* Posts by Brian Miller

551 posts • joined 3 Jul 2007

Innovation creates instability, you say? BLASPHEMY, you SCUM

Brian Miller
Bronze badge

Beware hokey religions and ancient mantras

“Why do you say we should not innovate?”

You'll never win when you try to challenge someone's hokey religion and their mantra of "innovate." They aren't solving problems, and they know it. They know that they are trying to suck down government money. They are going to give their stupid presentations until they run out of cash, and then find something else to wave around as their new banner.

0
0

Grav waves: Moment when 'father of Big Bang inflation' learns he was RIGHT ALL ALONG

Brian Miller
Bronze badge
Joke

Celebratory ice cream?

Will Ben & Jerry's be releasing Gravity Wavy? Or Big Bang Butterscotch?

7
0

The long war on 'DRAM price fixing' is over: Claim YOUR spoils now (It's worth a few beers)

Brian Miller
Bronze badge

Might as well file, the computers are in the closet!

I still have a couple of the systems gathering dust in the closet. So why not file? I can actually show the memory. They don't ask for any proof, though, like sales receipts. If I were them, I'd be asking for some proof of purchase. That would cut the claims down!

0
0

Brit Bitcoin dev: I lost 'over £200k' when MtGox popped its socks

Brian Miller
Bronze badge

No real banks are messing with BitCoins

Anybody notice that no real banks are messing with BitCoins? And all of the sites that are screwing around with them can't write basic financial transaction software?

2
1

Bitcoin bank Flexcoin pulls plug after cyber-robbers nick $610,000

Brian Miller
Bronze badge

Protocol review? Hello?

How many times will it be before these "banks" review their transaction protocols? And how long before BitCoin users will read the terms of service, and not use a "bank" that declares they aren't responsible for what you store with them?

7
0

Reg HPC man relives 0-day rootkit GROUNDHOG DAY

Brian Miller
Bronze badge

Rootkit playing tunes?

This sounds really bizarre. Why would a piece of malware literally toot its own horn? The whole purpose of a rootkit is to hide and be stealthy.

The second question is, what was it doing? The thing is, remote administration is not the way to go here. Admittedly, I'm one of those fellows who does know how to use a kernel debugger and a network sniffer, and I have a 16 port managed switch just for what's at my desk.

The first thing I would have done is, as Nigel 11 noted, run from a live CD and scan the drive. When a rootkit gets into the system, it then normally removes itself from the various process lists, or renames itself to something innocuous. The next thing I would have done is to look at the network traffic, using a different machine. OK, so I'm using switches that allow port mirroring, or else you'd have to keep a real hub handy. So I'd look at the network traffic. Today's malware usually wants to communicate on the network. So what's the traffic look like? Sending spam? Scanning? DDOS?

Something is fishy about just playing random tunes.

2
0

Chihuahua TERROR: Packs of TINY hounds menace Arizona

Brian Miller
Bronze badge

"It can tear a man's sock right off his foot!"

said Ted Johnson, of Red Meat.

Arizona has an open carry gun law, and people simply need to get over this thing of not eating dogs.

4
0

Altcoins will DESTROY the IT industry and spawn an infosec NIGHTMARE

Brian Miller
Bronze badge

Re: Dedicated mining ASIC chips etc won't crack passwords without modification

To actually turn an ASIC chip into something to brute force a password would require changing the ASIC chips in a big way, I'd guess. Not to say someone (read: NSA) wouldn't do that.

An ASIC can be altered by the person implementing it. There are many different types of ASICs, from ones that must be fabbed, to ones that must be programmed by a device programmer, to ones that can have their logic changed in the field. When the Opteron first came out, there was a compatible FPGA chip that could be dropped into a second socket, and could be reprogrammed for specialized tasks rather quickly.

As for breaking passwords, there was an article a while back on Ars Technica about using video cards for that task. So between rainbow tables, known passwords, dictionaries, and brute force, it's a bad time for conventional passwords. Especially 123456!

0
0
Brian Miller
Bronze badge

All your passwords are belong to us!

