The Register® — Biting the hand that feeds IT

* Posts by Paul Crawford

1000 posts • joined Thursday 15th March 2007 16:58 GMT

Paul Crawford
Silver badge

@readme.txt

792 pages - hardly a "readme.txt" - and at first glance no meaningful comparisons with any other systems, though 0.91 watts per MIPS was mentioned (which seems not that special compared to ARM-based hardware).

Maybe you could enlighten us?

Paul Crawford
Silver badge

Hardware raid - yes

Ever tried to dual boot Windows & Linux on a software RAID?

It is not always about speed, or basic hardware costs, but sometimes just from the convenience of a card that makes your disks look like one SCSI volume for easy support. The Areca cards I have used preserve disk assignment if you swap cables, and will re-build after a hot swap without care from the OS.

For software RAID I would want ZFS, as much for snapshots and file checksums. That is a real boon to data integrity.

Oh, and the last word to everyone out there is a reminder "RAID is not Backup"

Paul Crawford
Silver badge
Unhappy

@Adaptec Technology

Thanks for the warning!

Must say I used an old IDE Adaptec card several years ago, and it had separate cables per disk so one HDD fault should not cause a system failure.

Guess what? I had a dead disk and the card locked up when booting, so I had to find and remove the faulty HDD before I could boot the PC. Not exactly "high availability".

You really wonder if these companies really test things, you know, with special HDDs that simulate various faults (I/O time-outs, bad sectors, etc)?

Paul Crawford
Silver badge
WTF?

What?

"ranging from a low of 26 MIPS "

Am I missing something here? As far as I can see my HTC smart phone has more than 26 MIPS of processing performance free to run any apps, in fact, probably almost 10 times that.

Just who would spunk several tens of thousands of dollars on a sub-early-90s-486 performance machine, even if it is highly redundant?

Paul Crawford
Silver badge

@DF118

Exactly, and maybe this is the point in his sentencing - it is hardly worse than the guy watching the film then going out and blogging to his mates & the world the plot and saying it's crap/good/whatever.

I don't see how some crappy phone-cammed version with tinny sound supplemented by crisps & farts is really devaluing the film by being released upon t'Internet.

Paul Crawford
Silver badge

@Ammaross Danan

I think you will find the nasty 128GB limit was an IDE issue (which has a LONG history of being crap and incrementally fixed to a new level of crappiness) as it worked fine if you had a SCSI disk (or hardware RAID controller that presented disks as SCSI volumes).

Oh and I have installed w2k on 2008 metal, all it needed was a floppy with the disk controller driver!

But you are right that running legacy stuff in a VM is the way forward. In fact, running today's stuff in a VM has lots of advantages (other than speed and convenience). Ease of migrating from machine to machine without a re-install is one of them...

Paul Crawford
Silver badge

@Wilco 1

Clearly a case for a boot-CD like the bit defender one?

Never had the misfortune to deal with this malware, but a clean boot should help.

Oh, until the bad guys also get round to flashing your BIOS...

Which reminds me of another rant, why can't the dumb buggers who design motherboards have a switch/jumper to enable BIOS updates? (default = locked, of course)

And why can't the BIOS provide a report of the boot area so you know it has changed? Yes, locking it down as in "trusted boot" is a pain and not something I want as it would piss off Tux no end, but at least offering you the SHA-1 hash history (or similar) of the sectors used for booting would let you know if something had been changed and so if a boot/clean CD was worth trying pre-emptively.

Paul Crawford
Silver badge
Trollface

First to say?

May I be the first to say selling "Micky Mouse software"?

Paul Crawford
Silver badge
Thumb Down

@Fail

(1) It depends on how you define "social engineering", as in this case they did not manipulate the target beyond posting the device to a selected individual.

(2) They did not have local physical access. They did not break in to the building or its infrastructure. This was a real Trojan horse, or more precisely, a Trojan mouse.

So I would say they did the job, and I would also say that asking for your defences to be tested while ruling out some of the known attack vectors is a bit dumb of the hiring company.

"Look at the size of my door lock! Bet you can't pick it!"

"Where are your window locks?"

Paul Crawford
Silver badge
Thumb Down

@Um, neat idea but very limited in practice

This is a highly targeted attack needing money & skill. Not a mass market drive-by sort of web browser hack for mum & dad's ageing PC.

I suspect anyone deploying this will have done their homework and got a good idea of what the victim is using. Most likely it will be the "corporate Windows image" for 99% of the workforce, so you can work from that point onwards...

Paul Crawford
Silver badge

@Just don't count on that

As a 'mouse' or other USB device it would not know what was typed on another keyboard-like input device, so not that simple...

