* Posts by clocKwize

84 publicly visible posts • joined 24 Nov 2011


Just say the 'magic password': Boffins turn up potential backdoor in SQL Server 2012, 2014


Not news

"code with administrator privileges able to perform actions only an administrator should be able to do"

This is not news, nor a vulnerability. Show me an application that can't be hooked into in some way given the necessary permissions on the machine.

This is literally what people cracking applications do to remove licensing restrictions, and what game cheats do to hook into a game and add extra functionality (like seeing through walls, automatically aiming at people, etc.)

On the other side of the argument, it's an impressive thing to reverse engineer an application to this extent, especially one so complex!

That Telegram feature that let you delete your private messages on recipients' phones? It didn't work properly


Yes, that's a likely occurrence and has also happened to me. People get notifications for messages received; if they're looking at their phone when it comes in, they'll see it before you delete it, even if they haven't read the message, and be confused when they go to read it fully and there is nothing there.

Many things happen between sending a message and it being read. It just isn't that simple. People expect it to be and get sad though.


Anything that happens outside of your control is not guaranteed and should be treated as such. When I use "Also delete for X", it is in the knowledge that I'm really just trying to avoid confusion and keep the chat history tidy, I have no expectation that the other person never saw it and won't have it stored in some kind of chat log somewhere.

Fine, if you're using Telegram to transfer top-secret documents - I hear its protocol encryption is pretty good (but I do not know for sure). But if you are - maybe just have the 1 chat with your MI5 contact on it, keep your 1000 person cat gif group chat separate.

PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text


People who consider this evidence that Monzo isn't (as) secure as other banks are living in a dream world. Incidents like this slip through the net sometimes, and get noticed and fixed, at every company, everywhere - humans aren't perfect. Monzo is being transparent about it and resolved it really quickly. At other banks, it is kept quiet. The only time it wouldn't be kept quiet is if someone external noticed, at which point they'd have to own up to it, but they'll do that in a way that diverts blame from the company.

Sky customers moan: Our broadband hubs are bricking it


"New and exciting feature"

Yeah, can I just have some plain old internet please?

You are an internet service provider, you should just provide internet.

My water provider just provides water.

If they cut my water supply by accident while installing a new and exciting banana milkshake pipe to my house, I'd be pretty pissed off.

Wanted – have you seen this MAC address: f8:e0:79:af:57:eb? German cops appeal for logs in bomb probe


I don't think it matters if the mac address is legit, spoofed or changed often, or if the phone has been binned.

If someone contacts them and says "Hey, I just checked my logs, someone connected to our Cafe's WiFi with that MAC address at 10:15am on the 35th of Febtober, and I checked the CCTV and there is a shifty looking guy sipping a coffee in a corner, surrounded by fireworks and empty boxes of nails, scrolling through facebook - want to check it out? I have the credit card number he used to buy his coffee" that'd be pretty damn useful.

They say software will eat the world. Here are some software bugs that took a stab at it


I think it's wrong to say it's always management's fault, and we as developers should look at ourselves, BUT if management allow it to get to the point that everything *has* to be rushed, because of unrealistic deadlines, scope creep, bad planning, etc, etc, the developers *have* to cut the corners, regardless of wanting to do so or not. Goes back to the Cheap, Good and Fast. Except Fast is "faster than is possible, because nobody knows how big it is or how long it will take".

Microsoft polishes up Chromium as EdgeHTML peers into the abyss


Re: Diversity

I don't want diversity. I want every website to work in every browser I use on whatever device I use it on. Chromium the rendering engine is open source and isn't developed by a few in one organisation. Yes, it's the engine behind Chrome, but then it is also the engine behind other browsers. I'm happy for there to be diversity in browsers, pick whichever one you think has the most usable UI (everyone has a different opinion). People shouldn't really care what rendering engine it uses, as long as pages look the same for everyone everywhere, which really is the goal.

That sphincter-flexing moment for devs when it's time to go live


Great analogy with changing a car engine while on the motorway. I've experienced this a few times. It is not fun. Sometimes these things have to happen though.

Windows 10 Pro goes Home as Microsoft fires up downgrade server


Re: Contractor rights

My gaming PC popped up with a "Windows needs to be activated" watermark, much to my displeasure. Hopefully it goes away in a day or 2, but it is certainly not the end of the world.

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box


Re: Contractor rights

Why don't we stop writing code in languages that make it easy to screw up so easily like this?

There are plenty about nowadays. I'd rather my DHCP client be a little bit slower at processing packets if I had more confidence it would not process them incorrectly and execute code hidden in said packets...

I wish I could quit you, but cookies find a way: How to sidestep browser tracking protections


Re: Contractor rights

It's very hard to apply these wide sweeping policies. "Third party" cookies are not all bad. My company builds software which our clients embed in their site. That makes it hard for us to place cookies on the user's browser, even though we have every right to be there; we have permission to do so as the user has agreed to cookies on the site, which we are an integral part of. We have workarounds in place, but it's worrying that totally legitimate cookies are being dropped due to ever moving policies.

ReactOS 0.4.9 release metes out stability and self-hosting, still looks like a '90s fever dream


I just installed this in a VM. I'm impressed for several reasons.

1. It works, it works really well

2. The sheer amount of effort involved to do this is astronomical

3. They didn't give up in 22 years. It's basically redundant before it's reached beta. There might be some uses for it, I guess. I liked Windows 2000 more than I like anything released after, but there is no mass market for going back to it.

My hat tips in the direction of the developers who have worked on this. It's a massive achievement.

Off with e's head: E-cig explosion causes first vaping death


Re: My personal battery failure

Thanks for the story. I'm sorry it happened to you and I'm glad you shared it. Really hits home.

My brother had a battery vent out of his own stupidity: his battery wrap was coming loose so he ripped it off and tried to use the battery. Which is obviously a stupid idea. He managed to throw it outside luckily and no harm was done. Now he has far more respect and knowledge, luckily.

He really had no idea about battery safety at all, which is worrying given the amount of readily available information.

I inspect my batteries regularly, change the cardboard circle on top and rewrap them when they're damaged. It costs about £3 for 25 sticky-back cardboard circles and £5 for about 20m of battery wrap, which will probably last me forever.

As much as I hate articles like this making out like my hobby (I guess you can call it that? I barely have any nicotine now, 1.5mg) is terribly dangerous, it might open people's eyes a bit that an 18650 battery isn't a toy and that they need proper maintenance and thought when handling.

Just reminded me of the guy who kept them loose in his pocket along with keys and coins. That didn't work out too well either.


RE: Lighten up, jeez. I was less defensive than this when I smoked ciggies...

That may be because when you smoke and people tell you it's really bad for you and you're probably going to die, they're actually repeating scientifically verified facts. So you can't really get defensive, can you?

It's slightly different when people are repeating bad things about vaping that they read in The Sun, who got it from a research paper "sponsored" by a tobacco company, that got shot down with real science almost instantly.

DOJ convicts second bloke for helping malware go undetected


I do find it hard to believe that not sharing some information with an anti-virus company can be considered a criminal offence. It doesn't make what they were doing illegal. They were providing a service that others provide, but with the ability to keep things anonymous, as someone else stated, you might be testing proprietary software and not want an analysis of it shared with security researchers, if it flagged up a false positive.

I'm not saying they weren't in business to help malware authors, but I'm sure it was all written in a way that made it look legit; they didn't call it test-your-malware.com. Which brings it down to: they didn't do anything to stop criminals using their service. But then, there are many services used by criminals. WhatsApp isn't called TerroristSafeChat; they don't actively stop criminals using it, because it's encrypted, they can't see who is talking about what, so can't do anything about it.

Just seems a bit of a stretch to me.

The whole extradition thing is crazy. Jurisdiction is such a grey area now the internet is a thing.

Microsoft programming chief to devs: Tell us where Windows hurt you


Such hate. I haven't developed for windows in years but I have read with interest all the stuff about .NET core and things - all moving in a good direction, seems positive.

To say that .NET is a shit copy of Java is a bit harsh..

Saying everything should be developed natively is far too optimistic in this day when everyone wants the same app on their PC (windows), their laptop (mac), their phone (android) and their TV (WebOS or whatever). No company wants to develop the same app in different ways many times and support them all individually. Attempts at cross platform frameworks are not perfect by any means, but they're better than the alternative.

NASA dusts off FORTRAN manual, revives 20-year-old data on Ganymede


Re: Contractor rights

You'd think with the cost of building, launching and controlling Galileo, when they had the data, they'd spend the time and resource analysing it properly... surely that cost is a drop in the ocean compared to the initial outlay..

SecurEnvoy SecurMail, you say? Only after this patch is applied, though


Baking in encryption does not mean something is secure. Who'd have thought?

Most IT contractors want employment benefits if clobbered with IR35


That's long term hopes and dreams, not the current situation. It would be awesome if all companies in the country were to pay everyone more, train people up, etc. I can't see it happening though. No business looks that far ahead these days.


Re: Sick Pay?

You're right of course. People keep cash in reserve for many reasons including when they want to pay themselves while sick. Permanent staff don't. Keeping cash in reserve is still removing it from your "take home pay" at some point.


Re: Contractor rights

Good catch/nitpicking! Doesn't invalidate any of the points made though.


Re: Sick Pay?

That isn't the entire pay though is it, that is for tax purposes (fully legal ones, if you could take part of your salary in another legal way and pay a bit less tax, you'd do it right?).

Let's use the monthly take home pay after all the taxes and compare that to a permanent employee. If a contractor has a day off sick, it will decrease. As a permanent employee, it will not.


Re: Contractor rights

You don't really get £1000 a day though, do you? Taking off the 20% corporation tax, that's already less than 3 times what the example permanent person is earning per day. Then take off all the other taxes, insurances, personal pension contributions and loss of money for sick days I can't be arsed to work out. You'll arrive at a very similar number, with far more hassle and less security.

In my area of tech, the contractor average is around £400 a day, as a guestimate. I've contracted in the past for between £375 and £500 a day for around 3 years. It's truly difficult to quantify as a simple salary what you earn as a contractor, but I can tell you I'm permanent now (and have been for over 3 years) and it's a lot less hassle for probably £10-15k a year more after all is said and done, and that was all outside IR35. I can switch jobs and get £10-15k more as a permanent employee, so what does it matter?

I think all the permanent employees who feel jealous toward contractors need to try it. It was a good experience and now I can see the argument from both sides. I'd do it again but it is my opinion that it isn't worth it any more. Which is fine - I went perm. I haven't bitched about it. I like my perm job too.

Contractors are often required by employers for whatever reasons. Now there are far fewer, or they cost far more. It isn't the contractors or ex-contractors that are really losing out here, is it?

Tech bad-boy Uber crafts tool to make staff follow the rules in future (er, coding rules, that is)


Why is this news? There are many linters. This one isn't special, other than being created by a company that's generally in the news for other reasons.

Microsoft downplays alarm over Windows Defender 'flaw'


Re: The revelation...

Hooking these calls in other processes is something that would require admin privileges, and if it's against a built-in app (explorer, etc), you would have to disable something (can't remember what it's called) for it to work still... Chances are, if you're that far in, you don't need to get around Defender any more.

Chap tames Slack by piping it into Emacs


He spent how long getting this working? All in the name of reducing distractions so he can get on with his job...

The power JavaScript: 'Gandalf of JS' Wirfs-Brock on ECMAscript 2017


It's getting better. Evolution is happening. It has its quirks like every language, but it's definitely getting better.

Shoddily-set-up Elastisearch hosting point-of-sale malware


I don't know about MongoDB, haven't used it extensively. ES on the other hand seems to do a very good job of cluster management and is pretty performant. The query syntax makes my eyes (and brain) bleed though.


Yes, I was also confused. You shouldn't be able to get remote code execution from an unsecured ES instance. If so, it needs to be patched - maybe the 2 versions mentioned are ones that have a vulnerability, but that also sounds weird - why would AWS lock you in to a vulnerable version of a piece of software?

When I tried out MongoDB and ES, working through the getting started guide and seeing the "we don't provide HTTP authentication, that's not our job, put us behind a reverse proxy", my immediate thought was that at some point, someone is going to scan for all unsecured instances and steal a lot of data. Why didn't MongoDB or ES see that coming?! If they used the "do one thing and do it well" philosophy to decide not to include authentication, their definition of "one thing" is not big enough. Storing data is part of the job, another part is making sure nobody can steal it.

Humanity is doomed: We watch 45 BILLION hours of YouTube a month


Youtube has a lot of learning material. People don't just watch cat videos. Some people use it as a tool to better themselves.

First-day-on-the-job dev: I accidentally nuked production database, was instantly fired


So.... there is no data security, if the production credentials are in a dev guide...

So.... there are no backups of production data...

So.... they let a junior developer who is totally new to their system set it up on their own...

We all mess up once in a while. That is why we do things in such a way that it's really damn hard to do things like this without knowing what you are doing.

Sure, at my company I can connect to our production system, and in theory could wipe it, if I wanted to. It would have to be very, very deliberate. If it did happen, we have several layers of backup we can fall back on. Fortunately it has never happened.

If something like this can happen so easily by accident, it is not the junior developer's fault, it is the CTO's, for not ensuring that the systems are built with consideration for such things.

Hopefully the CTO gets fired. He deserves it. I'd like to say the junior dev could file for wrongful dismissal, but try explaining the above to a judge who has no idea how to computer. It'd be a waste of everyone's time.

Bixby bailout: Samsungers bailing on lame-duck assistant


Even if Bixby was amazingly clever, I still wouldn't use it. My Bixby button switches to the most recently used app, good for switching between 2 things. That is far more useful than a voice assistant (even a good one).

Toyota's entertaining the idea of Linux in cars


After playing a fair bit with BMW computer systems, the key thing I noticed that I thought made it robust and easy to swap parts in and out was the fact that pretty much everything has its own individual computing module, which communicates with everything else via a network of some kind (CAN, Ethernet, fibre for media stuff). This means if one module breaks, AC for instance, your airbags still work.

Putting everything in 1 module with containers sounds like halfway to disaster. Sure, if 1 container goes wrong, it can probably be easily restarted or fixed or whatever, but it sounds like when something worse happens, the whole car will be useless until you buy a new computer for it.

WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain


So, erm, I'm going to say it first.. This is why government organisations shouldn't hoard vulnerabilities. They will get leaked and they will get used by others who are less trustworthy (grey area..). If you find a vulnerability and don't want to be a part of breaking the internets, please submit it in privacy to the vendor.

Don't waste your energy on Docker, it says here – wait, that can't be right...


NEWS FLASH: Doing more uses more energy

Car hacking's dynamic duo offers to save others $1m in research


I love reading stuff like this, absolutely fascinating. When will manufacturers of devices that are accessible over any kind of network (routers, IP cameras, clever cars, washing machines..) realise that they must do it responsibly or it will ruin their reputation and in the worst case cause safety issues (cars crashing) or global internet fails (IP camera botnets)?

I suspect a consultancy headed by these guys is the next step. Will manufacturers just continue to bury their heads in the sand and continue to hope nobody looks too hard at their systems though?

GitLab.com melts down after wrong directory deleted, backups fail


The only way to be confident in your backup plan is to have tests to make sure it's working.

If you back up nightly, you could automate grabbing the latest backup, restoring it to a throwaway instance, and ensuring that it completed properly by checking record counts in various tables. You could run that every other day. Or better yet, run it once your backup process has completed, to verify that it has indeed worked properly.

You could still get caught out in many ways, but verification to some extent would give you more confidence.

I can understand how this has happened though; start-ups are not the same as large corporations with the resource to have people spend a long time ensuring backups are rock solid and testing disaster recovery efforts monthly etc. In an ideal world, that'd be quite high on the agenda, but realistically, breaking even is the first hurdle and you don't (technically) need a backup plan for that, so it gets put to the bottom of the list.
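The restore-and-count check described in the post above, as an added example that is not part of the original comment or of GitLab's tooling: it backs up a constructed SQLite "production" database, records per-table row counts as a manifest, restores the backup into a throwaway in-memory instance and compares the counts, flagging an empty backup file or a table that came back short. The schema, row counts and file names are all constructed for the example.

```python
"""Verify a nightly backup by restoring it to a throwaway instance and
checking per-table record counts against a manifest taken at backup time."""
import os
import sqlite3
import tempfile

# Constructed sample schema standing in for the production database.
SAMPLE_SCHEMA = [
    "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT)",
    "CREATE TABLE projects(id INTEGER PRIMARY KEY, owner INTEGER)",
    "CREATE TABLE issues(id INTEGER PRIMARY KEY, project INTEGER)",
]


def build_sample_db(path, n_users=5, n_projects=3, n_issues=12):
    """Create the constructed 'production' database with known row counts."""
    conn = sqlite3.connect(path)
    for stmt in SAMPLE_SCHEMA:
        conn.execute(stmt)
    conn.executemany("INSERT INTO users(name) VALUES (?)", [(f"u{i}",) for i in range(n_users)])
    conn.executemany("INSERT INTO projects(owner) VALUES (?)", [(i % n_users,) for i in range(n_projects)])
    conn.executemany("INSERT INTO issues(project) VALUES (?)", [(i % n_projects,) for i in range(n_issues)])
    conn.commit()
    conn.close()


def table_counts(conn):
    """Return {table_name: row_count} for every user table in the database."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in names}


def take_backup(src_path, backup_path):
    """Copy src to backup_path with SQLite's online backup API and return the
    manifest (row counts at backup time) that the verifier checks against."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(backup_path)
    src.backup(dst)
    manifest = table_counts(src)
    dst.close()
    src.close()
    return manifest


def verify_backup(backup_path, manifest):
    """Restore the backup into a throwaway in-memory database and compare its
    per-table counts with the manifest. Returns (ok, list_of_problems)."""
    if not os.path.exists(backup_path) or os.path.getsize(backup_path) == 0:
        return False, ["backup file missing or empty"]
    scratch = sqlite3.connect(":memory:")
    try:
        src = sqlite3.connect(backup_path)
        src.backup(scratch)  # the 'restore' step into the throwaway instance
        src.close()
    except sqlite3.Error as exc:  # corrupt or non-database file
        return False, [f"restore failed: {exc}"]
    restored = table_counts(scratch)
    scratch.close()
    problems = []
    for table, expected in manifest.items():
        got = restored.get(table)
        if got is None:
            problems.append(f"table {table} missing from restore")
        elif got != expected:
            problems.append(f"table {table}: expected {expected} rows, restored {got}")
    return not problems, problems


def demo():
    """Run the check on a good backup, a short backup and an empty file."""
    with tempfile.TemporaryDirectory() as d:
        prod, bak = os.path.join(d, "prod.db"), os.path.join(d, "nightly.db")
        build_sample_db(prod)
        manifest = take_backup(prod, bak)
        good = verify_backup(bak, manifest)
        with sqlite3.connect(bak) as c:  # simulate a truncated table in the backup
            c.execute("DELETE FROM issues WHERE id > 10")
        short = verify_backup(bak, manifest)
        open(bak, "wb").close()  # simulate a backup job that wrote nothing
        empty = verify_backup(bak, manifest)
    return good, short, empty


if __name__ == "__main__":
    print(demo())
```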

Why don't people secure their IoT gadgets? 'It's not my problem'


Non-tech people don't understand the implications. They want a "smart" X because the marketing hype makes it sound awesome and that it'll make their life easier.

The marketing doesn't tell them it will require them to keep on top of updates if they like keeping their personal information personal. That'd be bad marketing, people will think "damn, I don't really want more things to worry about, and I don't want to spend more time administering my smart cat flap, because if I spend *any* time doing that, it basically negates its usefulness".

If your smart cat flap stops a neighbouring kitty getting in your house, that's awesome. It's one less thing to worry about, and will save you potentially an hour in the next 5 years. But if you have to spend half an hour updating it once every 3 months because someone worked out how to use it as a backdoor into your network, what's the point?

Could this be you? Really Offensive Security Engineer sought by Facebook


I've always said this - it's a game of cat and mouse: someone finds and exploits a bug, then it gets fixed. The only way to get ahead is to pay some cats to do it for you. The kind of people who'd happily spend days searching for something to exploit or sit staring at thousands of lines of assembly code trying to find a weakness. The same kind of person who'll be doing it without your knowledge. This is a different kind of job than someone who secures your systems and networks against attack. Both are required.

Y'know that ridiculously expensive Oculus Rift? Yeah, it just got worse


I went to a friend's house last night and played with a Vive for the first time. It's far better than I expected and thoroughly enjoyable. If I could justify £700 on gaming, I would definitely buy one. This is all.

Ransomware scum build weapon from JavaScript


I don't think the problem is something that executes when you open a file.. there are a lot of file types that do this, not just js files.. people just need to not be idiots and download and run files when they don't trust them.

Apple quietly launches next-gen encrypted file system


I tried using a case sensitive file system on OS X once already. Never again. Lots of software just doesn't work, because it expects OS X to be case insensitive.

Most importantly, Photoshop won't install (almost as important, Hearthstone won't install).

I found some old thread about the Photoshop issue; it boils down to the application linking to Apple frameworks and Xcode not being able to handle it, which left Adobe basically saying, we can't fix it. It could be them passing the buck, but either way, it's something that'll need to be addressed by lots of application developers and Apple themselves.

But good job on Apple for bringing file systems into the 21st century.

Developer waits two years for management to define project


Re: Crash Pad

Was this in Camden by any chance? Sounds just like the place I used to work...

UK's 'superfast' broadband is still complete dog toffee, even in London


Is it possible that a large percentage of the population just don't have a need for super fast broadband? I would feel inconvenienced without at least 40mbps, but my in-laws are very happy with their 3mbps even though there are bigger and better plans available; they can do all the things they need, so why pay more?

URL shorteners reveal your trip to strip club, dash to disease clinic – research


The whole premise that short URLs are based on is in the name. They shorten URLs to smaller ones. Whoever put pre-authenticated URLs into a short form should be shot. It's not the problem of the short URL.

You won't believe this, but… nothing useful found on Farook iPhone


The FBI don't know the procedure to unlock it? So they just let some random guy/company have their possibly important piece of evidence to unlock it, without any idea how they were going to do it?

If I were the FBI, I'd want to know exactly what was being done and how it worked to ensure that it wouldn't in any way damage any evidence on the phone.

What if they attempted it and then it triggered the wipe procedure? Whoops, sorry guys.. They'd have thought about that situation and would have sense checked what was going on themselves first.

Admin fishes dirty office chat from mistyped-email bin and then ...?


Invasion of privacy

Nothing to do with the admin, he shouldn't be reading the emails, should just forward them on.

Why even have a catch-all for misspelt emails? Let the user receive an undelivered mail message like every other mail server does.

Sounds like an excuse to read other people's mail.

'$5bn for Slack?! I refuse to pay!' You don't pay – and that's its biggest problem


My company also loves Slack - we use email for formal bits, everything else is on Slack. Much quicker to communicate, and bonus cat gifs.

Does it really matter what protocol it uses? You can hook into it in several ways without caring..

Council IT system goes berserk, packs off kids to the wrong schools


Re: This:

People forget things sometimes; that doesn't make them an idiot, it makes them human. I see this as a failure of the team and processes. Code committed wasn't reviewed before it was pulled into the main code base and there was no testing of the changes before they went live. And also, you'd expect a bunch of tests to pick up on the fact emails weren't being sent to the right place. You can't place those failures on a single developer.