Ah yes, the chimneys.
2021 is the year of Google Robot Santa.
Posts by brotherelf
230 posts • joined 16 Jun 2014
Who would cross the Bridge of Death? Answer me these questions three! Oh and you'll need two-factor authentication
The AN0M fake secure chat app may have been too clever for its own good
Seven-year-old make-me-root bug in Linux service polkit patched
A trip to the dole queue: CEO of $2bn Bay Area tech biz says he was fired for taking LSD before company meeting
Friday 30th April 2021 05:10 GMT
> Personally, I believe that any mind expansion or mood change possible with street drugs is also possible by other non-drug means - e.g., fasting, meditation, and physical activity. There is long history of such.
Yes. This training is a bit easier if you know what you're looking for, though. (In a "now I know what I can give my consciousness permission to do" kind of way.)
AFAICT, even the proponents of psychoactive substances for mental health reasons don't say this is a pill that will fix your problem – it's possibly a way to make it easier to see things from a novel-to-you angle that will make it easier to do all the other stuff, like CBT, even if your current brain patterns try very hard to keep you in a routine that isn't healthy for you.
UK's National Cyber Security Centre recommends password generation idea suggested by El Reg commenter
Sunday 11th April 2021 07:04 GMT
Re: Mailbox password
Works the other way around, too. I have accounts in some places where I literally don't know the password and don't store it. The company I might order something from once every five years? It's faster just to do a password reset.
(I vaguely recall even The Bruce thinks this is a valid mode of operation, but don't quote me — or him — on that. Also, he has surprising views on on-paper passwords.)
How to ensure your tech predictions catch on in a flash? Do the mash
Easily distracted by too many apps, too many meetings, and too much asparagus
GPS jamming around Cyprus gives our air traffic controllers a headache, says Eurocontrol
The sooner AI stops trying to mimic human intelligence, the better – as there isn't any
You want me to do WHAT in that prepaid envelope?
Friday 19th February 2021 16:32 GMT
Re: Happy with a mouse..
Yeah, fine motor axis parallel is a bit difficult, and I curse people who stack their menus three levels deep.
The original (W95? 98?) drivers for my Trackball Optical had a setting that let you set the y axis at a not-90° angle to the x axis to help with that. (Say what you will, the old MS peripherals are pretty sturdy. I think my TO is old enough to vote now and still runs like a champ, as long as your fingers provide a bit of grime to keep it running smoothly.)
Housekeeping and kernel upgrades do not always make for happy bedfellows
How do you save an ailing sales pitch? Just burn down the client's office with their own whiteboard
Monday 1st February 2021 20:25 GMT
Re: " 220V on which South Korea operates"
Things even went iffy a couple of weeks ago. For values of iffy being "frequency went 0.3Hz off spec": https://www.entsoe.eu/news/2021/01/15/system-separation-in-the-continental-europe-synchronous-area-on-8-january-2021-update/
I'm so glad all I manage is a bunch of webpages for entitled academenteds and not power plants.
Transcribe-my-thoughts app would prevent everyone knowing what I actually said during meetings
Dnsmasq, used in only a million or more internet-facing devices globally, patches not-so-secret seven spoofing, hijacking flaws
Over long US weekend, GitHub HR boss quit after firing Jewish staffer who warned Nazis were at the Capitol
The CIA's 'entire' collection of UFO records has been made available for you to sigh at
'Following the science' rhetoric led to delay to UK COVID-19 lockdown, face mask rules
Monday 21st December 2020 18:17 GMT 
Ministers have switched back and forth between alarm and reassurance, while failing to drive home
Well, Margaret Ferrier and Dominic Cummings did that for them…
(Meanwhile, in "not all people are idiots", Kramp-Karrenbauer actually camped in her MoD office in Berlin instead of driving all the way across Germany to self-isolate at home.)
BOFH: Switch off the building? Great idea, Boss
Where's the mysterious metal monolith today then? Oh look, it's atop a California mountain
Thought the M3 roadworks took a while? Five years on, Vivaldi opens up a technical preview of its email client
Thursday 26th November 2020 05:51 GMT 
:squint: What's the data flow here?
I'll be the first to admit I've manually IMAPped about once or twice in my life, but there was no place in the communication where I would even have been able to transmit an user agent.
So what's the data flow? App takes developer token to request to let end-user generate an app-specific transient IMAP passphrase? Which yes, is safer, because it can be revoked separately from other login credentials.
