Re: Q: how long is long enough?
AC: yes, if I had android. I use iOS and these limitations are well known and discussed in the article.
94 posts • joined 17 Jan 2008
So I'm tempted to wait 2 weeks to see if someone quickly manages to hack the cloud storage.
Or is 2 weeks not long enough?
I'm curious as to everyone's opinions.
Thanks El Reg for the article - genuinely helpful.
The limitations (no watch app, have to keep app in foreground, only works if other people also have their phone and app in foreground, etc.) are so many that I find it difficult to feel like there is much imperative to load this app. I thought I'd feel some sense of pressure to comply and perform my civic duty - but I completely don't - and aside from a couple of friends who use android and are talking up how important it is to use the app - no peer pressure at all.
We saw this 20-30 years ago with the initial explosion of the web - everyone was using hosting companies, and all it takes is for the greedy host to rent out the same IP address to some SPAMMER and suddenly everyone blocks you because you were on the same IP address. This is just the same, but the modern cloud equivalent using shared hosting services / DNS. It's an inherent fault, and it will (thankfully) push people away from using them.
I'm already blocking most email from generic SMTP servers Google/AWS/Azure that use a generic DKIM. So it looks like I'll start to block most web sites hosted on generic domain names on Google/AWS/Azure too. If you want your email delivered, set up your own email server and your own domain name and your own private DKIM. If you want people to go to your own web site, don't redirect.
For the technically curious: we have two SPAM rule classes: for non-generic SMTP we look for keywords/SPAM scores and quarantine emails based on that; for generic SMTP/DKIM we look for keywords and quarantine ALL EMAILS unless they match particular keywords that we use to whitelist existing customer email addresses.
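The two rule classes described in the post above, as an added example (this is not the poster's filter and not code from any mail product): a message signed with its own domain is judged on a keyword score, while a message carrying a generic or absent DKIM signature is quarantined by default and only passes on a known customer address or a customer-only token. The generic-signer list, keywords, addresses and sample headers below are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Everything here is constructed for the example; none of it comes from the
# original post. Domains, addresses and keywords are assumptions.
GENERIC_DKIM_DOMAINS = {"amazonses.com", "sendgrid.net", "gmail.com", "outlook.com"}
SPAM_KEYWORDS = ("lottery", "wire transfer", "crypto giveaway", "act now")
CUSTOMER_ADDRESSES = {"alice@customer.example", "ops@partner.example"}
CUSTOMER_KEYWORDS = ("ticket #", "po-")  # tokens only existing customers would use

# First DKIM-Signature header including folded continuation lines (RFC 5322 folding).
_DKIM_HDR = re.compile(r"^dkim-signature:((?:[^\n]|\n[ \t])*)", re.I | re.M)
# The d= tag inside that header's value.
_D_TAG = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def dkim_domain(raw_headers: str) -> str:
    """Return the lowercased d= domain of the first DKIM-Signature header,
    or '' when the message carries no DKIM signature at all.
    Assumes the signature itself was already verified upstream; an
    unverified d= is only an unauthenticated claim."""
    hdr = _DKIM_HDR.search(raw_headers)
    if not hdr:
        return ""
    tag = _D_TAG.search(hdr.group(1))
    return tag.group(1).lower() if tag else ""


@dataclass
class Message:
    sender: str       # envelope/From address, lowercased by the caller or here
    raw_headers: str  # the raw header block as received
    subject: str
    body: str


def spam_score(msg: Message) -> int:
    """Crude keyword score: one point per occurrence of a spam keyword."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return sum(text.count(kw) for kw in SPAM_KEYWORDS)


def classify(msg: Message, score_threshold: int = 2) -> str:
    """Return 'deliver' or 'quarantine' following the two rule classes."""
    d = dkim_domain(msg.raw_headers)
    text = f"{msg.subject}\n{msg.body}".lower()
    if d == "" or d in GENERIC_DKIM_DOMAINS:
        # Rule class 2: generic (or missing) DKIM. Quarantine by default;
        # only a known customer address or a customer-only token gets through.
        if msg.sender.lower() in CUSTOMER_ADDRESSES:
            return "deliver"
        if any(kw in text for kw in CUSTOMER_KEYWORDS):
            return "deliver"
        return "quarantine"
    # Rule class 1: the sender signs with its own domain, so judge on content.
    return "quarantine" if spam_score(msg) >= score_threshold else "deliver"


# Constructed sample headers. The b= and bh= values are placeholders.
SES_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n"
    "\td=amazonses.com; s=abc123; h=From:To:Subject;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: promo@shop.example\n"
)
OWN_DOMAIN_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=mail;\n"
    "\th=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: billing@vendor.example\n"
)
NO_DKIM_HEADERS = "From: someone@somewhere.example\nTo: us@ourcompany.example\n"


def sample_messages() -> dict:
    """Constructed messages exercising each branch of classify()."""
    return {
        "generic_spam": Message("promo@shop.example", SES_HEADERS,
                                "You won the lottery", "Act now to claim."),
        "generic_customer": Message("alice@customer.example", SES_HEADERS,
                                    "Question", "Quick one about my order."),
        "own_domain_clean": Message("billing@vendor.example", OWN_DOMAIN_HEADERS,
                                    "Invoice 42", "Invoice attached, thanks."),
        "own_domain_spammy": Message("billing@vendor.example", OWN_DOMAIN_HEADERS,
                                     "Lottery winner", "Act now, wire transfer today."),
        "no_dkim_ticket": Message("someone@somewhere.example", NO_DKIM_HEADERS,
                                  "Re: ticket #5519", "Still broken after the fix."),
        "no_dkim_unknown": Message("someone@somewhere.example", NO_DKIM_HEADERS,
                                   "Hello", "Just saying hi."),
    }


if __name__ == "__main__":
    for name, m in sample_messages().items():
        print(f"{name:20s} dkim={dkim_domain(m.raw_headers) or '-':16s} -> {classify(m)}")
```

One caveat the rules themselves do not cover: under rule class 2 the From address is not authenticated by a generic signature, so the customer-address whitelist is spoofable; checking that the d= domain aligns with the From domain (as DMARC does) before trusting the address is the usual tightening.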
Look, I totally agree, but I'm also curious why so so so many disagree (and pay fistfuls of dollars to prove it).
I saw things like 'back to my mac' as pretty awesome - the ability to travel anywhere in the world, but still get at my data on my home server. It was the direct opposite of 'the cloud'. But 'back to my mac' is no more, and the cloud is rather popular.
I *think* the idea that *our* data should be on *our* computers failed because:
1) there is more money to be made in cloud - people realise they lose everything the second they stop paying, so they keep paying. Increase price, repeat.
2) NAT. UPnP just didn't work waaay too often. Though I usually found that Apple's implementation via 'back to my mac' worked pretty well, I saw plenty of discussion posts saying people had trouble getting routers/firewalls to play nice
3) explaining it. Apple are masters of marketing, but even they couldn't turn this into a saleable pitch that could be understood by the masses.
4) utility. If someone burns my house down, if the video is stored in the cloud, there is a chance I may catch the culprit via the stored video - but if the primary storage is in the house that burned down, or in the cameras that burned down in the house, then not so much. Cloud does have some advantages.
5) luck. Most cloud service contracts I look at - everything from Amazon S3 to Office 365, the SLA is pretty rubbish - but most people are pretty lucky - their cloud services don't fall over and lose all their data, so most people don't care.
As for me - last year I was going to upgrade all my Nest cameras to the new 4K ones, but when I saw that they were moving everything into Google I put a halt on it. I think I'll go with the iCloud Secure Video solution instead - but I'm annoyed that so far there are only HD and no 4K implementations... Meanwhile I'll keep the Nest HD cameras and pay the subscription as long as I'm not forced to migrate my account. Until I find a better solution.
This is a terrible model. It encourages the developers to write software that is buggy. Seriously: the only way you get paid is if people need support? You don't want that software.
I sponsored an open source project and we used this model - it was great when we started, because the project code was buggy, but with sponsoring the developers did a great job of improving the code, and within a year or two the user base had grown a hundred fold and the number of users paying for support was around .0001% - not enough to pay to keep the developers employed or the lights switched on.
Also not a lawyer...
But I think this has nothing to do with human rights per se, but his ability to mount a defence to the extradition charges. ie: if those on the opposite side have access to client-in-confidence material from Mr Assange then his rights to a fair hearing are diminished, which the judge would need to take into account.
In front of this judge in the UK courts the prosecutors would be in contempt if they have this material, or perhaps even if they attempted to access the defences client communications. I also think they'd likely be disbarred.
How, where, when they obtained it is not so much the issue, as that if you have it, and you are attempting to use it in front of a UK judge, then you are potentially in a lot of trouble.
AC: The one question I would have is when did you buy the 5505?
If you check my link to community.cisco.com in the OP you'll see the answer to your question. You may have made a different decision based on the same criteria, but we purchased way before the end of sale date was even announced.
If I'd known that Cisco wouldn't honour its contract, and retire the software early (in breach of contract) then the ROI wouldn't have stood up and I'd have proposed an alternative, but we have to go into contracts assuming good faith.
So I switched from HP gear to Cisco a few years ago, but recently discovered that our in-contract hardware, with an EOL of 2022 is no longer receiving security updates, even though that's exactly what the service contract promises.
For now I'm willing to suspend disbelief and assume left hand hasn't quite understood what right hand has done. Waiting to hear back from their legal dept. If they don't start issuing security updates for in-contract hardware, then there is no way I'll ever get permission to buy any cisco kit ever again - and I'm quite sure I'm not the only one.
Up until now it was one advisory - now with this latest set it's 3, but curiously the 'new' list includes one actually fixed for ASA5505 in IOS 18.104.22.168, so I don't know how that affects my theory...
These two replies pretty much sum up the argument on both sides.
My take: the problem is the definition of 'free' - GNU FSF defined it as 'freedom' like the 'free press' - you still need to pay for your copy of the New York Times even though it's the 'free press' and that 'free' software (or 'free press') is more valuable than non-free software (or the non-free press). You can pay via ad-supported online access to 5 articles a month, or pay via a subscription, or pick it up for free in the airport lounge because the airline paid for it with a small part of your airfare, but paying is required at some point by someone because otherwise you will only end up with non-free press.
I'm happy to write this software 'for free' for other people who are hobbyists/students doing stuff 'for free' too - but once you start to use my software primarily for commercial gain, then yes, I expect to be given a small reward for that, or a slightly larger small reward if I also agree to improve/maintain it for you. Why? Because it's fair certainly, but more importantly, because this is a very economically efficient way of finding valuable work - the economy doesn't bear the cost of all the software written that people don't find useful, it only bears the cost of the useful software.
If we don't pay - the result will be only non-free software.
Why don't IT people blow the whistle when they see this at the organisations they work for? Is it just fear of losing a job (real enough/fair enough I guess...)?
Or is it that IT skills have dropped so deplorably low that really no-one in these companies is aware that unencrypted data, plain text passwords, is really seriously bad. In an organisation this size, with a database this size, my guess is 10 to 100 people would have known the database scheme.
Finding these things by trial and error is too painful. There must be a better way. Any ideas?
And do I really want to hire one of those 10-100 folk who thought this was not worth blowing the whistle on?
Am I completely out of touch or what? I want to know, seriously, because this just looks crazy to me.
The suit (see the PDF linked to in the article) is about “iTunes and Pandora Music Purchasers” list offered for sale by CDM.
That is iTunes AND Pandora.
Any app on iOS that wants to access your music library can use this API (which requires user consent BTW):
Read all about it: https://developer.apple.com/documentation/medialibrary
If the user grants this permission, then the app can do what it likes with the data.
Seems likely the Pandora app is collecting info and then Pandora are selling it.
There is nothing in the suit to demonstrate Apple are selling these lists. There is a LOT in the suit to suggest Pandora are selling the list.
The whole thing is very little to do with Apple, unless you think Apple should add more restrictions to iOS app developer contracts.
But I wouldn't be at all surprised to find Pandora banned from the Apple App store soon.
> Until paid-for software comes with the same freedom to study and adapt it (even
> without the freedom to share it) as Open Source software, it really isn't a hard
> decision to make.
The problem is not paying for software. It's the T&C's (as many other previous posts pointed out).
Yours was the first post I saw point out that the fundamental problem with the T&C's is access to source code, so that if it's not commercially viable for the vendor to fix your problem - you can fix it yourself.
I run a company that sells software. All our software includes source code. Back in the day this was always done - a small company selling software to a large company could expect the customer to require a copy of the code kept 'in escrow' in case the small vendor disappeared. We got around that by just simply supplying the source with the commercial binaries, and a license making clear that the source is copyrighted by us and they can't resell the software or create derivative works. I'm not sure how many customers use the source, I've had a few reach out to point out missing headers that we forgot to include, so some clearly do check it. I only know of one customer who has ripped us off - but that's just by using 3000 copies of the binary when they are licensed for 10, no evidence they even tried to re-compile the source to do it.
I use a lot of open source software - and pay for all of it. I either donate, or if the vendor has a 'commercial' partnership arrangement I use it. Plus of course I submit bug fixes, donate the time of my dev team to work on code (because it helps us in the long run), etc.
The article did say why. That the binary was legitimately signed and had been downloaded from a whitelisted location.
Reading between the lines I think you can say that it probably wasn't until one of the 600 MAC-address-targeted PCs was installed with Kaspersky's software that the gig was up, because once the software activated, then anti-virus would quickly pick up on it - when it's dormant, there isn't any nefarious activity to detect...
Long one. Please bear with me.
So I just got back from the playground with my 2.5yo. The playground is beside a lake, and there is a carpark that faces the lake, and a scenic walking/biking track that goes around the lake.
As we're walking to the car I remote open the boot and a few seconds later a group of guys walking behind the cars, stop behind my car?
I find this a bit odd. Why walk behind the cars when there is a really nice scenic walk 5 steps away (around the lake). Why stop in the middle of the car park? Why stop behind my car.
I'd usually leave my child's bike and bottles and junk near the path and carry her to the car to strap her into her seat, then go back and get all the junk and put it in the boot. I leave the boot up during this process, because parking spots are at a premium, and I want anyone cruising for a spot to realise this is not going to happen quickly. But given this group of guys is now behind the car, I decide to carry toddler, bike, etc. all with me and put the stuff in the load space first, and then go around and strap her in.
The guys, 4 or 5 of them, mid-20's to mid-30's, white, 5'8" to 5'10", short hair and clean shaven, wearing athleticwear (shorts/t-shirts), remain behind my car the whole time, talking.
They are talking about the terrorist video. They are trying to decide which bits they like best. The shooting outside? The shooting inside?
I almost throw up.
I get my daughter strapped in, close the tailgate, and start the car. They move one car spot away, stop behind the next car. I lock the doors and reverse out. As I drive around the car park to the exit, they are still there. The lights change and I leave.
With 20/20 hindsight, I could have taken a good photo from the other side of the car park while waiting for the queue of traffic at the lights. But I didn't think of it. No I don't have a dashcam.
About 15 minutes later when I have time I call the local police station to report it. No they were not carrying anything. No they didn't seem to be prepared for any immediate violent act. Their loitering behind the cars in the car park was suspicious and their conversation revolting, but nothing more than that. The police directed me to a web page where I could record the particulars, which I promptly did. During the process of describing it, I realise that where they were standing was probably not covered by any security camera, possibly explaining their preference to remain there.
So why repeat all of this here?
Because the item the author of the article fails to address, is that A LOT OF PEOPLE like and share this stuff.
It's abhorrent that they do, but they do.
Yes it's less than the total user base of facebook, but it's clearly not a tiny proportion.
Yes, it's been proven clinically that it's a sign that they are more likely to abuse animals and people.
In China, I imagine they would not so much do a better job of banning the content, as severely reduce the points in your social balance once they found out you had watched it, and even more if you'd shared it. You'd likely never get a house, job, car or date ever again.
I don't want that to happen in facebook-land, and besides, it won't stop the guys in the car park, will it?
The root of the problem is people actually liking this stuff.
And whilst it's a social problem, it's not a problem I think social networks can fix, and certainly not with time-delayed video.
The much-maligned epithet "all businesses are IT businesses" actually has quite a lot of relevance.
The phrase "and our technical teams took immediate action" shows just how out of touch senior management is.
It would be as if the director of Boeing, criticised that his planes can't stay in the air replied "our technical teams are taking immediate action...".
It's not your technical team that needs to take action, it's the whole company that needs to take action, starting with the board.
I had the iPhone X for about three days before it was returned because it basically became useless while driving and I was having to pull the thing out of my pocket and hold it up to my face for three seconds to check a text.
A quick google search found this answer:
From your post, I understand that you are not able to ask Siri to read your incoming text messages while you are driving; you are being prompted to unlock your iPhone. I’m happy to help you troubleshoot this situation!
From what you have stated, it sounds like you may have Messages previews disabled. Navigate to Settings > Notifications, Messages > and adjust Show Previews to Always. After making this adjustment, test this functionality again.
I just tested this on my iPhone X with latest iOS 11 and it works as advertised.
Apple recently introduced their ‘iMessages in the Cloud’ feature - and I think it’s aimed specifically at satisfying this type of legislation.
The iMessages are still encrypted end to end, but a copy is sent to Apple and stored on their iCloud server to which they have a master key and can respond to warrants etc.
To satisfy the Australian legislation all they need to do is ensure it’s turned on and can’t be turned off. Either explicitly or implicitly eg: by forcing it on for ‘australian’ sold devices, or when on an ‘Australian network’ or by allowing command and control to enable that remotely on specific devices.
The Cloud is convenient for sure - but your cloud provider (anywhere) must respond to warrants and must be able to decrypt your data. On a public cloud there is nothing stopping you ensuring that the data you store on a cloud is already encrypted with a key only you have - but as soon as you use things like iMessages in the Cloud then that’s not an option available to you.
I've seen 'login by facebook' option on a few sites. You mean some people actually use that option?
I even do have a facebook account, and don't use 'facebook login'. Lots of people in these comments are saying it's popular and 'for lazy people'. Really? I'm pretty lazy - but it never occurred to me to use that option - partly because I've no idea what my facebook login and password is - you type it in once when you register and it never asks for it ever again AFAICT. If it ever asked me I'd have to open a new account - I don't even know what email address it's linked to to request a reset...
Honestly, I'm absolutely flabbergasted that anyone uses 'facebook login'. Are you really sure? Is there any actual hard data on how many people use it?
As other posts have said - it's just openid - so it's not like its presence on a web site counts for anything - the developer just added it by ticking a box. Sure it's insecure - but adding the option on our login page makes us look all millenial - no-one is actually going to use it, least of all millenials (never seen a snapchat login option).
I'm with @Sampler - definitely report to the local Australian cops, but reporting it in the US as a crime in the US (using a carriage service to threaten?). It may be worth contacting a US based lawyer too - primarily to find out if there are US based not-for-profits that may assist. If the cyberstalker is doing this to your friend, the chances are she's not the only one. As in this article - it's not until the cases start to come together that you really get traction.
From a technical POV - getting the evidence can be really really difficult - again as shown in this article. Law enforcement needed a VPN provider to co-operate to get anywhere at all. You can set a trap up though, maybe in combination with the phone call (see below). i.e.: your friend mentions they have a new computer or are now using Flickr or Dropbox or something - with the hope that the stalker will try and break in to look for more material. And there will be - but all the files will be fingerprinted or whatever to prove they came from that source. All the cops need then is to find those files in the stalker's possession to prove breach of DMCA.
From a non-technical POV - getting the guy to admit it on tape is always handy (e.g.: record a phone call). It won't have any legal standing, but it will help others to get on board your friends case.
Does no-one in modern IT do any QA or use Version Control? What ever happened to code reviews? Checking that what is being deployed is what was designed, and that other parts of the code haven't been changed? This is software development 101 people. Maybe it's all Git's fault - in which case throw it away and use tools that are fit for purpose. I know the toolchain I use does all this because it's the single most important reason why we use change management - to track what changes, because our QA and release process regularly asks: what changed? and needs good answers.
From the Delta.com/response web site:
We understand malware present in [24]7.ai's software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.
So the answer is how an outsourced chat bot could access credit card info is answered - because it can access the DOM of the page beneath it.
I like a small phone, and for various reasons I'm kinda stuck in the Apple eco-system. I like my gen 1 iPhone SE, but I'm not looking forward to upgrading to either iPhone Huge, iPhone Enormous or iPhone Massive when the time comes. So I'm seriously considering keeping the SE and just buying an Apple Watch Cellular. Once the watch is configured, it goes in the drawer. I think with Siri and a couple of apps I probably have everything I need until I get home.
Three things I'm still concerned about:
- I'm often stuck needing to do a little internet banking cash management when I'm at the shop - the Watch app seems to not allow transfers, only balances. I suppose I could use phone banking at a stretch tho. Or just keep my Apple Pay account topped up more regularly...
- battery life
- camera (but I think I have this worked out - buying a Red Hydrogen One as purely a camera)
I'll probably hang out on my decision until April or May and see if it looks like there will be an Apple Watch Series 4 with better battery...
It just doesn't add up.
As AppleInsider wrote: "Apple has previously sold 50-60 million iPhones in total in its January quarter. Imagine launching three new flagship iPhones at the highest prices ever asked, while also introducing the widest array of new, cheaper options, and then "envisaging" that the vast majority of customers would all buy just one of those models: the most expensive iPhone X."
No way was the order for 45-50 million panels in the January 2018 quarter.
Maybe the order was for 20 million and Samsung thought they would over-produce / made a gamble.
There are too many 'unnamed sources' in these articles - the numbers just don't add up. It sounds like a story is being spun - and there is enough being hidden to make it impossible to tell why this story is being spun (an attempt to undermine Apple by Samsung - both a key supplier and a rival?).
But The Register repeating it all verbatim without any analysis or critical thinking is poor journalism.
From the article "The OSI wanted to make free software "more understandable to newcomers and to business". They felt the term "free software", with "its seeming focus on price", was distracting."
Well - they are a complete failure are they not?
Look at the funding shortfall for even the most popular OSI software like OpenSSL. It only got addressed as a 'once off' and only after a helluva lot of publicity.
Free software has never been about price. It's like saying the Free Press is about having a free paper to read on the tube.
Free Software is more valuable than non-Free Software, and you should be paying for it. Or you know, don't pay, and find the software stops being supported suddenly because the programmers which were maintaining it had to go and get jobs at Tesco because they were about to be evicted, whilst their software was being used in mission critical and customer facing systems in 9 out of 10 fortune 500 companies. I wish I was making this up.
The Free Press is far more valuable than the non-Free Press. It's why we watch and PAY FOR the BBC for our international news, and not 'Russia Today'.
Git is a risk to any organisation trying to protect their Intellectual Property (IP), specifically:
- lack of security, particularly at file/branch level
- lack of auditing
- lack of centralised management tools (because it's distributed).
- lack of version history if developer 'loses' the repository, all that remains is what they 'published' or what was 'pulled' by the release process, easily less than 1 in 100 revisions.
Linus wrote Git because he was sick of having to do so much merging work - it doesn't get rid of the work - it pushes the work out to other people. Git is awesome if you are Linus - or working in a similar environment without IP and with volunteers/academics and where you can make everything everybody else's problem.
Git is rubbish at Commercial IT.
All the data breaches associated with Github show that Github makes it easy to upload things you shouldn't to publicly accessible repos (or at least repos not secured by SSH keys or 2FA). The on-premise solution we use (trying not to drop names) is designed exactly the opposite way. By default nothing is publicly accessible and you'd have to go to a lot of trouble to make it accessible, and then to enable anonymous access. It's called security by design.
It does kinda, based on this (replaces the 'password' with the one-time key):
SSH keys are probably safer, but apparently Git on Windows has difficulty doing that (again from the link above).
I use CVSNT not Git, and it does SSH keys just fine, and is on premise, not cloud.
But the Linux patch is specifically for x86-64, e.g.: this advisory from Debian:
This specific attack has been named Meltdown and is addressed in the Linux kernel for the Intel x86-64 architecture by a patch set named Kernel Page Table Isolation, enforcing a near complete separation of the kernel and userspace address maps and preventing the attack.
If it affects i386 then why isn't the i386 kernel being updated?
Can anyone explain if x86/x32 Windows and Linux is affected? Everything I've seen so far says it's x64 only (or rather x64 microcode). In fact El Reg refer to "The crucial Meltdown-exploiting x86-64 code can be as simple as...".
From memory I'm thinking that at boot Windows/Linux x32 place the processor into a non-64 bit mode that disables virtualisation etc. If you try and execute any x64 assembler 'under' Windows x32 it just barfs (again, from memory). (bonus points: can anyone confirm if you can run x64 assembler from an x32 windows process on an x64 OS host?)
But I see that the Microsoft patch KB4056891 has been made available for W10x32. I guess they can still apply the same mitigation measures for x32 - but I wouldn't think it's needed.
I'm confused - can anyone clear it up for me?
Companies like Apple that offer a 'no questions asked' refund policy are going to be very very busy refunding every Christmas gift with an 'Intel inside'. You think Apple (and other vendors) are just going to take that hit? Intel will be paying compensation to vendors for sure, certainly for every chip shipped in the past 3 months - but more likely 6-12 months since this will affect the pipeline and inventory too. Who's going to buy anything with 'Intel inside' unless the vendor can guarantee that it's new silicon?
Consumer law will also come into play as Aqua Marina detailed in "I wonder where we stand legally now?" (above).
But the really interesting thing will be whether companies like HPE go to bat for their enterprise support customers. Because that'll be a killer whitebox shakedown. i.e.: 'I bought HPE and they replaced my server CPU' and 'I bought a whitebox and now it runs 30% slower and I've got no recourse'. It's little cost to HPE and a marketing windfall - they just have to jump on the cueball-intel bandwagon.
This is going to be good fun to watch.
Let me re-write the article based on an actual quote in the article:
The creation wasn't able to defeat Face ID at first, [then it locked and required a passcode].
They were spectacularly unsuccessful. Rather than El Reg criticise their over-optimistic press release, they've bought in whole heartedly.
Shame El Reg, shame.
Good politics is to let the policy wonks in the public service determine the structures and framework based on interviews/panels/committees of experts, representatives from industry and representatives of customers.
Both Labor and ALP have pursued ideology over policy - insisting the design come from the minister's office, not the PS.
All up though - at least the headaches may have been worth it with Labor's plan - the ALP promised to scrap the whole thing, but came up with the absolute worst case scenario instead: pay top dollar for minimum result. TBT it was Tony trying to sabotage Malcolm's career. Whenever I see it brought up I always assume Tony is behind any leak/headline/report - engaging with the mud slinging is just to Tony's advantage - which is something I never want to be tricked into doing.
You should never have delta updates in WSUS.
So you have two types of updates. You write a computer program to process updates - which should only ever receive one of those two types.
Isn't engineering 101 to 'check' which type of update it is, and if it's one you haven't explicitly coded to handle, you reject it/skip it?
Then again, here in OZ they keep building tunnels without putting in safety gates - you know a 'cheap' steel (upside down) U shape thingy set at the maximum height for vehicles? The idea being rather than a 3m vehicle ploughing into a 2.6m tunnel and causing major delays and days of remedial roadwork - the truck can hit the gate and be safely/easily moved to a slip road and leaving the tunnel itself undamaged. So if actual engineers no longer do basic safety, it's little surprise software engineers just ignore it altogether.
I'm sure that by reducing the total project cost by 0.01% and skimping on Engineering 101 some middle manager got a whopping great bonus and promotion. Well done. You're totally awesome. High five! Rock Star!
@Brewster - the detail in the article is very thin - it says 'This was the system used by a lead developer at the 30-person outfit to generate code' which suggests to me that it wasn't what most would consider a 'secure build environment' - more like some environment you log into. I decided to assume the author knew more than what's been written and go with the spirit of the headline 'Avast urges devs to secure toolchains'. Ie: the build system wasn't secure, and I'd argue was barely deserving of the name.
@everyone - have you not heard of VMware? Teams of 1 can definitely have secure independent build systems.
The Register covered the XcodeGhost fiasco where some high profile app developers were releasing code built using compromised tools:
I said it then, and I'll repeat: What commercial software company would dare allow a developer machine to create a customer build? Requiring a 'pristine' build environment is software engineering 101.
You commit your code - the build server checks out the code and performs the build in a clean environment.
Publish the list of companies that build on developer PC's far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?
We continue to see the great coders behind the software we are all using going without cash for their work - even though their work is being heavily commercialised. e.g.: OpenSSL.
GRSecurity has just tried to work out some method to get paid. He's still contributing GPL code - which is arguably more than many people commenting have done.
I personally have contributed quite a few thousand lines of open source code, plus paid staff over $1M to write open source code that had over 1.4M downloads in a year, plus made financial contributions to FSF and individual open source projects. But I'm now of the opinion that OSS is dead. Without a way to financially compensate those that do the work, programmers would rather spend their time writing for iOS or something, anything that has half a chance of paying the rent.
Back in the day it was OK - individuals and companies liberally gave money to support these projects, or your employer paid you to work on it - now - not so much, and when you hit upon some 'subscription' contract that customers are happy with - this guy decides to use his power and influence to scare your customers off.
He could have just left GRSecurity alone and let the people who wanted to pay to pay, and those who didn't want to didn't have to.
More coders are going to see this and think 'write for open source? yeaaaah riiiiight.'.
When Apple released the iPod there was also a furore about it not being anything new. But it was successful, and the features missing in the first release were iteratively built upon.
I remember hearing the CEO of Nokia interviewed on Radio 5Live (Wake up to money) just after the iPhone was released, he said something like 'nothing to worry about - no one wants an iPhone and Apple won't be able to mass manufacture'.
In addition to excelling at iterative technical improvements, and marketing, they are also pretty good with manufacture/supply-chain-management and hardware design (including silicon now). Their processors are iterative improvements on reference designs - but they are way ahead of the pack on power/performance.
Yes - all this tech is not 'new' - but Apple are iteratively building on what others did, but making it more usable* and will market it very very well.
Note: * certainly this is somewhat subjective. As others have said here - fingerprint readers - blah - disable please! Done that for years until I got an iPhone with 'touch id' - it's so easy to use, and stops my nephews and nieces from watching me enter a passcode then re-use it when I'm out of the room. Sure - it won't stop a determined criminal or law enforcement - but that's not what I need it for.
I haven't seen anyone mention that NotPetya requires Admin privileges in order to get the admin credentials from memory. I'm sure I've read quite the opposite - admin privs are NOT required. My bit of googling gave similar results for Linux (but I'm no expert there - I'm just agreeing with what other posts here have said - Linux has the same deficiency).
I have seen a little suggestion it's related to the ability to run gdb on linux (which I think all users can), and the SYSTEM account in Windows (not the SeDebugPrivilege priv), i.e.: via "psexec -s", via post exploitation tools, scheduled tasks, etc - see the mimikatz doco for details.
So all my comments are based on the assumption that NotPetya doesn't require admin privs to read the memory where the credentials are - so from my POV there is a quite fundamental difference in memory space security on Linux/Windows compared with Solaris/HPUX/OS400 etc.
The GPO setting “Interactive logon: number of previous logons to cache (in case domain controller is not available)” controls the caching of logins to the HKEY_LOCAL_MACHINE\Security\Cache registry key, not to the LSASS memory AFAICT. Surely if there was a GPO setting to mitigate this the article would have mentioned that in addition to Credential Guard. No - I think the point of the article (and @patrickstar's comments too) is that on Windows Credential Guard is the only feasible mitigation.
I've not seen anyone else suggest a way to shut down WMI command line access either - so I assume it's a bust too.
Cached credentials are presumably in the kernel or at least another process's memory.
In VMS, pa-risc HPUX and Sparc Solaris, user processes can't read the memory space of other user processes, and certainly not Kernel memory (not unless you are superuser). So no - kerberos doesn't have the same problem on *ix.
I've been trying to google for an answer, what I found is vague - so I'll assume you are right - Linux and Windows both suffer from this malady of allowing any process free rein to read all the memory space. So yes - Kerberos on Linux would have the same problem. There is a whole other thread in these comments about whether Linux is any better than Windows or not.
But if you know that the OS allows your memory to be read, then you should code with that in mind - there is no need to keep the password itself in memory - you can hash it with a low collision hash. Or at least only keep the password in memory during the actual password compare and then zero the memory out.
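The memory hygiene the post describes, as an added example that is not part of the original comment: the plaintext password lives in a buffer only long enough to derive a verifier or run the compare, and is then wiped through a volatile pointer so the compiler cannot discard the stores as dead. The `secure_zero` helper is a hypothetical portable stand-in for `explicit_bzero()`/`memset_s()`, and FNV-1a is used only as a placeholder for the "low collision hash" (a real deployment would use a salted, memory-hard password hash such as Argon2 or scrypt); the sample password is constructed.

```c
/* Added example: keep a password in memory only for the compare, then wipe it.
 * Not code from the original post; FNV-1a stands in for a real password hash. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer through a volatile pointer so the compiler cannot drop the
 * stores as "dead" the way it may with a plain memset() before free/return.
 * Hypothetical portable stand-in for explicit_bzero()/memset_s(). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* 64-bit FNV-1a: a low-collision but NOT cryptographic hash. A real system
 * would use a salted, memory-hard password hash (Argon2, scrypt, bcrypt). */
static uint64_t fnv1a64(const unsigned char *data, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constant-time equality so the compare does not leak via timing:
 * fold every differing bit down into bit 0, then invert it. */
static int ct_equal_u64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(1u - (unsigned)(d & 1));
}

/* Enrolment: derive the verifier, then wipe the plaintext. The caller's
 * buffer is all zero on return, so nothing readable is left for a scraper. */
static uint64_t enroll_password(char *pw, size_t len)
{
    uint64_t verifier = fnv1a64((const unsigned char *)pw, len);
    secure_zero(pw, len);
    return verifier;
}

/* Verification: hash the candidate, compare, and wipe regardless of the
 * outcome. Returns 1 on match, 0 otherwise. */
static int verify_password(uint64_t verifier, char *candidate, size_t len)
{
    uint64_t h = fnv1a64((const unsigned char *)candidate, len);
    secure_zero(candidate, len);
    int ok = ct_equal_u64(h, verifier);
    secure_zero(&h, sizeof h);
    return ok;
}

/* True when every byte of buf is zero (used to confirm the wipe happened). */
static int is_wiped(const void *buf, size_t n)
{
    const unsigned char *b = buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Self-check on a constructed password; returns 1 when every expectation holds. */
int password_memory_selfcheck(void)
{
    char secret[] = "correct horse";    /* constructed sample, not a real credential */
    char good[]   = "correct horse";
    char bad[]    = "correct h0rse";    /* same length, one byte differs */
    size_t n = strlen(secret);

    uint64_t verifier = enroll_password(secret, n);
    if (!is_wiped(secret, n)) return 0;               /* plaintext gone after enrol */
    if (verify_password(verifier, good, n) != 1) return 0;
    if (!is_wiped(good, n)) return 0;                 /* candidate gone after compare */
    if (verify_password(verifier, bad, n) != 0) return 0;
    if (!is_wiped(bad, n)) return 0;                  /* wiped even on failure */
    return 1;
}

int main(void)
{
    printf("memory hygiene self-check: %s\n",
           password_memory_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The point of the volatile loop is that an ordinary `memset()` on a buffer that is never read again is a dead store the optimiser is allowed to remove, which leaves the plaintext sitting on the stack for exactly the kind of process-memory read the thread is discussing; the wipe on the failure path matters just as much as on success.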
Mark 110 - classic straw man.
> In the data centre, lets have Windows, Solaris, AiX et al, again.
Who even mentioned Linux?
Of course it's understood that Linux is untested and untrusted, it's why the poster didn't mention it in the list of what to put in the data centre. And I'm sure Windows was only listed as a concession because in the real world you can't exclude it entirely.
The fact I've not seen anyone tell sysadmins to disable WMI - I assume means you can't feasibly do this without breaking Exchange and/or AD? The port used is RPC - so blocking the port isn't an option because AD would barf.
And seriously, Windows 2000 up to and including Windows 10 all store the system administrator password in a form that can be decrypted with a simple API call?
Yeah - I know Windows 10 Enterprise Edition has the option of enabling 'credential guard', but it's hardly a single click exercise (and not an 'install' option without major scripting work) - and I've not seen a single PC with it on in the field... (actually I've seen very few W10EE in the field, most of it's "pro").
Fast forward 3 years and the parent company had decided that outsourcing the IT services was the way to go, and I was made redundant. In the following 4 years, they had three major outages, 1 of which lasted for over 2 weeks. I'm told that the cost of their losses for the least of those incidents was about €20,000.
And they probably had insurance to recover that €20K, cheaper than maintaining a reliable system, and when the 'competition' doesn't offer a service which is demonstrably more reliable - there is no competitive pressure to do any better.
Biting the hand that feeds IT © 1998–2020