* Posts by tom dial

2187 publicly visible posts • joined 16 Jan 2011

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

tom dial Silver badge

Re: The real blame goes to..

Microsoft released patches for currently supported operating systems two months before the WannaCry exploit. Unless things have changed dramatically since the middle of 2012, outward facing US DoD systems were patched well before a month after patch release - the requirement then was to patch Category I vulnerabilities within 15 days of patch availability. EternalBlue unquestionably was a Category I vulnerability. So was use of an unsupported software product like Windows XP, although there is no remediation for that, not even application of a patch for the vulnerability; Windows XP would have been disallowed within the DoD as of April 30, 2014.

Use of SMB version 1 might or might not have been as severe a vulnerability, but it would have been one beginning when Microsoft deprecated it, and at worst ought to have been discontinued within 180 days, which would have been before the end of 2014.

The DoD is a far from perfect organization in IT as in other things. But the outlines of their information assurance standards are not that hard to understand or, in principle, to implement. Their implementation is tedious, annoying, expensive in terms of staffing, and all too often disruptive to the operations the IT staff support.

Many organizations, including the DoD agency that employed me, do not consider IT part of their core mission. For some, not including my agency, that results in treating it as a cost center to be starved of staff and funds to the maximum possible extent, heedless of the potential cost and damage that inattention to security patching and configuration can bring.

Blaming the NSA may have some merit, but their behavior in retaining some vulnerability knowledge was approved at the highest level in the executive branch and certainly is not meaningfully different from that of similar agencies in other countries. At least as much blame is due the management of organizations victim to these recent attacks.

We'll drag Microsoft in front of Supremes over Irish email spat – DoJ

tom dial Silver badge

The hypothetical case setup was specified in such a way that the operators in the foreign jurisdiction are not able to assist, for instance because the data are encrypted using a key they do not possess. The courts in that jurisdiction might have the authority to order those under their jurisdiction to comply, but they do not have the power, and they do not have the authority to order the US based operators, who have the power to comply, to do so. US courts, under the second circuit's reasoning, do not have the authority to demand that the US operators, who are able to produce the required data, do so. The MLATs, and the related and supporting laws, likely need to be refined to cover process in such cases; if not, it seems quite likely that such services will be offered if they have not been already.

tom dial Silver badge

Hypothetical case:

${US Co} contracts with ${NonUS Co} for data center and storage service located physically outside the US (the two companies being unrelated) but retains full operational control of the servers and storage. ${US Co} then offers for sale email and data processing storage services to US customers, guaranteeing that all processing and storage will be offshore.

Where does the US government go for assistance when they find a US-based (alleged) criminal enterprise is using ${US Co}'s service for its email and data processing needs? Stipulating that ${NonUS Co} cannot assist under a MLAT, should ${US Co} be immune from executing an otherwise proper warrant for data related to operation of the alleged criminal enterprise?

tom dial Silver badge

While I could be wrong, I quite doubt that any action by the US Congress would support Microsoft's position in the matter. Their best, probably only hope, is in the possibility that the Supreme Court will allow the second circuit's decision to stand. The issue, overall, is fairly complex owing to the possible permutations of jurisdiction over the crime, the suspect, the data storage operator, the data storage facility, the legalities surrounding operation of the storage facility, and numerous other things. Orin Kerr has written extensively on the Stored Communications Act, including several pieces in the Washington Post Volokh Conspiracy blog, that are worth reading.

The Second Circuit's analysis primarily addressed the law as written, and may be correct; as a non-lawyer, I do not feel competent to judge that. Its reasoning, however, points the way toward legislation that would remedy the problem, for US courts, by making clear that the provisions apply to stored communications in facilities under direct control of companies, like Microsoft, that operate under US jurisdiction or do business in the US. However, such an extension would be difficult or impossible to enforce on companies that contract with non-US companies, possibly including non-US subsidiaries, subject to foreign governance, for their off-shore data processing.

In the end, this type of search probably is best handled by refining (or if necessary establishing) mutual legal assistance treaties. No country is likely to be pleased by the idea that their criminal investigation may be thwarted by the unintentional actions of a third party like Microsoft in choosing, for its own business purposes, to store customer data in a particular data center. The Second Circuit, I think, misconstrued the technology at the time the SCA was passed in 1986, but technological change since then certainly has reduced the significance of national boundaries in data processing, to a degree that almost certainly warrants MLAT renegotiation in the subject area combined with coordinated legal changes in the respective countries.

Homeland Security: Putin’s hackers tried to crack electoral networks in 21 US states

tom dial Silver badge

There probably is really nothing very significant about the claimed Russian attempts to influence the US election. The claimed propaganda initiatives would not have swayed many votes, if any, although they might have had some bias confirmation effects on the excessively gullible. The hacking reportedly did little more than touch registration data that, for the most part, is public record data available for purchase by parties and candidates, not to mention freely available from careless purchaser/aggregators.

There also is little the government can do about organizations like RT and other less obvious propaganda outlets, especially when there are home grown ones that are, in fact quite similar but almost certainly not under foreign control. The first amendment is a very high wall against any kind of press regulation, where "press" clearly includes internet sites.

The federal government might be able to offer state election officials technical help in safeguarding systems used in election administration and management, but it is not clear that their efforts would not be better spent in other areas like security of federal government systems or critical infrastructure. The standards and guidelines have been publicly and freely available from NIST for years. Failure to apply them consistently across even the federal government is largely a function of management ignorance and budget limitations. The first may be partly remediable, but if the future is like the past the second probably is not: throwing money at election operations problems after the 2000 election got us the execrable touch screen machines.

If anything, the recent "revelations" show that we should think seriously about reverting to manually counted paper ballots and tally sheets, with no software more complex than Visicalc and no computers or peripherals that ever touched a network.

Debian 9 feels like home with security upgrades and a flaming vulpine warming your toes

tom dial Silver badge

Re: Nice changes-

Devuan 9 ("ascii") also is quite decent, although on the machine I put it on the splash screen says "debian 8" for some reason. I assume this will be switched to GA shortly.

tom dial Silver badge

Re: Um. Excuse me?

I took that to mean that local customisations would need redo, as is proper.

When I started work as a mainframe system programmer 25 years ago, my boss laid out three rules:

1. We do not code.

2. We do no work without a change request.

3. We install with vendor defaults.

They were not followed rigidly, but contributed a good deal, I think, to system stability and to ease and cost of maintenance. I generally have adhered to them and rarely had trouble since then.

NSA had NFI about opsec: 2016 audit found laughably bad security

tom dial Silver badge

Re: This can't be real

DoD data centers have been dealing with mandatory access control on mainframes (RACF, Top Secret, ACF-2) for at least thirty years. It was not easy to implement, and in the large data centers its maintenance supports a security administration staff of a dozen or two. An administrator once told me he had looked into a MAC system for the 3B2 system he managed and decided that since it was being used only for unclassified batch jobs and accessed by only a small number of people, it was far more effort to implement than it was worth and would take up far too much of his time to administer.

tom dial Silver badge

Re: 2 sweet FA

The CAC, as far as I know, was universally used in DoD by 2009 or earlier. For PCs. My agency had a number of non-PC machines in locked or otherwise access controlled rooms that were not equipped for 2FA either with smartcard readers or the requisite software. I suspect that in the major DISA data centers that also was true, especially for the likes of zSeries and Unisys mainframes. I certainly wouldn't argue that it was a good thing, but it would have taken more than a minor effort to implement across the number and variety of machines I suspect are present on NSA premises.

One more comment on the finding about reduction in the number of administrators with privileged access: one of the actions taken reportedly was to do administration in pairs. That would have run seriously against an absolute reduction in privileged access personnel since it would increase the labor required for administration by a factor of at least two.

Oxford profs tell Twitter, Facebook to take action against political bots

tom dial Silver badge

Re: Nope, the truth is not relative

Would a political bot oriented to spread alarm about global warming, then, be somehow better than some others? Once we go beyond T&C prohibition of bots generally, it is fairly clear that which bots are allowable becomes an extremely political question, one that in the US the government generally cannot regulate. More specifically, with limited exceptions, the government may not, unless and until the first amendment is rewritten significantly, restrict speech based on truth value, and that probably is true of programs like the bots Wooley and Guilbeault describe in their paper on the subject as exemplified in the US 2016 presidential election.

FOIA documents show the Kafkaesque state of US mass surveillance

tom dial Silver badge

Re: To Constitute or not to Constitute...

The Register article said that the plaintiff (not defendant) was denied access to relevant case law, but the claim was not supported in the documents the article linked to (https://regmedia.co.uk/2017/06/16/secret_shutterstock.pdf). The quotes the article attributed to Judge Collyer do not occur anywhere in the unredacted parts of either document included in that PDF file. Perhaps the link is incorrect.

The issue was whether the order complied with statutory law and the Constitution. Both litigants will have had access to the arguments made on either side. If the plaintiff was denied access to other decisions, it may or may not have affected the outcome; my guess is that it would not. The unredacted parts of the decision show that Judge Collyer considered a number of prior decisions, quite a few of them (e.g., Riley v. California) publicly available, in addition to the law and the specific facts. A good deal was redacted from the version released publicly, but both the plaintiff and the government will have seen the unredacted versions and have had access to the various briefs and to the oral arguments if there were any.

The FISC is not secret, nor are its processes - to the litigants. It deals in classified material, and many or most of its actions are classified. Otherwise, it (and the FISCR) are ordinary federal courts doing the kind of thing such courts do with respect to a particular subject area. Even the fact that its decisions are not public is not unique, as civil litigation in other courts sometimes results in decisions, albeit largely negotiated settlements, that are not public.

It may be that there is too much classified "stuff" including much of the FISC proceedings and decisions. That is a matter for the Congress to address when it takes up the question of FISA renewal later this year, and it almost certainly will be brought up for consideration in that context.

tom dial Silver badge

Re: "Foreign Intelligence Surveillance Court,"

The FISC and the FISCR are Article III courts in the same way as the Supreme Court and other subordinate federal courts, and are staffed by judges nominated by the president and confirmed by the senate. The main differences are that the judges are assigned to them by the Chief Justice of the Supreme Court and that the subject matter and decisions are generally classified.

tom dial Silver badge

Re: To Constitute or not to Constitute...

The sixth amendment refers to criminal matters. The question in this case was primarily about the law, with constitutional questions in the background as always is the case. If criminals in the usual sense were involved at all, they were neither the government nor the unnamed company that initially declined to comply with the order to provide data, but the targets of the particular selectors specified in the original order.

The matter at issue would have been known in full to the litigants on both sides, and to the court. The fact that the document released publicly has redactions doesn't bear on that.

tom dial Silver badge

Re: Isn't this the opposite of some nation-states laws: Innocent until proven guilty?

No. This was a civil action. "Presumption of innocence" refers to criminal matters.

tom dial Silver badge

Re: To Constitute or not to Constitute...

The FISC, in the redacted opinion to which the article linked, clearly did not ignore the US Constitution. While a good deal of detail was redacted, pages 27-29 and 36 clearly indicate that the court considered constitutional arguments and dealt with them in a way consistent with statutory law and judicial precedents, and concluded that the order, which it affirmed, was lawful and constitutional. The fact one may disagree with the court's conclusion or reasoning (to the extent it is comprehensible after the redactions) does not show that the Constitution was ignored, with or without impunity.

Worried about election hacking? There's a technology fix – Helios

tom dial Silver badge

Re: It's total bollocks

I am prepared to argue that part of the problem in the US stems from evisceration of the traditional "machine" political party organizations, which performed a number of useful quasi-governmental functions including, not insignificantly, voter education and turnout management.

tom dial Silver badge

Re: "Besides, having a way for a voter to prove they have voted "

In the US nobody has to express a preference when registering unless they want to vote in a partisan primary election. In that case, they have to indicate a preference for a political party and, in some places to attest that they voted for more of that party than of others in a prior election if they were not previously registered to that party. And there is, of course, no requirement that the expressed preference be truthful, which in some states has led to gaming of a sort that is easily imagined.

tom dial Silver badge

Re: My exact thought

In the US State of Ohio, when I was involved with precinct level election management, the ballot number was recorded before the ballot was given to the voter, and the strip with the ballot number was removed when the voter returned the ballot, and the ballot, without identifying marks, was put in the ballot box (later, fed into the locked and sealed counting machine). This ensured anonymity to a high degree of certainty.

tom dial Silver badge

Re: My exact thought

According to the Helios claims, the system ensures anonymity. The documentation is a bit sketchier than a set of Linux man pages, but I suppose one with suitable skills might go through the source code to see how it is done and, perhaps, whether the code is as bulletproof as it needs to be.

tom dial Silver badge

Re: "Because you can"

There have been relatively well known ways to put a thumb on the scale in a paper ballot election for at least, I would guess, 150 years. Most of them are not difficult for a moderately skilled illusionist to execute, or for another to detect while being executed. That said, optical machine counting evades nearly all of them, although at a cost of a statistically knowable rate of read errors due to such things as smudges and dirt in the equipment.

The key thing that paper ballots have on their side is that the process for using and counting them is quite transparent and understandable by people of very modest technical skills, something that is untrue of touch screen voting machines (with or without a paper log) or even punch card ballots or the much earlier mechanical lever and wheel machines. It certainly is not true of encryption based gimmickry like the Helios system, which requires the voters and election administrators alike to accept on faith what might as well be magic.

Five Eyes nations stare menacingly at tech biz and its encryption

tom dial Silver badge

Re: NSA = Nothing Safe Anymore!

It might be appropriate to ask whether Apple, Microsoft, or any other provider who signs software can keep their secret keys safe. We certainly have seen a number of cases in which certificate authorities have been unable to do so, and there is no bigger back door to privacy protection than the capability to sign a boot loader and put it into the download area for updates.

tom dial Silver badge

Re: Privacy of a Trrrst?

Some in the US were well ahead of December 7, 1941 in opposing the German launch of war and supporting defense of Britain. As evidence I suggest my parents who, as members of the American Hospital in Britain at Park Prewett Hospital near Basingstoke, left New York for Britain in late August, 1940. They lacked certainty about whether they would be received by the British or their German conquerors, and arrived in London in early September during the Blitz, returning to the US in mid or late 1941. They, the other members of the hospital staff, and the Allied Relief Fund that provided part of their support certainly were not paying a lot of attention to any business opportunity.

Cuffed: Govt contractor 'used work PC to leak' evidence of Russia's US election hacking

tom dial Silver badge

Re: The question of course is what would the GRU gain by access to a company writing this S/W?

The company does not provide voting machine software. Its business is voter registration database and list management for election operations officials. That includes a number of machines designed (according to their web site) to make it easy for officials to verify whether a citizen is registered to vote at a location.

Monkeying with the machines, or the underlying databases, could disrupt election operations by removing or changing data for registered voters and forcing provisional voting, or by adding unauthorized voters, which could allow the electronic equivalent of ballot box stuffing. Not at all good, but within the bounds of historical election practice in some parts of the US and probably in some other countries as well.

tom dial Silver badge

You have given a fairly accurate description of the rules Ohio Secretary of State J. Kenneth Blackwell laid out about 2002 for electronic voting machines. Some of the machines had built in ethernet or modems, but use of those was prohibited. In addition, when machines were in service, all access doors were taped shut using serially numbered seals that could not be removed without destroying them. The seal numbers were recorded manually on paper (again under supervision of election officials from more than one party).

tom dial Silver badge

Evidence that the NSA did not provide the information to the FBI (and DHS)?

Both the DHS and the FBI issued warnings to states in August, 2016 about attempts to penetrate state voter registration databases. This was reported publicly at the time, and it is not unlikely that the information that triggered the warnings came partly from the NSA.

That the NSA snoops on the GRU whenever and however it can is certain. Under FISA section 702, this allows them to take note of such things as identifiable spear phishing by presumed GRU agents directed at US targets. Other parts of the US Code allow them to report such activities to the FBI, as may well have happened in late 2015, when the FBI contacted the Democratic National Committee to tell them they were hacked. Whether that constitutes snooping on the US targets is a matter of definition, but it is plainly legal at present, as well as very likely acceptable to many of the victims of such attacks.

tom dial Silver badge

Re: Can someone with more knowledge on the subject answer me this:

Abraham Lincoln won the 1860 presidential election by the same rules, give or take a few changes over the next 150+ years, with about 40% of the total vote. Events of the following five years establish quite decisively that he did not in any reasonable sense have a mandate to govern. While the results are far less lopsided, it remains true that in 2016 none of the candidates was the choice of a majority of those who voted, and that probably is true of the population of eligible voters as well. To claim that any of them would have a mandate stretches the common understanding a bit too far. It would be better to say that because we accept the legitimacy of the constitutional procedures (if we do) we should in consequence of that accept the legitimacy of the president chosen according to those rules.

tom dial Silver badge

Have all the upvotes I can give for a perceptive analysis. My only quibble is about selecting Trump and the Republican party for special attention. As HL Mencken observed and documented hilariously over a period of nearly thirty years beginning about 1920, the issues apply to all parties and incumbents generally and, over time, roughly equally.

tom dial Silver badge

Re: Can someone with more knowledge on the subject answer me this:

Trump won, and legitimately so by the rules generally in effect for somewhere between 100 and 227 years.

Nevertheless, there is no earthly justification for a claim that he had a mandate.

Do cops need a warrant to stalk you using your cellphone records? US Supremes to mull it over

tom dial Silver badge

It is not clear that any other customer's metadata was "uncovered" by the police request. According to the ACLU report on US v Carpenter, the request was for records relating to the accused, Timothy Carpenter and Timothy Sanders. It does not seem to have been a "fishing exercise."

It would be reasonable in circumstances similar to those in Carpenter for police to obtain a warrant. There was an ongoing investigation, and they clearly suspected Carpenter, Sanders, or both, and might well have been able to get a warrant based on probable cause without a great deal of difficulty. Superficially, though, this case also seems similar to Smith v Maryland, in which the Supreme Court found a warrant for metadata unnecessary, but also somewhat dissimilar in that the location data sought in Carpenter was a given in Smith, and did not exist in the same sense. Metadata now is much more extensive and problematic than it was in 1976, and a different answer in this case will not necessarily overturn Smith.

If Carpenter wins, he and maybe his accomplice are likely to get no better than a retrial without the phone company location data, and may yet be convicted on the other evidence available to the prosecutor.

Pai guy not too privacy shy, says your caller ID can't block IP, so anons go bye

tom dial Silver badge

Re: >If they are simply legalised pirates then I'm not going to cry too much when one of them dies

Ticketing for revenue often is not a police department initiative as such, but a use of the police by the city government for revenue production in lieu of taxes. That was probably the case in Ferguson, and the Cleveland suburb of Linndale comes to my mind in the context. About a quarter mile of Interstate 71 passes through Linndale, a municipality of 52 acres with a population of 177 - and a police department. For many years it was reported to patrol that piece of I-71 and derive the overwhelming majority of the municipal operating budget by ticketing those exceeding the speed limit. It is extreme, but certainly not unique.

tom dial Silver badge

There are about a million police officers in the US, out of which a few hundred, perhaps, have proved to be risks to civilians in any given year. In the matter of black lives, police officers are a minor factor compared to all others, and the plainly outrageous cases that cause national uproar are a small fraction of those. Concerned expressions about police misbehavior toward black and other minority citizens have a much firmer basis when referred to Terry stops, traffic tickets for revenue, and similar activities, which are likely to have a lot to do with factors other than race perception, and remedies that go beyond weeding out the bad cops or, better (but probably not possible) removing them from the applicant pool before their hire.

Senators want FBI to vet FCC's 'cyberattack' claims

tom dial Silver badge

In my humble opinion

The FBI has a number of more important matters to deal with, the first of them getting on with its inquiry into Russian attempts to interfere with the 2016 US general election and the numerous allegations of contacts between Trump campaign and White House personnel and the not very subtle suggestions that they were improper or even illegal.

If the FBI has enough manpower to spend on a DDOS claim involving the FCC, which plainly was going to do what it was, they can use them instead to expedite those investigations. Whether one is for or against Trump, they are important enough to require completion as rapidly as possible.

Distro watch for Ubuntu lovers: What's ahead in Linux land

tom dial Silver badge

Re: Printing

If you use CUPS, as seems reasonable, there is a very large number of supported printers, although probably significantly fewer of them than the full range of printers. Some require proprietary bundles that may involve some difficulty and some lack support for all features. Most HP printers, including some very old ones like the 1020 and p1505, are fully supported through HP Linux Imaging and Printing*.

I have had few problems with printing (all HP, though). Windows machines have been more problematic than Linux ones because the Windows interface to those managed using CUPS is a bit more obscure and maybe a bit less stable - I have a multifunction printer that had been set up with a Windows system that has been forgotten and apparently needs to be set up again.

* Full disclosure: I do own shares in HPE and HPQ (and Keysight and Agilent).

tom dial Silver badge

FreeBSD works just fine*, and will run from a USB drive (i. e., installed on a USB drive) and also runs quite nicely as a VM under qemu/kvm.

*HP EliteBook 8570w, Shuttle Xpc SK22G20, Supermicro X9DR3-LN4F+

tom dial Silver badge

Re: Now if just 1 major PC maker installed Linux by default...

The claim that it is hard for OEMs to deliver supported drivers for their hardware seems quite badly overstated. Debian maintainers are, indeed, picky about proprietary (i. e., non-free) software in the "main" repository. They are less so about what is in "contrib" and much less so about "non-free," which on my systems has five or six hundred packages, a good many of them drivers, many with blobs or blob downloader/installers.

The problem likely has more to do with overall unwillingness of device manufacturers to develop and test Linux drivers in addition to those for the rather different Windows environment.

tom dial Silver badge

Re: Now if just 1 major PC maker installed Linux by default...

It might be more palatable to Microsoft if manufacturers offered one or more Linux distributions alongside Windows if the price were the same in all cases. If, in addition, the money collected for the Linux sales were sent to the respective distribution maintainers instead of Microsoft, everyone would benefit.

Tech firms send Congress checklist of surveillance reforms

tom dial Silver badge

Re: Scurrilously off-topic

Exactly who owns the browsing history? That seems to be the core question, and it might make for an interesting piece of litigation.

TRUMP SCANDAL! No, not that one. Or that one. Or that one. Or that one.

tom dial Silver badge

Re: Casus belli

Not without a fourth amendment warrant they don't. Review the kerfuffle over James Comey's notifications to the Congress shortly before the election in connection with Anthony Weiner's laptop.

tom dial Silver badge

Re: Nothing to see here

To a first approximation, and probably a further refinement or two, the reported action is not materially different from the attempt by the FBI in late 2015 to alert the Democratic National Committee that their servers had been penetrated. The main difference seems to be that the Trump organization paid attention, rather than ignoring it for months of repeated FBI contacts as the DNC did.

Init freedom declared as systemd-free Devuan hits stable 1.0.0 status

tom dial Silver badge

Would that be "network-manager is unreplaced by wicd in Devuan?" I seem to remember wicd from my earliest attempts to install and configure Debian on a netbook a decade or so ago.

'Do not tell Elon': Ex-SpaceX man claims firm cut corners on NASA part tests

tom dial Silver badge

Re: Differing cultures

MILSPEC equipment and parts often are extremely costly, partly for just this reason. I recall a particular high frequency transistor many years ago that could be ordered as either a military qualified unit or not; the MILSPEC price was about $35 each, and the others, with identical packaging and specifications, were priced at less than $3.50. They all would have been made on the same line, in groups of many, by largely automated processes, and almost to a certainty differed only in whether they were tested on an individual or small sample basis.

Democracy-minded DEF CON hackers promise punishing probe on US election computers

tom dial Silver badge

Re: Hacking or Deliberate

The Wikipedia article, which discusses the various complexities involved in the Florida vote counting, is a much better source here.

The plain fact is that in Florida, in the 2000 election, the presidential race was a tie and could have been settled as reasonably by a few tosses of a fair coin.

tom dial Silver badge

Re: Hacking or Deliberate

Many, if not most, US electronic voting machines do have a paper trail in the form of a printed paper tape. During the final part of the voter interaction the tape was printed and displayed under a locked transparent panel as the voter's choices were shown on the screen. A diligent voter would have no trouble verifying that (a) the selections shown on the screen were those he or she made during the vote collection phase, and (b) were the same as those shown on the paper tape.

That was true of the Diebold machines in Ohio that I used and, as an election official, managed during the period from about 2002 to 2005, and also of the identical-appearing machine with a different label that I used last election in Utah.

That said, it probably is true that corrupt software in the machines could show one thing on the screen, the same thing on the tape, and something a bit different on the memory card used for the data collection. To make that stick, it also would be necessary for the same corrupt software to show identical sums on the screen, the end of the tape, and internal to the memory card, but the same corrupt software should have no trouble with that.

Probably the best compromise overall is the manually prepared optically scanned ballot, which gives decently rapid results, is easy for the voter, and also easy to recount if there is a question. I understand Ohio transitioned to that as the earlier machines got to EOL, and I was a bit surprised to see the older variety in Utah.

Dormant Linux kernel vulnerability finally slayed

tom dial Silver badge

Re: @alain williams

"You can also wait for Debian, Redhat or Suse, but you do not have to."

In the case of my systems, I waited for Debian until 0739 US Mountain time on 9 March 2017 when unattended upgrades installed the upgraded kernel. I suspect users of other major distributions received similarly timely updates. I waited a couple of days more to reboot, since the vulnerability was local and the affected kernel module was not, in fact, loaded.
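The decision described in the comment above (the fix is installed, but the reboot can wait because the affected module is not resident) can be made mechanically. The script below is an added example and is not code from the comment, the article, or any distribution; it assumes Debian-style `/boot/vmlinuz-<version>` naming, uses `/proc/modules` as the source of truth for loaded modules, and uses a hypothetical module name `example_mod` and constructed version strings, since the page does not name the affected module.

```shell
#!/bin/sh
# Added example, not part of the original comment. Decide whether a kernel
# security update can wait for a reboot, using two checks:
#   1. is_module_loaded NAME [MODULES_FILE]  - is the affected module resident?
#   2. reboot_pending RUNNING INSTALLED       - is the running kernel older
#      than the newest installed one?
# "example_mod" and the version strings in demo are constructed placeholders.

# Return 0 if NAME is listed in MODULES_FILE (default /proc/modules).
# Each /proc/modules line reads: "name size refcount deps state address".
is_module_loaded() {
    name="$1"
    file="${2:-/proc/modules}"
    grep -q "^${name} " "$file" 2>/dev/null
}

# Return 0 if the newest installed kernel is not the one that is running.
# RUNNING is normally `uname -r`; INSTALLED comes from newest_installed_kernel.
reboot_pending() {
    running="$1"
    installed="$2"
    [ "$running" != "$installed" ]
}

# Newest installed kernel version, taken from /boot/vmlinuz-<version> names.
newest_installed_kernel() {
    dir="${1:-/boot}"
    ls "$dir"/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1
}

# Combine the checks. Prints one of:
#   up-to-date        running kernel is already the newest installed
#   reboot-now        new kernel pending and the affected module is loaded
#   reboot-can-wait   new kernel pending but the affected module is not loaded
patch_decision() {
    module="$1"; running="$2"; installed="$3"; modules_file="$4"
    if ! reboot_pending "$running" "$installed"; then
        echo "up-to-date"
    elif is_module_loaded "$module" "$modules_file"; then
        echo "reboot-now"
    else
        echo "reboot-can-wait"
    fi
}

# Demonstration on a constructed /proc/modules snapshot (not a real capture).
demo() {
    tmp="$(mktemp)"
    printf '%s\n' \
        'ext4 737280 2 - Live 0x0000000000000000' \
        'cdrom 65536 1 sr_mod, Live 0x0000000000000000' > "$tmp"
    patch_decision example_mod "4.9.0-2-amd64" "4.9.0-3-amd64" "$tmp"
    rm -f "$tmp"
}

demo
```

On a live host the call would be `patch_decision <module> "$(uname -r)" "$(newest_installed_kernel)"`. Two caveats: comparing `uname -r` only catches upgrades that change the kernel ABI string, so a rebuild under the same ABI (compare `uname -v` against the package version for that case) is missed; and "not loaded" is only a safe deferral for a locally exploitable bug if the module cannot be autoloaded by an unprivileged user, which is worth checking with a modprobe blacklist or `/proc/sys/kernel/modules_disabled` before relying on it.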

Google leak-hunting team put under unwelcome spotlight

tom dial Silver badge

Re: More to this than meets the eye.

The Brian Katz who is the subject of this article appears not to be the same Brian Katz who is Next Generation National Security Fellow, 2017 at the Center for New American Security and Country Director for Syria in the Office of the Secretary of Defense. The CNAS biographical information does not mention previous employment at Google, but indicates a B.S. in Economics from Duke University and an M.A. in International Relations from Johns Hopkins. The Brian Katz of Google claims a B.A. in Criminology from the University of Miami (FL).

"Brian Katz" is not an uncommon name and care in distinguishing among its various bearers is worthwhile - a Google search easily finds at least two attorneys named Brian Katz, one of whom appears to have the same middle initial as Google's security guy.

Ransomware scum have already unleashed kill-switch-free WannaCry‬pt‪ variant

tom dial Silver badge

Re: Inevitable

Microsoft became aware of the particular vulnerability soon enough to develop and issue a remedial patch for the vulnerability more than five weeks before its first reported use in malware. The notion that ShadowBrokers reported the vulnerability to them is much less plausible than the more common presumption that the NSA did so. The patch was marked "critical" and that should have informed anyone paying attention of the need for prompt action. US DoD rules require deployment of these items within 10 days of availability, and while they do not always meet that, those who do not have to report often and in detail on the deployment until it is complete.

The firmware the FBI wanted from Apple, contrary to repeated claims, was not installable on "an iphone" in the general sense. The order required it to be specific to the iPhone described in detail in the court order and required that it not be usable for other iPhones. That is something that Apple certainly could have ensured since the code would need to be signed by them. Apple certainly would have been ordered to provide similar firmware in other cases. However, if the cryptographic implementation was secure and Apple continued to control the signing process, release of any or all copies of such firmware would not have been able to compromise untargeted iPhones.

tom dial Silver badge

Re: Inevitable

The present "back door" would be through compromise of Apple's (or Microsoft's) code signing key(s) or use of the keys to sign bogus software. Is there really reason to suppose that their security protections are fundamentally superior to those at the NSA? Would they not be subject in a similar way to vulnerability from disloyal or planted employees or accidents that expose them in environments less protected than planned?

Wannacry: Everything you still need to know because there were so many unanswered Qs

tom dial Silver badge

Re: Oh, the irony!

"... you can pick/choose which updates to install."

Those who turn off automatic security patch application do need to actually choose and apply the important patches. A patch for a remotely exploitable vulnerability that allows execution of arbitrary code (e.g., MS17-010), NVD severity 8.7 if I recall correctly, is an Important Patch by any standard. Anyone clued in and attentive enough to have taken over patch management should have applied it within a couple of weeks from issue.

What is dead may never die: a new version of OS/2 just arrived

tom dial Silver badge

Re: To quote a popular song ... 'Let it go !!!'

"running it on anything [but IBM machines] was pretty much Russian Roulette because it looked up specific things only found in IBM BIOSs" ...

I am quite skeptical of this. I ran it for a time on self assembled '486 and dual Pentium Pro systems. Neither one had an IBM BIOS, and neither one had noticeable problems with OS/2. Unlike Windows of the time, it was rock solid. It did give problems with VMs on qemu/kvm when tried a few years ago.

Do we need Windows patch legislation?

tom dial Silver badge

Product lifetime. Therefore a meaningless statement, as probably ought to have been obvious.