* Posts by Outer mongolian custard monster from outer space (honest)

95 posts • joined 15 Mar 2017


Oh Snapd! Gimme-root-now security bug lets miscreants sock it to your Ubuntu boxes

Outer mongolian custard monster from outer space (honest)

Re: snapd and systemd

This is Linux, and it's open source. Learn how to compile it from source.

https://wiki.videolan.org/UnixCompile/

Props if you then do more learning and make a package, even maybe submit it upstream or take over being the vlc maintainer, I'm sure the repo people would be thrilled to accept the later version as you won't be the only person in that same boat. All those packages on your device were already put together by people doing this very process...

You got a smart speaker but you're worried about privacy. First off, why'd you buy one? Secondly, check out Project Alias

Outer mongolian custard monster from outer space (honest)

Re: you could simply not put the creepy things in your home

"homeassistant"

Outer mongolian custard monster from outer space (honest)

Re: you could simply not put the creepy things in your home

"cmu pocketsphinx" <-- duckduckgo this...

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit

Outer mongolian custard monster from outer space (honest)

Re: Security access method found in much-installed Linux Backdoor

FTFYT

Oh, I wish it could be Black Friday every day-aayyy, when the wallets start jingling but it's still a week till we're paiii-iid

Outer mongolian custard monster from outer space (honest)

Re: Amusing trademarks work both ways.

*cough*

https://www.collinsdictionary.com/dictionary/spanish-english/pajero

Outer mongolian custard monster from outer space (honest)

Re: Meanwhile in western France...

To be fair, the ongoing gilets jaunes protest has meant most supermarkets have been deserted this week even in mid week. Especially when you get outside of Paris, it has been common to see a roundabout with gilets jaunes slowing traffic, although also as given outside of Paris most people seem to support this, it's all very polite and controlled and just viewed as a minor thing that was brewing over years of the particular cause repeating itself (Edouard Philippe completely ignoring vast swathes of the country outside of Paris who were most affected, who didn't want either this or the 80km limit etc).

What I'm *really* shocked at is to get this far down the comments and unless I'm blind, not seeing *anything* by ledswinger, phil o'sophical and all the other brexit trolls who usually inhabit these sections. Their handlers must be cutting back on the wage bills by only having them work in single time periods :-)

Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound

Outer mongolian custard monster from outer space (honest)

Re: Yeah

"Quite, and the researchers saying 'this should all be doable locally as people don't really want to be spied on' is like saying 'Lions don't really want to hurt people' - but they have to eat, right?"

Sure, but put away your paranoia for an instant and remember this is CMU saying this, as in the people that developed CMU Sphinx, and pocket sphinx. Which today is about the best bet for a local only speech recognition system as you're able to compile/build at home. For that they should be at least given a small amount of the benefit of the doubt that they were being sincere.

I should know, I've been making my own smart speaker that is local network only to control some local network only home automation devices and currently I have pocketsphinx running on a beaglebone black but have some tuning issues to overcome...

Of course Amazon et al will pish all over their good principles and aims, but there's still a small chance to carve out a niche for privacy respecting alternatives because of these guys/gals work.

C'mon, if you say your device is 'unhackable', you're just asking for it: Bitfi retracts edgy claim

Outer mongolian custard monster from outer space (honest)

It's associated with John McAfee, that should tell you all you need to know about its credentials.

My respect for John stems from the fact that he's so obviously hatstand and out there that nobody serious can take him seriously, yet, somehow, he still manages to find idiots who do.

Been following along with this on twitter, it's been break time amusement for weeks.

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Outer mongolian custard monster from outer space (honest)

it really scans just the local loopback address?

Chocolate fireguard level then, cue malware authors just moving their tools to binding only to active ethernet addresses instead of everything in a really short timeframe.

Who fancies a six-core, 128GB RAM, 8TB NVMe … laptop?

Outer mongolian custard monster from outer space (honest)

I'd buy one, on two caveats, first that those synaptics buttons are hardware buttons, not emulated in the driver software. I still buy ThinkPads for that reason.

Secondly, I want you to buy one and throw it about first and see if it's rugged enough for mobile usage. My one and only foray into big shiny luggable laptops was an Asus, and 4 flights in it lost a third of its screen and the local Asus dealer wouldn't honour its guarantee after I told him it happened on a flight in hold luggage (stupid attack of honesty), the way another repair guy explained it to me was they'd made the screen wider by adding an extra panel to the right on the standard one and joined it with fine wires. I still have it, it still only shows 2/3 of the screen but it's relegated to doing vehicle stuff now, and we fit all the display mode on the working bit :-)

Sod it, I'll just buy another stinkpad for now. I can always fend off muggers with a blow from that in an emergency.

EU summons a CYBER FORCE into existence

Outer mongolian custard monster from outer space (honest)

Re: And everybody this "Force" is set up to catch ...

It's ok, there's plenty in the market to go round for everyone, not sure how you can quantify how many good candidates you have lost though to be so sure of yourself :-)

Anyway, off to play with ripstech wp exploit. Looks fun :-)

Outer mongolian custard monster from outer space (honest)

Re: And everybody this "Force" is set up to catch ...

Fraid not Jake, not any longer. A few years back and I was with you 100%. Now we're forced to use the term because it's become widespread and nobody outside our little niche gets how cheesy it all is. A little bit of me dies inside each time I have to write "cyber security consultant" on something, because I started to get solicited for doorman roles for posh clubs when I used "Security Consultant" in the descriptive fields. I was considering writing (in)offensive security specialist, but not sure too many people would get the wry joke.

It's a bit like mr mimikatz (Benjamin Delpy) saying the problem in security is "security professionals" and how crap they all are on twitter, yeah there are some dead wood box tickers, but equally just because someone works in the field it isn't a given they're going to be that way.

Don't get me started on the pale male and stale meme crowd.

Generalizations are bad m'kay?

Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

Outer mongolian custard monster from outer space (honest)

Re: Ha Jokes on Them

Don't you have to have leather trousers with no bum in them to have a wallet on a chain?

Personally I put my wallet and phone in the big inside pocket inside the jacket, then by the time you've fallen off and burst the main zip and slid far enough further to drag it inside out and abrade the liner away, dropping your phone is the least of your worries. Also stops it getting too wet. Soggy money is no fun.

Outer mongolian custard monster from outer space (honest)

Define properly secured at the perimeter. And bear in mind I was reading a paper today about how to bypass the akamai waf during an exploitation (I'm an offensive security bod before the mob tries to lynch me). The point being, that info is freely available on the net if you know where to research and both sides of the game have it. If you've evaded the waf, your attack will look like normal web traffic anyway if you get it to dump out via the same web server as a response unless you set off a sensor getting it to throw a reverse shell via a port or similar.

Devuan ships second stable cut of its systemd-free Linux

Outer mongolian custard monster from outer space (honest)

Re: systemd-free?

Philip, yes if it leads to Debian doing what they refused to do at the time of systemD's adoption and take onboard the possibility to completely remove it for those who choose not to use it. Diversity in the ecosystem, choice, it's all good.

Also

s/allowed/currently\ allowed\ as\ a\ short\ term\ workaround/

It's a tiny but important linguistic difference.

Outer mongolian custard monster from outer space (honest)

Re: systemd-free?

I don't think "relaxed" is the correct term Ian, in fact taken overall it's somewhat disintegrous to state that to support the argument that one is equivalent to the other. In the reality of here and now, it's a small dep and not used so in the interests of expediency it's there as a known issue.

The difference then becomes (I believe) that Devuan is committed long term to eliminating this and is already working through the list of packages. I don't believe base Debian has the same commitment?

I have nothing against Debian apart from its decision to go to systemD, I've been dabbling with it since I got given an install CD at a show where I bought my first CD-ROM drive by Debian volunteers when running Slackware, but I currently have 5 installs of Devuan churning away since the project first released and 0 of Debian.

In defence of online ads: The 'net ain't free and you ain't paying

Outer mongolian custard monster from outer space (honest)

Re: Ads are OK. Data gathering behind my back is not.

Speak for yourself Jim, I've hosted content for free on my own servers since the late 90's, and not one single advert has ever appeared on any of the domains I'm responsible for, nor has anyone else ever paid a penny towards their upkeep.

I did it because I was interested in the subject and it was my way of paying a little back. That's the actual spirit of the earlier internet, not trying to monetize everything with ads or spam youtube with stupid clickbait crap videos just to get subscribers enough to get into earning enough to not have to actually work for a living alongside your passions.

Adverts, meh, if they *have* to be on a site, they better be obvious they're adverts, and they better not be targeted or mr ghostery and captain adblock amongst others will be deployed. Of the very few that are honest and show relevant adverts I do even lift my adblocking solution.

UK military may recruit wheezy, alcoholic keyboard warriors

Outer mongolian custard monster from outer space (honest)

Re: "At last! A valid use of a 'hacker in a hoodie' stereotype stock image"

Dan, easy, have a synergy km setup and a second keyboard on a kvm for early boot recovery, couple of different hardware/OSes, one for browsing dodgy places during research, one set up as a compiler etc, keep them viewable so you can keep one eye on a long process while doing something else elsewhere. Throw in a 2nd kvm which goes out to my server room via a dedicated cable + kvm extender, and bingo, you have 6 screens and 3 keyboards. Though mostly two of them sit down the side of the desk out the damn way unless something goes wrong.

In my defence, I had to pay for all 6 of my 19" monitors, so that means I made the bracketry myself and cleared out the secondhand shop a few times. Short arms and deep pockets me...

Loose .zips sink chips: How poisoned archives can hack your computer

Outer mongolian custard monster from outer space (honest)

And holy crap el reg? 5 captcha's just to post a comment with actual facts in it? Do you even want people to post here still?

Outer mongolian custard monster from outer space (honest)

*Sigh*, I tested this as soon as THN broke it on twitter, it's just for libraries.

Untarring and unzipping as root is dumb (I did it on a throwaway vm so you don't have to...) but Linux command-line zip and tar are both patched in the shell anyway, since the 1990s for tar and somewhere around 2006 for zip. I didn't even bother testing the other variants. It really is the old 2006 path recursive attack that some libraries were never fixed for still in use, except it has a logo, and people running round twitter trying to make a "name" for themselves in the security community to get hired.

root@testbox:/home/testuser/zip-slip-vulnerability/archives# tar -xvf zip-slip.tar
good.txt
tar: Removing leading `../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt: Member name contains '..'
tar: Exiting with failure status due to previous errors
root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -la *evil*
ls: cannot access '*evil*': No such file or directory
root@testbox:/home/testuser/zip-slip-vulnerability/archives#
root@testbox:/home/testuser/zip-slip-vulnerability/archives# unzip zip-slip.zip
Archive: zip-slip.zip
extracting: good.txt
warning: skipped "../" path component(s) in ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
extracting: tmp/evil.txt
root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -lR tmp
tmp:
total 4
-rw-r--r-- 1 root root 20 Apr 15 22:04 evil.txt
root@testbox:/home/testuser/zip-slip-vulnerability/archives#
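The check that the patched tar and unzip above apply, and that the vulnerable archive libraries skip, written out as an added Python example (not the poster's code): it flags any member name that would resolve outside the extraction directory and extracts only the rest. The archive, its benign entry and its traversal member name are constructed inline.

```python
"""Zip Slip detection before extraction (added example, not from the post)."""
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Construct an in-memory archive with one benign and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", "harmless\n")
        # Constructed traversal name: a naive extractor joins this onto its
        # target directory and ends up writing into /tmp instead.
        zf.writestr("../../../../tmp/evil.txt", "written outside the target dir\n")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves to a path inside dest_dir.

    realpath() collapses '..' components and follows any symlink already
    present under dest_dir, so escapes by either route are rejected.
    """
    if os.path.isabs(member_name):
        # os.path.join would discard dest_dir entirely for an absolute name.
        return False
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def audit_archive(zip_bytes: bytes, dest_dir: str) -> list:
    """Classify every member name without writing anything to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, is_safe_member(dest_dir, info.filename))
                for info in zf.infolist()]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple:
    """Extract only members that stay inside dest_dir; report the rest.

    Member data is read via zf.open() and written by this function, so the
    decision rests on is_safe_member(), not on whatever the library does.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            out_path = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> dict:
    """Audit and safely extract the sample archive in a throwaway directory."""
    sample = build_sample_zip()
    with tempfile.TemporaryDirectory() as d:
        audit = audit_archive(sample, d)
        extracted, rejected = safe_extract(sample, d)
        on_disk = sorted(os.listdir(d))
    return {"audit": audit, "extracted": extracted,
            "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    result = run_demo()
    for name, ok in result["audit"]:
        print(("ok      " if ok else "REJECT  ") + name)
    print("extracted:", result["extracted"], "rejected:", result["rejected"])
```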

Advanced VPNFilter malware menacing routers worldwide

Outer mongolian custard monster from outer space (honest)

Update time el reg?

https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

Seriously, Cisco? Another hard-coded password? Sheesh

Outer mongolian custard monster from outer space (honest)

CVE-2018-0222 "because in this day and age, no serious enterprise class vendor still hard codes credentials and embeds secret hidden accounts in firmware" - as said by some clueless middle manager commentard, whilst belittling my experience for even suggesting it still happens.

Time to ditch the front door key? Nest's new wireless smart lock is surprisingly convenient

Outer mongolian custard monster from outer space (honest)

Chris, you know your MAC address is a software config right? You want to base your home security and not letting in strangers on the basis that they also don't know this fact?

Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed

Outer mongolian custard monster from outer space (honest)

I use the 6600 as a vm host using vmware/virtual box and use a completely different machine for browsing with a kvm for when doing research, as er, it can end up in some less salubrious places quite often so that's even more critical to stay on top of & I'll have to uplift that because it's running an Ivy Bridge 2127U but that's not a big loss, any cheap box will do for that, it's just a glorified web browser + vpn client host. I'm still a bit annoyed that the 6600 needs isolating and its instances not allowed to route out as a fix though as to upgrade to something more modern but capable takes what I consider a not insignificant* sum of money.

But, yeah, hands up, I'm being super grouchy, I have to make some investment in new kit because of someone else's mess. I know the nuances and I'm just going to have to suck it up and pass this cost onto my clients. But when it comes to SMEs, you try telling 9/10ths of the world they need to landfill their devices because there's an unpatched flaw in the cpu they use on the machine and they absolutely must be able to use facebook and twitter while at their desk. And are all the affected machines going to go to landfill or end up in corporate disposal for the next decade?

I personally think intel should have eaten the extra dev + test costs as a goodwill gesture and supported the mess they made, rather than apparently trying to turn it into a profit op to drive new cpu purchases to replace the ones they already sold you. Even if they prioritized the newer arches first it would have kept more options open longer term. At the end of the day, they made this mess with their product, washing their hands isn't going to take all of the compromised product out of the second user ecosystem for years.

*i.e. it's mine and I've got short arms and deep pockets

Outer mongolian custard monster from outer space (honest)

I'm hoping they were asking how many vulnerabilities do I develop per day. Sorry, I don't have a metric for that you can put in a spreadsheet to decide how to crank the hamster wheel HR want to put all our staff* on.

Latest shiny is for all those cool kids who game on their PCs isn't it? For computational loads it copes rather well.

If you meant how out of date is it? I'm assuming from the idiocy you are a PHB, but the packages were updated last night by cron if that helps.

There's security – then there's barbed wire-laced pains in the arse

Outer mongolian custard monster from outer space (honest)

Shhh Sonia, stop making sense. The management lynch mobs will be along for you shortly :-)

Europe dumps 300,000 UK-owned .EU domains into the Brexit bin

Outer mongolian custard monster from outer space (honest)

Re: Plenty of venom still

MonkeyCee, upvoted also. Summarises the situation precisely for me also.

I come on here, comment on security stuff because that's my speciality, yet when the words "brexit" or it seems an article by Kieran arrives, there's this big flood of new usernames and anon posters. And the usual names who only ever comment on brexit stuff (Phil O, Leadswinger etc).

I should just not bother reading anything brexit related on el reg, which I've decided to do hereon (though I'm going to hit submit for one last time). Easier to just move on I guess, and that's my entire attitude to brexit now, when they accept my citizenship application that puts me beyond expecting some politicians to do the right thing I'll be able to do that.

Cambridge Analytica seeks data protection assistant

Outer mongolian custard monster from outer space (honest)

I showed this to my wife, and she said immediately "oh there you go, you like a challenge, you should apply". That's why I love her, she's such a subtle troll at times :-)

One does presume it comes with an entire fireproof bodysuit and a liking for being pursued by angry mobs however. Perhaps they should rejig the title, "wanted, snowball juggler for important mission navigating hell".

Fake news is fake data, 'which makes it our problem', info-slurpers told

Outer mongolian custard monster from outer space (honest)

So, I interviewed for a role answering to the C-suite at a data processing company recently who held masses of third parties' customer confidential data in a cloud env to process it, and the overwhelming thing I came away with about the entire company from the various interviews is that they don't give a rats ass about the data itself or if they have a corporate trustworthy stance, and their entire focus is all about protecting their ip algo from walking out the doors because they trust none of their minimum wage coders and data scientists. No I didn't take the role.

So to distil the recommendations down to plain speak, be trustworthy = write nice words on the website and pretend to care so that people will keep giving them not fake data because it ruins their business model. Not unlike Facebook are currently desperately trying to do.

Me? I have a fb account. Perhaps more than one. Happily peeing in the well to poison their data sets while at the same time maintaining placeholder accounts to stop someone else spaffing things on my behalf.

Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Outer mongolian custard monster from outer space (honest)

Re: In 2018?

But Jack, in 2018 it's preposterous to imagine a professional vendor doing this* and you must be an idiot to suggest otherwise.

*Source some middle managers pretending to be technical on El Reg's forums.

UK.gov cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

Outer mongolian custard monster from outer space (honest)

Re: No password reset

No, that implies that THAT device has a unique password.

So if you push the "oh poo make everything default button", it should revert its firmware to that unique password stored somewhere as a backup.

Perhaps we could then retain access to that backup with something high tech, like having it printed on the case somewhere out of sight requiring physical access and interaction to view should we lose it?

Also strikes me that install of the backup recovery firmware defaulting to a generic could be acceptable as long as that's not the out of the box firmware applied.

The bit I do not agree with is that all devices should update automatically as a mandatory thing. No, I don't want to give manufacturers carte blanche to push new unwanted features at me and delete functionality they decide was a bit too generous in future. I'm ok if it's a feature I can disable deliberately knowing this however.

CryptoLurker hacker crew skulk about like cyberspies, earn $$$

Outer mongolian custard monster from outer space (honest)

Re: "If the user tries to stop the process, the computer system reboots."

Please don't wish that onto Linux Pascal. We need windows as a buffer zone against average idiocy.

Some might say that process of improving the user experience at the expense of unixification has already started of late...

10 PRINT "ZX81 at 37" 20 GOTO 10

Outer mongolian custard monster from outer space (honest)

Re: I still use mine

"I still use mine. It's in the loft, controlling my central heating. Needs to be started up again whenever there's a power outage but other than that, it's been fine for over thirty years (so far)."

You sir win the internets. And to think I still feel guilty when I go to my old house and see the underfloor heating controller running on a pentium 90 powered toshiba laptop with a broken screen, running some years out of date version of redhat linux (hedwig I think was the last time it got upgraded, relax it's now totally airgapped for some years now, although at one point it was the NAT and fax gateway for the house via a modem at the same time :p ). When I power it up and hear that brick being dragged round on a slate roof from the tiny hard disk and marvel that apache still manages to come up clean and present a working gui, until that bit works parts of my nether anatomy tighten slightly while I worry if I can rebuild it and redeploy all the source to something newer assuming I can find something with the right hardware ports to interface to my homemade controller while wondering if it's finally time I swapped it for an Atmel based pic system I made a few years back as contingency.

I bet you have a couple of spare ZX81s stashed as DR too...

Outer mongolian custard monster from outer space (honest)

I had one, well a couple after accidents with shorts and electrical issues, 1k at first, then the infamous sinclair ram pack. Cured wobbly ram pack crashes by gluing zx81 and rampack solidly to a formica board, end of crashes.

Also decided to get a bit experimental, built my own full size keyboard from a recycled industrial keyboard from the "Computer Junk Shop" in wallasey (magic emporium) which at the time was jammed full of weird stuff and PETS and decommissioned mini's amongst other wonders and learnt about keyboard matrices etc. Also added an extra chip piggybacked on the char rom, and this meant that the ascii charset got shunted into ram and could be edited for customisable graphics!

Also remember the wonderful "Buzz" organ, which drew bands onto a CRT tv causing it to hum loudly with the abuse. Different keys produced different band frequencies, which caused different tones of hum, voila an organ on a machine with no sound hardware.

For tapes we found a certain brand of small tape deck was perfectly matched, and I still have one today (it was a sharp, I'd have to go dig it out as my zx81 today is a display cabinet thing rather than in actual use, and it's original, not sprouting hook-up wire out of every melted in hole in its casing like my real one was).

Did the writing stuff in z80, then encoding it into hex, then ascii, and storing it as a load of REM statements and jmp into it to run like another poster above. Tedious but fun to learn and do. It was just what you did back in those days wasn't it? I think it was fantastic and I really pity a youngster of today trying to understand the innards of an x64 apu based black box system to the same level we were able to read and understand that simple little 8 bitter. I showed my son zx81 basic and helped him write the classic hello world goto 10 3 liner in it on the actual computer and he got it straight away, so still some value in simplicity.

Also have the cushions in my gamesroom with mazogs on them, ascii graphics being perfectly suited to replication in patchwork designs, also in tiling, although the floor has a giant space invader tiled in, as my wife said mazogs would be a bit too obscure if we ever sold the house :D

Nostalgia, still, glad time and performance has moved on, and the original keyboard is still bloody awful even today.

Apple 'wellness' unit launched for staff: The genius will see you now

Outer mongolian custard monster from outer space (honest)

Actually rather astute move, I know it's traditional to hate apple but, think. What does sickness and absenteeism cost companies?

I worked a contract where they had regular deliveries of "free*" fruit, because they found it reduced the sickness and time off problem, increasing productivity. Same place also had drinks machines on free vend. I asked why, and was told because the cost of a can of coke was less than the time downtime cost for some crucial dev to wander down the street, cross the road to the newsagents and buy their own.

Great working environment too, often found myself working on something until 10pm or later to get something done to help hit the team deadlines (paid by hourly rate, so don't cry for me too much). We actually appreciated the cold callous social tuning efforts. My wife calls it my unicorn contract, in that it's one I'd go back for if they still existed in the same form today**, and nobody else measures up to.

*free as in paid for by the company

** they were bought out by a larger competitor who they were taking market share from, and the new overlords put a stop to all that caring nonsense and offshored most of the work

Data science before algorithms, declares Bosch's new top techie

Outer mongolian custard monster from outer space (honest)

In this thread, a surprisingly depressing sight. AManFromMars making more sense than some new talking head making a PR release.

First thoughts on reading the statement, "and this guy wants me to share road space with products designed by people he's given this advice to???"

Who wanted a future in which AI can copy your voice and say things you never uttered? Who?!

Outer mongolian custard monster from outer space (honest)

page 3, did I miss the post where someone commented that it was a good job half of society is installing automated remote upload recording devices* into their homes to generate content for this "service"?

Ties in really nicely doesn't it.

* Alexa, google home etc.

Dell EMC squashes pair of VMAX virtual appliance bugs

Outer mongolian custard monster from outer space (honest)

Re-reads comments on :-

https://forums.theregister.co.uk/forum/1/2018/01/12/storage_area_networks_patches_spectre_meltdown_bugs/

*says nothing*.

Should SANs be patched to fix the Spectre and Meltdown bugs? Er ... yes and no

Outer mongolian custard monster from outer space (honest)

Re: Safe enough - IF no third party code

"If there is a "secret" engineering backdoor then this is a much more significant problem than spectre or meltdown."

Go down and watch the team commissioning all your new hardware, discreetly shoulder surf them, if it has in life failure, see how the vendor's engineer recovers it. It can be very very enlightening.

These are our industry's dirty secrets tucked away and not spoken of openly much because they make the life of people running the hardware easier on a day to day basis. Trot out the DC and pull that chassis and recover it back to base as per official procedure to get it back vs get a coffee sit at your desk and use the "shortcut" to make life easier. I know what the majority of (human) people would do.

People leave teams, move companies, talk to other people inappropriately occasionally, find things independently when they shouldn't and other shenanigans. Yes it's been our role if it's discovered to have that removed or controlled when it becomes known but then you are into asking for vendor fixes for issues on a black box appliance. Are you suggesting this simply does not happen?

It's a much broader topic I agree, but it's why I have difficulties taking at face value any statements from PR releases that something is a black box system therefore does not require any attention to the insides. Ever.

Last post in this thread.

Outer mongolian custard monster from outer space (honest)

Re: Safe enough - IF no third party code

This is the classic "it's ok to bake secret recovery/engineering/legal intercept accounts into things" fallacy.

All I know is if I find it (and they don't fess up and tell me about these things beforehand usually), it's there, so could others, I wasn't blessed with super powers or the ability to do things other clever people could not do given sufficient commitment or the right combination of circumstances...

Outer mongolian custard monster from outer space (honest)

Re: Safe enough - IF no third party code

In the murky commercial world, that is an over-simplistic view of what the situation is however. I know of several SAN products that do not officially offer any way to get execution on them, but find the "secret" engineering backdoor, and you are in.

Do you implicitly trust the fox with the henhouse in this case?

Outer mongolian custard monster from outer space (honest)

Some of the responses are true, they're x86 but not all Linux underneath. Netapp for one was originally a fork of a *bsd (as anyone who's played with the 22/7 menu will be aware). A tool reported security issues in a Netapp Filer during testing although I couldn't reproduce the attack manually, due diligence process meant it had to be raised as an incident and after some work with NetApp themselves, the tool was found to be misidentifying the version of the daemon (relying on simple version string), and code analysis showed they fixed the vulnerable code in their library but didn't bump the version string up, so to a dumb analysis tool, it looked like it was open to the world to attack.

For the others, that's quite common, "it's like a washing machine, blackbox system" ergo, they do not feel they have to fix the mess inside. Which is acceptable in some quarters, unless there really are no vectors that they haven't taken into consideration or are hiding for business reasons.

WD My Cloud NAS devices have hard-wired backdoor

Outer mongolian custard monster from outer space (honest)

Re: Down with this sort of thing...

Code review? insert jaundiced cackle...

Outer mongolian custard monster from outer space (honest)
FAIL

What like these, reviewed by el reg some time back with no consideration of security or how it might be a pwn point for your entire network by the reviewer...

https://forums.theregister.co.uk/forum/1/2017/09/26/my_cloud_home_review/

Interesting user name choice. :-

"Noun 1. briony - a vine of the genus Bryonia having large leaves and small flowers and yielding acrid juice with emetic and purgative properties

WDC's My Cloud Home Duo is a natty piece of kit but beware iContent

Outer mongolian custard monster from outer space (honest)

It seems not, neither did everyone else.

https://thehackernews.com/2018/01/western-digital-mycloud.html

Russia could chop vital undersea web cables, warns Brit military chief

Outer mongolian custard monster from outer space (honest)

This isn't a new threat, I remember having this discussion and the possibility of intercept/monitoring on the repeaters with colleagues. There are alarming systems and other devices of course but to be fair, dragging a ship's anchor through one "accidentally" would be rather little green man style of operations.

However timing of this in reality makes it fit being a military budget inducing narrative to suddenly care and acknowledge it publicly.

It would cause economic chaos and have all sorts of not immediately obvious side effects, which even someone as insular and bubble inhabiting as Ledswinger would be heavily affected by.

Hey, we've toned down the 'destroying society' shtick, Facebook insists

Outer mongolian custard monster from outer space (honest)

Re: facebook eventually imploding.

RE el reg as social media. Apparently only if you use your actual name :-)

If anyone is curious, my current username stems from demonstrating to a co-worker who insisted that el reg usernames were all genuine and vetted that he knew even less about user validation than he did about network security.

Tired of despairing of Trump and Brexit? Why not despair about YouTube stars instead?

Outer mongolian custard monster from outer space (honest)

Re: WTF is wrong with this world?

But Kiwi, this is exactly the issue. A few years ago, there would be a small thread in a forum or on a wiki etc, and you'd view it, and there'd be some photos showing you what a good valve seat looks like, what a bad one is, how to check if a valve is pocketed, another couple of shots showing pencil marks or however you're tracking contact on the seats and the process, maybe a bit about making a lapping tool so it gave the correct reciprocating motion, or at least where to get one of the nasty plastic versions that last a few heads.

It was dead easy to grasp, because it was clear, concise and well, you could see.

Now, hardly anyone bothers to make pages like that, if I make up a static page detailing how I built something, there's immediately some dick saying "where's the youtube of it?" because they want spoon feeding or maybe they just fancy spaffing half an hour of their life away.

When in reality, what they were being given before was the pure information, and the chance to step up and learn a little, which when you're doing simple stuff like lapping in a valve, will lead you to develop critical thinking, an eye for things and the ability to think a bit.

Throw into that mix that a staggering amount of yt engineering has massive glaring errors (look at the amount of yt "honing" videos using ball hones to try and correct out of round cylinders because the person doesn't know better) and you have the perfect crap storm forming. I realized that a few years ago when I watched some guy trying to turn his pistons for his engine undersize to fit a different block. Not only did he attempt it on a mini lathe (and fair play, you can turn out good work on even a mini lathe) but then he used a 3 jaw to chuck it in, and didn't dial the piston in. Even if he'd dialed it in correctly, pistons are oval anyway to allow for expansion around the skirt near the pin bosses. The guy had thousands of likes on his video, and people posting up "oh great, I'll do that too", but when I tried to mention the above was called all sorts.

So tl;dr: none of it's curated, and it's riddled with drivel, so you might pull off a complex job you couldn't tackle before, or you might fubar it up.

This is not a pop at people learning stuff. Everyone starts somewhere and not being a simple consumer is to be lauded. I just despair a bit at big content monetising the niche stuff and turning it to shit with their policies.

I still watch yt, but for entertainment shows (roadkill etc). Yeah, it's just like switching on a tv, I know it's going to be mindless scripted drivel but eyes wide open on that.


Biting the hand that feeds IT © 1998–2019