Alexa, why have you locked the front door?
I've checked the weather, Tim. There's a risk of thunderstorms. Thunderstorms are dangerous. It's not safe for you to go out.
304 posts • joined 10 Jun 2009
We're too stingy to pay for our own systems experts; we prefer to just shout at people when things go wrong,
He might have been better going to a jeweller? Aren't they used to getting stuck rings off?
In all seriousness, one of their miniature cutters would surely have done the job :)
For PCs during that period, in pure tech terms, Acorn's ARM machines running RISC-OS were way ahead of offerings from anyone else, and prior to that the BBC Micro (built by Acorn).
It's just such a shame that Acorn lacked any international marketing savvy then.
I'm staying with Windows 7.
IPv6 is badly designed and thought out. It could have been made backwards compatible with IPv4 which would have ensured a smooth and orderly adoption but the 'designers' thought they could do 'better' with the result that it has had to be dragged kicking and screaming into the world and twenty years on it's still ignored by many.
See https://cr.yp.to/djbdns/ipv6mess.html for a detailed analysis of how the IPv6 designers got it so horribly wrong.
I'll just point out that the various plugins to disable the API only do so for unauthorised users, so if you install one then you need to log out from the admin panel to see it in action, otherwise the API will still return any info you request.
I really, really wish they'd just kept all this shit as a plugin though, which is where it belongs.
Thanks, I have now found https://wordpress.org/plugins/disable-json-api/ which has been updated to disable the whole REST API for unauthorised users.
But I can't get my head around why the Wordpress developers haven't made this the default state. If individual users have a use for the API then fine, they could switch it on. But then again I don't see the argument for moving the API into core in the first place, rather than leaving it as an addon (where it started life). To me it smacks of a "look at us, aren't we clever for doing this" type of thing, rather than something that is genuinely useful to most people.
There are all sorts of things you could build on top of the API, but I'd suggest that for 99% of them you'd be better off doing it a different way.
If you think the API is a good idea, just append
to any Wordpress blog base URL running 4.7 or greater and see some of the information it's happy to offer up by default without any authorisation.
I just had a look at the details of the bug. It was found in the new REST API that Wordpress enabled by default for the first time in 4.7.0
When I read the patch notes for 4.7.0 I sighed inwardly at having a new API which I had no interest in using currently enabled by default, and I looked for a way to turn it off. It seemed that there was no easy way to disable it, and the documentation I found cautioned against doing so anyway as the API is apparently used by unspecified core routines.
Here's a quote from someone on StackOverflow:
"The REST API is not really a security issue, but I suppose some could surface in the future. It's much more important to look at Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex
As of WordPress 4.7, the filter provided in core for disabling the REST API (via functions.php) was removed because the API is in core now. There is no official option to disable the API as some core functionality depends on it. So if you disable the API, you may see breakage because by default the API is in core and is available for use by themes and plugins and other sites."
(I bet the author of that reply feels pretty stupid about that first sentence now!)
The whole thing is just an accident waiting to happen. I shall look again at ways to turn off this unwanted API.
"Unfortunately, it is by now impossible to avoid this abomination if you have to stick with a major distribution".
I hate the philosophy of systemd too, but it's still fairly straightforward to run the current Debian release using sysvinit instead.
I switched all my servers back to sysvinit when I discovered that during a standard reboot systemd was shutting down logging to syslog BEFORE all applications had been cleanly shut down, thus important messages were lost. For instance, if you just went by syslog it would appear as though MySQL had crashed and not been shut down cleanly.
Anyway a guide to switching back to sysvinit here, it's very simple:
The major dedicated server supplier I use is still happy to provide 16 free IPv4 addresses with even its low end servers (with justification of course).
When all the hype about Docker started I had a look at it and timely security updates was something that put me off the whole thing. That and the layer upon layer of the filesystem structure with seemingly no easy way to merge redundant layers was frankly a little psychotic (it may be better now, I haven't checked).
The EU has decided to get Microsoft to design some nagware to get the British Government to invoke Article 50.
An EU spokesman said "We're seriously fed up that the British PM keeps clicking 'not just now thanks' on the reminders we've sent him so far"
Or is the only tech relevance that this was a press release by a travel company with a website?
How long before we get one or more dedicated TV channels for the footage? Channel 5 are 75% of the way there already!
Hotmail/Outlook/Windows Live Mail or whatever they are calling it this week is also titsup at the moment.
Presumably, as the results were "in line with our expectations" the CEO and the rest of the management fat-cats will be taking home their six-figure bonuses and seven-figure salaries as usual then, which probably goes a long way to explaining the loss...
I have a house in rural France and around here nobody seems to have heard or care about H&S rules.
It's common to see people working on steeply pitched roofs without any safety equipment whatsoever.
There's one old boy who works on his own with a van and a long ladder repairing roof tiles. He was at a house across from me last year and it made me feel quite queasy to see him going up on the roof all on his own, even climbing the ladder one-handed as he held on to a stack of new tiles on his shoulder with the other.
is that there is no concept of archiving. So to properly verify the current entries you need the whole blockchain which just keeps growing and growing.
Unless that is, you have some sort of central authority to sign and publish checkpoints in the chain periodically.
Yep, Apple need to get off their high-horse. All they've effectively done is create a super-super user. It doesn't make root problems magically go away, it just moves the target.
Meanwhile, slightly offtopic, but try checking the details of an HTTPS certificate in mobile Safari... and you can't.
I just checked both my recent Android devices (one of which is a fully patched Nexus 7, running Marshmallow) and both are running a Linux kernel version 3.4.x, so why is kernel 3.10 mentioned?
Is this bug related to Android version or Linux kernel?
