* Posts by Lee D

682 posts • joined 14 Feb 2013

Acer introduces a REVOLUTION in tablet tech: The PENCIL

Lee D
Silver badge

Re: Using a pencil is great

Exactly. The same problem is rife in anything that you can "just draw on".

I work in schools. I've seen many Smartboards etc. ruined by "this marker pen I found" or even ballpoint pens on soft, squidgy, touch surfaces. And even the kids in rougher schools realise that a well-placed ruler throw can knock the lesson for six if they can stop the board working.

The alternative is fancy-schmancy pens that cost £60 each, on a solid surface, and you can't use any substitute, or even IR-detectors and anything shiny on the board - and both are just worse options.

Although, the last Hitachi interactive whiteboards I bought actually came with 5 layers of peelable surface for just such instances and you could buy more. But we installed them, never told anyone (because I just know they'd peel them off for the slightest smudge), and then everyone who knew changed schools. I guarantee they were just binned after a while because nobody realised that there are four more layers underneath, ready to be used...

Same school had touchscreen all-in-one PCs with hard-glass touchscreens. Last I heard, the cleaners were smearing them with desk cleaner spray three times a day because of the fingerprints and the streaks that not using a proper cleaner was giving them. The screens are probably like looking through the bottom of a submarine by now.

1
0
Lee D
Silver badge

I'm thinking more along the "ordinary pencil graphite is conductive" (we use it in science classes for exactly that purpose) lines, which gives me a problem as IT guy when everyone is scrabbling conductive powder all over their shiny new tablets with their HDMI and charging sockets and USB and everything else.

That's just a STUPID idea, and a stupid demonstration to use. Sell a pencil with one end graphite and the other end a stylus. They are literally in pound-shops today.

1
0

Quid-A-Day veteran fuelled by vastly improved nosh stash

Lee D
Silver badge

Re: Living on..

As someone who was made to sit through the program where a family live in the 50's for a week, eating only 50's food and having only 50's appliances, etc., I think we could easily extrapolate back to a time when this could have been true of every human on the planet. But we're still here.

Rickets is pretty easy to cure. Sunshine and a drop of milk occasionally. The problem was only ever rife when indoors-living became the norm, or - like scurvy - if you were on a long sea-voyage away from fresh-food.

The thing about nutrition is that what's NEEDED is pretty minuscule, in tiny quantities, and naturally present in an awful lot of foods anyway. Malnutrition causing things like rickets is rare except where it's COMPLETE malnutrition - where no thought is given to food variety and people are given one particular food, or no food at all, for long periods. Just in the article, egg has enough vitamin D in it. A splash of milk (fortified in some countries!) provides enough calcium, etc.

The body is surprisingly durable. You would have to have a very, very prolonged and static diet in order to induce malnutrition in someone who has a free choice of modern food, no matter the spending limit.

2
1
Lee D
Silver badge

Cheat!

"salt, pepper and olive oil"

Cost? Because unless you pinched a sachet of each from some restaurant, likely they cost you more than 58p in themselves (even if you spread that particular quid out over many weeks of actual consumption).

"rhubarb was picked from the garden"

How much did that cost to plant, water, feed?

And how much did the pie cooking cost? I'm guessing, say, 200C for about 30 minutes? That could be 18p in electricity alone.

I know we're not tracking things to that kind of accuracy, but it's basically cheating three times in one day already.

"A quid a day - in ingredients only, not counting what I've got in the garden or the cupboards already" is slightly less impressive.

0
2
Lee D
Silver badge

It's like some of my friends' Facebook pages, but less interesting because the food doesn't stand a chance of making me salivate at the sight of it.

Seriously, guys, the article is about a budget. How about telling us how that budget was spent, in detail, rather than "look at this pie!" and then lots of tosh instead?

Although, to be honest, even then I don't find it THAT interesting that you can live on a quid a day, because I've done exactly that too.

1
4

Console makers game the EU Commission to avoid energy-use law

Lee D
Silver badge

Re: Low power standby mode?

Old hat.

Now if the machine doesn't boot up in a microsecond, instantly resuming your high-end 3D game, on a voice command given among a stream of consciousness throughout the day, it's not "the thing to have".

Let's not even get into the bluetooth / wireless controllers waking from sleep, the system updates in the background, the media player functionality offered out to the local network, etc.

Nothing turns off nowadays. Which is more worrying than anything.

0
1
Lee D
Silver badge

Re: They are computers

My non-gaming but not-cheap but certainly-no-longer-top-of-the-line laptop laughed at GTA V in its native LCD resolution. Have you seen that game? It's gorgeous.

If a laptop with a 90W power supply (which isn't fully used, and yet the laptop has two spinning disks, screen, USB peripherals, wireless, bluetooth, fan, GPU, multi-core CPU, etc.) can do it, a huge desktop machine shouldn't be nearly 5 times as bad (the base gaming PSU is considered to be around 450-500W). Some of the graphics cards on PCs take MORE than my entire laptop sucks. And the performance advantage is no longer that huge.

And my laptop is a model several years old already. God knows what top-of-the-line gets you on laptops nowadays. I'm scared to imagine. The 1000 games on my Steam account "just work" and the laptop is on almost 24 hours a day even when I'm on holiday for work, leisure, browsing, gaming, travel, etc.

1
1

Quid-A-Day Nosh Posse taunted with sausage sarnie snap

Lee D
Silver badge

Re: Sausages

Absolutely.

As someone who has spent a period of their life doing things like rummaging down the back of the sofa (and hanging around in order to pick up pennies in the street) just to afford the cheapest loaf of bread possible, the scale of buying "cheap" properly is one of the killers. It's also that horrible scenario of "We'll have the money for all this next week", "So what are we going to eat until then?" which can actually end up costing you MORE and putting you back in the falling-short-of-food category the same time the next month through no real fault of your own.

And then you get the "Well, you can't be short of money because you just spent £100 at Costco" idiots. Well, yes. But that lot will feed us for two months. Maybe not fully, we might need to buy 16p loaves of bread here and there but that's purely because they just don't fit in the freezer with all the other stuff. Reduce our electricity bill? Sure, I'll pull the plug on the freezer and we can sit in the dark, and cold, AND have no food by the end of the week too.

Some "big" items are necessary to make the small savings cost-effective. Fridges and freezers are one. Dishwashers you can live without, however. Even an oven/microwave (preferably only one of the two). But a freezer costing £40 from the local secondhand dealer will save you more than it costs in a year - including electricity - from food that would otherwise be lost or the cost of buying everything fresh. Hell, we used to buy potatoes by the sack, make one large batch soup, freeze it down, and live off it for weeks on end.

The problem with "saving money", and especially things like Jamie Oliver's tips (where the "1p because we only used 5ml of tomato ketchup" thing is rife) is that they aren't actually doing this with a hard limit. If you don't physically have the ability to produce that extra penny when required, you can't have it. That's it. And few people understand that. And to "get" that penny somehow means calling in friends' favours (which are too precious to lose over a borrowed tenner), losing some valued asset of some kind (did an awful lot of eBaying of assets at cut-prices during those years), or having to pay back twice as much tomorrow and being in a worse position.

However, it has to be said: If you're in this kind of position, and you have shiny new appliances, or the latest smartphone, etc. then you're cheating yourselves and others. I'd allow a cheap, second-hand computer. My ex- and I used to enter competitions online of an evening and that was our entertainment. We often won for no "cost" but our time. We used to get all kind of online discounts and vouchers and hints on how to save money and what offers were accepted where. She used to do online mystery shopping jobs and we often had to turn down retail mystery shopping jobs because we couldn't afford the £10 to buy an Argos Value kettle, return it the next day for refund, and comment on the service received (even if the company GUARANTEED repayment of expenses and costs, whether the refund was given or not). We didn't have a TV licence but we would have BBC iPlayer'd if it was around back then. The cost of a cheap throwaway machine saved you money. I was actually using an IBM Thinkpad 360 (with floppy and Windows 95) years after it was bin-fodder just to keep something in the house that could dial-up (local call rates with UK2.net and later as a backup to our cheap-as-chips PAYG broadband) and pay a bill online more cheaply, etc.

It's the people who literally start from zero that I worry about and would help out if I knew someone like that. But those who have a 4x4 SUV on the front lawn while moaning they can't afford a takeaway until the next benefits cheque? Zero sympathy. Stop having takeaways (except rarely when you've EARNED them as a treat), sell the car and buy something older and cheaper to run, and get on websites and start using your spare time to earn some money - or you'll be in that "hole" forever.

8
1

Welcome, stranger: Inside Microsoft's command line shell

Lee D
Silver badge

Re: Discovery

I stopped using PowerShell the moment I realised that a simple AD command to do something (I think it was related to promotion of a certain role, but can't remember off-hand) had gone from an 8-character name to something so long and unguessable that - even with autocomplete - there were ten similarly named, stupidly long, easy to confuse commands and that in any tutorial they had to be written out correctly and not jump off the sides of the screen when you typed them because otherwise it was too easy to hit the alternates.

That's not what you want when you're playing with AD in a PowerShell box.

6
0
Lee D
Silver badge

And then you discovered 4DOS. Which was damn amazing. And the 4DOS tools worked on any DOS you put them on, too.

But, for years, my computer's scripting - every line from booting to loading drivers to starting games - was a combination of batch files, PC Pro / PC Magazine command-line utilities, and simple freeware.

STRINGS, CHOICE, AMENU, it's all coming flooding back.

Those were the days. When the computer did what you told it to and no more. And if you wanted, you could get 638Kb of base RAM out of 640Kb with enough drivers to play game X or run app X and just stick it in a menu. And a reboot took seconds and pushed you into a nice menu that loaded up the exact configuration you needed for a program, and you never even saw the jiggery-pokery to make it all work but you could at any point.

Can't even squeeze a webpage into 640Kb now. Still have no control over what starts up or in what order when you start Windows and half the stuff you can't turn off without breaking completely unrelated features (did you know that if you stop the Windows Search service, you can't then add a new keyboard language?).

Never used a batch file compiler because - well, you never needed to. A 386 was more than capable of churning through a batch file in no time at all.

31
0

Excessively fat virtual worlds – come on, it's your guilty secret

Lee D
Silver badge

Re: I agree

It's virtualised. You have hassle, you put it back on a real machine and/or stick them on any machine and run the virtualised image from it.

The beauty of a virtualised image is that you can do this. Going from physical to virtual, however, is more tricky.

0
0
Lee D
Silver badge

Re: I agree

Apart from live Exchange and SQL servers, virtually (sorry!) everything I've virtualised has ended up using less RAM, less disk, less CPU and less network.

Some of that is just because of over-speccing, some of that is just having a hypervisor that can properly cache all the boring parts that all the VMs use so they boot much faster, some of that is just the plain fact that the machine sits idle much of the time.

And, so long as the machines don't all peak simultaneously, they are able to have a massive amount of resources "on-standby" whenever the need arises for that one-off operation.

From now on, whenever a random vendor wants to give me a machine for whatever specialist software, they'll be put onto a client which is on a clean image. When they've finished poncing about installing product X that's so special it needs to go on a machine all its own, I'll just clone the machine to a VM. Some of my suppliers already offer the "we'll just give you a pre-configured VM" product anyway. The ones that don't want to co-operate, they'll be put onto a RDP session to a VM instead of a full machine and hope they don't notice until too late into the process.

I VM'd all our servers when I arrived at my last workplace. With less actual hardware, we actually have much more capacity (twice as much as necessary as I added a lot of redundancy etc.) and the ability to do all kinds of fancy stuff. And only the SQL and Exchange servers actually demand a decent amount of RAM from the system - everything else is tottering along at a couple of Gig quite happily. Wouldn't want to deploy a full machine with ONLY 2Gb as a server, but as a server-VM, they are more than happy after booting to release all their RAM. Same for CPU (allocated most things as quad-cores, lucky if they see 1% CPU on average). Same for disk storage.

3
0

Stuff your RFID card, just let me through the damn door!

Lee D
Silver badge

Yeah, surely if the coil is slightly nearer one edge of the card, turning it over will increase the chances of it working? Certainly with fobs this is the case.

However, what "non-IT" people don't realise is that just holding it ON the RFID reader does nothing. It has to be moving in order to induce the current to power the radio circuit inside it.

1
19

Microsoft to offer special Surface 3 for schools

Lee D
Silver badge

Re: Cloud?

I work in schools. I've done their IT for something like 15 years now.

The schools won't care about client storage. You either store on a server, or you store in the cloud nowadays. And you're hardly storing anything anyway. The sum total work of a YEAR of kids will likely be a few Gigabytes unless you're storing lots of video - and the video you store will be all the intermediate work and not their final product.

The magic words are "VLE". Everything is done with web interfaces and portals anyway, interfacing into user areas. Other schools use Google Apps for Education (which gives you UNLIMITED online storage for email and for Drive if you're a school). Most schools will have redundant broadband as an absolute minimum and leased line as standard. A lot of them host their own website in-house, for services like the VLE, OWA, etc.

Yeah, sure, the net goes down sometimes, but it's not "business-critical" in that sense. You can do a few days without it just by saving locally, using the VLE internally, etc. but some of your outside services might suffer. And on leased line, a couple of days is the only outage you really see and you'll have broadband (or even 4G) backup for that. I've run a private school with 100s of machines, tablets and users from a bunch of 4G SIMs when our dual-ADSL2+ broadband contract was severed against our will. We got in another broadband line within the week and leased line in replacement within a couple of months.

You know all those "bring your iPads to school" kind of places? How do you think they are operating? The cheap Wifi-only iPads (don't want to give the KIDS 3G because it has no decent filtering) are 16Gb and most of that can be used up with apps and the OS upgrades. They use the cloud offerings and the VLE etc.

Your ability to teach is not hampered while the internal network keeps running. Your external services (submitting homework via Google Drive, or downloading the question sheet from your VLE) may be somewhat hampered but it doesn't take a lot to make them accessible from the world in an emergency.

Hell, most places use software like ClarionCall (web-based messaging service for emergency emails/texts or even just sending the newsletter home), some use Office 365, a lot use Google Drive, remote-desktop, VPN, etc. It's not actually that crucial at all to have local storage.

In fact, my deployment image - with every piece of software and every driver for every PC and laptop in school - is about 45Gb. And on most clients most of that is unused. The biggest things you'll ever deal with are roaming profiles but if you're deploying Surfaces and Chromebooks, etc. they have an entirely different use case anyway.

There's no reason to need a lot of local storage in a school, or even a lot of RAM. The last year or so is the first school I've worked at that guaranteed 4Gb of RAM in every PC. And we run Windows 8. Properly managed, it's just not a problem even with a "login surge" every hour as one class logs out of every PC and the next class comes in and logs into every PC.

And the amount of stuff you have to actually keep? Well, you submit that to the VLE from your Google Docs or whatever, and it gets stored in the server and backed up with your normal file storage. You aren't losing anything and don't need independent storage for everything.

In fact, in my school, my first action was to ban USB keys. Rarely used, unreliable when heavily bashed about, a virus- and data-transference risk, and the cloud offerings we have do a better job for zero cost (I'm not issuing encrypted USB sticks to every member of staff just so they can take work home, and certainly not to every pupil).

In computing everything comes in cycles, thin-client, fat-client, centralised, decentralised, etc. At the end of the day you use both and all in everything you do. Thin-clients logging into VMs or using cloud offerings alongside fat clients for "real" work with access to the same data.

Site-wide wireless is the norm.

Tons of on-site servers, storage and services is the norm.

Redundant / resilient / leased lines are the norm.

VoIP and even SIP is the norm.

Cloud / Private Cloud (VLE) accounts are the norm.

The pupils are more than welcome to take their own backups but, you know what, when all your stuff is mirrored to all the possibilities anyway, they never need to. Google Apps for Education offers not only AD authentication sync but even storage sync and EU-data protection guarantees (a billion times more than Apple does). And if you think of that as "working" space, but then have an official portal to submit "recorded" work (homework, coursework, etc.) it really doesn't matter if the cloud goes down or the Internet goes off.

11
0

Singapore's PM personally programmed C++ Sudoku-solver

Lee D
Silver badge

Meritocracy

How many of the government ministers in the UK assigned to education, economy, digital services, etc. are actually officially qualified in that area? It's not even unusual to see someone be a minister of education one moment and then be minister of energy the next, or whatever, and I very much doubt they have any actual qualification in either subject.

And isn't this the push that the government are trying to give young people? Get the skills first, then maybe the job will come along.

I don't get party-based politics at all, but anything that can end up with a former minister-of-whatever running the NHS or deciding children's future on the basis of zero experience, qualification or skills in those areas can't be a good idea. Yes there's a difference between being a teacher, running a school, running a borough education system and running the national education system, but surely you need SOMETHING more than just having been a minister before?

18
0

Yay, we're all European (Irish) now on Twitter (except Americans)

Lee D
Silver badge

"An EU based employee can't be ordered to break EU law - but a US employee at head office can be ordered to remote in and copy the data."

The EU employees who provide that facility are, by definition, breaking EU data protection law.

It's against that law to provide access to someone who does not require it for their job, and also to allow that data to cross international borders. The courts interpret this to the extreme that even PROVIDING A POTENTIAL ABILITY to do such things is punishable (and, lately, with personal responsibility not just corporate!).

If you don't know this, and you work in IT in the EU, you really need to go read up on the EU law and case law.

0
0
Lee D
Silver badge

Constructive dismissal on unreasonable grounds.

You can't be ordered to break the law just to keep your job.

15
0
Lee D
Silver badge

The US can see it how they like.

Nobody in the EU side of the company can provide, help provide, or otherwise allow them to provide EU data to the US without breaking EU law.

Just because the US say they want the data, doesn't mean that ANYONE will give it to them. And the EU courts will just look at any data request and say "Doesn't apply".

You cannot be compelled, as an EU citizen, to break EU law in order that a DIFFERENT US company satisfy a US court order.

And, as pointed out, EU data rules are much stricter already. Nobody in the EU can assist the US in obtaining, or even provide access to, that data without breaking the law. And if the data is in the EU, the US company (an entirely separate legal entity) cannot demand access to it.

That's WHY Twitter etc. do this. The US can crow all they like. To comply with the order - in ANY fashion - is a breach of EU law. You can't be told "Do this or you'll go to jail" as well as "Don't do that or you'll go to jail" for the same things. And precedence is to the country with actual, legal jurisdiction over the data.

19
1

Apple will cut down 36,000 acres of forest in 'conservation scheme'

Lee D
Silver badge

Re: Forestry != woodland

If they could put some fecking finger-holes in their packaging, that would be great too.

I've unpacked many iPad Minis for work and there are no fingerholes to grip the internal box when you want to separate the top from bottom. As such you either a) tear said upper box or b) end up dropping the bottom box on the floor/desk as you shake it free.

Because of the wonderful "design" of these boxes, the iPad is also loose on top, glass upwards, without protection so the first thing to break if the box does open is the iPad itself. Then underneath that (again, no fingerholes so you have to "tip" the iPad into your other hand), there's a USB cable and plug which are sitting on the bottom of a big empty gap that would be perfect for, say, protecting the top of the iPad instead.

Everyone keeps telling me that Apple is all about the design and usability. I've yet to witness it in anything from the OS to the machines to the packaging.

10
3

BLAM! Valve slams brakes on Steam flimflam with $5 spam scram plan

Lee D
Silver badge

Re: Is this a problem?

As SteamIDs follow a predictable pattern, and free accounts cost nothing but an email address to set up, and spamming a thousand users can be automated using Steam's WebAPI, yes... it's a problem. Maybe they haven't got to you but I've had a dozen or so and two just this week.

The hope is that you'll add them as a friend, then they send you an IM with a link. That link - if you're daft enough to click on it - goes to a credential-stealing page and - again, if you're daft enough - if you log into "Steam" on that website it gains access to your account. From there, it has another account that it can quickly (and probably automatically) spread from, can steal all your in-game items, stored inventory games, Steam Wallet cash, etc. and pass it off - again, automatically - to some central accounts that someone can flog all the gear from on the market and get payback instantly.

By the time Steam catch up, thousands of items are involved, there's thousands of transactions to revert, etc. and they may never know which ones were genuine and which were just people selling on that item they traded for. The big-name games have been stripped out of people's inventories and sold on (possibly even for real cash, Paypal, etc.), they have enough junk to craft expensive items via an automated API, and sell those on to unsuspecting users. You can even go to other markets (e.g. TF2WH, etc.) and trade things across different games etc. until you find something that people will pay cash for.

Given the setup, if you can eventually get even a couple of hundred quid, you've paid for all the infrastructure, steam accounts, programming (more likely script-kiddie downloads), etc. and if you're malicious maybe even cheated and got the accounts VAC-banned.

And all by just running a program that creates free accounts, automates some chats, trades and sales, and a weblink with some dodgy Javascript on it that plugs captured details back into the program.

1
0
Lee D
Silver badge

Re: "So without a new valid credit card daily, no go."

I'm pretty sure I've seen a lot of posts on Steam forums about not being able to use a credit card because it was tied into their friend's account etc.

There are *some* proxies, e.g. you can pay by PayPal, but even there the number of Steam accounts using the same PayPal account would be trivial to detect at Steam's end.

It's not meant as an "eliminate all spammers" method, but a hindrance to stop casual free-account spamming, I imagine.

The majority of market/friends list spam I see is Level-0 people with closed profiles and zero games (or only free games). This would seem to indicate that a pay-requirement would at least drastically reduce the number of spammy accounts even if it doesn't eliminate them.

3
0

Transparency thrust sees Met police buying up to 30,000 bodycams

Lee D
Silver badge

Re: Can't wait for... @AC

If it's an ordinary arrest, then terrorist stuff is irrelevant.

If terrorist stuff is relevant, then the COURT still gets to see the police footage.

If the courts still fail to convict police officers in the wrong, or convict innocent civilians with proof they are in the right, you have a problem that no amount of tech can solve anyway.

Everyone can moan, but police footage is a forward-step. The police footage of the recent murder-by-cop in America was released by the police themselves, and if they'd had body-cams, that would have been an invaluable instant-proof of what actually happened.

And if you claim police brutality and JUST at the moment that would prove your case the footage cuts out? That should be no different to concealing or destroying evidence in other ways. No reported problems but they ONLY happened when the prisoner was walking down the stairs to the cells, and then worked immediately afterwards on inspection by the tech support? Yeah, a court cannot ignore that without being - in itself - corrupt and able to ignore whatever it likes anyway.

There's a million reasons to have cameras and none not to. Put them on. If there's a sudden spate of cameras going off only at critical moments, then it's easy to spot the pattern and discipline the officer. In the same way, if their ID isn't valid, their car isn't roadworthy or their uniform not compliant, the officers in question will be asked to return to the station to pick up a replacement immediately and anything that "may have happened" in between will be heavily scrutinised.

Put bodycams on. Make them work in pairs, if necessary. So *BOTH* of your cameras both stopped filming at a critical moment just before? Mmm. Yeah, a court and your lawyer won't see through that.

This solves the problem with the trust in the police. It doesn't solve the problem of trust in the courts or other parts of the justice system. But it's the police that always get the rap from the public when the CPS decides they don't have evidence to prosecute etc. so that isn't a situation you can fix.

Restore trust in the police, though, and suddenly the public have a much better reason to trust them. Bodycams are essential in this, in this day and age.

11
0

Graphic designs: Six speedy 17-inch gaming laptops

Lee D
Silver badge

Re: LeNOvo

Your OEM licence from MS explicitly gives you the right to wipe and reinstall a clean OS.

Maybe you can't with the restore disks supplied, but anyone with a brain enough to know about the Lenovo debacle and be worried about it can easily do a clean install of Windows on their fresh machine with the same licence.

3
0
Lee D
Silver badge

Quite.

But I tend to look upon these not as "gaming laptops" but "this is the only PC I'll need for the next few years".

I've used "gaming" laptops (some with WASD marked out in dots so you can feel them when gaming etc.) as my exclusive machines for years. Buy once, pay over the odds, still load all your games on Steam for years to come and still functions as your primary machine. Mine goes to work every day, all my evening stuff every day, all my gaming stuff every day, away with me on planes to watch DVDs etc. on holiday, and it's the only machine I use for work, play and just browsing. That, and a smartphone for connectivity if I'm out in the sticks.

I've used both MSI and Samsung laptops intended for gaming like this for the last 8 years at least, and it's great. No bulky desktop but gaming power. No huge screen and speaker setup but can plug into any HDMI TV wherever I am with all my games. No great battery life but enough to last a flight and power enough to do ANYTHING (movie transcoding etc. are greatly helped by powerful GPUs and to have a huge beast of a processor in a laptop just shows up all the Macbook Pro crowd).

If you buy one of these, you're going to be using it for everything you do. It's not going to be like the gaming machine in the basement that gets 100fps but which you can't Google from comfortably and don't want to drag round people's houses for gaming nights. As such, the cost is reflective. £1000 for a laptop seems like the prices of 20 years ago, but the capability to have a gaming rig capable of anything that you can take anywhere, and not even have to sign out of your work account for, is great.

My MSI gaming laptop lasted 5 years before I broke the hinges. But that was 5 years of morning browsing, then travel to work in the car / on the train, then 8 hours of work, then travel back home, then 6-8 hours of TV, browsing, streaming, downloading, work, gaming (including an over-clock button that voids your warranty and 80 degree temperatures coming out of the graphics card), going on holiday with me, etc. That's a lot to ask of a machine and a £200 Acer just won't cut it for long under that kind of stress. Hell, I used to score the local cross-country runs and swimming galas on it, so it spent a good portion of its life wet and/or muddy. I could do that AND still work on stuff for the schools I worked for.

I replaced it with an overpowered Samsung that I've still got and which just recently laughed at the Steam version of GTA V - so it's still good going several years after I bought it. And it's got something ridiculous like 12 cores - my compile times are phenomenal compared to what I'd get on a "must slow down because of battery life" laptop.

Gaming laptop = best of every possible world. Get me a gaming laptop that I can convert to a tablet-size and I'll pay as much again. Sadly, batteries to support that amount of power are never light, nor small. And, notice, these laptops have several hard drives. One of them 2 SSD's and a spinning disk! My Samsung has twin 1Tb drives. That's enough to separate work/games, run RAID, etc. on which is not a normal laptop feature. And proper 1080p. And serious amounts of connectivity. And power enough to do SLI (!) or when you plug into a 36" TV at home.

Cheap laptops can't get close to this. I've seen laptops costing £400 that can barely run Age of Empires II HD on Steam, and that's a remake of a 15 year old game that doesn't use the 3D card for anything but blitting. To have RAID, SLI, etc. in a battery-backed unit costs - and £1000 is barely the price of a decent laptop from that "other" manufacturer that doesn't have those features.

8
1

Sysadmins, patch now: HTTP 'pings of death' are spewing across web to kill Windows servers

Lee D
Silver badge

Re: Don't like IIS?

A remote-root / DoS exploit in Apache that can take down your system? Those are so few and far between they are news items.

Heartbleed etc. is an information disclosure attack. It doesn't crash your servers. It doesn't provide remote-root. It doesn't take the server down to the point that NOTHING else works until someone comes along and manually intervenes.

Nobody is saying port all your IIS to Apache. What we're saying is: this is the cost of quick-and-dirty solutions. The licensing for your server, plus IIS, plus whatever web app you had developed? Probably could argue that it would have been better to stick on a "free" system and spend the money securing it instead. Hindsight and all that, but nobody's suggesting up-and-leaving IIS.

And though bugs exist in all software, this is a design bug. You put HTTP parsing into the kernel. That's just STUPID. If you'd asked me ten years ago about that, I'd have said it's stupid. You don't want the MACHINE crashing on a kernel level, taking every other service with it instantly, potentially losing data irretrievably, just because someone sent you a rogue packet. We changed the design of TCP stacks etc. years ago to get rid of junk like that, and the days of things like the Xmas Tree packets, smurf-attacks, fraggle-packets etc. are long gone.

I see any monoculture as a problem for a business, personally. If your app only works on Linux or only works on Windows, you have a problem. But reality steps in often and people don't care or realise about it. That doesn't mean that's the "right" answer. It just means that we make sacrifices from an ideal system to meet budget or time constraints.

However, it may well be worth investigating the budget/time implications of something like a simple script-kiddie attack on your server - almost identical to a decades-old Apache bug that never caused more than a service DoS on that software - taking down all your services in the hardest way possible (possibly inducing data loss) until you can patch against it.

Nobody has perfect home security. No business has the perfect lock on the door. But when you've been broken into a number of times by kids with lolly sticks, you might well be justified in thinking about upgrading, hardening or looking more favourably on an alternative supplier next time.

9
0
Lee D
Silver badge

Nobody is pointing at MS and saying "Ha Ha! You have a bug in handling range requests!". As you point out, they could easily turn around and do the same thing (but it does make you wonder if anyone ever said "Hold on, look at this bug in Apache, could we have the same bug even if we're not using the same codebase?")

What we're pointing at and saying is "What the hell are you doing with HTTP parsing in the kernel?!" Because the second you say that, it sets off alarm bells in my head, even before this exploit existed.

Hanging an Apache process - which on any well managed system will do no worse than consume the allocated amount of CPU/RAM assigned to that user/process - is very different to BLUE-SCREENING (kernel dump / etc.) an entire machine (what if it's a hypervisor and the IIS service is an exposed, but secured, HTTP interface to it?) via a single HTTP request (possibly even for a non-existent file etc.!). That leads to data loss, in-memory structures being potentially revealed, etc. and is an order of magnitude more dangerous.

And it's that more dangerous PURELY because something that shouldn't be in the kernel, is. And MS couldn't make it work fast enough outside the kernel, by their own admission. Security or speed, appears to be the only mutually-exclusive choice.

Nobody cares about bugs. Bugs happen. Every day, every admin is patching against bugs. The severity of the bugs, however, is linked to the design of the system - and this system is designed, by default, to parse HTTP (possibly unauthenticated, possibly unsolicited, etc.) in the kernel-space with kernel-space privileges.

At that point, I just go "Duh!" and start checking all my servers to make sure that option isn't on EVEN after I've patched (it was on by default on some internal-only servers that I don't care about but even I'd turned it off on my external-facing servers that I set up a year ago!)

20
1

Revealed: The AMAZING technology behind Apple's $1299 Retina MacBooks – a lot of glue

Lee D
Silver badge

Re: @ AC

As others have pointed out, I have used. I've deployed several hundreds of the damn things, if not an order of magnitude more.

If anything, that's even more damning when I then say I've never bought one for myself.

Did you know that OS X can decide it just won't update on a Mac and pop up invisible dialogs on a black reboot screen that you can't get rid of without plugging in / unplugging a physical keyboard? My in-house Mac expert also tells me that they have to have official Apple wired keyboards when the servers are caught-short and boot into safe-mode as without them you can't confirm to boot back into the server (we've tried with ordinary keyboards, doesn't work). We have several hundred iPads on-site at the moment, and do you think I can stop kids from changing the name of the device to "Fred sucks... ha ha ha ... lol... ".

How about that when the iCloud went down the other week, all our iPads went into an infinite loop of asking for passwords every 10 seconds with NO way to turn it off? No "No to All" or "Don't bother me again"? iOS 8.3 fixed it this week but probably because they only realised that was what happens after the iCloud had gone down.

Apple have some redeeming features, but they do not balance out the negatives, by a long shot.

And managing a device will show you a hundred times more things to hate than just "using" a device. Because managing implies usage also, but on an epic scale for testing purposes under a variety of situations and configurations and problems.

It wasn't until I started managing Windows devices that I realised a) why they basically own the majority of business networks worldwide but also b) why network administrators curse MS on a regular basis. When it's one device, for one user, and you can ignore a quirk, or set things up once the way you want for you, then life is easy.

4
1
Lee D
Silver badge

Re: macbook keyboard

That's the cost of buying Apple.

I don't like them, never owned them, but I'm sometimes forced to manage them. I do get that there are some, small advantages but I'm still shocked that people bother to buy them. But then, I never get why people ever buy new cars either. All that expense, which will never return in value, all the hassle of the "new" model that nobody but the original supplier has the parts for (or maybe even knows how to repair), everything more expensive to repair, just so you can have something shiny and on "zero" miles when you buy it.

I've yet to find, for me, a killer application that would make me buy an Apple product. Even one. Even as an expensive, luxury, "what the hell", toy.

And if you buy them en-masse, like the schools I work for, then you get no special privilege either. Want something fixed? Send it to a third-party or take it to an Apple shop where they're just going to replace it with a similar model.

Like casinos, and five-star hotels, I see the ornate, huge, empty shops with dozens of staff and expensive products all around and my first thought is "Customers are paying for this, and by implication they want me to pay for it too".

Sorry, but I've yet to find an Apple product that's worth the cost of two or three competitor's devices (in the same way I haven't yet found a car worth two or three times the cost of another car). Even if you include all the support warranties in the world.

And I don't see how it works for them, either. They are proprietary enough that they have had their own standard of just about everything from connectors to peripherals, etc. and they could easily make a proprietary, locked-down, modular computer that you can upgrade the individual modules for. Their machines enter software obsolescence at the same rate, they break at the same rate, etc. but they cost twice as much and... to be honest... I don't see what you get for that price.

I once loaded up an OS X VM in VMWare. Even without graphics acceleration it was smooth and slick, I'll grant that. But the gentle ripple/swipe of the bottom bar is just an eye-candy trick as - even virtualised on a bog-standard laptop - that flies while everything else is the same speed as or slower than every other VM with the same power put behind it (compile times for a large project of mine with - as close as possible - the same software, were comparable across the board). So even the OS isn't doing anything particularly wonderful beyond a bit of eye-candy, and can be virtualised with only partial resources of my laptop that costs half the price of any Apple laptop and still compare.

And I just don't get the Retina thing at all. For the last ten years, I've not been able to identify individual pixels on my screen without getting so close that I can't see the whole screen at once. I don't even understand what I'd be buying there, beyond the equivalent of "PC HD".

17
6

Google's new scribble-tab-ulous handwriting interface for Android

Lee D
Silver badge

Really? I thought we'd pretty much established that handwriting recognition is so inaccurate and slow, even at the best of times, as to be useless until we get some quantum computing or similar going (and even then I don't see how the computer is supposed to interpret handwriting until it's able to interpret other things which would bring us into the "AI era" and thus make handwriting obsolete anyway).

It's a neat trick. I was playing with it back in VB3 with the Windows pen input libraries - I think I wrote a game using it once back in school.

But throughout university, I hand-wrote notes. I was studying Maths and Computing, and though our computing was up-to-scratch, there wasn't - and may still not be - any sensible way to quickly take accurate mathematical notation on a computer. LaTeX was the closest you got and everything now still seems to be a pretty WYSIWYG GUI (or at least, that's what they used to be called) over the top of it. MathML appears to be a poor cousin to LaTeX. The lecturers I know write on boards or project pre-prepared slides and draw over them because notating maths is hard on a computer, but I'm long gone from my academic years so I might be wrong.

There are things I don't get, about information transference. Videos are the slowest, most horrendous way to impart knowledge. A picture tells a thousand words but a video is a long-drawn-out picture with someone talking. Audio is similarly slow and painful for me - by the time you explain it, you could have just shown me an example. There's a reason audiobooks take twice as long to listen to as it would do to just read the book. Handwriting is SLOW and inaccurate and painful on the reader. Even typing I find myself thinking too fast to get it down on the computer in time despite being a touch-typist for years. I can actually type while my head is turned sideways having a conversation.

In terms of information transference, handwriting is dead and only survives because you can do it with minimal equipment. If you already have a tablet PC or smartphone, why are you handwriting? If typing on a virtual keyboard is too bad for you, buy a real one. There are some wonderful portable keyboards around.

But handwriting - on a powerful machine - just to get a line of text into a file? So wasteful.

I work in schools and, honestly, it's only because the schools keep pushing it that the children bother to write with a pen at all. I don't think it would be a huge loss to tell the schools to stop doing that and just have the kids type everything. I believe Finland/Sweden are looking at just that. Maybe just a block-capitals with a pen for emergencies? Past that, I think we'd have much brighter kids if they didn't spend half their school lives trying to curl their esses properly and were able to spend more time on using the words effectively and getting their message across. (As a child, I was always told off for my poor handwriting and despite often sitting the last half of the lesson on extension work or bored out of my brain, I spent FOREVER going back and forth on "neatening" my handwriting instead of learning anything).

If a politician were to hand-write a policy now, they'd be a laughing stock.

If the law were written on bits of paper, it would be a mess.

The NHS has spent decades trying to digitise horrible, old, unreadable handwritten medical notes.

Every sign, poster, advert, article, etc. you'll ever read is type-set.

Pretty much the only hand-written thing you'll see is a Post-It and school-work.

I don't get why we do it. I don't get why we need technology to do it.

Like the quill, and stone tablets, and hieroglyphs, handwriting is dead.

4
5

Googley TENTACLES reach towards YOUR email

Lee D
Silver badge

Re: Opt Out?

That's not a problem.

Use one-time email addresses at your domains.

When they distribute your address against your will, you file a claim against them for damages.

I once had a company contact me to sell a very specific product. The email they sent to was one I'd only EVER given to a company selling that product, but both were completely different companies.

When I dug deeper, I got a very embarrassed managing director admitting to me that they'd "had an employee" take the customer database of the other company when they left them, they joined the new company, and they'd just spammed everyone in that database for custom.

I just passed it off to the ICO at that point.

16
1

Veeam lobs backup bombs, with Cisco lighting the fuse

Lee D
Silver badge

If you have Veeam, it means you probably have a virtualised server environment with some kind of network storage to push it to.

At that point, endpoint backup is worthless. You almost certainly are using the storage for data, replicated via DFS, you're backing up the VM's of the servers too to the same location, and you probably have client-deployment from network. As such, the clients are nothing more than fat terminals into your real system where the data and applications are stored. And everything else is in your network profile.

Not quite sure who this is targeting, as the places that have VM's backed up to network-accessible Veeam repositories almost certainly don't care about data on the client because it's all on the network anyway. And re-imaging the setup probably takes 20 minutes, if you have a brain, and uses built-in server tools.

0
4

Fancy six months of security nirvana for free? Read on...

Lee D
Silver badge

Re: @1980...

Not being funny but does Windows do any of that either?

I've never seen options in the Windows install process for screen-reading drivers or for even text-to-speech. Maybe if you bought it pre-set up, with JAWS, but otherwise how do you go about installing Windows like that? That's hardly a fair comparison.

And last I checked, Slackware had a particular install kernel and build just for screen-readers/text-to-speech and is (not entirely, but primarily) a CLI-based system. It appears that in 14.1 Speakup is part of the mainline kernel so it's not even a different kernel any more. If Slackware has it, I'm damn sure some of the more friendly distros must have options too.

But quite how often is a blind person going to be installing the OS from scratch on a computer they can't see? I wouldn't even like to try to get through initial Windows setup after a sysprepped install to a desktop they can start to install JAWS from, to be honest.

I'm sorry, but it's a very niche usage case and as such sees very niche usage and expensive equipment or not a lot of deployment and testing. How many blind people open up a DAB radio and can just get started, no problems? How many blind people can set up online banking for themselves without problems (with the key-code generators etc. nowadays)? I'm sure there are ways and means of doing those things that almost entirely consist of "let's avoid this and do it another way" or "let's get someone sighted in to do this".

Much as I might champion your independence, some things are just not built with you in mind and move too fast to always include and consider a niche usage.

0
1
Lee D
Silver badge

Re: BitDefender = Crap.

Upload random stuff to VirusTotal. Of the things that I know are definitely viruses, even plucked from a 20 year old inbox, about 25%-50% of AV just doesn't detect anything malicious at all.

The new stuff, you're lucky if one or two of the major AV vendors flags it.

Now go in (if it's something like a Javascript-based exploit, etc.), change a handful of variable names and condition checks at random, just enough to change the checksum but not enough to change the actual execution of the code, re-upload it and wait while all the AV vendors listed there see what they think of your file. If half of those that detect the virus detect your "variant" as well, I'll be impressed.

Generally speaking, AV sucks in this regard. And its entire premise is sold on this kind of thing not being possible (with all their "heuristics" etc.). Sorry, but it's baloney, and a quick jaunt through VirusTotal (which tested against something like 50 AV products) tells you that.

In fact, VirusTotal *IS* my virus detector. It's not an "anti-virus" because that's called "proper security", but VT does a damn good job of telling me whether a file is a known virus or not even if only 1/50 detection engines find anything malicious. I only use it when I have a suspicious file that I *must* open, as the first safeguard of many.

1
1
Lee D
Silver badge

Re: And just below this, in 'More from the Register...'

Amazed your comment was accepted.

Every time I point out similar things, my posts are moderated into oblivion.

5
1
Lee D
Silver badge

Re: What, like Mac users?

I've been a PC user since I was a teenager back in the DOS days. The only virus I've ever personally caught was one on demo of a game from a cover CD from a well-respected PC magazine (which shows you how long ago that was!). I manually cleared it myself seconds after I noticed it arrive on my PC and killed it off.

I upload things to VirusTotal if I'm at all concerned about them, and I just don't have anything that auto-executes anyway.

I have got a full antivirus suite (I bought the full version of Comodo Internet Security when ZoneAlarm no longer fulfilled my software firewall needs) and whenever I do bother to update it, I run a scan just in case. It usually finds a handful of dodgy JS files in the browser cache (that have never affected the browser anyway and are usually there but totally ignored by the browser), it throws a wobbly at some of the tools I deliberately have installed (Sysinternals PSKill, etc.), it picks up a handful of things in my archaic mailboxes (that go back to 1997) that I know about and can't be bothered to "clean" properly (usually attachments with JS that will never be executed anyway, and which were designed to infect IE on Windows 98...), and that's about it.

There's obviously plenty of these things around - in work, the Sophos goes mad on a regular basis stripping attachments out of people's inboxes - but if you have anywhere near a brain, they don't affect you or your users. I've taken complete messes of PC's and - because I'm around someone's house - even without all the proper tools it doesn't take much to clean them up to the point where you can slap on a free antivirus and purge whatever remains, no matter how bad they get. But I'm still not complacent with even my home machines.

I honestly get more false positives from things classed as "hacking tools" (like PSKill) etc. than anything else.

4
1
Lee D
Silver badge

Ever feel that The Reg is beginning to target the wrong audience nowadays?

6
1

Got iOS 8.3 installed? Pssh, you are SO last week… version 8.4 is out

Lee D
Silver badge

Tell me when they give controlled, as an authorised, enrolled, supervised access with profiles and MDM's for the damn basics.

For iPads, you cannot stop people putting a passcode on (e.g. kids in schools using iPads) and nor can you stop someone with the passcode from changing it. But resetting the passcode is a faff if you don't know what it is.

You cannot automatically install apps from your MDM without having the "install apps" permission. That gives anyone the right to install apps. Your only restriction is age-related, but most of the VPN apps advertised to "bypass all filters" are rated as 4+ and Apple refuse to deal with the problem (I have the email if you would like to see it). So basically any idiot can bypass your entire filtering with a free app.

You cannot prevent people changing the name of the device, removing or changing wireless network details (there are tricks with profiles and device "supervision" but they can all be got around), and a whole host of other features that have been there for years and which can wreak havoc on any managed device. For a while, there was nothing stopping someone setting web restrictions and then "failing" the login for several dozen tries until the "next attempt" you were allowed was sometime next month. Now they have an option for "on/off" but still no way to override it or clear it if it does get turned on (short of resetting and reinstalling the entire iPad).

And why? Because all the MDM manufacturers can ever do is what's specified in the MDM API and it doesn't let you do half the stuff you want to do. And when it does, it only does so in such a way that there are myriad knock-on effects from assigning that permission. And usually it involves putting supervision on and off which requires physical USB connection to a particular nominated Apple server.

It's like group policy, but from back in the 90's when group policy barely let you change any options you needed to and so you ended up with logon scripts and third party utils. Except you can't put on any login scripts or third party utils that change those settings - at least not in a way that they can't be removed or reset or otherwise cleared off.

Apple devices are not fit for use for many of the jobs they are sold for. Things like the email client are chicken feed in comparison to the time and effort wasted trying to stop users turning on simple options. But, hey, we can have Family Sharing which we'll prompt you for every so often until you turn it on with no way to turn the prompt off until someone agrees to set it up.

3
2

Android gets biometric voice unlocking

Lee D
Silver badge

Yesterday, our in-house Apple expert discovered that if he says "Call <name>" to his iPhone, that it automatically dials that number and then, when answered, puts the speakerphone on without confirmation or audio feedback. Whether it's locked or not.

I'm pretty sure there must be an option there somewhere (and if not, disabling that annoying Siri thing), but this kind of stuff is stupid to have the possibility of unless there's a clear indication that the phone is listening. You've only got to enable that option by accident (easily done on a touchscreen in your pocket over time or if you have a co-worker "borrow" your phone) and you can be in trouble.

2
1

Because the server room is certainly no place for pets

Lee D
Silver badge

I'm a firm believer in "If it ain't broke."

The problem comes from any sort of contingency plans, however. You always have to think "What happens if?". The scope of that varies based on the need and criticality of the system, but that often involves the question "What if everything goes and we have to start again from bare data?" If the only answer is "We have to rebuild it exactly as was", then that's a risk. The chances are you may not be ABLE to do that in the future, even on an existing supported system.

It's not a lack of skills, necessarily (though I've witnessed that too, and been brought to workplaces where nobody virtualised because nobody knew it was possible!), but a lack of foresight.

The problem also comes from "migration". That suggests, in computer terminology, a "move". Removing what you have, putting it elsewhere, losing the original. That's a STUPID migration strategy.

But there's nothing stopping a co-existence between the systems while wrinkles are ironed out. That's the PROPER way to do anything. Run both systems in tandem, actually feed the live data into both even if only one actually gives the outputs to other working systems. Check that both systems handle the same things in the same way within the same timeframe and are equally reliable before you THINK about switching the old one off. In that circumstance, there's no reason to avoid such migration.

However, virtualisation has its advantages to virtually (sorry!) every user. It's just a matter of getting there. I've yet to see somewhere that wouldn't benefit from virtualisation, to be honest. They may not want it, it may not be justified cost-wise against their existing systems, but it's incredibly hard to find somewhere that wouldn't see the benefits.

And, sorry, but IT moves fast. Although I'm a stalwart and constantly get ribbed for holding back on new technologies, both personally and professionally, you do have to move on at some point. And it's at that point that you'll wish you'd virtualised years ago. Virtualisation is as old as the hills, itself, precisely because it's such a wonderful and established technology.

Migrating a large physical system is a scary prospect, but it's like emulation - we do this to preserve the system, to provide rollback, reproducibility, guaranteed knowledge that it's a working system once we get it up, and that we can get it up on any hardware that passes our way. The move from physical to virtual is horrendous, scary, prone to error, etc. But you never hear of people going back from virtual to physical systems, or struggling to move or upgrade their virtual systems around once they are there.

Virtualisation is a technology that won't die yet, and for good reason. Stay on your old systems as long as you like. They'll work. But run them on modern, supported, warranted hardware that you can get hold of in a jiffy and doesn't cost a fortune to support. And then when you want to upgrade, you can, safe in the knowledge that the old system is only a rollback/checkpoint away - exactly as you'd left it. Hell, even exactly as you left it the last day it was a physical system, if need be.

6
1

Cisco and Level 3 team up to squash brute force server hijackers

Lee D
Silver badge

It might get individual attackers but entire botnets? No.

I've seen co-ordinated attacks from botnets where hundreds of separate and geographically-disparate systems will coordinate on the same username list to brute force the password.

For my systems, SSH is administrative use only, so it got put behind port-knocking. Mail collection from that machine is administrative only, so it got put behind port-knocking. Users who need it can be bundled with a port-knocking utility that runs on logon quite easily.

I'm not suggesting it for mass-email servers, but those should be managed properly anyway. However, for all those other servers that are offering SSH for administrative purposes, hiding them behind either a different port number or port knocking cuts out brute-force attempts immediately.

Your solution relies on a single attacker only ever coming from a single IP. Even with your rate-limiting, a botnet of anywhere near decent size could still perform several million attempts a day just by handing off portions of a brute force task to a few thousands of its machines. And the chances of you picking up on it are even less, and the chances of blocking it (without affecting legitimate users) are near-zero.

I'm fast moving all external provided services to be behind the VPN for known users. There are few devices these days that can't handle VPN'ing in to get a job done. For public-facing services (website HTTP, SMTP) rate-limiting is all you have and only keeps the most stupid of brute-forcing idiots away. However, for my use (where my personal server is only logged into by me, but potentially from multiple locations unknown beforehand) I find port-knocking the middle-ground that stops all brute-forcing while allowing me - with one extra click - to get everything I need access to. At work, anything critical is behind the VPN and the VPN is certificate-managed and rate-limited.

0
1
Lee D
Silver badge

Re: Use pam to put a wait time between logins

Only if they stay on the same IP address?

When I do log packets for debugging, I see thousands of hosts all co-operating to try different sections of the same username list simultaneously. They are obviously compromised machines (loads of dynamic IP's and web-servers etc.) taking part in a co-ordinated botnet much as the article describes. The same is true for HTTP, POP3, IMAP, SMTP and SSH brute-forces and you can see the same set of attempted usernames/passwords go past sometimes.

The only way to stop THAT is to block access to unknown IP's (stupid, counter-productive) or allow your own users to be DoS'd because there's been X thousand attempts in the last hour from the rest of the world.

This kind of rate-limiting is fine for individual, sole workstations attacking you but is ineffective against any kind of co-ordinated botnet. Hell, just the IP range of something like Amazon Cloud can be so huge that you could end up with millions of attempts even with all your rate-limiting.

0
1
Lee D
Silver badge

Don't leave SSH ports open to the Internet and demand public-key authentication for all users.

I thought this was standard practice?

(That said, I used port-knocking for my servers just to stop this junk... there is no POP3/IMAP/SSH/etc. port to contact on the server at all until you "knock" the server, and then they are only open for your IP and no others... the space and hassle saved on logs, connection limiting, etc. are worth the "apt-get install knockd" and the one-file setup alone, and I don't need to worry about IP whitelists, what happens if I come in on a foreign IP, and even my smartphone has port-knocking apps that tie into ConnectBot so you can still SSH in with one click yourself anyway. No more "secure", technically, but just a lot more closed-off from public view preventing brute-force attempts entirely and filling my logs with spam).

0
1
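A detection-side illustration of the point made across the three posts above (a per-IP lockout rule never sees a botnet that hands each node one attempt, while grouping failures by the targeted username across distinct source IPs does), added here as example code that is not part of the original comments. The sshd log lines are constructed samples and the thresholds are illustrative assumptions.

```python
"""Compare a per-IP lockout rule with username-centric detection on sshd logs.

Added example (not from the original comments). The constructed log below
contains one clumsy single-host attacker and a 12-node botnet that gives each
node a single guess against the same username. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the common sshd failure line, e.g.
# "Jun 30 10:15:02 srv1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines, year=2015):
    """Yield (timestamp, user, ip) for each failed-password line; other lines are ignored.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def per_ip_lockouts(failures, max_failures=5, window=timedelta(minutes=10)):
    """fail2ban/pam_tally-style rule: an IP with more than max_failures failures
    inside `window` gets blocked. Returns the set of IPs that would be blocked."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    blocked = set()
    for ip, times in by_ip.items():
        times.sort()
        # the (max_failures+1)th failure landing within `window` of an earlier one trips the rule
        for i in range(len(times) - max_failures):
            if times[i + max_failures] - times[i] <= window:
                blocked.add(ip)
                break
    return blocked


def distributed_campaigns(failures, min_ips=10, window=timedelta(hours=1)):
    """Username-centric rule: flag a username targeted from at least min_ips distinct
    source IPs inside `window`, however few attempts each IP makes.
    Returns {username: sorted list of participating source IPs}."""
    by_user = defaultdict(list)
    for ts, user, ip in failures:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _ip) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def build_sample_log():
    """Constructed sample sshd log (RFC 5737 documentation addresses, no real hosts)."""
    lines = []
    base = datetime(2015, 6, 30, 10, 0, 0)
    stamp = lambda t: t.strftime("%b %d %H:%M:%S")
    # single noisy host: six failures against 'admin' within two minutes
    for i in range(6):
        t = stamp(base + timedelta(seconds=20 * i))
        lines.append(f"{t} srv1 sshd[4102]: Failed password for invalid user admin "
                     f"from 198.51.100.9 port {40000 + i} ssh2")
    # botnet: twelve hosts, one 'root' guess each, spread over half an hour
    for i in range(12):
        t = stamp(base + timedelta(minutes=3 * i))
        lines.append(f"{t} srv1 sshd[{4200 + i}]: Failed password for root "
                     f"from 203.0.113.{i + 1} port 51000 ssh2")
    # a successful key login and a genuine user mistyping once (both must not be flagged)
    lines.append(f"{stamp(base)} srv1 sshd[4300]: Accepted publickey for lee from 192.0.2.10 port 50010 ssh2")
    lines.append(f"{stamp(base + timedelta(minutes=5))} srv1 sshd[4301]: Failed password for lee "
                 f"from 192.0.2.10 port 50011 ssh2")
    return lines


def analyze(lines):
    """Run both rules over the log and return their findings side by side."""
    failures = list(parse_failures(lines))
    return {"blocked_ips": per_ip_lockouts(failures),
            "campaigns": distributed_campaigns(failures)}


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("per-IP rule would block:", sorted(report["blocked_ips"]))
    for user, ips in report["campaigns"].items():
        print(f"distributed campaign against '{user}' from {len(ips)} hosts")
```

The per-IP rule catches only the single noisy host; the twelve botnet nodes each stay under its threshold and are visible only when failures are grouped by the username they share.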

Foreign firms must obey EU laws no matter where they're based, says EU. Hear that, Google?

Lee D
Silver badge

Quite right.

No matter where your headquarters are, if you are TRADING in the EU, under whatever sector, you are bound by EU law.

And, with "google.co.uk" etc. not to mention all their advertising business targeting and taking money from UK customers, they are certainly trading in the EU even if they are an American/Irish company.

The tax law might be complex in such areas, but the consumer law isn't. Enforcement might be tricky but nowhere near impossible, as Microsoft found out despite only having the same US/Irish presence.

12
2

Wi-Fi hotspots can put iPhones into ETERNAL super slow-mo

Lee D
Silver badge

Re: re: Lee d

You don't.

An unencrypted (passphrase-less) or well-known-passphrase network is inherently susceptible to SSID duplication attacks. You just set up an SSID with the same name and same passphrase and people will join it unless they happen to know the original BSSID (which nobody publishes or takes any note of).

This is why PSK is pretty insecure for such things and why ALL public wifi with well-known passphrases is just basically an open connection that should be firewalled off, VPN'd through or limited to SSL-based usage only (even there, there's the possibility of DNS-spoofing until we get DNSSEC and SSL is heavily tied into DNS being authoritative).

But that's not the point. Not only are you joining a wifi network, you are then accepting a pushed profile onto your machine. This is akin to installing a piece of software - it's like going on Starbucks' wifi and then your browser is replacing your page with a downloaded executable that you then blindly run.

1) Stop using public wifi as any type of trusted network. If you have the passphrase, so does everyone else, and they can spoof the network and/or decrypt your communication anyway. Public wifi is untrusted, hostile, Internet. That's all. No matter what else they tell you. Until they start issuing proper signed certificates etc. to prove they are the original network (which is a nightmare for client installation), they aren't secure. And the closest "security" they can have is to tell the owners (if they bother to look) that there's an identically named network with the same passphrase nearby. In very expensive Cisco Meraki networks that are deployed in such places, you get an email alert as an administrator and you can try to "contain" the network (which means blast it off the airwaves with client disassociation messages, as far as I can tell).

2) Don't install things that just pop up unexpected. Profile installation is a system-level action on Apple devices, and profiles are capable of installing any amount and severity of settings. You cannot install one "accidentally" without clicking through a lot of scary dialogues.

This isn't a "stupid-Apple" attack (and I am quite happy to jump on those normally, as I hate all Apple products with a vengeance and have NEVER owned a single one). This is a "stupid-user" attack. If you perform similar actions on any other OS, the same problem will occur, vulnerability or not. You're taking incredibly stupid and high-end actions on your system based on something random and untrusted popping up on your screen despite lots of large scary warnings.

4
2
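The "identically named network nearby" alert the post describes rests on one fact: with a public SSID and passphrase, only the BSSID (and the advertised security mode) distinguishes the genuine access points from a copy. The following is an added example, not code from the post or from Meraki or any other vendor: given a constructed inventory of the owner's own access points and a constructed scan, it flags every AP that advertises one of the owner's SSIDs from an unknown BSSID, and separately flags an open copy of a WPA2 network. All names and MAC addresses are made up.

```python
"""Flag access points advertising one of our SSIDs from a BSSID we do not own.

This is the owner-side check behind a "duplicate SSID nearby" alert.  The
SSID and passphrase are public knowledge, so only the BSSID and the security
mode tell the genuine network from a copy.  The inventory and the scan
records are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    channel: int
    security: str  # "open", "wpa2-psk", ...


# Our own access points, per SSID (constructed inventory).
KNOWN_APS = {
    "CoffeeGuest": {"security": "wpa2-psk",
                    "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}},
    "CoffeeStaff": {"security": "wpa2-psk",
                    "bssids": {"00:11:22:aa:bb:03"}},
}

# Constructed scan: two genuine APs, a WPA2 copy of the guest SSID from a
# foreign BSSID, an open copy of it (a downgrade twin), and a neighbour's net.
SCAN = [
    ScanRecord("CoffeeGuest", "00:11:22:AA:BB:01", 1, "wpa2-psk"),
    ScanRecord("CoffeeStaff", "00:11:22:aa:bb:03", 6, "wpa2-psk"),
    ScanRecord("CoffeeGuest", "de:ad:be:ef:00:01", 11, "wpa2-psk"),
    ScanRecord("CoffeeGuest", "de:ad:be:ef:00:02", 11, "open"),
    ScanRecord("NeighbourNet", "66:77:88:99:aa:bb", 3, "wpa2-psk"),
]


def find_rogue_aps(scan, known=KNOWN_APS):
    """Return (bssid, ssid, reason) for every AP that looks like a copy of ours.

    reason is "unknown-bssid" for a foreign radio using our SSID, with
    "+security-mismatch" appended when it also advertises a different mode
    (an open twin of a WPA2 network is the classic case), and
    "security-mismatch" alone when one of our own BSSIDs is seen with the
    wrong mode (misconfiguration, or a spoofed BSSID)."""
    findings = []
    for rec in scan:
        entry = known.get(rec.ssid)
        if entry is None:
            continue  # not one of our SSIDs; nothing to impersonate
        bssid = rec.bssid.lower()  # MACs compare case-insensitively
        if bssid not in entry["bssids"]:
            reason = "unknown-bssid"
            if rec.security != entry["security"]:
                reason += "+security-mismatch"
            findings.append((bssid, rec.ssid, reason))
        elif rec.security != entry["security"]:
            findings.append((bssid, rec.ssid, "security-mismatch"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN):
        print(f"ALERT {ssid} from {bssid}: {reason}")
```

Note what the check cannot do: a client joining the network has no inventory to compare against, which is the post's point about treating such networks as hostile. "Containment" by disassociation, as the post describes it, is an action on the owner's side and is outside this example.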
Lee D
Silver badge

So if you convince users to join a rogue wifi network, and then to install a profile when prompted, then they could do nasty things on your computer?

Well, duh.

Similarly if you convince Windows users to join a wifi network and then to install a program when prompted, then they could get nasty things on their computer too.

2
2

Aluminum bendy battery is boffins' answer to EXPLODING Li-ion menace

Lee D
Silver badge

Re: So just what does 'charges in minutes' mean?

"Quick charging" claims are always bogus.

The only way to manage that is to have incredibly high voltages involved, which become a danger themselves as that allows them to arc more easily. So you'd need something like a 400V battery to make it sensible, and step-down circuitry in a mobile phone to get it back to sensible levels.

And the batteries we use every day, worldwide, tend to be thoroughly in the stupidly-low-voltage ranges. 12v is common, 24v is around but less common, anything higher is considered "specialist" and usually purely to avoid high currents as you specify (most larger home solar installations are 24v purely because it then halves the current so you can still use the same cables/charge controllers without having to upgrade - in some models, the charge controller and cables are identical between kits and you just change the batteries for 24v batteries as you expand the system capacity).

Your house probably only has 100A incoming at most. You're basically saying that you're going to deliver enough current - for a short time - to power your entire house. You're talking bomb-level energies here if that goes wrong.

There's a reason that even electric car chargers are still basically 240v (or even 400v) and HOURS of charging. I have a 32A commando connector (building site 220v connector) on the side of my house. It powers a 20A electric kiln to 1600 degrees. It's a scary amount of energy, and a scarily thick cable to do so safely, and cable thickness is related only to current, not voltage - I^2 * R. I could charge an electric car with it and it would still take hours. And, yes, that's 240v but the reason we use 240v is PURELY to decrease the current-carrying-copper-thickness required for currents (at 12v AC with the same power, we'd be pushing 20 times the current, up to 260A, just for a normal 13A appliance - and 260A requires something ludicrous like a 30mm-thick conductor for each part of the cable).

What they are suggesting is that your mobile phone charger would somehow build up that amount of current (I assume it would build it up over time and then deliver it in one quick charge, like electric welding kit, as otherwise it would just fuse your house) down a tiny cable into a tiny battery, and get the charging time EXACTLY right and be able to detect faults quick enough to stop before the battery blows.

It's ALL a nonsense.

Quick charging won't happen until we have high-voltage batteries, chargers and convertors small enough to put in the devices in question. We haven't bothered to do that for electric cars yet, so fast-charging of mobile phones or AA's is still a nonsense. There's a reason your laptop batteries are 19v, because that keeps the amps down (2-3 in your average laptop?). At 12v, the same power would draw up to 5A, which needs thicker conductors throughout.

Increased power = increased current or increased voltage.

increased current = thicker cables

increased voltages = more difficult voltage step-downs, less common hardware, greater arcing distance, etc.

There's no way around it.

0
1
Lee D
Silver badge

I don't think you want a structural component to be at anything above ground, and you certainly don't want it to be part of a reaction.

It will either (depending on which end of the connection it is) lose integrity, or gain potentially conductive traces, while also reacting with things around it, modifying its properties depending on its charge state, and try to discharge into any and all connected metallic structures.

You really *DON'T* want to be using the structural parts of an aircraft for anything other than structure.

There's a reason that you earth just about everything you can, and the first thing you do on landing is earth again.

1
1

Ex-cop: Holborn fireball comms outage cover for £200m bling heist gang

Lee D
Silver badge

"Alarm"

"BT outage"

Join the dots.

5
1
Lee D
Silver badge

What are the chances that the "alarm system" was somehow tied into those BT lines affected by the outage?

11
1

Oh no, Moto! Cable modem has hardcoded 'technician' backdoor

Lee D
Silver badge

Have always done this.

As far as I'm concerned, a modem or cable router or ADSL router is just a modem. It's also the "hostile" side of the network. Invariably I then plug it into a real router/firewall that I have control over. Historically, for both work and personal, that's been everything from a Freesco single-floppy-linux router, to Slackware distributions, to WRT54G's with custom firmware, you name it.

Currently my Virgin Superhub is in modem-only mode and goes to a proper firewall. Even then, doing something like DMZ'ing my machine to the world would trigger the software firewall on the individual clients too (not to mention the IPS on the firewall). Hell, for many years I used to VPN across my internal home wireless network because WEP couldn't be trusted and WPA2 was too expensive to deploy. And I'm a gamer and it barely added 1ms to my gaming pings, even over wireless, even with all the house machines doing the same (so there's really NO excuse).

Sure, you might get into my modem, but the modem isn't party to anything SSL-encrypted anyway, and all unencrypted stuff I assume is perfectly sniffable by anyone else on the net - if they are in my modem or not! And trying to get into the local net from there will be blocked just as any other malicious traffic coming from the Internet.

I deploy work and home networks this way precisely because of problems like this. You can't trust the cheap routers you're given by your ISP and you can't even go out and buy a decent home router and trust that alone.

At my previous workplace there was still a pile of untouched BT ADSL2 routers in their boxes and wrapping because we never used them. Their replacements were pure modems that didn't try to offer their own wireless / BTOpenZone, etc. that went into a Linux router with multiple Ethernet cards, which secured the 500 users behind it and load-balanced the connections.

At this workplace - same thing, but with a set of Cisco routers doing HSRP failover in between so the Linux machines don't have to.

Even bridging / modem mode, however, is not a defence in itself - in the same way that it's possible for YOU to turn it back into a router with DMZ to the network, it's possible (theoretically) for an attacker to do the same. Virgin SuperHubs still offer a web interface on 192.168.100.1, I believe, that lets you turn modem mode off and the firmware auto-updates. One slip in that configuration and you have a modem that's working against you.

Always put something in front of it, even just for one machine. And if WPA2 is ever weakened, investigate putting VPN over local wireless links. It costs nothing with OpenVPN, IPSec functionality in Windows, etc. And when, as often happens for me in work, you come up against odd traffic flows you have a machine on the border already that you can analyse traffic from without needing to port-mirror or use DMZ etc. to diagnose it.

8
1
