2265 posts • joined 29 Jun 2009
Don't even need a VPS, I'm using a pair of desktops I rescued from the dumpster almost 15 years ago (I grabbed a bunch and stockpiled spare parts and upgraded the machines as much as possible). I found a pair of Pentium-3 boxes with 512 megs of RAM and a pair of 20 GB disks is enough to serve a hundred or so users comfortably. They sure knew how to make computers back then, very few failures in the 15 years since I first powered them up (and after the 3-4 years they survived under users' desks).
I just built my own root dns server.
I went with a simple OpenBSD box running nsd and a daily cron job that goes out and grabs "https://www.internic.net/domain/*.zone" and the *.arpa files, stuffs those files into /var/nsd/zones/, and restarts nsd. I have a pair of servers that are just recovered 1 GHz P3 / 512m / 20g desktops with some extra NICs shoved in them. The two of them seem to handle around a hundred users at a time (those are the only boxes on the network that allow port 53 traffic out to the internet and the only machines that can listen on 53).
I've dumped www.internic.net into my /etc/hosts file since its IP address hasn't changed from 188.8.131.52 since it went live back in the 1980s (the damn thing is older than the internet, what with it being the root of the internet / World Wide Web and all...). If the IP changes, then something is definitely going wrong.
Between the IP being static and probably the most permanent thing on the internet, and the fact that they have their sig files posted and those too are static, I am very confident in the integrity of its data and then let DNSSEC take care of the rest. No need to trust any third parties, especially the likes of Google.
"login credentials for the hotel's telnet"
Telnet? Seriously? The hotel really should get a fine too, using telnet nowadays is a crime against technology...
Sunny Cali goes ballistic, this ransomware is atrocious. Even our IT bill will be something quite ferocious
Re: @oldtaku - Actually it's not Windows XP
I've been seeing more and more attacks against XP nowadays than I used to. Mostly because while overall use of XP is down, the stuff that is still running it tends to be of a much higher value. Pretty much the only things on XP nowadays are going to be machines where there is a damn good reason it is still needed. Like those niche machines where the company would lose buckets of money if the machine no longer functioned, but would cost even more money to migrate.
The most common systems I've seen are those niche manufacturing systems (which would have very valuable designs and schematics on them), control systems for really expensive equipment (that tends to also produce very valuable medical records), embedded management OS for old EMC SANs (which are likely supporting some old, but mission-critical software), and there are still a lot of ATMs / voting machines / kiosk systems that use it too.
Re: So many systems
Yeah, a lot of cities will either consolidate into a central "Information Services" group that handles IT for everyone. A lot of times this is run by an outside Managed Services Provider or something. I've also seen some municipalities where one group will get a massive grant, build out a bunch of IT equipment with the money, then rent out excess capacity to other agencies.
This is almost always done for cost-savings rather than the benefits of consolidation. Usually one of the first things to go is backups and monitoring software. This results in an all eggs/one flimsy basket scenario which is ripe for ransomware.
Re: So let's look at this again (again).
His computer was infected as well. Apparently at some point, he disabled the antivirus on his computer so he could install a key-gen for Microsoft Office, then when he turned his AV back on, it rightfully reported that he was infected with several bits of malware and some stuff that looked a lot like malware it hadn't seen before (the NSA exploit code). Since it hadn't seen it, the data was uploaded to Kaspersky's servers for further analysis (so it can be determined if it really is malware and so a definition can be made to detect it in the future and for other users).
So, more of:
Man takes classified spyware home
Disables antivirus because it was preventing him from running virus-riddled code
Runs code, machine gets infected
Man turns Antivirus back on, it detects the infection and suspicious code as well
AV attempts to clean the malware it knows about
AV uploads suspicious code it never encountered before for analysis
Really, the only thing Kaspersky is guilty of is trying to protect other users from some unknown bit of malware.
The only use I can think of:
The only use for this that I can think of would be to start tinkering around with Linux equivalents of Windows-only software until either the code or the user are good enough to just use straight Linux (or at least Linux + Wine).
