* Posts by vagabondo

530 publicly visible posts • joined 1 Aug 2008

Torvalds rails at Linux developer: 'I'm f*cking tired of your code'

vagabondo

@Ommerson

You miss the point. Linus, and the other kernel developers, were not railing against a colleague or employee. They were expressing displeasure at a supplier (systemd) for repeatedly delivering a shoddy product that impacted on their work, and for largely disregarding customer (kernel developers and distribution admins) feedback.

vagabondo

Re: Yadda yadda yadda

@RAMChYLD

Yes systemd is a sysadmin nightmare. I have also struggled with adding a graphics to a working minimal system. Systemd has been the only thing to frustrate upgrading from the long-term openSuSE-11.4 without having someone on-site to force a reboot.

I understand the attractions of the systemd approach to boot-time and daemon management, but the implementation has been a bit amateur. The megalomaniac tendency to ensnare everything it touches just does not sit well with the 'nix philosophy.

123-reg shrugs off customer complaints over stealth domain transfer charges

vagabondo
Facepalm

Re: Single or multiple domains?

@NT1

Thank you. The Nominet fees page that I referenced appears to be wrong/misleading. I will inform the Nominet office on Monday.

I really should have opened an account as a normal registrant, so that I was familiar with our customers' view of the web interface.

Thanks again for taking the time to correct my misunderstanding.

vagabondo

Re: Single or multiple domains?

You can read all this stuff at http://www.nominet.org.uk/become-registrar/fees

If you ask Nominet to do it for you it's £10+vat per domain. But you can do it yourself, or more simply leave it to your new registrar. I do not know of any registrar who charges for transfers in. Choose your registrar depending on what other services (if any) that you need. Domain registration is often provided as a loss leader to sell other services. My company does not bill separately for domain registration and name servers, but bundle it in with our support and management services.

vagabondo

Oh Dear!

For what I thought was a predominately UK based site for IT professionals, there seems to be a lot of ignorance of the .uk registry displayed by the author and commenters.

"Internet Provider Security (IPS) tag" is a nonsense-term wrt Nominet and the .uk registry. This usage is an invention of Webfusion Ltd/123-reg.

Nominet members that are authorised to add, renew, and delete domains from the registry are called "registrars". Registrars used to be called "tag-holders". The tag (normally the abbreviated name of the registrar) is the registrar's id used in the registry databases. The domain is registered for a "registrant", who must supply an email address, and identifying information.

All registrants should be notified as to how they can use Nominet's web interface to update the registry information, including the tag(s) (if any) they wish to be associated with their domain(s). They can also ask any registrar to take them on as customers and change the tag for them. The system notifies the registrant, and both losing and gaining registrars of the change. This need not cost anything (although you have to pay Nominet or the new registrar the upcoming registration fee). Nominet's rules do not allow a registrar to hold a registration as hostage for any reason. Of course this only works if the correct registrant information is held by Nominet.

Webfusion Ltd t/a 123-reg appear to be charging to change the outgoing tag, presumably because this is a nuisance for them, and is usually done by the new registrar as part of their service along with name servers etc.

Until a few days ago (and still in most cases) a domain transfer to a new registrant (not registrar) was done by Nominet staff, and required a written application, with evidence of identity and acceptance of liability in case of a challenged transfer. This used to cost £26. Now a registrar can be "accredited" (they need suitable level of indemnity insurance) to transfer domains between registrants. They will normally charge for this service. If you check out nominet.org.uk, you can see that Webfusion Ltd (123-reg) are accredited.

So the message is -- Don't Panic! -- this was a bit of a non-story.

BEHOLD the HOLY GRAIL of TECH: The REVERSIBLE USB plug

vagabondo

Re: USB->mini-USB->micro-USB

Black = USB 1

White = USB 2

Blue = USB 3

So if white is important, buy USB 2 cables

Don't look at Maria's SQL, look at MY SQL, pleads Oracle

vagabondo

comparison

"These performance enhancements are reached at scale when looking at 40 or 50 or 60 cores being used," Ulin explained. "On the low core counts you don't see it."

So for 99.9% of users this performance boost is irrelevant, and they should stick with MariaDB.

