Re: Offsite scripts GAH!
Why does my bank use 3 different off-site script sources on their login page?
Name and shame!
210 posts • joined 12 Apr 2008
I have just picked up some Easter eggs in the CIMON unit
It's going to go 100% HAL within 72 hours
Seriously though, if you did any work on coding that thing, the temptation to sneak something HAL-like in there would be impossible to ignore. Surely, when they ask it to play music, there must be at least a 1 in 10 chance of it singing "daisy daisy"?!
Security 101: if you don’t store it, it can’t be hacked.
I would've hoped at least when GDPR came in, one of the things businesses would've spotted was that data is a liability* to them and they should delete what they can as soon as they can. If someone hasn't purchased from you in that last 6 months (and you're not an automatic repeat biller), then probably best to delete the card number... it's not like you're saving the customer loads of time re-entering it when they hardly order from you anyway.
* Previously it made sense to hoard as much data as possible. With GDPR the mining potential is limited because you're not allowed to exploit it easily, and obviously, with GDPR, data loss can = financial loss.
I thought at the start of the article that perhaps we were being called on to solve this mystery...
I'd got as far as:
* The perp. is probably > 6 years old.
And that's based on the fact that the Pi in question is one of the early ones that still has the single row of header pins near the yellow composite connector and has polyfuses (that caused USB power problems) near the LEDs. And those ones only had 256MB of RAM too. These Pis were AFAIK only sold for a few months in 2012. Of those, some had Hynix RAM, and some (I believe most), like the one in the picture, had Samsung RAM.
I am wearing a deerstalker and smoking a pipe by the way!
I've just migrated to Gnome (Ubuntu 18.04) from Unity (16.04) and... I miss the menus! I didn't ever like having them at the top of the screen (never liked that on MacOS or even Amiga!), but I did really like having them replace the window title.
Probably not the ideal place for new users to find and understand how to use them, but it really does save screen space which is particularly good when you have a laptop with ~800px vertically.
I'm also missing Unity lenses and HUD. And I'm irritated by stupid stuff like the lock screen looking like a phone lock screen to the extent of being able to swipe upwards (I press escape but that's not the point). And I really hate various sounds like the bell in the text editor (gedit) that AFAIK can't be disabled without disabling system-sounds altogether. And it's got a bloody sound that it makes when USB storage is inserted and removed. Just like Windows XP did! And an alert for the same events. Just like Windows XP. And that always really annoyed me because I *KNOW* when I've just inserted or removed USB storage devices... I don't need to be told about it.
In fact, Gnome is really bloody annoying. I'm trying to like it. It is at least a bit more configurable than Unity was, but good luck with quickly cobbling a little extension to do something simple because there's next to no documentation for any of it. Plus most of the extensions that do exist, don't work quite right! (Prolly because of lack of docs?! I dunno!).
You've made me rant now. Rant-end! :D
I could be wrong, but I believe Thunderbird 60 now has improved RSS handling... or something. (googles).
Okay, there's mention of Thunderbird and RSS here, but absolutely no mention of it in Mozilla's own "What's new in Thunderbird 60" blog post. So not much love from Mozilla. :(
On a separate note, can I no longer include HTML links in el-Reg comments?!!
Another article explaining the same "Shadow Profile" thing:
In case anyone isn't aware (I wasn't), where you might expect FB to allow advertisers to target people by obvious data like location, age, gender and things like "interests", they also allow advertisers to target users by their email address or phone numbers. Which means that advertising can be super-targeted... a clothes shop can target their own customers via FB with advertising in the full knowledge of what they've previously purchased.
And like that isn't bad enough, the information that is used for targeting includes phone numbers that are supposedly only used for two-factor authentication.
Aaand if that isn't bad enough, it can include contact details that they've skimmed from your FB-friends who have allowed FB access to their contacts.
All this stuff is part of a "shadow profile" and they won't tell you about that or let you download it.
This might be obvious to others, but personally, whilst I'd guessed they would build a profile that would place users in broadish categories for interests and perhaps infer a bit more data from that, I didn't know advertisers could target people so specifically. Which is really terrifying when you consider political campaigns.
So about that "routine maintenance".
it had identified a "handful" of accounts that showed "incorrect information", which included the wrong name and address
is never a good sign, is it? So can we assume that *everyone* was affected then? I mean, one of the quoted tweets was from an ex-customer of theirs so... technically it's possible they've screwed things up for even more people than their entire customer base. I'm not saying they have, but the "Straight from the PR department's arse" comments are so utterly unconvincing as to make me question why they even bother.
So another case for disabling "allow_url_fopen"?
