* Posts by Entrope

116 posts • joined 3 Aug 2012


No password or PIN, but I have a fake ID. Sure, take the domain

Entrope
Mushroom

Yep...

...and that's precisely why we moved our 50-odd domain name portfolio out of GoDaddy about a year ago after one Naoki Hiroshima had his twitter account @N stolen in part due to GoDaddy's inability to care much for the security of its customers.

3
0

Patch Flash now: Google Project Zero, Intel and pals school Adobe on security 101

Entrope
Mushroom

Ah... patch Flash you say? Hahaha.

Removed from our enterprise as of one month ago.

Many thanks Adobe for reminding me why I removed it, however.

Also, for anyone who is curious... typically manage up to fifty users and to date I've only had two complaints with respect to the absence of Flash. Of which one website attempted to serve malware to my VM and the other is used for uploading files to one of our suppliers.

The former I gave the finger, the latter is being a little bit of an annoyance. Why someone decided for Flash to be an integral component of a website to upload files boggles the mind. Seeing how we are the customer in this case I requested for them to provide us with an alternative solution.

So far so good then!

4
0

Windows 10 to give passwords the finger and dangle dongles

Entrope
Mushroom

I think most people forget that...

...your fingerprint is more akin to a username than a password.

And on some services I've seen equally as difficult to change.

1
0

Enough is ENOUGH: It's time to flush Flash back to where it came from – Hell

Entrope
Facepalm

Re: Oki dokies. Enough is enough Fuckobe. Flash is out.

@xBr0k3n. So apparently I did. Sigh. Had to double-check my security advisory E-Mails.

Make that SIX fucking patches within a 77-day timeframe then.

Definitely an inexcusable oversight on my part however. But damn that's a lot of patching.

@John. No vSphere under my belt. Mercifully. We do have one brand of firewall appliance we're quite fond of however which did rely on Flash for its web interface until about a year ago when the last major version release finally got rid of it. It was tolerable originally however as I much preferred to install and utilize their dedicated management application instead.

0
0
Entrope
Facepalm

Re: If this little "feature" is still open to abuse?

@David. Thank you kindly for verifying!

LOL @ HMRC. And face palm. Does make you wonder though how many government websites would outright collapse overnight if Flash were to be suddenly flagged as dangerous and dumped across the board by all browsers simultaneously.

0
0
Entrope
Meh

Re: This type of mentality is irrational, bordering stupidity.

"Now the other thing, bugs doesn't just go away because you uninstall an offending plugin." - What uninstalling an utterly useless and offending plugin does do however is reduce the number of attack vectors without actually causing any real implications or inconveniences.

And one important aspect of security is to keep installations minimal. More applications, services and plugins equals to more code to exploit. If a given feature isn't required it shouldn't be there if it is within your capability to disable or fully eradicate it.

Seeing how Adobe finds it quite fit however to take its own sweet time to mend the vulnerability (note that a patch hasn't been released yet) despite evidence that said vulnerability is currently being exploited in the wild by a common exploit kit does make one quite inclined to proceed with the eradication route especially when the plugin in question is no longer as necessary to browse the internet as it used to be.

Don't get me wrong though. I do agree with some of your points. But as someone who has been without Flash on a personal level for quite some years I find it difficult to vouch for its usefulness. Yes, the majority of the attackers will be (or have already begun experimenting on) exploiting the "next big whatever" and that is when the evaluation of subsequent countermeasures should take place in order to minimize one's exposure to the vast majority of threats.

Terminating Flash isn't a permanent solution to staying safe online. But *right now* it isn't an unreasonable solution either.

6
0
Entrope
Go

Re: Thinking about uninstalling flash for good

Do it. I've been without Flash for a good four to five years now on my personal workstation and I haven't missed it a single bit. As a matter of fact it actually significantly improved my browsing experience as it got rid of the vast majority of highly annoying "flying across the screen"-style ads.

Back when I first dumped Flash (and mind you this was back in around 2011) I did feel the pinch a little. Certain websites wouldn't load and those which did would contain missing Flash elements. These days however it is extremely rare to be handicapped due to the absence of Flash.

Even CNN plays you videos without Flash.

