* Posts by clanger9

144 publicly visible posts • joined 27 Jan 2010


The Palm Palm: The Derringer of smartphones


£350 for a locked phone?

I'm assuming this is locked to Vodafone? In which case, count me out.

Shame - the design looks brilliant.

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage


Re: Offsite scripts GAH!

Have a look at the TSB login page. Offsite resources include:





facebook.net (!)

This is on a bank login page FFS! How many trackers do you need??

At least they've removed the references to internal test servers that were present when they had their big meltdown earlier this year...

Internet overseer ICANN loses a THIRD time in Whois GDPR legal war


Re: Mind you I'm more than a bit uncomfortable

I love the idea of providing a premium rate contact phone number! Why didn't I think of that??

I have had to put up with idiot spam calls for years thanks to ICANN (on the basis that I already pay 'em enough for the domain, I'll be damned if I have to pay extra to have then not publish my phone number...).

Australia wants tech companies to let cops 'n' snoops see messages without backdoors

Black Helicopters

Re: how?

I agree. Some kind of screenshot/keystroke/audio cache on the device that can be queried remotely. Not need to worry about apps or end-to-end encryption. If they can see what's on your screen, they'll be happy...

Apple grounds AirPort once and for all. It has departed. Not gonna fly any more. The baggage is dropped off...


Re: There may be some good out of it

“I thought when a Time Machine partition was created on a Mac, it had to be converted back to HFS+“

Correct. But you can still create new backups to APFS. You just can’t convert an existing HFS+ Time Machine volume to APFS.


Re: There may be some good out of it

Time Machine works perfectly on the new apfs if you know where to look.

On High Sierra, Preferences > Sharing > File Sharing > right click Advance Options, check "Share as a Time Machine backup destination"

That's why they've abandoned the Time Capsule: they'd rather sell you another Mac to do the same job...

Who will fix our Internal Banking Mess? TSB hires IBM amid online banking woes



Indeed. More examples:

- The account list page is titled "holding list" (yep, in lower case).

- The pages are trying (and failing) to load resources from internal test domains.

This is pretty basic stuff that even cursory testing would pick up.

I'm sure there'll be plenty of blame to go around, but it does look like they went live with software that wasn't sufficiently tested. On the up side, the website is more-or-less working again now, so hopefully they're over the worst...

UK 'meltdown' bank TSB's owner: Our IT migration was a 'success'


18:00, day 4, still broke

So much for "we hope to be back up later this afternoon"! It looks like it's getting worse, not better.

While it was (briefly) working yesterday I managed to complete a payment from the app (not the website), but both have been down all day today.

I wonder if there's a point of no return? As more and more backlogged transactions pile up, the more the the pent-up demand is likely to flatten their systems when they are eventually fixed...


Re: Where did it go?

What press release? There never was a press release! Banco Sabadell prides itself on honesty and customer service yadda yadda...

Brit bank TSB TITSUP* after long-planned transfer of customer records from Lloyds


Re: 18:00 on Monday, still not working

Well, I can't log in at all now. It's claiming invalid credentials, even though my credentials are correct.

Ah, there it is: "https://test1.int.uk.tsb/14562512/SbtlTsbr_t.js" - clearly flagged up on the login page console.

I get the impression someone, somewhere is frantically restoring "direct_debits.xls" from last week's backup tape. I had no idea banking IT was so shonky...


Re: 18:00 on Monday, still not working

You're lucky.

My Direct Debit screen says "You don't have any Direct Debits set up for this account". Which is gonna come as one hell of a surprise to my mortgage company...

The web page title for the list of accounts screen is "holding list" - yes, in lower case.

It's a total clusterfsck. This is pretty basic stuff. Did they do ANY testing??


18:00 on Monday, still not working

I managed to log in and can see my account (woohoo!), but trying to do something radical like set up a "payment" seems to be too much for it to cope with and it throws an error.


Apple's magical quality engineering strikes again: You may want to hold off that macOS High Sierra update...


There is an issue with obsolete, unsigned .kexts

It can manifest itself in crashing, inability to complete install, inability to reboot etc.

High Sierra is supposed to mark existing .kexts as "safe" on install as part of the new-fangled (and annoying) SKEL system. Unfortunately, that process seems to crap out on some machines, leaving them unbootable (other than via System Recovery).