So really, pretty much a reverse Wine (LINE?). So pretty much use the subsystem as the first step to transition, then when more than 50% of time is spent with applications running under emulated Linux, then it's time to go to a Linux base with Wine to run the remaining Windows-only crud, then slowly go to a pure Linux.
Ah, the early Sun days
I remember those days where desktop machines were really just mainframes / mini-computers that were trimmed down, with the standard TTY and printer replaced with a video controller and a keyboard. They'd go all weird when one of those wasn't working because the system never expected those things to not be available (what with them supposed to be soldered on...).
I also remember some of the models that tried to be smart and if a keyboard and/or monitor was missing at boot, the system assumed you wanted to use Serial 0 as the console. So if you accidentally knocked out the keyboard at boot, the system would work just fine (OS would boot, daemons would start and begin doing their thing, etc), but nothing would be displayed on the console, nor would keyboard input do anything (since the keyboard input is now routed to TTY1, but TTY0 is attached to the kernel).
A lot of it was just really teething issues and programmers needing to unlearn a bunch of assumptions from before the beginning of the transition from computers having their own rooms to them being out in the office.
The two-factor authentication scam had victims register with the scam's website (purporting to be the IRS / FBI / ICE / etc). As part of registration, it used a legitimate two-factor authentication system and asked to 'help secure your account' to lend the scam credence. The scams were fairly similar, they'd start with "You are being investigated by <agency>, log into <website> and register with case <number> to respond to the accusations and view your case file" then when they register, they are asked to enable two-factor authentication 'for their protection'. The scam would then keep going on and on asking for more and more money for 'processing fees' and 'filing fees' and 'fines'. Pretty much a standard 419 scam except rather than a Nigerian Prince, it is a Federal Agent and instead of money they promise, it's either not being arrested or deported.
For the Israeli certificate on a fake Saudi Arabian bank website it was a matter of a fake website that used all the logos of the real one, but the URL was slightly wrong (in this case used an 'n' instead of an 'r' in the url). The website even had an EV certificate that used the correct name of the bank as the verified owner, and for all intents and purposes looked like the real bank's website. The thing even functioned just like the real bank (every action was 'passed through' to the real bank's website). The thing that really tipped me off was that the EV certificate was signed by a certificate authority based out of Israel that has a history of working with Mossad, western intelligence agencies and malware mercenaries like the Equation Group.
Re: Not digging deeply myself, I wonder how much of your supposed privacy you need to give up
Call me paranoid, but I am so very worried about the amount of data that social media services are collecting especially when no one has really done anything to get rid of the whole FISC and their unconstitutional National Security Letters. I mean, at this point Facebook and their ilk have compiled a nice juicy database that contains our real names, locations, friends, religious beliefs, sexual orientations, nationalities, citizenship status, political position, etc (A lot of this isn't directly asked, but can be gleaned simply from the things people post). I am afraid of the day that the administration decides to just issue an NSL for that data, then use it to build their lists of 'undesirables'.
Due to the nature of NSLs, they may already have such a list and there is no way for us to know about it. And that frightens me more than anything ever could.
Yup, like I've been seeing quite a few phishing websites with Extended Verification Certificates, but are otherwise amateurish copies of the real things. But people trust them anyway because the bar at the top of the browser is green.
I've noticed that a couple of these phishing sites are using certificates issued by CAs that are either government-run or are suspiciously friendly to governments. Like the other day I noticed a phishing website purporting to be a fairly large Saudi bank held a certificate issued by an Israeli CA. Or an Indian bank that was using a Pakistani-issued certificate.
I've also seen password stealing pages that use captchas, scams that require two-factor authentication, and many other nasties that take advantage of security mechanism to appear legitimate.
Except Wordpad is a piece of shit when you want to work with files that have lines longer than however many would fit into about 7 inches of printed space.
Intentionally reading a log file in wordpad should be considered a cry for help...
Re: If you found yourself in charge of the in-box Windows 10 apps, what would you do with them?
"Or check myself into Bellevue for a long stretch..."
I should point out that Bellevue is also the name of a city in Washington State that is host to several Microsoft offices...
