Posts by artbristol

34 publicly visible posts • joined 5 Apr 2012

Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?


"Buffer overflow" has a specific meaning

Causing a crash by typing in too much text does not mean you found a buffer overflow. Could just as easily be a validation mismatch between front and backend. You don't even know if the program is written in a memory-unsafe language like C.

And if I may play the man not the ball, this security researcher doesn't even have HTTPS on his blog.

New Orleans! Microsoft emits v2.1 of scaling-for-dummies app platform


Grains or Beans?

Even the version number (2.1) just sounds like a famous attempt from back in the day.

Patch Tuesday heats up with pair of exploited zero-days squashed – plus 58 other vulns fixed


"exploited" zero-day

Pedantry alert. By definition it must have been exploited before the patch was available. Otherwise it's not a zero-day.

T-Mobile Austria stores passwords as plain text, Outlook gets message crypto, and more


outlook.com is not offering "end-to-end" email encryption

Obviously it's not end-to-end. Microsoft must hold the encryption keys, otherwise how would an arbitrary recipient decrypt the message?

The link you provide is to the desktop app, which supports S/MIME, which *is* end-to-end, but users need to deal with keys.

The Java release train is moving faster, but will developers be derailed?


Future of Swing, AWT from the horse's mouth

Check the Oracle whitepaper (http://www.oracle.com/technetwork/java/javase/javaclientroadmapupdate2018mar-4414431.pdf)

> Swing and AWT will continue to be supported on Java SE 8 through at least March 2025, and on Java SE 11 (18.9 LTS) through at least September 2026.

> Oracle has begun conversations with interested parties in the Java ecosystem on the stewardship of JavaFX, Swing and AWT beyond the above referenced timeframes.

They're ditching them, just like they've ditched Glassfish, Java EE, Hudson, and others.



Shame about JavaFX going - it's quite a nice cross-platform GUI. (Not really comparable to Flash and Silverlight, though I appreciate Oracle said that in their own PR.)

Swing and AWT - the older Java GUI frameworks - look like they're for the chop too, but not until after Java 11.

Hubris, thy name is Oracle: So, cloud is still totally for nerds, right?


Modern Data

"Modern data looks a lot more like Amazon DynamoDB or Microsoft Azure CosmosDB than the neat ones and zeroes of relational databases of yesteryear."

Don't believe the hype. A well factored relational database will look after gigabytes of your data for years and years. Not everyone is running Netflix.

You can find me in da club, database full of faces… but this ain't privacy watchers' jam


"the bouncer checks that picture with the person in front of them"

That is remarkably similar to looking at someone's physical photo ID, except that now you've added a load of complexity and risk. What am I missing?

Apple whispers farewell to macOS Server


Calendar and contacts server included in MacOS server

I hope they keep up development on their rather nice open-source calendar and contacts server. It's written in Python, and even included in Debian these days.

UK Home Office spy powers unit pretended it was a private citizen in Ofcom consultation


It's only metadata we're interested in, not content

The irony.

Ubuntu Core Snaps door shut on Linux's new Dirty COWs


Snaps are not the solution to vulnerable software

Snaps include their own dependencies, a bit like a statically compiled binary.

To push them as a solution for software vulnerabilities is perverse. If a hole is found in an old-style unix library, it alone can be patched and all its traditional, dynamically-linked, dependencies are automatically protected (you may need a reboot). With snaps, you need every single snap that uses it to be updated.

Adobe issues patch to nix its Mac-killing Creative Cloud update



Presumably a bug along the lines of


BitLocker popper uses Windows authentication to attack itself


Passwordless Bitlocker?

How could that even work? If a bug in Windows can decrypt the disk without the user's password, then obviously some malicious code or recovery tool could do the same thing.

iCloud phishing attack hooks 39 iOS apps and WeChat


Cheap CIA knockoff

Isn't this - backdooring Xcode - exactly what the CIA were planning?


Android 5 lock-screens can be bypassed by typing in a reeeeally long password. In 2015


Is this accurately described as a buffer overflow?

Not trying to downplay the severity of this, but is it actually a C-style memory-corruption buffer overflow?

The patch to fix it just adds a maxLength to an XML file describing a screen layout. Maybe the lock screen just runs out of memory and is killed. There are plenty of badly written webapps that would crash if you put too long a string into an input field, but you're not exploiting a buffer overflow by doing that.

Salesforce plugs silly website XSS hole, hopes nobody spotted it


Input sanitization can only ever be a defence-in-depth measure. It cannot protect 100% against injection attacks (though you should sanitize anyway.)

The correct approach is to escape your outputs when mixing text into markup/SQL/whatever.

Google blames Flash for hobbling Chrome, says it sucks (too much power)


Yet more cross-browser incompatibilities for web developers to keep track of

I think the old setting of click-to-play was the best.

