1773 posts • joined 22 Jun 2009
Yes, but in large organisations there's always the odd box under a desk that hosts a "pirate" server set up by an intern 3 years ago, badly configured and unpatched because you wouldn't expect Lucy from receiving to know her way around sh (and the root password is long lost anyway).
Re: I'll raise your false positive and see you in court
Heartbleed is a fairly easy vuln to test for, so there's no false positive (as outlined in the article) and false negatives are necessarily very contrived set-ups. It's good that the false negatives are found and added to the detection tools, but there are very few systems affected in the real world. Of course you wouldn't want them to be yours...
In any case the detection tools are mostly useful for the clients. As a sysadmin, if you're going to spend that kind of time checking if your pants are down, chances are that you'd better use that time to update OpenSSL instead.
Re: As has been proved time
and time again, fingerprint scanners can be fooled by a dedicated team with heavy equipment. In a lab. Set up specifically for that purpose. With previous knowledge of both the "key" and the target. Within FOUR DAYS, assuming the target did not notice their ultra-hush-hush device went missing. FOUR DAYS AGO.
Meanwhile, "good" passwords are cracked almost instantly by the million every single day by virtually anyone on the planet, leading to numerous kinds of fraud, costing real money.
Kids these days.
A password that you cannot change, and leave written everywhere you go. I can't fathom why people think it's a good idea.
I have 2 reasons for you:
- It takes days to counterfeit for a team dedicated to the task with expensive hardware, a dedicated lab and specialized skills. Most passwords can be cracked in a matter of minutes by a script kiddie with a 200-buck laptop from eBay.
- You can't possibly forget it. Most "hard-to-guess" passwords end up written on a post-it, which is demonstrably worse than holding them at your fingertips (literally). And most of them aren't hard to guess at all anyway, cue the obligatory xkcd reference: http://xkcd.com/936/
Re: iSuppli estimates
The same is true in any hardware company. The details of parts supplier deals are always deep secrets, because both the competitors and competing suppliers could take advantage of them.
You're right, but for the wrong reasons. BOMs are uncannily difficult beasts for a "real" all-encompassing tech company like Samsung. At Apple it's mostly a matter of trade secrecy, because Apple is mostly a product _designer_; for companies like Samsung (and, to a smaller extent, Moto for example) you have to factor in the fact that they actually make a lot of the parts in their devices themselves... but in different branches, branches which bill each other almost as if they were different companies. But only almost. Now factor in the cross-licensing deals that Samsung (and Apple, but to a staggeringly smaller extent, because they don't hold as much IP in the electronics or manufacturing departments) have with external manufacturing companies, most of which are not per-piece or even per-product, and you may -just may- approach the complexity of the thing. And now remember all these branches in Samsung? Well, if they are remotely as devious as Western companies they have internal "intellectual property" deals as well.
Now I need to stop and grab a beer, because if I go on I'll need an Aspro instead and that's much less fun.
both have the same correction factor
A lot of the parts in the iPhone and the Galaxy are manufactured by Samsung.
You're taking for granted and evident that Samsung and Apple pay the same for these parts. It may be the case, but it's not an obvious (or safe) assumption to make.
Exactly what I thought. I just hacked the Lexmark to print a python module manual. F34R MY 1337 5¦<1LL><0R
No doubt Amazon will be sued for billions over this...
...as soon as Apple has submitted the patent application paperwork.
Re: OpenSSL "blueprints"
If only there were more volunteers willing to check OpenSSL's UML designs, all this wouldn't have happened.
Re: "Google's Android 4.1.1 is vulnerable"
unsuspecting clients connecting to malicious servers (servers which will still be expected to present a valid SSL certificate)
Not necessarily, from what I gather the malicious server wouldn't have to present a valid certificate. Your point still stands, people are extracting useful info from servers by hammering them with malicious SSL requests; I can't see that happening on a phone. Remember that in the 64k you can extract at a time, most is truncated or otherwise uninterpretable garbage. Moreover, on a client machine most if not all of that garbage would be data that the malicious server previously sent to begin with (or that was sent to the malicious server by this particular client). In Chrome and Firefox, tabs are run in separate processes, so even if the attacker managed to hammer your phone with malicious requests at the right instant -extremely unlikely to begin with- they couldn't snatch your bank credentials from a concurrently-open tab.
Not terribly scary then. Still needs patching.
Re: "Google's Android 4.1.1 is vulnerable"
Yeah, my thought too. If you're worried about this bug on your handset I have a personal meteorite deflecting shield you may be interested in. Heartbleed can leak some of the calling process' memory stack.
