* Posts by zerowaitstate

46 posts • joined 27 Apr 2015

No, Google you still can't have dotless, one-word domains


Re: In that case, I would like to register the name localhost

I would like to clarify this was only a joke. Some people are actually doing this, or something very similar: https://news.ycombinator.com/item?id=12198026


In that case, I would like to register the name localhost

I would like to register the dotless domain localhost, after my new company LocalHost, LLC. We plan to offer complementary MySQL hosting; in fact we will accept any user credentials you choose to submit, just to show you how generous we are.

Hillary Clinton: My promises to America's tech industry


I've heard all of this before

I've heard about Open Government and all. Obama made it his core platform. His governance was precisely the opposite. As opposed to what Hillary says at the moment, what she has actually done in the past suggests she will not follow through with most of this, except for the part about loosening visa restrictions.

Oracle to sue cloud sales 'whistleblower' for 'malicious prosecution'


Maybe their concern is copyright violation. After all, it appears their accountants traditionally have just copied numbers from one spreadsheet into another before working with them, completely disregarding the hard work that went into the creation of those numbers. A good accountant creates new figures which aren't shamelessly derived from someone else's work.

SWIFT threatens to give insecure banks a slap if they don't shape up


Re: Why not re-use the PCI standards...

The fact that it's international, that other national governments are involved in regulating (or preventing regulation), that banks are not necessarily trustworthy just because they're banks, and because there is an expectation that there will be a government rescue in the event of serious situation.

The usual first reaction I've seen in the last several incidents has been to demand a US government agency compensate banks for their losses, so it's clear they're focused on political solutions rather than technical solutions.

Why Oracle will win its Java copyright case – and why you'll be glad when it does


If Oracle takes the position that Google's use of their API's is invalid, then it calls into question why Oracle's HTTP client sends the same HTTP headers and sequencing as every other browser maker, without obtaining their permission to do so. I can take a wireshark result of what Oracle Java sends and what Chrome sends over the wire, and there are *multiple lines* of copied code on each request, duplicated seemingly verbatim. It's like their code is designed to steal intellectual property in an automated fashion, thousands of times a day. Not only that, but they copy the IP packet header structure implemented in literally thousands of other devices. And on and on.

FCC urged to pause its fight against America's $20bn cable-box rip-off


Small pay-TV providers

Is that a thing that still exists? I thought the FCC just inked a deal bringing the number of cable companies in the US to two (maybe three).

Stop resetting your passwords, says UK govt's spy network


Re: No words in any language

That's not exactly true. For a single character, the guesser has a probability distribution over roughly 100 symbols. There are many more words in the English language, so the probability distribution is over a much larger set. It's certainly smaller that the set of permutations of all characters that make up the word, but it's bigger than a single character, by a lot. The human brain is better at remembering words than single characters, so why not leverage that? It's only a problem if you limit the length of passwords to a small number of characters (which some systems stupidly do) or you use a password quality check that only takes into account simple things like number and type of characters typed.

I think the point they're making here is that there are so many out-of-band ways of circumventing passwords now (due to the difficulty in remembering them), that fewer hackers are going to bother with brute-forcing hashes from a table dump, when they can just request your credit history and marketing report and use those to answer your "security questions".

Also, Bruce Schneier pointed out that if a hacker gains access to an account, they'll use it immediately for bad things, so the 90 day window doesn't help limit the damage, either.

Oracle to kill off Java browser plugins with JDK 9


Re: Flash Next?

The issue is that OpenJDK would have eventually replaced their proprietary VM given time, had they not taken steps to improve their behavior. The monetization of Java was always on the enterprise end (support and app servers). Trying to monetize client installs was a bad approach, especially with capable alternatives.

UK police have 43 separate IT systems and it's putting you at risk


If only there was a way to connect networks together so applications on one network could share information with applications on another network. Since this is a novel problem no one has encountered before, the UK should set up a committee to examine the problem and develop a solution. That committee should be composed of experts in the field, such as James Cameron and Teresa May.

UK Home Sec wants Minority Report-style policing – using your slurped data


Re: That Minority Report reference...

The no-fly list in the US did not require a criminal act in order to prevent boarding of a plane. If you made a similar case for all public transportation, you could severely restrict a person's movement in a country like the UK, without any commission of an actual crime. The government has to choose which they want: secret state-enemy lists, or access to analytics on all citizens private data. Having both is an Egypt-style dictatorship waiting to happen.

200 experts line up to tell governments to get stuffed over encryption


From the geniuses responsible for leaving the door wide open at OPM, we have another winning strategy for protecting the country. I wonder how much it costs to do credit monitoring for 400 million epeople, forever?

Investigatory Powers Bill: A force for good – if done right?


That's simple, really. You throttle any data communication beyond your capacity to store.