The guys who will really go for the used video cards are the ones who can profit the most from them. Got a database full of "encrypted" passwords? Not for long! Then they will be plain text passwords.

Of course, all of these video cards could be scarfed up by science! Yes, you have a research budget, but no supercomputer. What to do? Lay your hands on that cheap post-coin goodness!

0
0

Sync'n'steal: Hackers brew Android-targeting Windows malware

Brian Miller
Bronze badge

Also, the user needs to click yes on the notice, "Do you trust this computer?" Most will probably say yes, but as mentioned, debugging needs to be turned on, and that is now "hidden."

1
0

Pervy TOILET CAMERA disguised as 'flash drive' sparks BOMB SCARE on Boeing 767

Brian Miller
Bronze badge

Re: Haven't you seen Fringe ?

If the USB spy cam was like this one, then there really isn't a lot of volume there.

I'm not an explosives expert, but I think that C4 requires a detonator stick of some sort, i.e., a blasting cap to set it off properly. Doesn't it just burn otherwise?

So you'd have to have a tiny blasting cap, that might actually not do the job, and some HE, all in a very tiny space. Now, just taping it to the wall in the loo would only make it a noisy firecracker. Sure, it would cause the plane to land, but I doubt it would cause any injury. Perhaps it would cure constipation, though.

6
0
Brian Miller
Bronze badge

More training needed?

What's nuts for this is that people think that something very, very small can blow up an airliner. Anybody remember the anthrax mailings? People were freaking out about dust on the shelves.

9
0

Mars One's certain-death space jolly shortlists 1,000 wannabe explorers

Brian Miller
Bronze badge

Sense of adventure, sense of reality

"Men wanted for hazardous journey. Small wages. Bitter cold. Long months of complete darkness. Constant danger. Safe return doubtful. Honour and recognition in case of success. —Ernest Shackleton."

Shackleton was honest and had a sense of reality. For this program, neither the organizers nor the hopeful participants have any sense of reality.

"People wanted for fatal journey. No wages. Bitter cold. Long months of complete boredom. Constant danger. No safe return. Honour and recognition as a footnote in television history in case of non-fatal landing."

I'm guessing that we should wait to launch humans to Mars after we've built a decent space elevator.

1
1

Blame Silicon Valley for the NSA's data slurp... and what to do about it

Brian Miller
Bronze badge

Re: The law is not the answer

"The same way the law favours you when the Daily Mail steals your photo."

You mean like the fellow who finally won out against the Daily Mail, but it took years? (There are too many search hits for the Daily Mail stealing photos.) Sure, the law favors you, but it will take a lot of effort, and it definitely isn't as easy as clicking through a few forms and getting a payout.

4
0

Yes, you ARE a member of a global technology elite

Brian Miller
Bronze badge

Re: It's not the code that matters

Code well, and debug well! I've had to debug another fellow's code that did intermittent overwrites due to network buffers being allocated on the local stack. Of course after the function ended, the IP data still went to those locations! Eww!!!! One fellow I worked with constantly sabotaged my code. He thought he was "improving" it.

1
0

US military's RAY-GUN truck BLASTS DRONES, mortars OUT OF THE SKY

Brian Miller
Bronze badge

Not quite the first thing to take out...

A highly visible laser truck is going to be the first thing any enemy will want to take out.

Actually, it's the Signal Corps that is the first target. Shut down the enemy's communication, then lay into them.

5
0

FreeBSD abandoning hardware randomness

Brian Miller
Bronze badge

Schneier blog already went into all of that

https://www.schneier.com/blog/archives/2013/10/insecurities_in.html

Theodore Ts'o, the original developer of /dev/random, also chimed in on the thread.

1
0

'Don't hate on me for my job!' Googlers caught up in SF rent protest ruckus

Brian Miller
Bronze badge

RAMMING SPEED!!