Judge throws out lawsuit lobbed at Facebook for using kids' pics in targeted ads

vagabondo

Re: Read the T&Cs of the web site

"... standard agreements that have been approved by trading standards ..."

And how would you classify the standard "social media" Ts&Cs -- "All rights are transferred to us, and we can change these conditions at any time so as to benefit us, oh and you have agreed just by reading this." The only appropriate classification would be "Here be Dragons -- run for your lives!"

Returning a laptop to PC World ruined this bloke's credit score. Today the Supreme Court ended his 15-year nightmare

vagabondo

Re: A bit missing from this article that sheds a different light..

Not just a bit missing, but a bit of a misrepresentation.

The background to this can be read in the Court of Session report, which is a bit turgid, but quite readable.

http://www.scotcourts.gov.uk/opinions/2010CSIH49.html

[Edit:] the Supreme Court PDF linked to in the article reproduces much of the information in the above Court of Session opinion.

Basically: In December 1998 Richard Durkin tried to buy a laptop from PC World in Aberdeen. The salesman (because of DSG's bizarre rules) was not able to open the box to check the specification, and suggested that once purchased it could be returned if incorrect. Unfortunately, instead of immediately unpacking it in the store, the buyer took it home, discovered that it did not match the item requested, and returned it the following day. After a dickhead PC World "manager" initially refusing to accept the returned item, they eventually accepted the matter as a non-sale and returned his deposit. HFC, the hire-purchase providers had claimed that he should still pay them for the returned item, but as their agent (PCWorld) had voided the sale the matter seemed settled. However when he later tried to obtain a bank loan, and a mortgage, these were blocked due to a bad credit reference from HFC. He did all the right things, appealing to PC World, HFC, Equifax, and Experian, but was unable to get the bad mark removed.

He sued HFC etc. in Aberdeen Sheriff Court and won in 2006. He claimed actual losses of £250,000, but was awarded a total of £116,674.

However Mr Durkin disagreed with the method used to calculate the damages, and appealed to the Court of Session in Edinburgh in 2010. HFC took this opportunity to counter-appeal, trying to argue that his hire-purchase contract with them was separate from the rescinded sale contract with PC World, and that the Sheriff had been wrong in law. Alas Mr Durkin's side made a few mistakes when responding to HFC's counter-claim, e.g. omitting evidential documents from the appendices. As a result of that legal cock-up HFC prevailed, Mr Durkin was liable for the escalating costs, and lost his £116,674 award from the Sheriff Court.

The Court of Session findings have now been appealed in the Supreme Court in London. The original Sheriff's opinion that the loan agreement was dependent on the sale, and should have been rescinded along with the sale contract, has now become a precedent with standing throughout the UK. For legal-technical reasons Mr Durkin's damages have been set at £8000. Some lawyers have no doubt stuffed their pockets with considerably more.

Bulls hit city streets after alleged Samsung ad shoot hits the fan

vagabondo

Fireman Sam saves the day

Pics and map in this article from the Sydney Morning Herald.

http://www.smh.com.au/nsw/water-buffalo-on-the-loose-in-newtown-20140325-35f4t.htm

It's 2014 and you can pwn a PC by opening a .RTF in Word, Outlook

vagabondo

executable document formats

lower spam/malware bandwidth. No need for attachments with names like "Very Important Document.doc.exe" -- saves three bytes.

The plot to kill Google cloud: We'll rename Windows Azure to MICROSOFT Azure

vagabondo

Re: Money well spent

Reminds me of the fashion for "re-branding" airlines, with all the wasted millions on logos and paint-jobs. Oh! and BT spending more on van resprays, and stationery than engineering.

Another day, another nasty Android vuln

vagabondo

If you want to load untrusted software

on any computing device, there is always the potential for problems. Obviously instead of the proliferation of adware, etc. the Android ecosystem needs to grow up; with repositories either run by entities that can be held legally liable for their wares, or opensource with active community oversight and trusted signatures.

" If the attacker were to create malware that auto-started on power-up, the user's only option would be to completely wipe the device via a boot loader recovery."

Isn't it possible to boot with a known good image, then mount the bad partition and fix it? This is pretty normal when the boot system gets screwed, or to repair a damaged filesystem, etc. Or the bad filesystem/SD card could be removed and mounted on a PC, where the offending configuration can be edited -- that's what I do when playing with my tablets.

