Posts by brotherelf

199 posts • joined 16 Jun 2014


We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother


Re: Optional

As if "there'll be collateral damage" ever stopped a browser vendor. Basic auth in iframes, not showing www/m prefix even if what's shown has no A/AAAA record, the default changing from rel="opener" to rel="noopener", abandoning the CA/B forum, the list goes on and on. We are rapidly heading back towards "best viewed in X/Y/Z because Y/Z/X is broken".

GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system


Re: Hang on a second. Something smells funny.

Where's the SecureBoot flaw in there? It hands over control to a boot loader with a valid digital signature, which is the only notion of "trusted" at that point, and the fix on SB's side is a revocation list that invalidates that particular signature.

The flaw, if any, is that buggy software got signed, but putting that at SecureBoot's door is like saying CAs should miraculously not issue and revoke certificates for sites running old Wordpress versions.

I would be entirely unsurprised if there are boot loaders which have gone through formal verification, i.e. are mathematically proven to work correctly (on an abstracted machine model, i.e. still vulnerable to compiler and CPU microcode bugs).

No wonder Brit universities report hacks so often: Half of staff have had zero infosec training, apparently



I'm not worried about the 8% that report 5+ incidents. "Prof sends a mail to students and uses CC instead of BCC" is a data breach that technically needs to be reported. Frankly, "prof has former student's mail still in address book" is probably an incident in and of itself because the reason for processing is gone.

I'm worried about the 92%, because I fear 91% don't look or don't report, and only 1% is running a proper shop.

(And we all know that all it takes to make a university stop dead is a handful of current or former students requesting the full extent of information GDPR entitles them to. Yes, that includes paper files.)

Chinese tat bazaar Xiaomi to light a fire under Amazon's Kindle with new e-book reader


Re: Can Xiaomi make a go where Sony gave up?

Don't they still do those huge 13" ones? Oh bugger… those were always on my "decadent toy when I win the lottery" bucket list.

Twitter hackers busted 2FA to access accounts and then reset user passwords


Re: The bit that leaps out for me...

From my experience (in Edumacation), it is exactly the "very important people" who would insist that a single helpdesk person should of course be able to imMEdiately set a new password, without callback or other further identification, after all they already have the cheek of not giving out the original value of the password.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too


Re: That kinda sucks...

Point one: I've seen people who've done setups like that, by accident of incompetence. (I.e. they threw everything they had into the certificate bundle, including now-expired intermediate and root certs.) Not all browsers handle this. I don't recall if it was Firefox who'd pick an arbitrary certificate chain and fail if that one wasn't valid. Could've been Chrome, too.

Point two: I've not checked in detail, but I wouldn't be surprised if certificate transparency logs reject requests to log a certificate for the far-future. (And I don't think trusted CAs issue un-logged certs anymore.)

An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher


Re: Expired but still valid

Last spin of the cycle: it's not the commercial CAs that want to reduce validity, it's the browser vendors (Apple and Google), presumably because they don't want to put more thought into their OCSP implementations.

DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline


He might be preoccupied with the RCE in qmail that seems to be a "surely this won't ever be larger than X (until it is)".

Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys


Re: @Korev

This – though, since both the GoDaddy hack and this one have rumors about infected sshd binaries, I'm not entirely convinced it's not the forwarding aspect of the protocol that is part of the issue. (I.e., if you connect into an infected host, it uses forwarding to log "you" into other nodes. That still doesn't explain the privilege escalation to modify sshd in the first place, though.)

GoDaddy hack: Miscreant goes AWOL with 28,000 users' SSH login creds after vandalizing server-side file


Re: And why...

Hashing doesn't matter if the process of logging in sends the password to the server and you've gained control of the server. The statement is carefully wishy-washy; my guess is the configuration was corrupted and delegated password checking to something under external control.

Getting a pizza the action, AS/400 style


Re: "Hopefully he also added a bit of text along the lines"

Oh good lard, the pretty new variant of "slider" toggles labeled with on/off where the slider isn't in a way to make it completely non-obvious whether they designate state or action.

Grab your Bitcoin while you can because Purse.io is shutting up shop in June and you could lose the lot


Re: Respect

> There's a certain Mr T

I pity the fool!

Firefox 74 slams Facebook in solitary confinement: Browser add-on stops social network stalking users across the web


Re: Extend this mechanism

> We probably need a "work domain" and an "internet domain" as well.

