1035 posts • joined Thursday 15th March 2007 16:58 GMT
MS should be hammered over this
Why the ongoing problem of "fake installations"?
Why don't they make the install CD (sorry, DVD now!) free to download and then charge for activating it when the user first tries to use it?
Would also get rid of the irritation of "MS tax" on new PCs as you would pay for MS separately, should you want to keep it.
TX spectrum not the whole story
Even if they had a 'perfect' brick-wall style of transmitter spectrum, it would still be a problem for GPS due to a number of factors:
(1) The effectiveness of the pre-LNA filter and LNA/mixer not to be overloaded by what leaks in from the strong local adjacent channel.
(2) The 'reciprocal mixing' problem with the receiver's local oscillator's phase noise. Here the issue of (1) that is not causing overload of the LNA/mixer still can end up increasing the in-band noise floor by (in effect) shifting the LO's noise there.
(3) The noise floor due to quantization errors in the digitising process (as it *will* be DSP-based after all).
Of course all of the above can be minimised by good design, but everyone wants their GPS to be cheap, small & sensitive for use in poor locations, and those are often mutually exclusive with high adjacent channel protection.
As if browsers were not buggy enough already
"It's a C++-like languages designed to let you build in parallelism and security," Blizzard said.
I can't be the only one to see C++ as not being associated with 'security' even if it is good for native speed?
So, not happy with the current bugginess of browser implementations, we can now add the joys of trying (and usually failing) to implement and debug multi-threaded code.
...actually use Java in a browser any more?
Sadly yes, for some crappy web sites that either don't work, or are a major pain otherwise. Examples include:
Facebook's photo uploader, either hand selecting 5 images at a time, or allowing them to access your machine via a Java thing to allow all files in a directory, etc, to be selected. No way on my PC!
One of the genealogy web sites my father uses is so crap a design that your choice is to use IE & ActiveX enabled, or a Java viewer (which, last time I looked at his PC, is also out of date and leaves an ever-increasing tree of cache directories):
The Devil & deep blue sea as far as security is concerned! For him I set up Linux & Java as the least-worst option for this.
As mentioned, relying on one product/system is a bad idea, in particular when it is one that is very popular and lots of black-hat skills are available to break it.
But the bigger issue is the one you raised here - RSA kept the keys to *everyone's* kingdom, so when they got hacked it resulted in all players losing most (if not all) of the SecureID's supposed advantages.
RSA wanted to make more money you see, so rather than make a product that YOU, the customer, would set up and operate, they wanted to keep themselves in the loop. For a fee, of course...
Had they done so, then Joe Bloggs Ltd would have their own seed database and on being hacked it just screws the one organisation. Everyone else is OK (until they get directly hacked of course).
But no, a proprietary key design with them holding YOUR data. You could argue that a top security company would be much better at doing that than Joe Bloggs Ltd, of course, but the evidence says otherwise.
Why are they still not coming clean on exactly how it happened and what was taken?
@Sources of exploits
Interesting report, but part of me is a trifle suspicious of MS reporting on their own problems. I would be more interested in reading 3rd party assessments.
I guess the other aspect is there are probably far more PCs with Flash installed than Java, so more targets? Also a favourite has been that other piece of crap, the Adobe Reader & its PDF browser plug-in.
Back to today's rant - why can't Adobe sort out their software? It must be only a fraction of the code base size of Windows, and yet they make MS look like the golden boy of security by comparison.
"So I guess we are one or two proportionate steps away from someone hacking the Federal Reserve open market system or getting access to launch codes for the U.S. and U.K.s nuclear deterrent?"
Depends. Do you think they use Windows+Adobe software for said systems? Do you think they are doing anything serious about the no-longer-SecureID tokens?
Is this largely an IE based attack?
While it is possible the phishing attacks are probably quite well crafted, am I right in believing the res:// protocol is a Windows/IE only trick?
Another good reason not to use IE at all, even if you are dedicated to using Windows for other reasons?
(And before the trolls come out, yes I know all OS are vulnerable to some degree, more so for Trojans, but indulge me this fanboi-baiting luxury given Windows 99.95%+ share of current malware)
@Who bothers with multi user accounts?
Answer: Those who care about their security and privacy.
It is not hard to have multiple accounts and switch users, after all only one person can physically use the keyboard/monitor at a time.
I have found most families rapidly get used to the idea and actually LIKE IT! Each can customise their own desktop, bookmarks, etc, and the parents are happier that the little ones have Google's safe search enabled, have their pr0n browsing kept out of the browser history, etc.
As already pointed out, even a single user PC can benefit from having more than one account. Yes it is hassle to switch often so you would not do this for minor things, but for most people the banking type activity is an occasional one, so switching account for that is no big deal.
