Posts by jezza99

24 posts • joined 6 Jan 2019

Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years

jezza99

Ignorance of certificate technology

I used to manage certificate services for my then employer, and as I gained skills became aware of how absolutely critical they are to modern IT security. Including the bit that clients must always fully validate any certificate they receive.

Yet knowledge of this technology is known to so few systems admins and application developers.

No wonder practical IT systems, including big name ones, still contain so many security holes.

One-size-fits-all chargers? What a great idea! Of course Apple would hate it

jezza99

Just think, if the EU had brought this in in 2009, when they started considering it, they would have specified an original USB connector, or maybe the round Nokia connector.

In 10 years' time I'm sure USB-C will look just as dated.

For years now I've charged all my devices with a single Apple charger. I just swap cables if I need to charge a non-Apple device.

In short, this is a really bad idea which solves a non-problem.

Australia rules Facebook page operators are legally liable for user comments under posts

jezza99

Re: Out of curiosity ...

This case was covered today in the Sydney Morning Herald. It is actually a straightforward extension of existing precedent in defamation law, and so is quite robust from a legal standing.

The High Court has determined that an organisation which publishes pages on Facebook is also, from a legal perspective, the publisher of the associated comments. Note that the publisher is not the same as the author.

The judgement isn't about the defamation per se.

Personally I think it is time that social media platforms were required to identify the posters behind the vile comments that some seem to think are acceptable so that they can be sued directly. But that is a different issue.

30 years of Linux: OS was successful because of how it was licensed, says Red Hat

jezza99

Re: Linux is not an OS

I'd refine that slightly. An OS consists of a kernel and a standardised operating environment that application programs can assume will exist and make use of. So this may include a shell and will almost certainly include a set of libraries and utility programs. Some of the environment may be optional; for instance, the X window system and its associated libraries are an optional component of the Linux OS. An application which needs a GUI will use X, but not all applications need a GUI.

The utilities/libraries in an OS do not have to be exclusive to that OS, they may be used on a number of different operating systems.

Apple didn't engage with the infosec world on CSAM scanning – so get used to a slow drip feed of revelations

jezza99

Re: Not the problem

Indeed. It would be straightforward to use this technique to match photos against a hash database of, say, faces of people that a government doesn't like instead of a database of CSAM hashes.

The technical details really are irrelevant. It is the fact that Apple will scan your photo library at all which is the issue.

Don't rush to adopt QUIC – it's a slog to make it faster than TCP

jezza99

Re: TCP is wrong for most network transactions

The fact is though that both enterprise network equipment and modern kernels are massively optimised for TCP.

In a LAN environment, NFS was originally written on UDP. Some time later, NFS over TCP was defined, but the TCP overhead made it slower. However, for at least the last 10 years storage vendors have strongly recommended NFS over TCP for performance. The difference is kernel support on both server and client.

In the WAN, if you control both end points there are devices which will optimise TCP to radically increase performance, even with high latency. This means that you can use standard applications such as SFTP to transfer data efficiently between continents. As these devices work by managing error correction it is hard to see how they would work if that were done at the application layer.

I can see the advantage of including encryption as a tier 1 protocol feature though. If TCP were designed today it would surely have that.

FTC approves $61.7m settlement with Amazon for pocketing driver tips

jezza99

I continue to refuse to buy from Amazon because I find their employment practices around the world to be abhorrent.

New Zealand hospitals infected by ransomware, cancel some surgeries

jezza99

It really is time that these ransomware outfits are treated like the terrorists they are.

Blessed are the cryptographers, labelling them criminal enablers is just foolish

jezza99

I find ACIC's comment that cryptographic apps on the internet are almost exclusively used by criminals to be criminally wrong!

Any time you use a web site with "HTTPS" you are using a cryptographic application. And almost all web sites (including El Reg) do that. Any that still use plain old HTTP cannot be trusted!

I use encrypted chat apps, because I value my privacy. I have yet to do anything criminal with them. Same for my friends and associates.

If the government breaks cryptography by forcing the use of back doors we will all lose!

Chrome 90 goes HTTPS by default while Firefox injects substitute scripts to foil tracking tech

jezza99

Re: No, this is wrong

Agreed! I would go further and suggest that all unencrypted protocols should be removed from RFCs. It is just too risky, even for intranets.

