Could you see it in your hearts to bring back the O'Really shirts? Mine are becoming a bit worn.
They aren't going anywhere. All of this is hype for a TV show, and it doesn't have to be backed by actual science because no science is required to stay on the planet and grab some ratings before everybody gets bored and switches to something else. Remember, Survivor wasn't about surviving. The producers can write whatever fiction they want. The fact is that nobody is going to Mars being funded by some advertising. El Reg's playmonaut has a better shot of going to Mars than any of these "contestants."
Speaking of which, why not send the playmonaut to Mars?
Well, the last time I read about an alligator munching on someone (but not on a cat), the whole person was found in the gator. Nothing was left for later.
Now, Dundee's comment would be correct: that's not a croc! Of course, he'd still have to step lively.
What is with these "crimes?" Are these laws being made up ad-hoc? "Oh, we decided to reconsider your sentence. Conjugate the verb 'to go'." ... "Wrong! Another five years."
Your cake is ready, sir!
Really, what other analogies could have been used? Evil mixed candies? Smörgåsbord of villainy?
And if you are weird or creepy, you're on the watch list for evil people!
Raif Badawi should have run his website through TOR. Maybe that wouldn't have helped in the long run, as I don't know how many resources the Ministry for the Propagation of Virtue and the Prevention of Vice would have thrown at it to track it down.
Really, that sounds a lot like the Pebble. Runs for a week before bothering you to be recharged, not a lot of compute power, but it's handy. But I don't know if I'd want a wrist bracelet. (Manacle?)
"Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway." —Tanenbaum, Andrew S. (1989). Computer Networks.
So in this case the boot would be filled with 64Gb micro SD cards. A bit on the high latency side, but what the hey, it's still better than any cable service, and served up with far more panache!
I'm getting a V8 swapped into my Jeep, but that's got nothing on a sports car that can handle a full tank engine!
There are so many good Linux distros running on a Live CD that it's just silly not to do it if you are worried about Big Brother and spyware and all that. For heaven's sakes, the CD can't be altered, so there's a guarantee of no spyware between boots. It's not that hard to do a different bit of clicks to open a different program to edit the same document.
And if you're really paranoid, stop using the stupid computers! Use paper, and the solitaire cipher.
Really, the "privacy bods" need to recognize that there are better solutions than useless scanners.
Amazon has a policy that forbids people plugging in their phones to any Amazon computer, and they're quite upfront about it. As in, "plug it in, get fired."
From the Lookout blog: "NotCompatible.C operators do not use any exploits that we know of and instead rely on social engineering tactics to trick victims into completing installation of the malware. One observed spam email informs the user that they need to install a “security patch” in order to view an attached file."
So it sounds like, "Here's your attached system update. Plug in your phone, and put it in developer mode. Thanks for joining our botnet!"
With ASICs, FPGAs, GPUs, and eye-popping networks on a chip, will quantum computers really amount to anything? Either it's going to be too late, or else it's going to be too expensive for anything actually useful, except by Big Government and Big Corporation. Really, does anyone expect a quantum computer priced like a PC?
By the time a quantum computer will be breaking encryption written today, the art of encryption will have moved beyond what would make that quantum computer practical. And no, it wouldn't be cheap enough for crims to purchase to crack our online transactions.
I predict the obvious: bad implementation and practices are our biggest problem. Always have been, always will be. "Passwords? We don't need no stinkin' passwords!" "Encryption? Uh, I saw a movie with that in it."
Oh, the pain, the horror! To be told that weak anonymizing protocols don't count for much! Tor should have a FAQ about how many ways its anonymity can be countered. It doesn't matter how many times the packet bounces around Tor's echo chamber, there are only so many entries and exits.
Tor is broken. Time for better protocols, where source and destination are anonymous, despite the fact that everything is in a big glass fishbowl!
"Google has more information on the people of the planet and more influence on the people of the planet than all of the governments combined." -- Andrew Greig, founder and CEO of Vizzeco.
He likens Google to the Borg. Actually, it sounds like the Borg and the dark side of the Force. "Don't be evil." Uh huh.
Now is the time to leverage all of the wonderful expertise gained with the intrepid Playmonauts, and go for that prize!
There are a lot of "secret" services which are essentially broken by design. The Tor service can be decloaked if one rents sufficient temporary capacity, and then makes a lot of requests to the site in question, and then analyzes the traffic on the captive Tor nodes. Eventually, the server that you are after lights up in the statistics, and you've got them.
