* Posts by diodesign

3495 publicly visible posts • joined 21 Sep 2011

Apple splats 'new' SSL snooping bug in iOS, OS X - but it's no Heartbleed

diodesign (Written by Reg staff) Silver badge

Re: What about this post?

And we've linked to it in the article. This 'ere is a closer look at the Secure Transport fix. But thanks for reading everything we publish :-)

C.

EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?

diodesign (Written by Reg staff) Silver badge

Re: Flash Boys

"it'd probably behoove the author to read it"

Hi new reader - Tim wrote about Flash Boys here, on the Reg, a couple of weeks ago.

C.

LOHAN's Punch and Judy show: The big fat round-up

diodesign (Written by Reg staff) Silver badge

Re: Classified piece of equipment?

Cripes. Quick - someone! What do we do now? Smash up some laptops in the basement?

C ;-)

OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts

diodesign (Written by Reg staff) Silver badge

Re: Exaggerated risk?

"CloudFlare have found it impossible to exploit the bug to steal keys"

Bad luck, ducky. It's utterly possible :(

"We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can’t be certain."

C.

diodesign (Written by Reg staff) Silver badge

Re: Exaggerated risk?

"CloudFlare have found it impossible to exploit the bug to steal keys"

Well, steal keys from a specific Nginx setup, but I take your point - and the Cloudflare blog is linked to in the article. I note that the Cloudflare heartbleed challenge site has updated itself to "Has the challenge been solved yet? MAYBE? (verifying)". Stay tuned.

In general, it is very tricky to steal private SSL keys (going to Vegas to put everything on red 14 seems like a better chance of success), but that doesn't stop the leaking of passwords and whatnot.

Plus, it's a rather fun bug. Code safe, everyone.

C.

diodesign (Written by Reg staff) Silver badge

Re: More issues with OpenSSL

Thanks for the links - I ran out of time and had other deadlines to hit to drop in Ted's comments. Worthwhile reading.

C.

diodesign (Written by Reg staff) Silver badge

Re: OpenSSL "blueprints"

It's an old writing habit from my tabloid days - avoid repetition, it improves your writing. So "blueprints" was used to avoid another use of source and/or code in the same sentence. That's all. I've written enough deep dives to expect Reg readers to get techy concepts.

On that note, thanks for the article comments - good discussion all round.

C.

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

diodesign (Written by Reg staff) Silver badge

Re: NogginTheNog and Destroy All Monsters

I've tweaked that par – don't forget to email corrections@thereg if you spot any weirdness so things can be quickly fixed.

C.

Call of Duty 'fragged using OpenSSL's Heartbleed exploit'

diodesign (Written by Reg staff) Silver badge

Re: And yet

Yes, but admittedly with private test servers and a lot of patience. But it's easy enough to just watch people's passwords and other stuff going through the server pop up in the extracted blocks.

C.

Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

diodesign (Written by Reg staff) Silver badge

Re: boltar

OK. Well, hopefully we can move past that and maybe now we can get back to the technicals - such as mitigation. You say you've implemented ASLR, so any thoughts?

Guard pages around individual sensitive allocations, causing this memcpy() to trigger a fault? It burns up virtual address space a bit, but worth it IMHO.

There's also this: http://article.gmane.org/gmane.os.openbsd.misc/211963

C.
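A worked version of the guard-page idea floated in the post above, as an added example (not OpenSSL's code and not diodesign's). It maps a buffer so that its last byte sits immediately before a PROT_NONE page, then performs a memcpy with an attacker-chosen length the way the heartbeat handler did: a copy that stays in bounds completes, a copy that runs even one byte past the buffer faults. The SIGSEGV/SIGBUS trap with sigsetjmp exists only so the demo can report the fault instead of dying; in production you let the process crash, since that is the point. The allocator, buffer sizes and helper names are assumptions for the demo; it needs a POSIX system with mmap and mprotect.

```c
/* Added example: guard-page allocation for a sensitive buffer (POSIX mmap/mprotect).
 * Not OpenSSL code. Names and sizes are illustrative. */
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD / macOS spelling */
#endif

struct guarded {
    unsigned char *base;   /* start of the whole mapping, for munmap */
    size_t mapped;         /* data pages plus the one guard page */
    unsigned char *data;   /* caller's buffer; data + len is the guard page */
    size_t len;
};

/* Map len bytes of RW memory followed by one PROT_NONE page and right-align the
 * buffer against that page, so any overrun touches unreadable memory and the
 * kernel raises SIGSEGV (SIGBUS on some platforms). Returns 0 on success. */
int guarded_alloc(struct guarded *g, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t pg = (size_t)page;
    size_t data_pages = (len + pg - 1) / pg;
    if (data_pages == 0) data_pages = 1;
    g->mapped = (data_pages + 1) * pg;
    g->base = mmap(NULL, g->mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g->base == MAP_FAILED) return -1;
    unsigned char *guard = g->base + data_pages * pg;
    if (mprotect(guard, pg, PROT_NONE) != 0) {
        munmap(g->base, g->mapped);
        return -1;
    }
    g->data = guard - len;
    g->len = len;
    return 0;
}

void guarded_free(struct guarded *g) {
    munmap(g->base, g->mapped);
    memset(g, 0, sizeof *g);
}

/* Demo-only fault trap: lets the function report the overrun instead of crashing. */
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

static unsigned char sink[1 << 16];      /* copy target, like the heartbeat response buffer */
static volatile unsigned int checksum;   /* consumes the copy so it cannot be optimised away */

/* Copy `claimed` bytes out of a `len`-byte guarded buffer: the shape of the Heartbleed
 * memcpy with a lied-about length. Returns 1 if the copy tripped the guard page,
 * 0 if it stayed in bounds, -1 if setup failed. */
int overread_is_caught(size_t len, size_t claimed) {
    struct guarded g;
    if (claimed > sizeof sink || guarded_alloc(&g, len) != 0) return -1;
    memset(g.data, 0x41, len);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int faulted;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        memcpy(sink, g.data, claimed);   /* faults the moment it reads the guard page */
        faulted = 0;
    } else {
        faulted = 1;
    }
    unsigned int sum = 0;
    for (size_t i = 0; i < claimed && !faulted; i++) sum += sink[i];
    checksum = sum;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    guarded_free(&g);
    return faulted;
}

int main(void) {
    printf("64-byte copy from 64-byte buffer faulted:    %d\n", overread_is_caught(64, 64));
    printf("65-byte copy from 64-byte buffer faulted:    %d\n", overread_is_caught(64, 65));
    printf("65535-byte copy from 64-byte buffer faulted: %d\n", overread_is_caught(64, 65535));
    return 0;
}
```

The cost is the one the post names: every guarded buffer takes at least one data page plus one guard page of address space, so this is for a handful of long-lived secrets (private keys, session material), not a drop-in replacement for malloc. It also only helps if the sensitive buffer really is its own mapping; a buffer carved out of a shared pool or freelist inherits no guard page from the pool it lives in.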

diodesign (Written by Reg staff) Silver badge

Re: Re: Simple script?

"Which I think shows the general IQ level of the posters on this group. Doubtless these knuckle dragging mouth breathers will mark this down too."

I think you're being downvoted because you're coming across as a bit fighty.

C.

diodesign (Written by Reg staff) Silver badge

Re: boltar

"dropped acronyms into a post in an attempt to gain gravitas"

No, that wasn't my intention.

C.

diodesign (Written by Reg staff) Silver badge

Re: Simple script?

"Ruby maybe?"

Bingo. And by simple, I meant there's no screwing around with race conditions, crafting complicated structures, dodging ASLR, building ROP chains and what not. Just simply lie in a length header. Take the rest of the year off.

C

diodesign (Written by Reg staff) Silver badge

Re: I don't get it..

"Is the leaked data simply the junk that was in de-assigned memory?"

Yeah, it appears to be dead or alive blocks of memory allocated via some malloc()-like magic. If dead, one wonders why it wasn't zeroed on release.

"just suggesting, perhaps we could be a bit less crap at everything?"

This is why I'm learning Rust for its better pointer and array bounds handling, though I'm not sure it could have helped here.

C.
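A worked version of the bug as described in the two posts above ("just simply lie in a length header", and the dead-but-not-zeroed memory that comes back), as an added example. This is not OpenSSL's code and not diodesign's: it mirrors the shape of the heartbeat handling in OpenSSL's ssl/t1_lib.c before and after the 1.0.1g fix, run against a constructed in-process arena with a planted "stale" string, so the over-read is observable without leaving memory the program owns. The TLS1_HB_REQUEST/TLS1_HB_RESPONSE values and the 16-byte padding follow OpenSSL; the arena, the planted secret, the zero padding in place of RAND_pseudo_bytes and the helper names are assumptions for the demo.

```c
/* Added example, not OpenSSL's code: the TLS heartbeat handler's shape with and
 * without the 1.0.1g length check, against a constructed memory arena. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for the process heap: the incoming record sits at the front;
 * a "dead" block from an earlier connection, never zeroed on release, sits after it. */
static uint8_t arena[65536 + 4096];
static const char stale_secret[] = "login=alice&password=hunter2";   /* constructed */

/* Build a heartbeat request whose header claims `claimed` payload bytes while only
 * `actual` bytes are really present. Returns the real record length. */
static size_t build_record(uint16_t claimed, const uint8_t *payload, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, actual);
    size_t rec_len = 1 + 2 + actual + HB_PADDING;    /* padding bytes are already zero */
    memcpy(arena + rec_len + 1000, stale_secret, sizeof stale_secret - 1);   /* stale heap data */
    return rec_len;
}

static uint8_t resp[1 + 2 + 65535 + HB_PADDING];

/* Echo `payload` bytes starting at p into resp, as the handler does. */
static size_t build_response(const uint8_t *p, uint16_t payload) {
    uint8_t *bp = resp;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);          /* with a lied-about length this reads past the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);       /* zeros stand in for RAND_pseudo_bytes padding */
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Vulnerable shape (OpenSSL <= 1.0.1f): the 16-bit length is read from the
 * attacker-controlled message and fed straight to memcpy; the real record
 * length is never consulted. Returns bytes written to resp. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                           /* never checked: that is the bug */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(p, payload);
}

/* Fixed shape (1.0.1g): the claimed length must fit inside the record that actually
 * arrived, otherwise the message is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(p, payload);
}

static int response_contains_secret(size_t n) {
    size_t slen = sizeof stale_secret - 1;
    for (size_t i = 3; i + slen <= n; i++)
        if (memcmp(resp + i, stale_secret, slen) == 0) return 1;
    return 0;
}

/* Request claims 65535 bytes but carries "ping". 1 if the stale secret came back. */
int leaks_secret(int use_fix) {
    static const uint8_t ping[] = "ping";
    size_t rec_len = build_record(65535, ping, 4);
    size_t n = use_fix ? heartbeat_fixed(arena, rec_len) : heartbeat_vulnerable(arena, rec_len);
    return response_contains_secret(n);
}

/* An honest 4-byte request is answered by both versions: 1 + 2 + 4 + 16 bytes. */
size_t honest_response_len(int use_fix) {
    static const uint8_t ping[] = "ping";
    size_t rec_len = build_record(4, ping, 4);
    return use_fix ? heartbeat_fixed(arena, rec_len) : heartbeat_vulnerable(arena, rec_len);
}

int main(void) {
    printf("vulnerable handler leaks stale secret: %d\n", leaks_secret(0));
    printf("fixed handler leaks stale secret:      %d\n", leaks_secret(1));
    printf("honest request, fixed handler:  %zu bytes\n", honest_response_len(1));
    return 0;
}
```

Two things worth noticing. The whole exploit is one forged 16-bit field; no memory corruption happens, which is why ASLR, stack canaries and NX never enter into it. And the leaked bytes are simply whatever followed the record in the heap, which is where the "why wasn't it zeroed on release" question bites: an explicit_bzero-style wipe on free would have limited what came back, though not the live data of other connections.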

White House blasts Samsung for tweeting Obama-Ortiz selfie

diodesign (Written by Reg staff) Silver badge

Re: Re: @David W.

"Bin Laden was at least evil, but you - you're just a hole in the air."

All right, chum, we get the point: is there really any need for this?

C.

Bank-raid ZeuS malware waltzes around web with 'valid app signature'

diodesign (Written by Reg staff) Silver badge

Re: Whose signature?

Correct - Comodo alleges the signing key belongs to Isonet AG, based in Switzerland.

C.

We don't want your crap databases, says Twitter: We've made OUR OWN

diodesign (Written by Reg staff) Silver badge

Re: Too many acronym repeats

I know what you mean - but I'm quite cheered that we have readers and writers spanning systems hardware engineering to database software development.

C.

In three hours, Microsoft gave the Windows-verse everything it needed

diodesign (Written by Reg staff) Silver badge

Re: Lots more than that -

Andrew wrote this piece about an hour before the Roslyn announcement. We've got something about that coming up.

C.

'Good job, NSA! You turned Yahoo! into an encryption beast'

diodesign (Written by Reg staff) Silver badge

Re: Was! Wondering! The! Same! Thing! Myself!

There, fixed.

C.

Google exposes its Andromeda software-defined networking

diodesign (Written by Reg staff) Silver badge

Re: Insert subtitle here

Nah, I'll allow it. Throb is an obvious cliche.

C.

Intel's DIY MinnowBoard goes Max: More oomph for half the price

diodesign (Written by Reg staff) Silver badge

Re: "but the 64-bit x86 Atoms"

Username is relevant.

C.

iFixit boss: Apple has 'done everything it can to put repair guys out of business'

diodesign (Written by Reg staff) Silver badge

Re: Stop your crying

"Never had a problem with getting support at the store and having a jailbroken device. So just shaddup with the 'jaikbroken? Then your screwed' crap already."

Ahem. From support.apple.com:

"Apple strongly cautions against installing any software that hacks iOS ... Apple may deny service for an iPhone, iPad, or iPod touch that has installed any unauthorized software."

PS: We're just reporting what the iFixit guy said. We don't have a strong opinion either way.

C.

AMD: Why we had to evacuate 276TB from Oracle DB to Hadoop

diodesign (Written by Reg staff) Silver badge

Re: intrigid

Yes, OK. AMD claimed it and we weren't awake enough at the time to think it through, but now we've tweaked that sentence.

Please, don't forget to email corrections@thereg if you spot something odd - we see those emails, but we can't read every comment.

C.

IBM PCjr STRIPPED BARE: We tear down the machine Big Blue would rather you forgot

diodesign (Written by Reg staff) Silver badge

Re: Refresh on early PCs

I understand that's true for various PC things out there. But the docs I'm looking at say the RAM was refreshed by the video electronics in the PCjr: that circuitry governed the first 128KB. From the IBM tech manual:

"Memory refresh is provided by the 6845 CRT Controller and gate array. The gate array cycles the RAM and resolves contention between the CRT and processor cycles."

I'm not aware of a DMA controller in the PCjr.

C.

UK.gov! frets! over! Yahoo! exodus! to! RIPA-free! Dublin!

diodesign (Written by Reg staff) Silver badge

Re: Enough with the exclamation points already

So! Why! Is! There! an! Exclamation! Point! On! The! Company! Logo! on! Yahoo! Dot! Com!?

C!

What kid uses wires? FCC supremo angry that US classrooms are filled with unused RJ45 ports

diodesign (Written by Reg staff) Silver badge

Re: Old Handle

"So he's saying wired ethernet is slower than wireless?"

No, and I'm sorry if I wasn't able to make that clear enough. The broadband speed and the Wi-Fi are two separate things. He's upset that all this money is going into wired networks when students and staff prefer to use wireless devices wherever they want.

Then, even once they're connected, getting out to the internet is a PITA anyway.

I'm sorry this isn't clear enough.

C.

Seattle pops a cap in Uber and Lyft: Rideshare bizs get 150-driver limit

diodesign (Written by Reg staff) Silver badge

Re: Final Seattle vote was unanimous

Edit: We got an earlier non-binding sub-committee meeting mixed up with the binding full city council meeting, although the overall gist of the story is correct (thankfully). Hopefully now the article is accurate - thanks and my apologies.

PS: Please, email corrections@thereg next time you spot something wrong. I may not see your complaint in the comments.

C.

GRAV WAVE TSUNAMI boffinry BONANZA – the aftershock of the universe's Big Bang

diodesign (Written by Reg staff) Silver badge

Re: "expansion of space briefly exceeded the speed of light "

"Not really a good way of describing"

How would you describe it?

C.

diodesign (Written by Reg staff) Silver badge

Re: "detected"

"an observation of distant possible effects that very closely match theoretical predictions"

That won't fit in a headline, mate.

Also, our prof says: "It's the first detection of gravitational waves."

C.

US govt: You, ICANN. YOU can run the internet. We quit

diodesign (Written by Reg staff) Silver badge

Re: What if ICANN goes renegade?

That's the $64,000 question. We can only hope there's enough oversight built into ICANN to keep it steady.

C.

Commentards Ball

diodesign (Written by Reg staff) Silver badge

Re: Commentards Ball

Perhaps, what happens at Commentard Club stays in Commentard Club? :-)

But I understand a good time was had by all.

C.

Behold, the TITCHY T-REX that prowled the warm Arctic of long ago

diodesign (Written by Reg staff) Silver badge

Re: And this is filed under Security?

Finger trouble. Security and Science look so similar in our publishing system.

C.

What did you see, Elder Galaxies? What made you age so quickly?

diodesign (Written by Reg staff) Silver badge

Re: Yet another paper made meaningless in popular science coverage...

Please for the love of all you hold dear, please email corrections@theregister.co.uk with any problems you spot. We get those emails immediately whereas here I am, a day after publication, catching up with comments and finding a disagreement.

C.

Cloud Overlords

diodesign (Written by Reg staff) Silver badge

Re: Cloud Overlords

This barely deserves a response. The Register is independently owned (see Companies House), and there is never, never any pressure on editorial to write one way or another. Come on, man, look at these articles:

http://www.theregister.co.uk/2013/06/08/what_about_a_us_tech_boycott/

http://www.theregister.co.uk/2014/02/24/richard_clarke_csa_comments/

http://www.theregister.co.uk/2013/12/17/cios_still_cloud_wary/

http://www.theregister.co.uk/2013/08/06/prism_revenue_wobble_worries/

http://www.theregister.co.uk/2013/10/17/european_commission_no_fortress_europe_for_cloud_but_if_prism_scared_you/

These are in the first few search results for "cloud", a mix of coverage. You're accusing editorial of corruption. That's really nice. Please post here your name, address and workplace so I can turn up and accuse you of corruption to your boss and customers :-/

C.

Roku flashes $50 HDMI TV web dongle at anyone sick of Google's stick

diodesign (Written by Reg staff) Silver badge

Re: Local content?

Pretty sure the Streaming Stick is a pure over-the-internet streaming device. You'll need the more expensive Roku 3 to do something like local streaming (or possibly a lot of fiddling with the Stick).

We've asked Roku for some more info; I'll update the story if that comes in.

C.

Hey, Nimbus Data. What you doin' with those 4TB flash slabs? Making a 96TB box? We KNEW it!

diodesign (Written by Reg staff) Silver badge

Re: Bandwidth starved

"Even if the Reg has misquoted"

Edit: Yes, it should be 40GB/s not 40Gb/s total throughput at full scale. That's been fixed. Please, please, guys, email corrections@thereg with any problems you spot. I can't read every comment for typos :(

C.

RSA booked TV's Stephen Colbert to give the final speech. This is what happened next

diodesign (Written by Reg staff) Silver badge

Re: Upworthy-style click-bait

Ah, that was my fault. I couldn't help myself. You know we hate UpWorthy headlines, so I'm going to play the it-was-an-ironic-gesture-on-a-friday-afternoon-after-a-week-of-RSA-conference-hangovers card.

C.

Black and white please.

diodesign (Written by Reg staff) Silver badge

Re: Black and white please.

See the discussion here.

C.

Font Change?

diodesign (Written by Reg staff) Silver badge

Re: Font Change?

I've pinged our front-end web guys in the UK. As someone else said, I think we just have to replace the toner...

C.

Europe: Apple. Google. Yes, you. Get in here. It's about these in-app bills

diodesign (Written by Reg staff) Silver badge

Re: Is El Reg running out of e-ink?

I've flagged this up with our front-end web guys, who are in the UK. I believe this is a bug. Do not adjust your set. Please stand by.

C.

Update your Mac NOW: Apple fixes OS X 'goto fail' SSL spying vuln

diodesign (Written by Reg staff) Silver badge

Re: Re: This is funny

"it mentions the drama headlines by the Register"

Have you got a link? I can't see it on their website. This should be fun.

C.

diodesign (Written by Reg staff) Silver badge

Re: Piss poor reporting

"Indeed the reporting of this issue was so poor"

Your understanding is wrong, I'm afraid.

1. Any router between you and your website can take advantage.

2. No, that was a curl bug unrelated to the grave SSL cert issue; all network connections boil down to IP addresses anyway.

3. It was reported on Friday after Apple dropped a 0-day on everyone with no fix available and with no fix delivery date.

Keep it coming. I'm loving it.

C.

'G-WIZ like' object doing 40,000 MPH CRASHES on the MOON

diodesign (Written by Reg staff) Silver badge

Re: Must have been impressive....

We couldn't help ourselves.

C.

(Sometimes, these things happen.)

Chipzilla just won't quit: Intel touts 64-bit Atoms for Android phones, tabs

diodesign (Written by Reg staff) Silver badge

Re: Re: So in summary

"segments vs. flat address space"

All modern OSes on Intel x86 use flat address spaces. Segmentation is flattened.

C.

Apple Safari, Mail and more hit by SSL spying bug on OS X, fix 'soon'

diodesign (Written by Reg staff) Silver badge

Re: Does this affect versions earlier than 10.9?

No. If you're running 10.8 or lower, you're good. The change was introduced in OS X Mavericks.

C.

diodesign (Written by Reg staff) Silver badge

Re: Merton

FWIW Safari 7.0.1 using the default config on a Reg Mac running 10.9.1 can reach gotofail.com, and is flagged up as insecure. I included the link in the article because it's a simple test. YMMV.

C.

Update your iThings NOW: Apple splats scary SSL snooping bug in iOS

diodesign (Written by Reg staff) Silver badge

Re: Re: IP address say whotttt?

Scratch that - it appears to be even worse. I've updated the story.

C.

diodesign (Written by Reg staff) Silver badge

Re: IP address say whotttt?

"And if they've just simply turned off CN validation (which is what everything's pointing to at the moment) for all iOS handled SSL connections [...]"

Yes, that appears to be it.

C.

Beware Greeks bearing lists: Bank-raiding nasty Zeus smuggles attack orders in JPEGs

diodesign (Written by Reg staff) Silver badge

Re: John Tserkezis

Fair point, but I believe it changes from crook to crook - the source code is even on Github. Zeus is a highly configurable and modular piece of software :-( Appears it can also screenshot your desktop and open a VNC connection.

Anyway, Facebook, PayPal, Bank of America, YouTube and others are in the defaults. It doesn't have to be a complete URL. Just having 'login' in the URL could be a trigger, or anything connected via HTTPS. I would just assume that if you are infected by Zeus, you're gonna have a real bad time whatever you do online until you get rid of it.

C.

diodesign (Written by Reg staff) Silver badge

Re: Re: Not steganography

"Paah, the articles qualification was an edit made after I posted"

I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it.

IMHO it's concatenation; more generous readers will let it slide as very primitive steganography (seeing as it's obfuscated).

C.