* Posts by cbars

548 publicly visible posts • joined 11 Jun 2013


FBI says it helped mess up that iPhone – the one it wants Apple to crack

cbars Bronze badge

Re: Cook is just grandstanding

public key

That is what they are for. That is not a security hole. Don't just quote random shit from random places, look it up. Public Key cryptography is well understood and extremely secure. I believe the problem was Apple keeping a copy of the private key, which as someone else has pointed out, is no longer the case.

Indonesian comms ministry orders 'gay emoji' block

cbars Bronze badge

sorry?

"Indonesia's dominant religion is Islam and the nation is quite conservative, hence the offence."

No, I don't follow you. I still don't understand why this religion has so many 'followers' that can take offence from pictures.

Grow up.

Privacy advocates left out of NHS care.data 'oversight' board

cbars Bronze badge

Re: A note on "anonymous" data

Sure, I'll automate that for you! No problem! :) :) :)

Just chuck my company £££'s/record and we'll sort that in [Jim, can you put an estimate in here? 6 months? Sounds good] 6 months!

There is no way I'll sell my company to anyone else. There is also no way we can lose the data before we've anonymity [sic] it! :)

Brit spies want rights to wiretap and snoop on US companies' servers

cbars Bronze badge

Re: Please save me from terrorists!

Reference?

Seriously, I want to be able to point to the official figures when I make the same argument. I had a glance at the ONS but couldn't find them.

Celeb gossip site TMZ was pushing malware at innocent surfers

cbars Bronze badge

Re: Time for HTTPSA...

"Are endpoints properly and fully authenticated? Ok, show it's trusted."

How do you do that? You have to trust someone. Back to square one please.

https = encrypted ("encrypted", doesn't mean well encrypted)

Not getting a giant warning/padlock/green address bar/whatever = authenticated

It's up to you which certificate authorities you trust. If you want to keep the defaults, that will work, and you'll get any old advertising network slinging crap at you. If you're 'paranoid' then you can only trust those certificate authorities your mates/employer/clients create.

German Chancellor fires hydrogen plasma with the push of a button

cbars Bronze badge

Re: Bollocks A picture speaks 1000 words:

@Camilla

"Thank you very much"

You're welcome.

Can you post a link to a research paper (not arXiv) which is generally accepted to have discredited the Lawson criterion?

Otherwise, I suggest you stop judging things by your infinite wisdom, and think properly about them first. I eagerly await ITER, and then the actual power plant that will follow (if I'm still alive, it is a government project after all).

The nice thing about science is that when you're right, it doesn't fucking matter what some ignorant chump says. That applies to you as well as me, so let's just sit back, bookmark this argument, and see what the experimental physicists can (dis)prove.

cbars Bronze badge

Re: Bollocks

1) You're taking it a bit further than you usually do, stop it, it's weird.

2) Since when did 'old technology' become bad technology? The wheels on my car, and the car itself, are working very well. They are old technology because they work very well.

3) Tokamaks (et al) are awesome! Intense electromagnetic fields are pretty much the only way to contain the raging power of the stars. Practising containment is extremely important if you want to run a continuous reaction for 50+ years as a power station, not for safety, for durability. We just need a big enough machine, come on ITER!

For reasons why this is true, please see theoretical physics.

A picture speaks 1000 words:

http://clivebest.com/blog/wp-content/uploads/2015/11/F3.large_.jpg

Based on that, I hope you'll see, the direction for the past 30 years has been bang on! Yay physics!

Uni of Manchester IT director resigns after chopping 68 people

cbars Bronze badge

Re: Ab-so-bloody-lutely right

Thanks Greem!

I've never heard of the Peter Principle before, this explains everything!

https://en.wikipedia.org/wiki/Peter_principle

Samsung trolls Google, adds adblockers to phones

cbars Bronze badge

Shocking survey results

People don't like annoying things that stop them doing what they're trying to do (watch videos, read, whatever).

People don't like paying for things if they don't have to.

People can want mutually exclusive things (though that isn't necessarily the case here).

Wonder how much that survey cost, and whether it was using random sampling or quotas...

State Department finds 22 classified emails in Hillary’s server, denies wrongdoing

cbars Bronze badge

Re: Translation lost across the pond

Clearly you Yanks don't understand.

No-one should be above the law. If she's not in jail, it's your problem; either your legal system is utter rubbish (smirk), or she hasn't done anything beyond 'reasonable doubt'.

