* Posts by vagabondo

466 posts • joined 1 Aug 2008

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

vagabondo
Bronze badge

Re: Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

"you really don't want to get notified every time one of packages that's installed "

That's not the point. We keep all of our critical systems on stable, long-term tested software versions, except we apply security patches automatically within 24 hours of their release. These are normally backports, and do not push our software to the latest packages. This is a standard feature of serious distributions and is trivial to implement. The risk of a security patch taking a system down is trivial compared to the potential consequences of leaving a known vulnerability open.

0
0
vagabondo
Bronze badge

@AC re: MS consultants

" Microsoft consultancies are having a very busy week "

Do you know any Microsoft consultants that offer a credible no-bugs guarantee? Or even an SLA that specifies security patches within 5 days of discovery?

6
0

Bash bug: Shellshocked yet? You will be ... when this goes WORM

vagabondo
Bronze badge

Re: Oh $!#t.

"So we all OSX users are screwed?"

Depends. A security patch may have been applied without upgrading the bash version. I do not use OSX, so do not know how their security patch policy works.

On my systems (openSUSE):

$ env x='() { :;}; echo "vulnerable"' bash -c 'echo "hello"'
vulnerable
hello

-- sorry about the extra line-feeds added by El Reg.

and

$ env x='() { :;}; echo "vulnerable"' bash -c 'echo "hello"'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

6
0
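Scripting that check, as an added example that is not from the post or from openSUSE: it classifies each bash binary by behaviour rather than by version string, since (as the post says) a backported fix does not bump the version. The candidate paths at the end are assumed for illustration.

```shell
#!/bin/sh
# Added example, not part of the forum post: run the Shellshock test shown
# above against one or more bash binaries and classify each by behaviour.
# Assumes only POSIX sh; the candidate paths at the bottom are constructed.

# Print "vulnerable", "patched" or "no-bash" for the given bash binary.
# A vulnerable bash executes the code after the function body while
# importing the exported variable; a patched one refuses the import with
# a warning ("ignoring function definition attempt") and runs nothing.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The marker never appears in bash's own warning text, so a match in
    # the captured stdout+stderr means the trailing command really ran.
    out=$(env x='() { :;}; echo "SHELLSHOCK_MARKER"' "$bash_bin" -c 'true' 2>&1)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *) echo "patched" ;;
    esac
}

# The version string is reported for the record only: distributions
# backport the fix without changing it, so it is not evidence either way.
bash_version_string() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "none"; return 0; }
    "$bash_bin" -c 'printf "%s\n" "$BASH_VERSION"'
}

# Check every candidate path: a locally built bash under /usr/local is easy
# to forget once the distribution package has been patched.
# Output: one line per path, "<path> <status> <version>".
shellshock_scan() {
    for p in "$@"; do
        printf '%s %s %s\n' "$p" "$(shellshock_status "$p")" "$(bash_version_string "$p")"
    done
}

# Stand-alone run over the usual locations (constructed list).
shellshock_scan /bin/bash /usr/bin/bash /usr/local/bin/bash
```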

Troll hunter Rackspace turns Rotatable's bizarro patent to stone

vagabondo
Bronze badge
Meh

Re: Class Action?

But not as good as the supposed public regulators (i.e. the patent offices) doing their job by actively investigating patent applications, and rejecting any that do not demonstrate non-obvious novelty or supply sufficient detail to enable reproduction (including any that they do not understand).

Perhaps if the patent offices cannot/will not employ examiners who are "experts in the field", they should insist that applications are written in comprehensible, plain language and published for a consultation period, classified according to the trade and sector affected. This would make it easier for trade magazines to draw them to the attention of those affected and their experts. The ability to be understood by the average "specialist journalist" would be a good test for comprehensibility (I am thinking of the "technology" reporters of the BBC, Guardian, Daily Mail, etc. being expected to understand the patent sufficiently to be able to reproduce the invention).

2
0

Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM

vagabondo
Bronze badge

Re: wtf

"It's also known as a Lorne sausage and it's crap."

If you buy it from places like Iceland, I expect it is crap. But some butchers that make their own get it right. A butcher in Dunoon used to have a really good square sausage reputation -- it had to be ordered in advance (1960s).

1
1
vagabondo
Bronze badge

Re: What are your predictions?

I predict widespread hangovers over Friday and Saturday due to an excess of both celebration and disconsolation. The distillers will do well. I bought some pies this afternoon and already had a couple of bottles (Jura and Talisker) ben.

slàinte!

1
0
vagabondo
Bronze badge

Re: No law against asking someone a question is there?

I am pretty sure that you can publish the exit poll results after the official poll closes. The restrictions only apply while the polling stations are open.

1
0

Italy's High Court orders HP to refund punter for putting Windows on PC

vagabondo
Bronze badge
Childcatcher

Re: I think the real issue here was the EULA thing

"Windows but it was not clear that some additional agreement must be made to use it"

Perhaps every time there is a retail sale that includes an EULA, the seller should be obliged to explain in simple language the full extent of the restrictions, and inform the customer that alternatives are available.

0
0

Scottish independence: Will it really TEAR the HEART from IT firms?

vagabondo
Bronze badge
Headmaster

Re: What's in a name?

No, "The Kingdom of Great Britain" was created with union of the Kingdoms of England (what is now England and Wales) with Scotland in 1707

Sorry but the kingdoms were united when James VI flitted south and took on the James I of England and Ireland job as well in 1603. I think that James styled himself King of the United Kingdom -- it might be used in the front of a "King James Bible" -- he certainly had the naval "Union Jack". 1707 was the union of the parliaments.

0
0

Warrantless phone snooping HAPPENS ALL THE TIME in Blighty

vagabondo
Bronze badge
Mushroom

manifest promises

In a real monetarist/neo-liberal political system a government ignoring its manifesto would be a breach of contract. That would mean that the deal that put them in power was void and be grounds for elections in all the constituencies represented by the defaulting party. Any person or organisation that has lost out because of a failure in their reasonable expectation of an electoral pledge not being honoured should be able to sue the offending party for damages.

3
0

'Stop dissing Google or quit': OK, I quit, says Code Club co-founder

vagabondo
Bronze badge

Re: Cash vs Principles

Those are very good points. But. Google is big business. Big business does not pay tax, so the effect of tax-offsetting is moot.

The CEO of the Weir Group said on Radio Scotland that a possible reduction in corporation tax post a yes vote would be of no interest, as only 5% of corporations paid basic taxes. He was more interested in the benefits that come from Westminster. He, along with the head of the Wood Group (also trying to persuade us to vote no) seemed more interested in getting hold of fracking licences than any taxation issues.

1
0

Securobods warn of wide open backdoor in Netis/Netcore routers

vagabondo
Bronze badge

Re: Congratulations you work in IT.

@Hargrove

I am sure that anyone that has used a web interface to configure their router is sufficiently "expert" to use the same interface to install a firmware upgrade, if one was provided. I do not expect the average user to produce their own.

"I'm not sure that Netis is alone in having this vulnerability."

These stories are a regular feature here. They are not confined to the low cost devices either.

0
0
vagabondo
Bronze badge

@Lars

Sorry but you also forgot about EEPROM and Flash Memory. Also the term used was "hard-coded" not "hardwired" -- we are dealing with firmware here, not hardware.

Most motherboards, "intelligent" devices, etc. -- including routers -- use flash memory to store their operating firmware. The system allows the flash memory to be overwritten and rebooted. That's how the firmware is upgraded. Firmware images are generally available for download from the device manufacturer's website.

The recommendation for replacement was "short of a fix". A fix is trivial, and could be implemented in-situ remotely. I would expect revised firmware images to appear at http://netis-systems.com/en/Downloads/ within a few days, but that depends on the priorities of these low-cost (approx £10) devices.

1
0
vagabondo
Bronze badge

Re: Congratulations you work in IT.

"Expecting people to ..."

I thought that most "consumers" got their routers preconfigured from their ISP, and only "experts" bought their own. I would expect the ISP or other tech support to be able to perform the fix remotely -- this is a remote access vulnerability.

0
0
vagabondo
Bronze badge

As these routers have upgradeable firmware, it should not be too difficult to download the firmware, change the password, and install the modded image. It would only take a few minutes to write a script to randomize the password, providing the original password was known.

Of course the manufacturer could provide firmware without the backdoor if their customers pressured them.

0
0

Facebook needs to defend Austrian privacy violation case

vagabondo
Bronze badge

If this case succeeds, what would be the consequences for organisations using US owned cloud services? If e.g. a housing association decided to move their data to Office 365, could all their tenants claim compensation?

0
0

Munich considers dumping Linux for ... GULP ... Windows!

vagabondo
Bronze badge

Re: So, what are FOSS e-mail client /server options?

Did a US judge not recently rule that MS locating servers in Europe would not protect them from data-mining by US officials without needing a court warrant? This creates difficulties in using US owned cloud services for organizations that want to comply with data protection laws, or just want some privacy.

There also seems to be a problem with data availability for Office 365 users. See frequent El Reg reports, including another one today.

3
0

Brit kids match 45-year-old fogies' tech skill level by the age of 6

vagabondo
Bronze badge

Re: Arbeitsbeschaffungsmassnahme fur NEETs

No, this "research" is by a marketing company providing material suitable for a press release aimed at technically illiterate "journalists" to punt to the Stephen Fry type of advertisee.

They were rating the subjects on their awareness of electronic media products. No awareness of what was being sold, or the "payment" being extracted was required.

[Instead of a "Think of the Children" we need an "Exploit the Children" icon.]

2
0

Facebook wants Linux networking as good as FreeBSD

vagabondo
Bronze badge
Alert

Re: I'll bring the popcorn to watch this...

Yes, Linus had better watch out. Facebook will be stealing all that top secret GPL code.

2
0

Factory-fresh delivery: Get your OpenSUSE fix daily

vagabondo
Bronze badge

!3.2 Milestones

This article appears to have been sourced from unofficial speculation, rather than the openSUSE mailing lists or web site.

Version 13.2 is due for release in November, and milestones are expected from October for pre-release testing. Factory has always been the place for development packages, that often break each others' dependencies. Snapshots of Factory were fairly infrequent, and used as the basis for "milestones". The change is that since the end of May factory-snapshots are being built daily, including DVD and CD images. This allows system testers to work with known builds without waiting for the milestones.

1
0

Scottish independence debate: STV player flops under weight of viewers

vagabondo
Bronze badge
Childcatcher

Watch it on STV Player or BBC Iplayer

Re: Put it on Youtube

It was available on STV Player by midnight. And it will be on BBC Parliament (and Iplayer), without adverts, at 7 o'clock this evening.

I thought it was typical boring politicking -- continual repetitive asking of the same question that was unanswerable; either because it was designed to be unanswerable or because the answer would be self-incriminating.

2
1

Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers

vagabondo
Bronze badge

Re: Doom for US tech companies

@Chemist

"Then if he/she didn't post as AC he/she would be able to put a "Joke" icon!"

But I thought posting as AC was part of the joke! After all it was a response to Trevor's justified rant against the AC MS shill. The problem with AC posts is that we never know how many or who they are.

1
0
vagabondo
Bronze badge

Re: Doom for US tech companies

@Trevor Pott

"Oh hey cowardly scumtoad! How ya been? .. "

If you are referring to AC "The many billions ... continue to thrive :-) "

Then I do not think that that was the shill -- just a comedian. I cannot remember the shill/troll using a smiley.

1
3
vagabondo
Bronze badge
Thumb Up

Re: Doom for US tech companies

@AC

"The many billions ... continue to thrive :-)"

Predictable, but good nevertheless.

0
0

Pentagon hacker McKinnon can't visit sick dad for fear of extradition

vagabondo
Bronze badge
Facepalm

Re: And when Scotland gets independence

The European Convention on Human Rights belongs to the Council of Europe, not the EU. E.G. Russia, Azerbaijan and Monaco are signatories without being members of the EU.

5
0
vagabondo
Bronze badge
Childcatcher

Re: Special Snowflake

"Is there any example of ... "

If they tried there would first have to be an application to the Procurator Fiscal Service to persuade them that Gary McKinnon was resident in Scotland. Then there is the matter of applying legislation retrospectively in Scotland -- he was investigated (and no case found) for this alleged crime by the English police in 2001. Following that it would be referred back to the Home Secretary because:

"As extradition is a reserved matter the Home Office has overall responsibility for the extradition policy of the UK. " -- scotland.gov.uk

" ... why on earth is GM actually drawing attention to this ... "

The Guardian article makes much reference to Gary McKinnon's new SEO business. So I guess this story emanates from a press release whose principal aim is promoting the business, and pushing his web site up the search engine ranks.

8
1

Another day, another Firefox: Version 31 is upon us ALREADY

vagabondo
Bronze badge

Re: Irrelevant?

Ditto

(openSUSE 13.1, 4GB RAM)

Firefox 30.0: two windows -- 14 + 8 tabs; up 7 days 3 hours; 780 MiB used

Iron/Chromium 34: one window, 5 tabs; up 5 minutes; 550 MiB

Chrome 35

Iron/Chromium 34: one window, 5 tabs; up 5 minutes; 580 MiB

Ghostery and AdBlock(Plus) all round. Firebug and Zotero for FF.

0
0

Help yourself to anyone's photos FOR FREE, suggests UK.gov

vagabondo
Bronze badge

"fair dealing" -- @veti

w.r.t. the putative DVD.

So if a sleeve note was added -- "This DVD is OK, but not worth paying for." -- does that make it a criticism/review, and therefore fair use?

3
1

Manic malware Mayhem spreads through Linux, FreeBSD web servers

vagabondo
Bronze badge
Facepalm

Re: Quick way to check for infection -- @Stoneshop

Thanks for the correction.

print ("I must wake up before posting. I must not post rubbish!") x 100

0
0
vagabondo
Bronze badge

Re: Quick way to check for infection

A traditional *nix server will have the locate utility. So:

:~> locate humans.txt

will suffice.

0
2
vagabondo
Bronze badge
Unhappy

What century are these guys in?

"In the *nix world, autoupdate technologies aren't widely used,"

Maybe 30 years ago ( BSD, tapes, and 64kb Internet access), or even Linux 20 years ago. However a quick look at some old Linux admin manuals shows that by 2001 SuSE shipped with on-line-update as standard. The defaults were to run weekly and apply security patches. I cannot believe that most other *nix systems did not have their equivalents.

In that time the only update-related problems that I can recall were a Postfix configuration backed up and replaced with an updated default (spotted and fixed within the hour), and a few occasions where users had "cut and pasted" dodgy PHP that stopped working after an update.

It's really not hard to keep a Linux server tolerably secure. With any decent distribution that is the default, and it does not have a significant cost. You have to decide to do something (stupid) to introduce a meaningful insecurity.

15
1

Forget the mobile patent wars – these web giants have patented your DATA CENTER

vagabondo
Bronze badge

Re: Non-obviousness

I do not know much about the US system, but. I thought that patents were supposed to be written such that any competent practitioner could reproduce the invention. If patents were written clearly, without legalese obfuscation, then it would be harder to get a patent on general principles rather than genuine inventions, and any legal proceedings could be simpler, shorter, and less of a lawyers' gravy-train.

Why don't the patent examiners just throw patents back to be redrafted if they are unintelligible to any competent engineer? And if the patent offices grant rubbish patents (because they have been privatised, and are paid to grant patents with examination as a cost to be avoided), then judges should apply the tests for a patent's competence before allowing any related action to proceed further.

3
0

Chrome Remote Desktop adds Linux to supported OS list

vagabondo
Bronze badge

Re: rdesktop

WinXP does/did. You had to enable "Remote Access/support" from the menu, and do the equivalent of adding the user to the "remote login" group. Has it been dropped? I don't have any MS products, and it's been a while since I needed to access one.

0
0
vagabondo
Bronze badge

Re: What's new?

What's wrong with "rdesktop", with or without a GUI?

0
1
vagabondo
Bronze badge
Facepalm

Re: Wow, if only there was a way to find out the answers to above questions

> Type ...

or alternatively you could have saved that brain cell a little, and just clicked on the link in the article. The word "here" in the fourth paragraph links to that very same page.

1
0

ICO probes BBC after secret British army unit's info LEAKED

vagabondo
Bronze badge

Re: lack of word-processing/office skills

@smudge

You have to read the original linked article in the Independent. Apparently the BBC has a form to request permission for undercover reporting. It seems that the Panorama team needed this for their Tower Hamlets story. Instead of creating a new document using an "undercover-application.template", the "MRF-undercover-application.document" was copied from the MRF folder to the TowerHamlets folder, modified and saved as "TowerHamlets-undercover-application.document". A junior member of the Panorama team copied the TowerHamlets folder (containing the "MRF-undercover-application.document") to a USB stick and gave it to the Mayor of Tower Hamlets.

So apart from displaying poor security and Data Protection capability, there is also a lack of competency in using basic office software.

3
0
vagabondo
Bronze badge
Facepalm

lack of word-processing/office skills

All the money that has been wasted on teaching "ICT" in this country and it is still the norm to copy and modify documents rather than use templates, style sheets, etc. The use of a template for the application form would have meant that there was minimal chance of needlessly copying unnecessary data.

0
0

EXPOSED: Massive mobile malware network used by cops globally

vagabondo
Bronze badge
Big Brother

If this is available to the "goodies"

then it is almost definitely available to the baddies. If the local cops have access to the average citizen's mobile communications, I would be surprised if Big Crime was not monitoring state prosecutors, investigators, and other criminal organizations. Or is there already a defence against RCS, and its real use is to spy on the average citizen and politician?

2
0
vagabondo
Bronze badge
Black Helicopters

Re: Prosecute the cops

"the fullest extent possible"

The devil is in the detail.

Could this be a case for a new breed of secret courts? Instead of keeping the accused and defence out, only the defence would have access to the evidence, charges, etc. The prosecution would be denied access in the interests of national security, efficiency, respecting the needs of the establishment, etc.

1
0

Chap builds rotary dial mobile phone

vagabondo
Bronze badge

Re: I'm more impressed...

Without a "telephone dial" how do you expect the data-entry operators to get their work done?

http://engineering-intelligence.net/images/bob-800x647.jpeg

http://historycompu.blogspot.co.uk/2009/02/first-computers-pascals-calculator.html

1
0
vagabondo
Bronze badge

Re: Where the video?

At the top of the article there is a link:

Click to view video

0
0

Stephen Fry MADNESS: 'New domain names GENERATE NEW IP NUMBERS'

vagabondo
Bronze badge
Headmaster

Fry is a Comedian

That's his job. Pontificating ad absurdum in order to create a snigger is what he does. We should expect no more and no less.

1
0

UK govt 'tearing up road laws' for Google's self-driving cars: THE TRUTH

vagabondo
Bronze badge

horsepower

The horse-carriage or dray is biologically governed to a maximum speed of about 20 km/hour. Would the auto-automobile be similarly restricted?

I suppose the annual vehicle test could be extended to include a "driving test" on a rolling road with simulated traffic, pedestrians, weather, etc. Would these vehicles be rated and restricted to classifications of road conditions (snow, ice, fog, motorway, etc.), load and speed? Presumably instead of a driving licence, some sort of an operator's licence would be required.

0
0

Everyone can and should learn to code? RUBBISH, says Torvalds

vagabondo
Bronze badge

Politicians as amateur educationalists

often aren't very successful meddlers.

Giving everyone a general understanding of what programming is, and how stuff works is a good thing. Much like expecting everyone to leave school capable of basic communication in two or three native languages would be desirable. But imagining that everyone could/should be competent beyond reading and writing simple scripts is as fanciful as expecting everyone to be able to produce good literature and poetry in several natural languages, or to be a competent surgeon.

Adam Smith had the right idea; we specialize in what we are good at. That way we get to be efficient/economical, and by swapping/trading the fruits of our labours life is easier for us all.

9
0

Patch NOW: Six new bugs found in OpenSSL – including spying hole

vagabondo
Bronze badge

Re: Podcast in detail about the current vulnerability

http://thecloudevangelist.com/ 10 minutes mp3.

Deserving a downvote for the "bit.ly" link obfuscation and MITM spying; not for the "evagelist" typo.

0
0

Linux users at risk as ANOTHER critical GnuTLS bug found

vagabondo
Bronze badge

Re: List of software affected would be useful

from http://gnutls.org/security.html

This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.

This is GPL, so (unlike the Apache licensed openSSL TLS) it cannot be hidden inside a closed-source package. You would have to be using a Free browser, mail client etc. that uses libgnutls to be vulnerable. Your system's package manager tools should be able to tell you if the GNU tls library is loaded, what version, and what other software depends on it.

We manage a fleet of openSuSE servers and desktops. None of the servers has this library. Many of the desktops (openSuSE/KDE) do have libgnutls as a dependency of an ffmpeg decoder package (from the third party Packman repositories), but I cannot determine whether the certificate verification function is ever called.

3
0
vagabondo
Bronze badge

making the same mistakes

All programmers make these (i.e. programming) mistakes, irrespective of who they are working for. The difference is that Free software producers publish their code for inspection and correction. The proprietary software producers keep their mistakes hidden, and reserve the capability of correcting them; mostly the fixes only follow exploitation.

6
3

Achtung! Use maths to smash the German tank problem – and your rival

vagabondo
Bronze badge

stock level

So if I was looking for 25 items, or concerned about future availability, I would probably order from your competitor who was showing 300 available for immediate despatch. I would probably be prepared to pay a small premium for the convenience of a single order.

2
0

FSF slams Mozilla for 'shocking' Firefox DRM ankle-grab

vagabondo
Bronze badge

Re: I used Chromium rather than Chrome

@Lost all faith

I think you meant SRware Iron. I just now installed from the rpm, copied ~/.config/google-chrome to ~/.config/chromium and everything worked, extensions and all settings. It's brilliant, thanks for the heads up.

https://www.srware.net/en/software_srware_iron.php

1
0
vagabondo
Bronze badge
Facepalm

A partnership with Adobe

to implement one company's proprietary DRM is what is being objected to. There is not a call to ban Adobe from producing a plug-in/extension.

There are Adobe and Gnash swf plug-ins for Firefox, that do not require Mozilla to partner with Adobe. Why should this be different?

3
0
