No, they don't. But they didn't have before, therefore it's worked 100% in preventing catching it.
115 posts • joined 15 Mar 2017
"Security is Clearview's top priority", they just forgot to mention it's of their IP and algos.
I interviewed for a C-suite-level security bod at a cloud startup, and the entire interview was geared to how I would protect the above for them; when I asked around the PII they held on the cloud of thousands of people's medical reports, nobody gave a flying fig about any aspect of it.
I declined the job, I never was cut out for taking more filthy lucre at the expense of taking pills to keep my conscience dormant.
samesite=none;secure just means the cookie has to have been transmitted over a secure channel (https) from the 3rd party server, therefore protecting it from snooping in transit.
I'm struggling also to see what huge leap making the bad cookie originate from a https server offers up to defeating various attacks in this case.
Also a value of none breaks older browsers that won't render the page as a result. Previously it had to be missing, lax or secure to be valid.
Only because of system bundles. I got a bundle PS4 a while back, because it was the cheapest option to get a spare console that could go online; the bundle included a download of FIFA that to this day I have never bothered to claim.
It's like buying the Windows machine bundle and installing Linux on it day 0, because it was 50 quid cheaper than buying the Linux option because of subsidy, and every secondhand shop you go in has multiple copies of FIFA sitting unloved and unwanted.
I've got a French keyboard (AZERTY) on my ThinkPad, but it's mapped to QWERTY layout. It's great, nobody else can ever really get their heads round where things should be, unless they're touch typists used to QWERTY layout. :)
To the article, I have been issued a MacBook Pro by the corporate overlords, and I hate it (the keyboard really sucks, the oversize hipster touchpad is crap, and when it comes to doing really low level stuff, it's hard sometimes to wrest complete control of the underlying Bluetooth/audio etc hardware to do stupid things in the name of research and have it work as a corporate build afterwards...). I much prefer my stinkpad, and use it in preference whenever it's permitted...
You ring EDF up, tell them the meter supply number on the tag and tell them you moved in, then they send you some forms to fill in and ask for some peripheral evidence that you should have, and bingo, the bill arrives in the name of the new account holder. Magic. And if you don't do this, the account ceases and the electrons stop visiting you, because the EDF peeps come and pull the main fuse outside the property if you're still on Bakelite meters and bits of twisted wire for fuses between poles nailed to a piece of wood era French electrics, or turn the Linky off if you've been blessed with the snot avocado green box install.
The only real caveat is that for the bill to be proof of other things, it has to have been issued in the last 3 months, so it's even sort of evidence that you still are at that property (or at least they'll know where to find you if they need to).
Now, if you need a NEW supply where there isn't an existing meter to take over, that's more fun and involves the dreaded Consuel inspection. But I've done that too and it's really just about making sure the install is safe and has a good ground, and conforms to wiring colours and specs etc.
This was a legal thing way back. I wrote a LaTeX template once for a large bank in the UK, and it took the values filled in on a webform for a mortgage application, and then presented a pre-filled PDF to print out and sign and fax back.
I asked and was told that the signature carried different weight in the law because it was a "live signature".
If you got into home ownership misery from my work. Sorry. I just needed to pay my mortgage that month and work's work :D
Neither are you, having seen your posts on El Reg, please no, I'd like to keep an English Channel's width away from you at minimum.
To OP, in France you just need an EDF bill, and everyone else accepts that. EDF will take money from anyone when they issue the account on proof of house ownership or proof you are renting the property, and you won't get electricity without an EDF connection. That's fact, not ranting from a fake news provider.
It is actually easier than dealing with all that though. We have a second property down the road that's currently empty, and they put the card in the postbox which I empty every few months. Then they fitted that property with a transponder that can be read from outside, and now the person in the little van just parks up outside for a minute to read it.
This property has a Linky, it's powerline as others have said; had a good chat with the installer, who turned out to know more than how to screw it in place, about all sorts of interesting aspects, and poked round with it out of curiosity.
I'd really like to get a spare one to go to town on properly though...
You can use Devuan etc as a good interim solution and just swap one or two of them to *BSD to get a feel for it. It's worth doing because there's a chance in future that upstream changes will force the systemd-free distros into abandoning their resistance.
*BSD is actually pretty close an experience with the ports enabled, just the occasional thing slightly different. Flags, syntax etc, just enough to trip you up at first but not enough to be worth losing sleep over. People see my laptop and don't even realize it's BSD underneath.
If you have to have stuff that has a hard dependency on a certain OS/version for support, that's what virtual machines are for. It's a shame that my VM host now has Linux VMs in amongst the more usual suspects, but that's how life goes.
Personally I'm happy that bastard files haven't been renamed yet. I take great delight in indicating this to my son by handing him the one with the makers having etched "Flat Bastard" on the body near the tag.
To other poster, it's gudgeon pin in engineering terms. A gudgeon is a small freshwater fish.
Insert historical comment about this being 2019 and no manufacturer hard codes the SAME default public/private keys into all their devices. Yet again.
I hope the baying mob that went after me on El Reg's comment sections for suggesting this happens regular as clockwork in devices I test are by now, after multiple stories detailing this exact issue, actually starting to get just the tiniest of glimmers of an inkling of how completely clueless they were.
I had a much more minor incident. I was doing web and Linuxy stuff for a more established consultant who resold my time out occasionally, and on this occasion he'd managed to sell me as capable of installing some line printers onto a Solaris based warehousing system, an operating system I made clear to him at the time that I had no experience of.
After goading and considerable prodding I thought I'd very very cautiously give it a go, after telling Alan yet again I didn't know what I was doing really, and him insisting I tried anyway "as it's not live yet anyway". So there's 4 temps furiously entering inventory data as fast as they can in four terminals to get the inventory system populated with the stock ready for the go live in two days time, and we arrived onsite mid afternoon, and after an hour I had got a shell and felt about and installed the drivers by running the bundled shell scripts, but things weren't playing the game, so I decided one process called "printr" was the culprit and had to be shut down. It ignored a -HUP, so it got the big kill -9 shotgun, and that worked. Sadly I could tell it had because I heard the screams from around the room as an entire day's data entry went down the toilet: it cached all the data entries in RAM until told to write it out, which they did at the end of each day. We fired it back up quick and it was devoid of entries...
On the plus side, at that point the printer started working perfectly, so I apologised profusely to the temps for ruining their work and made my exit. And the temps were paid hourly.
This is Linux, and it's open source. Learn how to compile it from source.
Props if you then do more learning and make a package, even maybe submit it upstream or take over being the VLC maintainer; I'm sure the repo people would be thrilled to accept the later version as you won't be the only person in that same boat. All those packages on your device were already put together by people doing this very process...
To be fair, the ongoing gilets jaunes protest has meant most supermarkets have been deserted this week even in mid week. Especially when you get outside of Paris, it has been common to see a roundabout with gilets jaunes slowing traffic, although, as given outside of Paris most people seem to support this, it's all very polite and controlled and just viewed as a minor thing that was brewing over years of the particular cause repeating itself (Edouard Philippe completely ignoring vast swathes of the country outside of Paris who were most affected, who didn't want either this or the 80km limit etc).
What I'm *really* shocked at is to get this far down the comments and, unless I'm blind, not see *anything* by ledswinger, phil o'sophical and all the other Brexit trolls who usually inhabit these sections. Their handlers must be cutting back on the wage bills by only having them work in single time periods :-)
"Quite, and the researchers saying 'this should all be doable locally as people don't really want to be spied on' is like saying 'Lions don't really want to hurt people' - but they have to eat, right?"
Sure, but put away your paranoia for an instant and remember this is CMU saying this, as in the people that developed CMU Sphinx and PocketSphinx. Which today is about the best bet for a local-only speech recognition system that you're able to compile/build at home. For that they should be at least given a small amount of the benefit of the doubt that they were being sincere.
I should know, I've been making my own smart speaker that is local network only to control some local network only home automation devices and currently I have pocketsphinx running on a beaglebone black but have some tuning issues to overcome...
Of course Amazon et al will pish all over their good principles and aims, but there's still a small chance to carve out a niche for privacy respecting alternatives because of these guys'/gals' work.
It's associated with John McAfee, that should tell you all you need to know about its credentials.
My respect for John stems from the fact that he's so obviously hatstand and out there that nobody serious can take him seriously, yet, somehow, he still manages to find idiots who do.
Been following along with this on Twitter, it's been break time amusement for weeks.
I'd buy one, on two caveats: first, that those Synaptics buttons are hardware buttons, not emulated in the driver software. I still buy ThinkPads for that reason.
Secondly, I want you to buy one and throw it about first and see if it's rugged enough for mobile usage. My one and only foray into big shiny luggable laptops was an Asus, and 4 flights in it lost a third of its screen, and the local Asus dealer wouldn't honour its guarantee after I told him it happened on a flight in hold luggage (stupid attack of honesty). The way another repair guy explained it to me was they'd made the screen wider by adding an extra panel to the right of the standard one and joined it with fine wires. I still have it, it still only shows 2/3 of the screen, but it's relegated to doing vehicle stuff now, and we fit all the display mode on the working bit :-)
Sod it, I'll just buy another stinkpad for now. I can always fend off muggers with a blow from that in an emergency.
'Fraid not Jake, not any longer. A few years back I was with you 100%. Now we're forced to use the term because it's become widespread and nobody outside our little niche gets how cheesy it all is. A little bit of me dies inside each time I have to write "cyber security consultant" on something, because I started to get solicited for doorman roles for posh clubs when I used "Security Consultant" in the descriptive fields. I was considering writing (in)offensive security specialist, but not sure too many people would get the wry joke.
It's a bit like Mr Mimikatz (Benjamin Delpy) saying the problem in security is "security professionals" and how crap they all are on Twitter. Yeah, there are some dead wood box tickers, but equally just because someone works in the field it isn't a given they're going to be that way.
Don't get me started on the pale male and stale meme crowd.
Generalizations are bad m'kay?
Don't you have to have leather trousers with no bum in them to have a wallet on a chain?
Personally I put my wallet and phone in the big inside pocket inside the jacket; then by the time you've fallen off and burst the main zip and slid far enough further to drag it inside out and abrade the liner away, dropping your phone is the least of your worries. Also stops it getting too wet. Soggy money is no fun.
Define properly secured at the perimeter. And bear in mind I was reading a paper today about how to bypass the Akamai WAF during an exploitation (I'm an offensive security bod, before the mob tries to lynch me). The point being, that info is freely available on the net if you know where to research, and both sides of the game have it. If you've evaded the WAF, your attack will look like normal web traffic anyway if you get it to dump out via the same web server as a response, unless you set off a sensor getting it to throw a reverse shell via a port or similar.
Philip, yes, if it leads to Debian doing what they refused to do at the time of systemd's adoption and take onboard the possibility to completely remove it for those who choose not to use it. Diversity in the ecosystem, choice, it's all good.
s/allowed/currently\ allowed\ as\ a\ short\ term\ workaround/
It's a tiny but important linguistic difference.
I don't think "relaxed" is the correct term, Ian; in fact, taken overall, it's somewhat disingenuous to state that to support the argument that one is equivalent to the other. In the reality of here and now, it's a small dep and not used, so in the interests of expediency it's there as a known issue.
The difference then becomes (I believe) that Devuan is committed long term to eliminating this and is already working through the list of packages. I don't believe base Debian has the same commitment?
I have nothing against Debian apart from its decision to go to systemd. I've been dabbling with it since I got given an install CD by Debian volunteers at a show where I bought my first CD-ROM drive when running Slackware, but I currently have 5 installs of Devuan churning away since the project first released and 0 of Debian.
Speak for yourself Jim, I've hosted content for free on my own servers since the late 90s, and not one single advert has ever appeared on any of the domains I'm responsible for, nor has anyone else ever paid a penny towards their upkeep.
I did it because I was interested in the subject and it was my way of paying a little back. That's the actual spirit of the earlier internet, not trying to monetize everything with ads or spam YouTube with stupid clickbait crap videos just to get enough subscribers to earn enough to not have to actually work for a living alongside your passions.
Adverts, meh, if they *have* to be on a site, they'd better be obviously adverts, and they'd better not be targeted, or Mr Ghostery and Captain Adblock amongst others will be deployed. For the very few that are honest and show relevant adverts I do even lift my adblocking solution.
Dan, easy, have a Synergy KM setup and a second keyboard on a KVM for early boot recovery, a couple of different hardware/OSs, one for browsing dodgy places during research, one set up as a compiler etc; keep them viewable so you can keep one eye on a long process while doing something else elsewhere. Throw in a 2nd KVM which goes out to my server room via a dedicated cable + KVM extender, and bingo, you have 6 screens and 3 keyboards. Though mostly two of them sit down the side of the desk out the damn way unless something goes wrong.
In my defence, I had to pay for all 6 of my 19" monitors, so that means I made the bracketry myself and cleared out the secondhand shop a few times. Short arms and deep pockets me...
*Sigh*, I tested this as soon as THN broke it on Twitter, it's just for libraries.
Untarring and unzipping as root is dumb (I did it on a throwaway VM so you don't have to...) but Linux command line zip and tar are both patched in the shell anyway, since the 1990s for tar and somewhere around 2006 for zip. I didn't even bother testing the other variants. It really is the old 2006 path recursive attack that some libraries were never fixed for still in use, except it has a logo, and people running round Twitter trying to make a "name" for themselves in the security community to get hired.
root@testbox:/home/testuser/zip-slip-vulnerability/archives# tar -xvf zip-slip.tar
tar: Removing leading `../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../' from member names
tar: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt: Member name contains '..'
tar: Exiting with failure status due to previous errors
root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -la *evil*
ls: cannot access '*evil*': No such file or directory
root@testbox:/home/testuser/zip-slip-vulnerability/archives# unzip zip-slip.zip
warning: skipped "../" path component(s) in ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -lR tmp
-rw-r--r-- 1 root root 20 Apr 15 22:04 evil.txt
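The check the shell tools are doing above (refusing or stripping a "../" run in member names) is the one an archive-handling library has to do itself; as an added example that is not part of the post, this Python builds two small constructed archives with the same kind of traversal entry and shows how a library-side extractor can flag and skip any member that would land outside the destination directory (names, paths and sample archives are all constructed here, not the repository's test files).

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Constructed sample member names: one benign, one with a leading "../" run
# like the tmp/evil.txt entry in the post. Not the repository's test files.
SAFE_NAME = "docs/readme.txt"
EVIL_NAME = "../" * 10 + "tmp/evil.txt"


def build_zip():
    """Constructed zip with a benign and a traversal entry (in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAFE_NAME, "hello")
        zf.writestr(EVIL_NAME, "owned")  # zipfile does not sanitise names on write
    return buf.getvalue()


def build_tar():
    """Constructed tar with the same two entries (in memory)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in ((SAFE_NAME, b"hello"), (EVIL_NAME, b"owned")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base, member_name):
    """True if base/member_name still resolves inside base after normalisation."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def list_members(data, kind):
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        return tf.getnames()


def traversal_members(data, kind, dest="/extract"):
    """Names that would escape dest: the Zip Slip candidates a library must reject."""
    return [m for m in list_members(data, kind) if not is_within(dest, m)]


def _write(dest, name, payload):
    path = os.path.join(dest, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(payload)


def safe_extract(data, kind, dest):
    """Extract only regular files that stay inside dest; return (extracted, skipped)."""
    extracted, skipped = [], []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.endswith("/") or not is_within(dest, name):
                    skipped.append(name)
                    continue
                _write(dest, name, zf.read(name))
                extracted.append(name)
    else:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
            for m in tf.getmembers():
                # Links and devices are skipped as well: a symlink pointing outside
                # dest is the other classic way an archive escapes its directory.
                if not m.isfile() or not is_within(dest, m.name):
                    skipped.append(m.name)
                    continue
                _write(dest, m.name, tf.extractfile(m).read())
                extracted.append(m.name)
    return extracted, skipped


def demo(kind):
    """Run safe_extract into a fresh temp dir; report what landed where."""
    dest = tempfile.mkdtemp()
    extracted, skipped = safe_extract(build_zip() if kind == "zip" else build_tar(), kind, dest)
    return {
        "extracted": extracted,
        "skipped": skipped,
        "safe_present": os.path.exists(os.path.join(dest, SAFE_NAME)),
        "evil_present": os.path.exists(os.path.join(dest, "tmp", "evil.txt")),
    }
```

Note that `zipfile.ZipFile.extract` already strips leading `../` components much as `unzip` does above, so the point is to apply the same containment check in code that writes archive members by hand.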
I use the 6600 as a VM host using VMware/VirtualBox and use a completely different machine for browsing, with a KVM, for when doing research, as, er, it can end up in some less salubrious places quite often, so that's even more critical to stay on top of. I'll have to uplift that because it's running an Ivy Bridge 2127U, but that's not a big loss, any cheap box will do for that, it's just a glorified web browser + VPN client host. I'm still a bit annoyed that the 6600 needs isolating and its instances not allowed to route out as a fix though, as to upgrade to something more modern but capable takes what I consider a not insignificant* sum of money.
But, yeah, hands up, I'm being super grouchy, I have to make some investment in new kit because of someone else's mess. I know the nuances and I'm just going to have to suck it up and pass this cost onto my clients. But when it comes to SMEs, you try telling 9/10ths of the world they need to landfill their devices because there's an unpatched flaw in the CPU they use on the machine, and they absolutely must be able to use Facebook and Twitter while at their desk. And are all the affected machines going to go to landfill or end up in corporate disposal for the next decade?
I personally think Intel should have eaten the extra dev + test costs as a goodwill gesture and supported the mess they made, rather than apparently trying to turn it into a profit op to drive new CPU purchases to replace the ones they already sold you. Even if they prioritized the newer arches first it would have kept more options open longer term. At the end of the day, they made this mess with their product; washing their hands isn't going to take all of the compromised product out of the second user ecosystem for years.
*i.e. it's mine and I've got short arms and deep pockets
I'm hoping they were asking how many vulnerabilities do I develop per day. Sorry, I don't have a metric for that you can put in a spreadsheet to decide how to crank the hamster wheel HR want to put all our staff* on.
Latest shiny is for all those cool kids who game on their PCs, isn't it? For computational loads it copes rather well.
If you meant how out of date is it? I'm assuming from the idiocy you are a PHB, but the packages were updated last night by cron if that helps.
MonkeyCee, upvoted also. Summarises the situation precisely for me also.
I come on here, comment on security stuff because that's my speciality, yet when the word "Brexit" or, it seems, an article by Kieran arrives, there's this big flood of new usernames and anon posters. And the usual names who only ever comment on Brexit stuff (Phil O, Leadswinger etc).
I should just not bother reading anything Brexit related on El Reg, which I've decided to do hereon (though I'm going to hit submit for one last time). Easier to just move on I guess, and that's my entire attitude to Brexit now; when they accept my citizenship application, that puts me beyond expecting some politicians to do the right thing, I'll be able to do that.
I showed this to my wife, and she said immediately "oh there you go, you like a challenge, you should apply". That's why I love her, she's such a subtle troll at times :-)
One does presume it comes with an entire fireproof bodysuit and a liking for being pursued by angry mobs, however. Perhaps they should rejig the title: "wanted, snowball juggler for important mission navigating hell".
So, I interviewed for a role answering to the C-suite at a data processing company recently who held masses of third parties' customer confidential data in a cloud env to process it, and the overwhelming thing I came away with about the entire company from the various interviews is that they don't give a rat's ass about the data itself or if they have a corporate trustworthy stance, and their entire focus is all about protecting their IP algo from walking out the doors because they trust none of their minimum wage coders and data scientists. No, I didn't take the role.
So to distil the recommendations down to plain speak, be trustworthy = write nice words on the website and pretend to care so that people will keep giving them not fake data because it ruins their business model. Not unlike Facebook are currently desperately trying to do.
Me? I have an FB account. Perhaps more than one. Happily peeing in the well to poison their data sets while at the same time maintaining placeholder accounts to stop someone else spaffing things on my behalf.
Biting the hand that feeds IT © 1998–2020