* Posts by Charles 9

6895 posts • joined 10 Jun 2009

Microsoft’s Get Windows 10 nagware shows signs of sentience

Charles 9
Silver badge

"Luckily Linux seems not to honour that crappery on files but removing Microsoft malware from the registry can be a problem."

There are some things even root can't remove. Like things under control of the kernel like a zombie process (something locked in something like an I/O wait state that'll never clear). That was the thing with that North Korean OS mentioned a while back. A lot of the Big Brother stuff is baked straight into the kernel, to the point that not even root can mess with it.

2
0

Nvidia GPUs give smut viewed incognito a second coming

Charles 9
Silver badge

Re: Linux Nvidia here

Not just you. Happens with my AMD card, too. Think is has to do with the HDMI standard more than anything in that it has issues with displays being turned off.

0
0
Charles 9
Silver badge

Re: I imagine NVIDIA are in the clear

"A GPU driver could use a similar scheme and (as already mentioned) certainly has the bandwidth to make it affordable."

But not the TIME. GPUs are normally built for high performance, so there are frequently zero-time context switches (a freed buffer has to immediately go to another application, with no chance to wait because, like I said, performance is demanded). Now you're in a security-vs-speed dilemma, and people why buy performance GPUs will demand the latter.

0
0
Charles 9
Silver badge

Re: Lotgs of hot air in this thread

"Going incognito doesn’t hide your browsing from your employer"

That copout is due to hypervisor capabilities in enterprise settings. Basically, Incognito can do squat against an agent that can snoop at all programs actively running. Basically, that scenario is like getting caught with a salacious book wide open. You can't do much against that kind of eye.

Nevertheless, Chrome should be obligated to perform due diligence when handling incognito windows. It should, as standard security procedure, retain the information for no more than is absolutely necessary to function, meaning any information it no longer needs should be immediately wiped clean to minimize administrative/hypervisor/root-class malware spying.

1
0
Charles 9
Silver badge

"If any program (let's restrict that to non-root UID) can see another's memory then privacy and security is gone."

Then we're essentially doomed. Anti-malware, anti-cheat, basically any defensive program worth its salt MUST be able to see into other processes to make sure they're not malicious, and if THEY have to do this to be able to function, any other program can pretend to be this, too. We've gone into a Quis custodiet ipsos custodes? situation, and there's no easy answers to that.

0
0
Charles 9
Silver badge

But Google created the content AND presented it on an OS with GPU compositing, meaning they KNEW their stuff would show up on the GPU's RAM. As as saying goes, "You made the mess. You clean it up." There's not much Google can do with active Incognito pages in GPU RAM since it must be in an accessible state for the GPU to put it on the screen. But once the page closes, Google should assume the memory won't be cleaned up on its own, so it should zero or otherwise blank the page before releasing it.

2
0
Charles 9
Silver badge

Re: I've been waiting for someone to notice this vulnerability

Then it should be an option on the free() call, unless it's a free called by the program's termination (in which case it can an automatic wipe; performance becomes less of an issue in the graceful termination phase). That way, the program can judge if the memory needs to be wiped (for example, because sensitive memory is involved--they'll want to clean it regardless and doing it this way minimizes the chances of a read by elevated code). As for abnormal termination (essentially "nuking" an app), then perhaps only then should the OS intervene and wipe the program's memory space as it's performing an intervention. Any other method should leave it the program's responsibility.

0
0
Charles 9
Silver badge

Re: I've been waiting for someone to notice this vulnerability

"This bug is common in graphics drivers... not familiar enough with the inner workings of OpenGL to know but I'd assume the driver could zero framebuffer and texture memory when deallocated/no longer used. Maybe this is hard or non-performant."

The problem is that memory wipes take time, and GPUs are typically built for high performance, meaning it's a trade-off. Speed frequently clashes with security, unfortunately. And in a paranoid system, one should assume their mess won't be cleaned up for them.

PS. Why should the memory be wiped on the alloc? Shouldn't it be wiped on the free instead?

