* Posts by aaaa

115 publicly visible posts • joined 17 Jan 2008

Ransomware scum launch wave of attacks on critical, but old, VMWare ESXi vuln

aaaa
Devil

Re: Attack Surface

From the VMware advisory:

"A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."

So not anything to do with ports exposed to the "Internet".

For us, the COVID-19 rules caused a lot of disruption to data centre access and we've not been able to upgrade/patch a whole raft of systems. Remember ESXi is used by a lot of smaller companies who don't have enough servers to warrant a lot of automation and remote patching capabilities. One data centre I haven't been able to get people on site to since March 2020. Sure I could use 'remote hands' with the data centre staff, but for this security advisory and many others we just simply blocked the problem port on the firewall and disabled the service.
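The check a practitioner wants after blocking 427 and stopping slpd is proof from the same network segment that nothing answers any more. The Python below is an added example, not part of the comment above and not VMware tooling: it builds an SLPv2 Service Request as laid out in RFC 2608 (14-byte fixed header plus language tag, then the SrvRqst body) and probes a list of management addresses on 427/tcp and 427/udp. The addresses in the `__main__` block are hypothetical placeholders, and `selftest()` only exercises the TCP probe against a throwaway loopback listener.

```python
"""Probe 427/tcp and 427/udp (OpenSLP) from the management segment.
Added illustration; host addresses below are hypothetical."""
import socket
import struct
import threading

SLP_PORT = 427


def build_slp_srvrqst(xid=1, service_type="service:service-agent", scope="DEFAULT", lang="en"):
    """SLPv2 Service Request (RFC 2608 sections 7 and 8.1), the packet a UDP discovery probe sends."""
    body = struct.pack("!H", 0)                                  # <PRList> length: none
    body += struct.pack("!H", len(service_type)) + service_type.encode()
    body += struct.pack("!H", len(scope)) + scope.encode()       # <scope-list>
    body += struct.pack("!H", 0)                                 # predicate length: none
    body += struct.pack("!H", 0)                                 # SLP SPI length: none
    lang_b = lang.encode()
    length = 14 + len(lang_b) + len(body)                        # fixed header is 14 bytes + language tag
    header = bytes([2, 1])                                       # version 2, function-id 1 = SrvRqst
    header += length.to_bytes(3, "big")                          # 3-byte total length
    header += struct.pack("!H", 0)                               # flags: no overflow/fresh/mcast
    header += (0).to_bytes(3, "big")                             # next extension offset
    header += struct.pack("!H", xid)
    header += struct.pack("!H", len(lang_b)) + lang_b
    return header + body


def tcp_open(host, port=SLP_PORT, timeout=2.0):
    """True if a TCP handshake completes; refused and timed out both count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_slp_answers(host, port=SLP_PORT, timeout=2.0):
    """True if host:port replies to a SrvRqst with something that looks like an SLPv2 packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_slp_srvrqst(), (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:                       # timeout, ICMP port unreachable, or no route
            return False
    return len(data) >= 14 and data[0] == 2


def check_hosts(hosts):
    """Map each host to its 427/tcp and 427/udp exposure as seen from this machine."""
    return {h: {"tcp": tcp_open(h), "udp": udp_slp_answers(h)} for h in hosts}


def selftest():
    """Exercise tcp_open against a throwaway loopback listener (constructed; no ESXi involved)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    acceptor = threading.Thread(target=lambda: listener.accept()[0].close(), daemon=True)
    acceptor.start()
    while_open = tcp_open("127.0.0.1", port)
    acceptor.join(timeout=3)
    listener.close()
    after_close = tcp_open("127.0.0.1", port)  # nothing listens now, so expect False
    return {"port": port, "while_open": while_open, "after_close": after_close}


if __name__ == "__main__":
    # Hypothetical management addresses (TEST-NET); replace with your own ESXi hosts.
    for host, result in check_hosts(["192.0.2.10", "192.0.2.11"]).items():
        print(host,
              "427/tcp open" if result["tcp"] else "427/tcp closed",
              "427/udp answers" if result["udp"] else "427/udp silent")
```

A silent result from this probe is only meaningful if you run it from a host that sits in the same segment as the ESXi management interface, since that is the position the advisory describes; run from elsewhere it mostly tells you about intermediate firewalls. On the host itself, VMware's published workaround is to stop the daemon (`/etc/init.d/slpd stop`), disable the firewall ruleset (`esxcli network firewall ruleset set -r CIMSLP -e 0`) and stop it coming back at boot (`chkconfig slpd off`), which is what the probe is confirming.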

Australia blames Russia for harboring health insurance hackers

aaaa

Re: Victim Blaming?

The victims are the customers, not Medibank. No-one is blaming the customers.

Since this is a state-sponsored attack - paying them or not paying them probably doesn't really determine their future behaviour - the state sponsor is satisfied with creating chaos, fear, uncertainty etc.

aaaa
FAIL

Details details details

Sure, let's go after the people who robbed the bank. But don't you think that maybe you should have installed a vault rather than a fly screen door? Shouldn't someone be held accountable for that?

I saw something in an earlier press release about how they gained access to a login that allowed them to access all 9 million records. That is a fundamental failure of:

- design

- implementation

- security

- IT governance

- QA

- legislation and/or law enforcement

- shareholder governance

But more than the fact all 9 million records were available to any account, what about field level security?

This is an enormous failure by coders/programmers turning a blind eye to poorly implemented systems and just walking home with the paycheck. And all management up from there all the way to the prime minister's desk. We could look at the lack of protection for whistleblowers for a start.

I'm happy paying Twitter eight bucks a month because price isn't the same as value

aaaa
Devil

this comment has no value

So you came here to offer an uninformed opinion on a topic of no interest to you. Sounds like you should sign up to twitter.

T-Mobile US and SpaceX hope to deliver phone service from space

aaaa

Re: Colour me baffled...

Long term, this is absolutely right. We don't need all these mobile/cellular protocols, just data/internet protocol. Either delivered by satellite or by a terrestrial network.

But this T-Mo/SpaceX deal is just a stopgap. It will give SpaceX/Starlink some real world experience of dealing with handsets though, which will probably be technically useful in delivering the long term solution eventually.

Tesla wants to take machine learning silicon to the Dojo

aaaa
Devil

PyTorch not PiTorch

PyTorch not PiTorch.

The one technical feature of the entire article. Misspelt.

If you're using older, vulnerable Cisco small biz routers, throw them out

aaaa

Re: Throw away 3 year old, core, infrastructure?

Suggestions? I've struggled to find anyone so I'm looking at small appliances designed to run open source Pfsense or Netgate/Pfsense+

edit: I'm not using any of these particular devices, but ASAs and Branch routers, and I've had the same problem with Cisco refusing to patch critical security vulnerabilities despite us having support/TAC and the model not being anywhere near EOL

aaaa

Re: Amazed

I've documented in comments on past articles my own frustration with using Cisco for small business and particularly with them ceasing software updates for vulnerabilities when you have a support contract and well before the EOL date.

My current strategy is to migrate to small appliances designed to run open source Pfsense or Netgate/Pfsense+

Anyone here use these?

edit: I'm not using any of the particular cisco devices mentioned in this article, but ASAs and Branch routers

Apple has missed the video revolution

aaaa

Re: Apple dumbed down and threw pros under a bus

You can easily patch or add features daily, or hourly, to an iPhone app using TestFlight. So it's entirely easy to quickly turn around an app for Apple.

aaaa

Re: I'm no Hollywood editor...

yeah resolve is awesome and being used by more and more pros. Usually on Mac (5 times faster on M1 Max). Which kinda shows the problem with this article. Here let me rewrite a shorter version of this article:

"I use one free program on windows that works really well, I then tried a port of it to Mac and it didn't run as well".

The article doesn't mention:

- he could bootcamp the MacBook (intel only)

- there are alternatives native to Mac

- the point of free software is not the price, but that you can change it/improve it

I wish there were more apps available for the M1 iPad Pro 12.9" - it's a seriously powerful machine that is lacking seriously powerful software. I don't think anyone ever expected Apple to stick a processor that powerful in a tablet. We're still catching up.

Far from MacOS being the laggard - iPadOS is the laggard.

edit: to add: I looked at his YouTube video - nothing there that iMovie (bundled with MacOS for 'free') can't do easily. Nothing as fancy as Davinci resolve needed. For 'live' equivalent, I've used CamTwist but there are lots of choices.

Open source, closed wallets, big profits – nobody wins the OSS rock, paper, scissors game

aaaa

Re: Sounds very much like the music industry

The French music industry is an interesting example of how this could be done:

https://www.npr.org/2021/01/11/954994402/how-france-is-helping-its-artists-during-the-pandemic

Things like CDs are taxed and the money distributed to professional musicians who are not currently working, because French society values having musicians.

Similarly if a country valued having software developers/FOSS, they could tax all commercial software development (a new VAT rate maybe, or like national insurance for staff employed as software developers) and use it to pay 'unemployed' software developers (FOSS developers).

So Red Hat staff would still need to be paid by Red Hat. Apache foundation staff would need to be paid by Apache Foundation. It's just the 'volunteers' who don't have enough free hours left in a day for actual employment who would benefit, ie: the people who do the actual coding.

The devil is in the detail - but it could be done.

Log4j doesn't just blow a hole in your servers, it's reopening that can of worms: Is Big Biz exploiting open source?

aaaa

well, I only have 1 vendor application written in Java, and yes, it uses log4j.

So far I'm not a fan of Java applications, because it doesn't seem like I as a customer can replace an application library with a newer version without the vendors help. Maybe that's just this application.

It's not that the API is different, it's that the calling program is looking for library-1.1.1.jar and so I can't replace it with 1.1.1a.jar or whatever.

For that reason, yes, I think Java (or at least this Java app) is very insecure.

Bugs will be found. Updates will be needed. At least if the app is in C/C++ - I can just apt-get update to load a new ssl lib or glib and get the fixes with no intervention from the vendor of the app.

So now we need to re-install this vendors Java application from source just so we can apply security updates...
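When the jar cannot be swapped the way the comment describes, the two things worth doing yourself are to find out which jars actually carry log4j-core and to take the vendor-independent mitigation Apache published for Log4j 2.x installations that could not upgrade: remove `JndiLookup.class` from the jar. The Python below is an added example, not the commenter's code and not any vendor's tooling. It walks an application tree, reports every jar with a log4j-core `pom.properties` or the `JndiLookup` class, and rewrites a jar without that class. The tree built in `demo()` is constructed sample data; the jar names and the `2.14.1` version string are hypothetical.

```python
"""Audit a vendor Java application tree for log4j-core and neutralise JndiLookup
where the jar cannot be replaced. Added illustration; not vendor tooling."""
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"


def find_jars(root):
    """Yield every *.jar under root (nested jars inside WAR/EAR files are not opened)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def inspect_jar(path):
    """Return (log4j-core version or None, JndiLookup present?) for one jar."""
    version, has_jndi = None, False
    with zipfile.ZipFile(path) as jar:
        for entry in jar.namelist():
            if entry == JNDI_CLASS:
                has_jndi = True
            elif entry.startswith(CORE_POM_PREFIX) and entry.endswith("pom.properties"):
                for line in jar.read(entry).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    return version, has_jndi


def audit(root):
    """List (path, version, has_jndi) for jars that look like log4j-core or carry JndiLookup."""
    findings = []
    for path in find_jars(root):
        try:
            version, has_jndi = inspect_jar(path)
        except zipfile.BadZipFile:
            continue                      # not a real zip; skip rather than abort the sweep
        if version is not None or has_jndi:
            findings.append((path, version, has_jndi))
    return findings


def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class. Returns True if it was removed."""
    with zipfile.ZipFile(path) as jar:
        if JNDI_CLASS not in jar.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as out:
            for info in jar.infolist():
                if info.filename != JNDI_CLASS:
                    out.writestr(info, jar.read(info.filename))   # keeps per-entry compression
    os.replace(tmp, path)                 # atomic swap; keep your own backup of the original
    return True


def make_sample_jar(path, version, include_jndi):
    """Build a constructed jar mimicking log4j-core's layout (placeholder bytes, not real classes)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            jar.writestr(CORE_POM_PREFIX + "pom.properties", "version=%s\n" % version)
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Constructed tree: one vulnerable-looking core jar, one unrelated jar; audit, strip, re-audit."""
    root = tempfile.mkdtemp(prefix="vendorapp-")
    try:
        core = os.path.join(root, "lib", "log4j-core-2.14.1.jar")   # hypothetical name/version
        other = os.path.join(root, "lib", "vendor-util-1.1.1.jar")
        make_sample_jar(core, "2.14.1", True)
        make_sample_jar(other, None, False)
        before = [(os.path.basename(p), v, j) for p, v, j in audit(root)]
        removed = strip_jndi_lookup(core)
        after = [(os.path.basename(p), v, j) for p, v, j in audit(root)]
        return {"before": before, "removed": removed, "after": after,
                "second_strip": strip_jndi_lookup(core)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Caveats for real use: the JVM has to be restarted for the change to take effect, a shaded or nested copy of log4j-core inside a WAR, EAR or fat jar is not found by this walk, and editing a vendor's signed jar may break its signature check and its support terms, so this is a stopgap until the vendor ships a fixed build rather than a substitute for it.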

aaaa
Devil

Businesses are simply not in the business of fair dealing.

The article says "Businesses are simply not in the business of fair dealing." but I think that generalisation needs unpacking.

I've been responsible for a small open source project for almost 20 years.

From the outset, I've seen a very big difference in how users in different parts of the world approach us.

My technical lead explained it to me on day 1: the Germans can't use the software unless they've paid for it.

Contrast that to a large American bank that asked me "are you going to sue us" (I said no) and they said "then we won't pay you".

In another role, I've worked closely with a software vendor based in The Netherlands, and when they were bought by American Private Equity I watched with interest as the P/E firm came to realise they couldn't run the business into the ground because the "employee board" vetoed any action which would be detrimental to the staff or the wellbeing of the company.

I'm not trying to say business in Europe is all sunshine and roses, but that actually "fair dealing" can be a part of business, and is a part of business throughout the world (but maybe a little more in some parts than others).

Apple says it will no longer punish those daring to repair their iPhone 13 screens

aaaa
Thumb Down

Re: make 3rd party repairs impossible

@DS999

Having each part of an iPhone be able to report a serial number? And Apple track all those serial numbers. And have 3rd party repairers access such information and update it. Reliably without bricking perfectly OK phones?

Maybe in some utopian future - meanwhile, to save me having my phone stolen, just prevent 3rd party repairs - I'm perfectly OK with that - Apple repair costs are cheap.

If you are not happy with restrictions on repairers: go buy a different phone - Android or whatever. You don't have to buy iPhone.

aaaa
Devil

make 3rd party repairs impossible

I'm all for Apple making it absolutely impossible for "3rd party" repairs on iPhone.

In my home town we have a Facebook community group.

Last summer, several people "lost" their iPhones at local beaches, and community members helped them track them down with "find my" (why people find this so hard I don't know).

Last known location - a "phone repair shop" some 40km away. (and no, the police won't investigate, but I've no idea why)

iPhones are stolen regularly, and yet they are pretty useless to a pawn shop - so this is pretty much the only use for them. And iPhone parts are expensive. So I guess someone can spend a morning "collecting" iPhones and by the afternoon have a few dollars in their pocket from selling locked but otherwise good phones to a repair shop.

After iPhones - the next most common thing stolen here are BMWs - and again, it's for parts. If BMW could stop 3rd party repairs, they absolutely would, because folk around here are now actively campaigning "don't buy a BMW" because it's bringing crime to the area (particularly at night). I doubt BMW are very happy about the crime or the consumer response.

You can buy BMW parts as "genuine" or "third party", but it doesn't stop people stealing BMWs for parts. Having "3rd party" suppliers for Apple parts is also not going to discourage or prevent the theft of iPhones for parts. Making the iPhone irreparable (except by Apple/Authorised repairers) and/or the parts unuseful (as described here: the display can be replaced but it breaks Face ID) are significantly more effective strategies for combatting theft and keeping iPhone owners safe.

Terraria dev cancels Stadia port after Google disabled his email account for three weeks

aaaa
Thumb Up

Adwords

No mention of Adwords.

Google are an advertising company.

If you have a gmail account attached to Adwords spending $$$$ on display ads then I doubt they'll ever close your account.

Unsecured Azure blob exposed 500,000+ highly confidential docs from UK firm's CRM customers

aaaa

Re: No more Mr Nice Guy

Actually I think this comment has hit it on the head.

Fine the director - his directors liability insurance pays, everything stays the same.

Fine the company - the products or public liability insurance pays, everything stays the same.

Fine the customers - they cancel contracts, and scrutinise the next provider more carefully.

Apple opens pre-orders of iPhone 12 Mini and Pro Max models, the cheapest and most expensive in the lineup

aaaa
Devil

Re: Too little too late - for SE fans

I'm one of those SE2016 fans.

I did try android, but wasn't happy.

I ended up with Apple Watch Cellular S4. Very very happy. So much so I'm upgrading to the S6.

Weirdly the AW does require an iPhone somewhere to be turned on (to forward non iMessage SMS), but my old SE2016 can do that. Still, it's a glitch I hope Apple fix soon.

With AW I now have an even smaller phone than the SE, and I can reply to messenger and email and SMS/iMessage (and phone calls) on the go, but not get distracted on social media or websites/news. I can listen to music/podcasts via bluetooth headphones or the soundsystem in the car. Battery life is about the same as the SE2016.

The only downside I have discovered is that I need a 'cheap' camera (or maybe a mini tablet) to keep in the glove box of the car, since I never have a camera on me anymore...

In fact now that the 'messaging' and 'other' functions of my phone have been separated, I look at the categories as quite distinct. A smart mobile/cellphone is good at messaging, portable hotspot, TV, streaming video player, web browser, music player, games machine, book reader, etc. etc. It's good at all. But it's also not great at any. It doesn't excel at any of those things. It's in the 'good enough' category and is stuck there.

So yeah - for a student on a budget I can see a smartphone as a necessary evil. But for an IT pro? We can afford to get the right tools for each job, and have better results every time.

Could I design a perfect smartphone? No. I no longer think such a device exists. Smartphones are headed for EoL pretty soon, to be replaced by a separate personal messaging device (watch/band) and secondary devices (mini tablets, sport cameras, book readers, 5G mobile hotspot, etc.).

Microsoft? More like: My software goes off... Azure AD, Outlook, Office.com, Teams, Authenticator, etc block unlucky folks from logging in

aaaa
Thumb Up

if only the internet was a distributed network

If only we had designed the internet to be distributed, and not centralised. Oh, the power of 20/20 hindsight. Imagine if we had designed the internet so we could even each have our own mail servers, and apps installed on our desktops, and our own file servers that didn't have to rely on a central server maintained in one place by one organisation. But we know blackberry were right when they designed all international email to go via Canada, and we know that we're happy with the Google/MS duopoly. Don't we?

We've come to wish you an unhappy birthday: Microsoft to yank services from Internet Explorer, kill off Legacy Edge by 2021

aaaa
WTF?

i love advertising

I just don't understand why anyone, ever, would use a web browser from an advertising company.

From the vendor of your OS? yes. From an independent open source foundation? yes. From an ISV with features you are willing to pay for? yes.

FROM AN A-D-V-E-R-T-I-S-I-N-G COMPANY ?!?!?!?

NO.

This is the sort of behaviour that I expect of unfathomable business types, or fashionistas, not developers or sysadmins.

I guess I'm clearly now officially old and out of touch, a luddite even.

Trump administration labels WeChat, TikTok ‘threats’ to national security, bans transactions with both

aaaa
Unhappy

i have an idea for an app

why worry about Apple or Google putting you out of business by unilaterally removing your product (app) for sale from their walled gardens when the president of their country behaves exactly the same way. Nothing to see here congress...

I'm actually quite a big fan of the Apple approach that Google has mimicked in recent years. But I'll gladly lose that to avoid political interference in app development.

Time for Apple and Google to make a stand like they did against encryption backdoors and say they'll simply allow people to download and install apps from outside the app store.

Australia's contact-tracing app regulation avoids 'woolly' principles in comparable cyber-laws, say lawyers

aaaa

Re: Q: how long is long enough?

AC: yes, if I had android. I use iOS and these limitations are well known and discussed in the article.

aaaa
Go

Q: how long is long enough?

So I'm tempted to wait 2 weeks to see if someone quickly manages to hack the cloud storage.

Or is 2 weeks not long enough?

I'm curious as to everyone's opinions.

Thanks El Reg for the article - genuinely helpful.

The limitations (no watch app, have to keep app in foreground, only works if other people also have their phone and app in foreground, etc.) are so many, that I find it difficult to feel like there is much imperative to load this app. I thought I'd feel some sense of pressure to comply and perform my civic duty - but I completely don't - and aside from a couple of friends who use android and are talking up how important it is to use the app - no peer pressure at all.

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

aaaa
FAIL

generic names - on Google/AWS/Azure

We saw this 20-30 years ago with the initial explosion of the web - everyone was using hosting companies, and all it takes is for the greedy host to rent out the same IP address to some SPAMMER and suddenly everyone blocks you because you were on the same IP address. This is just the same, but the modern cloud equivalent using shared hosting services / DNS. It's an inherent fault, and it will (thankfully) push people away from using them.

I'm already blocking most email from generic SMTP servers Google/AWS/Azure that use a generic DKIM. So it looks like I'll start to block most web sites hosted on generic domain names on Google/AWS/Azure too. If you want your email delivered, set up your own email server and your own domain name and your own private DKIM. If you want people to go to your own web site, don't redirect.

For the technically curious: we have two SPAM rule classes: for non-generic SMTP we look for keywords/SPAM scores and quarantine emails based on that; for generic SMTP/DKIM we look for keywords and quarantine ALL EMAILS unless they match particular keywords that lead us to use a whitelist for existing customer email addresses.
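The two-class rule described in that comment, written out as an added example (not the commenter's filter and not any product's code): the signing domain is read from the `d=` tag of each `DKIM-Signature` header; mail signed by a shared-provider domain is quarantined unless the sender is on an allow-list of existing customers, while mail signed by the sender's own domain goes through a keyword score. The provider domains, the allow-list, the keyword weights and the four sample messages are all constructed for the illustration.

```python
"""Two-class inbound mail policy (illustration): shared-provider DKIM signers are
quarantined unless the sender is a known customer; own-domain signers are scored."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed (hypothetical) shared-provider signing domains; build yours from real DKIM logs.
GENERIC_DKIM_DOMAINS = {"amazonses.com", "onmicrosoft.com", "sendgrid.net", "gmail.com"}
# Assumed (hypothetical) allow-list of existing customer addresses.
CUSTOMER_ALLOWLIST = {"alice@customer.example"}
# Assumed (hypothetical) keyword weights and threshold for the score-based class.
SPAM_KEYWORDS = {"act now": 2, "wire transfer": 2, "verify your account": 2, "free": 1}
SPAM_THRESHOLD = 3

# The d= tag of a DKIM-Signature header (RFC 6376 tag=value list, ';' separated).
DKIM_D_TAG = re.compile(r"(?:^|;)\s*d\s*=\s*([A-Za-z0-9.-]+)", re.I)


def dkim_domains(msg):
    """Signing domains named in every DKIM-Signature header (header read only, not verified)."""
    found = set()
    for sig in msg.get_all("DKIM-Signature", []):
        m = DKIM_D_TAG.search(str(sig))
        if m:
            found.add(m.group(1).lower())
    return found


def keyword_score(text):
    """Sum the weights of every keyword present in the text (each counted once)."""
    low = text.lower()
    return sum(w for k, w in SPAM_KEYWORDS.items() if k in low)


def classify(raw):
    """Return a verdict dict for one raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    score = keyword_score(text)
    signers = dkim_domains(msg)
    shared = sorted(signers & GENERIC_DKIM_DOMAINS)

    if shared:                                   # class 1: generic SMTP/DKIM
        if sender in CUSTOMER_ALLOWLIST:
            return {"class": "generic", "verdict": "deliver", "score": score,
                    "reason": "allow-listed customer address"}
        return {"class": "generic", "verdict": "quarantine", "score": score,
                "reason": "signed by shared-provider domain " + ",".join(shared)}
    if score >= SPAM_THRESHOLD:                  # class 2: own-domain signer, score-based
        return {"class": "dedicated", "verdict": "quarantine", "score": score,
                "reason": "keyword score over threshold"}
    return {"class": "dedicated", "verdict": "deliver", "score": score,
            "reason": "own-domain signature, score under threshold"}


# Constructed sample messages (not real traffic); signature values are placeholders.
SAMPLE_SHARED_UNKNOWN = b"""From: Promo Desk <deals@random.example>
To: accounts@corp.example
Subject: Act now
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=amazonses.com; s=abc;
 h=from:to:subject; bh=AAAA; b=BBBB

Act now, a wire transfer is waiting.
"""

SAMPLE_SHARED_CUSTOMER = b"""From: Alice <alice@customer.example>
To: accounts@corp.example
Subject: Re: renewal
DKIM-Signature: v=1; a=rsa-sha256; d=onmicrosoft.com; s=selector1; h=from; bh=AAAA; b=BBBB

Renewal signed, act now on the invoice please.
"""

SAMPLE_OWN_DOMAIN_CLEAN = b"""From: Bob <bob@vendor.example>
To: accounts@corp.example
Subject: Meeting notes
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=mail; h=from; bh=AAAA; b=BBBB

Notes attached from this morning.
"""

SAMPLE_OWN_DOMAIN_SPAM = b"""From: Security <it@vendor.example>
To: accounts@corp.example
Subject: Verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=mail; h=from; bh=AAAA; b=BBBB

Act now and verify your account to keep free access.
"""

if __name__ == "__main__":
    for name, raw in [("shared/unknown", SAMPLE_SHARED_UNKNOWN), ("shared/customer", SAMPLE_SHARED_CUSTOMER),
                      ("own/clean", SAMPLE_OWN_DOMAIN_CLEAN), ("own/spam", SAMPLE_OWN_DOMAIN_SPAM)]:
        print(name, classify(raw))
```

One caveat that matters in production: this reads `d=` without verifying the signature, and anyone can add a `DKIM-Signature` header claiming `d=customer.example`. Verify the signature against the signer's published key first (a library such as dkimpy does this) and key the allow-list on the verified signing domain as well as the From address; otherwise the "own domain" class is only as trustworthy as the sender says it is.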

Blow me down with a feather, well, storage server software update gone awry: Nest vid streams go dark for 16 hours

aaaa
IT Angle

Re: Remind me again ...

Look, I totally agree, but I'm also curious why so so so many disagree (and pay fistfuls of dollars to prove it).

I saw things like 'back to my mac' as pretty awesome - the ability to travel anywhere in the world, but still get at my data on my home server. It was the direct opposite of 'the cloud'. But 'back to my mac' is no more, and the cloud is rather popular.

I *think* the idea that *our* data should be on *our* computers failed because:

1) there is more money to be made in cloud - people realise they lose everything the second they stop paying, so they keep paying. Increase price, repeat.

2) NAT. UPnP just didn't work waaay too often. Though I usually found that Apple's implementation via 'back to my mac' worked pretty well, I saw plenty of discussion posts saying people had trouble getting routers/firewalls to play nice

3) explaining it. Apple are masters of marketing, but even they couldn't turn this into a saleable pitch that could be understood by the masses.

4) utility. If someone burns my house down, if the video is stored in the cloud, there is a chance I may catch the culprit via the stored video - but if the primary storage in in the house that burned down, or in the cameras that burned down in the house, then not so much. Cloud does have some advantages.

5) luck. Most cloud service contracts I look at - everything from Amazon S3 to Office 365, the SLA is pretty rubbish - but most people are pretty lucky - their cloud services don't fall over and lose all their data, so most people don't care.

As for me - last year I was going to upgrade all my Nest cameras to the new 4K ones, but when I saw that they were moving everything into Google I put a halt on it. I think I'll go with the iCloud Secure Video solution instead - but I'm annoyed that so far there are only HD and no 4K implementations... Meanwhile I'll keep the Nest HD cameras and pay the subscription as long as I'm not forced to migrate my account. Until I find a better solution.

FUSE for macOS: Why a popular open source library became closed source and commercially licensed

aaaa

Re: There's always the Eudora model (free software, support via contract)

This is a terrible model. It encourages the developers to write software that is buggy. Seriously: the only way you get paid is if people need support? You don't want that software.

I sponsored an open source project and we used this model - it was great when we started, because the project code was buggy, but with sponsoring the developers did a great job of improving the code, and within a year or two the user base had grown a hundred fold and the number of users paying for support was around .0001% - not enough to pay to keep the developers employed or the lights switched on.

I'll take your frame to another dimension, pay close attention: This AI auto-generates 3D objects from 2D snaps

aaaa
Devil

re-write the heading

This AI auto-generates 3D objects from 24 differently angled 2D snaps.

Not quite as ground breaking as it seems. I think people have been generating 3D objects using multiple camera angles for years...

Judge to interview Assange over claims Spanish security firm snooped on him during Ecuador embassy stint

aaaa

Re: A Non - Lawyer Writes...

Also not a lawyer...

But I think this has nothing to do with human rights per se. but his ability to mount a defence to the extradition charges. ie: if those on the opposite side have access to client-in-confidence material from Mr Assange then his rights to a fair hearing are diminished, which the judge would need to take into account.

In front of this judge in the UK courts the prosecutors would be in contempt if they have this material, or perhaps even if they attempted to access the defences client communications. I also think they'd likely be disbarred.

How, where, when they obtained it is not so much the issue, as that if you have it, and you are attempting to use it in front of a UK judge, then you are potentially in a lot of trouble.

Four words from Cisco to strike fear into the most hardened techies: Guest account as root

aaaa

Re: No updates for in-contract non-EOL cisco devices

AC: The one question I would have is when did you buy the 5505?

If you check my link to community.cisco.com in the OP you'll see the answer to your question. You may have made a different decision based on the same criteria, but we purchased way before the end of sale date was even announced.

If I'd known that Cisco wouldn't honour its contract, and retire the software early (in breach of contract) then the ROI wouldn't have stood up and I'd have proposed an alternative, but we have to go into contracts assuming good faith.

aaaa
FAIL

No updates for in-contract non-EOL cisco devices

So I switched from HP gear to Cisco a few years ago, but recently discovered that our in-contract hardware, with an EOL of 2022 is no longer receiving security updates, even though that's exactly what the service contract promises.

https://community.cisco.com/t5/small-business-security/asa5505-software-update-to-9-4-to-resolve-security-advisory/m-p/3918845/highlight/true#M7158.

For now I'm willing to suspend disbelief and assume left hand hasn't quite understood what right hand has done. Waiting to hear back from their legal dept. If they don't start issuing security updates for in-contract hardware, then there is no way I'll ever get permission to buy any cisco kit ever again - and I'm quite sure I'm not the only one.

Life's certainties: Death, taxes, and Cisco patching more serious vulnerabilities

aaaa
FAIL

Still no updates for in-contract non-EOL cisco devices

So I switched from HP gear to Cisco a few years ago, but recently discovered that our in-contract hardware, with an EOL of 2022 is no longer receiving security updates, even though that's exactly what the service contract promises.

https://community.cisco.com/t5/small-business-security/asa5505-software-update-to-9-4-to-resolve-security-advisory/m-p/3918845/highlight/true#M7158.

For now I'm willing to suspend disbelief and assume left hand hasn't quite understood what right hand has done. Waiting to hear back from their legal dept. If they don't start issuing security updates for in-contract hardware, then there is no way I'll ever get permission to buy any cisco kit ever again - and I'm quite sure I'm not the only one. Up until now it was one advisory - now with this latest set it's 3, but curiously the 'new' list includes one actually fixed for ASA5505 in IOS 9.2.4.8, so I don't know how that affects my theory...

After banning adverts in command-line terminals, NPM floats idea of Patreon-style donations to open-source devs

aaaa

Re: Payment

These two replies pretty much sum up the argument on both sides.

My take: the problem is the definition of 'free' - GNU FSF defined it as 'freedom' like the 'free press' - you still need to pay for your copy of the New York Times even though it's the 'free press' and that 'free' software (or 'free press') is more valuable than non-free software (or the non-free press). You can pay via ad-supported online access to 5 articles a month, or pay via a subscription, or pick it up for free in the airport lounge because the airline paid for it with a small part of your airfare, but paying is required at some point by someone because otherwise you will only end up with non-free press.

I'm happy to write this software 'for free' for other people who are hobbyists/students doing stuff 'for free' too - but once you start to use my software primarily for commercial gain, then yes, I expect to be given a small reward for that, or a slightly larger small reward if I also agree to improve/maintain it for you. Why? Because it's fair certainly, but more importantly, because this is a very economically efficient way of finding valuable work - the economy doesn't bear the cost of all the software written that people don't find useful, it only bears the cost of the useful software.

If we don't pay - the result will be only non-free software.

Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds

aaaa
IT Angle

Why no whistle blower’s?

Why don’t IT people blow the whistle when they see this at the organisations they work for? Is it just fear of losing a job (real enough/fair enough I guess...)?

Or is it that IT skills have dropped so deplorably low that really no-one in these companies is aware that unencrypted data, plain text passwords, is really seriously bad. In an organisation this size, with a database this size, my guess is 10 to 100 people would have known the database schema.

Finding these things by trial and error is too painful. There must be a better way. Any ideas?

And do I really want to hire one of those 10-100 folk who thought this was not worth blowing the whistle on?

Am I completely out of touch or what? I want to know, seriously, because this just looks crazy to me.

Apple's privacy schtick is just an act, say folks suing the iGiant: iTunes 'purchase histories sold' to data slurpers

aaaa

Pandora not Apple.

The suit (see the PDF linked to in the article) is about “iTunes and Pandora Music Purchasers” list offered for sale by CDM.

That is iTunes AND Pandora.

Any app on iOS that wants to access your music library can use this API (which requires user consent BTW):

Read all about it: https://developer.apple.com/documentation/medialibrary

If the user grants this permission, then the app can do what it likes with the data.

Seems likely the Pandora app is collecting info and then Pandora are selling it.

There is nothing in the suit to demonstrate Apple are selling these lists. There is a LOT in the suit to suggest Pandora are selling the list.

The whole thing is very little to do with Apple, unless you think Apple should add more restrictions to iOS app developer contracts.

But I wouldn't be at all surprised to find Pandora banned from the Apple App store soon.

What bugs me the most? World+dog just accepts crap software resilience

aaaa
IT Angle

Re: And this is why I will never pay for software

> Until paid-for software comes with the same freedom to study and adapt it (even

> without the freedom to share it) as Open Source software, it really isn't a hard

> decision to make.

Absolutely yes.

The problem is not paying for software. It's the T&C's (as many other previous posts pointed out).

Yours was the first post I saw point out that the fundamental problem with the T&C's is access to source code, so that if it's not commercially viable for the vendor to fix your problem - you can fix it yourself.

I run a company that sells software. All our software includes source code. Back in the day this was always done - a small company selling software to a large company could expect the customer to require a copy of the code kept 'in escrow' in case the small vendor disappeared. We got around that by just simply supplying the source with the commercial binaries, and a license clear that the source is copyrighted by us and they can't resell the software or create derivative works. I'm not sure how many customers use the source, I've had a few reach out to point out missing headers that we forgot to include, so some clearly do check it. I only know of one customer who has ripped us off - but that's just by using 3000 copies of the binary when they are licensed for 10, no evidence they even tried to re-compile the source to do it.

I use a lot of open source software - and pay for all of it. I either donate, or if the vendor has a 'commercial' partnership arrangement I use it. Plus of course I submit bug fixes, donate the time of my dev team to work on code (because it helps us in the long run), etc.

Spyware sneaks into 'million-ish' Asus PCs via poisoned software updates, says Kaspersky

aaaa
Happy

Re: Modern times

But I don't think you'll be able to say that in 25 years time, about a PC you buy today.

aaaa
Big Brother

6 months to find...

The article did say why. That the binary was legitimately signed and had been downloaded from a whitelisted location.

Reading between the lines I think you can say that it probably wasn't until one of the 600 MAC address affected PCs was installed with Kaspersky's software that the gig was up, because once the software activated, then anti-virus would quickly pick up on it - when it's dormant, there isn't any nefarious activity to detect...

Click here to see the New Zealand livestream mass-murder vid! This is the internet Facebook, YouTube, Twitter built!

aaaa
Unhappy

Why share?

Long one. Please bear with me.

So I just got back from the playground with my 2.5yo. The playground is beside a lake, and there is a carpark that faces the lake, and a scenic walking/biking track that goes around the lake.

As we're walking to the car I remote open the boot and a few seconds later a group of guys walking behind the cars, stop behind my car?

I find this a bit odd. Why walk behind the cars when there is a really nice scenic walk 5 steps away (around the lake). Why stop in the middle of the car park? Why stop behind my car.

I'd usually leave my child's bike and bottles and junk near the path and carry her to the car to strap her into her seat, then go back and get all the junk and put it in the boot. I leave the boot up during this process, because parking spots are at a premium, and I want anyone cruising for a spot to realise this is not going to happen quickly. But given this group of guys is now behind the car, I decide to carry toddler, bike, etc. all with me and put the stuff in the load space first, and then go around and strap her in.

The guys, 4 or 5 of them, mid-20's to mid-30's, white, 5'8" to 5'10", short hair and clean shaven, wearing athleticwear (shorts/t-shirts), remain behind my car the whole time, talking.

They are talking about the terrorist video. They are trying to decide which bits they like best. The shooting outside? The shooting inside?

I almost throw up.

I get my daughter strapped in, close the tailgate, and start the car. They move one car spot away, stop behind the next car. I lock the doors and reverse out. As I drive around the car park to the exit, they are still there. The lights change and I leave.

With 20/20 hindsight, I could have taken a good photo from the other side of the car park while waiting for the queue of traffic at the lights. But I didn't think of it. No I don't have a dashcam.

About 15 minutes later when I have time I call the local police station to report it. No they were not carrying anything. No they didn't seem to be prepared for any immediate violent act. Their loitering behind the cars in the car park was suspicious and their conversation revolting, but nothing more than that. The police directed me to a web page where I could record the particulars, which I promptly did. During the process of describing it, I realise that where they were standing was probably not covered by any security camera, possibly explaining their preference to remain there.

So why repeat all of this here?

Because the item the author of the article fails to address, is that A LOT OF PEOPLE like and share this stuff.

It's abhorrent that they do, but they do.

Yes it's less than the total user base of facebook, but it's clearly not a tiny proportion.

Yes, it's been proven clinically that it's a sign that they are more likely to abuse animals and people.

In China, I imagine they would not so much do a better job of banning the content, as severely reduce the points in your social balance once they found out you had watched it, and even more if you'd shared it. You'd likely never get a house, job, car or date ever again.

I don't want that to happen in facebook-land, and besides, it won't stop the guys in the car park, will it?

The root of the problem is people actually liking this stuff.

And whilst it's a social problem, it's not a problem I think social networks can fix, and certainly not with time-delayed video.

'It's like they took a rug and covered it up': Flight booking web app used by scores of airlines still vuln to attack – claim

aaaa

and our technical teams took immediate action

The much-maligned epithet "all businesses are IT businesses" actually has quite a lot of relevance.

The phrase "and our technical teams took immediate action" shows just how out of touch senior management is.

It would be as if the director of Boeing, criticised that his planes can't stay in the air replied "our technical teams are taking immediate action...".

It's not your technical team that needs to take action, it's the whole company that needs to take action, starting with the board.

Apple in XS new sensation: Latest iPhone carries XS-sive price tag

aaaa
FAIL

I returned my iPhone X because I don't know how to ask for help

I had the iPhone X for about three days before it was returned because it basically became useless while driving and I was having to pull the thing out of my pocket and hold it up to my face for three seconds to check a text.

A quick google search found this answer:

From your post, I understand that you are not able to ask Siri to read your incoming text messages while you are driving; you are being prompted to unlock your iPhone. I’m happy to help you troubleshoot this situation!

From what you have stated, it sounds like you may have Messages previews disabled. Navigate to Settings > Notifications, Messages > and adjust Show Previews to Always. After making this adjustment, test this functionality again.

I just tested this on my iPhone X with latest iOS 11 and it works as advertised.

Apple leaks rekindle some hope for iPhone 'supercycle' this year

aaaa
Thumb Up

A lot of SE's

I like the smaller phones - and have an SE, and am eagerly awaiting the SE update.

Whilst it's not got a high price tag - I think there are a LOT of people waiting for that upgrade.

A 'cheaper' iPhone X plus a 'new' SE could lead to a supercycle.. it's not beyond reason.

Australia on the cusp of showing the world how to break encryption

aaaa

iMessages in the Cloud

Apple recently introduced their ‘iMessages in the Cloud’ feature - and I think it’s aimed specifically at satisfying this type of legislation.

The iMessages are still encrypted end to end, but a copy is sent to Apple and stored on their iCloud server to which they have a master key and can respond to warrants etc.

To satisfy the Australian legislation all they need to do is ensure it’s turned on and can’t be turned off. Either explicitly or implicitly eg: by forcing it on for ‘australian’ sold devices, or when on an ‘Australian network’ or by allowing command and control to enable that remotely on specific devices.

The Cloud is convenient for sure - but your cloud provider (anywhere) must respond to warrants and must be able to decrypt your data. On a public cloud there is nothing stopping you ensuring that the data you store on a cloud is already encrypted with a key only you have - but as soon as you use things like iMessages in the Cloud then that’s not an option available to you.

Time to ditch the Facebook login: If customers' data should be protected, why hand it over to Zuckerberg?

aaaa

I've seen that...

I've seen 'login by facebook' option on a few sites. You mean some people actually use that option?

I even do have a facebook account, and don't use 'facebook login'. Lots of people in these comments are saying it's popular and 'for lazy people'. Really? I'm pretty lazy - but it never occurred to me to use that option - partly because I've no idea what my facebook login and password is - you type it in once when you register and it never asks for it ever again AFAICT. If it ever asked me I'd have to open a new account - I don't even know what email address it's linked to to request a reset...

Honestly, I'm absolutely flabbergasted that anyone uses 'facebook login'. Are you really sure? Is there any actual hard data on how many people use it?

As other posts have said - it's just openid - so it's not like its presence on a web site counts for anything - the developer just added it by ticking a box. Sure it's insecure - but adding the option on our login page makes us look all millennial - no-one is actually going to use it, least of all millennials (never seen a snapchat login option).

aaaa

Re: my sons school forced me to use google/facebook

Looks to me like SIMS supports more than just Facebook - but lots of OpenID compatible logins, including their own (SIMS ID):

HTTP://WWW.SIMS-PARENT.CO.UK

'Housemate from hell' catches 24 new charges after alleged nightmare cyberstalking spree

aaaa

Re: Need help with a cyberstalker

I'm with @Sampler - definitely report to the local Australian cops, but reporting it in the US as a crime in the US (using a carriage service to threaten?). It may be worth contacting a US based lawyer too - primarily to find out if there are US based not-for-profits that may assist. If the cyberstalker is doing this to your friend, the chances are she's not the only one. As in this article - it's not until the cases start to come together that you really get traction.

From a technical POV - getting the evidence can be really really difficult - again as shown in this article. Law enforcement needed a VPN provider to co-operate to get anywhere at all. You can set a trap up though, maybe in combination with the phone call (see below). i.e.: your friend mentions they have a new computer or are now using Flickr or Dropbox or something - with the hope that the stalker will try and break in to look for more material. And there will be - but all the files will be fingerprinted or whatever to prove they came from that source. All the cops need then is to find those files in the stalker's possession to prove breach of DMCA.

From a non-technical POV - getting the guy to admit it on tape is always handy (e.g.: record a phone call). It won't have any legal standing, but it will help others to get on board your friend's case.

Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards

aaaa
FAIL

Version Control / Code Review? Hello!

Does no-one in modern IT do any QA or use Version Control? Whatever happened to code reviews? Checking that what is being deployed is what was designed, and that other parts of the code haven't been changed? This is software development 101 people. Maybe it's all Git's fault - in which case throw it away and use tools that are fit for purpose. I know the toolchain I use does all this because it's the single most important reason why we use change management - to track what changes, because our QA and release process regularly asks: what changed? and needs good answers.

From the Delta.com/response web site:

We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.

So the question of how an outsourced chat bot could access credit card info is answered - because it can access the DOM of the page beneath it.

Wearables are now a two-horse race and Google lost very badly

aaaa
Happy

Smallest phone

I like a small phone, and for various reasons I'm kinda stuck in the Apple eco-system. I like my gen 1 iPhone SE, but I'm not looking forward to upgrading to either iPhone Huge, iPhone Enormous or iPhone Massive when the time comes. So I'm seriously considering keeping the SE and just buying an Apple Watch Cellular. Once the watch is configured, it goes in the drawer. I think with Siri and a couple of apps I probably have everything I need until I get home.

Three things I'm still concerned about:

- I'm often stuck needing to do a little internet banking cash management when I'm at the shop - the Watch app seems to not allow transfers, only balances. I suppose I could use phone banking at a stretch tho. Or just keep my Apple Pay account topped up more regularly...

- battery life

- camera (but I think I have this worked out - buying a Red Hydrogen One as purely a camera)

I'll probably hang out on my decision until April or May and see if it looks like there will be an Apple Watch Series 4 with better battery...

iPhone X 'slump' is real, whisper supply chain moles

aaaa
IT Angle

Doesn't make sense

It just doesn't add up.

As AppleInsider wrote: "Apple has previously sold 50-60 million iPhones in total in its January quarter. Imagine launching three new flagship iPhones at the highest prices ever asked, while also introducing the widest array of new, cheaper options, and then "envisaging" that the vast majority of customers would all buy just one of those models: the most expensive iPhone X."

No way was the order for 45-50 million panels in the January 2018 quarter.

Maybe the order was for 20 million and Samsung thought they would over-produce / made a gamble.

There are too many 'unnamed sources' in these articles - the numbers just don't add up. It sounds like a story is being spun - and there is enough being hidden to make it impossible to tell why this story is being spun (an attempt to undermine Apple by Samsung - both a key supplier and a rival?).

But The Register repeating it all verbatim without any analysis or critical thinking is poor journalism.

Are you an open-sorcerer or free software warrior? Let us do battle

aaaa
Unhappy

Complete failure of stated objective

From the article "The OSI wanted to make free software "more understandable to newcomers and to business". They felt the term "free software", with "its seeming focus on price", was distracting."

Well - they are a complete failure are they not?

Look at the funding shortfall for even the most popular OSI software like OpenSSL. It only got addressed as a 'once off' and only after a helluva lot of publicity.

Free software has never been about price. It's like saying the Free Press is about having a free paper to read on the tube.

Free Software is more valuable than non-Free Software, and you should be paying for it. Or you know, don't pay, and find the software stops being supported suddenly because the programmers who were maintaining it had to go and get jobs at Tesco because they were about to be evicted, whilst their software was being used in mission critical and customer facing systems in 9 out of 10 Fortune 500 companies. I wish I was making this up.

The Free Press is far more valuable than the non-Free Press. It's why we watch and PAY FOR the BBC for our international news, and not 'Russia Today'.

Uber quits GitHub for in-house code after 2016 data breach

aaaa
Devil

Git is a risk to any organisation

Git is a risk to any organisation trying to protect their Intellectual Property (IP), specifically:

- lack of security, particularly at file/branch level

- lack of auditing

- lack of centralised management tools (because it's distributed).

- lack of version history if developer 'loses' the repository, all that remains is what they 'published' or what was 'pulled' by the release process, easily less than 1 in 100 revisions.

Linus wrote Git because he was sick of having to do so much merging work - it doesn't get rid of the work - it pushes the work out to other people. Git is awesome if you are Linus - or working in a similar environment without IP and with volunteers/academics and where you can make everything everybody else's problem.

Git is rubbish at Commercial IT.

All the data breaches associated with Github show that Github makes it easy to upload things you shouldn't to publicly accessible repos (or at least repos not secured by SSH keys or 2FA). The on-premise solution we use (trying not to drop names) is designed exactly the opposite way. By default nothing is publicly accessible and you'd have to go to a lot of trouble to make it accessible, and then to enable anonymous access. It's called security by design.
