1591 posts • joined 15 Mar 2007
The issue is not about releasing classified information for the hell of it.
It is about showing the public when they have been lied to by the leaders, or in a number of cases where the (majority) of leaders have, it appears, been lied to by the agencies that are supposed to be under their control.
Can you suggest a better route to defining what those agencies should be doing? So far our leaders have not been willing or able to, or are in favour of that but not telling us.
The success of democracy depends on an informed public, and if we are not being told honestly the magnitude and general nature of such activities, we are not able to exercise that right.
Reading too much in to it?
The reference to "war" might be nothing to do with real guns & bombs war but something related to silencing those who are doing the (fairly responsible) releasing so far. Recently Cryptome have been a bit paranoid about site access, etc, though maybe with good reason.
Time will tell.
Update all at once?
That makes sense for laptops, etc, which get powered up/down irregularly so having two root partitions that toggle once safely updated makes sense.
But for a main OS then every update means a reboot. OK, that might be part of the overall system design and fail-over strategy for cloud use, but you can say goodbye to updating just a broken library, etc, with the rest of the machine (or at least that kernel) and running processes keeping going.
Sh! <quiet voice> It is the same one </quiet voice>
Lessons of history, etc...
Put stuff on internet, watch it get hacking attempts.
Put critical stuff on internet, use software that was developed historically for stand-alone use, find patching said system is a major PITA because the hardware etc out live the software development cycle time-scale, and watch it get hacked.
Again, and again.
Re: Did you get the memo?
I know Vista is on security updates only mode, but given this was described as it "further enhances the security of Windows Update" I wondered why that was not covered.
Thankfully I personally don't have to deal with Vista on a daily basis, my own needs (which are not internet-facing) are covered by XP in a VM.
What about the few sad folk still unable to avoid suffering from Vista, is that not still considered a supported OS?
Re: In the year...
You are not the target audience, it is for Mr & Mrs Average and their family/friends/workmates who have little or no legitimate need to install or configure software on a daily basis.
Simply forcing them to log-out and back in with an Admin account is often enough to make them pause and ask "Is this really a wise thing to do?"
Most software is pants for security. But its not uncommon for key generators and hacked versions of popular software to have a "little extra" inserted.
"The survey estimated around $62.7bn worth of unlicensed software had been used last year."
Except almost all of that use would just vanish or be replaced by FOSS if the end users had to pay the full price for things on which this valuation is based.
Personally I am not going to support folk using cracked versions of software. If you don't want to pay in cash then use software that is licensed as free. If all of those pirates were to do that, I suspect BSA members would be even more worried...
Re: Target Market ?
It sounds pretty good in many ways, I can think of a few friends who would pay for this!
I would as well, if I didn't have a fairly new Moto-G to fondle for a while.
Re: @Matt Bryant
I think you will find it is the smart ones who are concerned by the over-reaching mind set of NSA/GCHQ/etc.
The dumb one of which you speak are too busy watching Big Brother/TOWIE/Geordie-whatever to care about that is being done in their name.
Have a down-vote, we all know you need some masochistic pleasure now you don't have Sun Microsystems to rant about.
Re: jail sentence
So AC, you think that today's world is just like WWII when Hitler was crushing people across Europe and committing genocide on those groups he did not like?
If you feel so happy about mass surveillance and gov organisations that act as if they are beyond the reach of the law, why are you posting as AC? Fancy a bit of privacy, perhaps?
"It introduces an incentive to “do a Netflix” and lobby regulators rather than invest in their own capacity and backhaul"
As if there is any incentive in these areas to invest in infrastructure anyway?
Lets face it, roaming works perfectly well for those on overseas SIM cards who do get to roam between UK network operators and they manage to deal with that OK. Same with banks using each other's ATM for customer service, they somehow manage to work out a financial compensation arrangement that makes it worth while.
I for one am 100% in favour of forcing this as the current status in sparsely populated areas is you are lucky to get any signal, let alone 3G, and it is not getting any better under the current business plans.
Not just MS of course, but the whole business model where you basically throw it all away in a few years once you find that repairing it is way too expensive even for parts like batteries that have finite known life.
Makes me wish that the EU or someone would introduce a legal requirement for a 5 year warranty so that suppliers had to up the game in terms of MTBF and/or make repairs a cost-effective options once more.
I'm personally willing to give up a few mm of thickness to gain that cost saving and landfill reduction.
The point is not that someone did something stupid like not change the default password when prompted, it is when:
1) The user is not subject to any reasonable attempts to point this out to them, or
2) Said password can't be changed (looking at you Siemens' SCADA equipment), or
3) Software supplied is subject to a known flaw (e.g. Heartbleed) and they DO NOTHING to fix it.
All software has bugs, the issue is not that this will happen but that there will be lots of stuff that is simply not fixed because the manufacturers are too incompetent to do so, or just want to sell you another one.
If they were held liable for, say 5 years, after the product was on sale and for all bugs not fixed after a reasonable notification time (like the suggested 30 days), then maybe they would take it a bit more seriously. Of course it would cost a little more, but think of how much better we would all be if the race to the bottom on development, testing and support was halted in the name of security.
