307 posts • joined 28 Jan 2008
Economics of Security
I totally agree. Great article Trevor!
Last RSA there was an interesting bit on game theory using a super simple game called Flip It. I have consumed way more brain cycles than I ever anticipated thinking about system resets as a method to limit dwell time. We all know it as our browser in the VM to protect the base system and data...but apply this to the Data Center.
One way trip
While everyone froths themselves up regarding a visit to Mars, I for one want nothing back in this Earth ecosystem. You go to Mars? Stay there...become a Martian. Do not bring back some random virus or bacteria that our probes cannot detect. We are happy to send care packages!
I bet they lit incense, gazed into the ether and were sent a vulnerability from the other side of the Moon. Invoke the secret fuzzers! Bring on the zero days! Reverse engineer the most recent patches!
No, scratch that...they stumbled upon a vulnerable website and stuck their flag in as if they actually killed something.
This test was not about vulnerability, it was about detection.
For that they could have used a worst case scenario customer configuration with out of date Java and Flash. The end result is that very few if any of these vendors can protect against custom Zeus-class malware builds with undetectable signatures, which are as easy to generate as a mouseclick. This is where the reputation link scanner comes in. Does it protect against anything? In the end perhaps no, even if you keep Windows Update one step ahead of the spider schedule. Visiting a website with pwnage is one SQL-injection away. And don't forget that if these cats can test it, just about any dildo who wants to make bank with a "crime pack" can too...but you see it is easier to test the custom builds for detection. I won't advertise for the paid service that does testing against all vendors with current defs.
Oh hell. It cannot be that bad can it? Better go to bed.
Re: Please don't tell me....
This test wasn't about vulnerability, it was about detection.
Failure to test non-Microsoft browsers is a gap? Have you noticed infection vectors lately? Adobe Flash and Oracle Java, with Java taking the clear lead this year.
Implement it with consent
What bothers me is Art's cultural disregard for how business is done over here. He used the words "on his own network" during his keynote which indicates that he has missed the boat near to completely.
What he was saying was something I agree with. How he was proposing steamrolling here in the EU was not.
Re: A few notes
OR key distribution.
Secure key distribution is exceedingly difficult (impossible?) once a bird is in orbit. That means that rather a lot of satellites up there just forward transmissions like overpriced repeaters. I won't point out what type of mischief that would allow an attacker to get up to if he or she were to intercept unencrypted network traffic. If folks don't know what I am talking about, do they need to know?
Billing they have down...try pulling your credit card details...
Has anyone tried to do ANYTHING with the financials of your Skype account lately? Oh sure, click a link to add credits, and it goes right through like you are the only client connected to their servers. Other links for purchase history and so forth? Completely unavailable. 404 through the website, and through the client? Well, it claims you are offline. Not to mention atrocious response time for adding contacts...which means that credits get eaten by calls getting forwarded to phones. Disabled forwarding now that all my credits are gone. Cannot get to anything resembling a purchase history etc screen. Then browsing the Support? Page loads are worse than a shared connection over 14.4kbps. Complete meltdown over at the Skype Server Farms?
I will point this out to some of my transcontinental motorcycle buddies.
Oh lighten up
Let the thing get out the damn door in October and then get smug...if applicable. Have a look at some of the Metro style guidelines via some old Silverlight design pages in the meantime. The stuff is pretty to look at from a design standpoint if done right. Not jarring to the eye. That is a nice leapfrog for a developer, and it ain't too hard to code it. Unifying the interface for the future has more appeal to me than perhaps for you? Just spent a day in a CentOS Terminal, and while I love the direct power of CLI, I pulled out my Windows 8 tester device this evening to finish up some responses to emails using Outlook 2010.
Some of you geeks need to get a little more pantheistic. This isn't a football match or a religion. RedHat doesn't pay you money and neither does Microsoft. Use what you want when you want...and if you are using Windows then PuTTY and FileZilla are your friends.
Re: I've worked it out...
I like how you are thinking. Appropriate choice in icons.
More space junk
If you subscribe to the Kessler Syndrome all it would take is the right one or two satellites to break up in orbit and the resulting debris would destroy all of them...and keep us effectively out of space for the rest of our lifetimes.