Re: Blockpad as a service
Can't forget the requisite shoehorning of Cortana into it.
"When in the history of computing hasn't a system come with a basic text editor ?"
RHEL 7 when you install using the 'minimal' option. Comes with a web server, but doesn't have nano, emacs, vim, vi, and even lacks ed. Fortunately it does have grep, sed, cat, and echo. RHEL has abandoned the command line and now expects you to use the GUI for everything (Seriously, fuck you NetworkManager)
Probably not just down due to the FBI
I'm thinking that they shut everything down not to arrest the guy, but to clean up the network and verify that everything is clean. He was on their network, and child porn tends to come paired with more than a few malware nasties (or at least in my experience of cleaning up networks that had been used by pedos to share their materials).
Two weeks does sound about right for how long it would take for the Feds to take what they need, and for an IT team to come in to quarantine the network, re-image everything that can be re-imaged, and do thorough scans on things that can't, and then replace any equipment that the feds took for their investigation.
Stop using passwords
Passwords are useful for authenticating user-computer interactions, but suck otherwise. But what machines are good at is certificates. With IoT devices, I figure the much easier way of doing things would be to have each device possess its own certificate signed by the controlling entity and authenticate by requiring a certificate signed by the same entity to communicate with it. To get the whole thing going in the first place, it could just have a USB port on it for initial configuration and only after configuring it does it turn on its network interfaces.
Big Cable tells US government: Now's not the time to talk about internet speeds – just give us the money
"the most technologically advanced nation on the planet"
I'm confused, isn't this article about the United States?
You don't need to leave it in a public place, this flaw could be exploited by someone that is normally allowed to use the machine, but not trusted with anything more than guest access rights. Like, say a work laptop. The dongle doesn't even have to be installed, just the driver software, so not out of the realm of possibility for the software to be installed as part of a corporate-standard image, in which case all of them would be exploitable.
The problem is that they set the driver's directory to give full permissions to the 'everyone' group, this even applies to the service executable, which runs at a security level that not even an enterprise admin has when logged in. (Essentially they set it to 777 and configured the daemon to run as root).
Really, the only thing you need to do is run cp <Malicious executable> C:\Program Files (x86)\Web Connecton\BackgroundService.exe as anyone who can access the system, and now you have unfettered access to the entire system at next boot. Hell, this could even be embedded into a simple autorun script.
"a minor security issue"
If a trivial flaw that allows anyone to run code with kernel-level permissions is a 'minor issue', I have to wonder what they'd consider 'major'. Like, what, does it have to somehow spawn arms and stab the user to death before burning down their house?
Except now, you'll be able to browse a 100 TB file 30 years from now and still see that a 3rd party had signed a message from some rando to some other rando.
Re: Blockchain ? Oh yeah, that thing that keeps growing and growing and ...
See, with the block chain now everyone can waste their disk space on undeletable data rather than just one entity that has the capability of pruning it over time.
The concept of verifying the veracity of the information recorded in a block chain is only possible if we know what generates that data in the first place and can trust it to write the correct data. The blockchain can really only provide proof that a certain piece of data had been written to it, not that the data itself is correct in any way.
Re: Lookalike Targeting
"On the other hand, a cohesive group will not get into shouting matches/get torn apart about divisive subjects."
I've found that the more homogeneous a group is, the more they are going to fight about trivial bullshit and fight more intensely. Like when you bring up bracket styles in development chat rooms / mailing lists and they'll be an inch away from stabbing someone over whether the function closing bracket gets its own line or not.
Re: Companies probably aren't doing this to discriminate
They are suing Facebook in addition to the organizations posting the job ads specifically for that reason. Facebook's pricing model for posting job opportunities is incentivizing posters to discriminate. The ACLU's goal here is to get Facebook to either A) eliminate the option of targeting job ads specifically to people based on their immutable characteristics or B) remove any cost difference between selecting one option versus two or more options.
Re: 47 mil? not enough
I've worked with many clients that will just pay the fine each time rather than actually fixing anything.
