3610 posts • joined 10 Jun 2009
Re: pretty sneaky...
"Here's an open question. When Linux finally gets BTRFS properly implemented, will normal linux users be protected against this?"
If set up correctly and the malware doesn't get past the snapshot threshold, then a backtrack may be possible, though I don't know about about btrfs to learn if this is an exploited feature. Most of the work seems to be concentrated in the realm of snapshots, which are advantageous for VM hosts.
Re: A weakness?
That's assuming the malware connects directly instead of hijacking an existing program like a web browser that already has outgoing permission. And this would only work on a whitelist system that defaults to deny. This would likely only be in highly-restricted workstations. More common would be a blacklist system which would default to allow.
Re: Nuke the perps from orbit?
"If it was possible to identify a command and control server and take it down in seconds, a lot of this crime would get a lot more difficult.
Also, a simple point, computers need a clearly labelled physical button called something like "Disconnect from Network" which would stop all network activity without the need go go through any menus. The second someone thinks they've clicked on a bad link, being able to hit that button would stop a lot of infections."
1) Even if you could ID a C&C server, what if it turns out to be in a country hostile to you? That's why there are a lot of Chinese-, Russian-, and Eastern-Europe-based servers. They may not be as inclined to cooperate with you, and matters of state can keep you from applying pressure.
2) If it's that bad, PCs probably need something more drastic: a return of the Reset button. Forget disconnecting from the network. You'll probably need a full memory flush and more than likely a new IP address and set of rules. And that's assume the malware didn't manage to report intel back in the split second it was in your machine. Not so much nuking from orbit, but still on the level of "dump out and start over".
Re: Title is basically incorrect
Plus by hibernating like this, the malware has a chance of getting INTO the backup, tainting it so that trying to restore it could result in immediate re-infection.
Re: Im not doubting you Charles but...
I've seen software repositories and media servers keep mirrors that have random-sounding names in the first part of their domain name. I believe these are generated on the fly for certain sessions and then terminated afterward to prevent backdooring.
Because if Microsoft tried to do ANYTHING, someone would find a way around it. Think privilege escalation. And there's been a disturbing trend towards making malware capable of surviving even "nuking from orbit", such that even that isn't so sure anymore.
Until you find out they're clever enough to use IPs ALSO associated with legitimate sites. As for DGAs, they're ALSO used somewhat by some legit software houses, meaning blacklisting them, too.
I suspect the next step(s) for crypto malware are:
(1) hibernate first so as to increase the odds of getting INTO the backup, The idea being should one try to use a backup to restore the OS and files, it'll just wake up again.
(2) stick around after the ransom so as to hit the victim again (what business doesn't want a repeat customer).
(3) look for ways to invade the MBR, BIOS, and/or EFI to get around OS safeguards and try to gain nuke-resistant.
"There is a possibility that HFT may try to manipulate the market by artificially distorting one market to momentarily create a spread to exploit but that normally should be impossible because the trade will work against itself (i.e. making buying more expensive and selling cheaper). This can only work, in theory, if you have a leveraged position, say, in OTC market - but OTC markets are not suitable for HFT, so, there...
I have not seen many problems caused by "run-away" HFT algorithms so far. In fact, markets seem to shrug off occasional glitch much quicker and easier than in the old times. The day-traders are the ones that seem to be affected the most by extremely short-term volatility as they are forced to either set the stops wider, which increases the risk, or tolerate them being broken more often, which kills their efficiency."
Didn't we just have a "flash crash" recently? It's a sign of volatility, and the spike in volatility we saw can be scary.
The problem is that while the HFT program is trying to seek out these minute differences, so are many other HFT programs, ALL of them trying to be the one to cash in. It's like a little paper bag with only one sweet left in it when ten people happen upon it all at once. Everyone thrusts their hand into the bag at once because they all act at once. Similarly here, the HFT programs can all act at once, creating a spike. Meanwhile, the transactions take time to clear (because of the speed of light if nothing else), so there's a delay between actually making the transaction and getting the result. WITHIN that time period, any number of HFTs could be making the same move, adding to the mess like how fog hides the 20-car pileup and turns it into a 50-car one.