Re: You win or you die.
More likely that US consumers get a screwing.
Re: Secret Tech
Also a lot of these tools need physical access to fit them to the victim's computer. Generally speaking, if the bad guys have breached your physical security then you don't have much chance anyway. Also that ups the ante quite a bit, as someone (even if a corrupt employee) is there doing the fitting and risking jail-time it caught by CCTV, observant staff, security checks, etc.
Re: And what's the real subtext here...?
The networks are already able to block phones if they really want to. Even if they don't use the IMEI to block like they do in Europe, they can keep killing your subscriber account.
This just makes the phone more obviously blocked so it can't be as easily or profitable re-sold. Of course there will be ways round it, but make it too much trouble and eventually the druggies, etc, doing the robbing will realise its not such a pot of gold (or heroin) after all.
Re: SaaS, PaaS
Nope, all of the [X]aaS models are about locking you in to a steady revenue.
Unless you are too small to make having an IT support person worth it, or have such a variable service demand that buying peak-demand is too expensive, then just avoid it!
Roll up, roll up!
Bet your business on our service that we can and will change without any choice on your behalf!
Of course we won't do anything stupid to upset you. It not like we would foist a universally disliked UI paradigm on all customers, even though the majority fed back a dislike of it, would we?
The Wrong Trousers?
How compatible with other inductive phones will these wonder-pants be?
Re: Backdoors anyone?
Better or worse than closed source software from companies based in countries known to spy on us?
Re: No sympathy.
There are two separate issues that the court seem to rightly have asserted : firstly that IN GENERAL the police, or anyone else, needs a warrant for such private information. That is the whole point of judicial oversight. The second point you appear to have overlooked is the court also ruled that in spite of this point, the evidence in this case stands.
Overall this is a triumph of common sense.
"The goal here isn’t to keep the NSA out, because realistically they will find a way in if they really care about you. The goal is to raise the cost so that bulk surveillance becomes impossible."
Amen to that. We all knew spy organisation perform spying activities, but we thought/hoped it was targeted on the basis of probable cause and court oversight. By raising the cost of doing so, it becomes targeted again, court or no court.
The other aspect of this is likely to be a general improvement in security practice, something that also helps against access by foreign gov (for any given definition of "foreign" that fits) and criminal hackers.
Re: Biological sciences
I suspect that biological sciences produce too many who might have been boffins, but end up as "mad scientists" due to feeling the need for a personal Igor to assist in the lab.
Re: The socks have it
@Lester Haines - agreed, the deci-Pyke is better, and in keeping with the decibel.
@Gray Ham - It helps to name things after dead folk, as there is no risk of them returning to a normal low-energy non-boffin state.
Magnus Pyke's genius
I remember when he was asked what time is, and his answer was quick, funny, and at a deep level actually true: "Its the stuff produced by clocks"
Re: The socks have it
I vote for the milli-Pyke as being a new El Reg measure!
Agreed, to be a boffin you need to meet several requirements:
1) To perform research in to something technical.
2) Said research is to create something new and special (i.e. not just a slightly cheaper/faster phone or similar). Physics/astronomy theory might just get in there, but only if well beyond normal comprehension.
3) Points 1 & 2 are more important to said boffin than "normal" social activities. Not to say they don't enjoy a pub, BBQ, or anything similar, but are quite likely to head back to test tube-bothering at unpredictable times.
Re: This is quite credible
Er, no. A typical PC is pretty immune to mobile phone signals, otherwise it simply crashes. What you are thinking of is interference to the audio systems, but that counts for nothing really (bar spoiling your YouTube videos, etc).
As already stated, it is easy with lots of power to crash a PC but much harder, to the point of being virtually impossible, to crash selective sections. And the PC is already in a Faraday cage, called its box.
An attack based on bluetooth/wifi is much, much more likely as a large number of PCs have those enabled by default and mobile phones can communicate with them. Even if logically "off" it is quite likely that the protocol stack has vulnerabilities that can be exploited to access the PC.
Hell, I once managed to wipe the boot sector of an XP PC when developing a USB peripheral while using MS' own stack and drivers. So if it can be done there, I have no doubt it is at least theoretically possible with wifi/bluetooth if the hardware is on and listening, even if not supposedly used.
Do you know anything about what you are talking about?
Buffer overruns and similar attacks (e.g. mal-formed pictures) require you to actually get the have the PC do something with the data that is subject to a lack of validation. That is simply not possible with a sound system bar, perhaps, voice-to-text-to-command conversion which is hardly likely.
Same for other routes, to actually inject data to a system that is not expecting it (wired network, USB cable, etc) needs a LOT of energy, not something that is going to go unnoticed and not something you will get from a mobile phone meters away.
First time I got an ESD test gun I did the obvious - ignored the instructions, wound it up to maximum (above 18kV) and tried it on my PC. It was fine, but I crashed an old (pre-EMC regulations) PC in the adjacent office.
To do so took a lot of peak power, and it is virtually impossible to induce such a crash in a controlled manner to exploit it. It is not like a buffer overrun where you can inject code in a specific place, you induce data/address corruption in a GHz clocked PC and you have no idea of just where it is going to bork at.
