* Posts by Stuart Longland

1055 posts • joined 11 Jan 2008

FTDI yanks chip-bricking driver from Windows Update, vows to fight on

Stuart Longland
Silver badge

Re: Should just

There's no sensible mechanism for a Windows device driver, once installed and running, to 'pop up a message'.

A problem Microsoft could help with. Surely the driver can write to a log for the technical people amongst us as an interim solution?

Of course, Microsoft could have trivially produced a sensible user-mode solution to the problem of low-data-rate odd-ball USB devices (i.e. most of FTDI's customers) back in the mid 90s, but for some reason they didn't.

Probably because they thought the money was in making things faster (allegedly) while ignoring the reasons these simpler interfaces are still popular.

Still, this is a step in the right direction. I'm not saying they should support third party components, but at least they're not tampering with third party components now. There aren't too many options that don't leave the end customer exposed to the cross-fire unfortunately, but minimising this as much as possible while allowing the dodgy manufacturers to "make right" their wrongdoing sounds like the best approach.

2
0

Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster

Stuart Longland
Silver badge

Re: Our users just want to get their work done

...and yet sales are fine. As for users, my users did grumble and complain when they got their first ribbon-ized Office, but they adjusted. Their proficiency may have lowered while they relearned it, but occasional users learned how to use the ribbon and power users didn't even notice it was there because the keyboard shortcuts still work.

That's only true if:

- you happen to be a power user that remembers every key combination

- you ignore the fact that for many people, alternatives do not exist¹

¹: Yes, I'm aware of LibreOffice/OpenOffice. I do use them, and it's the standard office suite at my workplace. I do also note that the package is occasionally buggy and doesn't support features that some find useful.

1
0
Stuart Longland
Silver badge

Re: Snatching defeat from the jaws of victory...

Last time I tried Linux and attempted to install Firefox I first had to find an installer for the distribution I was using. Then I had to decide from a swathe of nonsensical file types, gar, tar, bar har-de-har-har (with no explanation of what they meant or do). Finally I had to go through the rigmarole of 'unpacking' them, and typing a load of cryptic commands to try to complete the install.

obligatory Jobs paraphrased quote: You're installing it wrong.

Correct method would be to get familiar with the package repository manager you use and its frontend. If it's Debian based the package repository manager is called apt and there'll be a GUI frontend called Synaptic Package Manager. Ubuntu has its Software Centre. I'm not sure what it's called on Red Hat derived distributions other than it'll be based on yum.

You fire that up, look for Firefox, click install and it downloads and installs it for you. Not much different to the Apple App Store or the Google Play store, except that apt predates both of them by nearly a decade (late 90's versus 2006 for the iPhone).

Going to a supplier and obtaining a package manually is the old DOS-way of doing things that Windows inherited. It's not user friendly as you discovered, and haphazard installers mean the process is not guaranteed to be a smooth one.

1
2

FedEx helps deliver THOUSANDS of spam messages DIRECT to its Blighty customers

Stuart Longland
Silver badge

Re: Bah!

How many "FedExEmp would like to recall this message" messages flooded the internetworks right after the initial delivery?

A dead giveaway they're using Outlook too… and the Microsoft-centric view of the world that you can just magically unsend an email in the same way you can unpost a letter.

Sorry fellas, once you click send and the email leaves your border router, it's GONE.

0
0
Stuart Longland
Silver badge

Re: BCC?

Does this count as a Data Breach rather than just an annoyance, as email addresses were disclosed?

Probably not, I doubt even FedEx would be as crude as using an in-email-client mailing list. Big lists of email addresses in the To or Cc fields are a sure-fire way to get your host blacklisted.

No, this sounds like an email list (with a dedicated address) that was misconfigured to allow anyone subscribed to post to the list. Not what you want in an announcements list.

0
0
Stuart Longland
Silver badge

Re: BCC?

Or… it was a mailing list address in the To or CC field, and someone left the barn door open…

1
0

Chipmaker FTDI bricking counterfeit kit

Stuart Longland
Silver badge

Re: Very dumb idea

Nowhere on the packaging or documentation does it state what chip is in use, and nor would this information mean anything to most end users

[…]

10 thumbs up & 8 thumbs down

A pop quiz for the 8 downvoters: Here are some USB-serial adaptors on sale.

Can any one of those 8 downvoters tell me:

- what chipset each one uses and

- whether the chipset is genuine

If you cannot answer either of these two questions, how can you make a valid decision on whether to purchase that device?

3
2
Stuart Longland
Silver badge

Re: Very dumb idea

This device does not belong to FTDI, thus FTDI have no permission to make any alterations to the device whatsoever.

Exactly. It's not a FTDI device, so why should it work with any FTDI driver?

Exactly. It's not a FTDI device, so why should any FTDI driver send any commands to it?

2
1
Stuart Longland
Silver badge

Re: Pretty nasty

you don't sue the police for confiscating your cloned car, you sue the bloke at the pub who sold it to you.

And the car doesn't get confiscated by the maker of the car that yours is a clone of either… it gets confiscated by law enforcement.

That is where FTDI have overstepped the boundary.

4
2
Stuart Longland
Silver badge

Re: @Tonybarry (over reacting ignorant moron)

FDTI did this to assure that VALID chips do not get confused with counterfeits.

And of course, people never make mistakes in their detection code…

2
1
Stuart Longland
Silver badge

Re: life support?

Or the desktop the said life support kit gets plugged into for maintenance when the kit gets serviced.

1
0
Stuart Longland
Silver badge

Re: One group of people are about to have a pretty big problem...

Similar problem here…

I'm in Brisbane Area WICEN (Wireless Institute Civil Emergency Network for those not familiar with the group) who do emergency communications for various community events. (In the UK there's an equivalent: RAYNET, and in the US: ARES)

One of those is the International Rally of Queensland, where we use packet radio with TNCs (terminal node controllers: modems basically). Most of us use Kantronics KPC3 TNCs which, as is typical of early 90's equipment, are RS-232 based.

Some of us have laptops that have on-board RS-232 but most use USB-serial converters.

Many in the group are electronically savvy, but not computer savvy. They might be good with antennas, many service their own equipment, and most know their way around a computer enough to get themselves out of trouble, but are not experts in computing.

I can see this being a major pain in the arse: as I pointed out above. Try picking up a piece of kit off the shelf at a shop, and tell me:

(1) what USB-serial device is in use and

(2) whether it's a genuine one.

About the only way I've found to find out about (1) is to download the driver from the shop's website (if it links to one) and go digging around in the various files for clues.

Price is not an indicator: The fakes can jack their prices up just as easily as anyone else. The same company can sell a "cheap" cable using knock-off ICs in one shop, and an "expensive" cable using the same chip, and people would be none the wiser.

Then there's the problem of USB-serial devices embedded in other equipment, which we get no say over and can do nothing about.

Return it to place of purchase you say? Good luck sending something back when it was bought from some eBay seller with a disposable account who has long since ditched their account and old contact details. Or explaining the problem to the dolly bird behind the counter at the Dick Smiths/Tandy/BestBuy/PCWorld/whatever store you bought it from.

This of course assumes you own the device: What if you're borrowing it? How do you explain a bricked device to them?

As to FTDI: I feel for them, but this is not the way. Refusing to operate with the device concerned would be better. Yes, the device stops working on their computer, but when it works on someone else's with an older driver, they can investigate and find a work-around to the problem.

Reputable suppliers would hear complaints and perhaps organise/issue a suitable driver for their counterfeit device: problem solved.

By making the device (temporarily) inoperable on all computers though, this is just going to fuel resentment which will work against FTDI.

4
1
Stuart Longland
Silver badge

Re: Very dumb idea

So FTDI gets no money for the parts so they say "you are not using our VID/PID and our drivers" for free and they are the bad guys?

They are if they put out a driver that bricks the device. It's one thing to put out a driver that pops up a message about a counterfeit device and refuses to work: the person will either roll the driver back or seek assistance to get the driver rolled back, but they at least know that something isn't right. If the device was recently purchased, it would be a prompt to go and see the supplier.

What is proposed here, is that the driver makes a change to the device that prevents the device from operating on any system. A reversible change, true, but a change nonetheless. This device does not belong to FTDI, thus FTDI have no permission to make any alterations to the device whatsoever.

The only thing in FTDI's power, is to refuse to acknowledge the device.

8
6
Stuart Longland
Silver badge

Re: Very dumb idea

What's more: you pick up a peripheral off the shelf and tell me what USB serial chip is in it.

I've got a couple that are Prolific PL-2303 compatibles (one IBM branded, one ATEN), both work fine in Windows XP and Linux, neither works in MacOS X. The USB serial chip in my Kenwood TH-D72A is a Silicon Labs device, and I'm starting to see more of these.

Nowhere on the packaging or documentation does it state what chip is in use, and nor would this information mean anything to most end users.

Sorry FTDI: I understand you have to earn a living and that developing drivers costs money, but tampering with other people's devices to prevent them from working in the way they were originally intended (whether reversible or not), is simply not on.

12
10

Forget the $2499 5K iMac – today we reveal Apple's most expensive computer to date

Stuart Longland
Silver badge

Re: Ahhh....

It probably doesn't bend

5
0

Sign off my IT project or I’ll PHONE your MUM

Stuart Longland
Silver badge

Re: Re-read the klingon software development guide

Is this some sort of leaked Q-A document from Microsoft? Sounds awfully like what happened with Windows ME.

1
0

Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really

Stuart Longland
Silver badge

Re: Windows 10 is Old News

14? Is that all?

0
0
Stuart Longland
Silver badge

Re: It worked for Red Dwarf

They're not the only ones in the entertainment industry to skip a number.

The Traveling Wilburys did it: Volume 1 was followed by Volume 3.

0
0
Stuart Longland
Silver badge

Me, hooked up to Microsoft Windows-based life-support?

Over My Dead Body.

54
0

Will.i.am gets CUFFED as he announces his new wristjob, the PULS

Stuart Longland
Silver badge

Re: Bling bling

About time Flava Flav got into the wearable tech market. I can see it now...

The flavWatch redefines the concept of the watch, as it is suspended from the user's neck.

Actually, that could be practical. It doesn't have to fit in a pocket so the screen can be larger. The battery can also be larger, so better battery life. Since it is hanging around your neck, it's in convenient range for answering calls or checking messages.

2
0

Disaster roster: OMG, are YOU SAFE? I dunno. Check Facebook

Stuart Longland
Silver badge

Re: Ads?

"We notice you're stuck, buried in a collapsed apartment block! How's your life insurance? Here's some policies to consider while you're here!"

1
0

Twitter, Cloudflare kill SSL 3.0 ... and here's how YOU CAN TOO

Stuart Longland
Silver badge

Re: immhavingapacheamidoingitrite?

I found according to Qualys' SSL checker that if I disabled TLS 1.0 a whole stack of common browsers were marked as "failed", such as the browser in Android 4.0 (which would include my phone).

So it might be wise to allow TLS 1.0 and 1.1 as well for now, unless you only care about your own access (in which case, use whatever you like because you control the infrastructure).

1
0

Crims zapped mobes, slabs we collared for evidence, wail cops

Stuart Longland
Silver badge

Re: [SECURE DEVICE: SOLVED]

Yes, except some networks are phasing out 2G… Telstra being one of them.

0
0
Stuart Longland
Silver badge

Re: 1) remove battery (or turn the device off until you can get it to the lab)

0) Install app that does an automatic wipe of the device when it next starts up if the user doesn't authorise the device's shutdown/network disconnect.

1) remove battery (or turn the device off until you can get it to the lab)

2) profit!

Next problem!

Indeed.

5
3

Chatting to Al Qaeda? Try not to do that – Ex spy chief defends post-Snowden NSA

Stuart Longland
Silver badge

Re: Sounds just like...

I thought he mentioned the arse end…

2
0

Aussie builds contactless card cloner app, shops at Woolies with fake card

Stuart Longland
Silver badge

Re: A Sting no doubt!

Now I've got Roxanne stuck in my head…

Probably appropriate since we (collectively) are going to get shafted by this one way or the other.

0
0

LTE's backers vow to KILL OFF WI-FI and BLUETOOTH

Stuart Longland
Silver badge

Bluetooth, really?

If I understand LTE correctly, in order to connect to an LTE network, the device in question needs some authorisation to use that network; in most cases this is the presence of a SIM card with the credentials needed.

Does this mean if I want a hands-free headset, that the headset needs its own SIM card to take a call from my phone?

4
0

FLASH drive ... Ah-aaaaaah! BadUSB no saviour to plug and play Universe

Stuart Longland
Silver badge

Re: Wrong direction of trust...

"You appear to be adding a second mouse, is this really true? Think carefully my friend before answering..."

Let's see you click the Yes button after you accidentally unplug the wrong USB cable to your combo keyboard/mouse then have to plug it back in again.

Reminds me of someone back in 2003 doing a Windows XP install onto a machine with no floppy drive, SATA disks (which were a new thing then) and a USB HID keyboard/mouse.

Setup unwittingly unloaded the USB drivers, then prompted with a dialogue box asking if we trusted the unsigned SATA drivers. A dialogue box we couldn't answer because we had no working keyboard or mouse at the time.

0
0
Stuart Longland
Silver badge

'Plug and pray' is indeed very old but it's nothing to do with the current context. It was about how USB drivers were very hit and miss for a long time, needing installing for each individual port, being very OS specific etc.

Actually, it predates USB… we were talking about Plug-and-Pray back in the days of ISAPnP. (Not PCI, ISA.)

4
0

Windows 10: One for the suits, right Microsoft? Or so one THOUGHT

Stuart Longland
Silver badge

Re: Oh, please...

So you're saying that: because you don't want it, we shouldn't have it?

0
0
Stuart Longland
Silver badge

Re: Proper clipboard support

You know you can show the extensions again with a few mouse clicks? It's the first thing I do after installing Windows.

Indeed, and you can disable the ShellShock backdoor in Linux by replacing the 'bash' binary, which is just a few clicks.

The fact that it's the DEFAULT must be irrelevant to you.

5
1
Stuart Longland
Silver badge

Windows X: It's the cross we bear…

5
1
Stuart Longland
Silver badge

Re: Proper clipboard support

That Windows Explorer "feature" has been with us nearly 20 years now.

2
0
Stuart Longland
Silver badge

Microsoft, you surprise me

A couple of useful features, and you didn't decide to follow Apple and call it Windows X. You seem to like copying everything else they do.

I'll bet the Command prompt still lacks the sort of terminal sequences that VT220 supersets like xterm and rxvt have had for decades though and probably looks at me funny when I run ./configure && make && make install. But small steps, we at least have copy and paste working more naturally.

Virtual desktops? Welcome to 1990. You might've gone somewhere had you released something like this in 2004.

I think we call this, Windows 10 Years Too Late.

8
3

Bash bug flung against NAS boxes

Stuart Longland
Silver badge

Re: QNAP again?

Mmmm, won't stop the Microsoft crowd from sCOFFing though.

3
3

TEEN RAMPAGE: Kids in iPhone 6 'Will it bend' YouTube 'prank'

Stuart Longland
Silver badge

Re: Conflicted

Of course, telling this to teenagers is like waving a red rag in front of a bull…

16
1

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

Stuart Longland
Silver badge

Re: nas and modems @Stuart Longland

Indeed, it'll be more substantial than that of a router, because it probably has Samba for Windows File Sharing, some media streaming tools, web/FTP server, etc…

This does not necessarily mean that bash is being used. You'll need filesystem access to actually know for sure, just looking at the size of the firmware blob isn't going to tell you.

0
0
Stuart Longland
Silver badge

Re: nas and modems

How does this affect the 1001 NAS, media server, TV's and modems around that run a version of Linux

Like This.

Very few of those devices actually have the OS-image storage for a full-blown GNU/Linux distribution. Most are a cut-down Linux OS based around Busybox, which according to that test I did, isn't vulnerable.

Even a NAS, which may have big HDDs installed, won't be using those HDDs for the OS, it'll have a small flash chip somewhere with a minimal OS on it.

0
1
Stuart Longland
Silver badge

Re: Meanwhile, on a web server that was already patched twice

Indeed, I suppose it's people who think such patches should make those crack-attempts invisible. Or those who maybe wish their commercial software supplier was as swift delivering fixes.

I find it rather telling that this apparently 20+-year-old bug has only just started being exploited within the last week.

I've certainly seen a few attempts myself now.

2
0

CURSE YOU, 'streaming' music services! I want a bloody CD

Stuart Longland
Silver badge

Re: Streaming

My only reason for sampling stuff at 48kHz instead of 44.1kHz is that most of my sound devices today are natively 48kHz and don't do other rates, so rely on software up-sampling for 44.1kHz.

So I leave it at 48kHz when recording it (usually from vinyl) and leave it at that.

Gone are the days when sound-cards would re-sync their clocks to just about any sample rate you wanted. (Had great fun trying to write an ALSA-SOC driver to make a TI TLV320AIC3204 do that though a couple of years back.)

1
0
Stuart Longland
Silver badge

Re: I still buy CDs

Actually, sometimes having to get off my arse to flip the record over is a good thing. It ensures I move around every 20 minutes.

1
0
Stuart Longland
Silver badge

You feel old?

None of my music was downloaded or streamed.

One song was live-recorded off FM radio (yes, very naughty of me… but whenever I've been in a record shop I have a quick squiz to see if there's an album that has it), the rest have been ripped from a mixture of CDs and LPs which I personally own.

I'm not about to start downloading or streaming now, my current arrangement works fine, thank you.

5
1

Patch Bash NOW: 'Shellshock' bug blasts OS X, Linux systems wide open

Stuart Longland
Silver badge

Re: another huge hype

The media does seem to have amplified the issue somewhat, but then again, that's what they're there for, to amplify the news that others raise. And bad news sells! This centuries-old fact is not news.

What I observe with HeartBleed and ShellShock was the idea of "branding" a bug, which seems to have resonated with the media outlets.

Even more so than the bug where Debian's patching caused OpenSSL to generate weak keys. That bug was particularly nasty, but generated a lot less press than these two have.

With it, I've noted a lot of misinformation out there, claims of all kinds of embedded devices/Android being vulnerable (see my tests with busybox above) and claims that it's a Linux or Unix-only problem (Windows can run bash, e.g. using Cygwin or Interix).

So in the open-source world we've now had a few high-profile security holes pop up. As you point out, some of them have been around a long time. HeartBleed was nasty as it revealed bits of RAM accessible to the web server which amongst other things would include the SSL private key.

ShellShock doesn't give you that (as the private key should be owned by root and unreadable by anyone else) but it does allow you to execute arbitrary commands, which is nasty in its own right, as it only takes a privilege escalation bug to gain access to such information.

The good news with ShellShock is that it's only a limited set of environment variables that get passed to CGI scripts, and so it's not that difficult to mitigate against if you have a CGI script that executes some command line application (e.g. gitweb executing the "git" command). Not difficult to do a few checks of %ENV, pluck out the bits you want then set the offensive ones to `undef` before shelling out.

The other factor is that bash is never linked to applications, it is a stand-alone binary executable, replacing it will not cause ABI breakage like replacing OpenSSL can, and it typically does not come bundled with applications either as a dynamic library or statically linked. That makes containment and clean-up a lot easier.

1
0
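The mitigation described in the post above (check the CGI environment, keep only the variables you want, and blank the rest before shelling out) as an added example. This is not the poster's code, nor gitweb's; it is written in Python rather than the Perl `%ENV`/`undef` idiom the post mentions, and the allow-list, the base environment and the sample request environment are all constructed for illustration.

```python
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Hypothetical allow-list: the CGI variables a gitweb-style wrapper actually needs.
# Anything client-controlled that is not on this list (HTTP_USER_AGENT, HTTP_COOKIE,
# HTTP_* in general) never reaches the child process at all.
ALLOWED_CGI_VARS = frozenset({
    "GATEWAY_INTERFACE", "PATH_INFO", "QUERY_STRING", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "CONTENT_TYPE", "CONTENT_LENGTH",
})

# Variables the child needs but which must never be taken from the request.
BASE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}

# The exported-function prefix that a vulnerable bash would parse out of any
# environment value, regardless of the variable's name.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def sanitize_cgi_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (clean_env, dropped_names).

    A variable survives only if its name is on the allow-list AND its value does
    not look like a bash function export. Everything else is dropped, and the
    fixed BASE_ENV values are used instead of whatever the request supplied.
    """
    clean = dict(BASE_ENV)
    dropped = []
    for name, value in env.items():
        if name not in ALLOWED_CGI_VARS or FUNCTION_EXPORT.match(value):
            dropped.append(name)
            continue
        clean[name] = value
    return clean, sorted(dropped)


def run_with_clean_env(argv: List[str], env: Dict[str, str]) -> subprocess.CompletedProcess:
    """Shell out with the sanitized environment only (no inheritance from os.environ)."""
    clean, _ = sanitize_cgi_env(env)
    return subprocess.run(argv, env=clean, capture_output=True, text=True, check=False)


def child_env_names(env: Dict[str, str]) -> List[str]:
    """Spawn a child and report which environment names it actually saw."""
    result = run_with_clean_env(
        [sys.executable, "-c", "import os; print('\\n'.join(sorted(os.environ)))"], env)
    return result.stdout.split()


# Constructed sample request environment: one hostile header that is not on the
# allow-list, one allow-listed name carrying a hostile value, and a client-supplied PATH.
# The probe string is the same harmless one used in the busybox test further down.
SAMPLE_REQUEST_ENV = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "p=repo.git;a=summary",
    "SERVER_NAME": "git.example.invalid",
    "SERVER_PROTOCOL": "HTTP/1.1",
    "HTTP_USER_AGENT": "() { :;} ; echo busted",
    "HTTP_HOST": "git.example.invalid",
    "PATH_INFO": "() { :;} ; echo busted",
    "PATH": "/tmp/untrusted:/usr/bin",
}

if __name__ == "__main__":
    clean, dropped = sanitize_cgi_env(SAMPLE_REQUEST_ENV)
    print("kept:   ", sorted(clean))
    print("dropped:", dropped)
    print("child saw:", child_env_names(SAMPLE_REQUEST_ENV))
```

The two rules are deliberately independent: the allow-list is the primary control (a hostile `HTTP_*` header should never be forwarded whatever it contains), and the `() {` prefix check is a second net for the allow-listed names whose values the client still influences, such as `PATH_INFO` and `QUERY_STRING`.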
Stuart Longland
Silver badge

Re: We are not out of the woods yet

And the patches are out:

25 Sep 2014; Lars Wendler <polynomial-c@gentoo.org> +bash-3.1_p18-r1.ebuild,
+bash-3.2_p52-r1.ebuild, +bash-4.0_p39-r1.ebuild, +bash-4.1_p12-r1.ebuild,
+bash-4.2_p48-r1.ebuild, +bash-4.3_p25-r1.ebuild,
+files/bash-eol-pushback.patch:
Another security bump for CVE-2014-7169 (bug #523592).

At least in Gentoo, and yes I've just re-patched, again. Still, amusing to see these "exploits" showing up in web server logs and have no effect.

0
0
Stuart Longland
Silver badge

Unless your router is a full-fledged Linux box with GNU Bash installed (unlikely), you should be safe. Most don't have the storage for a full-blown Linux distribution, thus rely on the more compact Busybox shell:

RC=0 stuartl@rikishi ~ $ env X="() { :;} ; echo busted" busybox sh -c "echo completed"

completed

Not vulnerable, at least my version isn't.

1
0
Stuart Longland
Silver badge

Re: well i am off

Sure, I'm rubbish at golf but I'll join you. My outside-world facing boxes are patched.

0
0
Stuart Longland
Silver badge

Re: Can you hear that sound?

I'll have my server patched in a minute… anything I have the source code to, no problem. It's all the commercialised crap that's a problem.

-----
make[1]: Leaving directory `/tmp/portage/app-shells/bash-4.2_p48/work/bash-4.2/po'
>>> Completed installing bash-4.2_p48 into /tmp/portage/app-shells/bash-4.2_p48/image/
strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment -R .GCC.command.line -R .note.gnu.gold-version
bin/bash
ecompressdir: bzip2 -9 /usr/share/man
ecompressdir: bzip2 -9 /usr/share/info
ecompressdir: bzip2 -9 /usr/share/doc
>>> Done.
>>> Installing (1 of 3) app-shells/bash-4.2_p48
>>> Setting SELinux security labels
-----

Told you so. :-)

19
7

Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights

Stuart Longland
Silver badge

Re: Here We Go Again.

In other words, if the authorities can't beat the "terrorists", they should join them?

10
2

'Windows 9' LEAK: Microsoft's playing catchup with Linux

Stuart Longland
Silver badge

Not quite. X works over a network almost transparently.

RDP isn't quite the same experience.

0
0
Stuart Longland
Silver badge

Re: Wow so much copying Microsoft..

I seem to recall FVWM2 existing a little bit before Windows Chicago (to use the name it had back then) and featuring a task bar and start menu.

Then again, maybe I recall incorrectly. Someone like to clear this up?

0
0