Re: @AC 19:39, "Which must mean that markets cannot be efficient."
Well, I will call this BS as BS as well. In addition, I will call anything that tries to call me BS is BS as well because I am calling MYSELF BS, and you can't call something BS if it's ALREADY BS, can you? (Joke ends).
But seriously, there's a point to this. While it is true that unregulated markets inevitably lead to corruption (the sharpest image in my mind is the American Guilded Age of the late 19th century), the problem is that, like the greedy investors, regulators are people, too. And unlike the investors, they're in a position of power. Which makes them MORE prone to corruption. IOW, you shift the focus of the corruption from the investor to the regulator. Sure, regulations are all fine and dandy when they first arist, but they're eventually tainted over the years. Look at what's happening with markets today. Everywhere you look, more holes than a wheel of Emmentaler. Because regulators get corrupted and insert the loopholes one at a time in a perverted form of "regulatory creep".
What your back and forth demonstrates is that BOTH sides can be corrupted by greed and that greed is basically going to try to ruin anything society. And the worst part is, greed is inherent to all of us. It's a survival instinct (Thugg wants to get everything he needs to survive, and if it means Ooga doesn't make it, even better). Community usually only works when there's a common threat (that's why wars tend to mobilize people--they present a common threat), but when the threat's over, we turn to the threat within.
I'm perhaps oversimplifying things a lot, but I think my thought process explains why you're both correct. In essense, we can't play fair because, deep down, we DON'T WANT to play fair. It's not the greedy investor or the greedy regulator but the greedy HUMAN. And that makes the whole issue of the rules a "hard" moral problem, because solving it also involves convincing OURSELVES not to cheat.
Re: What does automated trading add?
Two words: Flash Crash.
There was a swing in the market so alarming that anyone who would've noticed it would've set off alarm bells. Funny thing was, it was over so darn fast that no one really noticed it until AFTER THE FACT. Since it happened too fast for humans to even know it happened, that reduces it to algorithmic trading, and the speed of the activity basically leaves only HFTs as the possible reason.
An analysis later confirmed that what happened were a few HFT programs reacting to each other much like sharks in a feeding frenzy: one sells, another sees this and sells, a third sees them and sells, the first sees everyone else and keeps selling, etc. They reacted against each other, creating the "feedback loop" I mentioned, and since they're designed to be very fast, it all cascaded...and then rebounded, too quickly for anyone to notice while it was going on.
Re: What does automated trading add?
"More generally, making trading - acting on the information and opinions - in the market easier is beneficial. Much of the existing regulation is precisely about that. But not all. In particular, taxing transactions makes trading more difficult, just like prohibiting certain means of trading (prohibitions of shorts were common enough in recent years, meaning you were free to provide information to the market by acting on your opinions as long as those opinions were positive...). I think this is what Tim is saying, essentially, though I absolutely do not presume to be his spokesperson or his interpreter."
But at the same time, it's noted that trading should not be TOO easy. This is especially true with high-frequency traders who act so quickly the human mind cannot keep up. The end result is feedback loops leading to chaotic market swings. The market needs to be able to move, yes, but if it moves TOO much it'll overshoot, and this can be trouble. Think of the market swing like a bungee cord. You don't want it too tight that it jerks you hard and early, but you also don't want it too slack that you hit the ground before the rebound kicks in. Everything in moderation.
Re: So many things wrong with Android permissions...
The reason Android app permissions are all-or-nothing is because the developers DEMANDED it of Google. IOW, it was the ONLY way Google could convince developers to migrate. Otherwise, they would've stuck with Apple (who was top dog at the time so they HAD to bite the bullet), and Android would've gone nowhere.
