* Posts by ds6

319 posts • joined 17 Jul 2017

The Wristwatch of the Long Now: When your MTBF is two centuries

ds6
Coffee/keyboard

Re: Beware survival bias

I've got an original run X220T, Model M from 1986, and enough spare parts to service them for years to come. If they're ephemeral then I must be a ghost, and you'll have to take them from my ghostly ectoplasm-covered hands.

The Reg produces exhibit A1: A UK court IT system running Windows XP

ds6
Mushroom

Re: Maybe don't use Windows?

The real world sucks. When do I get to hunt replicants?

ds6
Gimp

Re: Is this as usual software related?

The safe word is "don't stop."

ds6
Devil

Re: Is this as usual software related?

No, there are air holes. Tape those up and we might have something...

HP Inc to Xerox: If you complete a hostile takeover, and try firing our chief exec, you will pay...

ds6
Coat

Have fun, honey. And don't get the Wutang! You know Crumb can't handle that with his asthma!!

Sadly, the web has brought a whole new meaning to the phrase 'nothing is true; everything is permitted'

ds6
Joke

Are you available?

ds6
Holmes

Re: "the evidence of our senses has become suddenly and comprehensively insufficient "

Hi,

And in just cases you can use by BitCoin wallet here : xYmvWgjmlDgBUOfbkyb

Thanks

Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments

ds6

Or how hybrid Exchange environments require IE or else the embedded frames will not work?

ds6
Paris Hilton

Re: Get rid of the commercial middlemen

How is FIDO (the spec, not the people behind it) "[...] designed to require a commercial middleman"?

ds6

Re: Get rid of the commercial middlemen

Read the FIDO2 spec and you will see it is not inherently evil. It is perfectly workable by corporations, businesses, and end users without compromising security. It is not designed to track you and is not really capable of doing so. All communication is voluntary and E2E—no middleman, unless the service you signed up with decides to use another service to authenticate you, but FIDO2/WebAuthn is simple and well supported enough that it should not need such a thing. Whether or not that will change in the future is up for debate, but if FIDO/U2F is still supported by the spec despite being obsoleted, I think there's hope FIDO2 will be supported for a long time coming.

There are plenty of other authentication modes and open source libraries/example code that you can choose from if FIDO2 isn't your cup of tea, including OTP-HMAC which is also widely supported.

But like others have said, this article is about Azure, which is already fundamentally compromised in the sense that your data is no longer in your own datacenter. The argument on whether or not FIDO2 is respectful of your privacy etc. is moot when the whole platform may or may not be, and there's no 100% sure way to know.

ds6
Big Brother

Re: Infrastructure

Working in the industry, I herald how great Azure and VMware are, but in private, I damn them to eternal hellfire for being huge PII-vacuuming monolithic monopolies.

I feel like I have two personalities. Or that I've joined the Bad Guys(tm) and am just being hypocritical.

ds6
Boffin

Next up, flying elephants

Nice, I JUST bought 2 FIDO2 keys yesterday. Thanks for being telepathic, vultures.

Hey, fatso. If you're standing desk-curious, the VariDesk Pro Plus won't break the bank

ds6
Childcatcher

Calibrate your monitors, vulture! Those colors are about as accurate as a blind child reproducing the Mona Lisa.

ds6
Boffin

Re: Varidesk, yes, had that.

Would have been funnier if you said Ctrl+D.

ds6

Re: Who cares about the desk?...

I have a 1982 M with the removable PS2 cable, and it is the most comfortable keyboard I have ever used, even more comfortable than newer M's. After a bit of oiling the keys have the perfect weight and travel for my hard-hitting fingers. I mash my keyboards like a gimp by his domme.

Unfortunately it is pretty clear with Unicomp that the original moulds are wearing out, as it's easy to see in the resulting plastic where they have patched up and repaired them. They also seem to use the newer variant moulds that aren't as thick and deadly like the older one I have. Keys don't fit as well as original M's either. Unicomp definitely put in a lot of effort and care into theirs, however; and if you want a "new" Model M with USB and mostly original tooling, it's your best if not only bet.

Also, their new compact versions are their own designs and feature new moulds, so the production value on them is much better.

What I really want now is either an original Model F or one of those reproductions that fellow made from that one website—you know, that guy.

Sophos was gearing up for a private life – then someone remembered the bike scheme

ds6

NASA's Christina Koch returns to Earth as the longest-serving woman astronaut – after spending 328 days in space

ds6
Childcatcher

Re: Brilliant job that Woman!

Let's not have the children be probed, dear.

RIP Katherine Johnson: The extraordinary NASA mathematician astronauts trusted over computers

ds6

Re: Exceptional skills

Take my upvote you rat bastard.

It is with a heavy heart we must inform you, once again, folks are accidentally spilling thousands of sensitive pics, records onto the internet

ds6

Re: Personal Data Security

Shill that Facebook alternative, friendo. It sounds interesting.

Call us immediately if your child uses Kali Linux, squawks West Mids Police

ds6
Pint

Re: The obvious result of this

You're at the shop with your 9yo daughter and upon happening along this poster, you ask your daughter: "Honey, what's a Kali? Is it a kind of drink?"

Your daughter idly remarks you will not be given supper this evening.

ds6
Boffin

Re: "How many arms did she have?"

After demuxing your statement, I have deduced that you may have gone to a school for tarantulas.

ds6
Black Helicopters

Re: Positive Diversions

Can't stop me, thought police! I'm wearing tinfoil!

ds6
Windows

Re: Be a government informer! Betray your family and friends! Fabulous prizes to be won!

Right proper chef to ignore a joke and talk about more culinary tools.

I always thought it looked like he was eating a burrito.

Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

ds6
Gimp

Re: Spies gonna spy

Oh yeah baby, I do swing both ways... After all, no matter how you look at it, someone's getting it up theirs.

— Unknown CIA asset, undercover sex worker

If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one

ds6
Headmaster

Re: Just how many lines of code

Freudian slip?

Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this

ds6

Re: Annoying tho

I still refuse to use Pale Moon for the whole petulant children incident, and WaterFox phones home just as bad as mainline does. And even if I hate that Mozilla killed off XUL and Jetpack, there aren't a whole lot of reasons for me to go back, since everything I need has either been ported or its functionality recreated; there's also no denying that Quantum is leagues less heavy and significantly faster than old Firefox/Pale Moon.

IceCat and Ungoogled Chromium work just fine for me at this point.

Google's OpenSK lets you BYOSK – burn your own security key

ds6

Re: It's all very fascinating

There are multiple ways to use security keys like this. The FIDO2 spec is the standard right now so I'd look into that if I were you. There are multiple modes you can use with it, including private/public key-based authentication, one-time keys that cycle based on an algorithm known fully only by the device (and can be solved on the authenticating end using the number your device spits out), and third party PKIM authentication where you set up a chain of trust like you mentioned and the third party is contacted to verify your identity with a signed root certificate.

Here are some useful links to see how the technology is used in practice from a low but not too low level:

https://docs.microsoft.com/en-us/azure/security/fundamentals/ad-passwordless

https://developers.yubico.com/#learn (features all U2F modes!)
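The "one-time keys that cycle based on an algorithm known only to the device" mode above, and the "OTP-HMAC" alternative mentioned in the earlier FIDO2 thread, are HOTP (RFC 4226): both sides share a secret and a counter, the device computes HMAC-SHA1 over the counter, and the server recomputes it to check. The block below is an added example, not code from either post, from Yubico, or from Microsoft. The secret is the RFC 4226 test-vector key; the look-ahead window of 10 is an assumed server policy. The verifier side shows the part that actually matters for security: the server advances past any accepted counter, so a captured code cannot be replayed, and codes behind the server's counter are rejected.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects a 4-byte window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled device.

    The device only ever increments its counter; the server keeps its own copy
    and accepts a code if it matches any counter in [expected, expected + window].
    On success the server jumps past the matched counter, so the same code can
    never be replayed and codes that are "behind" the server are rejected.
    """

    def __init__(self, secret: bytes, start_counter: int = 0, window: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = start_counter
        self.window = window          # assumed policy: how far the device may have drifted ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.counter = candidate + 1           # resynchronise and burn this code
                return True
        return False


# Constructed demo secret: the RFC 4226 test-vector key (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = HotpVerifier(DEMO_SECRET)
    for counter in range(3):
        print(counter, hotp(DEMO_SECRET, counter))
    print("first use accepted:", server.verify(hotp(DEMO_SECRET, 0)))
    print("replay accepted:", server.verify(hotp(DEMO_SECRET, 0)))
```

The window trades usability for exposure: a device whose button was pressed a few times without a login drifts ahead, and the window lets it resynchronise, but every extra slot is one more code an attacker's guess can land on. Keep it small and rate-limit failed attempts.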

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption

ds6

Re: Extracting encrypted data?

Technically all encryption can be broken, the only reason it's considered safe is it will take a very, very long time with current methods and technology to defeat it.

More directly, the length of your password doesn't matter if your phone is already booted and has been unlocked once, as the decryption key can be siphoned out of /data/misc/vold; encrypted partitions are not unmounted when your phone locks, even if you trigger Lockdown. Your password is only used to unlock the phone and to encrypt the key used to encrypt the /sdcard filesystem (and other filesystems/per file encryption). Keep in mind there are sometimes 20-30+ partitions on an Android device, varying by vendor/ROM, and only a handful of them are encrypted.

If you have Xposed, Magisk, root over ADB, or root shell available and the passwords for any of those are either not enabled or easy to guess, then data can be easily exfiltrated. I don't think Xposed Manager, EdXposed Manager, or Magisk even have the ability to lock module installs behind a password.

It could also be possible to attack memory, flash a new bootloader, attack proprietary firmware like the baseband and/or wireless controllers, or use social engineering to get you to install a malicious APK.

ds6

Re: Extracting encrypted data?

A combination of hardware/software exploits and brute force leads to data being exfiltrated. Just because your storage is encrypted doesn't mean there aren't other attack vectors, like the bootloader or baseband.

Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped

ds6

Re: State is not county

Not all county jurisdictions are equal. Some municipalities don't have the ability to override the state like in this situation. It's understandable they got caught up in this, even if it could have been avoided.

Lest we forget, Sheriff Big Pants could have said "oh makes sense" and just left. The instigation was all due to not wanting the state to have its way, not because the guys were innocent or guilty. They were about to be sacrificed in the name of political bickering.

Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

ds6
Paris Hilton

Re: late capitalists

Talk to a VAG mechanic if you don't believe me.

A gynecologist?

ds6
Megaphone

Re: late capitalists

Just because people don't mind paying exorbitant prices doesn't mean they are not paying exorbitant prices. The guy stated that service costs are high and made no attempt to attack anyone that owns one, nor was it implied. You are pushing a false agenda.

I want to try assuming intent too: It sounds like you are in the group of people that own one of these vehicles and feel the need to vehemently defend yourself over any perceived criticisms in order to validate your expensive purchase. Wow, that was fun!

Sometimes shining a light on a nuclear problem just makes things worse

ds6

Re: Scintillating!

You can't change the current reality and the zone kicks you out.

Oh, wrong emission?

Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear

ds6
Boffin

Re: "That's not a bug, it's a feature" is now a malapropism

No, TwinTurbo® SiteBoost™ is much more important.

What does it do? Who fucking cares it's got a cool name with no spacing yeeeeah!!

ds6
Alien

Re: "How do I know for sure that this isn't an elaborate hoax to get be infected?"

The aliens will probe you! Trust me, I'm still sore...

IT exec sets up fake biz, uses it to bill his bosses $6m for phantom gear, gets caught by Microsoft Word metadata

ds6

Re: How to be a thief

Easy to break the law, hard to not get caught.

~ Confucius Kabbaj

ds6

Re: Silly question, maybe

Probably close to CIO: the guy that signs all the checks, talks politics to the board, and knows little about what he's overseeing.

Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers

ds6

Re: SSL VPN?

Citrix calls it that, Sonicwall calls it that, elreg too... the hot buzzword is SSL VPN likely because no one has updated their documentation.

ds6
Mushroom

Re: By anybody...

Hey, that was a cohesive post.

Is the sky falling or is it just me?

ds6

Stop, with the puns, this is a red alert!

...

Mozilla locks nosy Avast, AVG extensions out of Firefox store amid row over web privacy

ds6
FAIL

Re: fajensen

Nice comeback, bro.

If you're gonna complain about an antivirus product doing what it advertises re: SSL (actually, it's TLS...) then you should probably look into CloudFlare MitM on probably 80% of sites you visit; guarantee you'll blow a gasket. Even el Reg used to use them, seems like they don't now though.

Hundreds charged in internet's biggest child-abuse swap-shop site bust: IP addy leak led cops to sys-op's home

ds6

Re: Bitcoin anonymity

There is a common misconception that because most cryptocurrencies including Bitcoin are not managed by a central bank or controlled by a government that they are anonymous. I do believe that's the reason for our good friend bob's sarcasm. Or I could be way off the mark and bob's blown a gasket again.

ds6

Re: Bitcoin anonymity

See:

It's only as anonymous as the individual allows, i.e. if you make no attempt to hide your identity you will be easily found out.

Of course, it is possible to obscure transactions and launder coins—and based on the article they may have tried to do so—but the point I was trying to make was that there are cryptocurrencies out there that are altogether better at it without the user having to do anything. Still the only completely untraceable way is to remove any third parties and mine your own.

Remember that competition for non-hoodie hacker pics? Here's their best entries

ds6

Re: "you all love to hate"

No, my name is John.

Time to check who left their database open and leaked 7.5m customer records: Hi there, Adobe Creative Cloud!

ds6

Re: What price Photoshop?

Wish we would have when they killed off Device Licenses, and for three months did not offer an alternative; meaning no CC for our clients in the labs, despite the fact that materials had already been updated for it. Imagine how many schools were thrown out of whack when their device licenses just stopped working.

Help! I bought a domain and ended up with a stranger's PayPal! And I can't give it back

ds6

We're going too deep, cap'n.

Tesla has made a profit. Repeat, Tesla has made a profit – $143m in fact

ds6

Re: Smart Summon used "more than one million times"

When I say "anonymize" I more readily mean clumping data sources together and stripping as much metadata as possible.

For driving locations, I would be fine with generating a heatmap based on mass grouped datasets, e.g. Model 3 users drove around a lot in LA. Anything more I believe to be entirely irrelevant to anything except tracking individual driving patterns and improving GPS navigation. Of course, there still is a problem of single drivers being in weird locations like you said, but I normally take a stance against all telemetry so it's not like I've ever put that much thought into it.

For tracking statistics, you could keep vehicle-local controls that trigger thresholds to e.g. indicate safe vs aggressive driving, and pass on a limited subset or set with reduced accuracy on to the server. This (and any delivered data) should not be bundled together, e.g. so that location information cannot be mapped to driving style.

And of course the user should be able to disable all of this as they see fit, as no matter how anonymized every system has a risk factor.
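The design sketched in the post above (coarsen location, decide "safe vs aggressive" locally with thresholds, never bundle the two) can be written down concretely. The block below is an added example, not code from the post or from any vehicle vendor; the grid size, the k-threshold and the braking/lateral thresholds are assumed numbers, and the sample trips are constructed. The one edge case the post worries about, a single driver in an odd location, is handled by the k-threshold: a cell that fewer than K_MIN vehicles reported is dropped from the heatmap entirely rather than published as a lone dot.

```python
import math
from collections import Counter

# Assumed parameters (not from the post or any vendor).
GRID_DEG = 0.05          # cell size in degrees, roughly 5 km at mid-latitudes
K_MIN = 5                # suppress any cell reported by fewer than this many vehicles
HARD_BRAKE_MPS2 = 6.0    # peak deceleration above which a trip counts as aggressive
HARD_LATERAL_G = 0.5     # peak lateral acceleration above which a trip counts as aggressive


def location_cell(lat: float, lon: float, grid: float = GRID_DEG) -> tuple:
    """Reduce a GPS fix to a coarse grid-cell index; this is the only location data that leaves the car."""
    return (math.floor(lat / grid), math.floor(lon / grid))


def driving_label(peak_decel_mps2: float, peak_lateral_g: float) -> str:
    """Vehicle-local threshold check: raw accelerometer traces stay in the car, only a label is sent."""
    if peak_decel_mps2 >= HARD_BRAKE_MPS2 or peak_lateral_g >= HARD_LATERAL_G:
        return "aggressive"
    return "normal"


def split_trip(trip: dict) -> tuple:
    """Emit two records for one trip that share no key or timestamp, so style cannot be joined back to location."""
    loc = {"cell": location_cell(trip["lat"], trip["lon"])}
    style = {"label": driving_label(trip["peak_decel"], trip["peak_lateral"])}
    return loc, style


def aggregate(trips: list, k_min: int = K_MIN) -> tuple:
    """Server side: count per cell and per label separately, then drop cells below the k threshold."""
    cell_counts = Counter()
    label_counts = Counter()
    for trip in trips:
        loc, style = split_trip(trip)
        cell_counts[loc["cell"]] += 1
        label_counts[style["label"]] += 1
    heatmap = {cell: n for cell, n in cell_counts.items() if n >= k_min}
    return heatmap, dict(label_counts)


# Constructed sample: six calm trips clustered in one cell, one hard-braking trip alone elsewhere.
SAMPLE_TRIPS = [
    {"lat": 34.06 + i * 0.001, "lon": -118.25, "peak_decel": 3.0, "peak_lateral": 0.2}
    for i in range(6)
] + [{"lat": 36.12, "lon": -115.17, "peak_decel": 7.5, "peak_lateral": 0.6}]

if __name__ == "__main__":
    heatmap, labels = aggregate(SAMPLE_TRIPS)
    print("published cells:", heatmap)
    print("driving labels:", labels)
```

Note what the server can no longer answer: it knows one trip was aggressive and it knows six trips happened in one cell, but nothing ties the aggressive trip to any cell, and the lone trip's cell is never published at all.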

ds6

Re: Smart Summon used "more than one million times"

That's why I refuse to buy a Tesla until it's open sourced, as Elon said they would eventually do. I also wouldn't mind if the telemetry was heavily anonymized and delivered in bulk at say the end of the month, but that isn't how it goes.

Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

ds6

Re: As a ex sys-admin....

And how ELSE can you remote-admin a system without su and sudo ????

doas

:-]

As a luser that grew up on FreeBSD, I have wheel set up for all my sudo rules.
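The wheel-group approach the post describes, written out as an added example (these are not the poster's files): a single sudoers rule keyed on group membership, and the doas.conf equivalent. The commented-out rule shows the pattern the headline's "restricted sudoers" refers to, a Runas list of everyone except root; that is a blacklist, and blacklists on the run-as user are the non-standard configuration the bug needed. File names and the "persist" keyword are assumptions (persist is available on OpenBSD doas and, as a build option, in the Linux port).

```conf
# /etc/sudoers.d/wheel  (assumed file name; check syntax with: visudo -cf /etc/sudoers.d/wheel)
# Grant root via sudo to the wheel group only; membership in wheel is the single switch.
%wheel ALL=(ALL) ALL

# Pattern to avoid: "run as anyone except root" is a blacklist on the target user,
# the kind of non-standard rule the headline describes.
# webadmin ALL=(ALL, !root) /usr/bin/vi

# /etc/doas.conf  (OpenBSD doas; persist remembers a successful auth for a few minutes)
permit persist :wheel
```

Keep the rule on the group, not on individual users, and audit membership of wheel the same way you would audit root's password.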
