Just tell Google - they will then tell MS and give them 90 day to fix before publishing it.
2007 posts • joined 15 Mar 2007
Re: Another scare tactic to charge more money
Did you miss out the joke icon by mistake?
Either that or you have no understanding of what the "32-bit" aspect of IPv4 addressing actually means and presume its a string of ASCII text somewhere.
The CBBC lot has produced some genuinely good programs in recent years, "Horrible Histories" and "Young Dracula" stand out just off the top of my head.
But all else on cable and broadcast has gotten shittier as more adverts are stuffed in, and more channels means less spent per channel on anything worthwhile.
So when you want to purchase something with only a crappy GPRS link available (or none at all), what then?
Re: If American cars suck, how about this one?
That report about Toyota's software is truly shocking - so many mistakes that are in the "just out of Uni and never worked on something serious" level and a corporate arrogance (or ignorance) that the system fails on so many of the safety guidelines in the automotive industry's own MISRA standards.
Unexploded ordnance I can understand, by all means stop people hoarding stuff that might go kaboom.
But removing the tank?
Re: vendor pools
I think the goal of NTP's guidelines is to stop a major supplier hard-coding "generic" pool servers in to their product, as correcting any problems later is a major problem.
So what they are asking is vendors create their own pool (maybe providing their own servers as well, but I don't know if they have to, as they could be aliases of other pool servers) so the hard-coded server addresses are unique to their product(s). That way any problems it can be throttled or blocked, etc, without impacting on anyone else.
As for software projects defaulting to the generic "pool" of NTP servers, I kind of feel they should not - that anyone choosing to install such software should be made to configure it. Of course, when such software is part of an OS or application, you are back to the vendor issue again and it should be pre-configured with the vendor's pool of server names.
Incidentally, in this day and age why are ISPs not providing NTP servers and offering the address via DHCP?
Re: Old Debian boxes had issues
You need a watchdog setup then.
We had no problems, other then an elderly solaris box that was out by a second for an hour or two. Our oldest Linux boxes are typically Ubuntu 10.04 on 2.6.32-74 kernel, and they had no problems.
I prefer my own suggestion - make the insertion and removal of a leap second very frequent, say once per week, but arranged so they correct on average for the amount we need.
That way software developers will be forced to test their own damn code and the problems will be found and fixed.
Re: All is not well, though
Interesting. But more disturbing is Lennart Poettering's attitude to all of this.
For a start, WTF is systemd doing controlling the time when ntpd has done so well over the years?
Secondly, his attitude is one of outstanding arrogance that (a) they are defaulting to Google's time servers that are not offered or guaranteed to work in the future, and not abiding by official NTP/UTC time keeping, and (b) he seems not to care that such defaults put in to systemd will most likely got used by others. If your defaults are not world-wide sane, DON'T PUT THEM IN AT ALL!
So basically having fixed and tested the systems that borked last time, this time it all just worked?
Who would have though that testing software could bring such enormous benefits?
Re: A very narrow, shallow and poor case for Windows retention
If you follow El Reg and have read other articles by Trevor Pott you would know he simply speaks his mind on what has worked for his business and that may, or may not, be a MS-based solution. He is certainly not a "pathetic shill" as you suggest.
Re: For Dog's sake shut up about w2k3 eol.
You may not care about w2k3, and certainly I don't care as I have not responsibility for w2k3 machines, but there is a lot of businesses out there that are about to get their backside's bitten.
Most of it is down to a lack of forward planning, and some of it is down to changes MS have made. You know, like no new 32-bit server machines supporting 16-bit code, or updated security practices that bork badly written older software (like some of MS' own code from around 2000...)
They have to do something: whether it is crossed fingers and more care in firewalls, or migrating some off the physical w2k3 machine and leaving the troublesome code on a VM, or even totally re-thinking what they do and why. So while it may be tedious to hear repeatedly, it is also with a good reason.
Re: Many VPN's suck for other reasons
Probably your best/most secure option is to have the VPN in your router and keep away from the oddity that is VMware's own network stuff.
Of course they do - they don't have problems with this by design.
Its only the ground based software that is implemented by folk who (a) don't know what they are doing, and (b) don't test things that cause problems.
Fsck'em - why not have leap seconds +/- every week and occasionally do two in the same direction on consecutive events? That way stuff will be tested and fixed because the code monkeys can't argue "oh it only happens one per 2 years or so".
Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?
Oh yes, this...
Re: "... Chromium, the open source sister of Chrome ..."
Chromium is the open-source part of the web browser project, and Chrome is Google's version with additional propitiatory stuff built-in (flash, other spyware).
