Posts by Blazde

Have to be honest if I saw one single SSD perched on the back of an otherwise empty truck I'd be tempted to take it. That's just screaming 'nobody cares about me'.

Re: Guntrader is roughly similar to Gumtree

Such a shame the pandemic has done it for Gumtrader. Does anyone know an alternative? I'm stuck buying brand new for now but it's so much more expensive, and it tastes funny.

Re: Verbification*

Good grief. It's a CERT Coordination Center document, from a database funded by the US Federal government, and authored by a man who appears to have been born, educated, and worked his entire life in America and you expect them to use British English definitions of words? That ship sailed many centuries ago.

"As far as I know, 'exploit' has for a long time been both noun and verb"

A long time yes, but before that it was only a noun and presumably there were fuddy-duddies up in arms about it changing. Yet it did and our language is the more nuanced for it. Using one yourself while baulking at someone else's use of the other seems to make you a hypocrite, doesn't it? Both can be replaced with 'use' with only minor(*1) loss of meaning(*2).

(*1) small

(*2) intention

Re: This is confusing

Literally my first thought: At least he's now got a great career ahead of him doing TED talks on self-improvement for racists.

And it appears he already has the first draft of his book done..

Re: 'In the Public Interest'

Superficially it's a legit act of whistleblowing that lead to a swift resignation. You don't need to know the identity of the whistleblower to know that going after them is the wrong thing to do in a society which attempts to protect public interest whistleblowing. The law is absolutely still protecting the anonymous person(s) if it makes it unlikely a conviction will follow, and your investigation is thus a waste of resources.

I do think however given where the leak came from there's a responsibility to perform some investigation to make sure there's nothing extra going on which could impact national security. There probably isn't but it'd be serious if there was. That investigation should surely be handled by the Parliamentary Security Department, the police, or even MI5. Not the ICO.

Immediate thought: It can't be the UK because our test and trace is far too hopeless for that level of detective acumen.

At a guess it's the US because they tend to put cardholder name right there on the paper receipt. And because it's then a quick Google for anyone to find the person's address, mobile number, car registration and so on because all that stuff is often public too. A few dollars if you should want to buy their mobile location data... and so on.

Re: Why would it be a target for breakins?

According to a more complete translation: "the submission [to the central database(*)] should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products."

So - depending precisely what 'technical characteristics' comes to mean - possibly quite vague, but if you have a bunch of these reports a good fraction will still signpost a skilled researcher to a vulnerability very quickly. Searching for a needle in a haystack is the most tedious part of this work, and if you know there's a needle near the bottom of this particular haystack it gets a whole lot easier.

(*) 'Ministry of Industry and Information Technology’s cyber security threat and vulnerability information sharing platform'

Also: "The network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology simultaneously reports relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Technology Coordination Center."

So there'll be at least three copies of 0-day database. It sounds semi-public already to be honest.

Re: Quelle audace!

Yet the planes ended up with British engines. It feels like there's a piece missing from this intrigue.

Re: Abe Lincoln knew the truth about QKD.

"Please don't conflate a self-serving political system and the industrial-military complex with a cryptographic protocol. The article was about the protocol."

Yup I think you should follow that advice and realise how pointless your original comment was.

Big organisation investing - for them - miniscule amounts of money into hyped tech proves nothing about the intrinsic value of that tech. It points to them seeing the possibility of some commercial value. At most it indicates they see an outside possibility of some intrinsic value and they don't want to be left behind in case it turns out that way when the cost of keeping up is so low.

The clearest mathematical detail is that all these organisations already make extensive use of low cost cryptography without any meaningful key distribution issues and no mathematician is up in arms about how insecure all those protocols are.

It's interesting blue sky research. It doesn't solve any of the many very big current computer security problems.

Re: Noone is safe?

Entertain us.. just how bad does El Reg look on that Commodore?

Re: Cost of doing business or a fine?

To be fair, having read the headline, the first paragraph and second paragraph of the article several times, I've not the first clue how many calls were made. It's enough to confuse even a very large napkin.

