* Posts by Pascal

130 posts • joined 25 Dec 2009


Facebook's own TLS cert used by crooks in double logon phish

Pascal

Facebook and Google IDs are both more and more used as a sign-in alternative to creating local accounts by a LOT of online services. You know, for user convenience and ease of development (offload authentication and account management to Facebook = save days of work!)

So besides the obvious "high % of Facebook users will use the same password everywhere" and "their Facebook email will be behind the password recovery scheme of other sites", the actual Facebook ID itself is quite valuable - it would take seconds to test every phished credential against hundreds of sites where valuable things might be stored.


'No password' database error exposes info on 93 million Mexican voters

Pascal

Voters database *in the cloud*?

Shame on whoever is responsible for this incorrect config cock-up.

How can the setup / configuration of a database of all citizens be left to a single guy (or have no review / audit policy of any sort in place, given that even the simplest "IT security for Dummies" check would have caught that)?

And then, how is it even acceptable that such an official database be hosted in the cloud, by Amazon, in the first place? I'm pretty sure item #1 on most governmental data security policies is "don't upload private citizen data on Amazon or Google"...


Storage with the speed of memory? XPoint, XPoint, that's our plan

Pascal

Re: That table again...

> Seek time has nothing to do with rotational speed as it is a measurement of time taken to move the read/write heads from one track to another and average seek time is approximately the time taken to move over one third of the tracks on a drive.

Seek times are generally listed to include stroke time / settle time as well as "waiting for the beginning of the track to reach the head once the head is in place". Basically "how long before you can actually read the next thing 1/3 of the drive away". So rotational speed does have an effect on average seek time - although clearly not a huge one.

Pascal

Re: That table again...

Enterprise drives will have a 2-4 ms seek time depending on size and rotational speed. You basically won't find anything that's not at least 2 to 3 times faster than 10 ms on an Enterprise-class drive (that's sold for speed - those slow "backup" drives are another story).

But where I agree that the numbers are waaaay off is DAS / SAN. You're looking at those same 2-4 ms drives, with an I/O subsystem that will add *microseconds* worth of latency.

You can easily have a DAS subsystem that's filled with spinning rust (say, 15k rpm, 2.5 inchers) that will have an average access time below 5 ms.


AMC sobers up, apologizes for silly cinema texting plan

Pascal

More or less for the same reason you go to a restaurant.

Cinemas also have those 3D / dbox / etc. gimmicks that are fun once in a while, and they certainly have a better sound system than what I have in the living room.

(With that said, I guess I've only seen one movie in a theatre in the last year).


Admin fishes dirty office chat from mistyped-email bin and then ...?

Pascal

Re: ..bouncing incorrectly addressed mail

> This is a security issue, as it allows spammers to identify real email addresses in an organization. If it doesn't bounce, it's a real address.

That's such a 1990s strategy.

- So many email addresses at companies are publicly listed everywhere that this isn't a useful "secret" to protect (see "security through obscurity")

- Anti spam systems are smart enough nowadays to block dictionary attacks - have been for a looong time

- Anti spam systems are pretty good at actually stopping the spam too even if you know the addresses


Met plod commissioner: Fraud victims should not be refunded by banks

Pascal

Re: Do you really think online criminals are looking at your card?

> Not sure whether that affects fraudulent buying from Amazon.

Amazon have their own fraud detection systems that seem to be really efficient. Twice now they've reversed the transaction within minutes on e-books I bought from "strange locations" (once while travelling, once because I was still connected to a "screw you, Netflix" VPN).


Microsoft to add a touch of Chrome to Edge

Pascal

That's a pretty dumb argument, extensions are by definition not standard, and allowing some extensions designed for a competitive product to run on yours is just a competitive edge that you're trying to narrow. And from there you jump to "because not ALL extensions will work on Edge (or Firefox), that will make it the new IE6"? Shouldn't you be saying that it makes CHROME the new IE6, i.e. the source of lots of non-standard addons? (Not that I support this idea in any way, but that's what your logic implies).


Apple engineers rebel, refuse to work on iOS amid FBI iPhone battle

Pascal

Re: Oh really

No kidding, you can smell the astroturf from here.


Yahoo! kills! search! APIs!, games! and! Astrology! site!

Pascal

Re: Cost of an Astrology site

"(oddly enough, I'm writing this as a joke, but seriously wondering about the business opportunities of something like that.)"

This is exactly the way newspaper astrology sections are created daily. Some of them license the picture of a "famous" local astrologist to headline the column for extra credibility however.


