* Posts by Blazde

473 publicly visible posts • joined 11 Jan 2019


Wyze admits 13,000 users could have viewed strangers' camera feeds

Blazde Silver badge

I saw it mentioned elsewhere that they may have had this problem all along

Aye,

"The company introduced a number of measures to prevent the incident from recurring, including adding a new verification layer before users attempt to view Event videos."

Makes it sound like there was a pre-existing access control issue which a race condition in caching merely helped innocent users exploit. Several things have to go wrong for data to actually be shoved in the face of an involuntary 'attacker' rather than the more common scenario of an attacker with know-how to bypass poor security actively doing so.

Cutting kids off from the dark web – the solution can only ever be social

Blazde Silver badge

Re: Root causes?

the general level of acceptance of violence as entertainment is objectively pretty high. As the baseline is so high, the threshold for deviance into extreme behaviour is closer to the norm than it should be

It's been pretty conclusively shown that young people are blessed with brains able to distinguish real violence from fictional violence, and experience very different reactions to the two. There isn't a 'ban 1st person shooters, they're numbing our kids' empathy' narrative to be found here. If anything games & sport provide an emotional outlet as well as a time sink that displaces real violence.

The problem is that a small fraction of the population don't have empathy in the first place, exposure to violent media or not. Most regulate themselves because they recognise going to prison isn't so fun. Brianna's killers mystifyingly believed they could get away with it, so perhaps teaching kids about the strong criminal deterrents already in place would be a good starting point. I don't know what it's like now but when I was in school there was zero education on the law or criminal justice system, which is a bit bizarre when you think about it.

Southern Water cyberattack expected to hit hundreds of thousands of customers

Blazde Silver badge

Re: As a Southern Water customer*, When they said "Sorry we leaked your shit"...

even government departments

You appear to have misspelled 'especially'. It's easily done.

If the water companies were not in arm's-length/private ownership they'd be dumping their sewage selectively in rivers running through opposition party constituencies, while MPs from the governing party would frequently be pictured proudly opening brand new sewage treatment plants in their constituencies.

On this matter I'm sure a moderately serious Offwater wrist slapping is coming Southern Water's way. A stern letter might even get sent.

Rust can help make software secure – but it's no cure-all

Blazde Silver badge

Re: FALSE

The issue is the order / state of calls that ultimately called that 2) section.

No. The issue is that you're dropping data without being sure there aren't continuing references to it (if I understand the example). So the issue is in section 2 - your unsafe code is bad. The fact that there *might* not be continuing references if all the rest of your code colludes with section 2 is irrelevant. The big clue that the problem is in section 2 and not somewhere else is that you've wrapped it in an unsafe block. That's what Rust does for you, it helps you understand the root cause of the problem.

The solution is to find a memory-safe way to do it. (e.g. wrap the dropped data in an outer reference which remains valid and make sure the real reference only exists once, or replace it with dummy data which remains valid, or make it undroppable as long as your program runs). It is true that you might incur a small overhead to fix the problem but it's nothing you shouldn't be doing in any language if you want bug free, maintainable code.
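The three escape routes listed above, written out as an added example (this is not code from the article, from the commenter, or from the driver code bases mentioned below; the `Record` type and the "owner / reader" split are constructed for illustration). The first function is the "section 2" shape being argued about, reduced to a raw pointer and a drop, and is never called; the other three are safe replacements for it.

```rust
use std::cell::RefCell;
use std::rc::Rc;

// Constructed example data (not from the article or any commenter): a record
// that some other part of the program may still want to read after its owner
// would like to be rid of it.
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Record {
    pub name: String,
    pub payload: Vec<u8>,
}

/// The "section 2" pattern the thread argues about, reduced to its core:
/// drop the owner while a raw pointer still points at the data. The unsafe
/// block is the clue that this is where the bug lives. Nothing calls this;
/// it exists only as the before picture and would be a use-after-free.
#[allow(dead_code)]
fn drop_while_referenced() -> usize {
    let owned = Box::new(Record { name: "x".into(), payload: vec![1] });
    let p: *const Record = &*owned;
    drop(owned); // allocation freed here
    unsafe { (*p).payload.len() } // undefined behaviour: p dangles
}

/// Fix 1: shared ownership. The allocation lives as long as any Rc clone
/// does, so the "owner" dropping its handle cannot dangle anyone else's.
pub fn shared_ownership() -> (usize, String) {
    let owner = Rc::new(RefCell::new(Record { name: "a".into(), payload: vec![1, 2, 3] }));
    let reader = Rc::clone(&owner); // second handle, e.g. held by a worker
    drop(owner);                    // the original owner lets go
    let name = reader.borrow().name.clone();
    (Rc::strong_count(&reader), name) // (1, "a"): still alive, still valid
}

/// Fix 2: keep the slot, replace the value. Anything holding `&mut slot`
/// (or an index into a Vec of slots) stays valid; only the old value dies.
pub fn replace_with_dummy(slot: &mut Record) -> Record {
    std::mem::take(slot) // slot now holds Record::default()
}

/// Fix 3: make it undroppable for the life of the program. `Box::leak`
/// hands back a &'static that can be shared freely and is never freed.
pub fn make_undroppable(r: Record) -> &'static Record {
    Box::leak(Box::new(r))
}

fn main() {
    println!("{:?}", shared_ownership());
    let mut slot = Record { name: "b".into(), payload: vec![4, 5] };
    let old = replace_with_dummy(&mut slot);
    println!("old = {:?}, slot = {:?}", old, slot);
    println!("{:?}", make_undroppable(Record { name: "c".into(), payload: vec![] }));
}
```

Which fix applies depends on who holds the second reference: `Rc` when two parts of the program genuinely co-own the data, `mem::take` when the slot is the thing being referenced (a Vec of connections, a device table), `Box::leak` when the data really is program-lifetime. None of them need an unsafe block, which is the point.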

Blazde Silver badge

You're not back to square one. You've profoundly reduced the footprint of dangerous code that needs reviewing, and if you're anything like the average Rust coder you'll work zealously to reduce or eliminate unsafe blocks and refactor them into the simplest, most readable, most likely to be correct code that's ever been written.

(I tried to find a good example but the first 3 driver code bases I checked had no unsafe code. Two of them even had #![forbid(unsafe_code)] at the top. The 4th I checked had four unsafe one-liners. Two were straightforwardly unnecessary. The other two indeed involved a risky pointer re-cast which I couldn't immediately judge the safety or necessity of because it involved device specific knowledge, but I know if I wanted to it'd be several orders of magnitude easier than checking an equivalent C driver for memory-management related vulnerabilities).

SBF likely off the hook for misplaced FTX funds after cops bust SIM swap ring

Blazde Silver badge

Non-transitive comparison breaks glibc qsort

I ran into this problem in real-world code many, many years ago and have the traumatic flashback to this day every time I use custom comparison. It's not all that difficult to mess up a complicated implementation with multiple branching conditionals, and you're one of the lucky ones if the sort crashes (or hits a bounds check now). At the time I figured 'of course this mysterious segfault that took hours to diagnose is all my fault' but now, in 2024, I think both glibc and any to-be-discovered broken callers should have a CVE.

My 2 cents anyway. Good that it's fixed.
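A comparator sanity check, added here as an example and not taken from glibc, the article, or the commenter. It is written in Rust rather than C but keeps the qsort(3) convention of a negative / zero / positive return, and it checks the three properties a sort needs (reflexivity, antisymmetry, transitivity) over every pair and triple of a sample before any sort is attempted. The broken comparator is the well-known `return a - b;` overflow; the sample values are constructed.

```rust
use std::cmp::Ordering;

/// Does `cmp` define a consistent total order on `sample`? Checks
/// reflexivity, antisymmetry and transitivity over every pair and triple,
/// using the qsort(3) convention (negative / zero / positive). Returns a
/// description of the first violation found, or None.
pub fn check_total_order<T, F>(cmp: F, sample: &[T]) -> Option<String>
where
    T: std::fmt::Debug,
    F: Fn(&T, &T) -> i32,
{
    for a in sample {
        if cmp(a, a) != 0 {
            return Some(format!("not reflexive: cmp({a:?}, {a:?}) != 0"));
        }
    }
    for a in sample {
        for b in sample {
            if cmp(a, b).signum() != -cmp(b, a).signum() {
                return Some(format!(
                    "not antisymmetric: cmp({a:?}, {b:?}) = {}, cmp({b:?}, {a:?}) = {}",
                    cmp(a, b),
                    cmp(b, a)
                ));
            }
        }
    }
    for a in sample {
        for b in sample {
            for c in sample {
                if cmp(a, b) <= 0 && cmp(b, c) <= 0 && cmp(a, c) > 0 {
                    return Some(format!(
                        "not transitive: {a:?} <= {b:?} and {b:?} <= {c:?}, but cmp({a:?}, {c:?}) = {}",
                        cmp(a, c)
                    ));
                }
            }
        }
    }
    None
}

/// Sort only after the comparator has passed the check on the data it will
/// actually see; a broken comparator handed straight to a sort is exactly
/// the out-of-bounds access the glibc bug was about.
pub fn checked_sort<T, F>(cmp: F, data: &mut [T]) -> Result<(), String>
where
    T: std::fmt::Debug,
    F: Fn(&T, &T) -> i32,
{
    if let Some(why) = check_total_order(&cmp, data) {
        return Err(why);
    }
    data.sort_by(|a, b| match cmp(a, b) {
        x if x < 0 => Ordering::Less,
        0 => Ordering::Equal,
        _ => Ordering::Greater,
    });
    Ok(())
}

/// The classic C bug, `return a - b;`: fine on small values, but the
/// subtraction overflows for far-apart ones and the sign flips.
pub fn cmp_by_subtraction(a: &i32, b: &i32) -> i32 {
    a.wrapping_sub(*b)
}

/// The fix: compare, don't subtract.
pub fn cmp_correct(a: &i32, b: &i32) -> i32 {
    match a.cmp(b) {
        Ordering::Less => -1,
        Ordering::Equal => 0,
        Ordering::Greater => 1,
    }
}

fn main() {
    let small: [i32; 3] = [5, -5, 0];
    let wide: [i32; 3] = [-2_000_000_000, 0, 2_000_000_000];
    // The small sample hides the bug; the wide one exposes it.
    println!("{:?}", check_total_order(cmp_by_subtraction, &small[..]));
    println!("{:?}", check_total_order(cmp_by_subtraction, &wide[..]));
    let mut v = wide.to_vec();
    println!("{:?}", checked_sort(cmp_correct, &mut v));
    println!("{:?}", v);
}
```

The check is O(n³) on the sample, so it is a test-time or debug-build tool, not something to run before every production sort; its value is that it turns "mysterious segfault hours later" into "comparator failed on these three inputs". Note the small sample passes cleanly, which is why this class of bug survives unit tests.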

US judge rejects spyware slinger NSO's attempt to bin Apple lawsuit

Blazde Silver badge

Re: Apple spokesperson speak to The Register

Apple spokesperson, or recently fired former Apple spokesperson?

What Microsoft's latest email breach says about this IT security heavyweight

Blazde Silver badge

'It's kind of like the mafia'

Nice head orfice. Shame if somebody broke all your windows. We can help you with that..

IT consultant fined for daring to expose shoddy security

Blazde Silver badge

Re: The problem is law is old and tech is new

when initially connecting to the Modern Solution database thought it was one owned and run by his client

My German is not good but Google Translate of the article implies he believed it was run *for* his client, not by his client. Clearly accessing passworded 3rd party systems is something a consultant needs to be careful about. Check with the client whether you have appropriate authorisation.

Nevertheless if that's his defence then the case hinges on intent, not on whether or not an exceedingly poorly secured password counts as a password.

Blazde Silver badge

Re: The problem is law is old and tech is new

If you read the blog where the data was leaked it's clear there is an attempt to damage the company's reputation. It's not clear what the relationship between the security researcher and the blogger is, but you can kinda see where the paranoia about a competitor comes from or at least why that becomes a plausible smear the company then uses.

I suspect it's more likely just typical hacker hubris ("Haha we pwned you but it's okay because as well as telling the world about it and sharing screenshots of customer info, we also emailed you how we did it"). Personally I'm all for giving professional-acting security researchers some leeway, ideally written into law (in the UK the public interest test is probably sufficient, except for the thorny issue of Post Office style private prosecutions), but clearly there has to be limits and where there are limits arrogant types will occasionally cross those limits.

Blazde Silver badge

Re: The problem is law is old and tech is new

"Hallo, anyone there"... No one is there. So you take it upon yourself to rummage through a filing cabinet containing 'extensive customer data from the online stores operated by Modern Solution's clients'.

Is that okay? Or should a genuine security researcher be expected to know when to curb their curiosity?

An only slightly generous reading of the law says he might have been okay if he'd connected to the database, thus confirming the password worked, and then immediately disconnected without even listing any tables etc. That would be closer to your scenario.

Blazde Silver badge

assuming they did not exploit those vulnerabilities

He did that though, that was his mistake.

Blazde Silver badge

Re: The problem is law is old and tech is new

The problem is geeky types like to find pedantic reasons why a password isn't a password but judges are wise and usually old, and the law older still, so they see straight through it. Nobody is not calling it a password because it is one, and a straightforward translation to bricks-and-mortar ethics says you don't have permission to go inside someone's house just because you find their front door key lying around outside for anyone to access. I'm not at all familiar with the interpretation and nuance of German law but a quick glance at the code in question says you shouldn't try to use passwords you know you don't have permission to use, regardless of how you came across them, and how tempting it is.

It is harsh, and very arguably the company should be prosecuted for terrible security practice too, but you can see in an age where there's a legal responsibility to report data breaches an ethical hacker creating a data breach in many cases won't be that much less of a headache than a non-ethical one doing it.

Is it time for 6G already? Traffic analysis says yep

Blazde Silver badge

Re: it would be great

Yes. They make the satellite ginormous so your phone doesn't have to be. AST SpaceMobile - blotting out the sun near you soon.

Lapsus$ teen sentenced to indefinite detention in hospital for Nvidia, GTA cyberattacks

Blazde Silver badge

Re: "broke into Rockstar Games using an Amazon Firestick, his room's TV, and a phone"

Well I'm currently carrying out research(*) before drafting my first screenplay.

(*) This mostly involves watching all the existing movies. After that nothing will hold me back. Although, maybe I'll study a few of your novels first as well ;)

Blazde Silver badge

Re: Fascist pigs now targeting kids

I don't know what you mean by paraded. The 17 year old was not named because he's a kid (notwithstanding the odd exception to this rule eg. just yesterday). The 18 year old, legally in this country is an adult, and thus was named in a court open to the public and media.

Either you're suggesting closed courts, or anonymity for convicted criminals, or anonymity only for mentally ill patients who've committed criminal acts? I can see some arguments in favour of the last one of those, but a lot more against.

Blazde Silver badge
Alert

Re: "broke into Rockstar Games using an Amazon Firestick, his room's TV, and a phone"

In the movie in my head he ends up in a custom-built air-gapped Faraday cage. The Magneto treatment.

Until one day a nurse messes up and leaves the outer door slightly ajar. Arion uses a toothbrush to aerosolise the powdered milk he's carefully accumulated, and blows it gently through the gap in the door, which triggers smoke detectors in the fire control system and causes a hospital-wide evacuation protocol. Six attendants come to escort him out of his cage. The next cut shows an attendant's smartwatch conspicuously missing and then Broadmoor's main gates open, all the lights go off everywhere and we, the viewer, already know he's escaped.

Pro-China campaign targeted YouTube with AI avatars

Blazde Silver badge

The lift is limited by mass of air moved which (in this case) is limited by airspeed at the tip of rotors, because if that goes above speed of sound/speed of vibrations in air, then really bad things happen. Ingenuity was already quite close to that with one 'rotor column' (it has two rotors in it but moving the same column of air). The air on Mars is so thin they need to spin extremely quickly. So, my understanding is that the only way to get bigger payloads is more rotors and spaced out.

'Longer distance' is presumably about battery capacity and/or solar panel surface area, or whatever other power solution is used ie. mainly down to needing heavier loads. Being able to locate solar panels out of the airflow (surrounded by rotors instead of in the centre of them) sounds like an efficiency advantage too.

Blazde Silver badge

'China is highly capable and trusted to deliver massive infrastructure projects'

Honestly they got a point. When I'm looking for reliable massive infrastructure contractors it's them or Ancient Egypt. Nobody else comes close. That cheap Roman crap looks nice but crumbles after a few centuries.

Ofcom proposes ban on UK telcos making 'inflation-linked' price hikes mid-contract

Blazde Silver badge

Re: Hey, there's an idea...

I can't think of any other common long term consumer agreements

Well mortgages would be the biggie. About 1/4 in the UK are variable-rate, but even for fixed-rate in the long-term a lot of people are forced to mortgage at rates heavily influenced by inflation.

Blazde Silver badge

Re: Hey, there's an idea...

This has been compounded by BoE interest rate hikes - companies have got more limited access to credit and more expensive thus causing even more strain on supply chains and businesses having to raise prices even to keep the lights on.

Not gonna comment on the rest but this part is refutable by studying the chronology of rising inflation, rising interest rates, and then falling inflation: https://www.statista.com/statistics/1311945/uk-inflation-rate-central-bank-interest-rate-monthly/

Let's try it like this: "companies & individuals have got more limited access to credit and more expensive thus causing them to buy less stuff, reducing demand and therefore also reducing inflation"

This is the trouble with economics - always two sides to the coin, no matter how much the coin is worth.

Memory-safe languages so hot right now, agrees Lazarus Group as it slings DLang malware

Blazde Silver badge
Boffin

Re: Lazy Meta-Curry

Those side-effects are the worst part of malware. If only the bad guys would stick to purely functional code the world would be a better place

23andMe responds to breach with new suit-limiting user terms

Blazde Silver badge

That whole (extremely long) dispute section is just an indictment of US consumer laws. It's a series of hoops to jump through which are clearly discriminatory and designed purely to impede the consumer's ability to take legal action. Of course any well run company will put such a system in place if they can get away with it.

The equivalent section in 23andme's European TOS pretty much just says: Let us know if you have any complaint but your statutory rights aren't affected so go to court if you must, whatever.

https://www.23andme.com/en-gb/legal/terms-of-service/#dispute-resolution-arbitration

Polish train maker denies claims its software bricked rolling stock maintained by competitor

Blazde Silver badge
Happy

Oh you're Krakówing me up

A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list

Blazde Silver badge

Re: Test with all the layers

We get tested every few seconds, and it is free. Want to see the logs?

I believe it's more of a 'no-pen no-fee' arrangement. When they do pen they gouge you..

Microsoft issues deadline for end of Windows 10 support – it's pay to play for security

Blazde Silver badge

it’s just for legacy software anyway

Hopefully it's just for legacy data as well?

It's ba-ack... UK watchdog publishes age verification proposals

Blazde Silver badge

Re: NSFW...

The powers that be are sold on the idea that AI can magically solve all this. Type NSFW into Google.co.uk in a few years and it'll be endless 'Age restricted' results with just a few of the weirder, probably ruder results not restricted because AI can't magically solve this. And a bunch of innocent searches will also lead to endless 'Age restricted' results too because... AI can't magically solve this. Google (& Microsoft) won't care because now you need an account with more personal data attached to use their searches, and they already blew the serious search competition away so you have nowhere else to go.

On Facebook & Instagram random innocent posts are already mysteriously marked 'sensitive content' on the regular (because AI can't magically solve this)

UK government denies China/Russia nuke plant hack claim

Blazde Silver badge

Re: Sellafield / Windscale

"A repeat of the Bibby Stockholm embarrassment is unlikely as the newly repurposed accommodation first built in the 1960s is routinely irradiated, which Home Office officials believe should have destroyed any Legionella bacteria present"

Plex gives fans a privacy complex after sharing viewing habits with friends by default

Blazde Silver badge

Re: Why do companies think we care what anyone else is doing?

“Hear if your friends get to, uhh, the end of the episode before you, and high-five their achievements…”

Those annoying people who binge-watch shows at 1.5 times normal speed will really screw up the pooled audio you know..

Blazde Silver badge
Big Brother

Re: Why do companies think we care what anyone else is doing?

"Okay new idea. We're all too individualist and lonely now. Let's try to bring back the experience of crowding around the only telly in the house with a bunch of friends and family, like the good old days. TV viewing should be social again!"

* mildly sceptical nods and agreement *

"All those boring modern sitcoms recorded without laugh tracks? What if your friends were laughing along with you? Let's record an audio stream from each person's viewing and dub a mix of them into future viewings of that media. So you can hear your friends laughing along at the same jokes with you. You can hear in the quiet bit of the movie when one of your friends leans back in their creaky armchair and cracks open another beer. Maybe you'd like to do the same? You can hear when they're completely bored by the trash they're watching and decide to call their mother and check in about those gallstones.."

* frightened silence *

"Great. Could we get a first shot at this implemented by next week?"

Binance and CEO admit financial crimes, billions coughed up to US govt

Blazde Silver badge

Re: The cost of a jail-out card

Indeed. In the US the phrase 'reached a plea bargain' frequently just means 'lawfully bribed the prosecution'

Blazde Silver badge

Re: Where's the $10 billion coming from?

The press release states $1.35bil came from trading fees, which feels ballpark correct compared to Wall Street market makers and considering the fees/spreads are actually quite similar.

The rest sounds suspiciously like money in the process of being laundered (the phrase 'civil forfeiture' is used), which means it might be anything from proceeds of Iranian oil bypassing sanctions to money extorted by North Korean APTs, and in most of those scenarios we can expect them to be discreet about the details for legal and diplomatic reasons.

They've probably also benefited enormously just from having shareholder capital invested in crypto-currency.

Former infosec COO pleads guilty to attacking hospitals to drum up business

Blazde Silver badge

Re: "a former business leader"

It's not just his condition, the offence is obviously not being treated very seriously. For one thing the plea bargain makes no mention of phones going offline being intentional, and I imagine the prosecution felt they'd struggle to prove it was. But the main factor is the US legal system's over-focus on financial damage in hacking cases. This case is a textbook example of one side of that:

"b. Section 2B1.1(b)(1)(H) applies because the amount of loss resulting from the offense(s) of conviction and all relevant conduct is more than $550,000 but less than $1,500,000, resulting in an increase in the offense level by 14.

...

d. Section 2B1.1(b)(18) applies because (i) the Defendant was convicted of an offense under 18 U.S.C. § 1030, and the offense involved an intent to obtain personal information and (ii) the offense involved the unauthorized public dissemination of personal information, resulting in an increase in the offense level by 2."

He's paying the $818k back so he's a good boy. The fact it was patient data at a medical facility barely registers in the sentencing.

(The other side of the over-focus problem is: 13 year old kid bungles into megacorp's system with no particular malice or profiteering in mind, megacorp overreacts spending $50 million on intrusion reaction. Kid gets buried)

LockBit redraws negotiation tactics after affiliates fail to squeeze victims

Blazde Silver badge

6. Other proposals you have in mind

Under no circumstances should you end negotiations without requesting a helicopter & a McNuggets Happy Meal as a final demand

(Let's put the physical risk and light comedy back into ransom situations)

FBI Director: FISA Section 702 warrant requirement a 'de facto ban'

Blazde Silver badge
FAIL

"query applications [..] would not meet the legal standard to win court approval"

Well, there's your problem

Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain

Blazde Silver badge

The protocol being old is not the same as the hardware being old. I'd bet very little in active use is much beyond 10-15 years old, which means - like modern Wi-Fi routers - it will have very programmable signals processing and general purpose chips, and will have way more 'oomph' than any hypothetical future TETRA encryption can possibly require because they all come bundled with modern Wi-Fi/Bluetooth/LTE capability too. That TETRA is so old is extra reason to expect that, aside from the antenna size, it's all/almost all software implemented.

Beijing reportedly asked Hikvision to identify fasting students in Muslim-majority province

Blazde Silver badge
Meh

Buying more tents than one person could possibly need, and at a time of year when anyone with a perfectly decent home would shun camping? On a list.

Impatient LockBit says it's leaked 50GB of stolen Boeing files after ransom fails to land

Blazde Silver badge

Re: Scan the data for corruption

"Must be a USA term, and you assume 'the whole world has to know all current USA slang abbreviations, since USA is the whole world'"

Woah there, I can assure ye the Ulster Scots Agency are just trying to keep a bit o' auld culture alive. Naught so lofty as becoming the whol' world

China's top bank ICBC hit by ransomware, derailing global trades

Blazde Silver badge

Prohibition on the payment of demands

'the time has come for serious consideration to be given to a prohibition on the payment of demands, or at least severely restricting the circumstances in which they can be paid'

Cryptocurrency transactions of course already illegal in China, which is a pretty big restriction on ransom payment. I wonder how this is changing targeting there? You'd imagine a too-big-for-rules state owned company like ICBC would be able to find a way to pay if needed, but perhaps smaller orgs are enduring fewer attacks? Or is the ban not enforced well enough to affect this?

Russia's Sandworm – not just missile strikes – to blame for Ukrainian power blackouts

Blazde Silver badge

Re: Why were their SCADA units on the Internet?

Neutralize all alarms

Install optical drive

Upload MicroSCADA binary

Bungee jump from platform

Monero Project admits thieves stole 6-figure sum from a wallet in mystery breach

Blazde Silver badge

Re: Oh dear

So it became a better world for gunsmiths, and a worse one for fletchers? For all the rest of us 'going out into the countryside to catch something to eat' only improved markedly in the mid to late 20th century with the invention of the out-of-town supermarket.

When I was a kid stealing $437,000 required time, patience and CISI certification. The last being notoriously difficult for North Korean financial planners to acquire

In quest to defeat Euro red-tape, Apple said it had three Safari browsers – not one

Blazde Silver badge

Re: The title is no longer required.

It's their scale that makes them like this. They're required to act in the best interests of shareholders (aka don't hate the player, hate the game - even if these execs do clearly enjoy the game too much), so there's a calculation:

1) Chances this flimsy legal argument succeeds: 1 in 1000

2) Cost of filing the legal paperwork: below accounting rounding threshold

3) Value creation if it somehow succeeds: absolutely stonking

4) Reputational damage of acting with this kind of disdain: None, we do it all the time anyway

In summary it's a no brainer

Meta's ad-free scheme dares you to buy your privacy back, one euro at a time

Blazde Silver badge

Re: Shocked?

You're confusing price with value. €120/year is what they think the market will bear. Clearly it's priced in line with similar media subscriptions, which is cheeky as hell because they don't produce their own content nor pay proper content producers to do so (token monetisation of annoying clickbaity shorts to draw you into their ads clearly not counting).

But this is what happens when a company is allowed to develop a monopolistic position in the market. What we should really be worried about is the way Whatsapp is becoming the new de facto international phone system..

King Charles III signs off on UK Online Safety Act, with unenforceable spying clause

Blazde Silver badge

Re: Age verification can kick UK netizens off all the regulated mainstream porn sites.

Almost none of the Japanese stuff will pass muster with 'protecting women and girls' in the second set of codes. We'll have to watch that edgy American stuff where they beat up homeless men instead, because presumably that's still okay.

Side channel attacks take bite out of Apple silicon with iLeakage exploit

Blazde Silver badge
Thumb Up

'they also developed a timer-less variant that was based on race conditions'

Love this bit. They essentially create their own timer by running a yardstick thread. Exploiting a time-based side-channel without access to a timer just emphasises how difficult mitigating these kinds of attacks is.

Nice work overall.
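The "yardstick thread" idea, as an added example and not the iLeakage authors' code: the real attack builds this clock in JavaScript inside the browser and uses it to tell cache hits from misses, whereas this Rust version only shows the clock construction itself. A thread does nothing but increment a shared counter; two reads of that counter give an elapsed-time estimate without ever calling a timer API. `busy_work` is a constructed stand-in for whatever operation is being timed.

```rust
use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
use std::sync::Arc;
use std::thread;

/// A "yardstick" clock: a thread that does nothing but increment a shared
/// counter. Reading the counter twice gives an elapsed-time estimate with no
/// timer API at all, which is why removing or coarsening timers does not
/// stop timing side channels on its own.
pub struct CounterClock {
    ticks: Arc<AtomicU64>,
    stop: Arc<AtomicBool>,
    handle: Option<thread::JoinHandle<()>>,
}

impl CounterClock {
    pub fn start() -> Self {
        let ticks = Arc::new(AtomicU64::new(0));
        let stop = Arc::new(AtomicBool::new(false));
        let (t, s) = (Arc::clone(&ticks), Arc::clone(&stop));
        let handle = thread::spawn(move || {
            while !s.load(Ordering::Relaxed) {
                t.fetch_add(1, Ordering::Relaxed);
            }
        });
        // Wait until the yardstick has visibly started ticking, so the first
        // reading is meaningful even on a single core.
        while ticks.load(Ordering::Relaxed) == 0 {
            thread::yield_now();
        }
        CounterClock { ticks, stop, handle: Some(handle) }
    }

    /// Current "time" in ticks. Monotonic: later reads never go backwards.
    pub fn now(&self) -> u64 {
        self.ticks.load(Ordering::Relaxed)
    }

    /// Run `f` and report how many ticks it took, plus its result.
    pub fn measure<R>(&self, f: impl FnOnce() -> R) -> (u64, R) {
        let t0 = self.now();
        let r = f();
        let t1 = self.now();
        (t1 - t0, r)
    }
}

impl Drop for CounterClock {
    fn drop(&mut self) {
        self.stop.store(true, Ordering::Relaxed);
        if let Some(h) = self.handle.take() {
            let _ = h.join();
        }
    }
}

/// Constructed stand-in for the victim operation (the paper times cache
/// hits versus misses); here it is just a known amount of arithmetic.
pub fn busy_work(iters: u64) -> u64 {
    let mut x: u64 = 0x9E37_79B9_7F4A_7C15;
    for i in 0..iters {
        x = x.wrapping_mul(6_364_136_223_846_793_005).wrapping_add(i);
    }
    x
}

fn main() {
    let clock = CounterClock::start();
    let (short, _) = clock.measure(|| busy_work(1_000));
    let (long, _) = clock.measure(|| busy_work(1_000_000));
    println!("short: {short} ticks, long: {long} ticks");
}
```

On a machine with a spare core the second measurement comes out far larger than the first, and the resolution is whatever rate the yardstick thread manages, typically far finer than a deliberately coarsened `performance.now()`. The tick count is only comparable within one run on one machine, which is all a side-channel attacker needs: they calibrate against a known hit and a known miss first.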

Hunters International leaks pre-op plastic surgery pics in negotiation no-no

Blazde Silver badge

Re: Really?

It's litotes (until some grammar geek comes along and explains why it's technically something related but more obscure). I don't agree it's subtle, it's very common in El Reg articles and sections of the British press in general

Irish cops data debacle exposes half a million motorist records

Blazde Silver badge

The ascetic approach to information security: Since usability and security are always in tension we must make our secure systems maximally inconvenient to use.

British boffins say aircraft could fly on trash, cutting pollution debt by 80%

Blazde Silver badge

Re: except

I mean government & industry plans - you know, the plans resulting from the goals set out in the Climate Change Act which makes it, not exactly difficult, but as difficult as feasibly possible for future governments to ignore the problem?

Of course there's a possibility those all amount to green-washing but somewhere between the expert input from industry, the scrutiny of the academics, and the rabble of the free press pandering to the electorate there is a danger something workable turns into reality and makes all the naysayers look foolish. High gas prices do not hurt the all-important economically viable aspect of it all.

Blazde Silver badge

There're already quite detailed, workable plans to decarbonise aluminium, steel and concrete production in the UK (not just by continuing to outsource the emissions overseas! - primarily by electrifying their energy usage). Air travel remains an outlier because you can't just wave wind turbines and battery storage at the bulk of the problem.
