* Posts by Michael H

16 publicly visible posts • joined 27 Aug 2011

Boeing 737 Max chief technical pilot charged with deceiving US aviation regulators over MCAS

Michael H

Re: Some extra info

The first quote is definitely important and will probably be put forward in this case, because while it might not materially have affected the MCAS situation, it does demonstrate something very important to the case of the prosecution: clear evidence that the pilot was broadly engaged in deceiving regulators, by knowingly submitting training materials that by his own admission were not acceptable. Even if this isn't a crime, it's a fairly damning indictment of the character and conduct of the guy in question.

PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text

Michael H

Re: Should have gone to Starling

I gather you haven't been near any London public transportation for the last 2 years?

Android clampdown on calls and texts access trashes bunch of apps

Michael H

Re: Why on earth would Google have a problem with BlackBerry Hub?

You've never actually used an iPhone, have you?

'Sorry, I've forgotten my decryption password' is contempt of court, pal – US appeal judges

Michael H

How does this affect TLS?

With perfect forward secrecy enabled (which basically all servers have now), the key for TLS can't be recovered unless there was a bug in the implementation. Can you be held in contempt for being unable to decrypt subpoenaed HTTPS traffic?

A Rowhammer ban-hammer for all, and it's all in software

Michael H

Re: Shouldn't be possible.

Apparently, ECC is not a totally effective mitigation for rowhammer, since ECC is only guaranteed to detect single-bit errors, whereas rowhammer can flip multiple bits.

Google's Chromecast Audio busted BT home routers – now it has a fix

Michael H

Re: BT Homehubs and Amazon Echo

It's not been fixed, only mitigated. It seems that the Echo struggles with the BT default settings of broadcasting 2.4GHz and 5GHz APs with the same SSID (I've noticed quite a lot of devices struggle with it actually, so I split them out in the settings a while back).

Google engineer names and shames dodgy USB Type-C cable makers

Michael H

Re: So... the news is USB doesn't work in real life...

Actually, the only support for Unicode in the Win32 APIs is through UTF-16, so Windows software uses it lots. Considering the Wintel environment the original USB spec was born from, it's probably the reason USB uses it.

Apple: Samsung ripped off our phone patent! USPTO: What patent?

Michael H

Re: Taketh away

This one was actually rightfully rejected - and for amusing reasons.

The patent that Apple is asserting in this case was filed using a dubious method - they take an earlier failed patent application and submit a completely different concept as a refiling, so that if it's granted, the patent will receive the filing date of the earlier first filing.

This is where things get interesting. The original filing was made in January 2007 - making it before the iPhone's release. When the USPTO reviewed this patent in the course of the case, they noted that the design patent granted differed substantially from the initial application. Because of this, they changed the filing date to when the refiling was submitted, which was August 2008.

So the two pieces of prior art that invalidate the iPhone's design patent are the iPhone and iPhone 3G! Whoops.

GitHub jammed by injected JavaScript, servers whacked by DDoS

Michael H

Anyone who knows owt about JS could pretty easily tell what that code is - unless your idea of semi-obfuscated is 'contains no comments', in which case the majority of code in circulation is probably semi-obfuscated.

(For the record, it randomly picks a target to send AJAX requests to based on the current time and continues to hammer the pages for 30 seconds.)

Google not sabotaging YouTube on Windows Phone after all

Michael H

Kind of an odd stance from MS

"Windows Phone invested additional engineering resources against existing APIs to re-architect a Windows Phone app that delivers a great YouTube experience. ... Microsoft did not receive any additional technical support to create the Windows Phone YouTube app."

In other words, reverse engineering, which Microsoft itself despises and works against (particularly with Skype)?

Google's Brin admits he under-estimated Chinese censorship

Michael H

You've either misunderstood me or not read what I've written

Facebook and Google are all about identity consolidation and profiling in order to gather advertising metrics, which all rely on key aspects of the way the internet and web browsers work. Projects like Tor and Freenet attempt to engineer networks and software which preserve free speech by anonymity, and so undermine the ability of advertisers and analytics firms to track and profile users, a seriously large part of their business. Firms like Yahoo, MS, Google, Facebook, Alexa, etc will never support these projects on a significant scale because it would destroy the foundations of their internet businesses, full stop.

Michael H

@AC 16/04/2012 17:53 Google are not philanthropists

The fact of the matter is, this won't happen. As much as people like to think, Google isn't a philanthropic organisation, sworn to protect all free speech on the internet. Google is a publicly-traded for-profit company with a market in advertising and web analysis, and a swarm of shareholders to keep happy.

As projects like Freenet and Tor undermine the traceability of users, which is the cornerstone of their whole profit-making operations that subsidise the squishy PR parts of Google, there's no way they will invest anything significant into their R&D.

They have provided some small contribution to Tor (under $100k incl. stipends paid out to GSoC participants according to their website), but this is another part of their PR creed of "Do No Evil". It's not enough to make a significant inroad into censorship prevention, and it's certainly not enough to turn it into a global censorship-resistant network capable of supporting the world's general population. What Google can do and what they will do are not the same.

As for the Hong Kong move, that was most likely a business move with a PR to appeal to Western consumers. My assumption is that their boardroom felt that the cost of complying with Chinese takedown orders frequently wasn't worth continuing in that market, especially considering they probably felt helpless to compete with a Chinese company that probably had big friends in the party and the national pride of a large part of the billion-strong population.

US lawmakers claim Huawei sold censor tech to Iran

Michael H

...is also German, not American.

Michael H

Oh the irony...

Isn't it strange how these lawmakers:

A) Have 'conveniently not noticed' that Juniper and Cisco (both American networking moguls) are providing similar products and services to pro-censorship regimes?

B) Are currently trying to rush a bill through in their own country that instates such a regime?

You can tell that American politicians are desperately trying to clutch on to their country's status as the economic leaders in the technology sector by the repeated bogus or hypocritical accusations they levy at Asian tech firms like Huawei, and every patent case in favour of the Silicon Valley software giants.

Android upgraded to be more resistant to hack attacks

Michael H

ASLR might stop people exploiting buffer overflows...

...but it still isn't going to stop J. Random Luser (the sort who uninstalls their AV protection because "the update balloons were annoying") from installing an app off the market that runs up a £4000 bill in premium rate dialing scams. This is where the real security issues in Android lie. (Of course, enabling ASLR is still an improvement, I'm not deriding that.)

I'm firmly of the belief that background services in Android should be restricted from texting and calling, and bring up a confirmation when done by third party apps in the foreground, without explicitly setting it otherwise in the preferences. Not nanny state, just opt-out protection for those who don't know what they're doing.

Phishing email used in serious RSA attack surfaces

Michael H

...thanks to the "helpful feature" that is Microsoft's COM, any ActiveX plugin can be inserted into office documents. Of course, Microsoft doesn't care about how flawed and insecure COM is, especially as a feature in Office documents. But why have security when you can have buzzwords and lock-in?