Posts by JavaJester

I am the Lorax

I am the Lorax. I speak for the trees, for the trees have no tongues. I am asking you sir at the top of my lungs. Oh, please do not run Ethernet cable through another one.

No Warm Disaster Recovery Site?

What is mind boggling is they had no disaster recovery (DR) site for such an important system. Everywhere I've worked there was some kind of DR system that could be brought up in an hour or less. Those DR sites have async database replication from the production site so that only a few minutes at most of transactions are lost. After the malpractice of failing to provide a DR system, the people involved are promoted? If I had any Southwest stock, I would unload it before the next disaster strikes.

Nobody wants to be "that poor sod"

The standard will need to convincingly show that data recovery is impossible, or it would take orders of magnitude more time and money to recover the data than its highest possible value to an adversary. For highly sensitive data, the gold standard is complete high temperature incineration. For more mundane sensitive data such as PII and payment data micro shredding is considered sufficient. Whatever standard is adopted would have to demonstrate that it is at least as good as micro shredding the drives. Nobody wants to be "that poor sod" who leaked data on a massive scale because they didn't dispose of it properly.

Potential to move learning up the stack

Assuming these coding assistants mature and provide actionable advice without ethical quandaries*, it represents an opportunity to reimagine how programming is taught. The instruction could focus more on choosing which suggested solution has the best tradeoff for the problem at hand. Things like how to evaluate O(1) vs O(N) vs O(N²) complexity in suggested code would be appropriate to teach in beginner classes. Topics that used to be considered graduate level or at least Junior / Senior level undergrad could move down the stack to more basic and intermediate level instruction. I believe a focus in this direction would be far more profitable than trying to maintain the status quo by sniffing out "cheaters".

* Yeah, I know huge assumption. This technology is too useful to be abandoned. I think it is a "when" question not an "if" question.

No Guarantee of Privacy

Dobbs vs Jackson goes much farther than just the issue of abortion. That decision puts a question mark on the entire concept of privacy as a constitutional guarantee. I know, some may be quick to point out the fourth amendment: protection against unreasonable search and seizure. But what does that mean when privacy protections are eviscerated? A woman leaves a state that restricts travel for abortions pregnant and returns without a baby and not pregnant? What is to prevent that from being probable cause to trawl through her data? With the legality of birth control in question at the federal level, what is to stop a state from declaring that a controlled substance? What is to prevent mass surveillance of the movement women for compliance with these rules? Won't someone think of the unborn children?

Now more than ever strong encryption is necessary to protect the privacy of the US citizens from what I fear is becoming a minority ruled authoritarian theocracy. If the information is extraordinary difficult or impossible to obtain, that in itself will be a deterrent against demanding it.

Faraday Cage or localized jamming?

Knocking all public wireless services offline to stop exam cheats seems like a bit much. Haven't they heard of a Faraday cage or localized jammers?

DoD is a contracting company's dream

I fairly recently worked as a DoD developer contractor. The place I worked (which will remain nameless to protect the guilty) is a contracting company's dream. A contractor can hire programmers, then hire CMMI* process stewards who will slow down the programmers with mandates for useless documentation. Obviously, that will require hiring of more programmers to compensate for the negative work generated by the CMMI camp and the requests from other teams. Then there are the network team, deployment team, architecture team, and myriad more all which must be cared for with proper documentation which unsurprisingly leads to needing more developers. You see where this is going. All the contractor has to do is set back and let the government bureaucracy and infighting do the work of creating new positions for them. They don't have to slow down the system to make more money. The customer does that for them.

* If you've never heard of CMMI, count your blessings. Think of the Agile Manifesto but with the phrases on each side of the word "over" reversed, and you have the right idea.

What's all the fuss about?

At least for me, Comcast and T-Mobile both provide an IPv6 network address that passes all of these tests. Facebook and Google's DNS return IPv6 addresses that work fine. When big tech companies see a use case that benefits from IPv6 they will use it. Otherwise, there is little point in reworking a functional system just to be on IPv6.

This slow thing would get run over by other drivers

With typical speed limits of 70 mph (approximately 110 kph) and drivers typically going above 135 kph, I wouldn't take it anywhere near an interstate. Perhaps as a way to get around city streets it is OK, but not as a serious mode of transportation.

