* Posts by JavaJester

49 publicly visible posts • joined 21 Dec 2015

Cunningly camouflaged cable routed around WAN-sized hole in project budget


I am the Lorax

I am the Lorax. I speak for the trees, for the trees have no tongues. I am asking you sir at the top of my lungs. Oh, please do not run Ethernet cable through another one.

Tokyo has millions of surplus Wi-Fi access points that should be shared with blockchain, says NTT


Privacy Nightmare

So there will be a blockchain record associated with a billing identifier for both the supplicant and access point provider? This sounds like an excellent resource to mine if I wanted to track the whereabouts of people. It is inevitable that a deanonymization attack will be developed to unmask the identity of the provers and supplicants.

Southwest promotes key staff right after that Christmas meltdown


No Warm Disaster Recovery Site?

What is mind boggling is they had no disaster recovery (DR) site for such an important system. Everywhere I've worked there was some kind of DR system that could be brought up in an hour or less. Those DR sites have async database replication from the production site so that only a few minutes at most of transactions are lost. After the malpractice of failing to provide a DR system, the people involved are promoted? If I had any Southwest stock, I would unload it before the next disaster strikes.


Re: Augmented Peter Principle

It's the Dilbert Principle. Promote incompetent employees to minimize their impact on productivity.

University orders investigation into Oracle finance disaster


People Without Money

Sounds like the system should be called "People Without Money".

Eggheads show how network flaw could lead to NASA crew pod loss. Key word: Could


A Crazy Idea

Perhaps if you have a multimillion / billion-dollar aircraft / spacecraft, it's worth the extra coin to have the critical systems on a physically dedicated network.

Hardware makers criticized for eco double standards


Nobody wants to be "that poor sod"

The standard will need to convincingly show that data recovery is impossible, or that it would take orders of magnitude more time and money to recover the data than its highest possible value to an adversary. For highly sensitive data, the gold standard is complete high temperature incineration. For more mundane sensitive data such as PII and payment data, micro shredding is considered sufficient. Whatever standard is adopted would have to demonstrate that it is at least as good as micro shredding the drives. Nobody wants to be "that poor sod" who leaked data on a massive scale because they didn't dispose of it properly.

AI programming assistants mean rethinking computer science education


Potential to move learning up the stack

Assuming these coding assistants mature and provide actionable advice without ethical quandaries*, it represents an opportunity to reimagine how programming is taught. The instruction could focus more on choosing which suggested solution has the best tradeoff for the problem at hand. Things like how to evaluate O(1) vs O(N) vs O(N²) complexity in suggested code would be appropriate to teach in beginner classes. Topics that used to be considered graduate level or at least Junior / Senior level undergrad could move down the stack to more basic and intermediate level instruction. I believe a focus in this direction would be far more profitable than trying to maintain the status quo by sniffing out "cheaters".

* Yeah, I know, huge assumption. This technology is too useful to be abandoned. I think it is a "when" question, not an "if" question.

Here we go again: US govt tells Facebook to kill end-to-end encryption for the sake of the children


No Guarantee of Privacy

Dobbs vs Jackson goes much farther than just the issue of abortion. That decision puts a question mark on the entire concept of privacy as a constitutional guarantee. I know, some may be quick to point out the fourth amendment: protection against unreasonable search and seizure. But what does that mean when privacy protections are eviscerated? A woman leaves a state that restricts travel for abortions while pregnant and returns without a baby and not pregnant? What is to prevent that from being probable cause to trawl through her data? With the legality of birth control in question at the federal level, what is to stop a state from declaring that a controlled substance? What is to prevent mass surveillance of the movement of women for compliance with these rules? Won't someone think of the unborn children?

Now more than ever, strong encryption is necessary to protect the privacy of US citizens from what I fear is becoming a minority-ruled authoritarian theocracy. If the information is extraordinarily difficult or impossible to obtain, that in itself will be a deterrent against demanding it.

India to upgrade mobile networks near Maoist insurgents to 4G


Faraday Cage or localized jamming?

Knocking all public wireless services offline to stop exam cheats seems like a bit much. Haven't they heard of a Faraday cage or localized jammers?

Departing Space Force chief architect likens Pentagon's tech acquisition to a BSoD


DoD is a contracting company's dream

I fairly recently worked as a DoD developer contractor. The place I worked (which will remain nameless to protect the guilty) is a contracting company's dream. A contractor can hire programmers, then hire CMMI* process stewards who will slow down the programmers with mandates for useless documentation. Obviously, that will require hiring more programmers to compensate for the negative work generated by the CMMI camp and the requests from other teams. Then there are the network team, deployment team, architecture team, and myriad more, all of which must be cared for with proper documentation, which unsurprisingly leads to needing more developers. You see where this is going. All the contractor has to do is sit back and let the government bureaucracy and infighting do the work of creating new positions for them. They don't have to slow down the system to make more money. The customer does that for them.

* If you've never heard of CMMI, count your blessings. Think of the Agile Manifesto but with the phrases on each side of the word "over" reversed, and you have the right idea.

Russia 'stole US defense data' from IT systems


Partying like it's 1999

Recommendations include:

A patch management program

Antivirus Software

Strong Passwords

If these recommendations are necessary for such contractors, they are in worse shape than we thought.

APNIC: Big Tech's use of carrier-grade NAT is holding back internet innovation


What's all the fuss about?

At least for me, Comcast and T-Mobile both provide an IPv6 network address that passes all of these tests. Facebook and Google's DNS return IPv6 addresses that work fine. When big tech companies see a use case that benefits from IPv6 they will use it. Otherwise, there is little point in reworking a functional system just to be on IPv6.

Could BYOB (Bring Your Own Battery) offer a solution for charging electric vehicles? Microlino seems to think so


This slow thing would get run over by other drivers

With typical speed limits of 70 mph (approximately 110 kph) and drivers typically going above 135 kph, I wouldn't take it anywhere near an interstate. Perhaps as a way to get around city streets it is OK, but not as a serious mode of transportation.

SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using 'compromised password'


Always be in doubt when asked your details

"Now would be a good time for GoDaddy users to be on alert for suspicious emails asking them to log in to, say, confirm their details: if in doubt, go straight to the GoDaddy website."

Any email asking to confirm your details is always suspicious. There is no "if" about that.

Server errors plague app used by Tesla drivers to unlock their MuskMobiles


420 Error -- driver impaired

A useful error would be a 420 error if the app detects the driver is impaired.

Apple is about to start scanning iPhone users' devices for banned content, professor warns


Why Stop with iPhones?

Now that Apple has shown the world that using technology to surveil and control users is appropriate, why should governments stop with iPhones? There is a whole world of electronic devices waiting to be put into surveillance service. The company that ran the 1984 Super Bowl advertisement has all but invited 1984 surveillance on our portable telescreens.

AWS adds browser access to its cloudy WorkSpaces desktops – but not for Linux


RDP + SSH Tunnel = Linux Remote Desktop

There is a fairly straightforward way to get a remote desktop from a Linux-type system on Windows. Run xrdp and tunnel RDP port 3389 on the Linux side to something like 3390 on the Windows host (because Windows is already running its RDP service on 3389), then connect to localhost:3390 and ta da! A remote desktop.

AdGuard names 6,000+ web trackers that use CNAME chicanery: Feel free to feed them into your browser's filter


If you run a website, don't use a CNAME for an advertiser

This is a security shit show waiting to happen. If your CNAMEd advertiser has the same FQDN as your website, it is treated as a trusted part of the website. Think a minute and let the full implications of that sink in. Its scripts can change the JavaScript runtime by binding to events or changing the prototypes of key objects. It can manipulate any data and exfiltrate any data (remember, same FQDN, so those requests automatically get allowed). It can intercept any browser tokens and masquerade as any logged-in user. The attacks would be indistinguishable because they could be launched from the same browser the victim user is using.

Even if you fully trust your advertiser, still do not do this. If your advertiser gets compromised, the miscreants potentially own every website that has aliased their CDN records to them. This completely breaks and renders useless all browser defenses against cross site abuse of JavaScript and http requests.
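An added example (not part of the original comment) of the check a site owner could run against their own zone: follow each first-party subdomain's CNAME chain and flag the ones whose canonical name ends up under a different registrable domain, which is exactly the aliasing pattern warned about above. The DNS records and the shortened suffix list are constructed, not resolved live; real code would use the Public Suffix List.

```python
"""Audit a zone for first-party subdomains whose CNAME chain leaves the
site's own registrable domain (third-party code served as first party).
All DNS data here is constructed for the example."""

# Constructed records: name -> CNAME target (None means no alias, e.g. an A record).
CNAME_RECORDS = {
    "www.example.com.": None,
    "metrics.example.com.": "collector.tracker-cdn.example.net.",
    "collector.tracker-cdn.example.net.": "edge.tracker-cdn.example.net.",
    "static.example.com.": "cdn.example.com.",
    "loop.example.com.": "loop2.example.com.",
    "loop2.example.com.": "loop.example.com.",
}

# Deliberately tiny public-suffix table; a real audit loads the Public Suffix List.
PUBLIC_SUFFIXES = ("co.uk", "com", "net", "org", "uk")


def registrable_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Return the eTLD+1 of `name` (e.g. a.b.example.co.uk -> example.co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    # Try the longest matching suffix first (two labels, then one).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in suffixes:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def follow_cname_chain(name, records, max_hops=8):
    """Return [name, alias1, ..., canonical]; raise on loops or runaway chains."""
    chain, seen = [name], {name}
    while True:
        target = records.get(chain[-1])
        if target is None:
            return chain
        if target in seen or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or chain too long at {target}")
        chain.append(target)
        seen.add(target)


def audit_cname_cloaking(site, records):
    """Map each of `site`'s own names to the off-site canonical name it
    resolves to, or to an error string if its chain is broken."""
    site_rd = registrable_domain(site)
    findings = {}
    for name in records:
        if registrable_domain(name) != site_rd:
            continue  # only names under the site itself are candidates
        try:
            canonical = follow_cname_chain(name, records)[-1]
        except ValueError as exc:
            findings[name] = f"error: {exc}"
            continue
        if registrable_domain(canonical) != site_rd:
            findings[name] = canonical  # third-party host with first-party trust
    return findings


if __name__ == "__main__":
    for sub, target in sorted(audit_cname_cloaking("example.com", CNAME_RECORDS).items()):
        print(f"{sub:<28} -> {target}")
```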

Linus Torvalds issues early Linux Kernel update to fix swapfile SNAFU


Double Ungood

I love the reference to Orwell. I wonder if that is a subtle dig at those who complained about his use of language, or having to banish terms such as master from the kernel.

How do you fix a problem like open-source security? Google has an idea, though constraints may not go down well


Secured or Vetted Builds?

The same thing could be accomplished without changing the OSS community. An entity, such as Google or some federation of companies, could essentially mirror the various critical open source projects. They could create the signed builds they want. They could review each change and include changes that passed whatever reviews they wish to do. They would be free to make pull requests with improvements or perhaps even become a committer on the project. The people who want/need these security assurances should be the ones to provide them. They should not burden the OSS software nor try to change its culture.

Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools


Exhibit "A" - Why you don't weaken security for Law Enforcement (or anyone else)

Only naive fools assume that a "secret" master key, global "friend", deliberately introduced vulnerability, or other such technical measure for LE use remains in the hands of the "good guys". Once you make the assumption that any such backdoors will be discovered by an adversary, the only conclusion is good security without exceptions.

Linux Foundation, IBM, Cisco and others back ‘Inclusive Naming Initiative’ to change nasty tech terms


Down the Newspeak Rabbit Hole We Go

So will the Red-Black Tree become the Ruby-Obsidian tree? Because after all, in the world of the easily offended, colors like red, yellow, black, brown and white can't just be colors. They are "guilty by association", like the term master used by itself.


Re: What are we going to do about the embedded devices?

Excellent point. I suppose if we must go down this newspeak rabbit hole, we should at least use words that start with the same letter. So if master/slave becomes main/secondary, the acronyms still work.

CERT/CC: 'Sensational' bug names spark fear, hype – so we'll give flaws our own labels... like Suggestive Bunny


Might as well use Newspeak

You could have names like "Doubleplusungood CVE #", "Plusungood CVE #", "Ungood CVE #", or just the CVE # depending on how severe the finding is. This scheme would actually impart more information than the proposed naming scheme: you would have a good idea of how bad the vulnerability is by the name.

Someone not only created a comment-spewing Reddit bot powered by OpenAI's GPT-3, it offered bizarre life advice


Elevator Article a Work of Art

I am impressed with the Elevator Colony article that the bot wrote. It looks like the kind of thing worthy of the Onion or satire articles that appear on April 1st.

Apple takes another swing at Epic, says Unreal Engine could be a 'trojan horse' threatening security


The Lady Doth Protest Too Much Methinks

Absent evidence that Epic is using Unreal Engine to sabotage the iThingy, this looks like lawyer BS to try to get leverage over Epic to bring them to heel.

Not content with distorting actual reality, Facebook now wants to build a digital layer for the world


Black Mirror Arkangel

This reminds me of the Black Mirror Arkangel episode, albeit with the ability to remove the glasses. Over time the glasses could become so instrumental to day-to-day life that removing them would put the person at a disadvantage. Kind of like the portable tracking devices our phones have become.

In the market for a second-hand phone? Check it's still supported by the vendor – almost a third sold are not


Expiration Date?

A good first step would be to require the manufacturer to set an expiration date for when they will no longer provide patches for the phone. The manufacturer and seller would be required to prominently display this date. For starters, it should be required to be on the manufacturer's website, the box or other consumer materials (including ecommerce product information), and in the information section of the phone itself. In the event support is not provided up to the expiration date, the owner is entitled to a cash refund of the prorated purchase amount (up to the retail list price) remaining to the expiration date.

This might motivate the ecosystem to make changes to allow say Google to support the phone by better hardware abstraction. Making this a more "in your face" issue may allow the market to do its thing by having longevity be something companies compete on.

GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system


Install your own boot loader

If you are able to modify the grub config file, wouldn't you modify it to have the system run an evil bootloader rather than stuffing random crap into the file to trigger a buffer overflow to (drumroll...) run an evil bootloader?

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice


It Doesn't Seem to Help Lusers, lets Hide It!

At least in the past few years, the security interface of Chrome has gotten worse because a focus group populated with untrained lusers has no clue how to read a URL. Firstly, they hide https / http and the www part of the URL. Surprise! Some miscreants figure out how to use a DNS cache poisoning attack with a twist: they poison www.example.com but leave example.com alone. The genius of this is that when people are warned about www.example.com and are using Chrome, they proceed because after all it says "example.com" in the address bar. When they call their administrator to check on example.com, all appears to be well because example.com wasn't impacted. Terrible, terrible idea. At least you can use the Suspicious Site Reporter to undo that behavior. Hopefully there will be a way to override this madness as well.

Why is it assumed to be a UX flaw when the user doesn't understand browser security features? Wouldn't a better solution be a campaign to educate the users? Perhaps some kind of bubble that explains the significance of the company name the first time it is seen when using the browser? Hiding information from the user is never the right answer. Hiding information invariably gives hax0rz a way to exploit the user.

Linux kernel coders propose inclusive terminology coding guidelines, note: 'Arguments about why people should not be offended do not scale'


Re: Some more interesting possibilities

Another one: the red-black tree index is in danger of causing heads to explode. Because we know that certain colours must always be racially insensitive terms in 2020.


Dummy Value and Sanity Check are on the naughty list?

Where will it end? Will we require a new kind of IDE plug-in, kind of like a spell checker but one that searches for naughty words / phrases and suggests alternatives? Will it need to have its naughty word database hosted as a service so it can keep up with the flood of new verboten words that High Priests (oops, I didn't use a gender neutral word), er I mean High Clergy Members of the Offended deem unfit?

Does anyone really think that "dummy value" or "sanity check" is casting aspersions on anyone's intelligence or sanity? Is it really necessary to infantilize the language to this extent? As the article points out, the further we go into this rabbit hole, the more the effect will be to discriminate against non-English speakers.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too


Microsoft Doesn't Matter at This Point

Chrome, Safari, and Firefox account for over 80% of browser market share according to StatCounter Global Stats. If you operate a public-facing website, the shorter cert expiry is a done deal. The only thing left for Microsoft is to decide if they want to be consistent with the other browser makers.

Nokia's reboot of the 5310 is a blissfully dumb phone that will lug some mp3s about just fine


Obsolete on Arrival?

It doesn't seem like a good idea to buy a phone that only supports spectrum living on borrowed time. The US announcement of 2G/3G sunset dates is the canary in the coal mine. Others will soon follow. That spectrum is too tempting a target for low band 5G.

Copy-left behind: Permissive MIT, Apache open-source licenses on the up as developers snub GNU's GPL


Vaccine License is the First Brick of the Yellow Brick Road to Hell

The OSI should go nowhere near something like the Vaccine License. What's next? A license that requires users to call authorities for people in the country illegally? Perhaps licensing that requires supporting "religious freedom" discriminatory stances? Perhaps licensing that requires the opposite? Imagine the fun of using contradictory licenses simultaneously and facing punitive consequences as a result. Imagine a dystopian world where installing a program imposes such obligations on the users. This sounds like great material for a Black Mirror episode, but a terrible idea for the real world.

Silence of the WANs: FBI DDoS-for-hire greaseball takedowns slash web flood attacks 'by 11%'


ISPs: Configure your networks properly

"Essentially, you launch a load of small requests at a bunch of devices on SSDP UDP port 1900, spoofing the source IP address as your victim's IP address." Network operators have switches and routers that allow traversal of a packet from within the network, but claiming to originate from outside of the network, to anywhere within their network or the public internet? How embarrassing. They should get their act together and configure their network properly. It would make launching this sort of attack using their infrastructure impossible.
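An added example (not from the original comment) of the source-address validation the comment is asking operators for, in the style of BCP 38: a packet leaving the operator's network must carry a source address from the operator's own prefixes, and a packet arriving from outside must not claim one. It goes slightly beyond the comment by checking both directions and IPv6. The prefixes and packets are constructed.

```python
"""BCP 38 style source-address validation at an operator's edge.
Prefixes and sample packets below are constructed for the example."""
import ipaddress

# Constructed: address space the operator actually assigns to its customers.
OPERATOR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed packet log. "egress" = customer -> internet, "ingress" = internet -> customer.
SAMPLE_PACKETS = [
    # Inside host forging the victim's address on an SSDP probe (reflection attempt).
    {"dir": "egress", "src": "198.51.100.7", "dst": "192.0.2.77", "proto": "udp", "dport": 1900},
    # Same port, but a genuine inside source: legitimate traffic, must pass.
    {"dir": "egress", "src": "203.0.113.10", "dst": "192.0.2.77", "proto": "udp", "dport": 1900},
    # Normal inbound web traffic from an outside address.
    {"dir": "ingress", "src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    # Inbound packet claiming to come from inside the operator's own space.
    {"dir": "ingress", "src": "203.0.113.10", "dst": "203.0.113.20", "proto": "udp", "dport": 1900},
    # IPv6 customer traffic with a valid operator source.
    {"dir": "egress", "src": "2001:db8:1::10", "dst": "2001:db8:ffff::1", "proto": "tcp", "dport": 443},
]


def is_operator_address(addr):
    """True if `addr` falls inside one of the operator's assigned prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OPERATOR_PREFIXES)


def filter_packet(direction, src):
    """Return (verdict, reason) for a packet crossing the edge in `direction`."""
    inside = is_operator_address(src)
    if direction == "egress" and not inside:
        return "drop", "egress packet with a source outside operator prefixes (spoofed)"
    if direction == "ingress" and inside:
        return "drop", "ingress packet claiming an inside source (spoofed)"
    if direction not in ("egress", "ingress"):
        raise ValueError(f"unknown direction {direction!r}")
    return "accept", "source address consistent with direction"


def summarize(packets):
    """Count verdicts over a packet log; returns {'accept': n, 'drop': m}."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = filter_packet(pkt["dir"], pkt["src"])
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt["dir"], pkt["src"])
        print(f"{pkt['dir']:<7} {pkt['src']:<16} -> {pkt['dst']:<18} {verdict:<6} {reason}")
    print(summarize(SAMPLE_PACKETS))
```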

AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don't believe them


FCC's ability to protect privacy eviscerated by the Republican Party

Wouldn't it be great if the FCC could make regulations to protect privacy? Too bad, they can't! The Republican controlled Congress and President eviscerated their ability to make such regulations by approving a resolution of disapproval for FCC privacy regulations, which also forbids any similar regulations.

"Those rules would have required ISPs to obtain users' consent before selling their personal data – including location, browser history, health and financial data and other sensitive information – to advertisers."

In light of recent developments, the "– to advertisers." caveat was too optimistic.


Tech support discovers users who buy the 'sh*ttest PCs known to Man' struggle with basics


UI Guidelines mandate saying "Press a key to continue"

I worked at a company that had UI guidelines that included command line and text interactive programs. The guidelines actually mandated to never use the words "any key". The correct phrasing was "a key". The document went on to reason that clueless lusers would search in vain for an "any" key before driving up helldesk costs with their calls. If "a key" was used, the users would search, and their search would not be in vain: they would find an "a" key.

Personally I think those guidelines were inspired. They were probably written by someone who had gotten their start on the helldesk and answered that question many, many more times than anyone should have to.

'Pure technical contributions aren’t enough'.... Intel commits to code of conduct for open-source projects


Recommend singular "They" for Inclusive Language

At the risk of infuriating language purists: "Using welcoming and inclusive language" could also recommend using the singular "they" over "he". This can be immediately understood by any English speaker. Although alternating "he" and "she" can achieve the same effect, it can make a complex workflow with many actors more difficult to follow as the genderfluid actors randomly change gender as the flow progresses.* Since that doesn't often happen in literary books, it can be jarring and confusing when reading such technical material. The singular "they" also avoids the mess of proposed alternative third person pronouns. You would need to take a class just to know how to use all of them. https://en.wiktionary.org/wiki/Wiktionary:List_of_protologisms_by_topic/third_person_singular_gender_neutral_pronouns

* Why is the CM manager editing code now? Why is the Developer reviewing the CM workflow? Oh, my fault, the CM manager has become a "he" now, and the developer is now a "she". True story from when I was learning about a new CM process by reading its documentation. It is why the alternating "he" and "she" is unloved by me.

Redis does a Python, crushes 'offensive' master, slave code terms


Developers Who Say "Ni!"

The Developers who say "Ni!" demand a sacrifice. Your Git project has a branch called "master". We demand that its name be changed at once to "Ekke Ekke Ekke Ekke Ptang Zoo Boing!" and that you bring us a Shrubbery.

Seriously, Cisco? Another hard-coded password? Sheesh


Why not Machine in the Middle?

If you change Man in the Middle to Person, then you must change the acronym to PitM. This will serve to confuse newcomers reading past literature, and experienced practitioners reading new literature. It will likely be off-putting enough that after a few eye rolls it will be added to the to-do-never list.

If you change it to Machine in the Middle, the acronym stays the same and the gender neutral goal is accomplished. Historical literature using the MitM acronym remains understandable without any additional burden to the reader (assuming new entrants to the security field are taught the new terminology), and experienced practitioners do not have to learn another acronym for an arguably flimsy reason.

Kentucky gov: Violent video games, not guns, to blame for Florida school massacre


The Guns are Not the Cause You're Looking For ... Move Along

One of the oldest NRA mind tricks: It isn't the real guns that spray bullets and kill people that are the problem, it's the pretend ones in video games that are the threat. This gun fetish must not be pandered to any more. How many people need to die before America wakes up and has the political courage to try the obvious solution of limiting access to deadly weapons? Australia and the UK did it to great success.

You can resurrect any deleted GitHub account name. And this is why we have trust issues


It's Not GitHub's fault

The fault is dynamically loading code from random folks' accounts on GitHub rather than from a proper repository and then hosting it either in a CDN you control, or within the application itself. The Maven/Gradle model, where the code VCS is divorced from the code repo, is a much more grown up way of doing things. I don't see why JavaScript libraries can't either use the central repository, or come up with something like it. With this model, if my project states that it uses version 1.1, then that's what it will use until I update my dependencies. My site won't suddenly go batshit or start mining cryptocurrency because of some change in a library. I won't get the new version until I ask for it. To me, this is a much better way of doing things than to rely on a third party repo that could change and bork my application. It buggers my mind that people would want to always get the latest changes from third party sites they don't even know, let alone control.

FCC douses America's net neutrality in gas, tosses over a lit match


Achievement Unlocked - Capture the FCC

Playing as a telecom provider, regulatory capture the FCC by installing a majority of puppet commissioners.

Software dev bombshell: Programmers who use spaces earn MORE than those who use tabs


C Requires Tabs?

The C programming language has never required tabs, or even spaces for that matter as the Obfuscated C Code site http://www.ioccc.org/ demonstrates.

So what's the internet community doing about the NSA cracking VPN, HTTPS encryption?


Shor's algorithm

Shouldn't there also be an effort to use post quantum cryptography? All the effort to increase key size will be for naught if a practical quantum computer exists to defeat it.

Gaming apps, mugging and bad case of bruised Pokéballs


Golem Searches for Pokémon

Must find Pokémon... The Precious Needs more Pokémon... Pokémon Go is our master now...

How to log into any backdoored Juniper firewall – hard-coded password published


Oddly Appropriate Juniper Related Quote

1 Kings 19:4 "But he himself [Elijah] went a day's journey into the wilderness, and came and sat down under a juniper tree: and he requested for himself that he might die;"