* Posts by Rob Carriere

176 publicly visible posts • joined 17 Nov 2010

Page:

This is what it looks like when your website is hit by nasty ransomware

Rob Carriere

Re: Read-only filesystems

I love that strategy. But it only works for static content. So, yes, please run your CDN that way, but any CMS-based part of the site will at the very least have the database as a mutable component. Usually there is a directory that holds uploads and temporary files as well. You can and should defend those, but that is a larger attack surface and therefore intrinsically more vulnerable.

Rob Carriere

Re: Image link shirley?

It's entirely possible you're right, but if the thing ends up serving malware, the victims won't much care how the malware got onto the server -- FTP or share from a Windows box or a direct hack of the server, malware is malware.

German prosecutor given Das Boot over Netzpolitik treason charge

Rob Carriere

Re: what ship? I see no ship

Oh come on. You must have heard of multilingual puns.

EXT4 filesystem can EAT ALL YOUR DATA

Rob Carriere
Thumb Down

Very misleading article

Five minutes of proper research would have shown it is a bug in the MD RAID0 system that has nothing to do with EXT4 or any other file system.

Here's the description from Eric Work, who wrote the fix:

This bug affects systems with kernel 3.19.7+ or 4.0.2+ running any filesystem on top of MD RAID 0 that supports and enables TRIM. No other RAID levels are affected. I believe Intel fakeraid is also affected. If you don't use fstrim or have the 'discard' option enabled in fstab then you wouldn't be affected. Removing these TRIM options is also the workaround.

Astroboffins eyeball MONSTER GAS HALO hugging Andromeda Galaxy

Rob Carriere

I suspect they mean angular diameter. 100xMoon =~= 50 degrees which at 1,5 Mly distance works out to about 2.8 Mly diameter = 1.4 Mly radius =~= roughly the 1 Mly mentioned in the article.

Good luck displacing Windows 7, Microsoft, it's still growing

Rob Carriere

Re: Windows 10 = Windows 8.10

I don't disagree with much of what you're saying, but I feel one important point is getting lost in the shuffle: businesses don't buy OSes for the sake of buying OSes, they get them so the computer can be used to run applications that meet some business need.

And the 800 pound gorilla in that room is MS Office/MS Outlook. Any story that wishes to be a prediction of how future Windows will fare will have to account for the future of those apps.

Specifically: Does Microsoft still have the leverage to force Windows upgrades through restricted MS Office/MS Outlook compatibility? They used to in the past. I'm unsure whether they still have it, but I'm pretty sure that whether or not they have that leverage is the crucial question in the Windows Upgrade Circus.

What is the REAL value of your precious, precious data?

Rob Carriere

Re: NO.

Would that were true.

You can set the price at infinity and your data will be stolen rather than taken.

Google sticks anti-SQL injection vaccine into MySQL MariaDB fork

Rob Carriere

It doesn't

From a ZDnet article:

"The new MariaDB Enterprise release features protection against SQL-injection attacks using a database firewall filter. In a few months community MariaDB will also include the database encryption developed and used internally by Google, which has been using MariaDB for a year."

So that's two separate and unrelated features.

LG monitor software quietly kills UAC, dev says

Rob Carriere

"Gotta say, disabling UAC's the first (maybe second) thing I do on any new Windows machine."

Fine, but that's your choice. You make a deliberate choice and if/when things go wrong, you know who to blame. Nothing wrong with that.

This malware fine monitoring software OTOH, decides for you and doesn't even tell you. Quite a different thing.

You want disruption? Try this: Uber office raided again, staff cuffed

Rob Carriere

Re: illegal software...

The driver is acting illegally, however, so the Dutch court, so is Uber, as (a) it's application is specifically designed to facilitate this illegal behavior and (b) it takes a cut of the proceeds.

Locally Integrated Menus back on Vivid Vervet’s menu

Rob Carriere

Re: The idiot who came up with the global menu bar should be shot

That would be someone at Xerox Palo Alto, circa 1975, I think.

In Unity, meanwhile, a simple option turns this off if you don't like it.

Rob Carriere
Happy

Re: Menus

It does exactly that in my 14.04, so I see no reason why it shouldn't work in 15.04. So prepare to be delighted, I guess.

Pull up the Windows 10 duvet and pretend Win8 and Vista were BAD DREAMS

Rob Carriere

Heh. I like that phrasing. :)

More or less what I meant, although it's not limited to the GUI. (Vista admin access, anyone?)

They're experimenting (Vista, Win8). And like all good experiments, some of it turns out to be crap. So then they keep the good bits and retract the bad ones (Win7, Win10). And thus progress is made -- at least, I know very few people who prefer XP over Win7 for reasons other than trying to keep prehistoric hardware or software up and running.