I work therefore I ache: Logitech aims to ease WFH pains with Ergo M575 trackball mouse
Wednesday 25th November 2020 07:19 GMT
Re: Never found a replacement for the Trackman Marble FX T-CJ12
Still works fine in my VMs, and it registers as a five-button HID anyway, but I guess the specialized driver that, amongst other things, let you tilt the x and y axis, won't work anymore.
Still a fan of these beasts. Bought one in 2003 and it's still going strong.
[Checks meeting agenda...] Where does it say 'Talk cr*p and waste everyone's time'?
Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped
Thursday 12th November 2020 06:52 GMT
Re: OMG !
Software costs money, too. (My "favourite" example is a purveyor of fine almost-never-breachable(tm) VPN solutions, a veritable fortiress of data security, who is very proud that they support RFC-complaint *OTP. Well yes, but the way to import the shared secrets is dongled to hell and back, so they still get to charge you money for nothing and you can't bring your own *OTP app.)
That being said, as with everything else in security, it's a tradeoff consideration. Would my elreg account warrant authentication by blood sample? Hardly. Can you afford to lose all customers who can't/won't use smartphones? Along with all using smartphones (authenticator and service app on the same device weakens security)? What's your fallback to re-authenticate when the 2nd factor is lost? If it involves a phone line, you've gained nothing. If it involves postal mail or physical presence, it will be slow.
Let's... drawer a veil over why this laser printer would decide to stop working randomly
Did I or did I not ask you to double-check that the socket was on? Now I've driven 15 miles, what have we found?
Ho hum: If you're so artificially intelligent, name this song while my videos go viral
Friday 23rd October 2020 13:59 GMT
I can imagine it now…
"Unexpected honker in the masking area", and a shop assistant in full beekeeper hazmat suit will eventually shuffle over to sullenly swipe a card through the door to let you in.
(Also, unrelatedly: even though I never spent a second wondering what Dabbsie's voice sounds like, I didn't expect it to sound like that. Is that something that only happens to me?)
We don't need maintenance this often, surely? Pull it. Oh dear, the system's down
Oh dear, what a pity! It seems you can't join the directors at the Zoom meeting today
Tuesday 25th August 2020 05:01 GMT 
I love the statement they released…
"""Support is working on getting it mentioned on status.zoom.us."""
Yeah, I know workplaces like that. "Do you know who can put things onto the status page? I usually ask Jack, but Jack seems to be on vacation since I got no reply? No, he's not marked as away. You know people always forget. I tried opening a ticket, do you know if anybody reads that queue? I really have no time to find somebody to do this, I get fifteen mails per minute from customers asking about this that I need to answer."
Beer, 'cause helldesk staff deserve one.
Chromium devs want the browser to talk to devices, computers directly via TCP, UDP. Obviously, nothing can go wrong
Saturday 22nd August 2020 05:38 GMT
"Like WebUSB, WebMIDI and WebBluetooth, …"
at that point in the sentence, you should have become vvvverryyyy suspicious. And I say that even though I would probably benefit from the new API.¹
Also, what's this "[the API] will come with a higher barrier to use [than asking nicely]"? Are we seeing another step to Appstorification of the free and equal interwebs? "Yes, we have that API, but you can only use it from vetted code that you download through our AMP AppstoreMoneyProgram. This ensures your libraries and page will load quickly from our CDN, wherever in the world your users are. We even include 5000² free³ downloads every month⁴."
¹ because as soon as lethargy leaves me, I will write an homage to BarcodeBattler that uses TLS certificate data, and you can't introspect that from Javascript.
² subject to change ³ 49.99 setup fee; developer membership required ⁴ offer valid until September 9852, 1993
FYI: Chromium's network probing accounts for about half DNS root server traffic, says APNIC
This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit
We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother
Sunday 2nd August 2020 07:17 GMT
Re: Optional
As if "there'll be collateral damage" ever stopped a browser vendor. Basic auth in iframes, not showing www/m prefix even if what's shown has no A/AAAA record, the default changing from rel="opener" to rel="noopener", abandoning the CA/B forum, the list goes on and on. We are rapidly heading back towards "best viewed in X/Y/Z because Y/Z/X is broken".
GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system
Thursday 30th July 2020 05:35 GMT
Re: Hang on a second. Something smells funny.
