* Posts by big_D

6778 publicly visible posts • joined 27 Nov 2009

Cache flow problems continue for Intel: Yet more data-leaking processor design blunders discovered, patches due soon

big_D Silver badge

Re: Secure Processors for sale - $100 each

That was my point. There are demonstrable attacks out there, but they are so slow, complicated, error prone and hard to implement that there are other, easier methods for most attackers.

And, apart from multi-tenant, you already have to be in a position to execute the code on the device, so there are easier methods of getting the information.

big_D Silver badge

Re: Won't someone think of the Reviewers!

It is Intel's version of Windows Registry slow down.

Intel: Challenge accepted; what you can do in software, we can do in hardware!

big_D Silver badge

Re: Secure Processors for sale - $100 each

Security isn't sexy, MIPS are sexy... That is the problem, each new processor needs to be faster, not safer, than its predecessor.

In the old single-user not internet connected days, that wasn't a real problem. Today it is coming back to bite us.

That said, most of the exploits so far are theoretical with very few having been turned into actual malware - most of them require direct access to the machine, in which case the exploit is moot. Multi-tenant being the possible exception.

big_D Silver badge
Mushroom

Re: New trade deal

Put all the Intel chips in automated Boeing 737MAX, problem solved?

El Reg tries – and fails – to get its talons on a Brexit tea towel

big_D Silver badge
Coat

Tea towel?

One word too many...

The conservatives are obviously not cool froods. I bet the lapel badge isn't an electronic thumb either, to flag down a lift on the next passing Vogon ship.

Mine's the one with the Bayern München towel in the pocket.

Petition asking Microsoft to open-source Windows 7 sails past 7,777-signature goal

big_D Silver badge

Re: Uh!

Yes, but the hackers only have to work out where there is an exploit to take advantage of. That is a lot easier than finding it, fixing it and making sure it doesn't break anything else.

Especially as the white hats would have to work themselves into the code. If it is open source from the beginning, finding and fixing will be much quicker than fixing in a codebase you aren't familiar with.

big_D Silver badge
Coat

Surprise deposit...

"The Beast Of Redmond" into making a surprise deposit into GitHub.

That sounds like something the BOFH does in his boss' desk drawer after a bender... Hmm, probably has a lot of the same qualities.

Mine's the one with beer vouchers in the pocket.

You spoke, we didn't listen: Ubiquiti says UniFi routers will beam performance data back to mothership automatically

big_D Silver badge

Re: Not OK

Just add a rule to the USG to block all traffic to trace.svc.ui.com. That and I blacklisted it on my Pi-Hole.

big_D Silver badge

Re: "In other words, you ain't got no choice."

Just working out which licenses I needed was headache enough for me to avoid it like the plague!

big_D Silver badge

Re: "In other words, you ain't got no choice."

Yes, I used pfSense at a previous employer. A nice, cheap solution. We used a pair of old Pentium D machines for failover. Great for the basics.

My last employer used Palo Altos, excellent kit, but very expensive! It goes a lot deeper and blocks not just addresses, but it recognises data patterns and you block "by application", thousands of which are pre-defined. So, we could block cloud drives with a couple of clicks (DropBox, GDrive, OneDrive etc.).

We are currently using ZyWalls.

Ironically, at home I have a Ubiquiti Unifi Security Gateway and the first thing I did was block the trace.svc.ui.com domain to stop the telemetry.

big_D Silver badge

I blocked the trace.svc.ui.com domain on my firewall (ironically, an Ubiquiti Unifi Security Gateway) :-D

big_D Silver badge

Blocking...

In their defence, whilst they say that you can't disable it in the 4.1.x firmware at the moment, there is a workaround.

If you do not wish to participate/provide this data, we will add an opt-out button in upcoming versions that will make it easy to opt-out of providing this data. In the meantime, you can block traffic from UniFi devices to trace.svc.ui.com.

I put a block on that domain at the firewall. Not ideal, but at least you can opt yourself out.

It is a shame, they make great hardware and it is relatively easy to set up. I really like it, apart from this issue.

