* Posts by Marcel

44 publicly visible posts • joined 9 Apr 2012

Want an ethical smartphone? Fairphone 3 is on the way – but tiny market share suggests few care


This phone is not aimed at people who are wowed by a 64-core 5 GHz SoC and a billion pixel screen. That category should continue buying Chinese phones made by people who not yet committed suicide while financially supporting civil wars in Africa.

I own a Fairphone 2 and it looks much better than all those iPhones with cracked screens that people around me carry around. After almost 4 years my Fairphone 2 works pretty well. The problems I do have seem more Android/app related.

You can only upgrade phones for a few years because the SoC is not yet supported any more by the manufacturer (Qualcomm). Fairphone, as a small player, cannot force Qualcomm or Google to support their shit for longer. Blame them.


It comes with bootloader unlocked and Android installed by default (supported for 5 years). You are free to install any other OS you want. This is part of their sustainable design.

Heads up: Debian's package manager is APT for root-level malware injection... Fix out now to thwart MITM hijacks


Re: "Supporting HTTP is fine,"

It's even worse. It's 2019.

But yeah, no excuse to not use TLS.

OK, this time it's for real: The last available IPv4 address block has gone


Re: Compatibility

The IPv4-addresses-running-out-stories are getting old and so are the if-only-they-made-it compatible-with-IPv4-comments.

IPv4 uses 32-bit addresses. You can't stuff more addresses in 32 bits. So you need to make the addresses bigger. If you do that it is not IPv4 anymore. If you would even change one bit in IPv4 and make IPv4.1, still all devices using IPv4.0 need to be updated. So we need a *new* protocol with bigger addresses, 128 bits, which is IPv6. And while they were at it, they improved some other things that we didn't like about IPv4.

IPv6 was designed to run alongside IPv4 from the beginning. They work independently and you device might have IPv4, IPv6 or both and you would not notice the difference.

The reason we're dragging this so long:

- it's different, scary!

- we might need to buy new/updated device/software and it costs money!

Dutch name authority: DNSSEC validation errors can be eliminated


Yes, it's hard, but...

It's a chicken and egg problem.

Setting up TCP/IP stack used to be hard...

Setting up Linux with Apache and MySql used to be hard...

Setting up SSL/TLS on your website used to be hard...

Setting up DNSSEC is hard NOW, but as it matures, knowledge and tooling will improve and it will not be hard anymore and we will reap the benefits.

Just about everything in the world depends on DNS and it should be secure.

Man prosecuted for posting a picture of his hobby on Facebook

Big Brother


Also, having laws that prosecute people because something is "grossly offensive or of an indecent, obscene or menacing" is asking for trouble. It is very subjective and easily abused to prosecute basically anyone at any time.

The sad thing is that these laws are often the result of citizens calling on the government to "do something" about something they don't like or don't understand (and can't be bothered to). For politicians it's a cheap way to please voters and get elected next time. Too bad such laws are often the basis for totalitarian regimes.

Footie ballsup: Petition kicks off to fix 'geometrically impossible' street signs

Paris Hilton

Metric please

That 2¼ is kilometers, right? RIGHT?!?! No? Okay, maybe it's not mathematically incorrect, but at least it's mathematically stupid. Fix it.

Downloaded CCleaner lately? Oo, awks... it was stuffed with malware


Doesn't matter

If you need CCleaner it means you already have malware on your pc. Isn't removing malware with virus scanners and anti-malware software not just cleaning up after the fact? And is the problem not your OS/browser/behaviour?

Microsoft Surface laptop: Is this your MacBook Air replacement?


Re: ... but will it

Because you like the hardware, but not the software. Also, choice in "Linux branded" laptops is rather limited.

Dutch Senate votes to grant intel agencies new surveillance powers


Most politicians, like most citizens, who are not tech savvy, don't understand how useless such laws are in catching terrorists. Meanwhile, they hurt everyone by making us all more vulnerable by putting all of us under surveillance.

The good news is that a non-profit group of lawyers, the Public Interest Litigation Project (https://pilpnjcm.nl/en/), is already planning to fight this law in court.

Debian bins keys assigned to arrested Russian contributor

Black Helicopters

Shoot the messenger?