Dead Steve Jobs is still a crook – and Apple must cough up $450m for over-pricing ebooks

Pascal

Re: What surprises me most..

"I thought Apple hated TheReg?"

That was 2010. A different era. Pre "peak Apple" and all :)


Beep, beep – it's our 2016 buzzword detector. We see you, 'complexity'

Pascal

Re: You What?

Utilizing proactive synergies, you can leverage hyperconverged, software-defined devops... no...

By leveraging hyperconverged synergies, software-defined devops can...

Nah, I give up.


BBC telly tax drops onto telly-free households. Cough up, iPlayer fans

Pascal

"Whittingdale also opened fire on ad blocking companies, comparing them to a 'modern day protection racket'."

What a load of crap. Ad blockers are as much a "protection racket" as "cops" are.

This is about as stupid as the tinfoil hat brigade that claimed anti-virus companies were the ones that released all virii in the wild to sell their product. (Not that many modern security suites aren't just as bad as the malware they want to protect us from, but I digress).


Poor recruitment processes are causing the great security talent drought

Pascal

"Companies should also be doing more to hire a diverse team, panelists said. Currently, women only account for around 10 per cent of information security positions, and with minorities, that falls to just 2 per cent, meaning there is a reservoir of untapped talent out there."

Bullshot. I'd *love* to hire more women in IT jobs. Seriously, it would create a better working environment for developers and ops staff. But it's a simple fact that (less than) one applicant in 10 is a woman. How does the lack of interest for a certain group in a certain class of job equate to "untapped talent"?

Either way, point the finger at schools / etc for not getting enough women interested in the field, not at companies that are not hiring non-existent candidates.

Pascal

"Generally, you've got a choice of a job being interesting, legal, or well paid – and you only get to choose two of those."

Yeah, screw that. I'll go for interesting, legal AND well paid, thank you very much.


Yelp minimum wage row shines spotlight on … broke, fired employee

Pascal

Re: Trump?

"As for Ms whiny pants....why does she choose to live in expensive SF area when she only has the capability to earn a paltry $1500? Perhaps she should move to somewhere where someone that generates as little value as she does can afford to live."

Wow. Or maybe Mr. Yelp could pad his retirement fund by just 1 million less this year and actually not require of his employees that they SPEND MONEY for the privilege of working for him?

The level of stupidity required to blame the employee never ceases to amaze.


What we all really need is an SD card for our cars. Thanks, SanDisk

Pascal

Re: Gold Plated HDMI Cables

When it's about tarnishing and so on and the cable is priced normally, that's all fine and well.

But don't doubt that there are vendors out there (and resellers) that sell gold-plated HDMI cables at 50 to 100 times the price and will swear left and right that colors are better with their $200 cable - complete with "proof" in the form of two identical setups on two identical television sets, one using the cheap cable, one using their $200 cable, to prove that blacks are darker, colors are brighter, framerate is better and so on.

Of course, there's noooo way that one of the TV sets is tweaked to look like shit, am I right??

As a side note, I did get in a rather heated argument a few years back on this very topic with the owner of my local high-end audiophile store that ended in me being banned from his store!


Sorry, kids. Microsoft is turning Minecraft into an 'educational tool'

Pascal

"There has to be a purpose for using technology,"

And why the hell is entertainment not a good enough purpose for a game?


UK can finally 'legalise home taping' without bringing in daft new tax

Pascal

Re: Blank media?

This is just step 1.

Soon enough, the argument will be made that USB sticks are the most common storage medium for copied media. Then of course it's just a small leap to hard drives and them newfangled SSD. Come to think of it, your phone stores music too.

Per-gigabyte tax on any form of non-volatile storage is the only way to be fair!


Video game retailer GAME in email marketing FAIL

Pascal

The real fun starts...

When the first recipient hits REPLY ALL to complain about the cock-up.


Windows' authentication 'flaw' exposed in detail

Pascal

My "kerberos for Dummies" question ...

The updated quote ends with:

"It is important to be aware that only organizations that already have a fully compromised domain controller are vulnerable to this technique."

I claim only minimal knowledge of Kerberos & co, but that quote basically makes this article a case of "if you are already 100% compromised, more bad stuff can happen"?

Or is the truth something else?


Are second-hand MoD IPv4 addresses being used in invoice scams?

Pascal

Re: Roll on IPv6

They're not bogus announcements, they acquired these blocks when the MoD released them. It's the MoD's error (not cleaning up the entries associating them with these blocks) that is at fault here (well, and the spammers for not correcting them either before using the blocks).