*gets flashbacks of the IE6 security settings slider*


Re: "Log in with Facebook"

> Did OpenID bite the dust?

Yes, even the overflows removed it years ago. How about Mozilla Persona? No wait… How about Shibboleth/SAML?

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months


Re: What's the benefit?

> They would have to steal your hopefully protected private key...

Well yes. The certificate is public anyway, the common parlance of "compromised certificate" can be a bit misleading there. (And no, a new certificate does not mean it must be a new private key.)

The extent to which you can protect the private key can be limited on servers you want to restart without human interaction.


Re: Super slowmo

>> Apple clearly wants to avoid an ecosystem that cannot quickly respond to major certificate-related threats

> Not that clear - if there's a major certificate-based threat then 1 year is absurdly long.

They have a point, in a very roundabout way – remember the joke about the clock flashing on your microwave because you just can't be arsed to read up how to set it and you forgot from the last time around and you think it's really not that important? That's what certificate hygiene is. Wait till it fails, tell the customer to click ok, find out the guy who did it the last time retired, and then find out how to do it yourself, and forget until next time. Until it's frequent enough for you to actually learn (or automate away).



How is it a pain? Don't ask me, ask the people running dnssec-tools.org or Mozilla add-on update servers, those being two examples that come to my mind of sites that ran around with expired LE certs for quite a while.

It's a fun sport if you're so inclined: compare the certificates in use with the public ledger of issued certificates. If the auto-renew doesn't work, who knows what else doesn't work on those servers.

Instagram influencer fools followers into thinking Ikea photoshoot was Bali holiday


Re: Clearly a cover up

Well it is the All Seeing Coverup by Illuminati for Illuminati, after all, so I'm not surprised.

Internet's safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can't open a safe


I wonder if it's the safe that was already hard to open in KSK39.

Because of course you can watch the videos of the ceremony. It's only mildly more exciting than watching grass grow, but makes a good sleeping aid.

You'll never select all and mark as read again after this tale of peril... Oh, who are we kidding? Of course you will


User problem: needed to be escalated.

Happy Friday, I'm just here for the bad puns.

You want a Y2K crash? FINE! Here's a poorly computer


Re: Same as Audits

> old Perl script […] unreadable by any normal human

*buzz* Repetition of "Perl script".

Leave your admin interface's TLS cert and private key in your router firmware in 2020? Just Netgear things


.com is for comfiguration?

Well, there is nothing that stops browsers from implementing relaxed rules for certain TLDs, for example the ones reserved for documentation and internal purposes, in particular when they resolve to RFC1918 IPs. (Chrome has a flag for that for localhost, IIRC.) Then you'd just need to use the domains you're supposed to use for this kind of thing, and you'd be set.

Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should


Re: Are WordPress plugin developers the worst, or ...

There's also option c: it has enough market share to make this a headline. (Almost a decade with a Python-based CMS lets me assure you: people can code crap in any language.)

And always, there's option ℵ₀: all of the above.

FUSE for macOS: Why a popular open source library became closed source and commercially licensed


Re: @AC - I understand where the dev is coming from but ....

Sidenote: no, the author does not usually retain the rights, FSF projects require that you assign, to the maximum extent possible, all copyright to them.

The Windows Phone keeps ringing but no one's home: Microsoft finally lets platform die


Re: They didn't do it because of phones

> I want screens that emit 110 volts if touched

I've worked in front of Sun CRTs that were a bit like that. Those made your hair stand on end alright.

Why can't passport biometrics see through my cunning disguise?


Re: ePassport was originally a German project

Wow would I be "happy" to pay 80€ every five years for a new passport. I think the fastest way through the checks is still to go to the machine, fail the test, and then go to the counter which does not handle the normal queues but only the express lane and the rejects from the automatic machine.

OTOH, the machine at ABZ let me in, even if it took long enough to verify the picture that I'm pretty sure that's farmed out to those companies that otherwise farm money in online games and solve captchas for spammers.

Email! HUH! Yeah. What is it good for? Absolutely nothing...


Re: What a string of cockups

"which you then ignore as part of your daily checks"

FTFY. Because yup, I get that kind of mail, and 80% of the entries are stuck on "error" and I'm in no position to fix them and even when I tell the person responsible to fix it, I don't know how long it will take until it actually is fixed. Red tape at its flypapery best.

GitLab pulls U-turn on plan to crank up usage telemetry after both staff and customers cry foul


Well, the corporate attitude to the law is easy: the question is not whether it's legal or not. The question is whether the expected (in the stochastic sense) fine is larger or smaller than the extra revenue it generated.

