* Posts by Jerren

43 publicly visible posts • joined 2 Jan 2009

Air gaps: Happy gas for infosec or a noble but inert idea?


More of a wetware problem....

One point I think the article doesn't drive home among the others mentioned is most of these attacks that span the air gaps require a bad actor to physically touch the systems. The malware doesn't magically materialize out of "thin air" some one had to put it that environment, weather it is hidden in the hardware at the factory, typed in from memory or uploaded by a flash drive there is a human behind it and there are well documented process and methods for protecting against these types of attacks, primarily by limiting access, requiring a minimum number of people to be in the room at any given time, division of labor, mandatory access controls, rotating the employees assignments and shifts to prevent collusion, monitoring of employees activities inside and outside of work, and limiting what is and is not allowed into the environment (e.g. no cell phones, electronics, paper, pens, etc.).

When the proper controls are in place and and properly managed the risk of data ex-filtration across an air gap is greatly reduced. Most incidents of this type that I have investigated are failures in physical security, and lets face it once you have physical access to the box it's essentially game over, there is no limit to what you can do at that point.

Mine's the one with the usb cufflinks.

Apple OSX Yosemite infested by nasty 'Rootpipe' vuln


Re: Is this just a rootkit that requires direct computer access? Can I yawn yet?

Well said foo_bar!

This is simply a privilege escalation exploit of a flaw in the OS, there are dozens of them out there in the Unix world and this is not surprising that there is an old one in OSX, it's probably one that was ported over from BSD. It appears that you already need a shell to the box with an authenticated user in order to exploit, not that hard but it will require a bit of skill for someone to actually use it.

For those complaining about waiting till January for a fix, it takes a long time to find, isolate and fix these types of problems and you want them to take their time so they don't spawn 2-3 more in the process. If you've never hacked a Linux kernel trust me it's not something you want to try to change and debug in a hurry... :-)

The author is going to release the exploit at some point but is giving the vendor time to release a patch prior to it's release we call this "responsible Disclosure" that's not to say someone may not find the bug and write an exploit in parallel but at least he gets credit for finding it and promises not to let anyone see the code till after it's fixed. Personally, as a pen tester I applaud them for that, but I'm also sure it will show up in Metasploit one way or the other around Christmas...

Microsoft to enter the STRUGGLE of the HUMAN WRIST


Fair points all, I guess I am charlie brown trying to kick the football, cause I have been chasing a decent smart watch now for about two decades... I have a couple pebbles a black and the steel and I find it's the little things that make it useful to me. Changing the music in the shower, controlling my go pro while skiing or snorkeling, and reading texts while my hands are full or when I can't get to my phone while driving etc, it comes in handy. The pedometer and sleep apps works ok but not as well as a fitbit or other specifically designed devices. And the text only watch face really turns a lot of heads even with high end watch collectors do a double take.

That said most of computer manufacturer versions that are being touted have a HUGE issue that I don't see being fixed fast enough - battery life. They claim 1-2 days of battery life with "normal" usage, lets face it how many of us are "normal usage" people especially when we first get them and are playing with all the features? I don't see the value in a watch that I have to charge over my lunch hour to get though the day, thanks but I'll wait for gen 2. Or in Microsoft's case gen 4-5? Am I the only one who bought the original Microsoft "smartwatch" back in the late 90's/early noughties? The battery was great, too bad the radio frequency updates were flakey at best...

Guys it's not hard, it's got to be useful, functional and have a battery that lasts for at least a week of "normal use" so we can get about 20 hours of hard use out of it and not look like we have a antique radio shack cb radio strapped to our wrist, oh and have an open api so we can write our own apps for things you never though of. Right now the closest thing out there is still the pebble, and I was really hoping for so much more by now...

Alienware injects EVEN MORE ALIEN into redesigned Area-51 gaming PC


Re: I think I can hear the death knell

Yes but with Quad GPU it might make a half decent (albeit expensive) password cracking rig... once you get Jack to compile properly to use it...

Is Google prepping an ARMY of WALKING ROBOTS?