If memory serves, both Chrome and Firefox fork processes on connection, which means that a malicious website would have access to 64k of... its own prior data exchanges with you. In other words an attacker could use your RAM as his own history. Oh noes, the end is nigh etc.
This bug is really only a concern on massively multi-user servers, where the 64k of leaked memory could contain _someone else's_ data. A client machine typically has only "one-on-one" server-client connections, so attackers can mostly retrieve data they already have. And that is, if they can make use of the tiny time frame in which the connection is established (typically, client systems are not designed to accept out-of-the-blue SSL connections; they establish the connection for a particular need they have, say, to retrieve the list of emails in a distant mailbox, then shut it down).
A server is vulnerable because it is designed to be listening to random connection requests, and potentially has a huge number of users connected to it. Unless I missed something, neither is happening on a client system.
That's better than I expected then
44 per cent? That's better than I expected. Not everyone has something interesting to say, and even though these 44% are probably a tiny portion of the users who don't, it's still good to know that almost half of Twitter's users know when to shut up. Now for the other half...
> I gave myself permission to look at one of our Mac Book Airs
And how do you reckon the vuln could have been exploited on your MBA anyway?
I bet iOS and OS X are immune from smallpox and H1N1 too. Oh and rickets too.
If that's all Apple PR dept found to make the headlines this week, that's weak.
... once one of the machines is compromised you don't even need the key...
Re: Shame, Mozilla!
I have been a Firefox and Thunderbird user since long before they were separated from the main suite; I had switched mail clients a few months ago due to Thunderbird becoming a right pain in the arse in resource-constrained environments and I was on the verge of switching browsers because of the growing bloat. This scandal pushed me over the edge, all my machines are now Mozilla-free.
The only thing that bothers me a bit is that some clueless morons may associate me with the Christian bigots calling for the boycott ("if you're not with us you're against us" and all that bullshit). But then again I don't care terribly much about what clueless morons think of me.
Re: Why bother with... @dan1980
> played on an oval
Yeah, I had kinda missed that part of your post.
Re: Why bother with... @dan1980
> swap the goals for four posts and exchange both the grounds and balls for elliptical versions. That'd do it.
I really, really hope you're referring to the version with grown men dressed in cloth, not the one with overweight armoured dancing queens. The latter is almost as boring as baseball, and that's saying a lot. Why they insist on calling "sport" an activity that consists mostly in standing absolutely still is beyond me. And aren't these -perfumed?- handkerchiefs lovely...
Re: How many XPers?
> Does El Reg have any stats as to how many people running XP are reading its hallowed words?
Well, there's me, for example. My personal machines mostly run Debian but this work one is an old XP system, with many overexpensive specialist pieces of software installed. I'm probably going to upgrade in the coming weeks, but I still don't know what to do about said software...
Nose duly cut sir
No report from the face yet.
Most of the world is relieved, not worried, that the US will have less direct control. The "worried" part of the world is a few thousand people in the semi-tech fringe of the US republican party... that's not much of the world population.
Re: Of course you can't launder bitcoins.
> Bitcoins are always anonymous, that's the whole point of bitcoins: they're always freshly laundered and smelling faintly of lavender.
Not sure what you mean by "anonymous", but they are traceable. That's the whole point of the chain. The equivalent of laundering would be the pooling shops that mix the content of wallets, making the coins hard to trace -but not impossible.
Re: well personally
> In the Google?
Yes, in the Google.
> What does that do?
It allows you to share your cat videos with your great-grandkids.
> What do I do after?
> Did you mean double-click?
> "That's 2 steps." Which don't actually work
They do. Just try.
> and presume much more knowledge than your target audience actually has.
Not more than using Dropbox. And it relies considerably less on unspoken visual codes than "dumbed-down" (but unintuitive and undocumented) solutions like Dropbox.
The cowards here lack the tech clout of an elderly woman apparently. Dropbox is _not_ easy for non-technical people, especially the older ones (its retarded interface is based on Facebook visual codes, which are not familiar to the elderly).
Also, local solutions these days are plug-and-play, more so than Dropbox. In most cases, _no_ config changes at all are needed. The only cases where I've seen them fail were on internal networks where the admins had put a lot of effort into insulating the local network from the outside world. On a home system it'll go directly through the firewalls. Go look up the stuff you diss (FileZilla et al), you'll look considerably less stupid.
Re: well personally
> Quick, in 5 easy steps how does your non-IT literate granny spec, install, configure, secure, maintain and back-up a public-facing FTP server?
- click on Filezilla-FTP-for-dummies-setup.exe
That's 2 steps. You're welcome.
> \o/ The first commentard who seems to get it. Well done Sir/Madam.
That's the "smiley" for a gaping... something or other?
