'm not selling it; it's free! Just a small handling and postage fee to cover my expenses of shipping it to you...

iOS 6 maps can't find Sydney Apple Store

Stephen W Harris

Re: Map errors

I see errors in google maps all the time. Interestingly the main maps.google.com site gets it right, but the app on my phone gets it wrong. It's placing shops a mile away from where they should be.

The perfect CRIME? New HTTPS web hijack attack explained

Stephen W Harris

Re: Mitigation

Doesn't work for large corporate environments where all traffic goes via a cluster of proxies; each request _could_ come from a different IP address.

Wouldn't solve the problem in the case of a cafe WiFi or a hotel where all the traffic might be NAT'd to a single IP address.

IP-binding of information has never worked too well; even in the early days of the web, all AOL-users would be proxied.

Google whips away card, leaves just clouds in your Wallet

Stephen W Harris

Re: Bah!

It depends on the type of pre-paid card. Some of them are treated as "real" cards for billing/pay-down and reporting purposes. Someone with a poor credit rating can use these to gain a history of "paid on time" and thus improve their score.

Stephen W Harris

Phone NFC credit cards - too much work

Choice 1: take phone out of pocket, unlock phone, start up relevant app, enter whatever PIN/authentication that app needs, wave phone over NFC reader.

Choice 2: take out credit card, wave card over NFC reader.

In the US many NFC enabled cards (eg PayPass) don't even need PIN or signing for low value transactions (under $20 or $50 depending on card and outlet). Using the phone strikes me as a lot less convenient.

BOFH: Shove your project managementry up your mailbox!

Stephen W Harris

Re: Cricket bats versus baseball bats

The rules of cricket say "the ball" has to cross the boundary, not part of it. Thus the whole PM needs to cross. If the ball splits in half then the umpire must signal a dead ball. If the PM splits in half then the PM is declared DOA at the hospital.

Computer error triggers mass rocket launch

Stephen W Harris

I blame the leap-second...

Amazon cloud knocked out by violent storms in Virginia

Stephen W Harris

I think the storm was an excuse; it was the leap second that did it!

FCC: Let's kill analogue early, fob diehards off with converter boxes

Stephen W Harris

Re: Our cable already did

When Verizon FIOS turned off their analogue channels in my area they offered a free converter box to customers. I took one for my basement TV (my main TV was already using digital via TiVo). This box will remain free as long as I keep FIOS TV service at this location. The result is that I now get all the "basic" FIOS SD channels for free on this second TV!

Brit judge orders Facebook to rip masks from anonymous cowards

Stephen W Harris

Re: Facebook has a real name culture

The Naming of Cats is a difficult matter,

It isn't just one of your holiday games;

You may think at first I'm as mad as a hatter

When I tell you, a cat must have THREE DIFFERENT NAMES.

First of all, there's the name that the family use daily,

Such as Peter, Augustus, Alonzo or James,

Such as Victor or Jonathan, George or Bill Bailey—

All of them sensible everyday names.

There are fancier names if you think they sound sweeter,

Some for the gentlemen, some for the dames:

Such as Plato, Admetus, Electra, Demeter—

But all of them sensible everyday names.

But I tell you, a cat needs a name that's particular,

A name that's peculiar, and more dignified,

Else how can he keep up his tail perpendicular,

Or spread out his whiskers, or cherish his pride?

Of names of this kind, I can give you a quorum,

Such as Munkustrap, Quaxo, or Coricopat,

Such as Bombalurina, or else Jellylorum—

Names that never belong to more than one cat.

But above and beyond there's still one name left over,

And that is the name that you never will guess;

The name that no human research can discover—

But THE CAT HIMSELF KNOWS, and will never confess.

When you notice a cat in profound meditation,

The reason, I tell you, is always the same:

His mind is engaged in a rapt contemplation

Of the thought, of the thought, of the thought of his name:

His ineffable effable

Deep and inscrutable singular Name.

- T.S. Eliot, "The Naming Of Cats"