Re: Gained?
The 480 also had a sealed battery.
6775 publicly visible posts • joined 27 Nov 2009
Given the telemetry data still isn't fully documented, it, and the much more severe telemetry in Office 365, have already been declared not GDPR compliant. Microsoft wanted to release a compliant version of Office 365 by the end of March.
Windows in blabbermouth mode has 422 data providers within Windows; "simple" or low mode "only" uses 410 data providers. The "secure" mode, only available on Enterprise versions of Windows, has just 4 data providers. Office was much worse, running into the thousands of data providers.
Disabling the service DiagTrack should stop the tracking altogether.
If they are worried, then don't connect the damned things to the Internet! If it is a large solar plant, it shouldn't be on the Internet anyway; it should be using its own private network and, at worst, a dedicated, isolated WAN to connect several plants together.
Either way, it should be isolated from the Internet. If they set it up properly, there is no risk.
I had a FitBit; that is also very easy to "fiddle". Sitting on the couch eating crisps can be good for a couple of hundred steps.
Chopping a salad and cooking a stir-fry is a couple of thousand steps... All very amusing
But then the FitBit went too far. I went to bed and the next morning it told me that I shouldn't ride a bike just before I go to sleep! Needless to say, my other half was not amused at being called a bike and the FitBit was banned from "nocturnal activities".
One of the best sales pitches I saw was a mainframe supplier.
The rep turned up with a massive machine, it was duly installed and he handed us a tape with source code. We should load it onto our existing system (a VAX) and on the new mainframe, compile it on both (using the optimization on the VAX) and call him back in a week or so, when the mainframe was finished.
An hour later, when he got back to the office, there was a message that he should call us...
The test software was running fine on the mainframe, but the VAX was already finished!
It turns out that he had been too optimistic. The compiler checked the code:
1) Input into the program: none.
2) Processing: check.
3) Output from the program: none.
Optimization = processing is redundant, optimize it out of the executable. The program loaded into memory and quit immediately.
The mainframe, on the other hand, was busily building a multi-million point multi-dimensional array and filling it with random numbers...
Been there and seen that many times as well - and averted it a few times myself by, you know, double checking before the meeting that everything still works.
I've seen the meeting room PC go through patch installation, delaying a telco by 30 minutes a few times...
No matter how hard I banged it into the support staff, they never thought to go round after "patch Tuesday" and ensure that all the meeting room kit was ready to go.
If it was my meeting, I'd always go in half an hour early, if the room was free, and ensure that everything was working. It saved my bacon a few times.
We are talking about banks here, how do you think they make money? By actually paying for licenses they "don't" need*?
* if the trial license is free, you don't need to pay for a development license, that would be throwing money away!
It is the same where I work. My LTE contract with Vodafone Germany says 500/100 Mbps maximum speed, but at work I get about 360 bps (no, I didn't forget the M!) and at home I get 5 Mbps.
It is so slow at work that Vodafone's own speedtest app fails, because it says it can't get a data connection.
evidence-free insistence on the part of the US government and mobile industry that all those Chinese products that work just as well, are built to the same specs, but are much, much cheaper are a security threat.
Of course it is a security threat, the US can't insert its own spy software in the kit, if it is delivered directly from China instead of coming from the USA. Which page of the USA World Police playbook are you stuck on?
That is the point of the article: it seems like the developers have overlooked how some of the system clean-up functions work and haven't enforced rigorous clean-up (e.g. overwriting the memory before releasing it).
The clipboard, browsers and other applications are beyond their control, but the safes should be ensuring that the passwords held in their memory are held safely and not leaked. Passing them on to the required application is a known risk that has to be taken into account, you can't really do anything about it with current operating system and application architectures. You'd need a new OS written from the ground up to be secure and handle information securely.
At least the developers seem to be taking it seriously, with at least LastPass having reacted and closed the hole.
Most of the solutions I've used will automatically fill in the password for you.
But the problem is, once the database is loaded, it is unencrypted in memory (1Password), or specific entries are held unencrypted in memory or cache, even after being used. This is over and above the clipboard. This is memory not being flushed properly within the programs themselves.
I use LastPass with a Yubikey. But that only helps when the LastPass database is closed or somebody is trying to hijack the account.
Once you have opened LastPass and used your token to log on, your database was still exposed (allegedly LastPass has now sorted out the problem).
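The two posts above (the password safes holding entries unencrypted after use, and the mainframe benchmark that the VAX compiler optimised out) share one root cause: an optimising compiler removes work whose result is never observed. A plain `memset` before `free` is exactly such work, so it is not a reliable wipe. The block below is an added example, not code from any of the password managers mentioned; `use_secret_without_wipe` and `use_secret_then_wipe` are a constructed, simplified stand-in for "decrypt one entry, hand it to autofill, release the buffer", and `secure_wipe` is the standard volatile-store technique rather than any vendor's routine.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* The naive wipe. An optimising compiler may prove that `buf` is never
 * read after this call and drop the stores entirely (dead-store
 * elimination), the same reasoning that emptied the VAX benchmark: no
 * observable output, so the work is redundant. Whether the stores really
 * vanish depends on compiler and flags, so nothing below asserts on it. */
void naive_wipe(char *buf, size_t len) {
    memset(buf, 0, len);
}

/* A wipe the optimiser cannot remove: writes through a volatile pointer
 * are observable side effects in C, so every byte store must be emitted.
 * (explicit_bzero()/memset_s() do the same where available.) */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Branch-free check that a buffer is all zero; returns 1 if so. */
int is_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulated "use an entry" step: here just measures the string. In a real
 * safe this is where the password is handed to autofill or the clipboard. */
static size_t consume_secret(const char *buf) {
    return strlen(buf);
}

/* The failure mode described in the thread: the entry is used and the
 * buffer released, but never cleared, so the plaintext stays in memory
 * until something else happens to overwrite it. Returns 1 only if the
 * buffer is clean just before free(), which it never is here. */
int use_secret_without_wipe(const char *secret) {
    size_t len = strlen(secret) + 1;
    char *buf = malloc(len);
    if (!buf) return 0;
    memcpy(buf, secret, len);
    (void)consume_secret(buf);
    int clean = is_all_zero((const unsigned char *)buf, len);
    free(buf);
    return clean;
}

/* The corrected flow: wipe with a store the compiler must keep, then
 * release. Returns 1 when nothing of the secret survives in the buffer. */
int use_secret_then_wipe(const char *secret) {
    size_t len = strlen(secret) + 1;
    char *buf = malloc(len);
    if (!buf) return 0;
    memcpy(buf, secret, len);
    (void)consume_secret(buf);
    secure_wipe(buf, len);
    int clean = is_all_zero((const unsigned char *)buf, len);
    free(buf);
    return clean;
}

int main(void) {
    /* "hunter2" is a constructed sample secret, not real data. */
    printf("without wipe, clean before free: %d\n", use_secret_without_wipe("hunter2"));
    printf("with secure wipe, clean before free: %d\n", use_secret_then_wipe("hunter2"));
    return 0;
}
```

Note that a wipe only covers the buffer you control: the stack copy inside `consume_secret`, any copy the clipboard or browser made, and swap are beyond this function, which is the point the post makes about needing the consumers to behave as well.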
And all the companies that got sued for using GNU/Linux at the beginning of the century, because it also breached patents and included proprietary code?
A fair few companies settled, many for 6 figures, some for 7. It is rare these days, but not unheard of.
And that explains that ARM, Sparc and other processor architectures are also affected, how exactly?
It is an industry wide problem. It is something that dates back to the 90s, when processors weren't used for virtualization and weren't connected to the Internet. The processor designers had taken a line for designing performant multi-threading processors, then the industry decided virtualization was a thing and that connecting to the Internet was a thing.
Instead of going back to basics (and temporarily crippling the performance of new processor generations), they built out the current architectures (PowerPC, ARM, Sparc, Intel, AMD etc.) to allow these new features, but without ensuring that such side channel attacks could be blocked.
Intel does have the most problems, as they have Meltdown as well as nearly all Spectre variants, whereas the other chip designers / producers only have certain Spectre variants to deal with, but none of them come up smelling of roses.
"There are no compelling reasons that I can see to do business with the Chinese, so long as they have the structure in place to reach in and manipulate or spy on their customers. Those who are charging ahead blindly and embracing the Chinese technology without regard to these concerns may find themselves in a disadvantage in dealing with us."
I suppose they should be using Cisco or HP kit, where it has been proven that the CIA/NSA intercepted the latter's hardware and installed spyware in router and switch firmware, and the former has patched a few dozen backdoors over the last year.
So, buy from US firms, where it is known that they have been manipulated in the past, or from a Chinese company that the US has alleged does the same thing, but can't provide any proof... Hmm, hard decision.
I'm guessing they had some sort of port forwarding on the perimeter pointing to the NAS and they weren't fully patched and/or it was a zero-day.
Just checked my QNAPs and they are fine, but none of them have any services set up to work over the Internet, everything is local network only.
Don't be a plonker and don't send pictures of your plonker* over the internet.
Regardless of how rich or poor you are, don't upload anything you wouldn't want on the front page to the internet - and that includes chat apps, cloud storage etc.
* the same goes for women and their bits.
I remember spending a long summer in the early 90s re-writing hundreds of COBOL modules of an ERP system to be Y2K compliant. ISTR that they kept 2 digits on the input masks and database and used a sliding window technique to work out the century part for reporting and prefixing dates on the forms.
Yes, early 90s. My employer saw the event coming and wanted everything in and tested long before the final date.
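The sliding-window technique the post describes (two digits stored, the century inferred for reporting and form prefixes) is worth seeing with its boundaries, because the window is where such code goes wrong decades later. The block below is an added illustration in C, not the ERP system's COBOL; `expand_year` and the DDMMYY mask format are constructed for the example, and the 50-years-back/49-years-forward pivot is one common choice rather than anything the post specifies.

```c
#include <stdio.h>
#include <string.h>

/* Map a two-digit year onto the unique four-digit year inside the 100-year
 * window [window_start, window_start + 99]. Returns -1 for a bad yy. */
int expand_year(int yy, int window_start) {
    if (yy < 0 || yy > 99) return -1;
    int century = (window_start / 100) * 100;
    int full = century + yy;
    if (full < window_start) {
        full += 100;        /* below the window: it must be the next century */
    }
    return full;
}

/* Pivot form: window runs from 49 years before `reference_year` to 50
 * years after it. Run in 1995 the window is 1946..2045, so "99" is 1999
 * and "00" is 2000, which was the whole point in the Y2K remediation. */
int expand_year_pivot(int yy, int reference_year) {
    return expand_year(yy, reference_year - 49);
}

/* Parse a six-character DDMMYY input-mask value (constructed format for
 * this example) and return the expanded four-digit year, or -1 if the
 * field is malformed. Day/month are range-checked only, not validated
 * against the calendar. */
int ddmmyy_to_year(const char *field, int reference_year) {
    if (strlen(field) != 6) return -1;
    for (int i = 0; i < 6; i++) {
        if (field[i] < '0' || field[i] > '9') return -1;
    }
    int dd = (field[0] - '0') * 10 + (field[1] - '0');
    int mm = (field[2] - '0') * 10 + (field[3] - '0');
    int yy = (field[4] - '0') * 10 + (field[5] - '0');
    if (dd < 1 || dd > 31 || mm < 1 || mm > 12) return -1;
    return expand_year_pivot(yy, reference_year);
}

int main(void) {
    /* Constructed sample inputs: a 1995 run and a 2020 run of the same data. */
    const char *samples[] = { "311299", "010100", "150646", "150645" };
    for (int i = 0; i < 4; i++) {
        printf("%s -> %d (1995 run), %d (2020 run)\n", samples[i],
               ddmmyy_to_year(samples[i], 1995),
               ddmmyy_to_year(samples[i], 2020));
    }
    return 0;
}
```

The two runs in `main` show the failure mode of a fixed window: "46" is 1946 when the reference year is 1995 but 2046 when it is 2020, so a window hard-coded at remediation time silently flips old dates of birth or contract dates once the calendar moves past its upper edge. A window tied to the current year avoids that for transaction dates but still cannot represent anything more than 100 years apart, which is why two digits is only a stopgap.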
In Germany it is clearly defined. Any person, in public or private who is "featured" in a photo has to give their explicit permission before a photo can be loaded onto the internet or published.
If they are part of a crowd in the background, that is okay, but if they are in the foreground, you need permission.
The same is true in Germany. All number plates must be obfuscated before they can be published; the same goes for people in the car, their faces and identity in general must be protected.
Dashcams are also quasi illegal. A court did decide that the last 30 seconds before a crash can be used as evidence in court, but that's it. Showing it to the insurance company, the police or posting it online is illegal, as is having a camera that constantly saves footage. If it doesn't just keep the last 30 seconds, you can't use it.
Luckily ANPR is still illegal over here, for the most part. Police forces have been rapped on the knuckles for using the ANPR photos to try and find offenders of crimes. As the purpose of the ANPR cameras is for average speed on a piece of road, it is illegal to use the information for anything else.
German bureaucracy for you.
That has been the case for a long time.
When I buy something on Amazon from a British seller, I still need an invoice with their German tax ID.
The seller can sell in any land of the EU without restriction, as long as they are registered for VAT / sales tax in that country.
Amazon had to change a few years back to comply as well. Especially as more and more businesses were buying through Amazon and required a valid Tax Ident. to claim the tax back.
I've had to send a few products back, because the seller on Amazon charged the German 19% MwSt, but didn't have a valid German tax number, so I couldn't reclaim the tax, so I couldn't put it through the books, so the product had to go back and I re-purchased from another seller that did have a valid tax code.
Amazon S.a.r.l can now only charge reduced tax on certain "virtual" items, but even that is limited.
For those born after 2000, maybe. For those born in the 20th Century, the aftermath of fascism and communism still runs very deep.
For those that grew up in the East, it is especially deeply ingrained.
I have a friend who was a teacher at a school in the DDR and lost her job because one of the other teachers was a Stasi spy and reported her less than euphoric opinion of the Party - she didn't say anything negative, she just wasn't positive enough on that one occasion. She lost her job and could never work as a teacher again.
For people who grew up not knowing whether their parents, their spouse or their children might be spying on them for the Stasi, it is easy to see how the population in general has a hard time coming to terms with governments or corporations spying on them.
That is why drones can't be flown over industrial or residential areas, why number plate recognition cameras are illegal in most states and why CCTV is generally frowned upon and only allowed under certain circumstances.
Dashcams are quasi illegal - you can only use them to record the last 30 seconds before an accident and you (theoretically) can't upload it to YouTube, you can't use it to report someone and if you do upload it, you have to make the numberplates unrecognisable.
Given that background, it is easy to understand why people are reticent to let Google & Co. track them.
My better half is a native German and when she is at a party and people take photos, she explicitly states that they do not have her permission to upload any photos with her in them to the Internet. No tech is allowed into the house with a microphone or camera, with the exception of a smartphone; the laptop and tablet have their cameras taped over.