Also one of the truly rotten aspects of Flash which a lot of individuals do not consider is that it is very often used to override any anti-cookie configuration you may have. Flash has its own data store which ad networks have been known to exploit to store unique identifiers as this data store is not cleared when you purge your browsing history. I'm not sure if this is still the case as I haven't had Flash installed for years and my enterprise configuration had a policy to disable this data store but given Adobe's lousy security track record I wouldn't be surprised if this little "feature" is still open to abuse.

7
0
Entrope
Mushroom

Oki dokies. Enough is enough Fuckobe. Flash is out.

This is our last five Flash deployments along with their respective dates (and we typically patch within 48 hours following the availability of an update);

Adobe Flash Player v15.0.0.223 - 20141112

Adobe Flash Player v15.0.0.239 - 20141126

Adobe Flash Player v16.0.0.235 - 20141210

Adobe Flash Player v16.0.0.257 - 20150114

Adobe Flash Player v16.0.0.296 - 20150128

Really? Five fucking patches within a 77-day timeframe with the last patch issued less than a week ago and already there is another security advisory for this god damned excuse of a browser plugin which is once again demonstrated to contain more vulnerabilities and require more patching than entire bloody operating systems?

Just issued an enterprise-wide uninstall of this pile of crap. Should've done so ages ago and frankly speaking if Flash is a crucial and required component for the functionality of a given website then the webmaster really does have bigger concerns since mobile devices aren't exactly known to be very friendly towards Flash.

And while we're on the topic of Adobe being security-incompetent my reseller had once told me that they were given firm instructions by Adobe themselves to always claim that Adobe's products and services are "very secure". I cannot recall the exact phrase but it was along the lines of "we were told to always claim that Adobe and Creative Cloud are "very secure" when asked."

Ha... ha... HA... HAHAHAHAHA.

Yeah. So "secure" indeed that my dedicated E-Mail alias for my Adobe ID is subject to spam attempts multiple (up to a dozen) times an hour because Adobe can't fucking "secure" their website and databases either. I have since changed said E-Mail alias but it continues to stick out like a sore thumb every single time I need to review my mail exchange logs.

News Flash Adobe...

"Security" is a little bit more than just pulling the word out of your arses.

33
0

Are you running a Telnet server on Windows? Oh thank God. THANK GOD

Entrope
Mushroom

Re: first Patch Tuesday in many months that didn't bring with it multiple security fixes for IE

Knowing which day of the month it was when reaching the office this morning I went straight up to Windows Server Update Services to see what's up without bothering to read my morning news and I very genuinely thought that something was borked or that perhaps Microsoft forgot to roll out several packages when the typical barrage of "Cumulative Security Update for Internet Explorer 8/9/10/11 for Windows x86/64" was absent from the list of updates pending approval.

I'm shocked. Shocked I say!

0
1

HOLD IT! Last minute gifts for one's nerd minions

Entrope
Mushroom

Hurricane Canless Air System? Pfft. Avoid.

While I have personally never owned one I was in dire need of a reliable replacement to compressed air cans a couple of months ago. I soon found out about the Hurricane but was immediately sceptical. I mean; how much oomph can you possibly jam into such a small package on batteries?

Sure enough, reviews online were extremely mixed. If you go to Amazon and search for the Hurricane Canless Air System you will notice that despite the slightly-above-average 3.3/5.0 stars most users were not pleased with their purchase.

My recommendation then? Get the Metro DataVac 500W Electric Duster. Sure, it needs to run off the mains and as such isn't quite as mobile. But holy cow you had better be wearing a respirator and some goggles if you're intending on using it to de-dust an old PC.

And while the cheap-looking plastic Hurricane goes for 80-100USD on Amazon the DataVac goes for under 60USD and is built like a tank. Solid metal chassis. Extremely robust handle. I cannot even begin to describe how well built the DataVac is. Made in the USA too.

Also here are the differences in Amazon review scores for the two (5/4/3/2/1-Star):

Hurricane: 25 / 14 / 22 / 10 / 12

DataVac: 1355 / 239 / 51 / 21 / 28

And no, I am not related to Metro. Their products are just that good.

1
0

El Reg Redesign - leave your comment here.

Entrope
Mushroom

WTF?!

Came into work this morning and proceeded with my usual "time to catch up on some morning news quickly just in case Adobe decided to release yet another Flash Player patch" and my first reaction upon loading The Reg was "uh what did the page not load properly *smacks Ctrl+F5*" to "oh god no..."

