* Posts by big_D

2496 posts • joined 27 Nov 2009

LastPass now supports 2FA auth, completely undermines 2FA auth

big_D
Silver badge

2FA and OTP

Using an OTP as part of 2 factor authentication is a reasonably good method. BUT, if you are using it to authenticate an account on the mobile device where the 2FA is generated, then you completely lose any benefit of 2FA.

3
0
big_D
Silver badge

Banking

A comment in the article says the bank sends a code - mine doesn't, I need to generate a unique token using my debit card and card reader, plus the payee account number and the amount. This generates a unique code, which is used to verify the transaction. This is, for me, real 2 factor authentication.

13
0
big_D
Silver badge

Re: Better alternatives...

I use KeePass at work and LastPass privately. To be honest, I hate KeePass, it feels so awkward, compared to LastPass. The UI is the one part that LastPass really has done well.

3
8

Do we need Windows patch legislation?

big_D
Silver badge

@tiggity - in 2010, you could only get XP as a "downgrade" on new hardware, and only for Professional and Enterprise variants of Windows, so that excludes "your average punter".

Any business buying XP would have to order that extra, or they received a Windows 7/Windows 8 PC and an XP recovery CD. Either way, they had to know that XP wasn't the wisest option.

0
0
big_D
Silver badge

Re: @Doctor Syntax

But that isn't Microsoft's problem, per se. The user has been warned that support is running out and they either have to upgrade to a newer version (for free in many cases as the hardware will have had a valid license for a newer version of Windows) or they pay for ongoing support.

In this case, they did neither. They only have themselves to blame.

1
1
big_D
Silver badge

Re: All products have a support life

@JohnG it is still the same today: we have support agreements on all critical hardware and software, and if something breaks down, the first question is the support agreement number (they check to see if support has been paid) and the second is to check what firmware / software version number is in use. If it is old, the first step is to get it on a current version, to see if that fixes the problem.

(We had that with a server, a SAN and our SuperLoader recently)

1
0
big_D
Silver badge
Facepalm

Re: RE: Do we need Windows patch legislation?

At my last employer, they were still issuing servers to customers in 2015 with SUSE from 2000, because the libraries they used weren't compatible with newer versions and the company that had written the libraries had gone out of business...

But "it is Linux, so we don't need to worry about security updates," was the excuse for not finding a newer library or re-writing the software for a more modern version of Linux.

In fact, they did have to switch, because the Linux would no longer install on the current generation "low end" (i.e. Intel Pentium) servers. But security wasn't the driver.

0
0
big_D
Silver badge

@alain williams

I would agree with you, that the PCs were "only" 4 years old, when support for XP stopped, IF they hadn't been warned 10 years before that of when the end date for support was.

Those PCs were sold with Windows 7 Professional + downgrade rights to Windows XP, so there weren't even any licensing issues about upgrading and getting continued support. And if they were using Enterprise licensing with SA, versioning is irrelevant, they could have upgraded directly from XP to Windows 10, if they had wanted.

As it is, they ignored the warnings, still installed XP/ bought downgraded PCs and then, when the support period ended, they didn't take Microsoft up on the offer of extended, paid support. As the Germans say, selber Schuld.

7
2
big_D
Silver badge
Paris Hilton

@BoldMan

But then they only have themselves to blame, when it all goes pear-shaped.

The same is true with Windows XP. They were told a couple of years ago, that if they hadn't moved to Windows 7 or later, they would need to pay annual support to keep Windows XP patched. They decided not to cough up and now they are paying the price.

They could have paid and they would have received the patches to keep them safe from this exploit months before it was put in the wild. They decided to save a few pounds and now they are crying foul.

5
2
big_D
Silver badge

My last Windows Update for Windows 10 took around 20 seconds, on an HP Spectre x360 with a Skylake Core i5 processor, I think there is something seriously wrong with the configuration of your machine if it is taking more than a couple of minutes.

8
9
big_D
Silver badge

Re: All products have a support life

Windows XP does still get security patches, if you pay for them.

If you decide to continue using Windows XP, there is the option to pay Microsoft an annual fee to ensure that it get security updates. That is reasonable.

Either the price of the software needs to increase to cover the extended support costs - so Windows would cost a couple of grand, instead of 100 UKP, because they will need to support it "forever" - or the price needs to remain "affordable", with the knowledge that after a defined period of time (a period of time which is defined in black and white before you ever buy the product, I might add) you will either need to upgrade to a supported version, or you need to pay for the extended support.

Patching older versions of software is an expensive business and it needs to be paid for. If you don't like it, move to open source and patch it yourself, when the maintainers decide that your version is too old (18 months for most distributions, 5 years for some enterprise releases, I think only RedHat/CentOS and SLES offer anything approaching 10 years, and they cost real money).

13
1
big_D
Silver badge

Re: Lawyers

@davidp231 that is how I read it. The patch was issued to those that paid for it, as per the guidelines issued before XP support stopped.

This whole issue is insane. MS provide longer support than any other software company for its products. Heck, Google have announced that they will stop issuing updates to their own Android devices after 18 months and security patches after 2-3 years.

Apple dropped support for older Macs after only a few years - my 2007 iMac hasn't had a security update since 2014, but it still runs Windows 7, so it actually gets support from Microsoft for nearly twice as long as Apple provides for its own products!

If Microsoft had just stopped supporting XP all of a sudden, I could understand the outrage, but we are talking about users and businesses having over 15 years of warning that they would need to upgrade to a more modern version... And, for those that were short sighted enough not to be able to get their systems updated in time, they offered paid support.

If you are dumb enough to use out of date software and still dumber not to pay for extended support, then you are your own worst enemy.

Also, if they do change the law to make manufacturers provide support in perpetuity, then it will have huge impacts on prices and how often new versions are released. Not an entirely bad thing, but we will see software prices climb again, as the long-term support needs to be calculated into the purchase price.

44
3

HP Inc wireless mouse can be spoofed

big_D
Silver badge

Re: Reminds me somewhat of the ghost-typist call-out.

Logitech and Microsoft both had this problem, about a decade ago. They got around it by doing proper encryption - Logitech used either XOR or a bitwise shift (can't remember which) to "encrypt" their original keyboards!

0
0

IoT needs security, says Microsoft without even a small trace of irony

big_D
Silver badge
Holmes

Re: IoT - Internet of Threats

As the saying goes, the "S" in IoT stands for security.

8
0

French fling fun-sized fine at Facebook for freakin' following folk

big_D
Silver badge

I deleted my account in 2008, had to create a new one in 2015, because my employer wanted me to manage their Facebook page and it was a way of keeping in touch with my family in the UK... But I am so busy with real life, that I only had time to post the official posts for the company every day.

Since I left the company, I think I have looked at Facebook maybe twice in the last 9 months, as I just don't have the time.

0
2

While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February

big_D
Silver badge

Re: Latent product defect??

@MrDamage, every user has to accept the EULA before installing the software - even on a new machine, the EULA is shown and the user has to accept.

If they don't accept the EULA, they can take the software back and get a refund. Claiming that they hadn't read the EULA, when they have explicitly said that they have read and understood it won't stand up in court.

I agree, in Germany (for example), that would be hard to enforce, as it is what you have read before purchase that counts - that is why using an OS X CD on a non-Apple PC is legal; that restriction is only visible after you have paid for the product and opened the packaging.

It has also been proven in court, that for downloaded software, the EULA must be read before installation begins, for it to be binding. Microsoft ensure that with, for example, the Windows 10 upgrades that are downloaded, that you read the EULA before it attempts to write anything to disk.

It will depend very much on jurisdiction, whether the EULA being agreed to before the installation takes place, but after the purchase transaction has been completed, is binding or not.

0
0
big_D
Silver badge

Re: Plenty of blame to go around

@Oliver Jones, I agree with you, apart from the 30 years (10 years is more than long enough in IT terms) and the open sourcing.

If Microsoft hadn't offered cheap or free upgrades to newer versions of Windows or had stopped making Windows altogether, then I would agree. But they have brought out newer versions of Windows with improved security and stability, they have bent over backwards in some ways, to get people to upgrade, and for those that don't want to / can't upgrade, there is paid support.

In the case of the NHS, they decided the money was better spent on refurbishing offices and other frivolities, rather than ensuring their infrastructure was secure.

1
0
big_D
Silver badge

Re: "Also trusts stripping all attachments on incoming mail as a precaution."

@Paul 76, there have been enough buffer overflows in XML, HTML and Zip over the years, so no, the WP isn't to blame, its default is not to execute macros or to execute signed macros.

The user has to open his machine up to attack, by allowing unsigned macros.

0
1

Never mind custody decisions, let's AI up our police cars

big_D
Silver badge

Re: Kit for cops

Except, that over here they would have to blur out the number plates and the faces of people. Filming them without permission on public streets is illegal... At the moment.

0
0

UK General Election 2017: How EU law will hit British politicians' Facebook fight

big_D
Silver badge

Re: A question

It might be moot for UK citizens, it certainly isn't for UK businesses wishing to continue doing business with Europe.

2
0
big_D
Silver badge
Paris Hilton

Re: A question

The other thing is, like we have seen with RIPA, the EU has been protecting UK citizens from their own government, yet a slim majority still wanted to get rid of the EU, as it was interfering with the government interfering in their lives... :-S

13
0
big_D
Silver badge

Re: A question

It could be, but it would mean that businesses in the UK would find it very difficult to do business with Europe.

The UK could repeal the EU DP laws (RIPA is a good example of this, it has been rejected by the EU courts and the ECHR several times as being illegal / breaking human rights doctrines) and sent back to the UK Parliament for re-working. Post Brexit the UK government said STFU EU, we'll implement it anyway, even if it breaks human rights conventions in the EU.

That alone will make it hard to do business in Europe post Brexit, if the UK government also castrates data protection law in favour of allowing big corporations to exploit its sheep voters citizens, then there will be next to no chance of UK businesses being able to effectively do business in Europe.

23
0

It's 2017 and Windows PCs are being owned by EPS files, webpages

big_D
Silver badge
Facepalm

Re: When you think things can't get any worse

Yep, whichever Intel programmer thought that was a good idea should be shot!

How long is the password you are sending me? 0 bytes, OK, I'll just compare the 0 bytes with the first 0 bytes of the correct password and see if they match... Oh, '' matches '38de34ef09e3', you have access!

I mean, the password has a fixed length that Intel knows about (it is derived from some checksum), so it knows the password must be x characters long, so why even allow the incoming response to define how long its password is? And if it does, then surely the first check would be to see if its length matches that of the correct password!

But, no, if the response is 0 length, then it must be correct!

2
0
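The length-controlled comparison described in this post, as an added example (not code from the article, the commenter, or Intel's firmware): `check_response_vulnerable`, `check_response_fixed` and the `38de34ef09e3` sample value are assumptions for illustration, with the vulnerable pattern beside the check the commenter says should come first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value (borrowed from the comment above); in a real
 * system this would be the server-side expected digest, never a literal. */
static const char SAMPLE_EXPECTED[] = "38de34ef09e3";

/* Vulnerable pattern the comment describes: the comparison length comes
 * from the client-supplied response instead of from the server-side value.
 * strncmp with a length of 0 compares nothing and reports "equal", so an
 * empty response is accepted against any expected value. */
bool check_response_vulnerable(const char *expected, const char *response,
                               size_t response_len)
{
    return strncmp(expected, response, response_len) == 0;
}

/* Hardened version: the server-side value fixes the required length, a
 * length mismatch is rejected before any bytes are examined, and the byte
 * comparison is constant-time so no timing hint about the first differing
 * position leaks to the client. */
bool check_response_fixed(const char *expected, size_t expected_len,
                          const char *response, size_t response_len)
{
    if (response_len != expected_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < expected_len; i++)
        diff |= (unsigned char)(expected[i] ^ response[i]);
    return diff == 0;
}

/* Stand-alone demo comparing both checks on the same inputs. */
int main(void)
{
    size_t expected_len = strlen(SAMPLE_EXPECTED);
    const char *empty = "";

    printf("vulnerable, empty response: %s\n",
           check_response_vulnerable(SAMPLE_EXPECTED, empty, 0) ? "ACCEPTED" : "rejected");
    printf("fixed, empty response:      %s\n",
           check_response_fixed(SAMPLE_EXPECTED, expected_len, empty, 0) ? "ACCEPTED" : "rejected");
    printf("fixed, correct response:    %s\n",
           check_response_fixed(SAMPLE_EXPECTED, expected_len, SAMPLE_EXPECTED, expected_len)
               ? "ACCEPTED" : "rejected");
    return 0;
}
```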
big_D
Silver badge
Pint

Re: Yes, a constant stream of vulns --

@tiggity that's OK, I use the same / similar addins on the Windows side as well, so we cancel each other out! :-D

0
0
big_D
Silver badge

Re: The Need For Speed

The last 2 I set up didn't have IE enabled (direct re-install of 10 Pro using Creators Update ISO). I tried to start IE for installing TM, but it wasn't installed, I had to go to optional features. I created a new account instead (policy doesn't allow the domain administrator to use Edge).

0
0
big_D
Silver badge

Re: Why does Microsoft still try and integrate applications into core OS

Our Windows 10 PCs don't even have Internet Explorer 11 installed by default, it is an option.

You can remove it by going into the Add/Remove Windows Features. You will get a warning, but you can remove it.

0
0
big_D
Silver badge

Re: Why does Microsoft still try and integrate applications into core OS

Edge is in reality a UWP application, but it is still getting updated via Windows Update. It is scheduled to move into the Windows Store with Redstone 3 later this year.

1
0
big_D
Silver badge

Re: Optional

Exactly @luminous. People who live in glass houses shouldn't throw stones.

My Linux PCs and servers also get regular patches for the Kernel and applications, my Android phone got the latest patches yesterday from Google, the iPhone gets regular patches, BSD and derivatives get patches.

If you have a computer, of any form, and it has an operating system installed, you can guarantee that it has undiscovered bugs and vulnerabilities. Even if it doesn't have an OS installed, it might still be vulnerable (look at the bugs found in the radio layer of smartphones last year or the current Intel AMT/IME debacle).

10
3
big_D
Silver badge

Re: It's 2017 and Microsoft is still the world's largest distributor of security vulnerabilities!

That title now goes to Google, there are more users of Chrome, ChromeOS and Android than there are Windows PCs.

4
1
big_D
Silver badge

Re: Riddled to high heaven

@s2bu and they have also had some bad CVEs in the recent past...

No operating system is safe or secure. If you want to make your PC secure, disconnect it from the mains, drill holes in the disk, bury it in concrete, place the concrete block in a secure room, brick up the doorway... And be certain that it still isn't 100% safe.

5
4

Android O-mg. Google won't kill screen hijack nasties on Android 6, 7 until the summer

big_D
Silver badge

Re: I'm an Android user

I have to configure about half a dozen Android devices every week, because the users don't know how to set them up themselves - they can't even follow the on screen prompts for setting up their email account.

Outside the office, I am constantly being asked why so and so dialog has appeared, what does it mean, must the user do something. Generally, I just need to look at the explanatory text displayed on the screen and react to it...

9
2
big_D
Silver badge

Re: I'm an Android user

You? Probably not. 95% of Android users? Absolutely.

9
5

FCC blames DDoS for weekend web lockout

big_D
Silver badge

Re: Obvious ploy

There is nothing wrong with treating different types of traffic differently.

Voice and video calls need higher priority than most other traffic, streaming audio and video probably next up, web traffic doesn't need that much priority, email even lower...

What net neutrality is really about is not prioritising one type of voice traffic over another or, often, not counting an ISP's own and "partner" services against data caps, whereas others, who can't / don't partner with them, are disadvantaged.

6
0

London app dev wants to 'reinvent the bus'

big_D
Silver badge

Re: Not even a mention of the fuel

I was in Hamburg last year and a lot of the buses there were hybrid.

1
0

Michael Dell? More like Michael in-Dell-nial: No public cloud, no future

big_D
Silver badge

Re: Public Cloud

Not to mention data protection and legislation problems. If it is on-site, it is your problem. If it is hosted, you have no control over the hoster and if they splurge your data over the internet (or let someone steal it), it is still your problem, even though it is not your fault and you face prosecution for their failure...

Add in things like not being able to store personal information outside the EU (for EU based citizens and businesses) and, usually, financial/tax relevant data can't be stored outside of the country of origin without getting a special dispensation from the tax office / treasury, and you have real problems trying to even recommend cloud as a suitable alternative.

I like the convenience of cloud in some ways, but for a business based on a single site, doing manufacturing and where most of its employees are on site and sitting at the thin end of a 10mbps line, cloud makes little to no sense.

15
2

Team Macron praised for feeding phishing spies duff info

big_D
Silver badge

Re: Fake News

This sort of argument is why I thought the French reaction to the leaked emails was good.

A complete press blackout until after the election was finished. Macron couldn't say anything publicly, Le Pen either and the Press couldn't report on it, because it was leaked too close to the ballot.

1
0

Windows 10 S forces Bing, Edge on your kids. If you don't like it, get Win10 Pro – Microsoft

big_D
Silver badge

Re: Windows 7

When everything is turned off in Windows 10, it doesn't leak any more information back to Microsoft than Windows 7 does.

Windows 10 offers a lot more services, but for those, you need to allow more and more data to be passed back to MS.

I am assuming that cornz1 doesn't use an Android or iOS smartphone, if he is worried about data slurping.

8
20
big_D
Silver badge

Re: Meh, I give it a few months

@Alan Edwards it isn't ChromeOS, it is Chrome, in general, Android (>85% market share), search (in Europe over 90% market share) and services "pushed" on users through search results and failure to adhere to data protection rules.

3
3
big_D
Silver badge

Re: Meh, I give it a few months

One of the problems with Chromebooks, at least in Europe, is that they are more expensive than an equivalent PC with either Linux or Windows pre-installed.

Heck, the Samsung with ARM chip that came out a couple of years back was available for $599 in Germany. No wonder that Chromebooks have hardly made a dent in the market.

12
2
big_D
Silver badge
Mushroom

Re: Meh, I give it a few months

Monopoly? Good, then can we talk about not being able to install Firefox on my Chromebook?

40
7
big_D
Silver badge

Hmm ChromeOS

forces Chrome on users as well...

This was a move to counter ChromeOS in, among other places, education and Microsoft are trying to get developers to release their software through the store, so not really a surprise.

Given Mozilla's and Google's reluctance so far to use the store to distribute their browsers, it is a clever move on Microsoft's part. People will be forced to use Edge, something they probably only ever use to download Firefox or Chrome on most W10 PCs. Some people probably won't bother with the hassle of switching, more sophisticated users will get the free upgrade to 10 Pro and install their favourite browser.

3
4

S is for Sandbox: The logic behind Microsoft's new lockdown Windows gambit

big_D
Silver badge

Re: "Windows 10 S isn't just for education, it will be seen on more and more devices"

@LDS the same argument goes for the Chromebook Pixel. That was a $1500 Chromebook and some ChromeOS users adored it and lament that they can't buy new ones.

There were a plethora of cheap-and-cheerful models released at the education sector ($189 and up) and MS said they are expecting more 10 S based devices to appear in the middle ground over the coming year.

1
0
big_D
Silver badge

Re: S is for Spyware

As someone who has to deal with Autodesk installations on a daily basis, I can say, that the sooner they get their PoS into the Store and containerized the better.

Having to write reams of Powershell code to get it configured properly is a pain.

1
2
big_D
Silver badge

Re: @big_D -- Windows Store, oh goody!

@Someone Else, when I met my wife, she didn't know how to install software, she got a friend to "put the web" on her PC (Firefox) and "that Skype thing". When we were together, I had to set up her PC for her (Windows 7).

When Windows 8 came along, I shrugged and thought "why not, it can't be worse," and lo-and-behold, after 20 minutes playing with Windows 8, she proudly came down stairs and exclaimed, that she had installed a clock app!

0
0
big_D
Silver badge

Re: @Big_D - Windows Store, oh goody!

@LDS WordPerfect weren't just DOS, Windows and OS/2, I had it on the Amiga (basically the DOS version in a console window) and I also used it on a VAX running under VMS. I think there was also a UNIX version at some point.

1
0
big_D
Silver badge

Re: S is for Spyware

They phone home, just like iOS, OS X, ChromeOS and Android (well, except you have more fine control over what is shared, compared to Android and ChromeOS).

5
2
big_D
Silver badge

Re: S is for Subsidised

This isn't just for schools.

MS has built some tools for education around Windows 10 S, but Windows 10 S isn't just for education, it will be seen on more and more devices for "normal" users as well, at least that is what MS said the aim was yesterday.

This is a move to try and show developers that they need to start looking to the future.

2
3
big_D
Silver badge

Re: Windows Store, oh goody!

It is supposed to be a method of encouraging developers to use the store and to ensure that their programs work in the store. If people are "forced" to use the store and they start complaining to the software developers that their software doesn't work, as opposed to cursing the store and downloading from the site, or developers notice that user numbers slowly drop off, because they aren't in the store, they might start to take the new Windows seriously and start to develop for it properly.

Microsoft is trying to throw away the insecure, bloated, legacy cruft that is Win32 and get people to move forward to a more modern, slimmer, safer experience.

At the moment it is difficult, because many devs, especially of big applications, can't be bothered to invest the time and effort needed to get their software working in the store, when they can just continue to make it available on media or for download. That makes a poor experience for users who don't know how to use a PC and don't know how to download and install software; they have grown up on app stores and the "old" way is inconvenient and error prone for them.

So, MS is at a crossroads and needs to start chipping away at the cruft. I suspect that the Win32 applications will slowly be banished to some sort of container, then they will be sandboxed more and more, so that it is less and less convenient to use old, legacy software and users will be looking to the store apps that work better than the old legacy cruft (UWP is getting better with each new version and getting more feature rich). Compare it with the move from DOS to Windows: the DOS applications were more powerful and faster and the Windows applets were mere toys, until Windows got to 3.0 / 3.11 and Excel and Winword came along, then people suddenly saw the "light" and started moving towards Windows and complaining to software makers when their applications didn't work in Windows' DOS Box or there wasn't a Windows native version available. Eventually those software makers either "got with the programme" or they went under. Where are Ashton Tate, WordStar, WordPerfect Corp., Lotus etc. today?

9
12

Microsoft sparks new war with Google with, er, $999+ lappies for kids

big_D
Silver badge
Coat

Re: Wake me up …

10:12 - they were doing telemetry gathering using cardboard and copper wire, bunging the data into an Excel sheet.

4
1

Male escort forgot pregnancy protection, scores data protection instead

big_D
Silver badge
Headmaster

liebefest

That would be Liebesfest...

3
0


Biting the hand that feeds IT © 1998–2017