Like I said, arguably they shouldn't be doing their experiments on paying customers. OTOH, this stuff is tough, especially when you think of the very wide range of computers and network setups Windows has to run on and the even wider range of skills and preferences of their users.

<evil grin>

So, give them a break and then switch to Linux.

</evil grin>

Rob Carriere

I feel kinda odd being a Microsoft apologist, but there is a kind of sense to this. Feature expand, consolidate. Feature expand, consolidate. And so on. Somewhat reminiscent of Intel's tick, tock model. (Except they tend to get both the ticks and the tocks right.) All the people who have screamed bloody murder at Win8 have helped shape Win10, just as the Vista outcries helped create Win7.

I'd like to think there has to be a more elegant way to do this, but that's easy to say from a comfy chair on the sidelines.

Pub time for NASA bods? Orion spacecraft test launch called off

Rob Carriere

Re: Why is wind a problem

1. Considering ground level wind was mentioned, this is probably what was up.

As for the thing being 21 tons, fair enough, but that doesn't make it hard to move. I have moved 10 ton boats on my own and I am not a strong guy. In water or air, you don't get the friction with the ground and things are very different from what intuition might tell you.

The basic question is, can the wind move the rocket sideways by the couple of meters clearance it has from the tower before the tail of the rocket clears the top of the tower?

Alternatively, can it topple the rocket before it clears the top of the tower? (Once you're clear, you can lean into the wind; while you still next to the tower, you're pretty much restricted to engine gimballing.)

Neither of these would take hurricanes. Just a good solid breeze against that huge sail, err, rocket.

Consider that a 40 knot crosswind is reason not to land most aircraft and those things are more controllable than rockets.

Shellshock over SMTP attacks mean you can now ignore your email

Rob Carriere

Turnkey security is hard and not always possible, sure. That doesn't mean we shouldn't try to get as close as we can.

You could think of a library that contains the fork/exec boilerplate and a globbing function. Some scripting languages in effect do this.

Alternatively, you could make a safer version of system() that only passes environment variables you explicitly request.

system("foo --bar *.baz", "EMACS", "TMPDIR");

or something like that.

Rob Carriere

I think the biggest problem is that system() is far more convenient than fork() + the exec*() family of functions.

Water flows downhill. You can rant at people not to do the wrong things until you're blue in the face, but you will only achieve reliable results when it is easier to it right than to do it wrong. At some level, this might be considered a bug in the design of the API.

OpenVPN open to pre-auth Bash Shellshock bug – researcher

Rob Carriere

Re: My /bin/sh points to dash .....

As Steven said, "patch anyway".

As an exercise in intellectual curiosity: You (and pretty much all other Linux users out there) are not vulnerable in any situation where a shell script is invoked without specifying the shell to execute it. In that case, you get the default shell, which is not bash.

However, it is also possible for the caller to explicitly specify bash as the shell to be used or for the script itself to use a shebang specifying bash. In many environments, doing either of those will get the dev in question hung, drawn and quartered, but still, such things do happen.

The only way to be certain it doesn't happen on your machine would be a complete audit of all code on there. That's probably not your plan, therefore the answer of "patch anyway".

Spammer uses innocent hacked blogs to punt NAKED PICS of JLaw, McKayla Maroney

Rob Carriere

Re: "plumbing the depths"

That's because when you dive that low, the pressure builds up and you need titanium plate rather than contem plate.

WHY did Sunday Mirror stoop to slurping selfies for smut sting?

Rob Carriere

Re: Urrrggghhhh

I've seen it used in the sense of 'load an entire file into memory in one read() action' as far back as the mid-80s -- and it might be older than that.

In general, using a regular dictionary in an attempt to disprove the existence of jargon is a mistake; the purpose of such dictionaries is to show only the regular, non-jargon, use of the language.

Latest Firefox and Thunderbird updates plug CRITICAL SSL vuln

Rob Carriere
Coat

"Is capable of being tricked"

An enviable capability, to be sure.

'Windows 9' LEAK: Microsoft's playing catchup with Linux

Rob Carriere

Re: Case Sensitive File Systems...

I'm afraid your explanation of the executable files gaffe is factually incomplete. The reason is that Windows memory maps AND is incapable of allowing existing accesses to a deleted file to continue for the life of the relevant process, something that all flavors of Unix have been able to do since the 70s. As you say, there are advantages to memory mapping. There are no advantages to being incapable.

Plug and PREY: Hackers reprogram USB drives to silently infect PCs

Rob Carriere

Re: I call semi-bollocks

Gotes said:

"Could be a bit annoying when you've just plugged in a keyboard and have no other means of responding to the prompt."