The BGP bit in there is just "in the past we've seen hijacked blocks and this here smells just as fishy but is not the same thing".


Microsoft extends Internet Explorer 8 desktop lifeline to upgrade laggards

Pascal

Manpower retention might be part of that equation? You won't keep your best guys around for long if all they get to handle is IE8 bugfixes?

Or am I dreaming and no organisation that size actually gives a rat's ass about their staff's well-being? Well, in that case chalk it up to loss of opportunity. Covering costs is not sufficient; any competent staff stuck maintaining legacy systems is not helping build the next shiny new thing.


NZ Uni EMC broke considered ditching EMC before SNAFU

Pascal

Are you implying a correlation between sheep migration and All Blacks plays?


Mm, what's that smell, Microsoft SQL Server 2005? Yes, it's death

Pascal

Re: Ah, there's the rub...

"The boss soon sent him on his way when he showed MS bod one paragraph of a contract we had with [redacted] that stated 'Data belonging to [redacted] must under no circumstances be stored in premises that are not under the direct control of [redacted]'."

Many thanks to Mr. Snowden for, above all else, making many more of my clients paranoid and insisting on such a clause in their contracts. That was the final nail in the coffin for any management push towards the cloud - I will be forever grateful :)


Get that OFF dot-com, hysterical France screeches at Google

Pascal

Re: Some sympathy

They're not a mom and pop shop here, they're a multinational making billions in profit a year.

Like it or not, search engines regulate access to content so they'll run afoul of all sorts of legislations, this isn't the first nor the last time.

If they want to have any chance of complying with all the crap various courts all over the world will ask of them, they need to regulate search results based on where the search comes from, not which Google ccTLD the request is sent to.

Sure, complying with the ruling is going to be annoying. They'll bitch and moan about the impossibility and unfairness of it all. But I wouldn't call it a big technical challenge for the likes of Google.

Pascal

Re: If I were running Google

Meanwhile, in the real world, Google would prefer to keep doing business in France (or anywhere else for that matter, see China for example), not do a PR stunt that would backfire in their face across all of Europe instantly.

So they'll simply comply after the proper amount of "taking a stand for freedom!!" PR.


Bloke clicks GitHub 'commit' button in Visual Studio, gets slapped with $6,500 AWS bill

Pascal

Re: .gitignore

There is no level of "private" that exists that justifies uploading what are basically financial credentials in clear text form to a 3rd party.

If YOU do that in your private repository, you're just the guy that will headline the next article of this sort.


Spaniard claims WWII WAR HERO pigeon code crack. Explain please

Pascal

Re: Exactly.

Right, because as we all know, once his code is reverse-engineered, no current-day computer could possibly brute-force an algorithm that a WW2 scout-type person was able to encode by hand. Am I right?


Windows 10 blamed (partly) for stalled PC sales recovery

Pascal

Setting Windows aside for a second...

It used to be that PCs got a lot faster on a year by year basis. Along with that, Windows was bloating at a frightening rate and the older PC just couldn't run it.

Consumer PCs just don't scale at that rate anymore. The systems people bought 5 years ago are probably still good enough. They had Windows 7 back then, but they could run 8, 8.1, and probably can also run Windows 10 as is. And they're probably still good enough for whatever they're used for.

If the whole PC industry was eagerly awaiting the next Windows because the "bloat factor" would have forced new purchases, or worse (as some always do), were hoping new hardware purchases would happen because "Win 10 drivers aren't compatible with your old hardware" (hello, Creative Labs), that's really THEIR issue, and has nothing to do with Microsoft.

So, Windows 10 popularity aside, even if it were to become the most popular OS ever, I still don't get why "the industry" expects a new OS to resuscitate an industry that's slowly winding down - they need to accept that some people are happy with just their phone and are unlikely to ever buy a home desktop PC again.


Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

Pascal

Re: a ha ha ha ha ha :(

"You may be too young to remember such classics as the FDIV bug"

My favorite quote at the time - "We are Pentium of the Borg. Division is futile. Prepare to be approximated."


Did speeding American manhole cover beat Sputnik into space? Top boffin speaks to El Reg

Pascal

Re: As the lid sped into space, it was heard to say ....

By the bowl of petunias?


Uber slapped with $7.3m fine for keeping quiet about driver accidents

Pascal

Re: Yeah, right

"Hasn't stopped them elsewhere"

France doesn't count?


'This ruling does nothing to change the facts' thunders Apple in latest price-fix appeal blow

Pascal

Re: "Apple told The Reg in an emailed statement..."

Only way this truly happened is if they hit an auto-responder set up for the ruling.


