Posts by Lewis R

29 posts • joined 7 Dec 2010

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption

Lewis R

I'm struck...

...by the sheer number of people commenting who do not understand how DNS requests are sent or received, how DNS proxy works, and how zone transfers happen.

The real security concern for DNS is update security, to ensure that only authorized changes are made to a specific domain's addressing. DoH does nothing to ensure that integrity (neither does DoT, for that matter). True privacy on the net is a myth, so obfuscating lookup traffic is all form over substance. Every intervening router knows from whence the traffic originated and where it is destined. This is like printing phone books in code.

After selling his site for millions, founder hacked it for a second payday

Lewis R

Enough dumbness to go around

There was reportedly a non-compete covenant which expired. Had the seller merely kept a backup of the database after the sale (not saying the contract would have allowed that, but surely, less risky than accessing the data from someone else's site), much of this could have been avoided. I'm also not saying that this would have been morally above board.

As far as the buyer is concerned (the second time around), one would think that part of the due-diligence routine would be to be reasonably assured that the Company was not paying for contact information already in his (its) possession.

I can't help but feel like we're only getting one facet of the story.

No sympathy for criminals.

Disgraced US Secret Service agent coughs to second Bitcoin heist

Lewis R

For all of you non-Americans wondering why this becomes a US crime: a criminal act (theft) committed while on US soil (sitting in front of a workstation located here in the States connected to a server anywhere on this planet or anywhere else counts as "US soil") is a US crime, subject to prosecution here. That doesn't mean that he's *not* subject to prosecution or civil suit elsewhere, either.

As an accountant (an Enrolled Agent, recognized to practice before the Internal Revenue Service), let me just state that the Treasury Dept has somewhat clarified its stance on BTC in recent years. While US law forbids it being considered "currency," it *is* considered a capital asset, so stealing it is akin to stealing anything else (such as intellectual property, also able to be stolen via computer here from anywhere in the world).

Compound that with whether the BTC itself had already been subject to seizure by the US. In that case, he stole *from* the US, which of course, is also a crime. (I am not familiar with the full circumstances, and while I am an accountant, IANAL.)

Intel CEO Krzanich quits Trump's Manufacturing Council over response to Charlottesville rallies

Lewis R

"Well, the Goose-stepping, swastikas, and Nazi-style salutes might have been a good tip-off."

They weren't the only ones, and that was my point. Sorry you missed it.

Lewis R

Truly amazing... My President should have known (how?) *exactly* what hate groups were to blame for the violence - on both sides, and not just one defending itself against the other. The fact that he gave a clear, measured response once again seems not enough for the peanut gallery.

Hate is wrong - on all sides. We should all, as members of a (hopefully somewhat) civilized society reject it and call it out for what it is. Limiting such outrage to only those of which we were immediately aware would be shortsighted. No doubt, when other groups were/are identified, he would be vilified for not including them, as well.

If these "titans of industry" are this thin-skinned, good riddance. We need people who are willing to take a stand and focus on the matters with which they have been tasked and not stand around finger-pointing because they've heard something not politically correct. Grow up.

WannaCry vanquisher Marcus Hutchins pleads not guilty to flogging banking trojan Kronos

Lewis R

Why the US/Trump bashing?

Geez, guys...

First of all *my* President likely had nothing to do with this (why would he?). Next, there must have been *something* which warranted (pardon the pun) an arrest. I am not for one moment saying that I believe he is guilty (I surely do not have enough information to make such a claim).

The US system of justice is surely imperfect. Is it any worse than any others on the planet? I couldn't say, but surely, the UK system is also flawed (everyone arrested is guilty over there?)...

Now, for what we really must hope, is a judge who can grasp the underlying concepts, if not the technology itself. If he *is* guilty and is not convicted, it could open the door for others to work their way out of the system. If he is *not* guilty, then this could provide the basis for improving these kinds of investigations and cases.