I see no feasible way of pushing malware on to an air-gapped computer. The sort of RF power needed to flip bits is simply going to crash it. Unless it has something like wi-fi or bluetooth operating of course!
Getting data off an already infected but now air-gapped computer is within the bounds of belief, but unless you are looking at very special hardware (i.e. not a mobile phone) then the data rate would be very low as it is not so easy to get most hardware to generate a wanted modulated signal that won't be drowned by the usual chatter of data and address bus activity of both the PC and the phone (along with the usual spread-spectrum clock typically used to help meet EMC requirements).
Security through Obscurity
Fails one again...
Default (or lame) administrator passwords in this day and age?
Re: @Gordon 10
I think his point is the secret requests, and being paid to honour them (e.g. PRISM), were hardly discussed or much in the way of objections raised until the full extent was exposed by Snowdon, and now they find their revenue threatened so are having to grow some and challenge the legality.
"It's a bit shocking to be honest"
What, that they had not funded such an audit themselves with that sort of a budget?
Re: you scratch my back and I'll spend tax payers money on you.
It depends on what you use Amazon for. If it is cloud backup then you never have to send the keys - just have the TrueCrypt volume on there, even with DropBox that works (diff sync only changes/ sends the blocks that are updated not the multi-GB file).
If its a VM running something then yes, it is fairly easy to grab the system memory while it is running.
If $SPYAGENCY with billion $CURRENCY budgets is willing to go as far as knobbling your OS via a targeted update (as opposed to a general 0-day vun or _NSAKEY style of arrangement) then you don't stand much chance anyway.
Re: SELinux eh?
"a computer not connected to the internet"
Yes, that makes for a very useful smartphone...
Re: SELinux eh?
So, when faced with the two choices:
1) Trust me, and here is the NSA-supplied code to review
2) Trust me, I'm a big US company with NSA connections.
Which do you prefer?
I have had errors on trying to save in Word saying the document was too big to save - think some corrupted embedded objects were reporting '-1' as the size so 4GB or something.
Sadly only option was to delete said object, save, start gain and re-embed it. I just hate Word...but it is probably the least-sucking word processor :(
I have seen Word fsck-up on embedded equations and occasionally on embedded images on EVERY version from 95 to a fully-patched (as of a few months ago) version of Word 2010, that is 15 years of at least one unfixed bug!
Also seen crap from OpenOffice/LibreOffice.
Try some Marmite - the Devil's very own lubricant.
Re: An even better solution
From my recent cases of helping family & friends with their PCs:
Setting up Linux on a PC to stop the infestations (little ones have not worked out how to shag Linux yet), payment in kind was a bottle of wine.
Reinstalling Vista (against my better judgement, but they really wanted that), after getting them to spring for 4GB memory instead of 1GB it came with, result was 12 bottles of wine.
"How can anyone take open source seriously when major bits of software are managed by pouty children?"
Have you ever worked in a large company? The management layer can be every bit as bad, though for subtly different reasons.
In any case there are plenty of examples of closed source products that only ever got reluctantly patched once a breach had occurred, and not when they were notified of it. Should we not take commercial software seriously as a result?
Re: Buffer Overflow
It is possible, but often not done for historical or laziness reasons.
The most common problems are copying or printing a string of characters in to a destination that is too small, so it overflows into somewhere else that can then be exploited. The usual culprits in the C/C++ language are strcpy() and sprintf() (and similar) but you can often use alternatives such as strncpy() and snprintf() instead which take the destination size and enforce that limit (though with strncpy() you should also enforce nul-termination of the string as it won't do that).
If the destination buffer is allocated by the malloc() family, then in Linux you can also use the electricfence library for debugging and that puts each buffer in to a separate page and any violation results in a segmentation fault that you can then debug from the core dump. However, you would not normally use electricfence that for release code as it has a performance penalty, it is really intended for testing and debugging.
Re: And the clients?
"I mean what did they actually do ?"
Probably what most IT folk and businesses do - turn existing stuff in to a product/service that works/sells according to demand.
Re: Look at page 113 of the 'Greenwald' file
I think you will find slide "Page 113" is on page 27 of the PDF.
Re: "who are shamelessly stealing from TrueCrypt"
You might want to look up what stealing means. It implies depriving the rightful owner of something of value.
Given that the moral owners of the TrueCrypt name are not coming forward, and that there is absolutely no sign of them commercialising this product in any way, I don't see what is being "lost" to justify a copyright infringement charge, let along "stealing".
Sure it is an infringement of the license terms, but who is actually suffering? Certainly not the end users who otherwise would have to go to something else that might be much worse in terms of privacy.
Won't that need IE9 or above?
- One HUNDRED FAMOUS LADIES exposed NUDE online
- Twitter: La la la, we have not heard of any NUDE JLaw, Upton SELFIES
- China: You, Microsoft. Office-Windows 'compatibility'. You have 20 days to explain
- Apple to devs: NO slurping users' HEALTH for sale to Dark Powers
- Rubbish WPS config sees WiFi router keys popped in seconds