Try system_profiler SPExtensionsDataType > ~/Desktop/kextList.txt

If that process crashes & dies, you definitely have a duff .kext

Look in the output from that command to find any unsigned .kexts

They live in /Library/Extensions - remove anything old/suspicious here and try the upgrade again.

At last, someone's taking Apple to task for, uh, not turning on iPhone FM radio chips


Re: How does an FM radio "save lives"?

I get all that. Before the storm hits, mass SMS messages may be more effective (as is done for tsunami warnings). After the storm hits (when comms are down), how does an FM radio help?


How does an FM radio "save lives"?

This is a genuine question.

I'm struggling to imagine a scenario where having access to a working FM radio could make a difference between life & death. Could someone enlighten me?

Apple exits music player biz by killing iPod Nano, iPod Shuffle


Shame, really

I've had several iPods and I love my 16GB gen 6 (the little 1" square one with a touch screen). It's even survived being put through the washing machine. Hopefully it'll last a while longer, as it's tiny size means it's much more convenient than a phone for music for music listening.

Back to the future: Honda's new electric car can go an incredible 80 miles!


Re: 80mile range?

@Commswonk good question, because it's not obvious from the manufacturer literature how they solve the "heating problem".

I have a PHEV and it appears to have both a ~2kW heat pump and ~5kW resistive heating. The heat pump doubles up for air-conditioning duty in summer. Add in headlights, rear demist and heated seats and it can be pulling 8kW before it turns a wheel. That sounds like a lot, but it's still pretty small compared to the power needed to drive it along (max power on mine is 108kW, average is more like 20-30kW at speed).

The heating system makes for a nice, toasty warm cabin in winter (you can even pre-heat the cabin before you set off if it's really cold), but it does reduce battery range. My car manages 40+ miles in the summer on battery power, but this will fall to 25 miles or so in the winter (on a 10.5kWh charge). All because of the heating system. Granted, I can put the system into "eco" mode to save energy, but hey life's too short...

Different manufacturers seem to have different ways to solve the heating problem. I believe early Nissan Leafs only had resistive heaters, which aren't as efficient as a heat pump. I don't know how Tesla do it - they've got 85kWh+ to play with, so maybe heating efficiency is less of a concern...

'Mafia' of ageing scientists, academics and politicos suck at picking tech 'winners'


I'm all for policy-bashing

...but the article seems a it light on the usual level of El Reg insight.

What about the other (potentially promising) areas of the policy doc around energy systems and battery tech? We've got some good, successful companies in this space, may of whom are located in the North-West. Are you saying these sectors NOT worthy of support? Less worthy than "innovative pallets"?

Also, there's a bit of a weird Mersey fetish going on here. You Mancs and Scousers seem to be perpetually at each other's throats. This is a UK strategy, so how about dropping the regional rivalries for a bit.

New state of matter discovered by superconductivity gurus


Re: using liquid helium or liquid nitrogen, which is expensive.

It's not the the cost of the liquid nitrogen. It's the cost of keeping it liquid!

The energy (currently) needed to keep even a high-temperature superconductor cool is more than the energy that is lost by a normal conductor. Add in the extra cost of the superconductor itself and that's why we seldom use superconductors to transport electricity.

End all the 'up to' broadband speed bull. Release proper data – LGA


Still not enough to filter out incompetent ISPs...

Switching to SSE fibre (they're a reseller of Daisy) has been a disaster for me.

Sure, I get the advertised ~38Mbps EARLY IN THE MORNING.

Evenings? Forget it, Daisy's backhaul is so hopelessly saturated I'm lucky if I get 2Mbps.

Complete waste of time - and it seems there's nothing SSE can do about it.

My own fault, I should have realised the deal was too cheap, but even if there had been postcode-level mapping available, I would still have been suckered. I'm currently arguing with them to escape from my 18-month contract, on the basis that what they're providing isn't worthy of the term "broadband" :-P

WhatsApp is to hand your phone number to Facebook


Yes, you're right (and I already grok all of that).

However, the article seems to imply that they will add your WhatsApp mobile number to your Facebook account profile - something FB has nagged for for years and I've always resisted. No means no, right?

I realise/accept/hate the fact that *they* are able to identify "me", but I will also be very pissed off if they add my mobile number to my FB account without asking.


Assuming you have both, how can they link your WhatsApp profile (that has a phone number) which your Facebook account (which doesn't)?

Are they linking using the email address or what? I have a different one for both. I've never associated my mobile number with my Facebook account and have no intention of doing so...

Lester Haines: RIP


Thanks for all the laughs

Sad, sad news. Taken way too early.