2
0
Charles 9
Silver badge

"The O/S certainly should clear memory that has been owned by a different process. Otherwise, as has been said above, there are at least privacy issues. It absolutely has to clear memory previously owned by a process with a different UID."

But what if the program in question is a recovery tool that NEEDS to see that memory? One size can't fit all here, and the principle of DTA dictates that ultimate responsibility falls to the program that made the data (the origin point, if you will, the point of first responsibility). If you don't trust another program to see their data, it should be wiped before you release it. And before you say the OS should do this (maybe not wipe on the alloc but on the free instead), remember that bulk memory operations mean an unavoidable performance hit, and if the OS is designed for high performance, such a hit may not be desired.

1
1
Charles 9
Silver badge

"On a well designed OS, the apps should not even be aware that other apps are running and each app should be able to consider its own memory space private and secure. We're not quite there yet, but it's a good aspiration ;-)"

Can't. There are times when an app NEEDS to know another app or module is running. Example, what good is a web browser without an Internet connection, which means knowing the socket driver is available, which may or may not be in Userland (depends on the OS, but microkernels by design would put everything non-essential into Userland). And there are such things as "ethical" process snoopers like anti-malware and anti-cheat programs.

3
0
Charles 9
Silver badge

Re: been like this for years

This has been a known exploit since the earliest days of personal computing. It was quite common to quickly reboot a machine and discover troves of information left by the last program running (I used to do this quite a bit in the latter days of using my Commodore 128). I recall very few programs have the know-how to interrupt the warm boot sequence to erase their code to block this (I think Lenslok-protected games actually cared).

4
0
Charles 9
Silver badge

Re: Video driver clearing memory

Basic defensive SECURITY programming says Don't Trust ANYONE. That goes backwards AND forwards. In other words, don't make assumptions of inputs AND don't release anything you don't want seen since anything you release COULD be seen. So like I said, Chrome should wipe any Incognito pages before releasing their framebuffers on the assumption that they don't want the contents to be visible to anything else.

There's also the matter of the KISS principle. Assume the least work was done on your request, and do yourself the least amount to accomplish your goal since you may be subject to delays or repetition that result in small delays adding up. Why should Diablo blank their framebuffer if they're just going to immediately overwrite it anyway?

10
0
Charles 9
Silver badge

Why is it a bug in Diablo? They initialize the memory with their first frame of rendering. What happened to the framebuffer before them is, frankly, none of their business. It should fall on Google to ensure that when a Incognito page is closed, it's blanked BEFORE it's released. In security terms, this is a memory leak on THEIR part.

28
1
Charles 9
Silver badge

Re: Video driver clearing memory

"But doesn't an O/S kernel zero out regular memory before handing it to an application?"

Why should it? The memory you get from an allocation should be considered to be "undefined", and therefore it should be the applications' responsibility to handle it accordingly, using as you said common memory-fill techniques if necessary.

"GPUs are often touted as having large memory bandwidth, so surely they can use a bit of that to zero out a newly allocated region?"

Again, that's if they WANT that. If you're allocating the framebuffer to say play a video, then zeroing is redundant. You let the video take care of that.

I'm agreeing with the point that if an application is touting a low-trace operating mode, the onus is on the application to ensure low-trace operation.

10
8

13,000 Comcast customers complain to FCC over data caps

Charles 9
Silver badge

Re: Data caps are just a small problem by comparison

All fine and dandy. But how do you force the issue?

0
0

Boffins switch on pinchfist incandescent bulb

Charles 9
Silver badge

Re: TCO? @ Jonathan Richards 1

"On the other hand if "they" had ensured that there was enough clean nuclear power available ...."

There are those who would argue that emboldened term is an oxymoron.

1
0
Charles 9
Silver badge

Re: TCO?

" This has now been exposed, though known by anyone expert for years. You need about 20W + of CFL or LED to light the same area to same brightness as a 100W lamp."

