* Posts by My Alter Ego

416 publicly visible posts • joined 16 Sep 2009


Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

My Alter Ego
Boffin

Re: Securing Databases

It's not that it's hard to write the rules. You can parameterise the paths, access those variables directly and compare them to claims in the JWT token* easily. It's possible to write granular roles easily. I put it down to a few reasons:

1. People who don't think "how can this be abused?": it's even easier to write a rule that grants read (or, even worse, write) access to anyone who's authenticated, forgetting that you need to compare the uid, roles, scopes, etc.

2. People write lax rules during development for ease of use and forget to tighten them up.

3. Writing rules is boring and feels unproductive as you see no change in the front end.

I'm currently writing an app that uses Firestore and the first thing I do is give my test user data realistic roles so I'm not tempted to be lazy. I give read access to those who need it and writes are done via a web API so I can validate data properly.

Also, a lot of the apps may be written by web developers who haven't had to consider that db security takes more thought than it seems.

*Calling the department of redundancy department.
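
An added example, written by the editor rather than by the commenter, of the lax "anyone who's authenticated" rule the comment warns about beside a tightened version that compares the path variable to the caller's uid and checks a role carried in the JWT. Collection names (`users`, `orgs`, `projects`), the `roles` custom claim and the `members` field are assumptions for illustration; custom claims would be set server-side with the Admin SDK, which also bypasses rules entirely, so routing writes through a backend API (as the commenter does) leaves the client-facing `write` rules free to deny everything.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- Lax (what ends up in production far too often) ---
    // Any signed-in user can read and write every document in the database.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // --- Tightened ---
    function signedIn() {
      return request.auth != null;
    }

    // The path variable {uid} must match the subject of the caller's token.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // 'roles' is an assumed custom claim (a list) set via the Admin SDK;
    // get() with a default avoids a rule error when the claim is absent.
    function hasRole(role) {
      return signedIn() && role in request.auth.token.get('roles', []);
    }

    match /users/{uid} {
      allow read: if isOwner(uid) || hasRole('admin');
      // Writes are done by a backend (Admin SDK, not subject to rules)
      // so data can be validated there.
      allow write: if false;
    }

    match /orgs/{orgId}/projects/{projectId} {
      // Membership is checked against the document itself, not just "is logged in".
      allow read: if hasRole('admin')
                  || (signedIn() && request.auth.uid in resource.data.members);
      allow write: if false;
    }

    // Anything not matched above is denied by default.
  }
}
```

Worth checking with the emulator's rules unit tests: a signed-in user reading another user's `users/{uid}` document should be rejected, as should a client-side write to any of these collections, even from an `admin`.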

Calling all the Visual Basic snitches: Keep quiet about it and so will he...

My Alter Ego

Re: Risky business

I got booted out of computer club (3rd rule* no games) in school in 91 when I was caught playing Risk on one of those.

* The first two rules obviously being "you do not talk about computer club"

Everyone remembers their first time: ESA satellite dodges 'mega constellation'

My Alter Ego

Re: Starlink hasn't been up long

You also have to factor in the incredibly important rule "fiberglass gives way to steel".

Another TITSUP* on this lovely Tuesday: Virgin Mobile takes time out to enjoy the sunshine

My Alter Ego

Just Virgin Media?

We had some issues around the same time with our BT Net Leased Line. We were losing about 10% of packets, which was bad, but even stranger was that we had no upstream bandwidth. Running a speed test (on known servers) we had 90 Gb/s down, and pretty much 0.00 Gb/s up, which as you can imagine made making requests and serving data slightly difficult.

Could be a coincidence, but I wonder if Virgin and BT share some core networks.

May Day! PM sacks UK Defence Secretary Gavin Williamson for Huawei 5G green-light 'leak'

My Alter Ego

Re: "May seems to be determined to do a reprise of Downfall "

I can sort-of see where the OP was coming from. They both are in positions where they can spout as much bullshit as they want, secure in the knowledge that they are not required to make actual decisions.

It's easy to complain about the status quo, and waffle about solutions that have been shown to be unworkable, and they both excel at that. Mind you, they're not the only offenders.

UK joins growing list of territories to ban Boeing 737 Max flights as firm says patch incoming

My Alter Ego

Re: The reason that the Max series need MCAS

Except that it didn't happen that way. The flight scene of the movie was incredibly accurate, but then diverted massively from reality. The NTSB acknowledged that the simulations didn't take human reactions into account, they didn't need Sully to tell them that. In fact Robert Sumwalt (the chair of the panel, and a former A320 pilot) was very complimentary about the CRM (Cockpit Resource Management) and the fact that trying to concentrate with pretty much every alarm going off in the cockpit is incredibly difficult, even in a simulator.

Captain Sullenberger actually asked for the real names of NTSB members to be removed from the movie.

The problem is that it's really difficult to make two hours of NTSB hearings into a movie that the general public want to watch. I actually watched the NTSB hearing videos (they're on YouTube) as I'm an aviation nerd, and while dry were actually pretty interesting.

Now when I hear people say "I didn't know that..." in relation to Sully, I reply with "and I didn't know that the Americans captured the Enigma device until I watched U-571".

SpaceX Crew Dragon: Launched and docked. Now, about that splashdown...

My Alter Ego

Re: Ripley and a cuddly earth

For a while his Twitter profile had a photo of him in a dinner jacket with a fluffy white cat on his lap, à la Blofeld. He also had a photo of the time the CRS mission underwent a RUD (or as the author beautifully put it, when falcon went foom).

Both show a certain sense of humour, but I stopped following him after he went a bit nuts with the paedo submarine debacle. It might be worth having a look if he's settled down a bit now.

Zip it! 3 more reasons to be glad you didn't jump on Windows 10 1809

My Alter Ego

Re: Who even uses Windows ZIP handling?

People who use the right tool for the right job. I use tar.gz if transferring data between *nix machines, unless bandwidth is crap, then I use tar.bz as the CPU expense [hopefully] is worth the transfer time saving. Zip is perfect when interoperability is paramount, as I know it's supported on pretty much every OS.

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

My Alter Ego

Re: OMG

Apparently the BBC did tell them to speed up (or was it slow down) the way in which they said "kind of lingers", so it was less obvious.

Open-source this, open-source that, and the end of the Windows 10 Creators Update

My Alter Ego

Re: Too True.....

Thank fuck I'm the only person who encounters this...

Google Chrome 69 gives worldwide web a stay of execution in URL box

My Alter Ego

Re: Do Not hide the URL

It's still the first (not literally) thing I do.

Heatwave shmeatwave: Brit IT departments cool their racks – explicit pics

My Alter Ego

Not as Heath Robinson as some

We ordered some ali box sections to make a 1.2x1.2x2.4m box that fits around our server cabinet. Picked some 25mm insulation board from Wickes, made some brackets (rivnuts are awesome) to keep them in, cut a slot and shoved a window AC unit on a shelf dumping in cool air.

Keeps the interior of the cabinet at a nice 20-23°C, while the outside can get up to 35. AC runs through our UPS so if there is a power cut it'll run as long as the cabinet does.

I kept the fact we have an AC unit quiet, in case the meat sacks get jealous!

Foot lose: Idiot perv's shoe-mounted upskirt vid camera explodes

My Alter Ego

Re: The real question is: did he want to get arrested?

I read somewhere else that he first went to his mentor (a clergyman) and then turned himself in, so I guess he was told to do so.

... Aaaand that's a fifth Brit Army Watchkeeper drone to crash in Wales

My Alter Ego

Re: what are they doing?

"They're using them to spy on *sheep*."

Stupid, sexy sheep.

First SpaceX Falcon 9 Block 5 rocket lobs comms sat into orbit

My Alter Ego

Re: A half complete network of Iridium satellites...

I think the problem with the feed dropping out on landing is because of the massive vibrations from the engine(s). I'm sure they could add a lot more dampening, but it's probably not worth it as they can probably pull the local camera storage to get the footage. I agree that it's a bit annoying/disappointing for us though.

I did notice that the camera on the Block 5 first stage was a lot less secure than on previous versions. It was vibrating badly whenever the RCS was fired.

There will be blood: BT to axe 13,000 employees

My Alter Ego

Hope BT Local Business are getting canned

While I empathise with anyone losing their jobs, I truly hope Local Business (LB) are going to be removed from the face of the earth. They have been the cause of every problem we've ever had:

1. LB insisted we change the name on the account from the director's name to the company name. When we did, the LB sales droid cancelled our account and recreated it, most likely to get his grubby little hands on commission for a "new" contract. Result - ISDN 30 down for 36 hours.

2. Renewed contract early, LB sales droid couldn't do his job properly so we got billed £4,700 for "leaving our contract early". Result - out of pocket for two months.

3. Signed contract to upgrade to flex-up a leased line and add resilient fibre. Contract was subject to us accepting any excess construction charges (which LB insisted wouldn't be an issue, something we didn't believe but thought was worth a shot). When quoted £40,000 + VAT we declined. So they charged us £5,000 for breaking our contract. Result - still out of pocket as nobody knows how to rectify the screw up.

4. Refuse to provide a SIP trunk. Apparently for legacy (or anything they don't support - Asterisk) they will only provide an ISDN gateway, so we have to maintain a PRI for bugger all reason (Asterisk -> PRI -> BT ISDN Gateway -> BT SIP Trunk).

BT know they have us by the balls, as we're too scared of reversing the Direct Debit because we know some over-zealous little shit will pull the cord, even though a billing dispute is in process.

AWS sends noise to Signal: You can't use our servers to beat censors

My Alter Ego

Domain is actually souq.com

I only mention it because I was trying to get more information on how Signal were using a domain they don't own.

Your AI pet project is only as smart as its garbage training set

My Alter Ego

Not that this is anywhere close to AI

Back in 2013 when Bitcoin was a mere $200 (and before MtGox "lost" all its Bitcoins) a couple of us in the office played around with trying to build a trading box. At first we thought about arbitrage between the various exchanges, but because of how long a transaction might take we nixed that fairly early on. We then had a look at trying to earn out of the insane swings.

We'd write our (insanely simple and non-learning) algorithm, and tune it on past data, and then run it on the live values. When it lost we tuned it again - rinse and repeat. It was an interesting process, a bit of fun, and no real money was involved.

The main thing I took away from the experience was that "It's really easy to predict the past" (and that the price of Bitcoins is completely illogical and garbage)!

You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

My Alter Ego

Re: Unisys screwed up

"Entrapment requires the prosecution or their agents to suggest the crime."

I don't know about the UK or Canada, but apparently it's completely legal in the US for law enforcement to suggest a crime. All you have to do is refuse. It becomes entrapment if they coerce you into committing the crime.

Source: Law Comic - Entrapment The whole strip is actually pretty interesting.

Sysadmin’s worst client was … his mother! Until his sister called for help

My Alter Ego

Re: Re:Until I come to use a fucking laptop,

Seconded. We have a stack of them (and the MK120 mouse/keyboard combo) in the office.

My Alter Ego

Re: Ahhh...

Ouch, even my German mother found that one funny!

Sysadmin shut down the wrong server, and with it all European operations

My Alter Ego

For the love of god...

I just did this this morning, after reading this very story (and the comments) yesterday evening.

Reg man wraps head in 49-inch curved monitor

My Alter Ego

Does this simulate multiple windows?

One of the benefits of using multiple monitors (I use 3x24") is that I can dock 4 50% wide windows on two of the monitors. If this is a single monitor then I can only dock left and right, or does this come with drivers that make the width more usable.

UK.gov: Psst. Belgium. Buy these Typhoon fighter jets from us, will you?

My Alter Ego

Am I missing something here? I'm sure the RAF has some different hardware inside it compared to the Luftwaffe and the Spanish AF, but surely Eurofighter and Typhoon are branding differences.

"The Eurofighter is known as Typhoon in the United Kingdom and export markets and as EF-2000 in Germany, Italy and Spain. However all Italian aircraft carry the "Typhoon" logo on their tails."

Timeout everyone. Y'all know that Musk's $500 'flamethrower' is literally a Boring blowtorch?

My Alter Ego

Re: Here’s to honesty!

"Of course I can't throw rocks, I've paid $230 to be only a couple miles from Falcon Heavy when it goes boom launches."

Lucky bastard. I'd love to watch a launch (of any kind), but especially one with a 1st stage landing, but the cost of getting a transatlantic flight to Florida, only to find it's a scrub, makes it a little expensive.

Intellectual Property Office drops, er, patently cool cartoon to teach kids about trademarks

My Alter Ego
Boffin

Like to hear some feedback from parents

Seeing as I don't have any children that I can experiment on (or any children for that matter), I'd love to know what the actual reaction to this video would be.

Maybe I should try getting my 8 year old niece to watch it and ask her what she thought of it.

Upset Equation Editor was killed off? Now you can tell Microsoft to go forth and multiply: App back from the dead

My Alter Ego
Trollface

Re: I hadn't noticed.

Most people would get in trouble for using latex in an office environment!

Why did top Home Office civil servant lobby Ofcom for obscure kit ban?

My Alter Ego

Yeah, I saw this at the Ordnance Survey. I worked with a guy who always came "highly recommended" from other departments, yet couldn't read a map after about 20 years of working in production. He always made sure that people were aware of this (the highly recommended bit, not the not being able to read a map bit!), so was completely oblivious to the fact departments would do anything to get rid of him.

Memo man Damore is back – with lawyers: Now Google sued for 'punishing' white men

My Alter Ego

Why would non-whites be banned from joining the Union? Whites weren't banned from the Asian society, etc in my Uni.

UK security chief: How 'bout a tax for tech firms that are 'uncooperative' on terror content?

My Alter Ego

Re: Or ...

"when terrorists get dobbed in by the neighbours"

As the last few years have shown, it doesn't matter how much neighbours and acquaintances try dobbing in radicalised people if those reports aren't acted on by the security services.

Judge rm -rf Grsecurity's defamation sue-ball against Bruce Perens

My Alter Ego

I think it's the evolution episode, seeing as the humans are in threadbare clothes and the courtroom is full of robots.

"I don't want to live on this planet anymore"

Oh good. Transport for London gives Capita £80m for WAN, LAN and Wi-Fi

My Alter Ego

Re: Crapita public wifi ????

This will be great for train enthusiasts, or anyone who's ever wanted to control a full scale tube train (complete with life-like passengers).

'DJI Mavic' drone seen menacing London City airliner after takeoff

My Alter Ego

Re: Idiots

They can descend close to terminal velocity if you're not careful. While tuning my home-build quadcopter I wanted to get it on the ground quickly, and just started descending. It started to look like it was simply dropping with a loud buzzing noise and my helicopter aerodynamics lecturer sprang to mind "shit - vortex ring".

Fortunately I had enough time to increase thrust and managed to fly it out of its own downwash. From then on I learned to descend in a nice coordinated spiral.

Forget Bruce Willis, Earth's atmosphere is our best defense against meteorites

My Alter Ego

Re: Doesn't follow

Regardless of whether it'd make a difference, surely it'd be worth trying. Every little helps...

Oregon will let engineer refer to himself as an 'engineer'

My Alter Ego

Re: let me guess

Funnily enough, I once asked somebody in our engineering department where Professor Lockett was, and was told "you don't want him to hear you calling him that, he's a Doctor". Although it's quite likely that he was joking.

My Alter Ego
Coat

Re: let me guess

Not unless you're discussing the relativistic effects!

My Alter Ego

Re: let me guess

I don't get the whole calling yourself an engineer thing.

I've a BEng in Aeronautical Engineering, but I don't call myself an Engineer because I don't work as an engineer. Nor do I call myself a Software Engineer because I didn't train as one, even though I spend [most of] my day writing software. The closest I come to describing myself as an engineer is that I was trained as an engineer, although pedants might pick me up on that, seeing as I never touched engineering outside of academia.

Shady US sigint base upgrade marred by stolen photograph

My Alter Ego

Re: Reminds Me Of That Time...

That video's great. I don't know how I have never heard of him up until now.

Drone collisions with airliners may not be fatal, US study suggests

My Alter Ego

"May not be fatal"

I'm pretty sure they will be to the drone. Won't somebody please think of the drones?

Brit MP Dorries: I gave my staff the, um, green light to use my login

My Alter Ego

Re: Sends a terrible message.

Well, the public voted her in so of course she should be more trustworthy than us plebs. I can't wait for Damien Green to start claiming that it must have been a member of his office, because he too shares his credentials.

User dialled his PC into a permanent state of 'Brown Alert'

My Alter Ego

Ugh - pretty much had that happen. Colleague dumped his laptop on my desk and asked if I could have a look at it. After lifting the lid I decided I wasn't touching it and whilst deciding whether I just hand it back with the comment "clean it first", I opted to dig out a keyboard and mouse.

I did make the point of leaving it on his desk and then immediately washing my hands.

User asked help desk to debug a Post-it Note that survived a reboot

My Alter Ego

Re: PBKAC

I know where you're coming from with the van as it's not standard behaviour.

Computers and monitors have had separate PSUs (and therefore switches) pretty much from when computers had VDUs.

It's also quite useful. I lock my session when I leave work and turn my monitors off. That way I can ssh if required.

Guy Glitchy: Villagers torch Openreach effigy

My Alter Ego

Re: Lies, damn lies and BT excuses

We've had that locally. A company called Gigaclear started burying fibre around Oxfordshire (although it seemed a little haphazard in places). BT (who've had no interest in installing FTTC) started chasing them around slapping "Infinity coming soon" stickers on all the cabinets.

In the mean time, we're trying to upgrade our BTnet leased line to a resilient one. We've been quoted £40k for the fibre to be pulled in from the Headington exchange. When we queried the cost we were told there's no existing fibre - a lie seeing as one of the neighbouring businesses already have what we're asking for (and with no excess construction costs). We were then told that all the fibre's been utilised, which while possible is highly unlikely. Unless of course Openreach blow in a single fibre at a time.

Oh yes, and we've been charged an extra £4.5k because our useless Local Business rep signed us up for a new contract, but forgot to remove the early termination fee.

I'd struggle to find a company who are so completely incompetent in almost every department as BT are.

'Lambda and serverless is one of the worst forms of proprietary lock-in we've ever seen in the history of humanity'

My Alter Ego

Lambda - great on paper

My experience with AWS Lambda was that it looked like it was exactly what I needed. Until I tried using it...

The documentation for the particular function I wanted to use was horrific. There was a single page on the internet that described its use, and much of the information was missing or incorrect. Within 18 hours Amazon had to make three changes to the documentation, while I tore my hair out wondering why I was getting unexpected data passed to the function.

Then there's the cold start times - I had a function that took <600ms to run, but if not run for a while would actually take >20s* to run. Seeing as the AWS service calling that function mandated that it would timeout after 5s, I realised that it's pointless to rely upon it. Unless of course I decided to dedicate an EC2 instance to the function, but then I'm paying for 750hrs a month (which I'm sure Amazon would love).

I learned that the biggest barrier to using Lambda isn't the vendor lock-in (I was aware of it when I started the project), it's Lambda itself.

* 4 s of that was used to deserialize 500 bytes, ffs

Can you get from 'dog' to 'car' with one pixel? Japanese AI boffins can

My Alter Ego
Joke

Re: The adjusted pixels

"...catastophically destroyed the ability of the algorithm to catgorise the image..."

That's a little unfair, some of us like dog pictures!

Is the FCC purposefully screwing up US school broadband projects?

My Alter Ego

Nothing to see here, nope, no conflict of interest.

Ajit Pai, former Associate General Counsel for Verizon. I'm sure his experiences there have no relation to the FCC being overly against any broadband schemes not being run by large telecoms companies.

And I'm sure he won't be moving back to a similar company when his tenure at the FCC is over.

Tories spared fine after being told off by ICO for election telemarketing

My Alter Ego

Well, you're the first person to mention GMB and Unite, so all I can say is "that's a lovely strawman you've knocked down".

Besides, why do you assume people aren't bothered by Labour breaking electoral rules just because they're critical of the Tories? Most people grew out of using the "but teacher, Jim did it too..." excuse decades ago.

HMRC's switch to AWS killed a small UK cloud business

My Alter Ego

Re: 85% of revenue from a single client?

When you make the rules you don't have to follow them...

Jeff Bezos fires off a blue dart, singes Elon Musk and SpaceX

My Alter Ego
Happy

Re: Something doesn't add up

Rocket science would be a lot easier if Tsiolkovsky hadn't come up with his Rocket Equation. What a bastard!

OnePlus privacy shock: So, the cool Chinese smartphones slurp an alarming amount of data

My Alter Ego

Already turned off on my One+3

I have no recollection of having turned this off (of course I could have forgotten doing so).