Too bad US traffic laws don't include the fact that people are responsible for their actions. When I was in Germany, I was told that if a child runs out in the street and gets hit by a car, it's the parent's fault for not training the child to stay out of the street. But one story sticks with me: protestors had "blocked" the road to a facility (nuke? I can't remember.) by lying down in the road. Then somebody, upon seeing this, jumped in their car, and drove down the road, full bore. Only seven or so protestors got their legs run over, and the rest had the sense to get out of the way. I was told that no charges were applied to the driver.

In Washington state, for a while it was fashionable to have protests on the freeway, until the legislature finally passed a law effectively banning the practice. Perhaps SF needs to do something similar.

7
12

Brit inventors' GRAVITY POWERED LIGHT ships out after just 1 year

Brian Miller
Bronze badge

Re: Nice idea

The Aladdin brand kerosene mantle lamp puts out something like 60W of light. I bought one, and when the power went out, oh is it great! My home looked like the power was on, but it was just a kerosene lamp. A standard wick lamp is quite a bit dimmer, though. Since I now live next door to the power company, the electricity rarely goes out.

The best alternative to the lamp is the Uco candle lantern, and I've lit my living room with one of those hanging from the ceiling light and using the top reflector. However, it's slightly more expensive than the gravity-powered light.

I can see this as a reasonable thing. Think of the alternatives: running a light off of a bicycle generator. The good generators are rather spendy, and that's for a first-world budget!

0
0

Two million TERRIBLE PASSWORDS stolen by malware attackers

Brian Miller
Bronze badge

Re: All I can say is this...

And watch that long password fall to a dictionary attack. Ars Technica: “thereisnofatebutwhatwemake”—Turbo-charged cracking comes to long passwords, and How the Bible and YouTube are fueling the next frontier of password cracking. 1000 guesses per second is stupidly slow. Try 30 billion per second!

1
0

On the matter of shooting down Amazon delivery drones with shotguns

Brian Miller
Bronze badge

Shoot the drone when it's in range!

The drone isn't shot on the wing, it's shot on the rise. Let it deliver the package to the neighbor's house, then shoot it.

As for landing accuracy, I'm sure that a delivery drone would have a camera to observe for a landing target. The GPS just needs to get it within 15ft.

And as for drones out of 12-gauge range, that's what the USB-activated Raspberry PI-controlled SAM is for.

0
0

Adorable, much-loved SEAHORSES are VICIOUS SLURPING KILLERS

Brian Miller
Bronze badge

Re: No video?

Figure 2: Reconstructed high speed holographic video frame sequence of H. zosterae feeding on A. tonsa.

It's over in just six frames. Not enough for a video.

I love the hunting strategy: sneak sneak sneak NAB

2
0

Twitter fires up stronger, anti-snooping encryption for its millions of twits

Brian Miller
Bronze badge

Re: Keeping secrets...

Hmmm, tweets from the twitterati that nobody can read.

Is there a down side to this?

5
0

US govt cuts squeeze crucial computer science, shoot country in foot

Brian Miller
Bronze badge

Why buy when you can rent?

Amazon throws together 26,496 cores, and gets ranked as #64 in the Top 500. Cycle Computing rented 156,314 cores for $33,000 and got a petaflop for 18 hours. Now, isn't that more effective than mandating the government has to fund everything?

Face up to it, web searches and cat videos will drive advances in computing, not the weather.

3
1

Samsung v Apple: Titans await jury verdict on damages of MILLIONS

Brian Miller
Bronze badge

I'm shocked, shocked to find that ...

"I was quite shocked," he said on Friday. "They went and copied the iPhone."

Like Apple copied Xerox? Hello??

13
7

Decades ago, computing was saved by CMOS. Today, no hero is in sight

Brian Miller
Bronze badge

Re: The next giant leap

"And does anyone actually teach efficient software development anymore?"

You have a very valid point. When I went to college, we were taught multiple software design methodologies, such as JSP (Jackson Structured Programming) and Warnier-Orr. However, I've never met anyone at Microsoft who had ever heard of such a thing. Not JSP, but simply the concept of structured software design. Every single person I met there with a BS or above had no clue about doing anything except stupid tricks that didn't work on a real project.

