976 posts • joined 23 Oct 2007
Fairly simple, the update doesn't overwrite the passwords database ;) The box pulls rather than being pushed to, so simple enough really.
Well, I say database. If you've ever rooted one you'll find it's actually an XML file containing all sorts of config.
BT's not a shining example though, they have services open by default (and potentially accessible by anyone on the internet) using HTTP basic auth. They also rather spectacularly fucked up with their 'different default wireless keys and passwords' a while back by using the router's serial for the wifi and neglecting to think about the fact the access point was helpfully broadcasting its serial number.
Re: web client sucks
It really brought home to me just how shite the web-client is when I needed to upload a disc image through the browser - special plugin needed for it. That in itself isn't great, but the bit that really did it for me was the plugin download being 80MB. A friggin 80MB browser plugin?
The web-interface sucks in general too. Thankfully don't have to use it too often
What an absolute shower of idiots.
If you're storing credentials, assume whatever #defences you have in place will be breached at some point and an attacker will walk off with your database.
Doesn't mean you shouldn't have other defences in place, but having other defences is never a suitable excuse for not doing your best to ensure those credentials can't be calculated if stolen - requiring strong passwords is just one part of that. Using a good hashing mechanism is another part.
Advising against re-use is more about protecting your users - if the worst does happen, it's one (hopefully irrelevant) account, rather than every account they have on every service.
I mean, if we're working on the assumption that our defences are good enough, why even bother using salted hashes? An attacker's never going to get to the database, so plaintext passwords are fine, just like they have been for years
I suspect how he got to that is that I assume the major UK ISPs control 80% of the market, so that causes an 80% drop with the block.
Sounds incredibly likely sadly.
Sounds to me like you're doing a poor job of assessing the risk, assuming you're making a loss because of the payouts....
Not that I disagree with your sentiments about Copyright infringement being wrong, but add me to the list of people who have a hard time gathering much sympathy for an insurer.
If I had to guess, based on the current 'porn' filtering in place. If your ISP's server receives a DNS query for TPB (for example) they'll make a note and you'll later receive an email. Only a guess mind, but it'd be cheaper/simpler for the ISPs to implement than going the DPI route.
Course, it'd be no proof that you'd actually visited the site, but not sure that'd stop them sending an email.
Opens up a new, much more legitimate phishing angle though. Once it becomes known that CCUK are sending email notifications, it'd become more believable if you received a notification with a link to pay your small 'fine'.
On the other hand, given the general ineptitude often shown by the media companies, most of their emails will probably only ever see the inside of a spambox anyway
Re: "Copyright infringement is theft, pure and simple"
"In the USA a person is guilty of theft if he dishonestly appropriates property belonging to another."
Except of course, we're not in the USA, so the US definition has no bearing on what a UK minister has said.......
"Theft is also commonly understood to mean "taking something that doesn't belong to you". A word can have more than one definition."
True, but if you're talking about the legality (or otherwise) of a behaviour or action, it's not unreasonable to expect that you use words based on their legal definition.
The Cambridge dictionary linked to above also defines 'rape' as "destruction of the natural world, often for profit", yet I'm not sure anyone would be happy with seeing an implication that someone behaving in that way should be treated as if they'd committed the sexual offence.
Re: Another solution
It's definitely not only men, either.
Nope, I've had my arse groped quite a few times without invitation, or even prior social interaction. Not recently though, must be getting old.....
In an environment dominated by women, they show a lot of the attitudes that men are criticised for, although the actual physical actions might be slightly different. IMO the reason it seems to be blokes misbehaving more often is probably more to do with the fact that there are still more male-dominated environments than the other way round, plus given social attitudes, a lot of blokes probably wouldn't say anything for fear of being seen as a whiner (see Matt Bryant's "well I would" comment above)
Re: This article's about the minority
I think it's a case of being tarred with the same brush, because the only faces you remember out of the sea of faces at a big conference are those of the twats.
It's still not right though, it's often characterised as being 'male IT workers' when really it's "a minority of IT workers who'd likely behave just as badly if they worked at McDonalds"
Re: Another solution
Not that alcohol can't/doesn't have an impact, but IME the assholes are assholes whether they've had a drink or not.
Blaming the booze is easy and doesn't address the actual issue. I can happily drink at events and not wander around groping anyone, so it's quite unlikely the booze is solely to blame.
"if people wouldn't drink they would get into alcohol-related trouble, full stop"
Well, yeah, obviously but the cunts will still be cunts. The only thing it would mean is they couldn't try and explain it away by blaming it on the alcohol.
Drink or not, groping a complete stranger is never acceptable.
Came across them when they first launched (one of my old bosses contributed some cash to their development IIRC). Played around a bit, but it was a bit *meh*, especially as it's hard to use social media when there's no-one else on there.
Came across them again when they got publicly hammered for an absolute shed-load of vulnerabilities (most stupid and easily avoidable AFAIR).
Had faded out of my memory until now though
Re: we need the public to become educated in the tools they are using and what can be installed
> I like to think of people who call other people muggles as "wankers".
Perhaps my tone was a little too dry, but before anyone points me to http://xkcd.com/1386/, it was a joke, perhaps a bad one, but a joke nonetheless
Re: we need the public to become educated in the tools they are using and what can be installed
Unlike El Reg and its commentards, not everybody devotes their whole life to being a tech expert. IMO, pins set by default would help those normal people.
Normal? Round here we call them muggles....
In all seriousness, just what is 'Normal'? Pins set by default will help with the current issue, but there are a fair number of other issues in general with your 'normal' people not giving two fucks about security. So that issue still needs to be addressed, which means those 'normal's need to start giving at least half-a-fuck and making the effort to understand some of the tech.
Knowing why it's a good idea to have a PIN set should absolutely never be the realm of 'tech expert's.
Whether a law is needed is doubtful. Better just have the manufacturers set the unique PIN by agreement.
Unique being the key there, if the default PIN is 1234 then we end up worse off than now (as most of those 'normal' users will leave the default).
I do actually agree with you, just resent your use of the word 'normal' (even though I am not, and never have been 'normal' and proudly so).
"This is another example of an incompetent retail CEO incapable of providing leadership and process to secure their organization. Just as the CEO must manage his staff and assets, the CEO is responsible for protecting the security of his network and his customers," said Philip Lieberman, president of security firm Lieberman Software.
Haven't read the background (only what's in the article) but had to re-read this block because the tone is pretty harsh from the get-go.
Don't get me wrong, I agree that holding the CEO ultimately responsible is potentially a good way to get companies to start paying proper attention to security, but I'm not sure firing him's the best way forward (unless there's some additional background I've missed, or you simply want to make an example so that other CEOs perk up).
Some unpleasant consequences, but retention of the job (this time) would surely be the better way forward. If you're going to teach someone a lesson, it's generally better for the business if you continue to employ them afterwards, than to kick them out and then ultimately replace them with someone who hasn't learnt that lesson first hand (though obviously it depends what they did wrong).
Maybe I'm just feeling overgenerous this morning?
Re: No long passwords
I set it up to generate a 20 printable character password. At least 60% of the sites I try this on will not allow it - too long, objectionable characters etc. Not that any of these tell you beforehand what the restrictions are. 16 character alphanumeric works on most sites but even that is rejected by some as too long.
Yup, but that's still better than the bastards that 'accept' it, silently truncate it down to their max length and leave you wondering why you can't log in.
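An added example of the two failure modes in this exchange, written for this page rather than taken from either commenter: a registration path that silently keeps only the first 16 characters, a login path that hashes the full string, and the resulting "why can't I log in" mismatch, next to the fix, which states every policy violation up front and never alters what gets hashed. The length limit, the disallowed character set and the fixed salt are constructed values for the demonstration.

```python
import hashlib
import hmac
from typing import List, Optional

MAX_LEN = 16                  # constructed: stands in for a site's undocumented cap
MIN_LEN = 12                  # constructed minimum
FORBIDDEN = set('<>"\'')      # constructed "objectionable characters" list


def policy_violations(password: str, max_len: int = MAX_LEN) -> List[str]:
    """Return every reason the password would be rejected, so the rules are visible
    before submission instead of being discovered after a failed login."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("contains disallowed characters: " + "".join(bad))
    return problems


def _kdf(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def register_silently_truncating(password: str, salt: bytes, max_len: int = MAX_LEN) -> bytes:
    """The anti-pattern: accept anything, quietly hash only the first max_len characters."""
    return _kdf(password[:max_len], salt)


def login(password: str, salt: bytes, stored: bytes) -> bool:
    """A login path that hashes exactly what the user typed (no matching truncation)."""
    return hmac.compare_digest(_kdf(password, salt), stored)


def register_strict(password: str, salt: bytes) -> Optional[bytes]:
    """The fix: reject with explicit reasons; whatever is accepted is hashed unmodified."""
    if policy_violations(password):
        return None
    return _kdf(password, salt)


def demo() -> dict:
    salt = b"constructed-salt"                  # fixed only so the demo is reproducible
    long_pw = "correct-horse-battery-staple!"   # 29 characters, over the 16 cap
    stored = register_silently_truncating(long_pw, salt)
    return {
        # The user set a 29-character password; login with that password fails.
        "truncated_register_then_full_login": login(long_pw, salt, stored),
        # Only the truncated prefix, which the user never chose, would have worked.
        "prefix_logs_in": login(long_pw[:MAX_LEN], salt, stored),
        "strict_rejects_long": register_strict(long_pw, salt) is None,
        "strict_reasons": policy_violations(long_pw),
        "strict_accepts_ok": register_strict("horse-battery-16", salt) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `policy_violations` returning a list rather than a single boolean is that the form can show all of the rules at once; the point of `register_strict` never touching the string is that whatever the user set is exactly what will verify later.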
Knowing coppers, there probably was no explicit threat, more a 'what do you think will happen to your two kids if you're doing 20+ years?'.
The publicly stated reason was poor coding standards in Reiser4. Whether that's the truth or not may be in question, but it's definitely not the same thing - if the kernel devs are lying, then it's different because Ebay are being honest. If it truly is the coding, then it's different because Ebay haven't blocked sales because his music is shit.
Definitely not the same thing....
Is it really metadata?
Is it really metadata, or is it actually the data (i.e. the log) that was used. Ever since various leaks, all I seem to see is the word metadata being used, even when it's not appropriate.
So did they use the logs, or did they provide some data about their source data (and if so why, given there was only one subject)?
Re: FUCK OFF
Did you RTFA or just the title?
The ICO having more funding and power is likely a good thing IMHO at it means they can chase the fuckers that don't take care with our data.
From a read of the title though, I thought it was going to be DRIP phase 2
Let alone the exchange of perl one-liners, clearly that mishmash of symbols must be a secret code, could $_ be code for 'the attack'.
If I was exchanging semi secret stuff in the clear, I'd use brainfuck just to mess with them
You need to make sure you email the author of one of the blogs too (link on the right hand side) asking when service will be restored:
Yup, Mr Boscovich was indeed included in the recipient list.
Have ignored the temptation to add a comment to either post though, generally companies are less willing to just cough up if they feel you've gone out of you way to publicise/publically deride the issue.
Don't send it directly. First contact your law firm (if you don't have one I recommend Dewey, Suem, and Howe) and have them send the bill as an attachment to an official letter.
When I send 'gimme-money' letters (not that it's that regular), I tend to give a 14 day period to resolve it before I bother the lawyers. Works for the most part (I've got a success rate of 98%, though I suspect MS will drag that down shortly), especially if I have the good sense to proof read and make sure I've not dropped a bollock somewhere in what I've written.
Slightly different if I was responding to a similar letter though, that'd always get looked over by a lawyer from the outset.
I figured I'd send MS an invoice for the time I've spent fixing the resulting issues, given that as a third party not covered/protected by my contract with NOIP, they've become the de-facto service provider and fucked everything up through sheer incompetence
"they've no idea about planning infrastructure to scale."
The existence / scalability of Azure (the world's second largest 'cloud' I believe) tends to disprove that.
Yes, because Azure has been so reliable. Size != reliability.
The fact that a worldwide outage was caused by MS forgetting to renew an SSL certificate, a week after a 5 day outage on one of their SQL components further reinforces the idea that big != reliable or good, especially when it comes to Azure.
And of course, we fall back to the current situation. If they're any good at planning things to scale, why ain't their DNS infrastructure coping eh?
Re: Let's clear it up...
Remember it's not No-ip hosting the content either.
" Despite numerous reports by the security community on No-IP domain abuse"
I find the structure of this sentence interesting, to me it reads as though it's talking about Papers and articles (reports on), and not reports to No-IP. Given they are just hosting DNS records, without a list of affected subdomains what precisely are they supposed to do?
Microsoft claimed some of the subdomains use MS protected marks,
That's the bit that really baffles me. A number of subdomains get set up infringing a mark and the judge hands the entire domain over? That's bat-shit insane.
And that's before anyone starts on the fact that No-ip serves DNS records not content. The malware could have got the same content just by going to an IP address, and never touching no-ip (though DNS obviously makes life much, much easier from the malware authors PoV :) ), which makes the decision all the more bat-shit crazy.
Doesn't Microsoft produce infrastructure frequently exploited by cybercriminals?
If one thing's clear, they've no idea about planning infrastructure to scale.
Leaving aside the rights and wrongs of being given custody of the DNS, how the fuck have they managed to take custody so that they can filter out the 'bad' but fail to make sure their servers will stand up to the load so the 'good' is unaffected?
Re: WTF is anyone still using PayPal for?
Not to mention that whilst you may not use Paypal, most other people do (and don't use other services). So if you don't accept Paypal you're artificially (and quite severely) limiting your own market.
I had to provide them with ID a while back because the amount I'd received passed a threshold. Normally they do an 'online check' but it seems that I don't exist, wherever it is that they check.
Re: Eggs and Baskets
What amazed me about so many commentards on Saturday morning was how many of them thought they were smart because they knew how to change DNS servers, but were still dumb enough only to point themselves at one DNS server.
And were 'smart' enough to change DNS servers, and tell everyone else it was a DNS issue, whilst completely failing to take note of the fact that changing DNS didn't help with accessing quite a lot of sites. There was a hell of a lot of the blind leading the blind on the net on Saturday
Re: Wasn't a DNS issue...
Yup, though as lots of people on social media were trying to be clever and tell others it was a DNS issue, I fully expect that if BT do cough to the root cause they'll blame DNS.
Was sat troubleshooting the loss of connectivity, and it looks like a couple of interfaces went down on a box near Telehouse based on comparison of traceroutes before and after. Possibly elsewhere too, but that's what we were seeing.
BT's DNS servers, inevitably, are the other side of that hop, so whilst there was an issue reaching BT's DNS, it wasn't _the_ issue.
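The before/after traceroute comparison described in this post, as an added example written for this page (not the commenter's own tooling): two captures are embedded as constructed sample output using RFC 5737 documentation addresses, the parser pulls the responding address (or a timeout) per hop, and the comparison reports the first hop where the later path stops matching the earlier one together with the last hop that still answered.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample traceroute output (documentation addresses only), standing in
# for captures taken before and during an outage. Hop 5 stops answering in AFTER.
BEFORE = """traceroute to 203.0.113.80 (203.0.113.80), 30 hops max, 60 byte packets
 1  router.lan (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1 (198.51.100.1)  9.1 ms  9.0 ms  9.3 ms
 3  198.51.100.17 (198.51.100.17)  10.2 ms  10.0 ms  10.5 ms
 4  198.51.100.33 (198.51.100.33)  11.8 ms  11.5 ms  11.9 ms
 5  203.0.113.1 (203.0.113.1)  12.4 ms  12.1 ms  12.6 ms
 6  203.0.113.80 (203.0.113.80)  13.0 ms  12.9 ms  13.1 ms
"""

AFTER = """traceroute to 203.0.113.80 (203.0.113.80), 30 hops max, 60 byte packets
 1  router.lan (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms
 2  198.51.100.1 (198.51.100.1)  9.2 ms  9.0 ms  9.4 ms
 3  198.51.100.17 (198.51.100.17)  10.1 ms  10.3 ms  10.4 ms
 4  198.51.100.33 (198.51.100.33)  11.7 ms  11.6 ms  11.8 ms
 5  * * *
 6  * * *
 7  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                 # "<hop>  <rest of line>"
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")     # "(a.b.c.d)" after the hostname


def parse_traceroute(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop_number, responding_address) pairs; address is None when the hop timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                           # header line, not a hop
        hop, rest = int(m.group(1)), m.group(2)
        addr = ADDR_RE.search(rest)
        hops.append((hop, addr.group(1) if addr else None))
    return hops


def first_divergence(before: str, after: str) -> Optional[dict]:
    """Walk the earlier path hop by hop and report where the later path first differs.
    Returns None when every hop seen before is still answering from the same address."""
    b = dict(parse_traceroute(before))
    a = dict(parse_traceroute(after))
    for hop in sorted(b):
        if a.get(hop) != b[hop]:
            return {
                "hop": hop,                    # first hop that changed or went silent
                "last_good": b.get(hop - 1),   # last hop still answering as before
                "was": b[hop],
                "now": a.get(hop),
            }
    return None


if __name__ == "__main__":
    print(first_divergence(BEFORE, AFTER))
```

A hop going silent only says the path breaks beyond the last good hop; a router that rate-limits or drops ICMP can look the same, so the comparison against a known-good capture from the same vantage point is what makes the missing hop meaningful rather than the silence on its own.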
Re: It would help an awful ****ing lot
Never thought I'd use this sentence - I'll give HSBC their dues on this one.
They phoned me recently and authenticated themselves rather than asking me to do the same.
There are still far too many bad practices that leave us exposed though. If verified by visa increases the likelihood that I'll be liable for a loss, they should damn well let me use special characters in my password *grumble*
Re: anonymized & agregate results
A great example being the NYC data that was released - Drivers for > 173 million trips identified from 'anonymised' NYC Cab data
Because in theory, they could identify an area that's likely to see an increase in demand and then build a mast nearby to give themselves a competitive edge (everyone else's masts being a bit further away). As well as capturing punters, they can rent some of that mast space to the other networks for a suitable price.
In reality, if that happens it's rare. At the moment the main focus seems to be on rolling out 4G in heavily populated areas rather than trying to eliminate blackspots (though as the former is potentially more profitable, you can't really blame them).
With tongue carefully in cheek, I'd also point out that having multiple companies, any one of which could be the owner of that brand new mast, probably (briefly) makes the network's life easier, as those wishing to complain of having headaches/illness from the radiation emitted by the (occasionally, not even turned on yet) mast will have to narrow down the owner before sending their emails.
Re: Just friend and unfriend
Yes, it'll also tell them to congratulate you every year for having been in the job for n years
Re: Who cost the taxpayer £6M?
6m does seem a bit high, but I guess there's some paranoia about letting him slip through the net, so plod have over-resourced.
Of course, even if Sweden suddenly say 'ah, new information, no case to answer', he's still going to be arrested as a bail jumper the second he strolls out into the rain. Pretty much bang to rights too
Re: My network...
> Ooo bitchy, that hurt, handbags at dawn.
Wasn't actually meant that way.....
> You said it yourself, by not blocking something, you are allowing it.
True, but you used the word 'condoning'. Allowing something through inaction is not the same as condoning it.
Re: My network...
@AC - He said rules not responsibility.
"If you block one thing and not another then it can be interpreted as you condoning the latter."
Only by someone ill-informed enough to believe it's possible to actually block everything you don't like.
It's up to admins what they allow on their network, and you can police certain things without being compelled to police everything, it's really not an all or nothing situation.
Re: Precise time?
As they were at Dartmouth college in New Hampshire, I'd guess the timezone would be UTC-5
Don't be ridiculous, there's nothing sexist about wanting to see some jiggling boobies!
Are the Diet Coke ads sexist? A group of women gawking at a well toned man? Sexual attraction is a base drive, and 'objectification' flies both ways. There's plenty of objectification going on in mags for women as well, is that sexist? I don't think so, though I'd say that it's sexist to claim it's OK for one gender to gawk and objectify but not the other..
Is gawking suitable behaviour in a professional environment? Not really, but calling it sexist is completely ignoring the fact that many women do the same thing.
Giving a bloke a task because you don't feel a woman would do it properly/correctly would be sexist, gawking is unwanted attention but it's not and never has been sexism (unless you want to argue that only gawking based on your own sexual preferences shows prejudice).
So no, there's nothing sexist about wanting to see some 'jiggling boobies', though ideally it shouldn't be happening in the workplace. But then, I've also worked at places where the hula-hooping itself would be considered inappropriate behaviour, so ymmv.
I suspect, as well, that many would have far more sympathy if one of the hula-hoopers had complained, it does come across as someone being offended on someone else's behalf and the link someone posted earlier regarding the rug does suggest that she was perhaps over sensitive at times. It doesn't automatically mean she's wrong in this case, of course, but we all get judged by our past actions, especially when something relevant pops up on the net.
As a man I find other men making stupid claims about this fictitious war on men totally embarrassing... please do shut up.
It's not entirely fictitious though, some feminists do seem to be seeking more than equality, take the campaign against lads mags for example.
That's not to say we shouldn't all be aiming for equality, but we can't blindly accept that everything labelled as 'for equality' will actually lead to it - there will always be those (male or female) who want a bit more, or who unknowingly apply their own prejudices.
For most of the history of humanity, women have been denied basic rights and it is time we let women have a voice
I completely agree, but what we shouldn't do is deny anyone the right to criticise what's being said. It's supposed to be a debate not a "oh we oppressed you, you'd better call the shots for a bit".
WRT the story, the Hula-hoop thing strikes me as a minor thing, but inappropriate if the guys were sat there just short of drooling.
Re: John Smith IQ of 0.19 Mattie explains his PoV.
... fail to realise a network engineer (or hacker) can sniff (it's a technical term, it actually means copy off the bits from the data stream for analysis, not the actual physical action of sniffing that your lack of education would lead you to believe it to be - wouldn't want you to be any more confused than you already are)
Sorry, but that made me chuckle.....
Of course, the rest of the argument is bollocks as having the ability to do something doesn't mean it's OK to actually do it, for any reason. Whilst packet capturing can be useful for diagnostics, that utility doesn't mean it's OK to sit and take captures from a core router just to see what nude selfies happen to fly by. It's possible, but also not OK to set up a port mirror, and run captures on the offchance they might capture an email that would prove your spouse was cheating.
Presumably it's OK for me to assault anyone who comes to my front-door because they might be thinking about robbing the house?
does the service provider (and any advertising bodies they pass your history to)
I suspect both bodies would argue that that happens with your consent (though some would disagree).
What customer wants to see only some games or sports during the year when they used to be able to watch it all. You now need to subscribe to at least 2, possibly 3 different providers to watch it all.
Sounds similar to the moan some of us were having when the paid networks started outbidding the BBC/ITV/C4 for sports (Cricket comes to mind).
Call me bitter if you want, but frankly Sky deserve a kicking for that one and I'm glad to see it happen - though I agree it's pretty poor for the consumer.
>If the youth had used his big chopper to spy on his cheating boyfriend in Nancy, then maybe it would be funny and clever.
>I have (had) the wonderful acquaintance with a friend of the family who when I pointed out that he was
> a down and out racist idiot (among his many other sterling qualities) rebutted with (after the shock of
> someone pointing this out to him) that I was being politically correct.
The fact that it's sometimes correct, doesn't render it impossible to be too politically correct.
Yes, we should be mindful of others, and shouldn't spread hate, but no one has a right not to be offended. Certainly no one has a right not to be offended on behalf of someone else.
As long as there's a distinction between an off-the-cuff remark and actually buying into real discrimination, there's no real harm - assuming we're not making those jokes to people who don't understand the distinction (yes, that was a 'think of the children').
I occasionally get called cripple, hop-along and various other things. It's all meant in good humour and it doesn't cause me any offence, other people it might. Frankly I'd rather have a rapport with someone than have them too busy worrying about saying the wrong thing.
Re: The other issue
IIRC CCTV is one of the exceptions to that right. Unless something has changed, you have no right to request access to the video that includes you.
The justification was a combination of two things, as I recall. One being the difficulty in locating the video, but the real killer was that the video would likely contain others and their 'personally identifiable information' (i.e. their image) would be being leaked to you.
Re: Serious question: why buy a new router?
> Would it do any good to be able to define alternate DNS servers; doesn't BT route all DNS requests to their own Mumsnet approved servers anyway?
You might be running your own DNS server on the LAN, no reason it couldn't use a VPN tunnel to go out and grab its DNS from elsewhere (exactly what I do).
If the Content Filters are enabled, then you get a lovely blue screen whenever you try and access any page - if you're using Off-Network (i.e. non BT) DNS servers (see this screenshot). Though in true BT style even that's only half implemented - if you use TCP instead of UDP for your DNS queries it all gets through fine (or did when I was testing).
If the filters are 'Deleted' - i.e. NOT just Off - then they don't tinker with your DNS (as far as I can tell) though I trust BT about as far as I can throw them, so I've tunnelled mine anyway.
Re: Serious question: why buy a new router?
Ok so your parents aren't likely to need to do this, but you did ask what it was missing
- Static routes (useful if you're running a VPN server)
- Custom DNS address via DHCP (as mentioned above)
It's also a bit stingy, in that it has NTP but won't seem to share the love with the LAN.
It lacks Wake on Lan and various other (small but useful) bits. For quite a while (couldn't tell you if it's been fixed without checking).
Yes, QoS could be handy too.
Are these features worth an extra £100? Probably not, though as they're all quite small and the HH has an 'Advanced' section, you could also ask whether they could just have included them instead.
I agree on putting down extra cash though, so mine's becom(ing) nothing more than an Internet Gateway, with a Pi taking over most of its duties.
The biggest issue I found with the HH though was that the Wifi was useless. At semi-regular intervals it just seemed to decide to discard all packets until you re-associated (tested on multiple devices). BT's response was that it must be something in my house causing interference, though strangely enough the AP on the Pi hasn't been exhibiting the same behaviour.
When mine turned on, I had to select a level from 'light, medium, strict' and then wait two hours to use the 'Off' option (can't make changes until it's updated itself). I then had to click 'Delete filter' to stop receiving a blue page telling me I was using an off-network DNS server.
So, unless I missed something (and I looked pretty closely), 100% of BT subscribers will activate the filter. What probably won't get reported is the percentage who then hit OFF as soon as they get a chance
So yeah, I had to opt in to opt out of opting in.
I also don't entirely trust BT not to fuck something up at some point, so most of my traffic (including DNS) is now routed over OpenVPN to a VPS that I wasn't making full use of before.
Re: Rats in a sack
Censoring everybody in case a few small-minded twats might pretend to be offended is an act of gormlessness on a colossal scale.
I'm offended by that, where's my 'Dear Mr MP' template........
The internet does not need any censorship.
I'm starting to think it needs some, we could do with some real world censorship/enforcement as well. Though the 'offensive' acts I'm thinking of are pretending the views of a tiny 'moral' minority are supported by the majority.
ISP level filtering should be an optional add on - as in Opt-In. Should also be a paid add-on so that the rest of us don't have to foot the bill. Not a big one for 'the market will decide', but if there are really that many people wanting it then the offerings would increase/improve.
If in fact nobody really wants it, the offerings will disappear through not being cost effective, at which point that minority will make a fuss, and we'll end up back in the current mess....... bollocks. Gave that less thought than an MP gives to the workings of the www.
Re: Heart Internet
That one surprised me too, but then I did kind of think - who in their right mind wouldn't change the root pass as soon as they have access to the box anyway?
Still going by the looks of things