* Posts by Leo Davidson

90 publicly visible posts • joined 5 Apr 2007

Cheaper, slimmer Google Nexus 7 rumored for Q1 2013

Leo Davidson

Charger and manual are included.

The N7 comes with a charger (standard small USB), unless something changed in the few months since I got mine.

There is an electronic manual in the Google Books app, which you cannot miss because the widget, showing the book cover, is on the home screen by default.

Google's support (and ordering process) is pretty awful though, I'll give you that. I just went through a lot of hassle to get a Nexus 4 and I'm not sure I ever want to buy a device direct from them again.

Mystery of David Attenborough's garden skull cracked

Leo Davidson
Holmes

News of the World

I believe there is also compelling evidence that Rebekah Wade had Kate Webster's phone hacked and was listening to her voicemails.

OCZ Vertex bashes users with Blue Screen of Death

Leo Davidson

What if it's the sys/swap drive?

How do you propose the OS does anything but crash if the failed drive is the one with all the operating system files on and/or the one with the swap file/partition on?

In a system with an SSD, both usually apply.

Sure, you could have an OS that loads everything it might possibly need into RAM but that's going to waste a lot of RAM.

Honestly, this is like complaining that an OS crashes because the memory or the CPU explodes.

Pentagon: Hack attacks can be act of war

Leo Davidson

Goose meet gander

So, presumably, if the same rules apply to both "them" and "us", if Iran could prove who was behind the Stuxnet attack on its nuclear reactor then it would be okay for them to blow up a power station in the responsible country or countries?

I'm guessing that would be condemned by the USA, even though they are advocating the same response for themselves.

Android Marketplace starts cleaning house

Leo Davidson
Alert

It's not because they are emulators.

There are loads of emulators still on Android's market.

The reason these were removed has been widely reported to be complaints about licence violations filed by the teams who wrote the original emulators which these ones are based on. The Android ports were being sold for (substantial) profit and without making their source available, either/both of which were against the terms of use for the code.

If there's any kind of scandal here, it's that Google took so long to respond to the complaints, not that they took the apps down. (I've no idea what kind of proof was given to Google, nor how long it took other than a comment I read from one of the original devs saying it was about time, so I don't personally know if Google acted quickly or not. In the past they've been very slow to take down blatant pirate copies of apps, so I imagine it takes them even longer to decide something is using another project's source-code.)

If this were a complaint by a console manufacturer then you'd expect either all emulators or all emulators for that particular manufacturer to be taken down, not all the emulators made by one particular developer. So the explanation that it's a GPL (or whatever) violation makes sense, and fits with what people have publicly said they have sent complaints to Google about.

Android app sales skimpy, sluggish, slack, scanty...

Leo Davidson

the problem is supply, not demand

I think this analysis overlooks a rather important point: iOS has more high-quality software written for it. So of course its software gets more sales.

I'm not saying that accounts for all of the difference, but surely it's too big a part of the picture to ignore it if you're thinking straight.

I have an Android phone and have bought a bunch of apps and games. Some of them are very good. But there are still a load of other top-quality games I've seen for the iPhone which I would buy on Android if they were ported. They're not, so those sales don't happen. (I still don't want those apps enough to change platform and suffer iTunes, however.)

If you build it, they will come. I don't blame anyone for focusing on iOS -- it is a more tried & tested route, and Android Market does have its issues -- but there is decent money to be made on Android all the same, for people who put time into it. As a bonus your app/game will stand out more because it's competing with less.

Another thing I find odd about this article is the stuff about Apple's top ten promoting certain things. Android Market does something similar, and has done at least since I started using Android late last year.

Microsoft's IE9: Don't believe the hype

Leo Davidson

Office vs IE releases

"Why is it that the same people that whinge about a new version of Office coming out every 3 years are the same people that demand a brand new browser every 6 months?"

Oh, hmm, let's see:

* New versions of Office cost hundreds of pounds.

* New versions of IE are free.

* New versions of Office do little more than change how the non-standard toolbars and menus look, for most people. The big features they add are used by only a handful of people. (Not that there haven't been some great features added over the years, but it's rare for people to care about many of them.)

* Office defines the file formats etc. which it uses, and has virtually no competition, and thus cannot be left behind if not updated often enough.

* OTOH, IE has serious competition and has to keep up with ever-evolving web standards/technology, yet stagnates. As a result, thanks to its declining but still huge market share, it holds back what web developers can do and/or the amount of time/hassle taken to do it.

I'm sure there are plenty more reasons, but that'll do.

Leo Davidson

Market share

Microsoft aren't a charity. If they don't think that IE affects their bottom line in some way then it's really, really strange that they have put so much time and money into it over the years.

Adobe closes Flash-based Flex to outsiders

Leo Davidson
Grenade

Respect must be earned

"We have to respect those teams development process"

Given the results of the development process behind Flash -- an endless stream of security holes that take them weeks/months to fix; a 64-bit version that's years late... -- I see no option but *disrespect*.

HTML5 web video flashes past Flash

Leo Davidson

Liars often figure...

Those stats seem rather misleading.

1) Where are the figures for video that *isn't* encoded in H.264?

There are a lot of videos on the web not using that codec, even if it is very popular for new content.

2) Where are the figures for video that is served via Flash (whether H.264 or the older codec Flash also uses)?

Video being available in one format does not exclude it from being available in another.

There's little doubt that the HTML5 video tag is the way of the future but let's not pretend we're closer to it than we are.

Java surpasses Adobe kit as most attacked software

Leo Davidson

Show me an app that requires Java...

Show me an app that requires Java and I'll show you an app I don't want anywhere near my machine.

I haven't had a JVM installed in many years*. The web doesn't need one. No non-enterprise/middleware software worth a damn needs one. (OpenOffice certainly doesn't need one.)

I've used (and written) some enterprise middleware using Java and that stuff is fine, as far as it goes (wouldn't be my personal choice of language but it does work so, sure, whatever). It simply is not needed on most machines, though.

(*With the exception of the JVM smuggled on to one of my machines for Blu-Ray playback, but that keeps to itself. And I'd rather it wasn't there, and that Blu-Rays just had movies on them without stupid interactive menus, but what can you do. :\ Blu-Ray is a trojan horse for java. :) )

Jobs drops hint on Google open video codec

Leo Davidson
Jobs Horns

Go away, Steve.

It's ridiculous that the VP8 quality argument is allowed to stand when it's as good as the baseline H.264 mode, which is what everyone will have to use for web videos if they want them to work on mobile devices. The other H.264 modes may as well be a different codec which nobody can/will use.

As for Jobs: http://www.pretentiousname.com/temp/joined_up_thinking.png

Flash embraces Google's open video codec

Leo Davidson
Jobs Horns

Steve Jobs is a liar.

Anyone who believes the Steve Jobs lies that Apple care about open web standards needs to take another look at Apple's movie trailers website:

http://www.pretentiousname.com/temp/joined_up_thinking.png

Jobs lied about hating music DRM and he's lying about wanting open formats and to free us from proprietary plug-ins.

Council deforests beauty spot to combat dogging

Leo Davidson

Worried? Me?

"It's an ongoing problem and very worrying for members of the public."

Who is it worrying and why?

Oh no someone is having sex, I am so very worried!

I suppose if you have kids you might not want them to witness people shagging as they're walking through the forest in the middle of nowhere but I'm not really following the implication that people having sex outside are somehow a serious danger to the public. They're not raping random people as they pass by or anything like that. Are they leaving jizz everywhere or something? What's the deal?

I guess if I had to walk past a load of shaggers every day on my way to the local shop I might find that annoying, like I'd find someone blasting out crap music annoying, but still not worrying.

SA news outlet deploys sh*t London Olympics logo

Leo Davidson
FAIL

It sure is shiiiiiiiiiiiiiiiiiiat.

Why is that 2012 Olympics logo still in use?

It's like Gordon Brown. Everyone hates it. Everyone knows it's shit. Everyone knows everyone else knows it's shit. Yet it's still there and we still let it represent us. WTF?

London is walking around with "TWAT" written on its forehead.

Drought effect on rainforests is negligible

Leo Davidson

I don't have a side

Not sure why people think I have a side. I was asking for balanced reporting, not for reporting which favours either side.

Anyone who has been paying attention to The Register's coverage of climate change issues will know it's been far from balanced. Extremely selective is what I'd call it.

Leo Davidson

What's the scoreline?

What's the scoreline here, in terms of mistakes made on each side of the debate?

Is the reason The Register doesn't run similar stories about debunked claims from climate-change deniers that it would be a fulltime job to document the lies/mistakes that come from that side of the debate?

Or is there confirmation bias and/or an agenda at work here?

Not saying everything the IPCC do is right, but if being 100% right is the requirement then you've got to reject every single organisation, I suspect.

Jesus Phone to exhibit holy gift of bilocation

Leo Davidson
FAIL

Re: Pre-emptive multitasking

The fact that one thing (the desktop/shell/explorer.exe) blocks while waiting on a shared resource is not evidence of a lack of pre-emptive multitasking.

OTOH, your post is evidence that you don't know what pre-emptive multitasking is. :-D

PayPal restores Cryptome for real

Leo Davidson

PayPal aren't a bank.

PayPal aren't a bank; it's just a service where you can pay real money to modify some numbers on a website and, at a future date, you *MAY* be allowed to turn those imaginary numbers back into real money, but there's no guarantee of that (nor regulation) whatsoever.

There are a lot of four-letter words you could call PayPal but "bank" isn't one of them.

Old PS3s locked out of PlayStation Network

Leo Davidson

It's not just PSN

It's not just PSN that's affected and Sony are advising people not to turn on their consoles AT ALL until they know more.

No, it isn't the end of the world, but it's also hardly a good turn of events.

More workers poisoned by supplier for Apple, Nokia

Leo Davidson

Green hardware companies

Even without this issue, it's hard to imagine how anyone could consider Apple (or any/many other hardware companies) "green" when their modus operandi is to convince the world to buy electronic gadgets and then, a year later, throw them in the bin and buy the new models.

I imagine every hardware company *wants* to do that but Apple seem fairly unique in actually achieving it, with people being eager to bin their current Apple kit and refresh it as soon as a new model is out. (Or maybe it's just the people I know.)

That's not to mention their Nintendo-like knack for intentionally messing up aspects of early models so that there are easy & obvious things to add to the later refreshes to tempt not new customers but the same old customers to buy another version of the hardware they already have.

Or batteries the user cannot replace...

It's one reason I've always thought Al Gore was a hypocrite for going on about the environment while being on the board of a company that, however hip their image may be, seems intent on stuffing landfills full of last year's tech.

A portable device is for life, not for Christmas! :-)

Adobe apologizes for festering Flash crash bug

Leo Davidson
FAIL

Reader 64-bit: Another example of laziness

Another example of Adobe's laziness is Adobe Reader on 64-bit Windows.

People have been complaining for 2 or 3 years that the thumbnails and preview handler didn't work.

Who finally fixed them? Not Adobe. Me, in my spare time.

One of the fixes was just a registry key set incorrectly because Adobe cannot read API specifications (something I've noticed a lot when trying to make their stuff work). So far, Adobe can't even be bothered to incorporate that fix into their installer, several MONTHS later.

How many Adobe engineers does it take to change a registry setting?

The fix for thumbnails, just released, required some coding but still should have been done by them years ago, not by a third party in his spare time.

Fixes are free for anyone who wants 'em:

http://www.pretentiousname.com/adobe_pdf_x64_fix/

Adobe: critical Acrobat flaw fix 4 weeks away

Leo Davidson

Adobe Reader's much faster these days, FWIW.

Not that I like Adobe or Adobe Reader (see my comment above), but people who use FoxIt just because it loads faster might want to try a more recent version of Adobe Reader as it loads pretty fast these days.

Adobe also do a better job of rendering fonts, especially at small sizes:

http://www.pretentiousname.com/adobe_pdf_x64_fix/pdf_comparison/

PDF-XChange seems like another good PDF viewer:

http://www.docu-track.com/

I've yet to understand the buzz around FoxIt as its main feature seems to be that it's not written by Adobe, but it's not actually a better viewer from what I can tell. (It was back when Adobe Reader took an age to load, though.)

Leo Davidson
FAIL

3 months and counting to change one registry value

Adobe are a useless bunch.

For three months and counting they have ignored the fix I gave them which makes their PDF preview handler work on 64-bit systems. All the fix takes is a couple of registry value changes which are completely documented by Microsoft, yet Adobe have just sat on their arses.

That's also not counting the two years (or more) they completely ignored the issue and the people complaining about it. I decided to look into it myself and it only took me a few hours to find & solve.

http://www.pretentiousname.com/adobe_pdf_x64_fix/

They're an absolute bunch of muppets, it seems, so I'm not surprised it takes them a month to fix a security issue that's in the wild.

IBM hurls defiance at Microsoft after communications pitch flop

Leo Davidson
Flame

Loltus Nothanks

Lotus Notes? Fook off!

I'd rather communicate using smoke signals generated by setting my pubes on fire than use that load of gash, thankyouverymuch.

"But it's been improved!" -- No it hasn't. Changing the UI colour doesn't improve the program behind it. Or the horrible, non-standard UI, for that matter.

Microsoft uncloaks invisible XBox controller

Leo Davidson

@Chris - You can transfer downloads to a new console

@Chris: "ArcadeAgain - useful new feature allowing you to actually use the stuff you have paid for offline, when your console, which you have also paid for, fails catastrophically and is replaced by a refurbishment after a month of waiting."

Microsoft let you transfer ownership to new consoles now, so that you can play them even if you are offline or logged in with a different profile. They've let you do this for ages. I agree it was something to complain about originally (and still is to varying degrees with the competition, though PSN's DRM seems pretty relaxed), but it seems that Microsoft have sorted it out on their platform.

Of course, we have yet to see what happens to all our DRM-laden downloaded content come the next generation of consoles. What are the chances that none of the three manufacturers are going to say "LOL, you can pay for all that again, buddy!"? :)

'Better IT could have stopped 7/7 bombings'

Leo Davidson
IT Angle

Better foreign policy could've prevented 7/7 bombings

Better foreign policy could've prevented the 7/7 bombings.

Why worry about the symptom when you could tackle the cause?

Wolverine leak claims first victim?

Leo Davidson

News Corp seem to be pro-piracy when it suits them

--8<--

"Roger Friedman's views in no way reflect the views of News Corporation. We, along with 20th Century Fox Film Corporation, have been a consistent leader in the fight against piracy and have zero tolerance for any action that encourages and promotes piracy.

-->8--

Yeah, right... Maybe when it comes to piracy of stuff you own, but not so much when it comes to piracy in general:

http://en.wikipedia.org/wiki/NDS_Group#Piracy

Online attackers feed off Norton forum purge

Leo Davidson

@All lies: PADDINGX is not suspicious

"I do know that after the binary was deconstructed it contained a lot of "PADDINGX PADDINGX" etc...that sounds like a familiar technique eh?"

Yes, familiar in that it's something that Visual Studio seems to add to exes it produces as padding after the manifest resource (in case the XML grows in size, I guess).

Familiar in that it's a string I can find in 641 executables on my computer, including ones I've built myself.

I don't know about your other claims but that one sounds like FUD to me, whether intentional or not.

Symantec addressed the "Swap Drive" IP by saying it was a company they bought a few years ago, FWIW. They could be lying but I imagine it's fairly easy to find out who the company is if you are suspicious of that.
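An added example, not part of the original post or of any tool it mentions: a small triage script that parses a PE file's section table and reports which section each "PADDINGX" occurrence falls in, so a finding can be compared with the post's explanation (padding after the manifest resource). The function names, the verdict labels and the sample bytes are constructed for illustration.

```python
import struct

MARKER = b"PADDINGX"  # the string quoted in the post

def parse_sections(data):
    """Return [(name, raw_offset, raw_size)] from a PE file's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                         # after optional header
    sections = []
    for i in range(n_sections):
        off = table + i * 40                               # 40-byte entries
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections

def marker_offsets(data):
    """File offsets of every non-overlapping MARKER occurrence."""
    offsets, pos = [], data.find(MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(MARKER, pos + len(MARKER))
    return offsets

def locate_marker(data):
    """Map section name -> number of MARKER occurrences inside it."""
    sections = parse_sections(data)
    counts = {}
    for off in marker_offsets(data):
        owner = next((name for name, start, size in sections
                      if start <= off < start + size), "(outside sections)")
        counts[owner] = counts.get(owner, 0) + 1
    return counts

def verdict(data):
    """Illustrative labels (an assumption of this example, not a standard)."""
    counts = locate_marker(data)
    if not counts:
        return "absent"
    if set(counts) == {".rsrc"}:
        return "resource padding"   # consistent with the post's explanation
    return "review"                 # string sits somewhere else; look closer

def build_sample(text_raw, rsrc_raw):
    """Constructed two-section PE skeleton: headers only, not a runnable EXE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    text_ptr = 0x40 + 24 + 2 * 40
    rsrc_ptr = text_ptr + len(text_raw)

    def section(name, raw, ptr, rva):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), rva,
                           len(raw), ptr, 0, 0, 0, 0, 0)

    return (bytes(dos) + coff
            + section(b".text", text_raw, text_ptr, 0x1000)
            + section(b".rsrc", rsrc_raw, rsrc_ptr, 0x2000)
            + text_raw + rsrc_raw)

# Constructed samples: padding after a manifest stub, and the string in code.
SAMPLE_PADDED = build_sample(b"\x90" * 32,
                             b"<assembly/>" + b"PADDINGXXPADDING" * 2)
SAMPLE_ODD = build_sample(b"\x90" * 8 + MARKER + b"\x90" * 8, b"<assembly/>")
SAMPLE_CLEAN = build_sample(b"\x90" * 32, b"<assembly/>")

if __name__ == "__main__":
    for label, blob in [("padded", SAMPLE_PADDED), ("odd", SAMPLE_ODD),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, locate_marker(blob), verdict(blob))
```
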

Wanna see how to use Win 7 UAC to pwn a PC?

Leo Davidson

Re: I've never had a problem

If you feel that way then you should be in the camp arguing for the UAC prompts to be removed completely.

(Note: Removing the prompts is not the same as turning off UAC completely. Apps still have to be written to use UAC and support the extremely useful over-the-shoulder elevation feature for non-admins. Apps also still have to segregate their admin and non-admin tasks with an encouragement to minimize the admin parts. All that's lost is the user notification/consent about switching to admin mode. Which is no loss when malware can bypass it with very little effort and the only things that will show it are the legitimate requests which the user will OK every time.)

Right now the problem is that Windows 7's UAC prompts provide very little protection. The solution could either be:

a) Make them more secure.

b) Get rid of them by making the default the "Elevate Without Prompting" mode that was already an option in Vista. (i.e. Admit that, as it is now, it doesn't work, is just security theater, and is unfairly inflicted on third-party apps to give the illusion of security when the hole isn't their fault and is actually the fault of the very things that are getting the free pass: Microsoft's apps which used UAC so badly that it irritated people so much on Vista. I go into this thinking in more detail and examples on my site.)

If you find UAC pointless then argue for B.

Personally, I find UAC useful. As one example, I keep my nightly backup files in a place that cannot be modified by non-admin processes. That way a normal process cannot easily take those out if it is taken over by a remote execution attack. Obviously there's still a chance that an admin process will be taken over in the same way but limiting it to only those processes reduces the risks. Crucially, things that access random places on the net such as web browsers and FTP clients are all non-admin.

(And before someone says, "Just don't go to dodgy websites," you should know from reading The Register that plenty of "safe" and legitimate websites have been hacked in the last year and made to serve up malicious content to their unsuspecting readers.)

Leo Davidson
Flame

RE: Sorry to burst your bubble ...

Sorry to burst *your* bubble Rich Turner, but if you'd actually paid any attention to the videos, the article or the explanation linked from the videos you would know:

IT

DOES

NOT

USE

THE

RUNDLL

OR

SENDKEYS

FLAWS

YOU

IDIOT.

:-)

Sorry, but waiting for the reg to moderate comments all weekend while so much retarded crap was left here built up my frustration levels.

I'm also wondering how you managed to post that on Sunday when I put a large, caps message at the top of the video explaining it on Saturday morning.

Did you even look at the page before slopping your stupidity on the Internet?

Leo Davidson
Flame

Reply to all...

MICROSOFT HAVE NOT SAID THEY WILL FIX *THIS* EXPLOIT. You're all thinking of the other two. Microsoft haven't even responded to this exploit yet (in any meaningful way).

RE: Too late (Mike Kamermans)

The issue was published *after* the E7 blog post you quoted. MS haven't responded to this issue yet.

You'd know this if you bothered to read my web page instead of assuming that any post on the web saying any issue was fixed applied to every possible issue. :-)

RE: Why? (AC)

"Hasn't this guy just wasted his time? Since Win7 is Beta, MS have said they aren't too fussy about patching the Beta, but have said they'll change this for the final."

MS's talk of patching was about two different issues both of which are easier to patch than this one. Also, they were not going to patch the other two until a lot of fuss was made over them. MS are also traditionally very slow/reluctant to fix things this late in the cycle and there won't be another beta.

And since it's a beta, now is exactly the time to test it and provide feedback, which is what I've done.

RE: Most pointless proof of concept ever.

"Except they didn't, because they had already installed a trojan which would have to bypass UAC by the usual social engineering techniques."

Except nothing was installed beyond an EXE being copied to the desktop. UAC was not bypassed at all until the program itself bypassed it. All things explained in the video and on the webpage that you didn't bother to view properly before commenting. Well done!

Windows 7 UAC vuln not a vuln, MS repeats

Leo Davidson

A third exploit, with video.

Today I finished writing a proof-of-concept application that demonstrates a third flaw of the Windows 7 UAC design.

I don't know whether this is fixed in the reported changes that will go into the final build as they haven't been released for people to inspect. I feel there really should be another beta at least, else these problems could wind up left in the retail release.

The flaw I demonstrate allows:

- Any *unelevated* process

- On an x64 or x86 Windows 7 with default settings

- To create and use elevated COM objects without any UAC prompts

- Using code injection into *any* process that is flagged for silent elevation.

If it needed to it could scan the running processes and pick a random one that had the appropriate elevation manifest but at the moment it just targets Explorer.exe.

It demonstrates what I was trying to prove which is that fixing the problem in, or removing the silent elevation flag from, individual programs such as RunDll32.exe may make attacks a little bit harder but does not fix the problem.

Here is a video (with a mirror site donated by a friend as the first one seemed slow):

http://nudel.kelbv.com/W7Elevate/W7Elevate.htm

http://leo.lss.com.au/W7Elevate/W7Elevate.htm

I'm in the process of writing up what it does. The write-up will appear here once I've finished it:

http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

(If the URL doesn't work then I'm still typing away. :))

Before anyone says that "it just copies a file, so what?!", note that it's copying to Program Files, a protected area, and I could trivially make it do other things. The demo is just to prove that the unelevated process is doing things it shouldn't be able to do. My intention isn't to produce a proof-of-concept program that actually does some damage; just to prove that there's a problem here that could be exploited by someone malicious.

Besides, if you can rename, delete and replace files in System32 and Program Files then you can easily take full control of a machine.

Windows Vista stuck on single digit enterprise adoption

Leo Davidson

Businesses don't migrate to every version and don't migrate straight away.

Is there anything abnormal here?

Most large companies I've worked for have not been using the latest version of Windows when I got there. They also tended to skip a version or two, waiting until it was really worth it (or the old version was too expensive to buy support for). Businesses don't upgrade operating systems just for the sake of it and even when there are compelling new features they are weighed against the huge costs and risks of upgrading that many machines and migrating that much software.

Given that most large companies already run locked-down builds where users don't have admin access, I can't see a huge benefit for them to move to Vista. Other main improvements in Vista are more foundations for the future, when Vista's features are the baseline that all developers can assume people have, such as improved 3D hardware sharing on the desktop. Not something many businesses care about now (but they might be grateful for it in the future when/if business apps take advantage of such features).

There wasn't a huge benefit to move from Win2k to XP, either... But the jumps from Win9x or NT4 (or god forbid NT3.51) to Win2k, XP or Vista all make a lot of sense. I imagine most businesses who did install Vista did so because they were still using something older than XP, yet I don't remember people slagging off XP because people still used NT4, Win2k or Win9x after it came out.

I don't really understand what people expected to happen. It seems like XP existed for so long that people have forgotten what things were like when it was a younger OS (never mind Win2k or before).

OS adoption happens slowly, and rightly so.

Gears of War grind to halt

Leo Davidson

DON'T PANIC -- Code signing != timebomb (if done properly)

DON'T PANIC! :-)

As Harri Koppel says, the problem is that they forgot to (or didn't realise they had to) timestamp the signing/certificate.

Timestamped certificates do not expire. If you want an example, bring up the Properties dialog on comctl32.ocx on a Vista machine and you'll see it was signed with a cert that expired many years ago but is still considered valid:

http://nudel.kelbv.com/cert_timestamp.png

See here for more detail on timestamping:

https://www.thawte.com/ssl-digital-certificates/technical-support/code/msauth.html#expires

The real problem here is how long it's taking a simple re-signed exe release to reach customers. I presume Microsoft are applying their ridiculous testing/certification requirements just in case the replacement exe somehow... what, is more buggy than an executable that cannot actually be run? I suppose it could delete files or something but surely there's no risk of that if they just re-sign the existing, pre-tested code??

Windows 7 UAC shutoff 'bug' leaves Microsoft unmoved

Leo Davidson

@The ignorant people saying it's a Beta...

To everyone saying it's a beta and we should thus ignore the issue:

a) Microsoft have EXPLICITLY said they WILL NOT CHANGE THIS.

b) If a fuss isn't made about it MS may completely ignore it. In fact a fuss has been made about it and MS are still ignoring it. So more of a fuss needs to be made about it because it's completely broken.

c) You obviously have very little experience with preview/beta software and Microsoft in particular (though they are far from the only culprits). I can think of so many damn times where an issue has been raised in a public preview of an OS, application or game and everyone has assumed it will be fixed in the final release, only to find that it hasn't. Unless a fuss is made things simply do not get fixed.

d) Microsoft are rushing Windows 7 to market. See the article on the Reg's front page where they reiterate that there will not be a second beta. Features are now locked-in, unless something catastrophic happens (which this is, IMO), and only tiny changes will be made after the first RC is released. There is no second beta and no second chance to submit feedback.

e) Microsoft traditionally do a TERRIBLE job of supporting their OS the moment it goes gold. There are so many bugs in the Windows UI code in particular that people have complained about for years but which never get fixed, apparently due to a combination of fear about breaking something else when fixing bugs and just not giving a crap.

In summary, it is entirely justified to make a big deal out of this right now. We're probably already too late!

Leo Davidson

Proof of concept has been made

These people have made a VBScript which will disable UAC on a default Windows 7 install without any user interaction:

http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/

It works by opening the UAC control panel (which is inexplicably on the UAC whitelist) and sending it mouse & keyboard events.

"Am I missing something here? If the end-user turns off UAC then it is disabled. How is this a bug?"

The problem is that it doesn't have to be the *user* who turns it off, just code running as the user. As the proof of concept code shows, Win7's UAC can be turned off by any program/script which the user runs.

The whole point of UAC is to allow users with admin access to avoid giving all programs they run admin access, in case those programs are malicious or (more importantly) trusted but subverted by things like buffer overrun bugs.

Now any program can get admin access by sending some mouse & keyboard events to the control panel. That is so simple to do that there's already a VBScript example to prove it.

(The UAC "secure desktop" feature prevents those mouse & keyboard events from reaching the confirmation dialog but if there is no confirmation dialog due to the whitelist then that does not stop anything.)

Similarly, programs can send mouse & keyboard events to Explorer to change protected files without any UAC prompts, since Explorer is on the whitelist and you cannot take it off the whitelist without disabling the whitelist entirely.

Personally, I will be disabling the whitelist. I don't mind UAC prompts and don't see them that often. For people that do get annoyed by them for some reason, though, they should be able to remove the UAC control panel and Explorer (and whatever else they want) from the whitelist while also being able to add programs they want to suppress the prompts for. If there's any point to a whitelist at all it should be controllable by the user.

Leo Davidson

There's also an antitrust issue here, IMO.

The UAC whitelist is anti-competitive, as well.

Users cannot add 3rd party components that they use & trust to the UAC whitelist. Only Microsoft's own components can be on it. So, for example, third party file managers have to display at least one UAC prompt to get admin access while Microsoft's Explorer does not. That isn't an even playing field.

Similarly, users cannot remove Microsoft's components from the UAC whitelist. So if you do not use Explorer but do want the whitelist (which is on by default), you are forced to leave the security hole open for Explorer even though it doesn't benefit from you. Explorer's UI isn't isolated like an admin process is -- its windows have "medium integrity" -- so there doesn't seem to be anything to stop it being remote-controlled via mouse & keyboard events. Which is an okay trade-off if you use it but a stupid security hole if you don't.

Sadly for me (a file manager nut), people don't seem to care much about anti-competitive behaviour that affects anything other than web browsers, so nobody AFAIK has picked up this story, although I did mail a bunch of sites about it.

More details here, including a confirmation from Microsoft:

http://www.pretentiousname.com/misc/win7_uac_whitelist.html

Where's Wally Vista SP2?

Leo Davidson

Do we desperately need SP2?

Do we desperately need SP2? If not then why make a fuss over the release date? I'm surprised there's talk of SP2 already at all, to be honest.

I guess it's good to bundle all of the Windows Update stuff into a single download but that's still nothing to get excited about the exact release of.

Vista SP1 seems to work great on the three machines I run it on. I don't have any problems copying files over network drives, either, although that could be because I use Directory Opus rather than Windows Explorer for file management. (It seemed to be the shell file-copy APIs, which Opus does not use, that had the problems pre-SP1.)

Then again it could also be a problem with your network card drivers... It seems usual for people to blame Vista when it could be any number of things, doesn't seem to have been investigated properly and doesn't happen for other people.

Apple gives QuickTime new version number

Leo Davidson

@"QuickTime Alternative is the way forward"

That's an ignorant statement because QuickTime Alternative *is* QuickTime, just with some stuff removed from the installer.

Chances are if there's a security problem in the way QuickTime renders media then it's going to affect you even if you're using QTA, and by using QTA you now have to wait longer for a 3rd party to update the hacked installer so you can update.

http://en.wikipedia.org/wiki/QuickTime_Alternative

Microsoft gives XP another four months to live

Leo Davidson
Gates Halo

Hate Train to Nowhere

Sigh, another Register article about Vista, another stream of comments from idiots whose S key seems to be mapped to the $ symbol, all complaining that Vista, which they have barely used, apparently did inappropriate things to their dogs' behinds and constantly displays UAC prompts (hint: you're doing it wrong, and you can always turn off UAC if you insist) and that it needs more than £5 worth of RAM (oh, boo f***ing hoo!).

Oh, and that, "maybe it's okay if you buy new hardware," in an article that is about XP being offered to OEMs for use *on new hardware* for a few more months.

Facebook ignores huge security hole for four months

Leo Davidson
Thumb Down

NoScript: The cure is worse than the disease.

I tried using NoScript. I love the idea of it in principle. Unfortunately half an hour of using it made me realise how much of the web depends on Javascript. The majority of sites I visited were completely broken and I had to keep whitelisting things to the point that it seemed utterly pointless.

If pretty much breaking the entire Internet is your idea of a fix then I'd rather be broken. Here's a similar fix: Turn off your computer.

I went back to using Flashblock instead.

I'd love it if Javascript wasn't used so (IMO) gratuitously. (It's used wonderfully on many sites but on others, where you're being served a static page, it makes me wonder WTF the site authors were thinking.) If I only had to whitelist a few sites, like I do with Flashblock, then NoScript would be great. Having to whitelist a huge number of sites is a giant hassle and makes me question what I'm protecting myself from when so many things are granted an exception.

Microsoft phone coming Zune?

Leo Davidson

Can we have a Zune music player, please?

Who cares about phone rumours when you still cannot buy a Zune in most of the world, including the UK?

It was easy not to care about the Zune at first but after the firmware/software updates (and Apple's recent capacity downgrades) the Zune seems to be as good at playing (gapless!) music as the iPod, with better PC-side software (if you're on Windows) and format support and equal capacity (120gig). Given the choice I'd buy one over another iPod at the moment, if Microsoft would actually try and sell me one.

Brit ISPs censor Wikipedia over 'child porn' album cover

Leo Davidson

Wikipedia *is* censored

When discussing whether or not the image should be removed, I think it is silly that Wikipedia admins immediately end the discussion with the mantra "Wikipedia isn't censored."

Wikipedia *is* censored. How can they claim it is not? They will remove content which is illegal in Florida, USA. If that isn't censorship then what is?

I am not saying that the album cover should be removed -- FWIW I don't think it should be -- but that the argument should be about what to censor and why, not whether or not things are censored at all (when they clearly already are if they are illegal in Florida).

Their reasons for censoring content illegal in Florida are clear: Getting the servers taken offline (or forcing them to move countries) would be very damaging to the project. Fair enough. But banning anon edits for half the UK is also damaging, so perhaps the discussion should be about how damaging something should be before it is censored. Or just say "we only care about Florida and don't care about the rest of the world" which would be fine. That's still censorship, though.

Google silences Gmail security blogorumors

Leo Davidson

GoDaddy should require more than an email

Email is inherently not secure, since signing and encryption are not standard or required, so services with access to important things -- domain names, banking, email itself -- should require more than just access to an email address in order to change or retrieve passwords.

I'm no fan of GMail but even if there was an exploit in it I would still put most of the blame on GoDaddy in this case. Email can and will be broken into; deal with it.

Unofficial fix issued for Vista networking flaw

Leo Davidson

RTFB

The only people who can exploit the bug are members of the Network Configuration Operators group. (Administrators already have full access to the machine so there's nothing for them to exploit.)

Number of users in that group by default: Zero.

I'm sure there are a few cases where people are using that group, and Microsoft's slow response at issuing what should be a trivial fix -- just bounds-check the input -- for a bug that will be serious to some is a disgrace, but let's keep things in perspective. This won't affect many people and blanket "lol, you should go back to XP" statements are ignorant & stupid.

MacBook buyers bite Apple over copy protection cock-up

Leo Davidson

DVI also uses HDCP

Saying they should include a DVI port would not solve the problem. DVI also uses HDCP and HD content can require it.

HDMI is just DVI + audio in a different connector. HDCP can be and is applied to both and you can run into the same problems with protected HD content when using a DVI cable if your graphics card and/or monitor do not support HDCP. (Or if they support it but not in the mode you are using... e.g. For a while at least there were several graphics cards which support HDCP in single-link DVI mode only, meaning it didn't work at high resolutions requiring dual-link DVI.)

Sony Ericsson Walkman W595 music phone

Leo Davidson
Thumb Down

No gapless playback if it's like the W910i

I've got a W910i and it's a great phone but not a good music player since, like Sony's other current MP3 players, it doesn't do gapless playback.

If Apple (with the iPod) and Microsoft (with the Zune) can implement gapless playback, and considering that Sony *used* to do it with their ATRAC players, it doesn't seem too much to expect things that carry the Walkman brand to do it as well. Sadly they do not.

Shame, though the rest of the W910i works great.

Microsoft rushes out emergency Windows update

Leo Davidson

It's not for CVE-2006-2094

I guess Gordon Slater was making a joke about it being an emergency patch for CVE-2006-2094 from 2006 but this patch doesn't seem to have anything to do with that.

Someone seeing his reply and not realising it's a joke might think the problem is to do with IE and not bother installing the patch because they don't use IE.

In fact, the problem seems to be in the RPC service and browser choice won't matter.

Microsoft's 'ordinary Joe' promises Windows 7 bliss

Leo Davidson

What DRM are you lot going on about?

Lots of posts here mentioning how DRM is the worst thing in Vista.

What are you talking about, exactly? Can you point me to the articles with info on the DRM added to Vista that isn't also in XP and the benchmarks which measure the performance hit from it?

I hope you're not just referring to the Peter Gutmann "the longest suicide note in history" article which was largely a made-up load of hypothetical rubbish written by someone who had never used Vista and was using worst-case guesses (both about how things might be implemented and, if they were, what the hits may be from them) from other people's forum posts.

I apologise if I've somehow missed all of the sound information and benchmarks on Vista's horrendous DRM, and if in my two years of using Vista I've somehow not noticed that my PC's performance is terrible. Perhaps I'm living in an alternative universe? I get the impression, though, that a lot of people heard something about "DRM" and "Vista" and decided it must be true and must be to blame for every possible problem without further investigation.
