2867 posts • joined 27 Nov 2009
Re: The security folks will say...
I agree, although it depends on what sort of shell is running. Is it a standard bash shell or is it running some custom application instead, which doesn't allow any access to the underlying OS, let alone uploading code?
If you are sshing into a full bash shell, the supplier will need to provide a patch. If you are sshing into a menu driven configuration program with no ability to upload code, then you probably don't need to patch. To exploit the latter you would first need a zero day buffer overflow of some sort to gain any access to the underlying OS, in which case, Meltdown/Spectre is the least of your problems.
As you say, if there is a patch that affects performance, but you can guarantee that no external code is run on the device and you only log on once a year, you can decide for yourself whether the risk of not patching is worth it.
Re: everyone replaces their PCs
@AC re: Firewalls and blocking IPs.
Modern firewalls block traffic intelligently, based on more than IP address - also port, traffic type or traffic patterns. Some actually work on an "application" basis, so you can block the site for browsing for normal workers, but allow updates to be downloaded.
You can also block based on source (internal) IP as well, so your provisioning servers can pull down the updates and then push them out to the internal PCs. The endpoints don't need any access to the Internet for patching their OS or applications. Heck, you can then even set up test groups to ensure the patches don't cause any problems, before rolling them out to the entire organisation.
Re: everyone replaces their PCs
@Tikimon I agree with you, apart from the last paragraph. If you think Windows 10 is WAASS, I assume you aren't using an Android or iOS device for your mobile communications...
When properly configured, Windows 10 doesn't leak any more information than Windows 7; what it "leaks" is what you let it, for the most part. You want Cortana? It has to send additional information to the cloud to work, like an assistant. If you don't want Cortana, you disable it and that information isn't sent out. The same goes for many other services.
In fact, the controls in the latest version of Windows 10 are even more controllable than under Windows 7. You can allow / disallow specific applications access to the camera, microphone, location services etc. Something which older Windows couldn't do - that said, it still doesn't stop me putting tape over the camera lens! Better safe than sorry.
I have used Windows 10 for a while now and I wouldn't want to go back to Windows 7 now, there are too many benefits, even if I have to take a couple of minutes when setting up a new machine / account to ensure that information leakage is set to the level I want to accept.
Re: everyone replaces their PCs
I don't see them not being replaced, at least not in most businesses. At my previous employer, the CAD and ERP employees were all working on PCs or workstations with at least twin 24" monitors. At my current employer, the programmers have a similar setup.
You can't really replace multiple large screen setups with a tablet.
Re: Market Saturation
The problem is, just because the old PCs are now insecure doesn't mean there is automatically budget available to replace them with new kit. If a company has just rolled out a bunch of new PCs in the last quarter, they aren't going to be replaced immediately, they will have to struggle on for another couple of years at least, even if they are a little slower than expected.
Older PCs that were already nearing the end of their lifecycles (2010 - 2013 range), I can see them being replaced sooner, especially if the reported slowdowns are as bad as the press are saying... But in typical companies, where the internal IT infrastructure has a lower priority than the cleaning crew, I don't see extra money being made available for new PCs, when the old ones still "work".
Re: Market Saturation
Most people have PCs that are powerful enough for their needs.
My old 2010 Sony Vaio Core i7 got an SSD last year and went to my wife, it is fast enough for her needs. My 2015 HP Spectre x360 is more than fast enough currently for portable needs.
I did replace my 2008 Core2Quad Q6600 with a Ryzen 7 from Memory PC just before Christmas, because I wanted to experiment with Hyper-V.
At work, we rolled out over 20 new PCs in 2017 (company with 150 employees) at my last employer and this year, at my new employer, we have already rolled out 4 new PCs (2 ThinkPads and 2 Intel NUCs).
Some of those were PCs reaching the end of their useful lifecycle (5 - 8 year old PCs being replaced) or for new employees starting at the company. And that is the problem today, when the PCs don't stop working, they are often "good enough" for at least 5 years of use, whereas in the past, you really needed a new PC every couple of years.
Re: 3-2-1 @missingegg
@missingegg my stepdaughter went to Uni and I gave her 1TB of OneDrive storage, she had a Google account and a bunch of USB sticks... She stored all of her data on her MacBook Pro, didn't tell me the USB sticks didn't work (or rather the USB ports on the Mac didn't work properly).
