* Posts by Charles 9

5030 posts • joined 10 Jun 2009

Windows 10: Forget Cloudobile, put Security and Privacy First

Charles 9
Silver badge

Re: Windows 10 who cares?

"The sad and sorry truth is that..."

The SADDER and SORRIER truth is that the desktop version of Windows is not meant for people like you but for Joe Ordinary who wants something they can just turn on, browse Netflix, get the e-mail from their boss with the next week's schedule, do their taxes, oh and even play a few games. The BARELY-computer-literate, IOW. A famous Douglas Adams quote springs to mind about the audacity of complete fools and the idea you just can't make something foolproof. How do you cater to such a crowd WITHOUT ticking them off (since if you tick them off, you'll probably lose more than them)?

0
0

Wikipedia to go all HTTPS, all the time

Charles 9
Silver badge

Re: Hmm...

It's STILL better than having all your dirty laundry out for the world to see...AND MODIFY ON THE FLY. Got any better ideas besides just hanging our butts in the breeze?

1
1
Charles 9
Silver badge

Re: Hmm...

"Not quite sure about the justification here..."

With ANY in-the-clear transmission, your stuff can be altered in-flight by any relay. That's how the Chinese Cannon works, and Verizon's session tagging, and that's why Telnet and rlogin were abandoned for Secure Shell. Using HTTPS blocks this in situ modification unless the relay can masquerade as the source site.

5
0
Charles 9
Silver badge

Re: Playing to the gallery

"Reducing the cacheability of the site makes matters even worse."

Given how easy it is for any given page of the Wikimedia project to be edited, caching would actually work against you rather than for you since there's a chance you'll miss an edit. If data constraints are such a big issue, perhaps that should encourage browsers to adapt hash requests over HTTPS to compensate.

1
0

How much info did hackers steal on US spies? Try all of it

Charles 9
Silver badge

Re: Dear US of A

"But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway."

Not if it's designed NOT to transmit all the time but instead only on a specially coded signal it receives first, THEN it transmits its stuff in a quick short-range burst that would require an omnipresent super-sensitive (as in prone to drowning out) detector to trace. If you're pro enough to get this far, you probably have an egress plan as well.

0
0
Charles 9
Silver badge

Re: you have DEcrypt it SOMEWHERE.

"Others have already mentioned that the user interface has built in rate limits. "

That doesn't stop a PATIENT adversary, though. And the GOOD ones are patient. Patient adversaries are how we developed techniques like Smurfing and steganography. They probably started at a position where the stuff is used as part of the job, sniffed out the ones picked up during normal operations, and slowly worked up, finding ways to defeat the detectors as they went.

0
0
Charles 9
Silver badge

Re: What the Chinese did with it?

"Everybody - and I mean everybody - with a security clearance is going to have to be turned over and checked thoroughly."

Credits to milos: the FIRST people turned are going to be the CHECKERS, putting you square in a "Who Watches the Watchers?" scenario with no way out, since you need checkers to hire more checkers.

0
0
Charles 9
Silver badge

Re: you have DEcrypt it SOMEWHERE.

Trouble is the multi-layered approach suffers from a common point of failure: the user interface, where EVERYTHING has to be removed in order for the stuff to be of any use. About the only solution to this problem (essentially an exploitable "analog hole") is to go cyberpunk (in the style of William Gibson or Shirow Masamune) and have enc/dec security capabilities built directly into our brains.

1
0
Charles 9
Silver badge

Re: Dear US of A

"When hole is deep enough, stop digging..."

But what happens when you've been digging through sloppy mud all day and all you have is a shovel? Oh, and you hear thunder in the distance...

0
0
Charles 9
Silver badge

Re: we who are about to be ripped off (again)

"In my shop (an NGO, ffs) all externally facing data was encrypted at rest and in transit. All systems using that data needed to use a key and two way handshake before the data was useful."

Thing was, the stuff has to be useful at SOME point, which is where you attack the database: at the points where it MUST be decrypted to be useful. That's always been the unavoidable flaw with encryption. In order for data to be useful, you have to DEcrypt it SOMEWHERE.

2
0
Charles 9
Silver badge

Re: This is rapidly becoming a world laughing stock

It's still trust in a sense; otherwise the world would've abandoned the Dollar for something else. The fact they haven't implies some level of trust, even if it's of a paranoid level.

3
0
Charles 9
Silver badge

Re: This is rapidly becoming a world laughing stock

Probably some financial bombshell that instantly kills global trust in the Dollar.

2
0
Charles 9
Silver badge

Re: Lots of people have to fill this out

But it's still a veritable one-stop shop for identity theft, which itself has serious security consequences.

11
0

If hackers can spy on you all then so should we – US Senator logic

Charles 9
Silver badge

Re: the only solution

"Most seniors are also just barely able to keep roofs over their heads. Being fired for voting is against the law. If they don't stand up for that then they need to STFU and stop blaming anyone else."

At least they have protections set up decades ago like Medicare and Social Security. The young don't even have THAT to back up on. As for being fired for voting, two words: AT WILL. Try proving your firing was for voting and not for incompetence, insubordination, or (thanks to at will) purely at the employer's discretion.

"The hippies, war protestors and civil right marchers (both black and white) back in 1960s were fighting against the same problems. Many went to jail. Many lost their jobs."

But the barriers were MUCH lower then. There were much fewer people. They could find new jobs or start their own businesses and so on. Plus there was a war on, so they could go to 'Nam and earn a new reputation. Today, with knowledge of you everywhere, two words: GOOD LUCK.

"So if Gen X and Y aren't willing to stand up just to that, then they're screwed and the longer they wait, the more we're going to become just another large banana republic from the 19th century."

Well, if THEY'RE screwed, then WE'RE ALL screwed because they're gonna take everyone else with us.

PS. EVERYTHING I've described I've seen...FIRSTHAND...in multiple places.

0
0
Charles 9
Silver badge

Re: It sounds to me...

Well, it's kind of being in a leaky boat and the only implement to hand IS a drill.

1
1

It's 2015 and Microsoft has figured out anything can break Windows

Charles 9
Silver badge

Re: Why not just integrate EMET into Windows 10? @Charles 9

Probably because you simply can't fix stupid, and any fault of the OS is NEVER the user's fault in the minds of the users. I mean, they bitch and moan about UAC as it is. Now you're going to break MORE stuff with SteadyState and EMET? Sounds to me like a bridge too far and an excuse to not budge from where you are. Better to face the dragons you know than the ones you don't.

0
0
Charles 9
Silver badge

Re: So all it does...

"The same things that stop malware from subverting anti-malware software today. This is an API that vendors like Kapersky can plug into. It enhances the range of their capabilities if they choose to use it."

So what's to stop a malware from posing as an anti-malware, hooking into THE SAME APIs, and subverting them? "Who watches the watchers," IOW?

"If you're upset that the anti-malware software or OS, is "software", then perhaps you would be interested in the tool MS announced a couple of months ago that runs security from a separate Hyper-V instance that exists in parallel running directly from the hardware."

Hyper-V is a VM hypervisor. I'll grant you no one's been able to pull off a Red Pill to date, but since it's still software it can't be ruled out. Particularly if cyber-warfare really does go to the next level and hardware starts becoming compromised. It may seem paranoid, but given all the news we've had lately, we're almost in DTA territory as it is.

2
1
Charles 9
Silver badge

Re: Goody

"There are already versions of malware that will probably get pass this! There are web based attacks where the downloaded script is 'innocent', only it includes calls to remote code that is only provided when invoked..."

But wouldn't the kit detect that remote code is needed (since it would have to be "included" at some point) and demand that code be loaded up (and thus scanned) BEFORE the script is allowed to run or continue?

2
0
Charles 9
Silver badge

OUR point can be summed up in three words: IN YOUR DREAMS.

Just because you're better doesn't mean you'll win. Betamax was better than VHS but LOST the VTR war. Microsoft has nothing to lose by doubling down. If Linux overtakes, they'll be as insignificant as Blackberry is now, and switching kernels would be seen as an act of surrender, much like Blackberry again.

Plus ask yourself this. If Linux is so superior, why isn't professional workstation software coming out for Linux more often? Why can't Valve convince more developers to embrace Linux and Vulkan?

1
0
Charles 9
Silver badge

Re: Why not just integrate EMET into Windows 10?

Other way around, I think. They feared breaking other people's essential software and getting blackmailed for it.

0
0
Charles 9
Silver badge

Re: Rewrite!

"Then you have the architectural limitations of a monolithic kernel."

You do know that Linux is a hybrid kernel, too? Been that way for a long time? Otherwise, why would Linux have kernel modules?

1
1
Charles 9
Silver badge

Re: So all it does...

"But no, you as per usual have thought in your benighted wisdom that writing something which goes through a list of ones and noughts and checks them against a list of other ones and noughts is trivial and that therefore this is trivial. "

Because it IS trivial. What's to stop a malware from altering the list so that its blacklist includes useful programs? AVs produce false positives by accident all the time; what's to stop them being done intentionally? As for the scanning process itself, it's still software, and software can be subverted.

0
4
Charles 9
Silver badge

Re: A possible (expensive) solution to a small part

The ROM can ITSELF hold the flaw.

And the Harvard approach kills JIT compilers which are needed in performance-intensive applications.

0
0
Charles 9
Silver badge

Re: Just Use Linux

Even the tide has a problem against a cliff. Desktops are still too useful and too powerful which is why they remain the baseline for performance gaming.

1
0

BlackBerry on Android? It makes perfect sense

Charles 9
Silver badge

Re: BB UI without QNX is?

"A cute, popular pig, but..."

Or a stout big-tusked boar like the Blackphone, unless you can prove otherwise...

0
0
Charles 9
Silver badge

Re: Interesting conjecture.

"A case can be made, but in the end that case isn't particularly compelling. If that were to be the endgame then why bother at all with hardware? It would be simpler to get out of the device business altogether and allow whomever licenses the suites to provide the hardware and the engineers to bolt it together. It boils down to what additional value the OS has that can be extracted in other ways."

Because it's going to take more than just slapping your UI on top of the Android kernel to make it properly hardened. One of BlackBerry's calling cards was that it was a system secure enough for proper enterprise use. As of now, baseline Android doesn't make the cut, but as noted by devices like the Blackphone, you CAN make it good enough if you get under the bonnet. So for BlackBerry to make a good Android device, it will have to do the same: be almost as picky as Apple when it comes to how the devices are built and the core software assembled so that it can properly pass the enterprise acid test.

1
0
Charles 9
Silver badge

Re: Agree with the title, but...

"Mainstream sells. Non-mainstream does not."

That doesn't mean you can find your niche and survive on it. That's why professional software can still turn a profit, in spite of the small audience, if it's the right software for the job such that the pros are willing to shell out for it. For years, BlackBerry survived by finding its niche in secure enterprise devices. It suffered from a combination of government interference and intrusion from the mainstream. I strongly suspect the niche is still there, it's just changed its shape and BlackBerry still has the potential to retake the niche and find its market again.

1
0

Google wants you to buy Nest CCTV, turn your home into a Brillo pad

Charles 9
Silver badge

"it makes and receives phone calls"

And it probably will STOP doing that soon as older-gen frequencies get shifted to smartphone-ONLY purposes. Then it really WILL be smartphone or bust. Plus what about all those people who communicate in non-phone ways like Skype or Twitter or Facebook?

0
0
Charles 9
Silver badge

You claim everyone would ditch Google in a heartbeat, but ask yourself, "For WHAT?" Who else is out there that is as feature-rich as Android and Google that would allow people to pick up where they left off? Apart from Apple, who's just as guilty, I doubt you'll find a serious answer. And since they've become too ubiquitous, I doubt they'll be convinced to abandon cell phones altogether for fear of that emergency call that can't wait and so on.

1
0

Cops turn Download Festival into an ORWELLIAN SPY PARADISE

Charles 9
Silver badge

Under the law both in the UK and in the US, a normal sales transaction DOES NOT constitute a debt but a sale, so the "legal tender" provision DOES NOT apply. Barring certain acts of discrimination, the vendor reserves the right to refuse sales at his/her discretion. That's how vendors in my neck of the woods refuse service to rude and rowdy people.

0
0

Carbon nanotube memory tech gets great big cash dollop

Charles 9
Silver badge

Not just crap but hard to handle. It only worked at a certain minimum temperature, so it had to be literally warmed up to work, which is why Konami had to come up with their noted "Morning Music" as a warm-up signal for their Bubble System games. Not to mention the reading process was destructive, meaning you had to feed the data back in as soon as it was read, and if something went wrong in between, the whole works got corrupted.

1
0
Charles 9
Silver badge

"If it sounds too good to be true..."

I was noting that, too. I mean, a product that can supplant both the DRAM and the mass storage market in one stroke? That's an exceedingly rare thing indeed no matter where you come from, so as the saying goes, "I'll believe it when I see it."

0
0
Charles 9
Silver badge

Wake me when this stuff actually sees a mainstream product launch. Until then, it's just another vaporware.

8
0

Using leather in 'leccy cars is 'unTesla', rages vegan shareholder

Charles 9
Silver badge

"Electric cars are a technological dead end anyway."

If electric cars are a dead end, what will replace them when there is an eventual move to reduce the number of ICEs on the road, being highly inefficient and polluting and all?

0
0
Charles 9
Silver badge

Re: @Charles 9

But then again, I wonder what would happen if such a person turned out to be a Hindu who will not kill a creature for religious reasons (meaning the First Amendment comes into play).

0
0
Charles 9
Silver badge

Re: Sentient Beings?

See my argument about PLANTS being sentient.

0
0
Charles 9
Silver badge

Re: Errr...

Wonder if anyone ever defaced one of those billboards with spray paint that says, "Good! I eat cats, too!"?

0
0
Charles 9
Silver badge

Re: Beware the entitled vegan!

"How does it work in the US - is there something similar, or are property rights stronger? Just asking, because I'm genuinely interested."

There's no uniform policy on the matter. It depends usually on state and local Health Codes. Generally, though, pest creatures like ants, roaches, and rodents need to be controlled, particularly in eateries, and places can be subject to inspection, especially if complaints are lodged against the place. As to the owner's complaints about non-lethal methods, she's up against the rest of the neighborhood; her rights can be trumped by everyone else's right to a clean, disease-controlled environment. He/she would have to take that up with the City Council/State Legislature if she wants his/her way. At the extreme, they DO have the power to condemn places they deem uninhabitable due to filth or pestilence.

0
0

Undetectable NSA-linked hybrid malware hits Intel Security radar

Charles 9
Silver badge

Re: If it was truly firmware?

But what happens when the programs in the non-reprogrammable ROM chips are found to have exploits in them? Now you have an unpatchable exploit.

0
0
Charles 9
Silver badge

Re: So...

"It seems hard to believe that someone has the time and ability to recreate the factory firmware for so many different devices without access to the original firmware's sourcecode."

Thing is, they can obtain the firmware through other means, such as a legitimate update download. They can then tinker with it offline at their leisure, allowing them to basically rebuild it to their needs (including taking out things to make room and so on), THEN find a way to inject the malware.

0
0

Top Eurocop: People are OK with us snooping on their phone calls

Charles 9
Silver badge

Re: "Society accepts that this is a reasonable way to run a democracy"

I always put it this way. What good is one smart vote versus ten stupid votes?

0
0
Charles 9
Silver badge

Re: "Society accepts that this is a reasonable way to run a democracy"

Are you sure? I believe you overestimate the collective intelligence of modern society.

1
1
Charles 9
Silver badge

Re: At what point will the public feel safe?

"Tell them they can't have it."

They won't take no for an answer AND they vote.

0
1

New US bill aims to zap patent trolls with transparency demands

Charles 9
Silver badge

This I could see as a sensible proposition: both the patent and the means to implement it, on the condition they actually DO implement it.

0
0
Charles 9
Silver badge

Re: Bet it won't apply

OK, we'll grant you that one, but given that the scheme was created for Windows 95 (so as to allow the system to compete on the LFN front with other systems like OS/2), the clock on that patent has got to be running out soon. And anything pertaining to LFN on NTFS is probably on a shorter clock if not already up because NTFS was developed with the original Windows NT, which is several years older than Windows 95.

0
0

Obama issues HTTPS-only order to US Federal sysadmins

Charles 9
Silver badge

Re: @Robert Carnegie

"With http you might be able to stay anonymous."

How, when you STILL have to tell the website who you are? As for proxies and such, one mandatory JavaScript (as in enable it or you can't get in) and your IP is traced just as easily: even through stuff such as TOR. And then there's the whole user registration jazz that can ID you to the person (and for the really important stuff will probably link you to government-known IDs like SSN or mailing address), IP be damned.

0
0
Charles 9
Silver badge

Re: I just hope

"No, not if your url is part of the HSTS list."

But if your site is NOT on the list, the ISP or whatever can intercept the HSTS flag and erase it, preventing your browser from going opportunistically secure.

0
0
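As an added illustration of two points made above (any relay can rewrite cleartext, and a header-delivered HSTS policy can be erased before the browser ever sees it, whereas a preloaded entry cannot), here is a small Python model. It is example code written for this page, not from the article or the commenter; the host names, the preload set, the origin and the relay are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed preload list: pretend this host ships in the browser's HSTS preload set.
PRELOAD = {"wikipedia.org"}
STS = "strict-transport-security"


@dataclass
class Response:
    scheme: str
    headers: dict
    body: str


def origin(scheme: str, host: str, path: str) -> Response:
    """Hypothetical origin: serves both schemes, sends an HSTS header only on https."""
    headers = {STS: "max-age=31536000"} if scheme == "https" else {}
    return Response(scheme, headers, f"<html>{host}{path}</html>")


def onpath_relay(resp: Response) -> Response:
    """Relay between client and origin: it can read and rewrite cleartext only.
    Over https it sees ciphertext and cannot alter headers or body."""
    if resp.scheme == "http":
        resp.headers.pop(STS, None)  # erase the HSTS flag before the browser sees it
        resp.body = resp.body.replace("</html>", "<script>/*injected*/</script></html>")
    return resp


class Browser:
    """Minimal HSTS client: preload set plus a cache learned from https responses."""

    def __init__(self, preload=PRELOAD):
        self.preload = set(preload)
        self.hsts_cache = set()

    def fetch(self, url: str) -> Response:
        m = re.fullmatch(r"(https?)://([^/]+)(/.*)?", url)
        if not m:
            raise ValueError(f"unsupported URL: {url}")
        scheme, host, path = m.group(1), m.group(2), m.group(3) or "/"
        if host in self.preload or host in self.hsts_cache:
            scheme = "https"  # HSTS upgrade: the request never goes out in the clear
        resp = onpath_relay(origin(scheme, host, path))
        # RFC 6797: the header is only honoured when received over TLS
        if resp.scheme == "https" and STS in resp.headers:
            self.hsts_cache.add(host)
        return resp


def tampered(resp: Response) -> bool:
    """True if the relay managed to modify the page in flight."""
    return "injected" in resp.body
```

A first cleartext visit to a non-preloaded host is both rewritten and stripped of its policy; the same host is protected only after one clean https visit, while the preloaded host is upgraded before any request leaves the browser.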
Charles 9
Silver badge

Re: The ones controlling the certificates have the power

Thing is, in this case the US Government controls the NSA: in particular, the President and the Secretary of Defense (the NSA falls under the DoD).

0
1

Creationist: The Flintstones was an accurate portrayal of Dino-human coexistence

Charles 9
Silver badge

Re: The Nightmare

"Sadly even I know that God don't kill people, people kill people so don't ban God or is that the Gun?"

Joke aside, how do you counter the idea of the miscarriage, the stillborn, or someone just plain struck by a bolt out of the blue? In other words, if God (or His universe) doesn't kill people, what about all those people killed by sheer chance, with no hand of man involved?

0
0
Charles 9
Silver badge

Re: The Nightmare

"Taken to the extreme, this omnipotent God has created everything, including my current thoughts, and memories of my past joy and pain, and so already knows the result of the trials inflicted on me."

Perhaps it's best to say that God isn't truly omnipotent: just close to it. Many interpretations put Man as God's big wildcard: the concept so out there even He can't predict it (as in God can't predict Man's will). That was why Eve and then Adam were able to be turned astray: because they had the capability to do so, and thus introduced to God's universe the idea of the wildcard. Seen in that light, all the ordeals God puts before man can be seen as a kind of trial by ordeal: fire-forging. What doesn't kill or break you makes you stronger, and so on.

0
0