346 posts • joined 14 Feb 2013
I had this with WStore once
My boss was negotiating a big deal for network hardware with them, and they seemed to be quite good by all accounts.
Next thing I know, my boss forwarded me an email he'd got: The people at WStore had been doing some internal chatting about our requests for discounts etc. and had managed to CC: him into the email. They quite plainly called him an idiot (for trying to get a discount?).
So I strung them along for weeks and then when they got shirty about wanting us to finally order, I mentioned the email. The guy on the other end went VERY quiet. And then apologised and said he understood why we wouldn't be ordering etc.
I never found out if anything more happened because from the time of the email, that company was on our purchasing blacklist.
The point of open source is not that a million people are constantly reviewing your code for free.
It's that bugs like this can be found by code inspection, by anyone. As you rightly point out, this is both a positive and a negative.
But the people who claim being open-source makes something secure are idiots. Sorry, they are. Nobody with brains REALLY thinks that. The difference is, once the problem is identified *I*, *you* or anyone else could knock up a patch in minutes and distribute it to the world. And that's pretty much what happened.
If you think that open-source = security, I'm sure you also think that being honest means people won't rob you. It's the same thing.
Re: Biased at all?
"drag your finger across it"
Sounds like a security feature to me... so you don't leave behind static fingerprints that can be Gummi-Bear'ed.
I don't believe PGP, or traditional PKE, has been cracked.
But someone REALLY wants everyone off PKE lately.
And, strangely, the alternative pushed is this new-fangled perfect-forward-secrecy (only available with Elliptic Curve from what I can see with OpenSSL), that's still new, unknown and (security-wise) basically untested.
When you think the trick is being done... it's already happened.
As far as I'm concerned, until I see a documented attack that cannot have happened any other way, I'll stick with what I know works. Call me back when EC has been in worldwide deployment for a decade or two.
Last I heard, the DVLA were debating making you tell them if you've had laser surgery as they have had a number of cases of people who've had it done and then - years later - their eyesight has deteriorated below the acceptable standard again.
I'm very short-sighted. I could just about get home on foot without my glasses but it would take forever and there's no way I could drive without them. But I don't particularly want a one-way process of grinding down my own biological lenses (that we have no way to fix), especially if it could be even slightly risky or - worse - temporary.
Sorry, but given the number of people I see every day wearing glasses, I don't think there's any reason not to carry on wearing them. There's no longer the schoolboy stigma of my generation. There's no longer only the hideous NHS designs. There are enough products to choose from (from 1-day contacts to full glasses). There's enough competition. You can even order online if you have a vaguely recent prescription.
For the moment, I'll just stick with glasses. They rarely get in the way of my life.
One thing GUARANTEED to make me steer clear of a company...
When they try to put the kibosh on negative opinions of their services.
As far as I'm concerned, an attempt to silence a complaint (rather than just respond to it, prove it's untrue, etc.) is worth at least 100 unqualified negative complaints.
What don't you want me to know so bad that you want to pursue this and spend that much money on silencing rather than, for example, just saying "We don't believe the comments on that website are true, we have a complaints process with which we're happy to deal with those concerns raised"?
And I don't really care if it IS your competitor hosting the site. So long as what is on it has a modicum of truth (if it doesn't you can sue their asses off for slander etc.), how does that make any difference? If your competitors can say enough that's true about you to make you run to the courts to get them silenced, I think I'd rather use your competitors instead of you.
Fabulously customisable, runs on Windows or Linux, ties into AD, does full inventory and really powerful scripting/rules to promote / hand-off tickets.
And, er... let's just take my scenario again.
A web server has to boot at startup. It has to read wherever you've put the key and get the PRIVATE key out of it (in order to be able to decrypt communications encrypted by the PUBLIC key that you give out to everyone and send to them as part of TLS etc.).
So then that machine, when powered on, without requiring passphrases, has enough information to boot, log in at the service account user (e.g. "httpd" or equivalent), read the keystore and get the PRIVATE key out of it.
Game over. It might be more tricky but still game over. Encryption is useless if you're storing the credentials on the same disk and you are booting from it without supplying external information (e.g. dongle, manual login, etc.). It's either storing the key in plain text or it's storing it somewhere where it can get to using no more information than is contained on its default storage devices.
And, thus, why most OSes don't try to "obfuscate" access to it, because that's just pretending to actually be secure. Fact is, if you have enough info to boot up and decrypt SSL encrypted with your private key, you have enough information that the key is effectively plain-text.
Like almost every private key in the world stored on a Linux machine for use in an Apache SSL webserver, for example?
Yep. Unless you want to type a passphrase into the machine every time it boots up. Some people do this (i.e. those who take security very seriously), some don't (i.e. those more worried about getting the PC back up and running without having to physically be in front of it every reboot than someone who might have obtained root access to the machine stealing only their private key portion of their SSL certificate which they have to have accessible for, e.g. Apache, IIS, etc. to be able to read the other side of the SSL connection anyway).
Good practice says you encrypt the whole drive. Then "storing in plaintext" is neither here nor there. But if someone has read-access to your private keys which your webserver / SSH server / mail server etc. has to have access to, then it's game-over whether they are "encrypted" or not really. And, pretty much, means you can't reboot a system remotely and have it come back up with all your services operational.
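An added illustration of the point being argued in the two posts above (this is not code from the original thread). It models three boot-disk layouts and asks what someone holding only a copy of the disk gets in each case: a plaintext key, an encrypted key whose passphrase is typed at the console, and an encrypted key whose passphrase is also stored on the disk so the box can reboot unattended. Everything here is an assumption made for the demo: the "disk" is a dict standing in for files, the private key is a random byte string standing in for a PEM file, and the wrapping is a small PBKDF2 + HMAC-SHA256 encrypt-then-MAC construction built from the standard library so it runs offline. Real deployments use OpenSSL's PEM encryption or an HSM/KMS; the lesson about where the unlock secret lives is the same.

```python
"""
Where the unlock secret lives decides whether an encrypted private key on disk
is worth anything. Illustrative only: toy keystore, toy wrapping cipher.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 100_000  # kept modest so the demo runs quickly


def _derive(passphrase: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_key(private_key: bytes, passphrase: bytes) -> bytes:
    """Encrypt-then-MAC the key under a passphrase; returns salt || nonce || ct || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def unwrap_key(blob: bytes, passphrase: bytes) -> bytes:
    """Inverse of wrap_key; raises ValueError on a wrong passphrase or tampering."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or corrupted keystore")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def attacker_with_disk_image(disk: Dict[str, bytes]) -> Optional[bytes]:
    """What someone holding only the disk contents (no console, no dongle) recovers.
    A plaintext key is read directly; an encrypted key is unwrapped if, and only
    if, the passphrase is sitting on the same disk."""
    if "server.key" in disk:
        return disk["server.key"]
    if "server.key.enc" in disk and "passphrase.txt" in disk:
        return unwrap_key(disk["server.key.enc"], disk["passphrase.txt"])
    return None  # encrypted key, unlock secret elsewhere: nothing to get offline


def build_scenarios(private_key: bytes, passphrase: bytes) -> Dict[str, Dict[str, bytes]]:
    """Construct the three boot-disk layouts discussed in the thread (assumed file names)."""
    return {
        # Plain PEM on disk: httpd reads it at boot, and so does anyone with read access.
        "plaintext": {"server.key": private_key},
        # Encrypted PEM, passphrase typed at the console on every boot.
        "passphrase_typed": {"server.key.enc": wrap_key(private_key, passphrase)},
        # Encrypted PEM, passphrase stored alongside it so the box reboots unattended.
        "passphrase_on_disk": {
            "server.key.enc": wrap_key(private_key, passphrase),
            "passphrase.txt": passphrase,
        },
    }


def leaked(private_key: bytes, passphrase: bytes) -> Dict[str, bool]:
    """Map each scenario to whether the disk image alone yields the private key."""
    return {
        name: attacker_with_disk_image(disk) == private_key
        for name, disk in build_scenarios(private_key, passphrase).items()
    }


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the server's PEM private key
    for name, exposed in leaked(key, b"correct horse battery staple").items():
        print(f"{name:20s} key recoverable from disk image: {exposed}")
```

Only the "passphrase typed at boot" layout survives an offline copy of the disk, which is exactly the trade against remote reboots that the posts describe. Anything that lets the machine unlock the key on its own (a passphrase file, a script that pipes the passphrase in, a TPM-sealed secret with no PCR policy) collapses back to the plaintext case for an attacker with root or the raw disk.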
Re: Battery boost looks cool
Oh, every mobile GPU has something similar, even earlier nVidia's.
Pretty much, it's pointless and doesn't work as advertised.
When you're plugged in, it doesn't take effect anyway.
When you're on battery, it just dims the screens, clocks down the GPU etc. It means your games run slower on battery, so most people who buy something like this - a high-end mobile GPU in a laptop - tend to want the most bang for their buck anyway; even if it only lasts 30 minutes less, they will just disable it or set minimum speeds that they know work. If you're not one of those people, then you'll suffer jerky games on switchover and while on battery quite happily anyway - which makes me question why you'd buy a high-end GPU to use while on battery in the first place.
My laptop has a 500-series mobile nVidia graphics chip. It does the same stuff. As did my previous MSI with a similar, but earlier, chip (that one even let you "overclock" the chip with a Turbo button on the machine that voided your warranty). All the battery-saving got you a handful of minutes more out of the laptop if you were using the GPU. If you weren't, then it was mostly moot anyway and just the display-dimming saved more than enough power to get you out of a tight spot.
But when you actually want to play a game, you just plug it in. Anything else is just faffing about.
Re: "They can now allow processors to work at full power"
Yeah, it can only be burst mode.
But consider that you have a lot of processors nowadays that can sit idle and then slowly ramp up with demand. That could, potentially, be limited by the power supply capabilities and you might see some power / stability problems if you ramp up too fast for the battery alone to cope with.
There, a burst-mode capacitor might come in handy, especially if you can control how long is allowed before the next state-change so the capacitor has a chance to recharge.
But, honestly, ultracapacitors are a really great idea - but we're so struggling with the practical implementation that we're desperately trying to find a middle-ground solution for the early prototypes that might a) come in handy, b) fund the rest of the ultracapacitor development. I don't think this is it.
The only time I've ever come across the ACS and such definitions was when I was applying for emigration to Australia.
Part of the visa requirement for one of the easier visas leading to permanent residency was to prove that you were an IT professional of various sorts. The criteria, definition and testing were basically set by the ACS. At the time, I didn't quite qualify but I don't remember them sounding unreasonable, and they were able to distinguish between, say, some guy doing casual IT, some guy in an IT job but nothing special and a guy who could actually go places in IT. As such, only the latter job titles were suitable for the more critical visas, and rightly so.
And the job titles weren't enough - because the ACS's definition had to be met. It didn't matter that you were called "manager" or "consultant" or "analyst", if you couldn't prove that you do the things their definitions required, as a long-term professional job, then they would not class you as that job title.
It all seemed quite sensible at the time, which is why I was double-peeved that my jobs didn't meet the definitions. Hell, I believe they even have IT tests for immigration visas given by the ACS and/or their approved international institutions. That's why I think these things exist, not just for fun.
In the end, I was granted a Working Holiday Visa anyway (I was right to the edge of their age limits for letting you in, and technically could not have scraped through if I'd applied even a week later!) and didn't exercise it due to personal circumstances.
But I never saw the problem with the ACS and having such definitions. They would have awful trouble otherwise determining quite what kind of job someone does if some spotty oik tells them that they're an IT consultant - it could be the next Facebook guy, or some kid off the street who walks into businesses in a smart suit and just tells them to buy all his gear.
Re: In a similar vein....
Although this is, indeed, correct it still does not exclude a tech journalism site from eating their own dog-food.
It would take a phone call to your host, a few grand, and a bit of tinkering to enable both IPv6 access and SSL access (at least for the login stage, blanket SSL might impact the number of servers required, etc.).
But it annoys me that The Reg, Slashdot, all these "Ha, look how stupid these people are to not enable IPv6 / SSL / SPF / Whatever already" sites never have it enabled.
If I can do it in an afternoon for my own personal dedicated server, it shouldn't take the Reg this many years of snarky comments to also enable it for themselves. Hell, it's not like IPv6 even costs money on new product - anything you have almost certainly already supports it so even a limited never-ending "beta" would show you what percentage of people are likely to use it.
And The Reg's plans to show their support for IPv6 by putting up a single AAAA record and actually bothering to enable it for a single website obviously show up BT, the national telco, for not bothering to enable it for every single one of their customers?
Rule #1: You can post a snide article about IPv6 support when your website supports it. (And, yes, mine does).
Until then, you're just adding to the problem, not leading the way towards adoption.
Re: "Apple slams shut"
Without the apostrophe.
Hint for the future:
FORCIBLY MAKE THEM change any and all passwords when you leave.
1) It leaves you with a cast-iron defence if anything does go wrong after you've walked.
2) It means that someone has to take responsibility for everything you WERE doing before you go.
3) It'll mess up their systems something chronic when they don't realise where all the passwords used to be plugged in automatically.
Did this to my last place. I don't usually leave with bad feeling but in this case I had to go or sue them for constructive dismissal, basically. For sure I wasn't going to give them an easy way to blame me for something on my way out.
They were getting shirty about my access anyway (I'm the fecking domain admin, it's worth more than my reputation to bother to do anything, and I could almost certainly have done something you wouldn't even notice if I *DID* have any kind of malicious intent), so I made them change every password. Everything. The website. The servers. The cloud providers. The domain hosts. The network switches. The phones. The CCTV system. The Microsoft VL store. Everything I'd ever touched that could, potentially, be accessible remotely. About the only thing we couldn't do was local admin passwords / local BIOS passwords etc. (which are infeasible to change and I have to be in the damn place to make any use of them anyway).
This meant that they had to get someone in to take all those passwords off me, on short notice. They had to watch me do it - even on my laptop and other machines. They had to sign off to say they'd witnessed it being done (and, because they were employed just for that, they were very careful in their scrutiny before they would sign-off). They had to take the passwords onto paper and - with them - the responsibility. They had to know that there was no excuse for not having a password for system X because I'd given them everything. Verifiably. To an independent witness. They had to know that they couldn't say I hadn't shown them something because we'd had to remove the password for everything and give them admin to it somehow.
I made them clear the admin list on the domains. I made them verify my personal hard drives had nothing work-related on them (yep - I went through every folder on a laptop that was shared work/home but was using my personal hard drive in its second slot). I made them take responsibility for every system and subsystem and be the only person with the credentials / knowledge to do that. I even made them change my voicemail password. Hell, I not only handed in my access cards and keys, I had the guy revoke all the card numbers in front of me and double-check there were no rogue accounts or other accounts associated with those cards.
So now, no matter what hits the fan there, I cannot be held responsible for it. Not even vaguely. The system I handed over is the system you got, and I have no further part in it. When something crashes the next week, nothing they can do but fix it themselves. They can't claim improper handover. And it probably cost them a bomb to have someone come in and do that with me - while still paying my wages.
And, also, all those niggly problems that I "just had" to fix before I left? Suddenly not so important compared to getting such a handover. I wasn't subjected to rubbish time-filling tasks, or handing over credentials to idiots to fix minor problems, or power-trip instructions from people who knew I was going, or anything else. They could not deny that the handover was the most important thing, especially as I was in charge of every machine - including the ones that paid wages and probably held all their secrets (I'm honest, so I never even look, but I for sure feel that a quick jaunt through their network areas would reveal an awful lot of dodginess to interested parties).
It's about liability. Let them take it. Let them forcibly and provably take it from you. Because the only outcome is that they then have all the liability while you have none.
I honestly used to look away every time our finance people typed in their passwords or authorised a smartcard bank transaction. They used to ask me why, when I had full access to everything they had - at least in theory - and had set up most of those systems. The answer was "Because I don't want to know it." It's for deniability. I can safely say that, although in theory I could have had theoretical access to anything, I never even knew their passwords (or could do anything but change them, thus arousing attention) so I could never have done anything with them.
Trust me, if you leave a workplace in bad feeling, you don't want to know these things. Force yourself to hand them - and their responsibility - over to the mug, sorry replacement, that takes over from you.
If a place is that bad that you take it upon yourself to leave, make sure every part of you leaves. Including your responsibilities towards them, and any accusations/suspicions against you. I haven't heard from my former employer since. They'd have an almost impossible task to even come up with an excuse to ring me.
Once had a "boss" (technically not my boss, but he thought he was) demand the domain admin password from me.
He'd bought a load of dictaphones that only saved in WMA (yes, seriously!)
And a piece of junk software that only loaded from MP3
And he insisted the two work together. Given that I had had no say in the purchase of either of the above, the short answer was No and the long answer only involved more O's. But he insisted. I knocked up a workaround using a piece of freeware that would convert any file saved in a particular "WMA" folder into an equivalent "MP3" folder. That wasn't enough apparently.
He was STILL phoning me several months later (after I'd left) to demand a domain admin password. Because, you know, they make these things all just kind of work no matter how possible they are.
He was (politely at first, then rudely as he disturbed me more and more about things I was no longer responsible for, while I was trying to work for a proper employer) directed to his boss, who happened to have signed off on my hand-off. This hand-off included two identical copies of a disc containing all possible information about the system - including passwords - and warned them only to give it to people who were taking on my responsibilities AND NOT this guy that was bugging me. Oh, and to store one in a separate safe place like... well.. a safe.
This guy knew nothing of the discs, though, nothing of the handover, nothing at all until I mentioned them - but was STILL ringing me weeks later demanding I give him domain administrator passwords that his boss was obviously in possession of (and his boss and I got on quite well, so they could have rung up personally if they'd lost them or something). In the end I had to just be rude and tell him to speak to his own boss about why he hadn't been given the passwords direct rather than hassling me. Eventually the calls stopped. I don't even care if he got the password, but I very much doubt that he did.
All because he was too stupid to check compatibility first. And thought that an admin password was the be-all-and-end-all of making things work.
"Free" is not free if I have to put in a credit card number at any point.
I keep considering signing up for one of these services. And the Amazon idea is tempting. They just don't give me anywhere near enough information to go on. What precisely do they have or not have? What are they going to have / not have in the future?
And, to be honest, I'm not sure I'd get my money's worth anyway. I'm sure Netflix, Lovefilm et al are great. I'm sure 20 years ago I would have killed for them. But my personal preferences now are actually for old junk that I've seen a million times. Apart from a series once every few years, I don't actually watch new content. I haven't been to the cinema in years.
I'd rather catch an episode and then, if I enjoy it, just buy the boxset of every episode ever made. It's just easier, cheaper, less hassle. The beauty of on-demand stuff is really that I don't have to wait for something to pop up and trial it, and that I can just leave it until all the series are out on DVD and then "trial" it - at my convenience - long enough to see if it's worth buying every episode of it. You used to have to wait for scheduled runs, etc. to do that, and sit through tons of other junk.
To be honest, I'd much rather pay TheBigBangTheory.com for the rights to watch every episode myself, than subscribe to one of these kinds of services. I'm just not sure I'd ever get my money's worth and I'd much rather the people who made the programmes got more of my money than the people who sell on other people's stuff, or the guy who prints out a fancy DVD cover.
Someone really needs to get a popular show like that (seems perfect, given the geek-based audience) and then - after a successful series run - just make and sell the episodes direct to the public without all the middle-men.
But if the product is just access to a handful of films that are lingering between cinema and DVD releases anyway, and some "boxsets" that eat into my data allowances and can't really be viewed offline, I can't see that it's worthwhile.
What am I missing people?
No, they can't.
You know why? If you don't get the job but the guy who handed over his password does? You talk to the Department for Work & Pensions. It is ILLEGAL to discriminate over the fact that you WOULD NOT break the law. Hence, read my extended threat properly.
You'd probably get more out of them by reporting them than you'd have earned in the first year on the job. This is when the compensation culture / settling out of court works FOR you.
I'm sure the guy who works 100 hours a week, doesn't report missing/broken safety gear, allows his employer to beat him, and gets paid once a year only when they have cash is also "happy" for his job. It doesn't make it any less illegal - or sensible - to hand over personal passwords against legally-binding contracts you have agreed to.
And you have to think what this reflects - this reflects on YOU (I'd happily use this question as a test in an interview for, say, an IT Manager to see whether they will happily breach the DPA just because you asked them to), and on your employer - they obviously don't give a damn about you breaking the law so long as you do what they tell you to.
There are some employers you just DO NOT want to work for. "Just because I need the job" will not excuse any and all evil, no matter the legality. And pulling out the "I need the job" card is the stupidest thing ever. "I worked down a mine that I knew was collapsing because I needed the job"... sorry, no sympathy.
Jobs are important. Money is important. But the courts suing your ass off will hurt you more in the long run, and working for an employer who is NOT BREAKING THE LAW is much more important if you want any kind of job security. Don't let it be you taking the fall, but your employer.
(Hint: I'm currently temping BECAUSE I walked from a former employer who put undue demands on me and had no interest in the legality of actions I was asked to perform / my job / welfare requirements / etc. Since then, it's been revealed that they are doing everything from falsifying disciplinary meeting minutes - for other staff, not me, they knew better than to try to take it that far as I was on the verge of suing for constructive dismissal anyway - to misreporting finances, to expecting me to casually break the DPA, to wondering why I don't subject myself to physical harm in order to do a job I'm not trained to do. I walked. I got another job. It starts in April. I'll suffer the less-employment in the meantime in order not to work for an employer performing potentially ILLEGAL activities and expecting me - and other employees who have also fled / threatened lawsuits - to collude and/or take the fall when independent auditors come knocking.)
Sorry, but I'd sack your partner. She just breached a legal agreement in order to provide access to her employer (something which is established in law that you cannot be forced to do).
If she works for some security-sensitive area (about the only excuse I can think of), then it's still unnecessary - they could have just sent a request to Facebook etc. themselves.
The correct response is "Sod off". Followed by, possibly "I will not breach a binding legal contract in order to provide you with a sensitive password that accesses my personal information in breach of the Data Protection Act just because you say I must. And if you ask me, or anyone else in this interview process, that question again I will be reporting you to the Department of Work & Pensions. But, of course, you're only doing it as a test to check that I understand Data Protection laws and the legal effects of contracts, aren't you?"
Wow, so changing your username wipes out your badge?
Have been here since "before our records began" by the way... :-)
How come I have only Bronze (a few days ago) but:
In total, your 1531 public posts have been upvoted 6926 times and downvoted 1708 times.
Shouldn't I have been Silver almost immediately upon meeting the criteria for Bronze?
I have to say that I'm happier putting my trust in VMware. VMware has one, clearly defined, purpose. Hyper-V is, from what I've seen of it, an MS bolt-on to the OS to try to catch up (and then farmed out as a separate product by trying to remove the rest of the visible parts of the Windows system from the hypervisor).
I've seen several corrupt Hyper-V configs. They seem to be quite easy to make happen, completely by accident, where you can get hypervisors with supposed VM-failover to other hypervisors which never actually happens. And you get things like multiple instances of a particular VM running on multiple (or even the same!) hypervisor quite easily when they shouldn't be, which jams things up. The fixes for the problems I saw were basically to go into an XML file on the hypervisors and wipe things out manually and then re-run the VMs, which isn't confidence-inspiring.
Not to mention that some requirements basically mean that the version of hypervisor you use is determined by - and a determinant of - what you intend to run inside it. Simple things like expanding a VM disk stored on your SAN can get quite complicated quite quickly. And simple things like being able to share drives between VMs didn't come along until much later (Server 2012-only, I believe).
I can't say I'm that impressed by what I've seen of Hyper-V. It seems to be a little bit flaky and a bodge and I wouldn't trust it not to fall over. And that's not what you want in something designed to provide higher-availability (wouldn't go so far as to claim HA with Hyper-V) through the use of VMs.
Then, from what I've read, simple things like USB passthrough, audio, disc burning, etc. either aren't present or just don't work as they should. Yeah, sure, they are more desktop-oriented features but it's still a bit of a killer when other competitors have supported such things for a while.
I'm sure it's handy because it's built-in to Windows Server. I'm sure it's good enough for a lot of purposes. But it makes me worry enough that I'd just find other software - software designed to do nothing BUT this kind of thing - if I had a pressing need to do it.
Re: Yes indeedy
I'm a mathematician, but this is based on a quick reading of this article alone so may be complete rubbish:
Imagine an endless list of random pluses and minuses.
Take any section of that list, or say every other symbol, or whatever kind of pattern you like from it. This gives you another list of pluses or minuses that you've plucked from the original list.
Work out whether you have more pluses than minuses in that or the other way around (or maybe an even number of both?). The difference is called the "discrepancy". A discrepancy of zero means there's the same number of pluses and minuses.
Using your (carefully-chosen) shorter list, and the discrepancy, you could then tell whether, for example, most of the pluses are in the beginning of your original list, or whether your list alternates between pluses and minuses, or whether it has a long run of pluses followed by a short run of minuses or whatever pattern you're looking for, just by looking at your short list extracted by a certain clever pattern. You can tell things about the infinite list just by carefully choosing the rule you use to extract the shorter list.
To translate the sentence: "For any sequence, Paul Erdős believed, you could find a finite sub-sequence that summed to a number bigger than any you could choose – but he couldn't prove it."
What I think he's saying is, you can always find a smaller list inside that infinite list that - if you choose it carefully - has a discrepancy (i.e. more pluses or minuses) bigger than the original infinite list. So you could always "fudge" the numbers by misrepresenting the larger list with a carefully-chosen pattern.
But, to be honest, it's not entirely clear and probably a LOT more complicated than even the article makes out.
And I'd be hard-pushed to come up with something practical out of it (though I'm sure there would be - this is the sort of maths that sits behind things like coding theory and, thus, sending messages, compression, error-correction, RAID, etc.)
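An added worked example of the "discrepancy" idea described in the post above (not code from the original post or the article). It assumes the specific extraction rule used in the Erdős discrepancy problem: for a step d, take every d-th symbol from the start (positions d, 2d, 3d, ...) and keep a running total, with + counting as +1 and - as -1. The discrepancy of a finite sequence is then the largest |running total| over every step and every prefix length. A small backtracking search finds the longest sequence that keeps its discrepancy at or below a chosen bound, which is the finite version of the question in the article.

```python
"""
Discrepancy of a +/-1 sequence over the sub-sequences d, 2d, 3d, ... and a
search for the longest sequence whose discrepancy stays within a bound.
"""
from typing import List, Tuple


def discrepancy(seq: List[int]) -> int:
    """Largest |x_d + x_2d + ... + x_kd| over all steps d >= 1 and prefix lengths k.
    Positions are 1-based in the maths, so position i is seq[i - 1]."""
    n = len(seq)
    worst = 0
    for d in range(1, n + 1):
        total = 0
        for pos in range(d, n + 1, d):
            total += seq[pos - 1]
            worst = max(worst, abs(total))
    return worst


def _extend(prefix: List[int], bound: int, limit: int, best: List[List[int]]) -> None:
    """Depth-first search: append +1 or -1 while the discrepancy stays <= bound.
    Pruning is sound because adding terms never shrinks a partial sum that already
    exists, so a prefix over the bound can never be rescued by extending it."""
    if len(prefix) > len(best[0]):
        best[0] = list(prefix)
    if len(prefix) == limit:
        return
    for x in (1, -1):
        prefix.append(x)
        if discrepancy(prefix) <= bound:
            _extend(prefix, bound, limit, best)
        prefix.pop()


def longest_with_discrepancy(bound: int, limit: int) -> Tuple[int, List[int]]:
    """Length and one witness of the longest +/-1 sequence of at most `limit` terms
    whose discrepancy never exceeds `bound`."""
    best: List[List[int]] = [[]]
    _extend([], bound, limit, best)
    return len(best[0]), best[0]


def as_symbols(seq: List[int]) -> str:
    """Render a sequence in the post's plus/minus notation."""
    return "".join("+" if x > 0 else "-" for x in seq)


if __name__ == "__main__":
    # A constructed 11-term sequence: every step-d running total stays within +/-1.
    sample = [1, -1, -1, 1, -1, 1, 1, -1, -1, 1, -1]
    print(as_symbols(sample), "has discrepancy", discrepancy(sample))
    length, witness = longest_with_discrepancy(bound=1, limit=20)
    print("longest sequence keeping discrepancy <= 1:", length, as_symbols(witness))
```

Running the search with bound 1 stops at length 11: every 12-term sequence is forced over the bound by the combination of the d = 1, 2, 3, 4 and 6 sub-sequences, which is the finite flavour of what the article is describing. Raising the bound makes the search space explode quickly, so the `limit` argument is there to keep the demo bounded rather than to suggest the method scales.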
Stop being shocked and do something about it.
It's ALWAYS been a con, in the modern IP-based world. There's no reason at all that roaming even exists except to profiteer. Hell, most of the companies that charge you are foreign arms of the company you have a contract with anyway. And most of them are foreign-owned!
So of course people just switch it off. When it's cheaper to BUY ANOTHER PHONE in another country, use foreign SIMs and get the same service, then you have the ridiculous situation of wastage and having to "con" the cellular providers in order to get sensible prices. It should not be cheaper for me to buy a SIM card from a third-party company and use it on a foreign network - with my own damn phone - than it is to take my existing phone and phone/text the same damn numbers.
And when we talk Internet data, it's EVEN MORE ridiculous. Why does it cost more for me to use a French / Italian / Spanish data connection with an English contract phone than it does an English one? Sorry, it's all just packets - like SMS is nowadays too no doubt. (If they haven't worked out a way to transmit SMS as nothing more than a low-priority data packet on an IP backbone, converting to GSM at either end as necessary, then they really are just mugging us off).
We'll pay stupidly-high prices until some legislation kicks in and then we'll find that it's always been possible to pay much more sensible, homogeneous prices across Europe AND for the cellular companies to still make billions in profit so they can spend stupid amounts of money on 4G packages that they then sell with 1G data allowances still.
Of course we all just switch our phones off, buy another SIM in the airport or - like my Italian girlfriend - have a UK phone and another phone from the other country. She actually just takes both when we go abroad, and saves money by keeping both contracts open. How is that even possible, logically speaking? Most of her money actually goes to third-party international call routers, and Skype, and the cellular companies could be having that money instead if only they stopped DELIBERATELY TRYING TO CON US.
Don't block Skype on your 3G contracts - just make it so that I don't need to fecking use it. All you do is annoy me, go against the entire purpose of me having your service, and make me spend money with OTHER COMPANIES. Of course that hurts consumers, the cellular providers themselves (through their own stupidity, though, so who cares?) and small outfits trying to fight the traditions of the big incumbents.
To be honest, when abroad, I take my phone as an entertainment device. It's a small tablet that I can join to Wifi and Skype home, read anything critical on email, play games on the plane, etc. I don't think I've ever made a phone call to/from a foreign country using a mobile. Again, it's cheaper for my girlfriend's family in Italy to use our landline (bundled with our TV contract, that we NEVER otherwise use) to phone us from Italy / phone home when they are here, and the same on their side of the continent. That's a ludicrous state of affairs.
But, to be honest, by the time anything happens, it'll have little impact if this is really their planned timetable for fixing the problem. By the time you actually get to the point of having approval and being able to fix the problem, we'll all have been avoiding roaming for so long that we'll never trust it and will probably be using some other technology / substitute instead.
Hell, I know people who'd rather pay WhatsApp instead of pay for a single international text. And I can't really blame them.
Too little, too late. If you'd mentioned this TEN YEARS AGO then maybe I'd think you actually meant it and/or could do something to fix it that might be useful to me.
Only if we let it.
Surely, that's the whole point of the open software / hardware movement? It's hardly a new thing.
Gimme a PC whose BIOS is open and Linux installed any day. It's just that we're not really there yet and people are prepared to sell out a percentage of their property to someone else. One large incident and it could easily turn around the other way and we'll need something to replace all this stuff with.
This is something I've not seen before.
Although there is an obvious security issue here (i.e. if someone can pretend to be that C&C IP address / domain then they can easily take out PCs with CompuTrace enabled with a remote-root exploit as simple as replacing the .exe they try to download), the biggest problem to me?
The BIOS tries to insert an executable into Windows internals, in place of an existing executable. This just SCREAMS potential problem with Windows updates that affect that file, Windows integrity checks, 32/64-bit (and newer similar technology) issues, forensics issues, and just the potential to blue-screen thousands of machines with NO HOPE of adequately repairing them without upgrading the firmware if they make a simple mistake or assumption.
I mean, just imagine if Windows 8.2 / 9 has a different file in the place of the one they replace, that does slightly more/less than the one they hijack? That could spell disaster. And do you have a way to turn off that BIOS function that is MODIFYING YOUR FILESYSTEM (probably without due regard for non-standard configurations)? In work, I once had an AMI BIOS for two models of laptop that refused to boot if the byte at a certain offset on the first partition wasn't zero - which makes your computer useless if you want to boot Linux, not use NTFS with that particular assumption intact (so good luck for the next NTFS version) and/or encrypt the filesystem. I had to fight to get an updated BIOS, which had "Alpha" and "DO NOT USE" written all over it. No, you can't turn it off because it's a "security feature".
Sorry, they can play it down as much as they like but a BIOS should NOT be modifying the filesystem. Ever. At all. Certainly not to interfere with a particular Windows executable, insert itself at startup and/or provide SYSTEM access to a download that it grabs off the Internet or out of a BIOS that doesn't get updated for years at a time.
Reason enough that I'm glad that I've NEVER activated such security functions.
Re: GPS in smartphones
"Show me a 20 year old protocol that isn't."
But that's really the exception to the rule.
I'd rather have NMEA as then it DOESN'T MATTER to the majority of programs that use it (including things like gpsd which even Android etc. smartphones use internally). They don't need to "know" about Galileo. They just need a standard, old-fashioned NMEA sentence, same as they always used.
The cost for backward compatibility is clunky protocols, basically. But there's nothing particularly "wrong" with asking for backward compatibility with NMEA sentences from new location devices. So long as we don't hit an unsurpassable "limit" on the accuracy we can convey (alright, we might have to stick in a new sentence or two, in a way that old GPS-only software will just ignore, but still be able to read "normal" NMEA accuracy), there's nothing wrong with saving having to rewrite dozens of pieces of perfectly working software.
Think of it not as a replacement, but a redundant backup and complement to existing systems.
You can use GPS *AND* Galileo. This will provide more accurate data, an immunity to a single "GPS blocker" (for those idiots who are getting arrested after they interfere with airport landing GPS because they want to bunk off of work), quicker lock-on times (fastest-satellite-first), etc. And the more sats you put up - of any system - the better generally supported devices will get.
There's also a ton more commercial service in Galileo that people are crying out for, which is the real reason it exists, but even the basic consumer with an iPhone 6 or Galaxy S6 should be benefiting from the arrangement.
And, yes, it stops the US - in theory - holding the world to ransom if it wanted to. When people whine about ICANN, the NSA, etc., just apply the same logic to the GPS constellation and see where it leads. And that's without even assuming that the US could - one day in the future - see some of the new European states as "hostile".
Just give me an Android phone, or even a Bluetooth serial GPS device, that speaks NMEA sentences and can get fixes from GPS, GLONASS, Galileo or as many similar services as possible and I'll be a happy man.
Hell, I'd have it if it saved me a second on first lock, or it gave me a second longer in between high-rise buildings, and locked down my accuracy by a meter or so and the devices were not much more expensive than existing GPS-only devices. Those alone would aid my sat-nav apps in making sure I'm on the right road at the right time as much as possible, enough to justify an upgrade or additional purchase.
And I just put a GPS tracker on my car. I'd happily pay twice the price for it to use every satellite imaginable and/or every cellular network possible in order to make sure that if some git steals it that I stand a slightly better chance at noticing / recovering it.
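The NMEA point made above (old software only needs the standard sentences and can ignore what it does not understand, as long as it checks the checksum first) is easy to show in code. The following parser is an added example and is not from the original post, gpsd or Android; the sample sentences are constructed, and the talker IDs GP (GPS), GL (GLONASS), GA (Galileo) and GN (combined fix) are the standard NMEA 0183 ones.

```python
"""Minimal NMEA 0183 parser: validate the checksum, read GGA fixes,
ignore sentence types or talkers it has never seen.

Added example, not code from the original post. The sample stream at the
bottom is constructed for the offline run.
"""
import re

# Talker IDs: GP = GPS, GL = GLONASS, GA = Galileo, GN = combined multi-GNSS fix.
KNOWN_TALKERS = {"GP", "GL", "GA", "GN"}

# $<talker><type>,<fields>*<hex checksum>
_SENTENCE_RE = re.compile(r"^\$([A-Z]{2})([A-Z]{3}),(.*)\*([0-9A-Fa-f]{2})\s*$")


def nmea_checksum(payload: str) -> int:
    """XOR of every byte between '$' and '*' (exclusive)."""
    x = 0
    for ch in payload:
        x ^= ord(ch)
    return x


def _to_degrees(value: str, hemisphere: str) -> float:
    """Convert ddmm.mmmm / dddmm.mmmm plus N/S/E/W into signed decimal degrees."""
    head, minutes = value.split(".")
    deg = int(head[:-2])
    mins = float(head[-2:] + "." + minutes)
    result = deg + mins / 60.0
    return -result if hemisphere in ("S", "W") else result


def parse_sentence(line: str):
    """Return a dict for a GGA fix, None for any sentence we choose to ignore.

    Raises ValueError on bad framing or a bad checksum: a corrupted
    sentence must never be mistaken for merely an unknown one.
    """
    m = _SENTENCE_RE.match(line)
    if not m:
        raise ValueError("not a framed NMEA sentence: %r" % line)
    talker, kind, body, given = m.groups()
    if nmea_checksum(talker + kind + "," + body) != int(given, 16):
        raise ValueError("bad checksum on %r" % line)
    if talker not in KNOWN_TALKERS or kind != "GGA":
        return None  # unknown talker or sentence type: skip it, do not fail
    f = body.split(",")
    # GGA fields: time,lat,N/S,lon,E/W,quality,nsats,hdop,alt,M,geoid,M,age,station
    if len(f) < 9 or f[5] == "0" or not f[1] or not f[3]:
        return None  # sentence present but no fix yet
    return {
        "talker": talker,
        "time": f[0],
        "lat": _to_degrees(f[1], f[2]),
        "lon": _to_degrees(f[3], f[4]),
        "quality": int(f[5]),
        "sats": int(f[6]),
        "hdop": float(f[7]),
        "alt_m": float(f[8]),
    }


def fixes_from_stream(lines):
    """Collect parsed fixes from a stream; unknown sentences are skipped,
    corrupt ones are dropped and counted."""
    good, bad = [], 0
    for line in lines:
        try:
            fix = parse_sentence(line)
        except ValueError:
            bad += 1
            continue
        if fix is not None:
            good.append(fix)
    return good, bad


# Constructed sample stream: a GPS-only GGA, the same fix from a
# multi-constellation receiver under the GN talker, a Galileo text sentence
# an old program has never heard of, and a copy with one flipped digit.
SAMPLE_STREAM = [
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    "$GNGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*59",
    "$GATXT,01,01,02,test*4A",
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.5,M,46.9,M,,*47",
]

if __name__ == "__main__":
    fixes, corrupt = fixes_from_stream(SAMPLE_STREAM)
    for fx in fixes:
        print(fx)
    print("corrupt sentences dropped:", corrupt)
```

The GP and GN sentences decode to the same position, the GATXT sentence is skipped without an error, and the sentence whose body no longer matches its checksum is dropped rather than fed to the application as a position.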
Re: And of course...
Er... I think you'll find they both do since the introduction of Chip & PIN when the liabilities clauses were changed.
There were millions of those games.
The first was something like War or Tank or something but there really are millions of them around.
I've never seen them in school officially, the kids get bored once it's no longer about "coding" and instead about game theory and there's a load of nonsense about violence etc. spouted when you try to mention them.
Fact is, it's just Logo, which is taught in schools. Left, right, forward, pen up, pen down, and everything else is a programming abstraction to make those functions actually do stuff (e.g. loops, variables, etc. so it draws repeated circles a certain number of times). Had those floor turtles when I was at school, I have no reason to doubt they came about as a "non-violent" way of doing the Tank game in schools. Drawing a race course on a piece of paper and programming the turtle to navigate it was standard fare when I was a kid and half-decent schools still do similar (maybe in a virtual way).
The problem is that that's called "control" in school, not really programming (think industrial control). Programming is the abstract logic behind what you're trying to do. The loops, the conditions, the patterns. That's NOT delved into in any kind of way. That's what's needed to "win" at the tank game. But that's NOT what is taught.
Hell, I've seen private schools struggle to teach Logo. We have bigger problems because telling a computer what to do is NOT programming, but that's what curricula and teachers think it is.
You will not hear the words "loop invariant" (or even an equivalent phrase to explain the concept) in a secondary school programming class. Programming in schools is about giving orders, not making the computer "think".
What I find especially annoying?
I taught a kid to "code" (i.e. actually program, in a real language) in an afternoon. The next day he came back with a game he wrote.
A 15-year-old who was primarily interested in business, not IT, comes to me for two weeks of work experience, spends most of the time changing toner and stuff like that, and learns a language in an afternoon (because it was quiet and I had to do something with him), enough to go home and code a game overnight.
Thus, there is NO excuse why teachers can't code. Nor why the people pushing for coding shouldn't be able to code. Nor why we should HAVE to push coding in the first place (rather than it just being a normal part of the IT curriculum).
Coding is not hard. But the more you talk about it, and the less you MAKE PEOPLE DO IT, by putting it into the curriculum and hiring people worthy of teaching themselves it so they can teach kids it (which is what ALL your damn teachers should be doing, not crying about not having training or it being hard to teach what they were not taught), the fewer coders we'll have.
Which is fine by me. I'm able to code whatever I like, basically, and if it really becomes a rare skill it can only benefit myself (after working in a multitude of schools for 15 years - primary, secondary, sixth form, private and state - I have met one former COBOL programmer turned maths teacher, one guy who could tinker in Pascal, one former network manager / C programmer turned ICT teacher, a multitude of people who think that LT and RT in Logo is the epitome of programming and must be how Microsoft wrote Windows (the latter an opinion it's tempting to share) and THAT IS IT).
My daughter, though - teach her some damn coding or I'll do it my damn self.
Re: Virgin "Super" hub
Never had a problem.
Hell, the same wireless router has followed me for nearly ten years now. I haven't had to change the config of a single PC even when I've moved house / moved ISP / moved from cabled to wireless to power-line. All my port-forwards still there and working, all the usual junk turned off.
Did the same at work. We were so annoyed by BT's business hubs that we bought our own ADSL modems and just did it the old fashioned way. Even load-balancing two connections was easier than peeing about with their kit. Eventually went leased-line with Virgin, though, as demand grew. But still (to my knowledge) have the same PC sitting behind that connection providing the REAL firewall / NAT / etc. setup.
As far as I've ever heard, that's basically how all software houses operated in the 80's (and may still do).
Write/buy games, sell them off, spend money on your bonuses, declare yourself bankrupt, flog off the kit, sell off the developers, start a new company, hire the same developers (at less money), buy up the kit (and now don't have to pay those royalties to anyone because you're a different company).
Throw in some company director changes and paperwork shenanigans and it was (apparently) above-board. But from what I read in the 80's to how those places got bought up in the modern age, it's always been the same.
For once, we don't have to explain to MPs/MEPs why this sort of thing is important, or push them to do it, or remind them that commercial services are not the end-all of consumer-provision.
I don't object to someone paying for, say, an internal Netflix that doesn't count towards their traffic limit. I do object to having my service degraded because I refuse to pay extra for it, though.
For once, politicians appear to have hit the nail on the head, and their wording seems quite useful, relevant, and wide-ranging.
Well, Steam has never been "against" Linux as such. Even in the early days, they said that it was something they wanted to do but couldn't. Steam for Linux is, undoubtedly, a success. The problem is the percentage of large studios offering games but Steam stepped up to the plate and has offered Steam for Linux for quite a while now. And it works just the same. It works well. And their converted games work as best they can. They didn't just wait until the chicken-and-egg situation could resolve itself, they pushed it and then sat staring at the game developers saying "Go on, then". Same for Steambox.
This move I don't find surprising from Valve. They care about their software platform, not what hardware or OS you run it on. If they can sell you a game (or, now, software) on any platform, they can make money. Valve has never said "No" when asked in the past, only "We're trying".
And a Steam subscription to games that they are selling millions of units of is a drop in the ocean compared to the PR from the news of doing so, and the support of a community rallying behind them to champion their product.
Think of this - in a year's time, with SteamBox, Steam on Linux, and a year of Debian developers able to hack on the software, break it, update drivers, etc. alongside Steam... what will be the buying-base for something like, say, Half-Life 3? More or less than if they didn't?
I don't get why people are surprised by this. It's a sensible move by a sensible company.
I work in IT, in schools.
I'll be surprised if much changes "on the floor". Not because they are already doing it, but because most teachers can't code (I've met some maths teachers who could do more in FORTRAN and COBOL than the IT guys could in ANY language, and one former-C-programmer who went from network management to teaching, but that's about it).
And the reason I didn't go into teaching when I got my Maths & IT degree is purely because teaching is a horrible profession. The paperwork is immense. The discipline comes hard because most things aren't allowed. You spend most of your life as babysitter and social worker, not teaching.
Back in the "old days", I'd have liked being a teacher, and a teacher of IT. But back in those days I was taught BASIC in primary school / first year of secondary, and other languages by the time I was 16 anyway. Officially. In Computer Science lessons. And we weren't allowed to get away with claiming that word-processing something was "computer science", more than just using a computer as a basic tool. Hell, I was offered desktop publishing courses in sixth form and all sorts. By the time I hit university, the entire year of "Introduction to Programming" in Java that was mandatory was a yawn-fest and I skipped it and just handed in the assignments by email without even going to the lectures.
What we teach now isn't computer science. But a lot of teachers are convinced that they are computer science teachers when they teach that. They are in for a shock, as is any IT professional that goes into teaching. It's just not going to work.
(As some examples, I met an "e-Learning Co-ordinator" who thought a VLE was having some Android tablets in the classroom, lots of people who called the desktop chassis "the hard drive", another in a private school who thought that macros were "too hard" for primary-age kids to learn when other state primary schools had 11 year olds writing games using them, and many who thought that Logo was the pinnacle of programming experience).
As such, I wish any IT pro going into schools luck. And any IT teacher who thinks they can just go on a course (ECDL is the usual waste-of-time of preference) and learn all this stuff too.
Thought it was a competition.
Turned out to be an advert.
Stop wasting your money sponsoring a football stadium, Reg.
Never heard of openntpproject.org but I imagine pool.ntp.org really need to warn their server-hosts (of which I am one).
I'm pretty sure that with noquery, though, you can't do this in the first place but I never use the monitor lists either, so better safe than sorry.
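The check a pool.ntp.org host would want after reading the two posts above is whether their own ntpd still answers the mode-7 "monlist" query that openntpproject.org scans for. The probe below is an added example, not code from the original post, ntpd or openntpproject.org; the packet layout follows ntpd's private mode-7 format (implementation 3, request code 42 for MON_GETLIST_1, 72-byte entries), and the reply bytes used for the offline run are constructed, including the assumption that a refusal carries a non-zero error field.

```python
"""Build and interpret an NTP mode-7 MON_GETLIST_1 ("monlist") probe.

Added example, not ntpd's own code. Run it only against a server you are
responsible for. With 'restrict default ... noquery' in ntp.conf the
server should not answer at all; with 'disable monitor' it has no list
to return. SAMPLE_OPEN and SAMPLE_REFUSED are constructed replies.
"""
import socket
import struct
import sys

IMPL_XNTPD = 3            # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42    # request code 0x2a, the classic amplification query
MONLIST_ENTRY_SIZE = 72   # bytes per entry in a MON_GETLIST_1 reply


def build_monlist_probe() -> bytes:
    """8-byte request: version 2, mode 7, impl 3, req 42, no items."""
    rm_vn_mode = (0 << 7) | (0 << 6) | (2 << 3) | 7   # R=0, M=0, VN=2, mode=7
    auth_seq = 0                                      # no auth, sequence 0
    header = struct.pack("!BBBB", rm_vn_mode, auth_seq, IMPL_XNTPD, REQ_MON_GETLIST_1)
    return header + struct.pack("!HH", 0, 0)          # err/nitems, mbz/size


def parse_mode7(data: bytes) -> dict:
    """Decode the 8-byte mode-7 header; raise ValueError for anything else."""
    if len(data) < 8:
        raise ValueError("too short for a mode-7 header")
    b0, _seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if b0 & 0x07 != 7:
        raise ValueError("not a mode-7 packet (mode=%d)" % (b0 & 7))
    return {
        "response": bool(b0 & 0x80),   # R bit: this is a reply
        "more": bool(b0 & 0x40),       # M bit: more packets follow
        "version": (b0 >> 3) & 0x07,
        "impl": impl,
        "request": req,
        "error": err_nitems >> 12,     # high 4 bits: error code, 0 = OK
        "nitems": err_nitems & 0x0FFF, # low 12 bits: entries in this packet
        "item_size": mbz_size & 0x0FFF,
        "payload": data[8:],
    }


def classify_reply(data: bytes) -> str:
    """'open' if the reply carries monlist entries (the server is usable as
    an amplifier), 'refused' if it answered with an error, 'other' otherwise."""
    try:
        hdr = parse_mode7(data)
    except ValueError:
        return "other"
    if not hdr["response"] or hdr["request"] != REQ_MON_GETLIST_1:
        return "other"
    if hdr["error"] != 0:
        return "refused"
    if hdr["nitems"] > 0 and hdr["item_size"] == MONLIST_ENTRY_SIZE:
        return "open"
    return "other"


def probe(host: str, port: int = 123, timeout: float = 2.0) -> str:
    """Send one probe and classify the first reply; 'silent' is what noquery
    (or a firewall) produces and is the result a pool host wants to see."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_monlist_probe(), (host, port))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "silent"
    finally:
        s.close()
    return classify_reply(data)


# Constructed replies. R=1, M=0, VN=2, mode 7 -> first byte 0x97.
# "open": one zeroed 72-byte entry (a real reply packs six per packet).
SAMPLE_OPEN = (bytes([0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1])
               + struct.pack("!HH", 1, MONLIST_ENTRY_SIZE)
               + bytes(MONLIST_ENTRY_SIZE))
# "refused": error code 4 in the high nibble, no items (assumed layout).
SAMPLE_REFUSED = (bytes([0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1])
                  + struct.pack("!HH", 4 << 12, 0))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("probe bytes:", build_monlist_probe().hex())
    print("constructed open reply  ->", classify_reply(SAMPLE_OPEN))
    print("constructed refused reply ->", classify_reply(SAMPLE_REFUSED))
    print(target, "->", probe(target))
```

A host that reports "open" should add `noquery` to its default `restrict` line (for example `restrict default kod nomodify notrap nopeer noquery`) or `disable monitor`, then re-run the probe and expect "silent" or "refused".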
As I've stated on these forums many a time.
Let's assume, no matter what, that you're right.
What the hell would you like us to do about it?
Re: Sign me up!!
"Is Bitcoin a high risk investment or a currency?"
It's a high-risk investment in a pseudo-currency. But that very much depends on what definition of currency you use, of course.
But I'm yet to actually discover a way in which investing in Bitcoin is any worse than what people are encouraged to do in terms of investing in specific companies, currencies, stocks, products, or futures when they start to delve into it.
Blinkered hatred for Bitcoin is fine. Maybe it's not a panacea. But quite what people have against it, especially when those same people won't touch the thing themselves, I haven't worked out. Are you warning *us* against it, trying to convince yourself, or just trying to make sure that your investment in it isn't watered down or discovered by others by spreading FUD?
Re: Sign me up!!
Does your workplace issue share-incentives?
The software "in beta"? Sorry, we're talking about a Google "beta" at best. And nobody says you have to use the official client. That's just nonsense to even bring up, based on the version number.
The only part you get sort-of-right is "unregulated". But then it turned out that even with regulation, even your Christmas hamper wasn't a safe bet either.
Personally, I bought some Bitcoin about six months ago, just as a test. They are cashable now, today, for five times the value I paid. They haven't dipped below 4-times the value from what I can see. If you're that way inclined, I'd rather spend £25 a month on Bitcoin than be in the work lottery syndicate, for example. And if I were able to easily buy them, I probably would put some money on them every month - like I do my Steam account, my National Lottery account, etc.
Nobody's forcing you, but I'd actually rather have that than any kind of "gym membership"-style incentive.
It's like mystery day today. Can someone explain to me the reasoning behind:
"The phone lines were flooded and it crashed the phone network."
So, the devices specifically designed to answer calls somehow "crashed" when... answering calls.
I can imagine phone lines becoming "busy", I can get them going down because of a power failure (as nobody uses the line power to power the phones any more, but even then - UPS?). But I don't get the excuse that something "crashed" because you asked it to do its job.
It's not like it was madly trying to perform the impossible and overflowed its "calls in progress" integer stored in a byte or something. It has X lines, they are either on a call or not, why can't it handle it?
Which makes me suspect, as I already have for years, that "something crashed" is the excuse trotted out by IT departments when something is underspecced, or just not working as it should.
Crash has a particular meaning, you know. If your phone system crashes because of the number of incoming calls, then it was NEVER designed to handle that many calls. And that means you bought the wrong thing.
Not even sure what this means:
“On execution, the malware will inject the SQL server to cmd.exe, svchost.exe, explorer.exe and similar processes to hide itself as rootkits."
Someone care to explain?
And, again, sorry but if you're stupid enough to fall for that, then there's no helping you. We can't educate you about that (despite decades of advertising, leafleting and school visits about strangers at doors, targeted to all ages). We can't magically stop it happening. And if you're vulnerable then, no, you shouldn't be opening your own door / PC in the first place. It's up to the carers/family/neighbours to make sure that the vulnerable don't get scammed, because the police are already doing as much as they can do about that.
I had a bloke knock on my door. He was "from your electricity supplier", had a little clipboard, hi-vis jacket, hardhat, the works. I asked him who that supplier was. After the second guess, I told him to leave before I called the police. He protested, saying he just needed to put a card in my meter, etc. etc. etc. so I picked up my phone. He left and went to the next house. The entire STREET was filled with people doing the same thing, and it was an EDF cold-selling scam, but "official"... these guys had paperwork, your name, (sadly not your current electricity supplier), ID badges, worked for a big company, etc. It was still a scam, to get you to switch supplier.
If I'd had CCTV, I'd have pressed charges because he specifically tried to gain access to my property posing as "my" electricity supplier. I just filed complaints instead, but they were all over my entire road doing the same to all my neighbours, knowing it was impossible to prove what was said.
No-one can educate you or stop you from falling for a scam. As such, if you fall for one, you fall for them all. It's your responsibility to educate yourself, even if that means the hard way. And then you realise that just the simple truth of "trust no-one" applies to such things.
If you would fall for the roof scam, or the car scam, or the electricity scam, or the computer scam, it's because of YOU. If someone is vulnerable to falling for it, honestly, there's nothing you can do short of being there all the time, forcibly educating them to not speak to people trying to sell them things (or enter their property), or letting them be scammed. That's why they have secure housing with bright people on the door protecting their residents.
And, of course, scammers will target the vulnerable because they are already unscrupulous - why should we think there's honour among thieves? Fact is, there is NOTHING you can do about that. Except spread stories of how "Trust No-one" is all you need to know (and no "but this guy is different" exceptions).
I work in schools. Teachers fall for it all the time.
I wash my hands of it. If they are that stupid, that's their problem to fix. Inside work, they shouldn't have enough permission and/or flexibility in the policies to even allow them to do anything like this.
If someone knocked on your door and they told you that the car on your driveway needed fixing and they could fix it for "just" £50, you'd do exactly what you are supposed to. Say thank you. Shut the door. Call your garage to see if they share the same opinion. You wouldn't pay the guy who reported it to you, or any stooge that he could arrange for you. And you certainly wouldn't do it there-and-then without checking.
And the whole "I'm from Microsoft" kind of junk? If some bloke knocked on your door claiming to be from Ford and that you should pay him money to fix your car that you've not reported any problem with, you should be equally suspicious.
Why things are different when they involve computers, I've never worked out.
Re: Can you ask VALVe about the State of SFS
And, again, someone blames Valve here.
The problem is, some of those games don't even EXIST any more. The studios that made them are gone, you can't buy them, the owner is in doubt, etc.
But what you are desiring requires a MASSIVE change to their licensing agreements with the software owners. Let's say that even 10% disagree with the entire concept of family mode. That makes "per game" impossible. Valve are still bound by the contract with the software owner and they can't just break it without getting them to sign up to a new one.
And that signing up might well lose, say, 10% of the Steam library if people don't want to sign it. It's not just a case of "Tough, accept it" or even "We'll do it without your permission anyway". Valve has contracts and those contracts DO NOT MENTION this facility and, if they want to change them, it will probably cost them dear. Sure, an indie studio might just say "Yeah, no problem", but trying to get someone like EA to co-operate? That's gonna cost a lot of money, if it's even possible.
And even the owners might have to abide by agreements for, for example, their internal libraries, their assets, their online servers, etc. in order to agree to such a change.
What you want is just not possible overnight or, I would posit, at all in the current licensing environment. It's like Sky suddenly saying "Oh, by the way, we're going to let everyone share every channel that you put on Sky with their friends for free" - sure, it can be done, but there are also a bucket-load of channels that will say "Hey, hold on a minute, you can't do that", not least those with pay-per-view, etc.
When you can get all these people to sign on the dotted line, you can do this. Until then, I'm amazed they even managed to word their contracts so they can do SFS *at all*.
What's that got to do with the machines you use?
And the answer, almost universally, is hassle, cost and upgradeability. Linux is out. You can't run any of the software you need (most school MISs are .NET based and, no, Wine isn't adequate to do your salary runs, store your kids' exam results, etc. on). Integration with MS networks.
Fact is, we have proper security so that it's not necessary to have a single-session OS, it just gets in the way. Time between lessons needs to be minimised - as one lot leave, another enter in any school of significant size and that means that logon/logoff has to be quick and boot time doesn't matter. When your software image changes, you'd have to redo the OS. You'll probably have half a dozen or more separate images already (for different subjects, etc., due to licensing costs of getting site licences for everything), so you're into several "self-booting" OSes (so do you have to choose one each boot? Or manage ten images? If you're managing ten images, what's the advantage in having slax-style boots?).
I have deployed PXE-booting re-imaging clients. From BIOS to working desktop it was less than 10 minutes (it was Ghost back then - bloody WDS/SCCM just make my imaging times atrocious nowadays). Re-imaging was rare (probably one a month or more outside of normal imaging upgrades?). As such, your solution just adds a lot of network bandwidth and work to something that isn't a chore. There's little difference between PXE booting an image on demand and what you suggest (except for improved boot times for my solution, because I don't have to wait for the OS to boot every time, I can just leave it in suspend between users).
And then when you get into actually integrating those images into network server shares, software shares, databases, AD-structures, etc. then the actual time saved is negative. How much have malware etc. cost me in the last 15 years of school IT management? Probably about a working day or two. Two or three weeks if you count deploying an antivirus-suite network-wide. It's just insignificant, and a 10-minute re-image solves the problem permanently without needing fancy solutions.
Please note: I push Linux in schools. I've had Slax in schools. I pushed for SafeDesk (google it, it's dead) in schools. I am one of the first batch of Raspberry Pi'ers (still never deployed in a school, because of various similar "someone on the net says it should be good for schools despite not knowing what we do" problems). My last workplace had 50 Linux netbooks, half-a-dozen Linux-based touchscreens, a Linux server doing more tasks than all the Windows servers combined (including critical ones), an external Linux dedicated server doing similar, etc.
There are uses for such things, but people who think we should "just" do things in schools need to go work in one. Or a few dozen, like myself. Fact is, as much as I hate MS, when you're managing swathes of machines that need to run commercially-available software, web-apps and internet downloads, with a sensible management structure, it's easier to stay MS-only (especially with educational licensing). Without educational licensing, yeah, I'd question it greatly. Fact is, I pay less for MS software each year for an entire school than I have spent PERSONALLY on MS software just for myself in my life.
Have built a school network with their kit. About the only big plus for me at the time was that they were early in the game of making all-in-one PCs that were suitable for a school environment (i.e. no cobbling together monitor and base unit on a precarious stand, etc.).
It was almost universally rebranded Dell or similar kit. And although we got a good price at the time and the kit was decent enough, ever since I've avoided them.
They don't like giving prices, they never have what you want, they can't beat other suppliers, and they pushed their Classlink junk too much (no, I don't want a school network based on your half-assed implementation of a school PC management system). And, yes, they take a while to deliver.
To be honest, ever since, I've only ever included them to get the requisite "three quotes" from someone the finance people have heard of ("You haven't heard of Viglen? Well Alan Sugar used to run it!" works quite well when you have the quote you want and need to pad out to the requisite three equivalent quotes). And every time, they've lost.