Thanks China for demonstrating how to pulverize a satellite in space...and thus creating 2,300 new bits of junk.
Re: Is this really worth reporting?
Well it could serve as a good warning that the free fraud detection software being pushed is not even capable of identifying the client OS. I find this particularly interesting from an IT angle, not to mention that if people actually rely on this software and it stumbles at the low hurdle of stepping over the 1/2" threshold of installation then this is particularly worrying. Having worked in the software industry for a good while now, if your installation sucks donkey balls then your software is so full of bugs it probably cannot be considered a product.
So let's call this article a review from the wild in case any security folks are considering a purchase. Purchase product, create false sense of security, and effectively increase fraud and support calls.
Re: Only an iZombie...
That's correct, the BlackBerry devices are pretty complete using AES 256 encryption and transmission security, but the little image exploit on the BES (server side) allowed remote code execution. This earned this one a CVSS 10 rating. Search RIM KB27244. A successful attack on that vuln could lead to DoS, malware installation, or elevation of privileges.
(fix provided in Aug 2011)
Re: I bought. It's nice. I prefer it to iOS, which I also have.
Mike, a BBC App has been there since almost immediately after WP7 was released. Though when I installed it, it appeared to be a scraper from a 3rd party developer group and not BBC at all; either that or the devname was poorly chosen by the BBC people.
Re: What is "permanent"?
No doubt. Semi-permanence requires regular rolling migrations. Even if we have the media, there is no guarantee that a suitable mechanical player can be found. If we have the file, there is no guarantee that the file will be compatible with newer versions of software. Aluminum pressings of CDs oxidize, and files get logical corruption on any media. Celluloid deteriorates, and the magnetic particles fall away from the tape they are attached to or get ghosts from being rolled up. Even the first commercial phonographs are curios now, and that is a mere century. Old 78 record albums can be converted, but it is also a hugely manual process. This applies to just about anything that needs to make the technogenerational cut. If it is important enough it survives.
As far as thinking that getting something into a Cloud DC that has a proper backup and replication? Or even local solutions plus offsite... Logical corruption still happens.
And in a worst case scenario an EMP creates huge technology free zones. And if that doesn't get us then an asteroid, the sun, or the Vogons will. Excuse me while I put a paper bag over my head and lie on the ground. Six pints of bitter please, the world is about to end.
@Dave - Random blog?
Clearly you ain't from around here Mister.
The people train goes out of *snooort snooort* Stubbsville...
This here is Bootnotes. Last post come out sideways.
@Lester, I sure wish I could buy the team a cold beer or 10 for the weekend! Happy testing!
Re: 1,500 accessible asteroids?
Not to mention that VCs have people like me that advise them on the viability and risk of projects. Deals that come to me for technical review, more often my rejection is because the business model is bad or the pitch documents smell like bullshit. If the idea is good, we can engage an EIR, drop me in to help with the technical stuff, or build some money into the investment for outside consultants who can guide them towards the launchpad. I don't get into the books, but I know from talking about taking an investment for a project I have that you are NOT getting rich until your company begins to haul in revenue. That money goes to developers, QA, hardware, support, facilities, marketing, and designers.
Re: Executing code from untrustworthy places can be dangerous?
There is a Microsoft MSDN article from 2007 I found this morning while poking around looking for some writeups of the SDL. Just above the SDL introduction, there is an article called "Inspect your Gadget" that uses the exact same wording as the Security Advisory. The interesting bit is that this article speculates the attack vector and the precise vulnerability.
My guess is that the researchers were poking around and found the following sentence:
Re: Does this article mean anything?
Jesus, don't you get out man!? What are you doing? Sitting around smoking the chronic and keeping it real?
Nutch can be configured for a targeted crawl (e.g. in the Enterprise) to generate Lucene indexes. These indexes can then be inspected using Luke for tuning of your Nutch configuration file. If a single Nutch server is not sufficient (and often it is), then you can put the whole thing on a Hadoop cluster. After the indexes are created, you could create a simple search results webpage running on Apache using Solr.
A lot of products are built on combined Apache projects. Try to keep up.
Re: Lighting the lighter....