Nexus 6

Now ya gone done it as soon as googlebots indexes this they will make a grab for fleshlight, realdoll and all the other naughty bits...

Meet NASA's Valkyrie: A silky busty robo superhero that'll save your life


Re: Marvel Sueball?

If marvel doesn't sue them Ozzie might once everyone starts calling Val "Iron maiden" as opposed to Iron man... It is a female robot form after all...

Deep beneath melting Antartic ice: A huge active volcano


Re: Incorrect...

A group frisky penguins where having a prolonged shag on top of the seismograph... nothing to see here ya can't find on natgeo folks...

Python regurgitates Dropbox secrets to boffins



"As Dropbox puts it: “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board.” (More on this in a minute.) "

Heh do we really have a minute anymore? A minute is about all it takes on most poorly protected home computers, less if your compromising multiple PC's on the same network (after the initial compromise of course... that point in the pen test when they you notify the client's security team "it's game over man").

The point here is just because you have to pwn the box first is not a barrier for anyone who wants to get your data, and once pwned this becomes just yet another pivot (YAP) to get that juicy delicious data (yum)... IMHO this is just like pivoting to attack the file server at this point just without all that extra logging and "security features" to deal with. Which is probably where that data belongs in the first place...

A win for pen testers and bad guys, yet another headache for corporate security teams to deal with in the age of BYOD.

EFF, Lessig battling copyright takedowns


Wrong target?

Maybe someone better versed in DCMA can explain this to me...

The original use of the music was part of this "amateur dance troop's performance" presumably in it's entirety. Assuming they did not obtain permission and pay the requisite fee's THEY are the primary offender in this case correct?

By using a small clip of the performance and not the entire work the Lessing is within the definition of the fair use clause of DCMA as most of us understand it, he did not include the entire performance of the videos or the song , perhaps he didn't declare and attribute properly (or perhaps he did which is how they located and targeted it over the others) but he is not the primary offender here. (note it looks like he is using other copyrighted clips like the John Stewart show, and a bunch of cartoons but there's not lawsuit there....)

So why are they not dragging Lessing into court and not the ones doing the fan based videos of the song? More importantly how the heck did this ever get to court in the first place? This one should take 5 minutes to move to dismiss and hopefully the judge will toss it out and fine the plaintiffs for a nuisance lawsuit.

Kiwi jetpack gets all-clear for manned tests


Re: Top speed?

Per the companies website the max range is about 30KM which is about 18 miles, I'm afraid you'd have to stop for gas a few times. They have some not-so commuter friendly restrictions on it too: It's only useable during daylight, you cannot fly over urban centers, line of site only, and requires you to basically dress like a Indy driver in a fireproof flight suit, horse-collar and helmet.

Not to mention that parachute won't help much at low level flight, and well nothing will help if you run into power lines or a building etc. (Of course if your in an urban setting flying into the building is misuse per the restrictions so forget the insurance payments and lawsuits against the manufacturer...)

File under expensive toy but not bloody practical for those of us waiting for the flying car that folds into a brief case and rocket belts we were promised would be around by now when we were kids....

Facebook's request to the flash industry: 'Make the worst flash possible'


Re: So what he's asking for is...

Make it so...

Yeah I'm leaving now as well...

LivingSocial admits major hacking attack on customer database


Hopefully things like this will encourage people never to use the same user ID and password on multiple sites, there are enough devices and apps out there for password management and plenty of high profile hacks out there that people should know better by now...

Mine's the one with the nifty MyLOK+ USB stick password manager in the pocket...

Researcher hacks aircraft controls with Android smartphone


Re: Knew It Was Coming

@ Pepper Your referring to the infamous DB Cooper case and several others who tried to copy his escape, and while some of the money was found I believe the case is still open and there is some speculation around if he survived the experience. The 727's now have a interlock called the cooper vane to prevent the rear stair from opening if the plane is not on the ground wheels down specifically to prevent this from happening again.

Get lost, drivers: Google Maps is not for you – US judge


Re: Actual Satnav units

Pretty much every built in sat nav system I've owned in the US all disable the keyboard and most touch screen input functions wile the vehicle is in motion. The Sync unit in my new Ford Truck allows for voice commands which I personally find a lot more distracting than a touch screen menu.

