396 posts • joined 1 Aug 2008
Re: Not the programmers fault!!
> Too many companies roll out software without dry runs and offline testing.
Could this be related to the CIO's recent departure?
Re: I am paying for OpenSSL, via my Red Hat subscription
And your Red Hat Enterprise Linux is not affected by this vulnerability.
If by Novell you meant Attachmate/SUSE, well the SLES and SLED distributions are also unaffected. Unless you have a Motorola phone, you have not paid Google for phone software. Your complaint should be directed to your phone supplier.
With FOSS you have the choice. Accept it for no charge "as is" and take responsibility for yourself, or purchase support/management and expect your supplier to act responsibly.
Re: Information requested
It's so cheap with the hourly rate that you just sign up and try it -- if you make a mistake you have only lost pennies, and can destroy your instance and start again. It is quite clear how you spin up and get an initial login. After that it depends on the image/distribution that you select.
I recently started using DigitalOcean. I couldn't discover which distributions were available until after signing up (Ubuntu, Fedora, CentOS and Arch). Then you use the selected distro's own wiki and forums etc. for help and documentation. I normally administer openSuSE, and chose a minimal Arch. It took less than two hours to add a user, configure sshd, perform a system update, and add/delete packages and personal scripts to suit, then have a nameserver in production.
I did not find the DigitalOcean community forums very useful, although the company documentation was clear and helpful. To try something out it is quick and cheap to fire up a new temporary machine to experiment with - that is what I did to find out how to update the kernel, and fine tune the network configuration for a faster start-up to remote login time. I had never used Arch Linux, with its unique package management and configuration tools, before.
Re: Ego wins out over common sense.
I worry about the future of VirtualBox.
Re: my 2 cents
"the kernel needs to protect itself from this kind of idiocy"
As has been explained elsewhere in these comments, there is no problem with the kernel. It worked just fine. It was systemd (before it eventually fixed this bug) that got itself into an infinite loop and failed to complete the system startup. Spewing out endless garbage to the kernel log was more of a symptom than the cause of the failure.
We used to use the Unix sysv init. This (sort of) loads a shell, mounts the root filesystem then uses a bunch of scripts to start the initial processes in the right order. The idea of systemd is that once it is running, you can just start and stop processes at will. Systemd is supposed to sort out process dependencies -- e.g. making sure that the network is up before starting ntpd or sshd. The strong promotion of systemd by Red Hat employees has meant that important/vital sub-systems, such as udev, have been rewritten to accommodate systemd. This has made it increasingly more onerous for distributions not to switch from init to systemd. Either systemd will mature, and get developer tools and a workflow, such that it can be maintained without screwing other projects, or it will cause so much pain that it has to be replaced. In any case I hope something structurally less arcane can be introduced that fulfils the auto process dependency advantage of systemd.
Re: where I can get a manual for English.
The usual reference for British English is Fowler's -- Dictionary of Modern English Usage.
I believe that in the US they prefer The Chicago Style Guide.
You miss the point. Linus, and the other kernel developers, were not railing against a colleague or employee. They were expressing displeasure at a supplier (systemd) for repeatedly delivering a shoddy product that impacted on their work, and for largely disregarding customer (kernel developers and distribution admins) feedback.
Re: Yadda yadda yadda
Yes systemd is a sysadmin nightmare. I have also struggled with adding graphics to a working minimal system. Systemd has been the only thing to frustrate upgrading from the long-term openSuSE-11.4 without having someone on-site to force a reboot.
I understand the attractions of the systemd approach to boot-time and daemon management, but the implementation has been a bit amateur. The megalomaniac tendency to ensnare everything it touches just does not sit well with the 'nix philosophy.
Re: A tad fishy...
Try a search for "optimaxruinedmylife" or (at least with DDG) even "optimaxruinedmylife.co.uk" and see what happens.
Re: Trying to change the business...
"a better way to change how the business is regulated be to keep the sites up"
optimaxruinedmylife.co.uk now belongs to optimax, but optimaxruinedmylife.com is up and spreading the word with an anonymous registrant.
Re: In the UK Credit reference agencies have special privileges
Once they have your data they have it. Their business is acquiring, cross-referencing and selling personal data. For their purposes it does not have to be accurate, only good enough to sell; much like Google and the other data marketing companies.
They are also in the bulk and junk email business that is used by a significant number of UK retailers. If you are a customer of one of their customers they have that data as well. Plus anything they can glean from DVLA, insurance companies, etc. And as a US company they don't have to worry too much about data protection legislation.
If they are making money out of our data, we should have free access, and the ability to correct and annotate it. We should also be informed of each occasion our information is accessed/transferred to a third party. That would cut down on fraud and misuse.
Re: Single or multiple domains?
Thank you. The Nominet fees page that I referenced appears to be wrong/misleading. I will inform the Nominet office on Monday.
I really should have opened an account as a normal registrant, so that I was familiar with our customers' view of the web interface.
Thanks again for taking the time to correct my misunderstanding.
Re: Single or multiple domains?
You can read all this stuff at http://www.nominet.org.uk/become-registrar/fees
If you ask Nominet to do it for you it's £10+VAT per domain. But you can do it yourself, or more simply leave it to your new registrar. I do not know of any registrar who charges for transfers in. Choose your registrar depending on what other services (if any) you need. Domain registration is often provided as a loss leader to sell other services. My company does not bill separately for domain registration and name servers, but bundles it in with our support and management services.
For what I thought was a predominantly UK based site for IT professionals, there seems to be a lot of ignorance of the .uk registry displayed by the author and commenters.
"Internet Provider Security (IPS) tag" is a nonsense-term wrt Nominet and the .uk registry. This usage is an invention of Webfusion Ltd/123-reg.
Nominet members that are authorised to add, renew, and delete domains from the registry are called "registrars". Registrars used to be called "tag-holders". The tag (normally the abbreviated name of the registrar) is the registrar's id used in the registry databases. The domain is registered for a "registrant", who must supply an email address, and identifying information.
All registrants should be notified as to how they can use Nominet's web interface to update the registry information, including the tag(s) (if any) they wish to be associated with their domain(s). They can also ask any registrar to take them on as customers and change the tag for them. The system notifies the registrant, and both losing and gaining registrars, of the change. This need not cost anything (although you have to pay Nominet or the new registrar the upcoming registration fee). Nominet's rules do not allow a registrar to hold a registration hostage for any reason. Of course this only works if the correct registrant information is held by Nominet.
Webfusion Ltd t/a 123-reg appear to be charging to change the outgoing tag, presumably because this is a nuisance for them, and is usually done by the new registrar as part of their service along with name servers etc.
Until a few days ago (and still in most cases) a domain transfer to a new registrant (not registrar) was done by Nominet staff, and required a written application, with evidence of identity and acceptance of liability in case of a challenged transfer. This used to cost £26. Now a registrar can be "accredited" (they need a suitable level of indemnity insurance) to transfer domains between registrants. They will normally charge for this service. If you check out nominet.org.uk, you can see that Webfusion Ltd (123-reg) are accredited.
So the message is -- Don't Panic! -- this was a bit of a non-story.
Black = USB 1
White = USB 2
Blue = USB 3
So if white is important, buy USB 2 cables
"These performance enhancements are reached at scale when looking at 40 or 50 or 60 cores being used," Ulin explained. "On the low core counts you don't see it."
So for 99.9% of users this performance boost is irrelevant, and they should stick with MariaDB.
Re: Read the T&Cs of the web site
"... standard agreements that have been approved by trading standards ..."
And how would you classify the standard "social media" Ts&Cs -- "All rights are transferred to us, and we can change these conditions at any time so as to benefit us, oh and you have agreed just by reading this." The only appropriate classification would be "Here be Dragons -- run for your lives!"
Returning a laptop to PC World ruined this bloke's credit score. Today the Supreme Court ended his 15-year nightmare
Re: A bit missing from this article that sheds a different light..
Not just a bit missing, but a bit of a misrepresentation.
The background to this can be read in the Court of Session report, which is a bit turgid, but quite readable.
[Edit:] the Supreme Court PDF linked to in the article reproduces much of the information in the above Court of Session opinion.
Basically: In December 1998 Richard Durkin tried to buy a laptop from PC World in Aberdeen. The salesman (because of DSG's bizarre rules) was not able to open the box to check the specification, and suggested that once purchased it could be returned if incorrect. Unfortunately, instead of immediately unpacking it in the store, the buyer took it home, discovered that it did not match the item requested, and returned it the following day. After a dickhead PC World "manager" initially refused to accept the returned item, they eventually accepted the matter as a non-sale and returned his deposit. HFC, the hire-purchase providers, had claimed that he should still pay them for the returned item, but as their agent (PC World) had voided the sale the matter seemed settled. However when he later tried to obtain a bank loan, and a mortgage, these were blocked due to a bad credit reference from HFC. He did all the right things, appealing to PC World, HFC, Equifax, and Experian, but was unable to get the bad mark removed.
He sued HFC etc. in Aberdeen Sheriff Court and won in 2006. He claimed actual losses of £250,000, but was awarded a total of £116,674.
However Mr Durkin disagreed with the method used to calculate the damages, and appealed to the Court of Session in Edinburgh in 2010. HFC took this opportunity to counter-appeal, trying to argue that his hire-purchase contract with them was separate from the rescinded sale contract with PC World, and that the Sheriff had been wrong in law. Alas Mr Durkin's side made a few mistakes when responding to HFC's counter-claim, e.g. omitting evidential documents from the appendices. As a result of that legal cock-up HFC prevailed, Mr Durkin was liable for the escalating costs, and lost his £116,674 award from the Sheriff Court.
The Court of Session findings have now been appealed in the Supreme Court in London. The original Sheriff's opinion that the loan agreement was dependent on the sale, and should have been rescinded along with the sale contract, has now become a precedent with standing throughout the UK. For legal-technical reasons Mr Durkin's damages have been set at £8000. Some lawyers have no doubt stuffed their pockets with considerably more.
executable document formats
lower spam/malware bandwidth. No need for attachments with names like "Very Important Document.doc.exe" -- saves three bytes.
Re: Money well spent
Reminds me of the fashion for "re-branding" airlines, with all the wasted millions on logos and paint-jobs. Oh! and BT spending more on van resprays, and stationery than engineering.
If you want to load untrusted software
on any computing device, there is always the potential for problems. Obviously instead of the proliferation of adware, etc. the Android ecosystem needs to grow up; with repositories either run by entities that can be held legally liable for their wares, or opensource with active community oversight and trusted signatures.
" If the attacker were to create malware that auto-started on power-up, the user's only option would be to completely wipe the device via a boot loader recovery."
Isn't it possible to boot with a known good image, then mount the bad partition and fix it? This is pretty normal when the boot system gets screwed, or to repair a damaged filesystem, etc. Or the bad filesystem/SD card could be removed and mounted on a PC, where the offending configuration can be edited -- that's what I do when playing with my tablets.
This is not a cPanel exploit per se. Cpanel.net was one of the infected sites. The attack vector is described as loading a compromised binary, or allowing root access to your server.
Re: Unix servers?
"I thought the mantra was: 'Gnu's Not Unix'.....??"
Here "Unix" is a shorthand for Unix, Gnu/Linux, BSDs, OSX, and even some MS Windows servers.
You really have to read the stuff at http://www.welivesecurity.com -- the article here is unclear to the point of being downright misleading. More like a techie Daily Mail/Sun article than what we expect from El Reg.
Re: The devil's in the detail
"I may live to eat my words, but: ..."
probably because this attack is reported as potentially affecting many OSs; e.g. BSD Unices, Gnu/Linux, OSX, and MS Windows.
The technical report at http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ is really interesting and useful.
The quick check for infection is given as a one-liner:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
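The one-liner above depends on a clean OpenSSH rejecting an option it does not know; the following is an added example (not from the post, nor from ESET's report) that wraps the same heuristic in functions so the decision logic can be exercised on captured strings. It also carries the caveat a practitioner wants, assumed here from OpenSSH's release history rather than from the page: OpenSSH 6.8 and later accept -G as a legitimate option (print the resolved client configuration), so on those builds the test always says "infected" and is inconclusive. The function names, the version-string parsing and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example, not ESET's or the poster's code. Re-implements the "ssh -G"
# Ebury heuristic: a clean pre-6.8 OpenSSH rejects -G with an
# "illegal option"/"unknown option" message; an Ebury-patched ssh does not.
# Assumption (OpenSSH release history, not stated on the page): from 6.8 on,
# -G is a real option, so the heuristic is inconclusive there.

# classify_ssh_g_output OUTPUT
#   Prints "clean" when OUTPUT contains the option-rejection text that a
#   genuine old ssh emits, "infected" otherwise.
classify_ssh_g_output() {
    case "$1" in
        *illegal*|*unknown*) printf 'clean\n' ;;
        *)                   printf 'infected\n' ;;
    esac
}

# openssh_accepts_dash_g VERSION_STRING
#   Parses the leading "OpenSSH_X.Y..." token of "ssh -V" output and returns 0
#   when X.Y >= 6.8 (so -G is legitimate), 1 for older builds or unparsable input.
openssh_accepts_dash_g() {
    major_minor=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$major_minor" ] || return 1
    # word-split "X Y" into $1 (major) and $2 (minor); intentionally unquoted
    set -- $major_minor
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# ebury_check
#   Runs the heuristic against the local ssh client.
#   Exit 0 = clean, 1 = infected, 2 = inconclusive (no ssh, or -G is legitimate).
ebury_check() {
    if ! command -v ssh >/dev/null 2>&1; then
        printf 'inconclusive: no ssh client on PATH\n'
        return 2
    fi
    if openssh_accepts_dash_g "$(ssh -V 2>&1)"; then
        printf 'inconclusive: this OpenSSH accepts -G legitimately; use another check\n'
        return 2
    fi
    verdict=$(classify_ssh_g_output "$(ssh -G 2>&1)")
    printf 'System %s\n' "$verdict"
    [ "$verdict" = clean ]
}

# Usage on a suspect host (no root needed; the check only runs the client):
#   ebury_check
```

Because an Ebury-trojaned sshd also steals credentials, treat an "infected" verdict as grounds to rebuild the host from known-good media and rotate every key and password that ever touched it, rather than as something to repair in place.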
Re: If you go back to an old 2G phone
I recently replaced the battery on my Motorola L7, which cost £30 unlocked, a few years ago. The new battery lasts me 10-15 days, depending on talk time, signal strength etc.
why not mark the actual edit
Instead of burying the disclosure in the edit(or)'s metadata, why not have a footnote to the actual entry? The footnote could disclose the editor's funding organization.
Re: "Merely...make money"
Websites that don't want people to use ad blockers should serve the ads from their own web-site and leave out all the third party spyware.
"... maybe we all should do our part in keeping them gainfully employed ..."
That's only appealing if we're not the ones paying their wages.
Re: It's not DOCX we're worried about
"Office Online is completely free, but without the Google Spyware.... "
And who in their right mind would trust Microsoft to look after their sensitive or mission critical data?
Re: Kettle, met pot, pot meet kettle @AC
" ... and had a unit market share of 75.2% ... "
As this came from a financial report it could well have a basis in truth. The market in question would be measured in terms of sales. The figures would be somewhat different if they were in respect of deployments.
Re: It's not DOCX we're worried about
"......Google Apps ..."
We should also warn charities about the risks of giving up their (and their clients') data to a data mining/selling company in a jurisdiction where European style data protection laws do not exist. Any organization that is responsible for storing and/or processing sensitive data should be wary of third party cloud "solutions".
"HTML is a lot more secure than PDF"
I think that you are confusing the ISO standard for PDF with Adobe's proprietary software, and its extensions to the standard. Just as there are many W3C standards compliant browsers for HTML, there are several PDF generators and viewers written to the ISO standard.
It would be difficult for any other company or project to even remotely approach the level and consistency of security vulnerability that has been historically achieved by Adobe and Microsoft.
"... and digital printers from home to industrial becoming able to accept any file type"
Most printers do not accept any file type. The lingua franca of printers since the early eighties (as far as I can recall) has been PostScript and its successor PDF.
Re: Not this Microsoft garbage, again?!
" is specific only to the UK Cabinet Office"
No this applies to all UK government offices.
"whatever format the Cabinet Office decides to use as their particular standard, they'll be dealing with documents in the other standard as well"
There is plenty of software that can produce ISO standard ODF documents. Do you know of any available software that can produce ISO standard OOXML documents? Last I heard Microsoft had not managed it.
How can OOXML be considered open when there is no published description comprehensive enough to permit an implementation?
Re: It's not DOCX we're worried about
"with BSI ensuring it meets requirements through their involvement in developing and influencing the Standard"
That would be the same BSI that acted on behalf of Microsoft to push the undefined MS-OOXML through the OSI?
Re: Kettle, met pot, pot meet kettle
" the practical demise of KDE and Koffice"
KDE4 is alive and kicking (KDE-4.12.2 is the current version). KOffice was succeeded by the Calligra suite 3-4 years ago.
Abiword etc. support ODF in the Gnome environment. And besides LibreOffice and OpenOffice there are others for Free, Open, and proprietary environments.
Of course it will always be possible to create documents loaded with macros, etc. that will need a specific environment to work optimally, but for the most part ODF allows the essential transfer of information between collaborating users. For finished work the Cabinet Office specified the use of PDF.
The most important thing is that government offices should not mandate the purchase/use of any particular manufacturer's software by citizens or businesses. This is what MS is trying to achieve by vigorously promoting its own closed document formats. Our government should be acting on our behalf, not promoting the profits of a foreign corporation and its associates.
The real data transport savings are to be made with broadcast and on-demand entertainment media streaming. Most publishers of these use content delivery/distribution networks, who place their nodes with the ISPs. So, apart from providing data scraping opportunities on sensitive data, how does this proposal help anyone?
You don't need a FB account,
you just need to have given your name, phone no., address, etc to someone who does allow social network hucksters access to their contacts/address book, and your data has been slurped for resale.
Re: Looks like
But does deleting her account remove the data she has already given to them from their servers?
Why should paper publishers be given the rights to digital publication of publicly (including charity) funded research in the first place?
And does this apply to Elsevier et al, who extract a significant slice out of research budgets?
"There is a clear need for government to have access to a format which allows them to say that this is the final, official version of this document."
A digital signature is the appropriate means for determining authenticity.
> You need Adobe for some of HMRC's PDF forms.
Yes, and HMRC will fine companies until they succumb and buy a MS Win machine or licence so as to be able to run their specified version of Adobe Reader. However the article states that PDF is to be for non-editable documents. Hopefully non-editable will include forms, and HMRC will abandon their traditional intransigence and comply with the guidelines. Even better if the guidelines are made mandatory.
Re: Offline for roughly 10 minutes, only?
... some major banks <del>will</del>should soon be ...
But somehow I don't think so.
> It's considered a flow rate of one coulomb per second
(I am not sure if you are joking, senile, or did not take science at school.)
It could be if a coulomb could be measured reliably. Actually the coulomb is an SI derived unit (ampere second).
Seems not to have been VBulletin
From the current forum header:
NOTICE: A vulnerability in the forum SEO plugin we have been using has been found making it necessary to discontinue its use. Existing links in Google, Yahoo, Bing, etc. as well as any existing bookmarks may have problems. The search engines will get our sitemap and it shouldn't take long for them to deprecate the old URLs and start replacing them with new. We apologize for the inconvenience.
I hope that they never re-instate the SEO plug-in. It mangled/obfuscated many URL links in order to "spy" on users, and prevent some of us behind corporate firewalls from following the linked pages.
Re: It looks like NO ONE ever audited X Windows
> Did you follow the links in the article ? Sadly it is that old ....
Yes, and I addressed this in another thread. My recollection of the change from XFree to X.org is that there was supposed to be a re-write. Certainly the X.Org libXfont did not exist before this millennium, and is dated as eight years old by Freedesktop.org.
Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.
And an (inelegant) OpenBSD workaround/patch promptly published.
I suspect (but have no evidence) that the present story is the result of a rediscovery of this flaw, and the subsequent release of a Ubuntu security update. And that the offending libXfont code was blindly copied from the earlier work.
Re: Well one of my distributions had the fix in yesterday
and OpenBSD had a patch in April 2007!