So Android needed apps, the devs basically demanded control or they wouldn't provide the apps. What else could Google have done?
Re: Potential uses but only in controlled settings.
It's quite possible to ask for it in new homes and major renovations. I mainly wired my downstairs when the kitchen was being remodeled, as they tore the old inner wall down, allowing me to work around the studs (getting from the attic all the way to the exterior conduit would otherwise have been impossible due to twists, turns, and staples). It's when you have to deal with "in situ" situations that wires get tripped up.
Re: Potential uses but only in controlled settings.
But in both scenarios, you'd need to place the two ends of the link in ways that may not be so practical.
An office would be in a better position to use physical connections because most have access to a drop ceiling which alleviates the hardest part of the wiring process (a conduit pole can get the wires from ceiling to cubicle). Since a cubicle link would have to be put on the ceiling anyway, it would probably be easier (and perhaps more secure) to wire up.
As for the home, layouts can be more random, making the system less practical than a WiFi. Range is becoming less of an issue with more powerful access points.
Re: Sounds familiar
I don't know. There are some security benefits as noted with physical line of sight limitations. Plus IRDA suffered from bandwidth problems IIRC and faded because newer tech was both higher-speed and didn't require aiming. But some things are best done aimed.
Potential uses but only in controlled settings.
Given the line of sight limitations, I would have to think this would best be used in two ways: broadcast data (which might be better served with some kind of broadcast radio data band) and point-to-point connections where wires and radio are unsuitable. It could have a use in security applications where a controlled wire-free link across an air gap might be needed for temporary transmission of data. Depending on the receiver sensitivity, it might also be a cheap alternative to laser links that have been used between skyscrapers.
I wonder if the tech could be used as a successor to IRDA, capable of transmitting and receiving more information at a time than Bluetooth and barcodes while still in a confined setting.
Re: One Flaw..
- Records don't just disappear when a business closes up. More than likely SOMEONE still has them in case of investigations or lawsuits.
- Foreign receipts probably won't be trusted, especially for phones with American markings (I know you can get phones in Asia, but many times they're phones MEANT for Asia--or they're knock-offs. Either way, one can usually tell the difference. Ex: No Asian seller will sell a phone with T-Mobile branding--that's strictly Western).
- And the hand-written receipt can still be checked by contacting Bob Smith. Plus the receipt could be considered suspect, meaning the transaction will be tagged, kept for later, and if it's figured that Bob's fencing, he'll probably get a call.
Put it this way. They're demanding a paper trail, and a traceable one at that. It's the lack of traceability they'll be looking at.
Re: One Flaw..
But that receipt will still have a date/time stamp as well as a transaction identifier. Any store with an electronic journal can use them to run a search and check to see if the transaction matches or not. It's pretty much SOP for ANY store with such a system, which means switching stores simply lets THEM check.
Re: I won't hold my breath waiting for a difference.
But then the OTHER store can check. What stores these days don't keep an electronic journal? At the very least, they use it to cut down on returns fraud, plus it helps when police come calling concerning possible CC fraud (the stores will want to cooperate since that helps get them off the hook).
Re: Is it really that hard to ID a phone?
The problem with that is government relations. Consider if you think the Chinese would really care so much about a US blacklist.
Re: I won't hold my breath waiting for a difference.
You may be able to print fake receipts, but the stores can probably tell it's a fake through their receipt journals.
Re: Actually, I have to grit my teeth and admit that this politician's suggestion..........
You'd be surprised. Unless it's a photocopy of a genuine receipt (which is trickier than you think--most stores use thermal paper, and photocopies tend to leave telltale marks), the receipt would likely not match the transaction and/or date/tiime stamp (and most stores with computerized points of sale keep electronic journals that can be searched), meaning it would be pretty easy for the store to spot a fake receipt.