As for the portable ones and early laptop devices I have found some of them to lock up when moving more than 5-10 MPH while others do not. I find it interesting that it's still legal in some states to have the old hocky puck antennae hooked to a laptop with cables and power inverters run all over the front seat that you have to bend down to look at but you can't suction-cup a touch screen to the window.

Of course it varies state by state so please don't judge us all by the strangeness of California. :-) I always found it quite odd that in New Jersey it's illegal to pump your own gas until I caught an episode of Jersey Shore.... context makes a huge difference!

Baby-boulder bowling burglar breaks Boulder Apple Store's $100k glass door


My Guess is "Unbreakable" glass probably cost too much so they went with the slightly less expensive "Insanely great" doors instead...

Civilization peaks: BEER-dispensing arcade game created

Thumb Up

How about the Highland games...

Port the old highland games with the caber toss and swap that sissy beer tap for a Scotch dispenser, higher you score the older the single malt you get. Now that would be worth playing.

Plug-in pwning challenge brings Pwn2Own prizes to $US560k


Re: Cake crumbs?

That's a big part of the problem it's kind of like a medical company that has found the cure for a disease but also makes drugs to treat the disease itself. They make more money in the long run treating the symptoms than actually curing the disease or in this case of security researchers selling prevention and detection tools, consulting services, selling the tools to exploit themselves versus telling the vendors how to fix the problems directly.

I understand the financial motivation of not wanting to disclose it all, but I think the real purpose of these competitions is for vendors to learn about potential weaknesses and ultimately FIX the problems to make the product better for everyone. Your getting cash, prizes, the priceless free publicity from the event, plus the good karma from helping make the products safer for the masses. I think all that should be more than enough to compensate you for telling them how you pwned their product but I guess that's why I'm not filthy rich... :-)

Disney World slaps pay-by-bonk stalker cuffs on grown-ups


Re: It looks like...

@Herby Actually I think the driver is a little different. Yes it probably will save them on staff who monitor the queues on live video to keep an eye on things and also provide more accurate wait times for the people who pay the extra money for the cell phone apps which they may sell more because of this.

The real driver is the same as the "Key To The World" cards they have been using for years as the room key, park admission, fast pass AND room charge.... Most people spend less when they are paying in "real" money than they do when using credit cards, although that is changing as more and more people use credit and debit cards in place of old fashioned cash and coins. By further abstracting things by making the payment vehicle a wrist band as opposed to room key with mag swipe which resembles a credit card. Instead of signing and comparing the signature on the back they use a pin to authenticate you. So even if your brain now says credit cards = Money your not thinking wristband = money let alone wristband = credit card = money and chances are you will spend more casually without thinking as much.

Most of the merchandise you find in the parks are impulse buys, separation of the thoughts of money from the payment mechanism is really a rather clever way of separating your money from your wallet. Which as someone who is married to a Disney Travel Agent can tell you they are VERY good at. :-)


@Collis Actually there are no lost children in Disney outside of the "Lost Boys" in the Peter Pan attraction... :-) Ok, sorry bad joke and this really is no laughing matter but there is a point to it:

Cast members (aka "Staff") are trained to talk to children and explain it's actually the Parent's who wander off and get lost. (And we do...) This keeps the kids calm and lets the cast member get vital information from the child to reunite them with the parents at guest services.

So, if you ever find yourself wandering off in a child like daze to say hello to Cinderella and realize your child is not there, simply find any cast member and they will radio it in immediately and all cast members will be on the lookout for the child while the parents are escorted to the front of the park for a happy reunion. (However, chances are you may be panicked and looking frantically around in which case the Cast Member will probably approach you, as they are trained to do...) They drill this into the cast and they take the situation very seriously most families are reunited in minutes although for the terrified parents it seems like an eternity.

While I doubt this technology will be more useful in locating the child or parents more than their pervasive video surveillance is, it may make positive ID of the parents easier but typically there's so much crying and hugging (and sometimes yelling) that's fairly obvious. But, I agree it would be a good thing if it speeds up the happily ever after reunion! :-)

Anti-virus products are rubbish, says Imperva


Re: Whitelist...