And boy am I glad I'm not the only one.

The old layout was absolutely perfect. Totally agree with the first couple of comments. If it ain't broke don't fix it... especially if the fix in question draws inspiration from Office 2013.

3
0

The NO-NAME vuln: wget mess patched without a fancy brand

Entrope
Mushroom

Am I the only one who doesn't have wget installed?

Admittedly it can be an incredibly convenient facility... but I always prefer to download whatever it is I require onto my workstation first and then upload via SFTP onto my server. I do however always maintain an absolutely minimal installation for this very reason. Less binaries = less vulnerable code.

And as per the Bugzilla report this vulnerability was originally reported on 2014-Sep-08... almost two months ago.

0
0

Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!

Entrope
Mushroom

Ugh

Before I even read the article I was telling myself "please no systemd, please no systemd, please no systemd"... no such luck it appears. Admittedly I'm now working with RHEL 7.0 boxes which have... surprise surprise... systemd. No /major/ issues AS OF YET but I do like to have a fall-back plan.

4
0

Atlas snubbed! Ad blocker says it can kill Facebook's stalker tech

Entrope
Mushroom

Re: Not with a bang, but with a whimper

Simpler approach: VM & revert to snapshot on reboot.

I personally make use of VMware's Unity which allows me to dock out a window from the guest to appear on the desktop of the host. It's a lovely feature. That way it doesn't at all feel like I am running my browser on a VM as there is no need to continuously switch back to the VM when multi-tasking.

And this is also an extremely secure approach against malware attacks (particularly zero-day malware attacks) since all I need to do is reboot the VM and I'm back to my previous snapshot.

I do of course still take my time to block cookies entirely because to hell with advertisers. No Flash either as that's just another avenue to store tracking-related data. No Java either for similar reasons.

2
0

Bad boy builds beastly Bash bug botnet, boxen battered

Entrope
Go

New Bash update in for RHEL

Just got this a moment ago, seems the 2nd update for Bash is in on RHEL...

---> Package bash.x86_64 0:4.2.45-5.el7_0.2 will be updated

---> Package bash.x86_64 0:4.2.45-5.el7_0.4 will be an update

0
0

FBI boss: Apple's iPhone, iPad encryption puts people 'ABOVE THE LAW'

Entrope
Mushroom

Re: What a fuckbag

Did the FBI finally create an account here? What's with all the single downvotes?

27
1

Critical Adobe Reader and Acrobat patches FINALLY make it out

Entrope
Mushroom

Re: What was it, 30? critical security flaws in Adobe products last month?

Yeah. I've always found it hilarious how Adobe can have more security vulnerabilities in a glorified document reader and browser plugin per month than entire operating systems. Keep it up.

3
0

Scratched PC-dispatch patch patched, hatched in batch rematch

Entrope
Mushroom

WTF Microsoft?

"Microsoft strongly recommends that customers who have not uninstalled the 2982791 update do so prior to applying the 2993651 update."

I'm sorry but this is bullshit.

So you are now telling me that after having botched your update I must now spend my good time navigating to "Add/Remove Programs" on all of my personal workstations and sift through hundreds of installed updates to find and uninstall one supposedly problematic update manually because Microsoft is too god damned incompetent to have the new update uninstall the old one automatically?

Oh I totally look forward to going to the office today where we've already rolled out the problematic update (but kept it installed because it has frankly caused zero problems to date).

(P.S. And let's ignore the headaches this is going to cause me today for a moment. How the fuck does Microsoft expect the vast majority of their customers to even know this when this information is hidden deep within their KB article? As it is I very rarely read each and every patch-related KB in detail... and this is my job. Average Joe isn't going to know fuck all about this "recommendation".)

_|_ you too Microsoft. I love you guys but this is utter nonsense.

7
2

Linux Foundation says many Linux admins and engineers are certifiable

Entrope
Linux

Some thoughts...

Had a good read through the Linux Foundation website and while the idea looks very interesting and somewhat promising... is it sufficient? Obviously while it's key to know your way around the OS I do find that it's the configuration of various key services which are not always up to par.

