* Posts by Adam 1

2545 publicly visible posts • joined 7 May 2012

Signal says it'll shut down in UK if Online Safety Bill approved

Adam 1

Re: Stop operating?

> Stop operating? What does this mean?

Signal is scoring a number of home goals on that front. Previously my go-to recommendation for a combined messaging app. Now they seem to spend their time trying to be a social platform and the rest of the time removing actually useful functionality like SMS.

Atlassian CEO's bonkers scheme to pipe electricity from Australia to Singapore collapses

Adam 1

Re: Ok, but…

You may be closer to the point of disagreement between Messrs Forrest and Cannon-Brookes than you know. One having significant alignment of investments in generating green hydrogen and the other believing this moonshot aspect being a core differentiator in securing funding (solar hydrogen projects are not exactly unheard of).

There are other complexities in the manufacture, storage and transport of hydrogen so it isn't necessarily a silver bullet. There are also other benefits to having the extension cord (it doesn't have to always export power, depending on weather etc). It also makes sense when you can align peak producing times for solar with peak consumption time because of timezone differences minimising storage requirements. But all that is a beard stroking session for another day.

Microsoft may be counting out $10 billion to inject into OpenAI

Adam 1

"Looks like you're writing a letter"

Might actually work.

We'd rather go down in Down Under, says Google: Search biz threatens to quit Australia if forced to pay for news

Adam 1

Re: Google isn't the internet

> Google has indexed practically all the Web (except the few who tell it not to, of which there are zero honest businesses)

The surface web is estimated at only 4%-10% of the web (depending on who you ask). I'll accept of course that Google has indexed almost the entirety of the surface web. But even duckduckgo or Bing have indexed enough of the surface web to meet the needs of most people.

Frankly I can think of at least 3 Google services other than search that would be more important to Google for figuring out how to sell you to advertisers.

Upside down, you turn me, you're giving bork instinctively: Firefox flips as a train connection is missed

Adam 1

Upside down with an error message is still preferable to the trainwreck that is the new version of Firefox on Android.

Where there's a .mil, there's Huawei: Pentagon allowed to keep using Chinese tech deemed too dangerous for everyone else – report

Adam 1

Can we just appreciate that headline for 30 seconds? Bravo, well played.

'I'm telling you, I haven't got an iPad!' – Sent from my iPad

Adam 1

> It's harder to fake damage than people think.

Not really. You just need more volts.

Adam 1

You really need to take dup checkers with a good serving of salt. The one we use at work in our CI server has a wonderful bug that in some cases considers the method signature in your class to be a duplicate of the method signature of the interface being implemented by that class. Well, yes they do look the same. Funny that.

YOU... SHA-1 NOT PASS! Microsoft magics away demonic hash algorithm from Windows updates, apps

Adam 1

Re: "a legacy cryptographic hash that many in the security community believe is no longer secure"

I don't think anyone should be thinking of secure as a binary is/isn't. Rather, it is a judgement call on whether it would be worth an attackers time and money to pull off the attack.

The last research I have seen puts the cost of a chosen prefix sha1 collision in the $50K compute price range with a couple of months of running time.

So for intercepting some https traffic or signing a piece of malware so it looks legitimate, it's obviously becoming a real potential problem and we need to be moving to stronger hashes. But for defining your branches in git, it serves its purpose and will continue to do so.
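As an added illustration of the git point (example code written for this page, not anything from the article or from git itself): git names every object by hashing a framed byte string, `"<type> <size>\0<content>"`, and a branch is just a ref to a commit id in that chain. The same framing under SHA-256 is what git's `--object-format=sha256` uses. The author line in the commit builder and the sample content are constructed.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// objectID hashes a git object exactly as git does: the header
// "<type> <size>\x00" followed by the raw content. The id is the digest of
// that framed string, so a collision has to be a collision of the framed
// bytes, size prefix included.
func objectID(h hash.Hash, objType string, content []byte) string {
	fmt.Fprintf(h, "%s %d\x00", objType, len(content))
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// BlobSHA1 is the id of a blob in git's default (SHA-1) object format.
func BlobSHA1(content []byte) string { return objectID(sha1.New(), "blob", content) }

// BlobSHA256 is the id of the same blob in git's sha256 object format
// (git init --object-format=sha256): identical framing, stronger digest.
func BlobSHA256(content []byte) string { return objectID(sha256.New(), "blob", content) }

// CommitSHA1 builds a minimal commit object pointing at a tree id and an
// optional parent, which is what a branch ref ultimately names:
// ref -> commit -> tree -> blob. The author/committer line is constructed.
func CommitSHA1(tree, parent, message string) string {
	body := fmt.Sprintf("tree %s\n", tree)
	if parent != "" {
		body += fmt.Sprintf("parent %s\n", parent)
	}
	body += "author A U Thor <author@example.com> 1000000000 +0000\n"
	body += "committer A U Thor <author@example.com> 1000000000 +0000\n\n"
	body += message
	return objectID(sha1.New(), "commit", []byte(body))
}

func main() {
	// Constructed sample: the bytes `echo 'test content' | git hash-object --stdin` sees.
	content := []byte("test content\n")
	fmt.Println("sha1   blob  ", BlobSHA1(content))
	fmt.Println("sha256 blob  ", BlobSHA256(content))
	// 4b825dc6... is git's well-known id for the empty tree.
	fmt.Println("sha1   commit", CommitSHA1("4b825dc642cb6eb9a060e54bf8d69288fbee4904", "", "initial\n"))
}
```

The practical check this gives you: a chosen-prefix attacker has to produce two framed objects with the same digest, and anything that verifies content by hash (a signed tag, a pinned dependency) inherits whatever trust you still place in SHA-1; git's own SHA-1 implementation additionally runs the SHAttered-style collision detector on every hash, which is a mitigation, not a replacement for the sha256 format.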

'First ever' snap emerges of something vaguely resembling our solar system 300 ly away. We'll take 10 tickets

Adam 1

Re: Are those numbers right???

Whether or not the numbers are correct, it is a bit beside the point if they don't use sensible units of measure like linguines or double-decker buses.

Imagine surviving WW3, rebuilding computers, opening up GitHub's underground vault just to relive JavaScript

Adam 1

My money is on them assuming it is some sort of religious artifact.

Apple warns developers API tweaks will flow from style guide changes that remove non-inclusive language

Adam 1

Or publish the expected weekly hours worked and average salary for their supply chain factory workers?

Adam 1

Did you read the article? It's about terminology being cancelled because the thought police think that it isn't inclusive. (master/slave, whitelists/blacklists etc). In that context, pointing out that git is similarly non inclusive seems a legitimate case of taking the argument to its logical conclusion.

Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

Adam 1

Re: Once Flash finally dies

Well just make sure you're sitting down before you Google wasm.

Russia lifts restrictions on Telegram messenger app after it expresses ‘readiness’ to stop some nasties

Adam 1

Two Questions

1. Who gets to define bad?

2. If Telegram is truly a secure E2E platform, how can they possibly determine the content of a message in order to cooperate with authorities?

Switzerland 'first' country to roll out contact-tracing app using Apple-Google APIs to track coronavirus spread

Adam 1

Re: Why do they keep repeating that ?

I guess in theory if they know your contact with an infected person occurred at a specific restaurant where you sat on an adjacent table, they could contact trace on bookings to catch those without the app.

Ok, that's a benefit, but on the other side of the equation is that government tracking citizens is really problematic in a democracy, and if you have fewer people trusting the app then it is much less useful. So that's the trade-off they aren't considering. By demanding more information, they will end up with less information in total.

This is why the zero knowledge solutions from Apple/Google are best in my opinion. Widely accessible, no privacy concerns and allows users to know to isolate and get tested.

Then you have the next tier like the Singapore and Australian versions, which to their credit attempt to limit their slurping but are not zero knowledge. They at least have user consent before uploads. Whilst I have some misgivings about how it demands a phone number and how the proximity judgement is performed server side, I don't think those downloading it are crazy or ill informed.

But at the bottom you have the UK version, which doesn't even try to maintain privacy. Not sure why the author saw fit to group TraceTogether/Covidsafe with the UK version.
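To make the "zero knowledge" distinction concrete, here is an added model of the Apple/Google exposure-notification design (example code for this page, not Apple's, Google's or any health authority's code). Each phone keeps a per-day temporary exposure key, derives short-lived rolling identifiers from it, and only uploads the key after a positive test; matching happens on the other phones, so the server never learns who met whom. The derivation is a labelled simplification: the real specification encrypts the interval number with AES-128 under an HKDF sub-key, and here HMAC-SHA256 truncated to 16 bytes stands in for that. The scenario and all keys are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const intervalsPerDay = 144 // 10-minute intervals, as in the Apple/Google spec

// TEK is a phone's per-day temporary exposure key. It never leaves the
// device unless the owner tests positive and consents to upload it.
type TEK [16]byte

func newTEK() TEK {
	var k TEK
	if _, err := rand.Read(k[:]); err != nil {
		panic(err)
	}
	return k
}

// RPI derives the rolling proximity identifier broadcast in one interval.
// Simplification (hypothetical): HMAC-SHA256 truncated to 16 bytes in place
// of the spec's AES-128 over an HKDF sub-key. The property that matters is
// kept: without the TEK, RPIs cannot be linked to each other or to a phone.
func RPI(tek TEK, interval uint32) [16]byte {
	mac := hmac.New(sha256.New, tek[:])
	var n [4]byte
	binary.LittleEndian.PutUint32(n[:], interval)
	mac.Write([]byte("EN-RPI"))
	mac.Write(n[:])
	var out [16]byte
	copy(out[:], mac.Sum(nil))
	return out
}

// DiagnosisKey is all the server ever publishes: a positive user's TEK and
// the day it covers. It carries no information about who that user met.
type DiagnosisKey struct {
	Day uint32
	Key TEK
}

// Device models one phone: its own keys and the identifiers it has heard.
type Device struct {
	teks  map[uint32]TEK
	heard map[[16]byte]uint32 // RPI -> interval in which it was heard
}

func NewDevice() *Device {
	return &Device{teks: map[uint32]TEK{}, heard: map[[16]byte]uint32{}}
}

// Broadcast returns the RPI this phone advertises during interval n.
func (d *Device) Broadcast(n uint32) [16]byte {
	day := n / intervalsPerDay
	tek, ok := d.teks[day]
	if !ok {
		tek = newTEK()
		d.teks[day] = tek
	}
	return RPI(tek, n)
}

func (d *Device) Hear(rpi [16]byte, n uint32) { d.heard[rpi] = n }

// Upload is the consent step after a positive test: only TEKs go up.
func (d *Device) Upload() []DiagnosisKey {
	var keys []DiagnosisKey
	for day, k := range d.teks {
		keys = append(keys, DiagnosisKey{Day: day, Key: k})
	}
	return keys
}

// Match runs on the phone, not the server: re-derive every RPI the
// published keys could have produced and count the ones this phone heard.
func (d *Device) Match(keys []DiagnosisKey) int {
	matches := 0
	for _, k := range keys {
		for i := uint32(0); i < intervalsPerDay; i++ {
			if _, ok := d.heard[RPI(k.Key, k.Day*intervalsPerDay+i)]; ok {
				matches++
			}
		}
	}
	return matches
}

// Scenario (constructed): Bob is near Alice for two intervals and never near
// Carol, then tests positive. Returns Alice's and Carol's match counts.
func Scenario() (alice, carol int) {
	a, b, c := NewDevice(), NewDevice(), NewDevice()
	for n := uint32(100); n < 102; n++ {
		a.Hear(b.Broadcast(n), n)
		b.Hear(a.Broadcast(n), n)
	}
	published := b.Upload() // the only data the server ever holds
	return a.Match(published), c.Match(published)
}

func main() {
	alice, carol := Scenario()
	fmt.Printf("alice matches=%d carol matches=%d\n", alice, carol)
}
```

The contrast with the "next tier" apps is where `Match` runs: move that loop and the `heard` table to the server and you have a centralised contact graph keyed by phone number, which is the design the post is objecting to.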

Adam 1

Re: Is there anything stopping...

Google and Apple won't publish an app using this new API unless you are a particular country's health authority. So now you are side loading APKs or jailbreaking to get it installed.

There's a new comet in town and you don't need a fancy multi-million-dollar telescope to see it. Just regular eyeballs

Adam 1

Re: I'd like to see it

˙ʇı ɹoɟ ʇno səʎə ɹno dəəʞ ll,əʍ

Australians can demand visitors to their homes run contact-tracing app

Adam 1

Re: Discrimination...

As a general provision, yes, providing it is worded well. There are homes that double as workplaces (eg, some day cares, some dental surgeries, vets, tax agents, etc), and if you take the "this is optional" thing seriously, you have to make sure customers and employees are free to decline without getting the sack. You would also want to be explicit in noting that no onus is on anyone to allow anyone else to view their phones to validate that the application is indeed running.

Apple-Google COVID-19 virus contact-tracing API to bar location-tracking access

Adam 1

Re: What about outdated phones?

That's not how the OEMs operated back then (particularly certain Middle Kingdom manufacturers who forked Android 5.1 to add their own shameless iOS clone UI).

Fragmentation in Android is much lower these days, but again, I am yet to find another app which reports it is incompatible with my device.

Adam 1

Re: What about outdated phones?

Outdated phones? Well Covidsafe (Australia's effort) requires Android 6+ to install, which my phone purchased in early 2018 doesn't support. Love to know why they used that baseline given the stated need to have high installation base.

Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...

Adam 1

Re: To be clear ...

I'm not sure why you think I'm disagreeing with you or defending their claim. They should not be claiming end to end encryption. Anyone clever enough to implement encryption correctly knows damn well what that term means and TLS between server and client is not sufficient.

Point 1 is absolutely correct. It should not share the key with the server if you are not asking for a cloud based MP4 to be available. It does though, hence the controversy.

Point 2 would work, but that isn't what the feature does. You are trading off convenience of a sharable MP4 link for the complexity of requiring a bespoke player and a way to securely distribute the keys to your recipient. Again power to you if that's how you want to share it.

I agree 3 would be a reasonable compromise.

On your dial in suggestions, point 1, faking your dial in number is orders of magnitude easier than compromising the key.

Point 2 would work of course, but now your company needs an extra 50 phone lines for that once a week call. Similar to point 1, there are some security compromises in proving that the incoming call is the authorised party. It also means that all audio of that call is going through a public phone system, so that's where the weakest chain link is.

I don't disagree with point 3. If I ask for an end to end encrypted call, I expect any feature that cannot operate under that constraint to disable. It is wrong to create a false impression of security.

Adam 1

Re: To be clear ...

It could be done that way, but I am describing the feature as it currently exists, where I can email you a URI, you click it and an MP4 starts playing in your browser. As I described, the server needs the session key for that functionality.

I'm not advocating anyone use that feature, but if you do then that is how it would work. But if you disabled phone-in and didn't record to cloud, then no, it should avoid sharing the session key with the server itself, or else remove that end-to-end encryption claim.

Adam 1

Re: To be clear ...

If using its record-to-cloud feature (as opposed to record to this PC), the server would need to be given the session key used for the AES streams of that meeting. It is effectively another client for that call.

The telephone dial in numbers would also need the session key.
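The thread above keeps returning to one distinction: TLS between each client and the server protects the hop, while end-to-end encryption means the relay never holds the media key. Here is an added model of that distinction (example code for this page, not Zoom's protocol or code) in which two clients agree a key over X25519, the server relays ciphertext it cannot open, and enabling "cloud recording" hands the server the key, at which point it is, as the post says, just another client. Hashing the shared secret in place of a transcript-bound KDF is a labelled simplification, and the frame content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Client is a participant: an X25519 key pair and, after the exchange,
// the meeting's media key.
type Client struct {
	priv *ecdh.PrivateKey
	key  []byte
}

func NewClient() *Client { return &Client{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

func (c *Client) Public() []byte { return c.priv.PublicKey().Bytes() }

// Derive completes the agreement from the peer's public key. Hashing the
// shared secret stands in for a KDF bound to the session transcript
// (a labelled simplification of what a real client does).
func (c *Client) Derive(peerPub []byte) {
	pub := must(ecdh.X25519().NewPublicKey(peerPub))
	sum := sha256.Sum256(must(c.priv.ECDH(pub)))
	c.key = sum[:]
}

// aead returns AES-GCM under key; with no key there is nothing to do,
// which is the relay's situation.
func aead(key []byte) (cipher.AEAD, error) {
	if key == nil {
		return nil, errors.New("no media key: only ciphertext is visible")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, frame []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

func open(key, msg []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("short message")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Server is the relay. TLS on each hop protects transport; the media is
// opaque unless a participant hands over the key, which is exactly what
// cloud recording (or a PSTN dial-in bridge) requires.
type Server struct{ escrowed []byte }

func (s *Server) Relay(msg []byte) []byte        { return msg }
func (s *Server) Read(msg []byte) ([]byte, error) { return open(s.escrowed, msg) }
func (s *Server) EnableCloudRecording(key []byte) { s.escrowed = key }

// Meeting sends one frame from Alice to Bob via the server, first with the
// server as a pure relay, then after cloud recording hands it the key.
func Meeting(frame []byte) (bobGot []byte, relayErr error, recGot []byte, recErr error) {
	alice, bob, srv := NewClient(), NewClient(), &Server{}
	alice.Derive(bob.Public())
	bob.Derive(alice.Public())
	ct := must(seal(alice.key, frame))
	bobGot, _ = open(bob.key, srv.Relay(ct))
	_, relayErr = srv.Read(ct)
	srv.EnableCloudRecording(alice.key) // the server is now another participant
	recGot, recErr = srv.Read(ct)
	return
}

func main() {
	got, relayErr, rec, recErr := Meeting([]byte("audio frame"))
	fmt.Printf("bob=%q relay=%v recording=%q (%v)\n", got, relayErr, rec, recErr)
}
```

The check a practitioner wants from a vendor is therefore not "is the link encrypted" but "which features cause `EnableCloudRecording`-style key escrow", because every such feature turns the provider into a party to the call.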

Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm

Adam 1

Yes, the malware authors could read this and simply reconfigure their name-generating algorithms. Unfortunately for them, they can't push those updated algorithms to the malware in question because those potential domains where they could have put a payload to update to a newer name generation algorithm have been blacklisted for the next 25 months.

Adam 1

Re: Financial analysis?

I doubt they would need to register all the domains. That's 8000 per day, or about one every 10 seconds. The #*#£heads behind it can just figure out the 6 domains that'll resolve tomorrow at 4:13 pm and leave the payload on whatever fly-by-night AWS site that resolves to. Have it delay execution of that payload for a few hours and determining the particular culprit domain might even be tricky.

You could even host a JPEG image on a site which contained a steganographically encoded IP address, pull that out and download the payload. The site then looks legitimate if only not looking deeply at the patterns.

Unfortunately, the defenders need to block it every time. The attackers only need to succeed once.
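Both posts above turn on the same property of a domain-generation algorithm: the candidate names are a pure function of the date, so the operator registers only a handful while the defender, once the algorithm is recovered, can enumerate and sinkhole every candidate for months ahead. Here is an added, hypothetical DGA demonstrating that (example code for this page; this is not Necurs' real algorithm, seed, domain counts or TLD list, all of which are constructed).

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

var tlds = []string{"com", "net", "biz", "info"} // constructed list

// DomainsForDay is a hypothetical DGA: the candidate domains for a UTC day
// are a pure function of the day and a family seed, so bot and operator
// agree on them with no communication at all.
func DomainsForDay(day time.Time, seed string, count int) []string {
	dayStr := day.UTC().Format("2006-01-02")
	out := make([]string, 0, count)
	for i := 0; i < count; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", seed, dayStr, i)))
		name := make([]byte, 12)
		for j := range name {
			name[j] = 'a' + h[j]%26
		}
		tld := tlds[binary.LittleEndian.Uint32(h[28:])%uint32(len(tlds))]
		out = append(out, string(name)+"."+tld)
	}
	return out
}

// Blocklist is the defender's side: once the algorithm is known, every
// domain the family could use for `days` days from `start` can be
// enumerated and sinkholed ahead of time. The operator cannot push a new
// algorithm to deployed bots without reaching them through one of these.
func Blocklist(start time.Time, days int, seed string, perDay int) map[string]struct{} {
	bl := make(map[string]struct{}, days*perDay)
	for d := 0; d < days; d++ {
		for _, dom := range DomainsForDay(start.AddDate(0, 0, d), seed, perDay) {
			bl[dom] = struct{}{}
		}
	}
	return bl
}

// Beacon models the bot: it walks the day's candidates and returns the
// first one not sinkholed, i.e. the one the operator could have registered.
// ok is false when every candidate for that day is blocked.
func Beacon(day time.Time, seed string, perDay int, blocked map[string]struct{}) (string, bool) {
	for _, dom := range DomainsForDay(day, seed, perDay) {
		if _, sinkholed := blocked[dom]; !sinkholed {
			return dom, true
		}
	}
	return "", false
}

func main() {
	const seed = "example-family-seed" // hypothetical
	start := time.Date(2020, 3, 10, 0, 0, 0, 0, time.UTC)
	blocked := Blocklist(start, 760, seed, 2048) // roughly 25 months ahead
	tomorrow := start.AddDate(0, 0, 1)
	fmt.Println("tomorrow's first candidates:", DomainsForDay(tomorrow, seed, 3))
	_, ok := Beacon(tomorrow, seed, 2048, blocked)
	fmt.Println("bot can still reach an unblocked domain:", ok)
	dom, ok := Beacon(start.AddDate(0, 0, 800), seed, 2048, blocked)
	fmt.Println("after the window:", dom, ok)
}
```

Two things fall out of running it: the defender's cost is one hash per candidate per day, trivially precomputable, and the "attackers only need to succeed once" asymmetry reappears the day the blocking window expires, which is why takedowns of this kind are described with an end date.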

You'll get your money – when this bank has upgraded Windows 7... or bought extended support

Adam 1

I'm normally up for a pin, but can't think of any atm.

As Australia is gripped by bog roll shortage, tabloid says: Here, fill your dunny with us

Adam 1

That's a crazy stupid idea! Who thought that giving the spiders any additional weapons was a good idea?

Death and taxis: Windows has had enough of clinging to a cab rooftop in the London rain

Adam 1

If I'm honest, I can't really see the point in putting Windows under a taxi. On top makes perfect sense to me.

Not a Genius move after all: Apple must cough up $$$ in back pay for store staff forced to wait for bag searches

Adam 1

Why does it take 5 minutes, let alone 45? If it was 30 seconds then no-one would care, but they clearly have understaffed their security team if you have that sort of queue. Either stagger the finish times, employ more security staff or change the bag search to a random search. Or provide a locker system where they can securely store their personal effects outside the stock security. What kind of manager thinks this is a "normal" request of an employee?

Crypto-upstart subpoenas Glassdoor to unmask ex-staff believed to be behind negative reviews. EFF joins the fray

Adam 1

Re: Business Model

According to aunty, the reviewer in that case wasn't a customer. But an interesting side note in Australia (but not necessarily related to that case) is that truth is a defense you could run. That is to say, if you can back up the claims in your review with evidence the company may find themselves with a judgement against them. A nice tag line in your review pointing out how these facts have now been established in a court of law would be epic.

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...

Adam 1

Re: Confusing.

<tinfoilhat>

From NSA advisory:

Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign. For example, the curve OID value for standard curve nistP384 is 1.3.132.0.34. Certificates with explicitly-defined parameters (e.g., prime, a, b, base, order, and cofactor) which fully-match those of a standard curve can similarly be ruled benign.

---

So basically the unexplained magic numbers in the published standard are totally secure.

Hmmm. I'm sure I've seen this movie before ...

</tinfoilhat>

Flying priests crop-dust Russian citizens with holy water to make them stop boozing and bonking

Adam 1

Re: Bonkers

No, the bonkers were on the ground.

Look, we know it feels like everything's going off the rails right now, but think positive: The proton has a new radius

Adam 1

Re: Difference in size explained

If it were up to me, I'd create a more positive environment by getting rid of some of them.

Divert the power to the shields. 'I'm givin' her all she's got, Captain!'

Adam 1

Re: Measuring standards pedant alert!

I prefer to remove all ambiguity and just use 256 nanoWales.

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

Adam 1

Absolutely no one who isn't authorized can even access it. How much more secure can it be?

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

Adam 1

Re: Security is hard

> It is quite hopeless, but removing a valuable indicator just because 85% don't pay attention means that the 15% that do will have to do without.

I would argue that it is unimportant as to how many notice that it was there. Rather, it only matters how many of those 15% of people would notice that it is later missing, and of that tiny fraction of 15%, how many of those would consequently avoid the site after noticing.

I would also argue a direct negative of EV is that same process introduces delays in reissuing a cert that you need to revoke.

Pair programming? That's so 2017. Try out this deep-learning AI bot that autocompletes lines of source code for you

Adam 1

mine is far less CPU intensive

1. Search for current line on stackoverflow.

2. Locate any answer with 5 or more upvotes and suggest it in auto complete.

Oz watchdog claims Samsung's leak-proof phones ad campaign doesn't hold water

Adam 1

opinions don't matter

In Australia, we have the Australian Consumer Guarantee which covers all products and services.

This states that products must:

"match descriptions made by the salesperson, on packaging and labels, and in promotions or advertising"

And also

"be fit for the purpose the business told you it would be fit for and for any purpose that you made known to the business before purchasing"

Samsung is in rather a spot of bother if they have been rejecting repairs on the basis of them getting wet.

Sunday seems really quiet. Hmm, thinks Google, let's have a four-hour Gmail, YouTube, G Suite, Cloud outage

Adam 1

Re: Didn't notice...

What do you mean? 404 was not there.

/My coat, thanks

Planes, fails and automobiles: Overseas callout saved by gentle thrust of server CD tray

Adam 1

not following

> Brad finally found the server ("almost the last rack we searched")

So if he found it, why did he keep searching?

Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works

Adam 1

why not?

Australia has the same requirement to not weaken encryption yet somehow provide technical assistance.

All they need to do is to make sure their laws usurp the very honourable laws of mathematics. (Quoting someone who pushed those laws of mathematics over 30 times before losing, with the irony being that the mathematics behind those 30 polls now seems very questionable in light of recent events.)

Oracle AI's Eurovision horror show: How bad can it be? Yep. Badder

Adam 1

Re: The official campaign for Oracle to enter Eurovision 2020 is needed

As opposed to Azerbaijan or Georgia? (totally not North East of Iraq). I'm led to believe that even Israel competes.

Dedicated techie risks life and limb to locate office conference phone hiding under newspaper

Adam 1

> DON'T ASK ME STUPID QUESTIONS, JUST GET YOUR ASS OUT THERE AND FIX THE [expletive deleted] PROBLEM

Ok, read right to the end and still can't figure out why the donkey was necessary.

Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry

Adam 1

In the days of credential stuffing, BYOD, and every man and dog being allocated email irrespective of their actual role in the business, I don't think that merely having a VPN layer at the edge solves the problems. Even an internal-only terminal services machine is at risk from a wormable exploit.

Accenture sued over website redesign so bad it Hertz: Car hire biz demands $32m+ for 'defective' cyber-revamp

Adam 1

Sounds like you're presuming that the same clown who wrote the server side code wrote the stored procedures. My money would be on these being the responsibility of separate teams, so rather than use an efficient for-purpose stored procedure, they improvised with what was already there. As far as performance testing, that's another team right? As for showing any form of initiative, if they ever had any then I am convinced that their training involved beating it out of them.

Ozzy app maker cancels hump day: We've tripled profits! scream slackers

Adam 1

> "By the time we get to Thursday it's like a Monday again. You get a new feeling of enthusiasm and cracking on with work, collaboration."

Um. Can someone let her know that feelings of enthusiasm and cracking on with work collaboration have been associated with Mondays by precisely no-one.

Adam 1

Re: So let's see here

Yes, cassowaries can be dangerous. It is best to keep your distance and keep well clear of their chicks. But for perspective here we have never lost a war to them.

Firefox arrives for Snapdragon Windows and Slack sidles up to Office 365

Adam 1

Re: Skype for Business

Won't be shedding any tears though. The stupid design calls like not being able to switch your mic/speakers to headset from within a conference call without minimising it and going through the main UI and hitting the config from there. And the times that it just drops the audio quality to the point you have to fire up TeamViewer. Or the times you click join and it just hangs. It's Skype in name only to me. Nothing like the original game changer Skype originally was.

Kent bloke incurs the anchor of local council after fly-tipping boat

Adam 1

Whilst that may be true, he still deserves quite a stern warning.