I love crapware
Makes the machine cheaper. Even if I was convinced a new computer came with a clean install of the OS of my choice, wiping and installing is required to prove I can restore from backups.
1878 posts • joined 19 Oct 2007
Everyone with one of these routers can find the private key. If the key is not on the internet already it will be soon. Everyone who knows how to set up an ssh server will be able to pretend that their box is one of the 250,000 routers. After they have stolen all the underwear, how do they profit?
A public key is the product of two large primes. The corresponding private key is the two primes not multiplied together, but in either order, so there are only two possible private keys. It is almost certain that if two public keys are the same, then so are the private keys. In this case, any competent cracker with physical access to the device can read the unencrypted private key. (In the other case, any cracker able to get the unencrypted private key from the telco could just as easily get every unencrypted private key if they were all different). There is nothing to decrypt here.
If all the keys were different, and I had physical access to Alice's router, I could install my device that can pretend to the telco that it is Alice's router. As all the keys are the same, I cannot do that because the telco knows beyond all possible doubt that the secret key is not secret.
<voice style="John Cleese/Romanes eunt domus">
If understanding this is beyond the ability of the average commentard, imagine the near impossibility of explaining to a PHB why the telco needs to spend money maintaining a database of which customer has which key. If by some fiendishly cunning stratagem you sneak the database into the telco's budget how on earth are you going to explain what is going on to the customer when his router does not have the secret key in the database?
You are not making any sense. You can try to crack a public key - create the secret key by factorising the public key. You can try to crack an encrypted secret key by guessing the password. Even when I did not know which key this was about, the private key/keys were not encrypted. The challenge is to steal the unencrypted key/keys from where they are stored.
Dropbear's banner tells you the public key used to authenticate the device, so the secret key is on the device. With physical access and a little hacking, you can copy the secret key to some other device. You can put some other device where the router is, and when the telco tries to log in, you can fool them into thinking your device is the router they supplied.
As the same key is used by many routers, if you can get between the telco and someone else's router, you can convince the telco that they are updating the customer's router when they are really talking to yours. This leaves the customer's router with out-of-date software.
Now imagine what changes when every router has its own key. The telco could keep a database of which key belongs to the router of each customer. When they do updates, they can check that they are talking to a device with the right secret key. If they assume someone with physical access to the router did not copy the key to another device, then they can have confidence that they are updating the router in the customer's home and not some man-in-the-middle device.
I can easily imagine the majority of ISPs not bothering to maintain the database. Pretend one does, and finds the wrong key where they expect a customer's device. There are plenty of legitimate reasons: mixing up which device went where so the database is wrong. The customer using his own router - and giving the unused one to a friend whose router broke. The customer generated a new key pair, or the NSA are preventing router updates. So the telco knows something is going on. What are they going to do?
customer man in the middle with an explanation of the issue? Phone up the customer and explain what a secret key is?
Is there a genuine threat that could realistically be countered by telling each router to generate its own keys? If all the keys were different, would you assume that your new device is the only place where the secret key is stored?
If someone finds Linus's secret key, all those computers could be fooled into thinking Linus signed some source code that he didn't! Even worse, type:
gpg --recv-keys 79BE3E4300411886
and you get a copy of Linus's public key, and something similar will get you anyone else's (if they have one). It is almost as if public keys were available to anyone!
The routers have two obvious uses for ssh keys. One use is for authenticating the router - in which case the same secret key is on every router. I could copy that key to another device, and the telco could be fooled into thinking they are talking to any one of their routers when they are really talking to my laptop.
The other use is for remote administration. Each router could have its own key. When the telco does an update, the computer doing the update needs to know the secret key for every router. If a cracker can get one, she can get any or every secret key, so having only one key does not remove any security.
What is the issue here?
The big secret is to be Western Digital, Seagate or Toshiba. Those are the only drive manufacturers left. The margins on drives are so thin that enormous economies of scale are required to make any profit. The spinning disks market is in its final stage of consolidation. A new player would need to commit running their business at a loss until they can get above 10% of the market and refine their manufacturing process to the same efficiency levels as one of the big two. In real life, a new manufacturer will implode before they have a business worth being crushed and bought out by WD or Seagate.
WD and Seagate could release their firmware under GPL without harming their businesses. The thing is, I am not sure it is their firmware. It certainly used to be a component they bought in - like the controller cards. If this problem gets fixed, it will be by people creating 'The Open Rotating Disk Initiative Obnubilating NSA' for themselves.
If your example is correct, the phone makers should have bought a chip they could control.
Personally, I blame the customers. They should have checked for a cyanogen installer before purchase.
"... presents identical and similar product offers that may have lower prices"
In this context is 'may' equivalent to 'almost never'?
Did I fall asleep?
The original Russian disclosure says SSH, not SSL, so step one is to install and enable SSH, on a port where people can find it. This is a terrible idea on any machine visible on the internet because the machine will be found and hit with a continuous stream of login requests attempting to find an account by brute force. Although this stands no chance of success with even basic precautions, it does waste a little CPU time and lots of network bandwidth. (The most popular way to avoid the network traffic is to set up port knocking.)
Next, you will have to make some changes to /etc/ssh/sshd_config. The one that is definitely required is 'PasswordAuthentication yes' otherwise all attempts to log in with a password will fail (sshd should be set up to require one type of public key authentication, and have all other methods disabled). You can save the crackers some time with 'PermitRootLogin yes'. Without that, the cracker will need to use some sort of privilege escalation - which a competent cracker probably knows. Next you need an account with a password that was not created with a random character generator. If you permitted people to log in as root, make sure you set root's password to a word or two out of the dictionary, swapping i to 1 and o to 0. You can save some network bandwidth by using the most popular password: 123456. (Logging in as root should require logging in as an ordinary user, then upgrading to root access).
Next up, this malware requires a bash script in /etc/init.d/ to install itself. The vast majority of them are sh scripts, but I did find a couple of bash scripts. The malware is looking for '#!/bin/bash', which is the way to specify the bash interpreter in Linux. The BSDs require '#! /bin/bash', and Linux accepts that too for compatibility. You can trip up this version 1 installer by adding a space to bash scripts in /etc/init.d/ - if you have any.
The translation of the incident page said something about using a virus scanner to detect infection. I stopped reading at that point because the advice is clearly bollocks. If you installed and configured sshd to use the ssh port and password authentication with a brute forceable root password then your computer will be infected with something that can hide from any virus scanner running on the computer. You might be able to find the malware by pulling out the hard disk, putting it in a USB enclosure, attaching it to a different computer and comparing it to your backup.
I think the biggest barrier to catching this malware is that something more nasty will get in first and close up the configuration errors before everyone and his dog pwns the machine.
Speech recognition is for working out which words were spoken, but this article is about voice recognition: identifying the speaker. Make sure to create a recording of your voice so you can watch films you purchased even if you catch a cold.
The dielectric constant changes with frequency (it is called dispersion). This was even a problem with 28800 bit per second modems. The signal for a single bit was spread all over the audio spectrum, and spread out in time between the customer's modem and the exchange. One proposed solution was to send many slow bit streams at the same time - each using a small amount of bandwidth centred on a different frequency. High speed optical links send many bit streams at different frequencies to counter dispersion.
If you sent an analogue signal over hundreds of kilometres of ethernet cable, dispersion might make a measurable difference. Back in the stone age, that is pretty much how the phone system worked. All the other sources of noise hid the effects of dispersion.
Some materials have lower dispersion than others, and it is possible to select pairs of materials that cancel out dispersion over a limited frequency range. For ethernet cables, lots of effort goes into reducing cross talk, but I have not seen any mention of dispersion.
The obvious thing these cables are missing is some carved amber end-caps so the electrons don't fall out while the cable is in the post. Only $1000 each - you know they're worth it.
In a good conductor electrons travel millimeters per second. A semiconductor has far fewer electrons (or holes) that can move, so given the same current density, the electrons travel much faster. If they want fast electrons, silver is a really bad choice.
When one electron moves, it leaves behind an excess of positive charge that attracts electrons. The place it arrives at gets an excess negative charge that repels electrons. Although the electrons themselves barely move, regions with extra or missing electrons move fast - like a ripple on a pond moves far more than individual water molecules.
An excess of charge in one place is a voltage. A change in voltage moves along a pair of wires at the speed of light in the insulator between them. Light travels through popular insulators at between one half and one third the speed of light in vacuum. High frequency traders have already switched to air to reduce latency.
I can just imagine audiophools listening to their music with vacuum spaced ethernet cables while a pump chugs away to maintain the vacuum.
When someone wants to sell a book that proves their cult religion is sciency, they usually follow the sequence: quantum -> observer -> consciousness -> bullshit
Inside the box: Either [the atom decayed and the cat is dead] or [the atom did not decay and the cat is alive]. The Geiger counter amplified the energy difference between a decayed/non-decayed atom until there was a clear macro-scale difference: a cat that is either angry about being shut in a box or dead. Inside the box, the Geiger counter is an observer.
Outside the box: In the thought experiment, the box is so magical that no clue about the state of the cat can escape. Not the faintest vibration from her breath or heartbeat. No hint of RF from nerve impulses. No difference in which warm atoms vibrate differently because either the cat's immune system is digesting bacteria or the bacteria are digesting a dead cat. Because the box is magical, the wave function that describes the contents of the box is a superposition of states of a live cat and more states of a dead cat.
As soon as the box is opened, the wave function collapses. That term needs some explanation: either the probabilities for different states of a dead cat collapse to zero, and the sum of probabilities for states with a live cat zoom up to one, or the other way around. The rate at which the probabilities change depend on the sum of the energy differences between the possible states. A nerve impulse from a live cat might cause a photon of RF energy to escape from the box just as the lid opens. That photon could cause a molecule outside the box to vibrate. That vibration could change the way other molecules vibrate. Because the difference between a dead and a live cat is macro-scale, billions and billions of differences between the states leap out of the box the moment the lid starts to open. Those differences create other differences outside the box that grow exponentially. That exponential growth or amplification is what collapses the wave function.
The key feature of an observer is amplification. If one atom can change electronic state, and the only possible result of that change is another atom changes electronic state then the result is a wave function in a superposition of states. If that second atom consequently emits a photon into a photomultiplier, the photomultiplier amplifies the difference between possible states and collapses the wave function.
Tiny parts often have a warning in the data sheet. The packaging is so thin that light can get through, turning diodes and transistors into photodiodes and phototransistors. You do not normally see this in action because of EMC shielding or the box that the device comes in.
The size of a resource is usually estimated as some multiple of the reserve, and the size of the reserve is set by the market. If a new use for helium is discovered, more will be trapped from oil wells, the reserve will increase, and we will have two or three decades of the resource again.
I found more information here. As I became a penguin last millennium, I could easily have misunderstood some of the things I read about Windows for Pi.
If I understand what I read there and elsewhere correctly, a Windows Pi is not a developer's computer. A developer works on some other computer, creates a Windows Pi executable and transfers it to a Pi to run. When the target is a 300MHz MIPS, OK. When the target is a single core 700MHz ARMv6, and the application is big, then OK, but for 4x900MHz ARMv7: Why?
I think I found a why. If I understood correctly, Windows has some alternative to NFS with some weird authentication protocol that only Windows understands (excuse: I am a penguin, so really do not know what the Microsofties were talking about). Now you can connect to this stuff with a $35 pi instead of the $299 box Microsoft needed to run their software.
The only really consistent thing I have seen about Windows for Pi is that Microsoft will make an announcement real soon now. I get the impression Marketing do not know anything yet and Microsoft's techies found out about the project from The Register.
Last time I saw Microsoft's numbers, Microsoft scored 52/year (patch Tuesday) and the Linux numbers included every package multiplied by the number of distributions. I admit that was a long time ago and things have changed - these days Microsoft do not update every Tuesday.
Abiword on Pi.1 worked, but you could see the screen updates. It was tolerable for trivial work, but I used something bigger unless someone else was using it. Abiword and LibreOffice have been running fine on my 4 core 1GHz ARMv7 box since early 2012 (triple the cost of a Pi). For the vast majority of office work, this is fine. The NIC is '1GHz', but ⅓GHz would be more honest when you look at the memory bandwidth. It is attached to a 100MHz switch. It was using an SSD connected by USB until the eSATA cable arrived. Lack of 100MHz network and lack of SATA are not noticeable issues for office work or for a ripped DVD client / server. On a good day, two users can watch 1080p over a 100MHz net.
Linux users have been able to set up an 'austerity computer' for years. Sometimes they are even for sale directly to computer somewhat-literates. In the past, such computers vanished half way through an exhibition and an underpowered windows box appeared a couple of months later for twice the price.
I have no idea what hardware Windows 10 + MS Office really requires but I would expect a Pi.2 to be a perfectly capable Libreoffice box. I have had problems using a Pi.1 as a print server, and would make sure I had a plan B before trying a Pi.2 as a print server.
Back in the day, I could compile for i386, i386+i387, i486(dx), i486sx, i487, Pentium, Pentium MMX and the AMD/VIA variations. I could also compile for any subset of them at the cost of reducing performance. Debian has ports for two variations to keep the size of the repositories sane. (Gentoo supports your exact hardware by downloading the source code and compiling it). ARM is just about to leave a period of diversity that used to afflict x86. Debian has two ARM ports: armel (much older hardware than Pi1) or armhf (a little too modern for Pi1). Raspbian (a Debian port specifically for Pi1) is needed to get reasonable performance out of an old Pi. A Pi2 should be able to use the standard armhf port without a significant performance loss.
ARM SoCs have something resembling a BIOS: an on-chip ROM that can just about read a boot loader from SDHC or SATA or whatever device exists. At this point, things get unpleasant. Each ROM works differently, and the documentation is usually secret, missing, non-existent, badly translated and full of errors. Where there is a standard, it is often outright hostile to prevent you from installing Linux on a landfill RT tablet. The fix is called Das U-Boot. If there is a branch for your SoC, Das U-Boot can be compiled and installed on flash where and how your particular boot ROM expects it.
The next disaster is that every SoC has a different mix of on chip components, and usually far more than can access the outside world because there are not enough pins on the chip. The actual hardware available depends on what version of the PCB the SoC is soldered onto. On modern x86 systems, most devices can be found from their PCI id, or by hoping the BIOS will tell you (gray beards can regale you with tales of ISA and plug 'n pray). On ARM, you can create flattened device trees (lists of available hardware) when you compile the kernel.
Getting an ARM to boot requires partitioning some flash device the way the boot ROM expects, installing the correct branch of U-Boot where the ROM expects it, and pointing U-Boot at the right FDT and your distribution's partition. The kernel itself can be the standard one from your distribution.
The current system may be vile, but it could easily be worse. When BIOS was the 'standard', some manufacturers implemented it so badly that the Linux BIOS project was created to replace it (that project suffered from all the horrors we currently see with ARM). There are standard boot sequences for ARM, usually designed to lock you into Chrome, RT, Android, Winphone or whatever you want to replace the day you get the device.
The real solution is the same as it has always been: research the install process and state of hardware support before you make a purchase decision.
If you do not decrypt an encrypted file when the police tell you to, you get five years in prison. A paedo or terrorist would get far worse if they did. The fun comes when you email a file full of random numbers to Theresa May called 'plans_for_wmd.txt.gpg'. How is she going to decrypt it?
Same for the house of commons.
I tried your credibility link to a blog written by Anonymous ExNokian. AXN has convinced me that TA is being honest. The link complains about three graphs, and has a link promising to tell me what is wrong with the first graph and probably has similar links to the next two graphs, but I never got that far.
The first graph illustrates Elop's promise to convert Nokia's smart phone customers into Winphone customers. TA says his graph is a tidied up version of one from slashgear. AXN points out that TA missed out 'not a prediction' from slashgear's graph, and changed the vertical axis from net sales mix to revenue mix. Both are careless/naughty mistakes, but both graphs clearly represent Elop's promise to convert all of Nokia's smart phone customers into Winphone customers. TA and AXN both have graphs for what really happened.
AXN's graph shows the proportion of smart and dumb phones sold by Nokia. It looks a lot like the original 'not a prediction' graph, and makes it look like the 'not a prediction' graph was an accurate prediction.
TA's graph includes a white region at the top that grows with time. The area represents Nokia's smart customers buying Android/iOS. Elop retained 3 out of 20 smart phone customers.
AXN's graph is at best completely useless for checking Elop's promise to convert all of Nokia's smart phone customers into Winphone customers. What you need is something like TA's graph. Of course AXN disagrees with TA's numbers, and promises to explain in a link to another of his posts. I got part of the way through that, and found more rants, and promises to substantiate them in other articles.
Where AXN does have numbers, they are numbers shipped, not numbers sold and they are often for only one region and not the whole world. Personally, I disagree with TA's assumption that the difference between 'units shipped' and 'units activated' represents unsold Lumias in boxes with the retailers. I always thought Lumias were shipped out, shipped back and shipped to the region where Microsoft wanted to quote a large number of units shipped (opinion - no evidence).
I would agree that TA rabidly despises Elop, and by association, does not like Microsoft at all. Where did this hatred come from? TA makes it quite clear that he is unhappy about Nokia's loss of profits, loss of unit sales and loss of market share, all of which happened while Elop was in charge. TA places almost all of the blame on Elop (Ballmer gets some blame too). Given TA's feelings on the matter, I can understand why you might question his figures, and conclusions, but if you want to discredit TA, AXN is the wrong choice.
... the most profitable thing to do is to ask for a year's extension and a 10% budget increase every year.
Now the government know where they stand, the only question is to decide if they want havoc now for ten billion, or in three years time for thirteen because it is certain the software will not be ready 'real soon now'.
... where it can be publicly debunked. The only reason to suppress would be if it were all true. Are they talking about MP's expenses?
It used to stand for redundant array of inexpensive disks. The first one was made out of drives that were so far out of warranty that they were expected to fail. The idea is that redundancy allows the use of cheap drives. If you have done your calculations correctly, and can tolerate the drop in performance when a drive is replaced, then the cheapest disks could be the right answer for you.
The manufacturers preferred RAID to stand for redundant array of independent disks, and charged extra for drives 'designed' for RAID. For some use cases, that is the right solution.
Blackblaze mentioned their disks experience vibration. My own 3TB Seagates rest on the foam they came with, and none have failed yet (doesn't matter if they do, as I can live with the down time of a restore from backup). If Blackblaze kept their disks like mine they would need a much bigger data centre. Replacing cheap drives killed by vibration could be cheaper for them.
I am sorry I thought Reg readers were smart enough to recognise a clear example of Microsoft being able to correct an unpopular decision before the next major release. In future I will try to dumb things down for you.
If Windows 10 is a flop it will not be a disaster for Microsoft, and they will not have to wait two years to do something about it. Someone will sell a start button, and Microsoft will include one in version 10.1
I always thought a new version of Windows was a disaster for manufacturers and distributors. Customers delay replacing equipment until other people have got the new version working.
I am not entirely convinced that Android phones and Chromebooks require technical expertise. I would like to throw my TV and satnav into the same category. The router has an excellent user interface with well written documentation. I have not tested to see if a computer illiterate person can set one up, but somehow lots of people have got online. They cannot all be technical experts, and I doubt that many are using Windows based routers. (Is there such a beast?)
There is plenty of room for debate about the amount of required technical knowledge for Pi's. Mine are video/music/backup server/clients. Usage is trivial - as tested by computer illiterates. Setting them up required some technical knowledge back when they were new. Millions of Pi's are used as video servers, so the barrier to entry cannot be that high any more.
Turning the first Chromebooks into Debianbooks used to require an experienced techy, but these days it can be done by a reviewer working for The Register. The 'Desktop' at home is a SolidRun Cubox-i running Debian. This was as easy to set up as a Pi, and is used by non-techies.
There was a time when Linux knowledge was rare among techies. Now lack of Linux knowledge is rare among techies. Microsoft has publicly admitted the trend: Linux on Azure and Office for Android. Microsoft has enough cash to subsidise Windows for years. One day they are going to pass the maintenance costs onto their dwindling user base. On that day will you be locked in to Microsoft software, or will you be a penguin?
IAVO. So old in fact that I pre-date software patents. Back in that stone age programmers could profit from their software without any 'protection' from the patent mob. If someone wrote something equivalent to your software, by the time they got it to market you would have version 2 ready.
Later when the patent office started accepting patents for 'computer implemented inventions', some companies had sufficient stupidity to patent their software. Patents take years and money to obtain, then even more years to sue someone into paying a license fee. The companies that focused on patents rather than products went bankrupt and sold their portfolios for a pittance to trolls. The trolls had a horrible time monetizing their patents until they stopped aiming at programmers and hit the merchant bankers instead. The breakthrough 'invention' was pastel bars on graphs to guide the reader's eyes from the scales to the wiggly line. The bankers caved in without a fight and gave the trolls the money they needed to file enough nuisance litigation to get regular pay days.
The idea of patents was to reward inventors for publishing their invention with a 'time limited' (20 year!) monopoly. Nobody reads patents anymore - unless they get sued. In part that is to avoid triple damages for knowingly infringing. The other reason is that the vast majority of patents would be obvious to a crushed worm if they were not written in obfuscated patent language. Now that inventors do not read patents if they can possibly avoid it, the value of publication has gone, and the monopoly reward should vanish with it.
Although setting fire to patent lawyers sounds very gratifying, I would rather just fine them for racketeering.
The website mentions working on an inductive charging pad, wireless image transfer and wifi, so you can get the number of cables out of the mouse down to zero - at the cost of finding out what happens to your hand if you keep it right on top of all those RF emissions all day.
The other option would be to bolt the computer to the monitor and use a bluetooth mouse. People have held bluetooth devices to their heads for years without obvious problems and with mouse separate from the computer you can plug in lots of USB things without having to move the mouse through a tangle of cables. Also, when someone puts the mouse in their coffee, replacing the mouse is going to be cheaper than replacing the computer.
I do not see a use case that cannot be handled better by one of the many existing small cheap computers.
someonelesesbox has a misconfigured ssh server. Take a look in /etc/ssh/sshd_config for:
and change it to:
If you need root access on a remote machine, log in as an ordinary user, then use su. Reading the whole of man sshd_config would be a good idea too.
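An added check for the sshd_config settings discussed here and in the earlier post about the ssh malware (example code, not from the original comments): it reads a config file the way sshd does and flags password logins and direct root login. The function names and the two sample configs are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original posts: audit an sshd_config for the two
# settings the posts call out (password logins and direct root login). The
# function names and the sample configs below are constructed for this demo.

# Print a keyword's value the way sshd reads it: comments stripped, keyword
# case-insensitive, first occurrence wins. (Assumption: no Match blocks.)
sshd_setting() {
    sed -e 's/#.*//' "$1" | awk -v key="$2" '
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Report weak settings in the file given as $1. Returns 0 when nothing was
# found, 1 otherwise, so it can drive a cron job or a config test.
audit_sshd_config() {
    cfg="$1"
    problems=0
    pa=$(sshd_setting "$cfg" PasswordAuthentication)
    prl=$(sshd_setting "$cfg" PermitRootLogin)
    # sshd's compiled-in default is PasswordAuthentication yes, so an absent
    # line is just as weak as an explicit "yes".
    if [ -z "$pa" ] || [ "$pa" = "yes" ]; then
        echo "$cfg: PasswordAuthentication is ${pa:-unset (default yes)}; set 'no' and use keys"
        problems=$((problems + 1))
    fi
    if [ "$prl" = "yes" ]; then
        echo "$cfg: PermitRootLogin yes; set 'no' and use su from an ordinary account"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Write two constructed sample configs into a temp dir and print its path.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample: the setup the post describes as an open door
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$dir/hard.conf" <<'EOF'
# constructed sample: key-only login, root reached via su
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
    echo "$dir"
}

# Stand-alone run: audit both samples and show the findings.
demo_dir=$(write_sample_configs)
audit_sshd_config "$demo_dir/weak.conf" || echo "weak.conf: FAIL"
audit_sshd_config "$demo_dir/hard.conf" && echo "hard.conf: OK"
rm -r "$demo_dir"
```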
Noddy's guide to shell scripts:
People who do not know any better start bash scripts with:
A better choice is:
#! /bin/bash -e
The -e means exit if any command exits with non-zero status. Now when something goes wrong, the shell script will not plough on regardless doing stupid things because of the earlier failure. There is also some chance that the last text sent to stderr will contain something useful to diagnose the fault. With the -e switch, today's disaster can be caught with:
[ -n "$VARIABLE" ]
A better choice would be:
if [ -z "$VARIABLE" ]; then
    echo >&2 "$0: Environment variable VARIABLE is empty"
    exit 1
fi
Finally, if you do not know how bash will expand something, ask it with echo:
echo $(type -p rm) -rf ~
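The guide's three points applied to one script, as an added example that is not part of the original post: -e and -u so the script stops at the first failure or unset name, an explicit check on the variable naming a directory before anything destructive runs, and an echo-style dry run to see the command after expansion. clean_build_dir and its --dry-run flag are names made up for this demo.

```shell
#!/bin/sh
# Added example, not from the original post. It applies the guide's advice:
# -e and -u so the script stops at the first failure or unset name, an explicit
# check on the variable that names a directory before anything destructive
# runs, and an echo-style dry run to see the command after expansion.
# clean_build_dir and --dry-run are names made up for this demo.
set -eu

# Delete the contents (not the directory itself) of the build directory given
# as $1. Returns 2 without touching anything if the argument is empty, is / or
# $HOME, or is not a directory. A second argument of --dry-run prints the
# command that would run instead of running it.
clean_build_dir() {
    dir="${1:-}"
    if [ -z "$dir" ]; then
        echo >&2 "$0: build directory is empty or unset; refusing to clean"
        return 2
    fi
    # A variable that expands to "" turns rm -rf "$dir"/* into rm -rf /*;
    # guard the obvious catastrophic values with and without a trailing slash.
    case "$dir" in
        /|//|"${HOME:-}"|"${HOME:-}"/)
            echo >&2 "$0: refusing to clean '$dir'"
            return 2 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo >&2 "$0: '$dir' is not a directory"
        return 2
    fi
    if [ "${2:-}" = "--dry-run" ]; then
        # Same trick as the post's echo $(type -p rm): show the expansion only
        echo find "$dir" -mindepth 1 -delete
        return 0
    fi
    find "$dir" -mindepth 1 -delete
}

# Stand-alone demo with a scratch directory constructed here.
demo() {
    scratch=$(mktemp -d)
    touch "$scratch/obj.o" "$scratch/core"
    clean_build_dir "$scratch" --dry-run
    clean_build_dir "$scratch"
    ls -A "$scratch" | wc -l          # 0: contents gone, directory kept
    clean_build_dir "" || echo "empty argument rejected with status $?"
    rmdir "$scratch"
}
demo
```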
Science has nothing to do with being balanced. In science, the test of truth is an experiment. If someone claims a particular genetically modified plant is poisonous, and someone else claims it isn't, then it is time to get a flock of rats, put the genetically modified plant in the food of half of them, and the unmodified plant in the food of the others. After a couple of generations, the experiment will show if the modified plant is more poisonous... to rats. After the experiment, at least one side is proved wrong, and a balance or consensus view is for people who cannot face reality.
I would not expect one scientist to know absolutely everything, but I would expect one scientist to be able to find another scientist who does understand whatever issue politicians want advice about. I would also expect that a competent scientist can tell the difference between a scientist and a trick cyclist far more easily than the average politician.
Back in the stone age, Microsoft ran adverts that 'proved' Windows was more secure than Linux. The proof was to go through all the software in all the Linux distributions, and add up all the security patches in a year. The number was huge in part because it included types of software that Microsoft did not sell, multiple forks of the same software, multiple pieces of software that did the same things and all multiplied by the number of distributions. The 'equivalent' number for Windows was 52.
Decide for yourself:
A) I like patches to be delayed so they arrive on a known day of the week.
B) I like patches as soon as they are ready.
CHAP came back before lunch, but the DHCP server wasn't talking to me. DHCP got fixed during lunch, and I could ping the gateway, but nothing beyond. Full service was restored some time before I posted this.
I was suspicious of similar claims about solar powered transport, until I did the maths myself. Half the area of my home in the south of the UK would be sufficient to charge an electric car for my rather modest personal transport needs (I would have to cover the whole house and garden to transport everyone living here). The cost of the panels and regular replacement costs of the batteries make fossil fuels cheaper, but solar panels and batteries are getting cheaper.
Algae are much more efficient than land plants. I do not have all the numbers required to calculate the costs, but if I find them, it is worth doing the calculation. At a guess, it might work out in places with cheap land and plenty of sunshine, but I think the technology would have to mature before it could be cost effective where I live.
Last time I looked, the total human food supply was more than enough to feed everyone but there are still people starving, and poor people with crops they cannot sell locally because of over supply. Take away our advanced transport infrastructure, and we too can enjoy years of plenty and years of famine.
There were cgi-scripts written in bash. The most obvious one converted man pages to html. Doing a Google search for almost any unix command would give a list of servers hosting man-pages and half of them would be using bash. The barrier to entry (knowledge of bash and cgi) was so low that there were thousands of people playing with it. IIRC within two days over 44000 different attack scripts had been detected - and that is just the people foolish enough to leave a trail across the internet. What is more, http was not the only service using bash in an exploitable manner.
AFAIK, there are nothing like the number of target machines for this Windows/telnet exploit. I would hope that the majority of people able to enable telnet on a Windows machine know why it is a bad idea, would only enable it as a last resort, would prevent access to it from the internet and not advertise the service so it could be found with a simple web search. Even then, it looks like exploiting the vulnerability requires considerably more than a noddy-level understanding of bash and cgi.
Many penguinistas used to think that it was safe to allow remote execution of a carefully written bash script. No-one with a clue ever trusted telnet - which is why I found the idea of a security patch for it so surprising.
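The trail those attack scripts left is visible in ordinary web-server access logs; as an added example (not from the original post), a small log check that flags request lines carrying the bash function-definition marker. The log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original post: flag web-server access-log lines
# whose user-agent or referer field carries the bash function-definition
# marker "() {" that the CGI attack scripts of 2014 sent. Log lines below are
# constructed for the illustration, not real traffic.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/man2html?ls HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/man2html HTTP/1.1" 200 812 "-" "() { :; }; echo scanned"
198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo scanned" "Wget/1.15"
EOF

# Print every line containing the marker. grep -F matches the pattern
# literally, so "(" and "{" are not treated as regex syntax.
shellshock_hits() {
    grep -F '() {' "$1"
}

# Count the distinct source addresses that sent such requests; the address
# is the first space-separated field of the combined log format.
shellshock_sources() {
    shellshock_hits "$1" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}
```

Run against a real access log the two functions give the flagged lines and the number of distinct hosts behind them, which is the figure worth putting in an incident note.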
I thought the purpose of telnet was remote code execution, with the option to send unencrypted passwords to local network sniffers. I use it to talk to embedded systems too dumb for dropbear (trimmed ssh) over a dedicated network cable. The idea that telnet could be secured or required a security patch seemed strange, so I tried looking up the vulnerability. Microsoft's knowledge base tells me 'server error in / application'.
Can anyone explain what is going on?
"The Netlist-filed document argues that SanDisk must obey the injunction because the storage biz has been actively selling ULLtraDIMM technology since April 2014 while knowing Netlist was taking Diablo to court"
Being taken to court has nothing to do with being found guilty. The rulings from patent litigation are fairly random (but the lawyers always win). If this goes to appeal, the results of the appeal will be equally unpredictable, so by Netlist's logic, if there are grounds for appeal then the injunction should be cancelled because Netlist knows the bickering can continue for another decade.
This was tried years ago by a US politician famous for adapting Arthur Scargill's speeches. The result was some steganography software that disguised encrypted messages as text in the style of Arthur Scargill's speeches. (web searches are not giving me relevant links, so I might have misremembered whose speeches were copied.)
"The first duty of any government is to keep our country and our people safe."
The biggest danger to any government is not a guy in the desert with an AK47. It is a citizen with a vote. An AK47 with no ammo is reasonably safe. To make a person safe, a government has to take away his vote. The government can already do this in four easy steps.
1) Take the voter's computer.
2) Pick some files, and claim they contain steganographically hidden encrypted data.
3) Require the person to decrypt the files.
4) Send the voter to prison for being unable to decrypt a file that did not contain steganographically hidden encrypted data.
Prisoners do not get to vote. If you want to keep your right to vote, go through every picture, video and document you ever created, and replace them with new versions that have the following steganographically hidden encrypted text:
Cameron double plus good duckspeaker. Love big brother. Joycamp unneeded.
Some have thinner power wires that are OK for connecting to a powered hub, but have too much resistance to spin a disk.
I recommend an RFC proposing a new SMTP response:
rejected: excessive legal boilerplate
Recognising legal junk should be easy for a spam filter.
The excuse/justification for the law is to catch paedophiles and terrorists. You do not have to provide your password - you can just spend 5 years in prison instead. Of course, 5 years is less than a likely sentence for paedophiles or terrorists.
If you need to take Snowden2 data abroad, do not carry it with you. Encrypt it, put it on the net, travel, download, re-encrypt with a new key and shred all your copies of the old key.
...get a raspberry π.
You can defend a much bigger budget with a high FPR.
1) A guy with a gun in Afghanistan.
2) A commentard in the UK.