Posts by RichardBarrell

Re: Is there any advantage left by using commercial certs?

As chroot mentions in the other comment, browser vendors eliminated the visual differences between EV and non-EV certificates a while back.

Empirical experiments were run & demonstrated pretty conclusively that nobody was checking for (or cared about) the extra UI widgets browsers used to put in the address bar for EV certs. In general, people do notice negative security indicators ("not secure", red bars, etc) but they don't notice the absence of positive security indicators (like https markers).

(When I say "nobody", I mean really, nobody. Not just lay audiences: people in IT, programming and information security too.)

> the lack of an ARM-native Chrome was the biggest issue with Windows 10 ARM

Mildly surprising, since so many Chromebooks are ARMs.

Thank you for explaining.

Re: up to 2TB, it makes no sense to go mechanical

I think you only get SMART disk failure warnings about 1 time in 3.

When Google published large scale statistics on mechanical hard disk failure rates in their server fleet (enough years ago that I feel old thinking about how long), one of the conclusions they mentioned was that SMART disk monitoring have them almost no false positives but lots of false negatives.

As I remember it, pretty much every time a drive announced an error via SMART, it died soon after. But when a drive failed, only about one third of the time was it preceded by SMART monitoring errors.

Re: New PC

FWIW if you're ever having difficulty finding PC cases that don't look like a disco ball covered in neon lights, I can strongly recommend Fractal Design. They have a whole range that all look like solid black monoliths from 2001.

Re: Link the world

I notice that with big projects written in Go, where you might have a couple of command line utilities, they all get bundled into one executable with "subcommands". Say, instead of having "foo-create", "foo-list" and "foo-delete" as separate executables, they'll output a single binary called "foo" that you run as "foo create" or "foo list" or "foo delete", so the file size overhead of static linking doesn't get multiplied up.

This has no real cost in performance, complication or convenience, it's just mildly interesting. Seems to happen with every language that uses static linking by default.

Plus it's microscopically trendy: you also see programs opt to use this style which are written in languages whose hello world binary is <10kB.

Re: This can be easily explained

PC relative addressing came back into vogue in the last decade or so because of address space layout randomisation :)

Re: This sounds more like an On Call than a Who Me? column

Must've been a shortage. Maybe nobody committed any sins this week? :D

Re: Home WiFi

Not at all. None of them do anything like that. You're only going to see that kind of feature in shiny expensive enterprise setups that include an IDS.

With home routers, you're lucky if they're not accepting telnet connections on the both the WAN and WLAN with hardcoded unchangeable password 'root'/'root'.

Re: What's next?

This is what's confusing me. Why are they talking about 2027 and 2040 as end of support dates? ERP system integrations break entire enterprises when they go wrong, so obviously nobody wants to touch it once it's working well enough. Why aren't SAP talking about perpetual support for all their products, or at least support dates through the next couple centuries?

Personally, if I owned a SaaS business which had a profitable install base of totally locked-in customers paying subscriptions, I'd be pleased as punch to let them continue handing over money to me for whatever they're running now forever. Scale back development on the obsolete version(s) to security fixes, legally required updates, y2038 fixes and operating system compatibility only.

As I understand it, this worked great for Basecamp - they wrote their core product from scratch several times without ever making existing customers update. They still have lots of customers on obsolete versions which have maintenance programmers but get no feature updates. (Of course the customers who've built custom processes around old versions don't really even want any new features that might break their stuff anyway.)

Re: RAM clear on power off ?

The story was that researchers worked out a trick for this where you spray the RAM chips with an aerosol to cool them down. The contents decay slower when they're colder, so the time to steal the data can be extended to minutes. :)

Re: Did anyone bother to test the RS6000 code?

It's plausible that this bug might only show up (at seemingly-random points) when you fed the software a manual with hundreds of pages, and most testing would likely have been done with quite short manuals.

Python 2 has a backticks feature, but all it ever did was call repr(). It never invoked a command in a shell like backticks do in bash, Perl or Ruby.

In Python 3 the backticks feature was taken out because it's so rarely used that most Python users didn't know it exists - and the thing it did wasn't particularly useful, and it was kinda confusing anyway. You can just type repr(), it's only 4 more bytes. :)

Someone crueller - but also someone equally cruel. :D

If I understand correctly what you mean, then no.

In the scenario described, the malicious traffic on tcp port 19421 isn't going through your site perimeter (by which I assume you mean a router at the edge of your network). It's going over the loopback device on the individual Mac being attacked. You're not going to block this in a router.

The attack goes roughly like this:

- I, a person who has once used Zoom, visit an ordinary website like https://www.evilbadguys.com/evil.html

- that website has a bit of HTML (or a bit of JS that generates HTML) in it like `<img src="http://localhost:19421/evil_bad_url">`

- now my browser generates a HTTP request to localhost:19421

- some badly written software running on my Mac is listening on :19421 for incoming connections, and does something unwise in response to that HTTP request, causing me to get spied on

- so the HTTP request which causes the bad thing to happen is going from my machine to my machine, just over the loopback device, without going through the perimeter at any point

- the only traffic that went through the perimeter was on tcp ports 80 or 443, because this was triggered by an ordinary website

Blocking connections to tcp 19421 at your perimeter isn't going to hurt anything but it also isn't going to fix anything. A firewall on the Mac itself which blocks traffic to port on the loopback device could block it. I think the firewall that comes with Mac OS can do that (but I can't offhand remember if loopback traffic skips it. I would expect not.).

