437 posts • joined 29 Jun 2009
Am I the only one with attractive friends?
Or is it that everyone here wants to turn the forums into a death-camp for old jokes...
Re: If you fall for that
Yes, because we all know how an infected machine only affects that one person.
Blinded by LEDs
Given how many manufacturers like to cram super-bright blue LEDs into their products, I don't doubt you could go blind from them. I wonder when device manufacturers will realize that blue LEDs produce a far more intense light than the same amount of energy in a red or green LED. There have been many times that I've walked into a datacenter and have been temporarily blinded by locator LEDs right at eye-level.
I have two problems with modern ads:
2) All that code is hosted on a server that neither myself nor the organization running the website can control and the advertisers don't have much of an incentive to police so long as the money keeps rolling in.
I wouldn't mind advertisements that were just basic JPGs or GIFs hosted on the website itself. I also wouldn't mind if the website shipped its access logs off to the advertiser to analyze, they already end up with all that information and a lot more with the current ad systems.
Re: Much as I dislike Facebook, I wish...
I had tinkered with the idea of a social-network backed email system some time ago. It would be easy to determine if something is spam in real time with the data they have. If a message is sent to multiple people (or very similar messages are being sent) you'd just check to see if there is some sort of link between the recipients such as going to the same schools, having friends in common, etc. Otherwise you'd block the message as spam.
"put announce for mtgox acq here"
'acq' could also mean acquittal...
Steganography to hide the whole thing
I'm surprised if they were going for something like this, they wouldn't have also tried to embed more of the virus into images.
The main payload could be nothing but a tiny little script that embeds a decoding routine and exec function into some system library. You could even use a browser update bug and embed this into Chrome's or Firefox's SSL libraries (done properly, you could even sign it with a fake code-signing cert and embed it into the underlying OS so the modified binary looks legit).
The rest of the virus would be embedded in a series of images labeled as 'Desktop Wallpaper' saved as full-color bitmaps at 1920x1080 or something of the like.
Something like this could go unnoticed for a long time
Wouldn't this be making more money for the broadcasters?
They weren't directly making money off the signal anyway, but indirectly from increased sales of products advertised via those signals. At least with this model, they could request viewership statistics from Aereo and rather than try to sell air-time based on 'Company X bought time from us and their profits went up by X amount', they could now say 'We have at least X number of viewers on these time slots'.
It bothers me to see companies like this getting shut down as it could be a boon for all parties involved. At the very least I could see a deal going with Public TV channels as it would be a charitable donation and these channels would have a much wider audience.
Or even the human body, other living creatures, smoke detectors, bricks, bananas, ceramics, and many other things that release ionizing radiation, which even though is on the level of nano- or pico-sieverts, is still more than a cell phone has ever produced.
Re: I've always hated the term 'DMZ' in relation to networks
'If your answer to that is "but I can control that from a central place" you have just indicated a new APT target, and therein lies the rub.'
You seem to have missed the point. In most networks, anyone inside the company could be a launching point for attack; my point is to reduce the number of possible targets. I would rather have the IT department's systems and work harder to protect them than having to worry about the thousand other machines in the company that can access the management interfaces of the critical servers.
Also your comparison to a company that only has a single key is flawed in that I can replace my machines whenever I want and it wouldn't affect a damn thing, where a key needs to be replaced everywhere.
I've always hated the term 'DMZ' in relation to networks
It causes Security engineers to think in terms of having just three networks: Internal, external and a section in-between when modern technology requires thinking in much finer grained terms. With modern OS's supporting virtual interfaces* you should have dozens, even hundreds of separate networks.
What should have happened when they brought the partner on board was to have set up a specific VLAN and subnet for them that connected to virtual NICs on the servers they needed with listeners configured for access to the data and commands they needed to get it or modify it. If something requires a different set of security rules, it should have its own network.
The last network I designed used hundreds of individual networks; each web server cluster had 2 private networks and connections to at least 2 other purpose-built networks: 1 external connection to the back-end of the load-balancer shared only among public web servers, a second shared network used only for management of the internet-facing machines (the only interface that allowed ssh/sftp access), a third interface only connected between the web servers to sync application data and user state, and finally the last one was set up only for the servers to connect back into the database servers where the listener was configured to only allow connections to the specific DB the web servers needed and further restricted it by limiting what commands could be passed through.
Of course each network also had an IP or two available for packet-capture systems for debugging and performance monitoring (much easier to debug applications when you can just pull the stats from the interface rather than having to filter everything)
*either through the virtualization platform on a virtual server or through the OS (UNIX-like systems and the VLAN interface, Windows and the HW manufacturer's drivers) on physical boxes.
RE: SD cards / Read only
You do know that the little 'read-only' switch on the side of the card is merely a suggestion to the host, right?
In the operating system, the only thing that happens when you try to write to a card that is 'read-only' is that the OS will bitch at you, if you use the OS's built-in tools, that is. However, you can just send the raw write command and data directly to the card without any problem.
However there is a read-only fuse built into the card you might have used, but then that would mean you are using old, vulnerable software since you can never reset it back to read-write.
What you should have done was to set your partitions to read-only except for /home, /tmp and /var/log. To update, you would mount the device you are booting from on another machine, edit fstab to be RW and then reboot to the device and update, reboot back into the other OS and reset fstab to mark everything read-only. Of course this assumes you are using an OS that is intelligent enough to partition its data properly and not just cram everything into one giant partition.
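The fstab toggling described above, as an added example that is not part of the original post: one function rewrites the mount options so that everything is `ro` except the writable data partitions, or everything `rw` for the update pass. The sample fstab and device names are constructed.

```python
"""Toggle an fstab between the locked-down running state (ro everywhere
except the data partitions) and the read-write update state. Example code,
not from the original post; the sample fstab below is constructed."""

WRITABLE = {"/home", "/tmp", "/var/log"}   # stay rw, as in the post

# Constructed sample fstab for a card-booted system (not a real device).
SAMPLE_FSTAB = """\
# <device>  <mount>  <type>  <options>  <dump> <pass>
/dev/sdb1  /         ext4   defaults,noatime  0 1
/dev/sdb2  /usr      ext4   defaults          0 2
/dev/sdb3  /home     ext4   defaults          0 2
/dev/sdb4  /var/log  ext4   defaults,nosuid   0 2
tmpfs      /tmp      tmpfs  nosuid,nodev      0 0
proc       /proc     proc   defaults          0 0
"""

# Pseudo-filesystems hold no persistent data; leave their options alone.
PSEUDO_FS = {"proc", "sysfs", "devpts", "swap"}


def _set_mode(options: str, mode: str) -> str:
    """Return the option list with exactly one of ro/rw present.
    'defaults' implies rw, so an explicit ro is appended to override it."""
    opts = [o for o in options.split(",") if o not in ("ro", "rw")]
    return ",".join(opts + [mode])


def rewrite_fstab(text: str, updating: bool) -> str:
    """updating=False -> locked-down fstab (ro except WRITABLE).
    updating=True  -> everything rw so the system can be updated."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 4:
            out.append(line)            # comments / blank lines pass through
            continue
        mount, fstype = fields[1], fields[2]
        if fstype in PSEUDO_FS:
            out.append(line)
            continue
        if updating or mount in WRITABLE:
            fields[3] = _set_mode(fields[3], "rw")
        else:
            fields[3] = _set_mode(fields[3], "ro")
        out.append("  ".join(fields))
    return "\n".join(out) + "\n"


def mount_modes(text: str) -> dict:
    """Map mountpoint -> 'ro' or 'rw' so the result can be checked."""
    modes = {}
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#") and len(f) >= 4:
            modes[f[1]] = "ro" if "ro" in f[3].split(",") else "rw"
    return modes


if __name__ == "__main__":
    print(rewrite_fstab(SAMPLE_FSTAB, updating=False))
```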
Re: Try ibiblio.org ..
Simpler than that:
The US doesn't allow you to export crypto software, but Canada does.
It's referred to in the introductory message pre-loaded into every new user's mailbox and if you read the prompt at the end of installation, it will tell you to run 'mail' once you log in. The message in your mailbox is a simple letter from Theo and the Developers about some system basics, ending with the suggestion to read 'man afterboot' to learn more (this mail will also appear for all users created on the machine).
The afterboot page is a basic primer on using OpenBSD and other UNIX-like operating systems and will point the user to other man pages and tools that would be useful to know (in fact I print this page up for all my users for them to hang up in their cubes). Nearly all of them went from having no UNIX experience to being able to solve 99% of their own issues (including fixing networking issues, diagnosing hardware problems to being able to install and configure their own Desktop environments and even tweak X).
They say RTFM a lot because you have a bunch of idiots that install OpenBSD then ask why apt-get doesn't work (happened this week) or people that ask questions that would have been solved by just running man afterboot or man <command>. The OpenBSD developers are extremely anal about the accuracy of the man pages and docs and people just ignoring them is really annoying.
Re: Think about this...
Like Linus is much better at talking to the public...
Re: OpenBSD is included in ... third-party packages ...
Code patches developed by OpenBSD are included in those packages. It should also be noted that OpenSSH is also affected by all this since they are part of the same project/foundation.
Yet another appliance...
I don't need any more crap in the network racks when I already have the BGP routers, forward firewalls, load balancers, anti-malware engine, IDS/IPS system, web cache appliance, VPN gateways, rear-facing firewalls, packet shapers...
Typical Web 2.0 idiot programmer thinking: "I have no time to check my code for security bugs, I'm too busy inventing the next InstaSnapLinkedFaceGram+. Let's just make something to cover this up and make it the responsibility of the Dev/Ops team!"
Neither, the algorithm they built was able to detect 68% of the known-spam accounts and incorrectly identified 5% of the known-good accounts as spam.
The algorithm wasn't running for 4 months either, the data they were using was on accounts that have been active for 4 months without being flagged but were determined to be spam accounts.
Re: Probably the most expensive 60g anyone will ever buy..
Or HP toner
At one point that stuff ended up costing more than pure, uncut cocaine.
Re: Politics v engineering
That's a side panel, not a solar panel. Also, every space-faring nation/organization puts their flag on the side.
Patched in the future even if the exploit isn't used
Yeah, like that happens...
Re: More not being evil coming up
I think it's more like that guy in his late 30's buying a $500 hat to show that he "is still hip with the kids" and not some kind of corporate sell-out.
Re: Stupid American Patents.
A bit of irony considering that the creator came from Apple...
Re: No one said
No one said it because they were afraid of breaking such an ancient relic.
The real news
is that Zynga is still operating...
Re: Data retention...
"pics are from under 18s sending nudeys"
Something tells me that that is likely the reason they didn't take the $4 billion; someone was afraid their endless stream of porn would be found and they'd get thrown in prison.
Predictable but has a wide margin of error. The figures given for the life of a nuclear plant is the length of time they can guarantee a certain level of power output.
The rover also has a couple solar panels to power its control circuitry and some of its basic equipment, so it could theoretically keep going indefinitely reporting back the weather, levels of radiation and pictures or whatever else they have the power budget for.
Re: > if they can't guarantee that ephemeral really is ephemeral
First law of data on the internet:
If you want something on the internet, it'll disappear the second you look away;
however if you never wanted to get out onto the internet, it'll be there well past the heat-death of the universe.
Re: useful stuff
They've already proven to be blindingly trustful of people on the internet, just claim to be a new internet payment company that deletes their banking details 6 seconds after the transaction and you can start extracting obscene amounts of cash from them.
I know that most of the users are teenagers living at home, but the same kind of parent that gives their kids a smartphone is also the same kind of idiot that gives them a credit card.
Re: Is Julian Assange
Probably not for much longer. If his party keeps doing stupid stuff like this, I'd imagine that the Ecuadorians would throw him out to avoid looking like they agree with the bat-shit insanity of the guy's party.
Re: @Repeat (pete 2) The law is not the answer
If the government gets overthrown, I don't think privacy is what I'd be worrying about; besides, the intelligence services already have all that information anyway and it's not like that will change any time soon. My system doesn't rely on perfect trust, just that you'd only need to trust one person rather than the plethora we do now, and the system I propose would give the people we already trust with our data less of it.
And yes, there are problems with encryption, but I'd rather have it stay encrypted for most of the data's life than not at all; I don't want to wake up one day to find that some jobsworth has left an unencrypted drive full of my information on the bus.
Re: @Repeat (pete 2) The law is not the answer
A few months ago I came up with the idea for a government-run central database to store all information about that country's citizens.
Every citizen would be issued a smart-card that would be used to authorize access to their information. In turn each company, organization and agency would then be issued their own CA certificate, which they would use to issue each employee their own certificate as well as certificates for equipment used to process personal information. This would allow access to that information to be revoked for a rogue employee, a compromised server, or even an entire company that is misusing data.
Each certificate issued would come with a long list of flags based on what information the requester can see (primarily based off of whether the requester / requester's organization has passed regulatory checks such as HIPAA, SOX, etc.) or if they have a valid business license. This would be restricted at both the CA level and the individual employee level.
Each company or data requester would have a standardized database that would receive the information in the form of a selective replication from the central database over a secured connection (SSL VPN perhaps using the device's certificate for access).
When information is requested of a private citizen, a unique ID is generated along with a series of flags describing which pieces of data are being requested; this is then sent to the central database where it is held to await authorization. At this point the citizen whose data is being requested will use some form of authorization terminal and log in with their card and see any requests being made for their data, at which point they could uncheck some things they don't want the requester to know, or that are irrelevant. At this point the citizen would then send back the authorization. Once this authorization step has taken place, the request is granted in the form of a simple database replication from the central database to the requester's with only the authorized data.
The requester's database would be constructed in such a way that it will filter information itself based on the authorization level of the employee.
An example of all this would be if a citizen broke a bone and went to the hospital: at reception the clerk would create a request for all the citizen's medical information, at which point they would be able to filter out irrelevant stuff (say the citizen had a psych eval. a few years back); the citizen would then authorize access to that data. The central database would then replicate all the authorized requested bits of information such as medical history, name, gender, DOB, next of kin, medical benefits, etc. along with a token describing how long the data will be available before the request expires and new authorization is needed.
Since this data is further filtered by the local database, each employee would see a different subset of data: the receptionist would see just your name, the doctor would see all your medical history but not address or other information, the nurse would be able to see your name, medications you are *currently* taking and allergy information, etc.
Another example would be an online store where it would ask you for your shipping address and confirmation that you are allowed to possess certain materials such as prescription drugs, or toxic materials (but only if they are authorized to sell such things).
A third example would be an online service (such as email, a forum or social network) that would only need to validate that you are a human being without the need to give them your name or even an email address, plus you could log in without the need for a password (you'd be able to use your smartcard). This would allow illegal activity (such as soliciting sex from a minor or other malicious behavior) to be reported and the account traced through the original request, that way the police can handle it without the website ever knowing who that person truly was.
On the other hand, if someone came up to you claiming to be from the government or a specific company, you could then make a request to the central database to validate that they are, in fact, a member of that organization and see a list of what they are able to request (in order to prevent fraudsters from claiming to be from your bank to steal your money or a government agent over-stepping their bounds).
There would also be a table in the database listing every single request for data, which would allow each citizen to review who made each request; even law enforcement requests would be listed here.
The organization running the database would be built from the ground up with the idea of privacy in mind where no one can make an anonymous request despite them having a court order or National Security Letter. In the process of proper law enforcement, certain requests can be authorized by a judge and possibly be anonymized for a set amount of time (say 90 -120 days, but no more than a year) at which point the request will become public and the prosecution must either enter the information as evidence or delete it, either way it would be revealed to the citizen that this information was requested.
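The consent-gated replication flow described in this post, as an added model that is not part of the original post: a requester's CA flags cap what may be asked for, the citizen withholds fields before authorizing, the central database replicates only the authorized fields with an expiry token, the requester's local database filters per employee role, and every request lands in a log the citizen can review. Field names, roles, the hospital's flags and the sample citizen record are all constructed for illustration.

```python
"""Model of the consent-gated data replication scheme described above.
Example code, not part of the original post; the record, CA flags and roles
below are constructed for illustration."""
import itertools
from datetime import datetime, timedelta, timezone

# Constructed sample record held by the central database.
CITIZEN = {
    "name": "Jane Example", "dob": "1980-01-01", "gender": "F",
    "address": "1 Sample Street", "next_of_kin": "John Example",
    "medical_history": ["broken arm 2010"], "medications": ["ibuprofen"],
    "allergies": ["penicillin"], "psych_eval": "2011 report",
}

# Flags on the requester's CA certificate: what the organization may ask for,
# granted on the basis of its regulatory checks (constructed for a hospital).
HOSPITAL_CA_FLAGS = {"name", "dob", "gender", "address", "next_of_kin",
                     "medical_history", "medications", "allergies", "psych_eval"}

# Per-role filtering applied by the requester's own local database.
ROLE_VIEW = {
    "receptionist": {"name"},
    "doctor": {"name", "dob", "gender", "medical_history", "medications",
               "allergies", "psych_eval"},
    "nurse": {"name", "medications", "allergies"},
}

_ids = itertools.count(1)
REQUEST_LOG = []   # every request, visible to the citizen; none is anonymous


def create_request(requester, ca_flags, wanted):
    """Requester asks for fields; the CA flags cap what may even be asked."""
    req = {"id": next(_ids), "requester": requester,
           "requested": set(wanted) & set(ca_flags), "authorized": None,
           "created": datetime.now(timezone.utc)}
    REQUEST_LOG.append(req)
    return req["id"]


def _lookup(req_id):
    return next(r for r in REQUEST_LOG if r["id"] == req_id)


def citizen_authorize(req_id, withhold=frozenset()):
    """Citizen reviews the pending request and unchecks fields to withhold."""
    req = _lookup(req_id)
    req["authorized"] = req["requested"] - set(withhold)
    return req["authorized"]


def replicate(req_id, record=CITIZEN, ttl_days=90):
    """Central DB -> requester DB: only authorized fields plus an expiry token.
    Refuses to replicate anything the citizen has not yet authorized."""
    req = _lookup(req_id)
    if req["authorized"] is None:
        raise PermissionError("request %d not yet authorized" % req_id)
    data = {k: v for k, v in record.items() if k in req["authorized"]}
    expires = req["created"] + timedelta(days=ttl_days)
    return {"request_id": req_id, "expires": expires.isoformat(), "data": data}


def local_view(replica, role):
    """The requester's database shows each employee only their role's subset."""
    allowed = ROLE_VIEW[role] & set(replica["data"])
    return {k: replica["data"][k] for k in allowed}


def audit_trail():
    """What the citizen sees: who asked for what, and what was granted."""
    return [(r["id"], r["requester"], sorted(r["requested"]),
             None if r["authorized"] is None else sorted(r["authorized"]))
            for r in REQUEST_LOG]
```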
"account running the ftp daemon"
Since this was the BBC, what are the chances that ftp was running as root?
Re: "if a product's label states that it's dangerous to your health..." @COG 00:12
Not sure, it seems like one of those chicken-egg type situations...
Re: "if a product's label states that it's dangerous to your health..."
I couldn't agree any more with that statement; my father taught me to select things based on how many warning labels the government requires to be slapped on it (even better if they banned its use in consumer products). From that guidance I've ended up with: an asphalt shingle roof that hasn't been replaced since Reagan was in office and hasn't leaked (The roof I mean, although...); a kit radio that I built to listen to Skylab (And re-purposed for Mir and then the ISS) and hasn't needed to have anything re-soldered; and paint thinner that could melt the stripes off a zebra.
You can have my lead-based materials when you pry them from my cold, heavy-metal poisoned hands. I figure that the time I would gain by using healthy and eco-friendly products would just be wasted re-roofing my house, fixing electronics, or struggling to clean metal surfaces.
You are aware that he wasn't making a comment about Apple specifically but rather about the manufacturing processes companies *like* Apple have to use because of RoHS rules.
Please calm down, even if he was attacking Apple, his comment won't make your preferred device any less shiny or diminish the good aspects you see in them.
Re: emulators? - Online Services
> In 10 or 20 years, we'll only have memories of what WoW or GTA online were like, because the ability to actually play these games just won't exist.
Re: That's rather silly of him
Some of the minimum security prisons are basically summer camp for adults; there are a couple where the prisoners get private cells with cable TV and internet access. Escaping from one would be as simple as just walking away. I lived near one for years before finding out it was a prison; it looked more like a rehab facility or psychiatric facility.
Re: On the subject of spam - and if that's not 'optional'!
The servers are performing checks to block forged envelopes; the 2-3 million messages is the total volume after making it through the SMTP gateways. The vast majority of the spam the servers see is from malware on compromised machines sending through the users' accounts to look as legitimate as possible.
Re: On the subject of spam - and if that's not 'optional'!
According to the logs off of my mail servers (processing about 2-3 million messages a day), the top spam sending domains are, in order from largest to smallest:
At least these are the results from the adaptive filters and feedback from the users (via the spam / not spam buttons in the client). Of course the amount of spam you receive has very little to do with the provider and very much to do with which sites you enter that email address into.
Re: Load of rubbish
Or just take a screenshot.
I wouldn't be surprised if there was someone out there that disassembled the Snapchat client and replicated all its features but rather than deleting the photo, it just saves it somewhere. There is no way for a remote server to verify that the client hasn't been modified (See: Trusting Trust).
Something tells me that they knew about it and it was put in there for the feds to catch criminals, etc.
Re: I am Jack's complete lack of surprise
Why would you disagree with the man that controls your promotion?
Who ever thought it was a good idea for the president to be the one to nominate judges for the supreme court?
Re: MUH PROTECTION!
ICANN already prevent you from registering .nato, .un, etc. What they want to prevent you from doing is registering second-level names that infringe on these names like red-cross.sony, UN.bank or nato.bollocks or whatever your chosen gTLD is.
Re: Digital Rights Management
This attack requires detailed knowledge of the unencrypted data and the underlying algorithm itself, of which you have neither in a DRMed system.
If he had those kinds of skills, he'd be going to a real school, like the one down the street.
Re: Penis Head
I don't remember which scientific journal it was, but there was a study done about that where they found the shape of the penis is meant to pump sexual rivals' semen from the vagina. It was also conjectured that men get tired after sex in order to prevent pumping out one's own semen.
Well, that's another authority removed from my trusted list.
Every time I set up a new machine or browser I immediately go into the certificate manager and delete all the authorities for nations I've never done business with or have a reason to trust.
Why should I trust a certificate from a company whose name I can't even read? And why should I trust a certificate from a foreign government?
Re: "as fruitfull as shoveling snow around the north pole."
I actually did that for a few months...
During my college days I was taken along with a group of other students up to the Arctic as I was one of the few people that knew how to fix the equipment they were using (They were also quadrupling my pay for the duration of the expedition, hard to say no to that). While I spent some of my time actually doing my job (fixing the effects of extreme thermal-cycling, replacing seized motors, etc) I spent the majority of my time clearing snow from around the doors and external equipment to prevent us from freezing to death.
Although you can build some awesome, and warm, snow-forts up there.