Always be in doubt when asked your details

"Now would be a good time for GoDaddy users to be on alert for suspicious emails asking them to log in to, say, confirm their details: if in doubt, go straight to the GoDaddy website."

Any email asking to confirm your details is always suspicious. There is no "if" about that.

420 Error -- driver impaired

A useful error would be a 420 error if the app detects the driver is impaired.

RDP + SSH Tunnel = Linux Remote Desktop

A fairly straightforward way to get a remote desktop from a Linux type system on windows. Run xrdp and tunnel RDP port 3389 on the Linux to something like 3390 on the windows host (because Windows is already running its RDP service on 3389), then connect to localhost:3390 and ta da! A remote desktop.

If you run a website, don't use a CNAME for an advertiser

This is a security shit show waiting to happen. If your CNAMEd advertiser has the same FQDN as your website, it is treated as a trusted part of the web site. Think a minute and let the full implications of that sink in. Its scripts can change the JavaScript runtime by binding to events or changing the prototypes of key objects. It can manipulate any data, exfiltrate any data (remember, same FQDN so those requests automatically get allowed). Intercept any browser tokens and masquerade as any logged in user. The attacks would be indistinguishable because they could be launched from the same browser the victim user is using.

Even if you fully trust your advertiser, still do not do this. If your advertiser gets compromised, the miscreants potentially own every website that has aliased their CDN records to them. This completely breaks and renders useless all browser defenses against cross site abuse of JavaScript and http requests.

Double Ungood

I love the reference to Orwell. I wonder if that is a subtle dig at those who complained about his use of language, or having to banish terms such as master from the kernel.

Secured or Vetted Builds?

The same thing could be accomplished without changing the OSS community. An entity, such as Google or some federation of companies, could essentially mirror the various critical open source projects. They could create the signed builds they want. They could review each change and include changes that passed whatever reviews they wish to do. They would be free to make pull requests with improvement or perhaps even become a committer on the project. The people who want/need these security assurances should be the ones to provide them. They should not burden the OSS software nor try to change their culture.

Elevator Article a Work of Art

I am impressed with the Elevator Colony article that the bot wrote. It looks like the kind of thing worthy of the Onion or satire articles that appear on April 1st.

The Lady Doth Protest Too Much Methinks

Absent evidence that Epic is using Unreal Engine to sabotage the iThingy, this looks like lawyer BS to try to get leverage over Epic to bring them to heel.

Expiration Date?

A good first step would be to require the manufacturer to set an expiration date for when they will no longer provide patches for the phone. The manufacturer and seller would be required to prominently display this date. For starters, it should be required to be on the manufacturer's website, the box or other consumer materials (including ecommerce product information), and in the information section of the phone itself. In the event support is not provided up to the expiration date, the owner is entitled to a cash refund of the prorated amount purchase amount (up to the retail list price) remaining to the expiration date.

This might motivate the ecosystem to make changes to allow say Google to support the phone by better hardware abstraction. Making this a more "in your face" issue may allow the market to do its thing by having longevity be something companies compete on.

It Doesn't Seem to Help Lusers, lets Hide It!

At least in the past few years, the security interface of Chrome has gotten worse because a focus group populated with untrained lusers has no clue how to read a URL. Firstly they hide https / http and the www part of the URL. Surprise! Some miscreants figure out how to use a DNS cache poisoning attack with a twist: they poison www.example.com but leave example.com alone. The genius of this is that when people are warned about www.example.com and are using chrome they proceed because after all it says "example.com" in the address bar. When they call their administrator to check on example.com, all appears to be well because example.com wasn't impacted. Terrible, terrible idea. At least you can use the Suspicious Site Reporter to undo that behavior. Hopefully there will be a way to override this madness as well.

Why is it assumed to be a UX flaw when the user doesn't understand browser security features? Wouldn't a better solution be a campaign to educate the users? Perhaps some kind of bubble that explains the significance of the company name the first time it is seen when using the browser? Hiding information from the user is never the right answer. Hiding information invariably gives hax0rz a way to exploit the user.

Microsoft Doesn't Matter at This Point

Chrome, Safari, and Fire Fox account for over 80% of browser market share according to StatCounter Global Stats. If you operate a public facing website, the shorter cert expiry is a done deal. The only thing left for Microsoft is to decide if they want to be consistent with the other browser makers.

Obsolete on Arrival?

It doesn't seem like a good idea to buy a phone that only supports spectrum living on borrowed time. The US announcement of 2G/3G sunset dates is the canary in the coal mine. Others will soon follow. That spectrum is too tempting a target for low band 5G.

ISPs: Configure your networks properly

"Essentially, you launch a load of small requests at a bunch of devices on SSDP UDP port 1900, spoofing the source IP address as your victim's IP address." Network operators have switches and routers that allow a packet traversal of a packet from within the network but claiming to originate from outside of the network to anywhere within their network or the public internet? How embarrassing. They should get their act together and configure their network properly. It would make launching this sort of attack using their infrastructure impossible.

FCC's ability to protect privacy eviscerated by the Republican Party

Wouldn't it be great if the FCC could make regulations to protect privacy? Too bad, they can't! The Republican controlled Congress and President eviscerated their ability to make such regulations by approving a resolution of disapproval for FCC privacy regulations, which also forbids any similar regulations.

"Those rules would have required ISPs to obtain users' consent before selling their personal data – including location, browser history, health and financial data and other sensitive information – to advertisers."

In light of recent developments, the "– to advertisers." caveat was too optimistic.

https://www.theregister.co.uk/2017/04/04/fcc_privacy_rules_myths/

UI Guidelines mandate saying "Press a key to continue"

I worked at a company that had UI guidelines that included command line and text interactive programs. The guidelines actually mandated to never use the words "any key". The correct phrasing was "a key". The document went on to reason that clueless lusers would search in vain for an "any" key before driving up helldesk costs with their calls. If "a key" was used, the users would search, and their search would not be in vain: they would find an "a" key.

Personally I think those guidelines were inspired. They were probably written by someone who had gotten their start from the helldesk and answered that question many, many more times that anyone should have to.

Recommend singular "They" for Inclusive Language

At the risk of infuriating language purists: "Using welcoming and inclusive language" could also recommend using the singular "they" over "he". This can be immediately understood by any English speaker. Although alternating "he" and "she" can achieve the same effect, it can make a complex workflow with many actors more difficult to follow as the genderfluid actors randomly change gender as the flow progresses.* Since that doesn't often happen in literary books, it can by jarring and confusing when reading such technical material. The singular "they" also avoids this mess of proposed alternative third person pronouns. You would need to take a class just to know how to use all of them. https://en.wiktionary.org/wiki/Wiktionary:List_of_protologisms_by_topic/third_person_singular_gender_neutral_pronouns

* Why is the CM manager editing code now? Why is the Developer reviewing the CM workflow? Oh, my fault, the CM manager has become a "he" now, and the developer is now a "she". True story when I was learning about a new CM processing by reading its documentation. It is why the alternating "he" and "she" is unloved by me.

Developers Who Say "Ni!"

The Developers who say "Ni!' demand a sacrifice. Your Git project has a branch called "master". We demand that its name be changed at once to "Ekke Ekke Ekke Ekke Ptang Zoo Boing!" and you bring us a Shrubbery.

Why not Machine in the Middle?

If you change Man in the Middle to Person, then you must change the acronym to PitM. This will serve to confuse new comers reading past literature, and experienced practitioners reading new literature. It will likely be off-putting enough that after a few eye rolls it will be added to the to do never list.

If you change it to Machine in the Middle, the acronym stays the same and the gender neutral goal is accomplished. Historical literature using the MitM acronym remains understandable without any additional burden to the reader (assuming new entrants to the security field who are taught the new terminology), and experienced practictioners do not have to learn another acronym for an arguably flimsy reason.

Achievement Unlocked - Capture the FCC

Playing as a telecom provider, regulatory capture the FCC by installing a majority of puppet commissioners.

C Requires Tabs?

The C programming language has never required tabs, or even spaces for that matter as the Obfuscated C Code site http://www.ioccc.org/ demonstrates.

Shor's algorithm

Shouldn't there also be an effort to use post quantum cryptography? All the effort to increase keysize will be for naught if a practical quantum computer exists to defeat it.

Golem Searches for Pokémon

Must find Pokémon... The Precious Needs more Pokémon... Pokémon Go is our master now...

Oddly Appropriate Juniper Related Quote

1 Kings 19:4 "But he himself [Elijah] went a day's journey into the wilderness, and came and sat down under a juniper tree: and he requested for himself that he might die;"