The problem is how do you prove intent? In some cases it's fairly obvious that it's malware, but there are plenty of tools that were designed for security testing or stress testing that could easily be adapted to attacking systems.
628 posts • joined 29 Aug 2010
Re: Grumpy old men 1 - Web experience managers 0
What do you mean a resurgence? SQL injection never went away. Just look at questions people on Stack Overflow are asking related to database querying from an external program/script. At least 90% of the people asking on that topic are building their queries by concatenating user input into query strings. It's like prepared statements don't even exist for most developers.
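To illustrate the point above about concatenated queries versus prepared statements, here is an added example (not code from the original post or its author). It uses Python's standard sqlite3 module against a constructed in-memory table, and compares the same lookup written both ways. The function names and sample rows are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table with a few sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, username):
    """Vulnerable pattern: the input is spliced into the SQL text.

    The database parser sees whatever syntax the caller supplied, so any
    quote character in the input changes the structure of the statement.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, username):
    """Prepared statement: the statement text is fixed, the value is bound.

    The driver hands the value to the engine separately; it is compared as a
    string and is never parsed as SQL, whatever characters it contains.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_lookup(username):
    """Run both variants on the same input and return (rows_concat, rows_param)."""
    conn = make_db()
    try:
        return len(lookup_concat(conn, username)), len(lookup_param(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both variants return the single matching row.
    print(compare_lookup("bob"))
    # Input containing a quote: the concatenated version's WHERE clause no
    # longer means what the developer wrote and matches every row, while the
    # parameterised version simply finds no user with that literal name.
    print(compare_lookup("' OR '1'='1"))
```

The second call is the whole argument for prepared statements in one line: the concatenated query returns all three rows because the input has rewritten the statement, and the parameterised query returns none because the engine only ever compared a string. Logging queries that contain unexpected quote characters is a useful detection signal, but the fix is to bind parameters everywhere rather than to filter input.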
I thought that was one of El Reg's joke names. Who would unironically name their company that?
I'm OK with this
Because as far as I'm concerned it's the perfect field test of anti-net-neutrality advocates' claims in the wild. If everything is flowers and rainbows then fine, no problem. If it's not (which given the long and inglorious history of the relationship between American-branded capitalism and its vict^H^H^H^H customers seems far more likely to me) then it will hopefully serve as a cautionary tale to the rest of the world who can then avoid going down that route. Who cares what happens to a bunch of Americans in the meantime? They're just the lab rats as far as I'm concerned. It might even teach them a valuable lesson about just how powerful and dangerous a vote really can be in the hands of the ignorant.
Re: What is a created kind?
It is a pseudoscience, called Baraminology
Re: Get with the program!
Are you claiming that lions and tigers are different breeds of the same species? Because no creationist I've ever spoken to believes that.
Yeah I'm sure there will be a mad rush to go with all those other UK based cloud providers who aren't subject to the Snooper's Charter..... oh, wait.
Go somewhere else then. Maybe some UK based cloud provider where your data will be protected from prying eyes. At least until the Food Standards Agency suspects you of wrongdoing and some other governmental department wants to sell your data to cold callers...
Fuck fuck fuck, fuck fuckity fuck. Fucky fucky fuck, fuckit.
What's that high pitched humming noise?
It's George Orwell spinning in his grave.
Re: Open source
If it's in Darwin then it might already be open source. I'd have to check though. (People seem to forget that Apple's OSX family of which iPhone OS is a part is partially open source)
But does it run Overwatch?
He asked if he needed to disclose. The reply was no. Therefore he didn't disclose. He was told one thing but they actually meant another. That doesn't strike me as very fair.
Having said that I don't think I'd feel the same way had it been something more serious like a violent assault or organised criminal activity or something.
Re: Welcome to the future. It's not safe.
"Some hackers are bored, have the time to spare, and welcome a challenge, and hardened targets are as ostentatious as open doors to them"
No question that there are people like that out there, but the era of the hacker who does it for the challenge being the norm is long past. The vast majority of hacking is done these days for profit, either by installing malware or spamvertising, spreading ransomware, etc. For this breed of hacker the value of hacking a system is inversely proportional to how much effort is needed. You might never be able to slam the door shut but you can make it tough enough to open to make it not worth it for the hacking-as-a-business brigade.
Re: Welcome to the future. It's not safe.
"No, we can't accept that software WILL be vulnerable because that ALSO means we must accept that all software must be COMPLETELY vulnerable"
Like it or not, that's the reality we live in right now.
Pretending it's not so will not change the fact that it is. Everything is vulnerable. Of course every care should be taken to avoid coding practices that lead to vulnerabilities, and of course every time a vulnerability is unearthed it should be fixed, but while we pretend that software isn't all vulnerable we won't design systems to be able to resist attack. When we accept that all software is vulnerable we'll start applying better practices such as compartmentalising it so the damage can be contained when somebody finds a way into a system that they shouldn't have access to for long enough to prevent the attacker gaining further access.
It's like the ant colony that defends itself heavily around its perimeter with warrior ants but if you get past them you have unfettered access to the queen, the food stores, the nursery, etc etc.
Re: Welcome to the future. It's not safe.
The problem is software is complex and with the best will in the world a non-trivial system is always going to contain bugs. You could take every possible precaution in your development process to avoid security holes and still end up with one exploitable bug in the system that may go unnoticed for years. Is it fair to toss people in jail for that? Especially given that most developers are fundamentally creative by nature and struggle to think in the same way a fundamentally destructively-minded hacker would and might not notice that the fantastic new feature they've just implemented could be hijacked and used for nefarious purposes?
No, it's better to simply accept the fact that all software is going to be buggy to some extent and have mitigations in place to limit the damage that said bugs are capable of causing by compartmentalising systems so a compromise in module A doesn't allow you to cause further damage by manipulating the behaviour of module B.
Effing software patents
The whole concept is stupid, obnoxious and unworkable. Software patents should all just be scrapped.
Nest is killing it
I'd say that's debatable. Nest might be the best known IoT brand but it's stagnated for years and from what I hear Google are no longer taking it very seriously, in spite of the ludicrous amount of resource they poured into it.
Re: Wheels in the Wings Design Flaw
"Due to the way the engines are positioned on the Concorde the whole wing caught fire because the leaking fuel went straight into the afterburner exhaust"
None of the engines on Concorde were ever actually on fire (though the crew did get a false fire alarm on one of them). The deluge of fuel rushing over them basically drowned them - they were deprived of airflow and flamed out. The probable ignition source was a damaged wiring loom for the landing gear retraction mechanism.
Re: Wheels in the Wings Design Flaw
Tire-related catastrophe is something that can happen to any aircraft. The deadliest DC-8 crash in history (Nigeria Airways Flight 2120) was triggered by a tire bursting and catching fire on takeoff.
Re: YIPPEE! Great news!
My mother won a trip on Concorde (a short circumnavigation of the British Isles and a sprint up to full speed). I was so jealous that I didn't get the ride. I do remember watching the takeoff though, that noise punches you in the chest in a way nothing else does. It was glorious.
Re: Cheaper to pay bug bounties...
The fact that there's pretty much nothing out there that can't be hacked suggests the problem is not a lack of competence, but simply down to the fact that software is hard. Millions of lines of code isn't even considered a big system any more, and no matter how careful you are it only takes one slipup somewhere to introduce a vulnerability. Add in multiple threads of execution opening up the concurrency can of worms and this isn't at all surprising.
Having said that, 4 seconds for Flash is just plain pathetic, the fact it's an old vulnerability that got exploited doubly so.
Russia blocks LinkedIn.
LinkedIn spam plummets overnight.
And there was much rejoicing.
"Say you live in country A, where the cost of living is $20k a year for basic food and rent. Your salary therefore MUST be greater than $20k a year if you are to afford to live in your country."
This is true, but as far as most of Europe goes, the cost of living is going to be closer to 20k than to 4k so a European worker is going to expect a salary in the same range as a UK worker. Especially if they actually do come over here and have to face the same cost of living as UK residents face. The guys in India may be a hell of a lot cheaper than that, but the guys in India also turn out terrible terrible code that's not worth even the cheap price you pay for it. Trust me, I've made a few quid cleaning up the mess one of these outsourcers left behind.
"Automobile manufacturers didn't leave the Rust Belt because the workers weren't good at their jobs. They left because people in Mexico could do the same job and yet only wanted 1/3rd as much money for it"
Funny, because my understanding of the situation was that the Rust Belt car industry died because they produced shitty gas guzzling unreliable basically disposable cars that would oxidise in six months, and they subsequently got eaten alive by the Japanese when they started making high-quality economical durable products that would still start on a cold day, a situation that the oil crisis only made worse because who wants a gas guzzler when petrol suddenly costs three times as much? The American manufacturers made the wrong product for the time, the Japanese manufacturers made the right one and the free market made its choice.
Re: I am Mad
Rational prudency? Trump? That's a good one
I'm a tech worker in the UK and never worried about my job security from the EU open borders policy or from international outsourcing. The former is because in my experience tech workers from the EU can match UK workers in terms of talent but also demand the same level of salary, so there isn't a huge advantage to hiring them over the local talent and the meritocracy decides who gets hired. I'm perfectly fine with the best job going to the best candidate. As for development being outsourced to distant lands it's become increasingly apparent that the quality of code you get from these outsourcing development houses is terrible. You pay peanuts, you get monkeys.
If you're good at your job then globalisation shouldn't pose a threat to you.
Where do I get a burger like the one in the photo? It looks lush
On the plus side, when the market decides that America is doomed after either the bad candidate or the worse candidate has won the election, the dollar should collapse and hopefully restore its relative value to the pound.
Maybe time to invest in Euros.
And here in a nutshell is everything wrong with software development, especially when it pertains to security. Developers are fundamentally creatively-minded and simply cannot think the way a fundamentally destructively-minded hacker will. I also think that in spite of the cynical sense of humour a lot of software guys display, they are at heart too optimistic and assume that most people are basically not malicious. They will come up with what seem like good ideas, even great ideas that make things better for everybody, then some hacker comes along and realises that this great idea that makes things better for everybody can be re-purposed to run down your battery, or spam you with porn ads, or install a keylogger or anything else that ranges from mischief to full blown felony.
I think university courses on software development should contain at least one semester on how to think like a hacker so that developers are taught that no, not everybody out there is a good guy and anything you do with the best of intentions could potentially be used by somebody less noble to wreak mayhem. We did do some engineering ethics studies when I was at university, which is somewhat along those lines, but was more focused on how things done with the best of intentions could lead to accidents rather than how they could be abused.
Re: Ok, so...
You're all mad.
It's quite clearly five spaces per tab.
Will it include a course to teach us what a "digital" motor actually freaking is?
Invented e-mail in the late 70s, huh?
Note the date.
When did systemd turn up again?
Years after the COW bug was introduced into the kernel. Scapegoating is such fun, but it's rarely useful.
They should just convert their existing jets to UKIP specifications and saw off the left wing.
So basically the story is "Seagate stick branding on mediocre external SSD, hopes to gain traction in the sucker market"
Ars Technica did an analysis on the pricing and found that once UK VAT (which is included in the list price versus US Sales Tax which isn't) and import duty is taken into account the difference in UK and US pricing is minimal, probably no more than 50 quid.
Of course that statement doesn't generate many clicks and ad impressions.
Now their SSD options on the other hand, there's a legitimate ground for beef. If you select the maxed out SSD option (2TB versus .5TB) the price jumps by more than a grand. I know OEMs don't give good deals on storage or memory upgrades, but that's just plain ridiculous. As I don't know if a user-upgrade is an option or whether this new machine is a sealed unit you can't upgrade yourself that's a very big deal.
Re: Pint due.
It's Douglas Adams' description of Vogon ships from the Hitchhiker's Guide to the Galaxy.
Just use Postgres!
I'm not buying Apple IoT gear...
... but then again I'm not buying anybody else's either. I have no need for a door lock that's connected to the internet with a default password of "password"
You can't do that with a Mac
Wasn't one of the MS Surface ads about how much better the battery life was in these things than it is for a Mac laptop? Might want to sort this one out pretty sharpish guys, or the ASA might send you a strongly worded letter.
Re: It's a brand problem not a technical problem
Sell it? It's fricking free.
Re: It's a brand problem not a technical problem
And there was me thinking that technical excellence, reliability, robustness, strong data integrity features, strong disaster-recovery features and providing a rich, standards compliant API for developers were the really important features in a database system, when all along it's a cool name that really matters! I should just save all my data to a RAM disk and call it the Batman DB.
Re: Whiff of evil?
I noticed Postgres wasn't on that list. Seriously, grab a copy and have a play with it. It's very Oracle-esque and on the whole a very nice database to work with. As for Mongo and other nosql solutions, I guess it just depends on your workload (though I personally don't care for them myself either, and it is rather telling that a lot of nosql systems seem to be trying to find ways to hack in sql-like behaviour).
Stupid metaphors aside, Postgres is a very capable database, far more so than MySQL, and what's more it's not tainted by the whiff of evil that all Oracle products have.
Re: John Smith
It's not uncommon for creatives (web comic artists and the like) to set up "fake" social media accounts in the name of character(s) from their works and post to them in character. If a character's name happens to clash with a real person would that qualify as a "fake social media account" and therefore constitute a criminal act?
I know to most people this might sound like a daft question, but a guy went to prison for making an obvious (albeit tasteless) joke about blowing up an airport so better safe than sorry...
What's that? Design the system such that if the controller stops functioning it also ceases to emit a signal to indicate it's healthy, the absence of which will lead to the brakes activating?
Pah. Failsafe is for sissies!
Ok, how about a redundant system that's entirely mechanical and not dependent on either electrical power or computer control?
LOL, Redundancy is for wusses!
Entity may be short and stout
That's all well and good, but does it implement RFC 2324?
Apple had the right strategy
The simple fact of the matter is that OEMs make Android insecure. So long as they don't see it in their best interest to get Android patches out in a timely manner to any of their devices that are actually capable of running it, they will leave huge swathes of the Android-using public vulnerable to known CVEs. They've got to go. Apple's iron grip on its devices means that devices as old as the iPhone 4S were still getting updates until recently.
The other big problem for Android security is dodgy apps getting into the Android Play store, or incompetently written ones that overrequest security permissions which some other malicious software can then subsequently exploit. Expect a crackdown in Google Play soon.
Apple basically had the right strategy from the get go when it comes to devices such as phones and tablets, and Google have come to the conclusion that their strategy needs to be more like Apple's.
Re: The crew capsule of death?
Formula 1 drivers routinely walk (or at least limp) away from 50+g crashes, fighter pilots can sustain extended periods of 9g with training, and I believe the record for surviving an impact is something like 214g (though luck did play a big part in that one). Provided the crew are securely strapped down (and why wouldn't they be?) that kind of tumbling is most definitely survivable. It wouldn't be very pleasant though, but given the alternative is being blown all over the local area I think most astronauts can live with it.
Just like any other capsule then, with the notable exception of Apollo. During a test of its launch escape system the test rocket (a Little Joe) broke up, triggering the escape system to fire for real. That was entirely a lucky accident, however, and would be difficult to repeat intentionally.