992 posts • joined Thursday 15th March 2007 16:58 GMT
"replace Win2K and XP boxes with Win7"
Except in a lot of cases they can't. Why? Because older systems may only have drivers for w2k, and maybe not signed ones at all, so they won't work under win7. Most likely a whole lot of other niggly differences will mean it just won't work without getting new software for the control system.
And maybe you can't, then what? The original supplier might be out of business (or assimilated in to another and skills lost) or just not supporting your old hardware any more.
So new hardware then? Ah yes, but maybe it is not exactly the same, so now you have to change all of your associated software and hardware to account for the differences, then fully test and debug it before making it live, etc. You do still have the folk who installed and understand your old system fully I hope?
So there you have it, the real cost of a proprietary system - they decide when you get stuffed for support. For example, w2k will never be fixed for the thumbnail previewing bug, or dozens of other ones identified recently that hark back to old Windows code. Soon the same fate will befall XP.
Considering a lot of industrial systems are expected to last 10-20 years, it is a joke to use software with typically 10 years or less support and no come-back.
At least with Linux you have the opportunity to fix it yourself, maybe hard to do in cases, but it is possible and no one will wave an EULA telling you you can't do it.
We still use some DOS based software to control our antennas, written originally 20 years ago. Why change when it works?
However, we now run it using dosemu on 32-bit Linux, as you can configure it to have direct hardware access so the legacy stuff works (a security and multi-user no-no usually, but this is a special case). Only thing that I don't think is currently emulated well (if at all) is DMA access, but we did not need that.
We even got the dosemu project to accept our patch so dosemu can be configured to keep the NTP-disciplined time of the host, a huge advantage over the old system!
This gives us the advantage of keeping the tried and trusted control software, but with a modern OS with secure remote access via ssh, decent networking, journalling and/or RAID file system, accurate time keeping, etc.
windows+virus => fish+barrel
We can look forward to all of the usual comments here, including mine. They used to say "no one got fired for buying IBM" which was based on the generally high quality of the product, even if the cost was possibly too high.
Maybe it's time folk started to get fired for using the most infected operating system in history for safety-critical applications?
And yes, I know that you *can* make Windows reasonably secure, and I have personally used it for years without infection, but that is because I am semi-knowledgeable, fairly paranoid, and probably lucky as well.
But I also know that every Windows system I have seen with friends & family, irrespective of AV products used, has been compromised sooner or later by simple mistakes. There is just *so much* opportunity to infect a Windows box it beggars belief. Protecting against infections is really hard work, and clearly in this case they failed to do so.
@Henry Wertz 1 & @Nigel 11
Thanks for the clarification, though my Ubuntu set-up did offer the option to start software it found.
Thankfully not starting by default, but most users won't think twice when offered! I changed the Nautilus settings (Edit -> Preferences -> Media) to "do nothing" but wish there was an easy way to impose such changes system-wide on all users' profiles to begin with.
What bothers me a bit is the default for mounting FAT/NTFS formatted drives (i.e. virtually all USB sticks, etc) where the permissions are 755 (i.e. everything is executable). That should be disabled so files are 644 and directories 755.
While accepting that nothing can be completely safe, I would like to see no-execute on external media (maybe an enable button so you can run CDs?) and only a few specific AppArmor shielded applications being allowed to preview the contents.
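The mount-permission point in the comment above can be checked mechanically. The following is an added example, not part of the original post: it reads mount-table lines (the six-field layout shared by /etc/fstab and /proc/mounts), works out the file mode that `fmask`/`umask` give on permission-less filesystems, and reports whether `noexec` is set. The sample table, the status labels and the 0022 default mask are assumptions made for illustration.

```python
import re

# Filesystems with no Unix permission bits of their own: the mode every file
# appears to have comes from the fmask/umask mount options.
MASKED_FS = {"vfat", "msdos", "exfat", "ntfs", "ntfs3"}

# Constructed sample (device, mount point, type, options, dump, pass).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,uid=1000,gid=1000,umask=0022 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,noexec,uid=1000,fmask=0133,dmask=0022 0 0
/dev/sdd1 /media/My\\040Stick exfat rw,nosuid,nodev,uid=1000,fmask=0133,dmask=0022 0 0
/dev/sde1 /media/usb3 ntfs3 rw,nosuid,nodev,noexec,uid=1000,fmask=0022,dmask=0022 0 0
"""


def _unescape(field):
    """Mount tables write space, tab and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_options(opt_string):
    """Turn 'rw,noexec,fmask=0133' into {'rw': '', 'noexec': '', 'fmask': '0133'}."""
    opts = {}
    for item in opt_string.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def effective_file_mode(opts, default_mask="0022"):
    """Mode regular files appear with: fmask wins, then umask, then the
    default (assumed 0022 here, the usual process umask)."""
    mask = opts.get("fmask") or opts.get("umask") or default_mask
    return 0o777 & ~int(mask, 8)


def audit(mount_table):
    """Return (mount point, file mode, status) for each masked filesystem."""
    findings = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        mountpoint, fstype = _unescape(fields[1]), fields[2]
        if fstype not in MASKED_FS:
            continue
        opts = parse_options(fields[3])
        mode = effective_file_mode(opts)
        has_exec_bits = bool(mode & 0o111)
        noexec = "noexec" in opts
        if noexec and not has_exec_bits:
            status = "hardened"        # 644 files and noexec
        elif noexec:
            status = "noexec-only"     # kernel refuses exec, files still look 755
        elif not has_exec_bits:
            status = "no-exec-bits"    # 644 files, but noexec not enforced
        else:
            status = "executable"      # the 755-everything default described above
        findings.append((mountpoint, f"{mode:04o}", status))
    return findings


if __name__ == "__main__":
    for mountpoint, mode, status in audit(SAMPLE_MOUNTS):
        print(f"{mountpoint:20} files={mode} {status}")
```

On a live system the same function can be fed the contents of /proc/mounts or /etc/fstab instead of the sample.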
While it is true it won't protect against real-time tampering with your access, in most cases that would be apparent and so possible to report quickly. Also it is a much bigger challenge to write malware to automate the actions of taking over/tampering with an account in real-time, compared with just passing on the details to someone for selling/exploiting later.
So, yes, it's not total protection against a compromised PC but it's a lot better than nothing. Of course you would be an idiot to knowingly use an infected PC, but making things harder for the bad guys, and making detection of malicious activity easier, has to be a good thing.
Tux, my current friend against 99.9% of malware.
Given this capability is likely to be routed through the OS, how long until Windows has a virus/trojan that allows remote access to the OTP as well as key-logging so the bad guys again have all they need?
The big advantage of the key-fob is (a) you can use it on multiple PCs, including untrustworthy ones, and (b) it is not connected to the internet and thus virtually immune to malware. Biggest disadvantage is various banks and so on all having different systems so you have a fist full of junk to carry with you if you want access on the move.
Why not have a way of using one OTP key fob with multiple accounts?
@Thin end of the wedge?
While I am all for making Linux nice to use, that should not be at the expense of basic security!
Autorun was a dumb idea, and should not be copied in to Linux just because lazy/ignorant Windows users like it. In fact, running anything off USB should be disabled by default with root permissions to enable it.
Without trying to sound too condescending, anyone who does not know how to copy, change permissions, and manually start software has no business running new stuff in the first place. Someone needs to know how to set up and protect the PC, most of your company/family does not, and allowing any simple execution of code is a disaster waiting to happen.
@Who still uses windows?
A depressingly large number, I'm afraid.
However, while I still use XP and 2000, it is a VM on Linux now, and I generally disable networking and USB access wherever I can, in addition to having turned off autorun on ALL drives by the registry tricks.
Really, as already said in these posts, autorun was a dumb idea in the first place and only sustained by those who cared not two hoots about security and freedom from crud ware.
RIP Ken & DEC
We had PDP-11/34 computers when I started some 25 years ago, though they were replaced by PCs and Sun workstations by the 1990s. We had stuff hung off the CPU bus and still marvel at watching the huge HDD units working away, for all their minimal storage by modern standards.
VMS was rock solid from what I know, and it's a real shame they did not do as well as they could have. Also a real shame how "HP" dropped the Alpha processor (as Itanium was going to rule, eh?) and generally dumbed down all they had acquired.
Thanks for the advice AC. Yes, you are right as there are things like the "NTFS alternate data stream" that have no obvious Linux equivalent so really need a Windows-based server to access them reliably.
[One could argue that is a dumb feature, mostly of use to hiding Trojans from what I have seen, but the fact it *might* be used in a key application needs to be considered for a reliable backup/restore]
Clearly there are a lot of things to be considered when you have block-based SAN/iSCSI plus the need for centralised and efficient backing up. Will el Reg step up to this challenge?
Very good suggestion, though you need to know just what users have in place and a server that supports all of them. I guess for typical use (mix of Windows & Linux) you only really expect to have NTFS and ext3/4 to mount for such nifty tricks, so I guess most Linux boxes will do it.
I am not sure quite how selective restoring of file(s) would work. Probably you need to take the current volume off-line (so everything is consistent) then mount on the tape server, restore by file, and re-mount on the user's machine?
Missing the point (again)
Most users want files, therefore they really want a NAS.
Few users need block storage, and typically only for some high end things like databases or sucky email servers (actually, if you know one that does not suck, please let me know), and for most users they would see the SAN through a server which mounts the file system(s) of choice over it.
Cost & reliability are often correlated, but not sucking at something is sadly rare :(
As others have pointed out, you can have block access using iSCSI from a NAS-like unit, so you can have all of them in one device.
Backing up? Now there is an interesting situation, as block SAN has no internal idea of *what* each block holds, so you can snapshot and save, but not on a per file/per user basis, and you can't exclude crud like user's browser cache, etc.
With a NAS you can do both (snapshot and selectively backup/restore).
However, you need it to run a file system and protocol that works for your users, and there are some applications (both Windows and Linux) that seem broken on network mounts due to them not completely behaving like the low level local file system expected. Crap design for sure, but if you must use them and have remote high reliability storage, you may need SAN/iSCSI with your user putting the file system on the served-up block to solve that problem.
Ultimately, you normally want something to keep all key data in one reliable place, and to allow proper protection by replication/backing up so your users don't have to. As they won't in most cases know or care until it is too late...
Sad but predictable
Using a massive cluster "to parallelize and execute Excel workbook macros" makes sense to those who don't consider using proper math/statistic tools for the job.
Yes, you may be able to re-use 'business skills' but considering the problems of validating complex spreadsheets, poor data typing, the lack of proper program structure, version/change control, debugging issues, etc
My heart sinks at the idea of it.
@What about the Apple tax? etc
You don't really get the idea of an oligopoly do you?
Apple has a small share of the PC market and they ship their OWN software with it. Same for a number of smart phones, and at least most smart phone manufacturers offer several products with different OSs (Apple an obvious exception, but it is their own software).
The issue here, for the hard of thinking, is the majority of desk & laptop computing devices are ONLY available with MS Windows. And MS has a long and inglorious history of illegal and immoral business practice in this area.
I really hope the Italians stick to it, as the UK regulator told me it was not important enough to investigate. As I have already said, why not pay MS at activation time? Solves all of the issues without dropping Joe Public in to OS installation hell, and also could be used to force MS to deal equally with all suppliers, thus eliminating any residual anti-competitive pricing practices.
@Build your own?
What about a laptop?
And while I know there are a few good guys out there (like Novatech in the UK) who give you the choice, most don't.
So how about this: you get MS pre-installed (so Joe Average has no faffing about with installation CDs and drivers, etc) but don't pay for it until you activate it, where you then pay MS directly?
This uses MS's own established anti-piracy feature to its best effect, and makes user aware of what they pay to MS and the value they get. Anyone who is wiping it then has nothing to pay as they simply don't enter their credit card details when MS asks.
Yes, maybe "you can have Windows 7 Starter Edition instead at no extra charge" since MS want to avoid competition, and you still have the issue of (1) the overwhelming malware choice for Windows at 99.9%+, (2) the lack of a central install & patch system for things like Flash, and (3) the slightly higher hardware requirement.
This is for folks with essentially no computer experience, so Windows, Mac, or Linux, it makes no difference as they have to be trained anyway. In addition, they have little or no interest in PCs, so are not bothered about range of applications, games, etc.
Web access - check
Email - check
Photos - check
Word processor - check
Linux does them all, just so long as they are set up by someone half-competent, unlike some of the commercial efforts so far.
No surprise here - move along
I am in favour of Galileo just because I think the EU should have the technological capabilities to design, build and operate sat-nav on its own. Compared to how our glorious leaders were prepared to piss away £Billions on oppressive ID cards, this seems like money well spent.
But I always laughed at the assertions that it could some how pay for itself. That was typical of two-faced politicians desperate for a public justification, but no one with an ounce (or few grams) of technical sense would believe it.
SpiderOak looks good
Assuming it is all honest, then SpiderOak looks like the sort of answer to on-line backup/syncing, client-side encrypted hence no real worries about where the servers are, etc.
Still, keep your local copy just in case!
I agree, there are a lot of questions that *everyone* should be asking of on-line providers, and I guess the above list covers the key ones. In fact, the simplest of all is this:
Do I have the encryption key, and it is not known to the storage host?
For most other factors, where the data is held, what happens if they are bought/liquidated, etc, they become less important as they cannot DO anything with my data as they don't get it plain-text.
OK, you have to ask what happens if it vanishes, but again you must look at the 'cloud' as a good HDD, not as a complete solution. You should have 2 copies of your data no matter what! 
And I know the arguments about de-dupe, but surely you could have a user-side client encryption that is block de-dupe friendly by encrypting blocks of the same size (4kB, 64kB?) with the same key-based pattern so they still de-dupe even if the plain text is unknown?
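The de-dupe-friendly client-side encryption suggested in the comment above can be sketched as deterministic per-block encryption, where the IV of each fixed-size block is derived from the user's key and the block's own content. This is an added example, not part of the original post or any provider's client; `BlockStore`, the key labels and the HMAC-SHA256 counter-mode keystream are assumptions, the last a stand-in for a real deterministic AEAD such as AES-SIV because Python's standard library has no block cipher.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096   # fixed block size, one of the sizes floated in the comment
IV_LEN = 16


def derive_keys(master_key):
    """Split the user's secret into separate IV and keystream keys."""
    iv_key = hmac.new(master_key, b"synthetic-iv", hashlib.sha256).digest()
    enc_key = hmac.new(master_key, b"keystream", hashlib.sha256).digest()
    return iv_key, enc_key


def _keystream(enc_key, iv, length):
    # Stand-in stream cipher (assumption): HMAC-SHA256 in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_block(master_key, block):
    """Same key + same plaintext block -> same ciphertext, so it de-dupes."""
    iv_key, enc_key = derive_keys(master_key)
    iv = hmac.new(iv_key, block, hashlib.sha256).digest()[:IV_LEN]
    stream = _keystream(enc_key, iv, len(block))
    return iv + bytes(p ^ s for p, s in zip(block, stream))


def decrypt_block(master_key, stored):
    iv_key, enc_key = derive_keys(master_key)
    iv, body = stored[:IV_LEN], stored[IV_LEN:]
    stream = _keystream(enc_key, iv, len(body))
    block = bytes(c ^ s for c, s in zip(body, stream))
    # The synthetic IV doubles as an integrity tag over the plaintext.
    expected = hmac.new(iv_key, block, hashlib.sha256).digest()[:IV_LEN]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("block failed authentication")
    return block


class BlockStore:
    """What the storage host holds: opaque blobs indexed by their SHA-256."""

    def __init__(self):
        self.blobs = {}

    def put(self, blob):
        digest = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(digest, blob)   # identical blob stored once
        return digest

    def get(self, digest):
        return self.blobs[digest]


def upload(store, master_key, data):
    """Encrypt client-side in fixed blocks; return the list of block refs."""
    return [store.put(encrypt_block(master_key, data[off:off + BLOCK_SIZE]))
            for off in range(0, len(data), BLOCK_SIZE)]


def download(store, master_key, refs):
    return b"".join(decrypt_block(master_key, store.get(r)) for r in refs)


if __name__ == "__main__":
    store = BlockStore()
    data = b"x" * (3 * BLOCK_SIZE) + b"tail"        # constructed sample data
    refs = upload(store, b"A" * 32, data)
    print(len(refs), "blocks sent,", len(store.blobs), "stored")
```

The price of de-duplication is visible in the refs: the host never sees plaintext, but it does learn which of a user's blocks are identical, and blocks encrypted under different keys do not de-dupe against each other.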
Clearly you have not actually used much else have you? Modern Linux (for 5 years or more I have used it) has a firefox icon that just does the business. How hard is that?
And my cowardly friend, you seem to have failed to notice these machines are for folk without PCs, so why should you expect them to be somehow a master of Windows or Mac use?
Think it through sunshine, you are suggesting:
(1) Windows, with 1M+ new viruses per 6 months. So who pays for Windows license? Who pays for or performs the cleaning up when the AV fails (as they frequently do)?
(2) An Apple computer that 2nd hand is still going to sell for way more than £100, unless it's unusable. And let's face it, most peripherals that fail on Linux are also failed for Mac for the same reason (secretive devices that the manufacturer only supports Windows).
While I have my doubts about the grand social plan here, I can't see there is anything technically wrong with the proposed solution.
Intel says "Windows is too bloated to be saved by an ARM processor", so people will keep buying hot power hungry x86 boxes to make it run acceptably fast?
Quite possibly true, and MS' announcement is all to stall OEM defectors to Linux who can compete with Apple on use-versus-battery life.
As for playing the 'HD video' card in his argument, surely that would be subject to hardware acceleration in the graphics chip set, no?
1) I believe MS have announced the server 2008 and studio 2010 are the last Itanium supported models.
2) How long did they support non-86 OS for, and how much MS software worked on it?
I know from experience that support/commitment from MS on non-86 was a joke. Maybe they will try harder this time, but I would wait and see.
More important will be the issue of how well the user enjoys the experience when most older hardware and software is not working, or not working well, on ARM based hardware. As that has been one of MS' key advantages so far.
The other has been bullying OEMs in to Windows-only, which I suspect is the key reason for the announcement, to avoid them defecting to Linux in order to compete with Apple, and thus avoiding users questioning if Windows is actually that good or needed at all.
Really it beggars belief that the value appears to be around $100 per signed-up user name. Just how are they going to earn a decent return on this money?
I despair that my future prosperity & pension is about to be pissed away by 'investors' once more.
Indeed, that is what is needed to sell it: A "life size" TV and plenty of African-American lesbian socialists, maybe upsetting the Tea Party, but in any case having fun.
But realistically, I won't be getting a 3D TV any time soon. A few of the 3D films have been worth watching, but at least the cinema has the scale and justification for putting on the silly glasses. Home 3D TV, unless it's no-glasses operation, is going to be a hard sell.
@I do get it
"You unfortunately WILL have to change your mindset as fundamentally the cost of supplying additional usable consumer capacity exceeds the additional revenue received from it. "
Sorry, but you still don't get it. At the end of the day it is *always* the consumer who pays, either directly (by the ISP fees) or indirectly by the ISP charging big business who then pass the extra fee directly back to us, the consumer, by their pricing.
We pay both ways. Think about it!
But in the "neutral way" the system is not rigged to favour the current big players by pricing out the smaller/newer players.
As for the uneven distribution of usage, it is quite possible to shape *end user* bandwidth so the system hogs don't cause too much of a problem. I have no big issue with that side of traffic management.
What I do object to is anything that deliberately favours or disadvantages an IP range, or a protocol, as it is no business of the ISP what I use the pipe for.
Don't you get it?
"The only thing is a mindset that says the internet is that plug in the wall and a freetard mindset."
Sorry to piss on your party, but *I* pay for my internet connection and as such expect to use it for what I damn well like. I don't want my ISP, who might well be in an oligopolistic position, to dictate what I can access freely or not.
And yes, I am well aware that "unlimited" internet is not technically or financially feasible, but I have no problem with reasonable charges based on what the ISP can deliver.
The whole point of regulating the ISPs for "net neutrality" is to prevent anti-competitive practices, either directly (where they favour their own business partners) or indirectly (where they charge such that only big players can afford to gain a usable connection). Don't you understand that?
At the end of the day, I pay my ISP to be a "dumb pipe" whether they like it or not, and I expect them to sell what they can deliver.
Lack of competition, or unfair competition (e.g. selling an access package they can't deliver at a lower price than a more honest ISP), is not helping the industry at all.
Looking at the successful internet companies (e.g. Google, BBC iPlayer, etc) and expecting them to pay up is missing the point, I pay for my internet connection so I get to choose who I use, and those I access already pay (no doubt a lot) to access the internet at their end.
The key point is not Intel developing security measures, but what they do with that in the market place.
Situation #1 is they come up with an open standard for it, and this is well publicised so Intel and AMD can make bit-compatible implementations. Then McAfee and others (AVG, Avira, ....) can implement software that uses them to the advantage of all customers.
Situation #2 is they implement a secret, and potentially untrustworthy system where only McAfee can make much use of it, push it out with strong marketing and FUD, then screw the users for every $CURRENCY_UNIT they can.
Now can you guess which is more likely?
Yup, too trusting
Sadly I have seen this sort of behaviour as well.
Currently Tux is my answer as it's harder to subvert and much less of a target. Sometimes I contemplate taking away admin rights, as even a hypothetical 'perfect' system is only as secure as the fool, er family/friend, who is able to make system-wide changes.
Much as I dislike Google's power-grab of the net, there is a lot to be said for ChromeOS for users who just want web/email and light wordprocessing as you don't get the option of local store/changes.
Interesting article, but where is the beef?
No doubt we will see a lot of frothing in the commentary section over this since, if true, it is a serious compromise of software used by a number of security-focused companies and individuals.
But it also reads a bit like some cheap novel, as it seems unlikely something as fundamentally important (to the FBI, etc) would be open for discussion following a "10 year NDA".
So the real question, where is the cryptographic beef? Has anyone got evidence this succeeded?
I guess it is possible that some subtle flaws in key components might have been smuggled in, but again I also expect this mechanism has been studied by people knowing FAR more than I do about the matter. So where is the evidence?
Either way, I still trust open source far more than Windows!
Yes, there appears to be the full-disk mode, but reading the section about the rescue disk, it brings up the issues that dual-boot had with some software - they bugger-up the boot area for "activation" reasons (i.e. worse-than-usual DRM), and the problems of fixing a broken system (for whatever reason):
So while it is possible, it may prove to be unreliable in practice. Also, from my own experience of dual-booting XP, sometimes it gets screwed by AV which assumes (incorrectly) that a boot loader change is an infection.
But I thought you were a leading lesbian on-line magazine?
Truecrypt - full disk?
The problem you have with a lot of laptops is Windows, and its tendency to 'bleed' information all over the file system.
While you can, as a smart user, make sure your documents & email are in the truecrypt drive, only to find stuff like password hashes, etc, stored elsewhere. And you need to boot windows first to run truecrypt...
Hence the advantage of hardware encrypted HDD - no real performance penalty and the whole OS, of any choice, is secured.
Box evidence not important...
...what matters is the linking of the phone number to the pizza order and delivery. And for that they will have the phone company logs, and the testimony of the pizza employee(s) involved.
So while the box's details may be dismissed as 'unsafe' evidence, the actual information is corroborated elsewhere, and I don't see why it would also be considered tainted.
Unless it had anchovies...they taint most things.
Paris - well put 2 and 2 together and you get...yes 69!
Welcome to the 21st century's version of the witchcraft trials...where the accusation alone is enough to ruin a life, and those who make false accusations rarely, if ever, face charges over it.
HDD encryption - a solution now?
I thought the current generation of hardware-encrypted HDD provide a pretty good answer to this, so long as the laptop enforces its use with a non trivial password whenever it is closed/idle for long?
Of course, that alone is a problem as users don't like password-locked screen savers, but at least there should be little performance loss, and no worries about the OS caching sensitive stuff outside of your chosen encrypted folders.
Presumably you can get those supporting two (or more) passwords, the user's one and a separate admin one to fix it when the user forgets/reveals their password?
If so, WTF is Intel gaining from $billions of McAfee?
Both as bad
MS has a long and inglorious history of poor security and poor (often deliberately so) interoperability, so they can't claim anything for that.
But as a user of Google's "professional support" I can confirm it is piss-poor, with simple requests (e.g. being able to control our own email filtering of .zip and similar attachments) being fobbed off as something they could not/would not do for us, but maybe if we posted a request on an open forum then maybe, maybe just, an oompa-loompa would do something about it.
FAIL for MS, and for Google.
Of course he does not want 'practising' homosexuals, he wants ones that are good at it!
Either way of putting it (fnarrr), it is the waist to hip ratio, and I seem to remember reading that around 0.7 (i.e. the 'hourglass' figure) was both most attractive to men, and also good for child bearing.
The latter being a good evolutionary reason for men liking it. Or more precisely, the reason that men who like curvy hips tended to have partners who had children successfully in pre-successful Caesarean operation days, who presumably inherited the tendency to also like it.
The good news for women is it is not the size of your bum that matters, but the proportion. And ignore the women's fashion magazines, who are not actually targeting men.
Wait a minute, why am I bothering? this is an IT site!
I have no interest at all in gay men, but unlike this politico, I don't feel threatened in the slightest by them. Why should I? The best evidence I could find is this analysis from the OKcupid dating site, which supports my view:
Maybe he needs to get out more...
I like the one about the Unseen University's research pushing back the boundaries of ignorance...
The new MS
Sounds a lot like Microsoft's anti-competitive actions that significantly contributed to the killing of DR-DOS, Netscape and others by rigging the playing field of the desktop PC. Funny how any dominant business eventually turns to dirty tricks to keep itself up there...
But I also agree with Anton Ivanov, I don't want my search results polluted with comparison sites so they should be a separate area of the returned results.
Unless the Swedes, for whatever reason, find they must deport him back to Australia for trial there.
And that flight somehow ends up passing through the USA...
"creating invisible lead soup"
I thought the Chinese already managed that, otherwise what is one-ton soup made of?
"you will have no problem if the US starts intercepting all your communications"
I guess you have not heard about the warrantless wiretaps the USA has been using on its own citizens then?
Or indeed that it has done so on "foreign" citizens who, of course, do not get the protection (for what is left of it) that the US constitution is supposed to provide?
While I can see that diplomacy needs a large degree of privacy to be conducted effectively, I must say the actions of the US in recent years, both militarily (e.g. the invasion of Iraq on doubtful grounds) and legally, such as the odious and ill-named PATRIOT act, and their actions in pushing a US-centric bullying approach to copyright (e.g. the ACTA negotiations being held in secret, even from our elected representatives) result in little sympathy from me when this happens.
@We are not typical
And thank $DEITY for that!
I don't think most of us believe that it is possible to block pr0n effectively, and most of us do not want to. The issue here is what represents the best overall solution for children and free society as a whole.
My view is it comes down to education and supervision at the early (i.e. most vulnerable stage) so as children naturally develop an interest in things sexual through puberty, they have the sense to know good from bad, and the restraint from accessing that inappropriately. Thinking for themselves, in other words.
I don't want a knee-jerk government or lobby group telling me what to think, or what I can access where the subject is in fact perfectly legal to do. I believe that is my own decision to take, and parents should those decisions to a point, then allow their children to do so as they mature.