44 posts • joined 27 Jul 2010
Re: This doesn't make sense
"Their data" may mean "our data" and nobody should be able to leave that exposed.
I completely agree - by "should be able to" I meant "with the current implementation as I understand it, the worst I expect to be possible is that..." rather than "it's acceptable for an incompetent admin to be able to..." Upvoted both for the principle expressed and for catching my sloppy wording.
This doesn't make sense
Both this article and the Kromtech post are missing something critical. It sounds like they're talking about Amazon's managed Elasticsearch Service offering, where you point and click (or not) through the console to have a cluster set up for you. But that service doesn't give you host access and it doesn't even let you install ES plugins of your choice, even if you are enough of a muppet to not configure any security.
The worst a dumb customer should be able to do is leave all their data exposed for the stealing and/or deleting. But Kromtech claim "the lack of authentication allowed the installation of malware on the ElasticSearch servers." If those managed ES versions can be remotely compromised through their REST APIs, wouldn't that be a fairly obvious thing for a provider to have patched?
If on the other hand we're talking customer-built (unmanaged) ES clusters, then the majority of the article is misleading if not downright wrong.
Security and obscurity
So if the Chrome team's mission is to help users be secure, why has Chrome ca. 56 made it so much harder to view certificate details? Up until recently you could right-click on the "Secure" marker in the address bar and go straight to the cert - now all that gives you is a link to a generic help page, and you have to drill down into the Developer Tools UI to find this information.
In what world is this an improvement?
Re: You can change that behaviour
Preferences -> Screensaver -> Customize -> Ask for a custom message when locking the screen from the menu
Re: The first thing that occurs to me
Don't be so quick to dismiss the topic - Canadian academic Robert J. Smith? (yes, the question mark is deliberate) has modeled zombies and Bieber Fever as well as his more serious work on mathematical epidemiology:
Mathematicians care about the abstract model, not pesky little application details. And when the zombie apocalypse strikes, you'll be glad their work got funded.
Re: Well thought out strategy
She ruled that Gonzales was right to bill them for the 55.2 hours of lawyer's time he had paid for.
What about the parking fees? Trust El Reg to leave out the most important part...
Well played indeed
I for one welcome our 16-bit virtualised overlords.
Re: Must stop glancing at headlines
Well for all we know, there could be 2,046,820,352 ZX81s providing that 1952GB, with 15,990,784 clustered together for each vCPU (because not even Amazon with their "everything fails, all the time" design philosophy would trust those dodgy RAM expansion cartridges).
Re: The bet on aliens landing
It's all in the wording, folks
As our friendly El Reg headline-writers know well:
Re: "Killing season"?
Agreed. I appreciate a witty Reg subheading as much as the next reader, but this one was poorly chosen and detracts from the otherwise respectful tone of the article.
CVE details? Yeah right...
Oracle gives its risk matrices to everyone but keeps the details of individual CVEs (Common Vulnerabilities and Exposures) to users with log-ins to its support portal.
This is incorrect. The Patch Availability documents linked to from the announcement are just that - they detail which patches to download for which product versions and link to other support docs for known issues, non-standard patching instructions, etc. They don't provide paying customers any more detail on the vulnerabilities than what Joe Public can infer from the risk matrices, which shouldn't be surprising:
(I have my own support contract with Oracle as an independent consultant, so the above is based on first-hand readings of the docs.)
In the unlikely event I ever bump into Frank Ostrowski I'll be more than happy to compensate him for any alleged loss of licence fee at the time (I was 11 or 12 so my pocket money would not have extended as far as ordering software from Germany) and buy him as many pints as he can sink in a night.
Well said, sir. A good chunk of the troubleshooting skills that keep me employed today trace right back to breaking copy protection on games I could never afford as a kid. For all it's cold comfort to the vendors of yesteryear who went out of business, it would be an honour to meet them and repay my childhood debts.
Type mismatch error
100,000 is read as "one hundred thousand". "Few one hundred thousand" != "Few hundred thousand". Please stop making my brain hurt this early in the morning.
When size really matters
For even more resource-constrained environments there's Tiny Core Linux (http://tinycorelinux.net). A basic FLWM LiveCD image weighs in at 15MB and it'll run happily in 64MB RAM. Obviously that doesn't give you a lot of functionality, but it has a nice fine-grained package system that you can tailor to get exactly what you want and nothing else.
