Posts by Blazde

Re: Expectations

Firefox find-in-page finds hidden text. It is a bit useful and sometimes expected, because Google will index pages based on their hidden text and so people come to a page expecting to find something that's not visible. What's less useful is that it's still hidden after FF finds it and some text is hidden without a way to unhide it (eg. text for SEO). The Chrome solution won't address that either.

"Where's the logic in hiding text on a web page and waiting for the user to expand it later"

The same logic which gives us books printed on individual pages bound into a handy volume instead of a single 10x10 metre sheet of paper. It makes navigation easier. The alternative is text isn't there until you want it and it's fetched from the server, which makes slurping easy too.

Re: Thank you

Supposedly they're setting the threshold at 10minutes to begin with. Most close 10min encounters aren't going to be 'walked past 20 different people with COVID for 30sec each' and they like, they're going to be encounters in small indoor areas or vehicles where transmission is easier, or stopping and talking at each other in the street (which produces lots of fine virus-laden spray), or at the very least sharing a semi-enclosed area like a bus-stop for 10 mins. Many encounters of at least 10 minutes will be way longer (imagine some kind of long tailed distribution) and involve more risky activity.

Essentially the contact time serves as a good proxy for the intimacy of the contact in addition to it's actual duration.

A lot of the actual transmission is between people living together not even attempting to distance, but the app isn't really needed for that. It has to capture the next most likely class of transmission events.

Re: About Time

I'm imagining it went more like this..

Trade Advisor: I expect you're going to ask me whether since we passed this new law any of our companies are doing business with Huawei.

Trade Advisor: The answer is No, Mr Pres...

Trump: That's great. I'm great. We won a really great victory. I think my car is here. We should play golf sometime when this whole uh trade thing is over. Bye-bye.

Technology Advisor: ...

Re: Breaks it angle

Other sources claim the CIA was supplying UK with Argentine intel before and during war, and Ted Rowlands statement dates that back to at least the late '70s when he was in the Foreign Office. It's standard that they would have supplied the intel rather than the means to obtain the intel. Even with the closest possible sharing arrangement you still want to compartmentalise sources.

The other possibility is that GCHQ could already decrypt Crypto AG all by themselves, but wouldn't have revealed that to a TIVC technician and quite possibly would have continued to request intel from the CIA to conceal the ability from them too.

It seems unusual for TIVC to have given raw crypto details to GCHQ. Perhaps a result of the political and technical difficulty of achieving it any other way at such short notice, and thousands of miles away. And apparently the BND had to share it with Maximator counties because 'none of its members felt able to tackle the subject on its own'. So we have this unusually open secret known by most Western intelligence agencies and generations of junior ministers from various countries, all prone to blab for political or sexual gain. Given all that I feel a bit cheated we're only getting some of the juicy details four plus decades on :)

Re: Samsung 0 click details

Of course automatic thumbnail previews are part of the vector.

I think eventually we'll discover the invention and widespread implementation of these was a highly successful conspiracy by malware authors carefully infiltrated into major software shops across the industry, since they serve no other obvious purpose.

Re: El Reg (or the readership) really has changed

It should be true everywhere. My pet hate is people who talk about their obscure health conditions in acronym.

"So... yea, I have TDH. Diagnosed about a year ago, so.. ya know"

No, no I don't know! Without a single medically descriptive word I can't even begin to calibrate my sympathy. Are you dying or have you just been scammed by a quack over a made-up disease?

Re: Good for data-less phone plans

No smartphone here. My reasons are perfectly valid: I have a computer and I have phone, and both function better in their respective roles for being separate from the other.

Re: Say it ain't so!

I think this is literally the first time I've head the phrase "shared computer account", nevermind in the context of an attack vector

Re: You have to wonder...

They'll be needing an 'Are you a violent homophobic racist? Y/N' question then!

There are various legal requirements for public bodies to do equality and diversity Impact Assessments. In my experience it's always emphasised that answering the deeply personal questions is optional, so preferably anyone with 'closet status' sexuality or religion doesn't blab it, but that's probably not the case.