7,000+ stories is a good ol' legacy! You made us smile & laugh, that's what counts...

TeamViewer denies hack after PCs hijacked, PayPal accounts drained


Re: Possible attack vector?

I has a quick check with a clean install of the TeamViewer client. There is no need to set up a TeamViewer account. First of all, it asks if you want to set an "unattended access" password. Hmm: I wonder if some people set this on first install with a memorable (possibly re-used) password and then forgot about it? This is clearly a different password to the TeamViewer account password (which is what you use to log in to the service if you set an account. It has 2FA etc).

Next screen implies remote control is now possible with a 9-digit ID (presumably set by the TeamViewer servers) and a 4-digit PIN (presumably randomly set by the client). A quick look with Wireshark shows it opens an SSL connection to integratedchat.teamviewer.com every 5 minutes - presumably to announce its presence to the TeamViewer servers. It defaults to allowing "Full Access".

Nothing looks obviously insecure, but that "set unattended access password on install" combined with "default allow full access with 4 digit PIN" suggests that there are a couple of ways a default installation might be compromised.

I agree with psychonaut that you seem to need the 9-digit ID to connect (rather than just an IP address as I said earlier). Perhaps someone found a way to get that ID from the TeamViewer servers? Or maybe you can just try random IDs with a brute-force on the PIN until you get lucky?


Possible attack vector?

Just joining together a few threads:

- Apparently you can connect to TeamViewer clients by IP address. It's not restricted to the registered account (by default)

- Apparently TeamViewer sets a less-than-random 4-digit one-time use password for remote access (by default)

I did not know either of these things. It seems you have to go into the settings to remove the OTUP if you don't want it and enable whitelisting to prevent connections by IP address.

So, if you can somehow get a list of IPs using TeamViewer (using a DNS DDOS, perchance?) and you've semi-cracked the "random" OTUP generator, then you're in.

Does this sound feasible? I'm unconvinced that this is a simple password re-use problem, despite what TeamViewer are claiming.


Re: Nope, Teamviewer is the tool, not the source

"a Windows Trojan disguised as an Adobe Flash update that's doing the rounds using TeamViewer to backdoor machines."

Hmm, you got any evidence for that? While you can never be 100% sure when people claim not to have installed a rogue Flash update, the fact that one of the first actions for some of the TV attacks is to dump the Chrome password list suggests (to me) that they don't already have the user's passwords.

Why would they dump the password list via TeamViewer (not the most subtle approach) if the machine is already compromised by a Flash trojan?


Re: I could be wrong but

Probably naive.

I understand TeamViewer has the ability to start (privileged?) executables remotely. A number of the posts on Reddit report the upload and running of "webbrowserpassview.exe" (for example) that dumps saved passwords from Chrome.

You can still do harm with TeamViewer without gaining control of the desktop...


Re: It's not the accounts that got hacked, it's the client

Maybe, maybe not. My guess is that it's not unrelated to recent attacks on their DNS. Something possibly involving hijacking responses/chatter between the client and the TeamViewer account servers.

Without knowing how TeamViewer authentication works, it's hard to be sure...


It's not the accounts that got hacked, it's the client

The TeamViewer service accounts seem to be OK: 2FA, no evidence of a hack anywhere.

What seems to be happening is that miscreants have found a way to connect to TeamViewer clients, somehow bypassing the authentication. This has happened to a guy at work last week: TeamViewer account fully secure, unique password, 2FA, etc. While using his laptop, someone connected via TeamViewer and started clicking around. Fortunately, it wasn't a serious hack attempt, seemed more like a skiddie.

TeamViewer now uninstalled everywhere here until we find out more. The software client is broken somehow.

Pure speculation on my part, but that's my take on it.

Air-gapping SCADA systems won't help you, says man who knows


Re: Excellent

Sure, you can try to air-gap. Enforce it all you like.

But you can't stop there, you have to assume it'll be breached and watch for the breaches.

I've lost count of the number of times I've heard "it's secure, we have an air-gap". Yeah, right.



The myth of air-gapped SCADA needs to die once and for all.

On a closed secure site: fine, give it a go. If you can manage to operate efficiently without any link to the outside world then I'm happy for you. Most business don't work that way.

For anything remotely distributed (i.e. most utilities) the air gap WILL be breached somewhere and no, you won't know about it - until it's too late...