JSP is like a hot chainsaw through soft butter when it comes to slicing and dicing stream data. I'd get asked, "how do you do that?" And I'd show them. And I'd get blank looks from people with glassy eyes.

The next "frontier" is software, and it's a frontier that has never kept up with hardware. What's the latest development? Everything runs as a scripting language so it's all "open." Stupid. But at some point we'll see a real OS for high performance computing, and the kernel, etc., will be really small.

5
0

Supreme Court can't find barge pole long enough to touch NSA lawsuit

Brian Miller
Bronze badge

Big difference between search and surveillance!

There's a big difference between watching what you do in public, and rifling through your stuff! Like the EFF, I'm disappointed in the Supreme Court. They chickened out. Who does the public go to for redress?

6
1

Coroner suggests cars should block mobile phones

Brian Miller
Bronze badge

Cell phone yakking != good driving

I've seen this before. A driver, in the fast lane, went from 65mph to 50mph because he got a call on his cell phone. No brake lights, he simply took his foot off the gas and kept driving at 50mph with his cell phone in his hand.

Some people have very limited attention spans. Either they drive, or they talk. But they don't do both.

The IT angle? The computer should drive the car. Right off to the side of the road, and then shut off the engine.

14
1

Oh My GOD! Have the TORIES ERASED THE INTERNET?*

Brian Miller
Bronze badge

How many Reg hacks does it take...

Why does it take the three of you to produce an article? And about a blog entry, no less.

Try this headline: "Muppet puts head up arse," or, "Internet found to work as advertised on the tin."

10
0

What's wrong with network monitoring tools? Where do I start...

Brian Miller
Bronze badge

I'm sorry, Dave. I'm afraid I can't do that.

Love the wish list! Especially all the packet capturing.

Honestly, a lot of what you want is not software, but hardware. Seriously expanded hardware. "What was the traffic for the last five minutes?" On what again, on how many ports in the system? You want something that the NSA would love, and only the NSA would be able to pay for it. Routers have 256Mb to 512Mb of memory, and switches have practically none. And you want the last five minutes of traffic available for all of those ports?? Insert appropriate Cheech and Chong quote here.

The reason that you haven't seen things like this is because companies don't devote a lot of resources to creating monitoring tools. When I worked for a "very large" firm that produced such a package, the development team wasn't very big. What you have asked for is rather close to Los Angeles asking for fiber, WiFi, and unicorns for everyone.

Sure, what you want is technically feasible. But at what cost? "I want a fancy flying fortress for two Cracker Jacks box tops."

"I'm sorry, Dave. I'm afraid I can't do that."

1
0

Google patent: THROAT TATTOO with lie-detecting mobe microphone built-in

Brian Miller
Bronze badge

Something for politicians!

Now, if only we could get these onto the necks of politicians, I think we'd have a much better government. Of course, they might need to be tranquilized and tagged first.

3
0

Apple iPhone factory workers imprisoned in virtual slavery – report

Brian Miller
Bronze badge

OK, so what can *we* do?

Motorola is assembling its X phone in Texas. So is the next phone we buy Motorola?

I buy green coffee, and there are a variety of certifications, like "Farm Gate" or "Fair Trade." But what do we do for consumer electronics?

2
1

Dodgy Kaspersky update borks THOUSANDS of NHS computers

Brian Miller
Bronze badge

Re: What happened...

You (the system administrator) can't test it before it's applied. (Well, I couldn't do that with McAfee a dozen years back.) The definitions go out automatically, because you'd be testing those definitions every day, and the sales staff are opening dodgy attachments right now.

The real question for the various AV firms, and they've all been hit with this, is how did it escape their testing??? Shouldn't this stuff be automatic? Shouldn't the testing come up and say, "hey, this borks a normal installation," and raise a big red flag?

13
0

FACE IT: attempts to get Oz kids into IT jobs are FAILING

Brian Miller
Bronze badge

Basic education first, fairy stories, and discipline

Here's how to get children into the technical fields: read them fairy stories, and then read them more fairy stories. The imagination has to be sparked, and it has to be done at an early age. The basics of education need to be addressed, and also both a work and a play ethic have to be instilled. There are very, very few children who do this, and then retain it later, by their own nature. Mostly the education system seeks to batter down young minds, and smash everybody into the same can and label.