Funny. From what you say, the packages I read on a regular basis would then be accurate, because the 100W incandescent analogue in CFL is rated 26W (over 20 as you said). The watt ratio is roughly 4:1. A 9W CFL is roughly supposed to put out as much light as a 40W incandescent, a 15W a 60W, and I think an 18W a 75W.

1
0

American cable giants go bananas after FCC slams broadband rollout

Charles 9
Silver badge

Re: Fsck all of them...

Have you tried threatening them with a lawyer? Given your Internet is wireless, this falls directly into the FCC's purview (since wireless bandwidth has to come from the feds first), so unless they can show where the data use comes from, you can claim they're defrauding you.

0
0
Charles 9
Silver badge

Re: Comcast and Co disagree

That's assuming the trenches aren't already covered up. If they are, then that's an added expense. Remember, a lot of the infrastructure in America has already been installed. This is one reason New York is so difficult to wire up (200+ years of densely-packed existing infrastructure to work around).

As for the local monopolies, that's basically a necessary evil. For these small, poor, isolated communities, it was basically take the sweetheart deal or stay in the dark, because NO company would be willing to plunk down to build out to the boonies without some assurance of RoI. If there were to be restricted by law, the numbers wouldn't add up and they wouldn't even try. Remember, wires in America are more often than not privately owned, and companies frequently reserve the ultimate option to call Leave It and declare No Deal.

0
0
Charles 9
Silver badge

Re: A serious problem

What you describe demonstrates capitalism in action. Business customers draw a higher rate, can frequently be metered, and can sign longer-term contracts. These buildings probably agreed to chip in for the gigabit rollout to their area as part of the contract. For an area to get additional coverage (which means extra infrastructure which means additional costs), you usually need either connections (such as getting in on new construction while the ground's already torn up), numbers (if an entire neighborhood contracts to sign up for gas, internet, or whatever, the utility has better incentive to plunk down), or money (affluent areas can usually pony up if they want it badly enough).

This has always been the problem with rural Internet coverage. They lack any of the three. They're sparsely populated, frequently of a lower standard of living, and as a result the community as a whole is lacking in capital. That's why many of them get tied up in sweetheart deals: it's the prime condition the companies will insist before they're willing to go out on a limb.

0
0
Charles 9
Silver badge

Re: Fiber bundles to all county seats

All fine and dandy. Now who PAYS for all that infrastructure rollout?

0
0
Charles 9
Silver badge

Re: It's much the same over here....

It also helps that Singapore and Hong Kong are TINY. Try doing the same thing in the United States where there's tons of sparse population to consider.

1
1
Charles 9
Silver badge

Re: Comcast and Co disagree

If that's the case, then why is no one using it while people clamor for more bandwidth? Any economist would see that as artificial scarcity to their detriment since someone else could come along and find a way to use the dark fiber to undercut them.

0
0
Charles 9
Silver badge

Re: Please can we borrow him

I may be mistaken, but the high price may be due to the need to install a cabinet at that junction (branching out fiber optics isn't always as simple as installing a splitter; the last mile in my Cox neighborhood for example is still copper). If neither she nor anyone else on her street has already signed up for the fiber, then that means infrastructure additions much the way Virginia Natural Gas doesn't run through my neighborhood because no one was interested in ponying up for the pipe (I use propane instead). Now, as it so happens a Verizon FiOS cabinet happens to be in the easement next to my house, so if I wanted to, I can switch (indeed, Verizon has sent many an offer). But since that means boxes throughout the house, the bottom-line price isn't good enough yet.

2
0

Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots

Charles 9
Silver badge

Re: Frends don't let friends install Flash

But the few that remain become that much more difficult to deal with. What do you do when your very-expensive enterprise system requires Flash to control it? Switching it out is not an option due to the accountants, who tend to be able to trump the security team (after all, accountants can influence the IT budget).