Have to agree there.
Not being a fan of the massive phablet, I was happy to snap up an HTC one mini 2 last year at a bargain price since it apparently wasn't a popular model, but I'm very happy with it. But the rumoured design just leaves me cold.
My understanding is that TLS was a 'rebranding' of SSL when it got to v3.1 (i.e. TLS v1.0 = SSLv3.1). However reports often seem to mix the terms as we have in this story ("An attacker can exploit support for the obsolete SSLv2 protocol – which modern clients have phased out but is still supported by many servers – to decrypt TLS connections.")
So in simple terms is my TLSv1.2 connection vulnerable simply because the server still supports SSLv2 (even if I'm not using it) or only if my connection is actually SSLv2?
And if I'm confused (as an experienced IT person) what hope does the average user have?
Not that I'm complacent, I patch the Linux servers I manage at least every week.
However security consultants like to make the latest bug sound like the end of the world, when really it isn't and isn't anywhere near. Well-managed servers will get patched in a timely fashion, some badly managed servers will get deservedly bitten, need to be rebuilt, and in the process we may get to learn who the IT-incompetent companies are (I'm looking at you Talk-Talk).
The world will keep turning and a few more cowboys will go to the wall.
"Oh yeah, and what about the man page on "ln" which eschews the usual unix idiom and waffles so effectively that no-one can figure out which comes first: the file name or the link name. man pages are a cowpat in the field of technical documentation."
I don't know what man page you were looking at but on Debian 8.3 man ln starts:
ln - make links between files
ln [OPTION]... [-T] TARGET LINK_NAME (1st form)
Then goes on to list the variations and what each option does. Pretty clear to me.
a former BT engineer may post the real story in "On Call"!
Systemd may not be the principal culprit but it's certainly an accessory to the crime. Why does it mount that special filesystem r/w by default?
Just another little bit of evidence that the systemd developers don't think things through and that their whole approach is a disaster waiting to happen.
If you build your own kernel, presumably you'll incorporate the kernel patch for this bug, which has already been released, so you won't have to worry whether CONFIG_KEYS is set or not.
(yes that really was a programme in 2015, gawd help us!)
Erm, they were never going to do the things in that leaked report anyway. It's a standard trick to release rumours of extreme policies so that you can look magnanimous when you don't implement what you were never going to do!
Unfortunately, here in Britain nobody explained the tactic properly to David Cameron and George Osborne so they plough ahead with daft policies only to be forced into a u-turn later...
If you're trusted sufficiently to get close enough to one of these routers to plug in a malicious usb key, presumably you're also close enough to pull out the power cable, take a hammer to it, or simply hit the off switch!
My installation is not standard; I know exactly what to do to install certificates since at the moment I'm using a self-signed one for testing. So can I generate a certificate without all the self-install gubbins?
I can't see that the 'spaceship' operator helps in any great way other than to allow people to write 'clever' code which obfuscates what it does and leaves a maintenance programmer wondering if it might just have been a typo.
and I have a piece of paper to prove it!
Anyone else remember the fad for 'selling' bits of space several years ago? Someone gave me a certificate of land ownership from MoonEstates as a xmas pressy. I shall pass it down to my heirs and one day one of them may be very rich... (or not)!
and so do six-figure salaries for doing sod all.
Anyone checked if the VMs at
have been updated?
(I only run Windows > 7 in VMs now and that's only for compatibility testing)
"Is there a list of those domains anywhere? Presumably they're good sites for freebies. Does Google have a public listing of blocked sites?"
"It's safer to sit behind a computer than to go into the field to gather intelligence"
Indeed, and that leads on to trying to fight a war with bombs and drones instead of putting 'boots on the ground' because it's safer. Wars can never be won solely from the air, they just create more refugees and more radicals out for revenge. Also, sad though it is to say it, casualties on your own side help to get the politicians talking to find a peace.
Don't know if this is related but our spam filters have picked up a batch of spam/malware emails all being sent from several different @talktalk.net email addresses to what appears to be a list of emails in address books.
Could just be a coincidence or someone may already be exploiting the stolen data.
Yes, it's weird that a guy in charge of a supposedly cutting-edge OS still has his haircut (wig/dye) stuck in the 90s!
Now it's their turn.
Unless you have a very large room and a very large TV your eyes physically can't register any difference between the HD we have now and 4K.
I won't bore people with the details here but go and research the biology of the eye if you're interested.
The main application for 4K (apart from manufacturers trying to con people into buying expensive TVs) is for use on the massive screens in public spaces.
Plenty of people with more money than sense there then.
Virtual Reality doesn't make any difference. No matter how much you shake and dance, the last three drops go down your pants.
I had a look at Docker when all the hype started about a year or so ago. It certainly makes installing things very easy, so you don't need to know anything about dependencies within a system. But really, is this ignorance a good thing?
The major issue is that it completely cuts you off from the normal security updates of your chosen Linux distribution, you're reliant on your container maintainer (or mass of chained in container maintainers) to provide an update in a timely fashion.
A smaller issue is that the layered file system structure used by containers can grow to be very inefficient.
If your keyfile is never copied anywhere and only kept on the memory stick, I'm assuming you actually have two very special memory sticks? One kept somewhere very safe? Otherwise what happens if the memory stick dies?
Dedicated server companies such as OVH still offer 16 IPv4 addresses with even their mid-range servers for free... so apparently no-one has told them that IPv4 addresses have run out!
(see https://www.soyoustart.com/us/essential-servers/ )
Has someone done a security audit on the charity website? I'd hate to see an 'Ashley Madison' happen to them!
Biting the hand that feeds IT © 1998–2017