Re: Similar Attacks Work Against Humans

Concrete block dropped off an overpass is one of the more commonly exploited human vulnerabilities (sadly). Much cheaper than either an audio device or laser too.

Re: ridiculous offence?

If you give insider information to your friends planning or merely knowing they'll use it for insider trading, or you find out later they did and fail to report it then you'll be guilty of some kind of conspiracy to commit or accessory to insider trading crime.

If you blab confidential financial information in the pub genuinely oblivious to the fact your friends later trade on it then that's just going to be between you and your employment contract (unless perhaps you're an officer of the company in which case you might be held to higher standards and given a proper good telling off by a judge before getting off scot free).

It is a slightly confusing term, whatever the history of it 'insider' now refers to the information not to the trader.

Re: How cynical

If we're really getting cynical, how about the idea the FBI gave up the backdoor because they realised God Mode on the criminal comms threatened to make too many law enforcement jobs obsolete (also: 'now you have AN0M I assume you won't be needing this huge and very poorly accounted for CI budget?').

At least leafing through reams of irrelevant Whatsapp convos requires serious numbers of analysts and proportionately high salaries for their managers. Plus it's more fun because of the smut. The criminals just geek out over crime non-stop, what a yawn fest.

Re: Courtpocalypse?

It's the gaming of the process that became partisan rather than who's appointed, which always has been.

In England High Court judges have of course always been appointed by the Monarch and thus entirely apolitical.

(Hah just kidding, since 2005 though there's a committee process intended to remove political bias and ostensibly appoint on merit, plus the newer UK Supreme Court judges have to have input from Scotland and N.Ireland so I'd imagine it's way harder for any party to influence the outcome. Of course they still end up drawn from particular class demographics and therefore exhibit bias. It all matters less than the US though since they're not defending a written constitution from overreach by the legislature).

Re: Even simpler explanation

I'm not sure they need Russian help for any of that. According to Australian Daily Mail today "University-educated mothers under 55" are the true evil at the heart of panic buying. (Whose idea was it to educate the Sheilas?)

Re: Hack the Planet!

"Any England/UK Hacker movies from the 90's? Doubt it.. :)"

Not a movie but Channel 4 being hip, edgey and way ahead of their time (uuh relatively speaking that is) did a hacker docu in 2000 called Hackers In Wonderland that was quite good and basically covers late 90s material. It's available on YouTube. Big UK names in it, and inevitably a few yanks too.

"This man [Cold Fire] was once considered one of the most dangerous criminal hackers in Britain. Not wanting to reveal his home address he met us at a local laundrette." And there's the obligatory paranoid yet understated tone set with a line that could have been uttered by Alan Partridge himself.

Re: Half-Double Rowhammer

Pretty much. There's been a couple of iterations of hardware fixes now for Intel & AMD. If you want either software to not have to care about security compartmentalisation, or increased security without any performance impact at all you're going to be waiting forever because those things aren't desirable/possible.

I don't see how RowHammer/etc will ever be 'fully' fixed because it's essentially probabilistic and the surest ways to mitigate it significantly increase latency, power consumption, or silicon area in ways fundamentally linked to the physical laws of the universe. It could perhaps become the purest example of a security/cost/performance trade-off. The other dimension potentially worth trading against is uptime, because if hardware detects it might have been successfully Hammered the last line of defence is to halt execution rather than cede control to the attacker. Hard decisions.

Re: "Legacy of single user on a disconnected PC"

There were some very early 3rd party remote login solutions like WinFrame (which Microsoft subsequently based Terminal Services on). By the time Rupert is talking about, 2001 when MacOS launched, multiple users at the same time, either remote or locally with fast user switching was supported natively. The underlying multi-user architecture was always there because services used it, just interactive multi-login was missing.

