Posts by ElReg!comments!Pierre 2711 publicly visible posts • joined 22 Jun 2009
"It being open-source software that anyone can audit, one might have expected the SQL injection vulnerability to have been discovered and fixed long ago. To be fair, GNU.org is by no means the only popular open-source project to have been ransacked by hackers."
To be fair, it being open-source software that anyone can audit, one might have expected the SQL vuln to have been exploited long ago (if it was that trivial).
To be "fairer", the raise in attacks against open-source repos is quite interesting. I can see two possible explanations:
1. open-source software has "gained" so much "traction" with the "market" (as the strategy boutiques put it) that it's become a wothy target for miscreants.
2. traditional target products (read Microsoft, Adobe, etc) are finally putting their act together and are increasingly harder to crack, comparatively making traditional strongholds look weaker than before.
To be the "fairest", both factors probably contribute, and I would hazard to say that it's a good sign for open-source software, as in most cases the code repositories were compromised, not the customer systems. When you think about it as a "customer" sysadmin, it feels much safer than MS /et al/ systems where the miscreants target YOU directly. Well, unless you're running Savane with MD5 hashes, but who in their right mind uses MD5 nowadays? ;-)
Semi-troll post, hence the icon.
That's what you get for embarassing the powers that be.
When security researchers get intimate foreplays at the hands of the DHS (http://www.theregister.co.uk/2010/11/19/dhs_detains_hacker/), what else would you expect for exposing the Emperor's "diplomatic" underwear? We can only hope that the EU gave the US a run for their money on this one (a level playing field in the sharing of banking info maybe?).
Surely you mean "which brand of PC, they weren't asked, it seems".
I'm currently a Dell, because PCs are far too prone to virus infection. Also, Dells just work whereas PCs crash all the time. You, are you a Dell or a PC?
Do you prefer Android or Linux? Snow Leopard or MacOS? You want a laptop or a MacBook? Shoes or Nikes?
This is marketing-induced stupidity. On TV or in the Daily Mail it's OK (barely), but you guys should really know better. Especially as it really comes out of the blue, you deliberately added the very piece of stupidity that Nielsen managed to avoid. You almost had it right with the "non-Apple smartphones" but then "Mac or PC, they weren't asked". AAARRRGHH
That is all, sorry for the rant.
>So, allow me to restate my point. without crypographic techniques you have no way of knowing the source of an email, if it has be tampered with, and CERTAINLY no way of knowing if it has been read by a 3rd party. Email is inherently insecure.
Yes it is, when you're dealing with tech-savy people and high-stakes fraud. Here were talking about a TV show that allows vottes for a ~1h timeframe. For the people who vote in these, the Intarwubs are a blue 'e', and while it might be politically interesting to spend a few thousand emails with spoofed 'From:' headers, anything more technical is most probably:
1. far beyond the technical reach of the nutters involved, and
2. not worth the hassle and risk to begin with.
Also, as I said, filtering by IP is probably the only convenient way to avoid one single person voting through a hundred ad-hoc yahoo! or Gmail adresses (contrarily to what you seem to believe, yahoo! et al do report the originating IP.)
>We havent even brought up the concept of gmail/hotmail/yahoomail/FBmail/etc.
As it were, they do report the originating IP quite reliably, and filtering by IP adress looks like the only practical way to prevent _that_ sort of stuffing.
Of course you could use proxies, but that's quite risky.
>That would normally be one or two votes per ISP
>you can't trust anything in the header
Well, it IS significantly harder to spoof the path than the From: header.
Keep in mind that we are most probably talking about non-technical people using a mail agent that allows to enter custom From: from the GUI. Not only do they watch stupid gameshows, they also VOTE in them.
I'd say relying on the path in the headers would be more than enough in that case (we're not trying to thwart a Sino-Russian secret spy agency here, they're just lusers who put their hands on KMail or something similar).
I was under the impression that every single bit of info (included, but not limited to, photos) that users publish via FB became FB's property, for them to use as they see fit (one of the reasons why I don't use the thing). In that case, surely there cannot be any misappropriation. Mildly misleading advertisement, maybe. Was I wrong?