Tor nodes can be evil, too, dumping malware on the files being transferred. Thus when feeding traffic back to someone, you can drop into the stream some exploits to easily track the user's computer.
The only way that a service can be effectively hidden is if it exists on multiple nodes, and moves around of its own accord. There was a research paper about using the logic in the Game of Life to keep nodes alive, and give a stable user experience.
And what was doxbin? A blackmailing service! Kind of like an evil Wikileaks.
There are so many capable maritime consulting companies available, I don't see why they weren't hired to do the job right the first time around. Really, does Google really have a need to burn money stupidly like this?
Let's see, what do we need to do? Establish a bunch of "evil" TOR exit nodes? And how much do "cloud" servers cost? And there you have it.
But Silk Road 2.0 was broken through normal infiltration, and nothing else. ("Yeah, I'm a crook! I'm wearing a mask and carrying a crowbar." "Want to be a sysadmin on my evil site?") And then the Feds went on to do routine surveillance, which is something they are very good at.
Personally I'd really like to see the "sellers" serve time. Really, offering contract killing? I would so love to see crap artists like that in the slammer.
Network access is not a panacea. Never has been, never will be. Yes, it can be good for some things. But it won't change the ox cart! If a third-world country's rural population is running at ox cart speed, no amount of network access is going to change that. The ox only moves just so fast.
The Internet made a difference in the first world countries because we already had networks, we were moving at the speed of trains, planes, and automobiles, and we had been doing so for quite some time.
The phone will get to the Exchange server if it is allowed outside, i.e., like https://your.mail.server.com. Then just specify that you're connecting to it. As for the POP3 mail, some clients will allow you to just read what is currently on the server without downloading it. In the POP3 protocol, downloading and deleting the mails are separate operations.
It's not really a question of whether you can run your business on a phone, but how well it can be done. After all, not long ago paper and pen was how business was done, and we got by.
If one must do a good bit of typing, then a Bluetooth keyboard is the only way to go. Your productivity can only be severely hampered by thumb-typing or correcting all of the errors in voice recognition. Also, you will be zooming in and out of those documents a lot. Unless you have a big magnifying glass in front of your screen like in Brazil or Twelve Monkeys, your eyes can only resolve just so much, and you'll be trying to look at how something is laid out, and then trying to edit that. Not fun.
What are they going to do, forbid all travel to north and south America? "Sorry chums, we love you, but you'll have to be isolated to save the newts." And the frogs, and whatever else this fungus loves to eat.
And then the fungus will mutate and eat us.
Interesting how they didn't show anything that actually had to do with wearable computing or computers. Fur suits and cue cards just don't cut it.
The first wearable computers we had were those little things from Sharp, the PC-1500, etc. OK, more like stuffable in a coat pocket, but close enough. The next thing that really caught on, and is still sticking with us, is the "mobile phone," with more screen resolution than a desktop monitor.
Since "augmented reality" is sure to be a larger distraction than texting, I'm sure that this will result in more Darwin awards (or runners-up or honorable mentions).
Look, everybody knows when ASIO makes a phone call because they have to move the wombat off the phone. In order for the other bloke to not listen in, he has to hold a koala on either side of his head to muffle out the sound.
At least they're better off than the Tasmanian office, where they haven't ever made a phone call because there's a Tasmanian Devil on top of it.
IIRC, there was a Bitcoin fund for him, as a "thank you for making Bitcoin or sorry that you got fingered by idiots at Newsweek" set up for him. I suppose that's not enough for waging battle against Newsweek, though.
You do realize that industry, i.e., big machines and such, has had IoT for some time, right? It's just that nobody has made a big deal about it. Industry does have quite a lot to monitor, from the tire pressure in dump trucks to all kinds of factory processes. But it's an intranet, for local use only, security breaches aside.
Yes, I have IP cameras, but I don't open my network to the outside. That's part of the sensible nature of security, is to not expose what doesn't need to be exposed. So what about the fridge? The fridge isn't supposed to nag, it's supposed to report what's in it when you're at the store, trying to remember what's in it. You do realize that the alternative is to write things down on a slip of paper, right?
Look at all of the things that we use remotes for today. You realize all of that's IoT, but without the internet, right? I remember when a friend of mine, madly obsessed with remotes, had them all lined up on his coffee table, and then he wanted to turn off the telly. But that didn't work, because he'd grabbed his calculator instead. (It was hilarious watching him mash that red C/CE button!)