I'm not sure I'd be game to use it for my primary work machine (mostly because security updates are ad-hoc, AFAICT), but for special-purpose boxen it's hard to get more lightweight than this.
Meh, who needs hackers when a network failure can take down all your ATC radar at once:
The IT questions in Section 27 are interesting:
Have you illegally or without proper authorization accessed or attempted to access any information technology system?
Have you illegally or without authorization, modified, destroyed, manipulated, or denied others access to information residing on an information technology system or attempted any of the above?
Have you introduced, removed, or used hardware, software, or media in connection with any information technology system without authorization, when specifically prohibited by rules, procedures, guidelines, or regulations or attempted any of the above?
If you're applying for clearance to work at the NSA, the correct answer is presumably "yes".
Life imitating art?
Meanwhile, in the background, MalumPoS uses regular expressions to sift through memory and locate fresh credit card information.
The sins of the fathers
... the LogJam flaw shows how internet regulations and architecture decisions made more than 20 years ago are continuing to throw up problems.
Headlining El Reg in 2035:
"Modern internet vulnerable thanks to mid-2010s panic over paedophiles and terrorists. Also, Paris."
That was worth a Ctrl-U, just to learn that the Stupid Sh*t No One Needs & Terrible Ideas Hackathon is actually a thing.
Colleen Josephson, we salute you.
[Citation needed], but I'm guessing that's a reference to section 48 of the Telecommunications (Interception Capability and Security) Act 2013:
This requires network operators to advise the GCSB when they make changes within "areas of specified security interest" as defined in section 47. That section lists things like interception capability, storage of customer or network admin credentials, and parts of the network that aggregate large volumes of customer data (in flight or at rest). I'm neither a lawyer nor a network engineer, so hopefully someone better qualified can explain what this all means in practical terms.
Re: Emoji vs emoticon
I'd always assumed that "emoji" was a portmanteau of the "emo" in emoticon and the Japanese "ji" meaning character (as in "kanji", literally "Han [Chinese] characters"), but it's actually a Japanese word in its own right.
Kenkyusha's New Japanese-English Dictionary (5th ed.) defines it as "a pictorial symbol; picture writing; a pictograph" and gives the kanji 絵文字 (絵 "e" means picture, as in the famous ukiyo-e art style, and 文字 "moji" means written character). According to the Japanese Wikipedia article on 絵文字 the first encoded emoji was the baseball symbol in CO-59, a 1959 interchange code used by a group of large newspapers (carried into Unicode as U+26BE).
The Hacker's Handbook
The Hacker's Handbook was one of my most prized possessions as a spotty teenager. Reading the text now (http://www.textfiles.com/etext/MODERN/hhbk), I have to smile at gems like this:
"Hacking is an activity like few others: it is semi-legal, seldom encouraged, and in its full extent so vast that no individual or group, short of an organisation like GCHQ or NSA, could hope to grasp a fraction of the possibilities."
They sure got that right...
Not just Canada
Here in NZ they want a blanket right to demand passwords even without reasonable cause:
But it's okay, they promise not to disclose any lawful content and we all know government agencies never abuse their powers.
Use the source, Luke
Is there really "zero chance" the malware authors could hack drive firmware without access to the source code? Sure, publicly available firmware binaries are probably obfuscated in nasty ways and would require a lot of reverse engineering even after decryption, but why should that be beyond the ability of a well-resourced organisation like the NSA? There's a long tradition of amateurs hacking DVD-ROM firmware to disable region locking, for example - if J. Random Hacker can do this in the comfort of their own basement, why can't the professionals do it on a grander scale?
"You agree that access to the Support Portal, including access to the service request function, will be granted only to your designated support contacts and that the Materials may be used only in support of your authorized use of the Oracle product and/or cloud services for which you have a current support contract. Except as specifically provided in your agreement with Oracle, the Materials may not be used to provide services for or to third parties and may not be shared with or accessed by third parties."
Where it gets murky is the situation you've described, where you pick up knowledge in the course of your authorised access that happens to be helpful to a third party sometime in the future. My guess would be that saying "oh hey, I have a downloaded copy of a support article that might come in handy here" is out, but saying "I've hit this problem before and I remember what the fix was" is ok - unless Oracle want to claim they own the part of your brain holding their content, of course...