Another thing is discipline. A cousin of mine related to me her experiences trying to teach grade schoolers. The children were jumping up and down on the desks, totally out of control, and of course she couldn't thump them to make them behave. How do you teach discipline to children without disciplining them? Writing quality code takes discipline, and to really pursue it as a career means that you'll have to have that discipline for 50 years. It's learning and adaptation.

1
0

Lavabit bloke passes hat for open-source secure email master plan

Brian Miller
Bronze badge

Read the Ars Technica article about Lavabit's technology

Op-ed: Lavabit’s primary security claim wasn’t actually true

This actually wasn't a very secure system. I'll take a pass on Lavabit's bits.

0
0

It's the Inter-THREAT of THINGS: Lightbulb ARMY could turn on HUMANITY

Brian Miller
Bronze badge
Devil

Lightbulbs, irons, toasters, ...

Remember this one from the BBC? Russia: Hidden chips 'launch spam attacks from irons' Now you know!

The problem that it solves is a lack of spam. Even though a botnet can be used for good (Researcher sets up illegal 420,000 node botnet for IPv4 internet map), it's usually something malicious.

Now, there is already home automation that can remotely control lights. I have some. It's convenient for some things, like not having to go back to a room to turn off a light. Will everything have WiFi? Try this: if you have a phone or tablet with WiFi, take a look at all of the available connections in your surrounding area. Right now, near me, I count 11 networks. Some places I count over 20. Now, how can the light bulb be configured to connect to your network? Plus, you've secured your WiFi network. So now what, Wile E. Coyote?

Sure, you can get a new IP light bulb, put the MAC address into your router filter, flick it on and off in a sequence to activate something, and then configure it. Since it would be a PITA to do this, I can only imagine that the LED bulbs would get something like this.

Or you could imagine what you'd do with suddenly 20 Raspberry Pis in your house.

The light bulbs aren't enough! I need these on sockets, too! And they all need controller pins and ports! YES! Imagine: IP wallpaper!!! Solar paint containing microchips with self-organizing connections!

Huh? What? No, there's no problem with grey goo. None at all...

1
0

Oil execs, bankers: You'll need this 'bulletproof carbon-nanotube-built' BUSINESS SUIT

Brian Miller
Bronze badge

Pictures!

Pictures from the firing range! It's a three-piece suit, with the vest part being the ballistic vest.

However, there wasn't a video of someone wearing the suit when it was shot. From the looks of the lining, someone wearing that may not have a bullet going through them, but may still have a bullet going into them.

Search for "Bulletproof Vest Test Goes Wrong" and take a look at what happens when someone gets shot with a 9mm when wearing a conventional vest.

1
0

ZOMBIE apocalypse! The 'LIVING DEAD' are HERE – Fox News confirmed it

Brian Miller
Bronze badge

I want the video!

They had a "WATCH LIVE" video there! I want to see Homeland Security going after the zombies! (Homeland Security is good for something, isn't it?)

I suppose that Lorem Ipsum is going to be mandated from now on.

3
0

Microsoft in a TIFF over Windows, Office bug that runs code hidden in pics

Brian Miller
Bronze badge

Typical code bug, bad checks on incoming data

This isn't about standard code being embedded in the TIFF file, it's about the TIFF file being subverted so that the programs reading it will suck in the bad code, and then execute TIFF data as though it were code.

Specifically, the exploit code performs a large memory heap-spray using ActiveX controls (instead of the usual scripting) and uses hardcoded ROP gadgets to allocate executable pages.

Check out the MS links in the article about how to get around the problem for now.

0
0

Antivirus bods grilled: Do YOU turn a blind eye to government spyware?

