You're over-reacting. That was just a figure of speech. How can I tell? The rest of his post is perfectly sensible and reasonable. He even started out obliquely defending systemd. Does not come across as a person who even remotely thinks of that statement as a personal one in any sense.
disable UPNP and allow the mobile app to do everything
the biggest failure is UPNP.
They should mandate disabling that. All communication to the "mothership" should go through a mobile phone which is on the same wifi network. Yes that would essentially be akin to XSS but in a good way.
I'm pretty sure this is the most practical, scalable, solution for this.
Gone in 10 seconds...
...my good impressions of El Reg as a tech-savvy pub.
This attack does *not* give you anything you could not get by using a USB boot, CD boot, or PXE (network) boot.
The only situation where you *do* get more than that is in "kiosk" type situations (where the CPU/case/disks are locked away but the keyboard/mouse/monitor are accessible).
And even then, the statement "With access to the shell, an attacker could then decrypt Linux machines" is totally wrong.
doesn't make sense
They could have licensed it to the other party. I run a small project called "gitolite" which has just such a licence from the SFC, which owns the "git" trademark. It's free and it's only purpose is to protect their trademark.
what he should have done
is to capture the page before, then pay for the advertisement, capture again, and then sue. That's proof that this is a racket if the bad review goes away when you pay.
A lot more tangible, IMO.
I have been boycotting Dropbox since they took on Condoleezza (sp?) Rice as a board member. Since I never had a dropbox account, for me,"boycott" means refusing document links that others send me that they want to share.
Of course I don't use Apple either so this specific issue doesn't bother me.
On another note, I'm curious what other apps do stuff like this; i.e., this one was found, how many more are hiding?
it's not the people...
I stopped listening because they concentrate so much on the storage industry, which is something I have zero interest in (not being an "enterprise" IT guy I suppose). Almost none of the companies they speak of are well known outside data center and similar operations folks.
On the plus side they give a decent breakdown of each episode with MM:SS timings so I do sometimes download and listen to segments.
On the minus side, I loved Sarah Vela's sense of humour, I loved her voice and I especially loved her laugh (like when she leg-pulled her cohorts), and she's now left the show. Sad...
Re: Life's hard choices
Speaking for myself, I don't see anything wrong with millions of Apple users waking up to a zero bank balance... they're used to Apple robbing them blind anyway so this can only be a minor incremental pain.
my backup strategy
(I know you didn't ask me, but still...)
I have a simple strategy that consists of actually reviewing the files that my incremental backup program reports as having changed. (The backup program itself is "borgbackup" -- awesome stuff; look it up. Unix only though).
A modification of this could be to keep a trend of number of files in each top level directory that are changed per day, and if something unusual happens, alert someone.
An even simpler way that often works (for single desktops) is to count how many files changed today, and alert if it is at least 1.5X larger than the maximum number of files changed in the last N days (adjust N to taste). The alert should list the actual files that were changed so someone can quickly determine if there was a problem or "oh yeah those files, we know what all those changes are".
The assumption is that the malware (if any) has not borked my borgbackup software to produce false reports of what it is seeing. I suppose in theory that could happen with a more popular backup tool so YMMV.
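The two heuristics above (alert when today's changed-file count is at least 1.5x the busiest day in the last N days, and keep a per-top-level-directory breakdown so a human can eyeball what changed), as an added example. This is not the commenter's own script and not part of borgbackup; the daily history and "today's" report are constructed, and in real use the report would be the list of changed paths your backup tool prints for the run (for example post-processed borg `--list` output).

```python
# Added example, constructed data.  Implements the change-count anomaly check
# described in the comment above on top of whatever "changed files" list the
# backup tool emits.
from collections import Counter
from pathlib import PurePosixPath

WINDOW = 7      # days of history to compare against (adjust to taste)
FACTOR = 1.5    # alert when today >= FACTOR * max(recent history)

# Constructed: changed-file counts for the previous 7 days, oldest first.
HISTORY = [3, 2, 5, 4, 2, 6, 3]

# Constructed: today's report, one changed path per line, relative to the
# backup root.  The .locked suffixes stand in for what bulk-encrypting
# malware typically leaves behind.
TODAY_REPORT = """\
docs/report.odt.locked
docs/notes.txt.locked
docs/budget.ods.locked
photos/2009/IMG_0001.jpg.locked
photos/2009/IMG_0002.jpg.locked
photos/2009/IMG_0003.jpg.locked
photos/2009/IMG_0004.jpg.locked
photos/2009/IMG_0005.jpg.locked
photos/2009/IMG_0006.jpg.locked
photos/2009/IMG_0007.jpg.locked
"""


def parse_report(text):
    """One path per line; blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def top_level_breakdown(paths):
    """Changed files per top-level directory (the per-directory trend idea)."""
    return Counter(PurePosixPath(p).parts[0] for p in paths)


def should_alert(today_count, history, window=WINDOW, factor=FACTOR):
    """True when today's count is >= factor * the busiest day in the window."""
    recent = history[-window:]
    if not recent:
        return False    # no baseline yet; nothing to compare against
    return today_count >= factor * max(recent)


def analyse(report_text, history, window=WINDOW, factor=FACTOR):
    """Everything an alert mail needs: verdict, numbers, per-directory
    breakdown and the actual file list, so the reader can say
    'oh yeah, those files' or start worrying."""
    paths = parse_report(report_text)
    recent = history[-window:]
    return {
        "alert": should_alert(len(paths), history, window, factor),
        "count": len(paths),
        "baseline_max": max(recent) if recent else 0,
        "by_dir": top_level_breakdown(paths),
        "files": paths,
    }


if __name__ == "__main__":
    result = analyse(TODAY_REPORT, HISTORY)
    print("ALERT" if result["alert"] else "ok",
          result["count"], "changed; baseline max", result["baseline_max"])
    for directory, n in result["by_dir"].most_common():
        print(f"  {directory}: {n}")
    for path in result["files"]:
        print("   ", path)
```

The check inherits the caveat the comment ends with: it trusts the backup tool's report. Running it on the backup host rather than the machine being backed up removes one way for malware to feed it false numbers.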
Re: it's a backdoor, not a bug
I think he meant "as opposed to Lenovo installing it themselves". Probably referring to the so-called "free" apps that come with a laptop which caused some consternation recently (if something affects only Windows, I tend to not remember details).
Comodo CEO (2011, same one now??) hilariously slammed in Moxie Marlinspike's talk
watch especially 05:19 to 06:52, then 07:45 to 11:30
heck watch the whole thing; Moxie is a very clear, articulate, speaker with a great sense of humour *and* knows his shit
isn't south korea the place where...
you MUST use windows, and a government proprietary activex control, in order to do any online banking etc.? (I'm sure I heard something like that a few years ago, maybe someone can correct me).
Stopped using FF for all but one or two fussy sites after the Pocket nonsense got in.
Qupzilla -- yeah I know, what a name! -- works great. It also has some serendipitous extras for me. For example, if I have many tabs from the same site, and I want to enable JS on one of them, in FF+NoScript, this touches ALL the tabs and they all start reloading. In Qupzilla it's only that tab.
Now if it could only do that for cookies also, that would be grrrreat!
lost me at "G" in Gnome.
I hate that POS. I especially hate their attitude to users, and the fact that you can never actually get used to something nice because they're likely to simply take it away next time.
as soon as you lot apologise for Gen Dyer's https://en.wikipedia.org/wiki/Jallianwala_Bagh_massacre
Don't bring up such old stuff. It was very one-sided in many ways.
@Heyrick, @Happy Ranter, @AC "What am I missing"
AC: your question is "Surely if you can inject a 301 in the response, you can manipulate the rest of the response anyway?"
Sure, but a 301 makes it permanent. Your MITM may be temporary, but you are making a permanent change to the app now.
Happy Ranter: regardless of what their motivations are, the fact is that an *app* (as opposed to a real browser, even on a mobile device) does not have a URL bar, so the minimum protection we normally have when we get a 301 -- the fact that we can *see* the new URL in the bar -- does not exist here.
That is the issue, I think.
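The point about 301 versus 302 in a URL-bar-less client, as an added example that is not code from the original comments or from any of the apps discussed. It contrasts a naive client, which does what a 301 literally asks and remembers the new location for good, with a client that pins its API host, refuses scheme downgrades, and never persists a redirect. The responses, the host names and the `PINNED_HOSTS` assumption are all constructed for the demonstration.

```python
# Added example: why an injected 301 outlives the MITM that injected it.
# Everything below is constructed; "api.example.com" is a hypothetical API host.
from urllib.parse import urljoin, urlsplit

# Assumption: the app knows the host(s) its API lives on.
PINNED_HOSTS = {"api.example.com"}
API = "https://api.example.com/v1/login"


def resolve_target(request_url, location):
    """Location may be relative; resolve it against the request URL."""
    return urljoin(request_url, location)


def redirect_allowed(request_url, location, pinned_hosts=PINNED_HOSTS):
    """Return (allowed, absolute_target, reason).

    A redirect is only followed when it stays on https and on a pinned host;
    that is the check a human would do by glancing at a browser's URL bar."""
    target = resolve_target(request_url, location)
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False, target, "scheme downgrade"
    if parts.hostname not in pinned_hosts:
        return False, target, "host not pinned"
    return True, target, "ok"


class NaiveClient:
    """Takes the 301 at its word: caches the new location and reuses it for
    every later request, long after the network is clean again."""

    def __init__(self):
        self.permanent = {}

    def fetch_url(self, url, response):
        """response is a constructed (status, headers) pair. Returns the URL
        the client will actually talk to."""
        if url in self.permanent:
            return self.permanent[url]          # poisoned entry wins, no matter what the server says now
        status, headers = response
        if status == 301 and "Location" in headers:
            target = resolve_target(url, headers["Location"])
            self.permanent[url] = target        # remembered "permanently"
            return target
        return url


class HardenedClient:
    """Treats every redirect as temporary, follows only same-host https
    targets, and keeps a record of what it refused for logging."""

    def __init__(self, pinned_hosts=PINNED_HOSTS):
        self.pinned_hosts = pinned_hosts
        self.refused = []

    def fetch_url(self, url, response):
        status, headers = response
        if status in (301, 302, 307, 308) and "Location" in headers:
            ok, target, reason = redirect_allowed(url, headers["Location"], self.pinned_hosts)
            if ok:
                return target                   # followed for this request only; nothing stored
            self.refused.append((url, target, reason))
        return url


if __name__ == "__main__":
    injected = (301, {"Location": "http://evil.example.net/api/login"})  # constructed MITM response
    clean = (200, {})                                                  # constructed normal response
    naive, hardened = NaiveClient(), HardenedClient()
    print("during MITM :", naive.fetch_url(API, injected), "|", hardened.fetch_url(API, injected))
    print("after MITM  :", naive.fetch_url(API, clean), "|", hardened.fetch_url(API, clean))
    print("refused     :", hardened.refused)
```

The naive client keeps talking to the attacker's host after the attacker has gone; the hardened one never leaves its pinned host, and still follows a legitimate same-host https redirect when one arrives.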
@Justin: I'm sure there are lots like me...
...who have refused to touch facebook (and in my case have even forbidden my daughter from having an FB account) because of the "everyone in one bucket" problem.
We don't have to be doing anything bad/criminal/shameful/naughty to want to segregate our social networks. Compromises like "don't invite your mum" or "don't invite colleagues as friends" are signs that you're letting a technology FAIL drive your social network. And making excuses for the failed tech too.
So much for the value you place on this medium I suppose.
(Oh and I have been told that FB does have such a feature but it is such a badly done, hard to use, bolt-on that it may as well not be there. Clearly if an FB fanboi like you did not mention "we have it too" it must be well hidden indeed so whoever told me this was correct!)
I have helped people (on request) to set privacy settings properly on FB and have come away appalled. Last such experience was about 6 months ago.
I now have sent a G+ invite to my daughter (yes the same one who can't have an FB account!), because I looked at the settings and they make sense. She will still have to exercise caution in what she says to whom but that's life. I'll watch what she does for a few weeks but by and large I'm OK with this.
Yes I'll still watch Google's policies closely but I doubt they'll ever do the amazing amount of facepalm statements and actions that Zuckerberg/FB managed to do over the last few months/years. Nor will they, after the Buzz debacle, take this issue lightly either...
mind in the gutter
Domain Internet Groper? Are you sure that's what "dig" stands for?
your redhat comparison fails -- you realised it fails but you did not explain why.
Two words. Copyright assignment.
It's not the decision to sell that caused all this. It's the decision to have mandatory copyright assignment. Which allowed them to change the *client* libraries from LGPL to GPL for instance.
Tell me how that helps FOSS in any way, forcing the MySQL client libraries to be GPL? That was pure greed.
Now it's biting them, and they're running around crying about it...
malware see, malware do
this post just about made my day/week/month.
I've always considered Windows to be the biggest piece of malware floating around, and MS to be of questionable legality in various aspects (and not just the anti-trust stuff), so it's nice to know they're inspiring "the next generation" so to speak...
"fix had not taken"
just run "dig +trace www.tcs.com"
If you're piggy-backing on someone else's DNS, like your ISP or openDNS or the chocolate factory, and you get a different answer than 18.104.22.168, you know what to do.
But actually, if you aren't running your own DNS, and didn't flush your caches as soon as you heard this, you shouldn't even be commenting on the issue.
"still see the bad page" ==> **reporting** on the issue
"fix had not taken" ==> **commenting** on the issue
[Same disclaimer applies as in previous comment]
tcs.com was NOT hacked....
please guys, I expected better from you lot...
[Disclaimer: I'm an employee of TCS, though naturally I'm posting this in my personal capacity]
tcs.com was NOT hacked yesterday. What did happen was that the DNS records that supply the IP were reset to some other IP.
Whether that was done by actually hacking netsol or by social engineering a valid change request I do not know.
I know the site was fine because going through the internal DNS got me the correct IP address and the correct content.
I believe the problem started sometime before 1am IST [this is a wild guess, from other symptoms; don't ask, heh heh!], and was resolved around noon or so [this guess is more accurate because I was semi-actively monitoring it].
In both instances, it would have taken a few hours for the bad data to expire from DNS caches. Depending on who your DNS provider is, you may have seen it "come back" at different times. If you were running your own DNS, you could have purged your DNS cache manually and would know more accurately when it came back.
At this point in time I am still receiving reports of other DNS servers still showing the bad data. Just tell them to purge their DNS caches if you know them, or switch to openDNS. They've got the right stuff, and have had it a lot longer than the chocolate factory's DNS :)
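The check suggested two posts up (resolve the name yourself, compare with what your usual resolver hands back) and the TTL point above, as an added example that is not code from the original comments. It parses dig's answer-section layout, flags a mismatch between the authoritative answer and a resolver's cached one, and reports how long the stale record will survive in that cache. The dig outputs are constructed strings; in real use you would feed it the output of `dig +noall +answer NAME @SERVER` for the authoritative server and for your resolver. The addresses are RFC 5737 test addresses, not tcs.com's real ones.

```python
# Added example with constructed dig output.  Compares an authoritative answer
# with a resolver's cached answer for the same name.
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype data")

# Constructed: what `dig +noall +answer www.tcs.com @<authoritative server>`
# might print.  192.0.2.10 is a documentation address standing in for the real one.
AUTHORITATIVE = """\
www.tcs.com.\t\t3600\tIN\tA\t192.0.2.10
"""

# Constructed: the same query against a resolver still holding the bad record,
# with 2745 seconds left before its copy expires.
CACHED_BAD = """\
www.tcs.com.\t\t2745\tIN\tA\t198.51.100.7
"""


def parse_answer(text):
    """Parse dig answer lines: NAME TTL IN TYPE DATA.  Comments and blanks skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append(Record(parts[0].rstrip(".").lower(), int(parts[1]), parts[3], parts[4]))
    return records


def a_records(records, name):
    """Sorted A-record data for NAME, so two answers compare regardless of order."""
    wanted = name.rstrip(".").lower()
    return sorted(r.data for r in records if r.rtype == "A" and r.name == wanted)


def check(name, authoritative_text, resolver_text):
    """Return whether the resolver agrees with the authority, both answers,
    and (on mismatch) the longest remaining TTL of the stale A records."""
    expected = a_records(parse_answer(authoritative_text), name)
    seen = a_records(parse_answer(resolver_text), name)
    match = expected == seen
    stale_ttl = max((r.ttl for r in parse_answer(resolver_text) if r.rtype == "A"), default=0)
    return {
        "match": match,
        "expected": expected,
        "seen": seen,
        "seconds_until_expiry": 0 if match else stale_ttl,
    }


if __name__ == "__main__":
    verdict = check("www.tcs.com", AUTHORITATIVE, CACHED_BAD)
    if verdict["match"]:
        print("resolver agrees with authority:", verdict["seen"])
    else:
        print("MISMATCH: authority says", verdict["expected"], "resolver says", verdict["seen"])
        print("stale record expires in about", verdict["seconds_until_expiry"], "seconds; flush or switch resolvers")
```

A mismatch with a short remaining TTL is the "fix had not taken yet" case; a mismatch that persists past the TTL means the resolver re-fetched bad data and the problem is upstream of it.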
what amazes me...
...is how many sheeple there must be if he got 15,000 petitions.
Anyone who thinks for 2 seconds can see this guy's cries of "oh no the sky is about to fall on our open source heads" are all bull. A few more seconds and you can even guess why he's doing it (hint: if you force Oracle to sell it, who would buy?)
There *may* be damage from Oracle, but it will only be to commercial licensees. Not to open source.
why do we need a leak?
can't we just figure out the new rules from the details of the incident prompting them? I mean, surely no one still believes the TSA actually *thinks* before making rules do they?
I'm just waiting for the first guy to put both components of the bomb in his underwear, or two guys with one part each, and they combine them on board. TSA will have to ask everyone to take off their underwear.
Bruce Schneier, as usual, puts it very well. http://www.schneier.com/blog/archives/2009/12/me_and_the_chri.html says: I've started to call the bizarre new TSA rules "magical thinking": if we somehow protect against the specific tactic of the previous terrorist, we make ourselves safe from the next terrorist.
Listen up folks: the only reason more terrorism isn't happening is that the **bleeding terrorists are even MORE stupid than the TSA**!
"under the table"
...is the expression used in India for the kind of deal that I *very* strongly suspect has happened here.
The sdcard association has *standardised* on this format for their future cards: http://www.sdcard.org/developers/tech/sdxc. A format that they *know* requires money to be paid even by a consumer (since the terms prohibit a FOSS system from using it). In a day and age when awareness of FOSS has never been higher, so don't tell me they didn't realise this.
I refuse to believe this has happened without MS bribing people at sdcard.org. Either that, or gross incompetence/negligence at sdcard. No other explanation.
I wonder how many...
... of their computers are currently getting hacked by people more competent and less reachable/vulnerable than Gary McKinnon?
It seem unlikely that they've spent any time fixing the *real* problem, nor the people who caused it, from the effort they're making to "shoot the messenger". Which is what this is, if you come right down to it.
"dies" "live longer"
nice pun, if intentional... :)
ftp vulns can be fixed...
I've long maintained that any admin who uses (or requires the use of) normal ftp for authenticated access of any kind should be taken out and shot [*]
In the two cases of gumblar infection I have seen so far, the infected party's hosting provider had given them plain ftp access to their space.
[*] ok I was half joking there... you dont have to take him out
only way to hide his and his ilk's failure I guess
I seem to recall hearing, over the years, about lots of spyware and rootkits that were undetectable by most AV, including this bozo's self-named product. They leeched off the insecurity of Windows for as many years as they could, never once pointing out or attempting to help come up with any real, long term, cure for all of Windows' security ills. Naturally.
Now MS has gotten into that game (took 'em long enough...) these leeches stand to lose most of their blood supply, so they come up with bone-headed schemes like this.
Yes, I know someone said the original article is more of a "what if". So here's mine: what if we banned the use of Windows to access the internet? Seems to me a lot easier to do, and no downsides either.
Killing off leeches like this would be just a bonus, not the main focus...
it *is* windows...
windows was (re-(re-))built from the ground up as a multi-user addon to an inherently single user system. A Linux desktop is going the other way, so there's a lot of security already in there in terms of separation.
@David W ("No need for a trojan if you've got root...") -- clicking on an attachment does not execute anything, and even if desktops become like that (some are, sadly) they won't execute as root.
@Charles9 ("malware that slips through even NoScript") -- can you show me an example of anything that slips through NoScript? I haven't seen one yet
I've stopped wishing MS any ill...
I've stopped wishing MS any ill.
I have now transferred all my ill will to organisations who make deals with MS. There's far more opportunities to gloat that way.
Serve t-mobile right.
The remote management thing is a good point (as of now anyway), but this article was about infected machines staying infected for months on end -- hardly likely in a "managed" environment like that.
On the "home" front, if someone wants to connect to her job, she should have a job-issued laptop/desktop. As a "personal go to guy", I might help with setting up Firefox+Adblock+basic precautions/education as someone up there suggested, but I probably wouldn't install Linux -- I don't mess with someone else's "work" stuff unless it is "work" for me too.
The video webchat thing -- let's just say you threw in "MSN" as bait. I'm not a big user but last time I checked, skype worked fine.
The old "everyone else is using it, so I have to use it too" argument may be genuine in *some* special cases, but in all but one of the dozen+ people I maintain computers for (personally, no cost) a little digging has revealed that there is no *real* need -- it was more a perception.
And finally, if you really are using Linux at home, the least you can do is stop calling us "fanboys". Most of us -- in real life if not on El Reg ;-) -- are perfectly reasonable people.
A: fail -- the web interface sucks even more, I constantly hear; I'll admit I haven't tried it myself, but in these comments someone said something, and I have my less fortunate colleagues to rely on for my opinions.
B: good point in theory. Oddly, MS-hater though I am, (haven't used Windows at work since 2004, and at home since 2000 or so), I find myself more angry at LN's designers/developers. Probably because my expectations of IBM were much higher than of MS. Plus I have a lot more friends (and former colleagues/bosses) in IBM than in MS, and so maybe I mentally rank it a much smarter company :-) Really, at the risk of repeating myself, LN didn't have "sort by subject line" till about 2004 or so -- now come on that's a deep scar, admit it.
C: irrelevant. I think this is the most important point LN apologists consistently fail to grasp. All we want is email. Don't tell us "oh it can do so much more".
We don't care. We don't care. We don't care.
I know this isn't slashdot so I'll resist using a car analogy :-)
E: helpdesk/incompetent admins? Sure maybe they have their share. Domino doesn't exactly make it easy, I'm told. Mostly because of the same reason -- they're not actually administering an email server, they're administering something "that can do soooo much more" to quote an AC up above somewhere.
F: and you just proved what I said. Although I doubt if you realise what a horrible idea that is. It's not just classical Unix evangelists -- most people realised long ago that you build multiple pieces that work together, not one big monolith that tries to do it all.
new phrase for you: synergistic FAIL :-)
G: see E.
as for your users not complaining, I either take my hat off to you for being a superhuman, or back off in haste because you're a BOFH who'll cut me off if I *do* complain ;-)
@emotional BS (AC, 07:57)
[you'd think *attacking* a corporate thing would need AC, not *defending* it, but I guess you know best...]
> I've never heard such irrational & emotional BS in my life. Sure, the UI of Notes was poor, but that was the only weak area in the whole Notes &
listen, bubba, your "only weak area" happens to be the only one a normal user cares about because it's the only one that makes his life miserable. Until you get that into your head, you'll never get the point of what you blithely call "emotional BS".
> infrastructure, Notes & Domino is sooooo much more than that, but most folk who look at Notes & Domino only see the eMail capability, rather than everything else it is capable of.
See above. Summary: *I* *DONT* *CARE*!!!
You know, I get the feeling you're one of those wannabe BOFH types who either doesn't have any "users" or no obligation to keep them happy. You're definitely *not* a user yourself.
> cognisant of the architectural implications of any decision , rather they focus on the user experience and
ooh yes -- we must never let *users* dictate terms, must we? what would the world come to...
> believe implicitly everything that Microsoft tell them as most of them have only seen a Microsoft environment, then they think that they only have the option of an Outlook client.
**Stop implying that anyone who opposes Notes must prefer MS Outlook** Those are not the only two mail clients out there, and if you don't know that, you shouldn't be out in public without your seeing eye dog.
You want to go head to head, try it with Thunderbird
@AC 12:49 and 13:29 and others
Completely agree. Notes is major, MAJOR (bold red letters) FAIL.
Here's a funny story. I work for a fairly large IT services company, and my brother, working in a somewhat smaller one, wanted me to put his resume through the mill. I casually mentioned the word "Lotus Notes addressbook" in the context of trying to find out *who* to send his resume to (for his skillset and all...)
He sort of jumped back a bit, and said "you guys use Lotus Notes?" "Yes, it's the corporate email client", I said.
A brief pause. Then he says, "er, never mind about the resume; don't send it to anyone..."
I wish I had made that up, but I'm sorry to say it's true!
And they can make the newer versions as pretty as they please, but a POS that acquired "sort by subject line" in 2004 or thereabouts is not my idea of anything remotely clueful. Pigs and lipstick come to mind.
I have an open challenge to anyone in my company: find an arbitrary mail from more than 6 months ago, knowing only a part of the subject line and one of the recipients' names. Lotus Notes head to head with Thunderbird + GMailUI. Once you've seen a long message list reduce itself automatically as you type more and more conditions in the search bar, you're hooked.
more items to blacklist for me, because it looks like this new standard is going to be (1) all over the place (2) and no open source way to access the files from
why in the world would a standards body for the SDXC or whatever chips decide to standardise on a file system that is proprietary, in this day and age, I'll never know...
(other than money changing hands or threats, like the OOXML thing, I suppose)
@Michael C Posted Tuesday 11th August 2009 13:45 GMT
doesn't explain why you can't tell people you've been asked for the key, which apparently is also part of RIPA, per John Naismith Posted Tuesday 11th August 2009 16:35 GMT
>> It never ceases to amaze me how the open source people (and Linux people in particular) slag off MS (and quite rightly too!) but then go and copy what MS are doing!
Sorry but Miguel De Icaza does not represent "open source people" any more than Bernie Madoff represents Wall Street, as far as I am concerned :-)
@Mathew Evans (@shills.microsoft.com?)
>It's been around for over 10 years, and its sitting at < 1 % of desktop / laptops. Every OEM manufacturer who has a go at selling a Linux desktop / laptop pulls the plug quick smart, because they get arm twisted by MS threatening to pull their OS completely from them or jack up the price enormously.
Fixed that for you; and no need to thank me -- I'm just that kind of helpful guy, I'd do it for anyone, even people like you.
very happy to hear this
I am tired of people switching to open source because of the "economic climate". I keep telling them cost is only the third reason to switch to Linux etc., and that security and reliability are the first two reasons.
So this feels good. "Schadenfreude" is too mild to describe what I'm feeling. Maybe "gleeful". Even "gloating" :-) I hope this happens in larger enterprises, and I hope it somehow magically doesn't happen when they test in the IT department before pushing it out to 20,000 desktops :-)
And @Henry9: you may well be right but the real problem is the need for AV in the first place. Ask yourself where that came from
@Ponmyword (and others)
re "Offshoring is one thing, abusing the immigration rules is another" and similar sentiments by others
I remember when offshoring itself was considered so bad, so unfair, and all that. You mean to tell me all it took was to diddle with immigration rules a bit and suddenly offshoring ain't bad?
/me ducks and runs :-)
@JC and windows -vs- linux support
Linux needs a wrapper because the hardware manufacturers are still pandering to the sheeple-OS only.
If you have, say, an Intel chip (small company out of Oregon, you may've heard of them) it just works, on most any recent distribution.
With Windows, it works *not* because MS is doing *anything at all*, but because the hardware manufacturer went all out to make sure.
This, my friend, is a direct result of them being a monopoly, though it's at a level where MS can't be blamed for it in court.
I install and configure Linux for friends and family, even people I only have a nodding acquaintance with, no strings attached. That such level of support is needed is not Linux's fault.
However, I also know people who talk like you do, and I am happy they're on Windows. I took the water to the horse['s ass] but I can't make him drink you know.
Back to this issue: regardless of what is or is not Firefox's fault, installing something onto a **competing** product, that changes the behaviour of the competing product (useragent string), **without** the user's permission, is criminal.
They couldn't come up with even a little dialog saying "oh hey I notice you have FF. I can install foobar onto it to make your experience on FF as foobar as on our own IE. Would you like me to?"
And for those who think this was not intentional, let me assure you MS staff are not idiots. That old line about "never attribute to malice that which can be explained by stupidity" doesn't apply to MS.
In this case, it was to make sure .Net and Moonshine work on as many computers as possible.
to the tin-foil-hatters
this is your president speaking. I am more paranoid about google's evil potential than all of you put together.
But (if they do what they said they would) this will be something you can run on *your* own servers.
Ease up on the worrying!
what they did not mention
is "secure". They found a close-enough-in-some-sense word (Trusted) but they dared not say "secure".
cloud is good only if...
...the service is more valuable than your data.
i.e., for most of us, cloud == cloud cuckoo land
...and a great release it is too (Mandriva Spring 2009)
downloaded it (Mandriva Spring 2009.1 KDE One CD image) from a French mirror the very day it came out, before it went to torrent and/or the mirrors got hammered :-)
To start with, their hybrid ISO is a stroke of genius -- no messing with unetbootin or liveUSBcreator or things like that; just dd the ISO to a USB stick instead of burning to a CD. Done. It may be reflective of my inadequate imagination/brains, but I had never realised it could be this easy.
Installed it in 5 machines within the next 2 days. Very little fiddling -- especially suspend/resume; works out of the box.
KDE 4.2.2's transparency etc features are much more reliable than in 4.0, and I actually *use* them; it's not just a gimmick. Ever transcribed/summarised someone's overly long document into a quick email for the boss? I only need to sort-of see what I'm typing, so having the ODT show through the very high-transparency email compose is pretty cool :-)
Except for a minor problem with installing from behind a corporate proxy (you have to change the download engine to curl or wget; the default aria2 has some issues) which I duly reported, I haven't come across anything significant.
@Lager and Crisps
"Microsofties are patrolling all the tech sites..."?
You have an extra "pa" in that there verb :)
enough with the wikipedia bashing
especially when there's no indication that YOU have done the same yet...
in other news...
Pakistan rubbishes charges of state-sponsored terrorism.
Nothing to see here, move along...
@I hope it fries all...
> the windows boxes at work
I'd rather it hit all home machines first. Less impact on the economy, more real benefit.