And on a related note, it is **utterly ridiculous** that the PHP developers add features that extend the functionality of existing functions without requiring them to be explicitly enabled. Even the default Debian PHP production options are far too liberal for my liking.
/me adjusts my evil sysadmin hat for comfort.
I was going to try to explain a sketch with Paul Whitehouse painting light bulbs black... however I couldn't remember it, but the whole sketch (and indeed this comment) is wildly off-topic anyway.
But it's Friday and it's a funny sketch: https://youtu.be/86uuxCzNOI0
The light-bulb bit is just before the 2 minute mark but you're better watching from the start.
Can anyone explain how any organisation, but especially a bank, can so comprehensively cock up a system migration?
Surely they must have tested this? Isn't the system they were moving to already in use by the Spanish parent company? And on their list of contingencies, surely at the very end it said something like "...and lastly, Plan-Z, if it looks like we really can't get the migration working in a reasonable time-frame, we migrate *back* to the Lloyds system"
It's so ridiculously bad it's like they have no IT staff at all. It's like they just asked, I dunno, the cleaning staff if they knew about computers and if they could do it. And they said no. But they asked them to do it anyway.
How? How? How? I really can't wrap my head around that simple question!!
I think something has changed.
I believe previously they were hiding contact details if the domain was registered to an individual but not if registered to a company or organisation. But I registered a bunch of domains prior to them bringing in that rule, and so they didn't know and seemed to decide randomly if a domain was personal or not... and there was never a clear way to fix it either.
So I'm glad GDPR is here to fix that. :D
If they then uploaded modified firmware then you'd never be able to fix it either. It could then route (say) common bank domains through a remote proxy to capture password.*
* This bit would be beyond me personally, but I suspect a fake site with a LetsEncrypt cert would be sufficient to fool the aforementioned 82%. The firmware upload might be hard on recent ISP routers also, but maybe just changing the nameservers would be enough to redirect certain traffic.
My point is, I don't think this should be written off as FUD.
When we first heard mention of XPoint, the obvious market was in high-IO environments. But there was also mention of the idea of using this stuff in low-end hardware to replace the typical RAM + Flash.
I suspect the price is still too high for that to make sense right now, but who knows. Is that still a likely thing?
I had problems with the Companies House website earlier this week; specifically, the main site would work, but trying to log in to actually do stuff, it seemed to get stuck not being able to resolve "ewf.companieshouse.gov.uk"... but it was *very* intermittent. In the end I had to stuff the IP I did manage to obtain into my hosts file.
The odd thing is, all companieshouse.gov.uk domains (that I've looked at) seem to have a 60 second TTL... which... you know, could've been a thing whilst they were trying to fix/migrate/mitigate some other thing. Maybe? But that was a few days ago (Monday 18th) and today, Thursday 21st, it's still like that.
But maybe they have a good reason, who knows!
Surely building a computer where software can perma-screw it up is the problem?
I mean, we _could_ blame Canonical for not testing it (or possibly using code not ready for release), or Intel for writing that code in the first place, but I can't help thinking that having the ability to re-write firmware *WITHOUT* any method to restore said firmware back to factory default/known-good-state is... well... shit.
I think if anyone should be sued, it should be Lenovo (and any other affected manufacturers), and they in turn may sue Intel because it's probably Intel's fault. Somehow.
A response is here. To quote the end part...
Reporter: There are some people who've seen what you've done and think, "what a complete idiot. You're time wasting for the fire service". What would you say to those people?
Jay Swingler: I don't care! Like. There... what about people who drink and drive? What about people who drink and start fights in the street at night? Is that not wasting police time as well?
In fact I wasn't wasting their time. They saved my life.
It's a compelling argument! Although, not wishing to pick nits, but no one ever said he was wasting _police_ time, since they weren't called. But otherwise, a rock solid square lump of an argument.
Honestly, when I heard about that flat-earther launching himself in a rocket to prove the Earth's flatness the other week, I did not think someone would out-stupid him so soon.
And re people arguing about various dangerous things other people get up to, such as riding motorcycles fast, etc, they do at least have a "fun" factor to them. Ride bike crazy fast... dangerous... but you can see the fun and excitement.
Stick head in bag in cement in broken microwave. Wait for it to set. Nope... call me old fashioned, but I'm really not seeing how that works for anyone, although I'm possibly more troubled that this clown has a YouTube channel and presumably people watch it? Why? Exactly how dull does your life need to be that looking at that would be worthwhile?
Grumpy grump. Lawn etc etc.
...only 1 out of the 12 has a blank root password. I have reset the root password on all devices anyway; however, I am struggling to see why only 1 of the 12 has this condition? Any thoughts other than someone else reset the password?
