580 posts • joined 6 Jul 2009
Can you still buy memory cards/USB sticks on EBAY?
1) All flash devices have firmware.
2) Reprogramming the firmware of flash devices is a standard operation, and little old ladies in the market stalls of Shenzhen will do it for you. The most basic purpose is to implement algorithms dealing with bad flash cells. For years, the most common malware purpose was to lie about the size and provenance of the flash device.
3) 10 years ago it was common for USB devices to include keyboard emulators to install software. There were a couple of efforts directed towards standardising the process, which eventually died as the industry moved away from the idea because of security concerns.
This clever demonstration links the two well known ideas: flash controller reprogramming, and USB device malware.
Re: @dkjd Medical doctor (GP) not a scientist?
I'm sure that most PhDs aren't trained Doctors. 'Doctor' is a very old-fashioned courtesy title when used to address PhDs.
>workarounds are possible
> but those outlined in the post require rather a lot of working around.
At least one of the work-arounds is trivial: disable workstation "password" resets.
And I did that anyway when I was doing server upgrades. Disabling and re-enabling is a simple policy setting.
Routine machine password reset is more a kind of environmental sanitation setting than a present threat mitigation. The machine password is not, of course, a "password", it is totally user-invisible, disabling changes makes your network more robust, and the risk/danger is very very very low on my list of possible risks/dangers to my network.
Re: Headline wrong?
Of course the headline's wrong. That's the whole point isn't it?
>It may have cost some others something though, as is mentioned in the story.
Or, it "may" have cost them nothing,
or they "may" have made an extra profit from the attention the stock is getting.
If the prosecution had any actual evidence, they wouldn't be resorting to weasel words like that.
non comparable statistics
One of the studies I read 20 years ago found that mobile phone use was comparable to drunk-driving: but ignored the fact that drunk drivers are drunk for the entire journey, mobile phone users are effectively 'drunk' only while making a call.
Another study derived usage figures by observations in [a location that had higher than normal mobile phone usage] at a time of day that had [higher than normal mobile phone usage].
I think that both those studies gave false figures for the total expected benefit of banning phone use while driving, but they also implied a false figure for how much pain the enforcement would cause.
If the number of accidents caused by mobile phone users is small only because sensible people don't use their phone much while driving, then this relatively harmless law is doing good while not causing much inconvenience to many people.
Re: "Freedom" of Information...
Freedom From Information laws.
My first contact with FFI laws was many years ago, when I was trying to sort out an error in my file with a government department, back in the days of physical files. It eventually emerged that the reason I got different repeat requests for information every time I went in, was that they had TWO physical files. Which would have been obvious if they had shown me the information they had. But the actual statement was "We can't show you, because of the Freedom of Information laws"
Re: Without trust ...
>Florida ... when their electronic voting machines proved
I guess you're referring to Florida, when their manual-mechanical voting machines proved to be less than fair and correct.
Or perhaps you meant to refer to some little-known electronic voting machine in Florida, and the reference to "Al Gore" just crept in there because you got your dates, politics, and technology mixed up.
'secret sauce', 'trade secrets'
Not by any ordinary meaning of the terms. Not even 'secrets' by any ordinary meaning of the term: market trading is done in public, in a public market, with the public.
Writing as a person who created trade secrets, and the secret sauce, in the finance industry, I wondered if the miscreants had stolen trade secrets, or secret sauce, and if so, if they could possibly have made any money out of doing so, and if the victim could possibly have lost money from the theft.
Reading the article, I see that the answers are No, and No: if any trade secrets were stolen, it didn't cost the firm anything, and didn't gain the thieves anything.
The theft, the loss, the gain, came from front-running and the artificial delays. So a descriptive headline would have been something like:
Hackers steal millions from major US hedge firm
Hackers intercept trades from ..
Hackers delay trades from ...
Hackers re-route trades from ...
Hackers inside-trade inside ...
Re: Pound sign
Also called the Number Sign in ASCII, where it was put by the Americans, which is part of the reason why it is the alternate value for the English Pound position.
"The symbol # means the same as No., and it can be very useful"
("The I.S.O. character code," The Computer Journal, vol. 7, no. 3, October, 1964)
In AUS, the subtitles on my TV show # (number) or £ (pound) to indicate music, depending on where the program was subtitled, indicating an odd translation difficulty somewhere.
@ symbol was used for pricing. As: 5 apples @ 5p
The typewriter, of course, was widely used for commercial correspondence, and, before the photocopier, even for copying out price sheets.
I've done this
-- for a couple of clients, who ran investment banks for their dealer network.
Operationally, not very difficult. My clients did not require banking licences or building society licence or anything: whatever the requirement is for a banking licence, they were able to do this without it. Perhaps banking licences are tied to lending money? Or accepting money from the public? Or depositing with the Reserve Bank?
My clients were just borrowing money from their dealer network, as a service to the dealers, as a kind of loyalty scheme. The money was just invested in the parent company.
The reporting requirements were not very rigorous, for a few hundred clients and a few million dollars.
Within the reach of a small coding team for those numbers, but the product I had would have scaled badly.
Extended Support Release
Now that they are copying the rapid version number increment, the other thing they should copy back from FF is the Extended Support Release -- so that I don't get stuck on websites that require this month's version.
Re: NSW budget calls for lower GST threshold on imports
I've seen $700 estimate for the all-up cost of collection on $500 (assuming the threshold was lowered to $500). Very little of this is the "cost to the customs department" -- but it's the cost you would expect to pay.
Nobody is suggesting this as a tax-raising measure. The whole point is to make importation unattractive.
They calculated in Y2K that from a tax view, $1000 was the sweet spot, and it's only moved up since then.
Virtual credit cards
>Virtual credit cards were payment systems designed to combat online fraud by utilising temporary card numbers.
1) Do virtual credit cards still exist? If not, how old is this article?
2) If virtual credit cards do exist, who offers the service?
In the old system, tanners and dry-cleaners collected from the public toilets and pissoirs. I can't see that working in the modern system, where it's first mixed with shit.
Even the least obvious markets are sometimes using mobile phone technology. According to this article: http://www.theregister.co.uk/2013/05/13/smart_meters/
"Existing smart meters are using the cellular networks, generally 2G"
Positions out in the middle of a field are even more likely to use mobile phone technology, since other technologies require more power and/or less security and/or a local network to connect to.
>households running multiple video streams at once
Two months ago I got 1 upvote and 5 downvotes for saying "It was always going to be the replacement for FTA analog TV.". 2 years ago I got censored from the Whirlpool forums for saying something similar.
Is it still unsafe to say that the NBN was the "circuses" part of "bread and circuses", or will the classical allusion be lost on ALP voters?
>Personally I prefer a reasonably honest approach,
So I take it that you will be boycotting Diffray and The Register for misleading you into thinking that MS was not patching security flaws on Win 7?
I really despair sometimes: By your own admission, you are a Unix/Linux user. Clearly you don't understand the MS eco-system, and care less. You haven't bothered to read the comments correcting the misinterpretation you have adopted. But you feel qualified to comment about "M$" anyway...
Re: This article makes no sense
>So wait, now there are some extra functions you can call in Win8 and not Win7?
It's more subtle than that. You can call these functions on Win8 or Win7 when the next MS C upgrade appears. Or you can write your own version and call it on Linux or OsX. The report is that software using these functions has already appeared on Win8, but not yet on Win7. Standard MS procedure will be that these versions of these functions will appear on supported platforms when software that uses them is re-written. If the purpose of rewriting the software is for a security patch, we expect to see these library functions appear in the Win7 library, as part of a security patch. If the purpose of re-writing the software is a Win8 bug fix or feature upgrade, we don't expect to see that on Win7.
ummm. But this has nothing to do with security patches. Or patches.
And the word "Safe" is used only as a convention for this class of C library functions: it's a bit of a misnomer really: unlike other languages, the "safety" still depends on the programmer programming checks on the length of strings, it just provides a structured way of doing so.
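The point in the post above, that a "safe" string function is only as safe as the size the caller hands it, as an added example. This is not code from the original thread or from any Microsoft library: bounded_strcpy() is a hypothetical stand-in with strcpy_s-style semantics (refuse and return ERANGE rather than overflow), and struct record and its 32-byte name field are constructed for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Added example, not code from the original thread or from any Microsoft
 * library. bounded_strcpy() is a hypothetical stand-in with strcpy_s-style
 * semantics: the caller supplies the destination size, and the function
 * refuses (returning ERANGE) rather than overflowing. The safety property
 * lives entirely in that size argument; the function cannot verify it. */
int bounded_strcpy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) {
        return EINVAL;
    }
    /* Measure src, but never look further than dst_size bytes into it. */
    size_t src_len = 0;
    while (src_len < dst_size && src[src_len] != '\0') {
        src_len++;
    }
    if (src_len >= dst_size) {
        dst[0] = '\0';   /* leave a valid empty string, as strcpy_s does */
        return ERANGE;
    }
    memcpy(dst, src, src_len + 1);   /* includes the terminator */
    return 0;
}

/* A fixed-size record field of the kind these functions are meant to
 * protect (constructed for the example). */
struct record {
    char name[32];
    int  id;
};

/* Correct use: the bound is derived from the field itself, so it can never
 * be larger than the real buffer. Returns 0 on success, ERANGE if too long.
 * If a caller passed a hand-typed constant that was bigger than the field,
 * bounded_strcpy() would overflow just as strcpy() does; that is the
 * programmer's check the post is talking about. */
int record_set_name(struct record *r, const char *name)
{
    return bounded_strcpy(r->name, sizeof r->name, name);
}

/* For comparison: how many bytes a plain strcpy() would have written past the
 * end of a dst_size-byte buffer. Computed, not performed, so this is safe to
 * call; a real strcpy() with these inputs would corrupt the stack or heap. */
size_t strcpy_overrun_bytes(size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;   /* terminator counts too */
    return needed > dst_size ? needed - dst_size : 0;
}
```

The design choice worth noting is that the bounded function truncates nothing silently: an oversize input yields an empty string and an error code, so a caller that ignores the return value gets a visibly wrong result rather than a quietly clipped one.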
The main point is addressed in other posts, but just note that the objections are also arguably invalid. There already exist hardware devices for taking an encrypted stream, and decrypting only the output. The equivalent is obvious: an encrypted program that can be disassembled only on decrypting hardware.
DRM hardware is only protected by legislation, but that's still good enough for one large industry.
>far-fetched that fixing this "mistake" will somehow take another six months, too -
Classic mistake, all too common by management.
Software is not the 'easy part' of a large company.
As demonstrated by the telephone companies that have gone bust because of problems with billing, and the turnpikes that have taken massive stock market write-downs because of problems with billing, and the general business companies that have changed management because of failed BI implementations.
It is easy to underestimate how complicated a simple software change is. It is never as simple as it appears.
Give yourself permission to throw things away
"Kind and resourceful people see potential value in every cracked and crazy thing. Throwing it out may be a waste, but if you can't find and use things in the mess, they are already lost to you. On top of that is buildings and space you cannot use, clarity and beauty lost, wasted.
It's already wasted. You are only gaining by letting it go.
[Cecilia Macaulay, "Lessons from a Japanese Farmhouse makeover"]
Re: Whoa there
>operating systems that do not have built-in support ... WinXP
WinXP has EFS, the Encrypting File System, except in the Home version.
Furthermore, Bitlocker requires TPM hardware, so even if you have the Enterprise Win7, you probably won't have Bitlocker on your home machine.
In terms of functionality, TrueCrypt fell somewhere between EFS and Bitlocker. It allowed you to have a single BLOB containing many things, but that BLOB could not contain your host operating system.
Philosophically, the argument for TrueCrypt was that, as a single blob, it concealed the existence of objects as well as encrypting them.
People who want to conceal their activities may want to look for a new method. People who just want to encrypt may continue to use the native features of WinXP.
insOlation is spelled with an O, as in sOlar.
I wondered what kind of insulation failure they might have had. Thermal insulation? Electrical Insulation? But on reading the article I see that the kind of problem they had was with Spelling Insolation.
Got my email notification today, May 27, which makes it 4 days after this article, 7 days after the announcement.
The email notification was cleverly written in idiomatic marketing speak, to make it look like it came from a third-world scammer.
In breaking news, the vulture gets done for soliciting and aiding a criminal offense...
Re: Copyrights protection for real code vs patents of trivial ideas - what is more evil?
>If that had been mentioned at the time do you think we would have learned Java?
Where were you? MS pulled versions of Win2K -- an operating system just like Android is -- and MS Office, because they had written their own variant implementation of Java -- just like Google has --, and Sun cracked the mads at them.
Re: W. T. F.
Copyright and Patents are BOTH the wrong standards for code. The only reason that code has been shoe-horned into patents or copyright is that both are covered by international treaties.
If people had set out from the start to create a sensible set of logical and consistent laws for code IP protection, they would also have had to set out on a process that took more than a century the first time around: creation of an international IP regime like copyright or patents.
Re: So who gets the money?
>House of Lords used to be full of unelected fuddy duddies that (with a few exceptions) didn't do much
Was full of a bunch of unelected fuddy duddies that, by the miracle of social mobility, was gradually coming to represent average typical people.
Blair's triumph was to replace them with political appointees.
Scott Adams on ISDN
Technically it was a good idea....
"I studied the market for ISDN and calculated all its costs. I found that it was a great technology with no immediate competition and it probably had a large market potential. The only thing that could limit its success was complete incompetence on the part of all phone companies, colossal stupidity by every ISDN hardware vendor, and complete idiocy on the part of the regulatory oversight committees.
It was obvious ISDN was doomed."
From when he was a PacBell ISDN employee.
Only URLs I have problems with are those monsters generated by google when you click on a link.
And then when your google connection drops out, you have to delete a mountain of gibberish to find the URL it is supposed to be indirectly pointing to, to find where you actually want to go.
--should be recorded as a drug-related crime. Odd that the article mentions he was drunk and dope-affected, but you're just left to infer that he was in nicotine withdrawal.
Absolutely typical crime though. Knocks over a servo for whatever change is in the drawer AND CIGARETTES. In fact, how often do you hear of an attempted armed robbery on a service station where they did NOT also steal cigarettes? Not enough money to buy the cigarettes.
It used to be a war-crime to torture POWs by withdrawing cigarettes. Heard a guy bragging about having that removed from the war-crime list: I got the impression he thought it was ok to torture smokers by removing cigarettes.
When I installed Office on Win2K I got current updates for Office, despite the fact that Win2K wasn't just un-supported -- it was kinda "withdrawn" because of the Java settlement.
Re: Keep your "taters" to yourself!
When at University, I always used to help out at the start of each new year, showing the freshmen which way was East. I think it helped.
Re: Yeah no kidding...
>Microsoft does say that there may be situations where .NET must be removed
No, that was a stupid mistake by the journalist. Read the text: MS does say that there may be situations where .NET must be reinstalled from a cleaned base.
Sloppy Shorten makes it up as he goes
Rule 1: Blame Liberals
Rule 2: Make up shit
Rule 3: See rule 1
Re: What story?
>As I recall it, that story was about a DEC VAX/VMS machine. Unlike modern stuff, they did not need patching every week.
"Oh, sure, they're sending out patches. But they're being real quiet about it. They don't want their customers to panic."
[The Cuckoo's Egg]
The migration wizard ... will no doubt improve in time
This surprised me. What is the justification for believing that the migration wizard will be improved?
PS: I won't say that no-one had ever heard of Sybase before MS bought the product. Just that it was a minority.
>NetBank does not (and did not) use OpenSSL
But I think that CommBiz (which is different to Netbank) goes to https://www.my.commbiz.commbank.com.au/.
And Qualys was reporting that the Commonwealth bank had a susceptibility -- now fixed.
Re: Commonwealth bank down today!
Still stonewalling on what the problem was. Which makes it likely that whatever it was, it was an act of stupidity that caused the outage.
Commonwealth bank down today!
Massive failure of their EFTPOS system today. Maybe unrelated. An outside chance that they stuffed up changing their key certificates (as some other people have already stuffed up)-- I'm watching with interest.
Assuming you believe him
>NetBank does not (and did not) use OpenSSL
No indication that he has anything more than a vague idea what is going on, as indicated by his repeated use of the word 'patched', in conjunction with his claim 'never used'.
Since he doesn't seem to know what he is talking about, that could possibly include "we never used the vulnerable versions of OpenSSL"
I'm not a member of LinkedIn. Does it show what his first degree was?
Re: The problem is testing, not coding
>Commercial vendors can afford high quality software testing tools. Open source developers usually don't have these resources,
Coverity "testing solutions are built on award-winning static analysis technology" was doing free testing for security-related O/S projects. I would have thought OpenSSL qualifies.
Re: WTF generic security software FAIL
C'mon Vic...
I asked a question. I got a reply "Windows security is better". You replied to the reply with: "Same to you, with knobs on it"
So, I've followed the thread down, do you have anything to contribute?
Re: WTF generic security software FAIL
Downvote, because you made that assertion without even attempting to demonstrate that you had any kind of knowledge about the question I asked. I don't like to downvote you, but I'd like to encourage you to do better. If you know anything about Linux security, what can you tell us?
WTF generic security software FAIL
>silently siphon passwords, crypto-keys, and other sensitive information from vulnerable systems.
>We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can’t be certain."
I'm not familiar with the OS or the applications, but isn't there a secure memory API like (on the Windows side) "SecureString" or "SecurePassword", "CryptProtectMemory", or "SecureZeroMemory"?
So that you don't leave passwords, crypto-keys and other sensitive information in memory for generic memory-recovery attacks to harvest?
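The discipline the post above is asking about, keeping key material out of memory once it is no longer needed, as an added example. This is not code from the original thread or from the software in the article, and it assumes neither SecureZeroMemory nor explicit_bzero is available, so it uses a portable volatile-pointer scrub instead; the 16-byte key, struct session and the two teardown routines are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the original thread or from the software discussed.
 * A plain memset() just before a buffer goes out of scope or is freed is a
 * dead store that the optimiser may legally delete, leaving the secret in
 * place. Writes through a volatile pointer cannot be elided. Platform APIs
 * (SecureZeroMemory on Windows, explicit_bzero on the BSDs and glibc) exist
 * for the same job; this portable version is used here as an assumption
 * that neither is available. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Hypothetical key size for the example. */
#define KEY_LEN 16

/* A session object holding key material in memory (constructed). */
struct session {
    unsigned char key[KEY_LEN];
    int in_use;
};

/* Simulated key load. The bytes are a constructed sample, not a real key. */
static void session_start(struct session *s)
{
    static const unsigned char sample_key[KEY_LEN] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
        0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10
    };
    memcpy(s->key, sample_key, KEY_LEN);
    s->in_use = 1;
}

/* Careless teardown: the session is marked finished but the key stays
 * in the struct, where any over-read or memory-scraping bug can find it. */
static void session_end_leaky(struct session *s)
{
    s->in_use = 0;
}

/* Careful teardown: scrub the key before the memory is reused or freed. */
static void session_end_scrubbed(struct session *s)
{
    secure_zero(s->key, KEY_LEN);
    s->in_use = 0;
}

/* Number of non-zero key bytes still recoverable from the struct, i.e.
 * what an attacker reading this memory after teardown would get. */
static size_t residual_key_bytes(const struct session *s)
{
    size_t count = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        if (s->key[i] != 0) {
            count++;
        }
    }
    return count;
}

/* Drivers so the two teardown styles can be compared directly. */
size_t demo_leaky(void)
{
    struct session s;
    session_start(&s);
    session_end_leaky(&s);
    return residual_key_bytes(&s);   /* all 16 key bytes still present */
}

size_t demo_scrubbed(void)
{
    struct session s;
    session_start(&s);
    session_end_scrubbed(&s);
    return residual_key_bytes(&s);   /* 0 */
}
```

Scrubbing narrows the window but does not close it: the key is still readable between session_start() and session_end_scrubbed(), and any copies the code made along the way (temporaries, registers spilled to the stack, buffers handed to a library) need the same treatment. The memory-disclosure bug in the article would still see whatever is live at the moment it fires.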
A single ESXi host is really only any good...you need vCenter
I agree. But I seem to be surrounded by people that think having a free VMware hypervisor, or two free VMware hypervisors, is somehow a good thing.
Are we missing something?
>Everyone with even an ounce of technical knowledge or telco/ISP experience knows that full fibre replacement was the only way to build a network for the next 50 years
I have both, and I know that FTTN was sold to the Aus electorate as Business, Health, and Education. Which was BS from the very start. It was always going to be the replacement for FTA analog TV. And the pricing was BS as well.
A system that couldn't honestly be justified on Price or Content, and you're angry, dammed angry? You should be angry about being made a fool of in the first place.
Heartbleed exposes a generic problem
Recovery of data from memory has been demonstrated many times by increasingly sophisticated malware. So the real question isn't "why wasn't this exploit detected by static analysis from Coverity?", but why on earth is Open Source/Linux/BSD software leaving vulnerable information in memory in the first place?