One insurance client was particularly egregious about it. They split the company into 3 pieces: The top organization held the name, equipment, liabilities for underwriting policies, etc. A middle, regional layer held the actual customer data. Then the bottom layer was the 'independent clubs' that actually interacted with the customer and handled the day-to-day stuff. The local 'clubs' would license logos and trademarked items from the upper company then contract through the middle layer for IT services and resell the middle company's insurance policies (underwritten by the top org).
It was designed this way so that the middle organization could be run as cheaply as possible and just pay fines for not complying with SOx, PCI/DSS, etc until they got shut down by the Feds. At that point the company would be liquidated, and assets (insurance policies, customer data) sold to a new organization that had just started up the day before and be staffed by all the former workers of the old company using the same equipment and same buildings as before. So essentially, they just change the logos and slightly change the name of the middle organization, and since the clubs are using the upper company's name and logos, no one outside the scheme even notices this change. So they get to keep on making massive profits while not doing a damned thing to actually protect customer data.
Don't go after the Hyper-scale market
They should go after the start-up market. Worm into the small, growing markets, then profit off them once they are behemoths. Really, the best tactic would probably be to tweak the architecture to be optimal for Machine Learning, Node.js, software-defined-whatever, or whatever today's fancy new shiny technology people are using to spackle over poor planning and terrible coding practices. And if it helps sell it, call it something like the "Raspberry Wedding Cake" so they can exploit how much the mainstream tech press loves to fawn over the RasPi while also showing how much more powerful it is (IE, it's like a Pi(e) but can serve many, many more people with one).
Intel unseated the big players in the IT space not by marketing to the customers that were perfectly content with their rooms full of mating dinosaurs and dumb terminals. But rather they went after the home user, the small businesses, the people and organizations that could never even do more than dream about having a computer of their own.
"The Chrome team has also updated the browser's Web Authentication API with a third type of credential, PublicKeyCredential, to complement the two other types it already supports, PasswordCredential and FederatedCredential"
So, wait, are they just now supporting x.509 / PKCS? That method of authentication has been around for decades... Or is it that the browser is now implementing the whole thing itself (which is a whole other bit of failure). Really, to be secure, it should be that the browser receives a challenge from the authenticator, passes the challenge off to the OS, then the OS handles the key decryption and decryption of the challenge, returns the response to the browser, then the browser forwards it on to the authenticator. Having the browser aware of the keys themselves is quite worrying...
It feels like this is just going to end in failure like when OpenSSL decided to implement their own malloc().
Re: I'm sympathetic
Exactly, I am in love with the idea of the internet, but what it has turned into, not so much.
Really, I'd be on board with someone building an entirely new network, especially if it was even slightly less dominated by the yanks and their propensity towards collecting data to spy on people and/or sell it to the highest bidder.
I miss my old bank
I used to use a local credit union that was founded by a bunch of employees of a computer security firm, unfortunately they got bought out by some regional crap bank that in turn got acquired by Capital One. But, in any case, they didn't fuck around with passwords, rather they just used smart cards and gave away the readers to whoever needed one (the employees would have one anyway). You could create your own certs if you had the know-how and they'd just sign them and add them to your account login. Multiple certs could be placed on a card and each could be restricted to certain functions.
This was a small credit union that held, maybe, $2mil in assets, and in 1998. How is it that 20 years later, they are still more secure than the vast majority of banks, especially those that are sitting on a trillion+ USD in their vaults?
Re: The NCSC agrees
"This is why my websites insist the password is entered by ASCII code,"
ASCII is too common, the secure method would be EBCDIC, or BAUDOT if you really want security.
From my cold dead hard drive
Seeing how Windows has gotten over the last couple of years, I am so glad I still have my old-ish computer and my Windows 7 Pro (KN) ISOs and CD keys. Not getting any new patches is fine by me, the code is pretty stable at this point and any remaining bugs are easy to avoid or at least recoverable. Security patches will keep coming for another 2 years and even then, my prevention mechanisms seem to work anyway: network firewall / proxy system running privoxy and ClamAV, a different AV product on the desktop, regular backups (with how little space Win7 takes up a pair of 2 TB external drives have lasted me quite some time), frequent scanning with the sysinternals tools (weekly on the live system, booting into a MDOP/DaRT DVD and scanning the offline system either monthly or after something unusual is afoot).