Hidden 'Windigo' UNIX ZOMBIES are EVERYWHERE

vagabondo

Re: Vi

This is not a cPanel exploit per se. Cpanel.net was one of the infected sites. The attack vector is described as loading a compromised binary, or allowing root access to your server.

vagabondo

Re: Unix servers?

"I thought the mantra was: 'Gnu's Not Unix'.....??"

Here "Unix" is a shorthand for Unix, Gnu/Linux, BSDs, OSX, and even some MS Windows servers.

You really have to read the stuff at http://www.welivesecurity.com -- the article here is unclear to the point of being downright misleading. More like a techie Daily Mail/Sun article than what we expect from El Reg.

vagabondo
Boffin

Re: The devil's in the detail

"I may live to eat my words, but: ..."

probably because this attack is reported as potentially affecting many OSs; e.g. BSD Unices, Gnu/Linux, OSX, and MS Windows.

The technical report at http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ is really interesting and useful.

The quick check for infection is given as a one-liner:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

Blurred lines: Android e-ink mobe claims TWO-WEEK battery life

vagabondo

Re: If you go back to an old 2G phone

I recently replaced the battery on my Motorola L7, which cost £30 unlocked, a few years ago. The new battery lasts me 10-15 days, depending on talk time, signal strength etc.

Wikimedia wants forced disclosures of paid edits

vagabondo

why not mark the actual edit

Instead of burying the disclosure in the edit(or)'s metadata, why not have a footnote to the actual entry? The footnote could disclose the editor's funding organization.

German freemail firms defend AdBlock-nobbling campaign

vagabondo

Re: "Merely...make money"

@Fihart

Websites who don't want people to use ad blockers should serve the ads from their own web-site and leave out all the third party spyware.

Anti-snoop Blackphone hits shelves in June: NOW we'll see how much you value privacy

vagabondo
Meh

Re: Question

@Mark 85

"... maybe we all should do our part in keeping them gainfully employed ..."

That's only appealing if we're not the ones paying their wages.

Microsoft asks pals to help KILL UK gov's Open Document Format dream

vagabondo

Re: It's not DOCX we're worried about

"Office Online is completely free, but without the Google Spyware.... "

And who in their right mind would trust Microsoft to look after their sensitive or mission critical data?

vagabondo

Re: Kettle, met pot, pot meet kettle @AC

" ... and had a unit market share of 75.2% ... "

As this came from a financial report it could well have a basis in truth. The market in question would be measured in terms of sales. The figures would be somewhat different if they were in respect of deployments.

vagabondo

Re: It's not DOCX we're worried about

"......Google Apps ..."

We should also warn charities about the risks of giving up their (and their clients') data to a data mining/selling company in a jurisdiction where European style data protection laws do not exist. Any organization that is responsible for storing and/or processing sensitive data should be wary of third party cloud "solutions".

vagabondo

Re: @TechnicalBen

"HTML is a lot more secure than PDF"

I think that you are confusing the ISO standard for PDF with Adobe's proprietary software, and its extensions to the standard. Just as there are many W3C standards compliant browsers for HTML, there are several PDF generators and viewers written to the ISO standard.

It would be difficult for any other company or project to even remotely approach the level and consistency of security vulnerability that has been historically achieved by Adobe and Microsoft.

vagabondo

"... and digital printers from home to industrial becoming able to accept any file type"

Most printers do not accept any file type. The lingua franca of printers since the early eighties (as far as I can recall) has been Postscript and its successor PDF.

vagabondo
Flame

Re: Not this Microsoft garbage, again?!

" is specific only to the UK Cabinet Office"

No this applies to all UK government offices.

"whatever format the Cabinet Office decides to use as their particular standard, they'll be dealing with documents in the other standard as well"

There is plenty of software that can produce ISO standard ODF documents. Do you know of any available software that can produce ISO standard OOXML documents? Last I heard Microsoft had not managed it.

How can OOXML be considered open when there is no published description comprehensive enough to permit an implementation?

vagabondo

Re: It's not DOCX we're worried about

"with BSI ensuring it meets requirements through their involvement in developing and influencing the Standard"

That would be the same BSI that acted on behalf of Microsoft to push the undefined MS-OOXML through the OSI?

vagabondo
WTF?