0
0
Charles 9
Silver badge

Re: vulnerable

You can avoid Flash vulnerabilities by not using Flash, but many people don't have that option, requiring flash in their everyday activities. And yes, if they want to infect people badly enough and they can acquire one (this can be tough; usually it's states and other powerful agencies that hoard them), they MIGHT use a zero-day vulnerability.

As for Windows 10, that's still done by Adobe IIRC. The only company helping Adobe with Flash is Google, and only in regards to Linux and Chrome.

1
1

How hard can it be to kick terrorists off the web? Tech bosses, US govt bods thrash it out

Charles 9
Silver badge

Re: Free Speech is Liberty

What makes you think they didn't come from ISIS. I mean, three men with material essential to any serious farmer commited quite a bit of mayhem 20 years ago, and technology means more and more power can be obtained by an individual over time. What's to say a lone wolf couldn't wreak national-scale mayhem today and we just don't want to admit it for the sake of our sanity?

0
0
Charles 9
Silver badge

"Disaster ensues."

Then you're basically saying, "Damned if you do, damned if you don't". If it isn't the government screwing you, it's robber barons (think the GIlded Age). Somewhere along the line, SOMEONE will have the chutzpah AND the capability to usurp, one way or the other, and since this is basic human instinct when they see a zero-sum game (it's you or the other guy), we'll never see this go away.

Which may be why no "people-centric" government doesn't seem to last for too long in historical terms. Every one of them degenerates or collapses due to simple human nature.

0
0
Charles 9
Silver badge

Furthermore, what happens when a crisis hits, like a war, and you NEED the government to rally and protect you from the enemy? World War II was a legit example. No single state could muster the forces necessary to defeat the combined Axis Powers, and since we were also deep in the Jim Crow era, there was also considerable friction between northern and southern states. Only the central government can override these frictions and unite the nation in war.

So IOW, you MUST trust the central government at some point, or there's no point in a government to begin with.

0
1
Charles 9
Silver badge

Re: A possible answer !!

But what downsides are there back home? Before you say "terrorism," note that some people hate you for your mere existence. I believe they call that, "Haters gonna hate."

As far as the home turf is concerned, doing nothing is not an option, and the people DEMAND a robust solution. Otherwise, they'll vote you out. So what's a country who demands they be doing something effective to do when there is NO such thing as something effective to do?

0
3
Charles 9
Silver badge

"The problem is that people came to trust government at all."

And the problem behind the problem is that your average person isn't interested in anything as remote as that. They just want to see tomorrow, that's all. The simpler their lives can be, the better. It takes a certain amount of enlightenment to be able to question things around you; most don't have the intellect for that.

1
1
Charles 9
Silver badge

The enemy doesn't NEED backdoors, just a general idea. Unlike us, bound by Rules of Engagement, the enemy can attack indiscriminately. There's no such thing as neutrals to them: there's allies, enemies, and sympathizers, and the latter two are fair game. Thus civilians get targeted instead of, say, military installations.

1
11
Charles 9
Silver badge

And yet, by doing that, they make themselves more vulnerable to enemy action by providing a ready-made, robust solution instead of a homebrew job which can be hit or miss. The one big bug-a-boo about freedom is that it can always be turned against you. Heck, according to the opening of Genesis, GOD learned that the hard way.

0
15

Confirmed: How to stop Windows 10 forcing itself onto PCs – your essential guide

Charles 9
Silver badge

Re: How to stop Windows 10 forcing itself onto PCs – your essential guide

Don't buy anything, just stick with what you've got because, frankly, most games require it since they're not WINE or VM-friendly.

0
0
Charles 9
Silver badge

Re: With all these brilliant coders out there :

Many times, there is no replacement package, and the hardware is custom, so virtualization is not an option. It's bare metal or bust.

0
0
Charles 9
Silver badge

Re: With all these brilliant coders out there :

"4. For the cases where the Windows tool won't run under Wine or Crossover run Windows in a VM. An old copy of W2K may do fine and won't try to install spyware even if you let it connect to the net."

And if the software balks in the VM?