Brave, Google, Microsoft, Mozilla gather together to talk web privacy... and why we all shouldn't get too much of it

big_D Silver badge

No problem with adverts...

I have no problems with sites showing me static image adverts.

What I have a problem with is tracking and "multimedia" adverts which, at best are annoying, at worst get misused to push malware.

Until the malvertising industry gets its act together, respects my privacy and actually takes responsibility for what it delivers, they won't have a place on my network.

Ding-dong. Who's there? Any marketing outfit willing to pay: Not content with giving cops access to doorbell cams, Ring also touts personal info

big_D Silver badge
Black Helicopters

Re: I file this under "IOT"

Yes, such products are consigned to my IoT bin - Internet of Trash(bin).

Microsoft: 14 January patch was the last for Windows 7. Also Microsoft: Actually...

big_D Silver badge

Re: 7 what?

Exactly. Linux has the same support issues that Windows has, just generally on shorter timescales.

I worked for a company that sold configured servers in 2015 with SUSE from 2000 on it, that hadn't had updates for nearly 10 years! Parts of their software wouldn't work on anything newer, so they just carried on using the unsupported Linux (hey, it's Linux, it is secure, it doesn't need patching). It was only when they couldn't get any more old-style RAID controllers that had drivers that would work on such an old system that they were forced to look at updating their software to work on modern Linux.

AI 'more profound than fire', Alphabet CEO Sundar Pichai tells rich folks' talking shop

big_D Silver badge

Re: AI 'more profound than fire'

Yes, but that hasn't stopped it... :(

big_D Silver badge
Facepalm

Re: AI 'more profound than fire'

So, we'll take fire away from Sundar and see how far he gets in manufacturing those AI chips, shall we?

Take DOS, stir in some Netware, add a bit of Windows and... it's ALIIIIVE!

big_D Silver badge

And 3D Monster Maze with just 16KB. Try getting any 3D game's icon in 16KB these days! :-P

big_D Silver badge
Facepalm

We had DOS clients, Mac clients (Mac Plus and Mac SE) using AppleTalk, a PC with an AppleTalk to Ethernet (thin cable coax) and a VMWare server.

Stable as houses. Well, until the training manager decided to take his PC with him to do a training course and simply unattached the coax from either side of the T-connector...

Electron devs bond at Covalence conference: We speak to those mastering the cross-platform tech behind Slack, Visual Studio Code, etc

big_D Silver badge
Childcatcher

Re: What?

Those who can, do. Those that can't JavaScript.

Apple: EU can't make us use your stinking common charging standard

big_D Silver badge

Re: Waste...

The point being, you got the charger with your iPod and you got further chargers with other devices.

The EU wants to remove the charger from the packaging of the products you buy. You buy a good quality charger, once. That's it. You don't buy 10 devices and have 9 redundant chargers kicking around.

We have a couple of phones, fitness trackers, headphones, Fire tablets, Kindles and a few other bits and bods, but for all these devices, we have 2 chargers in the kitchen and one in the bedroom (for the Kindles). That is enough to charge a dozen or so devices.

10 - 15 years ago, they'd all have had different connectors and different voltages. The USB standard means that they can all share chargers. If the industry can then decide on a single quick-charging technology, you can even quick-charge everything using a single charger.

big_D Silver badge

Waste...

Apple argued any move compelling it to ditch the Lightning port, which has been a staple of the iPhone for almost a decade, would inconvenience its customers, simultaneously creating an "unprecedented volume" of electronic waste.

You mean, just like when they abandoned all those 30-pin peripherals and went to Lightning?

The idea behind this is, you don't need a new charger with each new device you buy, they are standard, so you can share a charger between several devices. That produces less waste... In fact, my Huawei watch, my BT headphones and several other devices all came without chargers, because they all use a standard port (USB-C or Micro-USB) and I just use one of the dozen or so chargers I collected over the years; well 4 now, we had a big electronic clearout last year and brought all the old phones, chargers, hard drives and other Elektroschrott (electronic rubbish) to the recycling facility.

I now have 2 chargers in the kitchen, with USB-C and micro-USB, a charger with micro-USB upstairs and a spare charger in a drawer in my office.