Re: What preventative measures Japan is using? Best for UK to follow their example

Most of them are not wearing 'simple masks'. They're wearing decent masks with valves. Carefully designed ones which thousands of people in numerous dangerous jobs use daily without any of the problems you mention.

The UK government thankfully does have pandemic preparedness stockpiles of what they term respirators (decent masks) for health professionals, stashed somewhere under the half billion £s worth of Tamiflu. Appreciate in other countries they may well need reserving from the open market. France notably so far.

Re: Impact?

In a multi-user or multi-tasked 8085 environment you had every security problem imaginable because it had no memory protection whatsoever.

Due to a variety of factors including - in my opinion at least - poor foresight, this wasn't fixable with a quick microcode update included in your regular patch Tuesday bundle, and so Intel were eventually forced to release an entire new chip design (the 286). Very embarrassing situation.

Re: Another 007 scheme ?

I'd venture there are a fair few air-gapped systems out there that aren't going the whole hog on anti-TEMPEST.

Iran published photographs from the supposedly air-gapped Natanz facility computer room with dozens of people milling around and the place looked.. highly ordinary. It's not implausible that a short video clip published in similar circumstances could leak a passhrase or other short string from a screen which was otherwise free of sensitive information.

Re: Just another VM...

I'll take another VM if it comes without automatic garbage collection. It's over 20 years late but no less welcome.

Re: Pushing too far.

"If terrorism isn't covered under the 'National Security' catch-all then WTF is?"

Presumably the problem is that anti-terror laws are now used so widely in many cases where there's no demonstrable national security threat. The legislation was originally aimed at defeating active terror plots against the clock so the bigger sentencing requirements reflect that imminent threat.

Nowadays if a schoolkid from an Islamic background viewed an ISIS vid on TikTok and the evidence is on his encrypted iPhone they want to be able to put him away for 5(*) years instead of 2 but it's very far from being 'in the interests of national security'. Indeed it may be counter to those interests by contributing to his radicalisation. It's a 'terrorist' offence by virtue of being a conviction under legislation that has the word terrorism in the title, not by being actual terrorism.

(*) 5 years is still nothing compared to the 15 he might get for the video offence so it's also proportionate, you see?

Re: How a video can be delivered through "an encrypted downloader ..

The report states "It should be noted that the encrypted Whatsapp file sent from MBS' account was slightly larger than the video itself". The 'downloader' is just a file containing the original video (and maybe more?). The video now is 4.22MB. We aren't told how much 'slightly larger' the encrypted file is, but they can't decrypt it because presumably the session key has long been discarded or actively purged by the malware. Possibly the original video was larger and contained exploit+malware that has since cleaned itself.

Re: confusing article

It's not quite the same insecurity as using self-signed certs. If a self-signed cert were generated once per-device and private keys actually kept private as they should be (clue's in the name guys), inside each router, then you could blindly trust a cert once on first connection and add an exception but detect shenanigans in future.

With the global private key out in the open you have no confidence what you're connecting to each and every time you initiate a session, and it's right that browsers warn you about that.

Re: "Although it is not unreasonable...

I really miss the old days when you could hate on a new version of Windows just because of the blue-green rolling hills UI with oversized title bars, and then turn it off 3 seconds after installing. We had it so good back then and we didn't know it.

Re: Nothing to see here

An equivalent in financial markets is something like this:

A) Massive cover up by the state and relevant corporations to avoid market panic/board resignations/societal breakdown

B) A few anonymous individuals concocted a juicy sounding hit piece around a kernel of truth in an attempt to gain financially from resulting market uncertainty

(I'm not saying it's A but can confirm I'm not long in LSE)

Re: Not a very strong lineup

Hello John, I would like to tell you that I've met someone. He's called Bob. Have a nice life, Alice

Re: Why?

FCO funding of World Service was reinstated back in 2015, although at lower level and for the more specific purpose of expansion in specific areas of the world they feel need more 'soft power'. There seems to be some question whether it'll continue past 2020 but it's at least mentioned in the 20-21 spending round published in September.

