Posts by stubert

15 publicly visible posts • joined 7 Feb 2011

You can break EU cookie rules ... if your site breaks without cookies

stubert
Meh

Re: Triple-negative?

Exactly. If that is what this is all about it is fundamentally ridiculous, as you can use your private browsing to anonymise that visit; cookies may still be stored for that browser session only and will not be connected to your non-anonymous visit.

I understood this legislation as being useful to prevent inter-website tracking of users without consent, namely with third party cookies: social linking services and advertisers can aggregate information about users across websites, where they've been, what they've been doing, and use that information to target advertising. The legislation covers any client-side storage method that can be utilised to do so; if this is not the case it is flawed, by which I mean other methods can be used.

Session tracking can be done through the URL but is much, much less secure, and user preferences can be stored server side. If you don't want your current usage to be linked to an account you have, like Danny says, just use private browsing; you will have a new identity for the website until you go back to your normal settings.

Even with this legislation in place, the technology itself is not the problem; the problem is aggregating data. Even if anonymised, the trail itself leaves clues as to someone's true identity, and this tracking can be done at protocol level at various places throughout the internet stack.

Adding a few popup windows to confirm acceptance of a cookie is a nice little placebo and really the legislation is too roundabout to be effective in solving anything.

Online bookie can't scoop £50k losses made by 5-year-old

stubert
Stop

Re: To be secure, forms must be loaded by HTTPS as well as posted via HTTPS.

The comment above has been down-voted but should not be; the information is correct. It is very important to note that you should ensure the page that contains the form has been downloaded over SSL also, and not just the page to which the form will post.

A man-in-the-middle attacker can alter the action value (immediately visible using debugging tools or view source) or inject a script that hijacks the post event of the form (much harder to identify) and send the secure information in the form elsewhere. SSL stops the form from being modified and passed on. A man-in-the-middle attacker can decrypt the form and modify it but will not then be able to re-encrypt the form to relay it to the victim.

Always check that the form you are filling is on a page that is SSL secured with a trusted certificate to prevent eavesdroppers.
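As an added illustration of the point above (example code written here, not from the commenter or the site), a small Python audit that takes the URL a page was fetched from plus its HTML and flags each form whose page, or whose resolved action URL, is not HTTPS; the site names are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Records the action attribute of every <form> element in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means the form posts back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (resolved_action_url, [problems]) for each form in html.
    page_url is where the page itself was fetched from."""
    collector = _FormCollector()
    collector.feed(html)
    page_is_https = urlparse(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative and empty actions
        problems = []
        if not page_is_https:
            problems.append("form page served over plain HTTP: markup can be altered in transit")
        if urlparse(target).scheme != "https":
            problems.append("form posts over plain HTTP: submitted data is not encrypted")
        findings.append((target, problems))
    return findings


# Constructed sample page (not a real site): one hard-coded HTTPS action,
# one relative action, one empty action and one hard-coded HTTP action.
SAMPLE_HTML = """
<html><body>
  <form method="post" action="https://shop.example/login"><input name="pw"></form>
  <form method="post" action="/search"><input name="q"></form>
  <form method="post"><input name="card"></form>
  <form method="post" action="http://stats.example/track"><input name="id"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/login", "https://shop.example/login"):
        for target, problems in audit_forms(url, SAMPLE_HTML):
            print(f"{url} -> {target}: {'OK' if not problems else '; '.join(problems)}")
```

A static check like this only covers what the markup shows; an injected script that hijacks the submit event, as the comment notes, is the case that cannot be caught after the fact, which is why the page carrying the form must itself be served over HTTPS.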

Crypto shocker: 'Perfect cipher' dates back to telegraphs

stubert
Happy

@Stoneshop

Thanks, that cleared it up for me! So to make this practical and totally secure the key is the protocol whereby you send the key to the recipient; if you can do that securely in a way that guarantees the pad has not been modified or duplicated in transit, then the one time pad (given, as someone stated, that the entropy is large enough) is impenetrable and can allow the sending of time-critical messages securely over insecure channels.

stubert
Paris Hilton

The thing I never got...

I understand the randomness of the encryption means that it is an entirely secure method of encrypting your message PROVIDED you have pre-shared the one time pad. How do you deliver the key/pad securely? If you can transmit the encryption pad 100% securely, why not also use the same method to deliver the message? The message cannot be brute forced and attempts to decrypt without the pad would be futile, but it shifts the attack vector onto the key sharing mechanism, surely? Or is this just a problem outside of the scope of this solution? You need a secure channel to be able to share information securely over an insecure channel?

90% of visitors declined ICO website's opt-out cookie

stubert
Devil

Mmm cookies nom nom nom

You can't really track time taken on a page, bounce rate etc. without session detection, as in order to pull those stats together you need to be able to associate one page request with another as part of a single user journey. You can detect general page flow using the HTTP referrer and the current URL to build general stats as to the direction of travel and from where it came.

With a session cookie (the sort you use to remember that a user is logged in by associating the browser with a server side data structure), you can do everything you can do normally, but behind the scenes, using a server as a relay between an analytics service and the end user. You could do so without cookies using the session id through the URL method, as mentioned by Steven Roper above.

Cookies are not the problem; it is the usage of the data gathered, and that isn't remedied by this law simply because there are other ways to do it. If you wanted to store something on a user's machine there is localStorage and many other new data mechanisms. If you want to track a user and sell their data you can use other mechanisms that do not require anything to be stored on the user's machine.

Cookies seem to me to be the fall guy for a deeper problem, and that is being cavalier with data collected about your users. If you wanted to provide targeted ad space you can do so without providing ad companies any data about your users: you simply tell the ad company what type of ads to serve and keep the "to whom" bit private. It is undeniably easier to just insert a couple of lines of third party code into your page though...

Man admits writing script that slurped celebrity iPad data

stubert
Facepalm

And yet no action taken...

On the valet service that parked the car and left it unlocked... Ok this could go on and on. If the hacker has distributed the list of information to anyone other than AT&T or the authorities then yes I agree he should be sentenced for putting that list of people in potential future risk. If he has used the data for his own ills he should be sentenced also. If however he has done none of these then on what grounds is he being charged?

Hackers are needed, you may not understand them and you may paint them all with the criminal brush but that isn't necessarily the case. Hackers highlight security holes in systems that would not get picked up otherwise. There are legitimate companies out there that do this kind of testing, however, they cost money and not all businesses are equally motivated to enlist these services.

Individual hackers often find what is overlooked, in their spare time because they can. Determining whether this is a criminal case or not boils down to what they do after the hack and not the hack itself.

stubert
Thumb Down

Trying a car door is different from boosting a car...

If there is no evidence that anyone was victimised or suffered damages as a result of this "hack", how can charges be brought about, other than a large fine for AT&T for overlooking an elementary level of care in securing this data?

It is suspicious that someone would want to collect all of that data, but unless it can be proven that the data has been publicised or sold or used for phishing attacks, or that there was evidence of a motive to do so, the data can be deleted and the situation sorted out amicably rather than a 5 year prison stint and massive fine. It assumes that the perpetrator's intent was malign.

I hope penetration testers go to prison for life! Which, coincidentally, if AT&T had bothered to put out cash for, they could have avoided this debacle altogether... Whose fault?

Heavy coffee drinking wards off deadly cancer in men

stubert
Thumb Up

Feet size 10? Prepare for a sudden lay off from work...

And it has been proven that you are 35% more likely to get hit in a road accident if you get up on the right hand side of your bed.

So for 22 years these 47,911 people (presumably clones to rule out genetic bias towards prostate cancer) did exactly the same thing, ate exactly the same foods, exercised the same but one group had tea to drink, one group coffee, one group decaf coffee, one group water? Or did we just get a show of hands "Who drinks coffee?... Who died of prostate cancer?"

stubert
Stop

Oh and please rate this article down

Studies are for R&D companies to find avenues of investigation for controlled experiments and trials; this particular study sounds like scraping the bottom of the barrel really. They certainly should not be publicised with any significance in any news outlets.

Obama gov wants 3 yrs porridge for infrastructure hackers

stubert
Stop

RE: Don't do the crime, etc

However, if someone stood at the bottom of your drive with a big box, then called you up asking you to put all your belongings in said box, and you did, whose fault was that?

Microsoft resuscitates 'I'm a PC' ads to fight Apple

stubert
Thumb Down

Wrong market?

I think Microsoft may be gunning for the wrong personal computing market here, winging it on a prayer that these customers don't find out about iPads...

Windows is better for those who know a bit more about what their computer is made up of and want more choice and control over it (gaming computers, servers, high performance machines, specific mirroring/backup configurations on their storage, crazy system setups) but want a fairly decent GUI which also allows them to control and configure this stuff.

Not tech heads and not home users but the inbetweeny tech enthusiasts/PC gamers. That seems to me to be the Windows market. Am I wrong?

Choosing a desktop OS

stubert
Thumb Up

It makes sense to remember

That there is no one tool that can do every job, the same with OSes.

Personally I run servers on Linux as it's easier to lock down (fewer moving parts) and Windows for dev & design. I would possibly use Mac for design work due to better font rendering etc. but I am allergic to bowing down to the Jobsian overlord. Trying to do design with Linux would be like trying to draw using a power drill.

My point is that it is important to not fall into the trap or habit of forcing everyone onto Win to prevent net admin headaches, because Win isn't always the right tool for everyone and net admins seem to have headaches all the time anyway.

Google admits Android 'both open and closed'

stubert
WTF?

Stop whining...

Google are holding back their bleeding edge work, so what? They do not state Android would be a community project; they merely say they will open source the code so no one company can restrict the market by having absolute control.

If you want to, like Nuno stated, you can fork 2.3; when 3 comes out and Google releases the source code you will be able to fork that too. You can install any OS you like onto your smartphone. You can use work Google has done for 2.3 and create your own OS if you want. You can set up a community open source project from 2.3. The same will be true when 3 comes out. What more do you want? Your own personal Google performing your bidding?

I'm still waiting for the source code for, well, any version of Windows... Oh and Apple OS... Well forget it.

Whine, whine, whine... Get a grip.

Flickr flap illuminates cloud concerns

stubert
Stop

Illuminates Cloud Concerns...?

Support operators with detached brains illuminate cloud concerns, do they? I think it just illuminates shoddy support. There are legitimate concerns with cloud computing; I don't think this is one of those concerns. Plus it seems that everything nowadays is coined cloud computing; are web applications now cloud as well?

Anyone who keeps data that valuable to them solely in the hands of another person or entity (even with SLAs) is misguided at best. If it is regarding the cumulative metadata collected, perhaps that would highlight a different concern. An adequate export facility in Flickr, perhaps?

UK police crime map website: Who's the victim here?

stubert
WTF?

Sorry but... Surplus to requirements perhaps...

£300,000 may not be a huge amount when it comes to development costs for such a project, but it's our money!

The government seem to see themselves as this business entity that needs branding, marketing and fancy websites that allow people to have a pleasant experience in getting data from their databases. All the while costing the general public money we don't have and would rather was spent on turning this country around.

How about just opening up the data for people who want to make nice usable interfaces for free, us general hobbyists who get bored of an evening and decide to set up an open source project or two???

People could even get the idea of setting up businesses providing services that combine various datasets in useful and interesting ways and perhaps generate some money which they could pay to the government in taxes???

Wait a second... make money from this project... rather than spending money on it... Surely not!