So a good idea for every OS type is to have something like:
1) An admin account, just for installing stuff (how often do you REALLY need to do that?)
2) Your normal user account.
3) Your banking account.
4) A guest account (for those cases when someone wants to use your PC but you would rather they did not mess with important stuff).
Paris, as you might want to add a pr0n account as well...
Alternatively, if MS could make a version of IE that is not burrowed so deep in the OS, they could make it work on other systems.
"Tell me one, just one thing that would be of interest for attacker and could not be gained with user privileges."
The ability to key-log other users' accounts.
You know, like a child doing something silly like trying to install a game, and then the parents bank account being accessed?
On a multi-user machine that is a big deal, but as I already said, most home PCs do not enforce any real concept of user roles.
On a typical Linux box (e.g. Ubuntu that I use) by default I can read other's documents, but not modify them (so no encrypted file blackmail), nor can I install any system-wide changes (change programs, alter web browser settings, redirect DNS, etc).
@I like this reasoning...
"The only viable defence against fatal road accidents is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to drive cars."
Yes, like a driving test perhaps?
And jail time and/or losing one's license for doing really stupid things on the road?
We are used to the concept of education and control where there are obvious physical consequences from our actions, which is why we limit the freedom to do certain things until one has demonstrated some degree of relevant skill and responsibility.
Computers on the other hand don't seem to be covered as there are no 'real' consequences from users' ignorance (or sometimes utter stupidity). Other than fraud of course. And blackmail. Oh yes, and extortion via DDoS attacks...
"information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack"
More like RSA were p0wned completely but did not want to frighten the shareholders...
Anyone else talking?
Probably you are right, but I am pretty sure it was MS who came up with the dumb idea of autorun.
Not to mention no "execute" permissions, so programs/scripts run on the basis of file extension.
I think NTFS ACLs support execute permissions, but who understands and uses them on their home desktop? And how much Windows software would just break if it were to be turned on by default?
To compromise the user's own account in virtually all cases needs no password, but to take over the machine is a problem needing sudo rights.
Given most home PCs are used in "single account" mentality, that is not a whole lot of protection :(
Back to meaty education for all I'm afraid.
A lost battle
Trying to detect bad applications seems to me to be a wasted cause - just how effective is AV really? Most Windows boxes I have seen were taken by stuff that either (A) evaded the AV, or (B) convinced the meaty one that they really wanted/needed to install it.
Given the near infinite options for black hats to adjust their product to evade detection (a trojan need not keep a specific exploit trick that a virus needs, after all), and the time lag in AV catching up, it appears a lost cause. But lucrative to the AV snake^b salesmen of course...
So Mac is now targeted and failing, it seems partly due to "ease of use" installs that Windows foisted on the world so that uneducated masses could use computers more easily.
Linux would/will as well, given the behaviour observed on the machines I have set up for family/friends (dubious .exe files on the users desktop, WTF?)
The only viable defence against Trojans is in the meaty world: you either (A) educate your users to be suitably paranoid or (B) flatly deny them the ability to run/install arbitrary software.
Ideally (C) do both.
Balls in the vice
Must be nice for all those IBM customers to know they can't fart without paying IBM rates.
Is there really such a cost/performance advantage to mainframes to make such lock-in worth it? Or are these customers all dependent on legacy stuff that they just have to grin and accept each turn of the vice handle?
"Allied Telesis is reportedly working on removing the leaked documents from the filesharing sites"
Meanwhile we look forward to getting the mushroom cloud back in the sphere of plutonium...
Hmm, apart from making the usual smug comments about the most hacked system in history, it strikes me this is such a typical attack that any competently secured installation of Windows should have survived. Symantec say "the visiting computer is subjected to various application exploits" but no more details.
Have I missed the idiot factor?
"Best in class processors" is a good joke.
Methinks the real reason they won't use their advanced fab to make an ARM chip is it would show exactly that point, that x86 is a piss-poor underlying design.
"I poll the drive's SMART temperature sensor just twice per second"
2Hz? Why so often?
The thermal time constant of a HDD with all of that metal must be of the order of high tens to hundred+ seconds, so I expect you could poll every 10-20 seconds and have sufficient margins for control system stability.
I expect that would lead to <1% loss in speed, and you get the disk's health as well.
@no such thing as free healthcare
"when in fact they are paying more on average, through being taxed and paying a government bureaucracy to manage things, than if they paid upfront for the service"
How much do Americans pay on average for health care (I include "company cover" which is of course also a stealth tax)?
How does this compare to the UK (e.g. NI minus the pensions part)?
I know of a late family friend from the USA who came to the UK for 3 weeks of holidays and *private* dental treatment as it was much cheaper than just getting it done in the States.
Unfortunately he did not provide financial details, though his actions speak for themselves, but clearly you can back your statement up?