Er, yes. One of the reasons I've never quite gotten the big rush to make keyboards USB. (Yeah, I know, standard connector is 0.3 cents cheaper). The things need exceptional handling in a number of places and this is one of them.

Still, as someone below has already suggested, you can pop up a passcode on the screen and require it to be input. Combine that with serial number lock-in for known good keyboards and you're good to go.

Alternatively, dedicate a USB port to the keyboard and only ask questions if a keyboard is plugged into another port. This should serve most desktops well. A laptop already has a built-in keyboard, so you have a channel to answer the popup. That in combination with a serial number lock should minimize the fuss on most laptops.

Rob Carriere

Re: I call semi-bollocks

I suppose the non-sensitive machine still works (doesn't really matter whether it gets pwned by a malicious document or a malicious drive -- you were prepared for it to get pwned)

But, yeah. Nasty.

How hard would be to modify the OS so it pops up a notice, "The device you just inserted wants to register as mass storage, a keyboard, and a network card. Which of these functions do you want to allow?"

NEW, SINISTER web tracking tech fingerprints your computer by making it draw

Rob Carriere

Re: Surely this is illegal under Computer Abuse and Data Protection laws?

I'm guessing that would depend on your jurisdiction.

The Dutch anti-tracking law, for example, specifically states that it is the act of tracking that is being legislated, not any specific technology used for that purpose. So as far as I understand it, you'd be perfectly welcome to use these techniques instead of cookies as long as you only use them for purposes for which cookies would be allowed (that is, to implement essential functionality of the site, such as login; to gather anonymized usage statistics of the site; or to do anything else for which I have given explicit and informed consent.)

LOHAN seeks stirring motto for spaceplane mission patch

Rob Carriere

To Boldly Fly where Mighty Orbs Go Bust.

Facebook: Yes, we made you SAD on PURPOSE... for your own good

Rob Carriere

> Here's a link for anyone interested:

> https://diasporafoundation.org/

Thanks. That looks interesting.

Rob Carriere

It'd be interesting to think through how hard it would be to do a purely peer-to-peer facebook alternative. Kill the vampire in the middle, so to speak.

Surprise Android 'KitKat' update fixes nasty OpenSSL vuln

Rob Carriere

Most Android devices suffer from a double MitM attack (Manufacturer in the Middle).

As far as I know, there are two ways to avoid that. First, buy your device, don't get it via a carrier plan. That gets rid of the one middleman. For the other, either get one of the Nexus devices, or install Cyanogenmod.

Tennessee bloke cuffed for attempting to shag ATM – police

Rob Carriere

Re: Perhaps he misread it

At least it was in the US. Otherwise he might have expected to get chips with his pin.

Beam me up Scotty: Boffins to turn pure light into matter

Rob Carriere

Re: Get your tin-foil hats here -- at these prices I'm cutting my own throat

Yup, the article talks about electron-positron pairs. The positrons would be the anti-matter bits.

So, to add to your fine list: possibility of making a hole to another dimension from which robots with positronic brains emerge. No matter what orders we shout at them, they shut down the facility, because it is dangerous to poor befuddled humans.

Adobe blames 'maintenance failure' for 27-hour outage

Rob Carriere

...wake up with a gigantic omelette on its corporate face.

So they have omelet for breakfast. No biggie to them.

The critical thing here is that they have a captive audience. People will write angry tweets, blogs and what have you and they will keep paying Adobe. Unless and until somebody writes a viable alternative to CS, they have no choice but to keep paying Adobe.

Europe's shock Google privacy ruling: The end of history? Don't be daft

Rob Carriere

Andrew, thank you

for being a sane voice in a howling storm.

Our Reg reader 'mutt's nuts' dictionary is le chien's biens

Rob Carriere

Dutch

In Dutch you'd get either 'de hond zijn ballen' or 'de hond zijn kloten', but that wouldn't normally be used as an expression of praise. Once upon a time, there were some people who were using 'de tieten van Jezus' (the tits of Jesus) in a similar way, but it's been decades since I last heard that one.

Rob Carriere

Re: This article does feature my favourite (and only) welsh word

Makes sense to me. The stuff inside goes 'popty' and then the microwave says 'ping'.

Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...

Rob Carriere

I think we're partly talking past each other. I completely agree that most of the time, search is inconvenient for file access and the few times it is convenient, it's either because I or a a colleague messed up and something wasn't filed where it belonged or because I'm trying to make sense of a project I'm not familiar with. (And then I'm usually using find and/or grep, not the Unity file search.)