Either the police is dumb and think IP-address is proof owner did it (common mistake). Or they are not so dumb, and want to send a message to those pesky folks making anonymity possible by running a Tor node.

By the way, according to https://meduza.io/en/feature/2017/04/10/mathematics-teacher-accused-of-inciting-mass-riots-now-also-accused-of-supporting-terrorism-and-once-again-detained this guy "is a “very law-abiding person” and will not even cross the street unless there was a crosswalk.", according to his mom.

Linux remote root bug menace: Make sure your servers, PCs, gizmos, Android kit are patched


Re: android ecosystem ...

It's a choice of the manufacturer. And therefor a choice of the consumer. You could buy a Fairphone and enjoy it a bit longer than these disposable Samsungs.


Russia's bid for mobile self-sufficiency may be the saviour of Sailfish


Re: CE marked hardware

The Fairphone 2 (https://fairphone.com) is a EU-designed and CE-approved phone that runs Sailfish, although not officially supported (yet). See: https://wiki.merproject.org/wiki/Adaptations/libhybris/Install_SailfishOS_for_fp2

Great British Block-Off: GCHQ floats plan to share its DNS filters

Black Helicopters

Easy to avoid

Cybercriminals could:

- use IP-addresses instead of domain names (which they already do)

- use other people's computers (which they already do)

So basically it will not work, while creating yet another secret real-time website blacklist.


Re: Who uses the ISP DSN anyway?

Wouldn't that be illegal with a Net Neutrality law?

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January


Re: Really?

You visit BBC and The Reg's website because you believe they bring you reliable news. If it's over HTTP it's not reliable anymore. And maybe you don't give a damn about privacy, but I do. So please let me visit sites over HTTPS and you keep visiting the non-secure version of it.

Fight over internet handover to ICANN goes right down to the wire


Re: The devil you know?

The US doesn't shut down sites because of speech, but it does for commercial/legal reasons. FBI/DoJ has shut down many "illegal" websites, just because the .com/.net/.org domains happens to be administered from the US and they therefore have "jurisdiction". Some examples here: https://www.techdirt.com/?tag=domain+seizures

I don't want any single government to be able to shut down sites, for whatever reason (because they will always find a "legal" reason).

Crims set up fake companies to hoard and sell IPv4 addresses


Own fault

IPv6 development started 20 years ago or something. That was for a reason. If we started migrating to IPv6 10 years ago, IPv4 address scarcity would be a non-problem. Oh well, human nature...

BTW: theregister.co.uk --> IPv4-only

IP address clerks RIPE: Feds, come back with a warrant, er, web browser

Paris Hilton


First I read this: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

And now this article. Is it me or are LEAs completely clueless?

USB-C adds authentication protocol


It already exists for a while and it was indeed originally called the USB Condom: http://syncstop.com/

Microsoft joins Eclipse Foundation. Odd thing for a competitor to do

Thumb Up

Re: I'll start worrying when MS starts to commit code to emacs

I'm currently using Microsoft's Python Azure API (https://github.com/Azure/azure-sdk-for-python). On Linux. And it works too.

Samsung sued over 'lackadaisical' Android security updates


Re: but

This is what Fairphone is doing (see https://www.fairphone.com/roadmap/design/). Their phone costs a bit more and it's not as shiny as an iPhone, but it will last longer, can be repaired, can be upgraded and no children were harmed during production.

Trend Micro: Internet scum grab Let's Encrypt certs to shield malware


Trend Micro fail

Trend Micro probably relies on unencrypted HTTP connection to spy on your internet connection to detect malware. Until now, TLS encrypted connection were used for well-known non-bad sites and could be disregarded by virus scanners. Now that TLS is available for the masses everything gets encrypted, including bad things and Trend Micro can't easily check it anymore.

The malware problem is not a problem that has anything to do with Let's Encrypt. It has to do with webservers being easily hacked, badly secured advertising networks, DNS policies, leaky browsers, unpatched Windows machines, etc.

Let's keep on encrypting people.

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole


Re: Feeling SO fine

Lenovo is doing it. Dell is doing it. What makes you think HP is not doing it?

GOOGLE GMAIL ATE MY LINUX: Gobbled email enrages Torvalds



He can write his own OS, his own version control system (Git), why can't he write his own spam filter? Or at least bother to setup his own LINUX server with a nice FOSS mail server and spam filter.