Re: Got my family's Opt-out forms signed & sent off to the GP yesterday

As I understand there is some suggestion they'll stop honouring them in future because the type 1/2 opt-out differentiation is going away in favour of the 'national data opt-out' which GP surgeries must honour from September, so make sure you've registered with that too.

https://digital.nhs.uk/services/national-data-opt-out/information-for-gp-practices#practices-must-no-longer-record-type-2-opt-outs-

"Some patients will have a type 1 opt-out registered with their GP practice, which indicates they do not want their confidential patient information leaving the practice for research and planning purposes. These existing type 1 opt-outs will continue to be respected until the Department of Health and Social Care conducts a consultation with the National Data Guardian on their removal."

And if you just filled in a GP form for a type 2 opt-out it will be ignored because:

"GP practices must no longer use the type 2 opt-out codes to record a patient's opt-out choice as they are no longer collected or processed."

Leaving the unsurprisingly shambolic possibility that people who believe they're opted-out won't have.

Re: I just walk away

Online supermarkets seem to be doing it lately post-login. I suppose airlines and supermarkets both attract bots trying to book slots, scrape prices constantly, or something like that?

I'd like to suggest I get a pound every time a company I'm paying makes me do a captcha, to help motivate them to find less irritating solutions to their bot problem (maybe they should just put up with it?). But the truth is they can probably already see a greater loss of sales than that in their usage stats and yet they're still doing it.

"Sorry darling, my health app says I have a headache tonight"

Re: That is today's security environment

"You tell me that there isn't a single rogue engineer that thought that wasn't a good idea."

They probably just got told any access control would cause unnecessary hassle for Dell Technical Support.

Re: Need trapping

You're both wrong. In general at hardware level they're neither signed nor unsigned, just fields of bits which are typeless other than for their width. Many common arithmetic instructions function exactly the same whether they're operating on bits you choose to interpret as unsigned integers or two's complement signed integers and so the instructions are ambivalent (but will set flags to enable you to check afterwards for conditions on both). Even when instructions or registers are notionally intended for specific types (signed/unsigned/pointers) they're routinely used for the 'wrong' type by compilers, sometimes in line with the CPU manufacturer's own optimisation advice, so the typing is really just a naming mechanism to refer to slightly differing functionality.

It's up to language designers to use the tools already available. Types exist at language level. The trouble is not the extra instruction but that checking for overflow generates a branch and modern CPUs hate branching. More so since the speculative execution game got leashed. The other issue Rust designers have found is that doing anything halfway useful after detecting overflow imposes a lot of limitations on general code optimisation, because the fault code needs to understand what was going on when it got triggered.

Re: errmmm

Presumably Joe and Josephine will get a compensatory Google Privacy Checkup(*). That seems to be how these things usually go.

(*) https://safety.google/ (Knock yourself out)

Re: "We have strict licensing policies that govern how customers are permitted to use etc"

Agreed, I'm sure if they were being more honest they'd say they mean their policy is strict but that's not enough to prevent the technology falling into the wrong hands. And if they were being still more honest they might say their *written* policy is strict but not always strictly adhered to when enough money is on the line.

Still, it's a PR line that precedes Signal's blog post, and it's clearly intended to give the impression their technology won't fall into the wrong hands so it seems weirdly inappropriate here when it just has done. (But what do I know, it's probably some textbook PR gaslighting voodoo).

Maybe referring to their status as a 'Body Designated to make Super-complaints' which presumably the current Secretary of State for Business backs or else he could remove their status: https://www.legislation.gov.uk/uksi/2009/2079/made

The VISA vs XRP comparison in that paper is ridiculous. At every single point they compare apples to oranges, and always in the direction that favours XRP.

(The comparison with Bitcoin and Ether is fairer. Of course, no mining no crazy energy usage)

Re: Open options

I may have mislead you with the word 'Very'. We're only talking a few hundred columns (not even hitting Calc's much hated col limit) by less than a hundred thousand rows. Excel proves perfect for the job every time, and is only one step in a toolchain that probably includes whatever you're thinking is the correct tool.

Nevertheless they prove very large from the perspective of other spreadsheet software.