It's so dumb it must somehow be a clever staged marketing scheme to promote Apple's bug bounty programme, right? -.-
I feel cheated out of the gory technical details I was about to dive into.
93 posts • joined 11 Jan 2019
Firefox find-in-page finds hidden text. It is a bit useful and sometimes expected, because Google will index pages based on their hidden text and so people come to a page expecting to find something that's not visible. What's less useful is that it's still hidden after FF finds it and some text is hidden without a way to unhide it (eg. text for SEO). The Chrome solution won't address that either.
"Where's the logic in hiding text on a web page and waiting for the user to expand it later"
The same logic which gives us books printed on individual pages bound into a handy volume instead of a single 10x10 metre sheet of paper. It makes navigation easier. The alternative is text isn't there until you want it and it's fetched from the server, which makes slurping easy too.
Supposedly they're setting the threshold at 10 minutes to begin with. Most close 10min encounters aren't going to be 'walked past 20 different people with COVID for 30sec each'; they're going to be encounters in small indoor areas or vehicles where transmission is easier, or stopping and talking at each other in the street (which produces lots of fine virus-laden spray), or at the very least sharing a semi-enclosed area like a bus-stop for 10 mins. Many encounters of at least 10 minutes will be way longer (imagine some kind of long tailed distribution) and involve more risky activity.
Essentially the contact time serves as a good proxy for the intimacy of the contact in addition to its actual duration.
A lot of the actual transmission is between people living together not even attempting to distance, but the app isn't really needed for that. It has to capture the next most likely class of transmission events.
To add to this, yesterday Hancock gave figures from the ONS antibody survey (otherwise unpublished) indicating about 4.4 million across the whole UK have antibodies, using a test which is deemed very accurate. Against the official death total of 36K that points to a case fatality rate of 0.82% with the caveat that both figures are likely to be underestimated, but not by huge margins. Similar to estimates from other countries and far, far above 1 in 1450.
(But of course optimists want to believe the madcap models thrown together by creative 'scientists' on twitter which show we'll have herd immunity by next Tuesday around 3pm - and who can blame them).
It doesn't matter if you're personally concerned about privacy issues or not. The fact that others are and therefore won't use it makes the app less useful than it could be. If you're for the greater good then surely you're for a functional app that the greatest number of people are willing to install?
"Crown prosecutor Samuel Main told Westminster Magistrates' Court '.. his disobedience'"
Sums up this law well. Not a crime, just failure to be a good boy in the eyes of a hectoring state. Since he's apparently not been charged with anything else we have to assume he's not a terrorist who just happened to store every last shred of evidence against him on his phone. More likely just had some embarrassingly legal porn on it. Probably cuckold kink.
Good on him for refusing.
And good on the magistrate for making a mockery of the legislation's pretence by allowing a now convicted 'terrorist' to walk free.
I'm imagining it went more like this..
Trade Advisor: I expect you're going to ask me whether since we passed this new law any of our companies are doing business with Huawei.
Trade Advisor: The answer is No, Mr Pres...
Trump: That's great. I'm great. We won a really great victory. I think my car is here. We should play golf sometime when this whole uh trade thing is over. Bye-bye.
Technology Advisor: ...
Other sources claim the CIA was supplying UK with Argentine intel before and during war, and Ted Rowlands statement dates that back to at least the late '70s when he was in the Foreign Office. It's standard that they would have supplied the intel rather than the means to obtain the intel. Even with the closest possible sharing arrangement you still want to compartmentalise sources.
The other possibility is that GCHQ could already decrypt Crypto AG all by themselves, but wouldn't have revealed that to a TIVC technician and quite possibly would have continued to request intel from the CIA to conceal the ability from them too.
It seems unusual for TIVC to have given raw crypto details to GCHQ. Perhaps a result of the political and technical difficulty of achieving it any other way at such short notice, and thousands of miles away. And apparently the BND had to share it with Maximator countries because 'none of its members felt able to tackle the subject on its own'. So we have this unusually open secret known by most Western intelligence agencies and generations of junior ministers from various countries, all prone to blab for political or sexual gain. Given all that I feel a bit cheated we're only getting some of the juicy details four plus decades on :)
Of course automatic thumbnail previews are part of the vector.
I think eventually we'll discover the invention and widespread implementation of these was a highly successful conspiracy by malware authors carefully infiltrated into major software shops across the industry, since they serve no other obvious purpose.
It should be true everywhere. My pet hate is people who talk about their obscure health conditions in acronym.
"So... yea, I have TDH. Diagnosed about a year ago, so.. ya know"
No, no I don't know! Without a single medically descriptive word I can't even begin to calibrate my sympathy. Are you dying or have you just been scammed by a quack over a made-up disease?
They'll be needing an 'Are you a violent homophobic racist? Y/N' question then!
There are various legal requirements for public bodies to do equality and diversity Impact Assessments. In my experience it's always emphasised that answering the deeply personal questions is optional, so preferably anyone with 'closet status' sexuality or religion doesn't blab it, but that's probably not the case.
Most of them are not wearing 'simple masks'. They're wearing decent masks with valves. Carefully designed ones which thousands of people in numerous dangerous jobs use daily without any of the problems you mention.
The UK government thankfully does have pandemic preparedness stockpiles of what they term respirators (decent masks) for health professionals, stashed somewhere under the half billion £s worth of Tamiflu. Appreciate in other countries they may well need reserving from the open market. France notably so far.
They're wearing masks, to a man: https://cdn.cnn.com/cnnnext/dam/assets/200303041657-01-coronavirus-tokyo-japan-0303-exlarge-169.jpg
While we keep being told wearing masks is pointless because we can't be trusted to wear them properly.
In a multi-user or multi-tasked 8085 environment you had every security problem imaginable because it had no memory protection whatsoever.
Due to a variety of factors including - in my opinion at least - poor foresight, this wasn't fixable with a quick microcode update included in your regular patch Tuesday bundle, and so Intel were eventually forced to release an entire new chip design (the 286). Very embarrassing situation.
We could just talk to our GPs in code.
"That business we talked about last week, it's.. finalised at last. What a relief. Your associate was able to provide some very helpful material assistance."
"Good to hear. And has there been movement on the new business this week?"
"None yet, is that a concern?"
"No no, delicate matter. It shouldn't be rushed. I hope there'll be less collateral damage this time."
"Yes I'm hopeful too. Do you think our friends up high suspect anything?"
"Ahh, I can't hear you. The line is going funny. I'll see you next week for your monthly height measurement anyway. No wait, we did your height last time. Probably no need to check it again so soon you know, hah! This one is uhh.. a cuticle check-up. We can discuss further then anyhow. Bye."
I'd venture there are a fair few air-gapped systems out there that aren't going the whole hog on anti-TEMPEST.
Iran published photographs from the supposedly air-gapped Natanz facility computer room with dozens of people milling around and the place looked.. highly ordinary. It's not implausible that a short video clip published in similar circumstances could leak a passphrase or other short string from a screen which was otherwise free of sensitive information.
"If terrorism isn't covered under the 'National Security' catch-all then WTF is?"
Presumably the problem is that anti-terror laws are now used so widely in many cases where there's no demonstrable national security threat. The legislation was originally aimed at defeating active terror plots against the clock so the bigger sentencing requirements reflect that imminent threat.
Nowadays if a schoolkid from an Islamic background viewed an ISIS vid on TikTok and the evidence is on his encrypted iPhone they want to be able to put him away for 5(*) years instead of 2 but it's very far from being 'in the interests of national security'. Indeed it may be counter to those interests by contributing to his radicalisation. It's a 'terrorist' offence by virtue of being a conviction under legislation that has the word terrorism in the title, not by being actual terrorism.
(*) 5 years is still nothing compared to the 15 he might get for the video offence so it's also proportionate, you see?
The report states "It should be noted that the encrypted Whatsapp file sent from MBS' account was slightly larger than the video itself". The 'downloader' is just a file containing the original video (and maybe more?). The video now is 4.22MB. We aren't told how much 'slightly larger' the encrypted file is, but they can't decrypt it because presumably the session key has long been discarded or actively purged by the malware. Possibly the original video was larger and contained exploit+malware that has since cleaned itself.
Crown Prince hacks Bezos' phone to perv at dick pics. Classic case of homoerotic penis envy. Deserves many lashes, and ideally a well-funded UN inquiry to establish just how small the prince's thing really is.
He even hired a guy called Mr Pecker to do the cover-up! Just how obsessed can one man be?
It's not quite the same insecurity as using self-signed certs. If a self-signed cert were generated once per-device and private keys actually kept private as they should be (clue's in the name guys), inside each router, then you could blindly trust a cert once on first connection and add an exception but detect shenanigans in future.
With the global private key out in the open you have no confidence what you're connecting to each and every time you initiate a session, and it's right that browsers warn you about that.
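The distinction drawn in this comment (a per-device certificate can be pinned on first connection and any later substitution detected, whereas a key shared by every unit makes an impostor's certificate byte-identical to the real one) can be shown with a small trust-on-first-use store. This is an added example, not code from the comment or from any router vendor; the `KnownDevices` class, the JSON file layout and the certificate byte strings are all constructed for the illustration, and a real client would feed in the DER certificate taken from the TLS handshake.

```python
"""Trust-on-first-use (TOFU) pinning of a device certificate fingerprint.

Added example, not from the original thread. `KnownDevices` and the
certificate bytes below are constructed; in practice the bytes would be
the DER certificate presented during the TLS handshake.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """The peer presented a certificate different from the one pinned on first use."""


class KnownDevices:
    """Known-hosts style store mapping host -> fingerprint pinned on first contact."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def check(self, host: str, cert_der: bytes) -> str:
        """'pinned' on first contact, 'ok' when the pin matches, PinMismatch otherwise."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned"
        if pinned == fp:
            return "ok"
        raise PinMismatch(f"{host}: pinned {pinned} but got {fp}")


def demo(tmpdir: Path = None) -> dict:
    """Contrast a unique-per-device certificate with one global key in every unit."""
    tmpdir = tmpdir or Path(tempfile.mkdtemp())
    # Constructed stand-ins for DER certificates.
    router_cert = b"CONSTRUCTED-CERT-unique-key-generated-on-router-A"
    impostor_cert = b"CONSTRUCTED-CERT-attacker-box-pretending-to-be-router-A"
    shared_cert = b"CONSTRUCTED-CERT-same-global-key-baked-into-every-unit"

    result = {}
    store = KnownDevices(tmpdir / "known_devices.json")
    result["first"] = store.check("router.lan", router_cert)    # pinned on first use
    result["repeat"] = store.check("router.lan", router_cert)   # same device, fine
    try:
        store.check("router.lan", impostor_cert)               # different key: caught
        result["impostor"] = "undetected"
    except PinMismatch:
        result["impostor"] = "detected"

    # With a single leaked global key, the impostor presents the identical
    # certificate, so the pin matches and TOFU cannot tell the two apart.
    store2 = KnownDevices(tmpdir / "known_devices_shared.json")
    store2.check("router2.lan", shared_cert)                    # genuine unit pins
    verdict = store2.check("router2.lan", shared_cert)          # impostor, same cert
    result["shared_key_impostor"] = "undetected" if verdict == "ok" else "detected"
    return result


if __name__ == "__main__":
    print(demo())
```

The point the store makes explicit: TOFU only ever buys you change detection, so its value rests entirely on each device holding a private key nobody else has. Once the same key ships in every unit, `check()` returns "ok" for anyone who extracted it.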
An equivalent in financial markets is something like this:
A) Massive cover up by the state and relevant corporations to avoid market panic/board resignations/societal breakdown
B) A few anonymous individuals concocted a juicy sounding hit piece around a kernel of truth in an attempt to gain financially from resulting market uncertainty
(I'm not saying it's A but can confirm I'm not long in LSE)
Next year they'll be running scams with mindbogglingly confusing, contradictory pages filled with turgid text as well..
Q 26. Do you want to give all your money to a scammer?
[ ] Yes [ ] Maybe
Only tick Maybe if you have also completed and attached form K5368-P or K5368-Y, included the appropriate documentation and signed declaration of non-liability, were born before April 6th 1912 and are currently a Lloyd's underwriter.
(Oh shit I spent 6 hours doing form K5368-Y before reading the last bit)
FCO funding of World Service was reinstated back in 2015, although at lower level and for the more specific purpose of expansion in specific areas of the world they feel need more 'soft power'. There seems to be some question whether it'll continue past 2020 but it's at least mentioned in the 20-21 spending round published in September.
Officially, BBC do say the World Service is funded by the license fee(*). I imagine there's some commercial benefit from general brand awareness that helps shift Top Gear DVDs etc around the world, and it helps domestic BBC news have access to a bigger network of reporters in oddball places, but because it's license fee funded it's not allowed to also be commercial (no ads, subscriptions, etc). Figures for 2018/19 apparently £238mil from license fee, £85mil FCO. (So not enough that it could be closed down and free licenses funded for all over-75s instead, even if that were a good idea).
(*) It's true though that 'license fee' means license fee plus income from the for-profit parts of the organisation.
Similar cycle iPlayer Downloads has been through a few times now. It starts off crap but they gradually release updates until it's somehow quite decent and everyone has forgotten how much more awesome the old software was. Then for vacuous 'modernisation' reasons they suddenly pull it and deploy a brand new stripped down, bug-ridden, CPU hungry app that's missing all the features users spent years lobbying for in the previous one. This repeats every 4-5 years and it's utterly infuriating.
"sex workers in clogland are classed the same as say... independent plumbers, and are generally thought to give better value for money"
I'd say their respective service levels depend mainly on the kind of pipe you need unclogging.
Choose the wrong professional for the job and you'll always get a bad outcome. "Hi, I need someone who can do a good long rodding.. yes it is quite urgent, can you come over and get started right away?"
Uhh guuys, 's been a whole one year now and we still han't gotten the back of this ere damn votin machine thiin. Now a knows Gill said she be back with a-uh screwdriier but I'm havin some serious doubts that she ever comin back from uh mateurnity leave? So I'm just puttin this out ere, uh don't overreac or nothin, maybe it's time to ask the Feds if they know anythin about uh-ah hackiin?
Reading most of the comments here gives an even greater sense of the planet being doomed. My hat goes off to the protesters, for trying at least with good intentions. This probably wasn't the most efficient way to protest, primarily because the potential for long prison sentences means they may be out of action for a while. However they do have to try different tactics and see what works best, and it isn't always obvious ahead of time because successfully raising awareness which leads to greater action on climate change is itself a complex sociological problem.
Green electricity tariffs are a bit of a con unfortunately. There's plenty of green energy produced in the UK now and not that many households on the tariffs so the green certificates are traded between energy companies for pennies (while they make a bit of extra profit selling the green tariff). The regulation needs to keep pace with change, eg. heavy taxes on non-green energy so that green energy tariffs becomes the norm not the flashy thing you pay a bit extra for.
But sadly the last couple of UK governments believe the country has done enough simply by off-shoring the majority of our industrial emissions and replacing them with a nice big low carbon service sector as if that makes all our indirect emissions China's fault, and that somehow we'll be able to repeat that trick until 2050 when we'll be zero-carbon. Yea right.
The change needs to come from government I think. The odd concerned consumer quietly buying an electric car or boycotting fossil fuel companies or flights isn't going to make a meaningful difference. Voting. Joining a party that's serious about climate change and campaigning for their relevant interest groups. Of course, joining XR protests without doing anything illegal is a good option too. Most of those out on the streets in April were not breaking the law.
A random delay in an interactive session would get annoying before it came close to properly defeating the attack. A better option is to send a constant stream of packets at a regular interval, inserting dummies when no key has been pressed. This is the original comprehensive paper on SSH traffic analysis, and research around that time did lead to some improvements in various implementations: https://people.eecs.berkeley.edu/~daw/papers/ssh-use01.pdf
(Note that this new attack is about getting timing data from the Intel chipset, where you can't otherwise observe network traffic. Attacking SSH is just used as an example of one possible use for this timing data).
It leaks the timing of everything typed inside the SSH session. So yea you're correct, not the initial authentication, but leaking a password is sort of the worst-case but completely plausible scenario if you logged in and immediately changed your password, tunnelled elsewhere, used sudo, logged in to an http interface on a nearby router, etc, etc. All kinds of other useful surveillance could be done too without ever capturing a password.
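The countermeasure proposed above (send a packet at a constant interval and fill empty slots with dummies, rather than adding random delays) can be simulated to show what a passive observer of packet timing actually learns in each case. This is an added example, not code from the comments or from the linked paper; the keystroke times, interval and idle timeout are constructed values, and the observer is modelled as seeing only send times, never packet contents.

```python
"""Keystroke timing leakage versus constant-rate padding.

Added example, not from the original thread. Keystroke times, interval and
idle timeout are constructed. The 'observer' sees only when packets leave,
which is all a chipset-timing or network side channel provides.
"""
from collections import deque
from typing import List, Tuple

INTERVAL_MS = 50        # fixed send interval for the padded channel
IDLE_TIMEOUT_MS = 300   # keep emitting dummies this long after the last keystroke

# Constructed absolute keystroke times (ms) for a short typed secret.
KEYSTROKES_MS = [0, 180, 275, 520, 610, 1300, 1410]


def leaky_schedule(keystrokes: List[int]) -> List[Tuple[int, str]]:
    """One packet per keystroke, sent at once: send times mirror the typing rhythm."""
    return [(t, "key") for t in sorted(keystrokes)]


def padded_schedule(keystrokes: List[int], interval: int = INTERVAL_MS,
                    idle_timeout: int = IDLE_TIMEOUT_MS) -> List[Tuple[int, str]]:
    """Exactly one packet every `interval` ms.

    A keystroke typed since the previous slot rides in the next slot; an empty
    slot carries a dummy, so the on-wire pattern is the same whatever was typed.
    """
    pending = deque(sorted(keystrokes))
    end = (max(keystrokes) if keystrokes else 0) + idle_timeout
    out: List[Tuple[int, str]] = []
    t = 0
    while t <= end or pending:          # drain any keystroke backlog too
        if pending and pending[0] <= t:
            pending.popleft()
            out.append((t, "key"))
        else:
            out.append((t, "dummy"))
        t += interval
    return out


def observer_gaps(schedule: List[Tuple[int, str]]) -> List[int]:
    """Everything a passive observer gets: the spacing between consecutive packets."""
    times = [t for t, _ in schedule]
    return [b - a for a, b in zip(times, times[1:])]


def real_packets(schedule: List[Tuple[int, str]]) -> int:
    """Number of packets that actually carried a keystroke (observer cannot see this)."""
    return sum(1 for _, kind in schedule if kind == "key")


def worst_case_latency(keystrokes: List[int], schedule: List[Tuple[int, str]]) -> int:
    """Cost of the countermeasure: the longest wait between a keystroke and its packet."""
    sends = [t for t, kind in schedule if kind == "key"]
    return max(s - k for k, s in zip(sorted(keystrokes), sends))


if __name__ == "__main__":
    leaky = leaky_schedule(KEYSTROKES_MS)
    padded = padded_schedule(KEYSTROKES_MS)
    print("leaky gaps :", observer_gaps(leaky))       # typing rhythm, 7 keystrokes visible
    print("padded gaps:", set(observer_gaps(padded)))  # {50}: nothing to analyse
    print("packets    :", len(padded), "of which real:", real_packets(padded))
    print("max added latency (ms):", worst_case_latency(KEYSTROKES_MS, padded))
```

Two things fall out of running it: the padded stream's inter-packet gaps are all equal to the interval, and its packet count depends only on the session length and idle timeout (a session with two keystrokes spanning the same time produces exactly as many packets), so neither rhythm nor keystroke count is recoverable. The price is bounded latency of at most one interval per keystroke plus some bandwidth for dummies, which is why this is preferable to random delays that have to grow large before they blur the rhythm.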
Arguably the one marked 'victim machine' is really the victim's machine and the RDMA server is the victim machine? but it's just semantics.
Hmm I dunno, Venezuela or not, Smartmatic really sounds like a brand you can trust. I mean the product is obviously smart, and it's automatic. It's modern, even a little futuristic. And it doesn't sound at all like a made-up gizmo from an 80s cartoon episode whose plot pivots around the unexpected failure of said gizmo.
Yea but it's all completely fine because "hardware filters that only allow data to flow between networks rather than instructions or commands".
(Hopefully they publish the details of these mysterious hardware filters so the rest of the world can use them too).
And we all know you can't crash a plane with bad data...
There are several confident-sounding solicitors firms in the UK offering no-win no-fee group claims but they don't give the impression of representing many people yet. I suppose, ironically, the solicitors have trouble reaching affected individuals in part because their contact data is so well protected now by GDPR.
"Whilst reverse engineering the BLE communications was an interesting challenge, it’s not actually necessary. As there is no pairing or bonding established over BLE when connecting a phone, anyone in range with the app can take control of the straighteners."
Good. This product doesn't deserve any security.
"Scroll down to the bottom and move the pointer over the biggest culprits in the chart. What do you notice?"
Are you looking for this page? https://www.cvedetails.com/top-50-products.php
The worst Microsoft product doesn't even appear until #9 (I think if IE was added up properly instead of split across two entries that would be #9 instead of Windows Server 2008).
The idea that Microsoft code is somehow more vulnerable than their competitors' is a hangover from almost 20 years ago before they got really serious about security.
Biting the hand that feeds IT © 1998–2020