This is a stupid situation and I personally reckon she should be slapped hard with a wet fish. However I would have thought that without the convenient excuse. (That is a joke, I actually wouldn't have thought that, as I had thought she would quietly divorce Mr Lover-Lover and sell some books)

You've seen things people wouldn't believe – so tell us your programming horrors

cbars Bronze badge

Upvote for you TomPhan.

We must be careful to judge the work of others who go before us. There are many reasons for 'crap' in any code.

A bit like when your significant other walks through the hallway, moves the untidy stool in the hallway and goes out. You then get to practise your Spider-Man moves as you get out of the loft 15 mins later....

Government in-sourcing: It was never going to be that easy

cbars Bronze badge

Re: Hmm...

This is organisations everywhere, all over. There is a key question, which is always brushed under the rug:

What does success look like?

Trying to project manage a hydra will never end well, because it will never end. Projects must end, otherwise they aren't projects, they are business as usual. Then again, that's what keeps the big boys in play.

Microsoft legal eagle explains why the Irish Warrant Fight covers your back

cbars Bronze badge

Re: I'm confused

I'm sad mate.

I've been thinking of writing a short book about how computers and the internet works, for my niece. I think I've just finished it:

Don't bother. Get into sport or politics: get money, power and zero stress or accountability.

GCHQ spies quashed this phone encryption because it was too good against snoopers

cbars Bronze badge
Joke

Re: You wouldn't want

Where have you looked? Chelsea, Shoreditch and Bank?

cbars Bronze badge

Re: You wouldn't want

Bit rude to lump us all in together!

You wouldn't want to buy comms systems designed/built by an organisation anywhere whose purpose it is to gather information from communications.

Probably a couple of smart liberals left in blighty who could build you a very nice system, thank you. Probably better to get an international panel together from a load of different universities to open source something.

AMX backdoors US govt's comms system with Batman-inspired surveillance mode

cbars Bronze badge

Re: This is just...

Yea! Amazing!

What requirements were given to the AMX dev after disclosure?

"Remove Black Widow username, it's compromised.

Maintain capabilities required by TLA (We're restricted by gag order so don't tell infosec bods)."

Dev goes ".....err"

Samsung sued over 'lackadaisical' Android security updates

cbars Bronze badge

Re: but

Easy. Charge more.

I'll pay over the odds for a guarantee that I'll be supported for 10 years (and I'll probably need 5-8). I expect a few other commentards would too.

It's 2016 and idiots still use '123456' as their password

cbars Bronze badge

Re: Nothing wrong with insecure passwords

Firstly:

https://www.xkcd.com/792/

Also:

"protected only by SSL/TLS"? What are you on about? Pick your enemy mate. TLAs don't need to sniff your SSL traffic to pwn you. This article was about passwords getting picked up by low level criminals (but: 'cyber' so they're scary), SSL is plenty good enough to protect that sort of information.

DARPA commits to brain-computer interface development project

cbars Bronze badge

wow

"will require integrated breakthroughs across numerous disciplines including neuroscience, synthetic biology, low-power electronics, photonics, ........"

I'll hold my breath then

UK govt: No, really, we're not banning cryptography

cbars Bronze badge

Re: What IS all this about a back door key

Hmm.

Indeed this is not a tech issue, this is a libertarian/privacy [sic] issue. It is the government demanding that all locks which get manufactured (including your door lock) get a master key designed in and posted off to the Home Office. Follow the links in this article:

http://www.theregister.co.uk/2016/01/18/keysforge_will_give_you_printable_key_blueprints_using_a_photo_of_a_lock/

to get a great explanation of how to fuck up a lock with a master key:

However, I can't let that slide... A certificate authority doesn't get a copy of your key. So it's not the same as your neighbour getting a copy. It's like someone asking my neighbour if I wrote that angry note they found on their car - and my neighbour checking it against that Christmas card I gave them, and saying: "yep, pretty sure he did, cbars is a dick".

Crummy Samsung gear no one wants, now no one can get – well done, Apple

cbars Bronze badge

ugh

Someone should take the lawyers for a drive and round off their corners by hanging them out of the door.

(I mean, not really, but these design patents are pretty ridiculous, and this is the internet - so I've got to blame someone!)

Boffins baffled by record-smashing supernova that shouldn't exist

cbars Bronze badge

Anyone else read that as...

ASSASSIN?