That is what has kicked off the storm, that Google had modified the open source part to download a close-source (and pretty creepy) feature for voice recognition.
Re: @Ken Hagan
AFIK it has nothing to do with the license, but that MS never attempted to port the ntvdm to 64-bit.
Most likely for the same reason that 64-bit dosemu is different to 32-bit and that is down to the 64-bit mode of the CPU not having the VM86 instruction to make life easier.
However, as you say a VM will do for your remaining 32-bit Windows (provided you don't have hardware dependency).
Yes, DOSbox is also worth a turn but we had hardware I/O demands so it had to be dosemu.
dosemu also ships with a copy of freedos, though you can also use MS-DOS as well. You can configure the time keeping part to either follow the host time (so you get NTP accuracy, subject to the ~55ms tick of DOS time-keeping) or have it decoupled from the host which is handy for testing applications with other dates & times.
I tried it beyond the 2038 point and on 64-bit it is fine. Puts off the date problems for long enough for most readers to be commentarding on St. Peter's book...
If you are unlucky enough to have 16-bit + 32-bit + specific hardware/driver + IE dependency then I really do pity you :(
However, if you have 16-bit DOS style stuff then you might also want to try dosemu for Linux. Beware it also has some oddities in terms of 32-bit versus 64-bit versions, but it might be an easier choice. Also if you depend on special hardware that assumes direct DOS-style access to special hardware (as we do) then this option might be away of avoiding having real DOS or Win95/98 machines any more since dosemu can be run with sudo (root) access and configured to permit specific hardware I/O in dosemu.conf
If all else fails, then identify what is not going to work on 64-bit systems and keep that on a dedicated machine/VM and really go out of your way to protect it from the big bad world by putting it on a separate VLAN, etc, and firewalling it to the hilt. Even if it has to print to a network printer, try to block the printer connection as much as possible as they are often never patched and probably contain vulnerable web servers for configuring them, etc.
Re: Never attribute to malice what can be explained by incompetence.
You also forget the 3rd possibility - that both malice and stupidity is involved.
"If you look into any agenda driven politics
the left tries to push you'll see it's built on lies"
There, fixed it for you.
"useless for blackmail since Uncle Sam already knew"
That presumes you only care about the Gov knowing. But what about family, friends, and neighbours who may not be impressed by certain aspects of your private life that you declared for a high security job?
So will this closer integration with China mean we can look forward to buying a router with a choice of NSA or PRC back door? Will the web site be pre-ticked depending on your shipping destination?
Actually I'm not sure the joke icon is quite appropriate...
Really I have to hand it to the German BOFH when the declared that a complete rebuild is the only (the final?) solution.
Think about it: you get to replace old routers and start with safe/sane settings for the firewalls, etc. You also dump all of the out of support 2k3 servers and XP machines, and give everyone a new desktop.
Personally I would go Linux with a Windows VM for special stuff, partly to reduce the COTS malware risks but also as a lot of that won't run in a VM to avoid analysis, but looking at a more realistic scenario you get to deploy new desktops with known configurations and can have the ACLs set so no user program can 'execute', only those the BOFH has installed in the correct locations.
Along with that you deploy only known, patched, and properly configured applications. Sure, you have to re-import user data, but that can all be scanned first and maybe even make users ask for what they actually *need* to have, further reducing the risk of p0wned stuff.
We salute you!
Come on, they looked at the joys Windows users have with knowing what all those instances of svchost are actually doing and they thought "you know what, we want a bit of that action"
Re: Lack of 32-bit Server platform
The real problem is if you have 16-bit Win95/DOS era software as that won't run on 64-bit Windows. OK you may also have driver problems as well for older hardware under 64-bit (remember how crappy 64-bit XP support was?). Sometimes it will run on Linux emulators (Wine, or dosemu, etc) but that is a significant gamble.
Now you might be saying "Who runs 16-bit any more?" without realising there is a lot of small speciality software from that era that works, and changing the software to a newer version is a major PITA for various reasons:
1) New software license costs
2) Maybe no longer compatible with old, special, and very expensive hardware
3) Different file formats so you cant read/write previous data
4) Different work-flow so you have to re-jig lots of scripts and re-train users.
5) All of the above often gets you nothing more than "supported OS" status as it will do exactly the same job as the old one (maybe better, maybe more buggy).
So while using old servers for general stuff is barely excusable, there are some VERY GOOD reasons why it won't happen for many. But as other commentards have pointed out, you should be working on the assumption that ALL systems can be p0wnd (old & new, Windows & Linux) and planning how you detect that and restore to a clean state when it happens, not IF it happens.