So what it comes down to, do we need industrial control for the home? Maybe a bit, but that's all there is, really. Old thermostats need to be replaced with something a bit better, but mainly because the old ones stick a bit, and don't turn off the heat when they should. But it's not because we want the heat only when the electricity is the cheapest.
The current system for finding out when things go wrong is when the citizens in the neighborhood of the device call in to let someone know it doesn't work. Such as street lamps and crosswalk buttons. Now imagine trying to set that IOT device up. There will be a lot of paperwork just to note the location, like 27b/6.
How problematic would the firmware be? Depends on what it does. If it only reports, then there's not much of an attack vector, unless it's through the IP stack. But the ARM chips, if the system really is bare bones, don't have enough room for large complex code anyways. The IP stack itself will take up most of the space.
What everybody misses with things like this is that you could fake it when given that assignment. Or else completely fill up their database with garbage. Anytime your data is sent back to someone in plain text, you should get in on the act, too. Give them more data than they had planned on receiving, not less. What would happen if everybody claimed to be reading the great classics of literature?
Why in the world Bash isn't deleted from any Internet-facing system, I have no idea. If you look at John Hall's code, it's Bash itself that's making a connection back to Hall's servers. I can imagine that a complete evil server system could be hidden in Bash environmental variables. A "minimal system" should be exactly that, with minimal functionality.
We gots exploits!
Yahoo! and WinZip both got nailed. If you take a look at John Hall's request text, the parts that were "malformed" were the User-Agent, Cookie, and Referer. Not only that, but it is Bash itself that's calling back to let someone know that the server is vulnerable! That "/dev/tcp" is part of Bash, for your comfort and convenience.
The messed-up thing about this is that to check whether a system is vulnerable, you have to break computer laws to do it. This isn't just port scanning, the fellow got entry, poked around, and killed the botnet client.
Yes, exactly, have any exploits been found in the wild?
I want to see who has actually been pwned by this, and how badly they misconfigured their system in order for the exploit to occur. There are a lot of exploits that happen simply due to poor configuration, like not scrubbing inputs, and using Bash (instead of sh or Dash) with too many privileges, and many other things. I don't want to see honeypots or theoretical vulnerabilities from security researchers, I want a real case of a system getting hacked by this.
OK, here's the problem: the USB serial connection is just a serial connection, and there needs to be additional stuff to convert all that to writing into the flash. Now, if you were plugging in a flash card into a bus, then things might be different, like the CF cards. But instead, you want to put something on a general-purpose bus, which has no real security features. "Hello, I'm device XXYYXYXY!" That's basically it, and then the bus routes traffic. So really, it's a kind of network, but without the security features of Ethernet.
What does this mean? It means that there must be a controller to translate the serial to the flash, keep the flash wear level, and some other housekeeping. The problem with all of this is that the microcontrollers are amazingly good these days, and a 32-bit controller can be had in an 8-pin package. It doesn't take much to emulate a keyboard, so reprogramming a USB stick isn't that much of a problem.
I figure at some point what we'll see are USB firewalls in the operating system.
"Hi! I'm your friendly input device! And I have a CD drive! And I have storage space! You love me!"
And then everything went to Hell, in a hand basket. Oh, wait, we were already shellshocked before this...
Do you have any idea how many times I've given the OK to Windows to install a device driver for a known good device, just because I plugged it into a different USB port?? It doesn't matter if system policies are changed if the user is trained by the OS to always click "OK" before the "friendly" device can be used.
The "microcontrollers" have some fairly good horsepower. Once upon a time, a 32-bit 60MHz chip would have been running a server or workstation instead of sitting behind a USB connector. If you want to fabricate your own board, you can add a coprocessor, and have a serious little hacking system! Some of these controllers have their own FPGA.
Welcome to the future of Moore's Law, where the servers and storage systems of yesterday are now on USB sticks, and can hack your system in milliseconds.
Trust the computer. The computer is your friend.
That's a great answer to someone else's post.
Right, you made one, and you helped a friend make one for himself. Anybody can do it legally, if they're not violating state law, which was my point. And those laws vary from state to state.
Personally, I'm all for everybody legally doing something like this. Laws have long been absurd, and people need to get involved in prodding their legislators into acting with something that resembles common sense. Unfortunately, yellow journalism and reactive politics have been with us for, well, forever.
Time to do something truly dangerous: write letters and vote.
"and it will remain just a piece of metal which you can send via post, Fedex etc to anyone you like."