Re: well personally
> You forgot to tell us what perfect tool we should all be using...
You pay them to do this
It's the Intellectual Property Crime Unit, their very raison d'être is to be Big Media's private police paid on the taxpayer's money. So, it's very unlikely they will ever stop.
Actual CnP from their site:
" The companies that run the Internet, companies like Google"
Nonononono you don't get it. It's with tablets that it will be hilarious.
I really hope this hits the streets soon. Imagine how fun it will be, all these iPad users holding their shiny stuff vertical at eye level to text. If you thought that people look a bit like dorks when they take pictures with their tablets, then this system will make you cringe so hard it'll become funny.
Not to mention that they'll need to shackle the thing to their wrist, as people holding a $800 piece of kit in front of them at arm's length will be a delight for hit-and-run thieves...
Fuck that tech!
And now I need a fishbowl for my Pi. As if my living room wasn't cluttered enough as it is.
Technically you can't alter the focus, just add some artificial blur. The 2 lenses are just there to get "distance" information, which lets you similarly blur objects that are the same distance away. There are some cameras that really let you "alter" the focus after the fact, but they are rather more sophisticated, relying on proper lens arrays (which means that you don't "change" the focus as much as "define" it after the fact). They also tend to be low-def and to be absolutely horrid as soon as the light goes slightly down -well, that or they are humongous and cost the price of an apartment. I bet this thing, although not really being able to define the focus after the shot like a proper lightfield camera, is much better on the resolution and low-light fronts.
Comparing it to the Lytro is just plain wrong; this here thing is just adding "distance" information to the picture, letting you apply a wonky blurring filter selectively to objects that are the same distance away from the lens.
Re: His anti-gay stance is unfortunate
> Firefox already got rid of the user-friendly UI option to turn JS off
Fortunately The Proxy did not get rid of the command-line friendly option to send JS go fuck itself elsewhere.
In any case I don't think getting rid of the UI-oh-look-shiny-clicky-clicky ways to set options is necessarily a bad thing. In fact I for one support the good old config-file approach, just fire up a text editor and presto! all the settings in the same place for you to merrily meddle with. And you can save the old file for one-step full restore should you do something stupid.
As such, FF's current system is rather a step in the right direction, even though it's lacking in the inline documentation department.
Re: I'm boycotting FF too
I could go on... and that's before we reach text-mode (w3m, links, lynx etc)
On the issue of gay marriage, my current boss would say: "They make me smile. As a young straight woman 40 years ago I was demonstrating for the right NOT to marry. But everyone should have the right to make their own mistakes".
... the form of "activism" that is only slightly less efficient than electronic petitions.
Re: @ElReg!comments!Pierre: You'll Need To Do Better Than That.
I'm not responsible for anyone's poor culture or impoverished language. Here, have two examples of inanimate object extermination, on the house:
"The following passage in Æschines's Oration against Ctesiphon confirms the usage of such a law as the above It would be a grievous thing in you, O Athenians, who are used to exterminate from your territories such pieces of wood, of stone or iron, things inanimate and senseless as have been the accidental cause of a man's death, by falling on him; for you who cut off and bury that hand separate from the rest of the body, which hath committed self murder; for you to reward the undeserving."[...]
"If any thing inanimate (lightning or other weapon sent from heaven excepted) shall either by its own fall, or by a man's falling upon it, deprive him of life, let application be made to the judge and let the inanimate thing be exterminated as is the case of animals"
in FULL INQUIRY INTO THE SUBJECT OF SUICIDE (to which are added as being closely connected with the subject) TWO TREATISES ON DUELLING AND GAMING.
Charles Moore, Rector of Cuxton and Vicar of Boughton, 1790.
I'm sure Google will yield plenty of other examples.
Re: @ElReg!comments!Pierre @ Turtle
Oh look at what the Oxford dictionary says:
Line breaks: ex|ter¦min|ate Pronunciation: /ɪkˈstəːmɪneɪt, ɛk-/ verb [with object]
1 Destroy completely
> /shakes head.
Re: Another interesting hypothesis @ stu 4
So it means either to kill one in ten, or to tax -normally, by one tenth (tithe)-... mmmh, I wonder which one the original user meant.
Re: The simplest explanation and confirmation bias
> I discount the military radar data because I am familiar with such radar data and I have a good idea what it does or doesn't show. For those who aren't personally familiar, I suggest you read the accounts of the incident where the U.S.S. Vincennes shot down an Iranian airliner by mistake.
I suggest you read the accounts of the incidents where US forces shot their Brit allies by mistake, or where they bombed a whole block killing numerous civilians because they mistook a camera lens for an RPG launcher. It has nothing to do with radar tech, everything to do with the "shoot first, think later" culture of the US forces.
