* Posts by petef

120 posts • joined 13 Sep 2010


NHS contact tracing app isn't really anonymous, is riddled with bugs, and is open to abuse. Good thing we're not in the middle of a pandemic, eh?



I have just had a reply from Motorola customer services confirming that my Moto G5S will not have its security level patched beyond its current Aug 2019 level. That is despite it being less than two years old. So my Bluetooth needs to remain disabled. A security level of Feb 2020 is needed; BlueFrag can infect Android 8 or 9 without user interaction.

Australian contact-tracing app sent no data to contact-tracers for at least ten days after hurried launch



Android 8 and 9 are vulnerable to BlueFrag. That can steal personal data without the owner clicking anything. Android 10 is also affected but it only crashes Bluetooth, no data is stolen.

This is not directly related to the NHS app or Google's alternative but it spreads over the same channel. The only mitigation for BlueFrag on unpatched phones is to keep Bluetooth disabled.

The dodgy Android code was fixed in the Android security patch of Feb 2020. You can find out your patch level in settings, somewhere near the bottom usually.

My phone, a Moto G5S, is less than two years old but is only at an Aug 2019 security level. The Motorola web site confirms that is the latest. It seems that security updates end 24 months after the launch of a handset. So I leave Bluetooth off. I might consider short sessions in private.


From attacked engineers to a crypto-loving preacher with a questionable CV: Yep, it's still very much 5G silly season


Correlation is causation

What this really proves is that the coronavirus is building the 5G masts.

16 years and counting: How ESA squeezed oodles of bonus science out of plucky Mars Express probe


Obligatory xkcd

It's not ESA but still https://xkcd.com/695/

Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday


RBS have many things to answer for but did you mean to say Bank of Scotland in your institutions who are ignoring you?

Things I learned from Y2K (pt 87): How to swap a mainframe for Microsoft Access


Re: help!

A scam that is used by those who purport to be from your bank is to ask for characters 1, 4 and 6 from your password. Oh I didn't catch that, please give me 2, 3 and 5.

Verity Stob is 'Disgusted of HG Wells': Time, gentlemen, please


Re: phub

I was looking for “Chillaxing cockapoos phub the black swan” to be a pangram.

Brit banking sector hasn't gone a single day of 2020 without something breaking


Travelex Is Totally Stuffing Unwitting Partners

A user's magnetic charm makes for a special call-out for our hapless hero


I've been there. The colours were bleeding on my CRT TV so I got it down off its shelf, back off in front of a mirror, manual open to get going on static convergence. But the picture was fine. At that point I twigged that putting my HiFi speakers either side of the TV was not my brightest idea.

Deus ex hackina: It took just 10 minutes to find data-divulging demons corrupting Pope's Click to Pray eRosary app


Premature disclosure

Why have Fidus gone public with this now? It is customary to give reasonable private notice so that security holes can be plugged before every skiddie is given a chance to exploit. According to Fidus they reported the vulnerability on the 18th and it was patched on the 19th. That is way too recent to have rolled out to all users. Fidus should have kept quiet.

The '$4.4m a year' bug: Chipotle online orders swallowed by JavaScript credit-card form blunder


I have often wondered how many autofills populate hidden fields in addition to the visible ones.

Good old Auntie Beeb's mobile app berates kids for being rubbish online


I thought that our licence fee was meant to pay for huge fees to stars (or their PSCs) quality programmes. This looks to be out of scope.

Usenet file-swapping was acceptable in the '80s – but not so much now: Pirate pair sent down for 66 months


Re: Still use it

Sadly some groups are heavily spammed via Google groups. A shame really, Google were Usenet heroes for rescuing deja.com but now manage to outdo AOL.

The Eldritch Horror of Date Formatting is visited upon Tesco


Re: best way so far?

One of the drivers behind ISO8601 formats such as YYYY-MM-DD and YYYY-DDD is that they are precisely defined in the standard and not in prior use. So they are fairly unambiguous. Users of the formats will know that MM ranges from 01 to 12 and DDD from 001 to 366.

Markus Kuhn has summarized ISO8601 though nowadays there is also Wikipedia.


Re: Dates? Don't talk to me about dates...

The proper format is YYYY-MM-DD if you follow the international standard ISO8601 extended format. Using a period instead of hyphen would give some of the same benefits but it is not standard.


Re: Julian dates WTF

Julian day number was well understood by astronomers and other savvy time watchers but then IBM in the 1970s IIRC started to use Julian day to mean ordinal day of the year. There is no connection to Julius Scaliger or Caesar.
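To illustrate the two points made in the posts above (that ISO 8601 calendar and ordinal dates are unambiguous because their fields have fixed widths and fixed ranges, and that the astronomical Julian Day Number is unrelated to the IBM "Julian day" meaning ordinal day of the year), here is an added example that is not part of the original comments. It accepts only the extended formats YYYY-MM-DD and YYYY-DDD, rejects out-of-range fields (including day 366 in a non-leap year), and computes both flavours of "Julian" for a parsed date.

```python
import re
from datetime import date

# Strict ISO 8601 extended formats only: calendar date and ordinal date.
_CALENDAR = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
_ORDINAL = re.compile(r"^(\d{4})-(\d{3})$")


def _is_leap(year: int) -> bool:
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def parse_iso8601_date(text: str) -> date:
    """Parse YYYY-MM-DD or YYYY-DDD, raising ValueError for anything else.

    MM must be 01..12 and DD valid for that month; DDD must be 001..365
    (001..366 in a leap year). Anything ambiguous, e.g. 01-02-03, is rejected.
    """
    m = _CALENDAR.match(text)
    if m:
        year, month, day = (int(g) for g in m.groups())
        return date(year, month, day)  # ValueError on 2019-02-30, month 13, etc.
    m = _ORDINAL.match(text)
    if m:
        year, ordinal = int(m.group(1)), int(m.group(2))
        days_in_year = 366 if _is_leap(year) else 365
        if not 1 <= ordinal <= days_in_year:
            raise ValueError(f"ordinal day {ordinal} out of range for {year}")
        return date.fromordinal(date(year, 1, 1).toordinal() + ordinal - 1)
    raise ValueError(f"not an ISO 8601 calendar or ordinal date: {text!r}")


def is_valid_iso8601_date(text: str) -> bool:
    """Convenience wrapper for input validation: True if parse succeeds."""
    try:
        parse_iso8601_date(text)
    except ValueError:
        return False
    return True


def julian_day_number(d: date) -> int:
    """Astronomical Julian Day Number (days since noon 1 Jan 4713 BC, proleptic Julian).

    Standard Gregorian-to-JDN conversion; e.g. 2000-01-01 -> 2451545.
    """
    a = (14 - d.month) // 12
    y = d.year + 4800 - a
    m = d.month + 12 * a - 3
    return d.day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 32045


def ibm_julian_day(d: date) -> int:
    """The 'Julian day' in the IBM sense: simply the ordinal day of the year, 1..366."""
    return d.timetuple().tm_yday
```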

Cloudflare gives websites their marching orders to hasten page rendering automatically


Re: Speed freaks

Er not quite, it will load the adverts on your next pr0n site twice as fast.

Want to learn about lithium-ion batteries? An AI has written a tedious book on the subject


As more AI generated content gets published what measures are there to stop the next round from reusing it instead of keeping to original research?

SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability


Another simple mitigation

Does not ASLR mitigate against this attack?

A once-in-a-lifetime Opportunity: NASA bids emotional farewell to its cocky, hardworking RC science car on Mars


Re: Thanks Opportunity!

And let us not forget Spirit.


Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently


Re: Go for it, Google!

Yes, Opera is based on Chromium but its ad blocker is part of the browser not an extension.

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters


No custom font is needed if you write uʍop ǝpᴉsdn. However I think that even the most gullible phishee would spot that.

HCL picks up Notes, spanks total of $1.8bn at Honest John's IBM software sale


My company had a recent meeting of all employees as we are in the midst of a merger. A spontaneous cheer went up when it was announced that we were dumping Notes.

No, you haven't gone deaf – the Large Hadron Collider has been wound down for more upgrades


Are they waiting for the Windows 10 1809 update?

Using a free VPN? Why not skip the middleman and just send your data to President Xi?


The Opera browser has offered free VPN for the web for some time now.

Your RSS is grass: Mozilla euthanizes feed reader, Atom code in Firefox browser, claims it's old and unloved


Re: Goodnight, Firefox

I recommend https://feedly.com. Content is synchronized across all devices. You can import and export OPML when migrating from/to other readers.

Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS


@2Nick3 I meant undisclosed in the current incident. I agree with you that it is unlikely to be zero-day.


Most people seem to be missing the point of these recent hacks. It is not important that the tool was Magecart, the language was JavaScript and the infected code was imported from a third party.

The server was compromised. The bad guys either exploited some as yet undisclosed weakness elsewhere on the server or did an inside job.

British Airways hack: Infosec experts finger third-party scripts on payment pages


The RiskIQ report builds a plausible argument from the evidence it gathered.

What is not explained is how the copy of the Modernizr JS hosted by BA was compromised.

Neutron star crash in a galaxy far, far... far away spews 'faster than light' radio signal jets at Earth


Re: Hope it's true

AIUI special relativity says that objects with non-zero mass cannot attain the speed of light because energy applied to them just makes them heavier. There is nothing to say that objects cannot travel at the speed of light or faster, just that they cannot achieve that state from sub-light speeds.


Re: Just a side note

Not quite. Antimatter has antiprotons and antineutrons at its core with positrons (antielectrons) orbiting (in the Bohr view).

Disk will eat itself: Flash price crash just around the over-supplied block


Of course HDD is a cyclical industry.

Python creator Guido van Rossum sys.exit()s as language overlord


Larry Wall for BDFL

Let Parrot flourish

Chrome, Firefox pull very unstylish Stylish invasive browser plugin


Re: Stylus

Thanks for pointing out Stylus, I shall migrate.

One of my prime reasons for using Stylish is to read El Reg without the gratuitous headline images.

ICANN pays to push Whois case to European Court of Justice


ICANN seem to be taking their non-profit status quite seriously.

Russian battery ambitions see a 10x increase in power from smaller, denser nukes


Re: Specific Energy

A fair point but the mass of an engine can be amortised against a large fuel tank if we are talking about many years of operation.

BTW I upvoted you and would have given an extra if I could for the obligatory XKCD reference.


Specific Energy

3300 mWh/g is about 12 MJ/kg, the units chosen on Wikipedia. That is ~20x better than an alkaline cell though a quarter of that of petrol.


I got 257 problems, and they're all open source: Report shines light on Wild West of software


Re: At least the command line is OK

As long as you have patched for Shellshock.

Oracle demands dev tear down iOS app that has 'JavaScript' in its name


You use the word JavaScript 12 times in your article. Expect a letter from Sue, Grabbitt and Runne.

Must go now, there's someone pounding on my door.

Elon Musk's mighty erection fires sperm at orbiting space station



The less gentle readers are directed to Kurt Vonnegut’s short story “The Big Space F***” published in Again, Dangerous Visions in 1972. The asterisks are mine.

IBM thinks Notes and Domino can rise again


I use Notes at work and it is truly appalling. I have been objective and built a list of its faults which currently has 120 entries. What is the worst? Maybe that I cannot read webmail on my smartphone because most of my email is filtered into folders and Notes actively prevents you from reading them.

Until last week, you could pwn KDE Linux desktop with a USB stick


Obligatory XKCD reference

Exploits of a Mom

From July, Chrome will name and shame insecure HTTP websites


When email introduced security measures such as SPF and DKIM the Bad Guys were in the forefront of adopters in my observations. I expect malicious web sites to be ahead of the game in supporting HTTPS. A green padlock can be used to sell snake oil.

Crypto-jackers slip Coinhive mining code into YouTube site ads


The Opera browser added a blocker for mining a few weeks ago. That is in addition to the built-in ad blocking.

Facebook invents new unit of time to measure modern attention spans: 1/705,600,000 of a sec


Re: That's not news

Indeed, here is a quote from the BBC story:

A flick, derived from "frame-tick", is 1/705,600,000 of a second - the next unit of time after a nanosecond.

Take notebooks: About those new Thinkpads...


In Windows I turn on what they call Toggle Keys in Ease Of Access. That makes the computer beep whenever the caps lock (and num and scroll) key is pressed.

As Apple fixes macOS root password hole, here's what went wrong


Pro tip: You can log into macOS High Sierra as root with no password