No, that's against the law. To transfer this to someone else, you must first obtain the right licenses, stamp the thing with a serial number, and then it can be transferred after the paperwork is done. This is the part with the serial number, and this is the part that legally constitutes the weapon.
You can, however, fill in all of the part that you can't mill, like everything else, and happily go legally shooting. That isn't against federal law.
Gun laws vary from state to state. Perhaps a state requires firearms registration, perhaps it doesn't. Perhaps it allows a person to manufacture a firearm for themselves, perhaps it doesn't. Where I live, this would be perfectly legal, but I'm not so sure about New Jersey. Also, state laws may restrict purchase to state residents, and other things like that. For instance, in the State of Washington, an individual may not own a full-auto weapon, but that weapon may be owned by a corporation. Go figure.
Wow, once again we find out that massive DRAM caches speed things up. Who would have thought?
These days a 60MHz 32bit processor is smaller than your thumbnail, costs $5, and people are still amazed that massive DRAM caches improve I/O. Back when IDE drives had just been introduced, I bought a smart controller and populated it with 16Mb of cache. Wow, builds could fly! And when I shut down the system, the writes continued for a minute. Same thing here, different day, same premise.
"they went back to numbers to distance themselves from Vista..."
Even though Windows 7 reports that it's version 6.1, and Windows 8 reports 6.3. I wonder if Windows "10" will report that it's version 6.4? Incremental versions mean incremental changes, though! Tweaks! No radical changes, move along...
One of the things that drives me really nuts is that a server is not supposed to be using Bash for its system accounts. And yet X number of numpties have set the systems up that way. Bourne, and its alternate, Dash, don't offer the attack surface that Bash does, and are the defaults. So whoever is getting pwned by this bug had to go and work their way around a large number of security practices, any one of which would have mitigated the problem.
Well, the attack is based on a feature of Bash. This means that it's been "out in the open" for the entire existence of the feature, not hidden as an oopsie-daisy bug in the source code. It also points out why it's a bad idea to have so much running with root permissions, besides not sanitizing input. And why it's a bad idea to allow just any server to throw whatever traffic it likes out onto the network.
The equivalent on a Windows system would be to pass in PowerShell script and .NET binaries through the http request, and then run it all with Administrator permissions. Attacks like these should be in the category of GET root!
But the device zombie botnet has already been done! And without using this "vulnerability," last year. IOT devices have crap security in the first place, and most, if not all, aren't running Bash, but Busybox or equivalent. (Are any of them running Bash?)
Still no word of JUST ONE commercial site (or device!) being pwned by this one. Sure, there's a search on for a server that's vulnerable to this, but so far, nothing.
(Yeah, sure, my IOT light bulb has enough space for Bash. Right...)
Really, anybody notice how all of this is getting inflated? "Oh, maybe the web server is running DHCP. Or a DHCP server could be uploaded." And on and on. How many systems have been pwned by SSH bugs? I worked in a company where a sysadmin opened an unpatched Linux box to the world, and somebody in Germany promptly walked right in through the SSH server.
So, no, I'm not banking on this being as big as people are making it out to be. For this to work, somebody has to explicitly invoke Bash to run executables, not merely have a cgi-bin directory. The system has to be set up with no sanitation of the inputs. All in all, a system has to be set up really poorly for it to be affected.
You know what else is a "vulnerability?" Running code on a processor. Hello, if a system lets a person anonymously upload and then execute code, that's a vulnerability, too. But we kind of guard against that, of course. Yes, we do. Mostly. Kind of. Now and again. Maybe. Nothing remotely like this has ever happened before now. Really.
Yeah, I know, this could possibly be opened up by someone who hasn't a clue as to what they're doing. Maybe "developers" like the Obamacare site contractors, for example. But you can't totally save someone from themselves. It just can't be done. They will always find a way to fail.
And I do want to see a site, not just some test code, but a normal commercial site, pwned by this bug. There have been so many instances of pwnership, this shouldn't be a hard one.
This has existed for 23 years, and nobody has ever written a worm using it! Now, doesn't that tell somebody something? Like this might be a little bit overblown? "Oh, I found a Bash exploit. Wait, it doesn't actually work. Moving on to something else to exploit now..."
Now, what if that supposedly vulnerable server is actually running Bourne shell instead of Bash? Look, ma, no vulnerability! Or maybe the system was set up with some sanitation on the inputs first before the command was sent onwards. I've been seeing people point fingers at Cpanel, but Cpanel folks say that they don't fork around with Bash.
I have yet to read an article stating that server X was exploited with this bug. And I mean truly exploited, not "oh, it looks that way in a Google search."
