Posts by Adam 1

Re: hasn't really thought this through

I believe the Note7 came with toast making capabilities.

Re: Yeah but

Not so fast. Shirley if you run systemd, you get the additional protection of its built in ASLR and antivirus packages.

Re: I am an Audi driver...

Audi blinkers aren't for lane changing. They are rather used to signal that the traffic lane has been temporarily designated as a parking spot.

K. McCarthy goes ballistic. Intern's skills atrocious!

Re: Asking people if they're willing to share

I don't think that it is going to operate in the way imagined by some commentards. Whilst I would leave open the possibility of personal ownership, my money would be on these share vehicles being operated by a fleet company.

To the concern about not having a car in an emergency or having to wait 10 minutes, or being too rural, I don't think they are deal-breakers. How many families do you know with two cars, where for the most part one of them is almost only used to transport someone to and from work and maybe the odd errand? It can easily be 10K a year to operate a car once you include depreciation, insurances, registration fees, servicing, tyres and fuel. That is not to even talk of having to have additional garage/driveway/kerb space to store such vehicles for the most of the time when they are at home or at the shop or whatever. Public transport may not be an option between the places and at the times needed, or may add half an hour to each trip, or may feel unsafe waiting at a poorly lit bus stop awaiting a bus that may not arrive, so whilst we might argue that public transport is a better option, the reality is that public transport operators cherry pick the routes with the highest patronage.

If families kept their primary vehicle, then a compelling case could be made to ditch that second car and use some on demand system not unlike Uber. This could be a fraction of the cost of ownership. You don't have the inconvenience of getting the thing serviced or repaired or new tyres or checked for rego or having to decide when it's time to sell it. If you are going from suburb to city for business, you probably end up sharing a van with 3-6 others with your fee heavily discounted. Getting a new fridge? Take a ute with you to the shop. Actually, take whatever comes with you and order a ute home. Flying somewhere? No need to rent a car at your destination. No need to even pay the extortionate airport parking rates to leave a perfectly functioning vehicle a few 10s of Kms from home for a week.

It's not going to happen overnight. It doesn't have to. But my prediction is that most kids born in 30 years time will have a puzzled look when you tell them about how you used to spend a double digit percentage of your income on owning a car that you left in your garage except for a dozen trips per week.

Re: Bore off

@yogan

"However, we're told, there’s also CryptSIPVerifyIndirectData, which can be abused to green-light malicious applications with a counterfeit signature. The only thing you need are some coding tools and, oh yeah, admin privileges on the target computer."

If you are not mistaken then Iain is.

That might be a stretch. "Anyone" includes bad guys and TLAs.

What about hiding it in gcc / msbuild.exe so it injects the payload (ie the Ken Thompson Hack)

Re: Works here

Agreed. Seriously El Reg, they might ban you from WWDC if you aren't careful....

Re: Hashing and salt

Usually you to both. A secret string known to the server but not in the database, and a secret they is unique to each account. Your goal is to increase the cost of each guess that the bad guys need to make whilst not making your validation unfeasibly slow. They are used for protection against different attack vectors. Both will protect against a rainbow table (just a reverse dictionary measuring in GB or TB of millions or billions of hashes and the corresponding password). The power of a rainbow table is in reusability across multiple attacks and pretty much any reasonable length salt will mean that the hash won't be known up front (ie the bad guys need to invest a lot more, which is good)

A per server salt (rather per environment/application/etc) is useful because your validation logic knows that secret but it isn't in the database. That means that when the mongodb is left open to the world (don't get me started) it is still not possible to find the relation between password and hash.

A per user salt will inevitably require something accessible in the database (either encoded into the hash itself or in a field pertaining to the same field that doesn't change like username). The prime benefit of a per user hash is that if you and I use the same password because we like the same footy team or the same book (and we like most people don't follow recommended practice with password generation) then figuring out my password doesn't give away yours as it would if the hashes matched. Worse still, if my password hint gives away my password and my hash matched yours, that further weakens things. Worse again, I can find common hashes and collate all the password hints and join the dots. A per user hash solves all those.

Either way, don't roll your own scheme. Find a framework and use it. Recommended either bcrypt, scrypt or argon2 which use schemes that are much better at protecting against this and other attack vectors and generally require very little effort to implement.

Re: How many ads is too many?

Wow, what sites are you visiting? I've only got a very modest 123,830*

*On my phone. And that is connected via VPN which itself has built in as blocker.

@alan brown

You are presenting a false choice. The contention being that because dlink were/are dicks that the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour was.

If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he had given their or droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.

Re: Error 524

> Can I just say how comforting it is to be mercilessly pilloried for an errant apostrophe, I would miss this site.

Can you imagine if you had accidentally used a comma instead of a question mark,

Re: Data allowances

Your ADSL is 24? What do you live in the storeroom at the exchange? When I lived 150m from the exchange I got 22.8. Since moving it is closer to 6.

