Bite the hand that feeds you
As much as these vendors don't like what MS is doing, their entire business model is also 100% dependent on MS and would not exist without them.
572 posts • joined 12 Mar 2007
"His hacking did not uncover serious security bugs but it would let fellow hackers on the same network as the coffee machine to mess with its firmware without requiring authentication"
Personally I'd consider the ability to push new firmware to a device without authentication to be an extremely serious security bug... Your new firmware could do *anything*.
We'll just end up with iOS...
Part of the problem is that of having a single monolithic system doing many different tasks... Some it does well, some it does very badly, so you end up doing all of them in one place out of convenience.
A more modular system would work better, where you choose the individual components that suit your own individual requirements
The ActiveSync protocol was created by Microsoft and it's they that demand a licence fee for its use; if they were truly concerned about open access they could open up their existing protocol.
Similarly they could support existing open protocols for the various types of data (CalDAV, CardDAV, IMAP etc.) instead of creating their own new protocols that do the same thing. By doing the latter they can create an impression of openness, while actually ensuring that competing clients will take time to catch up.
As more companies fight over profitable cities, the amount of money being put towards decent internet access in smaller towns and villages will decrease...
Chances are your ISP allocates a WAN address (/128) for the router itself, and should delegate a prefix (typically /64 but might be bigger) for your own use... If your router doesn't support prefix delegation properly then you might have to configure it manually.
That's precisely how pretty much every ISP that has implemented v6 has done it:
1. Although every device behind it has a routable address, inbound connections are blocked by default; you can enable them if you want.
2. No ISP is v6-only; they are all dual-stack for now. If your client devices support v6 they will use it by default, otherwise they will fall back to v4. It will usually be transparent, and sites that use v6 will be accessed that way without you even realising.
3. In some cases your v4 is NATed by the ISP and not just by your own router, so you can't control port forwards etc... The only way to allow any inbound connectivity is via v6, which you control.
4. Most systems support IPv6 privacy addressing, whereby the clients will generate random addresses within your own local (/64, huge) range for making outbound connections. As far as the remote end is concerned a /64 is equivalent to a single IPv4 address: one network that might contain any number of devices, and advertisers etc. will use other means (cookies, browser fingerprinting etc.) to try and identify unique users or devices, just like they do now.
With v6 you're no worse off; you're better off.
Nothing about v6 prevents you from retaining control of your own gateway, it just gives you extra options if you choose to use them, makes certain things easier if you choose to do them and makes certain undesirable things (like people scanning your range) more difficult.
There is no downside to v6, and plenty of upsides. Just because you choose to ignore the benefits of v6, doesn't mean you should hold other people back out of spite.
NAT was in use at endpoints, but not really at ISPs... One IP usually correlated to one customer.
Now widespread NAT at ISPs, as well as dynamic addressing, makes it much harder to block abusive users by IP... Spammers know this too, and will release/renew or redial a PPP connection to get a fresh IP.
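The point made in the v6 posts above, that a /64 is the remote end's equivalent of a single IPv4 address, and the point here about blocking abusive users by IP, both come down to choosing the right unit to count on. This is an added example, not code from the original posts: it aggregates constructed log client addresses per /64 for IPv6 and per address for IPv4; the /64 cutoff is an assumption and an ISP that delegates a /56 or /48 per customer may warrant a shorter prefix.

```python
import ipaddress
from collections import Counter

# Constructed sample of client addresses from an access log (not from the original posts):
# three privacy-extension addresses rotating inside one delegated /64, one host in a
# different /64, and an IPv4 client that appears twice.
SAMPLE_CLIENTS = [
    "2001:db8:1:2:a1b2:c3d4:e5f6:1",
    "2001:db8:1:2:1234:5678:9abc:def0",
    "2001:db8:1:2:feed:beef:cafe:42",
    "2001:db8:9:9::1",
    "203.0.113.7",
    "203.0.113.7",
]


def client_key(addr, v6_prefix=64):
    """Return the unit to count or block on.

    For IPv6 that is the whole /64 (privacy addressing rotates the low 64 bits,
    so a single address says nothing about identity); for IPv4 it is the address
    itself. v6_prefix=64 is an assumption: a customer holding a delegated /56 or
    /48 can move between many /64s, so abuse handling may need a shorter prefix.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))
    return str(ip)


def count_by_client(addrs, v6_prefix=64):
    """Count hits per client unit (a /64 for v6, an address for v4)."""
    return dict(Counter(client_key(a, v6_prefix) for a in addrs))


def over_threshold(addrs, limit, v6_prefix=64):
    """Client units with more than `limit` hits: candidates for rate limiting or a block."""
    return sorted(k for k, n in count_by_client(addrs, v6_prefix).items() if n > limit)


if __name__ == "__main__":
    # Counting per individual v6 address treats the three rotating addresses as three
    # unrelated clients; counting per /64 sees one client with three hits.
    print(count_by_client(SAMPLE_CLIENTS, v6_prefix=128))
    print(count_by_client(SAMPLE_CLIENTS))
    print(over_threshold(SAMPLE_CLIENTS, limit=2))
```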
Most mass market ISPs try to bullshit their customers about outages, often they will make customers believe the problem is their equipment and have them reboot endlessly until the problem is resolved.
Personally I'd rather just be told there's an outage and how long they expect it to take to fix, but ISPs think that will make them look bad.
Linux doesn't use SHA512 directly, it uses a salted hashing algorithm which is based on SHA512...
See under "glibc notes"
NTLMv1 is no longer used as a network authentication scheme, but the underlying passwords are still stored using the NTLM hashing scheme.
Two different (although related) things.
The reason Microsoft can't change the hashing scheme as easily as Linux can is because the network authentication protocols are tied to the hashing method, so you would need to update all the clients too.
Microsoft existed because the hardware accounted for the vast majority of the cost, and the hardware it ran on was open and flexible. The software being closed and single-source was of little consequence because it was only a tiny fraction of the overall cost (and could always be obtained for free via piracy).
Contrast that with Acorn, Commodore, Apple and the various RISC vendors who provided superior hardware and superior software, often even at lower cost, but tied you into their whole platform with a single supplier and a much smaller range of models and price points.
Depends how hard it is to acquire admin privileges...
On most Windows-based networks, simply being on the LAN is enough to very quickly get admin credentials with a moderate level of skill and publicly available tools.
It's not the file that's the problem so much as the fact that 99% of users can be expected to use the same software to open the file, i.e. a monoculture... If you have an exploit for a vulnerability in that software you have a very high chance of success.
That's why monoculture software is almost always the primary target of malware... Think of all the browser exploits which targeted IE when it had over 90% of market share, and how most of these attacks moved to Flash, Java, Acrobat etc once the browser market became more diverse.
If they're dumping email boxes, and those email boxes contain spam and malware then in the interest of full disclosure they have to post it all... If they started removing malware then they've modified the content, what's to stop them making other modifications?
You cannot solve problems by killing people en masse. Making war even cheaper will certainly not help.
Oh but you can, you just need to do it thoroughly and brutally, i.e. the way things were done historically.
There would be no refugees fleeing if there were no refugees left.
No refugees would flee a warzone where they risk death to enter an enemy territory where they faced almost certain death at the hands of an organised military force.
Insurgents could not hide amongst civilian populations if the rulers were willing to systematically wipe out civilians until the insurgency stopped.
A lack of morals and a willingness to do whatever necessary is a significant advantage in any war.
And 20 opportunities to make sure that a fix for 1 bug doesn't introduce any new ones...
Because Puppet "Enterprise" is the version catering to users who don't want frequent updates.
You have the option of tracking the Puppet GitHub:
which seems to be updated very frequently
When you're doing frequent deployments, each change is relatively small and easy to test... Not only that, but no matter how much internal testing you do there's no substitute for actual user testing; bugs will always be found once the users get their hands on it.
But if you're doing small changes and regular deployments, those users will find the bugs while the developers are still very familiar with the recent changes which makes fixing things much easier.
If you infrequently deploy massive changes, then each change will quickly result in a large number of bugs, the developers may not have touched the affected areas for a long time, are likely to get overwhelmed by a sudden flood of bug reports and if the fixes take a long time to be pushed down users might get used to working around bugs instead of reporting them and having them fixed.
The poor passwords people use on systems are partly down to the regular change requirement... People simply won't remember a new random password every month, they will pick something that is easily remembered and/or write it down.
If you don't force them to constantly change their password, they only have one to remember and it becomes much easier to remember a single strong password than a new one every month.
The problem is that people are too unwilling to challenge what they've been told for years
Existing installs would continue running, but new installs could not be activated, security updates could not be installed, and some existing installs would declare themselves as pirated and stop working. It would still be a big mess.
Not only that, but successive versions of Windows and MS Office are so significantly different to previous ones that users have to get used to the differences anyway, and most such users will find it no more difficult to switch to a Mac or a modern Linux.
Having a permission system that tries to prevent the admin from accessing certain files is asinine, and only serves to create a false sense of security. If you can administer the system then you can access anything; if you restrict your level of access then you can't perform your task as admin and you're just a normal user with a limited ability to change specific settings.
Consider that the administrator needs to configure backups: how can the system be backed up if some files can't be read? And even if the running kernel won't let you read them, you can always read them from the backup storage.
Instead of adding extra pointless cruft, just accept that the system administrator has full access to the system, and behave accordingly. If you want data to be private from someone, then ensure it never exists in an unencrypted form on a machine accessible to anyone you don't trust.
Sell them to the enemy, you get to kill their pilots *and* drain their cash reserves!
Current versions of Windows, even the workstation versions, have SMB enabled by default and make it far too difficult to turn off, so yes, home users could well be affected too, as they're running an SMB service even if they don't realise it.
You missed installing an ad blocker in the list of ways to prevent such attacks...
The ad networks used by major sites push malware, and yet they still wonder why people run adblockers?
The fact that very few people are buying Windows Store apps isn't the point; the mere fact that a high-profile supplier like Microsoft accepts Bitcoin at all adds a lot of credibility to Bitcoin and encourages others to use it.
A car can't carry as much load as a 40-ton truck, but for most people's journeys a car with its inferior load-carrying capacity is both cheaper and more convenient.
It all depends on what your needs are.
And in what way are your friends and family qualified to judge your ability? People who know nothing about a subject will be impressed by someone who knows only a little more about it than they do.
Your skills sound like you could do low level desktop support, which wouldn't pay very well...
That largely happened on the Amiga after Commodore went bust, and thus no faster models were coming out...
It also happened because the hardware was fixed, so you could program it directly instead of having to go through multiple performance-sapping abstraction layers.
Chances are they, like most places, implemented lockouts on an individual account basis. So because the attackers only ever tried one password per username, nothing was ever detected.
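The post above describes why per-account lockouts miss a spray of one password per username. As an added example that is not from the original post, this runs a per-account lockout count and a per-source distinct-username count over constructed sshd-style log lines; the thresholds and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd-style auth log lines (not from the original post).
# 198.51.100.5 tries one password against each of five accounts (a spray);
# 203.0.113.9 hammers a single account (classic brute force).
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[101]: Failed password for alice from 198.51.100.5 port 4001 ssh2
Jan 10 09:00:02 host sshd[102]: Failed password for bob from 198.51.100.5 port 4002 ssh2
Jan 10 09:00:03 host sshd[103]: Failed password for carol from 198.51.100.5 port 4003 ssh2
Jan 10 09:00:04 host sshd[104]: Failed password for invalid user dave from 198.51.100.5 port 4004 ssh2
Jan 10 09:00:05 host sshd[105]: Failed password for erin from 198.51.100.5 port 4005 ssh2
Jan 10 09:01:00 host sshd[106]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Jan 10 09:01:30 host sshd[107]: Failed password for alice from 203.0.113.9 port 5002 ssh2
Jan 10 09:01:45 host sshd[108]: Failed password for alice from 203.0.113.9 port 5003 ssh2
Jan 10 09:02:00 host sshd[109]: Accepted password for alice from 203.0.113.9 port 5004 ssh2
"""

# "invalid user" is inserted by sshd when the username does not exist; skip it.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_attempts(log_text):
    """Yield (username, source_ip) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def per_account_lockouts(log_text, threshold=3):
    """The usual control: accounts that reach `threshold` failures and would lock.

    Each sprayed account sees one failure, so the spray never trips this."""
    counts = defaultdict(int)
    for user, _src in failed_attempts(log_text):
        counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def spray_sources(log_text, min_distinct_users=4):
    """Sources that fail against many different accounts, however few attempts each."""
    users_by_src = defaultdict(set)
    for user, src in failed_attempts(log_text):
        users_by_src[src].add(user)
    return sorted(src for src, users in users_by_src.items()
                  if len(users) >= min_distinct_users)


if __name__ == "__main__":
    print("per-account lockouts:", per_account_lockouts(SAMPLE_LOG))  # only alice
    print("spray sources:", spray_sources(SAMPLE_LOG))                # 198.51.100.5
```

The brute-force source locks alice out as expected, while the spraying source is only visible when failures are counted per source across usernames.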
Perhaps the recently discovered backdoors will dent their sales going forward... I would certainly think twice about buying anything from them.
99% of the homes Virgin serve are also served by BT, the problem is for people in areas where there is neither option available.
Android phones can all do this in theory, it just isn't marketed or packaged in a way users can use it easily.
There's nothing to stop you running a full Linux desktop on any Android phone; indeed you can install Debian inside a chroot with 99% of the same desktop apps you'd have on an x86 system, including X11, VNC and RDP, so you could access other systems remotely for any apps which didn't run (or ran too slowly) on the handset itself.
Looking at the kernel config, it seems CONFIG_KEYS is turned on automatically by a bunch of other kernel options...
And how much of their kit will come preinstalled with backdoors?
I always found flipping robots to be boring, and once robots gained the ability to turn back over or run upside down a flipper becomes somewhat useless.
I preferred the robots which did serious damage, Hypnodisc being probably the best example. Makes for great TV, but obviously becomes expensive for competitors if their robots get completely destroyed.
The problem in infosec is it's all a game of compromise and risk management, and there are no guarantees.
If you hire someone to do a pentest, how in depth do you want them to go? And more importantly, how in depth are you willing to pay them to go? Most companies only want, or are only willing to pay for, your typical blind external pentest which basically says "given 2 days and only the IP of your website we couldn't get in through direct vulnerabilities on that IP"... It doesn't account for indirect attacks, or even just pure random luck etc.
Also just because a pentest was conducted at any level doesn't mean the client actually followed the recommendations... Quite often security compromises are made because of cost or lack of skills etc. Many networks are also not designed with security in mind, so significant improvements would require a massive (and costly) redesign.
And it sounds like this case talks about an incident response job, but again jobs like that are down to budget and scope... When I've done such jobs often the scope (and budget) has been limited to the systems known to be compromised, but that's not really enough as systems are usually interconnected and often managed from the same workstations etc. The outcome of most incident response jobs is usually that "your logging isn't good enough to really know what happened" and "we really should look at other systems but there isn't budget for it".
So Windows is "easy" and Linux is "hard" because users might want to delve into the command line?
Those same people who can't understand a command line are not going to work out how to make manual registry changes...
Great, as a pentester the domain is usually the first and easiest target to go for on any given network... All it takes is one vulnerable member system and you can almost always compromise the entire domain, and then every member system is owned. By putting everything in the domain you make it MUCH easier - far greater chance of finding the one vulnerable system you need, and much easier to access everything else (irrespective of how well hardened it is) once you have domain admin.
I don't know about Sky specifically, but the adult content filter on several mobile networks blocks more than just porn...
The one on EE seems to block "hacking" related sites, so I had to request that it be unblocked on my work phone (I work in network security and need to read about exploits and security flaws).
The one on Three seems to do some kind of SSL interception which downgrades SSL connections to using RC4 encryption (tested by connecting to Google both with and without the adult filter on), and this completely breaks any connections to hosts which don't support RC4 at all, so I had to turn this off just to access my email.
Because outsourcing is done inappropriately and/or badly...
Outsourcing is often promoted as the answer to everything, and there are potential economies of scale and improvements to be had by letting specialists handle what they're best at, while freeing them from having to deal with anything else.
For instance your company may run a couple of databases, but not enough to employ a full-time DBA; instead you have a general IT guy who also manages the databases. If outsourcing is done properly, you can ensure that a full-time, highly experienced DBA manages your database, and since your databases are quite small he can manage databases for several clients.
And this is fine if you're just using those ranges internally at a single organisation...
But what about when you try to merge organisations together, and/or use VPN links?
Our company VPN will often conflict with the address space being used on other networks.
Microsoft should be obliged because they actively encouraged their customers to get themselves locked in.
Sites which implement a complex password policy are usually acting too self important, and irritating their users...
If you guess my password for Wickes or whatever online retailer then so what? You can see my previous orders, you can't even place a new order. Why would I go to the effort of using a strong password for such a site?
Plus you have no idea how such a site stores your password; it might not be stored securely and could easily be leaked.
I always used to use a stupid and easily remembered (but probably not easy to guess) password for such sites where I didn't really care; only now that some have password policies I can no longer use it everywhere, and now I have different ones which I continuously forget.
Most companies have severe security problems, most corporate networks are horrendously insecure and basically an accident waiting to happen.
Yet companies do nothing about it, they bury their heads in the sand... They assume that because they have not yet become the subject of a high profile breach that they must be secure. Even when they do hire competent infosec people, those people are usually completely hamstrung.
The quote on yesterday's article was great:
"Complacency is the biggest enemy of security, just because things 'have always been done a certain way' doesn't mean it remains the most effective way. "
Most companies are complacent, they are happy to make the same stupid mistakes because "everyone else is doing it", they assume they are secure because they haven't been (that they're aware of) hacked yet but the reality is that they've just been lucky and/or aren't worth targeting.
The SSL checker indicates they are not PCI compliant purely because of their cert being SHA-1 signed, but many cert authorities still provide such certs for the time being, and there are plenty of old certs out there too.
As for other aspects of the standard, just requiring strong encryption isn't enough; you have to actually be using it properly. Encryption is pointless if the key is held on the same host, and the data can't be used if it can't be decrypted.
Many implementations comply with the standard by encrypting the data, but then provide a way to access it, therefore bypassing the encryption... Many of the people who assess PCI compliance are just box tickers and have no understanding of the actual technology, so if you store your data on an encrypted volume that's automounted at boot that will often be sufficient to pass, but in reality it has not improved your security at all because anyone who compromises the host will be able to access the data anyway.
Perhaps we don't "enjoy" driving in traffic, but many of us prefer it to other forms of transport...
Many people suffer from motion sickness, and generally (at least in my case) you don't feel sick when you're in control of the motion.
Even if I was rich enough to afford a chauffeur to drive me everywhere, I would still choose to drive for this reason... Although I would probably pay a chauffeur to act more like a valet and take care of the car when I'm not driving it.