Then, on the way back from Uni, she threw her coffee flask in her backpack, along with her MacBook Pro... But forgot to close the flask first. By the time she got back home, there was a lovely crystal pattern across the inside of the screen and coffee was pouring out of the ventilation slots. We tried drying out the hard drive, but it was encrusted with a sugary mess and despite all attempts, the data was lost, including her dissertation.
The first thing I did with her replacement was to put a Carbonite subscription on it. It came up for renewal last month and she paid for the renewal (she has now graduated).
As you say, most people do nothing to protect their data, even if they are given multiple methods of protecting it.
No file exists if there aren't at least 3 copies, on 2 different media, and 1 is offsite...
In this case, only the Offsite part of the equation was fulfilled. I would never use a cloud service as the only source of my files. At best, for backup or sharing.
Re: Embedded systems
Exactly. If they gain access to the systems, you have bigger problems than Meltdown and Spectre - if they have gained access, they probably don't need those exploits to get at the data.
Re: Safe enough - IF no third party code
If they can get access through a backdoor, then Meltdown and Spectre vulnerability is moot. They already have full access, so don't need any further exploits.
Re: Of course they're not patching
The other point is, generally, they are using a proprietary OS or at least management shells, with no standard ports / shell tools available. That means somebody has to first compromise the SAN in order to be able to run a version of Meltdown or Spectre customised for that platform... Which probably means there is no point running Meltdown or Spectre exploits, as you have already gained access to the device, which you shouldn't be able to do anyway...
I.e. if the attacker is in a position to run Meltdown or Spectre attacks on your SAN, then Meltdown and Spectre are the least of your worries! (At least for the devices mentioned in this story)
Re: Tabs v spaces
RPG II anyone? Each position on the first line was another configuration parameter and woe betide you if you missed a character.
Then setting flags, using exact column positions.
Give me semi-colons and tabs/spaces any day!
And what about in-line or hanging opening curly brackets?
Re: Trivial? Hmmm.
@Christian Berger a computer can only guarantee that sort of precision if it is locally attached and if it is running a RT kernel. Standard Linux/UNIX/Windows kernels aren't real time and can't guarantee the response times required.
If the computer isn't doing anything else, it might work most of the time. But it just needs a delayed disk write to mess things up.
At a previous employer, we actually did real time control of the PLC, reading RFID tags and setting gates on the line depending on an algorithm that took into account the quality of the meat and the customer's processing requirements. That worked very well, but needed local computers and a lot of know-how to get the system to run fast enough and reliably fast enough to receive transponder information and pass the decisions back to the PLC.
Re: No surprise really
They were designed to be air-gapped. Putting them on the Internet is just plain silly.
On the other hand, the EU has similar regulations.
Especially for financial data, in Germany, if you want to use a cloud system to process your company data that contains any financial data, it either has to be stored in Germany or you need a special dispensation from the Treasury (Finanzamt).
If you are running a modern system without AV, you have taken a conscious choice to remove it - either MS AV or the crud that was supplied by the PC supplier. Therefore you should be taking care of the system through other methods and therefore should be keeping an eye out for such security problems.
Re: I remember the days ....
On the Amiga? You got updates when the next version of the OS was released, you didn't get patches, generally.
Re: I remember the days ....
But you didn't have the press shouting Armageddon from the roof tops before the patches were finished and forcing people's hands.
KDE on hardware, bash on VMs here.
Re: But how do they spread fires?
I would assume by fanning the flames of the bush fire with their wings, causing it to spread in a different direction or quicker.
The article talks about the spread of fire, not starting fires per se.
Re: Intel Inside...
Hmm, good timing... I bought a new PC just before Christmas and decided to go AMD after about a decade of Intel...
Re: Why would VMware like it?
I think that is part of the problem, plus using Azure with Hyper-V is going to be easier in the long-run, so VMWare are probably worried that Microsoft and its customers will use it as a stepping stone...
Re: UK not much better (in the quality of its arguments)
But, in this case, we are talking about Irish servers, owned by an Irish company on Irish soil, which just happens to be owned by an American company.