Which really brings us to the big question; should the certification go beyond the core OS and also test against default and in addition commonly used services? sshd? snmp? mrtg? iptables? logrotate? To name a few. Go a little further even and set up and optimize httpd for specific requirements. Or even a Mail Exchange with POP3/IMAP services along with database et al.

Additionally, while it's definitely important to know your way around the CLI and the local man pages I have never believed in setting up systems fully without documentation. I actually spend more time reading documentations than actually configuring my Linux boxes because I am insanely OCD when it comes to at the very least reviewing every single configurable parameter there is for a service which I am required to set up. For Apache for instance every single module is reviewed and if I do not deem it as being necessary it gets commented out. But it's hard to do without being in front of the Apache Wiki since I cannot always remember what each one of the hundred or so Apache modules do.

So it really isn't just about memorization... but also about having good habits. I actually spend very little time in front of the terminal because I simply find it more effective to download the required config files onto my workstation and edit them there where more often than not I have a browser running in the background with the documentation open for the service in question. When all is said and done save the files, upload them back onto the server, quickly terminal in to restart the service. And done.

The side-effect of that is that I'm not necessarily the fastest in getting the job done. Far from it. But I pride myself in getting the job done well. Having said that I do have a keen interest in acquiring this certification because studying for it will most certainly fill in a few small gaps here and there.

I've never touched RAID on Linux, for instance. Because I'm spoilt and always have the privilege of working with hardware RAID controllers on my servers. So yeah. Stuff like this which I have never thought of bothering with in the past I'm now interested in playing with because who knows, it might come in handy in the future. And while I will still be reading my documentations as per normal if I am ever required to commit to a live installation, at least I'll have some prior experience.

3
0

You've got three days to patch Adobe Flash, Air, Reader

Entrope
Mushroom

Re: Update management

In all honesty I have actually never ever encountered problems rolling out Flash updates via GPO as long as you update version after version (missing out on a couple of versions can cause problems). Acrobat on the other hand is one royal pain in the arse.

If you download a 10.1.3* setup file of Acrobat for example you will actually notice that said setup file actually contains a 10.0 MSI followed by a 10.1 MSP and a 10.1.1 MSP and a 10.1.3 MSP. Or some such. Seriously. WTF? Then having to create an administrative install of this fucking unnecessary mess because Fuckobe haven't the slightest fucking clue on how to keep their base installers up-to-date. And forget about rolling out the MSP's individually. Almost never works. So every single time there's an update... extract setup, extract MSI to admin install, extract all the MSP's, run the Acrobat Customization Wizard for the 74th time to make sure nothing broke the MST... DEPLOY.

No such problems with Foxit.

*I probably made those version numbers up but you get the idea. It's been a while since I had to deal with this excuse of an application.

1
0
Entrope
Mushroom

Using Foxit myself... and while I do appreciate not having to update the software every other week it does also make me worry at times. Hah.

3
0

Red Hat spruces up 2011's enterprise Linux with RHEL 6.6 Beta

Entrope
Happy

Re: flame on

I've been playing with RHEL 7 since the first public beta and have just finished migrating all of my servers from RHEL 6.5 to 7.0 (I typically try and coincide hardware and OS upgrades so these were all clean installs on fresh hardware). So far so good.

Having said that, yeah, RHEL moving to systemd was quite an annoyance. Admittedly I haven't actually run into any systemd-specific issues yet and half of my gripes really boil down to me having been deeply rooted into playing with init scripts while the other half being the well-documented nature of the systemd devs (after Linus went on a big rant against one of said devs quite a number of other individuals also expressed their displeasure with the way the systemd maintainers handle bugs).

The only issues I've had with RHEL 7.0 to date were all installer related. Anaconda kept crashing at random and the interface with its nonsensical tab order was aggravating to navigate keyboard-only (especially when choosing NOT to have your partitions automatically created for you). Which really does suck as I typically do not have a mouse on hand when working on my RHEL systems. At times the installer would initialize not detecting one or more of my network interfaces. Other times it would simply crash when navigating from one menu to another.

Really. Here's a piece of advice to anyone installing RHEL 7.0; get out of the installer ASAP. Go in, partition your arrays, and get out (sticking to the standard minimal install). Which is what I usually do but I do at times like to also quickly get my hostname, network interfaces and clock configured.