Brian Miller
Bronze badge

Don't bang dinner gong in front of hungry code diggers

Kurt Wismer is right that it would be very bad opsec to tell someone, "don't look there." That's exactly what they'll do! And then they'll blab all about it. That's what they do, all day, day in and day out. If the NSA asked anybody to ignore some code, it would have come out long before Edward Snowden. And how many AV and wanna-be AV firms and authors are there? Everybody wants a headline, and that one would come flying out faster than the Streisand effect.

Would an AV company shut down like Lavabit and Silent Mail did? That's the real question.

0
0

Unsung DEAD WHALE EXPLODER hero, who gave the early internet a purpose, passes away

Brian Miller
Bronze badge

A note about the fellow whose car roof was flattened by ballistic whale

There was an explosives expert at hand. He told Mr. Thornton that he was not using enough dynamite to blow the whale into small bits, and the amount that he was using would send chunks all over. He was ignored, and it was his new car that got smacked with ballistic whale blubber.

3
0

IBM menaces Twitter IPO with patent infringement BOMBSHELL

Brian Miller
Bronze badge

Just shut down the USPTO

The USPTO is a bunch of buffoons. If this was done manually, would it be patentable? Really, shorthand and a ledger entry? But since it's a software patent, it's oh-so-unique to the world.

How many times can a variation on a lookup be patentable? Shorturl, bitly, tinyurl, goo.gl, mcaf.ee and others all apparently infringe on that IBM patent. Are they paying? I have no idea.

I remember when Microsoft got nailed with a patent lawsuit years back. Microsoft had bought an older patent, and implemented it. Then someone with a newer patent sued them for infringement, and won. The newer patent is infringed by the older patent? Huh?

It's broken. It's all broken, and it's killing technology. However, I can't foresee the political situation that would result in getting the mess fixed. Maybe after world-wide civilization collapses and there's no electricity to run technology. Yeah, that's when all of this will be fixed.

3
0

Anonymity is the enemy of privacy, says RSA grand fromage

Brian Miller
Bronze badge

Re: From the official NSA handbook

Paraphrase: "We have to destroy privacy in order to save it!"

To quote the guys from CarTalk: "BoooOOOoooOOOOooooGUS!! That's bogus!"

10
0

DON'T BREW THAT CUPPA! Your kettle could be a SPAMBOT

Brian Miller
Bronze badge

Looks like normal circuitry, but we do live in a surveillance age

My coffee pot has a digital timer in it, and that control for the iron doesn't look out of place. However, we are coming into the "everything is connected everywhere" age, so I wouldn't doubt for a moment that a coffee pot or an iron could have WiFi communications in it. It would need to communicate with the electric meter somehow, to let the utility know about what you were doing to need that power.

Isn't surveillance just grand? Never mind your emails, they can snoop on your coffee and ironing.

1
0

Netgear router admin hole is WIDE OPEN, but DON'T you dare go in, warns infosec bod

Brian Miller
Bronze badge
FAIL

But DARPA is going to rescue us!!

Didn't anybody check out the DARPA challenge? Yes, the future will be secure!

BWAHAHAHAHAHAHAHAHAHAHAHA!!!!

Go for it, DARPA! Fix that firmware! Yeah! It's the stinking network that's the bug!!! How do you create a work-around when the router is garbage?

DARPA says: CHECK ENGINE

Oh, all right, back to tin cans and string, and IP over pigeon.

0
0

Coding: 'suitable for exceptionally dull weirdos'

Brian Miller
Bronze badge

Don't teach it, just let it be available

Don't bother teaching it. If the young chaps want to learn it, just make it available. Have some good books.

I started learning on a Commodore PET 2001N, before I was in high school. Nobody taught me a thing, I learned it all from reading books. Yes, books, those things with real paper. That's all that's needed, just the computer and books. The kids that want to learn it will learn it, despite the best efforts made to keep them from it.

Should programming be taught to all students in the general education curricula? No. There's no point to that. It's not a mechanical skill, it does take talent, and being educated in writing software doesn't mean that someone can actually do it. There are ever so many college graduates with a big fancy degree who can't write good code!!

The only thing that should be done is set up computers and let the kids who want to learn have a go at them. "Schooling" is factory teaching, placing people on an assembly line of so-called education. At the end, everybody is supposed to be equal. Sorry, real life and real people aren't like that. Writing software takes a special knack, and that's all there is to it.

