Re: Twitter driving Twitter-addicts to suicide?
Yeah. There is. The fact that you pollute the internet with that level of disrespect for human beings.
5615 posts • joined 31 May 2010
"What is a reasonable time? Every circumstance may vary, but I'd have thought 99.9% of people check and clear their messages at least once per week. Most people are several times per day."
I delete my "Junk E-mail" and "Deleted Items" folders about once a year. I have rules that filter lots of incoming mail directly into "Deleted Items". I can easily receive something unsolicited and have it stick around for ages.
How often does a normal person purge their temp folders? And you and I both know that I can do all of the above and still get the data back a year later if I wanted. The law is an anti-intellectual law designed to root out dissidents and make them hangable.
"* obviously from the safety of a disposable, unregistered cell phone purchased with cash."
I don't know how it works where you're from, but buying burners has several barriers here:
1) Most shops won't sell a burner without a credit card. Cops don't like it unless they can trace who bought the burner.
2) Most places that sell disposable credit cards require a debit or credit card transaction for the same reasons.
3) Virtually every place that sells either burner cell phones or disposable credit cards has video - and often audio - surveillance.
In order to completely "wash" all traces of the purchase you should go through a few steps:
1) Buy everything in disposable credit cards.
2) Case joints that sell disposable credit cards so that you can ensure they won't be able to track you.
3) Use a mule, but never the same mule twice. (Always incorporate a backup plan!)
4) Consider buying a handful of "high value" disposable cards then using them to buy multiple low value ones at different locations. Additional buffer helps.
5) Do not invest any of your now anonymous ephemeral money into a burner with contactless payment options. You do not want any correlation of your purchases with the phone number, because if they can put your purchases and your number in the same place at the same time, they will pull your image from a camera. Tower triangulation is not accurate enough for this. Keep the phone simple. Basic voice and data. No GPS.
6) Don't use bitcoin; it's trackable. Some altcoins aren't. Do your research.
7) Use anonymous credit cards to purchase hosted/colocated server space in foreign countries in order to do your online shopping/hacking/talking to journalistic sources/posting dissenting views against your government/etc.
8) There are a number of shipping forwarding companies if you want to buy things online. With a little bit of work you can even find storage facilities or virtual office providers that will accept deliveries on your behalf. Better if they are located in a neighboring town, and if you get at them using some transportation method (taxi/lyft/etc) that doesn't take your picture/record your voice/etc. Don't let them track your plates, don't ever take your cell phone to the storage facility. Never associate you with that location, or the whole thing unravels.
I could go on and on, but you get the idea.
Our society has become one which actively hunts dissidents. Even if all you want to do is establish a reasonably secure means to express a dissenting opinion online, you should probably consider much or all of the above.
How did we let it get this bad?
"And who determines a person's ability to recover a file?"
It's a terrifying law. You're actually punished for being smart. I can build a scanning tunneling microscope from parts lying around my home. In theory, I could wed that to a Raspberry Pi and - presuming I could obtain or construct stepping motors/gearing with a fine enough range - I could recover files directly from a wide variety of platters.
I can also remove the controller chip from a flash drive and replace it with something that would allow me raw access to the cells. That would allow me to pull a cell-by-cell image of the drive - something that's virtually impossible with a controller in the way - and then most likely find the deleted images in "spare" cells waiting for new writes.
So, unless I throw away every computer storage device I own and never use electronic communications again I would be vulnerable. "Extreme pornography" ends up in my spam on a semiregular basis and absolutely shows up during internet searches...usually for things so completely unrelated it's baffling.
If I lived in the UK, the knowledge inside my head would be illegal. The country has actually managed to codify thought crime.
What. The. Fuck.
I don't know about you lot, but I actually have real world friends. If I could monitor the tank, I could ask one of the many friends I have living in the city to pop in if there's a problem. It doesn't need to change parameters. Just monitor and report. (Well, I would like it to automatically top off the tanks and feed the blighters, but you don't need "internet connected" for that.)
You lot act like you don't actually have real, live human friends. Like it's "all tech" or "all people".
We live in a world of both people and technology. You should consider mixing and matching.
I have an alarm clock that leaps off the table and drives across the room to make me chase it. So yeah. Technology can help, even with hard problems.
@ amanfromMars 1 cease this coherence immediately. It's disconcerting.
"I would not, however, be caught dead with a goatee."
No one here accused you of having taste... :P
I don't generally swear, or even write long comments, due to passion. I do it to achieve a very selective, targeted effect in the reader. There have only been - to my knowledge - about 10 comments where I have "snapped", and truly just core dumped my emotions without some form of careful linguistic selection.
That said, I don't see anything in this thread worthy of a good riposte. People are pretty tame, even the trolls. It's like a quiet Saturday night on the lake, in forum form.
Aye. And not just you. Lots of people take pills, even when they are young, for a variety of ailments. Do you know how hard it is for someone with ADHD to remember to take their meds in the morning?
And what about something that took your blood pressure before dispensing a dose of stimulant (again, common for ADHD folks) so that it knew when it was safe, and when not?
A pill box that could track what Alzheimer's (or, for that matter others) patients took, and then either report that back to the doctor, or at least track it in aggregate to help us design better pills?
Something that tracks what we eat, and when, as well as what pills we take - and when - so that we can correlate symptoms for various things with these sorts of events and are better able to detect patterns? (For example, this would be really useful in helping to diagnose Celiac patients, IBS and a few other things.)
Hell, a toilet with an automated excretion analyser to help determine things like "are my organs shutting down" or "do I have a gall bladder infection", etc.
There are a lot of possibilities. Not all have to be internet connected. Some are better if they are.
But that was really my point in the article. It's not going to be "selling billions of units of an individual product" so much as "selling millions or tens of millions of an individual product" to meet niches.
Is there no room for optimism at all? Life is all dour? We will die alone and unremembered after a brief period of despair and suffering that was our lives?
How sad. :(
Actually, no, you're just an idiot.
If you have actually read my arguments you'd know damned well that I'm anti everything unless and until something has proven its value to me and to my clients. As soon as it has stopped being of value, I'm against it. Value is calculated in many ways: monetary value, trustworthiness and enablement.
I have just as openly pooped on Linux and Apple as I have Microsoft. And I have praised Microsoft, Linux and Apple as well. I am not "pro" anything (except Ninite). You, however, very clearly are. And to you, anyone who doesn't agree with your prejudices must obviously be biased.
So piss off. I don't have time for those who can't separate "disagrees with my view on who is worthy of worship" from bias. You are irrelevant and you are annoying.
"Be honest with yourself, Trevor. You know have a freetard Linux agenda and you will never be satisfied until you get your way."
You're an idiot.
I never said the Chinese economy wouldn't take a hit. I said it wouldn't collapse. The US, OTOH, relies on cheap Chinese goods so absolutely that an inability to source them would obliterate their economy overnight.
"Would the Chinese economy survive if we bought all our production back home?"
Yes. The US just isn't that significant. There are 6.7 billion other people in the world, and they will all still buy Chinese.
Microsoft doesn't make a better mousetrap. Microsoft runs a protection racket. If you don't use their everything, they'll break your fucking kneecaps. So pay the protection money.
That's what "bundling" and "integration" and "embrace/extend/extinguish" of standards is all about. Abusing a monopoly in one area to enforce a protection racket in another.
Most people don't want to buy Microsoft. They don't trust Microsoft, and they sure as hell don't want Microsoft's broken UIs. But so long as Microsoft can keep convincing those who hold purchasing power in governments and businesses to do so, they have us all by the balls.
Actually, it is considered by most experts to be an important part of defense in depth. It eliminates 80%+ of the attacks in a single move. The rest of the attacks then must be dealt with by other means...but it would prevent the current crisis, as the existing malware only looks at default ports.
Sometimes, obfuscation is all that's required. Other times, you need more. But don't discount the value of obfuscation when so many attackers are just plain lazy.
I think if you put the management interface of any device onto the internet you're nothing more than a lesson waiting to be taught to others. So to be entirely fair, when asked, I vehemently advise against it, be they Synology or not.
Naked admin: just say no!
"Isn't it a conflict of interest for Trevor to report on Synology while touting their gear to his own customers? Obviously he wouldn't want them to go bust. What exactly is his interest in the company?"
I am not entirely sure why it would be a conflict of interest to report on Synology while selling it to my customers. I sell Microsoft software and services to my customers too, and I tear them a new arse every other day. Any vendor is disposable, and - to be perfectly blunt - I don't make my living selling computers. I keep my hand in because doing so allows me to keep a presence at the coalface of IT, making sure my skills stay sharp and that I have knowledge and experience relevant to the IT companies I report on.
What might represent a conflict of interest - but I honestly feel does not - is that I am currently engaged with Synology on a very narrow contract to provide them a VMworld booth demo. This demo consists of a Supermicro FatTwin server, a Supermicro switch and a Synology RackStation all configured to run various workloads that stress the Synology storage. The contract is very narrowly defined, and I have no other role (such as ongoing consulting, etc) beyond that specific deliverable.
Given the voluminous red tape that is Synology's internal marketing spend processes, there is zero reason to believe I would get another contract from them. So, being frank, there is no incentive on my part to be nice to them. I have a fixed contract that says "I gets my money if I deliver the goods" and there's nothing in there about not pissing off the natives.
And I piss off the natives rather a lot. They weren't exactly happy I ran a pair of pieces that said, in essence, "Synology made mistakes and needs to reorganize themselves internally and spend a stonking huge pile of money to make things better in the long run."
I've never tried to hide who I am working with. You can always find out information about my open-ended engagements at http://www.trevorpott.com/about/ under "disclosure".
I don't list narrowly focused, fixed-deliverable contracts unless those contracts compel me to advocate on behalf of a client. Once more being blunt: I get so many jobs creating whitepapers, blogs, demo videos, booth demos and so forth that the fixed-deliverable stuff all blurs together. They don't make me any more or less happy about a company.
A great example is Microsoft. They gave me a free year of MSDN so that I would be able to have licences to write about their software. Didn't make me any more charitable towards them.
VMware ensures I have a suite of the latest licenses, if you read my writing over at SearchVMware, I don't exactly pull punches with them either...and the VMware licenses I get are enough to run my lab.
Bottom line: if there is ever something I - or any of the circle of professionals I trust to help me make these judgements - feel presents the possibility for conflict of interest, that will be listed in the disclosure section of my personal website for all to see.
In the meantime and betweentime, I will report on anything interesting I turn up - positive or negative - with as little personal bias as I am capable of demonstrating. I will also use and abuse any and all of my contacts within every vendor I can to advocate on behalf of "the little guy": the end customer, end user and the sub-1000 seat SMB.
As regards Synology, this means using all my connections there to try to get them to take a more serious approach to security. But I don't give Synology any more of a break than I would any other company.
Well, except Ninite. They get a free pass no matter what. But I'm allowed to be an unashamed fanboy of at least one company, aren't I?
"You could at least slap all of them equally for their incompetence over the years."
If it was a fnord, you wouldn't be able to see it.
As for Synology, I've got meetings scheduled with them to go over the issues here and try to convince them to invest heavily in security. So far, they seem receptive.
Fail2Ban is capable of more analysis than simply "block X number of failed logins". That just happens to be the only thing most people use it for. :)
Also: Fail2Ban wouldn't have stopped this attack, but it would stop many others. And my point here is "defense in depth." That there are layers that need to be here. I would, for example, configure Fail2Ban - or the auth system it protects - to reject any root or admin-priv user if that user was logging in from anything excepting the local subnet. Very important...
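The policy described above (reject or flag any root/admin login that does not come from the local subnet, rather than only counting failures) can be expressed as a small log audit. The following is an added example, not code from the original comment or from the Fail2Ban project: it parses constructed OpenSSH-style auth log lines, treats `root` and `admin` as privileged accounts, and reports every privileged attempt from outside the local networks, escalating successful ones. The subnet values, account names and log lines are all assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample auth log lines (not taken from the page); they mimic
# the syslog output of OpenSSH's sshd on a small NAS.
SAMPLE_LOG = """\
Aug  5 10:01:02 nas sshd[2311]: Accepted password for admin from 192.168.1.20 port 51022 ssh2
Aug  5 10:01:09 nas sshd[2318]: Failed password for root from 203.0.113.45 port 40110 ssh2
Aug  5 10:01:11 nas sshd[2318]: Failed password for root from 203.0.113.45 port 40112 ssh2
Aug  5 10:02:30 nas sshd[2330]: Accepted publickey for alice from 198.51.100.7 port 55000 ssh2
Aug  5 10:03:00 nas sshd[2341]: Accepted password for admin from 203.0.113.45 port 40200 ssh2
"""

# Assumed local subnets and privileged account names; adjust to your site.
LOCAL_NETS = (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8"))
PRIVILEGED = frozenset({"root", "admin"})

# Matches both accepted and failed sshd authentication lines, including the
# "invalid user" form sshd emits for accounts that do not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def is_local(ip, local_nets=LOCAL_NETS):
    """True if ip lies inside one of the local networks; unparsable = not local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in local_nets)


def audit(log_text, local_nets=LOCAL_NETS, privileged=PRIVILEGED):
    """Return one finding per privileged login attempt from outside local_nets.

    A failed remote attempt is a warning; a successful one is critical, because
    the policy says such logins should never be possible in the first place.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if user in privileged and not is_local(ip, local_nets):
            findings.append({
                "user": user,
                "ip": ip,
                "outcome": outcome.lower(),
                "severity": "critical" if outcome == "Accepted" else "warning",
            })
    return findings


def remote_ips_to_ban(findings):
    """IPs that should be blocked outright: any remote source touching a privileged account.

    Unlike a plain failure counter, a single attempt is enough here.
    """
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['outcome']:8} user={f['user']} from {f['ip']}")
    print("ban:", remote_ips_to_ban(results))
```

The `alice` login from a remote address is deliberately not flagged: the rule is scoped to privileged accounts, so ordinary users keep remote access while root/admin are confined to the LAN. In a real deployment the same decision would be enforced before authentication (for example by the auth daemon's own access controls) with this audit as the detection layer behind it.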
I can't say I completely disagree. At the same time, the balance between security and usability is still something tech companies are pouring research dollars into.
I personally can't claim to have all of the answers. Some, yes, but certainly not all. I think any among us who did try to claim that would be a fool; if they had the surefire answers, they'd be a mad billionaire.
So absolutely there needs to be a refocus on security within Synology. I'd like to be among the first to pound on the table about this. But this has to be balanced with usability and perhaps that means that - for now - we can't have both.
For now, at least, security is a shared responsibility, whether you're using a Synology NAS, a Supermicro IPMI controller, a Dell thin client or an HP display management computer. Systems that are largely unattended and unmanaged still need TLC. It sucks, but it's the state of technology today.
What really needs to happen is a lot of the smaller players need to get together and pool their resources into helping solve the problems to hand. A great example would be the Application Layer Gateway firewall I want. That's a beefy requirement. It takes a lot of RAM and a lot of CPU, at least when you're talking in the context of IoT devices.
A baseband management controller, or a low-end ARM NAS, or even your average display management computer is going to have trouble handling a proper one. Throw on monitoring, reporting, communications, etc...suddenly we start getting into the realm of a Big Ask for such small equipment.
So I think real research is required now. How can we do more with less? How can we shrink the requirements of some of this stuff so that we stay within the power/parts/price limits for that product category but still maintain both usability and security?
As I said above, I certainly don't have all the answers. I wish I did.
I could use the billions.
If your Synology doesn't have ports open to the net, you should be safe. But do run updates on the thing anyways. If your computer were ever infected in the future, and your Synology was left unpatched, it could be pwned at that point. Updating now will patch the hole.
They're putting together a complete PR campaign around this. Their PR guy is horribly overworked, and he has been reaching out to tech journalists around the world on this. My article - and others like it - are the first line of their efforts to reach customers.
I suspect an e-mail blast is being prepared, though I personally think that should have been done about 10 minutes after learning this was an issue. Still; I do know that they will be issuing most (if not all) of the advice I wrote in this article, probably later today.
We'll see over time how the response shapes up, and I'll work with their PR guys - and hopefully their brass - to make sure they do better next time. People's files are being encrypted. Who knows how many memories are being lost. It's the least I can do.
Edit the firewall on your router, not your Synology NAS. Your Synology NAS should never be plugged directly into the internet. There should always be a router in between. If you have any questions whatsoever, contact Synology immediately, and they'll walk you through locking this down.
Edit: others go there first. :)
Absolutely. Please go to the Synology Download Center and download the update or new version of DSM for your device. You'll be able to log into your DiskStation or RackStation locally and then go into "Start --> Control panel --> Update and restore (which is under "system")". Here you'll be able to feed it the file you downloaded.
I've done the above many times. It's safe and works well.
Okay, I do get the quibble about "backup first, then upgrade the DSM"...sort of. In the many years I've owned Synology DiskStations I've never had a DSM update go sideways on me. To be perfectly honest, I trust the DSM update process enough, I'm not sure a special "out of band" backup would have even occurred to me. (I do have automated end of night backups, natch.)
But I'll make sure to pass along your advice all the same, because it is right and proper that they pay attention to the order of that.
Actually, I can't really call them on the carpet for that one, mate.
If affected, you're screwed. Your data's gone and you either pay the ransom or pray for backups. In that case, the fact that the advice is "switch it off and call Synology" is - to my mind - exactly the right response.
This means that they will give each user a walk through their options one by one. It also means that if the user chooses to simply nuke out the OS, restore and start fresh by blanking the drives then Synology will help them do so.
Beyond that, I'm honestly not 100% sure what Synology can do. Offer to pay the ransom for you? I'm pretty sure that's actually illegal.
If they knew how to crack the thing and get you your files back should they be posting that on the internet for all to see? Or should they walk you through it on the phone where there's at least a chance that the minor obscurity will prevent the bad guys from figuring out that their operating version is done for?
Honestly, if you've any better advice at all for any of it, ping me and I'll make sure it gets in front of the right people at Synology.
As regards "how this could be prevented in the future", keep an eye out for a sysadmin blog in a few hours. That one has already been written, and Synology's brass sent a scathing hot piece of my mind besides. I have a face-to-face with these folks in a few weeks, and there will be beating about the ears, I promise you all.
"That's what makes you Special."
Shiny. Do I get a short yellow school bus? I could turn it into a testlab on wheels!
Aye, saw it. There are 384 work mails (down from 1021 when I woke up an hour ago) to go before I can start getting into the "El Reg" folder. I'll dig myself out eventually...
That AC is so far in the "RUN, DEAR $DEITY RUN!!!!!!!" part of the crazy/hot graph that a careful reexamination might be required. :)
@Steven Raith don't bother the Anonymous Coward you're talking to is a Microsoft marketing shill. Worse, it's not capable of rational thought. Just ignore it. Hopefully it'll do the world a favor by getting ebola and dying alone.
Several options exist. They're all a little bit prickly. Worth a blog, perhaps.
It was "miserable as bleep" and "reliable unless you change something."
Azure AD is one of those things that introduces a strict change management requirement into your environment. Breathe on it, and it will do something bizarre. But if you're one of those shops that sets up things and then basically doesn't touch them for 5 years, you're good.
Of course, bear in mind that Azure AD can be configured in a few different ways, depending on the wodge of cash you pay, the apps you're using, the level of integration you're seeking, etc. TBH, from a technical level, it's why I walked away from Azure. I just couldn't stand bleeping with it to keep it working.
Now, if they're correct, and it's push-button easy (with presumably similar "oh shit" buttons for when something changes) then it's worth a really good long look. That said, almost every company I deal with is moving away from Active Directory as their authentication system. It's used mostly to lash together legacy Windows boxes, but almost always with a cloud connector to a less frustrating and more widely supported service.
Identity management is a hotly contested battleground right now with dozens of new entrants every year. It is going to be a while before it all shakes out and there is absolutely zero guarantee that Microsoft will emerge the winner. (My money is on a much expanded OpenID.)
The big problem with Azure AD is that Azure AD isn't exactly like adding a domain controller. You don't just have a copy of your whole AD in the cloud.
The benefit of Azure AD is that you don't just have a copy of your whole AD in the cloud.
Active Directory - like the registry before it - has become a dumping ground for information that by all rights should be in easily editable flat text files. (And bleep you too, systemd, with a bronzed goat!) So there's layers upon layers of cruft in the average Active Directory. Some of this cruft you need to make programs run. Some of it is just "junk DNA" waiting to cause a cancerous mutation.
So the bad stuff doesn't go into the cloud...but much of the good stuff doesn't either. So it takes a lot of whitepapers to find out what's where, when and why. Frankly, I gave up. I started moving away to stuff that doesn't need the Active Directory - or the bleeping registry - to get the job done. I like that "keep it simple" mantra.
But there are a lot of folks who aren't in that situation. And so this might well be an important tool for them, especially if they are to remain wedded to Microsoft in the long term. Microsoft is certainly making it a huge part of their plans, as it is an important weapon in the Identity Wars...and that's a set of battles Microsoft's "cloud first, mobile first" future can't afford to lose.
If you could just get your identity from anywhere, why...what could be next?
Microsoft has made a confession: “integrating your on premises identities with Azure AD is harder than it should be” and requires “too many pages of documentation to read, too many different tools to download and configure, and far too much on premises hardware required.”
Oh, but when I say this exact same thing, I need to be berated, chastised and personally attacked. Groovy.
Still, cheers to MS for fixing this. It's great for their American customers. I genuinely hope it works on the service provider mini-Azures so that the rest of us can have integrated networks provided by companies with zero American legal attack surface. A proper hybrid cloud is a good thing, and Microsoft does look like they're only a few years from having the first stage of that wrapped.
Microsoft is the world's premier supplier of Contempt as a Service. Their offerings are unmatched, whether you reside in Germany, the United States, China, or anywhere in between. Subscribe today!
Aha. Then you are the closest to having grokked my meaning so far! :)
"Sorry Trevor, that's an issue for me. The other is software quality.../soapbox"
I'm not actually sure what you intended to say. Either you were talking about "all modern computers are really inefficient and this is bad" or something I have no idea how to decipher. If the former, I lack an understanding of how that connects to the topic at hand.
Maybe I'm too sleepy?
Did I say "Android was currently a major desktop player?" No. I said - and I quote - "Android." No qualifiers of any kind. I let the rest of you lot fill in the blanks with your preconceptions and biases.
I did mean something very specific with that one word comment - and it relates directly to the comment it was replying to - but so far no one has gotten it. Given the absolutely fascinating responses that have developed thus far, I'm inclined not to reveal my original meaning and simply let the lot of you fire arrows into the dark.
I'm really curious to see if anyone gets what I meant.
"Everything you say sounds reasonable except for the Linux bit. UEFI Secure boot will make sure Linux will never get on consumer PCs. Ever!"
"MS knew it was only a matter of time before Win8 would grow on (in?) you..."
Coming from an account named "Fungus Bob" just makes that statement all the more creepy...
Ahoyhoy! You coming to VMworld? I think I owe you a keg or three of beer...
@Ben Bonsall +1 for making me larf. Good show, that man.
"Despite its user interface, when it comes to touch and digitizer support Windows 8 is far better than Windows 7. There are many under the hood improvements in handling that kind of input which 7 lacks. People got so focused about the Metro UI they missed what other was done. I understand any attempt to build a tablet with good pen input supports needs Windows 8, not 7."
Um, no. I'm pretty sure that I said Windows 7 was ass at dealing with pens, or being a tablet. I know full well that Windows 8 has many under the hood improvements over Windows 7. It's the chrome that makes it a bucket of warm ebola.
And it isn't just Metro. It's the fucking charms. And the flat everything. And the zero delineation of controls. And the "cloud integration". And the streaming of your every move back to the hivemind. And the...
Seriously man, if it were just fucking Metro we wouldn't hate it this much.
Ultimately, that's the reason why people don't want to use it, even if the digitizer support is better. It's the 10,000 "little things" in the UI that pick and nag at you like a cloud of bees in your brains. Using the damned thing is just awful, and that's why people will cheerfully pay significant amounts extra to avoid it.
I was aware of the Android one, didn't know the Win 8 one had come out yet, but it makes sense. Which brings me back to "but it runs Windows 8." If Cintiq wanted to do a Win 7 jobbie on the same hardware, that'd be just fine. Worth a premium, even.
I'm entirely aware of all the tablets with Wacom digitizers (Surface, many of Samsung's, etc.) Hell, I own several.
The reason this Macbook Pro dealie has so many backers - and it isn't remotely the first attempt to "tabletize" a Macbook - is because it runs OSX. Windows 8 is a bucket of warm ebola. Windows 7 isn't particularly great at being a tablet OS. OSX isn't much better...but it has a cult following, especially amongst "design" types who still buy into a two decade old mythos that says "to do proper design, you need a Mac." (That isn't true, BTW, and ceased being true a long, long time ago.)
The point here is that there are people who are willing to spend money on convenience. How is this any different than people who pay 2x or 3x more to get a bag of cough drops at 2am by going to the 24/7 convenience store instead of waiting until the morning and hitting up the bulk shop?
There are people - rather a lot of people - who loathe Windows 8. They loathe it enough that they would rather pay 2x, 3x or even 5x as much for what amounts to the same hardware just to get an operating system whose quirks don't drive them batty.
I sympathize. I am personally in that camp. A slightly modified (give me my fucking up button!) Windows 7 is my preferred environment. I am willing to pay extra and/or put in extra time to get that environment. Quite frankly, if my choices on my next PC were "$5000 Windows 7 box" or "$1000 Windows 8 box" there'd be no contest. I'd buy the Windows 7 box.
So yeah, I get why people would mod a Macbook. I also get why they don't want a Windows 8 or Android Cintiq. Both of them are absolutely awful for the types of tasks that anyone with a digitiser is going to do.
So...despite the fretting about a few bent coppers...it's really not all that weird.
I agree that a wacom tablet is cheaper, but - and please do correct me if I'm wrong - they aren't generally portable unless they've been built into a "proper" tablet. They serve as a second (or mirrored) monitor where you do things like keep palette tools. At least, that's my experience with them...
To be fair, if I needed a pen interface to do my job, and the only available choices were "Windows 8" and "sacrifice a pile of virgins to get a frankenmac" then I would absolutely choose the frankenmac. Windows 8 is one of those things that is worth paying a significant amount of money not to have to deal with.
Alternately, I could just get an x86 tablet and hackintosh it. Or even Windows 7 it. Not exactly routes forward for large enterprises, but good enough for the lone gunman types.