Posts by Mike Cardwell

104 publicly visible posts • joined 16 Jun 2007


NBD: Adobe just dumped its private PGP key on the internet

Mike Cardwell

Re: Also all, previous data

Typically you encrypt with a public key so that only the holders of the private key are able to decrypt it.

You *can* encrypt with a private key, but the only real use case of that is for signing. Signing is basically generating a hash of some content, and then encrypting that hash with the private key so that anyone with your public key can verify that it was you that generated the hash.
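The "hash, then encrypt the hash with the private key" description above, as an added example that is not part of the original comment. It uses textbook RSA with a constructed toy key (two known Mersenne primes, no padding, a truncated hash), purely to make the sign/verify roles of the two keys visible; a real PGP implementation uses a full-size key and a padded signature scheme, and the helper names here are my own:

```python
import hashlib

# Constructed toy RSA key: two known Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q                                  # public modulus (~92 bits)
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+ modular inverse)


def digest(message: bytes) -> int:
    """Hash the content, truncated to 64 bits so the integer fits below the toy modulus N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """'Encrypt' the hash with the private key: only the key holder can produce this."""
    return pow(digest(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """'Decrypt' the signature with the public key and compare it with a fresh hash."""
    return pow(signature, public_exponent, modulus) == digest(message)


if __name__ == "__main__":
    msg = b"release notes v1.0"            # constructed sample content
    sig = sign(msg)
    print("signature:", sig)
    print("verifies:", verify(msg, sig))
    print("tampered verifies:", verify(msg + b"!", sig))
```

Anyone holding only E and N can run `verify`; producing a valid `sig` needs D, which is exactly why a leaked private key matters and a leaked public key does not.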

Mike Cardwell


The private key is encrypted. Unless you know the password for it, you can't do any of the things that you're claiming with it.

Get coding or you'll bounce email from new dot-thing domains

Mike Cardwell

Harder than it looks

So when somebody comes along and enters something like "postmaster@öß.com" into an email field in a web app, where do I send the email to? Do I follow IDNA2003, IDNA2008 or UTS46 rules? Do I do UTF-8 case folding? I.e., does the email ultimately get sent to "postmaster@xn--zca9b.com" or "postmaster@xn--ss-eka.com"? Should I check to see if all of the various ASCII encodings exist in the DNS and fail with an "Ambiguous domain" error if there are more than one?

I'd like to support internationalised domains, but there doesn't seem to be a "correct" way of doing it at the moment.

It also doesn't help that none of the popular open source databases or mail servers have functions built in for doing the conversions. So I can't store the Unicode representation of a domain in a database and then expect my mail server to be able to transform the incoming punycode encoded version to Unicode before doing lookups against that database.
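The two candidate encodings the comment above asks about, computed side by side, as an added example that is not part of the original comment. It uses only the standard library's Punycode codec plus `str.casefold()` to stand in for the IDNA2003/UTS46 mapping step (which turns ß into ss), and a plain NFC pass for the IDNA2008 behaviour (where ß is kept); the function names and the "ambiguous if the two forms differ" rule are my own:

```python
import unicodedata


def to_ascii_label(label: str) -> str:
    """Encode one already-normalised label as Punycode with the IDNA 'xn--' prefix."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.encode("punycode").decode("ascii")


def ascii_form_mapped(domain: str) -> str:
    """IDNA2003 / UTS46 style: case-fold first (ß -> ss), NFKC, then Punycode each label."""
    labels = unicodedata.normalize("NFKC", domain.casefold()).split(".")
    return ".".join(to_ascii_label(label) for label in labels)


def ascii_form_unmapped(domain: str) -> str:
    """IDNA2008 style: ß is PVALID and kept as-is; only NFC normalisation before Punycode."""
    labels = unicodedata.normalize("NFC", domain).split(".")
    return ".".join(to_ascii_label(label) for label in labels)


def candidate_domains(address: str) -> set:
    """All ASCII domain forms an address could resolve to under the different rule sets."""
    _local, _sep, domain = address.rpartition("@")
    return {ascii_form_mapped(domain), ascii_form_unmapped(domain)}


def is_ambiguous(address: str) -> bool:
    """True when the rule sets disagree, i.e. the mail could go to two different hosts."""
    return len(candidate_domains(address)) > 1


if __name__ == "__main__":
    for addr in ("postmaster@öß.com", "postmaster@münchen.example", "postmaster@Example.COM"):
        print(addr, "->", sorted(candidate_domains(addr)), "ambiguous:", is_ambiguous(addr))
```

For "postmaster@öß.com" the two forms are exactly the ones named in the comment, `xn--ss-eka.com` and `xn--zca9b.com`; a validator that refuses addresses where `is_ambiguous` is true (or resolves both in DNS before accepting) avoids silently picking one.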

Skype IDs hijackable by ANY FOOL who knows your email address

Mike Cardwell


"it is also possible to download private chat logs for the compromised account" - This is why people should use OTR. If your IM provider doesn't have your chat logs, they can't leak them.

Password flaw leaves MySQL, MariaDB open to brute force attack

Mike Cardwell

You're missing the point

Shared hosting? Privilege escalation? Even if there were no MySQL installations in existence with an Internet facing network interface, this would still be a massive problem.

What downturn? Lenovo stuffs pockets with 54% extra profit

Mike Cardwell

Macbook vs Thinkpad

I had two IBM Thinkpads, then a Macbook, and now a Lenovo Thinkpad (T420). I haven't noticed any difference in quality between the Thinkpads. They've all been great pieces of reliable kit. The Macbook on the other hand had numerous hardware failures in the 3 years I had it. The power supply died, the battery died, the hard drive died, and the plastic casing started flaking off.

Why O2 shared your mobile number with the world

Mike Cardwell


HTTPS and SPDY both solve this problem. Personally, all of the Internet traffic leaving my mobile phone goes over a VPN to my server, so I get a clean connection.

Iomega TV with Boxee

Mike Cardwell


Boxee's pretty good. As long as you don't mind sending them data about everything you watch and when you watch it - https://grepular.com/Boxee_TV_Helps_Its_Self_To_Your_Viewing_Habits

T-Mobile 'fesses up to secure email ban gaffe

Mike Cardwell

No conspiracy theory here

As the author of the post, I'd just like to say something. All I described was what I saw, and how I got around it. I compared its "technical" behaviour to that of China's firewall, because both use spoofed RST packets to disrupt connections. I didn't provide any commentary on my opinions of why they were doing the blocking, or whether or not they should. I don't consider it a "news piece", rather a simple technical description of a problem and a solution, for people to learn from. A lot of people have twisted what I wrote to make it sound like I'm describing some sort of conspiracy. If that's what you think, read my article again. To be fair, TheRegister has probably twisted it the least amount. Compare it to the boingboing.net interpretation for a laugh.

Google preps Chrome fix to slay SSL-attacking BEAST

Mike Cardwell


SSL v1.0 was never released to the public, SSL v1.1 and v1.2 never existed. I think you mean TLS. There's a really good summary of the history of SSL and TLS on Wikipedia:


TLS 1.0, otherwise known as SSL 3.1, came after SSL 3.0.

Hackers break SSL encryption used by millions of sites

Mike Cardwell


Most sites don't check to make sure that the request was a POST rather than a GET. This is unimportant anyway, because creating cross-site POSTs is almost as easy as creating cross-site GETs:

<form method="post" action="https://target.site.example.com/changepassword.cgi">
<input type="hidden" name="newpassword" value="foo">
<input type="submit" id="submit" value="submit">
</form>

<script type="text/javascript">document.getElementById('submit').click();</script>

There are defenses against this attack, but 99% of sites don't use them. And before you go off on one about sites requiring you to enter your old password as well, stop attacking the particular example, and think about the "class" of attacks that are available.
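The "defenses against this attack" the comment refers to, as an added example that is not part of the original comment: server-side validation that rejects the auto-submitted form above. It combines the two standard checks, a per-session synchronizer token and an Origin/Referer comparison, in plain Python with no web framework; the secret, the site origin, the header and form dictionaries and the function names are constructed for the example:

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values: a per-deployment secret and the site's own origin.
SERVER_SECRET = b"constructed-server-secret-change-me"
SITE_ORIGIN = "https://target.site.example.com"


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session; a foreign page cannot read or derive it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    """Reduce a URL (Origin or Referer header value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def state_change_allowed(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Decide whether a state-changing request (e.g. changepassword.cgi) may proceed.

    headers: request headers with canonical names ("Origin", "Referer"), assumed.
    form:    the decoded form fields, including the hidden "csrf_token" field.
    """
    if method.upper() != "POST":
        return False                      # never mutate state on GET (blocks the <img> variant)
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or _origin_of(origin) != SITE_ORIGIN:
        return False                      # cross-site, "null" or header-less submission
    supplied = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    # Constant-time comparison so token guessing cannot be timed.
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    sid = "session-123"                   # constructed session id
    attack = {"newpassword": "foo"}       # the hidden form above: no token, foreign Origin
    print("attack allowed:", state_change_allowed("POST", {"Origin": "https://evil.example"}, attack, sid))
    legit = {"newpassword": "foo", "csrf_token": csrf_token_for(sid)}
    print("legit allowed:", state_change_allowed("POST", {"Origin": SITE_ORIGIN}, legit, sid))
```

Either check alone is already enough to stop the posted form; the token check also covers browsers that strip the Origin header, and the origin check covers a token that leaks through some other bug.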

Mike Cardwell

"That's a choice."

"That's a choice."

I know that you *can* enable certificate verification. I've done it myself in Exim. That only happens in very limited and minor cases though. Where the two communicating systems know each other and the administrators of both systems have a reason to want to enforce it.

I'd bet at least 99.9999% of SMTP traffic is either not encrypted, or encrypted without certificate verification.

Mike Cardwell


In this attack, the cookies aren't being read using JavaScript. HttpOnly doesn't help.

Mike Cardwell

"How does your browser know that a request from another tab to the same site should be blocked?"

It doesn't need to block anything. The "secure tab" gets its own cookie store. When you log into a site inside that secure tab, the secure tab's cookie store contains your session cookie. Any other tab that tries to launch an attack against the site will be launching it against a site which it isn't logged into.

This would also allow people with multiple accounts at the same site to log in multiple times from different secure tabs.

Mike Cardwell

I'm not convinced that the attack will *require* javascript to work. Will have to wait and see when it's demonstrated on Friday. If all it requires is lots of slightly different cross site requests, it can probably be initiated by injecting lots of hidden img tags or similar into the launch page, rather than injecting javascript.

He will only be susceptible to this attack if he visits other sites at the same time as being logged into the bank website. You shouldn't be doing this anyway because of the prevalence of XSS and CSRF vulnerabilities. This attack just gives you another reason.

Mike Cardwell

SMTP can already be trivially MITM'd

SMTP can already be trivially MITM'd because SMTP servers don't do any sort of certificate verification. Basically the majority of SMTP is unencrypted, and even that which is protected by TLS is "protected" by self-signed certificates that aren't even checked/verified.

SMTP TLS is good for defending against passive observers opportunistically, but if somebody can intercept the connection, on either the sending *or* receiving side, you're screwed.

Mike Cardwell

You misunderstood the attack

The javascript is being slipped into a http response from a site other than the target https site.

The trouble is, people visit https and http sites at the same time. If the target is logged into a https page, and then visits a http page on a different site, you can inject stuff into that http page that will initiate requests against the target site.

Eg, you could stick this bit of code in the http page if the target site is vulnerable to CSRF:

<img src="https://target.site.example.com/changepassword.cgi?newpassword=foo">

And if the target site doesn't use Strict-Transport-Security, and hasn't set the Secure flag on their cookie, you can cause the browser to initiate a non-ssl http request against the target to leak their cookie by simply slipping this into some unrelated http request to a different site:

<img src="http://target.site.example.com/">

You'll notice how both of those attacks work against browsers that have javascript disabled. This is why I use the Firefox addon RequestPolicy alongside NoScript.
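The second attack above hinges on two server-side settings, the cookie's Secure flag and Strict-Transport-Security. The following added example (not part of the original comment) models what a browser does with a session cookie when a hidden `<img src="http://target.site.example.com/">` fires, with the weak configuration beside the corrected one. It uses the standard library's `http.cookies` parser; the `hsts` flag stands in for a cached HSTS policy for the host, and the function name and result keys are my own:

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_exposure(set_cookie: str, hsts: bool, request_url: str) -> dict:
    """Model one cookie's fate when a page triggers request_url.

    set_cookie:  the Set-Cookie header value the site sent at login.
    hsts:        whether the browser already holds a Strict-Transport-Security
                 policy for the host (constructed flag; browsers key this per host).
    request_url: the URL some other page made the browser fetch.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))      # single cookie for this model
    scheme = urlsplit(request_url).scheme
    if hsts and scheme == "http":
        scheme = "https"                   # HSTS rewrites the URL before any packet leaves
    secure_only = bool(morsel["secure"])   # Secure flag: cookie only travels over https
    sent = scheme == "https" or not secure_only
    return {
        "scheme_used": scheme,
        "cookie_sent": sent,
        "leaked_in_clear": sent and scheme == "http",
    }


if __name__ == "__main__":
    trigger = "http://target.site.example.com/"   # the injected <img> from the comment
    cases = {
        "no Secure flag, no HSTS": ("session=abc123; Path=/", False),
        "Secure flag only":        ("session=abc123; Path=/; Secure", False),
        "HSTS only":               ("session=abc123; Path=/", True),
        "Secure flag + HSTS":      ("session=abc123; Path=/; Secure", True),
    }
    for label, (header, hsts) in cases.items():
        print(f"{label:28} -> {cookie_exposure(header, hsts, trigger)}")
```

Only the first row leaks the cookie over plaintext; the Secure flag stops the browser attaching it to an http request, and HSTS stops the http request from being made at all, so a site wants both (HSTS also protects against the first, CSRF-style request being downgraded).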

Mike Cardwell

This is incorrect

My understanding of the attack is that the attacker MITM's a random non secure http response body, and injects javascript into it, which initiates cross site requests from the target browser to the target https page. The attacker then watches the https traffic and can learn interesting information from it.

The fact that your bank has javascript in their pages doesn't help or hinder the attack.

As I use the Firefox addon RequestPolicy, I should be immune from this attack. The attacker won't be able to initiate the cross site requests unless I tell RequestPolicy to allow them.

Go SMS Pro

Mike Cardwell

Encrypted SMS

I prefer TextSecure by http://whispersys.com/. Allows you to send/receive encrypted SMS, and also uses public key cryptography to encrypt SMS on your device.

Called 999 recently? They've got your number

Mike Cardwell


The sort of kooks who write articles like this give a bad name to people who have legitimate concerns about data being stored which shouldn't be stored.

Of course the emergency services keep a record of who calls them! What the hell is wrong with that? I'm surprised they've kept the data for as long as 12 years, but still, it's not that big a deal...

Cell phone search needs no warrant, say Cal Supremes

Mike Cardwell

PGP Email

Also, to use PGP on Android install APG (Android Privacy Guard). Then to use PGP with email install K-9. It's much better than the standard email client anyway, but it also plugs in to APG.

Mike Cardwell


People with Android phones. Use TextSecure from Whisper Systems. It's a drop-in replacement for the standard SMS app, and works almost exactly the same. It uses public key encryption so your SMS are automatically encrypted, and to view them you have to enter the password for your private key. It also uses public key encryption to encrypt messages over the air between two TextSecure users.

Of course, the police can always go to the network providers who will have a log of all SMS transmitted, but messages encrypted over the air are safe from content inspection.

And of course, if you're in the UK, the police can simply throw you in jail for not handing over the password :( US users are safe from that shit though.

'Porn lock' heralds death of WikiLeaks, internet, democracy, universe

Mike Cardwell

Registered porn viewers?

I wonder how long it would take before an unencrypted copy of one of these registered porn viewer lists gets left on a USB stick on a bus.

Terracotta dumps Big Java's garbage problem

Mike Cardwell


"As servers with hundreds of gigabytes of memory have become the norm"

When did that happen?

Opera Mobile pops up on Android

Mike Cardwell

Not for G1's

Runs dog slow on my G1. Keeps crashing, and doesn't seem to ever finish loading any pages. Didn't have problems like this with Opera Mini. Opera Mini was only very slow, not dog slow, and didn't render lots of pages correctly.

Mike Cardwell


Great. Opera Mini is crap, but I don't want to use the bundled browser because I'm one of the two thirds of Android users who are still on <=2.1, i.e. running a trivially exploitable default browser. Hopefully this version is better than Mini at rendering websites.

Researcher outs Android exploit code

Mike Cardwell

Opera Mini

I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.

Scroogle busted again after Google tweak

Mike Cardwell

New owners?

Daniel doesn't sound very keen about keeping this service running anymore. I wonder if somebody else would be willing to take it over. A trusted authority like the EFF maybe?

Interestingly, DDG no longer seems to require JavaScript. I might try them out now:


Their privacy policy is superb: https://duckduckgo.com/privacy.html - They don't log IP addresses or User Agents, they have a Tor onion address, and they even go out of their way to prevent search terms leaking to the destination site via referers...

Google boss: 'Creeped out by Street View? Just move'

Mike Cardwell

Unclear? Really?

"it's unclear whether the comment was meant as a joke."

I can see how that would be unclear to a buffoon, yes. To a thinking person, it's pretty clear it was a joke, so suggesting otherwise is disingenuous.

I'm not commenting on the tastefulness of the joke.

Facebook to encrypt user IDs to block 'inadvertent sharing'

Mike Cardwell


DuckDuckGo addressed a similar problem with information leakage through HTTP headers a few months back:


Facebook is 'killing privacy for commercial gain'

Mike Cardwell


"Or rather, no sign-up is needed. After all, every time you use a search engine (ANY search engine AFAIK), you give away data for free that ad agencies will use to slam targeted ads in your face."



"If you're on the Internet, they probably know all about you already"


Firefox + AdBlock + Beef Taco + Flash Block + HTTPS Everywhere + NoScript

Web marketers pledge easier targeted ads opt-out

Mike Cardwell

Solved problem

No Script + Flash Block + Better Privacy + Cookie Monster + AdBlock + Ghostery + Beef TACO

Piracy threats lawyer mocks 4chan DDoS attack

Mike Cardwell


Whilst I agree with his sentiment, provoking 4chan is not a good idea.

Code for open-source Facebook littered with landmines

Mike Cardwell


Bugs are to be expected, but there's no reason to have things like XSS flaws and bad user input validation, even in "pre-alpha" software. That just suggests bad coding practice and generally sloppy programming.

Mobile phones for minimalists

Mike Cardwell


A lot of people have smartphones these days that barely last 24 hours before needing to be recharged. I would definitely buy one of these phones to take camping, on holiday and on weekends away alongside my smartphone.

However, it doesn't mention SMS, and by the sounds of it, it doesn't support SMS. That rules it out for me. Like most people, I spend more time talking via SMS than via voice...

Coalition launches extradition treaty review

Mike Cardwell

Missing information

"62 people, including 28 UK nationals or dual citizenship holders, have been extradited from the UK to the US"

Is this more or less or the same as it was before the changes in 2004?

Group Test: smartphone satnav apps

Mike Cardwell

T-Mobile UK PAYG

"Android users on contract tariffs with bundled data, but will raise issues if you are on PAYG or roaming abroad. "

T-Mobile UK PAYG does a really good data deal. I pay 20 quid for a 6 month booster which gives me 1GB of allowance each month. That equates to £3.33/month. You don't get charged if you exceed that limit, but they will warn you about it. You're not going to hit 1GB a month unless you're downloading videos every day or doing a lot of tethering. Perfect for navigation+web browsing+email though.

I'm not associated with T-Mobile other than as a customer.

Android gets talk-tastic Froyo upgrade

Mike Cardwell

American accents only

You forgot to mention that it's American English accents only at the moment. It doesn't cope with British accents yet.

ASA: You can't say 'f**k'

Mike Cardwell


Is "fsck" allowed?

New 'Tolpuddle Martyrs' demand £50 a day

Mike Cardwell

"Unite's press release doesn't note how many hours the guides put in"

A pretty vital piece of missing information. You're journalists aren't you? Do some journalism and find out...

Vonage offers free 3G calls for iPhone, Droid Facebookers

Mike Cardwell

Re: T-Mobile

Is that enforced? I.e., do they block ports/IPs to prevent you from doing it?

Mike Cardwell

VOIP != Streaming Music

"I already drive around streaming spotify without issues...until I go out to the countryside that is."

Streaming music over 3G bears no resemblance to VOIP over 3G. If you're streaming music, latency isn't an issue because it can buffer the content. You can't buffer VOIP though; even a small amount of latency would cause gaps in the conversation. You need a constant, stable, low latency connection in order to have a reasonable quality conversation and 3G simply doesn't provide that in practice.

VOIP over 3G works, but it sucks badly. I don't know why anyone would choose to use it. In fact, I doubt anybody does. Does anyone here do it? Has anyone here tried it and then gave up because of how shit it is?

Mike Cardwell

Re: Free?

> Is this "free" as in "uses data allowance" for those not on an unlimited contract?

I would assume so. I'm on T-Mobile UK PAYG and with their £20/six months Internet booster I get "unlimited" (1GB) of bandwidth each month for £3.33, which is practically free.

Opera Mini de-betas on Android

Mike Cardwell


My God. It still doesn't support line-height. What sort of a modern browser doesn't support line-height. It was in CSS version 1 ffs. Think I'll stick with the standard browser for now. At least it renders websites properly.

Privacy watchdogs: Silence isn't cookie consent

Mike Cardwell

HTML5 - Local Storage

Is this really just for cookies? If so, it's a little short-sighted. Local storage in HTML5 anybody? Most adverts require JavaScript in order to work anyway, so there's nothing stopping the advertiser's JavaScript from storing data locally in the web browser, and then fetching it later when another advert is loaded from JavaScript on the advertiser's domain. All without using cookies.

Man charged with malware 'sextortion' plot

Mike Cardwell


If he is guilty of those crimes, then the two year maximum sentence is insane. I'd have thought at least ten years... Two years inside is an annoyance, ten years is punishment. The guy is clearly a deranged asshole.

Firefox comes over all cloudy

Mike Cardwell


Why would you use this, when XMarks exists? http://www.xmarks.com/ - Synchronises your bookmarks between Firefox, Safari, Chrome and IE. Also supports password and tab syncing.

Superslim iPhone 4 enough to fend off Android?

Mike Cardwell


"Now, at least, the handset has a front-facing camera - present on most smartphones for video calls"

Present on "most smartphones"? That's a load of bull crap. *Some* smartphones have front-facing cameras, the vast vast majority don't. No Android phones have a front-facing camera for example...