0
0
Charles 9
Silver badge

Re: With all these brilliant coders out there :

"All we can do is to keep abreast of the security battle and get users to be savvy."

So how do you fix Stupid?

2
1
Charles 9
Silver badge

Re: With all these brilliant coders out there :

"It's called ReactOS and won't be finished for a lonnnnnnnnnnnnnnnnnnggggggggg time."

Judging by their homepage, it hasn't been updated in over a year. Plus their original target was Win2K compatibility. Meanwhile, there have been FOUR major Windows releases since then. They're trying to chase a moving target, and it's getting away from them.

0
1
Charles 9
Silver badge

Re: @ Doug -- Paying for Windows 10 after July

"business related apps"

What if that business-related app is a custom industrial control system that runs on XP and only XP? Changing OS is not an option due to the custom nature of the hardware (which also means it can't be virtualized, so VMs are not an option), and since the hardware's hugely expensive and still being amortized, you can't switch it out.

1
0
Charles 9
Silver badge

Re: Thanks Microsoft

Until you realize that one piece of software you need is Windows-only, won't run on WINE, and acts funny in a VM.

0
2
Charles 9
Silver badge

And then you get hit with a drive-by. BAM! There goes your idea of "being careful". I mean, what if El Reg gets hit with a drive-by, especially on one of its internal (read: won't be filtered) ads?

0
0
Charles 9
Silver badge

Re: Ahh! Registry hacking! Of course.

I do keep the CLI in mind, even in Windows. In fact, I've become pretty adept at Batch Files and VBScript automation, because few things beat batch files for...well, batch operations, doing similar things to numerous files at a time.

1
0

Catalan town hall seriously downsizes monarch

Charles 9
Silver badge

Re: Inventive?

That's why I said "can" instead of "will". In places where freedom of speech is not strongly assured, dissing the country's leadership will draw at best dirty looks and at worst LEOs. Your mention of the Sex Pistols expression probably showed England is tolerant enough to let the isolated case slide as a nonviolent protest. In the Catalan case, it appears to be somewhere in between: a summons to explain oneself.

0
0
Charles 9
Silver badge

Re: Inventive?

Looks like YAAC forgot the Joke Alert. I guess you haven't heard of comedian Larry the Cable Guy, have you? He actually made a joke of that, and his typical outfit happens to be sleeveless.

Another joke take of this is to "arm bears". Imagine a poster with an upright bear (a la Smokey) carrying a 12-gauge pump-action shotgun.

2
0

T-Mobile US boss John Legere calls bulls*** on video throttling claims

Charles 9
Silver badge

Re: Pink?

So what happens when you tunnel into YouTube through a VPN? Now T-Mobile only sees scrambled data. How will they know what you're doing?

0
0
Charles 9
Silver badge

Re: When Unlimited != Unlimited

The reason "setup" and "login" came into vogue is because the style you cite is considered grammatically correct: dangling prepositions (proper style says prepositions MUST have an object, as in "up the creek" or "in the hole").

0
0

Bloke sues dad who shot down his drone – and why it may decide who owns the skies

Charles 9
Silver badge

Re: Simple question...

Unless it's a cop rappelling from a police chopper (assume it's SWAT). He's in the line of duty, so he's allowed to trespass if the police have a warrant that grants them forcible entry.

1
0

South Korea mandates spyware installation on teenagers' smartphones

Charles 9
Silver badge
Unhappy

Re: The more you know.....

And here I thought someone was going to go the other way and wonder why I'm talking about either birds or high-ranking churchmen.

0
0
Charles 9
Silver badge

Re: The more you know.....

Apparently, this is because ages in the far east, like Korea, are given as an ordinal rather than a cardinal, so "1st year" makes sense to them.

0
0

NSA spying on US and Israeli politicians stirs Congress from Christmas slumbers

Charles 9
Silver badge

Re: Seriously?

Even ENCRYPTED communications? Even FIBER communications? Let's see it, then.

0
0

Forums