Finally, as to him recovering his bail expenses, he *may* be able to file suit to recover those damages and his legal expenses, *if* he can prove that his arrest and prosecution was improper, which is highly doubtful. IANAL, and I am not offering this as advice, just tossing it out for purposes of conversation.

ATM security devs rush out patch after boffins deliver knockout blow

Lewis R

Re: So

Yeah, as the Managing Member of Arca Noae, the company which just released ArcaOS 5.0, our own OS/2-based distro, stories like this make me cringe.

The last time I saw an OS/2 system compromised by such code was...well...never.

ArcaOS also allows these ATM manufacturers to run their older OS/2 software on modern hardware. ArcaOS on a dual or quad core system with even 2GB RAM (well over our minimum requirements) is a thing of beauty. Put that on an SSD, and there are even fewer moving parts to maintain. Such an ATM would be a tremendous asset, and not on the Microsoft patch-o'-the-week treadmill...

What is dead may never die: a new version of OS/2 just arrived

Lewis R

Some clarifications

As the Managing Member of Arca Noae, and one of the engineers who worked on the release of ArcaOS 5.0, just a few points to clarify (both from the article and from the comments, here):

1. $99 is introductory pricing for the personal edition. After the first 90 days (about 85 days left, now), the normal pricing takes effect, to wit, $129/license.

2. There are quantity discounts for the commercial version, starting at 25 seats.

3. The personal edition ships with 6 months of included support and maintenance, while the commercial edition ships with twelve months (1 year, not 2, as stated in the article). After that, support and maintenance is available for each by subscription.

4. There are still a good number of large (really large; huge) enterprises with OS/2 entrenched in their IT infrastructure. We know because we consult for more than a couple of them. Running OS/2 on modern hardware is a must for organizations like these, where virtualization - for one reason or another, whether due to lack of device driver support for connected hardware or performance reasons - is not a viable option.

5. ArcaOS ships with SMP support for up to 32 CPUs (I think 32 is the number, though it could actually be higher; I haven't actually tested on anything more than 4 8-core CPUs).

6. ArcaOS includes rudimentary PAE support, where we are able to utilize RAM above the 4GB boundary as a RAM disk with up to two partitions. This may not seem like much, but for any application which requires fast access to temporary files (cache, etc.), this is a HUGE performance gain.

7. ArcaOS is not a clone of OS/2. At its core, is a fully licensed MCP2 (Warp 4.52, a/k/a Merlin Convenience Pack 2) installation, with Arca Noae's fixes, updates, and modifications on top of that. In addition, the TCP/IP stack, ported from BSD, is in there, as are HPFS and JFS, the latter of which is fully maintained by Arca Noae. Indeed, we have a licensing agreement in place with IBM.

8. When IBM released SMP as an option for Warp, it was an option only available for Warp Server for eBusiness (WSeB). We did not license WSeB from IBM; we licensed Warp 4 (MCP2). We have a special SKU from IBM which allows us to bundle SMP with the MCP2 code.

9. ACPI support is ours. IBM included only basic ACPI support, using the OS2APIC PSD (Platform Support Driver). OS2APIC is barely useful on hardware built within the last 10 years. Arca Noae's ACPI driver is fully compliant through ACPICA 20170119.

Some follow-up to some other comments:

OS/2 (and ArcaOS) is indeed sensitive to substandard hardware. We do not claim to run on everything, and surely not on the cheapest junk floating about. Use that other OS from Redmond on that stuff - LOL.

While some may scoff at a new release of OS/2, let's bear in mind that any marketing failures on IBM's part should in no way be taken to mean that OS/2 was not technologically superior to its competitors at the time. As a NetWare engineer, I can attest to the fact that Novell's similar difficulty and lack of success in competing with the overwhelming marketing machine from that other company likewise should not be taken as any kind of statement that NetWare was not superior in its space, or that there are not still shops with NetWare running quietly and consistently to this day, managing mission critical operations, just as OS/2 is. If there were no demand for a new OS/2, Arca Noae would not have come into existence, and I can tell you unequivocally, the response to ArcaOS has been overwhelming.