Annoyingly the RHEL 7.0 installer also seems to omit some options which I am quite adamant were in the RHEL 6.x installers. You no longer have the option of configuring a boot-loader password during install and neither are you asked whether or not you want your clock to be UTC. Minor issues but annoying nonetheless as it just adds onto the number of config files I need to dig into post-install.

Once I'm out of the bloody installer though it's all smiles. Happy to have finally moved onto newer revisions of numerous packages. It really is frustrating when you're left out on new and useful features because you're a number of versions behind... and I really try to stick with the standard/optional RHEL packages on my mission critical systems in order to ensure hassle-free updates.

2
0

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

Entrope
Go

Re: Am I safe?

Running the hash through a number of search engines yields plenty of results (many of which are from 2012) so my guess is that you're quite safe.

3
0

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Entrope
Mushroom

Re: Aren't they regulated as a bank these days? Or does that just apply to their Paypal racket?

Paypal? Regulated like a bank? HAHAHAHAHA. Wishful thinking.

Yes, I'm serious. Paypal themselves very openly abuse the very fact that they "aren't a bank" and thus cannot be regulated as one within the vast majority of countries they operate in.

It is interesting however because when it comes to matters which strictly benefit Paypal (i.e. them requesting for copies of your national ID) they suddenly behave all "oh we must have this information as we're a "financial institution"". But the very moment your Paypal account is frozen for whatever arbitrary reason deemed fit by Paypal then the tone swiftly swings to "we are not a bank and thus the only legal document which matters is *our* TOS and fuck all".

Yeah. Fuck you too Paypal.

2
0

Google kills fake anti-virus app that hit No. 1 on Play charts

Entrope
Trollface

Re: Pretty easy

Hah. Anyone else remember the days from the Windows 95-98 era when applications costing upwards of 20 bucks would claim to "INCREASE YOUR COMPUTERS MEMORY!!!11!1!" (read: increase the size of the Windows page file which anyone could do from "Control Panel" -> "System".)

11
0

Windows XP still has 27 per cent market share on its deathbed

Entrope
Mushroom

Re: Lots of last-minuters out there.

From my experience even most small companies with staff who primarily use their systems for mail and web browsing have long upgraded from XP. Don't forget that these are typically companies with no fulltime administrator where the company owner simply buys off-the-shelf with whatever operating system said systems happen to have on them during the time of purchase.

Hence any such user who has purchased a system over the past seven years should already have Windows Vista installed (and believe me when I say that despite Vista's issues a lot of regular users simply didn't care as that's what the computer came with).

5
1
Entrope
Mushroom

Re: I don't believe it...

Some months ago I saw a photo on Reddit of a lost notebook someone had found. Fella tried to boot the system up and was greeted with the lovely sight of the Windows Vista smartcard logon screen...

...along with a US DoD Property notice.

Does that answer your question? :P

0
0

Torvalds rails at Linux developer: 'I'm f*cking tired of your code'

Entrope

Quite worth reading the rest of the LKML thread...

...as it seems that quite a few others are miffed at the systemd maintainers as well.

16
1

Hardwired crypto certificate FAIL bricks Juniper router kit

Entrope
Mushroom

This is rather mean.

I mean at least Microsoft gave everyone years of advance notice with respect to Windows XP's impending End-of-Life. Even then, though, it's technically still possible to use the Operating System.

If I were one of Juniper's customers and all of my kit suddenly died with zero advance notice what-so-ever I'd be rather miffed. Especially so if the fail-over routers were also old and thus also affected.

Routers especially tend to last rather long and for most part if you're utilizing nothing beyond core routing functionality it's not uncommon to be able to get away with not patching the router for years. I've seen tons of Cisco routers in the wild running on ancient versions of IOS. But hey, if it works, why not? Imagine if every single Cisco router in excess of five years old suddenly "deactivated" overnight... half the internet would probably collapse.

4
0

Red Hat plans unified security management for Fedora 21

Entrope
Linux

My reaction: Finally!!! Wait... god damnit!

"Finally!!!" because such a facility is awesome and couldn't come sooner.

"god damnit!" because considering this nugget of brilliance is only going to be released on Fedora later this year there is simply no way of it coming to RHEL 7.