Microsoft can't legally hand over the data to the US without an Irish or EU warrant under EU and Irish law, regardless of what the US supreme court decides.
Re: Change "email" with "money"...
And maybe the state attorneys should actually study the law, before opening their mouths.
It is their own incompetence that has led to this problem. There have been legal mechanisms in place for decades to get access to this data, without them having to act like xenophobic idiots and which, if there was any reasonable case, would have gotten them the information years ago, without all this stupidity.
Rules of IoT
1. don't use IoT devices on your network.
2. if you need to use IoT devices, see rule 1.
As long as the driver architecture doesn't change, those features should still, probably work, but you get the new features and security updates promptly.
Fingerprint readers, wireless charging and many other fairly standard features are supported directly in android, although it will be a question of how well the drivers are implemented, as to whether they still work.
On the other hand, I'd rather have a secure phone and have something like HDR photos broken for a few days than have HDR photos and a pwned phone...
It isn't just carriers. We have a fleet of Samsung Galaxy phones at work (S5 through S8) and none of them have been patched beyond August 2017. My personal Nexus device has the latest November updates...
When even the biggest Android suppliers can't be bothered to protect their customers, why should you ever buy a phone from them?
My Nexus is slowly nearing the end of its useful life, with updates planned for about another 12 months. The Pixel line are just too expensive and I don't know of any third party manufacturer that keeps their devices patched to cover the latest zero-day fixes. Does anyone know of any manufacturer that has released the November 2017 patches for their flagship devices, let alone models 12 months old or older?
That is the one thing I liked about Windows Phone, it offered central patching from MS, similar to that of Apple, and the configurability of Android. Unfortunately, it was too little, too late. I have both the Nexus and a Lumia 950. The 950 is a much better phone to use, but most of the apps I use have been pulled or are unstable (WhatsApp and FitBit being two prime examples: the former seems to use a random number generator to decide whether to notify you of incoming messages, and the FitBit app would lose contact with the FitBit device and you either had to re-install the app or reboot the phone several times a day...)
Although I don't like the iPhone, I feel it might be the only valid option for long term support, when I replace my Nexus next year... :-(
If this initiative from Google works, it might offer some hope. You can't release an Internet connected device today and not offer at least security updates in a timely manner for the lifetime* of the device.
* Judging by the people I know, lifetime is between 3 and 5 years.
Re: Cash for clunkers MK II
I have a Euro 6 diesel that isn't affected by the current scandal, but it isn't a Euro 6e(?) (there are no 6E diesels currently on the market, it is new and not officially ratified) and the talk is that only these new cars will be allowed into cities. There will also be, if I remember the recent ADAC report correctly, no possibility to retrofit existing cars to 6E specifications and get them reclassified.
There are other incentives, like reduced / no road tax for electric vehicles currently, and the performance is certainly on a par with many high end sport-saloons. Only the range is a problem - and that is a big problem in Germany, when people drive the 600-800 km from Munich to Hanover, Hamburg etc. for a business meeting, then drive back the same day or early the next morning.
A powerful diesel will do the trip to Hanover in around 5 hours (depending on traffic), but you need to keep the speed up above 200km/h most of the time. A quick fuel stop for 10 minutes, if you must - I did the trip in my old Ford Mondeo 2L diesel in around 5 hours without stopping, on my Honda VFR800 I did the trip in just over 4 hours, but needed to stop 3 times to refuel - is a very different equation to driving a Tesla, for example, which will quickly overheat and reduce speed and get nowhere near its normal range if you are pushing it constantly at 200+ km/h for hours on end.
That is one of the major reasons why electric isn't catching on very quickly for those that drive equivalent cars (Audi A6 / VW Passat / BMW 5 / Mercedes E etc.), because they generally drive long distances on a regular basis for work and the company doesn't have a lot of understanding for having to stop more often and for longer, when you are driving to a customer site.
The existing high-end German electric vehicles aren't on the list either.
The list is there for Jochen Average, they will spend between 8,000€ and 40,000€ on average, so putting a cap of 60K is way above what normal people spend on cars, and if you are buying in the luxury segment, you don't need the subsidy.
Re: Unlikely to be worse than a native VMware solution
vSphere management interface might be a buggy, steaming heap, but the ESXi itself is usually pretty rock solid.