Win32: Besides DAX (the Win32s subsystem built into Win-OS/2 in Warp 4), ArcaOS ships with Odin32, which is based on WINE. This allows us to run a number of more complex Win32 applications, and Odin32 can be further customized to work as a wrapper for even more complicated Win32 applications. Essentially, it's just a matter of properly mapping the Win32 calls to OS/2 calls, stubbing them out, or working around them for things which do not exist in OS/2. We can work with our development partners to support specific Win32 apps under consulting contract, and in fact, look forward to exploring such opportunities, so incidents which we've all seen recently (under XP) do not occur, while still allowing those applications to run nearly-natively.

Ah, and finally, why there are no try-before-you-buy offers: Our licensing with IBM does not allow for this. Every ArcaOS license includes an IBM OS/2 Warp 4 license. We can't just give those out for free!

Barrister fined after idiot husband slings unencrypted client data onto the internet

Lewis R

Re: Even more than meets the eye

<quote>

As for your business, I take it that you do not use a (shared) home computer for any client related activities...

</quote>

Actually, no, no I don't.

My wife has her own system, and each of my two daughters has her own system. I don't put client information on USB sticks which can be lost, either. (Well, there are some files which are delivered to us on USB stick, the data is copied to the server, and then the stick is securely erased - no kidding. In the days when we received data on burned optical media, the disc was copied and then shredded. Floppies were reformatted - and not quick formats, either.)

We maintain our own mail server, and handheld devices do not access other servers for mail. We don't use cloud services for anything (calendaring, messaging, email, file transport). Server backups are done in-house, with monthly tapes (LTO) encrypted and stored offsite in case of disaster. Each of our small offices is behind a secure, standalone firewall, and the offices are connected using IPSec VPN. Email (IMAP, POP3, and SMTP) is sent (transferred to and from the server and our connected devices) encrypted, including logon credentials (naturally, we don't encrypt mail sent outside the office, but we do not include sensitive information in client emails and immediately snip any such information sent to us, and try to practice "sane" quoting in messages). Loose lips sink ships.

We do not hire outside shredding companies, either. We do not allow tradesmen or even clients to wander freely about the office. In short, we take information security very seriously. There's nothing hard about it. It's just a matter of practice. I've been doing this since the days of NetWare 2.0 (and probably before; my dad had Litton minicomputers in the office in the 1970's, and even then, we were aware of the potential for theft of sensitive information). It's more a state of mind than anything else.

BTW, how *does* one properly quote in these forums? I've been a Reg reader for ages, but this mystery seems to elude me...

Lewis R

Even more than meets the eye

Wow. Where to begin?

First, the husband, unless covered by NDA, has no business having access to this information. That being said, he's just the tip of the iceberg, here. Was the data secured at all on her machine? What if the husband isn't the only one with access? Does she have a cleaning service? Does she leave her computer unattended when others are in her home/office/hotel/etc.?

If we were talking about leaving paper files lying about, there wouldn't even be room for debate.

Was the transport to the "cloud" secured? I'm talking here of the actual connection, separate and apart from the apparent lapse on the part of the cloud provider. As an IT professional and an accountant, I can tell you that we take extraordinary measures in our office to protect client data. I would never, ever entrust to an unknown third party (or a known third party, with unknown or known employees/contractors) sensitive client data. Such records should be kept under the direct control of principals and contracted staff, ONLY. What was she thinking? I don't give my wife access to my clients' information, just like she doesn't sit in on tax consultations. My daughter has access, but she *works* for me, under contract (with a non-disclosure clause - no kidding).

We have a stated privacy policy and an information security policy, which we really do review at least annually. Cleaning staff is not allowed into my personal office unless I am physically present in the office. Cleaning staff is not allowed into our file room or our server room, period. Why is this stuff so obvious to some of us and yet seems to escape so many others?