(Small team here so it does help tremendously in the "update management" department if we simply stick to what's available on the standard RHEL repositories... especially since Redhat does an astonishingly good job (in our experience) in ensuring that patches don't end up borking our live servers (and of course replace RHEL with CentOS for our less mission-critical servers)).

2
0

Seattle pops a cap in Uber and Lyft: Rideshare bizs get 150-driver limit

Entrope
Thumb Up

Re: The same-old same-old

My sole purpose for logging in after reading this article was to make a comment about the unions along with the striking resemblance of this case to that of "New Jersey versus Tesla" but I guess that's been settled already.

Having said that however I do feel that I need to make a further mention that unions are nothing but a complete waste of oxygen. Their only purpose seems to be... well... how should I put this...

What's that old American saying again? "How many workers does it take to change a street light (bulb)?"

2
10

Not sure if you're STILL running Windows XP? AmIRunningXP.com to the rescue!

Entrope

Abacus? That's a little mean... no?

I mean yeah it might be a tad bit old...

...but at least it doesn't suffer from security vulnerabilities.

0
0

Mt Gox fielded MASSIVE DDOS attack before collapse

Entrope
Mushroom

Re: 850,000 Bitcoins worth hundreds of millions of dollars

Except that a very recent leak revealed that MtGox had over 950,000 Bitcoins?

Considering MtGox's "trustworthiness" then (oh who am I kidding, this is the same MtGox which had parsed usernames and passwords in plaintext through URL's when the site first launched) I wouldn't be surprised if MtGox DDoS'd themselves in order to portray a false image of MtGox being the victim.

3
0

20 Freescale staff on vanished Malaysia Airlines flight MH370

Entrope

Fake passports?

Apparently "five passengers booked on the flight did not board and their luggage was consequently removed" and "it has also been confirmed that two passengers were travelling on stolen passports."

While not evidence of foul play, it is suspicious.

Condolences to all.

0
0

Microsoft to get in XP users' faces with one last warning

Entrope
Mushroom

Re: Woo hoo! Phishing opportunities galore!

I actually thought that Microsoft's popup did 100% resemble a phishing dialog.

Things are sure to become quite interesting in the near future.

All that's left to say is... Yipieee!

17
0

Government-built malware running out of control, F-Secure claims

Entrope
Mushroom

Re: Symantec and McAfee (among others) have not responded

Yeah. This is the same Symantec that has for quite some time now refused to participate in AV-Comparatives while just about everyone else has no issue with said participation.

That in itself should already be setting off alarm bells.

This however is just another reason for anyone to avoid Symantec at all cost.

10
0

The UNTOLD SUCCESS of Microsoft: Yes, it's Windows 7

Entrope

Considering VL Windows 7 SKU's are no longer available...

No shit?

We over here purchased a hundred Windows 8 licenses not long ago...

...to install Windows 7.

1
0

Credit card of PayPal PRESIDENT cloned by UK crooks

Entrope
Mushroom

Re: Wouldn't have happened if merchant accepted PayPal

What would have happened instead is that I would have walked out of the shop empty-handed because PayPal would have locked, suspended or otherwise denied me access to my funds in my account in the name of "my safety" and whatever other colossal Godzilla dung.

Kinda a small little bit of detail missing eh Mr Marcie?

0
0

HP 'clarifies' firmware/support contract rules

Entrope
Mushroom

Double-U Tee Eff?

In the first place shouldn't HP be providing us with servers with non-broken firmware?

And if said firmware is broken shouldn't it be HP's responsibility to mend it at no additional cost?

Admittedly it has been a while since any firmware on any server has given me any major headaches. Having said that however we did shift away from HP ProLiant (to the delight of just about everyone in our company) many years back and we are now Dell PowerEdge exclusive.

I guess the one benefit I see of this is that it's now a lot easier for me to convince my clients to stay clear from HP. While it is quite rare for there to be critical firmware bugs three years after release it is always nice to get small performance bumps from time to time through firmware optimization.

5
2

Adobe goes out of band to fix frightful Flash flaw

Entrope
Mushroom

Aaand... updated.

Had this update in our repository within five minutes of receiving this particular advisory.

Have to say though... considering that Patch Tuesday is a week away this must've been pretty damned urgent for Adobe to release an out-of-cycle patch. Most of the time we'd be waiting another week. Or two. Or three.