Mitsubishi 'fesses up: We lied in fuel tests to make our cars look great


Re: Energy in = energy out

Max efficiency of an i/c engine is only around the 30% mark. Efficiency of a typical i/c car (from fuel to forward motion) is ~15% (when I last checked - maybe a bit better these days). There's still plenty of scope for improvement...


Re: Only 10%?

"measure a vehicle's emissions whilst it achieves its stated 0-62 time for example"

Now there's an idea to put the fear of God into the motor manufacturers. Have you ever been behind a modern performance car while it accelerates on full throttle? *cough* *splutter*. The muck that comes out of the back of these things on full tilt is amazing.

You get the impression that the pollution control gear is there solely for the purpose of getting through the tests and does pretty much f-a the rest of the time...

BT dismisses MPs' calls to snap off Openreach as 'wrong-headed'


Re: Publicly owned business

This is the nature of nationalised public services. They are uniformly awful. The socialist ideal is fine but when it hits the buffers of reality it all falls apart. Like every socialist ideal.

Counter-example: Vienna's public transport system. Fully integrated tram/bus/rail. Cheap. Everything runs on time, regardless of the weather. The tube runs all night and there's a fill-in night bus service that can get you to more or less anywhere on the network at 4am if you don't mind waiting around. They regularly extend the network with major construction projects through densely populated areas and these projects seem to mostly run to time and budget. And it's state owned, using the 'silent owner' approach described above. Like in London, public transport is seen as a strategic asset for economic wellbeing of the city, not something to make a quick buck from.


I don't know how or why it works, but it does. Heck, it's not even inefficient: 900 million passenger journeys and 8,000 staff compares favourably with TFL's 2.4bn journeys with 28,000 staff!

Bone-dry British tech SMBs miss out on UK.gov cash shower

Thumb Up

Good to see this on El reg

Terrible proofreading aside, it's good to see this kind of thing getting some media coverage.

In fairness to Innovate UK, if you are lucky enough to get an award from them, they are pretty supportive and easy to deal with - a far cry from the bureaucratic nightmare that was the Technology Strategy Board (TSB).

The funding criteria and awards process are truly bizarre, though. They have funded all sorts of ¡Bong! 'digital' nonsense, but seem really wary of anything vaguely industrial. The placing of the Energy Systems Catapult in the Midlands was another huge missed opportunity, especially when most of the industry and backers for it are located in the North West.

Definitely lots to complain about, but also a potential force for good. We all need to keep the pressure on...

LastPass in 2FA lock down after 'fessing up to phishing attack


Re: KeePass Cross Platform Synching

Yes: 1Password does subscription-free cross-platform self-sync, with the password vault stored in a place of your choosing.

No vested interest (other than being a happy customer). Sure to be other options out there.

UK's super-cyber-snoop shopping list: Internet data, bulk spying, covert equipment tapping


Re: Please explain this.

I think it's trying to say:

"We will keep a history of all connections by default. We will trawl this history whenever we feel like without a warrant and if we find anything interesting, we'll get a warrant to look at any new content"

So, it's storage of connection records and access (on demand) to new content. Historic content is not stored by default, but you can put a warrant in place and then just hit "Save".

As someone said above, goodbye end-to-end encryption...


Re: The devil is in the detail ...

...aaaand there you have it:

"...a record of the communications service that a person has used"

"a record" - could contain anything, as a minimum likely to be who it's from, who it's to, a timestamp and probably a geographic location. "See, it's just metadata. No content data at all, m'lud!"

"the communications service" - Email, Whatsapp, Skype, Facebook, Instagram, Snapchat, dating sites, your online banking service, the works basically.

"a person" - no fuzzy IP addresses here, mate, none of that rubbish. We're talking RealID (TM), backed up by biometrics and the FORCE OF LAW. Ha ha!!

Sheesh. It would be helpful if someone (anyone?) in the mainstream media could get out there and explain this stuff properly.


Re: I haven't heared so much bull$h1t since the last time she stood up...

Worse than that, I don't see how this "itemised phone bill" could possibly be used to work out who is talking to whom (if it's just a "list of websites"). Who the hell communicates via a "website"??

If they really want to know who is talking to whom, they are going to need to go MUCH deeper. This really suggests logging at the service/protocol level.

It'd be helpful if someone could explain what the Bill actually says as it appears to be in foreign. If it requires communication providers to provide such a log, then it would effectively outlaw any end-to-end encrypted service (as well as P2P).

I suspect this is not the "watered down" Bill you are looking for...

Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands


Re: DNS and SSL - flawed proposal?

Yes, but they also keep saying that the purpose of this legislation is to enable them to establish who is talking to whom. If that is indeed true, I don't see how a FQDN gives you that.

There must be something else being legislated here.


Websites != "communication"

Does anyone understand what is being proposed here?

On Radio 4 they were saying that they need to know which "websites" people visit. In the next breath, they're saying that this is so they can find out "who is communicating with who, like we used to be able to do with telephone records".

How the hell is a list of FQDNs going to tell them that? Who communicates via a "website" anyway (apart from grandparents on Facebook, I mean)?.

If they want to know who is talking to whom, they're going to need to compromise every comms platform out there and/or mandate some sort of server-side comms logging. Heck knows how they'll deal with P2P comms. Will P2P just be made illegal? Yeah, that'd "solve" a few other problems along the way, wouldn't it? Hmm.

There must me more to this legislation than the party line of "It's just a list of websites blah blah blah". Can anybody fine the /really/ relevant clauses?

Jeremy Corbyn: My part in his glorious socialist triumph


Full of win

Pam Ayres in a burqa

"enormous desire to spend other people’s money"


- genius! :-)

Hyundai ix35 Fuel Cell: El Reg on the hydrogen highway


Re: Fuel tank rated to 10,000psi

"whereas a fuel cell can offer over 90%... "

Hate to break it to you, but fuel cell conversion efficiency is actually much, much less than that: about 30%, not 90%.

The 90% figure you're quoting includes the waste heat (for CHP schemes and the like). Yes, fuel cells are usefully better than an internal combustion engine, but not by much.

Sadly, end-to-end process efficiency for H2-powered vehicles is "a bit pants".

Just look at all the cooling ducts on the BMW's i8 fuel-cell prototype. That tells you everything you need to know...

Watch out Sonos! Here's the second coming of Yamaha MusicCast


Looks nice, couple of questions...

These multi-home streamers tend to have a few underlying niggles which they may have kept quiet about the the demo.

1. Will it handle gapless playback? This is just about possible with uPnP (but not always). Linn added some (proprietary but open) extentions to produce OpenHome (http://www.openhome.org/wiki/Oh:Overview), but only Linn seem to use it.

2. I presume it does multi-room synchronous playback? This is hard to do reliably over wireless, especially if you also deal with issue #3. Sinos has this pretty well covered.

3. What is the buffering delay/lag like? AirPlay has huge delay, which means it's not much use for directly connected video. Linn get around this issue by reducing the delay (at the expense of reliability) for video sources.

Anti-privacy unkillable super-cookies spreading around the world – study


They put the phone number in the header??

Good God, that's a spectacularly clueless idea. I'd like to know which mobile providers actually do that. Anyone able to name names?

Global spy system ECHELON confirmed at last – by leaked Snowden files


Re: Wrong targets

> So, why are we told that it's ok to bring in mass surveilance for one problem, but not for more serious ones?

Simple. Terrorism threatens politicians' well-being. Car accidents threaten yours.

W3C's failed Do Not Track crusade tumbles to ad-blockers' Vietnam


Re: Google Scripts

Try Ghostery. It seems to block the Google tracker without breaking the site (mostly).

Amazon cloud threatens to SMASH the fundamental laws of PHYSICS


Re: Note the free 5GB service has now gone

Update: Amazon seem to have reinstated Personal Docs - I haven't signed up to the free trial, but it's working again.

Cock-up rather than conspiracy I guess. Yay for customer service, at least they fixed it within a day.


Re: 30 Days to back out - there's your limit

I think there's a local sync app (a la Dropbox). So you can maintain the mirrored files locally and the sync app should diff the changes to the cloud.

That also helps get around the problem of getting your data back if you cancel the service: maintain a local mirror. The storage limit is then the size of local storage array.


Note the free 5GB service has now gone

OK, no sympathy for freetards etc, but my Kindle 3G now won't accept any new personal documents because my (previously free) Amazon Cloud account is now deemed "over quota".

Among all the hoopla about the new unlimited storage, most news outlets have forgotten to mention that the old "5GB for free" service has been removed.

Unfortunately, the only way for me to access my account to bring it under quota is by signing up to the trial. Something I don't particularly want to do (having been nearly burned by an accidental "free" Amazon Prime trial in the past...).

Note to self: never *EVER* buy hardware that is tied to cloud specific services. Especially free ones...