Actually this is where the magnesium ribbon comes in since you need this temperature to ignite thermite. I wasn't completely sure if I should publicly recommend the full monty of pyro powdered aluminum and ferrous oxide complete with the magnesium ribbon as the starter. Thermite also has the advantage that it doesn't "explode." It burns very rapidly and very hot. The amount you are going to be making is going to combine so fast that the cap does make sense to hold in the heat until the fuel catches and blasts it out the back.
Just went out poking around and there is the Magnelite igniter. I have no idea how well these things work, but they are magnesium and if the Copperhead cannot provide the heat to ignite magnesium ribbon or shavings from a firestarter (as a failsafe) to ignite the thermite, then a magnesium igniter in direct contact certainly should be able to do so. The temperature you have to hit to ignite Mg is 473°C. It will burn just fine in CO2 if you want to pre-test the ignition of just the Mg and the Copperhead in a cold cold dry ice pit.
Re: A bigger hammer?
A small bit of magnesium ribbon wrapped around the Copperhead would generate a nice sustained heat for a second if the heat of the propellant in the engine is an issue, but it would need a source of free oxygen for it to burn. Sort of a secondary igniter. I am trying to think of a powder that might do the trick. Finely powdered ferrous oxide?
Any other suggestions?
because humans are recording temperatures and we have no idea what type of methodology some of the people making the logs used? Rounding up or down. Looking at it up close or just looking over and trusting the old peepers. There was no standardization. Isolated individuals doing the best they could. Not exactly a dream data set.
Adding a couple of things:
Boot time. Windows 8 is much faster than Windows 7 in boot from cold hardware. I can scarcely imagine what some of the future devices I will get my mitts on with SSD will do.
Battery life. I have heard from other testers that it is better. My test machine is pretty efficient anyway, and I have not run it all the way down yet.
Tablet and desktop. People whine this is a problem, but after a few months of use it is something I really like now. Key point here is the ability to run classic applications and drive them with a mouse for finer work.
Metro convergence. This is something that is hard to explain. It is not as good as Windows Phone, but the last release is getting there. All the information presented in one spot without having to launch a unique vendor App. If I click on the Contacts or Pictures hub, I have access to Facebook friends and photos as well as my own Photos stored locally...and it is presented cleanly and in an aesthetically pleasing manner.
Tip for folks that complain about not knowing how to start: If you don't feel like lifting your finger to swipe the logon screen up, then you can click the mouse button once to reveal logon.
There is more, but I remember the exact same reaction here on El Reg to Windows 7 when I was talking about how good it was before RTM. Gloom and doom about another Vista. Next release of Windows will see the same cycle. "WHY DO I NEED WINDOWS 9!? I am perfectly happy with Metro."
Guess we will see if customers buy it...there is the test.
Re: It's not the Italian law only - it's an EU directive
This comes from the cultural expectation that if something fails due to a design defect then it is simply covered. It extends over software as well, and at least in some countries the customer can sue for excessive additional labor expenses caused by said design defects.
Perfect example would be a software product that is full of shoddy internationalization problems that drags out the implementation by 6 months more than expected. The customer may return the product and sue for the lost internal project labor costs, sales impact, and lower productivity. This tends to keep vendors and customers on a more cooperative tack, or stings like the dickens when an American vendor gets popped in the ass the first time after a true clusterf%&k of an implementation where the customer rips and replaces.
While I am talking about expensive products above (iPhones and perhaps Enterprise software or hardware) the same customer expectation applies all the way down to things like pencils. I find nothing wrong with this level of consumer protection. You sell shit, you replace it...so don't sell shit. There.
Rough around the edges...
...you could say that. You could also say that there are not many people that want to look like they are members of the Borg collective. Nice stylin' Google.
Looking forward to seeing what's in store for us in augmented reality.
Surface is clearly priced to be a concept that is non-threatening to the OEM ecosystem. It is a device that says "this is possible" but prices itself into obscurity that only a handful of people will purchase. Details of worldwide availability are not even available, but with limited distribution this tends to support my claim.
All that said, I feel Surface highlights what I like best about my tester device so far. I had a rough initial experience with Windows 8 in VirtualBox then to do a fair test I installed on a real machine.
