1460 posts • joined 14 Jun 2007
Re: Analogy defect!
Errr, what? So you're saying that TOR was designed to allow people to post naked pics of others anonymously?
Besides, crappy car analogies are a requirement on techie forums!
errrm, when you posted that, there were only 2 other commentards apart from you, and neither of us advocated any such thing
Streisand effect in 3...2...1....
Oh dear. I'm actually very sympathetic to cases like these, and the bastards (assuming her story is true) are evil scum, but....... oh dear :-(
I presume if she was run over by a car, she'd sue Ford?
"You can make a diode out of a piece of coal and a wire."
I'm sure the 'hipster wearable brigade' will find that bit of information most useful!
What an unusual way to do things...
Um, it seems Facebook did their investigation, and handed the evidence to the police who carried out a successful raid.
Anyone at Microsoft could tell you that the proper way of handling things is to convince a judge that you are the world police, and assume the power to personally confiscate anything you think may be tangentially linked, even if it's not owned or run by the criminals, creating huge collateral damage for millions of innocent people in the process.
"MICROSOFT! FUCK YEAH!"
" You still have to trust the Root DNS certs, but they've demonstrated themselves pretty responsibly up to this point"
Indeed. Far better than the current mishmash of companies doing it purely for profit.
"Deleting" files doesn't physically delete the data?
Wow. Who amongst us techies would have known that?
Re: How to sort out DNS problems properly
Or just use google?!
Re: How to sort out DNS problems properly
Finally! Someone mentions using a locally installed DNS server rather than simply changing to google etc.
(Though doesn't windows cache DNS records internally these days? - unix systems don't [though individual programs could in theory]- you should point entries to a local nameserver or a standalone caching daemon)
However, why go through all that testing for local DNS servers etc. to use, when you can simply configure a standalone DNS server that is seeded with the root servers?
This is basically how your ISP's nameservers are generally set up (after all, what forwarders do you expect the forwarders to use? :-) )
If you run it on a system that isn't powered off frequently, then it will end up caching where the popular records are stored, so it can contact them direct for maximum efficiency.
You are then no longer relying on forwarders (which is also more secure, as what happens if the forwarder currently being used is compromised?)
The only static config you need then is that of the root servers, which is readily available and rarely changes. And even if an entry does change, running a nameserver in this mode means that the very moment your DNS starts up and successfully contacts a root server, it will automatically be updated with the current root-zone list. (Though most nameservers don't actually update their local on-disk copy of this information)
If you follow this route, or indeed the route you mention, as you won't be using the server to serve your own domains to the internet, I'd recommend 'unbound' over 'bind'. It's available for unix/mac/windows etc. and is more lightweight and easier to set up (especially for DNSSEC)
To save money, the ASA could be replaced by quite a simple program:
In meta(ish) code:
....If complaint received:
......sleep for a few weeks
......output "Warn the company that the ads mustn't appear again in their current form."
Re: dot and slash
" I was, in fact, under the impression that no backtracking to argument mode was how most commands interpreted their arguments."
Indeed. That is quite nasty.
remember you can use '--' to end arguments with most commands these days, but I still agree with you there!
Re: You've made me rant now..
"I think your early points are great, but you lost me starting at...
"Indeed, there are many who argue that kernels should not allow files to exist which start with a '-', or contain spaces, newlines, tabs, various binary characters etc..."
My view is that if I'm the sysadmin for a multiuser system, it's *my* prerogative to prevent silly filenames creation by the users. It should *not* be a kernel default; but a filesystem mount option to reject open/creat/mknod/ link/symlink/rename operations where the target filename contains characters from \001 to \037 would be entirely appropriate and save lots of user confusion when they create such problem files by accident. This is fine for UTF-8 encoding and EUC coding."
Hiya. Sorry for the delay in replying.
I told you I was on a rant, so I'll probably backtrack a bit :-)
I agree with you (I think!)
Some argue it should be a kernel default (DWheeler in the article I linked to, for example) - but I don't. Besides, that horse has bolted already, and any new restriction would undoubtedly cause problems.
But I probably didn't show that I also agree that such restrictions should be possible, and easily configurable by the sysadmin if he/she thinks it's appropriate. - Just as you describe above.
"...And if my users want to store data against arbitrary binary keys using 'special' C programs to make 'special' filenames, I'll tell them: Don't use a filename as the key, because it's a half-arsed hack. Instead, here you go, sqlite3 or gdbm or bdb, take your pick, they *do this stuff for you*. Oh, by the way, you can *even* use data containing '/' and ASCII NUL as a key. Whoa!!!!"
Backtrack time..... Yes, I agree and like to think I'd behave the same way!
The point I was trying to make was that it doesn't need to be a kernel based restriction - not that such a restriction shouldn't be possible.
But then I ranted off in some utopian way about the freedom of the programmer to be able to do what he/she wants without OS restriction that isn't necessary for the OS to work - but I didn't provide any practical real-world example.
I've never used such weird characters, and can't see any situation where I would recommend it - I was just trying to say that an arbitrary restriction shouldn't be a place just to protect some programmers from writing programs with parsing bugs, or indeed programmers silly enough to use stupid characters in the first place.
"The traditional "woo, anything goes except '/' and \0!" boast is making a virtue out of what likely started as laziness on the part of the kernel programmers. Laziness which probably made perfect sense for the times and the Bell CSRG's use cases. These days, adding an extra "check character code is greater than 32" to the kernel path parsing is not such a burden. It will branch predict correctly almost all the time."
So now it should be in the kernel? :-)
More backtracking from me... Fair enough, and you are right.. If such sane restrictions were in place from the beginning, I'd be cool with that.
TL; DR - I guess what I'm getting at is that this is how it is. It works. It can cause problems, but programmers should know this, and act accordingly. It's not something that needs to be 'fixed' at an OS level to stop the sky falling in. And ultimately a blanket restriction would just be an added restriction that isn't actually necessary.
A lot of the power (and problems) in UNIX comes from its rawness, and whilst any effort to make it easier and less exposed should be applauded, whilst I was in rant mode I was concerned with enforced 'dumbing down' - as it seems car analogies are usually used at this point, I'd say that you wouldn't force an experienced driver to drive an automatic car, just because some people can't drive manual (stick-shift) - even though in some situations said driver may even decide an automatic is his most suitable choice.
"UNIX got some things really right, but some of what the early designers chose not to care about has turned out later to cause problems for scaling and security. What made sense for the use cases and developer resources of a CS research lab in the early '70s is not necessarily appropriate now. Robust filesystems with synchronousness guarantees, race-free file syscalls and other niceties all came about because people recognised the need to take UNIX beyond what Ken and Dennis first envisaged. No slight to the inventors, just progress."
Yes. Situations have changed, and the other stuff you mention above I agree with, but whilst tightened restrictions on filenames would probably make some programs more robust, without these restrictions the filesystem itself is no less robust if the programmer knows what he/she is doing.
I think I more or less agree with you, I just didn't explain well why I thought 'unnecessary' restrictions shouldn't be enforced in the kernel, but as you say, under the control of the sysadmin.
I hope I've explained myself more clearly, and didn't backtrack too much, but thank-you for reining me in!
P.S. I've just written this using the 'w3m' console browser under an xterm session, because VI (or any other text editor) is far better for writing long replies than some slow click-and-type 'notepad-style' gui.... How I wish my current GUI browser setup allowed me to use an external editor like with the Firefox 'ItsAllText!' extension...
El Reg is one of the few sites you can actually use a non-GUI browser on these days...... The last of a dying breed...
You've made me rant now..
Firstly, I'm not one of those who will blindly defend UNIX, and downvote anyone who dares criticise it (even if they have a valid point) but I'm sorry, this is absolute bollocks.
"Since this bug originates from a design problem it will be very interesting on how operating system vendors address this problem. It is something you cannot fix with a simple patch. The way on how the system interacts with files has to be completely redesigned," SEC Consult writes.
Seriously, what is their agenda? As others have pointed out, this has been known by any half-competent UNIX user for ages. There is no OS level bug to fix.
No UNIX system needs to be completely redesigned (and if it was a real problem, it would only be the SHELL and its globbing that would need to be 'fixed' - this has bugger all to do with the way the 'system' (kernel, compiled executables etc.) work)
As has already been mentioned here, any fault solely lies within buggy crappy programs ("buggy crappy programs holding hands" *cough* /coat) and they can be fixed without needing to make any changes to the UNIX kernel, userland, or even the bloody shell.
TO BE FAIR.....
It can be argued that the fact the way globbing works makes it easy for incompetent shell programs to screw up is at best unfortunate.
Indeed, there are many who argue that kernels should not allow files to exist which start with a '-', or contain spaces, newlines, tabs, various binary characters etc...
But, all competent UNIX programmers know that filenames can contain *ANY* value from the 256 in a byte, apart from ascii '/' and NUL, and therefore code appropriately.
This flexibility may be a curse to some, but it can be useful to proper programmers (after all, why should a program written in C be restricted from storing files with 'special' characters just because some badly written shell scripts can't cope? -- especially as some of these systems will be storing files that NEVER need to be accessed from the shell)
Yes, this has been known for years. Just like sql-injection, and other problems, you simply need programmers who know what they are doing, without forcing syntax restrictions on them to appease the stupid.
There is a very well written website that describes these issues (and it itself has been around for years):
well worth a read, but to be blunt, anyone who is surprised at what it says shouldn't be bloody programming shell scripts to be consumed anywhere other than their home computer in the first place.
I'm a moron
How long have I been posting here?
I've only just 'discovered' the 'my topics' link.. Well, it's been there as long as I can remember, but I guess I've never tried it - just assuming it listed topics I'd opened on the 'user forums' - I never realised it tracked all article-forums I've posted to too..
You know, it's been a bugger all these years trying to make sure I don't miss any comments under an article I've commented on......
Re: Too Much Clickbait
I think you are referring to one of the more sleazy ad brokers they use - I agree, they are totally sleazy. I was disappointed when El Reg started using them. I mean, Reg Staffers, have you seen how sensationalist and inaccurate these links are?
I agree about power-cycling, but then it depends on how deep 'standby' mode is.
Many white goods power just about everything off but the wake up circuit, meaning that big old transformer keeps humming away, providing no more benefit to the on/off cycling (except, of course, for the transformer unit itself!)
Re: It comes down to power supply efficiency
Nigel 11, it doesn't matter that you aren't an electronic engineer in this case - your 'common sense' is sufficient (I did electronic engineering at university and can assure you many of my fellow students wouldn't have had this idea)
But yeah, I've basically advocated EXACTLY as you describe (maybe we should go into business together!) - yup, basically use a battery (or maybe capacitor if appropriate) to run 'standby' mode, ensuring the power supply is off entirely, and as you say, only power it up if the unit is 'switched on' or the battery needs charging, with the hardwired override button for those times the battery is dead - just like you describe!
Seems obvious to me!
my guilty what?
Indeed. I'd expect that summing up not from the prosecution, but from the defence as a way to demonstrate the futility of the case.
But, it seems Matt Bryant was the judge ;-)
Re: Which crypto?
Remember how in WWII, allied soldiers were still sent on missions it was KNOWN they'd fail because the allies didn't want the Germans to suspect they'd cracked Enigma....
"For the prosecution, Neil Pallister concluded that:
Effectively, the crown's case is, the only appropriate inference to draw from the defendant's refusal to disclose the password to allow access to the computer is it would have revealed activity of the type mentioned in the messaging, namely hacking of police, Serious Organised Crime Agency and university websites."
Re: The irony...
"As I understand it, it's to defeat a bot net created through use of Trojans.
Are you suggesting that allowing a user the ability to install software which communicates over the internet is a bug?"
Hah! not at all, and if this is solely due to users intentionally installing software, I withdraw my comment.
However, how many of these are 'advertised' as programs that require specific installing as such, and how many are exe's masquerading as PDFs etc.?
How many grant themselves the right to auto-start without the users knowledge?
How do you reconcile this suggestion with other hate-cries about Internet Explorer since it would inevitably mean that you literally could not install any other browser (or mail client or utility).
But that was never my suggestion.... Getting dangerously close to a strawman argument here!
MS attack a third party to halt something caused by bugs in *their* software.....
Re: Microsoft's Fallacy of Equivocation
" This is similar to shooting all persons with the surname Jones, because someone named Jones pulled a gun."
Oy! Don't give them ideas!
Ha ha, I got my mum a tablet too (she was always using the excuse that she was scared she'd break a big computer)
If she can't get something to work (whatever it is), she calls me and says that her 'google is down'
Then there was the time she proudly told me she'd changed the curtains... It took a bit of puzzled questioning to discover she meant the wallpaper!
Re: possibility that El Reg is too?
El Reg has made the great firewall of China blocklist!
Re: "Uni-directional oxygen free copper speaker cables"...
"..were the most ridiculous things a friend of mine bought.
He said he could tell the difference if he plugged them in the wrong way round.
Everybody else just kept quiet, in full respect of his madness."
Are you seriously implying that none of you ever reversed the cables when he was out of the room?
I'm surprised that people believed that adding a delayed copy of a wave to the original wouldn't screw things up when the waveform varies... But then, I come from an electrical/electronic/engineering background, not a snake-oil one.
" it becomes immediately obvious how bad DAB, MiniDisc and MP3 are and that the only lossy codec that has any merit is AAC (at an adequate bit rate). "
This isn't a loaded question - legitimately curious - where does OGG vorbis stand here?
Hi, maybe the analogy is a bit crappy. I was trying to think in terms of a personal case without using a lawyer. I.E. just me trying to claim for damages to my car, and being referred to as an ambulance chaser in the process.... Yes, I know, insurance companies do this part - as I said, crappy analogy!
Now, this case is complete bollocks, and I agree entirely with your opinion on them.
I hate the scum sucking parasites who behave this way, but then, I'm not saying this in a court where a verdict has yet to be reached.
As such, (and IANAL) I still believe this is a fair decision.
I hate these scum-bastards as much as the next guy, but surely this is a reasonable request as this sort of language is prejudicial - they've not been found guilty yet!
I'm sure if you legitimately took someone to court for rear-ending you, you wouldn't feel it fair if the defence kept referring to you as the litigious ambulance chasing con-man
"Presumed innocent until proved guilty"
I vaguely remember it...
Re: The cover for the game...
good catch, Jai!
Re: Looks more like...
It just looks to me like a generic blonde stereotype, not like anyone in particular
Re: If I was a Facebook engineer...
I totally agree with you!
Re: The trick is....
"Then when a potential employer wants to see your Facebook page, let them."
"Then when a potential employer wants to see parts of your Facebook page you haven't made public to anyone, walk."
Re: If I was a Facebook engineer...
" ...A peddler of creepy advertising, like a tobacco executive who peddles cigarettes to children in developing countries.... I'd wake up and ask myself: What am I doing with my life...???
If I was the anon coward who had posted this same message at least 3 times now, in different El Reg forums, I'd be wondering similar.
Re: Dr U Mour Why this will not hurt M$.
Noooooo! I've just upvoted Matt again! :-)
I fear he's right though - MS will bask in the glory of being seen to be policing the internet - however misguided this may seem to us lot.
And yeah, mega-corp won't give a crap about any outage that doesn't affect them
"NO money, I am afraid but you certainly get my upvote !"
(but I prefer money! )
It's always harder trying to work out exactly what has been set up incorrectly with just the results to go on... A bit like reverse engineering in a way.
I don't have the inside knowledge that you have, but I tried to explain similar in my incoherent post above (which deserved down-voting for the formatting alone!)
However, I'm wary about your solution - assuming their configs are pretty much 'stock', simply changing the zones to authoritative will mean the servers will not look elsewhere for the data, but will expect it to live locally. - of course, the zone data isn't local to microsoft, due to their kludgy solution (which can be made to work, but errrr. not like that)
As you are aware, but I'll try to clarify for anyone else who may be confused (I'm looking at you, Microsoft!), the difference between authoritative/non-authoritative is as follows: (and to the techie pedants, I'm purposefully leaving out some stuff not relevant to the situation)
Basically, there are 2 separate functions performed by nameservers. Generally these days, nameservers are configured to do one or the other.
However, nameserver software can perform both roles simultaneously, and in the past, they usually did, adding to some people's confusion.
These 2 functions are:
1) "Lookup addresses for people" - These are the nameservers you configure in your home systems, usually the nameservers of your ISP or googleDNS or opendns. These are known as 'recursive' - they probe the various servers in the chain until they find the answer you're looking for, and then return it to you as a 'non-authoritative' - this means the nameserver you queried doesn't "own" that answer. It got it from elsewhere.
2) "Host and supply the actual data being looked up for a zone" - These are 'authoritative' nameservers. Different domains are assigned to specific sets of authoritative nameservers. These are the servers your ISP's nameserver finally contact to get the info you require.
For example, the authoritative nameservers for theregister.co.uk hold in a file (db/text/etc.) a record containing the address 126.96.36.199 which is returned when someone queries www.the.register.co.uk -- Change this data held on the authoritative nameservers, and the change will propagate across the whole internet.
If you talk direct to an authoritative nameserver, and query a host in a domain it is authoritative for, it will return the *authoritative* (straight from the horse's mouth) results. If it doesn't have a match for your query, you are authoritatively told 'not found'. There is no forwarding to other servers. Its own decision is final.
Additionally, if you ask an authoritative nameserver for an address that isn't in a domain it's configured to be authoritative for, then you get a null result (except in the case I mentioned above where some authoritative nameservers are also configured as recursive nameservers...)
How this applies to this case:
By taking over the domains, Microsoft's nameservers are now considered authoritative. The internet-wide nameservers are being told this.
Now, Microsoft needs to configure their nameserver to say 'I'm authoritative for no-ip.org - and the info for the hosts contained within that domain is held in file xxxxxxx.zzz'
The 'gotcha' in this case is that MS doesn't have the no-ip database! Even if they did, the host address updates from users wouldn't happen unless they also took over the whole update infrastructure (which is actually done under a domain no-ip still control)
Their solution? Even though 'the internet' considers their servers authoritative, they've specifically not set them to be - instead configuring them as recursive nameservers that lookup the results elsewhere.
Of course, following the normal path, they'd look up the nameserver responsible and forward the request there. Of course, the nameserver they would look up is their own, so it wouldn't work - so they've set in their config files the original no-ip servers as an override..... A bit like how some of you edit your hosts file to override an IP address, they've edited their config to override the whole domain's nameserver for these domains they've stolen.
So, their nameservers basically behave as recursive nameservers, just as your ISP's nameserver does for you. The only difference is they've been hardcoded with the original no-ip dns info instead of using what everyone else is supplied, so the requests go to the right place, and the results retrieved, and replied with... HOWEVER, ISPs' nameservers expect an authoritative response. Microsoft's servers are configured to relay the request to no-ip and then return it as *non-authoritative* (i.e. 'here is the information you wanted... but i got it from elsewhere')
At this point, all sane resolvers reject the data. They expected authoritative data and they damnwell better get it!
So, if microsoft simply configure their nameservers to be authoritative as they should be, then they will no longer get the data from no-ip.
What they NEED to do is kludge it so that internally it looks up the data as a recursive nameserver, but when it presents this info, it needs to present it as authoritative.
I'm afraid this sort of hack is beyond simple nameserver configs, and as we see, beyond microsoft engineers, who seem not only to not understand the concept/reasons for authoritative/non-authoritative, but are willing to foist their ignorance onto millions, using a power received under dubious circumstances in the first place...
Now...... Where's my money? :-)
" So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service."
They are forwarding the lookup back to the original no-ip servers, so they are sort of acting like a man-in-the-middle.
However they've screwed up the way they've done it.. See my more detailed post below
This is where they've gone wrong (You'd think they'd know how DNS works....)
They are 'honouring' updates to the users' dynamic addresses, but in a horrible and incorrect way:
The authoritative nameservers are configured as recursive for *ALL* domains (yuck)
They have configured an override to divert forwarding requests for these affected domains to the no-ip (original) authoritative nameservers. (i.e. they've statically added NS records for the affected domains pointing to the no-ip servers)
They therefore reply to the client with the correct IP address.
This would be fine for a recursive nameserver, but these servers are configured as *authoritative* nameservers for these domains - and are accessed as such, but they are returning the result as non-authoritative.
Basically, this creates the following process (Example uses the no-ip.org domain, but the same applies to the others. Some irrelevant steps skipped/simplified) :
1) User requests the IP for some-subdomain.no-ip.org
2) User's local nameserver (usually belonging to their ISP) checks the .org servers and is told that the 2 Microsoft nameservers are responsible for this domain.
3) User's local nameserver asks the Microsoft servers for the authoritative ip address of the subdomain, only to be given an unauthoritative result, along with the message 'if you want an authoritative result, go here' which points BACK to the same Microsoft nameservers.
4) User's local nameserver replies with SERVFAIL because the nameserver that is meant to be authoritative is not returning an authoritative response.
Whichever bozo claimed everything is working presumably just did a 'raw' nslookup, saw the response, and didn't think (or know) about authoritative/non-authoritative results.
Or maybe MS nameservers don't handle authoritative/non-authoritative results correctly, so things 'work' if your ISP uses a microsoft nameserver product?? I don't know, just a guess...
Anyway, MS, I think this post is worth many thousands of your MS dollars!
By way of an example, here's a session capture using a no-ip.org domain chosen at random:
4:37  (1) "~" jamie@lapcat% nslookup
> server a.root-servers.net.
Default server: a.root-servers.net.
Default server: a.root-servers.net.
*** Can't find home.no-ip.org.: No answer
> set q=ns
*** Can't find home.no-ip.org.: No answer
Authoritative answers can be found from:
org nameserver = a0.org.afilias-nst.info.
org nameserver = a2.org.afilias-nst.info.
org nameserver = b0.org.afilias-nst.org.
org nameserver = b2.org.afilias-nst.org.
org nameserver = c0.org.afilias-nst.info.
org nameserver = d0.org.afilias-nst.org.
a0.org.afilias-nst.info internet address = 188.8.131.52
a2.org.afilias-nst.info internet address = 184.108.40.206
b0.org.afilias-nst.org internet address = 220.127.116.11
b2.org.afilias-nst.org internet address = 18.104.22.168
c0.org.afilias-nst.info internet address = 22.214.171.124
d0.org.afilias-nst.org internet address = 126.96.36.199
a0.org.afilias-nst.info has AAAA address 2001:500:e::1
a2.org.afilias-nst.info has AAAA address 2001:500:40::1
b0.org.afilias-nst.org has AAAA address 2001:500:c::1
b2.org.afilias-nst.org has AAAA address 2001:500:48::1
c0.org.afilias-nst.info has AAAA address 2001:500:b::1
d0.org.afilias-nst.org has AAAA address 2001:500:f::1
> server 188.8.131.52
Default server: 184.108.40.206
*** Can't find home.no-ip.org.: No answer
Authoritative answers can be found from:
no-ip.org nameserver = ns7.microsoftinternetsafety.net.
no-ip.org nameserver = ns8.microsoftinternetsafety.net.
> server ns7.microsoftinternetsafety.net
Default server: ns7.microsoftinternetsafety.net
home.no-ip.org nameserver = ns7.microsoftinternetsafety.net.
home.no-ip.org nameserver = ns8.microsoftinternetsafety.net.
Authoritative answers can be found from:
> set q=a
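The resolver-side decision in steps 3 and 4 of the post above, together with the authoritative/non-authoritative distinction from the longer post, as an added example that is not from the original posts or from any nameserver product. It builds a constructed DNS reply in the shape described (AA flag clear, authority section delegating back to the same nameservers the resolver just asked) next to the reply a properly authoritative server would give, and shows why a resolver ends at SERVFAIL for the first and accepts the second; the 192.0.2.10 address, the TTL and the message id are made-up sample values.

```python
import struct

QTYPE_A, QTYPE_NS = 1, 2
FLAG_QR, FLAG_AA = 0x8000, 0x0400          # header flag bits: response, authoritative answer


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # pointer to a name earlier in the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname, aa, a_records, ns_records, rcode=0):
    """Constructed reply: one A question, A answers, NS records in the authority section."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(a_records), len(ns_records), 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(qname) + struct.pack("!HHIH", QTYPE_A, 1, 300, len(rdata)) + rdata
    for owner, ns in ns_records:
        rdata = encode_name(ns)
        msg += encode_name(owner) + struct.pack("!HHIH", QTYPE_NS, 1, 300, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return the AA flag and rcode plus answer/authority sections as (owner, type, rdata)."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = decode_name(msg, off)
        off += 4                               # qtype + qclass
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == QTYPE_A:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == QTYPE_NS:
                rdata, _ = decode_name(msg, off)
            else:
                rdata = msg[off:off + rdlen]
            off += rdlen
            rrs.append((owner, rtype, rdata))
        sections.append(rrs)
    return {"aa": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "answer": sections[0], "authority": sections[1]}


def judge_reply(msg, asked_server):
    """Resolver rule from the post: a server the parent zone delegated to must answer with AA.
    Without AA the reply is at best a referral, and a referral back to the server we just
    asked is a dead end, so the resolver gives up with SERVFAIL."""
    r = parse_response(msg)
    if r["rcode"] != 0:
        return "ERROR"
    if r["aa"]:
        return "AUTHORITATIVE"
    referred_to = {rdata for _, rtype, rdata in r["authority"] if rtype == QTYPE_NS}
    if asked_server.rstrip(".") + "." in referred_to:
        return "SERVFAIL"                      # lame loop: referral points back at us
    return "REFERRAL" if referred_to else "SERVFAIL"


MS_NS = "ns7.microsoftinternetsafety.net."
# Constructed replies, not real captures: relayed non-authoritative answer vs. a proper one.
BROKEN = build_response("home.no-ip.org.", False, ["192.0.2.10"],
                        [("no-ip.org.", MS_NS), ("no-ip.org.", "ns8.microsoftinternetsafety.net.")])
FIXED = build_response("home.no-ip.org.", True, ["192.0.2.10"], [])

if __name__ == "__main__":
    print("relayed, AA clear ->", judge_reply(BROKEN, MS_NS))   # SERVFAIL
    print("authoritative     ->", judge_reply(FIXED, MS_NS))    # AUTHORITATIVE
```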
"140 characters should be enough for everyone"
"This allows the BBC to deliver in-Tweet news clips that can be linked with longer form content on conventional channels."
Ahhhh, so that's the purpose of Twitter... Shared bookmarks!
Re: Dear Verizon....
" The problem is that the American public gives more of a rat's ass about who is the next American Idol than whipping its miscreant government back in line.
This snow job is only possible because of the duplicity of so many different players."
Exactly the same here in Britain.
If it's not Britain's Got Big Brothers X Factor Strictly On Ice Get Me Out Of Here, people don't care
Re: can we stop saying glasshole yet
" Every time there is a new personal technology we feel this deep urge to take the p out of early adopters."
You must be new here!
Re: STOP in the name of love...
" .... Before you break my heart!
(Few under 50 will get that)"
There was a time that El Reg used to refer to the US Supreme Court simply as "The Supremes"
Bring it back, I say!