The priest, the coder, the Bitcoin drug deals – and today's guilty verdicts

Lewis R

Not really about Bitcoin, and not about a priest...

The fact that Bitcoin was involved here makes little difference; it simply happened to be the currency used to enter into the transactions. It didn't provide so much obfuscation that law enforcement was unable to bring the case to court. Using Bitcoin in the title just sensationalizes the whole thing.

The pastor, as has been rightly pointed out, was/is not a priest, and from the article, it is impossible to say whether he was truly an ordained minister or some self-proclaimed purveyor of <fill in the blank>.

Ho-hum. The good news is that another bunch of stupid miscreants got their just desserts.

Stock market analogy? I think not. The fact that it may be harder to prove intent with pump & dump schemes does not legitimize them in any way.

Mozilla: Five... Four... Three... Two... One... Thunderbirds are – gone

Lewis R

SeaMonkey has flourished since Moz declared it a "project" and not a "product"

I guess the wheels started coming off the rails at Mozilla even before the rapid release cycle madness kicked into gear, where ratcheting up version numbers took precedence over actually fixing broken things and refining the software (product or project) to make it better.

FF is becoming (has become?) Chrome (Chromium) from another company, so it's no wonder, considering that that other company doesn't have its own email client (let alone suite), that Mozilla is eager to shed yet another differentiating factor...

Personally, I've been a SeaMonkey user since Netscape Communicator 4, and have been generally quite pleased with the focus of the Team (except when there's been too much of a rush to "keep up" with/"catch up" to the insane FF release cycle). Hopefully, TB can do as well (for my money, though, scrap the current TB code and fork the mail client off of SM...again).

World finally ready for USB-bootable OS/2

Lewis R

OS/2 Support is still alive and well

It's good to read a favorable article about OS/2 these days. Too often, we see a dismissal of the platform due to its maturity (if it's more than a month old, it must be abandoned...LOL).

There are a number of larger enterprises with installed bases of OS/2 or eComStation. For newer - read: modern - hardware (ACPI, etc.), there is the Arca Noae Drivers & Software subscription package, which is an affordable annual subscription to the latest ACPI, Panorama VESA driver, NIC drivers, and other necessities, and these all come with support.

Compared to the cost of replacement in such implementations, maintaining OS/2 is a viable option.

Full disclosure: I am a principal in Arca Noae, LLC, and an OS/2 professional. I won't post a direct link to the Arca Noae website, but it's easily found. I would invite all OS/2 developers here (or one-time developers) to contact us, as we're always looking for more OS/2 talent.

FTC to scavengers: Radio Shack corpse doesn't include customer data

Lewis R

Re: Be warned...

All too often, it doesn't even last *that* long... Ask anyone in the States with an Anthem health plan.

This is a serious conundrum, though. There is no personal guaranty. The asset (personally identifiable information, or PII) could be sold to a well-meaning organization which, in five years, sells to an overseas firm, beyond the reach of any US bankruptcy court or the FTC. Of course, it could also be pilfered from within long before that.

I always despised and resented the RS practice of asking for my name & phone number *every* blessed time I ran in to buy a pack of AA batteries. When I was younger and less attuned (read: young & stupid, for all of you under-50 types!), I would actually give them my mailing address. Ugh... I need to go shower, now.

Watch: Nasty JPEG pops corporate locks on Windows boxes

Lewis R

Only on Windows...

would a file with a .aspx extension have any meaning. On my OS/2, NetWare, and Linux boxes, .aspx is just a four-letter extension, and not executable. Setting that aside, my firewall would stop such an upload (if/when/as properly configured). Oh, well. Now I know why I don't expose windy boxes to the outside world (the glass breaks too easily).

Lewis R

Re: Dear El Reg

All your base are belong to us...

