Posts by Paul Frankheimer

18 publicly visible posts • joined 26 Feb 2010

Medical data, staff creds exposed as scores of apps bork the backend

Paul Frankheimer

Re: Misleading article

At no point in these flawed apps would I expect the people using the apps to have an opportunity to set up their own keys.

Of course that should not be something that a user has to do himself, it should be done by the app on the *user's phone*. However it should be a key unique to that user's phone (or maybe account) which is generated when the user installs the app and signs up for the service or links the app to the service.

You're quoting the right paragraph. However the conclusion is not entirely correct. Basically the BaaS services are providing a service to the app developer. The app developer has an ID and a key which he can use to access his service on the BaaS. The app developer is then responsible for developing an app which doesn't allow app user A to access app user B's account and data. The BaaS provider (e.g. Amazon AWS) doesn't give the app developer a user management solution. If they did and that was broken, the problem would be much bigger than the quoted 0,5% of apps.

Paul Frankheimer

Misleading article

After reading the Register article and the researcher's PDF, I have to say that the article here doesn't really explain the problem correctly.

The actual problem is that the apps don't use any keys apart from the keys needed to authenticate the app developer to the Backend platform. This key has to be saved somewhere in the application and that's OK. The individual *users* should however also have a specific key so that they are also authenticated with respect to the backend. And for the sample shown, there was no security at all at that level.

This open-source personal crypto-key vault wants two things: To make the web safer ... and your donations

Paul Frankheimer

Certificate expired

So the fact that http://cryptech.is/ is using a certificate that just expired today is just so that the readers' urge to give a donation is made clearer. Please give us money, we need to renew our certificate!

Radio 4 and Dr K on programming languages: Full of Java Kool-Aid

Paul Frankheimer
Thumb Up

xkcd disses Haskell - jokingly

But they actually used it to power their April Fools' comic in 2012. The code for the Haskell-based webserver is available at github:


Microsoft leads charge against Google's Android in EU antitrust complaint

Paul Frankheimer


If MS would release a non-crap App for Hotmail on Android, it would certainly show their willingness to compete.

British Library hands 200 years of history to Google

Paul Frankheimer


This is good news. Especially the fact that it can be republished also on a non-Google, non-BL platform like Europeana. Google seems to get more permissive with the license arrangements it offers to libraries and this is a good thing.

Aussie TV production house takes on Apple

Paul Frankheimer

the 30% cut makes a difference

Apple is not an innocent bystander in this case, since it reviews the apps and then takes 30% of the money. The way this could play out is that Jigsaw gets money from Apple and then Apple has to go after the kid to get the money back, since the developer probably also breached the contract he established with Apple (T&Cs).

Data-mining technique outs authors of anonymous email

Paul Frankheimer
Thumb Down

Finely tuned gives 80%

So this is not the standard of proof needed for a court of law. Especially when your set of potential senders is not nice and small and you don't have thousands of messages per sender. Why are they overselling this so much?

Are SPEC file benchmarks broken?

Paul Frankheimer
Thumb Down

Flash or drives, it's non-volatile fast storage

The major point is that it's non-volatile storage, not how exactly this is achieved. This is what makes it different from a huge memory pool, say. Of course there should be a price element, as well as an operational element (electricity used, cooling, wear and tear etc.) in order to make a buying decision, but running the benchmark in itself is clearly fair. It's as if the people selling punch cards said that disk drives shouldn't be allowed to compete against them because they're more expensive (although they're faster).

Mac market share slips worldwide

Paul Frankheimer

Dithering in graphs

Is NetMarketShare using Windows 3.1 to make their graphs? Or does it think that, while Android usage is up, most people have at most a 16-colour display?

Keep your PC clean - or we'll shut you down

Paul Frankheimer

How do you tell?

If there are simple, transparent rules on what constitutes infection, I'm all for it. However I fear that this is not simple. From the ISP's point of view, it can be difficult to detect whether traffic is sent by a malicious program or by something completely normal. Since DDoS tools nowadays communicate via encrypted peer-to-peer protocols, the only workable approach by the ISP would be to block peer-to-peer traffic. This is not what we want. Phishing software (keyloggers etc.) works through P2P, IRC or uploads things to a webhost. Only the webhost is easy to take down, and if it becomes standard practice, then phishers won't use that method anymore.

I fail to see how this could work in practice. It may work for some of the problems we have *now*, but if the malicious coders simply adapt to using more seemingly normal channels, ISPs don't have the means to provide a technical solution. And then, when there is no clear-cut case anymore, the cut-off becomes arbitrary and cue the lawyers.

Microsoft confirms code-execution bug in Windows apps

Paul Frankheimer

Yes, it's mitigated by the fact that on Solaris it's not possible to run anything with elevated privileges, but the potential to run something which you didn't want is still there. But in any case, you will not want to change LD_LIBRARY_PATH to include the current directory. You could wreak havoc by replacing e.g. libcmdutils.so with something nasty. And since we're talking about viruses/trojans, as soon as you execute for one user you can assume there is an exploit which allows privilege escalation.

However, the case is moot since you would never change LD_LIBRARY_PATH to include an untrusted directory or the current directory, just like the current directory is not in the PATH.

Paul Frankheimer

Problem affects probably 90% of applications

> The attack works because many applications ignore best security practices and search for the library based only on the file name, rather than the full directory path, the advisory said. When the current working directory is set to one controlled by the attacker, it's possible to cause load a malicious file.

This is a bit disingenuous. This is the way Windows loads DLLs for you. So the chances that *any* program which:

a) has DLLs

b) has an associated file type

is vulnerable to this are very high. Since it's the way Windows works and has worked for years, I can see why people didn't change it. I would put the blame on MS, although they can do nothing to fix it now, unless they want to break a lot of applications.

Technically, Unix is also vulnerable if you have set up your LD_LIBRARY_PATH to include the current directory before the /var/lib paths; however, here you can customize it and no sane person would do this. Maybe MS could give out a patch that lets you turn off this behaviour as an option, so that people can test whether their applications still work after applying it.

As far as I can imagine scenarios, I cannot see one where an application would prefer to use a DLL in the current working directory over a DLL in the directory where its own EXE is. However programmers are inherently devious, so there will probably be lots of programs doing it anyway.
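A defensive check for the point made in the two comments above (the current directory, or any directory others can write to, must never appear in LD_LIBRARY_PATH or PATH), added here as an example and not part of the original thread: a POSIX shell function that audits a search-path variable entry by entry. The function names are assumptions; the loader semantics it relies on (an empty field means the current directory) are standard for both PATH and the dynamic linker.

```shell
#!/bin/sh
# Audit a colon-separated search path (PATH or LD_LIBRARY_PATH) for entries
# that let an untrusted directory win the lookup: ".", an empty field (which
# the shell and the dynamic linker both treat as the current directory),
# other relative paths, and world-writable directories.
# Usage: audit_search_path NAME VALUE
# Prints one line per finding; returns 1 if anything was flagged, else 0.
audit_search_path() {
    name=$1
    value=$2
    rc=0
    [ -z "$value" ] && return 0
    # Append a colon so that every entry, including a trailing empty one
    # ("/usr/bin:"), is terminated and parsed the same way.
    rest="$value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "")
                echo "$name: empty entry (means current directory)"; rc=1 ;;
            .|./*|..|../*)
                echo "$name: current-directory entry '$entry'"; rc=1 ;;
            /*)
                # Absolute path: only a problem if anyone can drop files there.
                if [ -d "$entry" ] && \
                   [ -n "$(find "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    echo "$name: world-writable directory '$entry'"; rc=1
                fi ;;
            *)
                echo "$name: relative entry '$entry'"; rc=1 ;;
        esac
    done
    return $rc
}

# Check the calling shell's own environment (hypothetical helper name).
audit_environment() {
    env_rc=0
    audit_search_path PATH "$PATH" || env_rc=1
    audit_search_path LD_LIBRARY_PATH "${LD_LIBRARY_PATH:-}" || env_rc=1
    return $env_rc
}
```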

3D films fall flat

Paul Frankheimer


US film critic Roger Ebert is having none of it. He said: "Technicolor is a waste of money and Hollywood's current crazy stampede toward it is suicidal. It adds nothing essential to the movie-going experience. For some, it is an annoying distraction. For others, it creates nausea and headaches."

RAC prof: Road charges can end the ripoff of motorists

Paul Frankheimer

Using bad stats is always nice...


This has led to a serious lack of capacity. Of the top 27 countries considered by the World Economic Forum, the UK ranks 24th for its roads (20th for rail). Considered against an average of the top 5 EU nations plus the USA, Canada and Japan, UK roads carry two and a half times as many people and twice as much freight.

OK, compare like with like. England has a population density of 1000 people per square mile. Naturally roads will be more congested when they are linking bigger populations and you don't have lots of country roads that aren't used as much. A valid comparison would be the Netherlands, which has roughly the same population density. And then, the usage figures are suddenly different.

Photographers slam British Library's mission creep

Paul Frankheimer

So many misleading statements

- "The project certainly isn't Freetard friendly. In fact, it demands money for access to material that's free to view today in Colindale"

It will still remain free to view in Colindale. It's an added access, not replacing the old one. It seems like you prefer to wade through microfilm rather than use full text search and instant access to issues by date.

- "It's questionable whether the Library has the rights to the stuff it is digitizing"

The Library doesn't say it has all the rights to all the stuff. Hence the periods that are potentially in copyright are handled by them through negotiations with the publishers.

- "While it has a historical exclusive license, this doesn't cover online rights"

It certainly has no "historical exclusive license". That term doesn't even make sense. It holds paper and microfilm copies of historical newspapers that probably few other places in the world have. The content before 1860 is almost certainly in the public domain (written at 20 years old, author died at 100, copyright elapses this year). Anyone who has the paper copy can scan it, republish it, etc.

- "This is not simply being done for posterity, nor to make free access for library users easier, but also for commercial gain via a paid‐for website."

Free for library users directly (provided they go to the BL reading rooms), free after 10 years for everyone. This sentence is just wrong.

- "The move is strongly opposed by major publishers"

The major publishers are the only ones who could potentially lose out. The small publishers (not to mention that a great majority of pre-1900 publishers don't exist anymore) are too small to do digitization and selling the back-catalog themselves. If the big publishers are opposed, then the BL will not digitize their in-copyright periods. However I even doubt that they are opposed. This guy makes so many false statements that I really doubt he actually spoke to the big publishers and got their answer as opposed to talking out of his behind.

- "Earlier this year the Library vowed to archive the UK web - again, a load of other people's stuff"

Apparently this guy doesn't like history or checking sources. Since there is constantly stuff disappearing from the web and since the web has de facto become an important medium in the life of people, the country and democracy, it's quite important that in 100 years' time researchers will still be able to retrace what happened in the world after 2000. Archiving doesn't mean it's made available to the internet 5 minutes later with a BL logo. It means saving the stuff so that it's still around when the original websites are not around anymore.

If the Library doesn't archive the web and keep it, it will disappear. Archive.org is an alternative, but too sparse in many instances. In any case, this guy is probably dead against archive.org as well.

- "There are many other alternative approaches that can benefit us punters as well as the creators, without creating permanent jobs for the bureaucrats. We'll explore some of these next week".

Oh. I'm certainly interested in how you want to save 19th century newspapers from falling to dust and make them more accessible to the public. If it's about yesterday's newspaper, I don't care.

Irish civil rights group takes aim at iPad launch

Paul Frankheimer

So what does iPad mean in Gaelic?

The non-Gaelic, non-educated masses demand an answer.

British Library wants taxpayer to gobble the web

Paul Frankheimer

Probably not

Well, probably not. If the legal deposit law gets changed as has happened in other countries, you will have to consent to being harvested.