Pwn the server, post the results, let's see if it's verified.
Because then the "phone" could actually make calls.
No, the next release will fully brick it, thus making it fully functional as one half of a pair of mallets you can use to beat a jungle drum!
Playing games bought on Steam has not made me happy. When I want to play a game, I want to play it when I sit down, not when Steam decides that it has server capacity to see if I may play it. I'd rather pay a premium for the game to not play it on Steam, and wait for it to be delivered to me.
Ballmer went on an acquisition spree, since Microsoft can't innovate. Microsoft bought Nokia, allegedly for its cell phone expertise. Now they lay off practically the entirety of Nokia, plus good chunks of their own US operations. Huawei dumped Microsoft phones due to poor sales.
Spend lots of money buying stuff, lay off lots of people, ???, profit.
Well, the profit is, of course, from Windows OS, Office, cell phone patents, and never from cell phones themselves.
Once upon a time I'd look at the list and think to myself, "Gee, how much would it take for me to get my bedroom on the list?" Now, with the smallest configuration using over 2,700 cores, there's no longer any way this could happen. Any configuration worthy of #500 on the list these days would take more power than the whole house's mains circuit. Back in 2005 a system with 50 cores could score well. Not anymore! I'd need about 100 NVIDIA K-40 cards to get to #500.
From their own website: 21 hours of non-HD video, 120 minutes of HD video, or 42K pictures of your cats.
So in 1,000 years, the archivists will pop one of these into a drive, and see pictures of cats. And they will wonder what the hell is wrong with us!
I've had fingerprint readers on my past three notebooks. And I've used 2FA with a key fob device, for access to a corporate network.
The first real level of security is, "don't put that there," and, "don't let it do that." Don't put embarrassing photos of yourself on the Internet, and don't let your bank transfer funds like that.
The fingerprint idea is OK until you get an owie on your finger, and you need a Band-Aid. Even when it works right, it can take a few swipes before it recognizes your finger. The key fob is OK until it gets out of sync with the service, and then a re-sync needs to happen. The smart card and the key fob can also suffer from insufficient randomness or whatever other problem can crop up.
It's really hard to protect people from themselves. My apartment manager's password is two very simple words, followed by repeating numbers, and he has problems remembering that, so no way is he going to remember v<#?rSK51_Rc,pt, which can still be broken by a rainbow table. Yes, he has called me up on occasion to find out what his password is.
Sending a text message containing a second password to the phone is a good idea, though. Then the second password could be something random, like, "battery horse staple." Of course, for a MITM attack, that would restrict the attack to the current session. But depending on the data that the attackers want to access, that may be enough.
"... but I can see some potential in marrying the mainframe terminal emulator with Linux..."
You do realize that there are already open source TN3270 and TN5250 emulators? There have been professional products for at least 20 years for IBM terminal emulation on Unix, Windows, and even MS-DOS and OS/2. I used to work at Attachmate long ago. ("Where's the IrmaLAN team?" "He's right over there! Splinter!" [This actually confused an HR rep who didn't understand the Monty Python reference. Really, I wonder how much of real life those people experience. Maybe we need to study them with tracking collars and electric shocks...])
Yes, I remember when they were an independent company. Anyways, emulation on Linux not only includes terminal emulators, but also the Hercules project, which can emulate the mainframe itself.
When 60 Minutes ran a piece on the CIA, they received a rebuttal from the CIA before the news segment had been broadcast. The CIA had been monitoring the satellite feeds used for editing the shows...
Never mind security by obscurity, you need security by brick! If it has all the connectivity and Internet functionality of said brick, it's definitely secure for ten years!
Seriously, a lot of the security problems simply stem from really bad practices that should get someone fired in the first place before they create a pile of crap. If you want to manage a fridge, all it needs is SNMP, and nothing else. Same for basically every other appliance. SNMP v1 is more than enough to monitor everything, because you just need to get an appliance's state, not turn it on or off. Honestly, an IOT blender is pointless to turn on and off over the net. Really, is your robot capable of washing and slicing and dicing the veggies, but it can't turn on a switch?
"Predating Stonehenge, the building is thought to have been a house of the dead where bizarre burial rituals were played out. 'The rituals included exposure of the dead bodies, and defleshing on a large forecourt.'"
Where do they get that data? And about a wooden building that's older than Stonehenge?? The builders and others who played around with the stones weren't big on writing anything down, so I wonder how the archeologists came up with the specifics of the rituals.