@Hard disks get hot
Yes, they get hot and need cooling, but at my desktop here I can look at their temperature using my RAID card as it simply asks for the SMART status.
Any 'pro' machine that is not monitoring the SMART status is basically a failure, as it provides warning of disk problems (but not always) before you begin to lose data, so why not use it for the temperature?
And before anyone asks about the loss of control when the OS crashes (on a Mac, never! they scream) you just have the fan controller with a watchdog timer - no OS updates for X seconds and fans go to maximum speed. Simplez!
Fail, for Apple pissing on its professional customers.
Why no sign of an ARM based one that is not limited to 1-2 hours battery life?
Or don't they have Chrome, etc, working well enough (if at all) on non-x86 hardware?
Meet the new MS, same as the old...
Choose the one that sucks least
Really, all operating systems suck, and the task is choosing one that provides the least hairy-mouth experience for you users and IT staff. At the risk of stirring up the fanbois (and gurls) here is my take on it:
1) Windows XP has maturity, and the best range of software and tools. Also the best range of malware by far. On its way out, and the final death of IE6 will be a relief to all, including Microsoft.
2) Windows 7 shares most of XP, but less legacy software and hardware works with it. Needs more (i.e. modern) hardware to enjoy using it, and to get the best deal with the malware or the joke that is AV software.
3) Apple Mac solves a lot of the security issues, but less software support. And costs a lot more for hardware. Jobsian control freakery an issue long term, but most folk like it as a few key things like Office and Photoshop are available natively for it.
4) Linux has the security of Mac (if not better) and freedom (speech and beer), but not much in the way of mainstream tools work "just like that". Helps if you have a fez, and maybe a beard. Would help a lot if they could stop dicking around with the desktop and fixed known bugs - looking at you Canonical.
Training of your users is needed no matter what you do, and if you think going from XP to 7 is no problem for Joe Average (and not typical El Reg reader) you are a fool.
If you are dealing with reasonable staff, then mixing Linux or Mac for the host and running VM(s) of XP, etc, for legacy stuff works and makes security better, if a bit more involved to manage.
But don't trust my opinion, I don't have a fez.
There goes any semblance of helpful tech then :(
"Nokia *management* couldn't find their arse with either hand"
Yes, I believe you are quite right there.
I feel very sorry for Finland and all of the engineers tossed out by this dumb move, and just wish they could have culled the right people earlier.
My first 2 phones were Nokia and great, sadly my 3rd was an HTC Wildfire as the competition was too expensive/controlled (iPhone) or just a bit crappier.
@Good news! Extra efficiency!
You don't get it:
Apple are "efficient" in that they have a clear vision and design good products around that - their R&D is money well spent ultimately as it sells well and returns the investment several times over.
Nokia on the other hand could not find their technical arses with both hands, such was the range of competing and ill thought out products they developed and which management seemed unable to guide.
Nokia needed to change, to streamline and set user-focused goals. Instead they have been lobotomised and handed their future to MS, who as we all know have a very bad reputation in this area.
subject to control freakery.
ask former Sendo employees.
Did they mention MS?
Did they cover how dumb Outlook Express' design was?
How easy it became to spawn a tsunami of crap by using a really, really stupid feature that some wonk at MS thought was cool?
When I read "Meltemi" I thought of the Wicked Witch of the West melting.
Nokia + MS = corporate equivalent it seems. Sad day.
Reliability and NOx products
My concerns are the issue of reliability given the generally dirty-ish inside of a combustion chamber where one might expect a fair proportion of the energy is lost in the window's surface after some time.
Of course, then the cost of the laser assembly.
And the opportunity for idiots to play with them outside of the engine.
Finally, I thought one problem with leaner burning engines was high NOx products? Can anyone knowledgeable comment on that aspect?
"first pays a $272,340 deposit, which they claim represents half the cost of supplying the documents"
Are they paying monks to transcribe the documents using gold-leaf decorated calligraphy or something?
@Total non story
"Nothing of any value is done on the windows boxes"
Except maybe store the home addresses, social security numbers, photos, and other personal data of those who do have access to important stuff?
Not that a Chinese (for the sake of argument) agency would then consider a more traditional spy approach of, say, compromising and attempting to blackmail or convert said workers to agents, would they?
@Two things I don't understand
Point 1 is down to the 'embed everything' attitude of MS where something like a spreadsheet is ABLE to run external things, probably a flash object (as that is a common source of holes in getting through). And often there are dozens of ways in Windows to elevate privileges once you can run arbitrary code to do more mischief.
Point 2 is one of life's WTF? questions that is never adequately answered.
As I said, most hacked software in history. Whether a lot of that is down to its popularity is a side question, no doubt some of it is, but it means that even for a similar situation (say hypothetically Linux and Windows had the same number of exploitable bugs) you have far more black-hat skills to deploy against MS' crock.