Where I find search to be superior to menus is in program startup and occasionally as a replacement for deep menu navigation. This is a very fast way to get to programs I don't use frequently enough to pin. So, windows key;c;a;enter and Calibre starts up. Windows key;g;enter and gjiten is there and so on.

Things that I do use frequently enough to pin are even faster. WIndows key + 7 and emacs is up. Still other stuff I fire up from a shell; xdg-open foo.pdf and so on. The whole system works well enough I don't need much pinned. (nautilus, firefox, write, calc, settings, shell, emacs, xpad -- and the write should actually be removed, I hardly ever fire that up from the bar.)

I agree that discoverability isn't as good as a classical menu system. I don't care, that's startup costs. I use computers intensively and startup costs are negligible compared to the total, so the relevant criterion to me is the speed I can eventually reach. And between fast application access and not having to drag windows around, I think Unity saves me an hour every week.

That's not for everybody of course. Somebody who spends their time in Gimp is going to be using the mouse far more often than I do. Even office software has many features that are easier with the mouse than the keyboard. So, no I'm not claiming this is a universal solution; I'm certainly not saying that everybody should switch. I am saying that it works for me and that works amazingly well for me.

Rob Carriere

Re: The fixation with 'serarch' for everything

Why search for everything? Because it fits well with a keyboard-centric way of working. Unity is pretty meh unless you're a keyboard freak, then it effortlessly outstrips everything else out there.

The funny bit about Unity is that it will work reasonably well for a beginner (no clutter to get lost in) and it shines for the experienced keyboarder. The ground between beginner and expert and the ground for mouse-based experts is left, well, not bare, but certainly not covered by anything very inspiring either.

Commonwealth Bank in comedy Heartbleed blog FAIL

Rob Carriere

Re: Foot, meet bullet

All it says is that any coffee they happen to serve will not contain rat-droppings...

It's 2014 and you can pwn a PC by opening a .RTF in Word, Outlook

Rob Carriere

Oh, I agree. Some days you're a little slow, you say. Well, some days, I pun poorly. So there. 'Tis the nature of me, especially before the coffee...

Rob Carriere

I love LaTeX and use it a lot, but...

TeX is a programming language. .tex files, including LaTeX ones, are executable content. If you blindly process a .tex I send you, I can read from and write to everywhere in the file system you have access.

Rob Carriere
Happy

I'm aware of the history of at least two file formats called RTF, both going back several decades. In this case, I was doing simple acronym punnery.

Rob Carriere
Coat

I've always thought Rich Text Format was misnamed.

It should have been Windows Text Format.

iPhone 6 FEELS your heat, wetness... and it'll TELL Apple – report

Rob Carriere

Re: Tinfoil hat

But at least it is a stylish cop, right?

Distro diaspora: Four flavours of Ubuntu unpacked

Rob Carriere

Re: I don't get it

I'd agree with you, except I ran KDE and Gnome 2 in parallel that way for a year or two and every last single update caused trouble that required console-jockeying to resolve -- making this Not Recommended for anybody who isn't a console jockey. I swear they forbid their QA to test setups like that.

Prez Obama cyber-guru: Think your data is safe in an EU cloud? The NSA will raid your servers

Rob Carriere

"The United States government has to get out of the business – if it were ever in the business – has to get out of the business of fucking with encryption standards," Clarke said.

No, Mr. Clarke. The United States government would have to be seen and believed to have gotten out of that business. Regardless of your political stance on the whole matter, that is going to be a Herculean task in the current environment.

JavaScript is everywhere. So are we all OK with that?

Rob Carriere

Re: "too expressive in some ways, with features like closures..."

Yes, but it takes a programmer to understand that and the speaker being quoted was an analyst.

Chrome lets websites secretly record you?! Google says no, but...

Rob Carriere

Re: An OS function?

True. OTOH, I usually expect/want exactly zero of these sites to use the mic or cam. Clicking OK for the one or two exceptions per year I can handle.

Unstoppable data growth in storage has ... er, stopped

Rob Carriere

Re: ..market share... graph is strange

Also, what is reported is market share, not actual units. In a market that is changing overall size, that's likely misleading.

All in all, quite the Soviet style statistics.

Los Angeles' weather is just like Mordor, says Brit climate prof

Rob Carriere

Re: WTF

Maybe, but checking that your model does not go bonkers when the land masses are redistributed seems like a good idea. He could have just drawn a random map, or used xkcd's idea of the Earth on its side, but he picked Tolkien instead. Works for me.

Our MOM's LATEST EGGS: 'Looking GOOD', chuckle Indian space boffins

Rob Carriere

Re: Well done India

As you wish. I still respect those who can build stuff well beyond those who sit on wads of largely inherited cash.

Page: