* Posts by Joe Montana

778 posts • joined 12 Mar 2007

Man responsible for least popular iteration of Windows UI uses iPad Pro as a desktop*

Joe Montana

Re: in Sinofsky's defence - is iPad Pro + iPadOS heading towards achieving the Windows 8 vision...?

// The security landscape is getting worse. The app security model for WIN32 and macOS was never designed for such a hostile security landscape. Mobile app models (secure sandbox; limitations; app store; automated updates; etc) are better suited to this.

This is the key point..

Traditional operating systems were designed by and for geeks. They are complex tools that require knowledge and experience to operate correctly.

They are kit cars, whereas an iPad is a ready to drive vehicle. You won't get the same performance or flexibility, but you will be able to drive to work or the shops without any hassle and that's what matters.

Fully featured computers have always been a niche product aimed at specialist use cases and only ended up being used by the masses because actual consumer oriented products were not available yet.

TCL 10L: Remember the white goods flinger that had a licence to make BlackBerrys? It made a new own-name phone

Joe Montana

Re: Tickle?

It's an acronym with no vowels, it can't be pronounced you simply say the letters - T C L.

https://www.youtube.com/watch?v=5QBHukn8Qm8

Linus Torvalds drops Intel and adopts 32-core AMD Ryzen Threadripper on personal PC

Joe Montana

Actually the OS most often used with Linus' kernel is probably Android, followed by BusyBox...

Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Joe Montana

Re: Use of SMBv1 for XP compat may be at the core

Encryption is not the reason to deprecate SMBv1... SMBv2 doesn't implement encryption either, and it's optional for newer versions of SMBv3.

The problem is the inherent complexity and age of the protocol, with SMBv2/v3 being much cleaner and simpler.

However they are also not without problems, on Windows the protocol is deeply embedded into the OS and runs with a high privilege level, the protocol allows a lot more than just file sharing, and there are still weaknesses with the authentication system - especially NTLM.

Houseparty denied it had been hacked... while miscreants were abusing its dot-com domain name infrastructure

Joe Montana

Address recycling

Yet another reason why we need IPv6...

IPv4 addresses on AWS and other such platforms need to be recycled because there's a shortage of them, if a machine gets killed and they don't remove the DNS records then someone else will soon inherit them. The address allocations are also random and spread all over the address space AWS owns so if you're trying to add firewall rules, or determine what the traffic is from a packet capture or logs it's painful.

IPv6 allocations are based on blocks per customer, so Houseparty will be allocated a large block by AWS and all of their allocations will come from that. If they drop a machine then the address goes dead and won't be allocated to a different customer as it still belongs to Houseparty.

Another good example of this absolute mess is Zoom:

https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom

75 separate spread out IPv4 blocks that belong to AWS (and do Zoom even control all the addresses in those blocks?), or a single IPv6 block that belongs exclusively to Zoom... I know which I'd rather use for monitoring and firewall rule purposes.
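The record hygiene problem described in this post can be checked mechanically. The following is an added example, not part of the original post: it audits a zone against the current host inventory and separates IPv4 records pointing at addresses that have gone back to a shared pool from IPv6 records that are stale but still inside the tenant's own block. The zone data, host names and the /48 block are constructed, and the rule that a per-customer IPv6 block is never reassigned is the post's claim, taken here as an assumption.

```python
import ipaddress

# Constructed sample data using documentation address ranges, not real hosts.
ZONE = [
    ("www.example.test", "A", "192.0.2.10"),
    ("old-api.example.test", "A", "198.51.100.77"),
    ("cdn.example.test", "AAAA", "2001:db8:aa00::10"),
    ("retired.example.test", "AAAA", "2001:db8:aa00:5::1"),
    ("misc.example.test", "AAAA", "2001:db8:bb00::1"),
]
# Addresses currently assigned to running machines (constructed inventory).
LIVE_HOSTS = {"192.0.2.10", "2001:db8:aa00::10"}
# Hypothetical per-customer IPv6 block; assumed never handed to another tenant.
TENANT_V6_BLOCK = "2001:db8:aa00::/48"


def classify_record(rtype, value, live, v6_block):
    """Return a verdict for one address record.

    live     -- set of ip_address objects for running machines
    v6_block -- ip_network object for the tenant's own IPv6 allocation
    """
    addr = ipaddress.ip_address(value)
    if addr in live:
        return "live"
    if rtype == "AAAA":
        # Stale, but the address cannot be inherited by someone else
        # as long as it sits inside the tenant's own block.
        return "stale-own-block" if addr in v6_block else "outside-block"
    # IPv4: the address went back to the provider's shared pool, so the
    # next customer to receive it also receives this DNS name.
    return "dangling-recyclable"


def audit_zone(zone, live_hosts, v6_block):
    """List every record that does not point at a running machine."""
    live = {ipaddress.ip_address(h) for h in live_hosts}
    block = ipaddress.ip_network(v6_block)
    findings = []
    for name, rtype, value in zone:
        verdict = classify_record(rtype, value, live, block)
        if verdict != "live":
            findings.append((name, value, verdict))
    return findings


if __name__ == "__main__":
    for name, value, verdict in audit_zone(ZONE, LIVE_HOSTS, TENANT_V6_BLOCK):
        print(f"{verdict:20} {name} -> {value}")
```

Records marked dangling-recyclable are the ones to delete first, since they are the case the post describes where another customer inherits the address.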

DBA locked in police-guarded COVID-19-quarantine hotel for the last week shares his story with The Register

Joe Montana

Re: And this is why the Aussies are on top of it

What makes you think that reporting and testing in third world countries like Myanmar and Laos is at all accurate?

Also the vast majority of deaths have been elderly people with existing conditions, in developed countries with effective healthcare systems there are a lot of elderly and sick people still alive thanks to the healthcare, in third world countries people who would be in these categories are often already dead.

Many young and healthy people experience little or no symptoms, and third world countries are full of young healthy people because it's hard to survive there otherwise.

Happy birthday, ARM1. It is 35 years since Britain's Acorn RISC Machine chip sipped power for the first time

Joe Montana

Re: "All issues with management blobs etc. aside, this is a bit debatable IMO"

It didn't take ARM an age to get to desktop level, it took them an age to get back.

The earliest ARM chips were used in desktops, and those machines were more than performance competitive with the common x86 and m68k designs of the time.

FTP is crusty and mostly dead, right? AWS just started supporting it anyway

Joe Montana

Re: Update it not kill it

It does, there is FTPS which is FTP over SSL...

The problem is NAT.

FTP uses separate ports for data transfer and control, and the benefit here is that you can remotely initiate transfers between 2 servers without the data having to touch your client (especially useful when you have slow or asymmetric connections)...

But this doesn't play well with firewalls or NAT, the firewall doesn't know which ports to open or which address to translate them to. There are kludges for plain FTP where the firewall will watch for FTP control traffic and intercept the requests, but this won't work if the control channel is encrypted.

There are also techniques like bounce scanning, where you can make an ftp server connect to arbitrary host/port combinations as a slow form of port scanning, so you can see what's reachable from the perspective of the FTP server.
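What a firewall or server has to read out of the control channel is the PORT command, which carries the data-connection address as six decimal bytes. The following is an added example, not part of the original post: it parses PORT, shows the rewrite a NAT helper must perform on plain FTP (impossible once the control channel is encrypted), and flags data connections aimed at a host other than the control-connection peer, which is how both server-to-server transfers and bounce attempts appear to the server. The function names, verdict labels and addresses are constructed for illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2  (address bytes, then port high byte and low byte)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3})$", re.IGNORECASE)

# RFC 1918 private ranges, listed explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Return (IPv4Address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def classify_port(line, peer_addr):
    """Compare the announced data address with the control-connection peer.

    peer_addr is the source address of the control connection as the
    server sees it (after any NAT).
    """
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    host, _port = parsed
    if host == ipaddress.IPv4Address(peer_addr):
        return "ok"
    if any(host in net for net in RFC1918):
        # Client behind NAT announced its internal address and nothing
        # on the path rewrote it: the server cannot connect back.
        return "nat-unrewritten"
    # Data connection requested to some other host: a server-to-server
    # transfer or a bounce attempt. Servers commonly refuse or log this.
    return "third-party"


def rewrite_for_nat(line, public_addr):
    """What a NAT helper does on plain FTP: swap in the public address."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    _host, port = parsed
    octets = str(ipaddress.IPv4Address(public_addr)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    peer = "203.0.113.7"  # constructed control-connection source address
    for cmd in ("PORT 203,0,113,7,195,80", "PORT 192,168,1,20,195,80",
                "PORT 198,51,100,9,0,22", "PORT 1,2,3"):
        print(f"{cmd!r:32} {classify_port(cmd, peer)}")
```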

Joe Montana

Re: It's used because it works

What he did with FTP, could have been done just as easily with thousands of other file copy methods too..

SMB, NFS, SCP, RCP, RSYNC etc.

Freed from the office, home workers roam sunlit uplands of IPv6... 2 metres apart

Joe Montana

Re: Colour me disappointed...

It's more stupid than that...

They use Cloudflare, and Cloudflare fully support IPv6 by default, for some reason they've got it turned off or just not bothered to create the AAAA record.

From here the latency to Cloudflare over IPv4 is usually over 3x higher than over IPv6, because of the overloaded NAT gateway imposed on me by the ISP.

Joe Montana

IPv6 by default

Many ISPs now provide IPv6 by default, and many providers are now using NAT for IPv4 connections - especially for mobile users...

As a consequence of this, connections going over IPv6 are generally faster and more reliable.

The more traffic goes over IPv6 the better for the ISP and the customers, as NAT gateways are considerably more expensive to operate than routers.

The lack of a NAT gateway can also reduce battery usage on mobile devices, as they can use longer sleep times for protocols like activesync without the gateway terminating the connection for being idle.

A lot of the users still stuck with IPv4 have explicitly turned it off, or are using antiquated equipment.

BT's Wi-Fi Disc ads banned because there's no evidence the things work

Joe Montana

Re: Standby for downvotes!

These repeaters work by consuming twice as much of the wireless spectrum, causing even more congestion for those around you... Wired backhaul combined with localised low power access points would be far more considerate to your neighbours.

Joe Montana

Re: MikroTik for the win

Given how widespread internet access is, why aren't modern houses built with cat6 cabling and consideration for the optimal access point location(s)?

I rewired my older house and ran cat6 under the floors.

You. Drop and give me 20... per cent IPv6 by 2023, 80% by 2025, Uncle Sam tells its IT admins after years of slacking

Joe Montana

Re: IP6

Quite the contrary unless you're using ancient software...

Modern operating systems prefer ipv6 and are designed to use it, running modern systems on a legacy ipv4-only network is actually a security risk.

Same for devices, pretty much everything supports IPv6 and will prefer it. Anything that doesn't is generally either so old that it's unsupported and a security hazard in its own right, or cheap garbage from China that is just as risky.

Joe Montana

Re: AAISP

I have the same setup, it works fine because the allocation from the ISP is a /56 which allows me to assign a /64 to each internal network.

As an added benefit, my hosts have the same addresses whether I'm connected to the home network, or accessing them remotely.

Joe Montana

Hosting anything requires inbound, and because of the lack of inbound connectivity you end up with devices that proxy through a third party server run by the manufacturer - do you trust a Chinese server having access to your CCTV more than you trust a firewall under your own control?

P2P requires inbound - and P2P is not just for BitTorrent, it's useful for many things - especially reducing latency which is good for gaming and VoIP. With NAT you have to push your traffic through a third party server which increases latency and gives them leverage over you.

NAT means you share an address with multiple users, if one of those users does something to get banned from a particular service then you are banned too. This is quite a significant problem in some countries where every ISP uses CGNAT.

NAT makes it difficult to determine the true source of traffic. Someone complains that malware traffic is originating from your home address, you have 20 devices and occasional visits from guests, which of them is infected with malware?

The IPv4 address space is so small that it's practical to scan it all, so multiple strains of malware do so which at best just wastes your bandwidth.

NAT gateways generally have specific kludges for protocols like FTP.

NAT is _NOT_ a security feature, it's broken.

If you want to control inbound traffic, use a stateful firewall.

NAT requires a stateful firewall, but a stateful firewall does not require nat. We were using stateful firewalls with routable ipv4 on both sides back when ipv4 addresses were plentiful, and we do the same thing today with ipv6.

NAT is a dirty hack, it causes problems and breaks things. The sooner it dies the better.

Joe Montana

Re: It's the hardware

For any non trivial network, IPv6 is much easier to manage than IPv4...

You have end to end connectivity, with firewall rules allowing or blocking traffic as required. You don't have address translation confusing the matter.

You have improved security because the rules are easier to understand, and when you allow or deny an address you're allowing just that address and not other things that might be behind it.

The address you see in logs is the address of the host, not the address of an intermediate node doing address translation.

You have a large enough address space to design everything properly without having to worry about address translation hacks.

If you're merging multiple previously separate organisations, or establishing vpn connections to third parties you don't get address conflicts.

IPv6 is better, IPv4 is old, broken and requires all kinds of nasty kludges to keep limping along.

That's why Microsoft are moving to IPv6 and ditching IPv4:

https://labs.ripe.net/Members/mirjam/ipv6-only-at-microsoft

Joe Montana

Re: It's the hardware

Well another requirement is to have actively supported equipment for security reasons, and routers which don't support ipv6 are long since end of life.

Data surge as more Brits work from home? Not as hard on the network as their nightly Netflix binges, claims BT

Joe Montana

Re: What was that ?

The last mile connection is fibre but that doesn't mean the ISP's backhauls can cope with lots of users maxing out their fibre connections at once.

There could also be poor/limited peering between different ISPs, so even domestic traffic will clog up or take inefficient routes.

The UK is different, the last mile connections to users are often old and poor but the backhaul and peering is generally very good. Plus with the users on slower connections, you need many more of them to start saturating the backbone links anyway. Plus one user saturating their local ADSL isn't going to have any effect on other users' lines.

Corporate VPN huffing and puffing while everyone works from home over COVID-19? You're not alone, admins

Joe Montana

Re: 100% cloud

We did the same, but it actually worked much better when everyone worked from home... The office connection was terribly slow and most people's residential connections were much faster on their own let alone shared with 20 others.

Joe Montana

Re: 100% cloud

Many companies won't provide such a setup for use in the office, let alone at home... People are made to make do with whatever they have available even if it's grossly sub optimal.

Many of us actually have much better setups at home for our own personal use.

Built to last: Time to dispose of the disposable, unrepairable brick

Joe Montana

Commodity..

Over time software becomes commoditised, the existing versions provide all the features people actually need so there is no money to be made selling new versions. It's the end of the line for the business model of selling software.

It's going to be replaced with open source software or services, open source doesn't need to make a profit so it can quite happily go on providing only bugfixes.

RIP FTP? File Transfer Protocol switched off by default in Chrome 80

Joe Montana

Re: File Transfer Potocol

FTP worked just fine with the way IP was always designed, NAT is a horrible kludge that breaks things.

Joe Montana

Re: File Transfer Potocol

Use of NAT is also a big flaw that breaks more things than just FTP...

Move to IPv6, give each FTP server its own address, use IP the way it was designed - end to end addressing.

The reason FTP uses separate data connections is so you can do FXP - open two control connections to two different FTP servers, send a STOR to one and a GET to the other and tell the two servers to talk directly to each other without the data having to be pulled down to your connection and then uploaded again. This was especially useful in the days of extremely slow connections, but is still useful today where you might have servers with multi gigabit connections to each other, but clients on asymmetric connections with poor upstream performance, clients on mobile connections, clients with small data caps etc.

Joe Montana

Re: File Transfer Potocol

FTP doesn't support authentication via keys either...

And SCP is probably easier to automate than SFTP:

scp file [email protected]:/path/to/destination/file

Brits may still be struck by Lightning, but EU lawmakers vote for bloc-wide common charging rules

Joe Montana

Re: Yet the same Apple

I also have a 30pin connector in the car, and it works fine with a 30pin to lightning adapter...

Petition asking Microsoft to open-source Windows 7 sails past 7,777-signature goal

Joe Montana

Blackhats...

The idea that people aren't already looking for vulnerabilities is extremely naive...

Organisations like the NSA almost certainly have access to the source code, and probably used that access to develop the suite of vulnerabilities that leaked a couple of years ago. There's no reason to believe they don't continue to do so.

There are also almost certainly underground leaks of source code out there, also being used by people with malicious intent.

The only difference open sourcing would make, is that whitehat researchers would be able to look for vulnerabilities too and might actually fix vulnerabilities rather than trying to exploit them.

The Curse of macOS Catalina strikes again as AccountEdge stays 32-bit

Joe Montana

64bit accounting software in preparation for hyperinflation

If we end up suffering from hyperinflation after Brexit, you may need 64bit integers to calculate your balance in the now worthless currency. Just recall what happened to the Zimbabwe dollar.

Joe Montana

Printer and scanner?

Why do your printer and scanner require specific software?

I have a LaserJet 4200 which Wikipedia tells me is from 2002, it still works perfectly with pretty much anything. It supports PostScript and PCL so I can print from the very latest systems (Catalina has no problem), and even from vintage Unix boxes or AmigaOS.

There's nothing to stop you running a 32bit vm either...

I updated to Catalina when it came out and everything just continued working. Apple has had 64bit support since the first port to x86 (even 10.4 could run 64bit cli tools) and even 64bit PPC support before that, it's not like the removal of 32bit is a surprise to anyone.

Many vendors updated their mac apps to 64bit years ago, so they just continue working if you update to catalina and users don't notice a thing.

The problem is those who just keep kicking the can down the road until it becomes a major problem and then panic leaving users in the lurch instead of a smooth migration, the same thing that's currently happening with IPv6 deployment. Behaving like this shows contempt for your customers, so I wouldn't want to use software supplied by such a vendor.

LibreOffice 6.4 nearly done as open-source office software project prepares for 10th anniversary

Joe Montana

Re: Usability

You shouldn't be learning fixed menus anyway, you should be learning how to locate the options you need wherever they may be hidden. Software changes, there are multiple programs capable of doing a single task and there are multiple different versions of each one. If you get too used to the way a particular program/version does things you'll start having problems when it's updated and things move.

Joe Montana

Re: "Has Excel succeeded?..." at charting?

It stems from a typical office environment where only the msoffice tools are provided to users, and users only have training in these tools.

Yes a proper database would be better, but the users aren't provided with one and don't know how to use one anyway.

It's like those people who strap huge unsafe loads to the back of their motorbike because they don't have access to a truck. They have a bike, and they know how to ride a bike so that's what they use even tho it's a poor tool and ends up being dangerous.

Jet2 hacker who deleted every account on UK company's domain cops 5 months in jail

Joe Montana

Sophistication and planning?

This wasn't an attack with "a high level of sophistication and planning", this was a poorly configured network and a guy who knew just enough to be dangerous... If he really knew what he was doing he would have known what monitoring was in place and taken better steps to cover his tracks.

Why was a service account for a printer able to login from outside the organisation?

Why did a printer service account have admin privileges?

This bit about requiring inside knowledge to do the hack quickly, I've seen enough internal pentests where domain admin was compromised within 15 minutes, and given what has been disclosed about service accounts and password sharing I can't imagine it would have been very hard at this place.

That's Microsoft price: Now you can enjoy a BSOD from the comfort of your driving seat

Joe Montana

Disk failure

Disks are usually the first things to die, especially in harsh environments... But with a small embedded os it's quite possible to load everything into ram and power down the boot drive, or boot diskless over the network etc... Proper embedded devices fail a lot less often than windows.

Labour: Free British broadband for country if we win general election

Joe Montana

Re: "Labor is pro-remain, right?"

Democracy is always like that when scaled up to an entire country, people don't understand what they're voting for and the masses are easily controlled by the media.

I see your blue passport and raise you a green number plate: UK mulls rewards scheme for zero-emission vehicles

Joe Montana

Re: Green number plates, green cars, green as grass?

Nothing unintentional about it...

In fact, pricing the poor off the roads will result in less traffic for the rich.

Joe Montana

Re: Go Dutch?

Cheaper cars actually weigh more than the more expensive models, due to the use of cheaper but heavier components and materials. And the average weight of vehicles has been going up due to the increase in features (mainly safety features).

Many high-end cars are made of carbon fibre or aluminium, cheaper cars tend to still be made of steel.

Just a friendly reminder there were no at-the-time classified secrets on Clinton's email server. Yes, the one everyone lost their minds over

Joe Montana

Re: Red Herring

For any form of questionable action, they will just meet in person and discuss off the record - the same way questionable things have been done for hundreds of years.

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

Joe Montana

Should be

Should be salted, but often aren't...

Windows still uses NTLM, which is not salted.

Various developers try to roll their own password storage mechanism instead of relying on a tried and tested one, and in 99% of cases they manage to make something with serious weaknesses.

Joe Montana

DES

The DES algorithm used by ancient unix systems (ie the one mentioned in this article) is also salted.

But it only supported a maximum length of 8 characters, so increasing the length was not possible.

It was good enough at the time, and easily swapped out with a stronger algorithm.

Joe Montana

DES

On a unix system yes, the algorithm would have been DEScrypt.. Many years ago someone built an FPGA setup which could brute force any DES password in a few hours.

DES passwords also had a maximum length of 8 characters, so it simply wasn't possible to have a longer password.

Modern unix systems would use crypt-md5, crypt-sha512 or bcrypt which are much stronger than DES and support much longer passwords.

On the other hand, even the latest versions of windows still use NTLM which is based on MD4. They also use an AES based algorithm as well, but it's not possible to migrate entirely to a new algorithm like unix can because the hashing algorithms are an inherent part of network authentication protocols among other things - so the newer algorithm can largely just be ignored.

NTLM is not salted, although it does support longer passwords than DES, generally NTLM is even faster to crack than DES - especially if you're going after multiple hashes in parallel.

You can also in many cases pass the hash, which renders the encryption algorithm totally irrelevant anyway as the hash becomes an equivalent of plaintext.

Pupil mental health monitor promises app rewrite after hardcoded login creds discovered

Joe Montana

Re: Every company after a data leak

The problem being if you report systemic XSS and give one or two examples, the client typically fixes the examples and ignores the wording to check the rest of their code and implement something robust. In many cases, the fixes will also be very poor - for instance I've seen a report where the example was a typical alert box containing the string "XSS", their "solution" was to check for that exact injection string.

Plus you get other "fixes" where people completely fail to understand basic security concepts, so you find a bug like XSS or whatever - their "solution" is to encrypt the form data in JavaScript first because encryption is the answer to everything... Never mind that the attacker controls the client and can therefore encrypt whatever payload they want too.
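The gap between the "fix" described in this post and a robust one can be shown as a regression test a developer could keep. The following is an added example, not part of the original post: a renderer that rejects only the exact string from the report is compared with one that HTML-encodes on output, and an HTML parser checks whether any tag other than the template's own reaches the page. The function names and sample inputs are constructed, and html.escape is appropriate for HTML body and quoted-attribute contexts only.

```python
import html
from html.parser import HTMLParser

# The literal proof-of-concept string from the (constructed) report.
REPORTED = '<script>alert("XSS")</script>'

# Constructed inputs: the reported string, trivial variations, plain text.
SAMPLES = [
    REPORTED,
    '<script>alert("XSS2")</script>',
    '<SCRIPT>alert("XSS")</SCRIPT>',
    'Tom & Jerry say "hi"',
]


def render_with_blocklist(value):
    """The 'fix' from the post: refuse the exact reported string only.

    Returns None when the input is rejected, otherwise the page fragment.
    """
    if value == REPORTED:
        return None
    return "<p>" + value + "</p>"


def render_encoded(value):
    """Encode on output so user data can never become markup."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment, allowed=("p",)):
    """Return tags present in the fragment that the template did not emit."""
    if fragment is None:
        return []
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


def audit(render_fn, samples=SAMPLES):
    """Map each sample to the unexpected tags it produces under render_fn."""
    return {s: injected_tags(render_fn(s)) for s in samples}


if __name__ == "__main__":
    for name, fn in (("blocklist", render_with_blocklist),
                     ("encoded", render_encoded)):
        for sample, tags in audit(fn).items():
            print(f"{name:10} {sample!r:36} injected={tags}")
```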

As sales crash, Gartner wonders who can rescue the smartphone market ... Aha, it is I! 5G Man!

Joe Montana

Over subscribed

That theoretical peak of 300mbps is based on there being no other users around.. The reason you get 60 instead of 300 is because there *are* other users around, and the number of users is not likely to decrease. The more users who are using wireless technology, the slower it gets for everyone. You should use wired wherever you can, to conserve bandwidth for devices where wired isn't an option.

From pen-test to penitentiary: Infosec duo cuffed after physically breaking into courthouse during IT security assessment

Joe Montana

Re: More info required

Sometimes you are asked if you have ever been "convicted"... But sometimes you are asked if you have ever been "arrested".

This can happen on security clearance processes, job applications, visa applications etc. Having been arrested and subsequently released without charge is not as bad as being convicted, but it can still be damaging in some circumstances.

Joe Montana

Re: Doing their job to the fullest extent?

Having data on a system should not enable you to break that system unless there are serious flaws with it... Most security systems are available on the open market to be studied, relying on obscurity to hide serious flaws is not a good approach.

Joe Montana

Re: hire a more reputable firm

"Because if you're too explicit, it's not a fair test."

It's not a true test in any case, there are many things that a real criminal might try that a law abiding firm cannot.

So when doing a test like this, someone sufficiently senior should always be fully aware of what's going on, even if the staff on the ground are not. The idea being that if you get caught, the incident is escalated to the senior guy within the target organisation who is aware and the test stops at that point before getting escalated to external agencies like the police.

In many cases a test has to be totally contrived so you can test multiple layers of their defence. You might not be able to breach their first layer in the limited time that you have, but that's not to say it's impossible. You also want to take an "assume breach" scenario where someone has breached any number of the layers, so you can test the lower layers more thoroughly.

Hacks are highly opportunistic, for instance someone who's usually on the ball and won't fall for common scams might be having a bad day and let something through.

Not so easy to make a quick getaway when it takes 3 hours to juice up your motor, eh Brits?

Joe Montana

Re: Another stupid number

And considering even a fast charge might take an hour, how long do you have to wait if the charging points are busy?

With traditional fuels, each customer only takes a couple of minutes to fill up their car, and in many cases more of this time is spent browsing the shop and paying than actually pumping gas.

Female-free speaker list causes PHP show to collapse when diversity-oriented devs jump ship

Joe Montana

Re: This needs to stop

Industries are never going to be representative of society as a whole, because different people have different interests and those interests are in a large part driven by their peers during childhood. Girls are simply less likely to be interested in technology than boys, this is their choice and their right. Almost all industries are biased in one way or another.

Facial recognition - and optical recognition of any kind is harder when you have less contrast. If the faces are dark and so is the background it's simply a more difficult problem. If facial recognition was better at recognising dark faces than white ones, then people would be complaining that cctv cameras for detecting crimes were intentionally persecuting blacks.

Joe Montana

Ridiculous

So the conference made an open call for papers, to which anyone was free to submit, and only one woman submitted a proposal...

How is this the conference organisers' fault? Clearly not many women were interested in giving a talk there, and the one that was had recently given the same talk elsewhere. If you don't like it, why not encourage girls to get into technology at a young age instead of causing hassle for people who have no say in the matter.

Microsoft's only gone and published the exFAT spec, now supports popping it in the Linux kernel

Joe Montana

Re: Is Microsoft really that desperate ?

MS treat its users the way they do because they can.. When users are locked in you can treat them however you want and there's nothing they can do about it.

You constantly hear people complaining about MS, and yet they still remain customers. Until significant numbers of them start becoming ex customers, they have no reason to change.

Similarly the company is unlikely to change, no doubt EEE is still their strategy... If you're running a linux vm in azure, it could just as easily become a linux vm in aws - MS have never been able to compete in an open field, so they will be looking for some way to lock customers in here too.

Joe Montana

Re: What if ...

Microsoft intentionally don't support any other filesystems, and there are several which are designed specifically for flash based storage. Exfat is by no means the best option, the one and only reason it's widely used is because it's the only option supported by windows.