America's cyber-security proto-laws branded 'surveillance in disguise'


So, how exactly will this information sharing make us (or them, I'm not American) any safer?

I imagine this information sharing to be something like this:

"Hey FBI, I found this critical zero day and I think you might can use it to spy on bad guys. xxx, NSA"

"Hey Microsoft, can you please not yet patch this critical Windows vulnerability, because we're using it to hack terrorist right now. Regards CIA"

"Hey Whitehouse. Seems like we're being hacked by some kid in Russia and we have no clue how to stop him. Seems like we're screwed badly. Are you hacked too? Better have your spokesperson call it a cyberattack by a nation state, so at least we don't look stupid. Regards, Sony"

"Hey Apple, we can't really crack you iPhone security. Can you please build in a backdoor for us. Thanks, NSA"

Checkmate, GoDaddy – Google starts flogging dot-word domain names


More interested in certificates

I'd love to see https://letsencrypt.org/ give away free certs later this year. Certificates are a much bigger scam than domains.

E-cigarettes fingered as source of NASTY VIRUS


Re: Use a "USB Condom".

Indeed, use a condom: http://syncstop.com/

Stops computers being infected by malicious cigarettes. Stops your smart phone being infected by malicious chargers.

REVEALED: Reg trails claw along Apple's 'austerity' 21.5-inch iMac


There are alternatives

Create your own all-in-one: get a Gigabyte Brix with Core i5, put in 8 GB RAM, a 500 MB HD (or SSD), a nice looking 24" IPS screen. Hook the Brix on the back of the screen and you have an upgradeable all-in-one for about 700 euro (much cheaper even if you go for a Core i3 or Celeron).

You are ALL Americans now: Europeans offered same rights as US folks in data slurp leaks


Human rights are non-negotiable

So the USA starts by granting all non-Americans no rights at all. Then when we complain, by the grace of God, they grant us *some* human rights in exchange for collboration with their unethical behaviour. F**k you, Eric holder and your soon to implode land of the free.

Iran brands Facebook boss Zuckerberg an 'American Zionist', bans WhatsApp


People in Iran should download Tor while they still can.

Google buddies up with Intel for this year's big Chromebook push


Linux please

I love Chromebooks, except for the OS.

Anyway, isn't a Chromebook without Chrome not a Netbook, the sort of laptops that were doomed (according to the Intel et al)? Innovation By Sticker™

Well done for flicking always-on crypto switch, Yahoo! Now here's what you SHOULD have done


Re: Quite!

It's good for people to realize what is actually happening with their mail. Most don't and tech companies abuse this by giving us half solutions. Anyway, in my opinion, using TLS on all connections will at least make it much harder to do wholesale mass surveillance. It's pretty cheap to implement and pretty expensive to crack.

Anyway, meanwhile, people think of new alternatives such as Mailpile. Check it out.



SMTP connections are (often) still unencrypted

Lately I have been trying to figure out whether the connection between Yahoo's mail servers and the recipient's mail server is encrypted. It seems that most of the cases it is not using TLS thus unencrypted a.k.a. plain text. I'm not quite sure what causes it to sometimes use TLS and sometimes not. It might be that no common cipher can be negotiated. Or that Yahoo has many servers which are not all configured in the same way.

You can test yourself by sending email to/from your Yahoo mail with another email account and then check the mail headers. How to view those depends on your mail client. In Yahoo mail you can do it by clicking on "More" below the email and then choose "View Full Header". In Outlook view the Message Options box. In Thunderbird press ctrl-U. Google for others.

You will see several "Received:" headers which will show the path of the nodes your email passed by (in reverse order). Now look for the top most (usually) "Received:" header where the mail is handed over from the Yahoo mail server to your ISP's mail server (or vice versa). There is will something like "with ESMTPS" or "with SMTP". The second S stands for secure. So ESMTP is good, SMTP is bad.

NSA gets burned by a sysadmin, decides to burn 90% of its sysadmins


Better solution

First he wanted to double the number to sys admins to make it more secure. Now he wants to get rid of 90% of them. I guess someone whispered in his ear that is would be cheaper.