The C17 is nowhere near able to land on short bumping strips as well as the A400M, contrarily to what Lewis boldly states, so it's not going to be able to do the job in 'stan.
The C130, on the other hand, can, but it's an ageing craft, slow as fuck and in dire need to be replaced (according to some) -maybe not the most pressing concern when money is tight, though.
Anyway, that's beside the point. The US won't let you build the things under license I suspect (they want to keep the jobs and the revenue stream. Not to mention tech "secrets").
Surely you're jesting.
The C17 needs more than 2.3 km of _hard_ strip while the A400 only needs ~1km of _soft_ strip. That is indeed a huge difference, to the point that it's meaningless to compare them on any other aspect. That's probably why Mr Former Minister compared the A400M to the C130, not to the C17 (also he appears big on interoperability, and virtually no-one flies the C17)
Not taking any side on this one, just stating the facts.
>(remember how these were pre-iPhone?)
Yes I do. Service has degraded since then (but that was the trend anyway). Voice tariffs are unchanged (they tended to decrease before, that stopped), and sure there are more unlimited data plans but that was the trend already and prices certainly did not drop a bit (there's even been a hike on the capped plans). In my part of the world, the iPhone hasn't changed anything. Litterally.
>Soon we'll be able to travel to a foreign country and buy a local SIM over an app
Most probably not, no. Certainly not more easily than buying a pay-as-you-go SIM was: walk in shop. Get SIM. Start talking.
Now you will need to lug a laptop around, find a hotspot, connect, hope that the app store of your manufacturer has a deal with a local telco, if they have deals with several of them you will need to figure your way around arcane tariffs anyway, you will probably miss out on the contractless deals as it would be unsustainable for telcos to offer them in this channel (enjoy getting a 1-year contract for your 2-weeks stay!), and will end up paying more as the app stores tend to charge extortionate rates on what you sell through them.
But hey, it's not like I didn't predict your post a couple posts up, so that's fine by me.
The whole thing will of course work through sync with a laptop running iTune (or whaterver app your phone manufacturer endorse) and the OS your phone manufacturer endorse. Which means you not only have to get the "right" computer with the "right" software, but also find a hotspot (which can be a nightmare outside of cities, even in developped countries). And of course you will have much less choice in terms of operator and tariff (if any is available at all. You will also have to be in the "right" country of course.)
That's a big step for mobility. Only backward.
>he hardware key is the hardest to crack.
Agreed. Moving from a physical-token-based security model to a software-based one is a huge step backwards. Also, obligatory initial key transmission over the internet is BAD, m'kay? (what's the bet that most of it will happen over insecure WiFi connections?). End-to-end encryption would have to be very strong indeed, as we're not talking about fast-expiring keys here, but virtually eternal ones Suddently it becomes worth throwing quite a lot of processing power at bulk captured networked data. Not to mention that even with a very strong and convoluted encryption scheme, being able to see the transaction happen already gives you valuable intel in itself. That guy at the next table who just updated his Facebook (thank you FireSheep) ? He also owns an iPhone, for which he just got a "virtual SIM". Means he's probably a foreigner, or at the very least from out of town, and won't know what to do if he's mugged in a dark alley. That's just an insta-example, I'm sure fraudsters will find better ways.
Fraud is already happening even with the physical token model, I don't know how anyone could think that moving to a weaker model is a good idea.
>if you want multiple accounts on one sim then a sim could be created to do that.
Or you could own several SIM cards...
The only people who will benefit from that are the manufacturers with an online shop.
You will need an expensive computer with the right software installed... so now your phone manufacturer is in position to dictate what brand of PC and OS you are allowed to own, not to mention what networks you're allowed to use. I'm guessing that they will levy a tax on the process, too. If Apple's current practice is to continue, expect a 40% increase in your phone bills. Great. All that for little to no discernible benefit for the end user.
It will probably sell very well. And the customers will probably proudly show off that proof of their gullibility, too (sadly, that's no sarcasm).
But unless Oracle puts a lot of effort in pushing Java (which doesn't appear to be their plan so far), the language will lose most of it's open-source supporters with the departure of Apache. Of course the current java developpers will stay onboard for a while (at least the one-trick-ponies), but who in their right mind will commit to long-term Java projects now? Sun's strategy was to spend little ressources on Java by having open-sourcers do the grunt work. If that goes away, Java is pretty much dead in the long run anyway (again, assuming Oracle don't commit significant ressources to it).