And it is more about the wall-wart end of the equation, moving that from USB-A (which Apple also uses) to USB-C. USB-C on both ends would just be an added convenience, as you only need one cable as well.

It's good to talk: Union says IBM failed to consult system support techies as Scottish Power contract nears end

big_D Silver badge

Re: Well IBM is one problem

I'm not saying this deal was good, or that IBM is a good partner for this.

Just that if the outsourcing is done properly and a conscientious partner is found, it can work out well for everybody involved.

The problem is that there are more cowboys around, like IBM, Accenture etc. these days that are just out for a quick buck, rather than those rarified few who do it properly.

big_D Silver badge

Re: Well IBM is one problem

With IT requiring fewer human resources over time to manage, outsourcing can spare a company money, if it is handled properly.

They either need to employ too many people or they need to make them redundant, which if they have been with the company for a long time can be expensive.

Theoretically, the outsourcer can manage the contract with fewer staff and reallocate the rest to other projects, minimizing the redundancies. That certainly worked well on a couple of projects I was involved with. In one, from the around 1,200 staff brought over, nearly 1,100 were still working for the company 10 years later. That was the highest retention/loyalty rate the company had ever seen with any of its outsourcing projects. They were re-allocated to projects elsewhere in the company and were well integrated.

It was only after a downsizing of the whole company 15 years after that outsourcing that a lot of those original employees left.

On the other hand, you have outsourcing that tries to constructively get people to leave after they've been outsourced and move more and more of the contract to cheaper (usually overseas) offices.

For a non-IT company, outsourcing a large pool of IT staff it no longer needs can make economic sense.

As an IT employee, if it is done like the first type, which I experienced, it can be a very positive experience, opening up new avenues, without having to look for a new job and not losing your length of service benefits. If it is just done as a money grab and a way to get rid of employees that neither company wants, it is a very bad thing. Unless the outsourcer has a bad reputation already, it is often a gamble, as to whether it will be a good or bad thing.

Beer necessities: US chap registers bevvy as emotional support animal so he can booze on public transport

big_D Silver badge

Re: emotional support animal

Crazy world...

big_D Silver badge

But the traditional breakfast in that part of Bavaria is Weißwurst (boiled white sausage), Brezel with sweet mustard (Süßsenf) and a glass of Weizen beer.

I've had it a few times, during the time I lived in Bavaria, even though I'm not normally a breakfast person.

big_D Silver badge

emotional support animal

Is that really a thing? Never heard of it, living here in Germany.

Clunk, whirr, buzz, whine. Shared office space can be a riot and sounds like one too

big_D Silver badge
Childcatcher

At least...

he got an 'ology!

Call of Duty: Modern Warfare fragged our business VOIP: US ISP blames outage on smash-hit video game rush

big_D Silver badge

Re: So

My first thought as well, obviously never heard of QoS.

Or gamers are more important to telcos than businesses these days...

Keg-xistential issues: Fullers pours away £10m Infor ERP system after selling brewing business

big_D Silver badge

Re: truth

I worked on an SAP migration and re-engineering project in the mid 90s, the client "just" upgraded. I was on the project for 18 months for my part, I didn't come in at the beginning and I left long before the whole project was complete. Each month, my employer was billing the client over £1M for consultancy and project management.

big_D Silver badge

Hardly legacy?

But Fuller’s brewery Infor system is hardly a legacy application.

For Asahi, it is absolutely a legacy system. It is not a core part of their systems, it is a system brought on board as part of the legacy of Fuller's operations, therefore it totally fulfils the definition of a legacy system.

In general IT terms, it might not be an ancient, legacy system, but in the Asahi corporate world, it is definitely classed as a legacy system.

legacy, noun

leg·a·cy | \ ˈle-gə-sē \

plural legacies

Definition of legacy

(Entry 1 of 2)

1 : a gift by will especially of money or other personal property : bequest She left us a legacy of a million dollars.

2 : something transmitted by or received from an ancestor or predecessor or from the past the legacy of the ancient philosophers The war left a legacy of pain and suffering.