(Do we have court decisions already on whether breach of GDPR falls under unfair business practices? Because which end user is going to go and bring the charges against GitLab?)

Microsoft explains self-serve Power platform's bypassing of Office 365 admins to cries of 'are you completely insane?'


Re: Desperate attempt at generating revenue

I have two words for you: Ribbon Hero. Look it up. I still hope that was an elaborate hoax.

BOFH: Judge us not by the size of our database, but the size of our augmented reality


Almost pint o'clock,

so hop to it, chop chop, attabot!

Excellent classic BOFH this week.

A History of (Computer) Violence: Wait. Before you whack it again, try caressing the mouse


Ah yes,

I used to have the reverse. Remember those computer desks with pull-out keyboard/mouse drawer? If your mouse cable is just so, or your mouse is optical, pushing the drawer back in will register as movement and cause screenload/unsuspend. Easily fixed by getting a trackball, though.

Oh dear... AI models used to flag hate speech online are, er, racist against black people


Re: Is anyone surprised ? Really ?

Which is why there'll be a flag for "culturally appropriating", most likely. And AIs to train for that, probably. Because surely the reason we've not solved the social problem of people being rude assholes by technical means is that we've just not tried hard enough.

Not a death spiral, I'm trapped in a closed loop of customer experience


Re: Eggmaster

I will forever be grateful to the eggmaster 4000, because it introduced me to the joy that is Uncle Bumblef*ck. https://www.youtube.com/watch?v=ydwaz2oPWY0

(Hey, there is an icon appropriately titled "eat this". Thank you, maybe not.)

The safest place to save your files is somewhere nobody will ever look


ISTR that in a stroke of UX genius, OS/2 named it "shredder" instead of faffing with retaining/undeleting.

And my workplace has seen customers who do this with their shared mail accounts. Until somebody new joined the team and had "empty trash on exit" enabled on their Outlook.

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked


Sorry, if it doesn't have an adjustable iteration count, it's not a modern password hash algorithm.

(And no, I don't make the individual UX/load/security tradeoff for every individual machine either, even though for local auth on a desktop, where the password is checked only on login/unsuspend/screenunlock, I could easily set the iteration count to the equivalent of half a second without any serious effect.)

Behold the perils of trying to turn the family and friends support line into a sideline


Re: "Is the cable plugged in?"

Twenty seconds later, somebody gets to find out if and how loop detection works.

Finally! A solution to 42 – the Answer to the Ultimate Question of Life, The Universe, and Everything


Re: Nice.

> Nobody I ever met believes that Fermat really had a proof.

I'm not much of a believer in afterlife, but I get a chuckle out of the idea that Fermat's corner of hell, for whatever reasons, is everybody recognizing him, looking at his proof in the margin, and going "you forgot a minus at the beginning there, mate".

For Foxit's sake: PDF editor biz breached, users' passwords among stolen data


Re: Storing passwords in plain text?

I hate to tell you, but there are protocols that are actually somewhat underspecified in terms of what encoding the password should be in, effectively reducing you to 7-bit ASCII as common denominator. (HTTP Auth, I'm looking at you.)

And your hash-in-the-browser scheme is somewhat flawed: whatever you give the service to recognize you by, that's de facto the password. The server can't tell if you use 2000 rounds of bcrypt every time to derive it from your first pet's maiden name or if it's just wgo4387gwheo34 by chance and you send that directly. Yes, you can build something like "Server tells the client to run X iterations, server runs N-X iterations and only has the N-iteration hash on file", which is basically challenge-response, but frankly, the answer to "the service has something like my password" is public key crypto, and that's even baked into TLS (client auth), and HTML5 had extra support for that by way of the keygen element, but browsers are actively removing those capabilities, and the UI was always pretty horrible, and server-side, it was always a bit of a dark art.

Dry patch? Have you considered peppering your flirts with emojis?


Re: Why can't we use emojis when...

No. Recognizing PoP by its codepoint is one of the merit badges of the nerd classes, along with mojibake path deciphering, spotting md5, sha1 and sha256 of the empty string, and doing ROT13 in your head.

Top tip: Don't upload your confidential biz files to free malware-scanning websites – everything is public


Re: What sites?

Possibly. "This endpoint allows you to retrieve a live feed of absolutely all uploaded files to VirusTotal, and download them for further scrutiny, along with their full reports."

