203 posts • joined Tuesday 19th July 2011 08:36 GMT
"Holding it wrong" - have a +1 ;)
The ultimate question!
There - have an upvote ;)
On the subject of Bond, this quote:
"I ask students what is the first thing that comes to mind when they think of intelligence. Invariably the answer is: 'James Bond.' This is a sad state of affairs. Not only is James Bond fictional, but he is not a fair representation of intelligence," the prof said.
Ehm, did the prof consider that those students may know that 007 does not represent actual spies, but do think of him regardless? Did that prof ask whether his students thought Bond resembles reality?
Ah never mind, everything for a nice juicy quote...
Laws that forbid watching that stuff? Well... I certainly wouldn't watch it but laws that prohibit watching anything are a bit too censorist for me, thanks.
(And please don't mention the p word. Let the police hunt down the sickos who create those images...)
If we are to have censorship, I do applaud your position that the nipple/nudity censorship should be switched with censorship on violence.
I'll go sulk in my corner now.
Re: I'm off there now
As long as you file your expenses for reimbursement ;)
Re: Hah, he's been too busy on the Pan-Galactic highway
Or downing Pan-Galactic Gargleblasters, more likely ;)
If it it's not in the law books, we have trained typists over here, so just a matter of hours ;)
Re: LINUX - Server.....sure, data centre...maybe, desktop...don't hold your breath
Yep. Ubicutous OSes... dangerous but if you manage to harness their power, there's nothing that can stop you.
Grammar nazi because discussing the contents of your posts seems useless.
Re: @Robert Carnegie
Well, there's always Firefox on XP...
Weeping and gnashing of teeth
Nice article, but when I read "weeping and gnashing of teeth" I really missed a vintage Verity piece on this :)
Indictometer? I like it!
"plugin more clearly telegraph to users when it could potentially be dangerous to let Java code be executed in their browsers (not all the time? – Ed)."
Ed (talking horse or editor... or both?) is right I think ;)
So they went to the trouble of installing pretty lights that indicate the level they indict their own product security. Amusing, but worthless, I'd say, given their stellar track record of Java "security" in the browser.
PS: The wording of could potentially leaves a bit to be desired in the weasel words department. Fortunately, The Reg is definitely not Wikipedia though...
 Yes, lame. Excuse: not enough coffee - not that that necessarily improves things but this is the only excuse I can come up with right now.
Re: Others have done it
This criterium, my dear chap, these criteria...
Re: assuming this is true...
AFAIR using a radio transmitter using the same mechanism the airline itself uses to transmit operational data to the aircraft (could be EICARS, can't be bothered to look it up)
"We pilots always check what the automatic systems are doing"
.... well, I seem to remember a Air France crash in the Atlantic where the pilots had no idea what the plane was doing when taking back control from the autopilot.
Also, I'd trust the FAA as far as I could throw them with their "regulated airspace". What does it mean that the airspace has rules if somebody does not play by the rules?
Re: Loyalty and experience: more to be said?
"Is there really anything else needs to be said?"
Yes: don't pay managers for short term cost savings/revenue increase.
(Hopeless optimist here, yes)
Mars writing entire sentences?
You're almost starting to make sense by writing those entire, often grammatically correct (though I'll stop short of describing the content - leaving that up to our Esteemed Readers as well as your Worthy self) sentences.
Would you stop that? My world view is being shaken very much!
Re: It sounds to me like a good thing
AFAIU the article said nothing about changing the coupling between Webkit and the JS engine, just that Apple wanted to take certain things out.
Google is likely to only support their own JS engine with Blink anyway.
If they go from 2 to 1 JS engines in Webkit, I'd think that only increases the likelihood of removing any proper arm's-length interfaces...
Re: Opera too
Well, as Webkit is LGPL licensed according to WP, Blink must be too. So it's open: Google have to publish their changes.
As for the article author's argument that diversity suffers because of a fork which he thinks/hopes will become the dominant platform (instead of errm, now, let's see.... Webkit!?)... what pills has he been popping?
Cure for cancer
Well, some whacko just posted that "cure". Sigh.
Iain, hope you enjoy however many months come with your wife and loved ones.
Madness or PR/propaganda?
Might be worth looking at the exemptions a bit more: when the FBI says it's ok, it's ok, etc. The added advantage is that it provides nice govenment workplaces for the guys who get to rubberst... ehm process those exemption requests.
I'm sure those loopholes are not unintentional and that a huge amount of kit will suddenly be exempt...
Re: Document your tricksy shit?
Well yes and no.
If you're messing with crypto code you'd better know what you're doing in the first place. Removing something because a static code generator says so says more about the guy removing it than the quality of the comments.
That said, commenting never hurts and yes, it will perhaps prevent the same mistake.
Economics are the real problem
I think Trevor hit the nail on the hit with the final few sentences. There's a market in breaking security, also some in implementing security at the individual product/company level, but no economic incentive to force better security standards.
The technical development of the standards/protocols may (does) hit its snags, there may be insufficient amount of skilled people around to efficiently do this, and some standards/protocols may have technical or security deficiencies, but the real problem is that these improvements are not adopted.
So what could change this economic point of view? Government/trade industry/whatever fines when corps are using insecure technology (e.g. banks on SSL, not latest TLS), when data breaches occur etc seems to be the only obvious solution here..
(Whatever its faults, at least PCI DSS has lead to improvements in security. These are often implemented and "audited" by incompetents but hopefully not always)
What do you guys think?