Samsung caught disabling Windows Update to run its own bloatware

Pascal

Re: Windows Update is a nightmare

"It's about time Microsoft understood that."

Right. And the fact that the option YOU use (Notify, no download) exists clearly indicates that they do understand.

Not only that, but nowadays (starting with Windows 8 I believe), you can set a network connection as "Metered" and Windows won't automatically download updates over it (in fact, tethering to a Windows Phone automatically sets it as metered, I believe).

So what is it you're complaining about?

Or are you just saying that "notify, no downloads" should be the default setting for every Windows install because "laptop tethered to a 4G phone by someone who has no clue how to setup windows" is the majority use case nowadays?

If so I don't agree - as was said earlier in the discussion, defaults need to cover mom & pop use cases. Download AND install. Anything else, the rest of us are able to configure how we want.


Config file wipe blunder caused deadly Airbus A400M crash – claim

Pascal

hindsight is 20/20 ...

But if that diagnostics data was so critical that the ECU would shut the engine down, why did it even allow the engine to start / spin up enough to take off?

Beyond the botched update that deleted the data, there seems to be a critical design flaw there.


Sysadmins rebel over GUI-free install for Windows Server 2016

Pascal

I'm surprised at the reactions

Reading this thread, I'm genuinely surprised at the way people are reacting.

For years it seems the "GUI on a server is bad" sentiment has prevailed, and now the sentiment I get from this thread is "Not installing the GUI by default on a server is a slap in the face to small businesses".

I get why many people want the GUI. Lots of interactive crap in the server world still, especially in the small business sector and in legacy apps.

But isn't it enough that it exists as an option? You want it, install it, otherwise you shouldn't?

It seems that defaulting to "it's not there" is a push in the right direction, and having the ability to still add it fully serves everybody that wants it for any reason, be it legacy services or inertia / preference?

I'm personally biased towards the no GUI side, evolved naturally from managing servers at the other end of a very slow link, went from VNC (way back) to RDP, then to running the management apps locally, to "ok, so I only ever again use the GUI to install the server and critical updates" and selectively moved to core installs (except, yes, some legacy stuff that requires server GUI).


It's FREE WINDOWS 10 time: 29 July is D-Day, yells Microsoft

Pascal

Re: How many of you Windows user will be...

"MS posts, Apple posts they always end up with an OS equivalent of a willy waving contest."

Now THAT'd be one weird launch party :)


Windows 10 to MELT YOUR BRAIN and TAKE OVER YOUR LIFE

Pascal

Re: Not just Eye Candy then

> Maybe now that everyone's so used to mouse clicking and touch-screen swiping, Microsoft should bundle Colossal Cave and Zork to remind people how to use the keyboard.

Oh god, don't get me started. A while back I happened to look over the shoulder of one of our web guys who saved a change to a PHP file, switched to the browser, and refreshed the page to see the result. You know, what should take 1/3 of a second (CTRL-S, ALT-TAB, F5).

Only he went with the mouse:

- Click the File menu, Click Save

- Go to the task bar, find browser (stacked, of course), find the proper window from the list

- go hit the refresh icon

A grand total of 5+ seconds. (Then back to the editor he went, using the mouse again).

I can't imagine how dysfunctional the tablet generation is going to be!


SQL Server 2005 end of life is coming, run to the hills...

Pascal

> "SQL instances will continue to run but specifically there will be no further security updates or “hot fixes”, potentially leaving customers with system vulnerability."

Truth be told, lack of security updates on an 11-year-old database is not something that will worry a lot of people. It's not like we can expect another SQL Slammer any time soon, these systems now tend to be very well isolated, and in most cases they can keep running worry-free for years. Other hotfixes to resolve bugs / issues could be a problem, but you'd again expect that a 10+-year-old system is "fit for purpose" and any kinks that matter to a specific customer have been worked out already or they would have migrated to something else.


Welcome to the FUTURE: Maine cops pay Bitcoin ransom to end office hostage drama

Pascal

Re: Backup verification matters

This is exactly the kind of assumption that leads to data loss.

Any kind of recovery plan needs to be tested on a regular basis, and that certainly includes backups. It's probably not necessary (nor practical) to test full site failover more than once a year, but proving that you can perform a full data restore from backups at least a few times a year should be a given.


This open-source personal crypto-key vault wants two things: To make the web safer ... and your donations

Pascal

Re: Certificate expired

It's not like most of the "big names" haven't messed up certificate renewals at some point, but from a crypto outfit on a mission to help secure keys, it made me smile to see the expired certificate :)


Microsoft uses Windows Update to force Windows 10 ads onto older PCs

Pascal

Re: Really?

