
Perrottet backs public servant’s sacking


The NSW premier has endorsed the sacking of the senior public servant who was responsible for appointing former deputy premier John Barilaro to a lucrative US trade job.

Departmental secretary and former Investment NSW boss Amy Brown has left the public service with a payout of nearly $500,000 over her role in the job debacle which embroiled the government in scandal for three months.

An independent review of the recruitment process found Ms Brown had been indirectly influenced to preference Mr Barilaro for the job despite a range of other well-credentialed candidates.

Department of Premier and Cabinet secretary Michael Coutts-Trotter said on Monday he had decided Ms Brown would not remain as head of the Department of Enterprise, Investment and Trade.

“It’s a privilege to hold a role as a senior leader in the NSW public service. With this, rightly, comes a high degree of accountability,” he said.

Ms Brown was on $614,000 and was entitled to 38 weeks of her salary plus entitlements — at least $450,000.

Commenting on her sacking for the first time, Premier Dominic Perrottet said he endorsed the decision and said she was entitled to the payout.

“I certainly support the decision that has been made,” he told Sydney radio 2GB on Tuesday.

“There are entitlements that come from through those decisions.”

An independent review was held earlier this year into the appointment of Mr Barilaro to the $500,000-a-year, taxpayer-funded US trade job.

It found Ms Brown had been indirectly influenced by former trade minister Stuart Ayres’s preference for who should get the New York-based role.

Mr Ayres resigned as minister last month after a draft excerpt from the review raised questions about whether he breached the ministerial code of conduct with his involvement in the appointment process.

The review found Mr Barilaro’s appointment was not kept at arm’s length from government.

Mr Perrottet said the appointment process was “flawed from the outset” and ordered an independent legal review to establish if Mr Ayres had breached the ministerial code.

The review, released last week, found Mr Ayres had not breached the code but he remains on the backbench.

The opposition said it would be unfair if Ms Brown was the only person to take responsibility for the scandal and warned the premier against returning Mr Ayres to the frontbench.

Mr Barilaro relinquished the trade job in June, just weeks after his appointment was announced, saying the role was untenable and had become a distraction.



Italian Grand Prix: Alex Albon to miss race as Nick de Vries takes over in Williams

Williams driver Alex Albon will miss the Italian Grand Prix as a result of contracting appendicitis.

Book review – “Pro Active Directory Certificate Services” by Lawrence E. Hughes


Disclaimer: This review contains my personal opinion about the book and does not necessarily reflect the company’s or other people’s opinion. Hello everyone, today I have a little bit unusual blog post, which is a book review. As you may know, my primary interest area is Microsoft Active Directory Certificate Services (ADCS) and it there are…


LG is bringing NFTs to its smart TVs


Just months after Samsung announced that it’s bringing non-fungible tokens (NFTs) to its TVs, now LG’s doing the same. The company’s new NFT marketplace, called LG Art Lab, lets you “buy, sell and enjoy high-quality digital artwork” from your TV.

For now, only users in the US with an LG TV that runs webOS 5.0 or later can access the app, which is available to download from the TV’s home screen. Through the portal, you can buy and sell digital works made available through LG’s NFT drops. The first one of these drops is set to occur on September 22nd and features a set of metallic-looking NFTs from sculptor Barry X Ball.

Since I just so happen to own a compatible LG TV, I downloaded and tried out the app for myself... and there’s not much going on there yet. The app is pretty empty, and there aren’t any NFTs that you can browse through and buy right now (unless of course, you want to watch a video of Barry X Ball’s upcoming NFT on loop, which I did over the course of writing this article).


But once there’s actually an NFT you can buy from the platform, LG says you can scan the QR code that appears on the screen, and then open the Wallypto app on your phone to complete the transaction. Before you do that, you’ll need to purchase USD Coin (USDC), a stablecoin that’s supposed to be pegged to the US dollar (and managed to maintain that peg when other stablecoins crashed).

LG’s NFT platform is built on Hedera, which describes itself as the “most used, sustainable, enterprise public ledger for the decentralized economy.” Unlike the Ethereum or Solana networks many popular NFT marketplaces support, the Hedera network doesn’t operate on the blockchain — it uses a blockchain alternative, called hashgraph. LG is just one of the several corporations that serve as a governing member of the Hedera network, with proponents of the system claiming it’s faster and more efficient than transacting on the blockchain.

LG says it’s going to keep adding NFTs from artists on a “monthly basis,” and that you’ll get to view any NFTs you purchase from the LG Art Lab app. Just like Samsung’s doing with the NFTs on its TVs, it looks like LG is hoping users will display the NFTs on their TV when it’s not in use (which sounds like a few extra bucks on my energy bill that I’d rather not spend).


Certificate Revocation in Microsoft Edge


When you visit an HTTPS site, the server must present a certificate, signed by a trusted third-party (a Certificate Authority, aka CA), vouching for the identity of the bearer. The certificate contains an expiration date, and is considered valid until that date arrives. But what if the CA later realizes that it issued the certificate in error? Or what if the server’s private key (corresponding to the public key in the certificate) is accidentally revealed?

Enter certificate revocation. Revocation allows the trusted third-party to indicate to the client that a particular certificate should no longer be considered valid, even if it’s unexpired.

There are several techniques to implement revocation checking, and each has privacy, reliability, and performance considerations. Back in 2011, I wrote a long post about how Internet Explorer handles certificate revocation checks.

Back in 2018, the Microsoft Edge team decided to match Chrome’s behavior by not performing online OCSP or CRL checks for most certificates by default.

Wait, What? Why?

The basic arguments are that HTTPS certificate revocation checks:

  • Impair performance (tens of milliseconds to tens of seconds in latency)
  • Impair privacy (CAs could log what you’re checking and know where you went)
  • Are too unreliable to hard-fail (too many false positives on downtime or network glitches)
  • Are useless against most threats when soft-fail (because an active MITM can block the check)

For more context about why Chrome stopped using online certificate revocation checks many years ago, see these posts from the Chromium team explaining their thinking:

Note: Revocation checks still happen

Chromium still performs online OCSP/CRL checks for Extended Validation certificates only, in soft-fail mode. If the check fails (e.g. offline OCSP responder) the certificate is just treated as a regular TLS certificate without the EV treatment. Users are very unlikely to ever notice because the EV treatment, now buried deep in the security UX, is virtually invisible. Notably, however, there is a performance penalty: if your Enterprise blackholes or slowly blocks access to a major CA’s OCSP responder, TLS connections from Chromium will be 🐢 very slow.

Even without online revocation checks, Chromium performs offline checks in two ways.

  1. It calls the Windows Certificate API (CAPI) with an “offline only” flag, such that revocation checks consult previously-cached CRLs (e.g. if Windows had previously retrieved a CRL), and certificate distrust entries deployed by Microsoft.
  2. It plugs into CAPI an implementation of CRLSets, a Google/Microsoft deployed list of popular certificates that should be deemed revoked.

On Windows, Chromium uses the CAPI stack to perform revocation checks. I would expect this check to behave identically to the Internet Explorer check (which also relies on the Windows CAPI stack). Specifically, I don’t see any attempt to set dwUrlRetrievalTimeout away from the default. How CAPI2 certificate revocation works. Sometimes it’s useful to enable CAPI2 diagnostics.

CRLSets are updated via the Component Updater; if the PC isn’t ever on the Internet (e.g. an air-gapped network), the CRLSet will only be updated when a new version of the browser is deployed. (Of course, in an environment without access to the internet at large, revocation checking is even less useful.)

After Chromium moves to use its own built-in verifier, it will perform certificate revocation checks using its own revocation checker. Today, that checker supports only HTTP-sourced CRLs (the CAPI checker also supports HTTPS, LDAP, and FILE).

Group Policy Options

Chromium (and thus Edge and Chrome) support two Group Policies that control the behavior of revocation checking.

The EnableOnlineRevocationChecks policy enables soft-fail revocation checking for certificates. If the certificate does not contain revocation information, the certificate is deemed valid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed valid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.

The RequireOnlineRevocationChecksForLocalAnchors policy allows hard-fail revocation checking for certificates that chain to a private anchor. A “private anchor” is not a “public Certificate Authority” but instead, e.g., the Enterprise root your company deployed to its PCs for either its internal sites or its Monster-in-the-Middle (MITM) network traffic inspection proxy. If the certificate does not contain revocation information, the certificate is deemed invalid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed invalid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.
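The outcomes of the two policies, modelled as an added example (not Chromium's code and not part of the original post); the `Check` states, the function names and the `path_blocked` flag are illustrative assumptions. It shows why soft-fail accepts a revoked certificate whenever the check cannot complete, and why hard-fail rejects a good one when the CA is unreachable.

```python
from enum import Enum
from itertools import product

class Check(Enum):
    GOOD = "good"                # CA answered: not revoked
    REVOKED = "revoked"          # CA answered: revoked
    UNREACHABLE = "unreachable"  # check did not complete
    NO_INFO = "no_info"          # certificate carries no revocation information

def soft_fail(seen):
    # EnableOnlineRevocationChecks: only a definitive "revoked" rejects.
    return seen is not Check.REVOKED

def hard_fail(seen):
    # RequireOnlineRevocationChecksForLocalAnchors (private anchors only):
    # only a definitive "good" answer accepts.
    return seen is Check.GOOD

def observed(true_status, path_blocked):
    # A certificate without revocation info never triggers a fetch; otherwise
    # anything that stops the fetch (outage, filtering, an on-path party)
    # hides the CA's real answer from the client.
    if true_status is Check.NO_INFO or not path_blocked:
        return true_status
    return Check.UNREACHABLE

def outcome_table():
    # (true status, path blocked) -> (accepted by soft-fail, accepted by hard-fail)
    table = {}
    statuses = (Check.GOOD, Check.REVOKED, Check.NO_INFO)
    for status, blocked in product(statuses, (False, True)):
        seen = observed(status, blocked)
        table[(status, blocked)] = (soft_fail(seen), hard_fail(seen))
    return table

if __name__ == "__main__":
    for (status, blocked), (soft, hard) in outcome_table().items():
        print(f"{status.value:8} blocked={blocked!s:5} "
              f"soft-fail accepts={soft!s:5} hard-fail accepts={hard}")
```

The two rows with a blocked path are the trade-off from the list of arguments above: soft-fail lets the revoked certificate through, while hard-fail turns every responder outage into a failed connection.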

Other browsers

Note: This section may be outdated!

Here’s an old survey of cross-browser revocation behavior.

By default, Firefox still queries OCSP servers for certificates that have a validity lifetime over 10 days. If you wish, you can require hard-fail OCSP checking by navigating to about:config and toggling security.OCSP.require to true. See this wiki for more details.

For the now-defunct Internet Explorer, you can set a Feature Control registry DWORD to convert the usual soft-fail into a slightly-less-soft fail:



Edge Legacy did not have any option for non-silent failure for revocation checks.

Excellent write up

Microsoft starts testing new Windows 11 taskbar UI changes


Microsoft is experimenting with new UI changes to the Windows 11 taskbar. The software giant is testing out bringing back the familiar search bar from Windows 10, alongside notification badges for the Widgets section in Windows 11.

Windows 11 currently ships with a search button on the taskbar, which can be disabled and only shows the search logo. Microsoft is now testing three different search taskbar visual changes. One experiment is the usual search icon, while two others include a small or large search bar in the taskbar. Microsoft is looking for feedback on the changes before they’re rolled out more broadly, and the tests are part of Microsoft’s new experimental Windows 11 features, which does mean they might not ship.


But all I want is taskbar ungrouping back!