(Thumbs up for the article)
Alternative power system
Yes, such a power system would absolutely radiate brilliance and be a glowing testimonial to human ingenuity :)
US subsidiaries should ship your data to the home of the free if Uncle Sam asks for it...
IIUC, US regulations don't care if they're subsidiaries... (don't know where they draw the line: wholly owned, majority owned, somebody on the board who has a fondness for US products...)...
Non-compliance with PCI-DSS
As you say, writing complete card numbers to log files is a big no-no. Even if there hasn't been any breach, I'd be fine with Visa fining them.
I don't know Visa's conditions but it sounds reasonable to fine based on non-compliance regardless of breaches... too much costly investigations and useless fingerpointing otherwise. If their security isn't in order, they could have been breached (even if they weren't) putting credit card customers at risk.
Yep OAuth 2 sucks big time. Last time I checked, Twitter was still on 1.0. I hope that whatever else they do, they remain on that.
Ehm, ek kannie Debian installeer nie (of ek weet nie hoe om Debian te installeer nie) would be my best bet ;) 
Still, I agree with the sentiment - Debian just works ;)
 Nee, Afrikaans is nie my moedertaal nie...
Re: I doubt it
Recycled urban legend methinks. I heard the one about a server stuck under a desk with the janitor etc.
New failure better than repeat failure?
Yep, they're innovating.
When I read this "competition paradigm changed" I have to dig up my anti-nausea medication.
Does this guy mean that the moves of some players on the market have totally changed the way the economic principle of competition is viewed.... or did that moron just mean that the "competition situation in the market changed" or something similar!?!!?
Glad I got that off my chest.
Yep. Effectively the 1kb=>1Tb Coke example is just a transformation/encryption; the reverse step (decryption) surely isn't going to be performed by humans=>a software program will do it=>same weaknesses as using regular encryption.
(And even if humans do get the offsets to the relevant bytes out of the vault, type them in by hand, then the 1kb file will appear anyway in memory).
Or am I missing something?
Beer because that's what encryption usually leads me to thinking about.
Actually, I think Eadon has a point.
I'm thinking the point of the so-called RCA is to make sure MS keeps their customers. It therefore does not have much to do with finding the real root cause as long as it leads to the desired effect.
Cynical? Who? Me?
Re: ""The RCA will be posted on this blog as soon as it is available," he wrote."
Who says the RCA won't be corporate bullshit?
Agreed though that MS might not get away with that...
Too many files accessed?
AFAIR, he accessed 15 or so files, while the judge thought about 10 would be enough or something.
Compared to the fact that he's not the guy who is responsible for the appalling security but wanted to report the problem, I think sentencing him for that is just vindictive.
As for the fact that he didn't give the provider enough time to fix things: as others said, IT'S JUST A PASSWORD - fix it! (Oh and password complexity requirements, set up a VPN etc but first plug the obvious leak).
Re: What lax security?
IIRC, Dutch media earlier reported that it is indeed only username+password, no VPNs etc.
re: What was he exposing
"What was he exposing? That he knew the password?"
Yep, and that the password apparently was abysmally weak.
Perhaps they will sneakily use version numbers (or revision numbers) internally... and just tell customers "you Windows is too old, you need to cough up^H^H^H upgrade"...
"with the right combination of SIP traffic, the hex value 32 (ASCII 2) with the offset 0x47f would crash the interface that received it."
Well, actually, the right combination of *any* traffic, but yes, the SIP traffic triggered it.
What complicates matters is that he found out another value "inoculated" the card against crashes so that probably is why it is so hard to track down. Also not all cards appear vulnerable - different firmware versions etc?
Icon: ignore description, look at image ;)
Well, just as there's always PostgreSQL vis-a-vis MySQL, there's always Freeswitch when talking about Asterisk ;)
Agreed with your post though - interesting to see the Oracle-Cisco wars...
A billion here, a billion there
Must be too long since I read my economics textbooks or these sentences are incorrect:
"Microsoft, along with VC Silver Lake Partners, is reported to have lined up $15bn from UK and US banks to finance a deal, making them minority investors in a private Dell. Reports value an estimated $3bn Microsoft contribution as a 10 per cent stake."
- MS+Silver Lake together have gotten $15bn from banks to invest in Dell
- MS invests $3bn
=> Silver Lake then invests $15bn-$3bn=$12bn?
Or are the banks not loaning money to MS and/or Silver Lake but investing directly in Dell?
Religious, are you?
Excel < 1-2-3? Features!!?!
What features would that be and would you be willing to bribe the LibreOffice people to put them in?
Post hoc ergo propter hoc
Right. So I should just throwing in .Net code in a Java project and magically watch the quality increase?
Did those code gazers bother to do any analysis on *why* these differences occur or is our Reg hack in question too lazy to quote them?
*cough* even Libre/OpenOffice!
Business doublespeak, statistics, and marketing figures...
What does "showing mobile leadership" even mean? Blegh, business speak again.
Once again it's the Asay Satay Sauce of various figures dredged out of multiple "analyses" mashed up to support what the author is saying. But it generates ad revenue, I suppose, and after a previous good article, I'm not surprised to see the author back to his normal self.
- FLABBER-JASTED: It's 'jif', NOT '.gif', says man who should know
- If you've bought DRM'd film files from Acetrax, here's the bad news
- Analysis Spam and the Byzantine Empire: How Bitcoin tech REALLY works
- VIDEO Herschel Space Observatory spots galaxies merging
- Apple cored: Samsung sells 10 million Galaxy S4 in a month