I think someone has been watching too much Ghost in the Shell lately ;)
2450 posts • joined 19 Dec 2010
I mean: Windows 10 is mostly known for its continuous feature update model. How in the world can you label that 'secure' while you can't even be sure that some new update patches won't undo the current security model?
"That quick pace says at least some aspects of the enterprise are itching to get their hands on SQL Server without giving up their Linux infrastructure."
Interesting theory, but I think this one is more likely: "It says that Microsoft is itching to sell their SQL server to customers who don't want to give up their Linux infrastructure".
Because since when does Microsoft actually listen to what their customers want? I think Windows 10 has clearly demonstrated just how much Microsoft cares. They do care, but not about their customers but about their own revenue, and will literally go out of their way to try and secure it.
That's all this is in my opinion: the search for more revenue.
Just because it's OpenBSD doesn't imply that they're totally safe from any exploitable bug at all, it's a given that someday it can happen.
Even so, it is one of the reasons why I usually prefer not to use new projects but stick with those which have been around for a longer time already. In the end there are no absolute guarantees but with new(er) projects, such as OpenBSD's httpd, it remains to be seen if all minor diseases have been found and patched already.
Although older projects (Apache's httpd and Nginx come to mind) might not be as perfect where security is concerned they do have a rich history where most common caveats have already been dealt with.
"parents don't have a resource to look up the slang. Perhaps a system of tubes could be created."
What nonsense is that? Sorry, but I'm not sure if you're being sarcastic or serious, and I suspect the latter because the art of using search engines seems to be something dying out. Which I think is totally absurd.
So yeah: they do, it's called Google. The only thing, as with all things, is that you need to know how to use it. I find it a little awkward that you guys apparently couldn't find this, and I got it in 2 - 3 hits. I'm not even a parent! And for the record: even Bing helps out.
Google gives you a huge box on top of all your searches explaining the obvious.
Bing doesn't provide this but it did get me to the www.smsslang.com website as a first hit which also explained the whole thing. Granted: not as conclusive (people had to vote on things) but it does give you one giant heck of a hint. Slangit.com was more conclusive.
I use Opera which is built upon Chromium simply because I like some of the features but mistrust Google. So I'm hoping that Opera will keep out a lot of bullshit like this here. But even so, it never ceases to amaze me how intrusive the whole thing has become.
When I go to my Opera settings it even states that websites could ask for permission to access my connected microphone, camera and MIDI devices. The recommended setting being "ask me", but I turned the whole thing off.
But seriously: a website asking me to access a microphone or camera? Not in a million years.
And now we're onto Bluetooth. Yaaay.
But it's the main thing which I think people should do more often: go carefully over the settings of your software (browser in this case) and (try to) figure out what each option does and if you really want to leave this turned on or off.
And thanks to Microsoft's new "hippie" upgrade model: also continue doing this from time to time. Because nowadays you can no longer be 100% sure that no silent updates have run which added, changed or removed certain features (especially when you're running Windows 10).
"Once ordinary people in former allied nations understand that the US is essentially a hostile combatant, and they actually begin to feel the heat from that aggression, they will refuse to have any dealings with it."
So basically most people in Europe who kept up with the happenings in the Middle East. For example: right now everyone agrees that Islamic State (IS) is a big threat to security, also given their recent sprees of violence within capital cities.
However, what often bothers me is that no one seems willing to address the exact origins of IS. Because that was a direct cause of the power vacuum occurring due to the removal of Saddam Hussein. A person who, ironically enough, got into power through massive support from the US in the first place. Many experts, including those from the US, warned the Bush administration about this massive risk but no.... Hussein had to go, and all under a false flag operation too no less.
And as a result we now have IS to deal with. Not only a massive threat to the population (no one ever stops to think about them!) but also the surrounding countries as well as Europe as a whole.
So yeah, I'd like to think that Europe should realize this thing very well by now. And it also never ceases to amaze me that Europe has never ever protested against the US meddling in its own backyard. Because it's easy: the whole Iraq / Iran thing happened far away from the US, so they had nothing to worry about. But all surrounding countries and Europe as a whole suffered from it.
As can be clearly seen by the terrorist attacks from IS. Which basically all started when the US had to invade Iraq despite nearly every expert around warning against it.
People now worry about what Trump might do to the country and all, but I can't help but wonder if he really can do any worse than Bush has done.
"I wonder how the US government would react if Amazon were to release all US data on court request to Canadian authorities seeing as Amazon has a data center in Canada and moves data from USA and Canada regularly."
Simple: then there'd be hell to pay. When EU citizens travel to the US then the US reserves the right to go over everything they have, they even demand access to financial records.
So at one time the EU considered doing the opposite as well. All for the sake of security and setting a standard. Yeah... and all of a sudden there was massive resistance because what the EU had in mind was a blatant and disrespectful intrusion of privacy.
For the very same thing.
And this is why I refuse to go to the US. Out of principle. And no: that has nothing to do with Trump (which is a popular thing to do) but the same applied to Obama, Clinton and Bush. All different presidents and they all couldn't care less about the privacy of others.
"Never thought I'd see the day where Microsoft fought for user privacy and Google just rolled over and took it."
Windows phone 7.5 (old model): Each and every aspect which could intrude on my privacy had to be turned on. The start of using the thing was all opt-in, dozens of questions: "May Microsoft use data from keyboard entry?", "May Microsoft use data from speech entry?", etc, etc. If I had ignored it then this would be turned off.
Android phone (from a friend): We compared and he did not get any questions at all. In fact: all he had was opt-out stuff. Everything was turned on and left for him to turn off.
So yeah, I'm not so surprised here.
In my opinion that's all the whole IoT is to companies. Most people refuse to see it or look the other way, but in the end it's a massive threat to the Internet because of all the caveats.
I can't help thinking that those companies who do align themselves with IoT are in for a big surprise once regular users start to realize just how much collateral damage is being done without any of the involved company "experts" trying to do a thing about it.
Sword of Damocles anyone?
I know that in many enterprise situations the whole IT department has been put into a degraded state. As in: you want a test park but the beancounters in control over the budget don't deem this necessary. However, I also don't think it's fully the beancounters' fault either. How many IT'ers step up to them after an incident like this to tell them exactly how this could have been avoided? Pretty sure that the costs for a test environment outweigh the costs of total downtime.
Even so... Enterprise, in my book (but I'm probably old school), means not taking any unnecessary risks. So most definitely NOT performing blind updates like this. First onto a test environment, then a controlled roll out. So yeah, I am surprised to read how many this hiccup affected.
"And makes me wonder why the student that found all these flaws 6 years ago didn't take his findings to the press when the electoral committee didn't respond to his findings."
Who says he didn't? Just because you have a story which can showcase a travesty doesn't automatically mean that the press are interested and will actually use it.
Why do you think online communication like social media and such became so popular for spreading news items?
For some reason many people consider a project which doesn't supply regular updates "dead". Even though said project is working like a charm and doing everything one could expect from it. Probably because some believe that it can always be done better, but as usual we're not going to bother trying to expand on things ourselves. Effort and all...
Quite frankly I can't help seeing a parallel here.
If MS didn't believe in VB anymore then I don't think they would have provided the runtime libraries in both Windows 8 as well as Windows 10. Just because they won't be developing the language as actively as they used to doesn't mean things will die off.
I mean, if you look back then the same thing was once said about VBA. Yet VBA can still provide an excellent way to automate Office and make it do all sorts of things. Who cares if new features will no longer find their way into it? It doesn't make the language obsolete, because the language can already do so much. Yet that's the part which most people forget or ignore: they don't look at what a product can do, they only keep staring at what they think it should be able to do.
Even up to a point where something already is possible but which people think should be done "better" or "easier".
Seeing is believing, but I don't think VB is going anywhere near /dev/null anytime soon.
Maybe they can put a few RFID chips in there as well, so that the medals become traceable ;)
Maybe I'm too cynical here, I cannot rule this out, but in my opinion Gitlab didn't have a choice but to go public. For the simple reason of damage control.
Think about it: what do you think would have happened if they covered things up only to see the details leaked at a later time? Then it would become double trouble; not only would the community start criticizing them about their plain out ridiculous backup "strategy" but also about them trying to cover it all up. If they had gone this route and the details did eventually emerge then they could have definitely kissed their company's reputation goodbye, maybe even the entire company.
So I don't see any goodwill here, only simple damage control. BUT.. I may be a little overcritical.
Even so... Overlooking the fact that 100+Gb worth of data gets "archived" in files of a few kilobytes large has nothing to do with making a simple mistake, that is a plain out display of stupidity at its finest.
"No repository data was lost"
I'm not that thrilled about anything cloud based and prefer to host my own repositories. And here's one of the many reasons why. For starters: I actually check my backups on a regular basis, even when I don't need them.
I'm not even going to bother commenting any further because this is simply too big a fail. Makes you wonder what kind of geniuses work there. And what they're doing all day.
"And your self signing signature idea doesn't have legs because I can create a self signed signature for website.org and then MitM you. A CA needs to validate you control the domain."
You mean like those rogue CAs which will easily give you a signed certificate for existing domains like google.com? It's not as if HTTPS fully rules out any risk of a man in the middle attack as you make it sound.
I think they're seriously overdoing it. So now a website which doesn't use HTTPS gets labeled insecure by default? Even if that website doesn't even ask its users for any credentials or such? That's plain out stupid. As to the safety of HTTPS itself, has anyone already forgotten about all those rogue CAs which started releasing valid certificates for all sorts of domains?
Speaking of which: why not push for the acceptance of self signed certificates? I mean, if I go to a website "website.org" which is using a certificate issued by 'website.org' then isn't it a tad obvious that we're dealing with the same party? I mean, it's only encryption which is the main issue here. And that can also be easily handled by self signed certificates.
It's only those certificate vendors who try to generate more revenue for themselves which started all that nonsense identity hype. I'm sure we can do without that easily.
(about online petitions)
"It's the equivalent of signing a massive physical petition, as was done before the internet.".
Not by definition, not even close.
The problem lies in the details: how the petition is carried out. Not many people who open such petitions also have the technical know-how to prevent abuse. You know: signing the petition multiple times using all the e-mail aliases you have for example. And speaking of which: what about actually verifying the validity of an e-mail address?
I know: let's request people to register prior to signing. All it takes is one valid e-mail address. Here we go again.
Maybe one signature per IP address? But that would deprive your family of signing. Or worse: those who know how public VPNs work will once again have plenty of ways to sign multiple times.
Online petitions are far from the same as physical ones.
"So that should be secure for about a week until the local crims re-learn the art of old-style lock picking."
Depends. The times where you could easily create a copy using some clay are long behind us. And then there's the time spent in front of a door to actually get the copy: I'm pretty sure the hotel has cameras and such.
Then there's another problem: every serious hotel will also provide safety boxes in a room, usually providing plenty of space to keep your valuables in. So even if they do breach a door then there's still no guarantee that they'll stumble across something useful.
Let's quote a famous princess: "The more you tighten your grip, the more star systems will slip through your fingers".
Yes, that's a movie quote, but it's oh so true. I get the impression that Oracle knows jack shit about basic economics. The reason I think this way is because they're also sure as heck clueless with regards to appealing to people (even their own employees). How many geeks have run out already?
Basic economics: selling a $500 product three times is fun ($1500). selling a $400 product 4 times is more fun ($1600). And why couldn't it happen? Less costs often means a higher appeal.
Oracle economics: selling a $500 product three times is fun ($1500). So let's raise the price to $1500, because 1500*3=4500!!1 My prediction: ending up with 1500*0=0. In Oracle economics this is a huge victory and a great achievement. The fewer customers you get the better. Why? Well, fewer customers means fewer administrative tasks, which means less costs so that's obviously good. They make "more" money and reduce costs at the same time.
Please keep it up Oracle! Maybe you should consider charging money for your downloads too. So: someone wants to download Java SE? Good! That'll cost you $50,-. You want to look at the MySQL documentation? $75,-. Start using NetBeans? $175,- please. Run MySQL open source version? Sure thing, please cough up $325,- licensing costs with a $25 download fee.
And here's the best idea ever: you click 'yes' on the Oracle site thinking it's about cookies? Congratulations, you just agreed to pay $199,- for the new Oracle website viewing fee! Websites costs money too you know!
Feel free to use these ideas Oracle, I won't even claim intellectual property or anything. I'll simply take pleasure in seeing you guys trainwreck yourself :)
It's something I never really understood. I can see ease of use and how you might be able to quickly (time = money afterall) set up one set of rules and propagate them. But you're still left with a box which you don't fully control. Call me paranoid, but I still recall those stories about the NSA gaining access to hardware routers because of known exploits and such.
And it's not as if a software firewall can't do the same thing. In fact, I'd even argue that it'll be a lot more flexible also allowing you much more customization.
Personally I'd take an OpenBSD run firewall over "hardware" any day of the week.
Have to agree with you. Also because of a, in my opinion, contradiction in the whole story. First we get the story about the US weapons arsenal, followed by the Russian arsenal. Obviously hinting at yet another cold war. So far, understandable. To some degree.
Yet this is immediately followed by mention about China working on their nuclear arsenal, Pakistan (with the threat to Israel still in mind) and of course North Korea.
As much as I hate to say this but keeping your arsenal "on par" with the rest is one of the things which kept us safe during the last cold war. Within that reasoning I'd personally feel less safe if the US wouldn't acknowledge the facts and maintain their arsenal like this. Quite frankly I think the same goes for Russia. Personally I'd honestly sooner expect the US and Russia cooperating against the current threats (IS comes to mind) than starting a new arms race between themselves again.
Action = reaction.
The tank moves, the water reacts and the fish tries to counter it. Like fish need to when they have to deal with a stream or something. This is clearly shown in the beginning. And when it reaches the edge of the tank it simply decides to remain there to sit out the unusual (for the fish) water behavior.
It's a somewhat interesting development but not that impressive. I mean; you have a white surface, you stick a sensor above it and merely need to determine the location of the orange dot. By current technical standards that's not very difficult anymore.
What is a certificate? In the end it's nothing more but a public key which got signed by an allegedly trusted party, the Certificate Authority. But what is stopping a software vendor from being his own CA? OpenSSL has been with us for a long time now and I can tell from personal experience that it's perfectly capable of setting up code signing.
This is a snippet from openssl.cnf which I use for that:
[ policy_CodeSigning ]
countryName = match
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
I've been using my own CA for years now in both a hobby based environment but also a commercial one. Back in the days when this was still a thing we simply instructed our customers to install our CA certificate and then not to trust any of our code which wasn't signed by us.
I mean, what's so weird about this mindset? They trust our code to be run on their machines in the first place, so why wouldn't they trust us to sign our own code as a sign of approval for what we gave out?
As an extra bonus: if we were to screw up then it's obvious where the blame lies. We wrote it, we signed it so obviously we mucked up.
Why would you even bother paying up tons of cash for nothing else but a little convenience? The only advantage over using your own certificate is that your customers don't have to do anything in order for their system to accept your code. That is... If you're lucky and they kept their certificate store up to date.
People need a change in mindset in my opinion. Website "security" (read: encryption) has already been brought back to some sanity where there are plenty of free and cheap CA's which can provide you with a working certificate, now it's time for round two I think.
But seriously, some people need an attitude adjustment I think. Just because a "well known" party certifies a certificate (read: signs a public key) doesn't imply that it's also all perfectly safe.
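The set-up described in the post above, as an added example that is not the poster's own script or any vendor's tooling: a private code-signing CA driven by the openssl CLI, with the policy_CodeSigning section from the post wired into a minimal ca configuration. It assumes openssl 1.1.1 or 3.x is on PATH; the organisation name "Example BV", the ext_CA / ext_CodeSigning extension sections and the file layout are placeholders chosen here. It shows the three things the post argues for: the vendor issues its own signing certificate, a customer who trusts only that CA accepts the vendor's signature and rejects anybody else's, and the policy refuses a request whose countryName does not match the CA.

```shell
#!/bin/sh
# Added example (not from the post): be your own code-signing CA with openssl.
# Assumes openssl 1.1.1 or 3.x; "Example BV" and the section names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca <dir> <country> <common name>: a self-signed CA plus the
# database, serial and new_certs_dir that `openssl ca` expects.
make_ca() {
    cadir=$1; country=$2; cn=$3
    mkdir -p "$cadir/newcerts"
    : > "$cadir/index.txt"
    echo 1000 > "$cadir/serial"
    # $cadir is expanded by the shell; \$dir is left for openssl to expand.
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $cadir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_CodeSigning
x509_extensions = ext_CodeSigning
unique_subject  = no

# The policy from the post: C must equal the CA's C, ST/L/O/CN must be
# present in the request, OU and e-mail may be left out.
[ policy_CodeSigning ]
countryName            = match
stateOrProvinceName    = supplied
localityName           = supplied
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ ext_CA ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ ext_CodeSigning ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = codeSigning
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cadir/openssl.cnf" -extensions ext_CA \
        -subj "/C=$country/O=Example BV/CN=$cn" \
        -keyout "$cadir/ca.key" -out "$cadir/ca.crt" 2>/dev/null
}

# issue_cert <cadir> <subject> <outprefix>: CSR plus `openssl ca`. Returns
# non-zero when the request violates policy_CodeSigning.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" -subj "$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$3.csr" -out "$3.crt" 2>/dev/null
}

# sign_file <file> <cert> <key>: detached CMS signature in DER, with the
# signer certificate embedded, written next to the file as <file>.p7s.
sign_file() {
    openssl cms -sign -binary -in "$1" -signer "$2" -inkey "$3" \
        -outform DER -out "$1.p7s"
}

# verify_file <file> <ca cert>: succeeds only if the embedded signer chains to
# that CA and the file is unchanged. -purpose any is needed because cms -verify
# otherwise demands an S/MIME-capable signer, and ours only carries codeSigning.
verify_file() {
    openssl cms -verify -binary -inform DER -in "$1.p7s" -content "$1" \
        -CAfile "$2" -purpose any -out /dev/null 2>/dev/null
}

# Our CA, a release-signing certificate under it, and a constructed payload.
make_ca "$WORK/ours" NL "Example BV Code Signing CA"
issue_cert "$WORK/ours" "/C=NL/ST=Zeeland/L=Middelburg/O=Example BV/CN=Example BV Release Signing" "$WORK/release"
printf 'echo "hello from Example BV"\n' > "$WORK/tool.sh"
sign_file "$WORK/tool.sh" "$WORK/release.crt" "$WORK/release.key"
verify_file "$WORK/tool.sh" "$WORK/ours/ca.crt" && echo "OK: signed by a key our CA vouches for"

# A customer who installed only our CA certificate rejects code signed under anyone else's.
make_ca "$WORK/other" NL "Somebody Else CA"
verify_file "$WORK/tool.sh" "$WORK/other/ca.crt" || echo "rejected: not our CA"

# The policy refuses a request whose C differs from the CA's.
issue_cert "$WORK/ours" "/C=DE/ST=Berlin/L=Berlin/O=Example BV/CN=Rogue" "$WORK/rogue" || echo "refused: countryName must match"
```

The customer side is just `verify_file` with the vendor's ca.crt pinned as the only trust anchor; nothing in the public CA store is consulted, which is exactly the "trust nothing we didn't sign" arrangement the post describes.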
Not a silly question at all. The issue at hand: Hanzi (not to be confused with kanji). Speaking of kanji: the same applies to Japan by the way, not everyone can read those. And it's not because they're stupid or anything, but because the language is massive.
We have our alphabet with 26 letters in it. Hanzi, the Chinese characters, amount to tens of thousands. Where sometimes a small detail like a stroke can give a whole new meaning to a character.
And guess what? Those road signs will usually be using hanzi. There are plenty of people who can't read those, don't believe for a second that this guy is an exception or stupid or something.
Just because El Reg tries to make that connection doesn't mean it's also actually there. Until they reveal what he has been charged with you simply can't draw conclusions like that.
Or to make this more obvious: as El Reg mentioned he worked in the cybercrime unit between 2000 and 2006. He joined Kaspersky in 2012. Leaving a 6 year long gap in between and many (bad) things can happen in 6 years time.
"Thanks to SystemD I finally have shared filesystem clusters booting correctly the first time without a ton of hackery. (dovecot depends OCFS2, OCFS2 depends on iSCSI, iSCSI depends on networking) "
You almost make it sound as if this wasn't possible without systemd. I guess it's a miracle then that the process of setting something like this up on FreeBSD has always been relatively easy. And FreeBSD knows nothing of systemd.
Instead of thanking systemd I can't help but wonder if you shouldn't have been scorning some package maintainers for creating a dependency hell instead. Also: merely removing said dependency hell did not remove nor change the underlying mindset. Within that reasoning I think it's safe to conclude that systemd didn't fix anything, it only postponed the inevitable.
Sure, the lack of security in those devices is indeed the culprit causing it all but in my opinion the actual underlying issue is money. Plain old cashing in, grabbing the cash without having to do too much in return.
Or to put this simply: companies don't care. At all. And to make this even worse our (European) governments are far too busy debating the risks of cookies and how those might track customers (which, in all honesty, does have a sense of truth in it of course!) but who will then also totally ignore any requirements of ensuring (or trying to ensure) Internet safety.
Now... Of course this is a very hot topic. I mean, I could easily argue that it might be a good idea to set up a European firewall which can be used to shield us from obvious hacked (Chinese & Russian) machines (the ones every sysadmin knows about when they go through their auth or mail logs), but we all know that's a very bad idea because it can (and will) eventually be used for other censoring purposes.
But why don't we have anything like this yet on a smaller scale? When I provide plenty of logs and evidence that a machine somewhere in Holland (where I happen to live) has been compromised and is actually causing problems on the Internet then it remains to be seen if the hosting company will actually take action. Some of those which value their reputation a bit will, but most who value their income more tend to ignore it.
And the worst part of this is that our political leaders have basically done nothing whatsoever to try and put a stop to all that. If I take such a story to the police here then I'll have a very hard time explaining what exactly is going on and I'm 100% sure that the outcome will only consist of me losing a few hours of my time (assuming they'll actually listen to me for that long).
Yet on the other hand the government here is all too eager to utilize the Internet for their own gain. Government information? Websites. Tax applications? Digital. Heck, there has even been mention of trying to remove snail-mail from our tax department entirely and move it all to the digital age. Although this may sound wonderful to some of us it also overlooks the main issue here: our government gladly accepts the benefits of the digital age (setting up information on a CMS is far cheaper than having to print & post it to individuals) but cannot be bothered to take up their responsibility.
Oh, sorry mr./mrs. politician, my deepest apologies. Of course you did act on your responsibilities. If you hadn't then we didn't have to click yes on nearly every frickin' website around because of something as trivial as a cookie. Yet when it comes to ignoring signs of a compromised machine which could be used for god knows what then it's all different and no penalties or regulation exists. At all.
So yeah, picture me very surprised how this Internet of broken Things mess has come about. Because.. what negative effects will this have for the manufacturers anyway? None!
"Continuous delivery is certainly what the cool kids are doing with software these days, so it's hard to fault Oracle on that front. And upgrades to major OS releases can be painful for ISVs and users alike. Removing the need to cope with big releases isn't terrible news."
You're right, it's not terrible news, it's horrendous. I'd like to know who those cool kids are, I assume Microsoft's Windows 10 is being addressed here?
The problem with this release model is that it makes things more dangerous and less controllable. It may work on a consumer level but most certainly not in the enterprise.
Example: FreeBSD's support cycle. As you can see there are 2 versions being maintained at the time of writing: 10.3 until April 30, 2018 and version 11 until 2021. Here's the thing: everyone knows where they stand here. When / if 10.4 comes out then you'll know that it won't contain major changes, new features to cope with, etc, etc. You'll know that it's still 10.x yet with several bug fixes. So upgrading is a relatively easily calculated risk.
This model also gives you plenty of time to prepare for an upgrade to 11, which will eventually be required. But as you can see here we have a whole year to plan for it. Actually a little more because 11 was released last year, and the end of support for 10.x has also been known for a while now.
But this new "hip(pie?) model" changes that. Now it can very well be possible that a minor release ships both a desperately required bugfix yet also comes with a totally undesired new or changed feature. That's simply not something which is always doable, depending on the environment of course.
What if the vendor decides to remove a specific functionality which is actually an extremely important detail within your environment? And don't say that it wouldn't happen, because those "cool kids" you spoke of have shown otherwise multiple times already.
For me this is far from providing better service to the customers, this is more or less shoving all required updates onto one huge pile and letting the customers sort out the mess. Less work, so lesser costs, for the provider and all the more burden for the customers / consumers.
"The study, of more than 2,000 US residents, presented participants with two claims about global warming. Researchers found that when presented consecutively, the influence well-established facts had on people were cancelled out by bogus claims made by campaigners."
And what "facts" would that be, considering that global warming is one of the hottest topics for debate around the world right now?
My problem with this study is that it fully avoids the main issue: not relying fully on a single source of information, but instead also being able to challenge and question it. Even if the news you hear is something you might like or can agree with. Always be a little skeptical about the things you see and hear around you.
But it seems that this study fully seems to focus on people who "need" to be able to follow (and trust) one single news source. Call me skeptical if you will, but all that will achieve is making it easier to apply censorship. If people stop being skeptical and blindly believe what they hear "because the news source is trustworthy" then it will only be a matter of time before someone feeds them with different news through that same "trusted" news source.
The kind of news which doesn't have to be totally untrue, but which might suit their purposes just a little bit better.
Everyone who has been following the news around Solaris knows in what dire situation whOracle has maneuvered it. On a personal level I think it's an outrage to see how disrespectful Solaris is being managed here, a true Unix environment which has such a rich history behind it...
But enough semantics. I don't get it why HPE would even try to get into this hornets nest in the first place? I can understand that they smell revenue (support costs for Solaris became ridiculous after Sun was taken over) but surely there are much more profitable and reliable ways here?
For example by persuading companies to move away from Solaris. There are viable alternatives, even if you take ZFS and Zones and everything else into consideration. First I'm looking at a personal favorite of mine called FreeBSD, but the other BSDs should provide decent candidates as well. And what about HP's own Unix brand HP-UX?
But with the way Oracle has been manifesting itself as of late what else would you have expected to happen here?
"Real Americans are embarrassed this orange bag of trash made the cut for being a leader of anything other than a used car lot."
The funny thing though is that this same thing happened when Reagan had just been elected. People were certain that it would turn into a disaster because wasn't he merely an actor? That should get ugly really soon, because the guy had zero political experience.
And now most people around the world can agree that Reagan was one of the best presidents the US has had.
I'm not claiming that this is going to happen here as well, mind you. All I'm saying is that seeing is believing. The guy might just surprise you, if you give him a fair chance of course.
I'm actually an Opera user and I really enjoy the browser as-is. I think you guys got it all wrong though, this is just their attempt to appeal to the Win10 users :D
It's even worse than that:
"Screencaps can now be focused on a smaller area, so you don't need to grab the whole page for notes."
This is a non-feature, instead it's something which already exists within OneNote. I'm still using Office 2010 and guess what: OneNote allows me to do Win-S, a cross hair appears, and I can select exactly the area of the screen which I want to capture. It even allows me to use OCR on this picture (though.. it's not the best).
So how can this be a new feature in Win10/Office365 while Win7/Office2010 could already do this?
Of course I don't condone this and those asshats should be taken care of by law enforcement.
But on the other hand I also couldn't help grin a little bit: "Here's hoping those Enterprise bosses didn't outsource their IT departments". Because that is in my opinion the other side of the medal.
It is definitely no excuse, but yeah...
Regarding Ms. Palin all I can say is: "The enemy of my enemy is my friend". Now that Wikileaks targets people they don't like they're suddenly oh so sorry and fully supportive. Until that time when they show another blatant disregard of the rules and get called out for it again.
Some time ago in Holland a global company ("Unilever") wanted to get rid of a specific brand of butter ("Zeeuws Meisje") and so they decided to stop all marketing activities. They were convinced that this would be enough to slowly kill off the brand after which they could take it out of the market.
Result? After 6 months it turned out that the sales figures had gone up, not down.
"While it's perfectly understandable to sympathize with the Modisette family, it's hard to guess how this case will stand up in court."
The only thing I sympathize with is the loss of a child because some idiot didn't keep his attention where it belonged: on the road.
But unfortunately I can't sympathize with this family when it comes to their lawsuit because I consider it to be plain ridiculous. What's next? Sue a beer brand when a person has been drinking too much? If they had targeted their anger at the moron behind the wheel, the one who killed their daughter, then they would definitely have my sympathy, but not with this. This doesn't sound like a call for justice to me.
how long can they keep their head turned?
Until that time when they realize the effects it's having on their wallet (income).
If they do start using NFC then I'll bet it's only a matter of time before we get to read "reliable" study results which tell us things like: "Women with a breast implant buy a lot more lingerie than women without".
No, that's not big brother, that's your honest marketing research. Honest! ;)
It's always an issue with charity, some people really try hard to help out others in need while there are also those who try to make a (luxurious) living out of it (the well known directors and managers of charity organizations which get a fat monthly paycheck for all their "hard" work, while the volunteers are the ones who go through weather and rain to actually get things done).
I think a better example would be Bill Gates. He's known for his high donations to charity. However, most of those donations end up in a foundation run by none other than Bill Gates and his wife themselves. Now, that organization does a very fair share of helping out. But their expenses don't always match up to the large sums of money which are going in.
But no matter how you twist or turn it: bottom line is that there are a lot of people profiting from charity, and I'm not referring to those who actually need it.
What has happened here is that someone accidentally discovered the NSA backdoor. That's right: this was an intended feature to be used by the NSA, probably thought of by some government drone.
Surely you can't blame them for overlooking the possibility that others might attempt to use it as well? ;)
I know Java has lost some serious love and gained a severe reputation dent due to the recent actions of (wh)Oracle (no, that's meant as: who? rcale :P) (yeah, sure!) :) Even so... I can't help still seriously liking the language for all its potential and provided options. Although I obviously am happy that all my (FreeBSD) servers fully utilize OpenJDK which doesn't suffer from the recent licence crapola.
But yah.. I can't help wondering: do we really need yet another Java container? I know they focus themselves on microservices, but I also think the gap between 'normal' and 'micro' (or embedded) has become a lot more vague than it was in the old days.
And having said that I also can't help wondering if it wouldn't have been a better move to put some extra weight onto already existing projects. In this case specifically Apache Tomcat (Java EE servlet container) and Apache TomEE (Java EE EJB container). The market is already pretty fractured and thanks to the Oracle overlords extremely fragile.
Just my 2 cents of course.
"This isn't a feature release: it's a time-sensitive security release which will disclose a security vulnerability upon publication."
Minor security release. It's not a remote exploit of some sort, but an information disclosure issue.
But even so: the same story applies. Do note that the complainers didn't do so because of the timespan (I can respect that people want to get the fix ASAP) but merely because it just so happened to be on a Holiday.
SSH is your friend here IMO.
"System administrators were stunned by the suggestion that a patch for the vulnerability would be released on December 25 when pretty much everyone working in IT will have the day off."
Do these people even realize what kind of software they're using? Open source, almost per definition, is a community effort and has never really bothered itself too much with commercial interests. Heck, I can even take this further: the Holiday season, or basically any day off is per definition a period where a lot of heroic geeks get a lot of work done on their beloved projects. Have we already sunk so deep that we totally forgot and ignore the very basics of open source and how it all started?
Boohoo, an MTA project which you can pick up for free and which also gets updated from time to time (also fully free of charge!) decides to release during a vacation. How inconsiderate! If only we had a way to log onto our servers from a distance and perform the update from there. Oh wait, we have. It's called SSH!
I think some people should think twice before complaining about things like these and stop to think how much they're actually contributing to these projects themselves for doing what they do. If you want a cozy release date which never conflicts with your precious vacation then please consider using a commercial product such as Microsoft Exchange. It'll cost you some, but at least you'll have solid guarantees that whenever you're celebrating Christmas so are the programmers. So no fear of any updates getting released at inconvenient times.
Sorry for the rant, but I think some people should seriously stop taking everything within open source projects for granted.
"Facebook has until Jan 31 to respond. The commission could impose a fine of 1 per cent of Facebook's turnover if its concerns are confirmed. Last year, Facebook earnings amounted to $17.9bn (£14.5bn)."
And here we go again: money talks. So how is handing out a fine to Facebook going to fix things for those consumers who might have been affected by this? The way I see it all this does is to help pay for the way too high paychecks these sleeping politicians get. And the people who it actually concerns... Well, they were simply out of luck.
"Why such disinterest? According to Rouffineau, almost two thirds of respondents felt that keeping software updated – their security – was not their responsibility."
Well, duh. This is not something exclusive to consumers by the way. Have you ever tried to track down spam or break-in attempts on your servers? I have. And I have warned many ISPs and data centers alike that something was "totally not right". With all the required logs to show them exactly what was going on.
The result? Well, nothing of course. At that time (I was still young) I couldn't understand and also eventually gave up my tracking efforts. At later times I finally started to realize the obvious: although it might have been an affected machine, it was still a paying customer. Dun, dun duuun.
How many times have we read already that some things stopped working after a Windows update? Now, Windows is something people can usually fix themselves, but what do you do when your cool "Internet gizmo" stops responding?
Or what to think about games which get updates which change the entire nature of the game?
I think that those reasons should be taken into consideration as well.
You don't back up to the cloud or use online backup software. Instead get yourself something which can be used offline. Also get yourself a cheap NAS, or even an external USB disk will do, then you can plug it in and back up your stuff to it. Just leave your computer running for the night and you should be fine.
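One way to script the offline backup the post above describes, as an added example and not the commenter's own setup. It assumes (hypothetically) that the external disk is mounted at a directory such as /mnt/usb and carries an empty marker file named .backup-target that you create once on the disk itself; the script refuses to run without it, because an unmounted mount point is just an empty directory on the system disk, and a "backup" written there dies together with the original.

```sh
#!/bin/sh
# Added example: offline backup of a directory to a removable disk.
# Assumptions (not from the post): the disk is mounted at DEST_ROOT and
# carries an empty marker file .backup-target created once on the disk.
set -eu

# make_backup SRC_DIR DEST_ROOT
# Creates DEST_ROOT/backup-<UTC timestamp>.tar from SRC_DIR, checks that the
# archive can be read back, and prints its path. Returns 1 when the marker
# is missing, i.e. the disk is not actually mounted there.
make_backup() {
    src=$1
    root=$2
    if [ ! -f "$root/.backup-target" ]; then
        echo "no .backup-target marker in $root: disk not mounted?" >&2
        return 1
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$root/backup-$stamp.tar"
    # Archive relative to the parent directory so the tar holds no absolute
    # paths and can be restored anywhere.
    tar -C "$(dirname "$src")" -cf "$archive" "$(basename "$src")"
    # A backup nobody has tried to read is not a backup yet: list it back.
    tar -tf "$archive" >/dev/null
    echo "$archive"
}

# count_entries ARCHIVE -> number of entries recorded in the archive,
# handy for a quick sanity check against what you expected to save.
count_entries() {
    tar -tf "$1" | wc -l | tr -d ' '
}

# Nightly use (plug the disk in first, leave the machine on):
#   make_backup "$HOME/Documents" /mnt/usb
```

The marker-file check is deliberately dumb: `mountpoint` is Linux-only and not installed everywhere, while a file that only exists on the removable disk works on any POSIX system and also catches the case where a different, empty disk was plugged in by mistake.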
Biting the hand that feeds IT © 1998–2017