Cyber crims put feet up for Chrimbo: 2014's seasonal retail breaches fell

Lewis R

Too soon to tell

I can't imagine how Big Blue is able to make such a claim so soon. I wouldn't expect us to really know anything for at least several months, if at all (not all companies ethically disclose such breaches, even when they do have evidence).

World, face Palm: PDA brand to RISE FROM THE GRAVE

Lewis R

Re: Hmmm...

...a better, more secure handheld than A--le or G--gle...er...S-ms-ng, perhaps...?

Full disclosure: I own, and use daily, the HP Pre 3 (the Palm webOS phone which almost never was). I much prefer webOS to Android, and would not think of using an Android phone if I could help it. I'm also typing this on an HP Touchpad, running webOS.

Feds charge man in $1m 'Dr Evil' scam to blackmail Mitt Romney

Lewis R

Re: Actually...the non-issue (IMO) is exactly what Obama wanted..

Rand's grasp of human nature (the true essence of Man's Desires) was uncanny. Her prescience was amazing (as was Orwell's).

Failing to grasp that, when confronted by our common time, is truly sad (and accounts for why we're in this mess right now, with a Government Behemoth as it has become, and the Executive Branch grabbing for more and more control).

You have my pity. Time to get yourself some good reading material.

The OP of this thread was spot on.

(PS: As a practicing accountant, I can tell you that economics isn't nearly as hard to grasp as Liberals would like us to believe.)

Ed Iacobucci: Brains behind OS/2 and Citrix, nicest guy in tech

Lewis R

OS/2 is still a superior OS - check out eComStation

Not to shift the subject from the sad news of Ed's passing, but particularly in light of the disastrous UI which has been foisted upon users of some other OS from Redmond, Washington, I am thankful that I spend my days immersed in the Workplace Shell, OS/2's "killer app."

OS/2 is now the core of eComStation, which has consistently improved upon the functionality and hardware compatibility of OS/2 Warp Server for eBusiness. eComStation 2.2 is now in beta, and due to be released soon. So, Ed's legacy lives on.

As a consultant in the US who does deploy Citrix solutions, I get a bit of a kick out of telling clients that Citrix started as an app to provide terminal services on OS/2.

Cheers, Ed, and thanks so much for getting us OS/2 users off to a great start.

Firefox: Use new stealth window to satisfy your wife, suggests Mozilla

Lewis R

Re: Still miss the Netscape N

I have the N throbber installed in SeaMonkey and Firefox... If you visit my FTP server and browse down from ftp://ftp.2rosenthals.com/pub/Mozilla to the Netscape directory (I have purposely avoided the direct link, as I believe that AOL probably still owns the rights to the N logo artwork <ahem>), you will find a couple of packages there to suit your fancy.

GoDaddy stopped by massive DDoS attack

Lewis R

GoDaddy says the problem was internal, and not external

In case anyone is interested in hearing GD's side of the story:

http://www.godaddy.com/newscenter/release-view.aspx?news_item_id=410

Believe it, or not.

Lewis R

Re: Can somebody explain this

...because without access to the registrar, it is not possible to verify which DNS provider is authoritative for the domain. There is a finite lifespan of the cache, and when that runs out, the NS record in the zone must be refreshed. To do that, the registrar (point of delegation) must be contacted. If unavailable, the zone expires.

While it is handy to have records with long TTLs, it makes propagating delegation changes more difficult, as the NS records won't be refreshed for a longer period of time.

Lewis R

Stop playing the blame game, and consider what has happened

Even DynDNS has suffered through DDoS attacks (many of them). Nobody is immune, and to assume that someone *is* immune is a fool's pursuit. See http://www.theregister.co.uk/2011/06/21/netsol_flood/ for yet another example, against a registrar who charges considerably more per domain (and enjoys a more "highbrow" reputation) than GD.