3 : a candidate for membership in an organization (such as a school or fraternal order) who is given special status because of a familial relationship to a member .

The second definition is pertinent to the Asahi case, this is something handed down from the predecessor (previous owners, Fuller) to Asahi as part of their takeover.

Don't mention the seam! Microsoft releases Surface Duo Android SDK, more on Windows 10X

big_D Silver badge
Facepalm

Re: RE: You ain't Spartacus! I'm Spartacus!

And replaced them with swipe gestures... :-S

(we need a double slap-head icon)

If you never thought you'd hear a Microsoftie tell you to stop using Internet Explorer, lap it up: 'I beg you, let it retire to great bitbucket in the sky'

big_D Silver badge

Re: Can't Avoid It

WinCC as well, only works with IE.

BOFH: You brought nothing to the party but a six-pack of regret

big_D Silver badge

Re: Just the morale boost I needed

It sounds like he was "employed" as a speed bump at the end of the story.

LastPass stores passwords so securely, not even its users can access them

big_D Silver badge

LastPass works offline as well.

big_D Silver badge

Length of time...

Nothing to do with how old the account is, I've been a pro member since 2014 and I wasn't having any difficulties.

Could it be browser based? I use Firefox and haven't had any problems on any platform. This is the first I've heard about the problem.

Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home

big_D Silver badge

Re: Hacker?

He accessed the network from his home PC, was sacked and had continued access through an admin account that he had changed the password on.

big_D Silver badge

Re: login credentials

Personnel would have to know and they should, confidentially, inform the systems administration team to immediately remove all access for the employee.

The sys admins don't need to know why, they just need to know whose accounts to lock out and change passwords on shared accounts.

If he had access to the admin account, it sounds like either it wasn't documented that he had access to it, or he was in a position to have added the account himself - the story makes it sound like the former.

big_D Silver badge

Re: Hacker?

He logged in through his home computer to a protected network. That might be a disciplinary offence in and of itself. Certainly attaching a private machine to the company network where I work is a sacking offence, as is using a USB stick, external drive, smartphone or other personal devices to attach to company property or networks - guest network is the exception.

If he had to circumvent security processes to get his home computer to attach to the network, that would probably be construed as hacking.

Given we are talking about healthcare, I would hope that the use of personal devices was banned by policy.

big_D Silver badge

Re: Differences...

In Germany, I believe you can go to the court and get the transcript, if you really want to.

But the media cannot use the full name, let alone the address (it is not relevant to the crime in 99.9% of cases). They are also barred in most cases from showing the accused's face, that goes for the victims as well.

There were cases where the police did get the court to approve the issuing of an unblurred photo of a suspect or victim to help with identifying them or finding them. Once they had been identified / apprehended, the photos returned to being blurred out. So you'd see their face one evening, the next, they've been apprehended and the image is blurred again. Idiotic in some ways, but at least there is some privacy, especially useful if the person is then found not guilty.

big_D Silver badge

Differences...

It still amazes me the differences between reporting in Germany and the UK, when it comes to naming criminals.

Daniel Moonie, a 27-year-old of Waterlily Close, Etruria, Stoke-on-Trent

That wouldn't be allowed over here, it would be Daniel M of Stoke-on-Trent, or simply Daniel M.

The Curse of macOS Catalina strikes again as AccountEdge stays 32-bit

big_D Silver badge

Re: How can it take MULTIPLE YEARS to go 64 bit?

Exactly.

I was just replying to the fact that people think it is just a simple case of recompiling for 64-bit. There are lots of reasons why it isn't that simple.

That the company didn't provide information in a timely manner to avoid this is a totally different matter. And how they have handled that stinks.

big_D Silver badge

Re: Mixed messages

Agreed. It might just be more economical to keep the old system running on 32-bit as long as possible, then close the doors on the product when the last 32-bit version of OS X goes out of support.

big_D Silver badge

Re: Mixed messages

How do you know it is 32-bit code? How do you even know that it is OS X native code?

