* Posts by petef

136 posts • joined 13 Sep 2010


GitLab scans its customers' source code, finds it's as fragile as you'd expect



I do hope that they were only scanning public repos and not private.

What a Hancock-up: Excel spreadsheet blunder blamed after England under-reports 16,000 COVID-19 cases


But they would use a spreadsheet to do that task.

It's Google's hardware launch day, and what do we get? A few Pixel phones, Nest kit, and another Chromecast


Hold For Me?

I wonder how well Hold For Me performs. I have had too much experience recently of contacting utilities, etc. on behalf of an elderly relative. The general pattern is to play muzak for a bit and then tell you how important your call is to them. I had my hopes raised the first few times; I don't think a bot would fare much better. The worst was AA insurance, who I gave up on after 45 minutes on hold. Their repeated message was "we are here for you 24/7", patently not. They eventually responded to my earlier email after two days. I say the worst, but I am into my third month of waiting for BT to switch to the Basic account we are entitled to.

UK mobile network EE plumps for Nokia to provide that all-important 5G RAN equipment


Made in ...

So is Nokia gear all manufactured in Finland? Just asking.

NHS COVID-19 launch: Risk-scoring algorithm criticised, the downloads, plus public told to 'upgrade their phones'



Leaving aside support for Android 5 and earlier, Android 6 to 9 are vulnerable to click-free exploitation by BlueFrag if you turn on Bluetooth, as required by the app. Android 10 can only be DoSed.

Security patches may be available; a security update of March 2020 addresses the issue. Unfortunately my Moto G5S is two years old and security updates stopped at August 2019. Customer support told me that no more security updates will be released. YMMV.

I have no other need to enable Bluetooth so I am left with a dilemma. Risk infection of my phone or myself and others. Proof of concept code for BlueFrag is publicly available so even skiddies can write exploits.

The app will not allow me to scan a QR code if Bluetooth is disabled, dumb logic.

Second lockdown? Perfect time to unveil Teams Breakout rooms and another ginormitor – the 85-inch Surface Hub 2S


Clippy 2.0

"hopefully not obscuring that critical bit of information with a giant head"

Now here is an original idea. The presenter could be represented by an avatar that hides little. How about a talking paperclip?

Funny, that: Handy script for wiping directories is capable of wreaking havoc beyond a miscreant's wildest dreams


Unix too

In the early days of Unix on PCs (Interactive Unix, pre-Linux) my team had 386 workstations. My colleague asked me to remove my user account from their machine to free up space. I did that but left just a login with a home directory of root. That should have been that, but the owner then decided to completely remove my account, blithely answering yes to questions such as "remove home directory?". The re-install involved a box of floppies.

British Army does not Excel at spreadsheets: Soldiers' newly announced promotions are revoked after sorting snafu


Excel users == skiddies?

HUGO have given up the fight on naive use of Excel. There are many pitfalls for average users.


Toshiba formally and finally exits laptop business


Re: Not to put TOO fine a point on this comment, but...

Yes, but as the saying goes, it is not Toshiba's fault but it is its problem.

I could eke out more life by installing an SSD. I did that with my old MacBook Pro as Apple were ahead of Microsoft on heavy disk I/O. But the keyboard is flaky and the battery needs replacing again.

On my personal laptop I happily run Arch Linux + LXQt on what is now venerable hardware.


As it happens I ordered a replacement for a 7 year old Satellite yesterday. It still just about runs but Windows 10 makes heavy demands. The 2004 update took 10 hours.

I got 99 problems, and all of them are your fault


I thought this would be a story of dual 5¼" floppies. Occasionally I had to retrieve one inserted between the two drives.

Wrap it before you tap it? No, say Linux developers: 'GPL condom' for Nvidia driver is laughed out of the kernel




Google+ replacement ‘Currents’ to end beta and debut in G Suite on July 6th


So should we refer to the July launch as current Currents?


That Google Currents was renamed to Newsstand in 2014 before being discontinued in 2018.

'Beyond stupid': Linus Torvalds trashes 5.8 Linux kernel patch over opt-in Intel CPU bug mitigation


The devil you know

Leaving aside the performance hit for a moment what security analysis was done on the proposed feature? I'm not saying that it is obviously flawed but existing side channel attacks have taken a long time for white hats to identify.

NHS contact tracing app isn't really anonymous, is riddled with bugs, and is open to abuse. Good thing we're not in the middle of a pandemic, eh?



I have just had a reply from Motorola customer services confirming that my Moto G5S will not have its security level patched beyond its current Aug 2019 level. That is despite it being less than two years old. So my Bluetooth needs to remain disabled. A security level of Feb 2020 is needed; BlueFrag can infect Android 8 or 9 without user interaction.

Australian contact-tracing app sent no data to contact-tracers for at least ten days after hurried launch



Android 8 and 9 are vulnerable to BlueFrag. That can steal personal data without the owner clicking anything. Android 10 is also affected, but it only crashes Bluetooth; no data is stolen.

This is not directly related to the NHS app or Google's alternative but it spreads over the same channel. The only mitigation for BlueFrag on unpatched phones is to keep Bluetooth disabled.

The dodgy Android code was fixed in the Android security patch of Feb 2020. You can find out your patch level in settings, somewhere near the bottom usually.

My phone, a Moto G5S, is less than two years old but is only at an Aug 2019 security level. The Motorola web site confirms that is the latest. It seems that security updates end 24 months after the launch of a handset. So I leave Bluetooth off. I might consider short sessions in private.
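The patch-level check that this post and the earlier Motorola one rely on, written out as an added example; it is not part of the original comments nor any Motorola or Android tooling. It takes the Android release and security patch level (the values Settings shows, which `adb shell getprop` reads as the real properties `ro.build.version.release` and `ro.build.version.security_patch`) and classifies the handset the way the posts do. The February 2020 cut-off and the per-release outcomes are taken from the comments above; the function names are mine, and the `adb` step assumes `adb` is on the PATH and USB debugging is enabled.

```python
import re
import subprocess

# Security patch level at which the BlueFrag fix ships, per the comments
# above (February 2020). Compared as (year, month).
PATCHED_FROM = (2020, 2)


def parse_patch_level(text):
    """Parse an Android security patch level such as '2019-08-01' (the
    ro.build.version.security_patch property) into (year, month)."""
    m = re.fullmatch(r"(\d{4})-(\d{2})(?:-(\d{2}))?", text.strip())
    if not m:
        raise ValueError(f"not a security patch level: {text!r}")
    year, month = int(m.group(1)), int(m.group(2))
    if not 1 <= month <= 12:
        raise ValueError(f"bad month in patch level: {text!r}")
    return year, month


def bluefrag_exposure(release, patch_level):
    """Classify a handset as the posts do:
      'patched'      - patch level is February 2020 or later
      'rce'          - Android 8 or 9 unpatched: data theft, no user interaction
      'dos'          - Android 10 unpatched: Bluetooth crash only
      'unclassified' - a release the posts do not cover
    """
    major = int(str(release).split(".")[0])
    if parse_patch_level(patch_level) >= PATCHED_FROM:
        return "patched"
    if major in (8, 9):
        return "rce"
    if major == 10:
        return "dos"
    return "unclassified"


def getprop(name):
    """Read a system property from the attached device over adb
    (assumes adb is installed and USB debugging is enabled)."""
    out = subprocess.run(["adb", "shell", "getprop", name],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    release = getprop("ro.build.version.release")
    patch = getprop("ro.build.version.security_patch")
    verdict = bluefrag_exposure(release, patch)
    print(f"Android {release}, security patch level {patch}: {verdict}")
    if verdict != "patched":
        print("Keep Bluetooth off; only a newer security patch level fixes this.")
```

Run it with the phone attached to get the verdict from the live properties, or call `bluefrag_exposure("9", "2019-08-01")` directly with the values read off the Settings screen; the phone in the post above comes out as `rce`.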


From attacked engineers to a crypto-loving preacher with a questionable CV: Yep, it's still very much 5G silly season


Correlation is causation

What this really proves is that the coronavirus is building the 5G masts.

16 years and counting: How ESA squeezed oodles of bonus science out of plucky Mars Express probe


Obligatory xkcd

It's not ESA but still https://xkcd.com/695/

Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday


RBS have many things to answer for but did you mean to say Bank of Scotland in your institutions who are ignoring you?

Things I learned from Y2K (pt 87): How to swap a mainframe for Microsoft Access


Re: help!

A scam that is used by those who purport to be from your bank is to ask for characters 1, 4 and 6 from your password. Oh, I didn't catch that; please give me 2, 3 and 5.

Verity Stob is 'Disgusted of HG Wells': Time, gentlemen, please


Re: phub

I was looking for “Chillaxing cockapoos phub the black swan” to be a pangram.

Brit banking sector hasn't gone a single day of 2020 without something breaking


Travelex Is Totally Stuffing Unwitting Partners

A user's magnetic charm makes for a special call-out for our hapless hero


I've been there. The colours were bleeding on my CRT TV so I got it down off its shelf, back off in front of a mirror, manual open to get going on static convergence. But the picture was fine. At that point I twigged that putting my HiFi speakers either side of the TV was not my brightest idea.

Deus ex hackina: It took just 10 minutes to find data-divulging demons corrupting Pope's Click to Pray eRosary app


Premature disclosure

Why have Fidus gone public with this now? It is customary to give reasonable private notice so that security holes can be plugged before every skiddie is given a chance to exploit. According to Fidus they reported the vulnerability on the 18th and it was patched on the 19th. That is way too recent to have rolled out to all users. Fidus should have kept quiet.

The '$4.4m a year' bug: Chipotle online orders swallowed by JavaScript credit-card form blunder


I have often wondered how many autofills populate hidden fields in addition to the visible ones.

Good old Auntie Beeb's mobile app berates kids for being rubbish online


I thought that our licence fee was meant to pay for huge fees to stars (or their PSCs) quality programmes. This looks to be out of scope.

Usenet file-swapping was acceptable in the '80s – but not so much now: Pirate pair sent down for 66 months


Re: Still use it

Sadly some groups are heavily spammed via Google groups. A shame really, Google were Usenet heroes for rescuing deja.com but now manage to outdo AOL.

The Eldritch Horror of Date Formatting is visited upon Tesco


Re: best way so far?

One of the drivers behind ISO8601 formats such as YYYY-MM-DD and YYYY-DDD is that they are precisely defined in the standard and not in prior use. So they are fairly unambiguous. Users of the formats will know that MM ranges from 01 to 12 and DDD from 001 to 366.

Markus Kuhn has summarized ISO8601, though nowadays there is also Wikipedia.


Re: Dates? Don't talk to me about dates...

The proper format is YYYY-MM-DD if you follow the international standard ISO8601 extended format. Using a period instead of hyphen would give some of the same benefits but it is not standard.


Re: Julian dates WTF

Julian day number was well understood by astronomers and other savvy time watchers but then IBM in the 1970s IIRC started to use Julian day to mean ordinal day of the year. There is no connection to Julius Scaliger or Caesar.
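An added example, not from any of the three date comments above, that puts them together in code: it accepts only the ISO 8601 extended calendar form (YYYY-MM-DD) and ordinal form (YYYY-DDD), rejects everything else including ambiguous DD/MM/YYYY input and well-formed but impossible dates, converts between the two forms, and computes the astronomical Julian Day Number so that the difference between "ordinal day of the year" and a real Julian day is visible side by side. The function names are mine; the JDN formula is the standard Gregorian-calendar one (Fliegel and Van Flandern).

```python
import re
from datetime import date, timedelta

# Extended-format patterns only. ISO 8601 also defines a basic format
# (YYYYMMDD, YYYYDDD); it is deliberately not accepted here.
CALENDAR_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")
ORDINAL_RE = re.compile(r"(\d{4})-(\d{3})")


def is_leap_year(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def parse_iso8601(text):
    """Return a date for 'YYYY-MM-DD' or 'YYYY-DDD'; raise ValueError for
    anything else, including dates that match the pattern but do not exist."""
    m = CALENDAR_RE.fullmatch(text)
    if m:
        year, month, day = map(int, m.groups())
        return date(year, month, day)  # date() rejects 2020-02-30, month 13, ...
    m = ORDINAL_RE.fullmatch(text)
    if m:
        year, doy = map(int, m.groups())
        last = 366 if is_leap_year(year) else 365
        if not 1 <= doy <= last:
            raise ValueError(f"ordinal day {doy:03d} out of range for {year}")
        return date(year, 1, 1) + timedelta(days=doy - 1)
    raise ValueError(f"not an ISO 8601 calendar or ordinal date: {text!r}")


def is_iso8601(text):
    try:
        parse_iso8601(text)
        return True
    except ValueError:
        return False


def to_calendar(d):
    return f"{d.year:04d}-{d.month:02d}-{d.day:02d}"


def to_ordinal(d):
    return f"{d.year:04d}-{d.timetuple().tm_yday:03d}"


def julian_day_number(d):
    """Astronomical Julian Day Number (count of days since 1 January 4713 BC
    in the proleptic Julian calendar) for a Gregorian calendar date."""
    a = (14 - d.month) // 12
    y = d.year + 4800 - a
    m = d.month + 12 * a - 3
    return (d.day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100
            + y // 400 - 32045)


if __name__ == "__main__":
    # Constructed sample inputs: two valid forms, two impossible dates and
    # one ambiguous non-ISO string.
    for text in ("2020-03-04", "2020-366", "2019-366", "2020-02-30", "03/04/2020"):
        try:
            d = parse_iso8601(text)
            print(f"{text:>12} -> {to_calendar(d)} = {to_ordinal(d)}, "
                  f"JDN {julian_day_number(d)}")
        except ValueError as exc:
            print(f"{text:>12} -> rejected: {exc}")
```

The ordinal form never goes past 366, while the Julian Day Number for 1 January 2020 is 2458850, which is the "Julian" that astronomers mean; any date-handling code that accepts both strings under the same name is mixing two unrelated counts.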

Cloudflare gives websites their marching orders to hasten page rendering automatically


Re: Speed freaks

Er, not quite; it will load the adverts on your next pr0n site twice as fast.

Want to learn about lithium-ion batteries? An AI has written a tedious book on the subject


As more AI generated content gets published what measures are there to stop the next round from reusing it instead of keeping to original research?

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability


Another simple mitigation

Does not ASLR mitigate against this attack?

A once-in-a-lifetime Opportunity: NASA bids emotional farewell to its cocky, hardworking RC science car on Mars


Re: Thanks Opportunity!

And let us not forget Spirit.


Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently


Re: Go for it, Google!

Yes, Opera is based on Chromium but its ad blocker is part of the browser not an extension.

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters


No custom font is needed if you write uʍop ǝpᴉsdn. However I think that even the most gullible phishee would spot that.

HCL picks up Notes, spanks total of $1.8bn at Honest John's IBM software sale


My company had a recent meeting of all employees as we are in the midst of a merger. A spontaneous cheer went up when it was announced that we were dumping Notes.

No, you haven't gone deaf – the Large Hadron Collider has been wound down for more upgrades


Are they waiting for the Windows 10 1809 update?

Using a free VPN? Why not skip the middleman and just send your data to President Xi?


The Opera browser has offered a free VPN for the web for some time now.

Your RSS is grass: Mozilla euthanizes feed reader, Atom code in Firefox browser, claims it's old and unloved


Re: Goodnight, Firefox

I recommend https://feedly.com. Content is synchronized across all devices. You can import and export OPML when migrating from/to other readers.

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS


@2Nick3 I meant undisclosed in the current incident. I agree with you that it is unlikely to be zero-day.


Most people seem to be missing the point of these recent hacks. It is not important that the tool was Magecart, the language was JavaScript and the infected code was imported from a third party.

The server was compromised. The bad guys either exploited some as yet undisclosed weakness elsewhere on the server or did an inside job.

British Airways hack: Infosec experts finger third-party scripts on payment pages


The RiskIQ report builds a plausible argument from the evidence it gathered.

What is not explained is how the copy of the Modernizr JS hosted by BA was compromised.

Neutron star crash in a galaxy far, far... far away spews 'faster than light' radio signal jets at Earth


Re: Hope it's true

AIUI special relativity says that objects with non-zero mass cannot attain the speed of light because energy applied to them just makes them heavier. There is nothing to say that objects cannot travel at the speed of light or faster, just that they cannot achieve that state from sub-light speeds.


Re: Just a side note

Not quite. Antimatter has antiprotons and antineutrons at its core with positrons (antielectrons) orbiting (in the Bohr view).

Disk will eat itself: Flash price crash just around the over-supplied block


Of course HDD is a cyclical industry.

Python creator Guido van Rossum sys.exit()s as language overlord


Larry Wall for BDFL

Let Parrot flourish

Chrome, Firefox pull very unstylish Stylish invasive browser plugin


Re: Stylus

Thanks for pointing out Stylus, I shall migrate.

One of my prime reasons for using Stylish is to read El Reg without the gratuitous headline images.