BlackBerry baffled by Dutch cops' phone encryption cracked brag

cbars Bronze badge

Re: Nothing to see, move along

I am not an expert on this, but I was under the impression that PGP only encrypted the message body, and maybe the subject - for exactly the risk you highlight. Also, if you encrypted the whole bloody thing then you couldn't deliver the message. So if you get 200 emails you get a load of plaintext headers, and some blobs of data. 200 is not a lot if you're looking to crack the key by brute force.

Philae's phinal phlop: Lonely lander didn't answer wakeup signal

cbars Bronze badge
Pint

Hear, hear! A jolly good show all round. I've loved following the progress of this historic mission, and its subsequent achievements along the way.

Here's to the clever minds behind ESA

Trend Micro AV gave any website command-line access to Windows PCs

cbars Bronze badge

//should probably remove this for prod

Whoops.

Well done Tavis

200 experts line up to tell governments to get stuffed over encryption

cbars Bronze badge

Re: Request Key

I agree with Credas, and just to be pedantic, I think you also need to state that

D(E(x)) === B(E(x))

Otherwise; here is a function which won't render the encryption meaningless:

B(y) = y/2

And it would still satisfy

t(B(E(x))) <= t(D(E(x)))

I reckon. But I don't work in crypto.

Researcher claims Facebook tried to gag him over critical flaw

cbars Bronze badge

Also...

He was tipped off via IRC... so....

who got there first?

As it took a couple of months for this to get 'fixed', somebody else has (potentially) got the keys. Have they re-created the private keys? Would they have done if he hadn't got his hands on them, or would they just have patched Ruby?

North Wales Police outsourcing deal results in massive overspend

cbars Bronze badge

Re: Motorists stay clear of North Wales

So people are already confident enough on that road to ignore a 50mph speed limit. Your argument is to lower that limit? To what end? Higher fines for the motorists?

If there is a genuine safety reason for needing slower moving traffic on that stretch of road (which I am not familiar with), then the best option is traffic management. Reduce the lane width, chuck a traffic light in there, or an overpass for pedestrians... I don't know.

However I do know that reducing the limit on a wide open road only serves to increase infringement, not safety.

Things we should regulate: Spyware cowboys – EU Data Protection Supervisor

cbars Bronze badge

I'd like to report a violation

My ISP is currently collaborating in the installation of spyware on an unprecedented scale!

Luckily I've got the address of the co-conspirators, instigators and financial backers. It's somewhere in SW1A 2AA, but I can't narrow it down further.

Congress strips out privacy protections from CISA 'security' bill

cbars Bronze badge

Re: "There is a problem with this approach"

Kind of the point I was trying to make.

I can only draw a parallel to a purging forest fire: not great if you're around to get caught up in it, but surprisingly essential in the long run.

cbars Bronze badge

Re: No, not quite

Which one was the party that will protect privacy and civil liberties again? Democrats or Republicans?

Never mind.

cbars Bronze badge

"There is a problem with this approach"

You're telling me! All governments, globally, seem hell bent on passing ridiculous, over-reaching, dangerous legislation and waiting for the judiciary to sort it out later (maybe - it's a "nice to have").

The periodic revolutions/civil wars throughout history have always baffled me; haven't we been heading steadily toward an enlightened and idealised age?

Nope, it makes complete sense. Off with their fucking heads, they aren't using them anyway.

Who am I kidding? I have run out of expletives; like some commentards on an earlier forum, I'm drifting ever more toward apathy. I wonder if I'd be happier being ignorant...

Ho ho hosed: Asian biz malware pwns air-gaps, thousands of Androids

cbars Bronze badge

"the separate desktop malware was hopping air-gapped machines"

It's a company that, get this, produces multiple products. (I reluctantly use the word product)

Not that it even had to be. What happens if you connect your little android handset to that air gapped machine to charge it up? Yea. Nice gap you've got there.

cbars Bronze badge

Re: Degrees of naughtyness

Wank!

There we were, relying on the old "This app does not require any new permissions".

Does it tell you in that prompt screen? I assume that is hidden as a "helpful" enabler.

Bigger than Higgs? Boffins see hints of bulbous new Boson

cbars Bronze badge

Re: Cool!

This is one of those rare times when I agree with you, jake.

Cisco starts spewing vuln info everywhere, in a good way

cbars Bronze badge

boolean amIvulnerable(String modelNum, String versionNum) {
    return true;
}

Silicon Valley's Congresswoman comes to the defense of Tor

cbars Bronze badge

Just a thought

Tor with a blacklist.