But if you did the same modification to a keyboard, then yes it is quite simple...

Paul Crawford
Silver badge

@Same attack on Linux

Yes and no.

The basic idea is the same, if you can move the mouse and/or type key strokes you can do a LOT.

It is also likely (e.g. on Ubuntu) that you could have a USB drive auto-mounted with a known name (based on the volume ID/name) so loading arbitrary software is also possible.

Now unless you were lucky and able to type in a terminal opened for root (or recently sudo-ed) and the user is privileged and not terribly observant, escalating is not as likely, but still possible depending on the user and/or exploits you can muster.

But if all you wanted to do was slurp the contents of the user's home directory and/or reveal network details that could help another attack, which could have a wealth of sensitive information, then it is easy! Without attempting to hide your operations, just open the command dialogue with Alt+F2, then enter a command such as scp or rsync with details of a dodgy destination server...

Paul Crawford
Silver badge
Terminator

Sneaky, very sneaky!

Must take my (red?) hat off to these guys, as they have upped the ante by a big amount. The same trick could be used with *any* USB device given a bit of engineering effort to have a hub & rogering-mouse included.

Mouse/keyboard (obviously!)

USB pen-drive/external drive.

Phone with USB "charger".

Printer with USB connection.

You get the idea...

I wonder how national security folk around the world are now eyeing the equipment they got from USA-based companies, made in China, handled by unknown agents, with suspicion?

Paul Crawford
Silver badge

Earthing, indeed

It is largely a case of maximum linear gap length. As a rule-of-thumb to get half-decent screening you need to have proper metal-metal contact every 1/20 wavelength or less for *every* joint. For 1.8GHz this means around 8mm.

Most biscuit tins won't approach this, in fact, a lot of RF screened boxes don't make it either!

But put an audio noise source in the tin box and it will help render any sound spying *much* harder if the screen is not enough to put the phone out of RF use (depends on base station range, etc).

Maybe fart apps are not so useless after all?

Paul Crawford
Silver badge
Linux

Does not compute!

"The Mac platform isn't any safer," he added.

"more than 3 million signatures for its Windows anti-virus software compared to 1,000 for its Mac"

So having a 3000:1 bigger range of threats, and a poorer-by-original-design security model is not making Windows less safe?

No computer is 100% safe, and often the (l)user is the weakest link, but it is hardly truthful to say the Mac is not any safer.

Tux, my favourite now.

Paul Crawford
Silver badge
FAIL

MS should be hammered over this

Why the ongoing problem of "fake installations"?

Why don't they make the install CD (sorry, DVD now!) free to download and then charge for activating it when the user first tries to use it?

Would also get rid of the irritation of "MS tax" on new PCs as you would pay for MS separately, should you want to keep it.

Paul Crawford
Silver badge
Trollface

More to the point...

Ah yes "Your account is compromised"

By what I wonder, MS security again?

Paul Crawford
Silver badge
Unhappy

TX spectrum not the whole story

Even if they had a 'perfect' brick-wall style of transmitter spectrum, it would still be a problem for GPS due to a number of factors:

(1) The effectiveness of the pre-LNA filter and LNA/mixer not to be overloaded by what leaks in from the strong local adjacent channel.

(2) The 'reciprocal mixing' problem with the receiver's local oscillator's phase noise. Here the issue of (1) that is not causing overload of the LNA/mixer still can end up increasing the in-band noise floor by (in effect) shifting the LO's noise there.

(3) The noise floor due to quantization errors in the digitising process (as it *will* be DSP-based after all).

Of course all of the above can be minimised by good design, but everyone wants their GPS to be cheap, small & sensitive for use in poor locations, and those are often mutually exclusive with high adjacent channel protection.

Paul Crawford
Silver badge
Unhappy

As if browsers were not buggy enough already

"It's a C++-like languages designed to let you build in parallelism and security," Blizzard said.

I can't be the only one to see C++ as not being associated with 'security' even if it is good for native speed?

So, not happy with the current bugginess of browser implementations, we can now add the joys of trying (and usually failing) to implement and debug multi-threaded code.

Paul Crawford
Silver badge
Unhappy

@Does anyone...

...actually use Java in a browser any more?

Sadly yes, for some crappy web sites that either don't work, or are a major pain otherwise. Examples include:

Facebook's photo uploader, either hand selecting 5 images at a time, or allowing them to access your machine via a Java thing to allow all files in a directory, etc, to be selected. No way on my PC!