1
0

Hacker backdoors Linksys, Netgear, Cisco and other routers

Entrope
Mushroom

Well...

...where I'm from I can certainly see this attack working extremely well.

The vast majority of ISP's here simply authenticate users by checking against the MAC address of their router/modem. To the ISP it's one less thing for the user to screw up and hence one less issue for the user to create and subsequently call the ISP to complain about.

It also makes it easier for everyone when a given user chooses to change their router/modem. Simply call the ISP up, give them the new MAC address (which more often than not is printed somewhere very obvious on the appliance), and let DHCP take care of the rest.

And as already mentioned, just about everyone isn't interested beyond getting their router up and running and as such most users will not notice much of a difference pre/post factory reset. Sure, WiFi might stop working... but they'll probably just try to log into their router with the default credentials which they never bothered to change in the first place to set WiFi up again and all's well in this world again. In their view at least.

0
0

Mexican Cobalt-60 robbers are DEAD MEN, say authorities

Entrope
Mushroom

What a laugh and interesting read the comments in this article are.

Wasn't going to comment on this article originally. I now feel the urge however to mention that this is one of the big reasons I read The Register. The comments section in articles are often filled with both insightful and outright humorous posts which can go on to make my day.

I've long had an interest in reading up on disaster-related incidents of various types and there was at least one story linked which I hadn't heard before. Thank you for that, Dan Paul.

(One of the original reasons for my interest was from back when I was a rather young chap when I noticed that everyone keeps banging on about how everything nuclear is the root of all evil. Yeah, radiation can be bad. We get it. It's stupid however that even the smallest of incidents involving any form of radiation often over-shadows much larger incidents of other types. I, for one, have noticed that while just about everyone has heard of Chernobyl almost no-one I know is aware of the massive chemical incident in Bhopal. And the two incidents weren't exactly far off from one another.)

This bit though made me spend the next half hour cleaning my monitor;

Daniel B.: "Indeed, all radioactive stuff has explicit labels like the all-known fan-shaped one and "MATERIAL RADIOACTIVO" stamped on it."

I like crisps: "or MATERIAL......SCORCHIO!!!!"

And now for a suitable icon...

0
0

Think unpatched Win XP hole's not a big deal? Hope you trust your local users

Entrope
Mushroom

Re: "unless a BOFH opens a email containing rigged PDFs from a vulnerable server"

You'd be surprised.

Some months ago a friend of mine had made an urgent request for me to pop by her office to take a look at their failing Microsoft Exchange 6.5 on Server 2003. Apparently their outsourced IT "support" (and I use the word "support" rather loosely here) were too incompetent to solve the problem.

Anyhow. Dropped by her office. Asked for her to log into the server. My jaw hit the ground when I saw the desktop and then hit the core of the earth when I navigated "All Programs".

Chrome? Check. Firefox? Check. Thunderbird? Check. Adobe Flash? Check. Adobe Reader? Check. Silverlight? Check. Nero? Check. Antivirus definitions dated 2009? Check. Firewalls disabled? Check. And I could go on forever, frankly.

And this was on their corporate Exchange server.

0
0

Revealed: How Microsoft DNS went titsup globally on Xbox One launch day

Entrope
Mushroom

I lol...

I had, admittedly, performed a similar cockup many years ago.

While moving our firewall policies from one GPO to another I had forgotten to disable the destination GPO first before applying the new firewall rules. And because the base policy was to block all inbound and outbound connections by default (and also because I was rather slow in setting the new firewall rules up) quite a number of systems inherited the new GPO before it was fully configured and were thus left in a state where traffic in both directions was being blocked.

Fixing that wasn't fun as I couldn't automatically force all the affected workstations to acquire a new policy since I had successfully bricked their network connections.

Lesson learned though is that I now set up new GPOs as very-freaking-disabled, configure them, export to test environment, test, and then enable them if all goes well in test.

For Microsoft to have made a similar cockup though... hahaha.

3
0

AVG, Avira and WhatsApp pwned by hacktivists' DNS hijack

Entrope

Re: so far so good

I'm personally surprised that no one has commented on their use of NetSol in the first place.

Now I do admit that I haven't visited NetSol's site in years (and still refuse to even in the name of fact finding) but last I checked NetSol was still charging ludicrous mark-ups on domain name registrations claiming "superior support" over their competitors as justification of said ludicrous mark-up.