@AC - Actually no it's not code signing, it's basically hash enforcement at the os level - if the app and hash you have stored on PC when you try to save/execute dosn't match the version on the white-list on the server it is blocked. It's been a feature of windows server for years as well as several 3rd party tools.

This goes well beyond malware protection to address what users can and cannot load on their systems, if your group dosn't have permission to say run firefox you cannot install or run it period, weather it's a "trusted" source and code signed or not dosn't make a difference. if it's not on the list it's not going to run on your PC period.

I stand by my comments before, it's highly effective when done right, but it can take a lot more effort and money to implement properly than AV amd IPS devices like Imperva.

Thumb Up

Re: Whitelist...

@ John Beat me to it... ;-)

Black list and Heuristic Algorithms are great for catching stuff you already know about and they will catch what they know and a few things they shouldn't based on the patterns that have already been established. As a pen tester I can say none of the exploits I have used (ahem only with signed authorization or on my own boxes that is..) have ever tripped off an AV client, there are plenty of repackagers that are way too easy to use out there not to mention toolkits like SET that will do it for you from a menu option.

It dosn't mean they are worthless or you can safely surf naked (e.g. running with no AV/firewall) it just is what it is, a filter to catch know bad stuff. Think of it as getting a flu shot, it works against the bugs you predict you'll be exposed to but not everything that makes you sick.

White listing is a great solution, and I personally think it IS the best one, basically it only allows you to run what the system admins have "pre-blessed" is ok to run on your system. It works, it works very well when implemented properly....

Which is the problem. Most companies who sell white listing applications out there do not tell you the effort involved in maintaining that white-list. One security researcher I know once commented a corporation will need to hire 4 times the number of staff needed to run a proper AV and patch management implementation in the same environment. I mention patch management since that now has to be tied into the process since the patches themselves need to pass though the white-listing process as well, which can add delays in implementing patches which may cause friction for management who have been pushing for ever shortening patch cycles, of course white listing actually prevents the risks driving these demands in the first place it typically comes up in the discussion.

The other issue I see most commonly is delays or frustration due to over-complex white listing processes for new applications can cause users to rebel against corporate systems and you will see a surge in BYOD (Bring Your Own Device) or copying data to portable storage to use on personal laptops outside of the company's control. USB sticks get lost, personal laptops get hacked or stolen, it can be a nightmare if you do not have controls in place to enforce policies against it.

When all's said and done, a properly funded, managed, and implemented white-listing program offers the best defense against all exploits. Sadly, it's just too damn expensive for most organizations to do properly. :-(

Build a BONKERS test lab: Everything you need before you deploy



The other consideration is redundancy, the DROBO NAS solutions have the ability to loose 2 drives without loosing the entire array in raid 5 configurations with less overhead. Having recently had 2 drives fail within hours of each other on a old Terastation I can tell you honestly yes it CAN and sadly does happen!

Last thing I would want in my test lab would be to loose ALL of my VM's at once, even with backups your down for days restoring multi-terabyte drive arrays. Out of all of them the DROBO units seem to offer the most resiliency of the others out there for the price. Unless of course the entire DROBO box itself decides to take a dirt nap then your in trouble!

Reagan slams webmail providers for liberal bias


Re: So what?

Nailed It!

The only conclusion that can be drawn at all from those statements is that INDIVIDUALS as opposed to the anonymous "super" PAC's are donating more money to Obama than Romney on those specific sites and from those select companies.

What's disgusting here to me is American news Media today, the golden age of professional Journalism is long gone in this country with the age of cable... Am I the only one who sees the irony in Fox New's claim of "Fair and Balanced" News coverage? You have Fox News on one extreme and MSNBC with the Ed and Rachel Maddox Shows at the other and all the others fall somewhere in-between and just blindly playing the sound-bytes with no apparent care about the actual validity of the comments made in them. Every year it gets harder to cut though it all to get to the truth of what's actually going on. Used to be the news would verify information and report it factually, it was a matter of integrity and professionalism over ratings. Sadly today that's too boring when you have 900 channels to choose from.

