* Posts by Paul Crawford

2096 posts • joined 15 Mar 2007

The Great Windows Server 2003 migration: Where do we go from here?

Paul Crawford
Silver badge

Re: A very narrow, shallow and poor case for Windows retention

If you follow El Reg and have read other articles by Trevor Pott you would know he simply speaks his mind on what has worked for his business and that may, or may not, be a MS-based solution. He is certainly not a "pathetic shill" as you suggest.

5
0
Paul Crawford
Silver badge

Re: For Dog's sake shut up about w2k3 eol.

You may not care about w2k3, and certainly I don't care as I have no responsibility for w2k3 machines, but there are a lot of businesses out there that are about to get their backsides bitten.

Most of it is down to a lack of forward planning, and some of it is down to changes MS have made. You know, like no new 32-bit server machines supporting 16-bit code, or updated security practices that bork badly written older software (like some of MS' own code from around 2000...)

They have to do something: whether it is crossed fingers and more care in firewalls, or migrating some off the physical w2k3 machine and leaving the troublesome code on a VM, or even totally re-thinking what they do and why. So while it may be tedious to hear repeatedly, it is also with a good reason.

2
0

VPNs are so insecure you might as well wear a KICK ME sign

Paul Crawford
Silver badge

Re: Many VPN's suck for other reasons

Probably your best/most secure option is to have the VPN in your router and keep away from the oddity that is VMware's own network stuff.

3
0

Get READY: Scientists set to make TIME STAND STILL tonight

Paul Crawford
Silver badge

Re: GPS...

Of course they do - they don't have problems with this by design.

It's only the ground-based software that is implemented by folk who (a) don't know what they are doing, and (b) don't test things that cause problems.

Fsck'em - why not have leap seconds +/- every week and occasionally do two in the same direction on consecutive events? That way stuff will be tested and fixed because the code monkeys can't argue "oh it only happens once per 2 years or so".

0
0

Killer ChAraCter HOSES almost all versions of Reader, Windows

Paul Crawford
Silver badge
FAIL

Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?

Oh yes, this...

53
2

Pirate captain blasts Google for its 'mystery' Chrome blob

Paul Crawford
Silver badge

Re: "... Chromium, the open source sister of Chrome ..."

Chromium is the open-source part of the web browser project, and Chrome is Google's version with additional proprietary stuff built-in (flash, other spyware).

That is what has kicked off the storm, that Google had modified the open source part to download a closed-source (and pretty creepy) feature for voice recognition.

11
2

So what are you doing about your legacy MS 16-bit applications?

Paul Crawford
Silver badge

Re: @Ken Hagan

AFAIK it has nothing to do with the license, but that MS never attempted to port the ntvdm to 64-bit.

Most likely for the same reason that 64-bit dosemu is different to 32-bit and that is down to the 64-bit mode of the CPU not having the VM86 instruction to make life easier.

However, as you say a VM will do for your remaining 32-bit Windows (provided you don't have hardware dependency).

0
0
Paul Crawford
Silver badge

Re: DOSBox

Yes, DOSbox is also worth a turn but we had hardware I/O demands so it had to be dosemu.

dosemu also ships with a copy of freedos, though you can also use MS-DOS as well. You can configure the time keeping part to either follow the host time (so you get NTP accuracy, subject to the ~55ms tick of DOS time-keeping) or have it decoupled from the host which is handy for testing applications with other dates & times.

I tried it beyond the 2038 point and on 64-bit it is fine. Puts off the date problems for long enough for most readers to be commentarding on St. Peter's book...

1
0
Paul Crawford
Silver badge

If you are unlucky enough to have 16-bit + 32-bit + specific hardware/driver + IE dependency then I really do pity you :(

However, if you have 16-bit DOS style stuff then you might also want to try dosemu for Linux. Beware it also has some oddities in terms of 32-bit versus 64-bit versions, but it might be an easier choice. Also if you depend on special hardware that assumes direct DOS-style access to special hardware (as we do) then this option might be a way of avoiding having real DOS or Win95/98 machines any more since dosemu can be run with sudo (root) access and configured to permit specific hardware I/O in dosemu.conf

If all else fails, then identify what is not going to work on 64-bit systems and keep that on a dedicated machine/VM and really go out of your way to protect it from the big bad world by putting it on a separate VLAN, etc, and firewalling it to the hilt. Even if it has to print to a network printer, try to block the printer connection as much as possible as they are often never patched and probably contain vulnerable web servers for configuring them, etc.

14
0

Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK

Paul Crawford
Silver badge

Re: Never attribute to malice what can be explained by incompetence.

You also forget the 3rd possibility - that both malice and stupidity are involved.

11
0

Why is it that women are consistently paid less than men?

Paul Crawford
Silver badge

"If you look into any agenda driven politics the left tries to push you'll see it's built on lies"

There, fixed it for you.

16
0

'No evidence' Snowden was working for foreign power says ex-NSA boss

Paul Crawford
Silver badge

Blackmail?

"useless for blackmail since Uncle Sam already knew"

That presumes you only care about the Gov knowing. But what about family, friends, and neighbours who may not be impressed by certain aspects of your private life that you declared for a high security job?

16
0

Cisco to pour BEELIONS into China

Paul Crawford
Silver badge
Joke

So will this closer integration with China mean we can look forward to buying a router with a choice of NSA or PRC back door? Will the web site be pre-ticked depending on your shipping destination?

Actually I'm not sure the joke icon is quite appropriate...

0
0

Banking trojan besieges Bundestag … for the second time

Paul Crawford
Silver badge
Thumb Up

Really I have to hand it to the German BOFH when they declared that a complete rebuild is the only (the final?) solution.

Think about it: you get to replace old routers and start with safe/sane settings for the firewalls, etc. You also dump all of the out of support 2k3 servers and XP machines, and give everyone a new desktop.

Personally I would go Linux with a Windows VM for special stuff, partly to reduce the COTS malware risks but also as a lot of that won't run in a VM to avoid analysis, but looking at a more realistic scenario you get to deploy new desktops with known configurations and can have the ACLs set so no user program can 'execute', only those the BOFH has installed in the correct locations.

Along with that you deploy only known, patched, and properly configured applications. Sure, you have to re-import user data, but that can all be scanned first and maybe even make users ask for what they actually *need* to have, further reducing the risk of p0wned stuff.

We salute you!

2
0

Chrome, Debian Linux, and the secret binary blob download riddle

Paul Crawford
Silver badge
Joke

Come on, they looked at the joys Windows users have with knowing what all those instances of svchost are actually doing and they thought "you know what, we want a bit of that action"

53
3

Why are there so many Windows Server 2003 stragglers?

Paul Crawford
Silver badge

Re: Lack of 32-bit Server platform

The real problem is if you have 16-bit Win95/DOS era software as that won't run on 64-bit Windows. OK you may also have driver problems as well for older hardware under 64-bit (remember how crappy 64-bit XP support was?). Sometimes it will run on Linux emulators (Wine, or dosemu, etc) but that is a significant gamble.

Now you might be saying "Who runs 16-bit any more?" without realising there is a lot of small speciality software from that era that works, and changing the software to a newer version is a major PITA for various reasons:

1) New software license costs

2) Maybe no longer compatible with old, special, and very expensive hardware

3) Different file formats so you can't read/write previous data

4) Different work-flow so you have to re-jig lots of scripts and re-train users.

5) All of the above often gets you nothing more than "supported OS" status as it will do exactly the same job as the old one (maybe better, maybe more buggy).

So while using old servers for general stuff is barely excusable, there are some VERY GOOD reasons why it won't happen for many. But as other commentards have pointed out, you should be working on the assumption that ALL systems can be p0wnd (old & new, Windows & Linux) and planning how you detect that and restore to a clean state when it happens, not IF it happens.

3
0

Testing Windows 10 on Surface 3: Perfect combo or buggy embuggerance?

Paul Crawford
Silver badge

Decent screen for once

OK, the MS product is not very cheap, but the 2160 x 1440 screen is a damn sight better than even the majority of ultrabooks at more than the ~£600 range of these.

4
0

It's curtains for you, copper: IBM boffins push the LIGHT FANTASTIC

Paul Crawford
Silver badge

Re: Tweets??

I think the official El Reg unit should be in kilowrists, the measure of simultaneous pr0n film streaming performance.

2
0
Paul Crawford
Silver badge

Re: Silicon versus GaAs

I think the main reason is there is SO MUCH silicon technology, experience, and fab facilities it is easy to make complex chips from it, whereas GaAs has been generally kept for the fastest of products where you don't have the same density of components but need higher speed. GaAs is more radiation-hard than silicon, but also less tolerant to heat. I'm sure others with more knowledge can provide a better informed answer though.

2
0

Deutsche Telekom, Huawei: Let's rain on Amazon’s euro cloud together

Paul Crawford
Silver badge

What choice in network kit?

In the blue corner we have Cisco with the (alleged) NSA back doors.

In the red corner we have Huawei with the (alleged) PRC backdoors.

Ladies and gentlemen, pick your choice of partners now and place your bets! Complimentary tubes of KY will be provided...

4
0

How much info did hackers steal on US spies? Try all of it

Paul Crawford
Silver badge

Re: @Tom 13

Firstly all these remote locations don't need access to a lot of data at any one time, so the database server ought to rate-limit requests and queries to a reasonable amount per authorised machine/user.

Secondly having something where the leak is so significant really ought to have raised the question about how many sites really need to access it, and for them you could have deployed specific machines with dedicated hardware encryption in the network card (or a dedicated secure router) to tunnel the data to/from the server.

None of them having any simple path to the outside world so an attacker would need multiple physical access aspects to begin hacking past the user account and rate-limiting aspects. Anyone needing to access the database would find those PC(s) in a reasonably secured room, log on and do their job, then go. Room could be CCTV'd so any attempted tampering would be on record, etc.

It is all perfectly possible, but it costs money to do (much less than the hack is going to cost, I'll bet) and adds some inconvenience, but still much easier than the old days of paper files. So it's not really *that* inconvenient.

1
0
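The per-user, per-machine rate limiting proposed in the comment above, as an added example (not the commenter's code and not anything OPM ran): every (user, machine) pair gets a sliding-window budget of queries and of rows returned, so a stolen credential used from a workstation still cannot pull the whole table in one go, and each refusal is logged as an alert. The limits, the principal names and the sample traffic are constructed for the demo.

```python
"""Per-principal query rate limiting as a brake on bulk database exfiltration.

Added example: every (user, machine) pair gets a sliding-window budget of
queries and of rows returned.  Refusals are recorded as alerts, since a
legitimate clerk almost never trips them.  Limits and traffic below are
constructed, not taken from any real deployment.
"""
from collections import deque, defaultdict
from typing import Deque, Dict, List, Tuple

Principal = Tuple[str, str]   # (user, machine)


class QueryBudget:
    def __init__(self, window_s: float, max_queries: int, max_rows: int) -> None:
        self.window_s = window_s
        self.max_queries = max_queries
        self.max_rows = max_rows
        # per principal: deque of (timestamp, rows_returned), oldest first
        self._hist: Dict[Principal, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alerts: List[str] = []

    def _trim(self, who: Principal, now: float) -> None:
        """Drop history that has slid out of the window."""
        h = self._hist[who]
        while h and h[0][0] <= now - self.window_s:
            h.popleft()

    def allow(self, who: Principal, rows_requested: int, now: float) -> bool:
        """Decide before running the query; the caller must cap the result
        set to rows_requested so the accounting below stays honest."""
        self._trim(who, now)
        h = self._hist[who]
        rows_used = sum(r for _, r in h)
        if len(h) >= self.max_queries or rows_used + rows_requested > self.max_rows:
            self.alerts.append("%s@%s refused: %d queries, %d+%d rows in %.0fs"
                               % (who[0], who[1], len(h), rows_used,
                                  rows_requested, self.window_s))
            return False
        h.append((now, rows_requested))
        return True


def simulate() -> Tuple[List[bool], int]:
    """A clerk doing normal lookups stays under budget; the same credential
    asking for 5,000 records at once is refused, as is a burst of many
    small queries.  Returns (decisions in order, number of alerts)."""
    budget = QueryBudget(window_s=3600, max_queries=60, max_rows=500)
    clerk = ("jsmith", "ws-1043")           # constructed principal
    decisions = []
    t = 0.0
    for _ in range(10):                      # ten lookups of one record each
        decisions.append(budget.allow(clerk, 1, t))
        t += 120
    decisions.append(budget.allow(clerk, 5000, t))   # bulk pull: refused
    for _ in range(60):                      # hammering: refused once 60 are in the window
        decisions.append(budget.allow(clerk, 1, t))
        t += 1
    t += 3600                                # an hour later the window has slid
    decisions.append(budget.allow(clerk, 1, t))
    return decisions, len(budget.alerts)


if __name__ == "__main__":
    d, n = simulate()
    print("allowed %d of %d queries, %d alerts" % (sum(d), len(d), n))
```

The row budget is the important half: a cap on query count alone is defeated by one `SELECT *`, so the limiter has to know how many rows each call is allowed to return.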
Paul Crawford
Silver badge

Re: Dear US of A

Again, you are looking at a much higher bar than plugging in a device to an unused port at the recreational area, etc.

Now you are actually tampering with the internal wiring and could easily install a keyboard logger, etc. But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway, if you are sufficiently paranoid or working to regulations that demand that degree of security. That is why the "red" cables in proper high security installations have to be visible along their whole length and subject to regular inspections for tampering (or shielded fibre with some fibres used as tamper-detection, etc).

0
0
Paul Crawford
Silver badge

Re: Dear US of A @Paul Crawford

You are of course correct.

I was just thinking aloud about things that can be done for little physical cost on "normal" PCs & networks typically used in below-secret Gov, Business & Universities. OK, air-gapping is not common on those, but all the other features are pretty much standard on Cisco and similar kit, so having red/black networks for internal/external can be done and spare kit used for both.

Edited to add, worth a read:

http://www.gocsc.com/UserFiles/File/Ortronics/WhitePaperGovtv5AUG2011FINAL.pdf

1
0
Paul Crawford
Silver badge
Unhappy

Re: Forget all that yap, the danger is....

Sadly it could get worse, the original hackers could paste it on a torrent or similar to provide plausible deniability for the state about acting on the information in it, and just say they got it from the hackers' public posting. That way other nations and every low-life scammer out there would have the treasure trove as well.

I feel sad for all of those US citizens now at risk and angry that their government was so stupidly cavalier in having such an important database on a public-connected system (probably?) with such a poorly thought-through security aspect as this.

They pay billions for the NSA and the least they could have done was got them to give the whole system and its management a once-over. Scrap that, Snowden showed even they had not thoroughly thought-through big system security.

4
0
Paul Crawford
Silver badge

Re: What the Chinese did with it?

Maybe Snowden's documents were the source, or maybe this mega-hack. Who is to say the UK has not been popped (or was sharing with the US which clearly has been)?

If I were Russia/China it would make sense to say it was Snowden to disguise being in on this hack, for example.

Similarly if I were the USA/UK it would make sense to use Snowden as a stool pigeon to try and deflect public anger from the piss-poor security in place and/or the lack of appreciation of what such a massive database of all security-checked staff could mean when leaked.

1
0
Paul Crawford
Silver badge

Re: Dear US of A

"the night janiter plops a rasberry computer with a wireless modem"

If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work.

Also if they take security seriously they would put all the crappy never-patched network things like printers, web cameras, etc, on a separate VLAN/IP range (and without external access in the sad case they are not air-gapped) so their behaviour can be seen more clearly by intrusion monitoring systems, etc, and they can be blocked from initiating any connection to the "good range" machines (i.e. they only react to a print command and don't get to broadcast or probe the PCs).

A more likely physical attack is to plug 'evil USB' devices in to unguarded machines. OK those systems should also be locked down so USB is not on autorun on anything like it, but that may not be enough if they have a zero-day exploit for the lower level USB hardware/stack used. In the nation-state with insider doing dirty work case that is, of course, possible.

Either way, it is much much harder to exploit a network not on-line, as exfiltrating the data needs some sort of access (USB or similar again) and there is a high risk of the person getting caught if the sysadmins have some regular checking of system logs for device attachment, etc, happening.

1
0
Paul Crawford
Silver badge

Re: There's more to this than identiry theft....

The sad thing is this train wreck was seen to be coming for a long time, as you have:

1) Gov collecting data on its people like a fetishist

2) Gov cutting IT budgets and not holding anyone personally responsible, with power, to do anything about it.

3) Putting stuff on or connected to external networks because it's cheaper/easier/more productive that way.

4) Software / OS being so complex and hole-ridden with developers all running after "shiny and new" instead of simple and reliable.

5) Other nations realising 1-4 and the gains to be had from popping said data.

The USA may not be the first, but it sure as hell won't be the last nation to have its dirty laundry sent to China (or Russia, Israel, etc, etc)

7
1
Paul Crawford
Silver badge
Facepalm

If you collect it, it will get leaked eventually.

4
0

Intel inside: Six of the best affordable PC laptops

Paul Crawford
Silver badge

Re: Why also 15" models?

Well there are old people or others with vision defects where an 11" retina screen is utterly a waste of money.

A lot of folk use a laptop as a semi-permanent thing because it's smaller than desktop + monitor and can be tidied away fairly easily. For them a 15" or 17" screen is just so much nicer to work on, and the size and weight are not the same issue as those always travelling with it.

4
0

'Right to be forgotten' applies WORLDWIDE, thunders Parisian court

Paul Crawford
Silver badge

Re: rewriting history

I think in most cases the issue is not that you could search for a person's past events using specific knowledge, but that Google would return all sorts of older stuff with just a person's name.

Surely a technical company such as Google could implement a filter that only returns recent (say past 12 months results) when the search is a person's name, but only recovers such issues if you really go digging deeper with specific searches and date ranges (like you once had to do before t'Internet came along)?

3
2

GAZE upon our HI-RES DWARF PICS of Pluto, beams proud NASA

Paul Crawford
Silver badge
Boffin

Re: Deconvolution?

If you know the camera's point-spread function accurately, which I assume the guys who built the probe did, you can deconvolve the received image with the point-spread function.

It makes more sense in the frequency domain (plus phase) where the deconvolution process consists of dividing the image spectrum by the camera's "low pass filter" effect to restore the original image. This, of course, is not as easy as it sounds for various reasons:

1) There is noise in the image (both random and quantisation due to A/D converters). This gets magnified seriously wherever the camera has poor spatial resolution.

2) If there are nulls in the camera's response you have irrecoverably lost that information.

3) You might be trying to compensate for two effects - the camera's response and the movement of the system.

4) Errors in the above can become artefacts.

6
0
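The deconvolution described in the comment above, worked through as an added example (not NASA's pipeline, and the point-spread function is a constructed 3-tap blur, not the New Horizons camera's). A sharp 1-D profile is blurred, noise is added, and the image is recovered two ways: plain spectral division `Y/H`, which has to give up on the bin where the PSF has an exact null (point 2) and multiplies noise by `1/|H|` where the response is weak (point 1); and a Wiener-style regularised inverse, which trades a little residual blur for stability. The DFT is written out in pure Python so nothing beyond the standard library is needed.

```python
"""Deconvolution with a known point-spread function, and why it is fragile.

Added example: 1-D toy in pure Python.  TRUTH is a constructed sharp
profile, PSF a constructed symmetric 3-tap blur whose spectrum is exactly
zero at the Nyquist bin, NOISE a constructed deterministic 5 % ripple.
"""
import cmath
import math
from typing import List, Tuple

Complexes = List[complex]


def dft(xs: List[float]) -> Complexes:
    n = len(xs)
    return [sum(xs[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def idft(Xs: Complexes) -> List[float]:
    n = len(Xs)
    return [sum(Xs[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]


def circ_conv(x: List[float], h: List[float]) -> List[float]:
    """What the camera does: blur the scene with its PSF (circular, for a toy)."""
    n = len(x)
    return [sum(x[(t - j) % n] * h[j] for j in range(n)) for t in range(n)]


def deconvolve_naive(y: List[float], h: List[float], eps: float = 1e-9) -> Tuple[List[float], int]:
    """Divide spectra bin by bin.  Bins where |H| < eps are nulls: nothing
    can be recovered there, so they are zeroed and counted as lost."""
    Y, H = dft(y), dft(h)
    lost = 0
    X = []
    for yk, hk in zip(Y, H):
        if abs(hk) < eps:
            lost += 1
            X.append(0j)
        else:
            X.append(yk / hk)          # any noise in yk is scaled by 1/|hk|
    return idft(X), lost


def deconvolve_wiener(y: List[float], h: List[float], k: float) -> List[float]:
    """Regularised inverse conj(H) / (|H|^2 + k): gain tends to 0 near nulls
    instead of blowing up.  k is roughly noise power / signal power."""
    Y, H = dft(y), dft(h)
    X = [yk * hk.conjugate() / (abs(hk) ** 2 + k) for yk, hk in zip(Y, H)]
    return idft(X)


def rms(a: List[float], b: List[float]) -> float:
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)) / len(a))


N = 16
TRUTH = [0.0] * 6 + [1.0] * 4 + [0.0] * 6                   # constructed sharp profile
PSF = [0.5, 0.25] + [0.0] * (N - 3) + [0.25]                # constructed blur, H(N/2) = 0
NOISE = [0.05 * (((3 * i) % 7) - 3) / 3 for i in range(N)]  # constructed, deterministic


def experiment() -> Tuple[float, float, float, int]:
    """Returns (noise-free naive error, noisy naive error, noisy Wiener error,
    number of null bins), all errors as RMS against TRUTH."""
    clean = circ_conv(TRUTH, PSF)
    noisy = [c + n for c, n in zip(clean, NOISE)]
    x0, lost = deconvolve_naive(clean, PSF)
    x1, _ = deconvolve_naive(noisy, PSF)
    x2 = deconvolve_wiener(noisy, PSF, k=0.01)
    return rms(x0, TRUTH), rms(x1, TRUTH), rms(x2, TRUTH), lost


if __name__ == "__main__":
    e0, e1, e2, lost = experiment()
    print("null bins in PSF spectrum:", lost)
    print("noise-free naive error: %.1e" % e0)
    print("noisy naive error:      %.3f" % e1)
    print("noisy Wiener error:     %.3f" % e2)
```

Without noise the plain division recovers the profile to machine precision (the constructed profile happens to have no energy at the null bin, so zeroing it costs nothing). With a few percent of noise the same division is worse than the blurred image it started from, because the noise landing in the weakly-responding bins is amplified by 1/|H| of about 26; the regularised version stays usable at the price of a slightly softened edge.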

Microsoft says its latest, dodgy Windows 10 build is good for (almost) everyone

Paul Crawford
Silver badge

Re: "it remotely disabled the product key on her own 8.1 laptop"

See, this reason alone is why I won't choose to use Windows unless it's the only choice for some special job - they can dick around with my PC at any time of their choosing.

6
1

Confusion reigns as Bundestag malware clean-up staggers on

Paul Crawford
Silver badge

Re: Let me guesss...

"Idiot sysadmins...greater risk to security than an unpatched Linux or Windows machine"

Often the unpatched machines are the result of said idiots.

Sure you may find machines that can't be patched for various odd reasons (not supported and/or run special software that can't work on newer OS, etc) but for $DEITY's sake you don't have them Internet-facing or in use for email/web browsing...

1
0
Paul Crawford
Silver badge

Re: Let me guesss...

"Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the syadamin"

For most corporate networks they should have all user-writeable space set to no-execute via Windows ACLs. Apart from software developers or sysadmins, who need to execute software that is not already installed in the proper (read-only) system locations?

0
0

The time on Microsoft Azure will be: Different by a second, everywhere

Paul Crawford
Silver badge

Re: NTP isn't that much better

"PTP eliminates Ethernet latency and jitter issues through hardware time stamping"

So you have an irrelevant comparison: PTP can't work on a WAN, and on your LAN (without WiFi use or woeful congestion meaning you should upgrade your routers) you get sub-ms accuracy which is smaller than the time-slice for most software/OS task scheduling.

Also having asymmetric delays of 100ms or so is quite poor, you really ought to be using NTP sources that are 'closer' to your machine (in a network sense).

But returning to my main point made elsewhere, using time stamps which are *assumed* accurate to re-order data over a wide system is simple but also prone to clock error. Should programmers not be looking at other hand-shake and event counting methods to synchronise the *order* of events instead of trusting everyone's clock is always sufficiently close in time-keeping?

0
0
Paul Crawford
Silver badge

Re: NTP isn't that much better

NTP is better than Windows SNTP by many orders of magnitude

A typical Windows installation (thinking desktop here) has, by default, a time set once per week - so can be out by minutes at times. Even if you set the frequency to once per hour (registry setting) you are lucky to get better than 1 second.

NTP on a WAN typically gives you accuracies of 10ms or better (so around 100 times improvement)

NTP on a LAN with decent time servers (e.g. machine with very good hardware clock or local GPS) gives you accuracies of the order of 0.1ms or better, so around 10k times better.

Often the question programmers should be asking is why am I using time, and is that actually the best way of determining order and sequence?

0
1
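The "event counting" alternative raised in both NTP comments above, as an added example (not the commenter's code): Lamport logical clocks. Each node keeps a counter that is bumped on every local event and, on receiving a message, jumps to max(own, sender's) + 1, so any two events that are causally related end up in the right order whatever the wall clocks say. The two nodes, the 2-second skew and the exchange are constructed for the demo.

```python
"""Ordering events with Lamport logical clocks instead of wall-clock time.

Added example.  Node B's wall clock is constructed to run 2 s fast; sorting
by wall time then places B's reply before the request that caused it,
while the Lamport order is correct.  Events with equal counters that
neither node saw cause the other are concurrent; the node name is only
a deterministic tie-breaker for them.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Event:
    node: str
    clock: int        # Lamport timestamp
    wall: float       # the node's (possibly wrong) wall clock, for comparison
    what: str


@dataclass
class Node:
    name: str
    skew: float       # constructed wall-clock error in seconds
    clock: int = 0
    log: List[Event] = field(default_factory=list)

    def _record(self, what: str, now: float) -> Event:
        ev = Event(self.name, self.clock, now + self.skew, what)
        self.log.append(ev)
        return ev

    def local(self, what: str, now: float) -> Event:
        self.clock += 1
        return self._record(what, now)

    def send(self, what: str, now: float) -> Tuple[int, str]:
        self.clock += 1
        self._record("send " + what, now)
        return (self.clock, what)          # the message carries the sender's counter

    def receive(self, msg: Tuple[int, str], now: float) -> Event:
        sender_clock, what = msg
        # Lamport rule: move past anything the sender had already seen.
        self.clock = max(self.clock, sender_clock) + 1
        return self._record("recv " + what, now)


def total_order(events: List[Event]) -> List[Event]:
    """Lamport counter first, node name as tie-breaker: a deterministic total order."""
    return sorted(events, key=lambda e: (e.clock, e.node))


def wall_order(events: List[Event]) -> List[Event]:
    """What you get by trusting everyone's clock."""
    return sorted(events, key=lambda e: (e.wall, e.node))


def run_scenario() -> Tuple[List[str], List[str]]:
    """A asks B for something and gets a reply; B's clock is 2 s fast.
    Returns the event names ordered by Lamport counter and by wall clock."""
    a = Node("A", skew=0.0)
    b = Node("B", skew=+2.0)
    t = 100.0                                # true time, seconds
    a.local("A: open file", t)
    msg = a.send("request", t + 0.1)         # A -> B
    b.receive(msg, t + 0.15)
    reply = b.send("reply", t + 0.2)         # B -> A
    a.receive(reply, t + 0.25)
    b.local("B: close file", t + 0.3)
    events = a.log + b.log
    return ([e.what for e in total_order(events)],
            [e.what for e in wall_order(events)])


if __name__ == "__main__":
    by_lamport, by_wall = run_scenario()
    print("Lamport :", " < ".join(by_lamport))
    print("wall    :", " < ".join(by_wall))
```

This only gives a partial order that is safe for "did X happen before Y" questions; it says nothing about real elapsed time, which is exactly the property the comments argue most event-ordering code does not actually need.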

Mozilla doubles bug bounties to $10k

Paul Crawford
Silver badge

Maybe if they spent less time in pointless GUI dicking around and fixed bugs they would have less need for this?

And what about non-security bugs, like the defaulting to US Legal paper for printing on every update on the *NIX version that has been open for more than a decade?

2
0

Google's super-AI boffin, Bilderberg nobs, and a secret Austrian confab

Paul Crawford
Silver badge

Re: lots of talking to do

As for the Bundestag PC network being scrapped and replaced, maybe that is a final way to get rid of XP and force all users on to something more secure, reliable, and supported?

Let's just hope they check the PC suppliers are not using NSA-infected HDD should they decide to keep with Windows known boot loader...

0
0
Paul Crawford
Silver badge

Re: "c language, the most important enabler of cyber war"

Fail!

The correct statement is "stopping the use of cheap crap programmers who don't understand what they are doing and fail to apply best practice when coding and the multitude of tools that already exist to help"

If you are really looking for a scape-goat for info sec woes, how about Office and VB plugins?

0
0

ISIS command post obliterated after 'moron' jihadi snaps a selfie, says US Air Force

Paul Crawford
Silver badge
Paris Hilton

Re: Air Force General Hawk Carlisle

I wondered the same! OK, not quite as sinister as General Jack D Ripper, but a triumph of naming nevertheless.

Paris, as she could have my precious bodily fluids...

3
0

Everything old is new again: Man mugged in New York, only this time for his Bitcoins

Paul Crawford
Silver badge

Why?

I don't want to blame the victim for being robbed, as that is a crime no matter where it takes place. But I do wonder why would you turn up in person to pay by bitcoin?

As far as I can see its main reason for existence is for electronic payment, and more so for use outside of the US-controlled credit card and Paypal corporations where it is hard to trace and hard to stop (e.g. wikileaks accounts being blocked by US gov pressure). Of course the "hard to trace" aspect appeals to criminals just like wads of cash, so maybe they pushed him for a bitcoin transaction knowing that.

6
0

Star Trek's Lt Uhura hospitalised in LA after stroke

Paul Crawford
Silver badge

I wish her all the best for a speedy recovery.

I still find it hard to believe that in my own lifetime that kiss was such a big deal, but then looking around the world today at some of the morons out there it is less of a surprise.

28
0

Ruskies behind German govt cyber attack — report

Paul Crawford
Silver badge

Re: And yet the EU continues...

OK, you don't like sanctions.

Now how do you propose the West can impact on "the criminal government staff" without starting a war?

0
0

We stand on the brink of global cyber war, warns encryption guru

Paul Crawford
Silver badge

Re: Warfare via computer networks isn't soft power.

Sure, eventually something important will be hacked and people will die and, maybe then, organisations will finally wake up and stop putting critical stuff on the internet at all.

Hell if you had to audit your whole system and get risk-based insurance for such design-decisions we would hardly see any such risk, as then systems would be properly secured and so take physical access as well as cyber skills to damage.

Just now there is a sporting chance of a few script kiddies taking a pop at critical stuff because a many years old and unpatched (or unpatchable) system is now exposed to "save money" and "improve productivity" in an important infrastructure or plant somewhere.

3
0

Compromised SSH keys used to access Spotify, UK Govt GitHub repos

Paul Crawford
Silver badge

Re: Why ?

"If you yourself are not clever enough to use github in a secure manner"

So Sir, were you clever enough to notice the bad random number generator in Debian's OpenSSL? Did you in fact report it and help fix things?

If not then STFU and get on with something more useful. The call is not for GitHub to hand-hold users at any point, but to notice said compromised keys and warn users about them. Those keys, most likely, were generated years ago and then kept even when the user's OS was updated to something that has that bug fixed and they probably forgot which version of number generator was used to generate them originally.

6
0
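The check the comment above asks GitHub for, as an added example (not GitHub's code and not the commenter's): compute the OpenSSH-style SHA256 fingerprint of each key in an authorized_keys file and compare it with a blocklist of known-compromised fingerprints, which is the same shape as the `ssh-vulnkey` blacklists Debian shipped for the 2008 OpenSSL PRNG bug. The two keys and the blocklist below are constructed from fixed bytes for the demo (the 2008 keys were RSA and DSA; ed25519 is used here only because its blob is short); a real blocklist would come from the affected project.

```python
"""Flag SSH public keys whose fingerprint is on a known-bad list.

Added example.  Key material below is constructed test data built from
fixed bytes, not keys from any real keypair; BLOCKLIST is derived from
one of them so the demo is self-contained.
"""
import base64
import hashlib
import struct
from typing import Iterable, List, Set, Tuple


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from 32 raw bytes (test data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def fingerprint(key_line: str) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the
    decoded key blob, written as 'SHA256:...'."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_type_from_blob(key_line: str) -> str:
    """The type named inside the blob must match the text prefix; a
    mismatch means the line was mangled or tampered with."""
    blob = base64.b64decode(key_line.split()[1])
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def audit(authorized_keys: Iterable[str], blocklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (fingerprint, verdict) per key line; blanks and comments are skipped."""
    out = []
    for line in authorized_keys:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if key_type_from_blob(line) != line.split()[0]:
            out.append((fp, "MALFORMED: type prefix does not match blob"))
        elif fp in blocklist:
            out.append((fp, "BLOCKED: known-compromised key, replace it"))
        else:
            out.append((fp, "ok"))
    return out


# Constructed sample data: two deterministic 32-byte "keys" and a blocklist
# containing the first one, standing in for a published weak-key list.
WEAK_KEY = make_ed25519_line(bytes(range(32)), "alice@laptop-2008")
GOOD_KEY = make_ed25519_line(bytes(range(32, 64)), "alice@laptop-2015")
BLOCKLIST = {fingerprint(WEAK_KEY)}


def demo() -> List[str]:
    """Verdicts for a small constructed authorized_keys file."""
    return [v for _, v in audit([WEAK_KEY, "# comment", "", GOOD_KEY], BLOCKLIST)]


if __name__ == "__main__":
    for fp, verdict in audit([WEAK_KEY, GOOD_KEY], BLOCKLIST):
        print(fp, verdict)
```

The fingerprint is over the blob alone, so the comment field and trailing options do not affect the match; that is what lets a key generated years ago and copied between accounts still be recognised.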

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Paul Crawford
Silver badge

"DHCP exchange) from being poisoned by a man in the middle?"

DHCP exchange is on my LAN and so under my own control. Not perfectly immune to attacks as they could p0wn the router, etc, but far far harder to do than out on the WAN.

0
0
Paul Crawford
Silver badge

"What does DHCP have to do with HTTP/HTTPS?"

Don't certificates sign for a given IP address? What if that changes?

"Also, you do a dis-service to systems admins/engineers by repeatedly writing that only developers can manage redirects and handling the nuances of making SSL work"

OK so who patches old expensive colour A3 laser printers to add SSL support? Have you seen much sign of software patching/upgrades even for new/recent printers?

2
2
Paul Crawford
Silver badge

Re: If selling certificates becomes like selling domains...

"they'll still prevent man-in-the-middle alteration"

If world & dog just ignores dodgy or revoked certs (like Google do in Chrome) when so many stink and/or change for no good reason, then what is to stop an ISP doing a proxy with some self-signed cert for everywhere?

0
0
Paul Crawford
Silver badge

Re: ^ This ^

Yes, like the shitty business of defaulting to US Legal paper size on every update on *NIX platforms. That bug has also been open for more than a decade. Maybe a small amount of time fixing stuff would bring more happiness to users than pointless dicking around with GUIs and pushing policies out that break things?

9
0
Paul Crawford
Silver badge

Vaccines have considerably less of a down-side than not being able to access old sites and local printers, router config pages, etc.

4
0