Re: Kettle, met pot, pot meet kettle

" the practical demise of KDE and Koffice"

KDE4 is alive and kicking (KDE-4.12.2 is the current version). KOffice was succeeded by the Calligra suite 3-4 years ago.

Abiword etc. support ODF in the Gnome environment. And besides LibreOffice and OpenOffice there are others for Free, Open, and proprietary environments.

Of course it will always be possible to create a document loaded with macros, etc. that will need a specific environment to work optimally, but for the most part ODF allows the essential transfer of information between collaborating users. For finished work the Cabinet Office specified the use of PDF.

The most important thing is that government offices should not mandate the purchase/use of any particular manufacturer's software by citizens or businesses. This is what MS is trying to achieve by vigorously promoting its own closed document formats. Our government should be acting on our behalf, not promoting the profits of a foreign corporation and its associates.

Saving private spying: IETF Draft reveals crypto-busting proxy proposal

vagabondo
Stop

Pointless?

The real data transport savings are to be made with broadcast and on-demand entertainment media streaming. Most publishers of these use content delivery/distribution networks, who place their nodes with the ISPs. So, apart from providing data scraping opportunities on sensitive data, how does this proposal help anyone?

Facebook pays $19bn for WhatsApp. Yep. $45 for YOUR phone book

vagabondo
Facepalm

You don't need a FB account,

you just need to have given your name, phone no., address, etc to someone who does allow social network hucksters access to their contacts/address book, and your data has been slurped for resale.

vagabondo

Re: Looks like

But does deleting her account remove the data she has already given to them from their servers?

UK libraries trial free access to scientific research

vagabondo
Meh

But,

Why should paper publishers be given the rights to digital publication of publicly (including charity) funded research in the first place?

And does this apply to Elsevier et al, who extract a significant slice out of research budgets?

UK picks Open Document Format for all government files

vagabondo

Re: PDF

@bep

"There is a clear need for government to have access to a format which allows them to say that this is the final, official version of this document."

A digital signature is the appropriate means for determining authenticity.

vagabondo

@jonathanb

> You need Adobe for some of HMRC's PDF forms.

Yes, and HMRC will fine companies until they succumb and buy a MS Win machine or licence so as to be able to run their specified version of Adobe Reader. However the article states that PDF is to be for non-editable documents. Hopefully non-editable will include forms, and that HMRC will abandon their traditional intransigence and comply with the guidelines. Even better if the guidelines are made mandatory.

Nominet goes titsup after update to WHOIS tool

vagabondo

Re: Offline for roughly 10 minutes, only?

... some major banks <del>will</del>should soon be ...

But somehow I don't think so.

Boffins hampered by the ampere hanker for a quantum answer

vagabondo
Headmaster

> It's considered a flow rate of one coulomb per second

(I am not sure if you are joking, senile, or did not take science at school.)

It could be if a coulomb could be measured reliably. Actually the coulomb is an SI derived unit (Ampere second).

OpenSUSE forums hacked in ANOTHER vBulletin attack

vagabondo

Seems not to have been VBulletin

From the current forum header:

NOTICE: A vulnerability in the forum SEO plugin we have been using has been found making it necessary to discontinue its use. Existing links in Google, Yahoo, Bing, etc. as well as any existing bookmarks may have problems. The search engines will get our sitemap and it shouldn't take long for them to depreciate the old URLs and start replacing them with new. We apologize for the inconvenience.

I hope that they never re-instate the SEO plug-in. It mangled/obfuscated many URL links in order to "spy" on users, and prevent some of us behind corporate firewalls from following the linked pages.

vagabondo

Re: Is it just me, or

> Doesn't it seem odd that ...

I am not sure, but I think that VBulletin is a remnant of the Novell takeover of SuSE.

Apart from any security issues, it causes frequent usability problems for new posters, as the methods for preventing code-mangling are non-intuitive. It also does not play nicely with the FOSS tools/clients favoured by many of the local experts. Hopefully this will be a prod to move to a more amenable platform.

vagabondo

Re: OH NO

Andy, you must try harder at the witticism attempts. The article clearly states that email addresses and not passwords were accessed.

We await the onslaught of phishing spam, possibly encouraging the installation of a great new font (see Xorg vulnerability story); but more likely another "Please click here to reset your password" variant.