Just look at which projects use Java: the bulk of it is open source. The most prominent monolithic -hence difficult to port away- would be OpenOffice, but Oracle managed to piss them off big time. There are a couple commercial things (like Jgraph) but they are quite niche. And if there is something open-sourcers can do, and can do well (appart from forking), it's porting code.
"Its a bluff and if they actually do it, then the only ones to lose is Apache."
What could they possibly lose? The only things they get from being in there is a say in the decisions related to Java roadmaps, and a way to get licenses easily. Now Oracle has made abundantly clear that they won't listen anymore, and they refuse to grant licenses, ergo Apache doesn't benefits from being in there. On the other hand, having Apache in meant a lot for the open-sourcers and largely contributed to the success of the language. If Apache leaves, that's largely gone. Also it's bad for the image of the language, which future appears fragile (and which looks more like a lock-in).
If anyone loses, it's certainly not going to be Apache, simply because staying would not bring them anything to begin with.
"Suppose Apache walks away. Oh no! What will Oracle do? Hint: They'll pick up the code, and maintain their own in house release."
Even if they did (which they probably won't as they clearly have no interest in it) that would cost them money. Unless they found a way to make developers work for free.
"game theory"
Game theory doesn't explain how working for free for Oracle and giving them support when they fail to uphold their end of the deal (trying to publicly humiliate you in the process) is a good idea. Can you spell it for me, again?
Would YOU do free work for Oracle knowing that you'll be denied the right to use the tool you built?
"He quotes the total number of distracted accidents, not the number that were distracted by mobile phones, which would be only a tiny minority."
Where I live, ~1 in 3 drivers are on the phone (rush hours). I was hit by a prick in a SUV just two days ago (hit not hurt, traffic was slow). He was apparently having quite a lively conversation. On the phone. Which prevented him from seeing me, even though the guy on the other lane had stopped to let me go.
I wouldn't be surprised if the guy quoted in the article actually _underestimated_ the number of phone-related incidents, and by a jolly good margin (phone-driving being illegal in most areas, it tends not to be reported in the case of an accident. Insurance, etc...).
Not saying that jamming is the solution, but the ban certainly needs to be enforced more (here the plods will fine you if you wear headphones while biking, but they let drivers on the phone alone entirely, despite it being equally forbidden).
Seriously, reading the article and the comments I wonder how no-one suggested emailing your files to your Gmail account as a form of backup.
There are online backup solutions, but dropbox ain't one of them. It's primarily a sync/share type of thing for people who can't use ftp. Of course you CAN use it to "backup" data, the same way as you can email said data to your Gmail or Yahoo! Mail account.
Same goes for a lot of things mentioned in both the article and the comments. Basically, if you have routine write access to files on your "backup", then it's not a backup but a sharing/syncing thing, as pointed by jake and Philip.
>Of course it will never happen...
Rule : if you can think of it, some sad geek has already built it.
http://portal.acm.org/results.cfm?&cfid=113062480&cftoken=66386576
Of course it's not a productivity cluster, but I bet you could find more "serious" projects if you looked for them.
And I wouldn't know what to do with a tablet (web browsing is NOT my main occupation).
But I went for a 9" EEE, not a 11.6" monster. With a SSD; I wouldn't have bought a HDD one.
As I said when the notebooks switched from the original SSD-and-Linux small things to lumpy sluggish Windows machines: MS killed the notebook.
That's some serious trolling you got there Sir Hard Reg Sir.
OK, I'll bite:
If you cut Aqua entirely and stick with console mode, you can increase the battery life by a LOT more than 2 hrs.
Also, if you leave the thing off to begin with, the battery will last for WEEKS instead of a meager 6 hrs max when on.
D'uh.
Plus, my money's on the test being not-too-honest to begin with. Were exactly the same things running in both cases (same apps, doing the same things, etc)? I doubt it.
In other news: a computer in use needs more power than an idle one. Who would have thought?
The -potential, and overblown- problem lies with the flash addies. Filter them out (flashblock, filtering proxy, whatever) and be done with it. That way you can still have access to the "useful" flash content (e.g. the PARIS videos on El Reg).