I like that I have a keyboard (physical and onscreen), touchpad, and touchscreen, and use all of them. I like that I have user profiles so that (unlike the iPad and various Android devices floating around my house) I can create multiple accounts just like a standard desktop, so if someone else wants to check their email I can walk away from the device and they have a Guest account - not access to my email. The final convincing bit for me is that I took just my Windows 8 device with me on vacation, and had to do a bit of real work. Instead of the mind numbingly slow Android and iOS on screen keyboards, I had a real keyboard and mouse to use. I have Office 2010 on there, and prepped the device before I left with all my normal desktop applications for the Windows world. I did not have to use PuTTY while on vacation but it is installed. Instead of having to find, buy, and use Apps to bridge the gap, I use my usual comfortable combination of open source and commercial Win7compat stuff that I use on my primary work machines. I cannot even explain how much better that makes it for "real use" than my iPad or Android devices...so how can there even be a comparison? It is not even the same category.
Re: Could it be?
@Franklin, and this is a bad thing in this case?
Microsoft has been publicly polarizing itself towards privacy in response to Google's blatant disregard for it. Simple competitive positioning. Look at the Microsoft videos that slam Google with the "Gmail Man" videos. I recently saw a picture of a billboard advertising Office 365 that touted the fact that they don't index your mail. I mean IMHO this is just a basic customer expectation from a GRC standpoint, yet because a major vendor unscrupulously does, Microsoft turns it into a competitive advantage.
I would say I support Microsoft's unsurprising decision to support and attempt to protect its own end user paid licensing customer base from unrestricted and unfettered access from advertisers. If they want to pick up the privacy advocacy cause then I am not opposed.
Perfect for a quick look when I have a spare moment and I am carrying the WP7.5. Share options, getting to the comments with a button, and view as web page are nice for a first version. Thanks!
The Register website is responsive and serves up the m.site on my Windows Phone 7.5's Internet Explorer. My iPhone 4 (iOS v5.1.1) serves up the full site...so Safari on iOS either does not identify itself as a mobile device (interesting for bandwidth consumption) or the browser navigation bar is suppressing it? (Apple just fixed a similar suppression issue in v5.1.1)
Google essentially thumbed their noses at a long line of individuals and companies who have to actually sit in a limo and travel alongside the masses to get to their private planes. The sweetheart deal was granted for the promise that Google would mount atmospheric sensors on their fleets and conduct survey operations on each flight. So in a way, sure let's see the data...and perhaps let's look for better or more tenants.
For me though, the Senator's buffoonery as a pseudo-cat's paw (in that he knows exactly who he works for) is just a stage performance on behalf of a rogue's gallery of sore losers. Oracle is right next door for example, and naturally Larry Ellison never minds having his ego get an elbow in the nose. Look for campaign contributions and fund raising banquets, and you will find a long line of private plane owners stuffing money in the pockets and twisting the arm of the good Senator.
Jake also knocks over people at the local shopping center while they are texting in the presence of his policeman friend -- and then they have a good laugh about it. I would wager he is one of the more interesting denizens here at The Register since amanfrommars has been replaced by the less outrageous amanfrommars2. For an interesting view into Jake's personality, click on his name and look at his previous rants...er...um...I mean posts.
Re: not helped by Googles piss poor software and UI
No, you are not unusual there. The UI is shitty, and you can generally count on Google for that. One major complaint: to see multiple posts in the feed, you have to scroll, a lot. Compare that to the evolution of the facebook feed and how much work they put into it. A company can throw as much money as they want at a product, but without the evolution of the interface where actual users give feedback on things that could be better, it will never be "right" off the line.
Re: Short memories
@Figgus, what monopoly exactly is that? You checked the browser market percentage figures lately? Not blessing the decision, but if default browser also means it is responsible for background HTML5 shell rendering, then it is hard to argue that this should be left to just any third party to provide a reliable and consistent experience...in the first version. Lockout of allowing other vendors to be an App? There is where I might argue in step alongside with you.
Re: If they really want better search results...