One of the genealogy web sites my father uses is so crap a design that your choice is to use IE & ActiveX enabled, or a Java viewer (which, last time I looked at his PC, is also out of date and leaves an ever-increasing tree of cache directories):

http://www.scotlandspeople.gov.uk/Content/FAQs/Questions/index.aspx?206

The Devil & deep blue sea as far as security is concerned! For him I set up Linux & Java as the least-worst option for this.

Paul Crawford
Silver badge
FAIL

@monoculture

As mentioned, relying on one product/system is a bad idea, in particular when it is one that is very popular and lots of black-hat skills are available to break it.

But the bigger issue is the one you raised here - RSA kept the keys to *everyone's* kingdom, so when they got hacked it resulted in all players losing most (if not all) of SecurID's supposed advantages.

RSA wanted to make more money you see, so rather than make a product that YOU, the customer, would set up and operate, they wanted to keep themselves in the loop. For a fee, of course...

Had they done so, then Joe Bloggs Ltd would have their own seed database and on being hacked it just screws the one organisation. Everyone else is OK (until they get directly hacked of course).

But no, a proprietary key design with them holding YOUR data. You could argue that a top security company would be much better at doing that than Joe Bloggs Ltd, of course, but the evidence says otherwise.

Why are they still not coming clean on exactly how it happened and what was taken?

Paul Crawford
Silver badge

@Sources of exploits

Interesting report, but part of me is a trifle suspicious of MS reporting on their own problems. I would be more interested in reading 3rd party assessments.

I guess the other aspect is there are probably far more PCs with Flash installed than Java, so more targets? Also a favourite has been that other piece of crap, the Adobe Reader & its PDF browser plug-in.

Back to today's rant - why can't Adobe sort out their software? It must be only a fraction of the code base size of Windows, and yet they make MS look like the golden boy of security by comparison.

Paul Crawford
Silver badge

@Marketing Hack

"So I guess we are one or two proportionate steps away from someone hacking the Federal Reserve open market system or getting access to launch codes for the U.S. and U.K.s nuclear deterrent?"

Depends. Do you think they use Windows+Adobe software for said systems? Do you think they are doing anything serious about the no-longer-SecurID tokens?

Oh dear...

Paul Crawford
Silver badge
Linux

Is this largely an IE based attack?

While it is possible the phishing attacks are probably quite well crafted, am I right in believing the res:// protocol is a Windows/IE only trick?

Another good reason not to use IE at all, even if you are dedicated to using Windows for other reasons?

(And before the trolls come out, yes I know all OS are vulnerable to some degree, more so for Trojans, but indulge me this fanboi-baiting luxury given Windows 99.95%+ share of current malware)

Paul Crawford
Silver badge
Paris Hilton

@Who bothers with multi user accounts?

Answer: Those who care about their security and privacy.

It is not hard to have multiple accounts and switch users, after all only one person can physically use the keyboard/monitor at a time.

I have found most families rapidly get used to the idea and actually LIKE IT! Each can customise their own desktop, bookmarks, etc, and the parents are happier that the little ones have Google's safe search enabled, have their pr0n browsing kept out of the browser history, etc.

As already pointed out, even a single user PC can benefit from having more than one account. Yes it is hassle to switch often so you would not do this for minor things, but for most people the banking type activity is an occasional one, so switching account for that is no big deal.

So a good idea for every OS type is to have something like:

1) An admin account, just for installing stuff (how often do you REALLY need to do that?)

2) Your normal user account.

3) Your banking account.

4) A guest account (for those cases when someone wants to use your PC but you would rather they did not mess with important stuff).

Paris, as you might want to add a pr0n account as well...

Paul Crawford
Silver badge

@IE support

Excellent move!

Alternatively, MS could make a version of IE that is not burrowed so deep in the OS, so that they can make it work on other systems.

Paul Crawford
Silver badge

@Anon999

"Tell me one, just one thing that would be of interest for attacker and could not be gained with user privileges."

The ability to key-log other users' accounts.

You know, like a child doing something silly like trying to install a game, and then the parents' bank account being accessed?

On a multi-user machine that is a big deal, but as I already said, most home PCs do not enforce any real concept of user roles.

On a typical Linux box (e.g. Ubuntu that I use) by default I can read others' documents, but not modify them (so no encrypted file blackmail), nor can I install any system-wide changes (change programs, alter web browser settings, redirect DNS, etc).

Paul Crawford
Silver badge

@I like this reasoning...

"The only viable defence against fatal road accidents is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to drive cars."

Yes, like a driving test perhaps?

And jail time and/or losing one's license for doing really stupid things on the road?

