44 posts • joined 10 Mar 2016
Re: The user has no freedom but to consent
The problem with hosts files is they don't allow wildcards. So when they point you to a dynamically made-up server name, i.e. a43c56.adhack.com, it won't match. There are two better ways to do it. You can do wildcard matching in a proxy.pac file. You can create your own internal DNS server, and create fake zone files that point *.doubleclick.net to 0.0.0.0. I like the second one because it automatically applies to all of my devices, tablets, phones, etc. on the local network.
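As an added example (not code from the commenter or from any real blocklist), here is the proxy.pac approach from the post beside a hosts-file lookup, so the difference is visible: the PAC file matches any subdomain of a blocked domain and routes it to a sinkhole proxy that nothing listens on, while the hosts file only matches names it lists exactly. The domain list, the sinkhole address and the `ad*.example.org` glob are constructed; `dnsDomainIs()` and `shExpMatch()` are normally supplied by the browser's PAC engine, so the small re-implementations below are assumptions added only so the file runs stand-alone under Node.

```javascript
// Added example, not from the original post. Minimal stand-ins for the PAC
// helper functions a browser provides (assumed re-implementations so this
// file can be executed outside a browser).
function dnsDomainIs(host, domain) {
  // True when host ends with domain, e.g. "a43c56.adhack.com" / ".adhack.com".
  return host.endsWith(domain);
}

function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Constructed blocklist: every subdomain of these domains is sinkholed.
const BLOCKED_DOMAINS = [".doubleclick.net", ".adhack.com"];

// Sinkhole target: the discard port on loopback, so blocked requests fail
// fast instead of hanging. Constructed value; any closed local port works.
const SINKHOLE = "PROXY 127.0.0.1:9";

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (const d of BLOCKED_DOMAINS) {
    if (dnsDomainIs(host, d)) return SINKHOLE;
  }
  // Glob-style rule: any host starting with "ad" under example.org.
  if (shExpMatch(host, "ad*.example.org")) return SINKHOLE;
  return "DIRECT";
}

// Contrast: a hosts file is an exact-name table, no wildcards.
const HOSTS_FILE = [
  "0.0.0.0 adhack.com",
  "0.0.0.0 www.doubleclick.net",
];

function hostsFileBlocks(host) {
  const h = host.toLowerCase();
  return HOSTS_FILE.some(line => line.trim().split(/\s+/)[1] === h);
}

// Stand-alone demonstration of the mismatch the post describes.
if (typeof require !== "undefined" && require.main === module) {
  const h = "a43c56.adhack.com";
  console.log(h, "hosts file:", hostsFileBlocks(h), "PAC:", FindProxyForURL("http://" + h + "/", h));
}
```

The internal DNS zone the commenter prefers gives the same wildcard effect for every device on the LAN without touching each client's proxy settings; the PAC file is the per-browser equivalent.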
Re: Windows 7 "outdated"?
"put your Win7 OS into a VM"
This has many other advantages. You can snapshot the VM before an upgrade, and roll back bad ones. You can filter the network connections. You can filter which USB devices are allowed to communicate with the VM. The virtual hardware is standardized, so you never need to worry about weird, broken drivers. You can clone the VM for a special purpose, or for two pieces of software that don't cooperate on DLLs or drivers.
The downside is VMs use a lot of memory.
'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway
Re: There's no quality issue. It's a movement you benefit from.
FreeBSD recently adopted an appallingly bad code of conduct. The problems aren't as much with what it says, as what it doesn't. It has no transparency. There is no requirement that charges be publicly announced (in an anonymized fashion). There is no provision for defense. There is no requirement for the defendant to be informed that a charge is pending against them, so they are unable to plan or mount a defense. After the fact, appeals are allowed only to a tiny subset of penalties. Appeals are handled by the same committee. There is no way to appeal to a higher, or different, authority.
SCADA systems should never be connected to the internet. The vast majority of them have someone in a control booth 24x7. The boss can just call and ask "Is everything working?" If they insist on a status display, that should be done in a one-way, export-only fashion, where the protected systems send status updates to an external web server. There's seldom that much status data to update; you could even do it with an RS-232 serial line, with the RX wire clipped.
Re: Limited growth company.
Also consider possible future expansions. They could get a daily upload of facial recognition data for known shoplifters from other locations. The human guards will recognize people they personally threw out before, but not ones from other malls or airports. They could also identify people by cell phone Bluetooth beacons, wifi client addresses, car license plates, etc. All of that data would be very attractive to a mall. They could sell it to directed advertisers.
I really want an autonomous car.
There are many reasons I would want an autonomous car.
- It could drop me off at the store door, then go find parking. When I'm done, I would call it to come pick me up. I wouldn't have to carry my packages half a mile to my parking space.
- I could relax and watch video or something on long trips.
- It could drive me home after an evening out.
- I could send it off to get gas, or be serviced.
Re: Are there any legitimate uses for client side scripts on a banking website?
One common use is "responsive web design", where the JS modifies the page to fit various size screens under certain rules. Many designers think it's better to make one page full of "if"s and rules than to maintain separate desktop and mobile sites. I see points for both sides; I think it depends on the site.
Rule 2) The device shall not become operational until the user has set up their own credentials.
This might be a bit much to expect from Grandma. It might be more user-friendly for every unit to have different default credentials, derived from the serial number, and printed on a card that comes with the device. If they lose the card, they can go to the company web site, enter the serial number, and get the default password. That also means the device can be used out of the box, without any setup that requires a computer they might not have.
routers and embedded devices
These days I mostly use FTP to get firmware images and data on and off of routers, switches, and embedded devices. The simple protocol, and low CPU / memory requirements, make it a good fit in bootloaders and rescue images. Virtually all of those transfers are to or from an anonymous FTP server on the same protected management LAN.
FTP is sometimes problematic on the internet, because the firewall has to inspect the protocol and open the ports for the data channel. Passive mode will get around your firewall, but not the other end's firewall. Active mode is the other way around. In Linux, as a client, you have to load a kernel module, nf_conntrack_ftp, to get iptables to do the inspection to make active mode work.
Re: What is the benefit putting a cloud in the middle?
Peer to Peer has trouble with firewalls, especially NATing ones. If both ends have a firewall that prohibits unsolicited inbound connections, then PtP can't establish a connection. The workaround in some small routers is UPnP, which allows an application to register with the firewall for an inbound pass. However, that is generally considered very insecure, and most corporate firewalls turn it off.
name me any business of over a very small size that's going to use the 192.168 range for its LAN
That's the point, almost no corporate LANs use 192.168.2.0/24, so it's wide open for another infected machine to assume that as a secondary IP.
We have to overlay 192.168.1.0/24 on one of our other subnets, on the same VLAN, and provide a TFTP server on it, for reinstalling certain VoIP phones. When you factory reset them, they don't even DHCP; they use a fixed IP on that subnet, and try to TFTP their OS image from a fixed server IP.
I have one thing left that needs Flash, VMware vCenter. Unfortunately, I need to use it for work. I have a separate browser just for that.
That's one example of a growing problem. Many intranets contain legacy devices that need older protocols or ciphers, but for various reasons can't be easily replaced. As the browser companies delete support for those older features, we're forced to use obsolete browser versions to talk with these legacy systems. This becomes a big problem when you have to provide a secretary with two browsers, and tell them "only use browser B for X". They often forget, and venture out on the internet with the wrong browser.
Re: H/W vs S/W vs cloud
"a cloud service can be built to be much more secure than most people can build their own."
"can be built", "has been built", and "has been maintained" are all very different. I've seen several cloud services that were designed with good intentions, built with the best safeguards available, but then turned over to morons to operate and maintain. After a couple years, they're worse than useless.
MS Access. Probably only serious data analysts really need it
No serious data analyst would ever use a toy like MS Access. They use Teradata, Oracle, etc. For smaller things, PostgreSQL and MySQL are great. A real object storage system, or relational database, combined with even a little elementary script coding, is far more powerful than Access.
For other types of work, SAS or R are good. It depends on what you're doing.
I've occasionally had to deal with "applications" that a consultant had written in Access. They were always horrible, and scaled very badly. They always seem to try to develop with test data of a few hundred rows. Then they're surprised when the business dumps in 100,000 rows, and their app falls over.
buffer in ram
Why would there be anything to extract from the device? It should be keeping the audio buffer in RAM. If it were in flash, it would run through the erase cycles too quickly. So when the cops unplugged it, it should have blanked. If they left it plugged in, it should have overwritten that part of the circular buffer after a few minutes.
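To show the retention behaviour the comment describes, here is an added example (not code from the commenter or from any real device): a circular buffer held in RAM, written continuously, where anything older than the buffer's capacity is overwritten and is no longer in memory at all. The sample rate, window length and the "recording" (one second of samples per second index) are constructed values chosen so a few minutes of audio fits.

```javascript
// Added example, not from the original post. A fixed-size circular buffer
// of 16-bit PCM samples kept in RAM; old audio is overwritten in place.
class RingBuffer {
  constructor(capacity) {
    this.buf = new Int16Array(capacity); // lives in RAM only, never flash
    this.capacity = capacity;
    this.writePos = 0; // next slot to overwrite
    this.total = 0;    // samples written since power-on
  }

  write(samples) {
    for (const s of samples) {
      this.buf[this.writePos] = s;
      this.writePos = (this.writePos + 1) % this.capacity;
      this.total++;
    }
  }

  // Absolute index of the oldest sample still present in memory.
  oldestRetained() {
    return Math.max(0, this.total - this.capacity);
  }

  // Copy of the retained audio in chronological order.
  snapshot() {
    const n = Math.min(this.total, this.capacity);
    const out = new Int16Array(n);
    const start = (this.writePos - n + this.capacity) % this.capacity;
    for (let i = 0; i < n; i++) out[i] = this.buf[(start + i) % this.capacity];
    return out;
  }

  // Power loss: RAM contents are gone, nothing survives to be extracted.
  powerOff() {
    this.buf.fill(0);
    this.writePos = 0;
    this.total = 0;
  }
}

// Constructed parameters: 8 kHz mono, a 3-minute window.
const SAMPLE_RATE = 8000;
const WINDOW_SECONDS = 180;

// How many seconds of audio a buffer of this size can ever hold.
function retentionSeconds(capacity, sampleRate) {
  return capacity / sampleRate;
}

// Record five minutes (sample value == second index), then inspect RAM.
function demo() {
  const rb = new RingBuffer(SAMPLE_RATE * WINDOW_SECONDS);
  for (let sec = 0; sec < 300; sec++) {
    rb.write(new Int16Array(SAMPLE_RATE).fill(sec));
  }
  const snap = rb.snapshot();
  const result = {
    firstSecond: snap[0],                    // oldest audio still present
    lastSecond: snap[snap.length - 1],       // most recent audio
    retainedSeconds: snap.length / SAMPLE_RATE,
    oldestSampleIndex: rb.oldestRetained(),
  };
  rb.powerOff();
  result.afterPowerOff = rb.snapshot().length; // 0: nothing left in RAM
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

With these constructed numbers, after five minutes of recording only minutes three to five remain; the first two minutes were overwritten in place, which is the "after a few minutes" effect the post describes, and unplugging the device empties the buffer entirely.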
existing contracts and future instability
I suspect part of the price hike is to compensate for the existing contracts at lower prices. The new ones get gouged to make up for MS's losses on the old ones. Also, they may be factoring in some "insurance" for future instability in the UK pound vs the US dollar. Between Brexit and Trump, the financial future is uncertain.
Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?
Standards in the US would also affect china, due to dev costs
It's expensive to make multiple versions of code for an IoT device. So imposing security standards for selling into the US will cause the IoT developers to improve their code in products released worldwide.
The same thing happened when Europe legislated Reduction of Hazardous Substances. It took a few years, but now virtually all consumer electronics meet RoHS, regardless of the country they're sold into.
snaps are a stupid way to badly reinvent LD_LIBRARY_PATH
For over 20 years, every version of Unix I'm aware of has supported using the LD_LIBRARY_PATH environment variable to avoid library conflicts. If you need a specific version of libjpeg, just put it in its own directory, and set the variable.
Having offended everyone else in the world, Linus Torvalds calls own lawyers a 'nasty festering disease'
lawyers scare developers into leaving projects
Linus is right about the BusyBox GPL lawsuit. Bringing in lawyers scared the developers into leaving. That ended up hurting everyone.
Programmers usually don't understand or trust lawyers. There have been too many stories about people losing everything. The developers don't want to be caught in the splash zone, so they abandon the project. It can take years to recover.
Re: a slow motion trainwreck
"And then COME BACK because the software they need doesn't run anywhere else. You might as well be Walking on the Sun..."
Why do people keep repeating this FUD? I'm a network and systems administrator. There are only two applications I still need for work that require Windows. I very seldom use either. Both run fine in VirtualBox VMs. One actually runs better in a VM than on bare metal, due to quirks in how its networking interacts with VPNs. There used to be more, but most of them now have Linux replacements. My need for Windows has shrunk dramatically over the years.
Re: is there a comprehensive list of cockups?
I would suggest VirtualBox, VMplayer, or something similar, to run Windows VMs as guests on your Linux system. You can snapshot the Windows image, and back out when it eats itself. It gives Windows a simpler, virtual "hardware" platform with more common drivers. It lets you sharply limit access to attached devices. For example, you can explicitly list which USB devices the VM can see. I have two of these guest VMs, one for each Windows-only software application I still need. Keeping them separate also keeps the apps from fighting over DLLs.
statistics are inadequate to draw any conclusion
This report is based on too little data to mean anything or to draw any conclusions. On page 1 of the pdf, "http://www.chinalaborwatch.org/upfile/2016_08_23/Pegatron-report%20FlAug.pdf", the report says "Pegatron is one of Apple's major suppliers, employing almost one hundred thousand workers in Mainland China". Most of the numbers in the report are based on paystub data. However, on page 5, there is a table showing how many paystubs they analysed. Over 10 months, they collected a total of 2015 paystubs. One month, Jun 2015, they got only 4 paystubs. The peak was 1064 in Oct 2015. The average number of paystubs they got per month was 202. That is only 0.20% of the workforce. That is not enough data to be a worthwhile statistical universe.
I have no doubt Apple is pressuring them to reduce costs. Conditions there might well be awful. However, I can't tell one way or the other from this study, because its statistics are insufficient.
Re: Of course...
I understand you're joking. However, Linux has had most of these things for years. The exception is LEDBAT, RFC 6817. The actual dates are:
- RFC 7413 TCP Fast Open (TFO): kernel 3.13, 19 Jan 2014, https://kernelnewbies.org/Linux_3.13
- Initial Congestion Window 10 (ICW10): kernel 2.6.39, 18 May 2011, https://kernelnewbies.org/Linux_2_6_39
- TCP Recent ACKnowledgment: 4.4, 10 Jan 2016, https://kernelnewbies.org/Linux_4.4
- Tail Loss Probe: 3.10, 30 Jun 2013, https://kernelnewbies.org/Linux_3.10
- TCP LEDBAT RFC 6817: As far as I can tell, Linux does not have this yet.
appearance over function
Gnome has a long-standing problem with valuing appearance over functionality. They keep making big, fat titlebars on everything that eat up screen real estate. Yet, their image app is just now obtaining some of the functionality that xv had in 1993.
They don't understand that a window manager should be a tool that helps you get things done, but otherwise gets out of your way.
They also have an arrogant belief that their graphic design and use cases are the only things users will ever need. They have been actively deleting customization options.
GUIs don't scale
I've got over 1000 switches, and 60+ routers, firewalls, and load balancers from 5 different vendors. I've never seen a GUI that comes close to handling all that. We used to have CiscoWorks, but it only applied to our Cisco devices, only did a few things, and didn't do those well. I don't have time to repeat a GUI action on hundreds of devices. I _need_ to use APIs, and scriptable CLIs.