It's not part of the free public API, but I've not investigated what amount of background checks they do for access to the for-pay private API.

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt


Nothing indeed. It's not even necessarily a key change (though I can see LE starting to refuse issuing certificates to keys they've seen before, because will nobody think of the children), and it sure as hell doesn't fix any key exfiltration vulns either.


Re: Certificate transparency/logging and CAA DNS records better than shortening cert lifespans?

I'll grant them this: CAA is a time-of-issue check done by good-faith actors (with working software – not everybody's is). Once the certificate has been issued by whoever, CAA doesn't mean anything.

And CT is along the same lines: a public time-of-issue message published by good-faith actors. Yes, doing that might be a prerequisite for getting into root certificate stores. Do we have technical certitude that $bigCA does not have mechanisms to bypass CT, if a three-letter agency with signed warrants compels them? No. (It would be in their own interest, though, to make it technically impossible.)

The thing you are looking for is the now-defunct (Chrome dropped support, Edge did not get support so far) HPKP (HTTP Public Key Pinning), which did not take off, because it actually forces you to think about what you're doing for two minutes, or otherwise your website will be unreachable for long timeframes if you are unprepared for a key change. (Also, technically it had a TOFU risk.) The hordes of "I click deploy on cloud" have overrun the greybeards.

German privacy probe orders Google to stop listening in on voice recordings for 3 months


Re: Fundamental to the product

I'm sure it's handled as "anonymized quality control" in para 437 of the privacy statement that "you" had to agree on after you've already bought and paid for the device. (Whatever happened to the shrinkwrap EULA cases of the 90s?)

The other pertinent question, of course, is: does that imply consent by anybody in earshot? I see a future of "to opt out, please have a Genuine Google Android device with Bluetooth enabled on you at all times. This is necessary to transmit your opt-out decision to the device. Your location data may be stored and processed for privacy and quality control purposes."

I am fairly certain we can get "using voice-activated assistants in public spaces violates GDPR" quite easily, but that hammer might fall on the owner of the device, not the company that makes it, unless somebody pulls quite stunning tricks around how you've only licensed rights to use the software and don't own it.

Office 365 verboten in Hessen schools: German state bans cloudy Microsoft suite on privacy grounds


Re: Private Eye always has

"Funny you say that, the former head of the Stasi is on record as saying they had nothing like the facilities most democratic countries' intelligence agencies have nowadays."

Yes, exactly, and look at how much of a panopticon they built with that.

Usenet file-swapping was acceptable in the '80s – but not so much now: Pirate pair sent down for 66 months


Good ol' days of Usenet.

I remember my compsci teacher looking over my shoulder, seeing me reading a NetHack newsgroup, and telling me "I don't mind, but others might, be a bit less flagrant about it". But new posters who didn't bother to read first made that mistake, too, including the one guy whose lawyer father received a printout of the post by mail. (At that time, the provider would use the phone number as part of the message ID, or something like that, and reverse phone search already existed.)

And the capital-S Shun you got in de.* if you dared post with an obvious pseudonym.

And the scary devil monastery.

Memories. My beard feels grey now.

Years late to the SMB1-killing party, Samba finally dumps the unsafe file-sharing protocol version by default


Re: Now we wait...

Why, that already happened, when it got turned off by default in Windows long ago.

FWIW, I'm surprised that "we'll ship a different default config" warrants an article. Reading the leader, I expected it to be "this is now a compile-time switch that defaults to off", and frankly, I'd be not surprised at all if all major distros already ship a stronger default config.

I don't know but it's been said, Amphenol plugs are made with lead


Re: So why did it have a dead power supply?

Been there, seen that. Also, rack full of dual-PSU servers, all connected to a single-PSU switch.

BOFH: On a sunny day like this one, the concrete dries so much more quickly


Re: Early Lessons

Lager is German for storage or warehouse. It's the little trivia like that that can save your (cough, I mean, the BOFH's) day.

NASA's JPL may be able to reprogram a probe at the arse end of the solar system, but its security practices are a bit crap


everything comes with a "yeah but"

… but at the same time, they need to grant wide-ranging access to their collaboration partner in $elsewhere. And they don't know for what and for how long and won't tell you when to remove access again, the original "Do What I Mean" permissions.

Must watch: GE's smart light bulb reset process is a masterpiece... of modern techno-insanity



Did the entire article not have a single "have you tried turning it off and on again" reference? Shame!



Biting the hand that feeds IT © 1998–2020