* Posts by Crypto Monad

162 posts • joined 14 Dec 2017


ESXi-on-Arm is real and VMware will use it to run networks, storage, and security on SmartNICs

Crypto Monad

Re: "Disaggregation of the server"...

NIC development progresses like this:

1. Offload TCP to the NIC

2. Offload TLS to the NIC

3. Allow running of VMs on the NIC ?!

The NIC card now sees all your unencrypted traffic *and* can run arbitrary software. Sure, the admin will choose what they *want* running there - but it's not like there have never been security holes in hypervisors, or that code-signing certs have never been issued to malicious users.

Crypto Monad

"Disaggregation of the server"...

or "a new place for undetectable, persistent malware to run"?

Q: How does hydrogen turn into a metal? A: Hang on a second, I need to train my AI supercomputer first

Crypto Monad

Re: Neural net - nobody really understands how they work.

AI can also be easily fooled - such as when you change one carefully selected pixel in an image of a cat, and it classifies it as a dog.

AWS unleashes a new homegrown Linux that's good enough to bottle

Crypto Monad

Re: Missing tools? @Pascal

> The article says that it is a kernel (and presumably sufficient libraries), but also says that the toolset is written in Rust (to eliminate security holes and memory leaks, apparently). Has the full GNU toolset been ported to Rust? I think not.

The article says it *has* a kernel (Linux), not that it *is* a kernel.

Think of it as a massively stripped down GNU/Linux, with just enough userland to be able to run containers, and nothing more. It's a toaster for containers.

You're not supposed to *build* your container images on this. Do this on a dev system somewhere else (or do it inside a container).

There's no package management, no "apt-get install". The whole thing is just an image that you run, and can replace as a whole. This makes administration more like flashing firmware onto a router. Time to upgrade? Just reflash and reboot.

Relying on plain-text email is a 'barrier to entry' for kernel development, says Linux Foundation board member

Crypto Monad

"transparency and a really good software supply security model.”

This from the company that gave us the Microsoft Word Macro Virus. A gift that keeps on giving.

Fancy some post-weekend reading? How's this for a potboiler: The source code for UK, Australia's coronavirus contact-tracing apps

Crypto Monad

Apple-Google API

I can see Apple releasing an updated iOS with this API, and it being quickly picked up by the majority of iPhone users.

But a Google API? For most Android phone owners, who depend on updates being released by the manufacturer, they'll never see this. Seriously. If the API were released today, and even 10% of Android phones had it installed in the next 3 months, I'd be astonished.

It seems to me there's little point writing the Android tracing app to use this API, if almost no Android phones will have it.

Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard

Crypto Monad

What address block was server's public IP address in? I am guessing it was a cloud VM, and somebody decided it would be a good idea to open HTTP/HTTPS access to the whole Internet.

As for the cameras - were the IP addresses public or private (RFC1918)? I would expect some sort of overlay VPN for those.

Cosmo Communicator: Phone-laptop hybrid is neat, if niche, tilt at portable productivity

Crypto Monad

Re: I threw some money at this....

> Android really struggles with running in landscape - a ton of apps, including just the chrome browser - really aren't expecting you to do that and often don't display their content in a sensible way.

Hear hear (speaking as a Gemini owner) - on the Gemini, Force Rotate is a three-step dance.

However, the main reason to avoid PlanetCom is that they orphan their devices from software updates very rapidly. I got my device (one of the very earliest) in March 2018, and the last software update was December 2018. A ton of Android security bugs have been found since then, but no subsequent updates. I contacted their support recently asking if support had been officially terminated, and they gave a bland non-committal answer.

For that reason alone, I would say don't waste your money.

Remember Tapplock, the 'unbreakable' smart lock that was allergic to screwdrivers? The FTC just slapped it down for 'deceiving' folks

Crypto Monad

Re: Well....

And another xkcd: relative importance.

Planet Computers has really let things slide: Firm's third real-keyboard gizmo boasts 5G, Android 10, Linux support

Crypto Monad

Re: CEO Dr Janko Mrsic-Flogel

> The Gemini also got an update in December but since then nada

Whereas Android for the Gemini got an update in December 2018, and nothing since then. Why abandon what is surely the most important platform?

Internet samurai says he'll sell 14,700,000 IPv4 addresses worth $300m-plus, plow it all into Asia-Pacific connectivity

Crypto Monad

Google, Microsoft and Amazon are infrastructure providers. In most cases, each individual VM fired up needs an IPv4 address. Cloud usage is going up, not down.

However, more importantly, Google is an advertising company, and its money depends on eyeballs on the adverts. They can't afford to cut off IPv4-only users, which are still the vast majority.

Think about what happened with IE5. For a long time, websites had to have a completely different version to support IE5, which was really painful and expensive. They continued to do so, until the number of people on IE5 fell to about 1% - at that point they felt safe to drop IE5 support.

The same will happen here. When 99%+ of the end-users on the Internet are dual-stack or v6+NAT64, content providers will feel it's OK to drop v4. Not before.

Look ma, no Intel Management Engine, ish: Purism lifts lid on the Librem Mini, a privacy-focused micro PC

Crypto Monad

Well-documented as in "Intel have released all the details of the management engine and other similar components, and we trust them to be complete?"

Or as in "researchers have comprehensively reverse-engineered the billion-transistor silicon, and to the best of their knowledge there are no additional backdoors to be found?"

I'm not sure either of those fills me with much confidence.

Crypto Monad

If the objective is to build something free of backdoors in the CPU, wouldn't you base it on OpenRISC, or at least ARM?

Android users, if you could pause your COVID-19 panic buying for one minute to install these critical security fixes, that would be great

Crypto Monad

Re: Another option

My (Android-running) Gemini hasn't received any update since "security patch level 5 December 2018".

I'm not expecting they will do anything this time - and not buying PlanetCom again.

Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months

Crypto Monad

Re: I understand

You don't need to open anything in your firewall if you use the DNS-01 challenge for renewal. Instead, you need to dynamically add a temporary TXT record to your DNS domain, and remove it afterwards.

This can be done using an outbound "push" to your DNS provider. There are many Letsencrypt agents which can do this, which integrate with many different DNS service providers.
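As an added worked example of the DNS-01 mechanics described above (example code, not the commenter's and not taken from any particular Let's Encrypt agent): it derives the `_acme-challenge` TXT record name and value from the challenge token and the ACME account key, as specified in RFC 8555 section 8.4 using the RFC 7638 JWK thumbprint. The account key, token and domain names are constructed placeholders, and the provider-specific API call that pushes the record is left out.

```python
"""ACME dns-01 challenge: name and value of the TXT record to publish.

Added example; not the commenter's code and not any Let's Encrypt client's.
Implements RFC 8555 section 8.4 (dns-01) over the RFC 7638 JWK thumbprint.
Key, token and domain names are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members
    only (sorted keys, no whitespace). Optional members such as alg/kid are
    deliberately excluded."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
        "OKP": ("crv", "kty", "x"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account public key>.
    Binding in the thumbprint ties the published value to one ACME account,
    so another account cannot reuse a challenge value it saw in DNS."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for a dns-01 challenge.

    The owner name is _acme-challenge.<identifier>. For a wildcard
    identifier "*.example.com" the "*." is dropped, so it shares the owner
    name with the apex; an order covering both needs two TXT records at
    that one name (DNS permits several), and both must be removed afterwards.
    """
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


# Constructed placeholder account key: the modulus is not a real RSA key,
# which does not matter for the thumbprint (it only hashes the encoding).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(256))),
    "alg": "RS256",                        # ignored by the thumbprint
    "kid": "https://acme.example/acct/1",  # ignored by the thumbprint
}
# Constructed token; the CA supplies the real one in the challenge object.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for ident in ("example.com", "*.example.com", "www.example.com"):
        name, value = dns01_record(ident, TOKEN, ACCOUNT_JWK)
        print(f'{name}. 60 IN TXT "{value}"')
```

The wildcard case is the one that trips up home-grown hook scripts: `*.example.com` and `example.com` validate at the same owner name, so the hook must add a second TXT record rather than overwrite the first, and the cleanup step must remove both. Keep the TTL short and delete the records after issuance; the value is useless to an attacker once the order completes, but stale records clutter the zone and slow down the next renewal's propagation check.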

Cache me if you can: HDD PC sales collapse in Europe as shoppers say yes siree to SSD

Crypto Monad

Re: What to do with old 2.5" HDDs?

> So a kind of JBOD where individual drives can be added to the pool, or marked for withdrawal and all the data migrated off.

LVM will do exactly that for you. Each drive is a PV, and you can tell it to migrate data off a PV before you remove it from the VG.

NexDock 2 revisited: Could it be more than a handy Pi hole?

Crypto Monad

Re: That brings us to thin clients again

> But how about corporates? Is buying a hundred or so of these + the Raspberry Pi + Citrix or open source equivalent a good option in real life as opposed to deploying desktops?

I don't think corporates will be buying Raspberry Pis. As far as I can see, the idea is they plug their employee's existing company phone into this, and the phone gains a full-sized screen and keyboard.

The phone is already set up for secure access to corporate resources, so this means one less device to manage compared to giving the employee a full-blown laptop or chromebook.

Brits may still be struck by Lightning, but EU lawmakers vote for bloc-wide common charging rules

Crypto Monad

Re: Hopefully the UK will follow this

> Have none of you noticed that the UK standard plug is only used in the UK

Many countries with ex-colonial links - Kenya, Ghana, Malaysia etc - use the UK (type G) plug.


Given that equipment in these countries is generally obtained from the cheapest supplier, and may arrive with US or European (Schuko) plugs, what you mostly find is Chinese "universal" power strips which can take any sort of plug, more or less. They are one step safer than using crocodile clips.

In the red corner, Big Red, and in the blue corner... the rest of the tech industry

Crypto Monad

Re: Hmmmm...

X.25 for the network layer. X.400 was E-mail.

How a Kaggle Grandmaster cheated in $25,000 AI contest with hidden code – and was fired from dream SV job

Crypto Monad

Re: And then...

> ... All it takes is one person to be curious to find the cheat.

Not necessarily.

ML models are basically black boxes. He could also have cheated by training the model on the additional pictures in the test dataset: this would not have shown any trace in the code.

A fine host for a Raspberry Pi: The Register rakes a talon over the NexDock 2

Crypto Monad

Re: Why some people keep on reinventing the ill-fated Palm Foleo?

> You could go with something like this. Not quite as cheap but easier to carry.

There are some others in that space, all rather expensive:



If you want to do this on the cheap, then search for "HDMI capture" devices on Amazon (the thing gamers use for uploading their adventures to YouTube) - starting at £55. You may have to put up with a second or two of video lag.

This leaves you with the need for a keyboard. You can buy tiny USB keyboards easily enough, but making your laptop act as keyboard to a remote device is harder than you think. One option might be to use a Pi Zero with serial port on one side and USB running in target mode on the other, but you get to write the software yourself.

Latest patent brouhaha: Sonos wheels out Doomsday device in bid to block Google Home sales.... The Register

Crypto Monad

Re: Buy-out?

That would be a risky strategy for Sonos stockholders though. Firstly, stock may plummet on the news of the Google spat - meaning that even if Google eventually buys it, they get it at discount price. Secondly, Google already has a directly competing line of products, so little incentive to buy another. Thirdly, the risk that during litigation it comes to light that Sonos is unknowingly already violating Google's massive patent collection in some way.

Aside: that to me also seems an absurdity of patents. You do something in the only obvious way, without looking at someone else's patents or products, and you can still find yourself in violation just because somebody else wrote it down first.

Crypto Monad

Pot calling kettle

"The harm produced by Google’s infringement has been profoundly compounded by Google’s business strategy to use its multi-room audio products to vacuum up invaluable consumer data from users"

Funny how Sonos has forgotten that it changed its T&Cs a few years ago, so that anyone using their products had to agree to having their data used by Sonos.

Sadly, it looks like this is the end of Sonos. I don't think they will survive a pounding from Google's lawyers.

Hash snag: Security shamans shame SHA-1 standard, confirm crucial collisions citing circa $45k chip cost

Crypto Monad

Re: Is there a database somewhere keeping track of these 'deprecations' ?

> I keep saying that we need a website, with a queryable API, that returns things like:

> MD5: Insecure.

And the authenticity of the response from the website will be verified how, exactly?

Crypto Monad

Re: Other Problems

Two points:

1. git allows signed commits and tags to record the authenticity of a commit. This relies on the SHA-1 for integrity. If you can't trust the SHA-1, you can't trust the signature.

2. with git, you don't necessarily need direct write access to someone's system to mess with their data - only the system which they pull from. This could be some cloud service or some self-hosted server.
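An added illustration of point 1 (example code; not the commenter's, and not git's own implementation): the functions below recompute git object IDs the way git does, so it is visible that a signed commit is a signature over the commit object text, which names its tree only by SHA-1, which in turn names each file only by its blob SHA-1. File contents never enter the signed bytes, so a second blob with the same SHA-1 slots under an existing signature undisturbed. Author and timestamp are constructed. Git has shipped with the collision-detecting SHA-1 variant (sha1dc) since 2.13 and has a SHA-256 object format in progress, but every existing signature still rests on SHA-1.

```python
"""Git object IDs and the bytes a signed commit actually covers.

Added example, not from the original post and not git's code. Git names
every object by SHA-1 over "<type> <size>\\0<content>"; a signature made by
`git commit -S` is over the commit object text, which carries the tree id,
not the files.
"""
import hashlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """SHA-1 over the git object header plus content, hex-encoded."""
    header = f"{obj_type} {len(content)}\0".encode("ascii")
    return hashlib.sha1(header + content).hexdigest()


def git_blob_id(data: bytes) -> str:
    """ID of a file's contents, as `git hash-object` would report."""
    return git_object_id("blob", data)


def git_tree_id(entries: dict[str, str]) -> str:
    """Tree object for a flat directory of regular files (mode 100644).

    `entries` maps file name -> hex blob id. Each entry is
    "<mode> <name>\\0" followed by the 20 raw bytes of the id, sorted by name.
    Only the blob id enters the tree, never the file content.
    """
    body = b"".join(
        f"100644 {name}\0".encode("utf-8") + bytes.fromhex(entries[name])
        for name in sorted(entries)
    )
    return git_object_id("tree", body)


def signed_commit_payload(files: dict[str, bytes], author: str, message: str) -> bytes:
    """Bytes a commit signature is computed over: the commit object text
    without the gpgsig header. Root commit (no parent); constructed fixed
    timestamp so the output is reproducible."""
    tree = git_tree_id({name: git_blob_id(data) for name, data in files.items()})
    return (
        f"tree {tree}\n"
        f"author {author} 1583020800 +0000\n"
        f"committer {author} 1583020800 +0000\n"
        f"\n{message}\n"
    ).encode("utf-8")


if __name__ == "__main__":
    files = {"hello.txt": b"hello\n", "build.sh": b"#!/bin/sh\nmake\n"}
    for name, data in files.items():
        print(f"{git_blob_id(data)}  {name}")
    print(signed_commit_payload(files, "Dev <dev@example.com>", "release 1.0").decode())
```

Reading the payload makes the attack surface concrete: whoever can produce a blob with the same 40 hex characters as `build.sh` does not need to touch the signed commit, the tag or the author's key. That is why the cost figure in the article matters for git even though the signature itself is RSA or Ed25519.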

No horrific butterfly keys on this keyboard, just you and your big, dumb fingers

Crypto Monad

Re: I watched the video

I would guess it tries to guess the most likely words you are typing, based on relative movement of your fingers, and on the previous words typed - i.e. predictive text on steroids.

Probably fine for the odd message home. Not so good for coding.

Reusing software 'interfaces' is fine, Google tells Supreme Court, pleads: Think of the devs

Crypto Monad

Re: This is a hard one

Why market your language as "open", entice all the users in, and then sue the crap out of anyone who tries to re-implement it from scratch?

Oracle are basically the Child Catcher. Oh wait, there's an icon for that -->

Exploring AWS CodeGuru: New automated code review has smart features – but Java-only

Crypto Monad

Can I check I understand this right? Amazon trained their code review tool using machine learning on a bunch of open-source Java code on Github. Then when run against your repo, it makes suggestions how to change *your* code to make it look more like open-source Java code on Github?

Hold my Bose, we can do premium: Sennheiser chucks pricey wireless cans at travellers

Crypto Monad

Re: Noise cancelling

Hand them one of these.

(We live in a world where it's impossible to tell if this is a spoof or not - despite being on indiegogo)

100 mysterious blinking lights in the night sky could be evidence of alien life... or something weird, say boffins

Crypto Monad

Re: blinkenlights

It's an IT crowd in-joke. Sorry it's a bit of a damp squid.

Crypto Monad

Re: blinkenlights

I think you'll find the correct term is "on a pedal stool"

GlaxoSmithKline ditches IR35 contractors: Go PAYE or go home

Crypto Monad

"it emerges that GlaxoSmithKline is ordering contractors to switch to pay as you earn tax arrangements or leave the company."

Isn't that exactly the outcome which IR35 was intended to deliver - more people ending up on PAYE? It's unlikely government would backtrack on that, if it's what they wanted to happen in the first place.

More likely outcome: more IT work outsourced to other countries.

We strained our eyes with Lenovo's monster monitor: 43.4 inches for price of five 24" screens

Crypto Monad

Re: Vertical space rules

Reminds me of the xkcd phone with 4K screen (50 x 80 pixels)


Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?

Crypto Monad

Re: another workaround to this

A better solution IMO is to use VLANs.

With unifi APs, the management IP address is always on the native (untagged) VLAN - and you can assign the wireless SSIDs to other (tagged) VLANs.

Therefore: put the management IP on a separate device management subnet that has no external Internet access - and no outbound access to any of your other networks, for that matter.

Then there's the question of what you do with the management software, which isn't currently implicated in phoning home. I'd suggest you stick that on the same untrusted device network and then you don't have to worry about it. If it's a Debian/Ubuntu box, you can give it access to an apt-cacher proxy so that it can download software updates when you choose, but nothing else.

Microsoft welcomes ancient Project app to the 365 family, meaning bleak future for on-prem

Crypto Monad

Re: How much?

> MS will ultimately move Windows to a monthly license fee model though. It's inevitable really.

I doubt it. That's the *one* thing they could do which would make a significant proportion of PC owners try switching their desktops to Linux.

Charge 5p for a carrier bag and the vast majority of people will bring their own...

The eagle has handed.... scientists a serious text message bill after flying through Iran, Pakistan

Crypto Monad

Re: Global roaming charges are evil

"My provider charges $1000 / gig"

Nope. Never heard of that sort of charge at all, and I use O2 who are famous for charging extortionate fees. Perhaps you meant $10 per gig?

Ha ha.

If you use your mobile phone in various third world countries - including Canada - Three still charges £6 per *megabyte* for data roaming - that is £6,000 per gigabyte. (Or £6,144, depending on how you define a gig)

But in the "Go Roam" (formerly "Feel at home") countries, including USA, roaming is free - it just comes out of your UK inclusive data allowance.

You have to be extremely careful about where you turn Data Roaming on and off!

Crypto Monad

Re: Global roaming charges are evil

No need for GPS geo-fencing.

A GSM terminal knows the ID of the network operator it's connected to (MCC/MNC, a 5-digit number) - so you just whitelist the operators that you want to use with this SIM.

Kiss my ASCII, Microsoft – we've got one million fewer daily active users than you, boasts Slack

Crypto Monad

Can someone develop an app that polls all these apps to work out which one the person you are trying to contact is using and then route the conversation to that?

Insert Obligatory XKCD

BBC said it'll pull radio streams from TuneIn to slurp more of your data but nobody noticed till Amazon put its foot in it

Crypto Monad

Re: BBC still coming in "loud and proud" in sunny Spain.

Just tested it: Radio 2 via TuneIn on Sonos still working for me this morning (in UK)

Switch about to get real: Openreach bod on the challenge of shuttering UK's copper phone lines

Crypto Monad

Re: For 2025 read 2075

> Running a fibre link for miles to serve a single house makes very little economic sense.

Except this article isn't about replacing copper with fibre: it's about withdrawing analogue telephony services over the copper. The copper can still be used to deliver data services: FTTC (from the cabinet) or ADSL (from the exchange). Voice will become VOIP over that. That's what's being talked about for 2025, no more.

In a completely unrelated development, Boris said we should move forward the aspirational target for replacing copper with fibre* from 2033 to 2025. That one will almost certainly go out of the window as undeliverable. If we get to even 50% fibre coverage by 2025 it would be a huge achievement.

*He's already watered down "fibre" to "gigabit-capable". That's so that properties covered by Virgin Media will count, once they've upgraded to DOCSIS 3.1.

Aside: as for whether running fibre for miles to serve a single house makes sense: fibre is cheaper to buy than copper, fails less often, doesn't need those pesky powered street cabinets, and allows customers to buy higher speed (and hence more expensive) services. So in the end, yes it will make sense: but when there's existing copper, the payback period for upgrading could be long.

The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they're typed over the network

Crypto Monad

Re: Local access and you get ever so much!

> If they could monitor the server's traffic they could see the pauses directly.

Which is a much bigger hole than this one. Even someone *listening* to your typing can attack this way.

Solution: use a password manager for all your passwords. Then you paste them in one big splurge, with no gaps. This is an easy and comprehensive solution, and of course lets you use strong random passwords too.

Using RSA/EC private key authentication for ssh helps too - but you're still going to end up typing some passwords over ssh sessions (e.g. sudo password)

Dear Planet Earth: Patch Webmin now – zero-day exploit emerges for potential hijack hole in server control panel

Crypto Monad

Re: At least a responsible response

> So it may have become known by someone leaking the existence of the vulnerability.

Or somebody decided to compare the webmin distribution tarball with the source on github.

Top tip: Don't upload your confidential biz files to free malware-scanning websites – everything is public

Crypto Monad

Re: New service!

> Email me your passwords, and my algorithm will check if they are compromised.

Already been done - e.g. https://haveibeenpwned.com/Passwords

(TBF, that particular implementation takes a lot of care not to send the password to the server)
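The care referred to above is the k-anonymity range query, shown here as an added example (not the commenter's code and not HIBP's client): the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every suffix in that bucket, and the match is made locally, so neither the password nor its full hash leaves the machine. The range response is constructed so the example runs offline; a real client would fetch https://api.pwnedpasswords.com/range/<prefix> over HTTPS.

```python
"""Pwned Passwords range query without sending the password or its hash.

Added example; not the original post's code and not the HIBP client.
Protocol: GET /range/<first 5 hex of SHA-1>, response lines of
"<remaining 35 hex>:<count>". The HTTP call is stubbed with a constructed
bucket so this runs offline.
"""
import hashlib

API_BASE = "https://api.pwnedpasswords.com/range/"

# Constructed bucket for prefix 5BAA6. The second line is the genuine suffix of
# SHA-1("password"); the other suffixes and all counts are made up. Real
# responses may also carry ":0" padding lines, which the parser must tolerate.
FAKE_RANGE_RESPONSE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
])


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS request to API_BASE + prefix."""
    return FAKE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def observable_prefix(password: str) -> str:
    """Everything the server (or anyone watching the request) learns."""
    return sha1_hex(password)[:5]


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach occurrences for `password`, or 0 if absent.

    Compares the 35-character suffix locally; the full hash is never sent.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: prefix sent={observable_prefix(pw)} count={pwned_count(pw)}")
```

With a 40-character hash split at five characters, each bucket holds several hundred hashes, so the server learns only that your password is one of roughly that many candidates. That is the difference between this design and the "email me your passwords" service being mocked.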

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt

Crypto Monad

Re: An issue of Google's own making ...

> I *can* teach my mother to avoid a website that Chrome (other browsers are available) labels as "INSECURE".

I think what you mean is, "I can teach my mother to avoid entering her banking details into a site which Chrome etc labels as 'INSECURE'". Even that minor toe-hold goes away when all sites are HTTPS. But it never really helped in the first place.

The theft of sensitive data by packet-sniffing of unencrypted traffic is only a tiny part of the problem. The main problem is entering data into fake sites which look legitimate. If the web site looks like her bank's website, your mother will use it. It may even proxy to the real site behind the scenes.

Anyone can register a plausible-looking domain like "halifax-online-services.com" - and could also register a similar-sounding company name if they want an EV cert (but why bother, since 99% of users ignore them anyway?) I expect most users would enter their login details at "halifax-secure-banking.dyndns.org" if the content looked right.

"Secure" (in the weak sense provided by HTTPS) is very different to "trustworthy".

Crypto Monad

Re: DV's only

That's correct. EV certs are dead, since Chrome and Safari stopped displaying them, because users ignored them.

The *only* thing that an SSL/TLS certificate assures you is that when you make a connection to xyz.com, you are exchanging data with someone who controls the domain xyz.com - that is, the connection is not subject to DNS spoofing or active man-in-the-middle attack.

In particular, it does not tell you anything about whether xyz.com is a good or bad actor, e.g. if you enter your credit card details they will be used for evil purposes or not. And it never did.

Crypto Monad

> What does this have to do with SSL encryption?

It's more about SSL authentication. For example, remember when MD5 was broken: people were still issuing MD5-signed certs for a while after that, and then if the final signed cert had a 3-year lifetime, you had to trust MD5 signatures for another 3 years too.

I could throttle you right about now: US Navy to ditch touchscreens after kit blamed for collision

Crypto Monad

> Throttles split across different consoles.

> That sounds like a recipe for the Chuckle Brothers 'To me... To you.'

Or Air France 447.

Yubico YubiKey lets you be me: Security blunder sparks recall of govt-friendly auth tokens

Crypto Monad

Re: FIPS stands for reduced security

It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.

Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.

If there was even a chance that it was any more safe than normal OpenSSL, there would be plenty of people who would choose it for that reason. But they don't. That tells you all you need to know about the value of FIPS certification.

Finnish and Russian comms giants shake hands on submarine cable across Arctic Sea

Crypto Monad

Re: Map projections

I guess they must have their reasons for cabling at sea rather than overland (shorter overall distance? Siberian conditions the bigger maintenance nightmare?)


Bad news. Asteroid 1999 KW4 flew by, did not hit Earth killing us all. Good news: Another one, Didymos, is on the way

Crypto Monad

Re: That is damn close

My chemistry teacher was always bemused that the "kilogram" was chosen as the SI base unit for mass, and argued that we should weigh small amounts of things in "milli-kilograms"



Biting the hand that feeds IT © 1998–2020