Tell us what's wrong with the DMCA, says US Copyright office


I could tell them what was wrong with DMCA, but that would be a violation of DMCA, so I won't.

Slimmed-down Verizon looks to lop off another piece of itself


Their wireline business seems more costly because they transfer liabilities to the wireline side of their business via some creative accounting. LTE data speeds cannot be supported over copper backhaul. The wireline side of the business is required to make the wireless side function. What Verizon is trying to get rid of is POTS and other subscriber access facilities, because they compete with their wireless business. It isn't that wireline isn't profitable, its just that their profit is split between the two and they would rather just give everyone an LTE modem and charge $15 per GB for data while they squat on half their allocated spectrum.

Verizon stated up front that their rollout of broadband in the US is done. The only thing FCC has to decide is whether they will allow other providers to serve the market Verizon abandoned after getting their grant money.

Riddle of cash-for-malware offer in new Raspberry Pi computers


Probably James Comey, trying to fake a Chinese dialect.


Probably wanted them to stick it on the reference ISO somehow. As many of the users are kids and students its especially scummy.

Congress strips out privacy protections from CISA 'security' bill


Re: No, not quite

Vote how? At the electronic voting machine, whose software the NSA will be given remote access to in exchange for legal immunity to the makers of the machine?

'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS


I guess they've finished their full-take NSA program and are trying to get into heaven now.

TPP: 'Scary' US-Pacific trade deal published – you're going to freak out when you read it


Provision against source code requirements

Why is this not an attack on open-source licenses like GPL? The sentence plainly states that GPL licenses aren't legal. The author of the article said that interpretation is nonsense, but doesn't explain why. A plain reading of the sentence says that, unless it has been lifted out of context.

Top cops demand access to the UK's entire web browsing history


Re: Will be struck down ....

In the US we required these requests to go to a court also. However, what the surveillance service (NSA) did was request a wiretap on "Verizon", and made it essentially open-ended, to which the court agreed, saying that simply named a telecommunications company you want to tap is specific enough. They then automated the process of siphoning off records from the telco, arguing that it wasn't actually "collected" until someone typed something into a search box (meanwhile conducting neighbor analysis on the data in an unattended fashion). So when you say "warrant", and "specific person or IP address", you shouldn't be surprised when the person is "Mr. British Telecom" and the IP address is actually a set of subnet masks that cover the entire country.

15 MILLION T-Mobile US customer records swiped by hackers


My bet is stale user account

If it was this quick to fix, chances were it was an old user account that had never been removed, or some other abuse of misconfiguration of permissions/accounts. I also think it's highly unlikely it just pertains to T-Mobile customers, but given that the news originated from T-Mobile, who for liability reasons cannot discuss any other parties.

Ahmed's clock wasn't a bomb, but it blew up the 'net and Zuckerberg, Obama want to meet him


If this were the first incident like this that I had read about recently, I would have given the LE's the benefit of the doubt. However, I read story after story about LE's going after kids who develop an interest in no-go topics such as chemistry, electronics, or rocketry. Last story I read was about a kid who was nearly killed by police because he had an amateur chemistry lab. The problem is that nearly any technology is dual-use in the sense that it can be used to injure people. It takes someone who understands what they're looking at to know the difference. Citizens over the past few years have been encouraged to "contact the authorities" if they see stuff that is suspicious. The implication is that the authorities who respond will have a better understanding of the threat. That simply isn't true when it comes to stuff like this, which is why see-something-say-something snitch campaigns result in these wild overreactions.


Actual terrorists use remote detonators. They don't put a giant LED clock on it like a James Bond thing from the 1960's. It's conceivable that they would want to confiscate it. What I don't understand was the reason he was arrested. And don't tell me they are keeping the reason for his arrest a secret to protect his privacy. They freaking sent out a letter to all the parents about the incident.

Netzpolitik spy journo treason case stalls, chief prosecutor told to quit


Pot and Kettle

Given that the prosecution was political (treason is pretty much a political charge by definition), it makes sense that the defense would also be political.

US OPM boss quits after hackers stole chapter and verse on 21.5m Americans' lives


...and another one bites the dust.

Bernie Sanders wants FCC to probe broadband prices (but wait, is there an election coming?)


I frankly don't see how the FCC can execute its mission of analyzing the market impact of mergers (I.e., like the TW Comcast one) without knowing this information. The FCC should know this stuff already, at least for those companies which have requested big mergers of their broadband businesses. And if the FCC technically doesn't, the FCC board members, which are all lobbyists/CEOs of major telecoms, certainly do.

