Out of curiosity, what EAL 7 operating systems are there? I can't find any on the common criteria
118 posts • joined 12 Apr 2010
@dogged - I wish I could upvote you more than once.
"widespread dispersion of LSD and MDMA?"
They will either cause cancer or cure it depending on the random Daily Mail headline generator.
Surely unless this is an account which needs remote access, the broadcast of the PW isn't a problem? If someone breaks in to sit at a machine and log in, they've got other security failures to worry about.
And as others have pointed out, the fact it seems to be a shared / generic password means it's kind of pointless. So the news here should be "idiots designed IT system", not "users posted password".
Unauthorized access to a private URL is prosecutable no matter what you describe it as. Hacking or guessing the URL does not make it legal.
How do you define a private URL? Is that one which is published on the public web but you don't want people to access yet? Or is it something else?
How do you define authorised access to a public website? Is there something I have to sign up to so that I can visit webpages, or just some webpages - and then only after I've visited can I find out?
Other than that, what?
The cause is corruption and graft (and occasionally good old-fashioned incompetence).
I was always brought up with "graft" meaning working hard..... I actually had to google to learn it also meant corruption.
This left me genuinely surprised so thanks for opening my eyes a touch.
"The Met is currently in the process of outsourcing its number of IT staff from 800 down to 100."
Hmmm..... I can't see how this will cause any problems at all...........
" Presumably a regional CT team rather than a specific Lancashire one." - not in the 80s. The regionalisation of the teams came later than that and while GMP may have seconded officers, it was still very much down to force teams until at least the mid 90s, by which time the PIRA threat on the mainland had all but gone.
The price of that ASUS EeeBook X205 is good, I agree.
However, "much better product" is far from the truth. It is painful to use and Win 8.1 crushes the device. You think you have a real laptop but you actually have something so underpowered it makes you want to cry.
If it wasn't for the fact it doesn't perform as well as a Chromebook for "everyday computing tasks", it would be an excellent purchase.
Just to check - cos these are tablets so not directly comparable with a Chromebook. I've tried a LINX 7" and it isn't worth £79:
Can you find a windows laptop style device which runs as well as a chromebook (check out the time from power on to doing stuff) for about the same price as a chromebook?
The reason I ask is that the Chromebook replaced all the laptops and desktops in my family as it is significantly easier to use for the tasks people wanted to do - writing emails, letters, websurfing - than the more powerful devices and the form factor is more suitable for this sort of thing than the tablets. (Which remain as the main content "consumption" devices for things like YouTube and Minecraft).
No one in my family - and none of my work colleagues - particularly like the tablet interface for messages much longer than a tweet, so I don't think they would enjoy writing documents on a 7" screen.
But I am. I'm an unrepentant geek, I'm running Crouton on one of my Chromebooks, which I find very useful. But I love the fact that I can pick up a Chromebook, open it and use it. And so does the rest of my family. My daughter uses hers all the time.
I started off very cynical about the Chromebook, its OS and its purpose in the grand scheme of devices. I was also quite reluctant to use something which wasn't a "proper" OS etc.
However, a guy at work got one and I had a play.
That afternoon I bought one. Everyone in my family loved it to the point where we ended up with three in the house and the laptop and desktop languished unused except for occasional tasks which needed things the Chromebook didn't offer (mostly Photoshop processing of huge RAW image files).
I am not saying it isn't possible to build a site on a phone and SSH in to transfer it.
However, this is a phone which someone managed to smuggle into prison so I assume it isn't a Note4. There isn't really the scope for creating sensible graphics and testing anything is going to be challenging.
So either there was no site and it was purely phishing emails (much easier to spoof, although getting the garbage most GSI type messages include might be a pain in the backside) or he has small enough fingers that spending the time coding won't cripple him.
Which was the RSI bit.
Did he use the phone to build the site or was that someone else? If he managed to code a phishing site entirely on a phone smuggled into jail, the man is a genius with very small fingers and a future of RSI.
Can any one add or enhance my understanding about this:
"which also made making, supplying or obtaining articles for use in computer misuse offences in themselves."
Does that mean things like Hackin9 and Nessus / nmap articles or John the Ripper are criminal offences now?
Ah, comprehensive reading. My son needed help with that too at some point - but he was 6 at the time.
This would have been hilarious and cutting if you had actually read the article properly first.
Let's revisit the very first line of the article:
Well done for getting that far, but how about we revisit the third from last paragraph and show some real comprehensive reading:
For his finale, Lee nailed Apple's Safari with a use-after-free (UAF) vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac.
That kind of implies a Mac was pwn'd, don't you think? (and no, I still didn't downvote anyone on this thread)
That is the worst part of this news, in the eyes of the public, CENTCOM has been hacked!
In reality, a script kiddie who may, or may not be associated with Islamic terrorist groups has managed to subvert a pretty weak security control around a publicly accessible social media channel.
As per XKCD, it's a bit like someone in a school sprayed graffiti over an Army recruitment poster.
But, the public fear of EVIL CYBER MUSLIMS will mean over-reaction after over-reaction.
What were they going to do - forbid drivers from entering the city? Impractical, how would they stop them? Or forbid them from charging more? - then how would they get enough drivers to brave the traffic?
How about a third option where Uber disables the surge pricing for emergency situations like this.
That way, drivers who are already in the area can still be paid for taking people out of the area but there is no incentive for the more mercenary, risk-taking types to go back in looking for a quick profit?
I don't think this is something that should be completely algo-decided either - it is a trade-off between discouraging drivers from risking themselves (and driving more spectators into the risk area) and providing a service to help people in the area return home. I suspect each incident should be assessed on its own merits.
I wholeheartedly agree that footing the bill for outward journeys is excellent.
"PS, reg staff, WTF have you done to the site????? For the love of god, revert back..."
As far as I can see, until "Shellshock", it was pretty normal for AV vendors to do their thing, issue detection file updates and provide a bit of protection for end users.
The much maligned McAfee appears to have had a detection in place for Regin since 2011 - which predates the trend for high profile DAT file releases - so I suspect a lot of the secrecy around this is simply that people don't bother looking through the tedious information pushed out with each detection database release.
"Oh wait you said quarterly, and across the product range then, so not that many then. How many did Microsoft release in the last 3 months for all their products."
I could be wrong, but a quick check on Technet shows MS issued 9 patches in May, 7 in June and 6 in July so that is 22 in the last three months. The numbering system implies MS has issued 42 in the seven months of this year.
But this overlooks two main issues:
1) issuing lots of patches doesn't necessarily mean your software is dodgy (it could mean you are just much better at finding and patching holes than anyone else).
2) Using MS as the example really is setting the bar low.
"Vague thoughts about if I had anything worth hiding, I'd like a system with 2 passwords where the alpha password lets you in normally, but the beta password 'obliterates' the incriminating stuff whilst allowing access to the innocent but private stuff..."
One of the great parts of TrueCrypt was the hidden container which allowed you to reveal one password granting access to the outer container while the inner container remained invisible.
AFAIK this technique was able to keep the hidden container from detection using pretty much all current forensic tooling. The final audit findings may reveal more.
Tails has been trying to get rid of TrueCrypt for a while now:
https://labs.riseup.net/code/issues/5373 and https://tails.boum.org/blueprint/replace_truecrypt.
Looking at the changelog, zuluCrypt was added as an option on 19 May but the bit about "recent concerns" was added 29 May.
Also, there is a SANS forensics presentation from 2010 which (on slide 23) covers TrueCrypt and states "removed at the request of US government" - http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pdf
" It only has 25% of the functionality"
Agreed - Whole Disk Encryption was not the main reason I used TrueCrypt, and isn't the main reason almost everyone I know used TrueCrypt.
If, if, if that was the whole reason, Bitlocker is even a poor alternative for TrueCrypt's WDE.
TrueCrypt was more than just whole disk encryption.
TrueCrypt provided a tool which allowed users to create portable storage and deniable containers - all in one cross platform bundle.
It will be missed but even if it does return, will anyone ever be able to trust it again?
@Martin an gof
Not since the 1990s.
"However it wouldn't be difficult to implement two factor authentication, requiring, for example, a pin, birth date, last random digits of the Tesco club-card number etc. to prevent this occurring in the first place."
Not difficult but potentially a nightmare to manage. Distribution, revocation and verification of the second factor is hard enough when companies deal with their employees - Tesco has an elastic user base so there would be a reliance on an externally provided source of the second factor. Apart from anything else, there has to be a decision on how many new customers will go elsewhere when they are told to get the dongle / app / whatever rather than just click and buy.
Then you hit the problem about users needing a second factor for every different site they manage. Or do we have a federated second factor service which instantly throws up issues around being a single point of failure etc.
All Tesco needed to do here was have better security controls around how it allowed access. 2FA may have helped but is far from the only answer.
Doesn't this imply that a lot of middlemen (who should have known better from the Q) have made money brokering trades as the stock prices went up and down again?
Did I misread something?
The subtitle reads
However, note that we didn't say British billionaires there
and while headline does indeed avoid saying British, the first paragraph undoes this with:
A rundown of the richest people in China has revealed that the very wealthiest British billionaires collectively boast more cash than their counterparts in the People's Republic.
So, is the "British" billionaire cohort more cash-rich than the Chinese one, or just the UK billionaire cohort?
I wouldn't be too convinced by numbers from CWJobs, jobserve or whatever.
Companies looking to hire seem to push the job out to seven or eight agencies who then all pimp the same job (with slightly different rates); this makes it look like there are a lot more roles than really exist.
A good example was a role in Middlesex I got in my job search email today. Identical job description, identical location, seven different adverts with six different rates (£84 per day difference between highest and lowest). Two of the adverts were from the same agency (Hays in this instance).
All in all, I wouldn't trust any report which counts advertised jobs on online sites as an indicator of anything - good or bad.
"Anyone find Amazon Prime absolutely rubbish?"
In general, 9 out of 10 orders arrive on the guaranteed date - this dips around Christmas but it averages out to about 90%. Every time they have missed this, I have complained and had the membership extended.
"Perhaps because people don't *want* to work all day and all night? Perhaps because the stores can't afford to employ the extra staff and pay for the extra lighting and heating that opening late would involve?"
This is on the assumption that being open outside "normal" working hours means the store has to be open 24/7.
The stores that can't afford to be open the extra hours are still paying to be open at times of the day when no customers visit. This makes no sense.
Obviously it would depend on some sound market research but there would be nothing stopping a shop targeting working people opening at 1600 and closing at 2330hrs each day. No extra staff needed and if that is the time the customers visit, it makes much more sense than being open 0900 - 1700hrs.
My closest high street is virtually a ghost town during the day. There are some old people walking around and there are a lot of unemployed people walking around. The overwhelming majority of shops have silent tills and bored staff gossiping with each other. However from about 1530 onwards things change and in the last hour the shops are open (generally 1700 - 1800), they are busy with lots of customers and queues at the till as people try to shop before closing time.
Most of the shops could close until 1400hrs without any noticeable loss of revenue and staying open to 2000hrs or later would likely bring in extra customers.
It's not about hiring extra staff, it certainly is not about making people work all day and night (who suggested that, or is it just a strawman to scare people off the idea?), it is about being open at a time that suits your customer base.
Nightclubs and restaurants are a good example. Why open when your customers don't need you?
Or did you mean their Bada system? (If so, not new, not secret, reported openly)
You do know that Samsung already has its own App Store type thing, don't you? But it is android apps in there.
Are you suggesting (leaking?) the idea that Samsung has invented a new OS on the quiet but has enough devs and apps to take on Google / Apple?
No wonder you are AC.
Trademarks have to be used or you lose them.
It seems it was used and within the window required by the law. What is the problem here?
Do you mean most people want android but not google play or did I misread?
Good points but:
Previously, Nokia was very big in many languages most Americans cannot even spell, and which constitute substantial markets.
Not substantial enough to save Nokia.
The non-English language market is almost certainly bigger than the English language market, but for some reason people the world over still want access to the AppStore and Google Play (and as far as I can tell, both support non-English languages..)
If you talk to average non technical people, you'll find you're mistaken. The article is correct, most people don't really know what "Android" is, they are buying a Samsung phone, not Android.
I think this is only partly correct.
I agree that most people (probably even most technically minded people) aren't looking for an Android device first, they are looking for a device they like the look of, they like using and is at a price they are willing to pay. This sort of explains why Samsung is (currently) demolishing the competition from other Android manufacturers.
However, people are going for the Galaxy brand rather than (for example) Wave, which means the OS must have some impact over and above the Samsung brand.
This could be how the OS works, it could be how the OS looks, or more likely it is about what the OS provides in the way of apps and stuff. There is no reason to assume that this would transfer equally to a different OS - and given that one of the remaining arguments for iOS is the sheer volume of its AppStore, going to an OS with a much more niche app selection would be a very bizarre move for Samsung (minimal gain potential, massive loss potential).
Realistically, there is no strong motivation for Samsung to move to cut Google out. Samsung is not a software development brand, its strength lies very much elsewhere and the costs of developing and maintaining their own ecosystem appear to monumentally outweigh any potential increase in profit share they would drive. Even if Samsung did create its own system, it would still be paying Google for some things (maps etc).
The PAYG Nokias are quite cheap indeed (at least if you use 3's prices as a guide) compared to comparable phones from Samsung or Apple. It seems a good way of checking if people buy the brand or the price.
It should be interesting to see where this goes and I am a big fan of there being more competition in the mobile phone space.
Ah - you beat me to it :-).
It is funny to have seen things revert back to purchasing time on a University mainframe again in one lifetime. Pretty fast circle going on there....
Mmmmm, the downside to this is that you get supplied the cheapest crap possible with which to do your work. It will be slow, so loaded down with "management" services that you can just about run Notepad if you're lucky, takes an age to boot, is tied to the network with some desperately unreliable synchronization software that means you have to reboot your hideously slow to boot POC just to get undocked.
Frequent complaint about company supplied hardware, however I don't think BYOD is the solution.
If you are wasting an hour a day because the device is slow, then your company needs to be made aware of this (1 hour per day per employee = lots of new hardware) so management can make a decision.
If your time is profitable to the company, then this wasted time is costing them (not you) so they really should cough up and get you a better device to work on. Anything else is losing them money.
It may be that your time isn't as valuable to management as you think, in which case it isn't cheaper for them to improve your hardware - if this is the case, then make the most of the enforced breaks and enjoy the more relaxed pace of work.
If a system has security designed into it from the start then it will be more secure than another system that does not.
You need to stick to Plan 9 from Bell Labs.
Last I checked, you had to join the Google borg to do anything worthwhile with an Android.
Not strictly true.
Meanwhile my iPhone cruises happily along with all my calendars and contacts plugged into it and syncing both ways via CardDAV and CalDAV, to a server I set up for myself and I administer.
If you have the know how to set up and admin a server, you can do this on droid devices as well.
But if officialdom wants reports, then officialdom should send a 'policeman' out to respond.
Excellent point - but before the policeman can respond, people have to start reporting the crimes and show that it is happening enough to make police responses necessary.
Implementing good security is an individual company responsibility. Tracking down and punishing the perpetrators is a police responsibility. At the moment, there is a bit of a disconnect because in lots of (although far from all) situations, the company decides to not mention the breach and deal with it using its own resources.
At the moment, this makes sense for lots of companies - is this what the EU is trying to change?
Don't want the internet to devolve into apps.
Otherwise it seems that AOL & Compuserve were just a bit ahead of their time.
What web browser features can fix the fact that my 46 year old eyes struggle to read text on my phone or that my fingers (not fat fingers either) sometimes hit the wrong link?
This is a really good point - and all too often designers are too heavily focused on their massive displays to remember that accessibility is very important.
However, this isn't a problem solely focused on web browsers or solved with apps. If they are going to the trouble of developing an Android and iOS app to provide better accessibility, they should have just put a bit more effort into the front end design in the first place.
Do any browsers support orientation detection? Properly, I mean, not just re-flowing the text. A dedicated app will often adopt an entirely different layout in horizontal mode than vertical mode. Putting buttons along the top instead of down the side for instance.
This isn't the browser - it is down to the design.
Good responsive layouts will identify that the screen dimensions have changed and reformat their CSS appropriately. There are lots of pretty good frameworks to make responsive design trivially easy (320andup is one of the better known) and these all allow for a full reformatting at breakpoints.
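As an added illustration of the point above (example code written for this page, not taken from the comment, from 320andup or from any other framework), here is a minimal HTML/CSS page whose navigation links run down the side in landscape and move along the top in portrait or on narrow screens. The orientation and width breakpoints are assumed values chosen for the demo; the layout switch is done entirely in CSS, with no script and no separate app.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<!-- Without this viewport tag a phone renders the page at desktop width
     and the media queries below never match. -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Orientation-aware layout (added example)</title>
<style>
  /* Base layout: navigation and content side by side (landscape / wide screens). */
  body { margin: 0; font-family: sans-serif; }
  .page { display: flex; flex-direction: row; min-height: 100vh; }
  nav { display: flex; flex-direction: column; width: 12rem; background: #eee; }
  nav a { padding: 1rem; text-decoration: none; color: #222; }
  main { flex: 1; padding: 1rem; }

  /* Breakpoint (assumed values): portrait orientation or a narrow viewport
     puts the same links along the top, each at least 44px tall so a finger
     hits the intended link rather than its neighbour. */
  @media (orientation: portrait), (max-width: 480px) {
    .page { flex-direction: column; }
    nav { flex-direction: row; width: auto; }
    nav a { flex: 1; text-align: center; min-height: 44px; line-height: 44px; padding: 0; }
  }
</style>
</head>
<body>
<div class="page">
  <nav>
    <a href="#home">Home</a>
    <a href="#news">News</a>
    <a href="#help">Help</a>
  </nav>
  <main>
    <h1>Rotate the device</h1>
    <p>Landscape: links run down the left. Portrait: the same links sit along the top.</p>
  </main>
</div>
</body>
</html>
```

Save the file and open it in a phone browser (or a desktop browser's device emulation mode) and rotate; the browser re-evaluates the media query on every resize or orientation change, so the reflow happens without any JavaScript.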
Perhaps all of that could be done in a browser if HTML supports it but how many web designers actually do bother to think about that kind of thing?
It does, but not enough developers think about it - they are too busy designing a website for browsers then coding an app for phones.
It's second nature for a phone developer but the most you can really expect a web page to do is flow properly so that page items aren't obscuring other page items.
Phone and web interface developers are, or at least should be, the same beasts.
Maybe you can do it in CSS, but it's far easier not to. HTML+CSS is an abomination creaking at the seams.
Yet HTML5 + CSS is what drives most apps.
The latest Sony devices look, feel and work great. The coming tablet looks awesome!
Excellent - see the open market works for everyone's benefits. If Sony do manage to pull off a superb device at an equivalent price point, then well done for them and Samsung's business will suffer.
This is the "good" thing about free market capitalism. Companies try to encourage brand loyalty because that is what allows them to sell rubbish to customers who still keep ranting about it being the greatest thing ever (until the next one comes out and fixes all the previous faults because until the new one does it they aren't faults).
Realistically, if Apple could produce a decent enough tablet which did the things I want a tablet to do, at a reasonable price, I would buy it. So far, they haven't and my old iPads are gathering dust now.
If you sell enough you will get some problems / faults.
No one is disputing that.
Friend has a Samsung - it developed a fault and kept rebooting randomly but many times per day.
A friend of mine had an S3 which developed camera problems - it was refusing to take pictures. He had a short call with Samsung tech support and picked up a new phone the next day. All docs, data and apps were sync'd over seamlessly.
Can you genuinely and accurately claim Android is safer than iOS? Nope.
Nope. Where did I claim that?
I said being locked in wasn't the same as having access to the largest and safer app store.
Being locked in is being tied to an ecosystem which means should you become dissatisfied with either the direction the OS is going in, or the quality of the devices manufactured, you find it very hard to migrate to another platform. Pretty much every app you have purchased is lost and depending on how you have stored your data it becomes a pain in the arse to move it over to your new ecosystem.
So, given this, it is understandable that for people looking to take their first footsteps in the new world order, that the open environment of Android is more appealing.
Yes, there is more malware hiding in the android space, but the number of compromises of android devices is not scaling up in line with the doom and gloom predictions.
Maybe it is because 99% of apps in either iOS or Android repositories won't see the light of day so it doesn't matter if they have malware on them or not.