* Posts by Ben Tasker

1431 posts • joined 23 Oct 2007


The eyes have IT: TSB to roll out iris-scanning tech for mobile banking

Ben Tasker
Silver badge

Re: I wasn't scared before...

> I never did get the idea behind biometrics for two reasons: you can't hide it and can't change it.

It's actually pretty good as a replacement for your username (which should be considered near public anyway), i.e. identification, other than that you can't change it (so not quite so convenient for forums and the like).

The problem with that, though, is there will always be the eejits who think biometrics are a good replacement for authentication. So, if you use it for identification, and someone else uses it for authentication, you get an overlap between data that can be public (i.e. usernames) and data that should be secret (i.e. passwords). Not quite as trivial to steal and use as a simple username string, but it does open the possibility of it happening - historically there's not been much effort put into protecting handles because they're considered publicly available knowledge.

So using biometrics for authentication is stupid (can't be changed if/when it leaks, current technology is good but far from perfect etc), and using it for identification is a potentially bad idea too.

20
0

No one still thinks iOS is invulnerable to malware, right? Well, knock it off

Ben Tasker
Silver badge

Re: Jailbroken iPhones?

> It is all a matter of risk. IMHO, iOS is a lot less risky that Android.

Part of assessing the risk, though, isn't just weighing the probability that something will happen, but also of assessing the scale of the consequences if it does happen, despite the odds.

Clearly they're overstating the probability (or, at least, being very vague and misleading on it), but it does raise an interesting point. Assuming their stats (such as they are) are correct - the primary iOS target is enterprise devices. Meaning the malware is more likely to be targeted at exfiltrating data from, or getting a foothold in enterprise networks.

That's potentially much higher consequences than if you get one of the many, many, many ad serving android malware variants. And there's probably a much lower probability, if you get iOS malware, that it'll simply serve ads.

Basically, what I'm getting at, is advertising article notwithstanding, iOS has a lower probability of malware, but for a business the risk may be higher. So you should at least have plans in place.

6
1
Ben Tasker
Silver badge

Re: Hmmm...

> It's rather telling that they refused to provide actual figures to back-up their claims, especially the "percentage of enterprise iOS devices with malware tripled over the last two quarters while the rate of Android malware stayed relatively flat over the same period" one.

That's probably the one claim in their piece that I can believe

> It could've gone from 1 infected device to 3, whereas Android could've stayed flat at 20 million infected devices.

And that's why :)

11
1

UK government's war on e-cigs is over

Ben Tasker
Silver badge

Re: One has to wonder who is paying those guys off

Someone I used to work with brought kippers into the office for lunch once, we kicked him back out within seconds.

0
0
Ben Tasker
Silver badge

Re: No vaping in the workplace please(@Mephistro)

> This is exactly what vapers do, but they exhale a cloud that carries their exhalation a lot further,

Not really. The cloud makes it visible for a lot further, but their actual exhalation probably isn't travelling much (if any) further than a non-smoker breathing out when they've got a chest infection.

I'm not saying that certain vapers don't need to be a bit more aware of others, but it doesn't make what you've said any more correct.

I've worked with people who claimed to be sensitive to vape, and I've worked with people who didn't want to go outside to vape (days where the two overlapped were occasionally interesting). About the only conclusion you can reliably draw is that different people are... different. Well, that and some non-smokers (or worse, ex-smokers) can be incredibly and unnecessarily judgemental.

When you go out in public, you're breathing in whatever everyone else has exhaled, whether you can see it or not. Frankly, vape should be the very least of your concerns.

2
0

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Ben Tasker
Silver badge

If you use shared hosting, you cannot use your own cert - and must pay your hosting company to add a cert.

Actually, a good number of hosting providers have been enabling LetsEncrypt support in CPanel (or whatever interface they expose to customers), so whilst this is true for some, it's no longer a hard and fast rule.

I get "free" hosting with my internet service, but this does not support SSL at all - so yes "all I have to do" is switch hosting which means paying someone else for something that is currently included in my internet package.

To be fair, that's not so much a cost in SSL as a limitation in the hosting you're using.

If you host more than one site, then you have to use SNI - which puts restrictions on the software you can use and also locks out older clients.

There're very few restrictions on the server side software nowadays, because most things now support SNI. The number of distinct older clients that don't support SNI in the wild is also now quite low (though, as you note, still with a *lot* of users behind them)

So yes, it's now really cheap - but it is not "free" in general.

It is (or can be) entirely free in the fiscal sense. You can get a cert for £0.00 (and have been able to for a long time).

But, you're right in that there are associated costs - additional processing overhead (however small, it's still there), the need to balance pissing off users with old software vs maintaining security.

But, on the other hand, if you're on cheap (or free) shared hosting, you probably don't have the user volume to have to worry too much about pissing the users off, and the additional processing overhead is your host's problem.

2
0
Ben Tasker
Silver badge

Re: There is a dark evil danger to the big uptake of HTTPS

Hopefully can find more soon to say whether this is something I can trust with banking app etc or not, don't suppose anyone here at El Reg has more enlightenment than I can find thus far?

Has generally worked well enough for me. It was a while ago I set it up, but this is the setup I went with https://www.bentasker.co.uk/documentation/mobile-phones/277-android-protecting-your-network-data-from-local-snooping

I've not had any issues using banking (though I only do it in browser, as I'm not too comfortable with the state of banking apps (though they may have improved in the meantime)).

That's assuming, of course, that you control the VPN server, and trust (to a given extent) the hosting provider. You also need to think about what type of server you're using, if it's an OpenVZ slice (for example) there's slightly more risk of someone in another slice on that server being able to jump slices. Probably still lower risk than random public wifi APs though.

The DNS misbehaviour you saw with Opera mini, was it just that you didn't see the queries transit the tunnel? IIRC it forwards all requests (including the initial DNS lookups) via one of Opera's servers, and hopefully that connection was going via the VPN?

2
0
Ben Tasker
Silver badge

Re: Multiple servers?

Let's Encrypt wildcard certs are probably tenable if you're going to use them on only one server. If you have more than one server, I suspect you'd have to nominate one server as the wildcard renewal server and then after a renewal, have it copy the new cert files to your other servers that need it

More or less what I do. Certbot writes the cert out into a git repo, and my wrapper script commits and pushes. Other machines on my edge poll periodically to see if the repo has new commits, if it does, git pull and then reload nginx.

One obvious trick is to buy a 3 years wildcard cert so you don't have to renew/re-install the certs on multiple servers too often.

As of CAB Forum Ballot 193, the maximum validity of a certificate is being capped again. So from next year (March IIRC), the maximum length of a cert will be 825 days (basically 2 years with a little padding to allow for renewal times).

There was a previous attempt to bring the lifetime down to 13 months, but it didn't pass. All the same, expect that 2 years to drop further at some point in the future (especially as it's Google who wanted 13 months, so changes may come via Chrome rather than a ballot).

1
0
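The renew-commit-push and poll-pull-reload flow described above, written out as an added shell example (this is not the poster's actual wrapper script). It assumes certbot invokes publish_cert from a --deploy-hook (certbot really does export RENEWED_LINEAGE to deploy hooks), that the cert repo is a private remote already configured as origin on every host, and that nginx is the server being reloaded on the edge; the reload command is a parameter so it can be swapped out.

```shell
#!/bin/sh
# Added example: distribute a renewed certificate from the renewal host to edge hosts
# through a git repo. Not the poster's own script; assumptions are stated in the
# comments. Keep the repo private: it carries private keys.
set -eu

# --- renewal host side (run as a certbot --deploy-hook) ---
# publish_cert LINEAGE_DIR REPO_CLONE NAME
#   LINEAGE_DIR: directory holding fullchain.pem and privkey.pem (certbot passes
#                this as $RENEWED_LINEAGE; any directory with those files works)
#   REPO_CLONE:  working clone of the cert repo, with "origin" already set up
#   NAME:        subdirectory to store the files under, e.g. the domain name
publish_cert() {
    lineage="$1"
    repo="$2"
    name="$3"
    mkdir -p "$repo/$name"
    cp "$lineage/fullchain.pem" "$lineage/privkey.pem" "$repo/$name/"
    chmod 600 "$repo/$name/privkey.pem"
    git -C "$repo" add "$name"
    # Nothing to commit if the files are identical to the last push
    # (a hook can fire without the material actually changing).
    if git -C "$repo" diff --cached --quiet; then
        return 0
    fi
    git -C "$repo" -c user.name=certbot -c user.email=certbot@localhost \
        commit -q -m "renew $name $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    git -C "$repo" push -q origin HEAD
}

# --- edge host side (run from cron) ---
# poll_and_reload REPO_CLONE [RELOAD_CMD]
#   Compares the local HEAD with the remote HEAD and only pulls and reloads when
#   the remote has moved. Prints "unchanged" or "reloaded" for the cron log.
#   RELOAD_CMD defaults to testing the nginx config before reloading, so a broken
#   cert is never loaded into a running nginx.
poll_and_reload() {
    repo="$1"
    reload_cmd="${2:-nginx -t && nginx -s reload}"
    local_head=$(git -C "$repo" rev-parse HEAD)
    remote_head=$(git -C "$repo" ls-remote origin HEAD | cut -f1)
    if [ "$local_head" = "$remote_head" ]; then
        echo unchanged
        return 0
    fi
    # Fast-forward only: the edge never authors commits, so anything else is
    # a sign of tampering or a misconfigured clone and should fail loudly.
    git -C "$repo" pull -q --ff-only origin
    # git does not preserve 0600 on checkout; re-tighten key permissions.
    find "$repo" -name privkey.pem -exec chmod 600 {} +
    sh -c "$reload_cmd"
    echo reloaded
}
```

On the renewal host this pairs with something like `certbot renew --deploy-hook 'publish_cert "$RENEWED_LINEAGE" /srv/certs example.test'`; on each edge, a cron entry calling poll_and_reload every few minutes.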
Ben Tasker
Silver badge

doesn't this mean that the assurance level (or trustworthiness) of any HTTPS web site has just dropped a notch?

Not really. For DV level certs, you still just need to exercise proof of control over the domain (depending on the CA, that might be clicking a link in an email, creating a DNS record, or creating a specific page on the site).

So it's no harder to provide the proof for a cert. The only thing that's gone is the payment trail (but then, if you were that way inclined, you'd use stolen details anyway. Cert might get revoked eventually, but Chrome doesn't check CRLs and it'd take long enough for you to catch a few people out anyway).

So the assurance level hasn't really changed. What might be changing though (hopefully) is people's understanding of just what level of trust having a DV certificate actually implies (very little other than that you appear to have connected to the correct server)

0
0
Ben Tasker
Silver badge

Re: HTTP has got to go

You typed all that just to be wrong? Wow.

HTTP is acceptable for nothing, not even static pages.

Only a sith deals in absolutes.

There are in fact use cases where plain HTTP is acceptable, and in fact entirely unavoidable. Thankfully they're becoming less common, but they do exist.

For example, I have a script/service that checks whether your ISP is intercepting HTTP connections (by, for example, passing them through a transparent proxy), whether they're messing with the data in any way, whether they cache (and if so, have they protected against cache poisoning attacks etc). That absolutely has to happen over port 80, because it's HTTP traffic that they fuck with.

Now, obviously that's a fairly obscure use case, but my point is this: When it comes to IT Security, if you speak in absolutes then you're likely as much of an idiot as you think the guy you're "correcting" is.

HTTPS is too easily brushed off by many people, but you do no-one any favours by being a die-hard about it. Especially when your response seems to not only assume that Port 80 is only ever used by a browser, but completely misreads the apparent intent of the post you were responding to.

Security starts by not blindly trusting in automated tools, and using that grey blob between your ears to think things through instead. Too much reliance on security tools such as HTTPS can create a massive risk in itself.

He's more right than you are ;)

Simply enabling HTTPS isn't enough (though it should be a first step in the absence of a strong case against it), but we've got to break this idea that users have developed that HTTPS means the site is safe. It's a dangerous false sense of security.

All the cert check actually does is verify that the server you're speaking to is authorised to speak for the domain you connected to. It doesn't make hs.bc any more legitimate.

3
0

Google Chrome's HTTPS ban-hammer drops on WoSign, StartCom in two months

Ben Tasker
Silver badge

Re: EU Anyone

Bloody ages if the affected entities are not complying with obvious independently created security standards not just upsetting Google.

I agree, they're probably OK as it's not Google (alone) who've set the standard.

It does raise an interesting question though (albeit largely hypothetical). Google is currently at odds with the rest of the CAB Forum on the subject of certificate validity periods. They've just been reduced to around 2 years max, but Google wanted 13 months in their ballot (which got voted down).

It wasn't so much the period, as how quickly Google wanted to switch that the other members objected to AIUI.

So, if Google were to go it alone, and simply distrust anything older than 13 months in Chrome, at what point would that be considered an abuse of domination, if at all?

They haven't actually shown any sign of intending to do that, and it'd be a bloody stupid thing for them to do (though if they did, it'd more or less force the industry to comply), but I thought it was an interesting thought exercise.

4
0

Microsoft boasted it had rebuilt Skype 'from the ground up'. Instead, it should have buried it

Ben Tasker
Silver badge

Re: I got gify tho

9 times out of 10, if I type /gify [term] it gives me a gif that's seemingly completely unrelated to the term I gave it.

0
0
Ben Tasker
Silver badge

Re: So why then does Slack launch Skype if I click on a number?

That sounds like the file associations rather than the protocol ones.

On Win 10 it's called "Choose default apps by protocol" and then you'll see a TEL: entry. There's a guide here - https://www.howtogeek.com/223144/how-to-set-your-default-apps-in-windows-10/

It was oh so very, very helpful of Microsoft to break those up...

1
0
Ben Tasker
Silver badge

Re: Social disease

You've got to wonder if all the old software engineers haven't retired and it's the under 35s who've taken over product design,

Oi, I'm under 35 and you can fuck off if you're going to try and lump me in with the kind of cretin that thinks that kind of design is an improvement.

It's possible I'm just odd for my age, but there's very little that gets released nowadays that I like the look of. It's more common that I'll be screaming blue murder at something because some fuckwit has dumbed down the interface and hidden/removed a config setting that I want to get at. Skype's update is a low even by that standard though.

5
0
Ben Tasker
Silver badge

Re: a colleague skyped me..

... for some advice. I replied there were two options: a) do a particular thing b) do some other thing.

I then pressed return and looked on in dismay to see that Skype had, in my already sent message, translated A and B into the angel and beer emojis respectively.

Yeah, Skype's shit for that.

Best bet, is to tell it that every message you send is pre-formatted, put two exclamation marks on a single line, followed by an empty line, and then your message.

Which is still shit to have to do, but an easy habit to pick up and it tells Skype to keep its stinky fat fingers away from the text you actually want to send.

0
0

Bonkers call to boycott Raspberry Pi Foundation over 'gay agenda'

Ben Tasker
Silver badge
Joke

Re: Holy crap - I saw it!!

> Bums to the wall?

It's supposed to prevent unwanted buggery. But, aside from the fact a gay guy is highly unlikely to just jump you, it does somewhat ignore the issue posed by an unexpected gloryhole...

2
0
Ben Tasker
Silver badge

Re: And the rest...

You'd only notice that it is a woman doing the hugging if you notice the earrings.

I used to work with a bloke with a big shaggy beard who wore women's earrings every day that I saw him. Earrings definitely aren't a good indicator to rely on.

6
1

Photobucket says photo-f**k-it, starts off-site image shakedown

Ben Tasker
Silver badge

Re: Full site hosting's not easy for everyone...

And yet, still miles better than Plesk....

I suspect the reason OP has issues with CPanel is because he has a reasonable idea of where things should reasonably be, how they should be configured etc. CPanel on the other hand is designed to be usable by the less technical, so things aren't located where we would expect to find them.

I've seen and dealt with far worse than CPanel, so I'd choose it over them, but at the end of the day I'm much happier just hopping on over port 22.

1
0

The bloke behind Star Fox is building a blockchain based casino. No, really

Ben Tasker
Silver badge

Re: http://provablyfair.org/

Exactly what I was going to post.

It's in active use by various sites too, including a number of Bitcoin gambling sites, so it's not like it's a theoretical concept that hasn't yet been put to the test.

0
0

UK and Ecuador working on Assange escape mechanism

Ben Tasker
Silver badge

Re: so well resourced

> The original reason for him being given bail (the EAW) has disappeared, so his lawyers could probably get the breach of bail issue resolved fairly easily (e.g. he surrenders to the court, the government keeps the bail money from his friends, he walks free)

Possibly, but it's by no means a given. He did jump bail, which is contempt of court. It doesn't matter whether you think you're being tried for something that's bollocks, you're expected to comply with the court's orders. Deliberately ignoring them isn't something that will be looked on kindly, and that's all on Assange to be honest. He seemed perfectly happy with our legal system when taking his case through every level, and then legged it when it was obvious it wasn't going his way.

The bail money is gone either way, and I suspect he'll get more than a ticking off when he eventually presents himself to court. One thing is for sure, though, should he ever get nicked again, he's well and truly burnt any chance of getting bail ever again. Though that, of course, will also be part of a conspiracy against him...

3
0
Ben Tasker
Silver badge

Re: The worst thing in the world for Assange...

It is, but it doesn't have quite as much impact while he's holed up because the conspiracy theorists just say that he's holed up because the US want him. When it'll really make a difference, is when he's in easy, easy reach and they do nothing

5
0
Ben Tasker
Silver badge

Re: The worst thing in the world for Assange...

It'd also be the smart thing for the US to do, as it'd help discredit Assange as a paranoid nutjob. But given who's running the place at the moment, I suspect that's less likely to happen.

8
0

Heaps of Windows 10 internal builds, private source code leak online

Ben Tasker
Silver badge

> But yeah - darn that evil Microsoft selling their software! ;)

To be fair, if you take your list (and add Microsoft to it), out of those you've only really got Microsoft and BAE where a leak of their software is likely to be a big deal to them (possibly Goldman too to some extent).

So if you start at a position of "Someone's software is going to leak (or has leaked)", then Microsoft is one in a list of two, and their business is based on the software itself, so they probably are at the top of that list.

All the others may well deserve to have something happen, but a software leak for them is unlikely to achieve the fuzzy feelgoods you want when saying "good, they deserve it". In fact, for some of those companies, it wouldn't be that different to hearing someone had broken a window in their building.

So OP was probably right, in that out of your list, there are 2 people whose business relies on the sale of software, Microsoft are the most dependent on it, so they probably deserve this the most.

But, you're right too - had your list been a list of companies in the same industry, Microsoft may not have been at the top (are they more deserving than Oracle?)

9
1

Cheeky IT rival parks 'we're hiring' van outside 'vote Tory' firm Storm Technologies

Ben Tasker
Silver badge

Re: FACTS

> The media twisted the story to try and make it interesting. it WAS office banter, taken out of context. shame they could not print the email in full, then people could see for themselves it was banter.

Presumably you received a copy, and could in fact post it to support your argument?

> Lastly, EVEN if he wanted us to vote for XYZ, how on earth would he police, 120+ employees to confirm exactly which box they did tick ?!

He doesn't actually need to police it. That's the thing with threats, it's the chance that you could follow through that tends to influence people. He may not be able to police it, but once the threat has been made, if you need your job to support your family/pay the mortgage, are you going to take that risk?

There are plenty of examples in history of people changing their behaviour on the off chance that those in power might find out (despite the odds being low), it's an effective mechanism.

2
0

Samsung releases 49-inch desktop monitor with 32:9 aspect ratio

Ben Tasker
Silver badge

Re: Huh?

> As for work, I'd rather have multiple monitors as it's far easier to snap multiple apps in place that way

You're thinking too small. My first thought was that if I went for these, I'd get two (for precisely the reasons you mentioned)

1
0

British prime minister slams Facebook and pals for votes

Ben Tasker
Silver badge

> The second is because a nation based on Islam is unpalatable. (Afghanistan/Egypt)

Nah, I don't buy that argument to be honest.

Indonesia is a Muslim majority country, and we've not made even the beginnings of an excuse to go and invade them. Nor the Maldives or various other countries which have a higher percentage of Muslims than Indonesia or Egypt.

I think it's more that the leadership of Afghanistan/Egypt were unpalatable and happened to be Muslim, rather than it actually having much to do with religion. Other than that those leaders used religion to try and justify their views/methods, but in that case the religion is still just being used as an excuse to be a twatspanner.

16
1

Media players wide open to malware fired from booby-trapped subtitles

Ben Tasker
Silver badge

Re: Blah blah blah

> After checking the patches, it turns out it's a zip file parsing problem which allows files to be created above the parent directory where it's decompressed to (i.e. allowing ../something).

Thanks for that. Saved me from trying to hunt down info that should have been in the advisory (and El Reg could've tracked down).

3
0

LastPass now supports 2FA auth, completely undermines 2FA auth

Ben Tasker
Silver badge

Re: "Nothing can go wrong with this"

> Agreed, but non-cloud based managers trump all

Nope, you're still trading security for convenience there.

As others have said, a single keylogger (or malware targeting password lockers) and you're toast.

They're better than a purely cloud-based storage solution, sure, but don't compare to the security of a properly secured offline record.

Whether it's worth that trade, of course, is something else - I'd argue it should actually vary by the importance of (and ramifications of losing) the password. Social media logins and stuff? Get a bit of convenience. Credentials to access your life savings? Maybe give up a bit of that convenience

> Why trust one login to a single cloud provider with all your logins seems nuts to me.

Me too. Not to say that LastPass haven't put an impressive amount of effort into trying to ensure that a compromise of them doesn't mean a compromise for you, but it's still an exorbitant amount of trust to place in a 3rd party.

2
0
Ben Tasker
Silver badge
Joke

Re: "detect if anyone is anyone"

> "Anyone" is in the Shorter OED (Sixth Edition, page 95) - can't vouch for any others.

In my head, Pompous has read that and is in the process of reenacting a very specific blackadder scene as he realises there's a word missing from his dictionary

0
0
Ben Tasker
Silver badge

Re: @big_D: Banking

They seem to have a good system but don't lose your gadget on an overseas holiday,

They had a good system, but they seem increasingly desperate to ruin it by having everyone generate a code through their (shoddy) app instead.

I'd guess it's probably to do with the cost of getting RSA tokens, but they seem to be pushing the app generator harder and harder, so I've a feeling when the batteries give out on my dongle it may be hard to replace.

3
0
Ben Tasker
Silver badge

Re: "Nothing can go wrong with this"

Those who believe pen and paper is decrepit, inflexible and open to abuse from someone close to you unless a cipher get used. Then there's the camp who believe if it can be hacked- it will.

The two aren't mutually exclusive. It's about assessing the risk you're trying to counter.

Whilst it'd be easy for someone nearby to nab your password book and take photos, it requires physical proximity, so as long as you're actually securing the book you've probably got a low risk of that happening (outside of being deliberately targeted). Post-it notes on the back of your keyboard are another matter though, as you've not taken steps to secure them.

Stored online, on the other hand, there's no physical proximity required and anyone with an internet connection can have a go (though not all will have the ability to be successful). It takes away the advantage of physical proximity (leaving aside people shoulder-surfing your master password) but opens the number of possible culprits from a select few to potentially billions of people.

There's also another risk inherent with trusting a third party with your credentials - they might, without malice, make a mistake that leads to credential leakage. That's another risk that isn't present with a little book of passwords.

To be honest, I see it more as a convenience trade-off than a security decision. If passwords are in a little book, and you haven't got that book with you, you're out of luck. If they're online, then you can get at them any time (the problem being, that others could too).

If you were after ultimate password storage security (with convenience not being a consideration), you'd generate long random passwords, write them in a book and lock that book in a safe that no-one else can open. Of course, you're screwed if you need a password while at work, or if the house burns down.

Cloud based password managers are still better than memorising (and re-using) a small number of less complex passwords, but anyone who tells you they're more secure than pen, paper and a little bit of effort is an idiot.

7
0
Ben Tasker
Silver badge

include those who only allow an arbitrary subset of special characters: so maybe "-" is allowed, but not "/", "%" but not "$", and so on.

Yep, it's one of my bugbears too, but actually, so are the majority of complexity rules - especially when the buggers don't tell you what they are ahead of time.

Mind you, there's quite a lot wrong with a lot of things people think are "standard practice", or that they will improve security.

Making it harder to come up with an acceptable password doesn't automatically make those passwords harder to crack, the rules often make it easier because they exclude a huge number of (otherwise) acceptable passwords.

6
0

Phishing scum going legit to beat browser warnings

Ben Tasker
Silver badge

Re: unless scammers also get EV certificates

Yes, uneducated users will assume that connection is safe if "https" is present in the URL window, but they should also know to check for whom the certificate had been issued.

Clearly, the Chrome developers would disagree with you, given they've moved "view certificate" from being

- Click on the padlock

- View certificate details

To

- Open developer tools

- switch to the Security tab

- Select view certificate

And when challenged on it, explicitly said that they didn't feel it was something a regular user needed.

7
0
Ben Tasker
Silver badge

Free SSL certs are the wrong answer to a real problem, and unluckily the end result will be that sites using SSL cannot be trusted anyway.

They're also the right answer to the problem they're trying to solve.

The question is, how can I be sure I'm talking to an authorised endpoint for www.hsbc.co.uk - which SSL certificates do very well.

The question is not how can I be sure I'm talking to an authorised endpoint for HSBC?

The difference is, that the first is simply checking that the cert is valid for the domain you're going to.

The second is looking to try and authenticate that the endpoint is authorised for use by a specific organisation, which is going to fall flat if you haven't noticed the URL is hsbc.evilsite.invalid.

Certs exist purely to authenticate that you're going to a permitted endpoint for the domain you're accessing, before establishing an encrypted connection (and potentially transmitting sensitive data).

Realising you're going to the wrong domain is down to you (though reviewing the cert can help you with that). That's an issue whether the cert is free or not.

6
1

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

Ben Tasker
Silver badge

Re: Plenty of blame to go around

Not sure that analogy is strictly correct. If the brake fault could only be activated by malicious intervention then not many car companies would be rushing forward to correct it especially on vehicles that are 17 years old and well out of warranty.

Probably depends on what the malicious bugger needs to do. If it's simply thump on your car door as he walks past, then they probably would be, particularly if there were still a high number of them in the market (or if it also affected a more popular model, as is the case with Win 7/8)

2
1

Good news, OpenVPN fans: Your software's only a little bit buggy

Ben Tasker
Silver badge
Joke

Re: Those are bugs?

> and free to prevent double-free's, etc.

If something's worth doing once, it's worth doing twice.

> And, seriously, once done once it can carry over in other projects really quite easily. Literally a page of code that wraps calls, and then forcing people to use your safe alternatives by some kind of redefinition or overloading.

Yup, with the added benefit that if/when we find out the "safe" way the wrapper uses is really unsafe, you've got a single reference point to update, rather than having to find all the now-not-safe methods used in the code.

1
0

For now, GNU GPL is an enforceable contract, says US federal judge

Ben Tasker
Silver badge

Re: UK position ...

> This is why it doesn't matter if you refuse to sign a new contract at work ... if you continue to turn up, you are deemed to have accepted them.

I don't get how anyone could object to a change in terms, refuse to sign and then continue turning up after the new terms are considered "in effect".

It seems like a strange, strange thing to do, given the protections that are there to avail yourself of when something like this comes up.

0
0
Ben Tasker
Silver badge

Re: Technical Point

The consideration is paid when you distribute your modifications.

Yup, you could argue that it's an executory consideration (you're promising to do something in the future)

An exchange of promises meets the bar to be considered a consideration, so you'd probably have a good argument there

2
0
Ben Tasker
Silver badge

It is not a contract, at least not in the UK. A contract absolutely has to have an exchange (e.g. £1) to bind it. No money, no contract.

Incorrect.

There has to be a consideration, that's usually money, but can be anything of value. To put it another way, you essentially have to forgo or sacrifice something.

4
0
Ben Tasker
Silver badge

Re: One point of criticism though...

Assuming the company bothers to pay attention

Well, yes, the GPL, like any other license, is reliant on people actually observing the terms of the license. Otherwise the copyright holder will need to try and enforce the terms.

0
0
Ben Tasker
Silver badge

Re: Technical Point

> I thought there was an old legal principle that for a contract to exist, there had to be 'consideration'.

There does, however it's not that black and white. If you're given something for free in a shop, no money has changed hands but you can still legally make a claim if it's not fit for purpose.

But, if I put my lawyer hat on for a minute, I'd actually spin this around.

If I provide you this software you will abide by the GPL.

The promise is that you'll abide by the GPL, the software is the consideration. With the added benefit that I've provided the consideration so have the right to enforce the contract.

Whether that'd stand up in a court of law is something else, but spinning it round does fit nicely with copyleft vs copyright

1
0
Ben Tasker
Silver badge

Re: One point of criticism though...

> Actually I always get the impression that the main intent is to get more software licensed under the GPL, simply because the given freedom is actually limited. You can't take a project licensed under the GPL, fork it, and decide to release it under another free open source license. Even though the software would effectively remain free.

You're looking at it through a developer's eyes. It's users' freedom that the license seeks to protect; the GPL aims to ensure that if code is released, you as a user will always have the right to use it, modify it and pass it on to your friends.

If the license allowed you to release derivatives under a license that didn't provide for all of these, it wouldn't really be doing its job, would it?

To put it another way, if you release something as MIT then, yes, that code is free. I can integrate it into my proprietary codebase (so as a developer I've got freedom). But my users can't then modify and redistribute my stuff which may be fundamentally based upon yours.

Things like MIT give freedom one step down the chain, the GPL pushes that all the way downstream.

Whether you're more comfortable with the former or the latter should dictate your choice of license.

But yeah, the effect is to ensure that more software (everything downstream) is GPL, as that's necessitated by the aim of the license

9
3

UK hospital meltdown after ransomware worm uses NSA vuln to raid IT

Ben Tasker
Silver badge

Re: Alternatives?

> 1: You do not normally have to use Windows. There are more secure alternatives.

If you've just spent millions on an MRI machine and the software for it is Windows only, you do.

> 2: If you do have to use Windows, do you really have to use FAT or NTFS for your data?

Most ransomware can encrypt data on any mount that your install can write to, so it doesn't matter too much whether you're using FAT/NTFS locally or NFS or Samba to go upstream. Having a journaled filesystem upstream is only so much help when near every file you've got has been encrypted.

Obviously it'd be nice if there were restrictions in place on who/what could edit or remove existing files, but we don't currently know that that's not the case here. It only takes someone with those permissions and you're back in this position.

3
1
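The point above, that the blast radius is "everything the logged-in user can write to, whatever the filesystem", is easy to see in a simulation. The following is an added example, not code from the original post: a constructed five-file "share", a toy stand-in for the encrypt-everything loop (it overwrites with random bytes, no real crypto), and two mount policies: an ordinary writable mount and a hypothetical WORM-style policy where users can add files but cannot overwrite or delete existing ones. The `WritableShare`/`WormShare` classes are assumptions for the demo; on a real file server that policy is an ACL or immutable-attribute job enforced server-side, never by the client.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample data: a tiny "network share" holding a few user files.
SAMPLE_FILES = {f"report-{i}.docx": b"original contents %d" % i for i in range(5)}


def populate(root: Path) -> List[Path]:
    """Write the constructed sample files into a fresh directory."""
    paths = []
    for name, data in SAMPLE_FILES.items():
        p = root / name
        p.write_bytes(data)
        paths.append(p)
    return paths


class WritableShare:
    """Ordinary mount: anything the user can write, code running as that user
    can overwrite or delete. FAT, NTFS, NFS or SMB makes no difference here."""

    def open_write(self, path: Path):
        return open(path, "wb")

    def unlink(self, path: Path) -> None:
        path.unlink()


class WormShare(WritableShare):
    """Hypothetical policy: new files may be created, existing files may be
    neither overwritten nor removed (simulated client-side for the demo)."""

    def open_write(self, path: Path):
        # O_EXCL: creation only; an existing file raises FileExistsError.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        return os.fdopen(fd, "wb")

    def unlink(self, path: Path) -> None:
        raise PermissionError(f"delete of existing file denied: {path.name}")


def simulate_ransomware(share: WritableShare, files: List[Path]) -> int:
    """Toy stand-in for the encrypt-everything loop (garbage overwrite, not
    real crypto). Tries the two usual patterns: rewrite in place, else write a
    .locked copy and delete the original. Returns originals destroyed."""
    destroyed = 0
    for p in files:
        size = p.stat().st_size
        try:  # pattern 1: encrypt in place
            with share.open_write(p) as fh:
                fh.write(os.urandom(size))
            destroyed += 1
            continue
        except (PermissionError, FileExistsError):
            pass
        try:  # pattern 2: new encrypted copy, then remove the original
            with share.open_write(p.with_suffix(p.suffix + ".locked")) as fh:
                fh.write(os.urandom(size))
            share.unlink(p)
            destroyed += 1
        except (PermissionError, FileExistsError):
            pass
    return destroyed


def run_demo() -> Dict[str, Dict[str, int]]:
    """Run the same loop against both policies; report destroyed/intact counts."""
    results = {}
    for name, share in (("writable", WritableShare()), ("worm", WormShare())):
        with tempfile.TemporaryDirectory() as d:
            files = populate(Path(d))
            lost = simulate_ransomware(share, files)
            intact = sum(
                1 for p in files
                if p.exists() and p.read_bytes() == SAMPLE_FILES[p.name]
            )
            results[name] = {"destroyed": lost, "intact": intact}
    return results


if __name__ == "__main__":
    print(run_demo())
```

Pattern 2 is why denying overwrites alone is not enough: on the WORM share the `.locked` copies still get created (so quota and disk-fill still matter), but because delete is also denied every original survives.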

You only need 60 bytes to hose Linux's rpcbind

Ben Tasker
Silver badge

You'll quite often find (particularly with AMIs others have built) that there's all sorts of crap listening, but that the Security Policy is locked down by default (so you have to go and permit the ports/protos in AWS).

Which is all well and good until some tosser sets up an Allow All from Everywhere without thinking about it.

1
0
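The combination described above (junk listening on the instance, a Security Group that happens to block it) is only safe until the group is opened up, so a useful check is to cross-reference what is listening with what the group exposes to the world. The following is an added example, not code from the original post: it takes a constructed list shaped like the `IpPermissions` entries EC2's DescribeSecurityGroups returns (only the fields used here are assumed) and a constructed set of listening ports, and reports every listener reachable from `0.0.0.0/0` or `::/0`. Port 111 is rpcbind's well-known port; the group names and IDs are made up.

```python
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# Constructed sample, shaped like DescribeSecurityGroups output (assumption:
# only IpProtocol/FromPort/ToPort/IpRanges/Ipv6Ranges are needed).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "locked-down",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0bbb", "GroupName": "allow-all",
     "IpPermissions": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0ccc", "GroupName": "rpc-open",
     "IpPermissions": [
         {"IpProtocol": "udp", "FromPort": 111, "ToPort": 111,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

# Constructed: what `ss -lntu` on the instance might show, by protocol.
SAMPLE_LISTENING: Dict[str, Set[int]] = {"tcp": {22, 111, 2049}, "udp": {111}}


def is_world(cidr: str) -> bool:
    """True for the unrestricted ranges 0.0.0.0/0 and ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def world_cidrs(rule: dict) -> List[str]:
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_world(c)]


def rule_covers(rule: dict, proto: str, port: int) -> bool:
    """Does this ingress rule admit traffic to proto/port? Protocol -1 is
    'all protocols, all ports'; ICMP rules are ignored (ports mean type/code)."""
    rp = rule["IpProtocol"]
    if rp == "-1":
        return True
    if rp != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allow_all_groups(groups: List[dict]) -> List[str]:
    """Groups with an 'everything from everywhere' rule: the case to fix first."""
    return [g["GroupId"] for g in groups
            if any(r["IpProtocol"] == "-1" and world_cidrs(r)
                   for r in g["IpPermissions"])]


def exposed_listeners(groups: List[dict],
                      listening: Dict[str, Set[int]]) -> List[Tuple[str, str, int]]:
    """(group, proto, port) for every listener reachable from the whole Internet.
    A listener behind a restrictive group is not reported: it is the overlap
    between 'listening' and 'world-open' that matters."""
    found = []
    for g in groups:
        for proto, ports in listening.items():
            for port in sorted(ports):
                if any(world_cidrs(r) and rule_covers(r, proto, port)
                       for r in g["IpPermissions"]):
                    found.append((g["GroupId"], proto, port))
    return found


if __name__ == "__main__":
    print("allow-all groups:", allow_all_groups(SAMPLE_GROUPS))
    for gid, proto, port in exposed_listeners(SAMPLE_GROUPS, SAMPLE_LISTENING):
        print(f"{gid}: {proto}/{port} listening and open to the world")
```

Fed real data (the `SecurityGroups` list from the EC2 API and the instance's listening sockets), the same two functions separate "harmless junk behind a closed group" from "junk that someone just exposed with an Allow All rule".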

systemd-free Devuan Linux hits version 1.0.0

Ben Tasker
Silver badge

Re: Honest inquiry

> But what if you're pressed on the other side of the coin: It's a "five nine's" service that's gone down, and because it's a holiday or whatever, no one's around to verify its state if it goes down,

So you've got a service you're advertising as five nines, but haven't provisioned for appropriate monitoring coverage out of hours?

Your problem there isn't your init system, it's your failure of planning to properly support the service you're offering. As others have said, if the component that went down is brought back up automatically, it could lead to data corruption, so you really want someone to verify things before simply sticking it back in service.

10
0
Ben Tasker
Silver badge

Re: Honest inquiry

> Does Gnome "do one thing and do it well"?

Gnome is amongst the worst examples you could possibly have picked, given that it's another project that's continually criticised (generally for dumbing down and removing useful features).

It's also a Desktop Environment, so it's kind of expected that it'll contain a wide variety of binaries (just as XFCE, KDE and other DEs do). It's still largely focused on one area though: being a Desktop Environment.

Systemd was supposed to be init, but the wider project has now pulled in other things too (ranging from udev to network management). Technically those other areas aren't part of the init process (in that they're not in PID 1) but they are now part of systemd, leading to systemd increasingly becoming a dependency for other packages which shouldn't otherwise require systemd specifically.

I have days where I outright hate SystemD, and I have days where I'm ambivalent about it. Can't say I've ever felt good about SystemD though (though the same is probably true for SysV). JournalD and FirewallD though, can die in a fire.

33
0

LinkedIn U-turns on Bluetooth-enabled 'Tinder for marketers'

Ben Tasker
Silver badge

Re: Deleted on all of my devices

> While you can somewhat tame the web version using nuclear winter levels of noscript and adblock,

I've gone a bit far and broken it, it'll load and then get stuck waiting for something or other that I've blocked to load.

Just hasn't seemed worth the effort of troubleshooting it vs just not going there.

1
0

Cuffing Assange a 'priority' for the USA says attorney-general

Ben Tasker
Silver badge

Re: Assange is not a "leaker"; he's a "leakee"

> but legally he's no more a criminal than any journalist

Actually, he is. He has a conviction and a criminal record from his Mendax days. Not all Journalists have a criminal record, so your statement is incorrect

I know that's not the point you were making, but you're wrong so I thought I'd point it out for you.

4
0

Sysadmin 'trashed old bosses' Oracle database with ticking logic bomb'

Ben Tasker
Silver badge

> And why did they need outside help to figure out what was going on? I smell rats on both sides of this equation.

I can see two possibilities (which aren't mutually exclusive) here

1) They no longer had the skills in-house to investigate and resolve the issues they'd encountered.

2) Because it related to their year-end filings, they wanted an independent 3rd party to investigate so that they'd have an "independent" outfit to verify the issue if the taxman, shareholders or anyone else came knocking

Neither sounds too unlikely or unreasonable to me.

0
0

Uber responds to Waymo: We don't even use that tech you say we stole

Ben Tasker
Silver badge
Joke

Re: For those of us who

For those of us who can't be arsed, could you tell us what Article 10 of the Andorran Constitution says?

5th Amendment is the right against being compelled to incriminate yourself by testifying.

4
0


Biting the hand that feeds IT © 1998–2017