Posts by aaaa

78 posts • joined 17 Jan 2008


Click here to see the New Zealand livestream mass-murder vid! This is the internet Facebook, YouTube, Twitter built!

aaaa
Unhappy

Why share?

Long one. Please bear with me.

So I just got back from the playground with my 2.5yo. The playground is beside a lake, and there is a carpark that faces the lake, and a scenic walking/biking track that goes around the lake.

As we're walking to the car I remote open the boot, and a few seconds later a group of guys walking behind the cars stop behind my car.

I find this a bit odd. Why walk behind the cars when there is a really nice scenic walk 5 steps away (around the lake)? Why stop in the middle of the car park? Why stop behind my car?

I'd usually leave my child's bike and bottles and junk near the path and carry her to the car to strap her into her seat, then go back and get all the junk and put it in the boot. I leave the boot up during this process, because parking spots are at a premium, and I want anyone cruising for a spot to realise this is not going to happen quickly. But given this group of guys is now behind the car, I decide to carry toddler, bike, etc. all with me and put the stuff in the load space first, and then go around and strap her in.

The guys, 4 or 5 of them, mid-20's to mid-30's, white, 5'8" to 5'10", short hair and clean shaven, wearing athletic wear (shorts/t-shirts), remain behind my car the whole time, talking.

They are talking about the terrorist video. They are trying to decide which bits they like best. The shooting outside? The shooting inside?

I almost throw up.

I get my daughter strapped in, close the tailgate, and start the car. They move one car spot away, stop behind the next car. I lock the doors and reverse out. As I drive around the car park to the exit, they are still there. The lights change and I leave.

With 20/20 hindsight, I could have taken a good photo from the other side of the car park while waiting for the queue of traffic at the lights. But I didn't think of it. No I don't have a dashcam.

About 15 minutes later when I have time I call the local police station to report it. No, they were not carrying anything. No, they didn't seem to be prepared for any immediate violent act. Their loitering behind the cars in the car park was suspicious and their conversation revolting, but nothing more than that. The police directed me to a web page where I could record the particulars, which I promptly did. During the process of describing it, I realise that where they were standing was probably not covered by any security camera, possibly explaining their preference to remain there.

So why repeat all of this here?

Because the item the author of the article fails to address is that A LOT OF PEOPLE like and share this stuff.

It's abhorrent that they do, but they do.

Yes it's less than the total user base of facebook, but it's clearly not a tiny proportion.

Yes, it's been proven clinically that it's a sign that they are more likely to abuse animals and people.

In China, I imagine they would not so much do a better job of banning the content, as severely reduce the points in your social balance once they found out you had watched it, and even more if you'd shared it. You'd likely never get a house, job, car or date ever again.

I don't want that to happen in facebook-land, and besides, it won't stop the guys in the car park, will it?

The root of the problem is people actually liking this stuff.

And whilst it's a social problem, it's not a problem I think social networks can fix, and certainly not with time-delayed video.

'It's like they took a rug and covered it up': Flight booking web app used by scores of airlines still vuln to attack – claim

aaaa

and our technical teams took immediate action

The much-maligned epithet "all businesses are IT businesses" actually has quite a lot of relevance.

The phrase "and our technical teams took immediate action" shows just how out of touch senior management is.

It would be as if the director of Boeing, criticised that his planes can't stay in the air replied "our technical teams are taking immediate action...".

It's not your technical team that needs to take action, it's the whole company that needs to take action, starting with the board.

Apple in XS new sensation: Latest iPhone carries XS-sive price tag

aaaa
FAIL

I returned my iPhone X because I don't know how to ask for help

I had the iPhone X for about three days before it was returned because it basically became useless while driving and I was having to pull the thing out of my pocket and hold it up to my face for three seconds to check a text.

A quick google search found this answer:

From your post, I understand that you are not able to ask Siri to read your incoming text messages while you are driving; you are being prompted to unlock your iPhone. I’m happy to help you troubleshoot this situation!

From what you have stated, it sounds like you may have Messages previews disabled. Navigate to Settings > Notifications, Messages > and adjust Show Previews to Always. After making this adjustment, test this functionality again.

I just tested this on my iPhone X with latest iOS 11 and it works as advertised.

Apple leaks rekindle some hope for iPhone 'supercycle' this year

aaaa
Thumb Up

A lot of SE's

I like the smaller phones - and have an SE, and am eagerly awaiting the SE update.

Whilst it's not got a high price tag - I think there are a LOT of people waiting for that upgrade.

A 'cheaper' iPhone X plus a 'new' SE could lead to a supercycle... it's not beyond reason.

Australia on the cusp of showing the world how to break encryption

aaaa

iMessages in the Cloud

Apple recently introduced their ‘iMessages in the Cloud’ feature - and I think it’s aimed specifically at satisfying this type of legislation.

The iMessages are still encrypted end to end, but a copy is sent to Apple and stored on their iCloud server to which they have a master key and can respond to warrants etc.

To satisfy the Australian legislation all they need to do is ensure it's turned on and can't be turned off. Either explicitly or implicitly, e.g. by forcing it on for 'Australian' sold devices, or when on an 'Australian network', or by allowing command and control to enable that remotely on specific devices.

The Cloud is convenient for sure - but your cloud provider (anywhere) must respond to warrants and must be able to decrypt your data. On a public cloud there is nothing stopping you ensuring that the data you store on a cloud is already encrypted with a key only you have - but as soon as you use things like iMessages in the Cloud then that’s not an option available to you.

Time to ditch the Facebook login: If customers' data should be protected, why hand it over to Zuckerberg?

aaaa

I've seen that...

I've seen 'login by facebook' option on a few sites. You mean some people actually use that option?

I even do have a facebook account, and don't use 'facebook login'. Lots of people in these comments are saying it's popular and 'for lazy people'. Really? I'm pretty lazy - but it never occurred to me to use that option - partly because I've no idea what my facebook login and password is - you type it in once when you register and it never asks for it ever again AFAICT. If it ever asked me I'd have to open a new account - I don't even know what email address it's linked to to request a reset...

Honestly, I'm absolutely flabbergasted that anyone uses 'facebook login'. Are you really sure? Is there any actual hard data on how many people use it?

As other posts have said - it's just OpenID - so it's not like its presence on a web site counts for anything - the developer just added it by ticking a box. Sure it's insecure - but adding the option on our login page makes us look all millennial - no-one is actually going to use it, least of all millennials (never seen a Snapchat login option).

aaaa

Re: my sons school forced me to use google/facebook

Looks to me like SIMS supports more than just Facebook - but lots of OpenID compatible logins, including their own (SIMS ID):

HTTP://WWW.SIMS-PARENT.CO.UK

'Housemate from hell' catches 24 new charges after alleged nightmare cyberstalking spree

aaaa

Re: Need help with a cyberstalker

I'm with @Sampler - definitely report to the local Australian cops, but also report it in the US as a crime in the US (using a carriage service to threaten?). It may be worth contacting a US based lawyer too - primarily to find out if there are US based not-for-profits that may assist. If the cyberstalker is doing this to your friend, the chances are she's not the only one. As in this article - it's not until the cases start to come together that you really get traction.

From a technical POV - getting the evidence can be really, really difficult - again as shown in this article. Law enforcement needed a VPN provider to co-operate to get anywhere at all. You can set a trap up though, maybe in combination with the phone call (see below). I.e.: your friend mentions they have a new computer or are now using Flickr or Dropbox or something - with the hope that the stalker will try and break in to look for more material. And there will be - but all the files will be fingerprinted or whatever to prove they came from that source. All the cops need then is to find those files in the stalker's possession to prove breach of DMCA.

From a non-technical POV - getting the guy to admit it on tape is always handy (e.g.: record a phone call). It won't have any legal standing, but it will help others to get on board your friend's case.

Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards

aaaa
FAIL

Version Control / Code Review? Hello!

Does no-one in modern IT do any QA or use Version Control? Whatever happened to code reviews? Checking that what is being deployed is what was designed, and that other parts of the code haven't been changed? This is software development 101, people. Maybe it's all Git's fault - in which case throw it away and use tools that are fit for purpose. I know the toolchain I use does all this because it's the single most important reason why we use change management - to track what changes, because our QA and release process regularly asks "what changed?" and needs good answers.

From the Delta.com/response web site:

We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.

So the question of how an outsourced chat bot could access credit card info is answered - because it can access the DOM of the page beneath it.

Wearables are now a two-horse race and Google lost very badly

aaaa
Happy

Smallest phone

I like a small phone, and for various reasons I'm kinda stuck in the Apple eco-system. I like my gen 1 iPhone SE, but I'm not looking forward to upgrading to either iPhone Huge, iPhone Enormous or iPhone Massive when the time comes. So I'm seriously considering keeping the SE and just buying an Apple Watch Cellular. Once the watch is configured, it goes in the drawer. I think with Siri and a couple of apps I probably have everything I need until I get home.

Three things I'm still concerned about:

- I'm often stuck needing to do a little internet banking cash management when I'm at the shop - the Watch app seems to not allow transfers, only balances. I suppose I could use phone banking at a stretch tho. Or just keep my Apple Pay account topped up more regularly...

- battery life

- camera (but I think I have this worked out - buying a Red Hydrogen One as purely a camera)

I'll probably hang out on my decision until April or May and see if it looks like there will be an Apple Watch Series 4 with better battery...

iPhone X 'slump' is real, whisper supply chain moles

aaaa
IT Angle

Doesn't make sense

It just doesn't add up.

As AppleInsider wrote: "Apple has previously sold 50-60 million iPhones in total in its January quarter. Imagine launching three new flagship iPhones at the highest prices ever asked, while also introducing the widest array of new, cheaper options, and then "envisaging" that the vast majority of customers would all buy just one of those models: the most expensive iPhone X."

No way was the order for 45-50 million panels in the January 2018 quarter.

Maybe the order was for 20 million and Samsung thought they would over-produce / made a gamble.

There are too many 'unnamed sources' in these articles - the numbers just don't add up. It sounds like a story is being spun - and there is enough being hidden to make it impossible to tell why this story is being spun (an attempt to undermine Apple by Samsung - both a key supplier and a rival?).

But The Register repeating it all verbatim without any analysis or critical thinking is poor journalism.

Are you an open-sorcerer or free software warrior? Let us do battle

aaaa
Unhappy

Complete failure of stated objective

From the article "The OSI wanted to make free software "more understandable to newcomers and to business". They felt the term "free software", with "its seeming focus on price", was distracting."

Well - they are a complete failure are they not?

Look at the funding shortfall for even the most popular OSI software like OpenSSL. It only got addressed as a 'once off' and only after a helluva lot of publicity.

Free software has never been about price. It's like saying the Free Press is about having a free paper to read on the tube.

Free Software is more valuable than non-Free Software, and you should be paying for it. Or you know, don't pay, and find the software stops being supported suddenly because the programmers who were maintaining it had to go and get jobs at Tesco because they were about to be evicted, whilst their software was being used in mission critical and customer facing systems in 9 out of 10 Fortune 500 companies. I wish I was making this up.

The Free Press is far more valuable than the non-Free Press. It's why we watch and PAY FOR the BBC for our international news, and not 'Russia Today'.

Uber quits GitHub for in-house code after 2016 data breach

aaaa
Devil

Git is a risk to any organisation

Git is a risk to any organisation trying to protect their Intellectual Property (IP), specifically:

- lack of security, particularly at file/branch level

- lack of auditing

- lack of centralised management tools (because it's distributed).

- lack of version history: if a developer 'loses' the repository, all that remains is what they 'published' or what was 'pulled' by the release process, easily less than 1 in 100 revisions.

Linus wrote Git because he was sick of having to do so much merging work - it doesn't get rid of the work - it pushes the work out to other people. Git is awesome if you are Linus - or working in a similar environment without IP and with volunteers/academics and where you can make everything everybody else's problem.

Git is rubbish at Commercial IT.

All the data breaches associated with Github show that Github makes it easy to upload things you shouldn't to publicly accessible repos (or at least repos not secured by SSH keys or 2FA). The on-premise solution we use (trying not to drop names) is designed exactly the opposite way. By default nothing is publicly accessible and you'd have to go to a lot of trouble to make it accessible, and then to enable anonymous access. It's called security by design.

aaaa
Meh

Re: Pay less the CEO...

It does kinda, based on this (replaces the 'password' with the one-time key):

https://stackoverflow.com/questions/25550481/git-authentication-fails-after-enabling-2fa

SSH keys are probably safer, but apparently Git on Windows has difficulty doing that (again from the link above).

I use CVSNT not Git, and it does SSH keys just fine, and is on premise, not cloud.

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

aaaa

Re: x86/x32 Linux / Windows affected?

@AC - yep GRSecurity are kinda saying the same thing: https://twitter.com/grsecurity/status/949794658720337920

aaaa

Re: x86/x32 Linux / Windows affected?

But the Linux patch is specifically for x86-64, e.g.: this advisory from Debian:

https://lists.debian.org/debian-security-announce/2018/msg00000.html

This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack.

If it affects i386 then why isn't the i386 kernel being updated?

aaaa
Meh

x86/x32 Linux / Windows affected?

Can anyone explain if x86/x32 Windows and Linux is affected? Everything I've seen so far says it's x64 only (or rather x64 microcode). In fact El Reg refer to "The crucial Meltdown-exploiting x86-64 code can be as simple as...".

From memory I'm thinking that at boot Windows/Linux x32 place the processor into a non-64 bit mode that disables virtualisation etc. If you try and execute any x64 assembler 'under' Windows x32 it just barfs (again, from memory). (bonus points: can anyone confirm if you can run x64 assembler from an x32 windows process on an x64 OS host?)

I'm thinking therefore that if you want to browse the web (javascript!) then just do it from an x32 OS install. An x32 browser (Firefox etc.) is not really any help I think if the OS is x64 - but if the OS is x32 it should be safe?

But I see that the Microsoft patch KB4056891 has been made available for W10x32. I guess they can still apply the same mitigation measures for x32 - but I wouldn't think it's needed.

I'm confused - can anyone clear it up for me?

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

aaaa
Happy

Refunds and Compensation

Companies like Apple that offer a 'no questions asked' refund policy are going to be very, very busy refunding every Christmas gift with an 'Intel inside'. You think Apple (and other vendors) are just going to take that hit? Intel will be paying compensation to vendors for sure, certainly for every chip shipped in the past 3 months - but more likely 6-12 months since this will affect the pipeline and inventory too. Who's going to buy anything with 'Intel inside' unless the vendor can guarantee that it's new silicon?

Consumer law will also come into play as Aqua Marina detailed in "I wonder where we stand legally now?" (above).

But the really interesting thing will be whether companies like HPE go to bat for their enterprise support customers. Because that'll be a killer whitebox shakedown. i.e.: 'I bought HPE and they replaced my server CPU' and 'I bought a whitebox and now it runs 30% slower and I've got no recourse'. It's little cost to HPE and a marketing windfall - they just have to jump on the cueball-intel bandwagon.

This is going to be good fun to watch.

Google says broader right to be forgotten is 'serious assault' on freedom

aaaa
WTF?

rather disingenuous.

There are narrow areas where public interest trumps private interests. There are already laws which cover this. Criminal Records and Official Transcripts of Parliament etc. Google's argument is rather disingenuous.

Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

aaaa

Re: Ars Technica

Just read it - yeah, much fuller (and better) article.

aaaa
Boffin

they failed to unlock the phone

Let me re-write the article based on an actual quote in the article:

The creation wasn't able to defeat Face ID at first, [then it locked and required a passcode].

They were spectacularly unsuccessful. Rather than El Reg criticise their over-optimistic press release, they've bought in whole heartedly.

Shame El Reg, shame.

nbn™'s problems were known – in 2008, a year before its birth

aaaa
Childcatcher

Ideology over good policy

Good politics is to let the policy wonks in the public service determine the structures and framework based on interviews/panels/committees of experts, representatives from industry and representatives of customers.

Both Labor and ALP have pursued ideology over policy - insisting the design come from the minister's office, not the PS.

All up though - at least the headaches may have been worth it with Labor's plan - the ALP promised to scrap the whole thing, but came up with the absolute worst case scenario instead: pay top dollar for minimum result. TBT it was Tony trying to sabotage Malcolm's career. Whenever I see it brought up I always assume Tony is behind any leak/headline/report - engaging with the mud slinging is just to Tony's advantage - which is something I never want to be tricked into doing.

Australian senator Pauline Hanson wants devilish scam calls to flash '666'

aaaa
IT Angle

what's a "phone call"?

What's a "phone call"? Is it like SMS? I don't understand.

It's Patch Blues-day: Bad October Windows updates trigger BSODs

aaaa
FAIL

Engineering 101

You should never have delta updates in WSUS.

So you have two types of updates. You write a computer program to process updates - which should only ever receive one of those two types.

Isn't engineering 101 to 'check' which type of update it is, and if it's one you haven't explicitly coded to handle, you reject it/skip it?

Then again, here in OZ they keep building tunnels without putting in safety gates - you know a 'cheap' steel (upside down) U shape thingy set at the maximum height for vehicles? The idea being rather than a 3m vehicle ploughing into a 2.6m tunnel and causing major delays and days of remedial roadwork - the truck can hit the gate and be safely/easily moved to a slip road and leaving the tunnel itself undamaged. So if actual engineers no longer do basic safety, it's little surprise software engineers just ignore it altogether.

I'm sure that by reducing the total project cost by 0.01% and skimping on Engineering 101 some middle manager got a whopping great bonus and promotion. Well done. You're totally awesome. High five! Rock Star!

Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster

aaaa

Re: Mount hobby horse. Charge!!!!!!

@Brewster - the detail in the article is very thin - it says 'This was the system used by a lead developer at the 30-person outfit to generate code' which suggests to me that it wasn't what most would consider a 'secure build environment' - more like some environment you log into. I decided to assume the author knew more than what's been written and go with the spirit of the headline 'Avast urges devs to secure toolchains'. Ie: the build system wasn't secure, and I'd argue was barely deserving of the name.

@everyone - have u not heard of VMware? Teams of 1 can definitely have secure independent build systems.

aaaa
FAIL

XcodeGhost again, cmon people!

The Register covered the XcodeGhost fiasco where some high profile app developers were releasing code built using compromised tools:

https://www.theregister.co.uk/2015/09/23/xcodeghost_ios_app_infection_toll_rises_to_four_thousand/

I said it then, and I'll repeat: What commercial software company would dare allow a developer machine to create a customer build? Requiring a 'pristine' build environment is software engineering 101.

You commit your code - the build server checks out the code and performs the build in a clean environment.

Publish the list of companies that build on developer PCs far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?

New prison law will let UK mobile networks deploy IMSI catchers

aaaa

Re: Encryption aware phone?

For iPhone - iOS 5 (and later) apparently - though as other posters have said - you need to disable 2G - because whilst 2G is 'encrypted' it's so weak it almost doesn't matter. And I think SMS is never encrypted.

http://twitpic.com/58fxoa.

Linux kernel hardeners Grsecurity sue open source's Bruce Perens

aaaa
Unhappy

Missing the point

We continue to see the great coders behind the software we are all using going without cash for their work - even though their work is being heavily commercialised. e.g.: OpenSSL.

GRSecurity has just tried to work out some method to get paid. He's still contributing GPL code - which is arguably more than many people commenting have done.

I personally have contributed quite a few thousand lines of open source code, plus paid staff over $1M to write open source code that had over 1.4M downloads in a year, plus made financial contributions to FSF and individual open source projects. But I'm now of the opinion that OSS is dead. Without a way to financially compensate those that do the work, programmers would rather spend their time writing for iOS or something, anything that has half a chance of paying the rent.

Back in the day it was OK - individuals and companies liberally gave money to support these projects, or your employer paid you to work on it - now - not so much, and when you hit upon some 'subscription' contract that customers are happy with - this guy decides to use his power and influence to scare your customers off.

He could have just left GRSecurity alone and let the people who wanted to pay to pay, and those who didn't want to didn't have to.

More coders are going to see this and think 'write for open source? yeaaaah riiiiight.'.

New iPhone details leak: Yes, Apple is still chasing Samsung

aaaa
Happy

Apple excels in iterative technical improvements, and marketing

When Apple released the iPod - there was also a furore about it not being anything new. But it was successful, and the features missing in the first release were iteratively built upon.

I remember hearing the CEO of Nokia interviewed on Radio 5Live (Wake up to money) just after the iPhone was released, he said something like 'nothing to worry about - no one wants an iPhone and Apple won't be able to mass manufacture'.

In addition to excelling at iterative technical improvements, and marketing, they are also pretty good with manufacture/supply-chain-management and hardware design (including silicon now). Their processors are iterative improvements on reference designs - but they are way ahead of the pack on power/performance.

Yes - all this tech is not 'new' - but Apple are iteratively building on what others did, but making it more usable* and will market it very very well.

Note: * certainly this is somewhat subjective. As others have said here - fingerprint readers - blah - disable please! Done that for years until I got an iPhone with 'touch id' - it's so easy to use, and stops my nephews and nieces from watching me enter a passcode then re-use it when I'm out of the room. Sure - it won't stop a determined criminal or law enforcement - but that's not what I need it for.

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

aaaa
Unhappy

Re: WMI (and seriously - passwords in memory?)

@patrickstar

I haven't seen anyone mention that NotPetya requires Admin privileges in order to get the admin credentials from memory. I'm sure I've read quite the opposite - admin privs are NOT required. My bit of googling gave similar results for Linux (but I'm no expert there - I'm just agreeing with what other posts here have said - Linux has the same deficiency).

I have seen a little suggestion it's related to the ability to run gdb on linux (which I think all users can), and the SYSTEM account in Windows (not the SeDebugPrivilege priv), i.e.: via "psexec -s", via post exploitation tools, scheduled tasks, etc - see the mimikatz doco for details.

So all my comments are based on the assumption that NotPetya doesn't require admin privs to read the memory where the credentials are - so from my POV there is a quite fundamental difference in memory space security on Linux/Windows compared with Solaris/HPUX/OS400 etc.

@thored

The GPO setting "Interactive logon: number of previous logons to cache (in case domain controller is not available)" controls the caching of logins to the HKEY_LOCAL_MACHINE\Security\Cache registry key, not to the LSASS memory AFAICT. Surely if there was a GPO setting to mitigate this the article would have mentioned that in addition to Credential Guard. No - I think the point of the article (and @patrickstar's comments too) is that on Windows Credential Guard is the only feasible mitigation.

I've not seen anyone else suggest a way to shut down WMI command line access either - so I assume it's a bust too.

aaaa

Re: WMI (and seriously - passwords in memory?)

@patrickstar

Cached credentials are presumably in the Kernel or at least another processes memory.

In VMS, pa-risc HPUX and Sparc Solaris, user processes can't read the memory space of other user processes, and certainly not Kernel memory (not unless you are superuser). So no - kerberos doesn't have the same problem on *ix.

I've been trying to google for an answer, what I found is vague - so I'll assume you are right - Linux and Windows both suffer from this malady of allowing any process free rein of reading all the memory space. So yes - kerberos on LINUX would have the same problem. There is a whole other thread in these comments about whether Linux is any better than windows or not.

But if you know that OS allows your memory to be read, then you should code with that in mind - there is no need to keep the password itself in memory - you can hash it with a low collision hash. Or at least only keep the password in memory during the actual password compare and then zero the memory out.
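As an added illustration of the memory-hygiene discipline the comment above argues for (never keep the plaintext password around, compare against a digest, and zero the buffer as soon as the compare is done), here is a small C example. It is not code from the original post or from any product mentioned on this page. It assumes a 64-bit FNV-1a digest purely as a placeholder for a real salted, slow password hash (Argon2, scrypt or similar), and it uses a volatile-pointer wipe so the compiler cannot discard the clearing stores as dead code:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HASH_LEN 8

/* Placeholder digest (64-bit FNV-1a). A real verifier would use a
 * deliberately slow, salted password hash; FNV is used here only so the
 * example is self-contained. */
static void digest(const unsigned char *in, size_t len, unsigned char out[HASH_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= in[i];
        h *= 0x100000001b3ULL;
    }
    for (int i = 0; i < HASH_LEN; i++)
        out[i] = (unsigned char)(h >> (8 * i));
}

/* Zero a buffer through a volatile pointer so the stores survive
 * dead-store elimination (the same idea as explicit_bzero/memset_s). */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Constant-time equality: no early exit on the first differing byte. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Enrolment: only the digest is retained, never the password itself. */
static void enrol(const char *password, unsigned char stored[HASH_LEN]) {
    digest((const unsigned char *)password, strlen(password), stored);
}

/* Verification. `candidate` is the caller's buffer holding the typed
 * password (e.g. straight from a login form). The plaintext exists only
 * until the compare finishes; the buffer is wiped before returning,
 * whether or not the password matched. Returns 1 on match, 0 otherwise. */
static int verify_password(const unsigned char stored[HASH_LEN],
                           unsigned char *candidate, size_t candidate_len) {
    unsigned char computed[HASH_LEN];
    digest(candidate, candidate_len, computed);
    int ok = ct_equal(computed, stored, HASH_LEN);
    secure_wipe(candidate, candidate_len);   /* plaintext gone */
    secure_wipe(computed, sizeof computed);  /* transient digest gone */
    return ok;
}

/* Helper so a caller (or test) can confirm the buffer really was cleared. */
static int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Self-contained demo with a constructed password; returns 1 if every
 * expectation holds (correct password accepted, wrong one rejected, and
 * the plaintext buffer zeroed after each attempt). */
static int demo(void) {
    unsigned char stored[HASH_LEN];
    unsigned char buf[32];
    enrol("hunter2", stored);                 /* constructed sample */

    memcpy(buf, "hunter2", 7);
    if (verify_password(stored, buf, 7) != 1) return 0;
    if (!is_wiped(buf, 7)) return 0;

    memcpy(buf, "hunter3", 7);
    if (verify_password(stored, buf, 7) != 0) return 0;
    if (!is_wiped(buf, 7)) return 0;

    return 1;
}

int main(void) {
    printf("demo %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The point of the structure is that the plaintext is only ever held in the caller's buffer and only for the lifetime of `verify_password`; nothing long-lived (the stored digest, a session structure) ever contains it, so a memory read after the compare yields zeros rather than a reusable secret.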

aaaa
Alert

Re: Bring Back

Mark 110 - classic straw man.

> In the data centre, lets have Windows, Solaris, AiX et al, again.

Who even mentioned Linux?

Of course it's understood that Linux is untested and untrusted, it's why the poster didn't mention it in the list of what to put in the data centre. And I'm sure windows was only listed as a concession because in the real world you can't exclude it entirely.

aaaa

WMI (and seriously - passwords in memory?)

The fact I've not seen anyone tell sysadmins to disable WMI - I assume means you can't feasibly do this without breaking exchange and/or ad? The port used is RPC - so blocking the port isn't an option because AD would barf.

And seriously, Windows 2000 up to and including Windows 10 all store the system administrator password in a form that can be decrypted with a simple API call?

Yeah - I know Windows 10 Enterprise Edition has the option of enabling 'credential guard', but it's hardly a single click exercise (and not an 'install' option without major scripting work) - and I've not seen a single PC with it on in the field... (actually I've seen very few W10EE in the field, most of it's "pro").

BA's 'global IT system failure' was due to 'power surge'

aaaa
Unhappy

Insurance and lack of competition

Fast forward 3 years and the parent company had decided that outsourcing the IT services was the way to go, and I was made redundant. In the following 4 years, they had three major outages, 1 of which lasted for over 2 weeks. I'm told that the cost of their losses for the least of those incidents was about €20,000.

And they probably had insurance to recover that €20K, cheaper than maintaining a reliable system, and when the 'competition' doesn't offer a service which is demonstrably more reliable - there is no competitive pressure to do any better.

aaaa

Paying for criticism

The biggest problem I see with outsourcing is lack of criticism.

Ie: your own IT team will freely criticise management decisions and choices of technology etc.

Once you outsource it's a lot of "yes sir, no sir".

RBS also had a huge IT failure about 12 months after outsourcing to India (from memory) and despite government enquiry there was very little said at the end of the day. I agree strongly with other suggestions here that there needs to be some legislative penalty for companies who outsource then fail. They shouldn't be allowed to 'justify' it as being unrelated. The tests are just too black/white - whereas this is a complex psychological issue - it's not about IT skills - I'm sure TATA are great at that - it's about human ego and reward, same as how the GFC taught governments that they need to control how financial sales people are rewarded - the global IT crisis will eventually teach politicians the same thing about their CIOs.

America 'will ban carry-on laptops on flights from UK, Europe to US'

aaaa

Power on at checkpoint

Just post 9/11 I remember every security checkpoint I went through at every airport required I take my laptop out and power it on. Whatever happened to that? I haven't been asked now in years... It was a sensible security precaution in my view (though if you were determined I guess I could see a way or two around it). Preferable to checking your devices in the hold anyway.

Spammy Google Home spouts audio ads without warning – now throw yours in the trash

aaaa
Joke

Shock news! Device from advertising company plays advertisement!

Google is an advertising company. Seriously, what did you people expect?

What is most surprising about this article:

a) Device from advertising company plays advertisements

b) People with AdBlock Plus surprised to discover everyone else sees adverts

c) No-one likes advertisements, but everyone likes Google

d) The Register finds fault with IT company who is not Apple (or HP)

Microsoft foists fake file system for fat Git repos

aaaa
Alert

Proves Git is unsuitable for commercial dev work

Linus was clear that he designed Git to reduce the pressure off him personally, by making more work for everyone else (https://marc.info/?l=linux-kernel&m=111288700902396) - it's great for him, and maybe for a lot of other open source 'community' projects.

MS have bastardised Git so that it's no longer distributed, and therefore you don't get the performance or workflow benefits (after the initial overhead of a 'clone') of working 'offline'. The only reason to do this is because you are 'forcing' everyone to merge into a central source frequently anyway - which is what Linus was trying to avoid.

OK - it remains 'compatible' so presumably someone can still use a 'normal' git client to do a 'full' checkout, but I wonder why MS don't just use TeamSystem - it's their own product after all, surely they would prefer to make changes to improve their own product? Is this a sneaky way of them warning the market that TeamSystem is going away?

All distributed version control lacks fine ACL's and fine grained auditing (because commits can be made to 'local' repositories then merged up as 'fat blobs') and many other security and IP protections that commercial software development normally requires.

Macbook seized or stolen? But you've set a FileVault password, right? Ha, it's useless

aaaa
Boffin

Firmware Password

My MacBook Pro nicely integrates the firmware/boot password with the FileVault 2 encryption - meaning if they are the same password, I'm only prompted for this once. The reason for this is obvious: Apple expect you to use the two together. The FileVault 2 encryption without boot password protection is subject to all sorts of attack vectors. But when the EFI is Boot password protected - then you can't boot off an external thunderbolt device to use this DMA hack, or many other attacks.

That the article leaves this out is unfortunate - it means that people using Mac OS 10.10 etc. won't realise there is an option besides upgrading to 10.12.2; and worse, will lead many people to be misinformed...

Not protecting the FileVault 2 password from DMA attack is poor work on Apple's part - and it's good to know it is now fixed. But in the 'real world' this attack is going to fail on all but the most poorly configured devices.

It's now illegal in the US to punish customers for posting bad web reviews

aaaa
Joke

built in escape clause...

also removes any protections for reviews and posts that are found to be false or misleading

But any negative review is misleading, obviously, like duh?!?

A single typo may have tipped US election Trump's way

aaaa

Re: legitimate/illegitimate

"How about just using simpler words to start with?"

Someone called out to him "Can I turn the power on?" and he shouted back some simple words "I'm working above you. DO NOT TURN THE POWER ON."

That's the opposite of simple. Simple would have been NO! except I worked in electronics for years and never heard that word from a tradesman - the technical parlance is F**K OFF.

But back to the main subject. The reply about the phishing email was way too complex, he should have gone with you're fired, clear and to the point, difficult to misconstrue.

UK Home Secretary signs off on Lauri Love's extradition to US

aaaa

Is Asperger's a "get out of gaol free card"?

OK - my opinion? For many years, Western countries' view of extradition is that it's fine provided that the laws, personal protections and separation between the courts and government in the country to which you are being extradited are reasonably similar to your own country - particularly in relation to the crimes you are being charged with. I think that many people feel that the USA are no longer 'in step' with other liberal democracies - particularly in how they treat crimes against state agencies, but crucially in the areas of 'personal protections' (which includes diminished responsibility for those with impaired cognitive ability, and also protection against unlawful means of interrogation). But you could argue that one (of many) reasons the UK conservative government largely campaigned for BREXIT is that they are also out of step with most liberal democracies and find the EU court of human rights a problem, so may prefer that he be extradited and charged in the USA than in the UK under European law. My opinion - he deserves to be tried at home, and under the current laws (before BREXIT) because the USA cannot prove his human rights will be adequately protected if he's extradited. My hope is that he'll seek asylum in the embassy of a country who is receptive to his plight.

What's losing steam at Apple? Pretty much everything

aaaa
Flame

If only I could make sense of your commentary...

"The iPad continued its downward slide in shipments with 9.95 million units, a 9 per cent drop in revenue. However, sales of higher-cost tablets led to revenues of $4.88bn, a 7 per cent gain on last year."

What are you saying? "a 9 per cent drop in revenue" or "a 7 per cent gain"?

Seems to me you had written the headline and are twisting the numbers to fit.

Let me write it for you:

iPad revenues were up because the ASP of the iPad was up due to the iPad Pro.

iPhone revenues were down because the ASP of the iPhone was down due to the iPhone SE.

MacBook revenues were down because no new releases vs. last years new MacBook Pro.

Since the bulk of the business is still iPhone, therefore total revenues were down.

Labor's broadband policy decides 39% fibre is healthy NBN diet

aaaa

Re: Do voters care?

You may be right, but just as likely are wrong.

1. Even if you connect at 25M, you don't have contention with everyone else sharing the same HFC from the node, resulting in better performance.

2. Just because I connect at 25M today, doesn't mean I don't appreciate (and highly value) that I can increase speed in 6 months when my situation changes.

Just how many voters are engaged about these issues is the key question. Opinion I've seen elsewhere is that it's significant in a couple of key seats, and Labor think this policy is just what's needed to win a few extra hundred votes there.

Australia's broadband policy is a flimsy, cynical House of Cards

aaaa
Flame

Private/Municipal Network anyone?

I notice that increasingly in the US, small areas (municipalities) are implementing their own FTTP. It makes the area more attractive to middle class, potentially increasing land prices, increasing tax take for the local government. I know of at least a couple of areas around Sydney where the math surely wouldn't be too hard (Avalon, Mosman, Cremorne). You could even trunk onto the NBN. Surely this is the future - but someone has to be first - I suspect there would be a lot of political pressure not to - since it would highlight the failure of the national approach, so it would need to be an independent controlled council/mayor.

Yelp minimum wage row shines spotlight on … broke, fired employee

aaaa

Not only the USA

Victim blaming is not unique to the USA. It's your fault for being poor, could be the motto for Sydney Australia.

Feds look left and right for support – and see everyone backing Apple

aaaa

Re: FBI mishandled evidence again

I asked this myself yesterday. And I see the same point raised on almost all articles about this. But not many responses (same here). Clearly those of us that know this, also know therefore the legal case is about the law, not about obtaining the data. i.e.: as written in the article, the FBI are trying to use the courts to bypass the legislature.

FBI iPhone unlock order reaction: Trump, Rubio say no to Apple. EFF and Twitter say yes

aaaa

Why is this even necessary?

Can someone tell me why this is even necessary? Presumably the iPhone encryption algorithm is a known one. Why can't they just clone the device (by extracting the flash chip if necessary) then run the desired brute force attack on equipment of their own choosing. Once it's decrypted they can put it back in the phone if they really need to - which I doubt they do. AFAICT whilst you *can* use a complex passcode on iPhone - this particular one is protected with just a 4 digit key. It's not going to be hard to crack once the data is off the phone. If I'm right then this is clearly NOT about 'just this one phone'. I guess I must be missing something obvious - maybe someone at El Reg can write an article explaining it to me.

Web ad tried to make my iPhone spaff a premium-rate text, says snapper

aaaa

iOS 8.4.1 update was important

yep - lots of security bods predicted that the combination of known security exploits (both crash/data execution and execution of unsigned code) would lead to exploits.

https://support.apple.com/en-au/HT205030

Of course we can't be sure, but my guess is that the problem is 8.4 specific - but the 8.4.1 release / fix was not out for long before iOS 9 replaced it - and for some of us who don't want to be guinea pigs for a major new release, that's a problem.

XCodeGhost iOS infection toll rises from 39 to a WHOPPING 4,000 apps

aaaa
Unhappy

Build systems?

What commercial software company would dare allow a developer machine to create a customer build? Requiring a 'pristine' build environment is software engineering 101. To install this Trojan Xcode they had to turn gatekeeper off. No QA manager - no programmer worth employing does this in a build env. I can pardon it (only just) on a random dev laptop - but not a build machine. Please publish this list of companies far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?
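Two of the posts above describe configuration gaps a defender can check for on a Mac: the "Firmware Password" post (FileVault 2 enabled but no EFI/firmware password, which leaves the external-boot and DMA paths open) and the "Build systems?" post (a build host with Gatekeeper turned off running an unverified Xcode). The script below is an added example, not code from the original posts or from Apple; it separates the parsing from the live commands so the verdict logic can be exercised offline with constructed output. The exact output strings of `fdesetup status`, `firmwarepasswd -check` and `spctl` are assumed from the versions I have used and are labelled as assumptions in the comments.

```shell
#!/bin/sh
# Added example: macOS posture check for the two gaps discussed in the thread.
# Assumed command output formats (verify against your own macOS version):
#   fdesetup status              -> "FileVault is On." / "FileVault is Off."
#   firmwarepasswd -check        -> "Password Enabled: Yes" / "Password Enabled: No"
#   spctl --status               -> "assessments enabled" / "assessments disabled"
#   spctl --assess --verbose /Applications/Xcode.app
#                                -> "/Applications/Xcode.app: accepted" + "source=..."

# Combine FileVault and firmware-password state into one verdict:
#   off  - no disk encryption at all
#   weak - FileVault on, but no firmware password (external boot / DMA path open)
#   ok   - FileVault on and firmware password set
classify_disk_protection() {
    fv_out=$1
    fw_out=$2
    case $fv_out in
        *"FileVault is On"*) fv=on ;;
        *) fv=off ;;
    esac
    case $fw_out in
        *"Password Enabled: Yes"*) fw=yes ;;
        *) fw=no ;;
    esac
    if [ "$fv" = off ]; then
        echo off
    elif [ "$fw" = no ]; then
        echo weak
    else
        echo ok
    fi
}

# Build-host verdict from Gatekeeper status and the Xcode assessment:
#   gatekeeper-off  - assessments disabled, unsigned Xcode would run unchallenged
#   xcode-untrusted - Gatekeeper on, but the installed Xcode is not accepted
#   ok              - Gatekeeper on and Xcode accepted
classify_build_host() {
    gk_out=$1
    xcode_out=$2
    case $gk_out in
        *"assessments enabled"*) ;;
        *) echo gatekeeper-off; return 0 ;;
    esac
    case $xcode_out in
        *": accepted"*) ;;
        *) echo xcode-untrusted; return 0 ;;
    esac
    echo ok
}

# Live run: only meaningful on macOS; firmwarepasswd needs root.
run_live() {
    if [ "$(uname)" != Darwin ]; then
        echo "not macOS; skipping live checks" >&2
        return 0
    fi
    fv=$(fdesetup status 2>&1)
    fw=$(sudo firmwarepasswd -check 2>&1)
    gk=$(spctl --status 2>&1)
    xc=$(spctl --assess --verbose /Applications/Xcode.app 2>&1)
    echo "disk:  $(classify_disk_protection "$fv" "$fw")"
    echo "build: $(classify_build_host "$gk" "$xc")"
}

run_live
```

On a build machine the expected result is `ok` on both lines; `weak` on the disk line is exactly the configuration the "Firmware Password" post warns about, and `gatekeeper-off` on the build line is the condition the XcodeGhost-affected teams would have shown. The Xcode check also prints a `source=` line; anything other than the Mac App Store or Apple as the source deserves a closer look before that host produces a customer build.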


Biting the hand that feeds IT © 1998–2019