10 posts • joined 22 Jul 2011
Re: A bug in a library is always worse, but...
Given the Heartbleed vulnerability I'm very happy running web sites on Windows, and have been for many years :)
I do have sites I manage on CentOS and FreeBSD too, luckily most of them don't use SSL so weren't affected (but have been patched already just in case), and those that do use SSL were on older distros which use older, unaffected versions of OpenSSL.
Re: A bug in a library is always worse, but...
If you read the followups you'll see it's a zero day affecting IIS4 on Windows NT 4 and IIS5 on Windows 2000. Both of those versions have been EOL for years, in the case of Windows 2000 since July 2010. Who in their right mind is still running web sites on Windows 2000?
Re: Check your vulnerability here.
Nice to see they've added Heartbleed testing - it didn't check for it yesterday as that site was my first port of call and flagged up all the servers I needed to test as green, but at least has flagged up the one I know has an issue with a big fat red F.
However, it does state that the Heartbleed check is experimental, so it may report a pass even if the server actually is vulnerable. Might be worth using a few different tests, including use openssl itself on a box local to the servers being tested to cut out any intermediate termination points that might be disguising the issue.
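Two local checks in the spirit of the suggestion above (run openssl on a box next to the servers rather than trusting a remote scanner that may be talking to a load balancer). This is an added example, not part of the original comment: one function classifies the installed `openssl version` string against the range the Heartbleed advisory named (1.0.1 through 1.0.1f, plus 1.0.2-beta1), the other parses `openssl s_client -tlsextdebug` output to see whether the server even advertises the heartbeat extension. The host:port placeholder and the sample s_client lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original forum thread): local Heartbleed exposure checks.
# Caveat: distributions backport fixes without bumping the version string, so a
# "1.0.1e" from a vendor package may already be patched; confirm via the package
# changelog before acting on the version check alone.

# openssl_version_affected "OpenSSL 1.0.1e-fips 11 Feb 2013"
# Returns 0 (true) when the version falls in the range named by the advisory.
openssl_version_affected() {
    # Keep only the numeric/letter version, dropping suffixes such as "-fips" and the date.
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;        # 1.0.1 .. 1.0.1f: heartbeat bug present
    esac
    case "$1" in
        *1.0.2-beta1*) return 0 ;;           # the only 1.0.2 pre-release that shipped the bug
    esac
    return 1                                 # 0.9.8, 1.0.0, 1.0.1g+ and later: not affected
}

# heartbeat_advertised "<s_client -tlsextdebug output>"
# Returns 0 when the server negotiated the heartbeat extension (id 15).
# A server that never advertises it cannot be reached by the bug at all.
heartbeat_advertised() {
    printf '%s\n' "$1" | grep -q 'TLS server extension "heartbeat"'
}

# Constructed sample of the extension lines s_client prints with -tlsextdebug.
SAMPLE_TLSEXT_OUTPUT='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
TLS server extension "session ticket" (id=35), len=0'

# probe_server host:port  -- live check against a real server (needs network).
probe_server() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1" -tlsextdebug 2>&1)
    if heartbeat_advertised "$out"; then
        echo "$1: heartbeat extension advertised; check the server's OpenSSL build"
    else
        echo "$1: heartbeat extension not advertised"
    fi
}

# Local build check, then an optional live probe if a host:port argument was given.
if openssl_version_affected "$(openssl version 2>/dev/null)"; then
    echo "local openssl build is in the affected version range"
fi
if [ $# -gt 0 ]; then
    probe_server "$1"          # e.g. ./check.sh web01.example.invalid:443 (placeholder)
fi
```

Run it with no arguments to classify the local build, or pass `host:port` to also run the extension probe against one server from the same network segment.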
Re: re: command line (@ A J Stiles)
Whenever I'm doing Windows support and need a user to run a command line, I get them to use Start > Run and type cmd <enter>. That provides everything you included in your misguided "Windows doesn't have ..." reply.
Linux has its uses (I've been running my VPS hosted system on Debian, Ubuntu, and CentOS for years, and also have a bunch of FreeBSD systems where I work to look after, including "dumb" terminal replacements), but for general desktop use I still prefer Windows 7; XP was the dog's doobries for many years, but Windows 7 blows it away - and I still get to maintain old VB6 code using Visual Studio 6 without any problems (just have to disable desktop composition so aero is off when running VS or else drag-and-drop form design results in painfully slow redraws).
While disabling RC4 is a good idea in theory, in practice it's impossible when running Windows Server boxes that are not 2008+. Windows Server 2003, while still in extended support until July 2015, only supports TLS1.0 which has a small number of ciphers; RC4 is the only cipher it does support that doesn't use CBC, so turning it off isn't an option if you need to run SSL. All the Windows 2003 CBC ciphers are worse than RC4 given how BEAST demonstrated their inherent weakness, and various patches and KB articles released shortly after BEAST resulted in the two RC4 ciphers (TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA) being the only two left available. For some companies upgrading all their servers to Windows 2008/2012 right now just isn't a realistic option. If the charts at http://w3techs.com/technologies/details/ws-microsoftiis/all/all represent a realistic spread of IIS versions, then 42% of websites running Windows are on 2003/IIS6 (which represents around 6% of all websites in the survey), which is still a significant number of servers worldwide. Given Microsoft is supporting Windows Server 2003 for almost 2 more years, and that they're urging RC4 to be disabled, where is their announcement about a patch for 2003 to add TLS 1.2 support? After all, this would constitute a security risk, and therefore require a security fix, wouldn't it?
Ah, now I've read a few more articles I see what Visa are planning - aggregating offline purchases in an "area" with the types of purchases made (which would still have to assume that a purchase at Tesco would be for groceries rather than a new TV, for instance) and then the advertisers would use geo-location (most likely by IP address as there'll be little else to go on without any personal data) to figure out which area you're in and show ads ... so if you live in an area with a large number of people buying things at Pet City then you'll end up with pet related ads. Short term looks like it'll be an utter waste of time for advertisers; geo-location is often a mess, my home IP comes up as being around 200 miles from where I live, and my work one about the same distance from where I work ... and ads based on aggregated data will be irrelevant for most browsers as the ads will be based on offline sales, not online, which likely has a wildly different purchasing demographic (I buy food in Tesco but never online, for instance, so online ads for food wouldn't give me a sudden impulse to buy food online).
Maybe it's not April, but Visa/Mastercard will be having the last laugh with this.
Without a major overhaul of the payment network protocols this isn't going to be feasible. I've implemented 3 different payment systems over the past few years, and while one had the option to include a description of what was being purchased I've never seen a reason to include it. All that Visa/Mastercard would see would be a merchant reference, the card details, and an amount - how are they ever going to figure out what has been purchased? Amazon (or Tesco, or any other retailer selling a wide variety of items), will likely have 1 merchant services account for all transactions, so if you spend £10 with them there's no way to identify what that £10 was spent on - it could be books, DVDs, shampoo, food, toys, paint, anything!
So, we're back to the first line - a major overhaul of the payment network and forcing all retailers to specify merchandise category codes in transactions. Considering that the payment network doesn't even handle addresses (only address numerics are passed around as the system doesn't support non-numeric values) there's little chance of adding a system to handle these codes in the foreseeable future, and even then a significantly smaller chance of retailers implementing these codes as that would require major changes to all commerce platforms.
Is it April already?
SSL certificates use 2048 bit keys (at least that's recommended minimum in certificate requests for general use) but the actual SSL/TLS data encryption is still only 256-bit or 128-bit for the major ciphers in use. Take Google.com for example - right now it has 256-bit encryption using AES256-SHA, 168-bit encryption using DES-CBC3-SHA, and all the other ciphers are 128-bit. Certificate key size is not the same as the encryption key size.
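The distinction in the post above (certificate key size versus the symmetric key of the negotiated suite) and the RC4-versus-CBC point from the Windows 2003 post are both visible in ordinary `openssl s_client` output, so here is an added example (not from the original comments) that pulls the two numbers apart and classifies the suite by mode. The cipher-name rules are a heuristic written for the suite names mentioned in the thread (AES256-SHA, DES-CBC3-SHA, the RC4 suites) plus GCM/ChaCha AEAD suites; the sample s_client transcript and the host:port placeholder are constructed.

```shell
#!/bin/sh
# Added example (not from the original forum thread): separate the certificate's
# RSA key size from the negotiated cipher suite in `openssl s_client` output,
# and classify the suite so that "2048-bit SSL" is not confused with a 128-bit cipher.

# cert_key_bits "<s_client output>"  -> e.g. 2048 (the certificate's public key)
cert_key_bits() {
    printf '%s\n' "$1" | sed -n 's/^Server public key is \([0-9]*\) bit.*/\1/p' | head -n 1
}

# negotiated_cipher "<s_client output>"  -> e.g. AES256-SHA (from the SSL-Session block)
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# symmetric_key_bits SUITE  -> key length of the bulk cipher, by OpenSSL/IANA name
symmetric_key_bits() {
    case "$1" in
        *AES256*|*AES_256*|*CAMELLIA256*) echo 256 ;;
        *AES128*|*AES_128*|*CAMELLIA128*|*RC4*) echo 128 ;;   # TLS RC4 suites are 128-bit
        *DES-CBC3*|*3DES*) echo 168 ;;                        # 3DES: 168-bit key, ~112-bit strength
        *) echo unknown ;;
    esac
}

# cipher_mode SUITE  -> RC4 (stream, prohibited by RFC 7465), AEAD, or CBC
cipher_mode() {
    case "$1" in
        *RC4*) echo RC4 ;;
        *GCM*|*CCM*|*CHACHA20*) echo AEAD ;;
        *) echo CBC ;;      # AES256-SHA, DES-CBC3-SHA and friends are CBC-mode suites
    esac
}

# summarize "<s_client output>"  -> one line: cert bits, suite, symmetric bits, mode
summarize() {
    suite=$(negotiated_cipher "$1")
    printf 'cert=%s-bit suite=%s bulk=%s-bit mode=%s\n' \
        "$(cert_key_bits "$1")" "$suite" "$(symmetric_key_bits "$suite")" "$(cipher_mode "$suite")"
}

# Constructed sample of the relevant lines from an s_client session.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
Server certificate
subject=/CN=www.example.invalid
Server public key is 2048 bit
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'

# probe_server host:port [cipher-list]  -- live check (needs network). Passing a
# cipher list such as RC4 shows whether the server still accepts that family.
probe_server() {
    if [ -n "$2" ]; then
        out=$(printf 'Q\n' | openssl s_client -connect "$1" -cipher "$2" 2>&1)
    else
        out=$(printf 'Q\n' | openssl s_client -connect "$1" 2>&1)
    fi
    summarize "$out"
}

summarize "$SAMPLE_S_CLIENT_OUTPUT"
if [ $# -gt 0 ]; then
    probe_server "$1" "$2"     # e.g. ./suite.sh web01.example.invalid:443 RC4 (placeholder)
fi
```

On the constructed sample the summary line reads `cert=2048-bit suite=AES256-SHA bulk=256-bit mode=CBC`, which is exactly the gap the post describes: the certificate key and the data-encryption key are different numbers. Running it with `host:port RC4` against a Windows 2003 box would show whether RC4 is still the only non-CBC suite it will negotiate.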
read the post next time :)
The key phrase to look out for in that post was "change their change their", not the part about passwords and keys. The title of the post was a very obvious clue ...
... double tray BD player required??
@Blake, you could have picked up the SW DVDs that contained two discs per film, one with the special edition and one with the original theatrical cut - the latter not being anamorphic and only 2.0 audio, but much better than a VHS conversion.
As to LotR, I was looking forward to the BD extendeds because I'm a lazy git and don't want to have to switch discs halfway through the films like I do with the extended DVDs. But thanks to the inclusion of 4 commentaries on each film they've been split across 2 discs each again. I don't give a stuff about commentaries; I'd be much happier with the extended movies on 3 BDs without the duplicated discs from the DVD releases (I've got those already too from the collectors DVD sets as well as Minas Morgul and the King's crown that were available for a limited time from Sideshow with the order form in Return of the King).