@Kenny Swan - It's Likely ...
that some recipients will have recently booked flights which goes some way to excusing them opening the zip (but not then running an executable!).
Posts by Phil
16 publicly visible posts • joined 3 Aug 2007
Booby-trapped emails fly back into fashion
Black hats attack gaping DNS hole
Exploit code targets Mac OS X, iTunes, Java, Winzip...
Thursday 31st July 2008 07:42 GMT
@K L
The bad guy sits between you and the banking site and can relay all communication in both directions. Any authentication exchange can also be relayed. Once you've said OK to the message that warns you that the SSL certificate doesn't match the banking site that you think your using or isn't signed by a trusted 3rd party then your doomed!
Dutch ban voting computers over eavesdropping fear
Monday 26th May 2008 07:39 GMT
Why Not Scan?
Here's how I see it working:
- I go to the polling station, identify myself and am handed my voting slip.
- I place my voting slip into the e-voting machine and it prints a unique (and random), human readable identifier onto the slip and issues a receipt with the same identifier (which I compare).
- I mark my X or Xs as appropriate.
- I place my voting slip into the e-voting machine.
- The machine scans the slip and registers the vote.
- The voting slip is retained should manual counting be required.
- I go home and go on-line to the e-voting web site where I am prompted to enter, for example, the 3rd, 7th and 12th character of my identifier.
- The web site shows a list of the (n) matching identifiers, sorted by identifier, and their associated vote and I confirm that my vote is correct.
- Following the election results being ratified the full set of identifiers and votes is made available. The physical voting slips are all collected, without reference to their original location, sorted by identifier and filed.
There are things that might cause concern:
1. Is the slip marked in some way to link it to the identified voter?
2. Can the generated identifier be linked back to the voter in some way?
1. is already possible with manual paper ballots and 2. should be addressable.
Have I missed anything?
DWP still sending out passwords and discs together
Comcast mulls overage fees for bandwidth lovers
Saturday 10th May 2008 16:01 GMT
What's The Problem?
If companies publish their caps and their fair use policies then it's fair enough to impose them. Would the Comcast users who say they'll leave if the 250GB cap is imposed be happier if, instead, Comcast just terminated the contract of anyone who exceeded some unspecified amount of traffic?
I don't like the idea of caps per se but I think that offering a cheap, low cap service, a medium priced, high cap service and an appropriately priced uncapped service is the way to go. All services should also provide facilities to see what you're using.
@AC 16:01
You're right, 4 weeks is 2419200 seconds but on an 8Mb/s line this equates to 2419200 MB not 19353600 (that figure is megabits not megabytes). That said, that's equivalent to 2362.5 GB which is a lot more than 250GB.
AVG revamps free security scanner
Dutch MP releases anti-Islam movie
Saturday 29th March 2008 21:03 GMT 
@AC (The blame game)
I don't blame religion for violence, I blame people for violence (aka "Guns don't kill people ..."). Violence is human nature - frequently it is the result of tension, frustration and an inability to otherwise resolve perceived injustice. Religious belief is, however, often used as the justification for violence. For believers it can lower the threshold at which the taking of another's life, and likewise the loss of their own, becomes acceptable. This effect is not unique to Islam, it accompanies all religions that require followers to believe that after death they will 'live' in eternal bliss.
@Other Respondents to AC (The blame game)
AC does not specify in what way blaming religion for violence is the same as blaming computer games. This gives the reader the freedom to interpret it as he/she sees fit. Personally, I can see that the comparison is valid in as much as whether either are responsible for fostering violence is open to debate.
Tokyo 250Mbps mobile supernetwork speeds into life
Next time you go to the loo, bring your locked laptop with you
Saturday 29th March 2008 14:38 GMT
Things I don't Understand ...
1. why there is a distinct signature for passwords in memory.
2. why passwords aren't wiped from memory when I lock the machine.
3. why el Reg comments don't provide a 'refer to previous comment' option.
4. why my local supermarket doesn't have fresh bread on Mondays.
VMware vuln exposes the perils of virtualization
Friday 29th February 2008 06:54 GMT 
Is Privilege Escalation Involved?
As far as I can see from the linked article this is just a directory traversal issue. This means that the underlying OS is only as vulnerable as permitted by the account running the virtual machine - not an immediately pwned situation if you run the vm as a limited (i.e. non-admin) user.
If you run a vm without any security then you risk having your host disk read and broadcast on the internet (and incriminating evidence planted on it too.)
Most home routers 'vulnerable to remote take-over'
Friday 18th January 2008 11:11 GMT
Is UPnP The Issue?
From what I can see the problem isn't with UPnP but with the home gateway router manufacturers' implementation of it.
Take a look at "Understanding UPnP™: A White Paper" at http://www.upnp.org/resources/whitepapers.asp. Once you get past the Windows ME logo and the 'future tech' verbiage it comes down to an appliance advertising the services it offers.
Now look at consumer internet gateway routers (IGR) and ask why a consumer IGR needs to allow its internet connection settings or password to be changed via UPnP.
I can see why an IGR would allow UPnP to configure port forwarding (external to internal) - this replaces the process that I would otherwise need to undertake manually – but why an IGR should offer any other service is beyond me.
If the only UPnP request that my IGR recognises is one that opens an external port then I’m happy – that’s what I thought it did and my internal application firewall (ZoneAlarm) will let me decide whether a specific application is allowed to listen for incoming internet requests.
Wikipedia black helicopters circle Utah's Traverse Mountain
Stripogram copper walks on offensive weapon rap
Wanna stick USB 2.0 to your network?
Saturday 11th August 2007 15:44 GMT
Why Only Fast Ethernet (100mbps)?
This is a question I've been asking ever since wireless pre-N products hit the market.
The Asus WL-500W (draft N) even mentions on the blurb page that it 'achieves speeds higher than 100Mbps' and yet it only offers fast ethernet on the wired side. USB 2.0 hard drive transfer rates easily exceed 100Mbit/s - the LaCie Mobile Drive, for example, claims from 25MB/s (200Mbps) up to 30MB/s (240Mbps). Most motherboards and home PCs these days come with gigabit ethernet as standard. A gigabit switch can be purchased for around £30 (retail). So why only fast ethernet on this type of device (USB network server)?
Products I'd like to see:
- ADSL2+ modem/router with SPI firewall, GbE 4 port switch, wireless-N
- ADSL2+ modem/router with SPI firewall, GbE 4 port switch, wireless-N, USB print & storage server
- ADSL2+ modem/router with SPI firewall, GbE 4 port switch, wireless-N, USB print & storage server & all the other frills
Flash: Public Wi-Fi even more insecure than previously thought
Friday 3rd August 2007 14:46 GMT
What's New?
Unsecured connections are insecure - why is this news?
If you are using a session cookie outside of a secure connection then include an encrypted timestamp and nonce. If you get the same timestamp and nonce more than once for the same session ID then reject it. If the timestamp is outside an X minute window then reject it.
Strictly speaking, if the clock resolution is fine enough then the nonce isn't needed but it does make it harder to crack the encryption.
Or am I missing something?
Biting the hand that feeds IT
