* Posts by brotherelf

230 posts • joined 16 Jun 2014


Who would cross the Bridge of Death? Answer me these questions three! Oh and you'll need two-factor authentication


Ah yes, the chimneys.

2021 is the year of Google Robot Santa.

The AN0M fake secure chat app may have been too clever for its own good


Re: So, a backdoored encrypted chat, eh ?

> criminals do not have warrants at their disposal.

Well, unless…

(judicial oversight doesn't scale either, btw)

Seven-year-old make-me-root bug in Linux service polkit patched


_Another_ one of these?

Because we've had "return 0 in error case, oh, what do you mean, that's root's UID" in systemd before… what was it, service units with non-existing users?

A trip to the dole queue: CEO of $2bn Bay Area tech biz says he was fired for taking LSD before company meeting


> Personally, I believe that any mind expansion or mood change possible with street drugs is also possible by other non-drug means - e.g., fasting, meditation, and physical activity. There is long history of such.

Yes. This training is a bit easier if you know what you're looking for, though. (In a "now I know what I can give my consciousness permission to do" kind of way.)

AFAICT, even the proponents of psychoactive substances for mental health reasons don't say this is a pill that will fix your problem – it's possibly a way to make it easier to see things from a novel-to-you angle that will make it easier to do all the other stuff, like CBT, even if your current brain patterns try very hard to keep you in a routine that isn't healthy for you.

UK's National Cyber Security Centre recommends password generation idea suggested by El Reg commenter

Paris Hilton

Re: Mailbox password

Works the other way around, too. I have accounts in some places where I literally don't know the password and don't store it. The company I might order something from once every five years? It's faster just to do a password reset.

(I vaguely recall even The Bruce thinks this is a valid mode of operation, but don't quote me — or him — on that. Also, he has surprising views on on-paper passwords.)

How to ensure your tech predictions catch on in a flash? Do the mash


Re: Future Gazing

Oh, and hipster posters reading "This place is not a place of honor… no highly esteemed deed is commemorated here… nothing valued is here." which is a very interesting, if nerdy, rabbit hole to go down.

Easily distracted by too many apps, too many meetings, and too much asparagus


Re: wild asparagus

Ah, the "self-contained remote control slash". (I was very confused when that sentence didn't go where I thought it would.)

GPS jamming around Cyprus gives our air traffic controllers a headache, says Eurocontrol


Re: The blocker needs a present

Well fortunately, most legitimate GNSS signal sources are higher up. (I'd be totally unsurprised to hear of rogue jamming sats in orbit, though.)

The sooner AI stops trying to mimic human intelligence, the better – as there isn't any


Ah yes, Artificial Stereotyping.

It might be good for writing romance novels and sci-fi pulp, though? (Or at least as good as the current crop of acute adjectivitis.)

You want me to do WHAT in that prepaid envelope?


Re: Happy with a mouse..

Yeah, fine motor axis parallel is a bit difficult, and I curse people who stack their menus three levels deep.

The original (W95? 98?) drivers for my Trackball Optical had a setting that let you set the y axis at a not-90° angle to the x axis to help with that. (Say what you will, the old MS peripherals are pretty sturdy. I think my TO is old enough to vote now and still runs like a champ, as long as your fingers provide a bit of grime to keep it running smoothly.)

Housekeeping and kernel upgrades do not always make for happy bedfellows


Re: Delete is written rename

My boss agrees. All his cruddy perl scripts have the passwords right in the code, hardcoded next to the database name.

How do you save an ailing sales pitch? Just burn down the client's office with their own whiteboard


Re: " 220V on which South Korea operates"

Things even went iffy a couple of weeks ago. For values of iffy being "frequency went 0.3Hz off spec": https://www.entsoe.eu/news/2021/01/15/system-separation-in-the-continental-europe-synchronous-area-on-8-january-2021-update/

I'm so glad all I manage is a bunch of webpages for entitled academenteds and not power plants.

Transcribe-my-thoughts app would prevent everyone knowing what I actually said during meetings


Re: 10 minutes

I didn't know my company has mainframes!

Dnsmasq, used in only a million or more internet-facing devices globally, patches not-so-secret seven spoofing, hijacking flaws


We see the Golden Stream decision is having an effect.

"Red Hat […] and major Linux distributions." Bwahahaha.

Over long US weekend, GitHub HR boss quit after firing Jewish staffer who warned Nazis were at the Capitol


Re: what symbols?

Even the 1.0s claimed (their take on) germanic/norse culture, such as runes, so yes, quite emphatically, yes.

The CIA's 'entire' collection of UFO records has been made available for you to sigh at


Re: multipage .tiff files

Well, I can see how he'd prefer PDFs with redacting rectangles just superimposed over the text that is still in the file.

'Following the science' rhetoric led to delay to UK COVID-19 lockdown, face mask rules


Ministers have switched back and forth between alarm and reassurance, while failing to drive home

Well, Margaret Ferrier and Dominic Cummings did that for them…

(Meanwhile, in "not all people are idiots", Kramp-Karrenbauer actually camped in her MoD office in Berlin instead of driving all the way across Germany to self-isolate at home.)

BOFH: Switch off the building? Great idea, Boss


"Well could force a fault condition then see what the lamp does?"

Ah yes, the good (rubber-insulated) hands-on approach.

(OTOH, I can't count the number of times I've had people ask me to fix things that weren't actually broken and they hadn't even tried them yet.)

Where's the mysterious metal monolith today then? Oh look, it's atop a California mountain


Steel yourself, not all are made from metal either…

A wooden statue that was surreptitiously um… erected, I guess?, in the alps has gone missing as well.


Thought the M3 roadworks took a while? Five years on, Vivaldi opens up a technical preview of its email client


:squint: What's the data flow here?

I'll be the first to admit I've manually IMAPped about once or twice in my life, but there was no place in the communication where I would even have been able to transmit a user agent.

So what's the data flow? App takes developer token to request to let end-user generate an app-specific transient IMAP passphrase? Which yes, is safer, because it can be revoked separately from other login credentials.

I work therefore I ache: Logitech aims to ease WFH pains with Ergo M575 trackball mouse


Re: Never found a replacement for the Trackman Marble FX T-CJ12

Still works fine in my VMs, and it registers as a five-button HID anyway, but I guess the specialized driver that, amongst other things, let you tilt the x and y axis, won't work anymore.

Still a fan of these beasts. Bought one in 2003 and it's still going strong.

[Checks meeting agenda...] Where does it say 'Talk cr*p and waste everyone's time'?


Re: Nad Watch Live!

I've now actually looked up "ring watch live" and I'm very relieved it wasn't what I had feared, even after the catch fire comment didn't sufficiently enlighten me. (I don't know what y'all do after a vindaloo supper in times of lockdown.)

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped


Re: OMG !

Software costs money, too. (My "favourite" example is a purveyor of fine almost-never-breachable(tm) VPN solutions, a veritable fortiress of data security, who is very proud that they support RFC-compliant *OTP. Well yes, but the way to import the shared secrets is dongled to hell and back, so they still get to charge you money for nothing and you can't bring your own *OTP app.)

That being said, as with everything else in security, it's a tradeoff consideration. Would my elreg account warrant authentication by blood sample? Hardly. Can you afford to lose all customers who can't/won't use smartphones? Along with all using smartphones (authenticator and service app on the same device weakens security)? What's your fallback to re-authenticate when the 2nd factor is lost? If it involves a phone line, you've gained nothing. If it involves postal mail or physical presence, it will be slow.

Let's... drawer a veil over why this laser printer would decide to stop working randomly


Dear readers, I am disappoint.

There's several dozen comments and none have yet pointed out that the author has apparently never seen a DIP switch.

Did I or did I not ask you to double-check that the socket was on? Now I've driven 15 miles, what have we found?


Ah yes, USB switches.

Turn it off, rotate plug 180 degrees, turn on. If it still doesn't work, repeat.

Ho hum: If you're so artificially intelligent, name this song while my videos go viral


I can imagine it now…

"Unexpected honker in the masking area", and a shop assistant in full beekeeper hazmat suit will eventually shuffle over to sullenly swipe a card through the door to let you in.

(Also, unrelatedly: even though I never spent a second wondering what Dabbsie's voice sounds like, I didn't expect it to sound like that. Is that something that only happens to me?)

We don't need maintenance this often, surely? Pull it. Oh dear, the system's down


Yup, that exists.

In the very old days, LaTeX would at least sternly warn, thinking it was very unlikely there would not be updates in, what was it, three years?

Oh dear, what a pity! It seems you can't join the directors at the Zoom meeting today


I love the statement they released…

"""Support is working on getting it mentioned on status.zoom.us."""

Yeah, I know workplaces like that. "Do you know who can put things onto the status page? I usually ask Jack, but Jack seems to be on vacation since I got no reply? No, he's not marked as away. You know people always forget. I tried opening a ticket, do you know if anybody reads that queue? I really have no time to find somebody to do this, I get fifteen mails per minute from customers asking about this that I need to answer."

Beer, 'cause helldesk staff deserve one.

Chromium devs want the browser to talk to devices, computers directly via TCP, UDP. Obviously, nothing can go wrong


"Like WebUSB, WebMIDI and WebBluetooth, …"

at that point in the sentence, you should have become vvvverryyyy suspicious. And I say that even though I would probably benefit from the new API.¹

Also, what's this "[the API] will come with a higher barrier to use [than asking nicely]"? Are we seeing another step to Appstorification of the free and equal interwebs? "Yes, we have that API, but you can only use it from vetted code that you download through our AMP AppstoreMoneyProgram. This ensures your libraries and page will load quickly from our CDN, wherever in the world your users are. We even include 5000² free³ downloads every month⁴."

¹ because as soon as lethargy leaves me, I will write an homage to BarcodeBattler that uses TLS certificate data, and you can't introspect that from Javascript.

² subject to change ³ 49.99 setup fee; developer membership required ⁴ offer valid until September 9852, 1993

FYI: Chromium's network probing accounts for about half DNS root server traffic, says APNIC


Re: OR we could fix the root of the problem

Well we can turn _omnibox_ into a privacy issue, because every single-word search term is apparently handed to your DNS provider as a lookup. (Yes, I know that ironically, the usual privacy complaint is that it all gets handed to the search engine.)
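If you run the resolver, the omnibox leak and Chromium's intranet-redirect probes both show up as single-label queries in the query log. The following is an added example, not the commenter's code, that parses dnsmasq-style query lines (the sample lines are constructed) and reports, per client, the single-label names seen and the subset shaped like the Chromium probes, using the 7-15 random lowercase letters pattern described in the APNIC write-up as a heuristic. Real words of that length ("intranet") match it too, so treat the flag as a prompt to look, not as proof of origin.

```python
import re

# Constructed dnsmasq-style query log lines; not taken from any real resolver.
SAMPLE_LOG = """\
Jan 15 10:00:01 dnsmasq[412]: query[A] www.theregister.com from 192.0.2.10
Jan 15 10:00:02 dnsmasq[412]: query[A] qlwzkprtmve from 192.0.2.10
Jan 15 10:00:02 dnsmasq[412]: query[A] xnbjdhrwkqlp from 192.0.2.10
Jan 15 10:00:02 dnsmasq[412]: query[A] hvmrtplgnbwsd from 192.0.2.10
Jan 15 10:00:05 dnsmasq[412]: query[A] polkit from 192.0.2.10
Jan 15 10:00:07 dnsmasq[412]: query[AAAA] intranet from 192.0.2.11
Jan 15 10:00:09 dnsmasq[412]: query[A] mail.example.org from 192.0.2.11
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")
# Heuristic for the Chromium probe shape (7-15 lowercase letters, single label).
PROBE_RE = re.compile(r"^[a-z]{7,15}$")


def parse_queries(log: str):
    """Yield (client, qname, qtype) for every query line; trailing dot stripped."""
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip("."), m["qtype"]


def single_label_report(log: str, probe_burst: int = 3) -> dict:
    """Per client: all single-label names, the probe-shaped subset, and whether
    the client fired at least `probe_burst` probe-shaped names (Chromium sends
    three per network change, so three is the default threshold)."""
    report = {}
    for client, qname, _ in parse_queries(log):
        if "." in qname:
            continue  # has a domain part: not an omnibox word or a probe
        entry = report.setdefault(client, {"single_label": [], "probe_like": []})
        entry["single_label"].append(qname)
        if PROBE_RE.match(qname):
            entry["probe_like"].append(qname)
    for entry in report.values():
        entry["probe_burst"] = len(entry["probe_like"]) >= probe_burst
    return report


if __name__ == "__main__":
    for client, entry in single_label_report(SAMPLE_LOG).items():
        print(client, entry)
```

The short non-matching name ("polkit") is the omnibox case: a single word typed into the address bar that became a lookup, which is the privacy issue in the comment above and is not what the probe heuristic catches.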

This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit


Re: 85th Main Special Service Center

They're busy servicing German Tanks. Apart from the 63rd, which is looking for polar-bear-sized aliens.

We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother


Re: Optional

As if "there'll be collateral damage" ever stopped a browser vendor. Basic auth in iframes, not showing www/m prefix even if what's shown has no A/AAAA record, the default changing from rel="opener" to rel="noopener", abandoning the CA/B forum, the list goes on and on. We are rapidly heading back towards "best viewed in X/Y/Z because Y/Z/X is broken".

GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system


Re: Hang on a second. Something smells funny.

Where's the SecureBoot flaw in there? It hands over control to a boot loader with a valid digital signature, which is the only notion of "trusted" at that point, and the fix on SB's side is a revocation list that invalidates that particular signature.

The flaw, if any, is that buggy software got signed, but putting that at SecureBoot's door is like saying CAs should miraculously not issue and revoke certificates for sites running old Wordpress versions.

I would be entirely unsurprised if there are boot loaders which have gone through formal verification, i.e. are mathematically proven to work correctly (on an abstracted machine model, i.e. still vulnerable to compiler and CPU microcode bugs)

No wonder Brit universities report hacks so often: Half of staff have had zero infosec training, apparently



I'm not worried about the 8% that report 5+ incidents. "Prof sends a mail to students and uses CC instead of BCC" is a data breach that technically needs to be reported. Frankly, "prof has former student's mail still in address book" is probably an incident in and of itself because the reason for processing is gone.

I'm worried about the 92%, because I fear 91% don't look or don't report, and only 1% is running a proper shop.

(And we all know that all it takes to make a university stop dead is a handful of current or former students requesting the full extent of information GDPR entitles them to. Yes, that includes paper files.)

Chinese tat bazaar Xiaomi to light a fire under Amazon's Kindle with new e-book reader


Re: Can Xiaomi make a go where Sony gave up?

Don't they still do those huge 13" ones? Oh bugger… those were always on my "decadent toy when I win the lottery" bucket list.

Twitter hackers busted 2FA to access accounts and then reset user passwords


Re: The bit that leaps out for me...

From my experience (in Edumacation), it is exactly the "very important people" who would insist that a single helpdesk person should of course be able to imMEdiately set a new password, without callback or other further identification, after all they already have the cheek of not giving out the original value of the password.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too


Re: That kinda sucks...

Point one: I've seen people who've done setups like that, by accident of incompetence. (I.e. they threw everything they had into the certificate bundle, including now-expired intermediate and root certs.) Not all browsers handle this. I don't recall if it was Firefox who'd pick an arbitrary certificate chain and fail if that one wasn't valid. Could've been Chrome, too.

Point two: I've not checked in detail, but I wouldn't be surprised if certificate transparency logs reject requests to log a certificate for the far-future. (And I don't think trusted CAs issue un-logged certs anymore.)

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher


Re: Expired but still valid

Last spin of the cycle: it's not the commercial CAs that want to reduce validity, it's the browser vendors (Apple and Google), presumably because they don't want to put more thought into their OCSP implementations.

DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline


He might be preoccupied with the RCE in qmail that seems to be a "surely this won't ever be larger than X (until it is)".

Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys


Re: @Korev

This – though, since both the GoDaddy hack and this one have rumors about infected sshd binaries, I'm not entirely convinced it's not the forwarding aspect of the protocol that is part of the issue. (I.e., if you connect into an infected host, it uses forwarding to log "you" into other nodes. That still doesn't explain the privilege escalation to modify sshd in the first place, though.)

GoDaddy hack: Miscreant goes AWOL with 28,000 users' SSH login creds after vandalizing server-side file


Re: And why...

Hashing doesn't matter if the process of logging in sends the password to the server and you've gained control of the server. The statement is carefully wishy-washy, my guess is the configuration was corrupted and delegated password checking to something under external control.

Getting a pizza the action, AS/400 style


Re: "Hopefully he also added a bit of text along the lines"

Oh good lard, the pretty new variant of "slider" toggles labeled with on/off where the slider isn't in a way to make it completely non-obvious whether they designate state or action.

Grab your Bitcoin while you can because Purse.io is shutting up shop in June and you could lose the lot


Re: Respect

> There's a certain Mr T

I pity the fool!

Firefox 74 slams Facebook in solitary confinement: Browser add-on stops social network stalking users across the web

Black Helicopters

Re: Extend this mechanism

> We probably need a "work domain" and an "internet domain" as well.

*gets flashbacks of the IE6 security settings slider*


Re: "Log in with Facebook"

> Did OpenID bite the dust?

Yes, even the overflows removed it years ago. How about Mozilla Persona? No wait… How about Shibboleth/SAML?

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months


Re: What's the benefit?

> They would have to steal your hopfully protected private key...

Well yes. The certificate is public anyway, the common parlance of "compromised certificate" can be a bit misleading there. (And no, a new certificate does not mean it must be a new private key.)

The extent to which you can protect the private key can be limited on servers you want to restart without human interaction.


Re: Super slowmo

>> Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats

> Not that clear - if there's a major certificate-based threat then 1 year is absurdly long.

They have a point, in a very roundabout way – remember the joke about the clock flashing on your microwave because you just can't be arsed to read up how to set it and you forgot from the last time around and you think it's really not that important? That's what certificate hygiene is. Wait till it fails, tell the customer to click ok, find out the guy who did it the last time retired, and then find out how to do it yourself, and forget until next time. Until it's frequent enough for you to actually learn (or automate away).



How is it a pain? Don't ask me, ask the people running dnssec-tools.org or mozilla add-on update servers, those being two examples that come to my mind of sites that ran around with expired LE certs for quite a while.

It's a fun sport if you're so inclined: compare the certificates in use with the public ledger of issued certificates. If the auto-renew doesn't work, who knows what else doesn't work on those servers.
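The "compare the certificates in use with the public ledger" sport above, and the earlier remark that trusted CAs no longer issue unlogged certificates, both reduce to one comparison: what the server presents versus what Certificate Transparency says was issued for that name. The following is an added example, not the commenter's code; it takes the served certificate's serial and expiry plus a list of CT entries (all constructed, as if already fetched and parsed) and names the failure mode: renewal cron dead, renewal fine but the daemon never reloaded, certificate absent from CT altogether, or simply due. The 30-day renewal window is the common ACME client default and an assumption here.

```python
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    """Timestamps are naive UTC in ISO-8601 'Z' form."""
    return datetime.strptime(s, TS_FMT)


def classify_deployment(served: dict, ct_entries: list, now: str,
                        renew_before_days: int = 30) -> str:
    """Compare the cert a server presents with the CT entries for the same name.
    Returns one of:
      'not-logged'           served serial appears in no CT entry
      'renewed-not-deployed' CT holds a newer cert but the old one is still served
      'expired-not-renewed'  served cert expired and CT shows nothing newer
      'renewal-due'          still valid, nothing newer logged, inside the window
      'ok'                   still valid, nothing newer logged, outside the window
    """
    now_dt = parse_ts(now)
    served_exp = parse_ts(served["not_after"])
    if not any(e["serial"] == served["serial"] for e in ct_entries):
        return "not-logged"
    newest = max(parse_ts(e["not_after"]) for e in ct_entries)
    if newest > served_exp:
        return "renewed-not-deployed"
    if served_exp <= now_dt:
        return "expired-not-renewed"
    if served_exp - now_dt <= timedelta(days=renew_before_days):
        return "renewal-due"
    return "ok"


# Constructed scenarios: (served cert, CT entries, observation time).
NOW = "2021-03-01T00:00:00Z"
SCENARIOS = {
    "healthy": ({"serial": "a1", "not_after": "2021-05-01T00:00:00Z"},
                [{"serial": "a1", "not_after": "2021-05-01T00:00:00Z"}], NOW),
    "reload-never-ran": ({"serial": "b1", "not_after": "2021-03-10T00:00:00Z"},
                         [{"serial": "b1", "not_after": "2021-03-10T00:00:00Z"},
                          {"serial": "b2", "not_after": "2021-05-28T00:00:00Z"}], NOW),
    "cron-dead": ({"serial": "c1", "not_after": "2021-02-20T00:00:00Z"},
                  [{"serial": "c1", "not_after": "2021-02-20T00:00:00Z"}], NOW),
    "due-soon": ({"serial": "d1", "not_after": "2021-03-20T00:00:00Z"},
                 [{"serial": "d1", "not_after": "2021-03-20T00:00:00Z"}], NOW),
    "unlogged": ({"serial": "e9", "not_after": "2021-06-01T00:00:00Z"},
                 [{"serial": "e1", "not_after": "2021-06-01T00:00:00Z"}], NOW),
}


def run_scenarios() -> dict:
    """Classify every constructed scenario; handy for eyeballing the outcomes."""
    return {name: classify_deployment(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} {verdict}")
```

In practice the served side comes from a TLS handshake and the CT side from a log monitor or a search over the logs; the check itself is deliberately kept to the comparison so it runs offline. "renewed-not-deployed" is the case the comment hints at: the auto-renew did work, and whatever was supposed to reload the daemon afterwards is the thing that is broken.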

Instagram influencer fools followers into thinking Ikea photoshoot was Bali holiday

Black Helicopters

Re: Clearly a cover up

Well it is the All Seeing Coverup by Illuminati for Illuminati, after all, so I'm not surprised.

Internet's safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can't open a safe


I wonder if it's the safe that was already hard to open in KSK39.

Because of course you can watch the videos of the ceremony. It's only mildly more exciting than watching grass grow, but makes a good sleeping aid.



Biting the hand that feeds IT © 1998–2021