Mine's the one with the CSPAN program guide in the pocket, If I'm going to get fed manure on TV it'll get it straight from the source and make up my own mind.

New Mac OS X: Mountain Lion roars at unauthorised apps


Defense in Depth...

The main problem here is a lack of awareness, understanding and application of defense in depth strategy by home users.

Of course you need AV, you always will need AV, but AV alone is not enough to protect you, you need a good firewall, not some $99 special you picked up at the big box store because someone told you you needed one and just plugged it in with default settings, a real one properly configured. In addition you still need HIDS, content filtering, and all the other things corporate users have ad a lot of common sense.

I see this as an attempt at application white listing, pure and simple. Quite frankly if more companies take this approach and control what can be run on their machines it makes it much more difficult to compromise the systems though traditional means and maintain persistence control for any period of time. Drives the pen testers crazy when done right.

Now the use of certs is good, but the problem here is they will only be as secure as the certs themselves, if developers share certs or a disgruntled employee signs his malware with a legitimate cert it will still get though the wall. That's why you need other defenses, if one or two fail hopeful the third or forth layer protects you, in security parlance it's called Defense in Depth, in layman's terms don't put all your eggs in one basket.

There is no silver bullet to security, but this is a step in the right direction IMHO.

Drink diet pop all the time? Look forward to VASCULAR DEATH


Zombies, et al.

The Living dead technically are not living or dead, hence the statistical anomalies. So stop running around fact checking...you'll only die tired!

Students busted for hacking computers, changing grades

Thumb Down

They apparently used hardware based keyloggers, which are virtually impossible to detect by software as they plug inline with the keyboard cable out of the back of the PC. More of a physical security issue. Besides almost every company I hear about being hacked all act dumbfounded at the breaches because they all had "AV and Firewalls" The biggest threats are from within, and AV can only stop what it knows about if ti's something new or just newly encrypted in low volumes it's not a priority and often times will slip right though most AV...

I don't think this was a case of a lack of being stimulated or engaged here, they used COTS hardware, a copied key from the janitor, it was fairly low tech breach overall. This is simply a case of B&E, academic fraud, and being greedy.


If they where smart....

1) They would not have done it at all, agreed. And this is the MOST important point!

2) They would have written their own software key-logger vrs a hardware one to make it harder to detect and hopefully harder to trace back to them. (kids and credit cards these days, way too lazy!)

3) They would have retrieved the hardware devices after they had captured the needed passwords to avoid detection. (Granted there is a risk of detection on re-entry but it appears these guys where rather proficient at infiltration of the school...)

4) And this is the big one.... they should have never tried to profit and never told anyone, ever!!!

Like most criminals it's the greed that gets them every time! But will they learn their lesson?

Now that they are expelled they have plenty of time to learn how to use metasploit and SET to do it from the outside (Just what we all need...).

School or not Security needs to be baked in to everything you do these days, and expulsion alone is not harsh enough to prevent the students from continuing down a rather dark and dangerous path.... lets hope their parents straighten them out before the courts have to!

Use iBooks Author, only Apple can ever publish the result



Sorry Lewis but your way off here.

Apple is creating the editing software, providing it to you for free in the app store, hosting/distributing the work on the ibooks bookstore and handling all the payment processing. Apple will also promote books in a similar way that the promote apps and songs as "featured content" in the iTunes store.

Hosting your book online for money IS something, it's a big thing. it cost money to host a web site and hope and pray someone will find and buy your book from it, or money to advertise the site to get people there. Apple is also providing you a way to get paid for your work, Published and protect your content from being distributed outside the official ibook store. (No one's a big fan of DRM until it's YOUR work getting ripped off...) Sure you have a web site you can sell it yourself, but now you have PCI DSS compliance headaches and costs to consider to have your site tested at least once a month and they don't process the cards for free and put the money in your account for nothing. Chances are the Processor and the bank will slap some fees on you for those services since they have to comply with PCI as well. Nor will all users feel comfortable buying your ebook off the internet from your site vrs Amazon or Apple.