Now if you're a developer you have to figure out whether Chrome is going to relegate your Flash to 'inessential'. This is the kind of thing Microsoft used to do with IE. 'Enhance' the user experience at the expense of standards.

Cisco says GHOST is more Casper than Sleepy Hollow



"The other restrictions that had already been identified by Qualys ... are, Cisco says, quite unlikely in any real-world application."

Yeah I'm sure a hacker wouldn't dream of making up a hostname that fit those restrictions.

Reminds me of the time I was re-educating a developer on SQL injection, and asked him what would happen if there was a quote in a user-supplied input:

"Chances are less"

... sigh ...

Who wants to be a millionaire? Not so fast, Visa tells wannabe pay-by-bonk thieves


Tinfoil wallet

That's why I have one of these


Apple takes blade to 13-inch MacBook Pro with Retina display


Re: 1000 quid!

Here's one with a 3200x1800 13" display for around £650, depending on how you configure it. https://www.pcspecialist.co.uk/notebooks/optimusV-13/



El Reg's gloves come off

A marked change in the tone of your coverage over the last few days.

Well done, I say.

Bank-raid ZeuS malware waltzes around web with 'valid app signature'


Isonet have some explaining to do

It's their signing key that was used, according to the linked Comodo blog post.

OpenID Foundation launches XML-free ID handler


Why the XML hate?

You can have a simple XML data structure if you want. Changing it to JSON doesn't make it simpler. Sure, it's very slightly easier to deal with in JavaScript, but that's about it.

Reg HPC man relives 0-day rootkit GROUNDHOG DAY


Battle between virus and antivirus...

...was lost a long time ago. Not to say antivirus is useless, it'll prevent maybe 50% of rootkit infections - but there are advanced nasties out there, and most of them don't play random audio, so you're never going to know you've been compromised.

Prevention is better than cure these days - run noscript, don't open email attachments, reimage regularly etc.

PSST! New PCs with Windows 7 preinstalled are out there – and will be into 2015, at least


Article fails to mention service packs

Windows 7 will be supported well beyond 2015, if you are happy to update to SP1. Similarly, XP support only ended in 2009 if you ignore SP3.

Down with Unicode! Why 16 bits per character is a right pain in the ASCII


Should be titled "Down with UTF-16"

Unicode is a good standard and it was written by clever guys. There's nothing wrong with Unicode's approach of mapping each character to a code point, and adding an intermediate step requiring encoding it into bytes. Far better than the ugly mess of codepages that preceded Unicode.

UTF-8 is part of Unicode and it's a damn good encoding.

Smartwatch craze is all just ONE OFF THE WRIST


Hourly chime

Although I haven't worn a digital watch for 20 years, I still have the muscle memory for how to switch off the hourly chime on a Casio.

Czechs check cheques, reject £680m 4G auction


basic microeconomics

Tim Worstall wouldn't be happy with this article. Mobile operators will charge high prices based on market demand, not based on what they paid for the auction. Failing to auction the licence is basically putting money in the pockets of the shareholders of the mobile operators.

Malware-flingers can pwn your mobile with over-the-air updates


Specific hardware combinations

If a single attack works against iPhone 4, 4S and 5 (for example - I'm not trying to single out Apple), then that's 30% of mobile users already. So it's actually quite dangerous.

Google buys parcel storage service for Christmas


Why didn't the Post Office / Royal Mail invent this?

The nearest equivalent is that ancient relic the PO Box - which is expensive and bureaucratic (min 6 months signup!).

Adobe Connect breach pops lid off 'Letmein' logins of gov, army types


"MD5, a cryptographic hash function that's known to be insecure."

MD5's insecurities are nothing to do with its unsuitability for storing passwords; it's failing to salt the password (and to iterate the hash function to slow it down) that's the problem. And the quoted guy is a 'security researcher'?

Blizzard pwned: Gamers' email, encrypted passwords slurped


Wrong advice

You need to change your SECURITY QUESTION, if that's what the hackers have. Bad luck if you used the same one on multiple sites.

How politicians could end droughts forever But they don't want to


Re: Desal is expensive. Start simpler and smarter.

The problem in Australia is politics - it's ten times worse than in the UK. 'Normal' water consumption (domestic, industry etc.) is dwarfed by consumption by farmers. There is no need for the dry south east of Australia to be growing that much food, when it could be grown and imported from the wetter north.

And of course, politicians there prevent the price of water from varying enough to put the farmers out of business, which it blatantly would if domestic users were allowed to compete in a free market for it.

Ofcom calls for end to 0800 charges on mobiles



0800 numbers are a ridiculous hangover from when people cared about the cost of landline calls - surely most people must be on an unlimited-landline-calls package by now. My £15/month mobile plan provides it all the time AND my basic Talk Talk package includes it on evenings and weekends.

Companies, PLEASE just give us an 03 or geographic number and forget about freephone!