* Posts by Daniel B.

3141 posts • joined 12 Oct 2007

Apple gets around to fixing those 77 security holes in OS X Yosemite

Daniel B.
Boffin

EFI Update

There's another very relevant update: they've finally fixed the EFI bug where EFI flash can be overwritten after waking up from sleep, as the areas that should be write-protected are flipped back to read/write when sleeping, but not turned back to read-only upon waking. Whoops!

3
0

Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X

Daniel B.
Boffin

Re: Whooooops!

> Apple currently still has, on its app store, an app expressly stating that it is intended to be used to "bypass your school filter", etc. It's as simple as installing it, and you get full, free, VPN access to the outside world that's almost undetectable.

If your school system can't stop VPNs, you're doing it wrong. Pretty much any corporate network I've had to plug into has blocked pretty much all VPN connection methods. Some proxies are even smart enough to detect "SSL" connections that have been transferring far more data than what a regular HTTPS request would require and cut off those connections.

6
1
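
The "proxies smart enough to notice an SSL connection moving far more data than a web page needs" idea from the comment above, written out as detection logic. This is an added example, not code from the poster or from any proxy product: the log format, the sample lines and the thresholds are all constructed for illustration, and a real deployment would tune the thresholds against its own baseline traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed proxy log in a simplified, made-up format (not any real product's):
# <epoch> <client_ip> <destination:port> <bytes_sent> <bytes_received> <duration_seconds>
SAMPLE_LOG = """\
1433160000 10.1.5.23 www.example.com:443 1200 48000 2
1433160005 10.1.5.23 cdn.example.net:443 800 950000 9
1433160010 10.1.5.40 203.0.113.77:443 310000000 290000000 5400
1433160020 10.1.5.41 mail.example.org:443 4000 22000 120
1433160030 10.1.5.42 198.51.100.9:443 52000000 1900000 1800
"""

# Thresholds are illustrative assumptions; tune them against your own baseline traffic.
LONG_SESSION_S = 900
BULKY_BYTES = 50 * 1024 * 1024
UPLOAD_HEAVY_BYTES = 20 * 1024 * 1024
UPLOAD_RATIO = 10
ALERT_SCORE = 2


@dataclass
class Session:
    ts: int
    client: str
    host: str
    port: int
    sent: int
    received: int
    duration: int


def parse_log(text: str) -> List[Session]:
    """Parse the constructed log format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, sent, recv, dur = line.split()
        host, port = dest.rsplit(":", 1)
        sessions.append(Session(int(ts), client, host, int(port), int(sent), int(recv), int(dur)))
    return sessions


def is_raw_ip(host: str) -> bool:
    """Browsers almost always connect by hostname; tunnels are often configured by IP."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tunnel_indicators(s: Session) -> List[str]:
    """Signals that a TLS session looks more like a long-lived tunnel than web browsing."""
    reasons = []
    if s.duration >= LONG_SESSION_S and s.sent + s.received >= BULKY_BYTES:
        reasons.append("long, bulky session")
    if s.sent >= UPLOAD_HEAVY_BYTES and s.sent >= UPLOAD_RATIO * s.received:
        reasons.append("upload-heavy")
    if is_raw_ip(s.host):
        reasons.append("destination is a bare IP")
    return reasons


def flag_sessions(text: str) -> Dict[str, List[str]]:
    """Map client -> reasons for every session scoring at or above ALERT_SCORE."""
    flagged = {}
    for s in parse_log(text):
        reasons = tunnel_indicators(s)
        if len(reasons) >= ALERT_SCORE:
            flagged[s.client] = reasons
    return flagged


if __name__ == "__main__":
    for client, why in flag_sessions(SAMPLE_LOG).items():
        print(client, "->", ", ".join(why))
```

Each indicator on its own is weak (a backup job is long and upload-heavy too), which is why the example scores them and only alerts when two coincide; the output is a review queue for a human, not an automatic block.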

Limited edition Iron Man S6 sells for $91,000 thanks to ... serial number

Daniel B.

Yeah, the Chinese have weird superstitions. It does make me wonder why the hell would a language have one of its numbers sound like "death", it just causes stupid stuff like this. Chinese buildings skip pretty much any floor with a 4 in it.

0
0

Unlucky, Palmer: Facebook's going to BAN Oculus pr0n apps

Daniel B.

So we skeptics were right

Once FB got on board, they were going to find a way to ruin it.

6
0

Shouty investor Elliot trains guns on Samsung merger

Daniel B.

Icahn smell something strange

Is this a real activist investor, or is it an "activist" of the kinds of Carl Icahn?

2
0
Daniel B.

Re: The Lee family should tell them to .....

> You are wrong. They are a useful way of holding parasitic or egomaniac managers (and controlling families) to account.

Thing is, "activist" investor these days is just the politically correct moniker for what used to be called a "corporate raider". Think Carl Icahn. So we're actually wary about this "investor"...

11
0

Everything Apple touted at WWDC – step inside our no-hype-zone™

Daniel B.
Joke

El Capitan?

So they're naming their next OS X release after a DuckTales character that's 400 years old, and obsessed with gold?

0
3

Did you almost prang a 737 jet with a drone over Dallas? The FAA would like a word

Daniel B.

Re: Freaking lasers*

Drone firmware should be aware of no-fly zones. IIRC they pushed an update to avoid drones being able to fly over the White House after that recent White House landing incident.

0
1

Doom, Mario, Pac-Man level up to video gaming's Hall of Fame

Daniel B.
Happy

Re: Rogue? Nethack?

Also, Zork.

It is pitch black. You are likely to be eaten by a grue.

7
0
Daniel B.
Go

Re: re: way more impact than Doom @stucs201

Yes, Doom was one of the first games to allow user generated content, and its successor, Quake, was all the rage for allowing TCP/IP play for free, and for the "mod" community that formed around it. Stuff from the Doom/Quake era is very relevant, as there's at least one game directly descended from that: Team Fortress 2.

0
0
Daniel B.
Go

Re: No Space Invaders !?!

Oh so very agreed. Space Invaders is as much of an icon as Pac-Man.

7
0
Daniel B.

They are saying Pokemon had a lack of impact on culture? It had way more impact than Doom

Um... nope. Pokemon is currently known more because there are still Pokemon games being cranked out, while Doom has mostly kept to a specific generation of gamers (though that might change now that id is cranking out a new DOOM). The squeaky kids playing "Call of Halo" games weren't even born when DOOM came out, of course they don't know about it, but will know about Pokemon because again, there are still Pokemon games being released.

And it still wouldn't make it, as there are far more popular games still on the waiting list, like Sonic, Space Invaders, even Zelda. Sure, I'd expect other games such as Lemmings, but maybe those weren't as well known as I thought they were.

8
0

Virgin Galactic will get into space 'within 18 months to two years'

Daniel B.

Re: Being picky... @wolfetone

> So, mechanically, there is something in the gearbox designed to stop that.

Yes there is. It's fitted in quite a few cars that have 5 gears, and have Reverse in the same "lane" as 5th. The mechanical thingy actually seems to engage when you move the stick towards 5th; I've tested this on a 2001 Tsuru (Mk. 3 Sentra for the rest of the world) while stopped. I have no idea if it is possible to do it intentionally, like going from 2nd to Reverse though, and I'm not about to test it either.

0
0

MS scolds businesses for failing to eradicate 7-year-old malware

Daniel B.
Facepalm

Re: Microsoft is the malware cesspit (@ AC)

Stealing. You keep using that word. I don't think it means what you think it means.

Hint: There's a reason why theft and copyright infringement are treated as separate offenses in most jurisdictions.

1
0

Facebook flings PGP-encrypted email at world+dog. Don't lose your private key

Daniel B.
Boffin

Re: PGP is not security

A certain amount of metadata has to be in the clear, otherwise how does a public mail server know how to route your email? It at the very least needs to know what domain to send it to. So maybe metadata encrypted with a public key for that domain, then the server in that domain can route it to the appropriate user.

It can be hidden right now, with current tech, but both the sending and receiving MTAs have to support TLS.

1. Sender sends his email via SMTP to his outbound SMTP server. He does so via TLS.

2. Sending SMTP server initiates connection to receiving SMTP server, via TLS.

3. Send email over secure channel.

4. Receiving person checks inbox via IMAP, using TLS.

The thing is, this will probably leak information in the sense that you will see something sent to the sending SMTP server, then something of similar size being sent to the destination, so you can still infer who is getting the email even if you can't read the metadata.

0
0
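
A way to check, after the fact, whether every hop in the chain the comment describes actually used TLS. This is an added example, not code from the poster: it walks the Received: headers of a delivered message and classifies each hop by the RFC 3848 "with" keyword (ESMTPS, ESMTPSA and friends mean the hop ran under TLS) or by a "version=TLS..." annotation. The message headers are constructed for the example, with the middle hop deliberately left as plain ESMTP.

```python
import re
from typing import Dict, List, Tuple

# RFC 3848 / RFC 6531 "with" keywords that mean the hop was TLS-protected
# (ESMTPSA = TLS plus SMTP AUTH).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed message headers: laptop -> outbound MTA -> receiving MX -> mailbox server.
# The middle hop is deliberately plain ESMTP to show a gap in the chain.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby imap.example.org with ESMTPS id abc123
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
\tfor <bob@example.org>; Mon, 01 Jun 2015 10:00:03 +0000
Received: from smtp-out.example.com (smtp-out.example.com [198.51.100.5])
\tby mx.example.net with ESMTP id def456
\tfor <bob@example.org>; Mon, 01 Jun 2015 10:00:02 +0000
Received: from [10.0.0.7] (laptop.example.com [203.0.113.9])
\tby smtp-out.example.com with ESMTPSA id ghi789
\t(version=TLS1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128)
\tfor <bob@example.org>; Mon, 01 Jun 2015 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: hello
"""


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(header: str) -> Dict[str, object]:
    """Pull the from/by/with clauses out of one unfolded Received: header."""
    body = header[len("Received:"):].strip()
    m_from = re.search(r"\bfrom\s+(\S+)", body)
    m_by = re.search(r"\bby\s+(\S+)", body)
    m_with = re.search(r"\bwith\s+(\S+)", body)
    with_kw = m_with.group(1).upper() if m_with else ""
    tls = with_kw in TLS_KEYWORDS or "version=TLS" in body
    return {
        "from": m_from.group(1) if m_from else "?",
        "by": m_by.group(1) if m_by else "?",
        "with": with_kw,
        "tls": tls,
    }


def audit_hops(raw: str) -> List[Dict[str, object]]:
    """Hops in delivery order. Each MTA prepends its header, so the top one is the last hop."""
    received = [h for h in unfold_headers(raw) if h.lower().startswith("received:")]
    return [parse_received(h) for h in reversed(received)]


def unprotected_hops(raw: str) -> List[Tuple[str, str]]:
    """(from, by) pairs for hops that did not claim TLS."""
    return [(h["from"], h["by"]) for h in audit_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_HEADERS):
        print(f"{hop['from']} -> {hop['by']}: {hop['with'] or '?'} {'TLS' if hop['tls'] else 'PLAIN'}")
    print("unprotected:", unprotected_hops(SAMPLE_HEADERS))
```

Two caveats belong with this check. Received: headers are written by the MTAs themselves, so they are only as honest as those servers, and they record that a hop used TLS, not whether the certificate was verified (opportunistic STARTTLS usually accepts anything). And, exactly as the comment says, an observer who sees an encrypted blob arrive at the first server and a similar-sized blob leave for the second can still correlate the two.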

Woman dumps ultra-rare $200,000 Apple 1 computer in the trash

Daniel B.
FAIL

Stupid widow

The recycling center says that the woman was "cleaning up" her late husband's stuff, which means she just grabbed everything and dumped it. Because she probably thought it was just annoying stuff taking up space, better used for cat furniture or something.

Maybe this will make housewives reassess what might be garbage, or actually highly valuable stuff.

1
3

'Logjam' crypto bug could be how the NSA cracked VPNs

Daniel B.

Because...

People are setting up their crypto with the default options, which include the EXPORT crap from decades ago. Which is why everyone is asking why they're still enabled by default. Interestingly, some SSL/TLS products have a "FIPS Compliant" switch; if you enable it, EXPORT ciphers are disabled to comply with FIPS, so that's an option as well.

0
0

NSA eggheads tried to bork Nork nukes with Stuxnet. It failed – report

Daniel B.
Boffin

Security by Ludditeness

Now that's a new one. By keeping your population in the Stone Age, the only reason to carry a USB stick is to smuggle either malware or contraband.

I'm... not sure I'd like to live somewhere like that at all.

1
0

Silk Road boss Ross Ulbricht to spend LIFE in PRISON without parole

Daniel B.
Go

Re: Take a good look

> Illegal drugs lead to Mexico's cartel system. A legalised system doesn't - quite the opposite; it leads to pots (haha) of money for the state.

This. Is. So. Very. True.

Most former Mexican presidents have ended up arguing that legalization is very much needed to curb the cartel violence in Mexico. And it is probably the only way we're going to see the cartels go down. Unfortunately, the solution would require both Mexico and the US to legalize drugs.

6
1

Unmasking hidden Tor service users is too easy, say infosec bods

Daniel B.
Boffin

Re: Anonymous network developed by the US government compromised.

Less surprised these days. Would've been surprised if this had been discovered before the Snowden affair and the Silk Road and Freedom Hosting shutdown. And even then, I was still wary of blindly trusting that hidden services are going to be 100% untraceable...

2
0

Hardcore creationist finds 60-million-year-old fossils in backyard ... 'No, it hasn’t changed my mind about the Bible'

Daniel B.
Facepalm

This has got to be fun. It serves as proof that being a zealot on fundamentalist religious views just makes you stupid.

1
0

Fumbling Feds lose control of seized MegaUpload domains – to saucy vid slingers

Daniel B.
FAIL

EPIC FAIL

You'd expect the FBI to not let their domains lapse at all. Seems they didn't.

I'm also amused that it seems they just put a CNAME on those domains.

0
0

It's the end of life as we know it for Windows Server 2003

Daniel B.
Boffin

Re: "Can you survive without support?"

> It's about being able to actually get some help from Microsoft when it all goes pear-shaped.

Support is a good thing to have ... when it is actually good support. In my experience:

- IBM Support: Send Business Partner to fix. If it requires more people, IBM sends 'em.

- Sun Support: Send BP to fix. If issue not solved after X time, send local Sun engineer. If it still hasn't been fixed, fly in someone from Silicon Valley that will fix it.

- Microsoft Support: Get sent to some Indian dude who will ask for logs and stuff, then answer 5 days later "don't know what happened!"

Want support? Go UNIX. Or Linux. Or even BSD and have your IT department fix stuff up by themselves!

6
2

Doom is BOOM! BOOM! BACK!

Daniel B.
Go

Oh yes...

> Doom scared the willies out of me playing late at night in a dark room.

A Demon, in Command Center's dark maze, with a Rocket Launcher!!!!

That pretty much sums up the first time Doom actually scared me. I had selected the rocket launcher, was navigating through a maze in E1M4 when I started hearing growling noises behind me. I turn and find a Demon right in front of me. I panicked and shot the thing. At point blank range. With a freaking Rocket Launcher. Fortunately, I survived that with 11% Health. It also didn't help that the next level after that was the horribly dark Phobos Lab.

3
0
Daniel B.
Mushroom

Re: This sums up the problem:

Ah yes, the "Call of Halo" genre of FPS. I really, really hate that most FPS games have dumbed down to the 2 weapon limit, linear levels, regen health and checkpoint autosave systems, it has even infested games that used to be better, like Bioshock Infinite and Dead Space 3. Oh, and Duke Nukem Forever, which didn't suck because it should've been released in 1998 ... it sucked because DNF was basically following all the BAD things from the "Call of Halo" genre.

4
0

You can't put a price on LOVE, says Apple after court's Samsung payout slash

Daniel B.
Happy

Jagwyre

The El Reg / Apple love hate thing goes waaay back. That said, El Reg basically mocks every single IT outfit. Remember the Itanic? They really abide by their motto: Biting the hand that feeds IT.

17
0

PANIC! RSA keys are compromised!

Daniel B.
Boffin

Happy Crypto Friends

The thing is that anyone reading the original article would notice that p could be divided by 3. Which was a dead giveaway that either the key was broken, or that particular RNG was, or the key validation procedure was b0rked. Even the dude that published that was less concerned with cracking a 4096 bit key and more concerned with what would generate a key with a stupidly small prime number.

1
0
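
The "key validation procedure" the comment says was missing, as an added example (not the poster's code and not any library's API): trial division by small primes, which catches a "p" that is divisible by 3 immediately, followed by Miller-Rabin, a size check, a check that e is invertible modulo phi(n), and the FIPS 186-4 requirement that p and q not be close enough for Fermat factoring. The key generation here is a toy with a fixed seed so the run is reproducible; it exists only to feed the validator.

```python
import math
import random
from typing import Dict, List

# Trial-division primes; the comment's "p is divisible by 3" is exactly what this catches.
SMALL_PRIMES = [n for n in range(2, 2000) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 32, rng: random.Random = random.Random(7)) -> bool:
    """Miller-Rabin after trial division (fixed seed keeps this example reproducible)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_rsa_private(n: int, e: int, p: int, q: int, min_bits: int = 2048) -> List[str]:
    """Sanity checks a key consumer can run before trusting a private key. Empty list = OK."""
    problems = []
    if p * q != n:
        problems.append("n != p*q")
    if p == q:
        problems.append("p == q")
    for name, x in (("p", p), ("q", q)):
        small = next((s for s in SMALL_PRIMES if x % s == 0 and x != s), None)
        if small is not None:
            problems.append(f"{name} divisible by {small}")
        elif not is_probable_prime(x):
            problems.append(f"{name} is composite")
    if n.bit_length() < min_bits:
        problems.append(f"modulus only {n.bit_length()} bits")
    if math.gcd(e, (p - 1) * (q - 1)) != 1:
        problems.append("e not invertible mod phi(n)")
    # FIPS 186-4 B.3.1 requires |p - q| > 2^(nlen/2 - 100); closer primes fall to Fermat factoring.
    if abs(p - q).bit_length() <= n.bit_length() // 2 - 100:
        problems.append("p and q too close")
    return problems


def random_prime(bits: int, rng: random.Random) -> int:
    """Odd candidate of exactly `bits` bits, retried until it passes the primality test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng=rng):
            return candidate


def generate_key(bits: int = 2048, e: int = 65537, seed: int = 1) -> Dict[str, int]:
    """Toy key generation for the example only; use a real library for anything that matters."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        key = {"n": p * q, "e": e, "p": p, "q": q}
        if not validate_rsa_private(**key, min_bits=bits):
            return key


def demo() -> Dict[str, List[str]]:
    key = generate_key(2048)
    bad = dict(key, p=3 * key["p"])          # a "prime" that is secretly 3 * prime
    bad["n"] = bad["p"] * bad["q"]
    return {
        "good": validate_rsa_private(**key),
        "bad": validate_rsa_private(**bad),
        "toy": validate_rsa_private(n=3233, e=17, p=61, q=53),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

The trial-division step is cheap and should run first: a composite "prime" with a tiny factor is a sign of a broken generator or corrupted key file, which is the failure the comment is describing, and it is found before any expensive modular exponentiation.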

KA-BOOM! Russian rocket EXPLODES over Siberia minutes after lift-off

Daniel B.
Facepalm

Oh dear

Looks like our Prez Peña-Nieto is just extending his "Bad Luck Brian" aura to satellite launches as well. I also wonder why the hell haven't they just switched to SpaceX. It's closer to us, and those have better odds at actually not blowing up on launch. For those who don't know, Mexico has lost a lot of satellites thanks to shoddy Russian launches.

0
0

CSI GALAXY: Cause of death = STRANGULATION

Daniel B.

Re: Who killed them?

The BOFH, in the Server Room, with the Cooling Pipe!

5
0

Look out, law abiding folk: UK’s Counter-Extremism Bill slithers into view

Daniel B.
Facepalm

Re: One party state

Welp, you guys decided to give the Tories an absolute majority (though a weak one). You're just getting to reap what you sow real fast. :/

3
3

New Windows 10 will STAGGER to its feet, says Microsoft OS veep

Daniel B.
Boffin

Re: Will VM work

> Win 10 looks so bad that I am seriously considering running a Macbook with VM so I can still use Visio, Autoroute and Microsoft Money which are the only reasons I still use Win 7. Anybody got any better ideas?

You're late into the game. I did exactly that in December 2012. My Win7 VM is rarely used these days, as I bought Office 2011 for Mac (it still has menus so you aren't forced to use Ribbon only) and Win7 is mostly used for Windows-only games or the 2 or 3 programs that aren't available on Mac.

But yes, it's probably the best bet: you don't have to pay the MS tax, you keep an OS that does get commercial software, but also get a Unix OS underneath for other stuff. And you can run any other OS under VMs if you want to.

0
0
Daniel B.

Re: see nothing worthwhile on windows 10 here

The XBox One had a small surge during holiday season 2014 because MS made a steep discount around those dates. I think it has reverted to its regular price, so there's a good chance the surge is gone as well. But it's probably too little, too late: PS4 is way too far ahead. The XBO isn't quite a failure, but it seems to have definitely lost this generation's console war. Honestly, MS should just close up that shop and let a more consumer and gamer-friendly console maker enter the market.

1
0

Chrome version 42 will pour your Java coffee down the drain: Plugin blocked by default

Daniel B.
Boffin

Re: Great.

> "And Javascript - which I see is still fully supported in Chrome 42...."

> I really hope you are joking and not that stupid?

I don't think he's stupid. He's probably right: the only way to have a truly secure browser is to disable all client-side running code. If code can run in your client, it can be theoretically exploited.

Most stuff that downloads and runs code from the 'net should have some kind of sandbox, or at least a way to verify if the code you're going to run is safe. Some schemes do either sandboxes, code authentication, or both. But not all of 'em. So we usually get from the most secure schemes (Java does both), to the shitty security ones (Javascript does sandbox, but no code auth), to nonexistent (Oh, it seems you have an ActiveX object! I'll run it! Full access to everything! Oh no, I've been pwned!!!)

So basically, if you're agreeing with Google killing Java, you should be asking for Google to kill JavaScript as well. Because its security model is shittier.

1
0
Daniel B.
Boffin

Re: Not the end of the world

I would concur with your idea, which is why I dislike JavaScript: it has caused far more grief than Java, and it usually has more exploits doing the rounds: CSRF, XSS and all those "nice" things. Java at least has the code signing security stuff, which means that only signed apps have access to your local stuff; JS has no such crypto protections.

On Java applets, sure, the applets themselves didn't really integrate with webpages, but there are some websites that do some kind of client-side Java that does seamlessly integrate with the websites. Classic Hushmail is an example of this, when you enable Java.

1
0
Daniel B.
Boffin

Re: Sigh...

And the irony is that Java is probably the most secure of the "stuff that can run remote code" out there, even though it did have gaping holes a couple of years ago. But alas, it has been permanently tainted by those dark days.

Funny that JavaScript is "teh hotness" these days with web developers, but that thing is actually worse than Java in the security field. It's just going to be a matter of time for truly evil JavaScript malware to really screw the pooch. Meanwhile, what can be used that isn't Java or .NET for client-side heavy stuff (i.e. strong encryption, digital signatures)? There's no way I'm trusting JS for that. At least Java does have the security sandbox by default.

1
0

EMEA PC market circling rim, headed for U-bend plunge

Daniel B.

Re: Growth

Windows 8 probably did a better job of killing off PC sales worldwide than any other attempt ever. Windows 10 is hardly the anti-Windows 8 they've been touting, so I doubt they'll rebound.

3
1

Cisco boss Chambers: It's our fault H-1B visa shakeup is struggling

Daniel B.
Facepalm

Re: What an ass clown

Cisco gear does have graphical interfaces. But any competent sysadmin can and must be able to manage stuff using CLIs. In fact, the lack of CLI on certain products is a larger problem than lack of kiddie GUIs on stuff that is only managed by competent IT folks.

0
0

Struggling through the Crystal Maze in our hunt for a spare CAT5

Daniel B.

> Someone actually noticed a switch was added? What gave it away, the sudden increase in productivity and decrease in complaining about network access?

The still-active DHCP usually does that, as it will wreak havoc on the rest of the network.

Even if you disable DHCP before connecting it, some mildly competent IT departments will notice that a certain switch port is now serving more than one MAC address, a dead giveaway that someone's plugged a switch in there.

0
0
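
The "more than one MAC address behind a single switch port" giveaway from the comment above, as a small detection script. This is an added example, not code from the poster or from any vendor: it parses a constructed listing in the style of Cisco IOS "show mac address-table" output (the addresses and port names are made up), counts learned MACs per port, and reports access ports that exceed what a single host should present. Uplinks and trunks carry many MACs legitimately, so the caller names them and they are skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample in the style of a Cisco IOS "show mac address-table" listing
# (VLANs, addresses and ports are made up for this example).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  10    0011.2233.4488    DYNAMIC     Gi1/0/7
  10    0011.2233.4499    DYNAMIC     Gi1/0/7
  20    0011.2233.5500    DYNAMIC     Gi1/0/24
  20    0011.2233.5511    DYNAMIC     Gi1/0/24
  20    0011.2233.5522    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 8
"""

# One table row: vlan, dotted-hex MAC, type, port. Header and separator lines do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def macs_per_port(table: str) -> Dict[str, List[str]]:
    """Group learned MAC addresses by the port they were learned on."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in table.splitlines():
        m = ENTRY.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            seen[port].append(mac.lower())
    return dict(seen)


def find_suspect_ports(table: str, uplinks: Set[str], max_expected: int = 1) -> Dict[str, List[str]]:
    """Access ports carrying more MACs than one host should present.

    A hidden switch or hub is the usual cause. Uplinks and trunks legitimately carry many
    MACs, so they are excluded; raise max_expected to 2 where an IP phone with a PC behind
    it is normal on your access ports.
    """
    return {
        port: sorted(macs)
        for port, macs in macs_per_port(table).items()
        if port not in uplinks and len(macs) > max_expected
    }


if __name__ == "__main__":
    for port, macs in find_suspect_ports(SAMPLE_MAC_TABLE, uplinks={"Gi1/0/24"}).items():
        print(f"{port}: {len(macs)} MACs learned -> {', '.join(macs)}")
```

This is the after-the-fact version of what the comment describes; switches that support port security can enforce the same limit at the port itself, and DHCP snooping addresses the rogue-DHCP half of the comment by refusing server replies from access ports.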
Daniel B.

Aquarium

One of my jobs involved that particular layout. It was funny, because the whole floor was remodeled from a "sushi bar" layout to the "aquarium" layout, supposedly to use them as conference rooms. But what really happened was that we were stuck into those conference rooms. The good thing is that we didn't have Ethernet port shortages, but we did need to raise a ticket so that the network dudes would enable 'em and put 'em on the correct VLAN. It was fun, as the conf room we were assigned to was small, so our 2 person team was very comfortable.

0
0
Daniel B.

Re: WiFi

Wifi is garbage for anything that isn't residential use. Corporate networks use a lot of bandwidth and wifi is ill-equipped to handle that much stuff. Moving multi-GB files is already a lengthy process when most of your nodes are still stuck on 100BaseT, doing it on wifi would probably kill the wifi link for everyone else.

Wifi is for lazy people who can't be arsed with running CAT5e through the building.

5
3

Why are enterprises being irresistibly drawn towards SSDs?

Daniel B.

Well...

> An SSD easily knocks 2 minutes (it's probably closer to 5 minutes) off our fat client bootup and login to usable desktop.

Most companies where I've worked keep all PCs turned on. Desktop boot times don't matter if you aren't booting up that much.

1
1
Daniel B.

RAID

> If you scribble random data all over just one of the drives, your RAID controller won't notice, and will return that data 50% of the time, when it reads the relevant sectors from the corrupted drive.

Um... That only applies to RAID1. RAID5/6 does actual parity check on stuff and thus won't return corrupted data. Even better if you're using ZFS, which actually has data integrity checks. ZFS+raidz1 is the best option out there, if you really care that much about corruptible data.

0
1
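
The three cases argued over above, reduced to a simulation. This is an added example, not the poster's code and not a model of any particular controller: a plain mirror returns whichever copy it happened to read; a striped array with XOR parity (on a fixed parity drive here for simplicity; RAID5 rotates it) only finds the mismatch when the parity is actually recomputed by a scrub, its normal read path does not consult parity and a mismatch alone cannot say which drive lied; a mirror with a per-block checksum, which is the ZFS approach, rejects the bad copy on read and rewrites it from the good one. Block contents are constructed.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

BLOCK = 16  # bytes per block in this toy model (constructed)


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- RAID1: two copies, no integrity information ---------------------------------
def make_mirror(data: List[bytes]) -> List[List[bytes]]:
    return [list(data), list(data)]


def mirror_read(mirror: List[List[bytes]], index: int, turn: int) -> bytes:
    """A plain mirror alternates reads between the copies and trusts whatever comes back."""
    return mirror[turn % 2][index]


# --- Striped data + XOR parity (fixed parity drive; RAID5 would rotate it) --------
def make_striped_parity(data: List[bytes]) -> List[List[bytes]]:
    d0, d1 = data[0::2], data[1::2]
    parity = [xor_blocks(a, b) for a, b in zip(d0, d1)]
    return [d0, d1, parity]


def parity_read(array: List[List[bytes]], index: int) -> bytes:
    """Normal read path: fetch the data block; parity is only used to rebuild a missing drive."""
    return array[index % 2][index // 2]


def parity_scrub(array: List[List[bytes]]) -> List[int]:
    """Recompute parity for every stripe and report mismatching stripe numbers.
    A mismatch proves something is wrong but not which of the three drives."""
    d0, d1, parity = array
    return [i for i, (a, b, p) in enumerate(zip(d0, d1, parity)) if xor_blocks(a, b) != p]


# --- Mirror with a per-block checksum (the ZFS-style approach) -------------------
def make_checksummed_mirror(data: List[bytes]) -> Tuple[List[List[bytes]], List[bytes]]:
    return make_mirror(data), [hashlib.sha256(b).digest() for b in data]


def verified_read(mirror: List[List[bytes]], sums: List[bytes], index: int) -> Tuple[Optional[bytes], List[int]]:
    """Return the first copy whose checksum verifies and rewrite any copy that does not."""
    good = next((mirror[side][index] for side in (0, 1)
                 if hashlib.sha256(mirror[side][index]).digest() == sums[index]), None)
    if good is None:
        return None, []  # both copies bad: detected, but nothing to heal from
    repaired = [side for side in (0, 1) if mirror[side][index] != good]
    for side in repaired:
        mirror[side][index] = good
    return good, repaired


def demo() -> Dict[str, object]:
    data = [f"block{i:02d}".encode().ljust(BLOCK, b".") for i in range(4)]
    garbage = b"X" * BLOCK

    mirror = make_mirror(data)
    mirror[1][2] = garbage  # silent corruption on one copy of block 2
    raid1 = [mirror_read(mirror, 2, t) == data[2] for t in (0, 1)]

    array = make_striped_parity(data)
    array[1][0] = garbage  # block 1 lives on drive d1, stripe 0
    parity = (parity_read(array, 1) == data[1], parity_scrub(array))

    cmirror, sums = make_checksummed_mirror(data)
    cmirror[1][2] = garbage
    got, repaired = verified_read(cmirror, sums, 2)
    checksummed = (got == data[2], repaired, cmirror[1][2] == data[2])
    return {"raid1": raid1, "parity": parity, "checksummed": checksummed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The result dictionary reads as: the mirror returned good data once and garbage once; the parity array returned garbage on a normal read while the scrub found stripe 0 inconsistent; the checksummed mirror returned good data, repaired copy 1, and that copy now matches again.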

Microsoft uses Windows Update to force Windows 10 ads onto older PCs

Daniel B.

Re: Strange

> However, sneaking Win10 onto home users' machines for free would probably be a benefit to everybody.

No it isn't. Given that Windows 10 hasn't fully backed off from the Metro UI disgrace, it's going to cause unending headaches to those of us who have non-IT family members, who will proceed to nag us on "where did everything go?".

17
0

Non-American nerds jam immigration pleading for right to live in the US

Daniel B.
Boffin

Re: Rather interesting @martinusher

Yes, I'm very annoyed that H1B is basically "the Indian visa" these days. I've been offered a couple of jobs in the US, but it seems that these are offered via the TN-2 visa mostly because H1Bs run out real quick. TN sucks in the sense that you're locked to the same employer, if you quit or are fired you have to leave the country ASAP. No grace period, no looking for another job. H1-Bs are better for some of these cases.

But then there's even more reasons for immigration reform. Fix it so that both immigrants (and non-immigrants, as H1-B is a nonimmigrant visa) and US citizens aren't shafted by US corporations.

0
0
Daniel B.

Re: Rather interesting

Lay off the Fox News koolaid, AC. H1B employers can't give lower wages to H1B holders, immigration law mandates a higher wage to avoid "taking them over a US citizen". They also have to prove there's a shortage of available US citizens to do the job. There is a real shortage, probably because CompSci degrees are still low in the US.

Oh, and Mexican illegals aren't looking for entitledness, they're looking for better wages.

4
9

GitHub jammed by injected JavaScript, servers whacked by DDoS

Daniel B.

Wrong Language!

Uninstalling Java won't do anything. The stuff they're using is JavaSCRIPT, which can only be dealt with by either NoScript or by disabling JavaScript on your browser. But the latter would break all those Web2.0/HTML5 bloatware eye candy so the only real solution is NoScript on dodgy websites.

3
0

Bye bye, booth babes. IT security catwalk RSA nixes sexy outfits

Daniel B.
Boffin

Re: As someone from the con / geek community

> As you see more and more busy body wannabe tech feminists (as opposed to women with actual skills) enter the tech circles... you'll see more and more of this.

It has even infested DEFCON. The one last year had Hacker Jeopardy get PG-ified as Vanna Vinyl didn't strip down on that edition, due to insistence of the feminazis. (Note: "feminazis" and "feminists" aren't the same thing. "Feminazis" are the radical zealot subgroup within the feminist movement, but not representative of feminism as a whole.)

I might get RSA banning booth babes, but DEFCON? That's just ruining the fun in an event that isn't meant to be business-oriented or PC at all. Reading this thread pretty much talks for itself.

0
0

How a hack on Prince Philip's Prestel account led to UK computer law

Daniel B.

Re: It was dial-up in more senses than the link....

Yes, that's how it reads given that Maggie Thatcher was involved in it. Another black mark on her history of oppression...

3
7

One API to rule them all: The great network switch silicon heist

Daniel B.

Solution looking for a problem?

This has the very distinct smell of being a solution looking for a problem. The only people worried about switch dev code are switch vendors themselves. Why add a useless API to that stuff? Packets aren't going to be routed easier with them. Switches and routers have to do minimal functions at very fast speeds; the less code they have to execute, the better. Why bloat it with something that isn't even needed? It's not like I'm going to install IOS on a 3Com switch, which is the only thing I'd see this API being useful for.

0
0

FREAKing hell: ALL Windows versions vulnerable to SSL snoop

Daniel B.
Boffin

Re: Bork IE<9

> The Freakattack site says that it is still vulnerable, is that because it just checks for IE 11, or because even with these settings (AFAIK TLS 1.1 is still secure) IE 11 is vulnerable and can be forced to use a weaker protocol?

Yes, unfortunately TLS 1.x doesn't mean that EXPORT ciphers are disabled at all. I've tested a couple of sites, and TLS still can negotiate EXP-RC4-MD5, which makes cryptographers' eyes bleed. The problem is that EXPORT should have been removed from the default set of ciphers at least a decade ago.

0
0
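
Both the Logjam comment further up (EXPORT suites still enabled by default, a "FIPS" switch as the workaround) and the FREAK comment above (a TLS 1.x connection can still negotiate EXP-RC4-MD5) come down to the same check: the protocol version and the cipher list are independent settings, and the cipher list is the one that matters. This is an added example, not the poster's code: it audits a constructed list of offered suites by name, flags a finite-field DH group below 2048 bits for the Logjam case, and builds a Python ssl context from a short allow-list rather than by pruning the library default, then asks OpenSSL what that context can actually negotiate. The suite names follow OpenSSL's naming; the `OFFERED` list is made up for the example.

```python
import re
import ssl
from typing import Dict, List, Optional

# Cipher-suite name patterns that should never be negotiable, with the reason.
WEAK_RULES = [
    (re.compile(r"^EXP-|EXPORT"), "export-grade"),
    (re.compile(r"RC4"), "RC4"),
    (re.compile(r"-MD5$"), "MD5 MAC"),
    (re.compile(r"DES-CBC-"), "single DES"),          # DES-CBC3 (3DES) is not matched
    (re.compile(r"NULL"), "NULL cipher or MAC"),
    (re.compile(r"^(ADH|AECDH)-"), "anonymous key exchange"),
]
MIN_DH_BITS = 2048  # Logjam: 512-bit export groups are broken outright; 1024-bit is not safe either

# Constructed list of suites a server might still offer with legacy defaults.
OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
]


def weak_reasons(name: str) -> List[str]:
    return [reason for pattern, reason in WEAK_RULES if pattern.search(name)]


def audit_ciphers(names: List[str]) -> Dict[str, List[str]]:
    """Return only the suites that fail, each with its reasons."""
    return {n: weak_reasons(n) for n in names if weak_reasons(n)}


def audit_handshake(cipher: str, dh_bits: Optional[int] = None) -> List[str]:
    """Check one negotiated handshake: the suite itself plus, for finite-field DH, the group size."""
    reasons = weak_reasons(cipher)
    uses_ffdh = "ECDHE" not in cipher and ("DHE" in cipher or "EDH" in cipher)
    if uses_ffdh and dh_bits is not None and dh_bits < MIN_DH_BITS:
        reasons.append("DH group too small (Logjam)")
    return reasons


def hardened_context() -> ssl.SSLContext:
    """Opt in to a short allow-list instead of pruning the library's default list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def verify_context(ctx: ssl.SSLContext) -> Dict[str, List[str]]:
    """Ask OpenSSL what the context can actually negotiate and audit that list."""
    return audit_ciphers([c["name"] for c in ctx.get_ciphers()])


if __name__ == "__main__":
    for name, why in audit_ciphers(OFFERED).items():
        print(f"{name}: {', '.join(why)}")
    print("EDH with 512-bit group:", audit_handshake("EXP-EDH-RSA-DES-CBC-SHA", dh_bits=512))
    print("hardened context weak suites:", verify_context(hardened_context()))
```

The `verify_context` step is the one worth copying: a configuration string is a statement of intent, and only the library's own answer tells you whether an export or RC4 suite slipped through an alias you did not expect.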


Biting the hand that feeds IT © 1998–2017