When you add up what it would cost to develop, distribute, protect, and market a multimedia ebook on your own, 30% suddenly dosn't look that bad.

Mine's the one with the ipad in the pocket...

Zappos coughs to HUGE data breach


IF you don't reuse them then you don't have to...

Big if there, and with so many websites around most people use one or two (hopefully) strong passwords on a number of sites. If any of them are compromised and the hashes decrypted (Lets face it brute forcing passwords ALWAYS works by definition) you now have a username, email address and password (as well as other personally identifiable information) that you can use to compromise other accounts.

Random usernames, and passwords on all accounts for every web site you access are well beyond most mere mortals, but there are a number of devices and software solutions out there to do this, people just need to invest in something that works for them and start randomizing their passwords. Personally I like MyLOK from ii2p (www.mylok.com) but it's currently only available in the US due to export limitations on the technology. Just find what works for you and use it!

Skilling up the cloud: What it means for infosecurity pros


Cloud Security = Oxymoron

Clouds as implemented by today's technology and could hosting providers are not secure-able unless you physically own all the hardware and networks involved which defeats the cost savings of leveraged cloud hosting. (aka a private cloud which is basically outsourced virtual server clusters)

Don't believe me ask your provider to demonstrate how they can trace an intrusion or network connection thought the leveraged cloud, which servers where compromised when, which routers, switches, etc. Most of the major hosting providers simply cannot provide the basic incident information you need to do a proper investigation or documentation required in most courts. It's hard enough to do this effectively with physical systems in a court of law, let alone trying to explain the layers of abstraction involved with the virtual machines in a cloud.

Log management/reviews how do you merge all those server logs into one unified manageable source, well that's more hardware and software = more $$$. How do you monitor your network traffic to detect anomalies? You can't. Why? Well because you might have visibility into other client's packets. Or worse, it they let you then that means someone has access to yours!

More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why you ask? Well all it takes is one warrant for all data, tapes and servers for company XYZ which live on the same infrastructure as yours to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you loose your servers (easy to replace) and the SANS (little harder to replace, and will take a while) but your backups as well! Possession is 9/10 of the law in the US the hosting provider owns the servers, the storage, and the backups in many courts they own your data unless a clear agreement is in place. Even so that agreement will not save you from a shutdown in the scenario above.

Worse if you are a smaller customer you may have to wait longer while the high priority customers get online first. Hope you have up to date Disaster recovery and Business continuity plans in place.... or at least an updated CV on hand you may need it.

Finally if the hosting provider is replicating the data in multiple countries you also can get in trouble especially with things like Personally Identifiable information, things that are commonplace in the US for example may be against the law in the UK.

Not secure and in many cases more trouble than they are worth! IMHO the cost to implement a secure cloud environment with today's technology will generally cost more than traditional server farms for most implementations. Fine for blogs and public information but I would resist the hype about putting proprietary, sensitive, or business critical data on them. If you do good luck come audit time! :)

DisplayLink tools up iPad as wireless Windows screen


The difference...

Price - Air display is a bit more expensive I think I paid around $10 for it when I purchased it last year. Well worth the cost though, for $8 more you get an app that works as a spare monitor on BOTH Mac and PC as well as touch screen remote control. I use it with my mac book and iPad when coding/debugging and when giving presentations on the road.

And for those of you who complain about the price of the ipad vrs a second monitor, well the ipad is a lot easier to travel with plus it's wireless! I don't think I would want to lug even a small LCD around the country with me, even if it survived the baggage handlers the extra bag fees eat you alive these days! :-)

And yes you can use VNC or similar free remote control products to do the remote control or monitor mirroring, in fact that's what I used to do when driving presentations from my iphone, but it does not give you the option of 2 monitors which is great for development that these products do.

Air Display works great on Macs,I have had no issues on any of my 3 mac systems running it on Leopard or Snow Leopard. I did hear some windows users where having intermittent issues with Windows although I have not had a problem with this when running on my windows 7/Vista test boxes, your mileage may vary.