The problem is that many of these are ALREADY life-threatening. And what about people with compromised immune systems (transplant patients, HIV/AIDS patients, etc.)? On a more important front, antibiotics help to facilitate surgery, as the immune system is inherently compromised during a major surgical procedure (innards can be exposed to pathogens normally limited to the outside so they lack defence).
Re: Is this the future?
Tape may not be dead, bit it's been niched. It's now pretty much an enterprise device.
Personally, I wouldn't mind a consumer-grade version of this stuff. Given all the stuff the average user starts accumulating like a magpie, having the ability to take a cassette holding a few TB and putting it elsewhere for a rainy day. The tapes themselves aren't so bad price-wise, but the DRIVES...(shudders).
Yes, I know there are external hard drives, but I always worry about the controller hardware in them, not to mention I've had a few (mostly Seagates) show signs of giving out. But from what I can tell, the demand just isn't there and external drives fit a "good enough" niche.
Re: Can't hurt to have available!
While GIMP supports PSD files, it DOESN'T support Photoshop PLUGINS, and there's many a Photoshop workstation that has some plugin they use for special filters or whatnot.
It's the same problem with exchanging LO/OO files with MS Office: in addition to the inevitable formatting gaffes, complicated files will have scripts in them that don't translate well between products.
And since these products are the de facto standards of their respective industries...
Remote Desktop is not included in Home releases. it's intended for the Enterprise, so it's only on the Enterprise branch of Windows products: meaning XP Professional, Vista/7 Professional, Enterprise, and Ultimate, and 8 Pro/Enterprise.
Re: Doesn't sound very secure
I still don't see how a computer couldn't figure it out. It's just a matter of two levels of pattern recognition, and since the CAPTCHAs normally have to be made by computer in order to get out the desired level of randomness, patterns WILL emerge that a computer can exploit.
"Do these in reverse order" - Should be easy enough for a computer to recognize the word "reverse". Even if you tried a scrambled-number order combined with reverse and the occasional, "DO NOT DO THIS STEP" at the end or directional cues like "under" or "to the right", a system with enough training should be able to pick out all these gotchas. Language isn't a big stumbling block anymore as this is the first step towards decent machine translation (while while not perfect is still improving considerably over some years ago). Same for the pictures. It shouldn't be too difficult to tag a certain image (even if rotated or flipped) with "wet dog" and "happy cat".
Re: All that RED???
In this case, color is only used for uniqueness, not as a distinguishing trait. IOW, a colorblind person may something different, but it's still useable to them because the color doesn't HAVE to factor in.
I don't think this will work. The thing behind CAPTCHAs is defeating bulk access by restricting access to people capable of working their way through something less-than-programmatic, like a distorted picture. The big thing the GOTCHA doesn't do, it seems, is CHECK the initial response against anything reasonable.
So if a machine encounters a GOTCHA for the first time, what's to stop it from putting down a bunch of gibberish like "correct horse battery staple" and simply remembering what it used for the next time it sees the blot (quite easy with the right technique)? Even if the system checks for grammar, you could easily construct a "mad lib" type of system ("I see <NOUN> with <NOUN> and <NOUN>).
Re: Read the fine print
And if you learn you basically can't change the people because the standard's too high a stake for human nature (and the inherent desire to control) to leave unaltered?
It's like when someone suddenly invents the Next Big Thing and suddenly realizes that it's SO valuable that people will KILL for it, meaning no one can be trusted to do things for the greater good.
Re: China is not a problem
But colds and flus are rarely fatal, so it's NOT too late. It's entirely possible to MITIGATE its effects. Sure, you can have an insider in your midst, but there are ways to minimize the damage, just as it's possible to still control the situation after discovering a bomb.
Re: America's most important creditor
China is only the US's biggest FOREIGN creditor. The vast bulk of US sovereign debt is held DOMESTICALLY.
Tell that to all the people who have NFC phones but no Google Wallet support due to carrier lockout. S3 and S4 owners have been crowing for months about the solution around it, and I like it, too.