Implementing HTTPS is trivial.

Bothering to upgrade the iPhone 12 over older models has proven to be worth its weight in gold for Apple

jezza99

Re: "The iPhone – Apple's hottest seller – brought in revenues of $65.597bn"

The last smartphone I owned with a replaceable battery (a low end phone used for travel) had a woeful life. It couldn't even get through a morning without wanting the charger. I never even bothered trying to buy a replacement battery.

Even the last low end travel phone I bought had a non-replaceable battery. And could almost make it from morning to evening!

jezza99

Re: "The iPhone – Apple's hottest seller – brought in revenues of $65.597bn"

It's pretty simple. A replaceable battery is more than twice the volume of a non-replaceable one, as it must have a hard plastic case in order to be safely handled by a non-technical customer.

People prefer smaller phones to replaceable batteries.

Apple worked this out years ago. As usual, everyone complained, but then the other vendors quietly started doing the same, to gain the same advantage. It doesn't cost all that much to get Apple to replace your battery, relative to the price of the phone.

The non-replaceable batteries also save all that hard plastic which would otherwise go to landfill.

Must 'completely free' mean 'hard to install'? Newbie gripe sparks some soul-searching among Debian community

jezza99

I guess from this discussion that 2021 is the year of Linux on the desktop!

Who watches the watchers? Samsung does so it can fling ads at owners of its smart TVs

jezza99

I'll stick with my older, definitely dumb, Panasonic TV thanks. Has great picture quality and acceptable sound for a flat screen TV.

Microsoft sides with Epic over Apple developer ban, supports motion for temporary restraining order

jezza99

Re: Cynical

Indeed. Most of these apps are free to download and install, and only start charging you once you actually use them. Games in particular are notorious for enticing you in for free, then having to purchase things to actually progress in the game.

If Apple can't make a margin from in-app purchases then its platform would not be viable.

Utes gotta be kidding me... University of Utah handed $457K to ransomware creeps

jezza99

Are they kidding? If I were a hacker I know which university I would target next.

I can’t see how paying a ransom is ever a good idea.

You weren't hacked because you lacked space-age network defenses. Nor because cyber-gurus picked on you. It's far simpler than that

jezza99

In a corporate environment this is a hard to solve problem.

At home I patch now and ask questions later, as is best practice.

But at my last employer we were dependent on software from vendors who did not get computer security at all. And some of them are big names in the field. We were forced to run versions of MacOS and others that we knew were insecure as a result.

Then there's Windows and Active Directory. Do they support dictionary-checking passwords out of the box now? If not, why not?

Brit unis hit in Blackbaud hack inform students that their data was nicked, which has gone as well as you might expect

jezza99

Don't do business with them

Personally I would never voluntarily do business with a business which pays ransoms.

I hope that these universities are chasing alternative suppliers right now.

The end really is nigh – for 32-bit Windows 10 on new PCs

jezza99

Wow, are Windows users still suffering this 32- or 64-bit rubbish?

Apple resolved that years ago.

If you never thought you'd hear a Microsoftie tell you to stop using Internet Explorer, lap it up: 'I beg you, let it retire to great bitbucket in the sky'

jezza99

I wonder how many “enterprise” apps still need IE6 with old versions of Java and all the security settings switched off? I used to manage fibre channel switches which did this.

Remember that Sonos speaker you bought a few years back that works perfectly? It's about to be screwed for... reasons

jezza99

Better stick with old stuff

My NAD sound system, circa 1985, seems to still play music just fine, and with excellent sound quality. I think I'll stick to it.

Let adware be treated as malware, Canuck boffins declare after breaking open Wajam ad injector

jezza99

I get so many ads for scams served up by both Google Ads and Facebook that I wouldn't trust anything advertised on the internet anyway.

Apple, Samsung feel the pain as smartphone market slumps to lowest shipments in 5 YEARS

jezza99

Re: Just one question

Funny, my iPhone 6 (4YO) seems to be running the latest iOS and apps. Which phones don't have updates after 12-18 months?

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters

jezza99

Since the phish requires a custom font, that must mean that the email client will download and use a font from an unverified source.

Seems like a pretty basic security hole. Which email client(s) suffer from this?

Biting the hand that feeds IT © 1998–2021