Where's the SecureBoot flaw in there? It hands over control to a boot loader with a valid digital signature, which is the only notion of "trusted" at that point, and the fix on SB's side is a revocation list that invalidates that particular signature.
The flaw, if any, is that buggy software got signed, but putting that at SecureBoot's door is like saying CAs should miraculously not issue and revoke certificates for sites running old Wordpress versions.
I would be entirely unsurprised if there are boot loaders which have gone through formal verification, i.e. are mathematically proven to work correctly (on an abstracted machine model, i.e. still vulnerable to compiler and CPU microcode bugs)
No wonder Brit universities report hacks so often: Half of staff have had zero infosec training, apparently
Wednesday 29th July 2020 09:08 GMT
Worryingly?
I'm not worried about the 8% that report 5+ incidents. "Prof sends a mail to students and uses CC instead of BCC" is a data breach that technically needs to be reported. Frankly, "prof has former student's mail still in address book" is probably an incident in and of itself because the reason for processing is gone.
I'm worried about the 92%, because I fear 91% don't look or don't report, and only 1% is running a proper shop.
(And we all know that all it takes to make a university stop dead is a handful of current or former students requesting the full extent of information GDPR entitles them to. Yes, that includes paper files.)
Chinese tat bazaar Xiaomi to light a fire under Amazon's Kindle with new e-book reader
Twitter hackers busted 2FA to access accounts and then reset user passwords
Tuesday 21st July 2020 08:13 GMT
Re: The bit that leaps out for me...
From my experience (in Edumacation), it is exactly the "very important people" who would insist that a single helpdesk person should of course be able to imMEdiately set a new password, without callback or other further identification, after all they already have the cheek of not giving out the original value of the password.
Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
Tuesday 30th June 2020 09:39 GMT
Re: That kinda sucks...
Point one: I've seen people who've done setups like that, by accident of incompetence. (I.e. they threw everything they had into the certificate bundle, including now-expired intermediate and root certs.) Not all browsers handle this. I don't recall if it was Firefox who'd pick an arbitrary certificate chain and fail if that one wasn't valid. Could've been Chrome, too.
Point two: I've not checked in detail, but I wouldn't be surprised if certificate transparency logs reject requests to log a certificate for the far-future. (And I don't think trusted CAs issue un-logged certs anymore.)
An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher
DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline
Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys
Thursday 14th May 2020 11:04 GMT
Re: @Korev
This – though, since both the GoDaddy hack and this one have rumors about infected sshd binaries, I'm not entirely convinced it's not the forwarding aspect of the protocol that is part of the issue. (I.e., if you connect into an infected host, it uses forwarding to log "you" into other nodes. That still doesn't explain the privilege escalation to modify sshd in the first place, though.)
GoDaddy hack: Miscreant goes AWOL with 28,000 users' SSH login creds after vandalizing server-side file
Getting a pizza the action, AS/400 style
Grab your Bitcoin while you can because Purse.io is shutting up shop in June and you could lose the lot
Firefox 74 slams Facebook in solitary confinement: Browser add-on stops social network stalking users across the web
Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months
Friday 21st February 2020 12:16 GMT
Re: What's the benefit?
> They would have to steal your hopfully protected private key...
Well yes. The certificate is public anyway, the common parlance of "compromised certificate" can be a bit misleading there. (And no, a new certificate does not mean it must be a new private key.)
The extent to which you can protect the private key can be limited on servers you want to restart without human interaction.
Friday 21st February 2020 08:27 GMT
Re: Super slowmo
>> Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats
> Not that clear - if there's a major certificate-based threat then 1 year is absurdly long.
They have a point, in a very roundabout way – remember the joke about the clock flashing on your microwave because you just can't be arsed to read up how to set it and you forgot from the last time around and you think it's really not that important? That's what certificate hygiene is. Wait till it fails, tell the customer to click ok, find out the guy who did it the last time retired, and then find out how to do it yourself, and forget until next time. Until it's frequent enough for you to actually learn (or automate away).
Friday 21st February 2020 08:19 GMT
Re: PITA?
How is it a pain? Don't ask me, ask the people running dnssec-tools.org or mozilla add-on update servers, those being two examples that come to my mind of sites that ran around with expired LE certs for quite a while.
It's a fun sport if you're so inclined: compare the certificates in use with the public ledger of issued certificates. If the auto-renew doesn't work, who knows what else doesn't work on those servers.