You're welcome.
Cheers.
That's the OS. Are you suggesting people should install OSX-server on non-Apple branded hardware? Baaaad Graeme! That's against the almighty EULA! (Cue Jobsian Lightnings and Thunder)
(Also for £1000 the Dell box will have a few useful features that the base Xserv lacks, like redundancy etc)
Also, consider that the first iteration was WiFi only... something you can move around at home, or at a pinch take to the starbucks on Sunday morning to tweet while sipping your Venti half-caf soy no foam latte, not too hot, with a shot of vanilla and a dusting of nutmeg, freshly ground only.
That pretty much sets the scene, methink. And it looks deliberate, too (to avoid overlap with the iPhone/Pod range perhaps?).
To be honest it's touted (and used) as a way to check facebook and twitter on your couch during the commercials in your fave TV show. (and similar).
Compare the ads: mobile users are most often shown in motion, in the street, on the bus, in airports, etc, and the emphasis is on geolocation apps and other mobility-related stuff. The iPad ads show users wallowing in couches and using the device to read the newspapers, books, or similar "sedentary"activities. So it would seem that Apple doesn't think of the iPad as very mobile either.
As much as I dislike the brat, he is right on this one.
I guess the missing word here is "standalone". The judges probably didn't realize that encryption is built in pretty much anything these days, very often SEVERAL "layers" of it. For them it probably just meant "truecrypt and PGP", i.e. standalone encryption software.
Still doesn't make much sense in my opinion. But the actual wording would prevent him from even logging in (Code Monkey: I'm pretty sure even Win98 uses SOME form of encryption to store login information).
"Chances are it can be uninstalled from most desktop machines and the user won't even notice."
That's mostly wrong. I dislike Java as much as any sensible person should, but unfortunately quite a few applications are coded in Java. OpenOffice/LibreOffice springs to mind of course, but here we also have more "specialized" stuff written in Java (ImageJ, Jgraph and a few others). That's a pity as Python is much better as everyone knows.*
And I'm not even going to mention web-based applet or JavaWS as it's bad for my blood pressure.
Bottom line is, lots of people will notice if you take java away (which doesn't meant it shouldn't be done).
*icon for that statement; Python is orders of magnitude better, as far as high-level interpreted languages are involved.
"laptops aren't clever enough to restrict major updates to when one has a WiFi or cabled connection"
I'm pretty sure it's not a problem with the machines here. Now whether the users are clever enough to make it so is another problem. Well, if users cared at all in the first place, that is.
Hey, I'm pretty sure that some people out there would/do choose to do major updates and heavy downloads on their unlimited data link on purpose, to avoid paying for it in their capped internet connexion.
"It goes on to theorize that a gay user struggling to come out of the closet could be inadvertently outted by such a scheme."
I suppose that would be by aggregating data from a lot of that user's clicks, and building a "gay-like" pattern. Let me shine a different light on this: we could aggregate the same amount of data and compare it with paedo or terrorists patterns surely... Bam! instant paedorrist finder! That's so obvious, I'm sure that "they" thought about it, and are perhaps even already doing it right now. Come to think of it, that lawsuit sounds rather suspicious, these guys wouldn't happen to have something to hide, would they? Ummmh, California you say? Lottsa dirty old chaps down there, they don't call it "America's flaccid penis" for nothing. Suspiciouser and suspiciouserer...
Mine's the one with the torch in the pocket, thanks. Yeah, the pitchfork's mine too.
You are obviously right. The people who put the system together are still in need of a good spanking though. That's not even a beginner's mistake, that's dilettantism of the worst kind. Surely "let's try and sneak system commands in the input" is the very first thought of anyone trying to compromise a world-facing system. And surely that's the very first thing any admin worth his salt <db db db db db> any admin at all would consider.
"people owning American domains must not do anything that breaks American law"
As many have found, given that the US have the master key to domain names, your registration may be arbitrarily terminated regardless of the TLD you use. It suffice that some small town's tribunal in the middle of Arkansas gets upset with the content of your site and point out that you site CAN be accessed from the US. Even if your website doesn't break the law where registered nor where the servers are located.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