Yeah. Right.

If my other half (who is not IT savvy at all) is able to figure out on her own (and with ease) how to register a domain name and then forward said domain name to her blog then I think we can do without NetSol's claimed "superior support" and just go with a more affordable (and reliable) alternative.

0
0

Redmond slips out temporary emergency fix for IE 0-day

Entrope

Re: Why bash IE? This would be a non-issue if you configured your browser proper.

Are those facts or merely your personal opinions? I do not typically stay on top of which browsers have suffered the most security vulnerabilities but doing a quick search online reveals a number of articles showing that there was at least one year where both Chrome and Firefox had over two times more high risk vulnerabilities than Internet Explorer. Each.

Internet Explorer was an absolutely crap browser all the way till 9. Which was decent. But with 10 Microsoft has certainly gotten their act together. I used to use Firefox during the earlier days of IE until the release of IE9 as Firefox dev seems to have suffered a number of quality assurance problems during that time (plenty of crashes, infinite loops, memory leaks, et cetera). Things have gotten better for Firefox recently, however. Just like how Microsoft has improved Internet Explorer.

My only criticism of Internet Explorer (or Microsoft, really) is that from 9 onwards it is no longer provided to users of Windows XP. I actually aggressively recommend Firefox to Windows XP users. For those on 7 however I simply say "well, it's really down to your personal preference".

0
0

Entrope

Why bash IE? This would be a non-issue if you configured your browser proper.

I'm probably going to be down-voted quite a fair bit for saying this, but let's be honest here... your choice of an "alternate" browser doesn't suddenly make you "all so security savvy". What matters is how your browser is configured along with your browsing habits.

Based on Microsoft's advisory I'm pretty much unaffected by this vulnerability. My standard Internet Explorer configuration involves custom security zones configured with ActiveX very disabled, many other features I do not require also disabled, all default IE plugins disabled and Internet Explorer running in enhanced security mode (which forces 64 bit, ASLR, et cetera).

As already mentioned every browser encounters security vulnerabilities and bashing Internet Explorer exclusively every time Microsoft releases a security advisory is childish. I could even go as far as to say that Internet Explorer is actually FAR more customizable than Chrome from its user interface from a security perspective (primarily due to the decent amount of options offered when customizing a security zone though quite a few other security related options can also be found in the Advanced tab).

This perpetual Internet Explorer bashing is slowly becoming old.

4
3

Myst: 20 years of point-and-click adventuring

Entrope

No mention of Obsidian?

While Myst was and still is an astonishing game let's not once again forget about the existence of an equally as astonishing masterpiece named Obsidian (by Rocket Science Games).

Let me point out however that this company was appropriately named. Obsidian is infinitely more difficult than Myst. It took me months before I reached the FIFTH CD (yes, there were five CDs in total) and I eventually gave up. I have been gaming for 20 years now (with much experience in puzzle/adventure games) and Obsidian is the only game I have given up on (and I'm quite stubborn when it comes to not going online for walkthroughs as I enjoy the satisfaction of completing a seriously difficult game on my own).

Personally I did not find Myst difficult at all (completed it in about five hours a few months back and the last time I touched the game was in 1994). Myst had its plus points in many other areas however which have already been mentioned in the article.

Take my word though. If you enjoyed Myst... play Obsidian. It has an astonishing story. An absolutely unreal environment with concepts and ideas which are truly unique to this game. And its puzzles... my lord. Your problem solving skills and patience will be pushed to their absolute limits.

Trust me on this.

0
0

Server sales continue decline – time to bargain hard with your supplier

Entrope

Have said it before and will say it again...

...thank Intel for delaying 22nm E5/E7 Xeons.

If you consider the fact that servers need to last a good many years it does make one hell of a difference in power and cooling costs when you compare 22nm versus 32nm. And even as we speak right now Intel's 22nm E5 Xeon parts are STILL not out.

Yes, I'm aware that they'll hit the market in Q3, but the fact is this delay has caused us to pretty much eradicate all server upgrades over the past 15 months. And I know I'm not the only one.

After all the primary benefit for me to upgrade my servers is to reduce power and cooling costs. Performance is a plus point, sure, but it's a secondary benefit for the most part.

INTEL!!!

1
0