Officially, BBC do say the World Service is funded by the license fee(*). I imagine there's some commercial benefit from general brand awareness that helps shift Top Gear DVDs etc around the world, and it helps domestic BBC news have access to a bigger network of reporters in oddball places, but because it's license fee funded it's not allowed to also be commercial (no ads, subscriptions, etc). Figures for 2018/19 apparently £238mil from license fee, £85mil FCO. (So not enough that it could be closed down and free licenses funded for all over-75s instead, even if that were a good idea).

(*) It's true though that 'license fee' means license fee plus income from the for-profit parts of the organisation.

Re: hmmm....

"Whores, lawyers, politicians"

Sounds like a fun variation on rock, paper, scissors.

Uhh guuys, 's been a whole one year now and we still han't gotten the back of this ere damn votin machine thiin. Now a knows Gill said she be back with a-uh screwdriier but I'm havin some serious doubts that she ever comin back from uh mateurnity leave? So I'm just puttin this out ere, uh don't overreac or nothin, maybe it's time to ask the Feds if they know anythin about uh-ah hackiin?

Re: So ... any constructive suggestions, then?

Reading most of the comments here gives an even greater sense of the planet being doomed. My hat goes off to the protesters, for trying at least with good intentions. This probably wasn't the most efficient way to protest, primarily because the potential for long prison sentences means they may be out of action for a while. However they do have to try different tactics and see what works best, and it isn't always obvious ahead of time because successfully raising awareness which leads to greater action on climate change is itself a complex sociological problem.

Green electricity tariffs are a bit of a con unfortunately. There's plenty of green energy produced in the UK now and not that many households on the tariffs so the green certificates are traded between energy companies for pennies (while they make a bit of extra profit selling the green tariff). The regulation needs to keep pace with change, eg. heavy taxes on non-green energy so that green energy tariffs becomes the norm not the flashy thing you pay a bit extra for.

But sadly the last couple of UK governments believe the country has done enough simply by off-shoring the majority of our industrial emissions and replacing them with a nice big low carbon service sector as if that makes all our indirect emissions China's fault, and that somehow we'll be able to repeat that trick until 2050 when we'll be zero-carbon. Yea right.

The change needs to come from government I think. The odd concerned consumer quietly buying an electric car or boycotting fossil fuel companies or flights isn't going to make a meaningful difference. Voting. Joining a party that's serious about climate change and campaigning for their relevant interest groups. Of course, joining XR protests without doing anything illegal is a good option too. Most of those out on the streets in April were not breaking the law.

Re: I had to look that up

'metal chair' was sufficiently glib to give it away. I laughed anyway. They make some pretty boring sitcoms in America but who would actually make one about a non-specific metal chair?

Re: SSH Timing attacks

A random delay in an interactive session would get annoying before it came close to properly defeating the attack. A better option is to send a constant stream of packets at a regular interval, inserting dummies when no key has been pressed. This is the original comprehensive paper on SSH traffic analysis, and research around that time did lead to some improvements in various implementations: https://people.eecs.berkeley.edu/~daw/papers/ssh-use01.pdf

(Note that this new attack is about getting timing data from the Intel chipset, where you can't otherwise observe network traffic. Attacking SSH is just used an example of one possible use for this timing data).

Yea but it's all completely fine because "hardware filters that only allow data to flow between networks rather than instructions or commands".

(Hopefully they publish the details of these mysterious hardware filters so the rest of the world can use them too).

And we all know you can't crash a plane with bad data...

Re: This is just the US

There are several confident-sounding solicitors firms in the UK offering no-win no-fee group claims but they don't give the impression of representing many people yet. I suppose, ironically, the solicitors have trouble reaching affected individuals in part because their contact data is so well protected now by GDPR.

Re: Eh?

"Scroll down to the bottom and move the pointer over the biggest culprets in the chart. What do you notice?"

Are you looking for this page? https://www.cvedetails.com/top-50-products.php

The worst Microsoft product doesn't even appear until #9 (I think if IE was added up properly instead of split across two entries that would be #9 instead of Windows Server 2008).

The idea that Microsoft code is somehow more vulnerable than their competitors' is a hangover from almost 20 years ago before they got really serious about security.