But, really, I have yet to see a compelling reason to even move to anything newer and every reason to stay the hell away from anything after Windows 7, especially when it seems that every time Microsoft releases a new feature, they just end up undoing it in the next version, but making it crappier than it was before (EG, the Start Menu). Especially since these new features seem to do nothing that would make life easier for me, and instead just expand my system's attack surface and punch holes everywhere.
Re: Hack against third-party interface
Might not have been, the bank could've left the admin port exposed to the links the ATMs use to connect to the network. In that way all the group needed to do was to compromise a single ATM, something that would be fairly easy to do with enough resources (Easiest way would be to practice on stolen ATMs, then bribe or extort the clerk at a store to look the other way while they compromise a live ATM).
Or maybe the switch had a security bug that allowed connected clients to perform admin functions. This is simply a risk when you have clients in untrustable locations accessing sensitive networks. It's an unavoidable risk since those remote machines have to have access to do their thing. This was likely their downfall, they thought that just because the interface was only on a trusted network, that they were safe.
Not absolving the bank, they really needed to be much more vigilant to things going on on their network and their remote devices should always do some kind of mutual authentication to ensure that they aren't talking to an exploited or counterfeit machine.
Re: More cloud anyone?
Another of those convoluted ad hominem attempts at an insult. I presume they meant to use the Greek letter "μ" (mu), which is used in measurement systems to indicate the prefix 'micro'. The dollar sign because that has been standard parlance.
I'd give it an 8/10 for creativity, but a 1/10 for readability.
Besides, to whose benefit is this? The vast majority of people commenting here are already quite familiar with Microsoft being greedy assholes and aren't going to argue with you about it. And it's not like you have to obfuscate their name, Microsoft has much better things to do than to cruise a forum like this trolling for people that aren't fans...
Re: I can see the future
New t-shirts aren't needed. One of my coworkers has a fairly large collection of punk-band t-shirts with morphed faces and other imagery on it. Those shirts will screw up AIs without a problem.
Those photo t-shirts you get at the mall seem to work quite well themselves. A former classmate of mine wears t-shirts with a photo of the FBI's poster for their most-wanted for that week and it will constantly trigger AI systems at various venues that have implemented AI (They actually work for the FBI and are doing it to increase awareness).
Smut slinger dreams of AI software to create hardcore flicks with your face – plus other machine-learning news
Re: Just say no
I'd expand that to handling any personal data at all.
"slice by slice of 2D images". I know I am being pedantic, but the MRI machine does not make 2-D images. Rather it produces 1-dimensional lines that are arrayed onto a radial plot by the attached computer (Learned this when I reverse-engineered the protocol since the computer attached was no longer usable and the hospital didn't have the $100k to buy a new one. Found out it was generic serial but over a proprietary port).
But, really, the best thing that AI could be used for would be to correct for organ movement throughout the scan to produce a better image, its quite hard to get a good image of the heart when it is busy doing its thing, trying to find tumors on a lung that is
The second best would probably be to establish a program where you'd get a full-body scan during a yearly physical and then the AI compares the scan data over time to identify anything that appears to be growing or shrinking that shouldn't be doing so.
The second worst idea would be to let an advertising company get anywhere near such data (I consider Facebook and Google ad-slingers since that is where their money comes from).
The worst is trying to 'fill-in' gaps in images. The point of taking MRI images is to detect those tiny anomalies and now they want to use AI to throw data that it 'thinks' should be in there. If your training data is healthy bodies, congratulations, you are now going to see a suspiciously high number of clean scans.
Satellite internet is complete shit. Last time I used one, the daily cap was so low that I would hit it not too long after waking up. The cap was around 250 MB or so (I think they bumped it to 500 MB a few years ago). Then there was the massive latency, which would cause some of my connections to restart and absorb even more of the bandwidth cap.
"$600bn spent on defence every year."
