* Posts by Tridac

139 posts • joined 30 Oct 2011

Reprogrammable routers axed by TP-Link as FCC bans custom firmware

Tridac

Re: But it's my router, I've bought it

I call BS. The synthesisers on those devices aren't programmable anywhere near GSM at ~800 MHz. They run at 2.4 GHz and have narrow-band TX and RX filters, which you would need to physically remove, even if the synth chips were programmable to 800 MHz. It's no problem anyway, as there are dozens of brands that are reprogrammable, as well as old faithfuls like the Linksys WRT54. We have had two of those running Tomato firmware for several years with no issue.


Ad-blockers are a Mafia-style 'protection racket' – UK's Minister of Fun

Tridac

Re: That speech in full

No, the idea is that citizens should be encouraged to learn how to make their own choices, not have nanny state decide what's good for them...

'I bet Russian hackers weren't expecting their target to suck so epically hard as this'

Tridac

Re: Unsigned....

Sigh. No, it won't have 101 iterations. It will keep counting down, past the initial 100 on its way, until it wraps round. If it's a (signed) char, 8 bits, it will wrap forever, since the signed value, including the wrap-around value, is always less than 200. Similar traps for the careless if you specify 16 or 32 bit int or long, but who in their right mind would code rubbish such as that ?...

Tridac

Re: Unsigned....

Would help to have a u++, rather than u-- :-). Also, such counters are often used to index arrays, which start at 0...

Tridac

Re: RIGHT!

Coming from an assembler background, where a bad choice of signed or unsigned branch can cause all kinds of subtle bugs, the rule here is never to use a signed type for what is basically an unsigned counting task.

You can fix the above easily by starting at zero and counting up to less than the desired limit, and it looks far more rational than using a signed type.

unsigned int x = 0;

for (x = 0; x < limit; x++) {...

Or, use a do / while to get a similar result, which can produce better asm code, depending on the compiler...
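
The countdown trap discussed in the three replies above, shown as an added C example (this is not code from any of the posts): an unsigned index with a ">= 0" exit test never terminates because unsigned arithmetic wraps, a signed index stops after start+1 passes, and counting up from zero to "less than limit" visits exactly the right indices. The iteration cap and the `lower` variable are devices of this example only, there to stop the runaway loop and to keep the compiler from folding the always-true comparison away.

```c
#include <limits.h>
#include <stdio.h>

/* Added example of the signed-vs-unsigned countdown trap. Not code from the
 * original thread. */

/* Decrementing an unsigned char below zero wraps to UCHAR_MAX (255):
 * unsigned arithmetic is modular in C, so "u >= 0" can never become false. */
unsigned int decrement_uchar(unsigned char v)
{
    v--;                         /* 0 - 1 wraps to 255 by definition */
    return v;
}

/* The trap: count down on an unsigned index with a ">= 0" exit test.
 * 'lower' is a variable rather than the literal 0 only so the comparison is
 * not folded away at compile time; the semantics are identical.
 * Returns how many iterations ran before hitting 'cap', which stands in for
 * "the loop never ended on its own". */
unsigned long naive_countdown_iterations(unsigned int start, unsigned long cap)
{
    unsigned int lower = 0;
    unsigned long iterations = 0;
    for (unsigned int u = start; u >= lower; u--) {
        if (++iterations >= cap)
            return iterations;   /* still running after start+1 passes: wrapped */
    }
    return iterations;           /* never reached: the condition is always true */
}

/* Same countdown on a signed index: exits after start+1 iterations (start..0). */
unsigned long signed_countdown_iterations(int start)
{
    unsigned long iterations = 0;
    for (int i = start; i >= 0; i--)
        iterations++;
    return iterations;
}

/* The idiom from the post: start at zero and count up to "less than limit".
 * Visits exactly 'limit' indices, 0..limit-1, which also matches array indexing. */
unsigned long count_up_iterations(unsigned int limit)
{
    unsigned long iterations = 0;
    for (unsigned int x = 0; x < limit; x++)
        iterations++;
    return iterations;
}

/* If you genuinely need to walk downwards with an unsigned index, test before
 * decrementing: the body sees n-1 .. 0 and the loop exits when u was already 0. */
unsigned long safe_countdown_iterations(unsigned int n)
{
    unsigned long iterations = 0;
    for (unsigned int u = n; u-- > 0;)
        iterations++;
    return iterations;
}

int main(void)
{
    printf("(unsigned char)0 - 1 = %u\n", decrement_uchar(0));
    printf("naive unsigned countdown from 100 (capped at 1000): %lu iterations\n",
           naive_countdown_iterations(100, 1000));
    printf("signed countdown from 100: %lu iterations\n",
           signed_countdown_iterations(100));
    printf("count up to 100: %lu iterations\n", count_up_iterations(100));
    printf("safe unsigned countdown from 100: %lu iterations\n",
           safe_countdown_iterations(100));
    return 0;
}
```

The naive loop shows the thread's point directly: after the 101st pass the index is 0, the decrement wraps it to UINT_MAX, and only the artificial cap ends the run.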

Reminder: How to get a grip on your files, data that Windows 10 phones home to Microsoft

Tridac

Re: Did you see the trial balloon?

Who cares, other than paranoid commercial environments that must have the latest and greatest hardware / os and slavishly install all patches because microslop say they need them ?. Once you get a system installed and stable, there's a good argument for locking it down frozen at that spec for good... As for performance, there really has been little advancement in processor performance over what is actually needed in years and most users would be quite happy with 5 year old or even older hardware to run their os and apps.

None of the hardware here is less than that in age and we are using 7 and even XP for some work. All updates are switched off after install of the initial service packs and all machines are running only the services that are required to actually get the job done. Windows is actually pretty good stripped down to essentials and we haven't had any malware problems for as long as I can remember..

Why does anyone need Windows 10, when earlier versions are quite capable of running all the usual apps and will do for the foreseeable future ?...

Confused as to WTF is happening with Apple, the FBI and a killer's iPhone? Let's fix that

Tridac

Re: Simple solution...

...That key is a 256 Bit AES key. You can't brute force that

That's irrelevant, as the user entered key is only 4 decimal digits. There must be code in the system that relates that to the stored key. If you have access to the binary image, assuming that that is not encrypted in flash and that the aes stuff is done in software, the code could be disassembled to work out the algorithm. More difficult, but the same applies even if the encryption is done in hardware, since the pattern of accesses to that hardware could be analysed. It's not rocket science either, as code analysis is a standard technique to reverse engineer and, for example, maintain older systems for which no source or hardware docs exist.

There really is no completely secure method, given enough resources, and I'd be surprised if people like the NSA haven't already done a complete analysis of all the major phone manufacturers' products...

Chris

Tridac

Re: It's probably just a false flag case...

The more that they can convince people that it's uncrackable, the more likely it is that everyone will assume that it is, including the bad guys.

To avoid complacency, you have to assume that *all* security devices can be cracked, given sufficient resources :-(...

Tridac

Re: It's probably just a false flag case...

It must be stored somewhere. Either in the flash, a serial EEPROM, or perhaps they are using a hash of the processor internal hardware serial number + algorithm + 4 digit code.

If the processor has a jtag port for things like initial factory firmware load or debug purposes, then that provides access to all memory and peripheral devices on the system. Not saying it's easy, but it could be done...
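
The point made across the replies above, that a 4-digit code is the weak link however long the stored key is, as an added C example that is not code from the posts or from any phone vendor. It models PIN-to-key derivation as H(PIN || device secret) using FNV-1a (a stand-in for whatever KDF a real device uses), then runs two attacks: an offline sweep of all 10,000 PINs, which is instant once the algorithm and the device secret have been recovered, and the same sweep through a component that enforces an attempt budget, which is what has to protect a keyspace this small. The device secret and PINs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: toy model of "code that relates a 4-digit code to the stored
 * key". Not code from the thread or from any vendor. FNV-1a stands in for the
 * real KDF; the device secret below is constructed. */

#define PIN_SPACE 10000u

/* Constructed per-device secret, e.g. a fused hardware UID. */
static const uint8_t kDeviceSecret[16] = {
    0x9f, 0x02, 0x7c, 0xe1, 0x44, 0x8a, 0x3b, 0xd6,
    0x10, 0x5e, 0xa7, 0xc9, 0x38, 0x6d, 0xf2, 0x01
};

static uint64_t fnv1a64(const uint8_t *data, size_t len, uint64_t h)
{
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* key = H(PIN || device_secret). With only 10^4 PINs, the key's strength
 * rests entirely on keeping the secret and the attempt count out of reach. */
uint64_t derive_key(unsigned int pin, const uint8_t *secret, size_t secret_len)
{
    char digits[5];
    snprintf(digits, sizeof digits, "%04u", pin % PIN_SPACE);
    uint64_t h = fnv1a64((const uint8_t *)digits, 4, 0xcbf29ce484222325ULL);
    return fnv1a64(secret, secret_len, h);
}

/* Offline: attacker has the algorithm (from disassembly) and the secret (read
 * out of flash or over a debug port). The whole PIN space is 10,000
 * derivations. Returns the PIN, or -1 if none matched. */
int brute_force_pin(uint64_t target, const uint8_t *secret, size_t secret_len)
{
    for (unsigned int pin = 0; pin < PIN_SPACE; pin++)
        if (derive_key(pin, secret, secret_len) == target)
            return (int)pin;
    return -1;
}

/* Online: the secret never leaves a component that counts attempts and
 * refuses once the budget is spent. */
struct pin_oracle {
    uint64_t stored_key;
    unsigned int attempts_left;
};

/* 1 = correct, 0 = wrong, -1 = locked out. */
int oracle_try(struct pin_oracle *o, unsigned int pin)
{
    if (o->attempts_left == 0)
        return -1;
    o->attempts_left--;
    return derive_key(pin, kDeviceSecret, sizeof kDeviceSecret) == o->stored_key;
}

/* Sweep the PIN space through the oracle. Returns the PIN, or -1 on lockout. */
int brute_force_via_oracle(struct pin_oracle *o)
{
    for (unsigned int pin = 0; pin < PIN_SPACE; pin++) {
        int r = oracle_try(o, pin);
        if (r != 0)
            return r == 1 ? (int)pin : -1;
    }
    return -1;
}

/* Scenario helpers that return results rather than printing them. */
int demo_offline_attack(unsigned int true_pin)
{
    uint64_t k = derive_key(true_pin, kDeviceSecret, sizeof kDeviceSecret);
    return brute_force_pin(k, kDeviceSecret, sizeof kDeviceSecret);
}

int demo_online_attack(unsigned int true_pin, unsigned int attempt_budget)
{
    struct pin_oracle o = {
        derive_key(true_pin, kDeviceSecret, sizeof kDeviceSecret), attempt_budget
    };
    return brute_force_via_oracle(&o);
}

int main(void)
{
    printf("offline sweep recovers PIN %d\n", demo_offline_attack(4321));
    printf("online sweep, budget 10, PIN 4321: %d (-1 = locked out)\n",
           demo_online_attack(4321, 10));
    printf("online sweep, budget 10, PIN 0005: %d\n", demo_online_attack(5, 10));
    return 0;
}
```

The two results side by side are the whole argument: the same 10,000-candidate search succeeds in microseconds offline and dies after ten guesses online, so what matters is whether the secret and the counter can be pulled out of the device, not the length of the AES key.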

Brits unveil 'revolutionary' hydrogen-powered car

Tridac

Re: So the fuel cell will never need charging..?

They must have thought of that. There's no reason why the supercapacitors can't be charged during normal driving, even if at a fraction of the charge rate. It smooths out the fuel cell energy profile, reducing peak demand and probably extends fuel cell life. Braking energy recovery just adds to that.

The good thing about supercaps is that they will take very high charge rate over a short time period. Any other battery tech takes much longer to charge, due to limits on charge current because of the heating generated from the internal resistance and chemical energy conversion process. Another advantage is that supercaps, being based on electrostatic principles, don't suffer from the wearout mechanisms of normal batteries.

Brave idea and one more small step towards an electric vehicle future. Estimate 15-20 years before most light vehicles are all electric...

VW floats catalytic converter as fix for fibbing diesels

Tridac

Re: EU

That might be because diesel is cheaper to start with. However, iirc, in the UK, government tax on diesel is more than that on petrol, to remove that advantage...

Tridac

Re: Anyone else notice the DEAFENING SILENCE from the other car makers?

No, just not so good technically. If you want the best engines in the world, currently, go to Germany or Japan...

Tridac

Re: Why did I buy a diesel ?

@AC: 48 mpg mixed, 170BHP, 0-60 around 7.5 seconds..

But not all at the same time :-). The mpg gauge on my everyday car drops to about 5-8mpg if it's given some serious boot. Good economy isn't new, the old 60's twin cam Alfas would return 35-40mpg if driven gently. That was on twin Webers or Dellorto carbs + coil ignition btw...

To bring it back on topic, I think there was a VW Polo (diesel) advertised a few years ago which claimed 70+ mpg, better even than the self-righteous and overcomplex Prius. People want economy and performance and diesel starts off at an advantage because of its higher thermal efficiency.

It's crazy. Up until recently, engines were optimised for CO2, but now it seems we are obsessed with NO. When no one really knows what limits are safe, we get the usual over the top gold plating of everything, rather than risk assessment, cost vs benefit.. Aren't fashions, fads, agendas and ignorance a wonderful thing?...

Tridac

Re: why did I buy a diesel?

You would never want to own one of the old 60's diesel Landys, unless you want to be shaken to bits, not to mention the complete lack of forward progress. Old petrol ones are great though and have owned two in the past. Currently on a 3.0 td Isuzu, after 7 years with one of the old 3.1 models, which had mechanical injection and 340k on it when sold. The 3.0 is common rail, ECU and sensors in every orifice. Had a serious starting problem at one point, which turned out to be the rail pressure sensor. The local Isuzu dealer charged me an hour's labour, but could not diagnose it with their own Tech II. Completely incompetent. I bought a Chinese Tech II copy on eBay, which found it in minutes. To me, the engine is the heart and soul of a vehicle and that 3.0, despite the reputation, really is magnificent. 4 cyl 3.0 litre, balancer shaft smooth and the most torquey and flexible engine I've ever driven. Well over 30 mpg on a run as well, which is good enough. For what I use it for, could probably get the same result with a small van or large estate, but no better economy and far less towing ability. It earns its keep, so what's not to like ?...

Tridac

Re: Which cave did they dig you out from?

Well what do you expect from the US these days ?. Just look at the sort of dictatorial eco fascists running the EPA to get an idea what the agenda is. While I'm all in favour of reducing pollution, regs should be realistic to avoid increasing costs for everyone. Modern vehicles are a very good compromise between cost, efficiency, drivability and emissions, but it's still an engineering devil's bargain. Sounds to me like the US is trying to sink VW. The usual underhand protectionism tactics because VW are and have been very successful in the US for decades. I smell scapegoat, but at least it's given all the other manufacturers time to take similar hacks out of their own ECU code ^-).

A friend of mine who used to help me with engine rebuilds on my old cars worked for an auto consultancy in the UK, before moving to China to run an engine test lab. He tells me that all manufacturers have been gaming the standards system for decades. It's seen as something of a challenge, with the industry seeing how far they can push the envelope without falling foul of the regs. They are all at it, since it's not possible to satisfy unrealistic requirements without adding cost or affecting stuff like drivability. The ECU software may be designed to meet standards requirement testing, but it's not the same as on the road conditions and driving styles, which can range from cold starts, crawling through city traffic, to open road, where you need power for overtaking. If you really could test for all that, I doubt if any vehicles would pass muster unless the engine were strangled completely. In the EU, the regs are negotiated with the manufacturers, who have quite a bit of input to the process on the basis of how much benefit is achievable vs cost and vehicle performance. In essence, it's done on a best effort, what's possible with current or emerging technology basis. The standards become more onerous on a rolling basis, but there are no scientific absolutes in benefit terms, just ongoing efforts to improve efficiency and reduce pollution. However, all this will be irrelevant in a couple of decades, as the world will be electric by that time.

Anyway, storm in a teacup. VW were dumb enough to admit to the "feature", but unless the EPA had access to the ECU source code and design docs, how could they prove anything ?...

UK energy minister rejects 'waste of money' smart meters claim

Tridac

A bit more info: The system will be built around, (per house or consumer), a zigbee encrypted wireless network (Home Area Network or HAN), with the electricity and gas meters reporting to a communications hub. Each hub will be interrogated and managed by the equipment (via 2.4 GHz and ~800 MHz radio networks) at the Data Communications Company, who have been awarded the contract and are a subsidiary of Capita. DCC was probably formed specifically for the task.

This seems like a whole load of infrastructure and systems to put in place just to read meters, so wonder what's next, once every home has its private network comms hub ?. I guess water meters might be next, followed by "home security" systems, with cameras and microphones in every room.

Should I be worried about this, or am I missing something here ?...

Tridac

From Ledswinger, upthread:

https://www.gov.uk/government/consultations/smart-metering-equipment-technical-specifications-second-version

I’ve just had a quick scan through that. It’s still at draft stage, V1.58, as of November 2014. It’s a complex spec, based around a zigbee network, with separate hardware described for gas / electricity metering, communications “hub”, user interface / display and auxiliary load switching. Potentially a lot of hardware to install, though I guess some or all functions could be integrated into the same box. No mention of GSM, though the hub could conceivably integrate or have options for GSM, wifi, ethernet and more.

It looks like it has very fine grained data gathering and load control capability. For example, control of several auxiliary load switches; active and reactive power import and export are measured, as are min / max loads against time. The import / export stuff accounts for grid tie systems and home generation, while reactive power measurement provides the ability for higher charges for users with poor power factor. Just as industrial users have been for decades. There’s lots more, and quite interesting in an eyes glazed sort of way.

But, still even now at draft and a half baked spec imho. For example, the auxiliary contactor section doesn’t even mention current or voltage rating at all. Will the meter itself have the “main” contactor, or must there be at least one auxiliary contactor ?. Who will pay for all the voltage drop losses across the SSR ?. Let’s see now, 50 watts loss average * 20e6 meters = 10e9 watts losses !. Even if they use a mechanical relay, the holding coil will consume 5 - 10 watts, so not that much better. Meter itself < 4 watts, but the hub and gas meter are externally powered and thus paid for by the consumer…

Tridac

Re: How it works

Thanks. Too lazy to look this up so far, but that fills in most of it...

Tridac

Re: The paranoia!

Think, Big Data. I'm sure you must know that Intelligence gathering involves collecting seemingly unrelated data from many sources and then using analytics to find patterns.

Whether intentional or not, malice or not, it's yet another fairly insignificant, but potentially very real invasion of privacy that all people are being subjected to these days, to an ever greater degree. Yet no-one seems to care...

Tridac

Commswonk: In an earlier posting Ledswinger (IIRC) stated that the smart meters have the capability of having an auxiliary switched output that can be controlled by the supplier. I can't speak for anyone else but I'm not going to rush to have duplicate ring - mains installed so that selected items can be switched off by someone else. The cost of that would be unrecoverable from any likely saving.

I guess here’s a real benefit from an efficiency and emissions pov to reduce the variations in demand on the grid, since this allows running the generators at peak efficiency more of the time. Someone else in this thread pointed to an EU report which discusses that in depth. One of the ways to contribute to that ideal is to have a finer degree of control over appliances in the home and that ties in with the currently fashionable “internet of everything”, though much of that looks like hype currently, solutions looking for a problem. Should be good for employment rates though, as there's already a severe shortage of good embedded systems bods.

Agree about rewiring the house for the auxiliary circuit, but can see a future where all new homes will have internet included, metering and appliances connected and where for example, 1 out of every 3 13 amp sockets are switchable by the utility. If it could save money, I might even agree to it myself, but it will take decades to come to fruition anyway, by which time all the tech options and capability will have changed. It’s obviously uneconomic to try and convert all the current housing stock into a smart home state. It’s just not going to happen, but if every new appliance had an RJ45 or wireless built in, you could have the capability with no wiring changes.

As usual, government is behind the curve and never radical enough to catch up with the constant flow of tech...

Tridac

Re: Smart?

AlbertH:

That raises questions: Is the SSR controlling the main circuit, or the auxiliary circuit ?. 80 amp rating may not be enough for the main circuit at peak load, electric cooker, shower, storage heaters etc could reach 80 amps. Also, an SSR will drop 1-2 volts at least at full load, so a quick sum says 80-160 watts power dissipation in the SSR itself, which one assumes the consumer will be paying for. 160 watts dissipation would require a very big heat sink, or forced air cooling. Just how will they handle that ?. In this instance, a clunky old mechanical relay / contactor would be far more efficient. Finally, an SSR is normally off, so after every power cut, it will stay off until the meter has rebooted or it gets comms to reconnect the power.

Have they really thought this through ?. Seems like they need some real engineers on the job, rather than arts graduates with no clue...

Tridac

Commswonk,

It was just a back of the envelope figure and yes, one second setup time is optimistic and assumes a single interrogating device. The point being that it would take a whole raft of added infrastructure to provide any real time fine grained control of load and they already have that at substations, so that reason is a bit of a red herring. The only reasonable value I can see in this is for firmware / tariff updates, but how many consumers would actually keep track ?. That faces the same problem in bandwidth terms, especially if the tariff changes are required to reflect real time grid loading. Perhaps something like Tetra is the answer, but GSM modem hardware is dirt cheap these days. My bet long term would be internet connected, which is more reliable and could be done for about the same cost of hardware.

It's clear that smart meters are of no benefit to the consumer at all, so what is the real agenda, other than for the snooper multinational / state data collection programs ?. Perhaps the eventual aim is real time 24x7 data collection, so for extreme example, they could use load patterns vs time as supplementary evidence in dope growing trials. Yet another intrusion into privacy, imho...

Tridac

Re: Smart?

...£100 manufactured, certified, installed?

Interesting. Manufacturing cost should be low, as there’s not much more than a pcb and display in a modern meter. They don’t use an expensive current transformer, but a shunt, just a strip of metal, with all the power factor correction and calibration in the embedded firmware. There’s no reason why that should cost more than a few tens of pounds for production in the far east. The biggest cost will be the installation labour, but that’s a one time cost across the life of the meter and could be contracted out to telco / internet companies. As for “going wrong and other issues” the companies themselves should foot the bill, but doubt if that will be the case.

...Even now, it is only UK government interpretation of EU law than mandates smart meters

Ah, come the revolution (referendum), we might even get to the state of being able to tell the eu to fsck itself at last, then governments of any colour will have no excuse :-)…

Tridac

Seems to me that the main disingenuity here is that many non tech aware people will think that a smart meter will automatically save them money. That is how the idea is being sold, failing to mention that the only way to save money is to use less energy. Another agenda and half the story as usual. Can't imagine that most people will spend a lot of time looking at the meter to save every last fraction of a unit.

As for reading: Don't know how many meters they intend to install, but they could never read them all at once in real time. Assume 1 second per read and say 20e6 meters would take 231 days to read them all !!!.

Anyway, the rack of servers and old machines in my garage running 24x7 may show interesting statistics. Probably think i'm growing some unusual plant varieties :-)...

Tridac

Re: Smart?

Re: Smart

I doubt if there will be any facility to switch off the power within the meter. To do that would need at least a 100 amp contactor or solid state relay, which would cost more than the rest of the meter put together. Be assured that they will be made in China: Cheap, cheerful, unreliable and minimum parts count.

18 Billion does sound a lot. Assuming 100.00 each manufactured and installed, 50 E6 meters = 5 Billion. So how has this been calculated ?...

Internet daddy Vint Cerf blasts FCC's plan to ban Wi-Fi router code mods

Tridac

Re: Licensed?

Would upvote 10 for that if I could. Didn't think to look to see if it was in an ism band. How stupid could they get and just goes to prove that you really can't get the staff these days :-)...

Tridac

Re: On Balance Mucking Around In The 5GHz Bands May Not Be A Good Idea

Sorry, but airborne wx radars are all X band, something to do with the frequency being ideal in terms of atmospheric absorption of the signal, though pushing knowledge base there :-). They may be using 24GHz for specialised apps these days as well. Also, C band needs much larger antennae, no use for airborne unless for some specialised mil application. As for S band, ~1.25Ghz, that's transponder, SSR stuff, nowhere near wifi frequencies.

Can't comment on 5GHz wifi, as no direct experience, but doubt that would be a problem either. If you want the real elephant in the room for 2.4GHz, look no further than your friendly microwave oven: ~2.4 GHz range, with a frequency-unstabilised magnetron RF generator, 500-1000 watts, orders of magnitude more than wifi, driven from half wave rectified 50Hz mains power and polluting a wide spectrum. Could not be a worse example of spectrum irresponsibility and has been driving the radio astronomy folks, who really are looking for very weak signals, mad for decades.

As for channels, if I run network stumbler on the laptop, can see at least half a dozen nodes in this area, many of whom are on the same channel. How do they do this ?. Because spread spectrum tech is used with different spreading codes, perhaps using the MAC address as key, whatever, but they all use the same nominal channel and they all work without interference. If you look at wifi on a spectrum analyser, it looks like white noise and is not only difficult to detect and hack, but also makes very efficient use of a limited spectrum assignment and bandwidth. Vorsprung durch tech indeed :-)...

Tridac

Re: Software vs Firmware

Software was historically seen to be an application or OS running on the machine, the visible part. Firmware is code permanently programmed or "embedded" into the hardware, such as disk controller boot code, network and graphics adapter configuration etc. The BIOS image on your machine would normally be seen as firmware. Firmware usually ends up in flash or other type of non volatile memory, though the distinction becomes blurred at times, since mobile phones, for example, often have both OS and apps permanently stored in flash memory.

The customisation of wifi firmware really got going when some of the vendors started using open source code in their firmware (eg: Linksys) and thus had to release full source code due to OSS licensing rules. Later versions of Linksys routers used the VxWorks real time OS, where source code is not released, though hardware is slow to change between revisions and there are dozens that are modifiable.

It's really a harmless experimenter / hacker pursuit that contributes a lot to the state of the overall art and is no threat to anything, so why all the fuss ?. Thankfully, we don't have such draconian rules here in the UK...

Tridac

Re: VHS vs Wifi

Sorry, absolute FUD. Out of all the perhaps 1000 housewives surveyed who use 3rd party soap powder, how many a) have the ability or interest in retuning to different channels; b) Use amplifiers; c) Fit high gain antennae and d) Have the interest or ability to turn off the spread spectrum mode in software, even if that is possible and if that would be of any use or potential threat anyway.

Look, you can buy surplus and ready made transmitters for just about any frequency range of interest that are much more of a potential threat to established com services than any wifi router, yet there is no blanket ban on anyone buying such kit. Why ? - because other than the case of a handful of individuals, such usage has never been a problem.

That is the crux of the matter: Good law is made on a risk assessment basis and benefit / disadvantage basis. ie: where there is real need. Not to suit some civil servant using brain dead consultants for advice, to protect us all from a handful of individuals who may modify kit for illicit purposes. Otherwise, the law is brought into disrepute and mockery, even more than usual, though there is far too much of that getting in the way of getting anything done these days anyway...

Tridac

Re: On Balance Mucking Around In The 5GHz Bands May Not Be A Good Idea

Airborne wx radars used to be primarily at X band, ~10 GHz, not C band (~2.5GHz), nor at the ~2.4GHz of WiFi devices. Would the few 10's of milliwatts of such a device even be detectable by C band radar receivers unless it were right next door, spread spectrum that it is ?. Anyway, WiFi routers and devices are made down to a cost and use synthesisers to generate the frequencies involved and I doubt if the synthesisers are even capable of going far off band, if at all, though you could verify that via the Broadcom or similar data sheets for the device.

I agree that far more active spectrum usage needs to be regulated to avoid chaos, but this proposal just seems over the top and based on precautionary principle where in fact no threat exists anyway. I run modified firmware on my ancient WRT54Gs, but just how many people actually do this ?, < 1000 worldwide ?. A non-problem, imho, dreamt up by bureaucracy to justify its existence....

Tridac

Re: VHS vs Wifi

These devices run at frequencies unrelated to any emergency or aviation services, have an output of just a few 10's of milliwatts and an effective range of 10's of metres, so are very unlikely to cause interference with any sensitive services. Also, they run in spread spectrum mode, which is designed for low interference with adjacent channels.

Just looks like another example of the US paranoid control state mentality. Land of the free my a**...

Autonomy ex-boss Lynch tells of poisonous life within HP in High Court showdown

Tridac

Re: anxiously: They killed Compaq/Dec and 3Com as well.

HP became a pale shadow of their former self, where attention to detail, obsession with doing it right and bleeding edge innovation were originally the order of the day. I worked freelance at both Digital in Reading and 3Com in Hemel years ago. Digital were bought out by Compaq, then by HP. All three really good companies that just got sunk without trace once HP got their clumsy claws on them. They may have paid too much for Autonomy, but perhaps due diligence not their strong point, or was that sort of business "fashionable" at the time ?.

The days of HP being the best test equipment and top end computer vendor are over, just a set of box shippers and ink suppliers these days. A classic example of corporate greed and board room gross incompetence bringing a company down. Sic Transit Gloria, or what ?...

How to build a server room: Back to basics

Tridac

It's called power factor here in the uk and iirc, the US. Bad power factor means that the current is not in phase with the voltage in terms of the load, which can appear as though the systems are drawing more amps than the watt hour meters would suggest. It means that heavier cables must be installed to carry that wattless current. Older IT equipment was very bad in that respect and often presented a bad harmonic load to the supply as well. However, modern servers nearly all have power factor correction within the power supplies and it's not anything like the problem it once was...

Tridac

Re: [UPS] "batteries are only good for 3 to 5 years"

Battery life depends primarily on ambient temperature, but also on charging and load profiles. For example, telco quality batteries often have a rated 10 year design life, but that's only at 15-20 C ambient. If you increase that to 35 C, for example, you might only get a year or two design life. It's all on the data sheets for such batteries and the cooler you can keep them within reason, the longer the life. Charging regime needs to be right as well and even a few 10's of mV increase in float charge voltage can significantly reduce life. Float charge voltage also needs to be temperature compensated. Finally, every time you load test your UPS on these usually cheap underrated gel cell batteries, you typically put 10's of amps load on a battery which may only be rated at 10 ampere-hours capacity. This puts a lot of strain on the battery and reduces its life significantly, if done on a regular basis...

Ashley Madison made dumb security mistakes, researcher says

Tridac

Re: So...

Store them encrypted in (for example) a parallel directory to webroot, then use compiled cgi-bin slip functions to decrypt on the fly, access the resource, then clear any buffers used. The encryption doesn't even need to be complex - bit shifts and exclusive or is probably enough and is fast at cgi-bin level...

Tridac

Re: application development and security

web_programming != (software_engineering || systems_engineering)

Tridac

No one with any sense would ever store external server IP addresses, passwords etc in plain text within readable web site code. There are various simple methods to make life difficult. For example, if you use a compiled language for sensitive code, with cgi-bin executables, you can encrypt sensitive data as arrays within the binary, or store elsewhere, decrypt on the fly to access the resource, then immediately clear any buffers used. This means that an attacker has to access the binary, disassemble the contents, work out what the code is doing in terms of the on the fly decryption to get anywhere. Reverse engineering the code becomes even more difficult if you are running on non-x86 hardware, such as Sparc or Power, since even fewer people are fluent in the assembler than for x86.

Web sites seem to get more and more complex, which only increases the attack surface area and makes it more and more difficult to show the code is provably secure...
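
The decrypt-on-the-fly scheme from the two Ashley Madison replies above, as an added C example that is not code from the posts or from any named site. It implements the XOR obfuscation of a credential baked into a cgi-bin binary, a buffer wipe that the optimiser cannot delete, and the check a practitioner would run against the scheme before relying on it: recovering the XOR key from a handful of guessable plaintext bytes. The secret string and the key are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling "encrypt in the binary, decrypt on the fly, clear
 * the buffers". Not code from the original posts. Secret and key constructed. */

static const char kPlain[] = "dbpass:hunter2";             /* constructed secret */
static const uint8_t kKey[4] = { 0x5a, 0x13, 0xc7, 0x88 };  /* baked-in XOR key */

/* Repeating-key XOR: the same routine encodes and decodes. */
void xor_with_key(uint8_t *out, const uint8_t *in, size_t len,
                  const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key[i % keylen];
}

/* A plain memset() just before a buffer dies is a dead store the optimiser
 * may delete; writing through a volatile pointer forces the wipe
 * (use explicit_bzero()/memset_s() where the platform provides them). */
void secure_wipe(void *p, size_t len)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (len--)
        *vp++ = 0;
}

/* Build the obfuscated blob (in the real scheme this is a precomputed array
 * in the binary). Returns its length, or 0 if 'out' is too small. */
size_t obfuscate_secret(uint8_t *out, size_t cap)
{
    size_t len = sizeof kPlain - 1;
    if (len > cap) return 0;
    xor_with_key(out, (const uint8_t *)kPlain, len, kKey, sizeof kKey);
    return len;
}

/* Decode into a stack buffer, hand it to the caller's callback, wipe it.
 * Returns what the callback returned (0 if the blob does not fit). */
size_t use_secret(const uint8_t *obfuscated, size_t len,
                  size_t (*use)(const char *secret, size_t len))
{
    uint8_t buf[64];
    if (len > sizeof buf) return 0;
    xor_with_key(buf, obfuscated, len, kKey, sizeof kKey);
    size_t r = use((const char *)buf, len);
    secure_wipe(buf, sizeof buf);
    return r;
}

/* The caveat: repeating-key XOR is obfuscation, not encryption. Anyone holding
 * the binary who can guess as many plaintext bytes as the key is long (a fixed
 * prefix like "dbpass:", the dots of an IP, a URL scheme) recovers the key,
 * and with it every other secret keyed the same way.
 * Returns 1 and writes the NUL-terminated plaintext to 'out' on success. */
int attacker_recover_secret(char *out, size_t cap, const uint8_t *obfuscated,
                            size_t len, const char *known_prefix, size_t keylen)
{
    uint8_t key[16];
    if (keylen > sizeof key || strlen(known_prefix) < keylen || len >= cap)
        return 0;
    for (size_t i = 0; i < keylen; i++)            /* key[i] = c[i] ^ p[i] */
        key[i] = obfuscated[i] ^ (uint8_t)known_prefix[i];
    xor_with_key((uint8_t *)out, obfuscated, len, key, keylen);
    out[len] = '\0';
    return 1;
}

/* Callback standing in for "access the resource": reports the byte count. */
static size_t count_bytes(const char *secret, size_t len) { (void)secret; return len; }

/* Defender path: decode, use, wipe. Returns the secret length seen. */
size_t demo_defender(void)
{
    uint8_t blob[64];
    size_t len = obfuscate_secret(blob, sizeof blob);
    return use_secret(blob, len, count_bytes);
}

/* Attacker path: 7 known bytes against a 4-byte key. 1 if the full secret fell out. */
int demo_attacker(void)
{
    uint8_t blob[64];
    char out[64];
    size_t len = obfuscate_secret(blob, sizeof blob);
    if (!attacker_recover_secret(out, sizeof out, blob, len, "dbpass:", sizeof kKey))
        return 0;
    return strcmp(out, kPlain) == 0;
}

int main(void)
{
    printf("defender used %zu secret bytes and wiped the buffer\n", demo_defender());
    printf("attacker recovered the full secret from the binary: %s\n",
           demo_attacker() ? "yes" : "no");
    return 0;
}
```

The wipe is the part of the scheme worth keeping; the XOR step only raises the bar from "grep the binary" to "XOR the binary with seven guessed bytes", so anything that actually has to stay secret belongs in a file the web server user can read but the document root cannot serve, or in a secrets store, rather than inside the executable.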

Linux Foundation releases PARANOID internal infosec guide

Tridac

Re: "Good security starts at the perimeter"

Good point. I work from home mainly, with separate hardware interface subnets for domestic, lab and other services, so the chance of cross corruption is perhaps limited. I've never checked printers, but they are all so old that I doubt if they would be a target.

One client I worked for had a serious internally generated infection that cost days if not weeks of development time. They bought in a cheap batch of USB memory sticks (with virus installed), didn't check any of them, plugged in and wondered why nearly the whole site became infected. That could have been avoided simply by disabling autoplay using TweakUI, whatever. It's amazing just how many sites don't have unified security policies that would cover that sort of thing.

I'm not obsessive about security, but, for example, would ideally like all internet facing systems to be non-Intel architecture, though that is getting more difficult to do as the CPU arch gene pool continues to shrink...

Tridac

Good security starts at the perimeter and if you are using a dedicated hardware based firewall with dpi and other goodies, that should trap a lot of the bad stuff. The rest is common sense use of the internet and things like Adblock and Noscript on Firefox to provide fine grained control over scripts and cross site references that are allowed to run.

Have never used any antivirus software here, but none of our machines have experienced any bad stuff in > 10 years. There are risks, but there's loads of FUD around on this subject as well...

The Ashley Madison files – are people really this stupid?

Tridac

Gross stupidity and yet another example of how illiterate users and web site owners can be about online security. What's the betting that all the website code was in a scripting language in easily accessible subdirs, easily found even by schoolboy script kiddies using wget or similar.

Who in their right mind would give all their personal details and card numbers to a dodgy site like that and, secondly, did the site really store all that data in a plain text database, rather than encrypted? Sorry, but they all deserve what they got...

Pirate MEP: Microsoft's walled garden is no consumer pleasure park

Tridac

If you really need Windows for a particular application, then consider using a Windows server, rather than a desktop release. Earlier versions are not expensive on the usual site and the system management tools for things like security lockdown are streets ahead of the desktop release. What's left of unneeded services can be whittled down so that you have only a handful of processes running in the task list. If you run on server class hardware, you even get all the install tools from the vendor as well. Have been doing that for several years here without problem for the sw dev machines. Server releases do seem quite a bit more robust, as well as running all the apps needed for day to day work. Everything else is Linux, apart from a couple of Unix servers and laptops on XP, none of which have ever been a problem. Windows runs here on sufferance only. I wouldn't go anywhere near W10 and don't see any need for it ever, either. It's going to be a disaster for personal and company information security.

I need to have full visibility of everything running on the machines here and don't expect any of them to do anything other than what has been explicitly programmed to run or enabled...

Global spy system ECHELON confirmed at last – by leaked Snowden files

Tridac

Re: Nice article...

One has to ask, if they monitored and thus knew everything, why were they not aware that 9/11 was about to happen? A cynic might say that perhaps they didn't want to, in the same way that Churchill might not have shared intel that then brought the US into WWII. International politics can be a dirty business and not for the faint hearted. It's no use wringing hands and bleating about the rules if the opponent ignores them to advantage.

Some monitoring is obviously necessary, with ISIS and other groups at the gates of Europe. Some of them will eventually get through. As for the data, if you want to see the size of the task, just look up the data flow per hour on the internet worldwide. I doubt if they could monitor more than a small fraction of that, much of which will be encrypted anyway. Targeted intercept is the only way it can work and I doubt if they are really that interested in the colour of your other half's shorts :-)...

Bloke cuffed for blowing low-flying camera drone to bits with shotgun

Tridac

Re: How about ....

No BS. Something like an old Ekco or Bendix weather radar. IIRC, around 25-50 kW pulse power, as used in a lot of older aircraft, and they appear regularly on fleabay. More modern airborne weather radars are probably a lot more power and at X band the antenna size is manageable as well. You would not want to be standing on axis close to the antenna if you value your eyesight, or reproductive kit, even on the older models. You don't have to look very far on the web to find instructions. Here's one that looks like it uses a microwave oven magnetron:-

http://fear-of-lightning.wonderhowto.com/how-to/making-electromagnetic-weapons-directed-microwave-energy-0133231/

Thinking about it a bit more, you don't even need to do anything that complex, just jamming the telemetry link should drive the device out of control.

The US military have been experimenting with this stuff for years. Much higher power, but they have devices that will fry / disable missiles (for example) at quite a range...

Tridac

Re: How about ....

An old avionics X band radar should do that quite well at short range, or you could build a directed EMP box. Either would fry any unshielded sensitive electronics on the drone and be undetectable as well, thus avoiding arrest.

Typical US, brute force approach, even if it does sort of get the job done :-)...

Contractors who used Employee Beneficiary Trusts are in HMRC's sights

Tridac

Meanwhile, the multinationals get away with billions through tax (evasion) planning. Wouldn't it be a far better use of HMRC resources to pursue them, rather than go after entrepreneurial individuals for limited return?

Oh, I know, the big boys fight back and it must be *so* much work for those poor souls at HMRC...

Windows 10: THE ULTIMATE GUIDE to Microsoft's long apology for Windows 8

Tridac

Re: Multiple desktops

Unix / CDE had that from the start IIRC, but if you want that on older Windows versions, Sysinternals have the low footprint "Desktops" addon that does just that...

Moto fires BROADSIDE into the flagship phone's waterline with X Play and Style

Tridac

Re: Shame about the intercept..

I don't use smart phones at all, due to security and privacy concerns mainly. If I need mobile computing, I use a netbook with or without GPRS, or if serious computing, a desktop. A mobile is just for making calls or texts, not the meaning of life. If I miss a call and it's important, they can call me back.

As for companies, remember Google are a *data* gathering and sales company, while Microsoft are still pretty much a tech company. A fundamental difference and I know who I would trust more to protect privacy....

Are you a Tory-voting IT contractor? Congrats! Osborne is hiking your taxes

Tridac

Re: The Joys (and not) of Contracting

Hah, well, my other car is nearly 21 years old and I still do most of the maintenance as well, though it seems that’s an old fashioned idea. I guess the point was that money and material goods are not the main driver. If there’s enough to pay the bills, keep the tech up to date and the occasional treat, that’s good enough, though the leccy bill can be astronomical if you keep machines running 24x7 :-).

The fundamental problem with employed status is that the system seems geared so that the majority only just keep up with the monthly outgoings. I see that as a kind of entrapment and it severely limits the choices you can make. You have to accept that there are no long term careers in industry any more. No status to strive for either. For example, tube drivers with a few months' training earning the same or more than an engineer with a lifetime of experience and an ongoing requirement for continuing education. Not that I begrudge them, but why spend years learning and keeping current with a subject if you can achieve the same salary for less effort? Most work to live, not for its own sake. For most people, a mortgage + 2 kids + PAYE job = trapped in the mill for 20 years at least. No surprise that many tell the system to spin on it and go freelance. If you live frugally, you can end up with a wedge of cash to invest in projects or other business ventures. A springboard to something you really enjoy doing, rather than a mundane job with no choices. A bleak and insecure future stretching out to retirement…

Tridac

The Joys (and not) of Contracting

I’ve been a contractor since 1985 and can’t imagine working any other way. In the early days, you could work contract as a sole trader, but that changed when the agencies became liable for tax default by the contractor, though not if you had a good relationship with your agent. The good ones used to take you out for pub lunches every so often to make sure everything was running right and, I suspect, gain intel about the company. In those days, rates were such that you could be earning double or three times the basic salary of a permanent employee, but not now. Employed salaries have increased significantly, while contract rates have been essentially static for 10-15 years. There has been some increase recently, which is the clearest sign to me that the economy is picking up, but there’s a lot of catching up to do.

You can get a lot of flak from the permies at some sites. Petty jealousies about remuneration and difference in ability, or they just don’t want any contractor, as it can show them up and the games that are being played. It can be a real problem, but it’s usually the result of company culture / management failure. Not valuing their workforce, riding them hard with no encouragement or reward. You see that more and more these days, but find a well run company where people are respected, valued and encouraged to get the best result and you can make a real difference to a project. A good contractor will often have far greater experience and knowledge base due to the variety of companies worked for and projects worked on. Don’t expect any of that to cut any ice though. Contractors are often brought in only when a project is in serious trouble anyway, looking for someone to blame and an atmosphere you could cut with a knife :-). If you find that, move on as it’s already too late to save the ship.

Although the (potentially) added income can be great, it was always more for me about the freedom and scope to find the sort of work that I really want to do. Full time employment just takes up far too much time. Ideally, a year or two contracting, followed by 6 months or a year off to catch up with fresh skills, work on some of my own projects etc seems the ideal way to live. The downside is that you can be in real trouble in a recession and there have been periods of up to 2+ years without regular work. Even that isn’t so much of a problem now, as you can buy and sell on Ebay etc to keep the wolf from the door. You just need to be very adaptable and prepared to take risks, which doesn’t suit everyone. What it has done for me is given me more choices, kept me up to date with the tech and allowed me to fit out a better equipped dev lab than many of the companies I work for. Still running a 12 year old car though, but so what ?…

RC4 crypto: Get RID of it already, say boffins

Tridac

Re: WPA or WPA2?

There may be unbreakable systems, but if you are responsible for the security of an organisation, the only safe assumption is that single point encryption can be broken, i.e. the channel is assumed to be insecure, facing an adversary with sufficient resources. There are probably any number of ways to mitigate weak wifi encryption, i.e. encrypting the data before it reaches the wifi router and, at an access control level, doing things like MAC address filtering and using a RADIUS server. Not foolproof, but it makes the task more difficult.

Good security is not just about one aspect, but should be an integrated approach where as many of the possible holes as possible are accounted for. Engineering applies: Speed, Security, Cost. Pick any two :-)...

Biting the hand that feeds IT © 1998–2020