Decent screen for once
OK, the MS product is not very cheap, but the 2160 x 1440 screen is a damn sight better than even the majority of ultrabooks at more than the ~£600 range of these.
I think the official El Reg unit should be in kilowrists, the measure of simultaneous pr0n film streaming performance.
Re: Silicon versus GaAs
I think the main reason is there is SO MUCH silicon technology, experience, and fab facilities it is easy to make complex chips from it, whereas GaAs has been generally kept for the fastest of products where you don't have the same density of components but need higher speed. GaAs is more radiation-hard than silicon, but also less tolerant to heat. I'm sure others with more knowledge can provide a better informed answer though.
What choice in network kit?
In the blue corner we have Cisco with the (alleged) NSA back doors.
In the red corner we have Huawei with the (alleged) PRC backdoors.
Ladies and gentlemen, pick our choice of partners now and place you bets! Complementary tubes of KY will be provided...
Re: @Tom 13
Firstly all these remote locations don't need access to a lot of data at any one time, so the database server ought to rate-limit requests and queries to a reasonable amount per authorised machine/user.
Secondly having something where the leak is so significant really ought to have raised the question about how many sites really need to access it, and for them you could have deployed specific machines with dedicated hardware encryption in the network card (or a dedicated secure router) to tunnel the data to/from the server.
None of them having any simple path to the outside world so an attacker would need multiple physical access aspects to begin hacking past the user account and rate-limiting aspects. Anyone needing to access the data base would find those PC(s) in a reasonably secured room, log on and do their job, then go. Room could be CCTV'd so any attempted tampering would be on record, etc.
It is all perfectly possible, but it costs money to do (much less than the hack is going to cost, I'll bet) and adds some inconvenience, but still much easier than the old days of paper files. So its not really *that* inconvenient.
Re: Dear US of A
Again, you are looking at a much higher bar than plugging in a device to an unused port at the recreational area, etc.
Now you are actually tampering with the internal wiring and could easily install a keyboard logger, etc. But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway, if you are sufficiently paranoid or working to regulations that deamand that degree of security. That is why the "red" cables in proper high security installations have to be visible along whole length and subject to regular inspections for tampering (or shielded fibre with some fibres used as tamper-detection, etc).
Re: Dear US of A @Paul Crawford
You are of course correct.
I was just thinking aloud about things that can be done for little physical cost on "normal" PCs & networks typically used in below-secret Gov, Business & Universities. OK, air-gapping is not common on those, but all the other features are pretty much standard on Cisco and similar kit, so having red/black networks for internal/external can be done and spare kit used for both.
Edited to add, worth a read:
Re: Forget all that yap, the danger is....
Sadly it could get worse, the original hackers could paste it on a torrent or similar to provide plausible deny-ability for the state about acting on the information in it, and just say they got it from the hackers' public posting. That way other nations and every low-life scammer out there would have the treasure trove as well.
I feel sad for all of those US citizens now at risk and angry that their government was so stupidly caviller in having such an important database on a public-connected system (probably?) with such a poorly thought-through security aspect as this.
They pay billions for the NSA and the least they could have done was got them to give the whole system and its management a once-over. Scrap that, Snowden showed even they had not thoroughly thought-through big system security.
Re: What the Chinese did with it?
Maybe Snowden's documents were the source, or maybe this mega-hack. Who is to say the UK has not been popped (or was sharing with the US which clearly has been)?
If I were Russia/China it would make sense to say it was Snowden to disguise being in on this hack, for example.
Similarly if I were the USA/UK it would make sense to use Snowden as a stool pigeon to try and deflect public anger from the piss-poor security in place and/or the lack of appreciation of what such a massive database of all security-checked staff could mean when leaked.
Re: Dear US of A
"the night janiter plops a rasberry computer with a wireless modem"
If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work.
Also if they take security seriously they would put all the crappy never-patched network things like printers, web cameras, etc, on a separate VLAN/IP range (and without external access in the sad case they are not air-gapped) so their behaviour can be seen more clearly by intrusion monitoring systems, etc, and they can be blocked from initiating any connection to the "good range" machines (i.e. they only react to a print command and don't get to broadcast or probe the PCs).
A more likely physical attach is to plug 'evil USB' devices in to unguarded machines. OK those systems should also be locked down so USB is not on autorun on anything like it, but that may not be enough if they have a zero-day exploit for the lower level USB hardware/stack used. In the nation-state with insider doing dirty work case that is, of course, possible.
Either way, it is much much harder to exploit a network not on-line, as exfiltrating the data needs some sort of access (USB or similar again) and there is a high risk of the person getting caught if the sysadmins have some regular checking of system logs for device attachment, etc, happening.