Well, I have a even better solution: why don't you decrease your world-wide data vacuuming by 90% (and actually do what your agency is supposed to do). This has several advantages:

- cuts costs

- you don't break the law

- 90% less chance less of leaks

- you don't piss every on Earth off so much

Space boffins, oil giants, nuke plants 'raided' by mystery code nasty


Install updates

It's beyond me why companies involved in top secret research and military don't update software that is used throughout all of their offices and has vulnerabilities that are rated "critical" or "severe" and contain words like "remote code execution".

So yeah, let's continue building multi-billion dollar/euro cyber armies and buy multi billion dollar/euro cyber security products, while all we need to do is:

- right click blinking icon in bottom right corner

- press Update Now

- press Next

- press Finish.

Phone, internet corps SNUB US government's cybersecurity ABCs


Common sense

These 20 controls are common sense and obvious and should be required for ANY company or government to implement that is in any way connection to the internet. It worries me these telcos can't or won't implement it. Most likely it was just the legal department talking, to prevent litigation by customers for not implementing it. Anyway, they suck.

New class of industrial-scale super-phishing emails threatens biz

Thumb Down

Re: super-phishing emails threatens biz

All the scary security news of last few years comes from marketing departments of security firms. Firms like Symantec and McAfee pump out these things on a daily basis. I think news sites should start to filter this kind of "news".



Doesn't spearfishing imply it's a very targeted attack with personalised emails? Sending so many messages to so many companies sounds more like regular phishing.

Since we will never solve the problem of users being misled and tricked to click a link, when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?

APT1, that scary cyber-Cold War gang: Not even China's best


More critical reading is needed

The evidence linking hackers to a government or to a certain group is very thin or non-existent. What seems to be happening is that all of the thousands of hacks that happen every day are grouped into categories, then labeled as being from a common source.

All this is being done by governments with political agendas, soon-to-be-unemployed army generals looking for the next war and security vendors with gear/services to sell.

I take all this with a grain of salt. Meanwhile, all these companies moaning about being attacked are wise to teach their employees not to get caught in phishing attempts, install the latest patches on *all* of their equipment and start using encryption a little bit more (anyone using S/MIME or PGP?).

Chinese PLA soldiers 'mastermind cyber-espionage Cold War'


Not hard evidence

I have read the report and I don't see much hard evidence. There are a lot of facts in the report, but how they are linked together or where the facts come from stays a mystery. Not much substance and some dubious assumptions, in my humble opinion.

For example, how do they link the attacks to PLA's Unit 61398?

- They found that all attacks come from 4 /16 IPv4 net blocks (a total of 262k addresses), all owned by China Unicom. China Unicom is the 3rd largest telco in the world, with 273 million (!) customers in 2008.

- Then they link the netblocks to a city, Shanghai (the largest city in China, population of 23 million).

- Next they conclude that because the office of the Unicom engineer listed as contact person for the netblock is in the Pudong area

- The PLA Unit 61398 is also in the Pudong area

- Hence the IP addresses must belong to the PLA and is the source of the attack

Let me translate this into English:

- Suspect IP address belongs to a netblock owned by BT and is used in greater London area

- The BT engineer's office is in the centre of London according to whois

- MI6 is in the centre of London

- Hence the attack came from MI6.

Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods


I had the same question

I have often wondered why there aren't any big sites using DNSSEC. Sure, it's a little complicated for the average Joe. But it's must be a piece of cake for big banks and e-tailer that already have large IT-departments and millions worth of infrastructure. They have the resources to have a guy or 2 or 3 devote themselves to DNSSEC and just implement it.

RIPE NCC handing out last European IPv4 addresses

Black Helicopters

Why don't we just take Iran's IPv4 addresses?

An American lobby group, United Against Nuclear Iran (UANI), is seriously pressuring RIPE (and ICANN) into cutting Iran off the internet. That's also a way to get some more IPv4 addresses...


P.S. Cutting a whole country off internet because their government supposedly does naughty things, is a very bad idea in my humble opinion.

WTF is... UltraViolet


The End Of Owning

This UV is the mother of all DRM. It's it's meant to be the end of piracy for once and for all. You will have no more freedom. Want to watch a movie? Want to listen to music? Want to watch a tv show? Come to the content companies who thought of this and be their slave. You will never own any content again. You will rent rent rent, even though they make it sound otherwise. This is bad and must be stopped.