Total guess, but perhaps if you've upgraded the OS then you'd have a root password set previously, whereas a fresh install fails because of a bug in the new installer?
At risk of #whataboutism, there was an issue with Ubuntu way way way back, where the installer stored the root password in a temporary file and then failed to delete it after install. Leaving it world-readable. That, from a technical standpoint, was similarly embarrassing!
To be fair, it was fixed quickly. And Canonical's entire annual development budget was probably a pittance compared with Apple. But embarrassing bugs are embarrassing. And for some reason I always remember those ones.
My old MacBook 3,1 will run the CPU (Core2 Duo) at half clock speed if used without its battery. I don't know why this is, but my suspicion is that the PSU is unable to supply enough juice if the CPU is running full-tilt and presumably relies on the battery to pick up the slack in those instances.
"Chief reckons biz did well despite 'negative impact' of EU regs"
Maybe this was because they basically didn't deliver the expected service: O2 admits to throttling network bandwidth for EU data roamers
...so yeah, that'll help. And also brazenly patting him|her self on the back for it too. Profit, profit, profit... and screw the customers.
Slightly off topic here, but DeX was mentioned so...
The whole idea of using just one phone to fit my entire computing needs just seems a bit pointless given that computers aren't really all that expensive?
Surely the reason high-end mobile phones are expensive is largely down to the R&D costs of squeezing lots of high-performance components into a ridiculously small package and then optimising the software to switch most of it off most of the time in order to save power.
It's clever, and brilliant... but I don't feel any great need to only have one CPU/data-storage device. That only really makes sense if you're trying to sell expensive phones and can try to justify the cost by saying "yeah, but you can also use it as a computer", like somehow that makes up for it.
The down-side is I'm going to be even more screwed if I lose/break my phone because now I can't even use my computer!
However, what I *do* want is the SoC from one of these high-end phones, in a box, with high-bandwidth ports available. So imagine a Samsung Pi (for want of a better name); it would have a high-performance SoC, but with a heat sink on it so it can run in Full-Beanz mode for sustained periods. It would have display-port and USB-C for decent bandwidth peripheral connection. It would have at least SATA 3 for SSD connection.
And then I can buy that *AND* a phone!
What's in it for Samsung? Well, if I can run Linux on something like that, then really that can happily be my regular desktop (I don't personally need Windows apps), and so presumably lots of other devs/nerds would think likewise. And that would likely mean people would actually develop specifically for that platform.
... So pretend I'm from Samsung and I'm taking orders; who's in?
The Web Share stuff seems like a good idea, but I can't help wondering if the likes of Facebook and Twitter will really be happy with *not* having their code embedded on loads of websites and therefore no longer being able to glean meta-data about where their users browse?
Wasn't some company recently accused of tracking users on third-party sites even after they'd logged out?
Also re the WebUSB stuff... it'll be fine! Seriously you guys are worrying about nothing. It won't do anything without confirmation, and it means you can update some kit without needing to install Windows *just* to do that. It may be exploited, but outside of a bug in the implementation, I can't see it being more exploitable than downloading *.exe files.
I appreciate MS isn't quite the same as MS of old, and I do understand this might well be good for both parties and customers alike. But historically, partnering with MS hasn't turned out well for the partner that isn't MS... so I'm wondering what Redhat hope will come out of this?
Or is it Redhat shareholders hoping that eventually Redhat will be bought out?
Or maybe I'm just being cynical?! :D
To give Three some credit, once we’d found someone senior enough she was genuinely interested in the problem, took ownership and got it sorted
The only way I can think you could speak to someone who actually knows stuff is... SHIBBOLEET! Am I right?
Also, is this a problem that could be solved by DNS?
<quote>I remember learning that Gaelic didn't have words for the same colours as English, they had ones for blue-greens and grey-blues that we don't have.</quote>
I seem to recall seeing a programme on TV in the last... year or three... about somewhere foreign* (even more exotic than Scotland), where they also had names for colours that we* would consider mere shades. To their way of thinking, those colours were utterly distinct. The opposite was also true, so (I can't remember the colours in question) there was this funny thing where they'd ask them to spot the difference between one colour and another, and they honestly struggled.
So it's interesting how language affects how individuals perceive the world. It's also probably a reason why I *should* learn at least one other language... I won't though! ;-)
* For context, I'm from England, don't speak anything but English, and anywhere outside the British Isles *is* both foreign, and probably exotic to my mind! :D
I don't believe the printer includes the date, time or location.
Apparently, these days, they do... :-O (as well as serial no.)
I've linked slashdot simply because there's a bunch of links to useful articles from there.
Biting the hand that feeds IT © 1998–2018