Anatomy of a 22-year-old X Window bug: Get root with newly uncovered flaw

vagabondo

Re: It looks like NO ONE ever audited X Windows

@Hans 1

> Did you follow the links in the article ? Sadly it is that old ....

Yes, and I addressed this in another thread. My recollection of the change from XFree to X.org, is that there was supposed to be a re-write. Certainly the X.Org libXfont did not exist before this millennium, and is dated as eight years old by Freedesktop.org.

The possibility of a crafted BDF overflow vulnerability in this library was known in 2004

CVE-2007-1352

Description

Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.

And an (inelegant) OpenBSD workaround/patch promptly published.

I suspect (but have no evidence) that the present story is the result of a rediscovery of this flaw, and the subsequent release of a Ubuntu security update. And that the offending libXfont code was blindly copied from the earlier work.

vagabondo

Re: Well on of my distributions had the fix in yesterday

and OpenBSD had a patch in April 2007!

http://www.openbsd.org/errata40.html#011_xorg

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352

http://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/011_xorg.patch

vagabondo

Re: Well on of my distributions had the fix in yesterday

@AC Thursday 9th January 2014 20:25 GMT

It only takes 10 seconds with a search engine to realize that the most likely trigger for this story was probably the widely reported Ubuntu security update announcement:

http://www.ubuntu.com/usn/usn-2078-1/

vagabondo

Re: It looks like NO ONE ever audited X Windows

@big_D

> Own machine? And all of those people working on multi-user machines?

> We have around 50 people working on one machine here...

The actual phrase used was:

" ... their own machine/instance."

If you have 50 untrusted logins/users and allow them to install their random software, fonts, etc., then it would be prudent to provide them with their own virtual desktop or chrooted (jail) environment. I.e. their own "instance".

vagabondo

Re: X Window, not Windows

> Its official name is singular, X Window System

And now the title has changed again. s/X.org/X Window/

It's as if someone actually reads the comments.

vagabondo

Re: Predictable comments

Thank you!

vagabondo

X-Windows or X.org? History

This is mostly from my somewhat flawed memory, and corrections are welcomed.

Originally this article's title referred to X Windows. It was changed to X.org following a deleted post from someone who seemed to think that the term "Windows" with respect to GUIs was the exclusive property of Microsoft.

"Windows" as in WIMP has been in common use for graphical desktops a long time before Microsoft. The X Windowing system achieved prominence in the early eighties. X.org dates from the late nineties, and the current code from since the X.org Foundation c. 10 years ago. Either it is X Windows and 22 years or X.org, it can't be X.org and 22 years.

libxfont itself appears to be 8 years old, and the X.org code 10-15 years old.

freedesktop.org

This particular bug seems to have been known since 2007.

gentoo.org/security.

Either there has been a regression, or earlier reports were ignored, I don't know.

vagabondo

Re: It looks like NO ONE ever audited X Windows

> Hell, you could probably write some code in lex or use cpp to find stuff like this,

But there really should be no need to. The compiler/language should catch/prevent this stuff. This, and much else, is a consequence of the fashion for using "C" (a really good portable assembler) for just about everything. There have been better tools for at least 30 years. The great thing about computing is that the repetitive, boring stuff is fairly easily automated.

We should also keep this in perspective. This is a desktop application. So for the most part any vulnerability enables the user to break their own machine/instance. Without such flaws how are people going to jail-break/root their proprietary phones, tablets, etc?

The article says that the flaw is 22 years old. I thought that the present Xorg code dates from 10 years ago?

Microsoft shops ditch XP for New Year as Windows market share expands

vagabondo

Where do these numbers come from?

It is hard to evaluate an article like this without some idea of its basis. Research or what?

Haswell micro: Intel’s Next Unit of Computing desktop PC

vagabondo

Re: Too expensive

The Acer Revo range of net-top boxes are directly comparable, and cost in the range of £200 complete with RAM and HDD. We have been using them (both Intel and AMD versions) as the mainstream desktop boxes for a few years. For us a major plus is being able to buy them without MS licences (recent ones came with FreeDOS) or EFI lock-in.

I just wish that we could buy VDU screens with integrated DC power supplies to cut down on the cables.