And yet it is chosen for a sensitive lab? FAIL
Google learned this the hard way and did something about it - changing to Macs. Not perfect (fanbois won't understand that statement) but it reduces the attack opportunities a lot.
It would help, but it is NOT the whole answer. Yes you will reduce the number of attempts at penetrating the system, but it is only one aspect.
You need 'security in depth' as each layer always has *some* way of being penetrated.
As seen here, and several other places recently (Google et al, French & Canadian gov, etc) Windows/IE/Office/Flash has been a juicy orifice for entry.
Valuable site uses most hacked software in history, site gets hacked.
In related news: Pope thought to be Catholic.
The main "Advanced Persistent Threat" seems to be the prevalence of Windows, IE, Adobe Flash & Acrobat these days. Will no one rid us of this scourge?
Any sign of them using non-Windows based attacks yet?
So far it seems to be IE and that basket case of security, Adobe (pdf & flash), in the approach.
@security holes you are looking for
Funny thing is, the security model of MS' OS has been migrating its goalposts for some time. A lot of stuff developed for and working fine on w2k fails on XP, and stuff for XP fails for Vista/7.
This is more complex than you suggest as MS has changed (or been forced to change) the rules a number of times.
At the start of w2k/XP they should have screwed it down tight and just said "tough" to any application that did not work, user logged in as admin or otherwise. They did not, simply as too much money was to be made keeping compatibility and not having users keep the old 95/98 OS or defecting to something better.
What UNIX-origin programs do on Windows comes down to how easy it is to adapt, as the models are very different, as are the user's expectations, and it is often not the main goal of the developers. FF is a bit of an exception sadly.
However, the main difference is UNIX-like programs know they *won't* get admin permissions by default, so have been written more sensibly for native use. Back to the article, I think the main thrust of it is "MS poo-poos bug report as unusable, researcher uses it". Sadly seen that before, and not just MS.
I think they provided the piss-poor system in the first place. The attackers had it easy with hard-coded passwords that *could not* be changed.
Add the usual sprinkling of MS holes and it was not mind-blowingly hard, even though it is quite a first in targeted attacks that actually did something obvious.
@World IPv6 Test day
Just tried http://test-ipv6.com/ on my home linux PC on Virgin cable broadband:
"10/10 for your IPv4 stability and readiness, when publishers offer both IPv4 and IPv6
0/10 for your IPv6 stability and readiness, when publishers are forced to go IPv6 only"
Uni not only players
Also remember that it is not just universities that have big IPv4 allocations; some US companies and gov also have far more than is needed.
Are those addresses well used? It is true that some new projects could use them and justify a student block per uni, but most PCs are just for office admin and lab work, and would be best behind NAT anyway.
@Take IPv4 addresses away
In general, you are right about universities having way more IPv4 addresses than they need. My own department has a 255 block for a couple of dozen machines. Only a couple of them need a world-facing static IPv4 address. I expect most universities could get by with only 254 IPv4 addresses in total.
As for the virus/zombie issues, that is down to Windows as #1 reason, followed very closely by the number of 'personal' computers on the networks without competent administration. The computing equivalent of "A lawyer who represents himself has a fool for a client".
"Why use LastPass?
LastPass is a password manager that makes web browsing easier and more secure.
Oh the irony! A 'security product' you can't find out about unless you have the web's most insecure multi-platform orifice installed!
The real question is responsibility. But that applies also to those with infected computers. It is high time that those responsible for the running of computers were held accountable, maybe by forcing the suppliers of certain well known operating systems to also have some responsibility.
Yes, getting a virus to remove itself, or to run a clean-up program, might bork the system, but it was ALREADY BORKED! Just the user was not aware that their system was open to the bad guys for any sort of exploit they may dream up.
In a critical system like the NHS or defence, then WTF are they doing not taking sufficient care or corrective action?
Solution - send a message telling the owner to fix it (by getting a local computer professional to deal with it, not this "download blah-bla-bla" business) and then a week later run the virus removal. If it works, the PC is clean. If it is broken, tough, as the owner already had sufficient warning and was complacent in their own downfall.
"a company like Microsoft would be destroyed if it gave away data through a lapse in security"
Not like infected windows boxes have been doing for years and years then?
Oh sorry, this is "the cloud" so normal rules of trust don't apply...
True, but... we don't know whom AC #1 has to deal with:
Situation #1 is he/she is plodding along with a lame security set up and fending off irate users taken by surprise when their Windows box is hosed yet again.
Situation #2 is they are doing all that is humanly possible, but are faced with a combination of witless pointy-haired bosses and complete lusers who manage to pull defeat from the jaws of victory every time by running as admin and acting like an utter moron (or allowing their kids free rein as admin as well).
Who knows? Should we ask tux?