I was a Google fan from the beginning. I have also decided that I don't trust them or their business model of turning the users' data and identity into their bitch or telling us we can opt out for things like having my router used for location services by changing the SID...after claiming that StreetView Wi-Fi data slurp was "just one engineer." Yeah. Not to mention the ads served up on GoogleDocs alongside the company email for one of the startups I work with. I don't trust Google.
I forced myself to start using Bing and don't miss Google. I like the picture of the day on Bing as well. Search results are good in that I find everything I am looking for every time. I have my Bing settings to USA until I see regional feature parity, and this gets tested when I use privacy mode (IE) or incognito (Chrome) since it defaults back to the local country. The Microsoft team outside the USA has done a heck of a lot, but it still misses the boat every once in a while. I can think of two instances in the last four months...not bad at all.
Since I have been using it, I have also gotten to see how MUCH better Bing has gotten. I doubt any of the downvoters that have hounded you have seen that. I prefer the presentation of Bing maps (Seadragon tech), but Google's crowdsourcing has filled its maps with business and locational data. That's hard to beat.
I guess the long and short of all this is that I am glad I have an easy alternative.
Bow Shock, Heliopause, Heliosheath, Heliosphere, Termination Shock
Solar wind plus magnetic field, combined with our very own magnetosphere determines how much interstellar wind hits our atmosphere. I find this current thinking very compelling, and would go a long way towards explaining the cyclic nature of climate changes. Sorry for all the links.
Another article from Andrew discussing Prof Rao's observations on particle interaction and Cloud formation: http://www.theregister.co.uk/2011/01/21/rao_cosmic_ray_climate_forcing/
A note from 2008 regarding the 50 year Solar wind minimum:
Finally something that is really interesting that is coming up. Voyagers are getting there. In this link there is a glossary of terms to describe
And here to Voyager's home site
Re: Look forward
I am with you on the Apps. Weak. The core installed previews show so much promise, but they absolutely fail to bring the consolidation...in this version. Windows Phone 7.5 is better with core functionality like the photo hub, contacts + facebook, live tile integration, etc.
There have been several things I didn't expect but I like very much:
* Windows 8 supports multiple user accounts and profiles that go with it. iPad and Android? Without multiple user support any device with logged in credentials is tied to a single user. Completely unsuitable for a household. Users need their own profiles.
* Using a touchscreen and a mouse. My touch enabled laptop has me occasionally touching the screen, and finding it more comfortable. I never expected I might like this since I hate a smudgy screen. I swipe the screen for obvious stuff, and touchpad/mouse and keyboard the rest. I know a huge number of keyboard shortcuts, and have mastered some of the gestures that are used regularly. In short I have adapted quickly. (it was a painful initial learning curve though)
* Tablet and proper desktop. Everyone is moaning about this. Hell, set this shit up with a touch enabled monitor and open the desktop to the main monitor in a multiple monitor setup. I just wish the touch enabled monitors hadn't completely disappeared from stores.
I recommend a side by side comparison versus Android or iOS tablets for the interface.
Re: My Credit Card was compromised this way (most probably)
Several years ago, I called up to make a reservation at a hotel.
Oh yes, we have your credit card on file.
Oh you DO?
WTF. I mean PCI DSS is for what? This person (an operator) can see my card number, name and details? They are using a system that is probably not physically secured at all. No vulnerability management, AV that might be out of date, running on XP and IE6. The staff uses this machine to surf the net during slow times. The network is not isolated. It really is a complete wonder the problem is not worse.
Re: selling trojans
not to mention bulletproof hosting...
Look it up. These are facilities with armed guards that host content primarily for criminal organizations. Failure to meet the SLA results in termination for the data center owner/operator...this dramatically increases the motivation to defend by force. So you see, it is a little more complex than just shutting them down or tracking them. Law enforcement task forces could know exactly who the perp is and not be able to do anything about it.
visionary or not.
How do you understand that you are doing something special when you are in the middle of doing it? It is like looking at the ocean and only seeing the sea as opposed to the fact that you are crossing it. He may be humble, and realistic about what others are now contributing...he may not be a "visionary." But if he had not done what he did...
Re: Proper German Company?
I obviously cannot and will not give specific examples.