Can't one of these law enforcement agencies publish a blacklist of domains/IP addresses for the seriously bad sites? Don't make it a mandatory inclusion for a Tor exit node, just make it available.

I realise this hands over a nice (look over here) to the paedoterrorists, but it would also enable a fair minded and democratically interested party to set up a Tor node with some protection. Sure you can browse anonymously through my connection - but I don't want you looking at that shit.

Granted, if you're trying to avoid censorship then that is not the perfect solution. But if the censorship you are trying to avoid is on BBC news, or to whistle blow etc, then that should work pretty well.

You should still be able to set up an unfiltered version, but then yes, you'd probably have the old bill round and have to waste your time answering the inevitable questions.

US government pushing again on encryption bypass

cbars Bronze badge

for goodness sake

Just, shh!

Nothing will stop encryption. Cat's out of the bag mate.

IT salary not enough? Want to make £10,000 a DAY?

cbars Bronze badge
Joke

Have you tried

turning it off an....?

Snooping Scottish plod to be taken to tribunal by spied-on detective

cbars Bronze badge

Re: No surprise

In this particular case it's nothing to do with our revered Home Secretary

While I see what you mean, it did involve RIPA, therefore please cf. the Draft Investigatory Powers Bill; the connection to Our Dear Leaders is relevant, I think.

cbars Bronze badge

Re: No surprise

Oh yea, I wasn't implying she doesn't like it this way.

I just want her to have a couple of references for why the pitchfork wielding populace turns up outside her door.

Of course, that won't happen, as anti terror legislation will enable the riot police to preempt that kind of organisation.

cbars Bronze badge

No surprise

This will not be the last time. Theresa, are you paying attention?

Superfish 2.0: Dell ships laptops, PCs with huge internet security hole

cbars Bronze badge

Re: Connection?

Pretty much.

If you buy a Dell and I buy a Dell.

I can use the private key on my Dell to generate the aforementioned nasties. I can then install them on your Dell, and it will trust them, as I am using a certificate which is included in your list of trusted certificates. (ish)

So anyone with one of these Dells can screw everyone else who has one, so long as they keep trusting that cert.

It's a bit like if a bank gave everyone who rented a safety deposit box the same key. Except the box is your laptop.

cbars Bronze badge

Re: Connection

p.s. You really should post a new comment instead of hijacking an earlier post, unless you're replying.

cbars Bronze badge

Re: Connection?

While I have no data to compare our knowledge-bases or indeed intelligence, I'll offer the following hastily written summary - I apologise if it is not 100% accurate:

Software signed with a trusted certificate will run on your machine. A leaked root certificate means that anyone with it can sign any piece of software and your machine will trust it (if you have that root certificate installed).

A leaked root certificate means anyone with that private key can generate new public SSL certs, so your browser, for example, will trust the site. This exposes you to man in the middle attacks in places where an attacker hijacks your connection and presents http://haha_suckers_this_is_a_drive_by_site.com as https://facebook.com.

Combine those things, and you have an easy way to install malware on any machine using an open wireless connection - for example. But in reality there are many ways that this could cause trouble.

cbars Bronze badge

The private key

"It's a Dell trusted certificate that is mentioned in the OS. It doesn't cause any threat to the system"

Totally true.

Just like posting my bank details, home address, name and security answers all over the internet doesn't do any harm.

Or jumping off a building.

It's the bit afterwards that we're worried about. Cheers for the advice though, business as usual yea?

Top Android app devs found exfiltrating mystery stealth packets

cbars Bronze badge

Phone home

"This individual behaves like X, try showing them some adverts!"

Many UK ecommerce sites allow ‘password’ for logins – report

cbars Bronze badge

Re: Account Fetish hurts online retailers

Online retailers are the worst for this! But Hotels are worse!

Why do you need my email address? I'm paying you!

My details at any hotel I stay in are:

test

test

10 Downing Street

London

SW1A 2AA

test@test.com

Feel free to phish me :)

(That worst > worse thing. Yea, that's irony)

cbars Bronze badge

Re: Obligatory

I think we (in IT) are pushing the wrong solution. I've opted for a completely predictable (but relatively hard to guess) password pattern (which does change, but only slightly), but change my email address for every site - then forward them all to my 'real' email address. You rarely need to know the login, and can look it up - or store it in your browser cache with impunity.

That way, one site getting popped means sweet FA (depending on the site). No automated script is going to guess which random(ish) email you used for the other sites you use.

As long as the websites use rate limiting, you're pretty much good for most situations.

TLAs? That's another game.