Short passwords 'hopelessly inadequate', say boffins


@chem Serious lock?

Seriously? Most PC case locks take less than 2 minutes to circumvent if your serious about getting in and have a little know how, a bit longer if your trying to not leave any physical evidence of the intrusion. :-)

All kidding aside though, valid point if you have physical access to the box you have the box and by extension possibly the network it's only a matter of time.

I've worked at places that went to great extremes, even to the point of "disabling" all external ports, in all cased if you really want to get in you can get in. Just like cracking a safe it's just a matter of having three things: 1) The time to get the job done, 2) the right tools and 3) the knowledge of how to use them.

What concerns me the most it the tools are more readily available, faster and easier to use than ever...

Mines the one with the lockpics attached to the USB stick.

Microsoft digs Macs in back-to-school ads


A couple things missing....

Ok I recently took the plunge and purchased the 17" Macbook pro, so far it's been the best laptop I have ever owned and I have owed several over the years including some from Alienware and other high end laptops. (I'm an IT veteran of over 25 years) I'm mostly a web security, architect and software designer these days, not a gamer and so far I am extremely pleased with it for what I need.

Few points to consider here:

Overall build quality - The MBP17 is by far one of the most solid well engineered laptops I have ever used. every detail appears to be well though out and not just thrown in there because it fits that way the way most PC laptops seem to be in comparison. It's less than half the thickness of my wife's 6 month old HP laptop (without it's bulging battery pack with it it's roughly 1/4 the thickness) and even though mine is a 17' and her's is a 15" mine weighs less. It's solid aluminum body while not colorful is classy, and I think makes the plastic ones look cheap personally. Small touches like a closing cover over the express card slot to keep dust out and the clever button that shows you the current battery charge without booking up are very nice. The mag safe charger cable and brick are much nicer than any PC power connectors I have used, no shorting or sparking if you connect a live cable. (Haven't we all at least once done this?)

CPU - All of the Macbook Pro's support Hardware Virtulization, even the lower end 13" models, most of the PC laptops you will find at the big box stores do not (or at least didn't as of a month ago when I was looking around) Anyone running windows 7 who wants to ever run a MS Virtual PC (aka windows XP mode) on their laptop will be disappointed after shelling out the cash for Windows 7 pro or Ultamate to find the hardware on their new PC won't support it. I do a lot of development so VM's are a must. Enterprise customers need the XP mode for legacy software.

Flexibility - You can run a PC on a mac, not the other way around. And with the latest Parellels Software they PC apps just show up in their own apps folder. Start up and shutdown of Windows 7 is faster than on a similarly configured PC (PC actually has more RAM maybee that's part of it but who knows.) The PC based apps I still use run fin without issues.

Office Apps - I run Office 2007 and 2010 on the PC's, Open office on my linux boxes, I run Apple's iWork package on my mac, mostly because it was less than half the cost of MS Office. Yes office has more bells and whistles but I find the items on the iWork easier to use to create stunning layouts, I even find myself using Adobe in-design less and Pages more and more.

The touch pad - it's a multi-touch pad, not a touch pad and yes it takes a while to get the hang of but is very intuitive and powerful. I have never been a fan of touch pads, in fact I hate them with a passion but this one is easier and works better than any I have ever used, and I almost never use my mouse anymore just the pad.

Battery - While I'm not seeing 9 hours on battery while actually doing work (I did bump the cable out one night and it ran on battery for over 10 hours idle though) I constantly get a good 5-6 doing regular work (coding mostly) with no issues or fear of completely running out of power. I have yet to have a windows laptop provide me the same performance without a bulky spare battery pack attached.

Support - The one time I called support for an issue with the time machine backups (which turned out to be a bad external drive no the mac btw.) I was connected to a support person in under 2 minutes and then escalated to a specialist in under 5, problem was sorted in quick order. In contrast to HP which is supposed to have the best support in the PC world a similar support call took over 3 hours. Time is money I need to be working not running though the same thing 10 times over and bounced around the globe.