But unless I read this wrong, the update being pushed is not Windows 10, it's a promo thing that will invite users to upgrade to Windows 10. So in that sense it's not really any more offensive than said app store upgrade.

I'm really looking forward to the shitstorm this is going to cause, ranging from the thousands of PCs that will be messed up by the update all the way to the unavoidable "Microsoft abuses monopoly again by not offering to install Linux the same way" articles :)


Microsoft update mayhem delays German basketball game, costs team dear

Pascal

Re: Use an OS that can be relied on when the mission is critical

If you run international competitions with "a" computer, you're just as guilty as that guy.

Whatever hardware or OS, if a mission-critical system depends on an improperly managed computer with no backup in case of failure, someone will end up looking like an idiot at some point.

Pascal

"The laptop controlling the screen crashed right before the start of the game and upon re-start insisted on installing automatic Windows updates."

Windows won't "insist on installing updates" on boot unless the person responsible for that laptop had started updates earlier that required some work on boot, but had not actually rebooted.

I would hate to be the person responsible for that fuckup, especially if it's due to negligence!


Apple's Tim Cook and Salesforce's Marc Benioff DECLARE WAR on anti-gay Indiana

Pascal

It's never black or white.

Of course it's a Good Thing (tm) when tech CEOs use their influence (economic or otherwise) to advance social issues.

But what about when their agenda does not align with what's good for the public?

Is Apple's influence such a good thing when thinking about corporate tax laws, the 100+ billion they're hiding in tax havens?

Is Google's influence a good thing when the FTC basically states "they're worse than Microsoft ever was, but meh, who cares"?

I don't particularly like the 100 richest people in the world making most of the decisions for the other 7 billion, even if they occasionally happen to align with the common good. And I doubt that anyone here believes that most of these guys' real agendas are good for the masses.


Ford: Our latest car gizmo will CHOKE OFF your FUEL if you're speeding

Pascal

Re: If you need to be seen, sidelights.

> I should point out that when they were off, they had actually been put into the OFF position inadvertently. Because I was so used to them being on automatically, it took a while before I realised they were not on when they should have been.

My new car warns me about that. I have the usual ON / OFF / Auto choices; if I have them set to off while it's dark outside I'll get an initial verbal warning and an occasional full-screen notification in the dash. It does come in handy considering the automatic setting behaves well enough that I have basically unlearned to turn on the lights by now. (At any rate, there are always enough minimal lights to be seen when the engine is running - in the "off" setting the headlights are actually bright enough to be seen even in sunlight).

I'm of the opinion that cars should always light up a lot and not offer drivers much choice about it :)


The storage is alive? Flash lives longer than expected – report

Pascal

"Has anyone done any costings of buying a few high reliability eMLC drives vs buying lots of cheap "desktop class" drives, and building a RAID array with lots of hot spares?"

I went through the exercise recently, for a fairly small database (a few TB) that gets massive amounts of I/O, mostly writes. With consumer drives I estimated I'd reach the rated write capacity after ~6 months.

In the end however a fairly big showstopper was the fact that most drives would reach end of life at the same time. Either I'd simply retire the entire array after 5 months and cycle all drives (more maintenance than I care for), or just wait to hotswap all drives as they each failed, and pray that I wouldn't have enough concurrent failures to kill the RAID (which seemed like a real possibility if I evenly wore out all drives to their rated lifespan).

The risk just seemed too big.

Pascal

"Still, if I was running a large server estate and was looking at putting SSDs in them, I would probably now think twice before forking out huge amounts of cash on eMLC kit and I would instead be looking at higher-end consumer drives."

I'm one of the people that recently thought long and hard about doing this - the premium for eMLC is just horrible, but in the end, we felt like we had no choice since this was for a mission critical database.

Comparing SSDs rated for 3 DWPD over 5 years to SSDs rated for ~300 total writes (which over the same 5 years amounts to just about 0.16 DWPD) does in the end justify the major price difference.

If all of a sudden we can expect much cheaper SSDs to have similar endurance (the results for the 840 Pro add up to about the same 3 DWPD), it's definitely worth looking at again.

Of course right now it's just anecdotal evidence. Someone has the budget to burn through 1,000 of them and let me know how it goes?


Kaspersky claims to have found NSA's 'space station malware'

Pascal

Re: The beginning of the end for Windows

Yeah, because in a theoretical future where even just 25% of workstations run (say, Linux), the NSA will just go "Oh well, we had a good run" and give up.

