144 posts • joined 15 Aug 2009
Re: "Reddit users discover jailbroken iOS malware threat"
"Here's the most recent iOS security white paper which shows the attention to detail Apple puts into the implementation of iOS security. Jailbreaking compromises it.
Yeah - what a ridiculous idea: wanting to use your iThang the way you want to rather than what is proscribed.
I'm not going to bother reading the pdf - I'm sure it's really reassuring ... if you have no idea about software bugs or system security in general.
Get a grip.
PS OK I will read the PDF ... (less than 10 mins edit time later) Ahh, I see this under VPN:
• PPTP with user authentication by MS-CHAPV2 Password and RSA SecurID or
Yep - that's reassuring. Just don't use it kids.
Wonder if Oracle Forms will move into the 21st Century? Imagine not getting queries about fixing snags with a JRE 1.6. Never mind - I'm sure there is a simple migration path to something more modern.
Thank the good Lord for this sort of enlightened closed source crap. It's how Enterprise works - hallelujah.
In a few years time you kids will end up like me. This is what the real world is like - and it costs a bloody fortune for my customers. I only get to try and repair the damage caused by the difference between "open" and reality in a browser.
At least if you use the latest trendy open source stuff, the lunch bill let alone the license bill is rather less.
You can keep your f******* Enterprise grade bollocks to yourself
Damn this boring old finite world.
Their sales increase in quantity but their individual sale value decreases - well that's in the "core" business. Meanwhile they have bought an awful lot of IP along with various vanity stuff.
I defy anyone to actually give G a real representative value - they are properly odd and highly intelligent at the same time. That is either a recipe for success or big fail. My (fairy) money is on the former.
Actually, they are spectacularly successful in pretty much all real world measures, apart from - apparently - in the eyes of a bunch of financial xfuckwitsx wizards.
So this kill switch is
... a bit like a pencil without the graphite bit: POINTLESS
Was it in doubt?
I can remember always *knowing* that "the mounties always get their man" - and I've never even been to Canada.
PS I have actually been to Canada - as a foetus, but that was some time ago. I'm 43 now! Mum said it (Canada) was lovely.
"The new build of SQL is designed to handle all data in-memory, a shift that would increase processing times by a factor of thirty, Nadella claimed."
Err, I don't think so and the simplistic fallacy: sizeof(RAM) < sizeof(hard disc).
I believe it can keep a particular table type in RAM without a persistent backing store but not all data. With enough batteries and generators and clustering of your RAM based tables and trickling back to rust/SSD, that could be quite nifty if handled very carefully.
Still, it makes a nice marketing epithet. I'm sure no other DB does that already ...
Re: Where have all the fanboyz gone
I call bollocks.
It's Patch Tuesday this week - and we've still got a load to do. Patching the OpenSSL implementations was a doddle that I did yesterday and last night with a glass of wine and an awful lot of screen sessions. Oh, and a Puppet module for the big stuff.
At one point I had 15 odd ssh sessions going - try that with RDP to click on the wanky yellow shields and then wait for the reboot. I had an editor with a selection of command recipes to paste straight into the command line: update library, check for modules in RAM using lsof and restart services with older OpenSSL libraries open.
I'm going to enjoy the weekend - you won't.
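The "check for modules in RAM using lsof and restart services with older OpenSSL libraries open" step from the post above, as an added example that is not the poster's own recipe. It parses `lsof -n` output: on Linux, lsof marks a memory-mapped file whose on-disk inode has been replaced by a package upgrade with FD `DEL`, or appends `(deleted)` to the path, and every process showing that for libssl/libcrypto is still running the unpatched code. The lsof sample below is constructed, not a real capture.

```python
"""Added example, not part of the original post: find processes that are still
running an old libssl/libcrypto after an OpenSSL package update, by parsing the
output of `lsof -n`. On Linux, lsof marks a memory-mapped file whose on-disk
inode has been replaced by the upgrade with FD "DEL", or appends "(deleted)"
to the path. Every such process is still executing the unpatched code and must
be restarted before the host is actually fixed."""
import re
import shutil
import subprocess

# Libraries of interest; widen this if you also ship e.g. libgnutls.
LIB_PATTERN = re.compile(r"lib(ssl|crypto)[^ ]*\.so")


def stale_ssl_processes(lsof_output):
    """Return sorted (pid, command) pairs whose lsof lines show a libssl or
    libcrypto mapping that has been deleted or replaced on disk.

    lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME. DEL lines
    may omit SIZE/OFF, so only the leading columns are trusted and the rest of
    the line is treated as the name."""
    found = set()
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "COMMAND":
            continue
        command, pid, fd = fields[0], fields[1], fields[3]
        tail = " ".join(fields[4:])  # NAME may be followed by "(deleted)"
        if not LIB_PATTERN.search(tail):
            continue
        if fd == "DEL" or tail.endswith("(deleted)"):
            found.add((int(pid), command))
    return sorted(found)


# Constructed sample of lsof output (not a real capture). apache2 and exim4 map a
# replaced library (DEL); nginx maps an unlinked one ((deleted)); sshd is clean.
SAMPLE_LSOF = """\
COMMAND   PID        USER FD   TYPE DEVICE SIZE/OFF    NODE NAME
apache2  1234    www-data DEL  REG     8,1          1234567 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2  1234    www-data mem  REG     8,1  2047536 1234568 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx    2345        root mem  REG     8,1   402568 1234569 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
sshd     3456        root mem  REG     8,1  1853400 1234570 /lib/x86_64-linux-gnu/libc-2.13.so
exim4    4567 Debian-exim DEL  REG     8,1          1234571 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
exim4    4567 Debian-exim DEL  REG     8,1          1234571 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
"""


def live_check():
    """Run lsof on this host (Linux; run as root to see every process)."""
    if shutil.which("lsof") is None:
        return []
    proc = subprocess.run(["lsof", "-n"], capture_output=True, text=True, check=False)
    return stale_ssl_processes(proc.stdout)


if __name__ == "__main__":
    for pid, command in stale_ssl_processes(SAMPLE_LSOF):
        print(f"restart needed: pid={pid} command={command}")
```

Run it as root after the library package has been updated, restart whatever it lists (init script, Puppet, whatever you use), and run it again until the list is empty. Two caveats: a service that was started from a stale copy it dlopen'd from somewhere other than the system library path will not match the pattern, and on Linux `grep '(deleted)' /proc/*/maps` gives the same answer without lsof.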
Re: HMRC will be interested
HMRC might be in the UK.
However this is in Australia and they have the <Google/> ATO and probably state tax gatherers.
Re: Could heartbleed be in any way related to the windigo botnet?
SSH != SSL
Re: This didn't occur to me immediately
The server is vulnerable.
Re: not older kit?
It is pretty unlikely that SOHO gear is actually running 1.0.1. They are generally MIPS or ARM things that run some sort of ancient cut down *BSD. However, I would look at your NASs closely - QNAPs run Linux of some sort for starters. These quite often offer themselves up to the outside world for file sharing n cloudy cobblers.
pfSense 2.1.1 is not vulnerable and was released especially for this - it has 1.0.1g on it as well as a 0.9.x series for other stuff (don't ask!)
@David W - You used the term "gasoline" so are clearly not from around here 8)
I note that the US et al. has a lower standard RON than the UK according to http://en.wikipedia.org/wiki/Octane_rating although I seem to remember that we actually have 95 as standard and 98 is the fancier and more expensive stuff.
Perhaps (and I am making a pretty massive leap of supposition as to your country of origin) you are already in the grip of homeopathic gas peddlers - do you find that your car suddenly starts to work when it's refuelled ?
Time gentlemen, please.
I suspect that by including time as an integral component of his model, that will make it a much better model than others that don't. Time is incredibly important to us and how we operate.
However I don't think that time is an inherent component of the operation or intelligence of the brain. I think it is an emergent property that arises from its operation. I think our perception of the passage of time is just that - a perception. There is a passage of time, it's just not how we perceive it. I certainly don't have an ntp daemon in my noggin.
Including time as part of the model may cause the model to improve to the point where it can eventually be removed as part of the input and processing and emerge as an output instead - now that would be seriously impressive.
PS Has anyone else noticed the Feynman reference?
I've just had a recent bash with Wine Is Not an Emulator on my smart new Haswell G4 based laptop. I had to run winetricks as per the very simple wiki entry to install MS's DirectX 9 redist and all of a sudden a reasonably modern game runs full wide screen, silky smooth with audio and everything.
OK I'll come clean, it's one of those hidden object jobbies (it's for the wife - honest!)
WINE is simply amazing given what they are trying to achieve. It's way more ambitious than a hypervisor (have you ever tried to even use the Win32 API - now imagine trying to translate it on the fly to another API) and the pay off is incredible performance, often exceeding the original.
All that said, I think that you can pretty much assume that WinXP is near enough fully covered by WINE, with winetricks and some workarounds.
For all else run up a KVM or use a native Linux application.
If you are wondering how on earth a plane can simply vanish then what about this: http://en.wikipedia.org/wiki/MV_Lyubov_Orlova
That's a rather large ship that was drifting around the Atlantic for some time, presumed sunk now. For over a year attempts were made to find it, in vain.
Re: Good performance? Scalable?
> So, Java is compiled on the client machine, able to optimise specifically to the host CPU..
Near enough but it has to do it quickly and may skip a fair few optimizations that a multipass compiler can do.
> unlike C/C++ that has to work on the lowest common denominator. I take back what I said about it ;)
Not on my machines at the very least. You're thinking of closed source things that have to be backward compatible or *nix distros that want to do the same.
My CFLAGS environment variable on my machines includes "-march=native". On the laptop I am typing this on, that means optimize for Haswell G4. I'll bet your system isn't compiled to that degree of ridiculously modern!
So, it is not a failing of C/C++ but merely how the output is intended to be used. MS could release a version of Windows which will only run on the very latest CPU.
Now it's also not that simple either.
You can include multiple code paths that depend on the CPU flags available. Your binary will get commensurately bigger though but it will run on your lowest supported CPU but take advantage of newer stuff.
Put 50 million odd records in an Elastic Search database and then see whether Java is slow 8) Try it - it's free. Or try out MongoDB (can't remember if that one is Java - think so). While you are at it run up Logstash and Graylog2. A mass of Java and bloody fast. I ran that lot on my desktop PC for a demo for a few weeks (quad core old Intel processor, 8GB RAM, one SATA disc (with some SMART failings)) with Postgres, MariaDB, Apache, and a Jasper Reporting set up in the background whilst I crack on with work on KDE in rather nice 3D accelerated desktop across multiple monitors.
Whoever above mentioned the installer needing an old JVM may like to notice that it can be installed in a CLI from a .tar.gz or .zip or whatever.
I'm a tool
If you don't monitor your systems you will be toast. My little firm looks out for >1000 servers and systems. Our Icingas et al have around 5000 odd services being monitored, disc space, service/daemon status, AD, DNS, NTP, Equallogics, ESXi, Cisco/Dell/HP/Netgear switch statuses, UPS and many many more including backups. If it's switched on and provides a service, we monitor it.
Nagios/Icinga/Check_MK/NagViz/Nagstamon are my current weapons of choice. I've tried the lot and none comes close. Having said that OpenNMS is looking promising again - I'm probably due another go, the last one was a couple of years ago. If you are a Windows bod then give Spiceworks a go. It's very good.
Netdisco - brilliant if you have a lot of CDP talking network gear. Bit of a pest to get the dependencies sorted out at install. A doddle to use and maint free.
WireShark, nmap - Windows versions are available - compulsory if you go anywhere near a network
Gentoo Linux - mmm compilers n USE flags. Funnily enough my smart new laptop can update itself faster from source code than many Windows update sessions I endure! LibreOffice in an hour and a kernel compile in a fag break. Of more use to the usual mob around here - grab a copy of the System Rescue CD. It will save your bacon one day, even if it's simply resetting a forgotten Windows password. That's as close as many will want to get to Linux, but just get it.
Exim, ClamAV and SpamAssassin. Right, that's email sorted. All of that will run on Windows incidentally. Exim can be a bit tricky to set up. Just Goo-Bing-Hoo for a recipe. It can do things with email routing that is amazing. Great to put in front of the usual corporate mail systems thing and rather handy for migrations from one to another system or corp mergers.
Security Onion - it's big and very clever. It will eat disc space if allowed but is a neatly packaged IDS/IPS etc. Expect to spend some time tuning it though.
Graylog2 + ElasticSearch + Logstash. They are all a doddle to install. Logstash can take some configuring. Use nxlog on your Windows servers and send their events using GELF to Graylog. Graylog etc running on my desktop PC (it was top of the line five years ago) for eval ate our external router's Netflow output plus a couple of DCs event and a slack handful of other Win servers plus a mail log and our telephony server logs and Squid logs. Well you get the idea. I run X Windows and KDE on top of that with no slow down. Oh and the query speed is phenomenal. I got up to 40 million records and queries still run in a very few seconds.
FreePBX distro. I can jimmy up a telephone exchange in a VM in under 30 minutes from slapping in the ISO. That includes external trunks and a handful of extensions.
pfSense - it's an amazing firewall, router and VPN concentrator. Works nicely in a VM.
Pretty much everything I've mentioned here is Open Source.
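The "send their events using GELF to Graylog" item above, as an added example that is not the poster's own configuration: what a GELF 1.1 message looks like on the wire when a shipper such as nxlog sends a Windows-style event to a Graylog UDP input, including the gzip step and the chunk header used when a message does not fit in one datagram, plus the matching decoder. The host name and the event content are constructed for the example.

```python
"""Added example, not part of the original post: the GELF 1.1 message format
that nxlog and similar shippers use to get events into Graylog, built from a
constructed Windows-style event, gzipped and split into GELF UDP chunks, plus
the matching decoder. Host name and event content are made up for the example."""
import gzip
import json
import os
import struct

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # first two bytes of every chunked datagram
MAX_CHUNKS = 128                 # GELF limit; larger messages need TCP/HTTP
DEFAULT_CHUNK_SIZE = 1420        # payload bytes per UDP datagram; fits a 1500-byte MTU

# Map a source severity onto the syslog levels GELF expects (0 emerg .. 7 debug).
SYSLOG_LEVELS = {"Error": 3, "Warning": 4, "Information": 6}


def to_gelf(host, event, timestamp):
    """Build the GELF dict. Required: version, host, short_message. Every
    extra field must be prefixed with '_'; '_id' is reserved and is dropped."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": event["message"].splitlines()[0],
        "full_message": event["message"],
        "timestamp": timestamp,      # seconds since the epoch, may be fractional
        "level": SYSLOG_LEVELS.get(event.get("severity"), 6),
    }
    for key, value in event.items():
        if key in ("message", "severity", "id"):
            continue
        msg["_" + key] = value
    return msg


def chunk_gelf(payload, chunk_size=DEFAULT_CHUNK_SIZE, message_id=None):
    """Split a payload into UDP chunks: magic(2) message_id(8) seq(1) count(1) data.
    A payload that fits in one datagram is sent unchunked."""
    if len(payload) <= chunk_size:
        return [payload]
    message_id = message_id or os.urandom(8)
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message needs more than %d chunks" % MAX_CHUNKS)
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def encode_event(host, event, timestamp, chunk_size=DEFAULT_CHUNK_SIZE):
    """JSON -> gzip -> datagrams, ready for sock.sendto() to a Graylog GELF UDP input."""
    body = gzip.compress(json.dumps(to_gelf(host, event, timestamp)).encode("utf-8"))
    return chunk_gelf(body, chunk_size)


def decode_gelf(datagrams):
    """Reassemble chunks (if any), gunzip and parse, as the receiving input does."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        payload = datagrams[0]
    else:
        parts, count = {}, 0
        for d in datagrams:
            if not d.startswith(GELF_CHUNK_MAGIC):
                raise ValueError("mixed chunked and unchunked data")
            seq, count = d[10], d[11]
            parts[seq] = d[12:]
        if sorted(parts) != list(range(count)):
            raise ValueError("missing or duplicated chunks")
        payload = b"".join(parts[i] for i in range(count))
    return json.loads(gzip.decompress(payload).decode("utf-8"))


# Constructed sample event, shaped like a Windows Security log entry.
SAMPLE_EVENT = {
    "message": "An account failed to log on.\nAccount Name: jsmith\nLogon Type: 3",
    "severity": "Warning",
    "event_id": 4625,
    "channel": "Security",
    "source_name": "Microsoft-Windows-Security-Auditing",
}

if __name__ == "__main__":
    datagrams = encode_event("dc01.example.internal", SAMPLE_EVENT, 1397000000.0)
    print(len(datagrams), "datagram(s);", decode_gelf(datagrams)["short_message"])
```

The custom `_event_id`, `_channel` and `_source_name` fields are what you end up searching on in Graylog, so keep their names stable across shippers. Note that GELF over UDP gives you no delivery guarantee and chunks must all arrive within a few seconds or the message is dropped; for a DC's security log, where a gap is itself a finding, prefer the TCP input.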
Re: I just bought an IBM server blade for forensic experimentation
Interested to hear how you intend to profile what the CIM jobbie is upto. Obviously you can watch its net traffic which would be fun up to a point.
Just in case anyone reading here has never thought about it: iLOs (HP) DRAC (Dell) etc etc are able to do things like checkpoint their host and read the RAM contents without the host or its OS being any the wiser that anything is happening.
Read this http://fish2.com/ipmi/itrain.pdf for a more involved write up on these things. It's quite long and a bit idiosyncratic but a good wake up call for any sysadmin who might not have even bothered with a VLAN or two for them.
Londres is the fifth or sixth largest French city (cite: Heard on R4)
Anyway, how on earth can there be a proof of "There are too many ..." ?
Re: Allow me to comment on another country's practices
Nasty, nasty manufacturers 8) I hope all your up voters noted where your tongue was lodged ... oh and I missed a n in shouldn't.
Anyway, I tried to buy a car recently and the Ford dealership around here (Yeovil) managed spectacularly to fail to do that simple job despite us trying our best to get them to do so. We were keen on the Fiesta - it won all the awards in the class of car we were interested in and we wanted to simply go on a test drive.
They failed quite impressively in several areas: firstly they were closed on Sunday - me and the missus work for a living as do they but we have spare time at weekends and hence car floggers need to be available at weekends, all weekend unfortunately (they can always do shifts, that's what my company does); secondly the salesperson seemed incapable of noticing that the real customer was my wife and not me.
I won't bore you any further but it would have been nice to be able to directly buy from Ford but I can't without the wiff being able to test out whether she's happy driving it.
So how would Tesla manage that situation?
Are they unable to open their own dealerships a la Ford et al in the UK (look: I got three languages in there, one extinct) - how does it work over there ?
I've been to to the US a few times and their car flogging setup looks pretty similar to ours - what am I missing?
Allow me to comment on another country's practices
Does seem a bit dodgy - why shouldn't they flog their motors directly?
Here in the UK, you generally buy a car from err a franchised dealership but I'm pretty sure you could go to the manufacturer directly, who would probably point you to the nearest franchised dealership. However, I do know for a fact that I could go and see Ariel and buy an Atom directly from them (I live in Somerset rather close to the Ariel works)
If you want to sell your house, you could do the usual thing and engage an estate agent (en_US:realtor) or you could put up your own "for sale" sign and advertise in the local rag.
I could probably ring up Dyson and buy a hoo....err... vacuum cleaner.
I don't think I can ring up Sony in Wales and get a Raspberry Pi though. Hmmm
So, in general, if you make stuff I think that you can and should be able to sell it direct to the consumer if you want to without having to subsidise middle-men unless they add value to the supply chain in your opinion (increase sales, take on support burden etc.) By the way I own a middleman business ...
Now that is here. In the US it might be different. I've just dug out a few examples, I'd love to hear whether there are real differences over there on how you can flog stuff. I'm pretty sure if I wanted a little something from the more expensive end of IBM's product list in the US I would be looked after by an IBMer directly.
Now I think about it, are there any UK examples like this whereby a sort of artificial business model is protected like the auto dealers in the US?
PS I do understand this is not a federal thing - it's individual states being daft.
Haven't seen an NSA/GCHQ angle mentioned yet
If I was running say a shadowy n-eys type organisation, which say had recently received some quite bad press for hoovering up vast amounts of data, then I might do something like this:
Devote a vanishingly small part of my operational capability (and budget) to tracking down the perpetrators of things like this and pass on details to the relevant civil authorities such as the police for arrest and charging. The results would be published widely and eventually attributed to my (shadowy etc etc) organisation.
It would be useful training for new recruits in my cyber division and be unlikely to reveal any funky operational capability to my oppos in other (shadowy etc etc) organisations. Mr Snowden has already done quite a lot of that - the real me rather than the shadowy me is grateful for that by the way.
Instead of blustering about how law abiding my (shadowy etc etc) organisation really is - honest, I personally would be going on a charm offensive, if I was half as clever as I am supposed to be, I'd do a bloody good job of it as well ...
If I did this my Icinga (ne Nagios) monitoring system would go berserk. Surely they have more monitoring than simply millions of Twatters ....
I wouldn't mind if it was actually useful. It's yet another example of an IT memory test. Absolutely no indication of technical ability. If you need to know config maximums, then pull out the docs.
Your tree rodents must be pretty tough beasties.
I thought we had US imported grey squirrels here but they just munch on nuts. You must have a newer uber hard breed over there that eat plastic and copper. Please feel free to keep them. Our native reds have been turfed out of most of the UK and the relatively new black ones don't chew metal as far as I know.
Besides what kind of mad critter chews on the thing supporting it up in the air ...
Re: The IKEA 'Splosh': now available with 4 or 6 drawers in a range of colours
I'll just clean my keyboard - thanks to your comment - and get on with my day.
Layer 3 *is* the new Layer 2.
RFC3514 does actually seem to allow for this by being a bit vague and covering things like MIME types as well. I'm sure an evil bit can be set in this new funky rubbish scheme. They could always follow the requirements for IPv6 as a template ...
Of course there's a back door
Of course there's a back door - it's the front door: Windows Update. Simply send a special update to specific machines.
No need for MS to confess to a feature that's always been there in the open. Even if they are not actually complicit in this, it would not be too hard to add a man in the middle additional service in the deployment tubes or mess around with what Akamai actually send down to a machine.
Pick your conspiracy.
It's a lot easier to hack a website when the sysadmin/webmaster uploads your code for you.
Many security conscious admins use SFTP and FTPS instead of FTP and FileZilla is a convenient client for this for Windows and Linux alike, even though Linux has many other clients generally already built in. It can be used as another crossover feature for an ex-Windows bod.
Does the Linux version have this additional feature?
I'd say this *could* be a big deal for the unwary.
Do marketeers and other noddys have any idea just how small a quantum leap (http://en.wikipedia.org/wiki/Atomic_electron_transition) is?
Is security really rocket science?
Why does this still happen with monotonous regularity to the big boys?
MS have access to some seriously clever chaps who know how to secure stuff. In this case it's just a blog so how hard can it be? Oh and email accounts - how daft are MS front line staff?
Surely MS might learn the "something you know and something you have" mantra eventually. They could always pop in "something you are" as well but that would not really be necessary for this.
Why not buy a few 100,000 RSA tokens? - they're NSA approved.
Security is still optional in this company despite one of the earliest, widely publicised screwups I can instantly recall being Cisco branded internet facing routers that were left with default passwords - hilarious results. To be fair - my memory might be failing - the actual fault might have been a flaw in IOS that was exploited. I'm still pretty sure it was stupid passwords.
I also find their "best practice" mantra that they try to ram down your throat demeaning - there is no such thing as "best practice". There is "good practice" and "bad practice" in IT security - but no best.
Re: What does this solve?
As well as advanced tap to pay gadgets in the US I note that your standard card payment systems now have a signature digitiser pen 'n' tablet these days.
Imagine my horror on being presented a tablet to sign on spending around $400. Most of the rest of the world I have visited have these things called PINs and we don't write them on the card. Admittedly they are open to abuse: silly PINs like repeated digits but they are not actually written on the card for all to see.
I haven't signed the back of a card in years - why would I?
Luckily the child behind the counter didn't actually check my card anyway and instead took the opportunity to congratulate me on my command of English - me being a foreigner - which must have been good enough to be impressive.
I didn't have the heart to explain that my nationality is nominally called English after my country of birth: England - one of the bits of the rather complicated UK of GB n NI agglomeration. I was simply glad to escape with my legitimate purchases having bypassed a security system that made me really want to cry.
You see: My job has a rather major IT Security component.
What kind of cruel and unusual punishment does a "rapid-cadence philosophy" involve?
The quotes are missing from the article, hence I can only presume Mr McAllister has originated the term.
Impressive histrionics all 'round for a mere patch.
Re: Debug That Sir!
I suspect the logs will be unchanged. I think this thing is basically a reverse web proxy that fiddles with the URLs. Perhaps a little like a NAT for http (shudder).
Finally China catches up
I believe that Google and Facebook at least require this as well. Admittedly its not a legal requirement but I believe it is a term of use that your account is in your real name.
Why attribute to malice ...
Why attribute to malice that which can be more easily caused by incompetence?
What about a DNS filter update gone wrong. I can't believe that part of the GFoC doesn't include DNS level filtering.
It's so much easier and cheaper to filter DNS than a massive layer 7 deep packet jobbie which would be the final stage in their filter. There's probably some pretty serious transparent proxying in there as well.
Head off the bulk of naughty traffic at the DNS lookup stage and the rest of your filters need not be quite so powerful as they otherwise would need be.
I earn an awful lot more than that doing something called "work". To increase the amount I take home I do "overtime".
Get rich quick fiddling with BTC? Bollocks!
Re: Van or De?
>Norman French speaking natives but some of us poor foreigners, do care <sniff>
That would be French, German, Anglo-Saxon, Latin n Greek (plus quite a few other inputs). Why we call it English is a bit of a puzzle. Anyway, English is formally a Germanic language.
If we are going to get anal, feel free to explain why you misused a comma (before "do care") and viciously abused an innocent hyphen. I think you meant: half Norman/French - which is a fair description of those folk that popped over in 1066 and gave the "natives" a kicking, rather than the modern locals.
Mind you, I'd love to be able to be pretty fluent in another language rather than simply get by in three and embarrass myself in many others, so perhaps I'll hold your coat.
3 -> 2
It shouldn't be too hard too justify to yourself that people directly connected to terrorists are themselves obviously terrorists, should you be of that frame of mind.
Reclassify the previous one step away numbers as belonging to "ring 0". Now two steps embodies the same data as three steps and complies with the new requirements.
Why on earth is it a .com address?
It should be .gov.uk. My internal alarm bells go berserk when a URL looks wrong and a UK Govt related/sponsored/whatever website with .com on the end looks wrong.
Everyone gets the too late message
If it was recruiting for biz then that firm would probably have de-cloaked by now to a mediagasm of ridiculous proportions.
My money is on a security agency and that everyone gets a too late message at the end. Some finishers might be approached however.
If you have rather a lot of access to internet traffic (raw, logs, and metadata) then working out who is a real solver of the riddles and who is merely following on would be trivial.
Hope it doesn't give you "(i)Ring-(i)Sting"
Come on Reg, if you are going to drop terms like that, tell us what they mean.
I (personally) know what the individual bits of that phrase mean but a bit more might be nice. A quick Google gives me lots of marketing puff - it's a faster *DSL with knobs on. You lot are reporters and should be better informed than me.
@AC 2055 (GMT) Boston Resident
Thank goodness that the fabled American Dream is not dead - your comment is the first concrete example I've seen in a while that can be encapsulated that way.
Nice to see.
PS I lived in a town for many years that features in your treasured folklore - Plymouth (Devon - not MA) and Thanksgiving respectively. Boston is of course in Lincolnshire. In the UK we can't even type Massach ... whatever, without a squiggly red line appearing 8)
More research required
If I knew how to do it, I'd verify that certain distros are actually affected by this bug and someone hasn't somehow inadvertently fixed it for binary release.
I wonder if there is a sufficiently sophisticated news outlet lying around, who could take this story to an Al fixated milliner's fulfilment?
PS. RHEL/CentOS, SLES et al. would be a good start
First they came for the DNS
For now it seems that simply bypassing your ISP's DNS servers will fix the problem. I haven't used one of those for years. For most people however, setting up BIND/PowerDNS/MS DNS is a bit much!
This list will get you started:
If you don't know how to set this at your router, then set it on your client machines - a simple Google will get you how to do this in nauseating detail.
However, when 53/udp to "unauthorized servers" gets blocked, start to worry. Then look out for deep packet inspection that blocks unauthorized protocols and content ...
My watch charges at 93M miles!
Citizen Eco - solar trickle charged. Had it for over eight years and it has never stopped.
Simple trumps fancy in my view - it's a pain sorting out phone chargers without having to worry about a watch as well.
Outlook doesn't help
Outlook makes it really hard to read the headers. However even if you could very few folk know what they are looking at.
It would not be hard for a mail client to flag emails where the various addresses don't stack up and the referenced domains in URLs don't match the email domain. The client could deref the URLs from the HTML and display exactly what you will click on and even change them to plain text when they are not in the domain that sent the email.
It is not foolproof and the downsides - eg "legit" spammers (eg estate agents and other businesses who bulk email) being forced to properly identify themselves all the way through are not too onerous.
Hmm, need to think about this a bit and see what I can do with Exim and a new filter I can feel coming on ...
To be honest a simple filter that turns hrefs into plain text will go a really long way and that should be a doddle.
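The filter the post above sketches, as an added example that is not the poster's Exim filter: it parses a raw message, takes the From: domain, compares it with the host of every href in the HTML body, flags links that go elsewhere (and links whose visible text is a URL on a different host from the href, the classic phishing trick), and rewrites the flagged ones to plain text so there is nothing to click. The sample message and all its domains are constructed; nothing here is tied to Exim or Outlook.

```python
"""Added example, not part of the original post: a filter of the kind the post
sketches. It parses a raw message, takes the From: domain, compares it with the
host of every href in the HTML body, flags links that point elsewhere (and links
whose visible text is a URL on a different host from the href), and rewrites the
flagged links to plain text so there is nothing to click. The sample message and
its domains are constructed; nothing here is tied to Exim or Outlook."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a bare hostname.
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def registrable(hostname):
    """Crude organisational domain: the last two labels. Fine for the example;
    a real filter should use the Public Suffix List (co.uk, com.au ...)."""
    labels = (hostname or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkRewriter(HTMLParser):
    """Re-emit the HTML, keeping <a> tags on the sender's domain and flattening
    every other link to 'text [href]'. Findings are (href, reason) pairs."""

    def __init__(self, sender_domain):
        super().__init__(convert_charrefs=True)
        self.sender_domain = sender_domain
        self.out, self.findings = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())        # <br/> and friends

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._finish_link()
        else:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        (self._text if self._href is not None else self.out).append(data)

    def _finish_link(self):
        href, text = self._href, "".join(self._text).strip()
        self._href = None
        host = urlparse(href).hostname
        if not host or registrable(host) == self.sender_domain:
            # relative/anchor links and links on the sender's own domain: keep
            self.out.append('<a href="%s">%s</a>' % (href, text))
            return
        reason = "off-domain link"
        if URLISH.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if registrable(shown) != registrable(host):
                reason = "visible text says %s, href goes to %s" % (shown, host)
        self.findings.append((href, reason))
        self.out.append("%s [%s]" % (text, href))


def check_message(raw):
    """Return (findings, rewritten_html) for a raw RFC 822 message; html is
    None when there is no HTML part."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registrable(msg["From"].addresses[0].domain)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return [], None
    rewriter = LinkRewriter(sender_domain)
    rewriter.feed(part.get_content())
    rewriter.close()
    return rewriter.findings, "".join(rewriter.out)


# Constructed sample: one legitimate link, one look-alike, one bulk-mailer link.
SAMPLE_MESSAGE = """\
From: "Acme Bank" <alerts@acmebank.example>
To: customer@example.org
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready: <a href="https://www.acmebank.example/statements">view it</a>.</p>
<p>Please visit <a href="http://acmebank.example.attacker-site.example/login">https://www.acmebank.example/login</a> to confirm.</p>
<p>Unsubscribe <a href="https://mailer.bulk-provider.example/u/123">here</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    findings, html = check_message(SAMPLE_MESSAGE)
    for href, reason in findings:
        print("FLAG:", reason, "->", href)
    print(html)
```

The From: header is attacker-controlled unless SPF/DKIM says otherwise, so this only tells you that the links disagree with what the mail claims to be, which is exactly the signal the post wants surfaced. As the post notes, the cost lands on "legit" bulk senders whose links go through a tracking domain; they get flattened to plain text too, and the two-label `registrable()` shortcut will mis-group co.uk style domains, so swap in the Public Suffix List before putting this in front of real mail.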
Re: pick a pipe of pickled pepper
Absolutely - a peck is a unit of volume (two gallons I think), whereas you wouldn't want to stuff any quantity of peppers in a pipe.
I'll cite my granddad rather than Google - a Devonshire farmer who routinely mentioned pecks and told me what one was.
>>>>"They would probably give up looking, close their eyes (yes... the whole country) and stick a pin in a map - and say "that's where it is""
>>Wow! You got the majority of US citizens pegged true!
Not half as depressing as me noting that rather a lot of my fellow GB dwellers are just as geographically challenged as our hilarious stereotypical Merkin.