Because it's too difficult to have a webform that does this as well so I don't have to copy/paste the email address?
201 posts • joined 28 Mar 2008
As much as TdR is abrasive in style, he does actually care about security, and having been involved in forking software and having to deal with patches, I fully sympathise with his point of view.
In fact, I just donated to OpenBSD because the OpenBSD project actually cares about code quality - and that means users benefit too. That's really important.
They were not using their own platform, they were using the free and open source package SMF. Exactly what version of it is not entirely clear, and it's been modified beyond pure aesthetic changes from the stock distribution. The extent of modification is not entirely clear.
The method used by the SMF 2.0.x series (which is what they're using) is SHA1(lowercase(username) + password), which is what SMF has always used, and the developers are upgrading that in coming releases. I could try to defend the reasons for staying with this but most of them amount to 'OMG we have to keep compatibility with hosts', which is why it wasn't until this week that the 2.1 series actually bumped its minimum PHP version to 5.3+ instead of 5.1+ (and the 2.0 series will work on PHP 4.4.x).
There are no known vulnerabilities in the 2.0.6 or 2.0.7 releases (the 2.0.7 release strictly addressed minor bug fixes and PHP 5.5 compatibility after the preg_replace function deprecated use of /e, both of which are therefore considered 'secure' releases by the developers).
I still wonder, though, whether this was the fault of the software or someone with a bad password. It's certainly not unheard of for admin passwords to have been brute-forced, with all kinds of things happening afterwards. Unfortunately there is a persistent stubbornness from the SMF team about allowing their package manager to do what it does (find/replace on raw code, which of course requires it to be writable!), and anyone who brute-forces or otherwise acquires an admin account can subsequently upload any code they like to the server, and most admins leave it insecure.
My understanding is that the developers have reached out to Avast to find out what happened, though details are apparently not especially forthcoming.
Disclaimer: I am one of the people that, in the past, has contributed to SMF. I am not trying to defend my contributions; all I worked on were minor bug fixes and new stuff for the current in-development version as well as providing support.
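The post above describes the SMF 2.0.x scheme as SHA1(lowercase(username) + password). The following is an added example (not SMF's code, and not from the poster) showing that scheme beside a salted, deliberately slow replacement and a verify-and-upgrade path of the kind a forum migrating away from it would need. The record layout, the `pbkdf2_sha256$iterations$salt$hash` encoding, the iteration count and the sample wordlist are assumptions made for this example; `.lower()` stands in for PHP's `strtolower`, which is equivalent for ASCII usernames.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


def smf_legacy_hash(username: str, password: str) -> str:
    """SHA1(lowercase(username) + password), as the post describes SMF 2.0.x.

    The lowercased username is the only 'salt': it is public, predictable and
    reused by anyone who keeps the same name on several sites, and SHA-1 is a
    single fast operation, so offline guessing costs one SHA-1 per guess.
    """
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated replacement (hypothetical encoding, not SMF's format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, encoded: str) -> bool:
    algo, iters, salt_hex, dk_hex = encoded.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a verifier does not leak via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login against a user record; on success, rehash legacy entries.

    record is a constructed dict: {"username", "scheme": "smf_sha1" | "pbkdf2", "hash"}.
    A legacy hash can only be upgraded when the plaintext is available, i.e.
    at a successful login, so migration is gradual rather than a one-off job.
    """
    if record["scheme"] == "smf_sha1":
        ok = hmac.compare_digest(smf_legacy_hash(record["username"], password), record["hash"])
        if ok:
            record["scheme"] = "pbkdf2"
            record["hash"] = pbkdf2_hash(password)
        return ok
    return pbkdf2_verify(password, record["hash"])


def crack_legacy(username: str, target_hash: str, wordlist) -> str:
    """Offline guessing against a legacy hash: one SHA-1 per candidate, nothing
    slows the attacker down, and the username 'salt' is known from the dump."""
    for candidate in wordlist:
        if smf_legacy_hash(username, candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data for the example.
    rec = {"username": "Admin", "scheme": "smf_sha1", "hash": smf_legacy_hash("Admin", "hunter2")}
    print("legacy hash:", rec["hash"])
    print("cracked:", crack_legacy("Admin", rec["hash"], ["password", "letmein", "hunter2"]))
    print("login ok:", verify_and_upgrade(rec, "hunter2"), "-> scheme now", rec["scheme"])
```

Note that `smf_legacy_hash("Admin", ...)` and `smf_legacy_hash("admin", ...)` collide by design, which is why the username cannot be treated as a real salt.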
I haven't seen anything in Shockwave in probably a decade - while in that time I've still seen a bunch of Flash and slightly less so for Java applets (mostly ones that I've been helping rewrite to be not applets!)
I honestly thought Shockwave was a dead thing... what can you do in Shockwave that you can't in Flash?
Peril sensitive sunglasses. Joo Janta 200 Super Chromatic Peril Sensitive Sunglasses, I assume he's referring to, which turn black at the first hint of trouble, allowing you to develop a relaxed attitude to danger by not letting you see anything that might alarm you.
Hitchhiker's Guide to the Galaxy is responsible for many such witticisms :D
DNT is great in theory, except it was doomed the minute Microsoft decided to make it on by default. A cynical mind might even suggest it was done deliberately to compromise the idea. Don't forget - this is not the first time something major has chosen to explicitly ignore DNT being set, on the basis that you couldn't actually rely on the user having made the choice.
Re: @ Peter Spicer - You know they have reached market saturation
Who actually says Apple does? There's been a lot of speculation about it, sure, but only the analysts are saying it. Thing is, Sony's tried it a number of times, Samsung's Galaxy Gear met with limited success and even Apple isn't so blind that it would try to launch a product in those shown-to-be-lukewarm waters unless it knew it had an angle that was unique and inspiring because the iFaithful aren't *that* faithful.
Re: Going against the trend
You do not need a TV licence to watch TV from a PC provided you are not watching 'live TV', i.e. shows as they are broadcast.
"You do not need a television licence to catch-up on television programmes in BBC iPlayer, only when you watch or record at the same time (or virtually the same time) as it is being broadcast or otherwise distributed to the public. In BBC iPlayer, this is through the Watch Live simulcast option.
Anyone in the UK watching or recording television as it's being broadcast or simulcast on any device - including mobiles, laptops and PCs - must, by law, be covered by a valid TV licence.
A 'live' TV programme is a programme, which is watched or recorded at the same time (or virtually the same time) as it is being broadcast or otherwise distributed to members of the public. As a general rule, if a person is watching a programme on a computer or other device at the same time as it is being shown on TV then the programme is 'live'. This is sometimes known as simulcasting."
Note you can substitute ITV Player, 4OD or 5 Catch-up (or whatever it's called now) for BBC iPlayer and everything still holds up true.
I thought the original article had a reasonably intelligent point, but trying to debunk it with the same methods was never going to work. Note: this is all about discrediting the report by attacking its methods rather than about proving that it is flawed for any other reason... it's almost an ad hominem.
Mozilla CTO Eich: If your browser isn't open source (ahem, ahem, IE, Chrome, Safari), DON'T TRUST IT
This puff piece is nonsense.
Open source, theoretically, should be more provable as secure than not. Which is fine, if you have the time, resources etc. to actually audit such code.
Real users do not; they do not download and compile from source (Linux on the desktop is increasing, sure, but it's still a rounding error compared to the Win/OS X userbase, and even then most of the time they're not building from source either), they download a 'trusted binary'.
And of course then there is the argument about compilers - I seem to recall a fantastic piece about compromising compilers from Ken Thompson. It was written 30 years ago, but here's the thing... when the Mozilla folks build the binaries for Windows, what do they use? I see from their Windows build requirements page that they use Visual Studio and cygwin in concert (VS for the compilation, cygwin for the linking, presumably? Not clear.) But you're still relying on those tools to be uncompromised. That means trusting VS and cygwin (and possibly gcc) - and you can't audit VS.
http://c2.com/cgi/wiki?TheKenThompsonHack is mildly scary reading. Not totally scary, but mildly scary.
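The attack the post is pointing at is easier to believe once you watch it propagate. The following is an added toy re-enactment, not code from the page, from Thompson's paper or from any real compiler. The "compiler" is a Python function that `exec()`s source text and returns the functions it defines; the "binary" is the resulting function object. The login program, the clean compiler source, the `compile_source`/`check_password` names and the `"letmein"` master password are all constructed for this example. What it shows is the essential property: a clean compiler source, built with a trojaned compiler, yields a trojaned compiler, and that one backdoors the login program, while no backdoor text ever appears in any source a reviewer would audit.

```python
"""Toy 'trusting trust' demonstration (constructed example)."""

# Constructed login program source. Nothing to see on audit.
LOGIN_SRC = '''
def check_password(pw, stored):
    return pw == stored
'''

# Constructed clean compiler source. Also nothing to see on audit.
CLEAN_COMPILER_SRC = '''
def compile_source(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# The trojan is a quine: TEMPLATE has a %r slot that is filled with TEMPLATE
# itself, so the injected code carries its own source and can re-insert
# itself whenever it notices that it is compiling a compiler.
TEMPLATE = '''
    # --- injected by the trojaned compiler; absent from every clean source ---
    _T = %r
    if "_T = " not in src:  # never re-process a source that already carries the trojan
        if "def check_password(" in src:
            src = src.replace("return pw == stored",
                              'return pw == stored or pw == "letmein"')
        if "def compile_source(" in src:
            src = src.replace("    ns = {}", (_T %% _T) + "    ns = {}")
'''
PAYLOAD = TEMPLATE % TEMPLATE

# Generation 0: the attacker's compiler binary. In the real attack this is the
# one compiler binary that was ever built from a dirty source; afterwards the
# dirty source is deleted and only clean source is ever shipped.
TROJANED_COMPILER_SRC = CLEAN_COMPILER_SRC.replace("    ns = {}", PAYLOAD + "    ns = {}")


def bootstrap(compiler_src):
    """Build a compiler 'binary' directly from source text (honest bootstrap)."""
    ns = {}
    exec(compiler_src, ns)
    return ns["compile_source"]


def rebuild_from_clean_source(compiler, generations=2):
    """Rebuild the compiler from CLEAN source `generations` times with `compiler`.

    Each rebuild uses only CLEAN_COMPILER_SRC as input; the trojan survives
    because the previous generation re-injects it during compilation.
    """
    for _ in range(generations):
        compiler = compiler(CLEAN_COMPILER_SRC)["compile_source"]
    return compiler


def login_accepts(compiler, pw, stored="hunter2"):
    """Compile LOGIN_SRC with `compiler` and try a password against it."""
    check = compiler(LOGIN_SRC)["check_password"]
    return check(pw, stored)


def demo():
    honest = bootstrap(CLEAN_COMPILER_SRC)          # toolchain with no history
    rebuilt = rebuild_from_clean_source(bootstrap(TROJANED_COMPILER_SRC), 2)
    return {
        "clean_sources_mention_backdoor": ("letmein" in CLEAN_COMPILER_SRC
                                           or "letmein" in LOGIN_SRC),
        "honest_toolchain_accepts_backdoor": login_accepts(honest, "letmein"),
        "rebuilt_toolchain_accepts_backdoor": login_accepts(rebuilt, "letmein"),
        "rebuilt_toolchain_accepts_real_pw": login_accepts(rebuilt, "hunter2"),
        "rebuilt_toolchain_rejects_wrong_pw": not login_accepts(rebuilt, "wrong"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical consequence for the Mozilla question in the post is that auditing the browser's source is necessary but not sufficient: the build tools themselves are part of the trusted computing base. The usual counters are building with two independent toolchains and comparing outputs (Wheeler's diverse double-compiling) and reproducible builds, where independent parties rebuild and compare the published binary bit for bit.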
"At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption"
Wait, am I reading that right? Why would it ever be in the NSA's interest to make encryption stronger for the masses?
I mean, it wasn't that long ago that encryption tools required a munitions licence to distribute because they were weapons of a sort. Seems to me that keeping an eye on the industry and maybe slipping the odd slight hurdle into it, on the sly, would absolutely be SOP for them. But maybe I'm just too cynical.
Like some of the other commentators, I moved away from WinAmp with its 3.0 release.
Since I have a decent collection of tracker mods from ye olden games, I wanted a player that could handle reading all kinds of formats and ended up with XMPlay with one of the plugins (DelixTracker) which handles everything I can throw at it.
To the one person who asked about music devices, XMPlay lets you specify which device you want to use, including WAV encoding or LAME (for MP3) or OGG output should you need to transfer formats.
Disclaimer: I don't have a degree, however I did tackle the fundamentals of this in Decision Maths as part of an A Level in Maths so while I may not be as boffiny as some here, I do understand what NP problems are and the relevance thereof.
The only time I can actually recall using the various things I learned was in the midst of writing bits for an RTS game, where pathfinding was required. Whether you go down the road of A* or D* or whatever in between, you're still talking dancing about with Dijkstra's algorithm to some degree.
Having an understanding of the differences between bubble sort, quick sort, exchange sort etc. is always useful too, and where it can be an advantage not to use the good old quick sort (if the data is already mostly or completely in order, for example, quick sort may not be any use to you over a bubble sort).
The other algorithms covered - travelling salesman, shortest method of connecting a weighted graph (like network cabling) have applications out there in the real world but I've never encountered them, and neither have any of the folks I know, but I'm sure there are uses for them.
Re: Disable Find my iPhone?
That's great, until you either want to actually use anything that's on the Internet - or shock, horror use the phone for the purpose for which it was designed, i.e. to actually talk to another human being.
Airplane mode just makes it, quite effectively, an iPod Touch.
Re: That's not the right way to do it
I didn't have any problem using the current (not beta) versions of Xcode, including the 6.1.3 APIs and whatnot to push a build of my current app to my first gen iPad, which still runs 5.0 (it can run 5.1 but 5.0 was memory hungry enough on it)... Depending on how far back you want to go you might have to jump through a few hoops but that's par for the course when using any of Apple's dev tools.
Re: I wonder if it's straightforward role reversal
He's not calling you a Chev, he's referring to Chevy - Chevrolet - the car manufacturer. As in 'as a fashion statement they are right up there with Chevrolet', a brand not entirely known for its fashionability, except the Corvette (as noted by the poster)
I'm intrigued by the whole 'shared memory' thing because it's nothing new at all. I'm not talking about the setup that PCs have had in recent times where the video memory was carved out of the main system memory, but every time I've seen it mentioned, I've just remembered the Amiga.
For those not familiar with the Amiga's innards (and this is a simplification, the real picture is more complex but I've forgotten most of the detail), there were essentially two kinds of memory hived out of the total system memory. The first was 'chip' memory, which could be read by all the main chips, and which is where graphics and sound had to be stored. The second was 'fast' memory, which only the main controller could access, meaning that you stuffed application code there where possible, because the CPU could access it faster than it could if it were reading from chip memory. It was also possible to switch some from one to the other (e.g. the later Amigas had a ton of chip memory, but a lot of programs expected that if they saw that much memory, some of it had to be fast memory, and promptly went splut).
So yeah, sharing memory between subsystems on a more unified level is not a new concept, especially when you're talking about memory that both the CPU and graphics setup can share between and essentially allow the graphics to grab from memory without the CPU being involved... it just reminds me of 1986 or thereabouts...
Friend of mine is using a 3 year old iMac... and using Parallels to run Steam games where there isn't a native version of the game for OS X. I was watching him play Assassin's Creed III on it the other day and it performs surprisingly well on a 3 year old machine running through an emulation layer. In fact, when we rebooted it and ran it through Boot Camp (i.e. native Windows), it wasn't actually significantly better.
Me, I'm using a MacBook Pro (developing for the mobile things) and I'm in Boot Camp most of the time. Don't know what it is but Parallels just doesn't run very well for me. Guess my friend is the lucky one.
Not understanding what the problem is here... she had gold bullion (physical item) in her house, which was stolen.
Unless there was some exclusion in the policy against gold bullion, I can't see that they have much of a leg to stand on... it wasn't obtained illegally as such... are they claiming the gold was proceeds from a crime? If so, what crime, actually, was committed? Seems to me that the worst that could be claimed was breach of contract (her with Blizzard) which in any case is neither a criminal matter nor anything the hell to do with the insurer refusing to pay out for the gold bullion.
What I could imagine, though, is that the gold bullion was worth more than what she had insured and that she wasn't going to get the full value back...