GoDaddy provides a decent registration service, and their DNS isn't bad (I prefer Dyn, but that, of course, adds another $30 per zone to the annual maintenance, and many companies register domains by the tens or hundreds...these numbers add up quickly).

Like someone said earlier, even sites not hosted with GoDaddy were affected, so hosting really had no bearing on the impact of this.

Even sites registered with GD but using off-site DNS would have been impacted, as without access to the point of delegation (registrar), eventually, the DNS cache would have expired and nobody would know *who* the authoritative nameservers *were* for such sites.

We've also somehow bought into the idea that a single individual (even with a botnet in place) could possibly pull this off, against the resources of an outfit the size of GD (bringing up new net links on new addresses, and updating DNS every few minutes, from many scattered places). I, for one, am not buying it simply on the say-so of some twit on tw-tter. It was likely a group effort, and one which took considerable planning to pull off (and that by no means should be taken as a statement of admiration for these slime).

Clearly, we need better safeguards at layers 3 & 4 against DDoS, before the traffic hits the intended target(s). This isn't a failure (only) of GD (in this case), but of the networks connecting the internet to GD (and how many of them were involved and yet somehow failed to mitigate the attack?).

Microsoft Azure goes titsup across Western Europe

Lewis R

The "CLOUD" = One or More Boxes Hosted by Someone Else

The more people depend on remote boxes hosted by large, ubiquitous organizations, the more of these reports we're likely to see.

C'mon, people: Wise up. Invest in your own infrastructure & regain some level of autonomy.

'Dated and cheesy' Aero ripped from Windows 8

Lewis R

Another reason why I use eComStation

I've been an OS/2 user since 1990 or so. The Workplace Shell (the "desktop" in Windowsspeak) is functionally the same interface now as it was when Warp 4 was released in '96 or so, with enhancements added over time. Thus, once I got past the initial learning curve (and my other users did), we could focus on more important things, such as RUNNING THE SOFTWARE.

Aero is hideous, and Explorer is hardly object-oriented (whereas the Workplace Shell was designed from the ground up to be an OOUI and not a GUI).

I'll stick with what I know and with what works.

Apache confirms new OpenOffice build by 2012

Lewis R

Choice is the most important point

I was never an MS Office user (unless you count Word 5 and 5.5 for DOS & OS/2 - Word was a "bound" application, with a single executable running as a native OS/2 or DOS app). I was (and still am) a Lotus user, and never took to Excel (and yes, I've been using this stuff since Lotus 1a).

Considering the decline in the past 10 years of office suite choices, I'm happy to see LO *and* OO in the marketplace, and the ability to easily share code (not just documents, but macros, formulas, and procedures, as well) between them is a good thing.

I don't use MS apps in my office, and as an IT consultant, I try to find good alternatives for clients. While none of us are really certain where the whole LO / OO situation will end up, in the meantime, I think it's better to have both of them around, and besides, the only bad publicity is no publicity, so this attention, if nothing else, just might make someone consider trying a different solution (one or the other - or both) instead of sticking with the status quo.

Attachmate acquisition stalls Novell's Q1

Lewis R

Hear! Hear!

Okay, so I'm Novell certified & partial to SUSE (and NetWare - but that's a different story), but I absolutely prefer working with SUSE/SLES than pretty much any other distro.

Mass mind control artist condemns El Reg to obscurity

Lewis R

@ Mr. Ed

We're in agreement.

It's amazing how all it takes is for one person to take one thing Rush has to say out of context, and the nuts come out of the woodwork.

Someone in this chain of nonsense commented about socialism being some sort of balance between capitalism and communism... Geez, people, go back to civics class...

Rush is *not* evil. His comments concerning the Reg are from the eyes of someone who is unfamiliar with the tech circles; naturally, from his POV, the Reg is "obscure." I'm a NetWare consultant; from the POV of a die-hard M$ consultant, NetWare is a "legacy," "fringe" OS - yet, I work with it every day. A little perspective goes a long way.

Sheesh...