Out of the box - While various PC makers add various software (mostly trials) with the mac you get enough to get started with for most needs, iphoto, Itunes, i movie, mail, ical, preview (document/pdf reader) Garage band, time machine (automatic backups) idvd, safari, photo booth, ichat, etc all come out of the box. This is enough for most home users. Most other software as mentioned earlier is easy to find and install. (in OSX you just drag the file to the apps folder to install) You also get a full linux and xwindows environment as well. As well as a relatively easy scripting language and automation tools.

Developer tools included - Yup Xcode is on the install DVD just install it, now you can write, compile, and debug software for the mac. Last time Microsoft shipped any development tools with windows was what Dos 6.22? Yes you can download the community versions of their development tools but it's just not the same. I honestly did not expect to see this for free on the Mac but was pleasantly surprised.

Finally the dang thing just works, it does what i need when I ask it to, my letterhead in office 2007 always fights me after saving the initial template, in Pages it just works. No hangs no spontaneous reboots, I can set up remote ssh/ftps mounts and work with files on my servers directly. Almost no learning curve for me, but if I did need help I can always schedule a one to one training session at my local Apple store for free with the apple care

Bottom line, like many things in life it's still a ya get what you pay for situation. You pay more for the mac (a lot more granted) but if you can afford it and it suits your personal and professional needs I would go for it. I don't think I'll buy anything else form here on.

Seagate announces ugly diskless NAS filer

Thumb Down

Side Mounted Drives?

I get nervous when I see side mounted drives, it could just me my experience but they seem to go bad faster than mounting them top side up. I'll stick with the Buffalo TeraStation Pro's for now I have been using their products for about 3-4 years now for backups and they have performed flawlessly.

US kiddies treated to Playboy TV



We never get service like that from Comcast... I think it's time to switch!

BOFH: The PFY Chronicles



I'll take the BOFH in the graveyard with the backhoe burning the management alive in an open grave after he has arranged compensation and hush money from the company FTW!

Cheers Simon well played.

Swindon twins with Walt Disney World


After looking at the magic circle I get it...

This must be the city Disney deemed in most dire need of a monorail system...

Generators and UPS fail in London datacentre outage


Wouldn't a more proper title be...

"Tata's Datacenter goes tits up?"

Mobile internet? It ain't just for the iPhone


Been doing that for years....

Used to be you could buy the snapdial software and usb cable at your local Best Buy stores here in the US, it's sole purpose was to use your cell phone as a wireless internet adapter, all you needed was a cell phone with a internet connection... only drawback is it dropped the connection every time someone called your cell... Tethering is nothing new...

Newfangled rootkits survive hard disk wiping

Paris Hilton

No big deal...

This is not that big of a deal, just flash the bios before you reload the OS on the box, problem solved, unless they prevent flashing in some way, then in that case just replace the chip. If this becomes a real problem someone will have a standard service (mail us your BIOS chip and we'll overnight you a new one) or some kit to make this easy even for consumers.

Paris well she's now crying because she doesn't know how to flash the BIOS and now has to wait an extra 5-10 minutes more for me to fix her computer.

Obama says his new chopper is 'procurement gone amuck'


The real question is...

How a helicopter that is not able to take of vertically under load was allowed to be selected in the first place no matter who makes it? If the base configuration is not fit for purpose who in their right mind would think it would even get off the ground after you add all the extra kit on it it? Just a little common sense could have avoided this whole mess...

Russian rides Phantom to OS immortality

Black Helicopters

Military Applications

I think the big win here would be for the boffins at DARPA and for the larger governments who need an OS that could reboot immediately to it's previous state after a massive EMP discharge. If you can harden the system and the flash memory you could significantly reduce the time needed to get critical systems online and the vehicle or device back in the fight faster. For warships and tanks that may not be that large of a concern but any modern fighter plane or bomber that looses all computer control is basically a flying brick until those systems can come back online, every second counts there.

We may never see it in the commercial sector but there is a niche for it, and a highly lucrative one at that.

Swoopo - eBay's (more) evil twin


Banned in several States?

Interesting how you cannot register if you are a resident of several states in the US, I wonder if the lawsuits have already started...