We are used to the concept of education and control where there are obvious physical consequences from our actions, which is why we limit the freedom to do certain things until one has demonstrated some degree of relevant skill and responsibility.

Computers on the other hand don't seem to be covered as there are no 'real' consequences from users' ignorance (or sometimes utter stupidity). Other than fraud of course. And blackmail. Oh yes, and extortion via DDoS attacks...

Paul Crawford
Silver badge
Thumb Down

RSA's part?

"information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack"

More like RSA were p0wned completely but did not want to frighten the shareholders...

Anyone else talking?

Paul Crawford
Silver badge

@jake

Probably you are right, but I am pretty sure it was MS who came up with the dumb idea of autorun.

Not to mention no "execute" permissions[1] so running programs/scripts on the basis of file extension.

---

[1] I think NTFS ACLs support execute permissions, but who understands and uses them on their home desktop? And how much Windows software would just break if it were to be turned on by default?

Paul Crawford
Silver badge

@Anon999

To compromise the user's own account in virtually all cases needs no password, but to take over the machine is a problem needing sudo rights.

Given most home PCs are used in "single account" mentality, that is not a whole lot of protection :(

Back to meaty education for all I'm afraid.

Paul Crawford
Silver badge
Unhappy

A lost battle

Trying to detect bad applications seems to me to be a wasted cause - just how effective is AV really? Most Windows boxes I have seen were taken by stuff that either (A) evaded the AV, or (B) convinced the meaty one that they really wanted/needed to install it.

Given the near infinite options for black hats to adjust their product to evade detection (a trojan need not keep a specific exploit trick that a virus needs, after all), and the time lag in AV catching up, it appears a lost cause. But lucrative to the AV snake^b salesmen of course...

So Mac is now targeted and failing, it seems partly due to "ease of use" installs that Windows foisted on the world so that uneducated masses could use computers more easily.

Linux would/will as well, given the behaviour observed on the machines I have set up for family/friends (dubious .exe files on the users desktop, WTF?)

The only viable defence against Trojans is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to run/install arbitrary software.

Ideally (C) do both.

Paul Crawford
Silver badge

Balls in the vice

Must be nice for all those IBM customers to know they can't fart without paying IBM rates.

Is there really such a cost/performance advantage to mainframes to make such lock-in worth it? Or are these customers all dependent on legacy stuff that they just have to grin and accept each turn of the vice handle?

Paul Crawford
Silver badge
Mushroom

Really?

"Allied Telesis is reportedly working on removing the leaked documents from the filesharing sites"

Meanwhile we look forward to getting the mushroom cloud back in the sphere of plutonium...

Paul Crawford
Silver badge

Windows again...

Hmm, apart from making the usual smug comments about the most hacked system in history, it strikes me this is such a typical attack that any competently secured installation of Windows should have survived. Symantec say "the visiting computer is subjected to various application exploits" but no more details.

Have I missed the idiot factor?

Paul Crawford
Silver badge

Indeed!

"Best in class processors" is a good joke.

Methinks the real reason they won't use their advanced fab to make an ARM chip is it would show exactly that point, that x86 is a piss-poor underlying design.

Paul Crawford
Silver badge

@+++ath0

"I poll the drive's SMART temperature sensor just twice per second"

2Hz? Why so often?

The thermal time constant of a HDD with all of that metal must be of the order of high tens to hundred+ seconds, so I expect you could poll every 10-20 seconds and have sufficient margins for control system stability.

I expect that would lead to <1% loss in speed, and you get the disk's health as well.

Paul Crawford
Silver badge

@no such thing as free healthcare

"when in fact they are paying more on average, through being taxed and paying a government bureaucracy to manage things, than if they paid upfront for the service"

How much do Americans pay on average for health care (I include "company cover" which is of course also a stealth tax)?

How does this compare to the UK (e.g. NI minus the pensions part)?

I know of a late family friend from the USA who came to the UK for 3 weeks of holidays and *private* dental treatment as it was much cheaper than just getting it done in the States.

Unfortunately he did not provide financial details, though his actions speak for themselves, but clearly you can back your statement up?

Paul Crawford
Silver badge
FAIL

@Hard disks get hot

Yes, they get hot and need cooling, but at my desktop here I can look at their temperature using my RAID card as it simply asks for the SMART status.

Any 'pro' machine that is not monitoring the SMART status is basically a failure, as it provides warning of disk problems (but not always) before you begin to lose data, so why not use it for the temperature?

And before anyone asks about the loss of control when the OS crashes (on a Mac, never! they scream) you just have the fan controller with a watchdog timer - no OS updates for X seconds and fans go to maximum speed. Simplez!