Even air barriers and dedicated networks are not truly effective. Best practices aside, business must be done. I have personally witnessed that any organization that uses extremely restrictive barriers has staff or unintentional misconfigurations that circumvent all of it. I have watched as helpful IT Admins bypass the security measures. This is country independent. In fact, I would go so far as to say that the more restrictive the network is, the more creative the employees get when presented with problems such as getting a PoC, production deployment, or upgrade done without physical access to the machine, restricted network access to block FTP or ssh, no USB ports active, and no DVD drives available. Some of the strictest controls are in Germany, and some of the worst examples I have seen have also been here. If IT staff will do it for me, then they do it for everyone for every system.
Lay off the folks in the USA.
Proper German Company?
I think your characterization of US corporations stuffed full of DFMs is a misguided position.
Proper German companies? I won't topple your arrogance by telling what would be very embarrassing stories for you.
Re: A plague on all of them
We noticed in our friend circle that we were constantly reaching for our phones to settle discussions by searching for a topic. IMDB here, wiki there, normal search engine queries, looking for photos of this car or that... As fast as we got the answer and "settled" the matter, it still was a regular 30+ second interruption to our evening repeated multiple times. It is funny now, we never agreed to do it, but somehow we all independently came to the conclusion to never pull out our phones. During the transition period, one of us might have pulled out the phone, then thought better of it, and put it back in the pocket before unlocking the screen. Conversation now runs more smoothly as it did before we all began toting smartphones.
What's to balance?
Mass extinction has happened before, and who knows...we might be in line. Or we might just make the planet a miserable mess to inhabit. That was the point of the article. We are not destroying anything, just potentially shitting all over our bed.
burning cow shit throws a lot of soot
and in any case you'll freeze to death when the next ice age comes rather naturally when the heliosphere shrinks
I won't reply to you incorrectly restating my "argument" because it is a drolly pedestrian debate tactic.
Greenhouse effect? Did you actually just use that term? Hahahaha! Would you like to use the term Global Warming next? You might want to check on what the NEW term is this year, because the upper atmosphere is not warming. Sorry. The statistical validity of some of the surface measurements is also questionable, but that is pesky non-peer reviewed research science...not your side's fantastic brand of sensationalism.
The drop of ammonia in the fishtank is the absolute worst example of small things having large effects. Catalysts might be slightly better, but still miss the mark for what we are talking about. CO2 is still not a catalyst or a poison. There is no demonstrated positive feedback loop. As far as ammonia in a fishtank and CO2 in the atmosphere, one is a chemical poison, and the other is a thermodynamic question. How much heat capacity does CO2 have, "Mister Established Science"? Stay on topic. Thermodynamic properties of a gas. If you wish to branch out, then let's talk about albedo or lack thereof.
Re: Preconceived agendas, etc. @John
small things yes, very small concentrations can be absolutely lethal, but we are talking about the heat retaining attributes of a small percentage of molecules...not the concentrations that are required to poison a fish.
I see the scientist among us has arrived. Simple math too tough for you Burb?
What is the composition of the Earth's atmosphere? Guessing you are not a diver, it is 78% Nitrogen, 21% Oxygen, and then mostly Argon. Somewhere in there we have one of the smaller components of our atmosphere at a whopping f%ck all percent, which then according to the fear mongers' models doubles to OH MY F%CKING GOD. Yet it still only yearns to scratch the ass of 1% of our atmosphere. If this were a pie chart you could not even see the sliver. A single pixel line would be too thick. It could quadruple and still be so far from even qualifying for a rounding error, yet this gas and its miniscule increase is the culprit for the "global" changes in climate?
Please. Pull the other one. I mean really.
Re: Preconceived agendas, etc.
and you consider it a problem? I would say the title indicates what is on the tin.
Take a 1 liter bottle and fill it with water. This will represent your "atmosphere." Would you now like to do the math about how much of that liter bottle the .0003% increase is? It might be easier to imagine and more practical to accomplish if you use a 100 liter tank, or perhaps a 1000 liter tank of water. Actually no. Why don't we do it 1:1? Let's avoid the ml conversion and take a million liter tank. As we are talking about an increase of 3 ppm this should make it easy for you. Now how much water in a 1,000,000 liter tank are we talking about?
It's f%ck all. That's the answer.