I think a couple of features might stop working. The capacitive touchscreen may have trouble: a quick test with my Android and a bit of cellophane suggests that they're not good at picking up fingers through plastic. I'd expect the WiFi and Bluetooth to stop working too, since water is mostly opaque to signals around 2.4GHz?

Re: Flash is still required

Try using Chrome or Safari but changing the user-agent so that it reports itself as being an iPad?

I've seen this work before on e.g. the BBC's website a couple years ago. They were doing UA sniffing to decide whether to try to show you the news video via a dirty dirty SWF or a nice cleanHTML5 video tag.

Re: never trust a PM

Surely you couldn't have fit 8GB RAM into a P2 box back then - that'd be about 6 grand's worth of (the cheapest possible available) chips at year 2000 prices?

8GB disk, maybe?

Re: If you want seamless updates...

When you dynamically link in a .so file, it's opened (read-only) and mmap()'d with the MAP_PRIVATE flag. This gives you a copy-on-write mapping. If you try to write to one of the pages in that mapping, the kernel will transparently stop you, make a copy of the page, then resume you with your own copy of the page. If a bunch of processes all link in the same .so file, they'll all share all of the pages in it that none of them try to write, and they'll each have their own private copy of each page that they do write.

In contemporary unixes, the pages from the text section ("text" in ELF land means "executable code") get marked as read-only by default, and the pages from the data section get marked as read-write by default. You can call mprotect() on the executable pages to make them writeable if you really want to (though this is considered a bad idea, and things like AppArmor or SELinux might stop you.)

For things like JITs that do runtime compiling of code, you're encouraged to do something like: call mmap(NULL, size, PROT_READ|PROT_WRITE, -1, 0) to get some pages that you can write but not execute, then write some code into them, then mprotect(addr, size, PROT_READ|PROT_EXEC) to mark them executable but no longer writable.

Having pages that are marked as writeable and executable simultaneously is allowed (unless you've got a super restrictive config set up with something like AppArmor or SELinux), but considered kind of a bad idea because it makes it easier to exploit things like buffer overrun vulnerabilities to get RCE.

Re: For the phone scammers ...

A conservatory on a 5th floor flat would look really cool though! Glass structures seemingly suspended in the sky are beautiful. That's why I always love to build them like that in Minecraft.

What do you mean, unrealistic structural mechanics? :)

Re: Did someone not do their EMC/FCC/CE testing then?

> "can even cause the connected Macs to freeze, requiring a restart." (? what's freezing here: the screen, the Mac, both?)

At a guess, it could be something like: the monitor goes faulty and repeatedly attaches and detaches from the display output on the Mac's video card; the Mac has to change the window manager & video card state when a monitor is attached or detached; the rapid toggling tickles a bug in the video driver or window manager, leading it to freeze; and you don't normally experience that bug because it's not normal to be able to repeatedly plug and unplug a monitor that quickly without a hardware fault.

Or maybe when the monitor's bugged it does something amusing like sending totally bogus EDID information that tickles a bug somewhere. "I have a width of -3200 pixels and I want to be driven at 4MHz" or something equally silly.

Given the complete uselessness of faulty hardware, bugs which only occur when you have faulty hardware plugged in aren't top of the priority list to fix. It's pretty reasonable that a problem like that could be left lying around for years.

Re: Counting

Tumblr host sites on lots of domains. If you own a domain name and have a Tumblr blog, you can configure both so Tumblr will serve your blog on that name. e.g. http://tumblr.snipe.net/ is one - the domain doesn't end in ".tumblr.com", it belongs to someone else. These probably are the ones being counted. It's very plausible that as many as 160k domains have been set up like this; Tumblr have lots and LOTS of users.

Tumblr also have a lot of subdomains, which must not have been counted. Tumblr serve every blog on its own subdomain. e.g. http://dooktrain.tumblr.com/ is a blog posting pictures of ferrets (and maybe other stuff, I didn't look). Tumblr have a LOT more than 160k registered blogs: as far as I can tell, well into the hundreds of millions. One estimate I saw put it at 300 million this July.

Disk traffic trumps voice. Voice is still soft-realtime, but people won't notice a 5ms delay in their voice traffic. You darn well will notice sluggishness if someone adds 5ms extra delay to every disk seek.

No. They do the javascript injection on some other site that doesn't have HTTPS turned on.

So you've got one browser tab on https://paypal.com, and another browser tab on http://any.other.site.com. Rizzo and Duong perform a MITM to inject some javascript into http://any.other.site.com, and the javascript on that page causes your browser to make more requests to https://paypal.com for them to eavesdrop on.