* Posts by Testy McTester

14 publicly visible posts • joined 11 Nov 2011

The perfect CRIME? New HTTPS web hijack attack explained

Testy McTester

Re: Theoretical ?

Because it's trivial for a sniffer to read the inner packet. Considering that your proposed "packet wrapping" protocol will have to be well known for a useful number of servers to actually support it, sniffers will know about it too.

It's called security by obscurity, and it works very badly.

UK boffins get £3.8m pot to probe 'science of cyber-security'

Testy McTester

Virtual organisation

"The lab [...] is a virtual organisation involving several universities."

So not really organised then.

Firefox 14 encrypts Google search, but admen can still strip-search you

Testy McTester

HTTPS does not prevent tracking.

"The move also quietly undermines Mozilla’s crusade in the past years on maintaining the privacy of netizens by using Do-Not-Track to anonymise users' searches."

"Do not track" does absolutely nothing to anonymise users' searches. All it does is add an extra HTTP header, "DNT: 1", indicating to the server that the user does not want to be tracked. This is a political, not a technical, approach, and I worry that users will think it actually gives them some sort of real protection. In fact I think it's rather amusing how a web browser can basically say, "please do not track me! Thanks. And by the way, the unique identifier you gave me last time is ac2983b6."

Using HTTPS by default is a good thing, even if it is only for Google searches. HTTPS authenticates the server and provides confidentiality from anyone intercepting or tampering with the connection between your browser and the web server, so your ISP, or the shady laptop user in the corner of the café, cannot see what you're searching for. It has nothing to do with whether the web server can track you or not.

"Additionally, using HTTPS helps providers like Google remove information from the referrer string."

If Google suppresses tracking when you use HTTPS (which I doubt), it's because Google decided to do that. Using HTTPS neither helps nor hinders.

"If you happen to click on an ad on a page you hit then the encryption is removed and advertisers can see who you are and where you’ve been."

Advertisers probably see that information without your clicking on it. HTTPS is to stop people intercepting your connection, it does nothing to control what the remote server does with the information you send it. (Note that advertisers don't intercept TCP connections to gather data, Google gives the data to them.)

Testy McTester

Re: Easy peasy

I always have the referer header disabled. The only problems I've noticed (that I remember) are an on-line banking site not working, and the links to W3C's mark-up validator. Try it. It breaks fewer sites than you might think, and it's very easy to put it back again.

Pyrotechnic boffin poised to light LOHAN's fire

Testy McTester

Re: <- Obligatory

*views image information*

It's a PNG. Bother.

Microsoft 'didn't notice' it had removed Browser Choice for 17 months

Testy McTester

Re: Err...

Never admit as a balls-up what you can get away with calling a "technical error".

Password flaw leaves MySQL, MariaDB open to brute force attack

Testy McTester

The C library was not at fault.

This is an integer overflow vulnerability resulting from the mistreatment of the return value of memcmp.

The memcmp function can return any integer, but MySQL converted its return value to my_bool (a typedef of char), causing an integer overflow if memcmp returned a value outside the range of a char (typically -128..127). An implementation of memcmp that returned values in -128..127 would hide this vulnerability, but another, equally valid implementation of memcmp returned values outside that range.

What is most shocking is how few programming languages (even "modern" languages like Java, Caml, ...) actually bother to handle integer overflows properly.
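To make the truncation concrete, here is a small added illustration (not code from MySQL, MariaDB, or the poster; the `wide_memcmp` function, the string inputs, and the two comparison helpers are constructed for this example). The C standard fixes only the sign of `memcmp`'s result, not its magnitude, so a conforming implementation may return values well outside the range of a `char`; storing such a result in a `my_bool` before testing it for zero silently turns a mismatch into a match, which is the defect the post describes. The corrected helper tests the full `int` result.

```c
#include <stddef.h>
#include <stdio.h>

/* Mirrors the typedef the post describes: a boolean stored in a char. */
typedef char my_bool;

/*
 * Constructed stand-in for memcmp. Returning the byte difference scaled by
 * 256 is still a valid implementation (sign is correct, magnitude is free),
 * and it is exactly the kind of result that truncates to zero in a char.
 */
static int wide_memcmp(const void *s1, const void *s2, size_t n)
{
    const unsigned char *a = s1, *b = s2;
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return ((int)a[i] - (int)b[i]) * 256;
    }
    return 0;
}

/*
 * Vulnerable pattern: the int result is squeezed into a char before the
 * zero test. Converting an out-of-range int to char is implementation-
 * defined; common compilers keep the low 8 bits, so 256 and -256 become 0.
 */
int equal_truncated(const void *a, const void *b, size_t n)
{
    my_bool r = (my_bool)wide_memcmp(a, b, n);
    return r == 0;
}

/* Corrected pattern: compare the full int result against zero. */
int equal_checked(const void *a, const void *b, size_t n)
{
    return wide_memcmp(a, b, n) == 0;
}

int main(void)
{
    const char stored[] = "abc";
    const char supplied[] = "abd";   /* differs in the last byte only */

    printf("wide_memcmp      : %d\n", wide_memcmp(stored, supplied, 3));
    printf("equal_truncated  : %d (wrongly reports a match)\n",
           equal_truncated(stored, supplied, 3));
    printf("equal_checked    : %d\n", equal_checked(stored, supplied, 3));
    return 0;
}
```

The lesson for reviewers is the one the post makes: a comparison result declared `int` must be tested as an `int`; any narrowing conversion of a library return value before a sign or zero check deserves a second look.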

Smoke-belching flash drive self-destructs on command

Testy McTester

Re: Disk encryption?

It need only delete the encryption key. Besides, is overwriting with random data really that insecure? This just seems like the idea of someone who likes blowing things up and selling replacement storage devices.

Testy McTester

Disk encryption?

And the problem with disk encryption was...?

Best and the Rest: ARM Mini PCs

Testy McTester

No competition.

The article starts with:

"The Raspberry Pi – if you can get your hands on one – isn't the only small, inexpensive ARM computer around these days."

Pity the article didn't mention any ARM computers remotely as cheap as the Raspberry Pi.

Sony Tablet P split-screen Android fondleslab

Testy McTester

Split screen

And how is that any better than using a window manager on a single screen?

Boring BOFHs want cash prize more than space flight

Testy McTester


I'd have thought that would've been obvious. Perhaps if you think of the question slightly differently: if you could afford a space flight, would you do it, or would you spend the money on something else? Considering what else you could do with the money, compared to how short a space flight would be, I'm not surprised.

Dud Mars probe's explosion will spare Earth's cities

Testy McTester

Then it would be typical...

that we'd be trying to communicate with many cheap probes in low-Earth orbit, to find out why they all failed to leave their orbits.

Where are all the decent handheld scribbling tools?

Testy McTester

A real pocket computer

"My Ben Nanonote never leaves my pocket, very portable but the keys lack travel for comfy typing (does fine for a quick note or an on-the-go Quake or Nethack game though)."

And you do all that, without even taking it out your pocket? Amazing!