If the codebase is 30 years old, it predates 32-bit and OS X... It could be shims on top of shims on top of shims to even get it running in 32-bit OS X.

big_D Silver badge

Yes and no. Apple are removing legacy interfaces, this is something Apple does regularly. It is what makes Windows such a monolithic system and gives it more than its fair share of security problems, because Microsoft are very slow to remove legacy, if at all.

In this case, it is a problem with the software developer, because Apple are removing old interfaces that they no longer want to support - without regard as to whether it is at all feasible or economical for their developers to go with them.

The developer should have seen this coming and should have warned its users earlier. But, having worked with legacy systems, I can understand that it might not be feasible to modernise such an old codebase and that the only option would be a complete re-write, which on 30 years' worth of code, isn't going to happen overnight. You are going to need to freeze the current system for several years (no new features, no bug fixes, no compliance updates), whilst your developers work on replicating everything you had - and hoping that they haven't overlooked some kludge in the old code, so that the new code comes up with the same answers!

big_D Silver badge

Re: How can it take MULTIPLE YEARS to go 64 bit?

It can often be very difficult, if you have an old, legacy codebase. Chances are it isn't even written in Objective-C or Swift, it is probably written in COBOL, Lightspeed Pascal or something similar, with a bunch of kludges to keep it running on PowerPC OS X and then on Intel.

I've seen code written in the 90s that was just patched together. It was so wonky that the company was selling complete systems in 2015 based on a version of SUSE from 1999/2000, because the code "just about worked" and the programmers were too scared to address the issue of porting it to a more modern version of Linux. In the end, the lack of RAID drivers for modern hardware for the old SUSE forced them to address the problem, but it took a lot of effort and they had to put a freeze on new features and customer requests for over 2 years, because the whole programming staff was busy converting the system to the new version.

One of the biggest problems was that some of the code was bought-in from a company that went bankrupt in 1996, so there was no expertise for it and no real way to port it to something newer.

Without knowing the background, it is impossible to say if they were just dragging their feet or whether dropping the product completely is the more economical solution. From a user perspective, it is a crap situation, but I've seen enough old systems kept crawling along to not condemn them out of hand.

If they have to invest 3 - 5 years of development to get a replacement up to the feature specification of the old software, that is 3 - 5 years where you either need twice as many programmers or you cannot support and extend your old system (e.g. with changes in tax law), whilst the new system is being developed.

Spanking the pirates of corporate security? Try a Plimsoll

big_D Silver badge
Facepalm

Re: A decent backup strategy is very expensive.

Every place I worked at had a backup strategy, even though it cost time and money.

It has been useful a couple of times. A lightning strike, for instance. Failover to Veeam hot stand-by, order new kit, install ESXi, shovel the data back from Veeam, back up and running.

Another place, however, the management had a "secret" NAS, that not even the sys admins were allowed to back up. Management said they'd do it themselves, never got around to it, then the CIO got phished by ransomware... Which was the only system affected? Yep, the NAS that he was supposed to have backed up, the systems that us plebs used and were backed up every night weren't affected.

Top Euro court advised: Cops, spies yelling 'national security' isn’t enough to force ISPs to hand over massive piles of people's private data

big_D Silver badge
Facepalm

The EU, protecting UK citizens from its own Government for over 40 years. You're welcome...

I had this discussion with my cousin, who was pro-Brexit, a few years ago. He was totally unaware that a lot of the "EU meddling in UK laws", was actually the EU telling the UK that they had overstepped the mark and were infringing on their citizens' rights.

Dual citizenship is darned useful.

China tells America, with a straight face, it will absolutely crack down on hacking and copyright, tech blueprint theft

big_D Silver badge

Re: Raise your right hand and....

Maybe China is now reaching the same point the US did about 1.5 centuries ago, where starting to protect their own IP is strategically more important than stealing other countries' IP.

For a long time, the USA was an international pariah for stealing IP from Europe, then it started innovating enough itself that suddenly protecting its IP was more important than stealing other people's IP.

What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

big_D Silver badge

I see your smut cash and raise you...

1.2 billion medical images of US patients left on open servers by doctors' surgeries, hospitals and medical facilities...

https://techcrunch.com/2020/01/10/medical-images-exposed-pacs