It sounds like the behaviour described in the article, offering patches you've written yourself without access to licensed support material, is quite different from what they're squabbling about in the lawsuit. Whether it contravenes some other license clause is a whole separate question.
Gentlemen, you can't fight in here! This is the War Room!
Interesting that out of all the potential applications they chose to highlight powering aircraft. With the level of scepticism they must have expected, surely the last thing they need is to remind people of the 1950s atomic-power-will-solve-everything optimism that fuelled the Aircraft Nuclear Propulsion programme. Then again, if they could demo this puppy in a B-36 I for one would buy tickets to watch.
(Mine's the one with the lead lining.)
Re: Close with Z80 - but what about the 6502?
"Or better yet how about one which spins up half a million Z80 instances, half a million 6502, and none of those instances would talk to each other?"
Just the ticket for anyone wanting to virtualise half a million Commodore 128s (and who doesn't?).
On the A3090
Good address for an IBM site.
Re: Are you insane?
"Black hats would be combing it over for vulnerabilities applicable to Vista, 7, 8, and 8.1 too."
So the same as MS-DOS 1.1 then.
Re: How do you rank them?
I propose a new unit of unquantifiable performance, the Wally:
Re: Orwell vs Huxley
> TOTALLY! Shades of Pink Floyd's "The Wall" HA!
Or the Roger Waters solo album Amused to Death, which was inspired by Postman.
Re: Upgrading from JRE 1.6
To be fair to Oracle, EBS has been certified with JRE 7 since December:
The Metalink notes say they also support IE9 and Firefox ESR 17 on Win7. I have a lot of gripes about how Oracle handles certification and patching in general, but in this case the criticism isn't justified.
Re: "Should custom Android keyboards even be allowed?"
Of course not, because why would any phone user ever need an input method for a language that doesn't come pre-installed by their provider? If English was good enough for Our Lord it should be good enough for us.
What could possibly go wrong?
This worked a treat in Western Australia:
Somebody think of the mathematicians!
In maths TeX and its cubs are pretty much the standard for writing technical books. Surely Apple know the education sector well enough to realise this, and don't expect serious authors to use drag-and-droolware?
Am I the only one who hears the Quake 3 announcer voice when they read the probe's name?
Never mind the borokkusu
To be fair to the company, I can see how they might have got the name. The katakana (Japanese syllabic text) stamped on the logo reads ボロックス "borokkusu". That's also how you'd transliterate the English word "blocks" into Japanese - the extra vowels turn up because Japanese is built around what we'd consider to be consonant-vowel syllables. Since the Bollox range seems to be owner-designed kitset-style homes, "blocks" almost makes sense.
Then again I'm nowhere near fluent in Japanese, so this could all be a load of borrokusu.
Nimrod R1 retirement
Last I heard the R1 was slated for retirement in 2011, to be replaced by Rivet Joint:
Has the defence review said anything about this?
> So how is nsLoginManagerPrompter.js modified under Windows - is it
> only people running as admin ? The article doesn't make it clear.
Well firefox.exe runs as the logged-in user, and by default unprivileged users only have read/exec privs on the Program Files directory tree. So short of finding some sneaky way to subvert a privileged service (Windows equivalent of daemon), it's hard to see how this could work without admin rights.
The more interesting part of the question - which neither El Reg nor Webroot answer - is how FF is tricked into modifying this file even if the user does have write access to it. Presumably it's not an arbitrary file overwrite vuln or the trojan would be doing much worse mischief. I can't find any relevant mention of nsLoginManagerPrompter.js on bugzilla.mozilla.org, so I guess either the Mozilla team are quietly fixing this or the whole thing is bogus.
To be fair, not just Linux
> The global .js files on Linux are protected.
So are the global .js files on Windows, unless the user runs with Admin rights. Yes, I know lots of users do, but "I'm safe because I don't run as root" is different from "I'm safe because I run <insert OS here>".
Deja vu all over again
But who needs history when you can have hype?
Apples and Oranges
So how is IBM tying z/OS licenses to IBM hardware any different from Apple tying MacOS licenses to Apple hardware?
And as long as the customer purchases a legit license, isn't talk of intellectual property rights irrelevant? Even if the clone-makers need to know the secret herbs and spices to support the OS, doesn't competition law allow the OS vendor to demand a "fair and non-discriminatory" license and NDA?