Re: Fragile. Very fragile.
@Mage I've had a manager order site services to move a workstation/server (an old Burroughs running BTOS) from one table to another, because he needed the table for a new employee. Because I was working off-site at a customer and I was the only one capable of supporting the kit, he didn't know how to turn it off, so he just had them pick up all 6 modules in one go, whilst running and dump it on the "new" desk.
At one site, we had a memory upgrade on a VAX 11/780. The Digital technician turned up. The admins had moved all of the jobs and users from the machine to the next one in the row. The technician was told that the machine was now shut down and he could power it off... He threw the power switch on the wrong machine and the machine with the extra load suddenly found itself doing a Wile E. Coyote, hanging in mid air over a tall cliff with no power...
Needless to say, one of the drives crapped out.
A while back the technical department needed to pull new network cables into the server room. The NAS standing behind the rack was in the way, so they just slid it across the floor until they could do their work, instead of contacting IT and getting it moved properly.
Likewise, one of the apprentices was told to turn off the electricity in the electrical engineering production hall, he turned off the power for the entire premises! Luckily the UPS cut in and the servers were fine, but the Quantum Superloader didn't like the transfer from mains to UPS and back and hung.
As much as these things should never happen, there is always somebody who should know better who just needs to quickly do something and doesn't think about the consequences, whether it be a manager, a qualified technician or a trainee.
Paris: because even a qualified technician can leave her looking intelligent at times.
Re: Are we surprised?
Living in Germany, where such data collection is illegal, as is the use of CCTV in many situations*, then yes, I expect a modicum of privacy as defined by the law when I am out and about and I am carrying my smartphone.
If I have turned off location data, then I expect the device not to pass that on.
* Even in-car cameras are quasi illegal. You cannot use them as evidence and you cannot post them on the internet without anonymising the other persons in the film (e.g. blurring faces and registration plates). If you don't, you can be prosecuted.
Re: Will Uber Go Under?
It is a good job they released the information this year; from next spring, if they wait more than 72 hours after the breach to inform authorities and affected persons (individually), they will face fines of up to 4% of their annual turnover (EU Data Protection).
Re: Good news, bad reporting
Yes. I hear American podcasts all the time that praise Google Translate, but they are usually doing American - Central-American Spanish translations. English - German is worryingly inaccurate.
At least you can train it. I once had some translations to do (English safety manual into German) and tried to short-cut the process due to time constraints and bunged a few paragraphs into Google Translate. Sentences written in formal English seemed to really mess up the translations; using slang or abbreviations was better, but the document was written in formal English.
"Do not open the case, high voltage inside" translated into "Das Gehäuse öffnen, Starkstrom drinnen" (Open the casing, high voltage inside).
"Do not open the case, no user serviceable parts inside" translated into "Das Gehäuse öffnen, nichts drinnen" (Open the case, nothing inside).
After laughing so hard I fell from my stool, I put the correct translations into Google Translate's corrections box and translated the document by hand.
Interestingly, "don't open the case,..." translated correctly into "Das Gehäuse nicht öffnen,..."
At least the corrections seem to have taken effect, the translations were better, last time I tried them.
I did work for a translation office for a while, which showed me that, although my translations were technically accurate and readable, they were still a long way from what a trained translator with doctorates in source and destination languages can generate.
Re: But the reason
The reason has nothing to do with teachers. That was just an example of a situation in which the use of such a device is ILLEGAL. The devices can be used to spy on the wearer and those in his or her vicinity without their knowledge, which is illegal; you are not allowed to use spy devices of any sort to spy on other people without their permission.
Even recording a telephone conversation is illegal, if you do not have the other party's permission in advance. You also have to let the person on the other end know in advance for what reasons you are making the recording (e.g. personal training purposes) and you are legally restricted to that use - you cannot, for example, record a conversation for training purposes and later use it in court to show breach of contract.
Re: Finally IoT Regulation???
This isn't so much a problem with IoT, as such, any type of spying device is illegal in Germany, without special licensing and can only then be used in certain circumstances by licensed persons (E.g. police or private detective agencies).
