Posts by Colin McKinnon

Is it just me?

....Millenium Edition,

Myalgic Encephalomyelitis,

Management Engine

and now Malware Engine

HP/PC World are worse

At least Apple are selling some electronics wizardry for the price. PC World want to charge me £70 for a failed retainer clip (little piece of plastic costing pennies) when it failed after 30 hours of use and "not covered by manufacturer's warranty".

(and PC World managed to "lose" the broken part as well, so I can't claim under the Consumer Acts right)

"“lack of native file-based encryption unfortunately makes it a nonstarter"

Yeah - because we really want embed (lots of incompatible, independently developed implementations of) encryption within the filesystem rather than using well managed code sitting on top or beneath the it.

If only....

"Insist on proper EPUB files. You will thank me for this"

....once you've found an e-book reader that works properly. Unfortunately there are a lot of bad ones out there.

Even just differentiating code from narrative by styling becomes a major logistical exercise - nevermind attempting some of the more complex typographical feats of daring-do which are run of the mill in technical books such as footnotes, callouts etc.

http://lampe2e.blogspot.co.uk/2015/01/file-formats-in-wild-wild-west-review.html

Fool rule fuels fullz

(sorry, just had to get that one out of my system)

Sympathy for the devil

When I first published "LAMP Performance end-to-end" the top hits for searches in Google (ranked above Amazon, Google play, Smashwords and other places where this is legitimately for sale) were for book club scams offering "free access" - the sites pop up like wack-a-moles.

(From what I've been able to determine there are 2 entities which are behind the majority of these, but setting up a website anonymously and artificially boosting the search rankings is very easy)

In recent months such have declined in the rankings - probably as a result of these bulk takedown notices. It might be a blunt instrument but as a result, content owners benefit and so do consumers. The only people being inconvenienced here are Google and the scammers.

Not enough people studying for A-levels

"But the subject remains a minnow compared with..."

It seems to be attracting a lot more candidates than A-Level Surgery and A-Level Airline Piloting.

Must try harder

"you need to hack the coffee shop's router" - no you don't. You even explained why this not necessary in the preceding paragraph.

"Certificate pinning, though, is limited to Google sites at present" - no it's not

"Some browsers such as Chrome use a new technique called certificate pinning" - That would be Chrome, Midori, Firefox, Opera, but not MSIE/Edge currently (not aware of status of Safari).

Naked photos of insurance marketing exec linked to Ashley Madison incident

Not SMTPauth - HTTP SSLStripping

The linked post seems to be of the opinion that the cause of the problem was a bogus web login page (or, SSLstripping+sniffing).

If SMTP (and POP and IMAP and active sync) were hard configured to use SSL, then no details would have been revealed - the client would not fall back to a non-encrypted connection.

It begs the question of how the attacker was able to redirect a browser to the non-SSL login page - at a guess the login page must be the gateway to a captive portal.

"wasn't encrypted [...] So a MiM attack is pretty straight-forward" - disagree - the layer at which you implement encryption is not nearly as important as how you implement the encryption.

OMG.....NO!

While I have been extremely frustrated by support services (regardless if I'm paying for them or not) it costs money to develop, man and maintain these. Recovering some of the costs from a revenue share means that the costs are not being passed on to the customer via another route.

Removing charges from support services means anyone who

- takes time to RTFM

- bothers to think about their problem

....will be subsidizing the stupid and the lazy.

But worse - it actually ecourages people to be stupid and lazy.

At least with a charged model you have the opportunity to recover at least some of the costs - when it's 'free' you'll never get your money back when it's the service provider's fault.

hmm, 500Mb at 20Mb/second

Even assuming that's MegaBYTES of data and megaBITs of bandwidth, that's 200 seconds to use up your quota (if we conveniently ignore congestion avoidance).

Wow - amazing software!

How did it know they were Sun readers?

(thought|pre)crime?

I'd like to believe that Mr Sutherland bases his opinions on a rather idealised view of civil liberties.

Under his proposals, I would be a terrorist suspect if I am seen to behave like a terrorist (by which I mean shopping in the same places, accessing the same websites - rather than more blatant terrorist behaviour like blowing things up).

I shouldn't be too bothered about being a terrorist suspect since surely our criminal investigation bodies would never tamper with evidence, the courts would never convict someone wrongly, and I wouldn't be disadvantaged indirectly by, say getting the sack from my place of work due to investigation as a terrorist suspect?

Except there are lots of documented cases where exactly that has happened.

At least I am innocent until proven guilty, and can't be jailed without a public trial? Wait a minute....no, that's not the case any more.

While we do have to put up with people pimping there warez regardless of their effectiveness, I think its sad and pathetic that in the past 15 years we have replaced a legal enforcement structure deigned to protect the innocent with one designed for punishing the guilty (with little regard to the collateral impact on the innocent).

Civil liberties have intrinsic value for protecting the innocent.

C.

Follow the money.

+ instead of either acting itself or providing incentives for the private sector

+ the government insists that users are ultimately responsible for their own security

...but apparrently not *liable* for their failures. If someone runs an open SMTP relay, or fails to install patches or does not have an adequate firewall they will become the unwitting accomplices of the black-hats. While establishing a basic standard of culpability is nearly impossible (although IIRC the London Stock Exchange require listed companies to demonstrate compliance with at least part of BS7799) without accountability in such cases there is little hope of decreasing the amount of abuse and the authorities have little opportunity to track back to the origin of the problem.

It is not simply a problem of jurisdiction which prevents states from implementing effective controls - the biggest barrier is that the problem has already got totally out of control.

I'd like to believe that the newer generation will pressure service providers to provide good and effective security which works both ways (other than its SSL certificate - how does your bank/betting site/ISP... demonstrate that it truly is the organisation you have chosen to place your trust in?) but am far from impressed by the quality nor the independence of IT education in schools.

+ In the case of phishing sites, surely the first defence should be that the ISP

+ running the phishing site has an 24 hours per day instant take-down

+ obligation

Please! This would open the flood gates to a whole new denial of service vector - one which is already being exploited, but fortunately only in a few cases. I can see this would be attractive to the state because it moves the problem out of their domain into that of private litigation. This would automatically favour those who would abuse the system and disadvantages the ISP, the site owner and the end user.

I don't have the answer to these problems (unless its to install Linux!). Certainly as far as the vendor is concerned it seems to demonstrate how a market for lemons evolves and the problems inherent in monopolies.

C.

yes, the money - but whose opinion is this?

"Chaired by Microsoft with the DTI and several key industry representatives..."

Forget the long spoons - looks who's hosting the party.

While I couldn't agree more with the sentiments expressed in "I've said it before and I'll say it again" I worry that there are other agendas at work here. Should we allow corporate bodies (particulary foreign and multi-nationals) to have a controlling hand in steering education policy?

I'm sure every experienced IT professional has at least one story about the industry certified programmer/operator/administrator who demonstrating a complete lack of knowledge outside the approved curriculum. But at the moment, the primary and secondary education systems only seem able to provide ICT facilities by jumping in to bed with a single vendor.

Education, at least within schools, should equip our children with lifetime skills and a basis for making value judgements. I would rather my children were denied access to ICT than exposed to a corporate driven regime.