There's also the matter of custom UIs like Sense and TouchWiz. There are people who find it too clunky, too bloated, or simply not for them. Cyanogen uses the basic AOSP interface, which you can then customize. I personally don't use it because AOSP's NFC support is spotty, but many others like the KISS simplicity. Also, this saves them money since it can buy them time when they don't have to buy a new phone just yet. I did that for my Desire Z and slimmed things down enough that I could still use it satisfactorily for another six months when bloatware kept slowing my phone to a crawl.
As for the XDA Forums, I found their search tools useful for hunting down information. You can search threads, groups, and the whole site if necessary.
Re: What's the point?
These two questions made me switch.
"Does your phone have NFC? Does that phone allow the use of Google Wallet?"
For me (A T-Mobile US Galaxy S4), the answers were "yes" and "no" (T-Mobile still doesn't support Google Wallet officially, AFAIK it's only supported for Sprint). The community found a way around that, and I found the feature most useful in my experience.
"Do you like the built-in software on your device?"
That was "no" for me, and since they're built-in, you can't uninstall them even as they poll your network and sap your data allowance and battery life. Getting one with the excess baggage or "bloatware" stripped out was a nice plus. In addition, there were assorted niggling details that were both annoying and (until I customized) impossible to address.
In addition, having better control of the phone meant I could take charge should something go wrong. Because of a good routine, even when updates went wrong, I had a means to backtrack.
PS. I understand my experience is not for everyone. I first rooted a phone only a year ago (Desire Z/T-Mobile G2) to give it more freedom when I went abroad, but since then I came to appreciate the additional freedom and flexibility it allowed.
Re: I have a question for these morality crusaders.....
Oh? I thought they took that out some time back. I know mine's broken. And since unplugging it can surge the set and break it, they'll find out eventually.
I thought the standard practice was to pop the cover and remove the battery. This removes the need for the metallized bag and ALSO prevents the tripping of vigilance control that could still work without a signal (since they can be time-based). In addition, it allows for the swap-in of a new SIM that further distorts the original phone's identity.
Re: Almost unsolvable problem.
"I have an easier solution, if you don't want people to know some things, don't tell em, don't write it down, and certainly don't store it on a computer."
And if you have a bad memory or the information's not easy to memorize (like random data--poor fit for Memory Theater), you're basically hosed?
Anyway, it is possible to set up some chain of trust. You just need to hand-assemble something that can process a few bits of assembler code, use that to create a means to do more of it, and build up from there. Or you can hand-disassemble one of the low-level steps, verify it, then use the verified tool. Then you can take on a compiler with assembler code and build on up. And you can do all this from a bare-bones OS or from a setup where direct access is used, bypassing the OS. Just saying there are ways that don't have to take years. Weeks, a month or two, maybe, but not necessarily years.
Re: Unnamed qualified professionals vs amateurs?
They haven't said WHO they're hiring because they're still in the process of contacting prospects. IOW, they don't know yet. Once the funding builds up and they get some contracts, then they'll be able to list names.
Re: No DRM
And Hollywood and the rest see a consumer public that can't figure it out. It may be your device, but it's THEIR content, THEIR rules, THEIR copyright. Either submit to the terms or you don't play, end of.
So if you keep saying "NO NO NO" to DRM, Hollywood will just respond with "NO NO NO" to consumer devices. They've ALREADY demanded that 4K devices must be purpose-built: no PC/phone/fondleslab playback for you.
If you don't like the terms required to watch the latest movie on your fondleslab, then Hollywood DOESN'T NEED YOU If they feel the money isn't there, they'll abandon the streaming market and go back to the box office, where they get most of their money anyway.
The DoD should challenge Oracle with this question.
"Who will support our software if you cease to exist?"
One of the BIG big things about Open Source is that, if all else fails, you still have the documentation of last resort: the source code. Even if all commercial support disappears, someone with the necessity could examine the source code to solve problems. For a military application, that can become a security issue and one closed-source inherently cannot accommodate.