There is currently no legislation to allow helicopter parents to use such devices, therefore the order to stop selling them (although many come direct from China or other foreign sources) and to destroy the models in use.
Re: 'sustainable in the long run'
There are similar stories every couple of weeks about companies, mainly US based startups or multi-nationals, abusing their power in Germany and breaking the law and being taken to task by the German DPOs. Hamburg and Schleswig-Holstein being the two most prominent.
Germans take their privacy very seriously and they have even released a set of notes on how businesses should configure Windows 10 Enterprise to make it acceptable as a platform for business use (turning off different levels of diagnostic reporting by Group Policy, for example).
Drones were also a big topic earlier this year. They cannot be flown over towns, housing or public areas. You can only fly them over model aircraft airports and open fields.
Re: Widespread potential problem?
That is the agency's response, they said that mobile phones are fine, because everybody knows that they are remote listening devices and they are licensed as such - plus the user has to actually accept the call.
The problem with the watches, according to the Bundesnetzagentur is that they listen without the wearer or those in the vicinity being aware that they are being recorded, which is illegal in Germany.
According to the BNA, you can take the device to the local recycling centre and they will destroy it for you and give you a certificate of compliance.
Re: Good news, bad reporting
What is annoying is that they seem to have just copy and pasted the German statement into Google Translate and think that the results are readable. They are not, even simple sentence construction errors weren't corrected before posting, let alone where GT uses the wrong words.
There is a good reason why translation agencies haven't died out, Google Translate & Co. are not really usable for such tasks.
Re: I'm pleased with my 5.
@Boothy what would interest me is how OnePlus is with security updates?
Have you got Oreo yet? If not, have you at least received the November Android security patches?
Such things make me glad that I don't live in the Land of the Free (to be exploited).
Re: Ah, good old fashioned hypocrisy
Erm, you mean the states should have rights, unless it interferes with the puppet masters' profits.
Re: That's a big screw up
If they wanted it to appear when these devices gained popularity, they should have at least hit the holiday season last year!
Microsoft have been berated for being too late to the party already, with a preview in January and a product launch (Harmon Kardon) in October.
Perhaps you should actually read the Right to be Forgotten law.
The information has to be inaccurate, no longer relevant or fulfil a number of other criteria. It also doesn't apply to public figures, so your example would be newsworthy, as long as Trump couldn't prove the story was false, he couldn't get it removed.
An example of where you could get something removed would be:
You are arrested and charged with murder. You are later freed and the charges are dropped. You could get searches for your name to not return reports of your arrest for that alleged crime. Searches for the crime itself (E.g. searching on the victim's name) would still return the stories.
You are forgetting Google's credo:
“ALL THAT HAPPENS MUST BE KNOWN.”
Some of its other Orwellian maxims are “SECRETS ARE LIES,” “SHARING IS CARING” and “PRIVACY IS THEFT.”
Oh, wait, that was The Circle, but is reality really that different now?
No black and blue after the operation and no pain after the operation (see above).
It is a very quick and easy operation, usually done on an out-patient basis, at least here in Germany. I went to my local urologist, had the operation and got a taxi back home half an hour later.
A couple of days of abstinence and that was it.
I was in out in about 30 minutes, no bed, no ward. They operated and then sent me straight back home.
The bad part was, the doctor only checked that the anaesthetic had worked on one side; when he cut into the other side, I told him politely that it wasn't blocking the pain (I grunted and screamed at him)... He did a Magnus Magnusson impression and said, "I've started so I'll (have to) finish."
Erm, that is a fix for the chipset / motherboard, not the CPU...
Re: "...and women shouldn't wear ripped jeans, or walk alone after dark.
There isn't anything wrong with the naked human form. But I don't want pictures of my naked body circulating on the Internet, so I don't let anyone photograph me naked and I don't take any photos myself.
If other people want to make photos/films of themselves naked or having sex, that is their business, but it should be clear to them upfront, that those images might end up on the Internet. If they don't want those images plastered all over the 'Net for the rest of eternity, they should think twice before letting those photos/films be made...
Peephole cameras are something else, but you probably don't have them to upload to Faceplant in the first place. And, as others have said, hashing locally and uploading just the hash makes a lot more sense, although it will deprive the pervs at Faceplant of their jollies.