0
0

Amazon: Wow, look at this $17bn we made. Uh, oh wait, it's gone already

Brian Miller
Bronze badge

Amazon's robot minions

Well, the Kiva page does mention "robot minions."

Of course they're minions. Right up until they give you orders, you fleshy collection of bacteria!

1
0

They've taken my storage hostage ... now what?

Brian Miller
Bronze badge
Go

Backups, backups, backups!

Once upon a time, backups were taken seriously.

OK, so that was only a long, long time ago, in a galaxy far, far away. But some of us in this galaxy, on this very planet, did take it seriously. And ya know what? Backups work!

This really isn't about a trojan or virus or whatever, it's about a failure to properly back up data. Imagine for a moment that, instead of stealthy malware encrypting all it finds, utility workers outside crossed the lines, and fried everything on the circuits. Instead of 120V on the line, imagine that it was briefly touched with 480V. (That actually happened to some people I knew.) Now, instead of taunting messages, the equipment is fried to a crisp. Time to replace everything.

If proper backups have been done, then you replace the machine, grab last week's tape and last night's diff, and restore everything. Done. Or in the article's case, isolate the malware, flatten everything, and restore from tape.

Oh, did I mention tape? Yes, that's always good and needed. Funny how backup software works best with tape. Lots and lots of cheap tape, cartridge after cartridge, no problems. Backup software doesn't work so well with anything else, despite what's claimed on the package.

And that brings up something else: Keep your scanners up to date!! Enforce virus scanners for all machines in the organization. Not only the definitions, but also the engines.

Face it, they are out to get you, so it isn't paranoia, it's normal and reasonable precautions and defense.

5
0

Reply-all email lightning storm STRIKES TWICE at Cisco

Brian Miller
Bronze badge
WTF?

Why is this news?

Stuff like this happens all the time in large companies, e.g. Microsoft. Yes, it bogs things down. No, it's not a cataclysm.

To start a storm: send an email out to a distribution list.

Someone replies, "I don't want this email. Please remove me."

Someone else replies, "Me, too!"

Someone else replies, "Me, three!"

And then really stupid comments follow.

Solution: fire people who can't rationally deal with email. Also, fire the people who have flagged themselves as idiots.

6
0

DARPA slaps $2m on the bar for the ULTIMATE security bug SLAYER

Brian Miller
Bronze badge

Re: Statement of intention

Um, no, that's not it at all.

Once upon a time, like about 18 years ago, I was hired to do "software maintenance" on a product. Well, what I received was a .zip file 20Mb in size, and that was it. The product was a gateway router, running in the background on MS-DOS. 2/3 of the code was C, and 1/3 was assembly. The compiler vendor was out of business, the software had been hacked on for a decade, there were over 100 unique compilation flags (#ifdef, for memory models, code that wasn't used, and on and on), a terrible number of global variables, structures that were accessed from anywhere in the code, and the mess was absolutely not portable to either Borland or Microsoft. The source code control database was missing, and evidently the programmers weren't using it anyways because the product was compiled from many similar directories depending on what they were kind of trying to do.

I had to get everything compiling again, and fix bugs in it. And yes, I fixed every bug I could reproduce.

So when DARPA wants a tool that can handle a mess like this, I say, "Go for it, fools!"

The closest that I've seen has been from Microsoft, with the Pex tool. The tool can follow a C# program's path, map it out, and generate tests. However, it's easy to write code that Pex can't map, and so the tool becomes useless.

Here's another couple of tools from Microsoft: Stylecop and FXcop. Stylecop works on the source code, and fxcop works on the compiled code. How often are these avoided? All the time.

The problem is not the lack of tools or methodologies, it's the lack of will to write good code. Java was supposed to be a write-once-run-anywhere solution, and provide a marvelous bulwark against malicious and heinous activities by miscreants. Now, how many times have Java and .NET been patched for security holes? Does using either result in inherently secure programs? Sorry, no, try again.

4
0