Re: Last resort you can always take a tape cartridge apart and recover the tape
But what if it's the controller that fails? That kind of failure can also bite SSDs.
Re: T-Mobile just don't know how to run a mobile network
I had little to complain about with my experience with T-Mobile. I was on a contract with them for two years and the phone was nice and the service quite satisfactory. I rather liked the WiFi Calling feature since I tended to spend plenty of time on WiFi (usually at home), and the subsidized rates weren't too bad, either.
As noted, their unlock policy was quite fair and reasonable. I got my unlock code with little trouble (I asked after 18 months), and the phone worked pretty well aborad, in fact better than I expected given T-Mobile's bands.
I only left because my contract was complete and didn't want to continue paying the subsidized rate. The main drawback is that I lost the WiFi Calling feature as well as Visual Voicemail (now THAT was good as it meant you could navigate it without having to use touch-tones). I'm currently still on the T-Mobile network but with a MVNO, and those two things are really the only things I miss. If a prepaid GSM-based service offered those features (T-Mobile won't offer the service with their prepaid plans), I'd probably jump on it.
Re: "A simple trawl could send a tape-robot into melt down."
I think the "trawling" refers to the fact that Google is in a particular situation where tape is not suitable. Google is in an industry where data essentially has an INFINITE shelf life and NEVER goes stale: someone could request ANYTHING...even data from 15 years ago...on a moment's notice. Plus, due to the way they work, they could end up having to gather data from who knows how many different locations and must do it tootsweet. For Google, everyone REALLY WANTS everything...YESTERDAY. Their business depends on it.
Retrieving 1 entry from a single tape may just be annoying, but (even WITH an index) imagine the stress involved when the robot has to change bunches of tapes just to build up 100 links from nearly as many tapes? Like I said, though, this is particular to Google's line of work.
Re: A small detail is missing
That's what it sounded like to me. From the way they described things, I kept thinking it would be an optical disc format of some sort.
Low Thermal Expansion Coefficient
For the record, the Thermal Expansion Coefficient is the rate at which a substance expands when it's exposed to heat. Like how a ring might expand when doused in hot water and contract again when doused in cold water.
In terms of material longevity, this means a material with a low TEC (like Tungsten and Silicon Nitride) is unlikely to distort when exposed to heat: A Good Thing.
I wonder if anyone here recalls that tungsten's high melting point was one reason it was was the metal of choice in incandescent light bulbs.
Many have noted that is IS disabled by default on most of the routers. I know it was disabled on my DIR-615 (since replaced with a new dual-band ac router).
Given that most of these devices DO support WPA2, which supports AES as well as TKIP. These have not been compromised and most of the talk about WPA2-PSK cracking has been in the same old problems: weak passwords. As for the WPS button, which IS handy so I don't have to carry wound my standard-limit WPA key around, especially to devices where entering the key is difficult, I just make sure to use it carefully so that the device is most likely to be seen first, and I check my client tables afterwards in case of intruders.
Re: None so blind, etc.
"It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair."
With something like this, the usuall fallback is the factory reset, which is supposed to reset the firmware back to default settings (which are written in the manual with the caveat that you're supposed to CHANGE it once you're in). Failing that, there's also usually the emergency flashing mode, which should allow for the flashing of ANY firmware in a local setting. If even that fails, then there's likely something fundamentally wrong with it and it will need physical attention in any event.
Re: It would be nice to think
It does, usually. Thing is, is that enough or can this be triggered even with remote management turned off?
- Review Apple iPhone 6: Looking good, slim. How about... oh, your battery died
- 'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
- +Comment EMC, HP blockbuster 'merger' shocker comes a cropper
- Moon landing was real and WE CAN PROVE IT, says Nvidia
- Apple's iPhone 6 first-day sales are MEANINGLESS, mutters analyst