456 posts • joined 1 Aug 2008
Re: Cash vs Principles
Those are very good points. But. Google is big business. Big business does not pay tax, so the effect of tax-offsetting is moot.
The CEO of the Weir Group said on Radio Scotland that a possible reduction in corporation tax post a yes vote would be of no interest, as only 5% of corporations paid basic taxes. He was more interested in the benefits that come from Westminster. He, along with the head of the Wood Group (also trying to persuade us to vote no) seemed more interested in getting hold of fracking licences than any taxation issues.
Re: Congratulations you work in IT.
I am sure that anyone that has used a web interface to configure their router is sufficiently "expert" to use the same interface to install a firmware upgrade, if one was provided. I do not expect the average user produce their own.
"I'm not sure that Netis is alone in having this vulnerability."
These stories are a regular feature here. They are not confined to the low cost devices either.
Sorry but you also forgot about EEPROM and Flash Memory. Also the term used was "hard-coded" not "hardwired" -- we are dealing with firmware here, not hardware.
Most motherboards, "intelligent" devices, etc. -- including routers -- use flash memory to store their operating firmware. The system allows the flash memory to be overwritten and rebooted. That's how the firmware is upgraded. Firmware images are generally available for download from the device manufacturer's website.
The recommendation for replacement was "short of a fix". A fix is trivial, and could be implemented in-situ remotely. I would expect revised firmware images to appear at http://netis-systems.com/en/Downloads/ within a few days, but that depends on the priorities of these low-cost (approx £10) devices.
Re: Congratulations you work in IT.
"Expecting people to ..."
I thought that most "consumers" got their routers preconfigured from their ISP, and only "experts" bought their own. I would expect the ISP or other tech support to be able to perform the fix remotely -- this is a remote access vulnerability.
As these routers have upgradeable firmware, it should not be too difficult to download the firmware, change the password, and install the modded image. It would only take a few minutes to write a script to randomize the password, providing the original password was known.
Of course the manufacturer could provide firmware without the backdoor if their customers pressured them.
If this case succeeds, what would be the consequences for organisations using US owned cloud services? If e.g. a housing association decided to move their data to Office 365, could all their tenants claim compensation?
Re: So, what are FOSS e-mail client /server options?
Did a US judge not recently rule that MS locating servers in Europe would not protect them from data-mining by US officials without needing a court warrant? This provides difficulties using US owned cloud services for organizations that want to comply with data protection laws, or just wanting some privacy.
There also seems to be a problem with data availability for Office 365 users. See frequent El Reg reports, including another one today.
Re: Arbeitsbeschaffungsmassnahme fur NEETs
No, this "research" is by a marketing company providing material suitable for a press release aimed at technically illiterate "journalists" to punt to the Stephen Fry type of advertisee.
They were relating the subjects on their awareness of electronic media products. No awareness of what was being sold, or the "payment" being extracted was required.
[Instead of a "Think of the Children" we need an "Exploit the Children" icon.]
Re: I'll bring the popcorn to watch this...
Yes, Linus had better watch out. Facebook will be stealing all that top secret GPL code.
This article appears to have been sourced from unofficial speculation, rather than the openSUSE mailing lists or web site.
Version 13.2 is due for release in November, and milestones are expected from October for pre-release testing. Factory has always been the place for development packages, that often break each others' dependencies. Snapshots of Factory were fairly infrequent, and used as the basis for "milestones". The change is that since the end of May factory-snapshots are being built daily, including DVD and CD images. This allows system testers to work with known builds without waiting for the milestones.
Watch it on STV Player or BBC Iplayer
Re: Put it on Youtube
It was available on STV Player by midnight. And it will be on BBC Parliament (and iPlayer), without adverts, at 7 o'clock this evening.
I thought it was typical boring politicking -- continual repetitive asking the same question that was unanswerable; either because it was designed to be unanswerable or because the answer would be self-incriminating.
Re: Doom for US tech companies
"Then if he/she didn't post as AC he/she would be able to put a "Joke" icon!"
But I thought posting as AC was part of the joke! After all it was a response to Trevor's justified rant against the AC MS shill. The problem with AC posts is that we never know how many or who they are.
Re: Doom for US tech companies
"Oh hey cowardly scumtoad! How ya been? .. "
If you are referring to AC "The many billions ... continue to thrive :-) "
Then I do not think that that was the shill -- just a comedian. I cannot remember the shill/troll using a smiley.
Re: Doom for US tech companies
"The many billions ... continue to thrive :-)"
Predictable, but good nevertheless.
Re: And when Scotland gets independence
The European Convention on Human Rights belongs to the Council of Europe, not the EU. E.G. Russia, Azerbaijan and Monaco are signatories without being members of the EU.
Re: Special Snowflake
"Is there any example of ... "
If they tried there would first have to be an application to the Procurator Fiscal Service and persuade them that Gary McKinnon was resident in Scotland. Then there is the matter of applying legislation retrospectively in Scotland -- he was investigated (and no case found) for this alleged crime by the English police in 2001. Following that it would be referred back to the Home Secretary because:
"As extradition is a reserved matter the Home Office has overall responsibility for the extradition policy of the UK. " -- scotland.gov.uk
" ... why on earth is GM actually drawing attention to this ... "
The Guardian article makes much reference to Gary McKinnon's new SEO business. So I guess this story emanates from a press release whose principal aim is promoting the business, and pushing his web site up the search engine ranks.
(openSUSE 13.1 4GB RAM)
two windows -- 14 + 8 tabs
up 7 days 3hours
780 MiB used
one window 5 tabs
up 5 minutes
one window 5 tabs
up 5 minutes
Ghostery and AdBlock(Plus) all round. Firebug and Zotero for FF.
"fair dealing" -- @veti
w.r.t the putative DVD.
So if a sleeve note was added -- "This DVD is OK, but not worth paying for." -- does that make it a criticism/review, and therefore fair use?
Re: Quick way to check for infection -- @Stoneshop
Thanks for the correction.
print("I must wake up before posting. I must not post rubbish!\n" * 100)
Re: Quick way to check for infection
A traditional *nix server will have the locate utility. So:
:~> locate humans.txt
What century are these guys in?
"In the *nix world, autoupdate technologies aren't widely used,"
Maybe 30 years ago ( BSD, tapes, and 64kb Internet access), or even Linux 20 years ago. However a quick look at some old Linux admin manuals shows that by 2001 SuSE shipped with on-line-update as standard. The defaults were to run weekly and apply security patches. I cannot believe that most other *nix systems did not have their equivalents.
In that time the only update-related problems that I can recall were a Postfix configuration backed up and replaced with an updated default (spotted and fixed within the hour), and a few occasions where users had "cut and pasted" dodgy PHP that stopped working after an update.
It's really not hard to keep a Linux server tolerably secure. With any decent distribution that is the default, and it does not have a significant cost. You have to decide to do something (stupid) to introduce a meaningful insecurity.
I do not know much about the US system, but. I thought that patents were supposed to be written such that any competent practitioner could reproduce the invention. If patents were written clearly, without legalese obfuscation, then it would be harder to get a patent on general principles rather than genuine inventions, and any legal proceedings could be simpler, shorter, and less of a lawyers' gravy-train.
Why don't the patent examiners just throw patents back to be redrafted if they are unintelligible to any competent engineer? And if the patent offices grant rubbish patents (because they have been privatised, and are paid to grant patents with examination as a cost to be avoided), then judges should apply the tests for a patent's competence before allowing any related action to proceed further.
WinXP does/did. You had to enable "Remote Access/support" from the menu, and do the equivalent of adding the user to the "remote login" group. Has it been dropped? I don't have any MS products, and it's been a while since I needed to access one.
Re: What's new?
What's wrong with "rdesktop", with or without a GUI?
Re: Wow, if only there was a way to find out the answers to above questions
> Type ...
or alternatively you could have saved that brain cell a little, and just clicked on the link in the article. The word "here" in the fourth paragraph links to that very same page.
Re: lack of word-processing/office skills
You have to read the original linked article in the Independent. Apparently the BBC has a form to request permission for undercover reporting. It seems that the Panorama team needed this for their Tower Hamlets story. Instead of creating a new document using an "undercover-application.template", the "MRF-undercover-application.document" was copied from the MRF folder to the TowerHamlets folder, modified and saved as "TowerHamlets-undercover-application.document". A junior member of the Panorama team copied the TowerHamlets folder (containing the "MRF-undercover-application.document") to a USB stick and gave it to the Mayor of Tower Hamlets.
So apart from displaying poor security and Data Protection capability, there is also a lack of competency in using basic office software.
lack of word-processing/office skills
All the money that has been wasted on teaching "ICT" in this country and it is still the norm to copy and modify documents rather than use templates, style sheets, etc. The use of a template for the application form would have meant that there was minimal chance of needlessly copying unnecessary data.
If this is available to the "goodies"
then it is almost definitely available to the baddies. If the local cops have access to the average citizen's mobile communications, I would be surprised if Big Crime was not monitoring state prosecutors, investigators, and other criminal organizations. Or is there already a defence against RCS, and its real use is to spy on the average citizen and politician?
Re: Prosecute the cops
"the fullest extent possible"
The devil is in the detail.
Could this be a case for a new breed of secret courts? Instead of keeping the accused and defence out, only the defence would have access to the evidence, charges, etc. The prosecution would be denied access in the interests of national security, efficiency, respecting the needs of the establishment, etc.
Re: I'm more impressed...
Without a "telephone dial" how do you expect the data-entry operators to get their work done?
Fry is a Comedian
That's his job. Pontificating ad absurdum in order to create a snigger is what he does. We should expect no more and no less.
The horse-carriage or dray is biologically governed to a maximum speed of about 20 km/hour. Would the auto-automobile be similarly restricted?
I suppose the annual vehicle test could be extended to include a "driving test" on a rolling road with simulated traffic, pedestrians, weather, etc. Would these vehicles be rated and restricted to classifications of road conditions (snow, ice, fog, motorway, etc.), load and speed? Presumably instead of a driving licence, some sort of an operator's licence would be required.
Politicians as amateur educationalists
often aren't very successful meddlers.
Giving everyone a general understanding of what programming is, and how stuff works is a good thing. Much like expecting everyone to leave school capable of basic communication in two or three native languages would be desirable. But imagining that everyone could/should be competent beyond reading and writing simple scripts is as fanciful as expecting everyone to be able to produce good literature and poetry in several natural languages, or to be a competent surgeon.
Adam Smith had the right idea; we specialize in what we are good at. That way we get to be efficient/economical, and by swapping/trading the fruits of our labours life is easier for us all.
Re: List of software affected would be useful
This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.
This is GPL, so (unlike the Apache licensed openSSL TLS) it cannot be hidden inside a closed-source package. You would have to be using a Free browser, mail client etc. that uses libgnutls to be vulnerable. Your system's package manager tools should be able to tell you if the GNU tls library is loaded, what version, and what other software depends on it.
We manage a fleet of openSuSE servers and desktops. None of the servers has this library. Many of the desktops (openSuSE/KDE) do have libgnutls as a dependency of an ffmpeg decoder package (from the third party Packman repositories), but I cannot determine whether the certificate verification function is ever called.
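As an added example (not code from the original post), one way to go beyond the package manager's dependency listing and find which running processes actually have libgnutls mapped: read /proc/<pid>/maps on Linux and pick out the shared-object names, whose file suffix usually carries the installed library version. The sample maps text below is constructed, not captured from a real host.

```python
"""List running processes that have a GnuTLS shared object mapped (Linux /proc).
Hypothetical example code; SAMPLE_MAPS is constructed test data."""
import os
import re

# Matches the pathname column of a maps line, e.g. /usr/lib64/libgnutls.so.28.21.1
SONAME_RE = re.compile(r"/(lib[^/\s]*?\.so(?:\.[0-9]+)*)$")


def parse_maps(text, lib_prefix):
    """Return the set of shared-object file names in one maps dump whose
    name starts with lib_prefix (e.g. 'libgnutls')."""
    found = set()
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping: no backing file
        m = SONAME_RE.search(fields[5].strip())
        if m and m.group(1).startswith(lib_prefix):
            found.add(m.group(1))
    return found


def lib_users(maps_by_pid, lib_prefix="libgnutls"):
    """maps_by_pid: {pid: maps text}. Returns {pid: sorted sonames} for
    every process that has the library mapped."""
    users = {}
    for pid, text in maps_by_pid.items():
        sos = parse_maps(text, lib_prefix)
        if sos:
            users[pid] = sorted(sos)
    return users


def scan_proc(lib_prefix="libgnutls"):
    """Walk the live /proc; maps files we may not read (other users'
    processes, unless run as root) are skipped rather than fatal."""
    maps = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/maps") as fh:
                maps[pid] = fh.read()
        except OSError:
            continue
    return lib_users(maps, lib_prefix)


# Constructed sample: pid 1234 has libgnutls mapped, pid 1300 only libc.
SAMPLE_MAPS = {
    "1234": "7f3a2c000000-7f3a2c1a3000 r-xp 00000000 08:02 262201  /usr/lib64/libgnutls.so.28.21.1\n"
            "7f3a2c1a3000-7f3a2c3a3000 ---p 001a3000 08:02 262201  /usr/lib64/libgnutls.so.28.21.1\n"
            "7f3a2d000000-7f3a2d021000 rw-p 00000000 00:00 0\n",
    "1300": "7f00a0000000-7f00a0180000 r-xp 00000000 08:02 262100  /lib64/libc-2.18.so\n"
            "7ffd3e8f0000-7ffd3e911000 rw-p 00000000 00:00 0  [stack]\n",
}

if __name__ == "__main__":
    for pid, sos in sorted(scan_proc().items(), key=lambda kv: int(kv[0])):
        print(pid, " ".join(sos))
```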
making the same mistakes
All programmers make these (i.e. programming) mistakes, irrespective of who they are working for. The difference is that Free software producers publish their code for inspection and correction. The proprietary software producers keep their mistakes hidden, and reserve the capability of correcting them; mostly the fixes only follow exploitation.
So if I was looking for 25 items, or concerned about future availability, I would probably order from your competitor who was showing 300 available for immediate despatch. I would probably be prepared to pay a small premium for the convenience of a single order.
Re: I used Chromium rather than Chrome
@Lost all faith
I think you meant SRware Iron. I just now installed from the rpm, copied ~/.config/google-chrome to ~/.config/chromium and everything worked, extensions and all settings. It's brilliant thanks for the heads up.
A partnership with Adobe
to implement one company's proprietary DRM is what is being objected to. There is not a call to ban Adobe from producing a plug-in/extension.
There are Adobe and Gnash swf plug-ins for Firefox, that do not require Mozilla to partner with Adobe. Why should this be different?
Re: I can see where the FSF is coming from
"Mozilla are going about resolving a difficult situation as best they can."
The problem I see is the level of collaboration with the not-to-be-trusted Adobe. Mozilla will be accepting some of the responsibility for implementing an intrinsically broken DRM schema. Hopefully the FSF and others will help sway Mozilla away from too close a relationship with the proprietary battalions. I also fear that this alliance strengthens the pro-DRM position within W3C etc.
I would be happier if Mozilla stopped at creating a good sandbox. Preferably this would be a container for all non-OSS extensions/plug-ins.
Those that want to use their system for entertainment, rather than work-only, could add the Adobe and other malware from a non-OSS repository, or download from untrustworthy sources. That would remove the implication of endorsement, and indicate "at your own risk", similar to the present situation with Adobe Flash and Reader.
Re: The proper way to handle DRM
" ... and Chrome had noscript/flashblock ..."
There is AdBlock, Ghostery, and NotScripts for Chrome. And it is not difficult to remove Google, Bing, Yahoo etc. from the search engines, and replace them with DuckDuckGo, StartPage/Ixquick, what-have-you. Of course that still leaves the big problem of closed source -- how far can you trust Google?
Re: Good on him...
" rubrics cube solvers"
I think those would be better tackled by Deep Thought (HGTTG) than the humble Beeb Micro.
register of interests?
It would be really useful if authors of this sort of article made the effort to include any possible conflicts of interest among the proponents.
Re: "pseudonymised data"
> Like "annonymised" but not really.
No, like not at all anonymised, but we hope you will mistake it for anonymised. I.e. please don't look too closely.
Re: Please share my medical details, far and wide.
> So for me, If I'm mangled in an accident
This has absolutely nothing to do with accessing your medical records for medical purposes. Almost everyone is OK with that. This is about giving your personal data to commercial organizations so that they can use it to sell you stuff, or refuse you health/life insurance, etc.
apples - oranges ?
Are you comparing the cost of licences to use Microsoft software with the price of Red Hat support? Or have you factored in the cost of equivalent technical incident responses?
The real weak link
with e-mail is the refusal of major commercial smtp players to strictly implement the RFCs and best practice. If everyone configured their DNS records (A and PTR), HELO responses, etc. correctly and rejected rather than bouncing (to fraudulent From:/Reply to:), then it would be trivial to block botnets without getting grief for rejecting messages from Messagelabs/Symantec, Gmail/Postini, Microsoft/Hotmail, Schlund/1&1, and all those numpties that place a default/LAN configured MS Exchange server on the Internet.
The reason for the connivance of major players is probably that there is money to be made in spam filters.
And just what rôle does the BIOS code have once the boot loader is running?
PGP/GPG encrypted mail
The problem with this is that it takes two to tango. Unless you can persuade your correspondent to send (a link to) their public key and provide a fingerprint, it doesn't work.
My experience over the last 15 years has been that other parties (including RBS and Pinsent Masons) absolutely insist on sending sensitive documents via unencrypted email. Most senior managers just laugh at requests to enable secure mail because "if it mattered why doesn't anyone else do it?"