> or more with 2 Gbps of networking capacity.
What does that mean exactly? You can't sell a computer with 3 1Gbps network adapters in it?
271 posts • joined 2 Mar 2011
In kind of a reverse attack from this I've recently run into a different bug with HSTS and Chrome with a logged in Google profile.
I accidentally redirected a site to the wrong IP. The second site has an HSTS header set for a different domain which expectedly errored out. Set the IP back to the correct site which does not have SSL listening at all, but now Chrome tries to visit the site using https which breaks. The built in tool to delete HSTS doesn't show any entry and will not delete the site from the local HSTS database. Tried deleting all the Chrome settings in the user profile but the issue keeps showing up (it doesn't show up for other logged in users on the computer), and I 'think', but am not sure that it comes back with the user's settings that are stored on Google.
So how much would an exploit like this bring on the darknet?
This makes no sense. It's not a logical argument if you have any clue what is going on at all.
Flash is not an operating system.
Flash is now a browser.
Flash is a plugin for a browser that requires an operating system.
So let's do the math here. Windows Exploits + Internet Explorer Exploits + Flash Exploits. This holds true for other operating systems as well. Linux Exploits + Firefox Exploits + Flash Exploits.
Many other large subs like gaming, pics, movies, and music are down, each of those has over 7 million subscribers. It is really something to watch. It will be interesting to find out what happened with Victoria to set this all off.
>HSTS is still vulnerable
No, not if your url is part of the HSTS list.
>As for broken links, don't many browsers automatically try the HTTPS version if the HTTP version draws an error?
Not that I'm aware of unless the server sends an HSTS flag, with that flag it retries the link as https and automatically uses https for all further URLs to that domain.
>Figure a different way to make it safe and stop telling people to change when they clearly are unable to.
Sorry, that's not how security works. When something is insecure it is insecure no matter how poor or stupid people are. Yes, that is a dickish attitude, yet nonetheless true. Old versions of IE are broken far past SNI issues, they don't support the new TLS versions that fix many security issues, and they don't support PFS.
Even with SNI you get a base website that can give you a message. In this case the message should be download Chrome or Firefox or get a new operating system.
And break every old link in existence, not a good idea. It's better to use HSTS and certificate pinning. Any port 80's are automatically upgraded to 443 by the browser. Too bad Microsoft is only getting on board with HSTS on Windows 10.
If your equipment does not support SNI it does not need to be on the internet at all and almost certainly is at risk of being exploited by an unpatched vulnerability. XP is dead, so is IE. There is some reprieve as you can still run Chrome or Firefox on it, solving the SNI issue for now. I personally don't care if they don't know what a new browser is. At this point all their computer is, is a jump point for spam and viruses.
If your car is a dangerous old piece of crap the state doesn't have to register it for use on the road. While we don't have registration to get on the Internet (thank god), we can change people's behavior by making them upgrade to, at least somewhat more secure browsers if they want their social security or food stamps.
>but if you enter http://www.google.com/ you certainly want the http version of the site
Google doesn't offer regular http for a reason. If you offer https services there are a plethora of reasons not to offer http for any reasons other than redirection. Offering both is a terrible security risk and that is why we have HSTS.
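The browser-side HSTS behaviour these comments refer to, modelled per RFC 6797 as an added example that is not part of the original posts: a header is only honoured when it arrives over HTTPS, and later http:// URLs for a known host are rewritten before any request is sent. The class and function names and the `.test` hosts are assumptions made for illustration, and this is not any browser's actual code.

```javascript
// Added illustration: minimal model of a browser's HSTS store (RFC 6797).
// Host names and header values used with it are constructed samples.

// Parse a Strict-Transport-Security value; null if max-age is missing or invalid.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(";")) {
    const [rawName, rawVal] = part.trim().split("=");
    const name = (rawName || "").trim().toLowerCase();
    if (name === "max-age") {
      const v = (rawVal || "").trim().replace(/^"|"$/g, "");
      if (!/^\d+$/.test(v)) return null;
      maxAge = Number(v);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.entries = new Map(); }

  // Record a header seen on a response. `secure` = it arrived over error-free HTTPS.
  noteHeader(host, value, secure, nowSec) {
    if (!secure) return false;                  // headers over plain HTTP are ignored
    if (/^[\d.]+$/.test(host) || host.includes(":")) return false; // IP literals are ignored
    const policy = parseHsts(value);
    if (!policy) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) { this.entries.delete(host); return true; } // max-age=0 removes the entry
    this.entries.set(host, {
      expires: nowSec + policy.maxAge,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Exact match, or an unexpired parent domain that set includeSubDomains.
  isHstsHost(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join("."));
      if (e && e.expires > nowSec && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }

  // Rewrite http:// to https:// for known hosts; an explicit non-default port is kept.
  upgrade(urlString, nowSec) {
    const url = new URL(urlString);
    if (url.protocol !== "http:" || !this.isHstsHost(url.hostname, nowSec)) return urlString;
    url.protocol = "https:";
    return url.href;
  }
}
```

A host that has never been visited over HTTPS has no entry, so its first plain-HTTP request is not upgraded; preload lists exist to close that gap.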
Also a Suddenlink customer and was wondering the same thing. I worked for a cable company named TCA quite some number of years ago, and they were a pretty decent small time player. This was in the early days of cable, before DOCSIS 1 was finalized and had Terayon (or something close to that) modems. Not terribly long after I started working there we were bought by Cox, and wow, they, just like their name, are a bag of dicks. Full blown 'monetize' the customer scripts were given to us, about how we should treat the customer as a number of "RGU's" Revenue Generating Units, and how it was our job as techs to increase the number of RGUs each customer represented. We revolted en masse to the new scripts and told management that we were sticking with the old ones. They fixed people's problems, and fast. The new shit they gave us was mostly marketing fluff and had very little training (which is very important for new employees) on actually fixing the problem that caused the customer to call in the first place.
They didn't fire us all, probably because they had some kind of contractual obligations that they had to fulfill in the buyout, but I got out of there as quickly as possible. Not many years later Cox dumped their midwestern assets as they could not extract as much revenue as expected from their customers. The operation then turned in to Suddenlink which has been pretty decent.
I have to admit that I've let certs expire on some small easily missed sites before, but how the hell do you let a cert expire that has millions of people hitting it? You don't have to wait until the last day to put the new cert in. In general I'll replace the cert a full 30 days before it expires in case the cert provider decides it needs to take a while to review your account for one reason or another.
I've done a number of installations with Supermicro gear with 2012R2 as a SAN solution with LSI storage solutions. As you say, you can easily save over $10,000 over what HP or Dell sells.
>Local governments have no desire to spend resources negotiating SSL/TLS with every single smartphone in their area when things explode, rivers flood, or people are poisoned
Yea, I'm not sure what the writers of that were thinking, but that's exactly when you want the verifiability of TLS. Otherwise a third party could make things worse by pushing out fake updates or bad information. Yes, TLS has its own issues, but non-TLS has no verifiability at all.
Ask most people who or what the Internet is and they'll give you some strange answer, even most tech people that don't directly work with it. How many people will say off the top of their head that IANA makes the Internet, the internet?
Chrome did have a lot of bugs. In fact I assume all browsers have a great number of bugs because they try to do everything and the kitchen sink. That said, both Chrome and FF update quickly when there are active exploits in the wild. With IE you'll have to wait till patch Tuesday, unless it is really bad. Adobe is rather hated for taking a long time to patch exploits, and even worse, their update program taking forever to actually update, with the default setting of check once a week.
No, he's probably a standard user, not an admin. On domain networks Java update will not download correctly if you are a standard user and elevate to a domain admin. You have to log in as an admin to get it to work in the first place.
>Why the mighty eff does a mobile OS need to be so big while doing so little?
Because Apple doesn't make small. Even on Windows iTunes is huge. It also benefits them if they ignore bloated application sizes. Oh, 8GB iPhone isn't big enough, well spend another $100 more for 16GB total storage. iOS running slow? Buy an iPhone 7 with 42 bajillion cores.
If phones were kept for a long time, or very low profit items, they may focus on more optimized applications, but that is not the case. Phones get replaced fast and ease of programming for the developer is the focus. We're going to have to deal with the fat OS for a long time.
What are you going on about, Nate? That is not laptop form factor, and will not fit in many laptops. It is a 2.5 inch form factor drive, but it's around 5mm thick. No different than the 2.5" enterprise spinning rust.
Most larger storage arrays have gone to 2.5" for higher density IOPs in spinning rust, SSDs keep the same format for convenience.
Or do you work for WDC who doesn't have a flash line up yet and is trying to FUD the technology?
You've not done your reading on this exploit yet. It went from 'not exploitable' to 'exploitable in a case or two' to 'we're finding new exploit avenues every day'.
I'd have thought you'd have learned after looking at 20+ years of netsec experience online that vulnerabilities never get better after being released, the only potential is to get worse.
It is with unfortunate regret that we inform you that Yugguy has passed away in an auto accident. Shortly after performing maintenance on his Honda Civic his car was seen speeding out of control before crashing in to a concrete pylon and bursting in to flame. Upon further investigation a Stuxnet variant was found on a thumb drive in his laptop computer. No other details are available at this time.
If I watch Netflix on my Wii on Google Fiber, it too will show slow speeds. Stream speed != Internet speed.
>I tried "email@example.com" and it appears that that entirely made up name had already been pawned at Adobe.
Oh, how original. I'm sure if you tried firstname.lastname@example.org or one of the other top 100 made up email addresses you'd find them in commonly hacked databases. Even on sites that require a validation email doesn't mean your address is ever deleted from the server if it's not validated.
It's been going on longer than they are even admitting. Some weeks ago I noticed messages sent to my Yahoo account had gone from taking about a minute or two to show up to ever increasing amounts of time. Even worse, if you sent the same message a few times you would get one message almost instantly, one twenty minutes later, and the other just disappeared never to be seen again. Something is very wrong there.
I downloaded the boot ISO and did a net install inside a VirtualBox today. The install worked rather well. Many things like setting the root password could be done while the packages were installing allowing the installer to do 2 things at once. Systemd and firewalld are going to take some getting used to though. The updated httpd-2.4, mariadb(mysql)5.5, and updated php were much needed.
[root@localhost ~]# rpm -q python
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Everything release 7.0 Beta (Maipo)
>How did a cluster of 4W devices beat a cluster of 95W Xeons?
The same way a GPU beats a cluster of CPUs. CPUs are not 'great' at massively parallel problems, conversely it is unlikely these processors will perform poorly on serial operations.
It's not unheard of in the Linux world either. Tiff isn't a jpg at all, much more complicated format used in the business and medical world pretty often.
>Its very difficult to build a good simulation
You mean impossible.
You can't build a decent simulation of the market when so much of the current behavior of the market is tantamount to abuse of the system. When a new strategy is successful it can rapidly become the dominant behavior in HFT systems in a very short period of time, risk be damned.
Getting rid of the device would be the best first step, but not everybody will be able to act upon that measure in a timely fashion. Disabling remote admin would at least stop a completely unsolicited probe from owning you. The unit could still be attacked via XSS very easily.
And the unexpected reply was
"I'm sorry, I can't do that Dave."
I've done a fair number of SANs this year where the VM storage and bulk file storage are stored on spinning disks, but all the databases have been moved to flash. Moving to flash for DBs has decreased the cost of the installs, fewer servers are needed to serve the same load.
My guess on why they are having a hard time tracking Snowden in the audits... All the system admins were doing similar profile sharing/switching just to get the system to work. It's really easy to track an anomaly traverse a system, but when the anomalous behavior is standard procedure they may never be able to figure out exactly what happened.
>One place I was at wouldn't let you email the fully dotted quad of a non-routable ip address but were fine with you emailing a MAC address.
I bet you'd blow their mind if you told them you could convert an IP to decimal format.
Crafty people always have a way of getting around dumb policies.
>SuperSpeed+, what is next, ultimate speed and then ultimax?
>An Observation: Why is it that the "poor" nations seem to be around the equator?
Advancements in agriculture are a large part of it.
I'd like to know what company this is that has a 100% record of nothing going wrong on a well site? Maybe you mean 99.9% safety record which would still be around 1500 incidents a year in the U.S. The incident rate of contamination is very low, but at least in the U.S. there is a large lobby that pays senators to lie and say it doesn't happen.
I'm not sure what you're on, but we can model the weather rather well, the more input data we put in, the more reliable our output is. A large tornado outbreak was forecasted in the midwestern U.S. and it happened. You're confusing an exact simulation of what weather on one particular day in one particular place will be, or what one particular stock will be at one particular time because both are irreducible calculations.
The stock market can be modeled somewhat. The issue is people use the models to predict and profit from the market, which changes the market conditions.
Reproduction of such models has nothing to do with specific or general learning systems. Predicting non-linear dynamic chaotic systems is impossible and can only be 'determined' in probabilities of outcome.
This is about the stupidest shit I've heard today.
Next you're going to tell me aManfromMARS is the voice of The Register. Or, you can accept the fact that like any site that doesn't pre-moderate comments, people can say anything they want. Some people will learn, other people won't give a fuck and post anything they want anonymously. Some of it will get removed quickly, other times it's widely viewed.
Sunil was likely dead way before the bombings in Boston, he's been missing for months. Not dick shit to do with anything later posted on the internet.
What's really funny is you post as AC, in the world you seem to desire that wouldn't be allowed.
I've got a new idea.
Write tens of thousands of viruses that contain chunks of windows system files from every version of Windows you can find. Cause more damage than the virus ever would have.
I'm not sure in this case, I have seen cases where just paying for the license up front is the cheap way to do it... but it is not always the case. Sometimes a vendor just won't, or cannot provide what you want.
I have a friend who had worked in the oil industry for years. One of the biggest complaints he heard from his customers was how poor the tract management software was for making earnings statements to customers. He asked the company providing the software how much they'd have to pay to get the features they want. Answer: Not going to happen, ever, for any price.
He and two other programmers got together and wrote a web based app that does what the customers want. They built it modular, because it's still a work in progress, if customers want new features they are easy to add. They built it with a consistent internal API, so it can interface with other datasources easily in the future. They use agile development methods, development happens quickly and new feature to rollout times are short. And the program isn't Windows only anymore (on the customers side), it will run in any modern web browser.
I think these big firms doing government contracts are doomed to fail on the projects for a few reasons too. Too much complexity, trying to tie in to different legacy systems with varying levels of support. Too large of development teams of substandard coders. Too long of release cycles, features people need now get added in with more complicated features that need longer test cycles, which end up being delayed because of bugs, which end up also testing with other code from other teams trying to get stuff done, which ends up causing other bugs, ad infinitum. By the time the code makes it to the user requirements have changed or additional systems need tied in starting the failure chain all over again.
Because they are trying to observe the storm, not kill it.
The schools in America are turning out too few students willing to work tech jobs for minimum wage.
No. I have a friend with no internet service at their location at all. They are able to play non-online games just fine.
>Win Me was not a disaster at all
I'll assume 3 things.
1. You did not use WinME.
2. You did not support WinME.
3. Your memory has faltered.
I have never seen an operating system corrupt files, randomly blue screen, or oddly fail in so many ways as ME.
The vast majority of the computers I work on have somewhere below 150GB of data. Seemingly there aren't a huge number of people out there making TB's of video and media. On top of that, the people with desktops are keeping them much longer. A 5 year old desktop is still pretty fast.
I agree that Hybrid systems will bring the power/price down much faster, if the performance numbers on the FirePro SM10000 hold up. 1.4T of DP math... uuhh, that's crazy. The Nvidia K20 isn't a slacker either. Since supercomputers by their nature are parallel, GPUs will inherently speed them up.
Yes, it was an amplification attack. The attacker sends a small packet, bytes generally, the server replies with a larger packet. 512 bytes with the old behavior and much larger packets with the large UDP packet behavior. Any request that sends back more data than sent to the wrong host can be described as an amplification attack. It's the magnitude of the DNS response that makes it so effective.
You are right on BIND, the correct response is not to return large amounts of data if you don't have the answer.
>Yes, there were issues at the start, but they seem to be a lot better now, I happily spent a couple of hours on it last night, and another 30 minutes this morning.
A lot better? I don't own the game since I do not buy from the devil (EA), but watching the Sims Channel on Twitch.tv I see a lot of 15-20 minute wait times for a server spot. And also unsurprising is the number of "We're having errors loading this region" after that. The whole thing is a slap in the face of the fans of the series.
>So, they're either not very well tested and engineered patches, or patches for incredibly simple problems
Most security flaws are simple problems, implementation errors that can lead to serious problems (off by 1 error).
A few patches need to be well engineered because of a design flaw that cannot be fixed trivially (ActiveX).
Firefox will push a serious release to stable within a day, if whatever f'ed up distribution takes a month that's not their fault. Go back to being abused by Microsoft and Oracle's terrible patching schedules and stop trolling here.