* Posts by sweh

24 posts • joined 6 Jul 2017

Philips kills dependence on its Hue hub, pointing to a Bluetooth world


Re: All my bulbs are old now :-(

The hue hub does not need to receive incoming connections from the internet; it reaches out to a google cloud hosted service via https. It does this to receive firmware updates, and to allow for remote control when out of house, and for integration with voice assistants, etc.

And in current affairs... Apple recalls three-prong AC adapters after some shocking behavior



PogoPlug from 2009 did this (although it wasn't wireless). See, for example, https://zatznotfunny.com/2009-10/pogoplug-cloud-realignment/

London's Gatwick airport suspends all flights after 'multiple' reports of drones


Re: Why not kit out airports with anti-drone drones?

Flesh'n'blood hawks do the job just fine; https://www.youtube.com/watch?v=b5DEg2qZzkU

Equifax IT staff had to rerun hackers' database queries to work out what was nicked – audit


Re: I'd like to know

If the cert was being used for passive TLS decryption (a common technique for Data Loss Prevention) then an expired cert may not trigger alarms (the device manufacturer may consider that a normal case; certs do expire, especially if the cert store can handle multiple ones) but the TLS decryption would fail (also a normal scenario).

Since, in this scenario, it's passive no traffic gets blocked and data is no longer inspected.

Cert management needs to be proactive, not reactive.

Chromebooks gain faff-free access to Windows file shares via Samba



Hopefully it'll also work with Microsoft's Distributed File System (DFS) which makes a share look like \\domain\sharename and the service resolves to the best server to handle it (DR, regional replicas, etc). This is something Linux sometimes struggles with.

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV


Re: It's Christmas!

Interesting demographic niche there: old enough to like "Merry Christmas Everybody", young enough to think Alexa is a good idea.

Or maybe old enough to be able to decide for themselves the pros and cons of Alexa and feel that the "fun" factor outweighs the minimal risk.


BTW, I'm 50 this year. Hardly a youngster.


UPnP? Ugh. That's just asking for remote attacks. Let's expose my IOT device to the whole internet. We've never seen that cause a problem before.

The other option is to have the devices reach out to a central server (which is what things like TP-Link Kasa, Frigidaire, Hue, Echo, TiVo...) all do. Now we're dependent on the central server keeping running! We've never seen those companies stop supporting devices or shutdown servers...

At least Kasa devices and Hue hub expose local network endpoints (unauthenticated so anyone on the local network can reach them) so if the central server does go away then at least freeware alternatives can be written.

There is no win... just various shades of lose.


It's Christmas!

"Shoot me now. Please, someone. Just end it before it gets any worse."

At Christmas time I plan on putting the tree lights on a smart switch and programming the echo so I can say "Alexa, it's Christmas!" and the tree lights will turn on and Slade will start playing.

Now that's smart :-)

EU wants one phone plug to rule them all. But we've got a better idea.


Re: Be much more interested in...

"NT4[...]stable and snappy"... yes, it dropped into that stable blue screen very very quickly!

Google Chrome update to label HTTP-only sites insecure within WEEKS


Re: @Tomato42

In the US, ISPs are mostly a local monopoly. You get your local cableco... or maybe Verizon if you're lucky. No real choice.

And when we've seen Verizon, Comcast, AT&T all MITM traffic...

And then you have people using Starbucks WiFi (are you sure you're on the Starbucks hotspot and not someone pretending to be it?) and other free hotspots...

Basically, the underlying transport must be considered insecure.


Re: http://www.bbc.com/

Yes, mixed content is not secure. The browser doesn't (shouldn't!) even attempt to access the http content, by default, which is why some people are screaming ("our ad network is http only; it'll stop working if we move the main server to TLS").

The ad networks will catch up. They'll have to.


Re: Shared Hosting

Umm, you might want to look at the Server Name Indication (SNI) field of TLS; it allows exactly for the situation where multiple hosts share the same IP address.

This solution is only about 10 years old. If your client supports TLS1.2 (and if it doesn't then you have bigger problems) then it should support SNI.

Smart bulbs turn dumb: Lights out for Philips as Hue API goes dark


I'm only 50, and I've seen failed switches. Admittedly that's in America, where I find the whole electrical setup to be scarily bad, compared to what I grew up with in England :-)


Expandability, flexibility, ease of installation.

Maybe the bulb of tomorrow will have a built-in Alexa. Or infrared sensors so they form part of your alarm system. Or speakers. Or motion control (think Kinect on steroids). Or...?

Big Brother

Google Cloud

I've been messing around with a Hues Emulator; a python script that runs on a VM and pretends to have light bulbs attached. The Alexa device detects these and adds them. Now when I use voice control I see a connection from the Echo (oddly, not the one I'm speaking to but another one in another room!) to the emulator. So Alexa voice control appears to be local (once it's been sent to Amazon for processing, of course).

For "out of home" connections, the Hue Bridge makes an outgoing persistent connection to a Hues website. My router conntrack is telling me it is currently connected to - which is "....bc.googleusercontent.com" and has a certificate for ws.meethue.com (signed by some Philips intermediate) - I'm guessing a websockets layer.

Given this is google cloud compute, it's likely Philips pushed bad code...

AWS outage killed some cloudy servers, recovery time is uncertain


Re: Isn't cloud supposed to be fault tolerant?

No, clouds are not meant to be fault tolerant. "The cloud" may always be there and running, but individual instances inside the cloud may die at any time.

Clouds allow you to build applications that are fault tolerant. Indeed, applications should be designed to assume failure. There are many design patterns that can help with this.

This is why "lift and shift" doesn't buy you anything except "outsourced data center". If you build traditional applications and deploy them to the cloud then you need traditional HA solutions as well; duplicated service in a different datacenter, data copying, "DR" processes...

The responsibility for availability in the cloud rests solely on the application owner.

Cryptocoin investors sue Chase Bank for sky-high credit card charges


Re: MasterCard 'clarification' of MCC/SIC code?

This is most likely what happened.

Chase has not changed policies. The surcharge for cash advances has been around for many many years.

Merchant classifications, however, change all the time. Mostly you don't see them because you (as the card user) don't really care. It can affect what merchants may be in-scope for "5% bonus points" promotions, and end of year breakdowns, but normally it's invisible to you. Given the millions of merchants, it would be pointless telling you of changes.

So if this particular merchant had their classification changed so that it now counts as a cash advance then Chase would be perfectly entitled to put the surcharge on.

I fully expect this case to be dismissed.

Gmail is secure. Netflix is secure. Together they're a phishing threat


Re: TL;DR but what is it with ****ing developers

If you're using an American site, then you're better with "011" as the international access code.


Next; tech; meltdown..? Mandatory; semicolons; in; JavaScript; mulled;


Re: What's old is new again

"I'm sure I've encountered a langauge which use double-semicolons as statement terminators but can't remember what it was"

shell script "case" statements use ";;" to end the case


case $a in

x) foo ; bar ;;

y) baz ;;

*) echo Ooops ;;


Judge rm -rf Grsecurity's defamation sue-ball against Bruce Perens



This all reminds me of the early-ish days of WRT54G router hacking. Early/mind 2000s. A company called Sveasoft produced some quite interesting firmware, but then went to a subscription only model; pay a subscription, get their firmware and (to be GPL compliant) get the sources. However if you then passed the source on (as is your right under the GPL) they would terminate your subscription, your support, and refuse to sell to you ever again.

All the discussions around GRSecurity are the same as the discussions around Sveasoft.

Some fun at https://slashdot.org/~TheIndividual/journal/ and http://wrt54g.oliver-arp.de/

Sveasoft are now dead in the water (there's a stub web page still taking subscriptions, but I don't think James Ewing actualy delivers anything any more - http://www.linksysinfo.org/index.php?threads/sveasoft-did-i-just-mess-up-here.33599/ - It's been 10 years quiet), while OpenWRT, DD-WRT et al are going gangbusters.

Sprint CEO straight out accuses Verizon counterpart of LYING


AT&T offer free HBO; T-mobile offer free Netflix; it's not surprising Verizon Wireless also offer these promotions just for "feature parity" (especially since Verizon FIOS regularly has free HBO bonuses; there's probably existing commercial agreements between Verizon and HBO).

It's interesting to note that Sprint's current TV adverts are "within 1% of Verizon in terms of reliability", which doesn't address the coverage issue; yes the service may be as reliable... in the areas where coverage is available, but Verizon have the better coverage. Of course, for 70% of the US population that extra coverage doesn't make a difference. (See https://www.komando.com/happening-now/388850/the-truth-about-these-cellphone-ads for a breakdown).

It's also interesting that Sprint position themselves as the cheapo option ("would you pay twice as much for 1% more"); given how many people pay for Apple's premium branding, I wonder if they've thought this through :-)

Me, I still have an area on my daily commute (New Jersey heading to New York) where there's no signal. Yay :-(

Judge yanks plug out of AT&T's latest attack on Google Fiber


Re: Google in Kansas City MO

In my town in NJ, Verizon FIOS is costing me $95/month for gigabit internet. speedtest results on my desktop give 805/515 as "real" speeds.

And that's with almost no competition (cablevision tops out at 400/40).

AT&T are just trying to protect their revenue by any means they can, 'cos they know they'll lose money if they have to compete.

Linus Torvalds may have damned systemd with faint praise


Re: Not surprising. At all.

"For security reasons, our new policy is as follows: No new deployments with systemd - no exceptions."

Put it in a Docker container and don't run an init system at all. Then your customers can chose what platform they run Docker on :-)

Create a user called '0day', get bonus root privs – thanks, Systemd!



FWIW, POSIX doesn't say that a leading digit is disallowed.



To be portable across systems conforming to POSIX.1-2008, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.




3.282 Portable Filename Character Set

The set of characters from which portable filenames are constructed.


a b c d e f g h i j k l m n o p q r s t u v w x y z

0 1 2 3 4 5 6 7 8 9 . _ -


So we can see that "0day" is a perfectly valid username.

It may be a bad choice for a username because it can expose bugs but it's _valid_.

(Fun: "1234" is a valid username... just imagine the chaos that'd cause!)


Biting the hand that feeds IT © 1998–2020