Re: Security did no homework, just gut reaction
Defcon security did get involved and cleared out the issue.
There’s DEFCON China now, but if anything that’s an actual oppressive regime you’d be dealing with.
StarTac probably didn't make it to the UK due to it being an analog phone (AMPS/NAMPS) released at a time when the EU had already jumped to GSM.
As for iPhones: I just upgraded from the 5s to a 6s. Why? Because the 6s is the last one that has the jack, and the 7 and 8 are still stupidly expensive at this point. And the X is already a non-starter as it removed the Home button and it has that horrible notch thing. I can cheer for Apple though, thanks to the X any non-X iPhone user is now less prone to being mugged or getting their phone stolen. The X is now the ultimate "mug me, I'm rich!" sign.
Other than that, I find it really dumb to splurge so much money on a smartphone. Especially when it's ugly.
I wouldn't sic Lennart Poettering even on my worst enemy. He's already ruined my formerly favorite OS with systemd, I'm not letting him touch anything related to computers.
Well, the old school Blackberry OS did have quite a number of apps, and at some point they were very useful for everyone. But they fumbled because the Blackberries were horribly underspecced and the "classic" OS was slow as hell. By the time they pushed out BlackBerry 10 it was too late, and their "clean slate" approach to apps (instead of offering a migration path) pretty much doomed them at a time when iOS and Android were taking the top spots for devs. Had they released BB10 back in 2009, when they were still one of the top players, they might've survived.
Hell, Nokia was on the right track on this; they were improving Symbian and cooking up a Plan B OS (Maemo, Harmattan) in case Symbian didn't survive. They were even looking into a migration path from Symbian to Maemo/Meego/Harmattan. It wasn't until Elop came in and set everything on fire that Nokia went down hard. All because Elop had to Borg Nokia for his Microsoft masters. Fortunately Nokia was able to jettison the diseased arm before it took them down.
But then, there's many of us who don't give a crap about apps. We just want a mobile phone to use as a phone, not some dinky, overpriced, portable computer.
That doesn't counter the previous user's comments though. He specifically mentioned a Smartphone, not a regular phone. If you want just the phone part of the thing, that's what feature phones, or even dumb cellphones are for. They're even coming back, through the revived not-quite-Nokia resurrection which is now free from Microsoft's claws.
There was some experiment a couple of years ago (2010) where whoever owned the 184.108.40.206/8 block experimented with advertising the 220.127.116.11/24 and 18.104.22.168/24 routes to the 'net. They got hit with a massive flow of garbage traffic due to these kinds of stupid configs. It was so bad that they had to give up using those blocks. Wonder if that has been "solved" recently?
And where does your DNS get its resolution from? What is its parent? Or are you one of those muppets that are hammering the root servers directly?
Proper DNS implementation should be hammering the root servers directly. The only time you should be using a "parent" DNS is when you have your own complex DNS infrastructure inside the organization. Most orgs only have one or two DNS servers, in which case using the root.hints is the proper way of doing stuff.
Double down is recognized by pretty much anyone.
I'd rather not have California secede, precisely because they serve as a counterbalance to the Trumpster madness in the rest of the US.
They're not alone, the Northeastern Corridor also keeps mostly blue, but their 55 EC votes are necessary.
Ok, my previous comment may have sounded like unfounded hate for the platform ... but that wasn't the case in the beginning. Remember HPCs? Those sounded awesome, and that was what Windows CE was made for. I even owned an HP Jornada at some point, which was pretty good for its time. I was more of a Palm guy myself, but those ceased to be good when they went WinMo. The HP Jornada, however, never ceased to be good.
I actually think that the downturn came around the time they decided to morph Windows CE into Windows Mobile. From there they started doing weird things with the platform, then decided to kill it and create Windows Phone ... and everything from there was just pure crap.
I had quite a number of friends using Windows Mobile phones, mostly latecomers to Palm and a couple of pre-Android Samsung handsets. I only got to see a single person using a Windows Phone handset, and he hated its guts.
Their mentality was as though they had dominance. It was so arrogant, it was embarrassing. One of the (many) things that's made me move away from Windows development.
They're used to that arrogance; somehow they don't realize that outside of the desktop/laptop PC OS and office productivity software, they're far from being the predominant player.
See how they pissed away their market share by trying to pull off the DRM fiasco and then ram Kinect down everyone's throats. By the time they relented, it was too late and the PS4 was outselling them 2:1. Even the Switch has sold more units, and that platform was released years after the XBone(d).
Agree with everything but this:
Kill Windows Mobile which with proper development would have been a major competitor for Google / Apple
Nope, Windows Mobile was a stillborn platform. Only Microsoft could believe that anyone would voluntarily get suckered into "that shit OS that always crashes on PCs". They went through many iterations of it and all of them failed. Windows CE. Windows Mobile. Windows Phone. Windows RT. The only thing where they succeeded was in killing any sucker that bet on the platform for their hardware: Sendo, Palm, Nokia. At least Nokia was able to jettison the diseased post-Elopocalypse crap before it took them down.
It's Hackerman, he hacked too much time!
Mine's the one with the Kung Fury logo.
I suspect this article caught the eye of the MRAs, MGTOW and their ilk, which would explain why the comments section seems odd compared to the regular commentards.
> If you even remotely care about security, you’ll need to check the client certificate at the firewall
You can't do that unless your firewall is performing a man-in-the-middle attack on the session - that is, spoofing a false server certificate back to the client, which the client is configured to trust.
Both are sort of right. You can check both client and server certificates at the firewall, because at that point, the communication is still being made in cleartext. Certificate exchanges are sent as part of the initial handshake. Firewalls are capable of MITMing stuff... however, parsing an X.509 certificate and validating it is going to be resource intensive. It's less the job of a regular firewall and more of an IDS/IPS thing, and even then it's going to be so resource intensive that it'll slow down all outgoing traffic. Why? Because you'll need to check all outgoing traffic, see if it's an SSL/TLS handshake, then check the handshake itself, parse the X.509 certs, validate them... you get the idea.
This is going to suck, because the only way I see this being mitigated is by forcing all traffic to go through proxies, then having those proxies offload all CONNECT requests to an IPS. There's a lot of software out there that shits itself whenever you try to make it go through a proxy...
The certificate contains the data because that way, you can initiate a TLS connection, have it fail and the firewalls and IDS/IPS systems will only register a failed connection. However, the data dump will already have been sent.
It's sending information on a channel nobody's expecting to actually contain data.
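The handshake inspection described in the posts above, as an added example that is not part of the thread: a minimal parser for a TLS 1.2 record carrying a Certificate handshake message, reporting each certificate's DER size so an IDS rule can flag entries far larger than any plausible certificate. It assumes TLS 1.2 (certificates still in cleartext), constructed sample bytes rather than a real capture, and a 4 KiB threshold chosen here as an assumption.

```python
# Added example, not from the forum thread. Sample bytes are constructed.
import struct

TLS_HANDSHAKE = 0x16
HS_CERTIFICATE = 0x0B
MAX_PLAUSIBLE_CERT = 4096  # assumption: leaf/intermediate certs are usually 1-3 KiB


def build_certificate_record(certs):
    """Construct a TLS 1.2 record wrapping a Certificate message (test data only)."""
    body = b"".join(struct.pack(">I", len(c))[1:] + c for c in certs)   # 3-byte lengths
    cert_list = struct.pack(">I", len(body))[1:] + body
    handshake = bytes([HS_CERTIFICATE]) + struct.pack(">I", len(cert_list))[1:] + cert_list
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def certificate_sizes(record):
    """Return the DER length of each certificate in the record, or None if the
    record is not a handshake record carrying a Certificate message."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CERTIFICATE:
        return None
    payload = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(payload) < 3:
        return None
    pos, end, sizes = 3, 3 + int.from_bytes(payload[0:3], "big"), []
    while pos + 3 <= end:
        n = int.from_bytes(payload[pos:pos + 3], "big")
        pos += 3
        if pos + n > end:
            break  # truncated or malformed entry: stop rather than over-read
        sizes.append(n)
        pos += n
    return sizes


def suspicious_certificates(record, limit=MAX_PLAUSIBLE_CERT):
    """(index, size) for every certificate bigger than the plausibility limit."""
    sizes = certificate_sizes(record)
    return [] if sizes is None else [(i, n) for i, n in enumerate(sizes) if n > limit]


# Constructed sample: one plausibly sized "certificate" and one bloated one.
# Neither is real DER; only the length framing matters to the parser.
NORMAL = b"\x30\x82" + bytes(1200)
BLOATED = b"\x30\x82" + bytes(12000)
SAMPLE_RECORD = build_certificate_record([NORMAL, BLOATED])

if __name__ == "__main__":
    print(certificate_sizes(SAMPLE_RECORD), suspicious_certificates(SAMPLE_RECORD))
```

A real sensor would also have to reassemble fragmented records and decide what to do with TLS 1.3, where the Certificate message is encrypted.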
On a side note, whatever happened to LOHAN?
There hasn't been an update since 2016.
Lester died in 2016; thus the project died with him.
Ah, someone has been paying attention to the internal Office version shown in the Registry.
OSX user here, and it's a vulnerability. It's probably somewhat mitigated in the sense that setting a password for root plugs the hole, but it's still an embarrassment. Not sure if it's remotely exploitable, which would be bad. If it allows for su - without a password, it's probably bad, but it would still require someone to log in with a valid username/password before exploiting it.
If someone already has physical access to the system, there are larger issues at hand.
I did use that reference when I retweeted it.
I hope he doesn't lose his flight status due to that dick move. He's pretty talented to be able to draw that dog with his dong^Wjets, I mean, jets.
X.509 *certs* are usually valid for 1 or 2 years. The actual keys can be reused and in fact many companies do so because they don't have to generate another CSR if they do so. Bad practice? Sure. But not uncommon.
Now that made my day! And also buy a new keyboard!
Internet recovery is only used if the user explicitly chooses it, or when there is no recovery partition on the HDD/SSD.
I knew I couldn't be the only one mad at this change. I actually held off upgrading to El Capitan because of it. Ended up jumping from Yosemite to Sierra in April because APFS was actually piquing my interest. I didn't really expect it to be released with these kinds of bugs, though.
So I guess we now know where the BOFH is working at these days!
Mobile operators have been clinging desperately to physical SIMs in order to prevent customers from switching easily.
Quite the opposite. Mobile operators would love for someone to make non-removable SIMs a thing as that would mean they would get handset lockdown for free. That's what used to happen in the pre-GSM world, and what has been going on for decades in the US with the horrible CDMA carriers.
I hope this crap doesn't take off, because the moment this jumps into GSM handsets, operators will lock 'em down hard. And all because Apple has to keep their control freakery alive.
First learned about them thanks to Quest magazine, which showcased how they worked. Though I had seen them in the Snoopy feature where the Peanuts gang goes to France. Back then, the magazine was also talking about a huge engineering feat: the construction of the Chunnel.
Given that the examples for social networking they used are far from being the predominant players anywhere (even Google has realized that Google+ is just not going to take off), it'll probably be dismissed.
I've got a 5s as well, and it still works pretty well; I got mine in 2015 as I didn't want the monster sized screens. It still works, the only caveat being the 16 GB storage (should've gone for 64 GB) but other than that, it works. And yes, I've got the latest iOS version installed.
Compare to my wife's Huawei, which is sluggish and keeps crashing even though it's just a year old.
Honestly the only ones I haven't seen go bad are the Samsung phones. Most cheap android devices just stop working as intended after the first year.
Ask Karen Silkwood how that works out.
Please don't talk about those. I consider them the reason why Nokia nearly died, as they were the ones made after the Elopocalypse.
Ah, I thought I was the only one keeping to RHEL/CentOS 6 to avoid the systemd crap. I'm using a mix of ext4 and xfs on those systems. :)
Light years ahead of anything Windows can do.
Everything is light years ahead of anything Windows, period.
As for snapshots, that's available on ZFS too, mostly because btrfs was originally born as an Open Source equivalent to ZFS, mostly sponsored by Oracle. But then Oracle bought Sun and they got access to ZFS, so btrfs was "no longer important". :(
I did try btrfs at some point, but it just didn't work well, so I had to move to ZFS. The latter is supported on pretty much every single OS except Windows (again, everyone's light years ahead of Redmond's OS) so it also serves as a multiplatform FS.
For a start. The very founding principle of ZFS (that many people forget) is that it was designed as, and continues to be maintained as a JBOD DAS file system.
This is actually a feature. You simply stick disks into your system, and set up zpools with RAIDZ1/2/3 instead. You'll get exactly the same functionality offered by RAID5/6, but without the dependency on the RAID controller. Ever had a RAID controller failure? Back in 2009, I found out that fakeraid controllers do weird stuff and thus their "RAID" arrays can't be read by other controllers, only the ones from the same brand/chipset you originally used.
ZFS pools can be imported to any system and will always work.
So yes, I'd rather have ZFS on raidz2 than a RAID controller that might leave me SOL if it breaks down and I can't get the same chipset when it does.
It's the caterpillar drive, of course!
This kinda makes me feel better that I didn't make it to DEFCON 25. But damn, this has all the hallmarks of sloppy investigation. Why would a malware author willingly travel into the US?
I know a lot of people that aren't ever going to let go of cash.
Every time I read "cheque" in an English article, I'm wondering if Spanish is really taking over the language...
Y'all be joking about 1234 as a password, but I once worked at a place where the "secure" default password was 1223, because "everyone might try 1234, but they won't think about 1223! See, secure!"
Please just kill the ducking thing. Get rid of systemd and bring back upstart. This is getting stupid.
I actually know some companies where your login is your employee id. Yes, including in UNIX systems.
Having worked in some fairly large enterprises, I have typically seen from 100% Windows to about 60-70% Windows. That's including ~1,500+ server estates with ~1k Windows and ~400 Linux - the rest were either big strange beasts (mainframe and similar) or VMware hosts.
Financial sector here. Large banks, and I mean large enough to be known globally, have all their stuff running on UNIX. At a certain bank where I worked, the majority of servers were Sun hardware running Solaris, IBM blades running Linux, and a dozen Windows servers used as domain controllers. And of course, the core systems running on IBM Mainframes.
But really, the ratio of UNIX-to-Windows was something like 300 to 10, and I'm probably being generous to Microsoft.
Someone was wearing the Microsoft-tinted glasses when they made those stats.
Any going forward with RISC non-Craptel stuff is good. :)
Remember, this is the company that came out with the Ribbon, the Windows 8 UI and thought that anti-consumer DRM was an awesome feature for their next generation gaming console.
Also known as the Xbox moment, when you realize that your shit sandwich only made everyone flock to the PS4.
There's an emoji for that!
Actually, a properly configured Linux system has user directories permissions set as 640 by default.
Biting the hand that feeds IT © 1998–2018