That particular radar had the 777 in sight for most of its flight, including the part when it was broadcasting its ID. There is little to no doubt that their identification is correct. Now that's not the same for altitude data, which is not reliable.
Re: The simplest explanation and confirmation bias
> I agree with your comment that primary radar data is unreliable at best since it doesn't identify the aircraft as MH370.
Do you have the radar data? Military radar systems are designed to try and identify the "blips" they get; I'd bet a 777 has quite a characteristic radar signature.
> I also feel that to assume that transponder and ACARS stopped transmitting because the aircraft crashed is less speculative, ie requiring less assumptions than other theories.
So the plane crashed and ACARS stopped transmitting its ID but somehow kept pinging the satellite?
> this line of reasoning requires far less assumptions.
If that's what you think I have a theory with even less assumptions for you: it's just been misplaced behind the couch. Zero assumptions needed.
Re: Transparent display?
Yeah, there's this stupid SLR fashion... everyone now gets one, often an entry-level one, and they keep the kit zoom that came with it (which is invariably a crappy one). So you end up with something bulky and overexpensive that makes not-so-good pictures. Most people would be better off with a high-end compact (Canon S series, Panasonic LX series, or even Nikon P310). Less expensive, easier to handle, and better cameras if you're not going to change the kit lens on your SLR (which most people never do).
Re: Transparent display?
> the display will show what the actual picture will look like, but what you see through the display will be completely different.
Why? No. Compacts with an optical viewfinder work somewhat similarly, and high-end compacts such as the Leicas or the Fujifilm X100 have optical or "opto-digital" viewfinders too, with or without parallax correction. There's decades of technical expertise in that field. I have 2 rangefinders from the 70s that even have mechanical parallax correction (ie the viewfinder physically moves as you change focus, so that the field of view in the finder corresponds to the image projected on the film). Another widely known example is the dual-lens reflexes, in which 2 different mechanically coupled lenses are used, one ->eye and the other ->film.
Of course it won't work for macro, as the distance between the viewfinder and the lens becomes a problem at very short distances, but starting from ~1 m it's virtually indistinguishable.
> "Sending money to Uganda" has a nice ring to it as a veiled threat for those in the know
Ho noes he's gonna become a registered Vim user!
they won't need these 70k in equipment anyway
Not after everything is moved to the cloud (surely that would not be equipment budget).
Which is where I thought everything would go sour, with someone taking a short but entertaining flight from the retreat environment to the tiered greenspace. Possibly a duo flight even.
Bring back the Moderatrix, I say
Re: Wrong angle, fellow commentards (@myself)
Aw, seems my keyboard is acting up again...
Wrong angle, fellow commentards
Although I agree with a lot of what was written so far in the comments, it's Fortune's list of leaders, which means "top snakeoil merchants". People able to initiate and/or perpetuate a cult centered around them. By that measure most of the nominees do belong here.
And don't forget it's a merkin list, only people visible from inside merca are taken into consideration; and merkins are favored. Hence the shortstop whose name I can't be bothered to acknowledge. Had it been a brit list it would have comprised Brian O'Driscoll. Same diff.
Re: Simple question
Have course, I'm happy to help; here is an excerpt have the TOR FAQ page:
I would of thought that a copyright-based complaint was their mode have action, but Apple's speed have reaction may of been modified by friendly pressure by the NSA... or they would of acted faster if the claimant had been one have the Ass. of America.
How can I use the name "Tor"?
The Tor Project encourages developers to use the name Tor in ways that do not confuse the public about the source of anonymity software and services. If you are building open-source non-commercial software or services that incorporate or work with The Tor Project's code, you may use the name “Tor” in an accurate description of your work. We ask you to include a link to the official Tor website https://www.torproject.org/ so users can verify the original source of Tor for themselves, and a note indicating that your project is not sponsored by The Tor Project. For example, “This product is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.”
Can I use the Tor onion logo?
If you're making non-commercial use of Tor software, you may also use the Tor onion logo (as an illustration, not as a brand for your products). Please don't modify the design or colors of the logo. You can use items that look like the Tor onion logo to illustrate a point (e.g. an exploded onion with layers, for instance), so long as they're not used as logos in ways that would confuse people.
Can I use the word "Tor" as part of the name of my product or my domain name?
Please don't use Tor in your product name or domain name. Instead, find a name that will accurately identify your products or services. Remember that our goal is to make sure that people aren't confused about whether your product or project is made or endorsed by The Tor Project. Creating a new brand that incorporates the Tor brand is likely to lead to confusion, and commercial confusion is a sign of trademark infringement.
It's funny because * it's ** true.