Fail, for Apple pissing on its professional customers.

Paul Crawford
Silver badge

Missed opportunity

Why no sign of an ARM based one that is not limited to 1-2 hours battery life?

Or don't they have Chrome, etc, working well enough (if at all) on non-x86 hardware?

Meet the new MS, same as the old...

Paul Crawford
Silver badge

Choose the one that sucks least

Really, all operating systems suck, and the task is choosing one that provides the least hairy-mouth experience for your users and IT staff. At the risk of stirring up the fanbois (and gurls) here is my take on it:

1) Windows XP has maturity, and the best range of software and tools. Also the best range of malware by far. On its way out, and the final death of IE6 will be a relief to all, including Microsoft.

2) Windows 7 shares most of XP, but less legacy software and hardware works with it. Needs more (i.e. modern) hardware to enjoy using it, and to get the best deal with the malware or the joke that is AV software.

3) Apple Mac solves a lot of the security issues, but less software support. And costs a lot more for hardware. Jobsian control freakery an issue long term, but most folk like it as a few key things like Office and Photoshop are available natively for it.

4) Linux has the security of Mac (if not better) and freedom (speech and beer), but not much in the way of mainstream tools work "just like that". Helps if you have a fez, and maybe a beard. Would help a lot if they could stop dicking around with the desktop and fixed known bugs - looking at you Canonical.

Training of your users is needed no matter what you do, and if you think going from XP to 7 is no problem for Joe Average (and not the typical El Reg reader) you are a fool.

If you are dealing with reasonable staff, then mixing Linux or Mac for the host and running VM(s) of XP, etc, for legacy stuff works and makes security better, if a bit more involved to manage.

But don't trust my opinion, I don't have a fez.

Paul Crawford
Silver badge
FAIL

Bugger

There goes any semblance of helpful tech then :(

Paul Crawford
Silver badge
Thumb Up

@Vic

"Nokia *management* couldn't find their arse with either hand"

Yes, I believe you are quite right there.

I feel very sorry for Finland and all of the engineers tossed out by this dumb move, and just wish they could have culled the right people earlier.

My first 2 phones were Nokia and great, sadly my 3rd was an HTC Wildfire as the competition was too expensive/controlled (iPhone) or just a bit crappier.

Paul Crawford
Silver badge
Thumb Down

@Good news! Extra efficiency!

You don't get it:

Apple are "efficient" in that they have a clear vision and design good products[1] around that - their R&D is money well spent ultimately as it sells well and returns the investment several times over.

Nokia on the other hand could not find their technical arses with both hands, such was the range of competing and ill thought out products they developed and which management seemed unable to guide.

Nokia needed to change, to streamline and set user-focused goals. Instead they have been lobotomised and handed their future to MS, who as we all know have a very bad reputation[2] in this area.

----

[1] subject to control freakery.

[2] ask former Sendo employees.

Paul Crawford
Silver badge
Coat

Sounds good

"Paris Hilton and Lindsay Lohan...get blown"

Oh, sorry, I was thinking of another film genre!

Thanks, it's the dirty mac with the cinema tickets and tissues, thanks...

Paul Crawford
Silver badge
Gates Horns

Did they mention MS?

Did they cover how dumb Outlook Express' design was?

How easy it became to spawn a tsunami of crap by using a really, really stupid feature that some wonk at MS thought was cool?

Paul Crawford
Silver badge

Melt me

When I read "Meltemi" I thought of the Wicked Witch of the West melting.

Nokia + MS = corporate equivalent it seems. Sad day.

Paul Crawford
Silver badge

Reliability and NOx products

My concerns are the issue of reliability given the generally dirty-ish inside of a combustion chamber where one might expect a fair proportion of the energy is lost in the window's surface after some time.

Of course, then the cost of the laser assembly.

And the opportunity for idiots to play with them outside of the engine.

Finally, I thought one problem with leaner burning engines was high NOx products? Can anyone knowledgeable comment on that aspect?

Paul Crawford
Silver badge
WTF?

WTF?

"first pays a $272,340 deposit, which they claim represents half the cost of supplying the documents"

Are they paying monks to transcribe the documents using gold-leaf decorated calligraphy or something?

Paul Crawford
Silver badge

@Total non story

"Nothing of any value is done on the windows boxes"

Except maybe store the home addresses, social security numbers, photos, and other personal data of those who do have access to important stuff?

Not that a Chinese (for the sake of argument) agency would then consider a more traditional spy approach of, say, compromising and attempting to blackmail or convert said workers to agents, would they?