Also, that 100Mbps isn't happening when there is the slightest whiff of contention.

Also, here in the real world, 4G data allowances are sadly still a thing.

Re: To speak to someone?

@just enough

Just a slight tweak:

It's almost like different forms of communication on a mobile device have different strengths and weaknesses!

Now you're clear.

Re: Scraping the bottom of the excuse bilge?

Aye sea what you did the-arrh.

Re: "Scumbags" is understating matters

> they are quite capable of wiping out a substantial part of the ecosystem because they have no natural predators there. They really are no joke.

¿sɹǝpᴉds ɹno ɟo ǝɯos ʍoɹɹoq oʇ ǝʞᴉl noʎ plnoM

@def

I've definitely seen worse. The per user hash and thousands of rounds do prevent precomputed attacks and would certainly up the cost of any attack on your site. The hash iterations are there primarily to multiply the effort per guess (75K times in your case). That is obviously important but it is based on an assumed CPU time per iteration. You are somewhat limited in your iterations by the capacity of your own server (eg, it probably couldn't be a million iterations or your own server would be too unresponsive). And you are limited to the performance characteristics of a general purpose CPU. The attackers may rather use a GPU cluster or even an ASIC and be able to compensate for the additional rounds.

Other approaches try to max out some other resource (eg RAM). If a given guess expanded out to say 100MB then the idea of tens of thousands of parallel guesses isn't practical.

At the end of the day, use a framework. What you're doing is terrific for learning but it is so easy to stuff up (eg how random is your salt actually). I like the common password idea. We've done something similar. And minimum length is pretty much the most important metric. Mixed case/symbols/digits all simply serve to make your password hard to remember and given people use common substitutions (a/@ etc) they tend to add only limited additional security in practice)

Checkout scrypt, bcrypt or argon2 to handle password storage though rather than something bespoke. It will otherwise end in tears

Disclaimer <- I am not a security guy either

Re: Impossible

> it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

Obligatory

Also your idea whilst stopping attacks on specific ciphers does bit assist when said TLA compromises your RNG.

Re: Of course P≠NP....

The proof was much closer than it sounds though. It held for all values of N except N==1.

B+ Good effort

Re: Oh, yes

Jail!? But it was rogue engineers m'lord.

Re: a matter of pride?

> Why do people who vaccinate their kids care about people who don't?

1. Vaccines work really well to boost your kids'immune systems to fight of some pretty horrible diseases. Really well, but not 100%. You can be vaccinated against say whooping cough but still catch it. Your odds of catching it are much much lower but not zero.

So...

2. Herd immunity means that if less your 'herd' is carrying the virus then you are even less likely to catch it, so that's nice.

3. A very small percentage of the population cannot be immunised. Consider cancer sufferers on medications that suppress the immune system. Also newborns under 6 weeks fall into this category. Their only protection really is herd immunity (newborns might get something via breast milk but it isn't enough). Some people may also be allergic to some ingredients used in the vaccine or as stabilisers or as preservatives, so take them away as well.

4. Treating the disease is massively expensive. Doctors, medications and hospital beds are a financial burden on society and it is frustrating when the majority of cases were cheaply avoidable.

5. Many of these diseases cause long term disability in the survivors and society must pick up the tab on that too. Think polio and even things like rubella can easily kill an unborn child or otherwise cause deafness and heart issues if contacted by a pregnant woman (see point 3, you can't get vaccinated whilst you are pregnant)

6. If you choose to not vaccinate and heaven forbid find yourself watching your child struggle for breath plugged into a million machines or worse, you will have to live with your decisions.

Re: Who is benefiting

> is unlikely because if he has a good defence he is less likely to dog on his [alleged] accomplices.

TFTFY.

You had it right in the previous paragraph but if he's innocent then he has no accomplices to which to "dog on".

Re: iPhone?

Well now they have Jesus deciding on the phone so it makes sense. And now Cook is in charge, he doesn't need to enter into arguments over who is the Messiah.

Re: Utter Bastards

> And where the fuck are the people at GHCQ when we need them?

Er, 'bout that. Maybe you don't want to look at where the Wannacry miscreants stole that exploit from. I'm sure GCHQ would love to give them a stern talking to, just as soon as they finish handing over all the security researchers who have been assisting in other investigations.

Re: Hallelujah

Sorry guys. We've just been so busy figuring out how to compile a list of the most visited sites out there, we haven't had the time to pop a checkbox on the options page.

Re: Finally I'm the 1%

uBlock origin (for example) is on github and is GPLv3. The moment they stay any funny business will be the same moment the project gets forked. Whilst I'm sure they would appreciate your donations (and need some), the amount they actually need to survive and even thrive works out to be a very small amount by a very small percentage of users.

Asking "how does this thing make money" is never a bad idea though.