Re: There's more to this than identiry theft....
The sad thing in this train wreck was seen to be coming for a long time, as you have:
1) Gov collecting data on its people like a fetishist
2) Gov cutting IT budgets and not holding anyone personally responsible, with power, to do anything about it.
3) Putting stuff on or connected to external networks because its cheaper/easier/more productive that way.
4) Software / OS being so complex and hole-ridden with developers all running after "shiny and new" instead of simple and reliable.
5) Other nations realising 1-4 and the gains to be had from popping said data.
The USA may not be the first, but it sure as hell won't be the last nation to have its dirty laundry sent to China (or Russia, Israel, etc, etc)
If you collect it, it will get leaked eventually.
Re: Why also 15" models?
Well there are old people or others with vision defects where an 11" retina screen is utterly a waste of money.
A lot of folk use a laptop as a semi-permanent thing because its smaller than desktop + monitor and can be tided away fairly easily. For them a 15" or 17" screen is just so much nicer to work on, and the size and weight are not the same issue as those always travelling with it.
Re: rewriting history
I think in most cases the issue is not that you could search for a person's past events using specific knowledge, but that Google would return all sorts of older stuff with just a person's name.
Surly a technical company such as Google could implement a filter that only returns recent (say past 12 months results) when the search is a person's name, but only recovers such issues if you really go digging deeper with specific searches and date ranges (like you once had to do before t'Internet came along)?
If you know the camera's point-spread function accurately, which I assume the guys who built the probe did, you can deconvolve the received image with the point-spread function.
It makes more sense in the frequency domain (plus phase) where the deconvolution process consists of dividing the image spectrum by the camera's "low pass filter" effect to restore the original image. This, of course, is not as easy as it sounds for various reasons:
1) There is noise in the image (both random and quantisation due to A/D converters). This gets magnified seriously wherever the camera has poor spatial resolution.
2) If there are nulls in the camera's response you have irrecoverably lost that information.
3) You might be trying to compensate for two effects - the camera's response and the movement of the system.
4) Errors in the above can become artefacts.
Re: "it remotely disabled the product key on her own 8.1 laptop"
See, this reason alone is why I won't choose to use Windows unless its the only choice for some special job - they can dick around with my PC at any time of their choosing.
Re: Let me guesss...
"Idiot sysadmins...greater risk to security than an unpatched Linux or Windows machine"
Often the unpatched machines are the result of said idiots.
Sure you may find machines that can't be patched for various odd reasons (not supported and/or run special software that can't work on newer OS, etc) but for $DIETY's sake you don't have them Internet-facing or in use for email/web browsing...
Re: Let me guesss...
"Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the syadamin"
For most corporate networks they should have all user-writeable space set to no-execute via Windows ACLs. Apart from software developers or sysadmins, who need to execute software that is not already installed in the proper (read-only) system locations?
Re: NTP isn't that much better
"PTP eliminates Ethernet latency and jitter issues through hardware time stamping"
So you have an irrelevant comparison: PTP can't work on a WAN, and on your LAN (without WiFi use or woeful congestion meaning you should upgrade your routers) you get sub-ms accuracy which is smaller than the time-slice for most software/OS task scheduling.
Also having asymmetric delays of 100ms or so is quite poor, you really ought to be using NTP sources that are 'closer' to your machine (in a network sense).
But returning to may main point made elsewhere, using time stamps which are *assumed* accurate to re-order data over a wide system is simple but also prone to clock error. Should programmers not be looking at other hand-shake and event counting methods to synchronise the *order* of events instead of trusting everyone's clock is always sufficiently close in time-keeping?
Maybe if they spent less time in pointless GUI dicking around and fixed bugs they would have less need for this?
And what about non-security bugs, like the defaulting to US Legal paper for printing on every update on the *NIX version that has been open for more than a decade?
Re: lots of talking to do
As for the bundestag pc network being scrapped and replaced, maybe that is a final way to get rid of XP and force all users on to something more secure, reliable, and supported?
Lets just hope they check the PC suppliers are not using NSA-infected HDD should they decide to keep with Windows known boot loader...
Re: "c language, the most important enabler of cyber war"
The correct statement is "stopping the use of cheap crap programmers who don't understand what they are doing and fail to apply best practice when coding and the multitude of tools that already exist to help"
If you are really looking for a scape-goat for info sec woes, how about Office and VB plugins?
Re: Air Force General Hawk Carlisle
I wondered the same! OK, not quite as sinister as General Jack D Ripper, but a triumph of naming nevertheless.
Paris, as she could have my precious bodily fluids...