Export control laws force student to censor infosec research


Re: Security by Obscurity wins out again,

Actually what it does is ensure that the government is the only entity which can receive/triage information about vulnerabilities, which is the whole point. It takes self-defense out of the hands of people and makes it a national security policy issue. Why pay the market rate for vulnerability research when you can make the entire existing market illegal and make yourself the market? Then, when new vulnerabilities are discovered; you get exclusive access to all of them before the general public is aware of them. If your focus is to gain leverage on domestic industry, then it's a smart move. If your focus is national defense, then probably not, because nation states always find a way around export controls.

Big Brother

If you live in the UK, possibly. Who can say for sure? The law is vague on several points. Welcome to the police state, brother.

OPM data breach: Looking at you, China! National Intelligence head stares out Beijing


In a cyber war, like other forms of mutually assured destruction, it turns out the side that loses the most is the side with the most to lose. In IT, that's definitely the US. I'm not surprised at all that this happened. What surprised me, and what continues to surprise me, is that the President and Congress can't recognize the huge conflict of interest the NSA has when it comes to assisting with defense against malware. Any time NSA discovers a vulnerability in critical infrastructure, they face a choice: expose it to the developer and let it get fixed, or keep it a secret and hope you can exploit it against a future adversary. The choice is almost always the later, because they don't get rewarded for hacks NOT happening. The USG has intentionally crippled its own defenses, and is working hard on crippling defenses of private companies, through efforts like the new "cybersecurity" bill. This is the logical, natural result.

Hey Google, what’s trending? Oh, just the death of journalism


So instead of settling for simple rumors we can now base our journalism on metarumors, i.e., rumors about rumors.

Hacked US OPM boss: We'll fix our IT security – just give us $21 million


Re: Apparently

Sunday Times beat you to it. It's all over the news right now, complete with a sort-of retraction where they said they just print what 10 Downing St tells them.


Re: Of course...

Well, not to worry. They're offering CIA case officers 18 months credit protection. That ought to take care of everything.

China's hackers stole files on 4 MEELLION US govt staff? Bu shi, says China


These are the people who want a backdoor into your network to help strengthen your cybersecurity.

Cops turn Download Festival into an ORWELLIAN SPY PARADISE


Re: brilliant

Not very accurate. I would expect the GUID to be hex and not decimal.

FTC lunges at Kickstarter bloke who raised $120,000 – and delivered sweet FA


I'm pretty sure I had to do that at an airport one time.

FBI: Apple and Google are helping ISIS by offering strong crypto


They already do that in some places. Unsurprisingly, its hard to get a "license" if you're a minority. Who knew?


Re: I'm sick of these people....

Its only a crime when little people do it.


Re: Lawmakers listen to this garbage?

It's past time to start calling them what they are: crypto deniers.

We stand on the brink of global cyber war, warns encryption guru


Warfare via computer networks isn't soft power.

This is, I believe l, the most pressing problem with so-called cyberwarfare. States that are involved in it think it merely causes financial damage (I.e., lost productivity), and so routinely conduct attacks without the self reflection they would use prior to actual bombing or othet kinds of military offense. Network attacks are no longer no-harm-no-foul. IoT means network attacks have the potential to actually hurt or kill people if the designer of the malware mistakes a pacemaker or vehicle guidance system for a desktop PC and kills it over the wire. I worry that cyberwarfare, as it is called, will start an actual very deadly war entirely by accident.

OK Google, how much of my life do you observe and disturb?


Re: Gmail is the only Google service

In fact, you don't even need to be using a Google service, have a Google account, or be using the Google Chrome browser. Many browsers today implement a "safe browsing" feature where they use remote metrics to figure out whether a site is a malware site prior to visiting it. Guess whose checking service those browsers send their usage data to?

I did some testing and we verified that Google is using built-in browser "safe browsing" features in Firefox for user fingerprinting.

UK surveillance commish asks CCTV operators to please be good


Re: Quick point

If surveillance generates good paying jobs and results in pension funds increasing in value, it cannot possibly be a bad idea.

FCC: Thanks for the concern, telcos, but we're not delaying Open Internet rules


Re: Glad to see the FCC is doing this.

They will, I promise you. Anytime a federal agency expands its own mission and it costs big dollars to a private company the size of a teclo, you're going to have a court case. There's no way around it.

Burger me! Microsoft's chainsaw rampage through sacred cow herd


Re: Overtaken by irrelevance

You realize a lot of companies in that list of analysts probably own positions on that stock.


They literally have no choice

Their whole business is a vertical stack. The whole thing revolves around funneling business into Windows and Office. All of It lives or dies together. This is as much about risk management as long-term strategy; the platform lock-in might otherwise be the coffin their business is buried in.

NINETY PER CENT of Java black hats migrate to footling Flash


This could have been solved 10 years ago if they allowed third party windows updates for java and flash for desktops without requiring sccm. Even free operating systems do a better job of patch management.


Biting the hand that feeds IT © 1998–2020