It's $720 billion now. And that is just the public budget, which ignores the one-off projects. Also ignores the stuff that isn't precisely defense, like the budgets for the TLAs, Homeland Security, and so on.
Removing Gambling Apps?
Can we have that here too? I am so tired of seeing ad after ad for yet another bullshit 'slot machine' bit of shovel-ware (And of course the ad is also designed so the exit button is ridiculously easy to miss, so you end up on the store page for the shitty thing)...
"caught in the middle of the escalating trade feud between the US and China."
Kinda their own fault at this point. They have hundreds of billions of dollars in cash, there is nothing stopping them from using some of it to build a factory in a country that isn't rife with human rights violations led by a pudgy wanna-be dictator. Or China...
"criminal fines of up to $750,000 when he is sentenced later this year."
Too bad the victims of his scheme aren't going to see a single dime of that money... It always angers me how our 'Justice' System will levy fines, but then do nothing with the proceeds to help the victims of that crime or to prevent the crime in the future. Seriously, all it seems to do is incentivize the justice system to let widespread fraud happen.
At 90 GB, the data was probably a slimmed-down patch for iTunes or iOS...
Re: if we can put a man on the moon, we can...
Actually, we can fix world hunger. Humanity currently produces about 30 trillion calories of food per day, enough for every human to have 3500-4000. We also have the technology and manufacturing capacity to solve the distribution problems. The only problem is getting the funding to do so (current estimates peg it at about 100-150 billion USD per year to cover >95% of the human population).
Re: Nothing worthwhile in the post-2012 gTLDs anyway
I've been thinking about updating it to do stuff like what you recommend; right now it's just a simple shell script that I wrote back in late 2012 and isn't much more than a 'curl', a dozen 'sed' lines, and the 'kill -HUP' to restart bind.
Nothing worthwhile in the post-2012 gTLDs anyway
I've been running my own pseudo-root DNS server just so I can block so much of this bullshit. It grabs the root.zone file off the internic ftp site once a week, then goes into the downloaded file, and rips out every TLD longer than 3 characters, most of the 3-letter ones, and a selection of the two-letter ones. Absolutely no regrets.
I even block my employer's gTLD since it does nothing but redirect to the appropriate sub-domain of the .com page (really, all it is is a bunch of CNAME records for each of the subdomains with an @ CNAME to point to www.company.com).
Too bad I haven't gotten one
I'm one of those weirdos with a password manager and no passwords are re-used, so if I see a password, I can tell you exactly where it was gathered from...
California lawmakers: We swear on our avocados we'll pass 'strongest net neutrality protections' in America
When will they just make the internet a public utility already?
I've been wondering what it would take for states to finally just sell internet services as a public utility already. The local government here seems to not be terrible at providing fresh water, sewer, electrical service, trash services, and their municipal internet services for the local libraries / schools / hospitals / public buildings. At the very least, I don't think they could possibly be any worse than Comcast and CenturyLink (the only two providers we have here).
I've always wondered if the cooling effects of a core not being used all the time would give you enough room in the thermal budget to increase the number of cores overall.
I figure that if a core's usage with hyper-threading is less than half of its usage when it is turned on, that could free up enough electrical energy and thermal capacity to add in another entire core. The break-even might even be higher than that because you'd be dissipating the same amount of heat over a larger surface area.
It'd add to the complexity of the chip, but if you can squeeze out more performance, it could be worth it.
Such an analysis would be useless
The effects of hyperthreading vary quite a bit based on the workload you are feeding it. The simplest method would probably be to profile a day's worth of work, disable HT, then repeat the exact same workload to see if there is a performance difference.
The easiest way might be to build two systems exactly the same (Same hardware, OS, software, etc. but one has HT turned on and the other doesn't), then run some sort of mirroring device so that both machines get the exact same data and do the exact same work.
I've seen MySQL databases do everything from falling to pieces to flying like a speed demon with Hyperthreading in different states. I've seen it vary that much with the same data, but slightly different queries used to process the data. One of our web applications went from an application-based spin-lock structure to using MySQL's atomic operations, in this case disabling HT actually increased performance about 10-15% despite having half as many threads available.