* Posts by pixl97

295 publicly visible posts • joined 2 Mar 2011


About half of Python libraries in PyPI may have security issues, boffins say


Re: False positives

Doing a test on a different SAST scanner that picked up 16 issues in pbcore, where the paper said they picked up over 1000. Yes, I would say there is tons of FPs or they are looking at coding practices rather than actual security issues.


Magic Quandrant

So I have access to a SAST scanner and decided to run 'pbcore', one with over 1000 detected issues in their tests.

With the scanner and settings I used I picked up 16 issues. Only one being rated in the most dangerous category, as there is a potential for command injection when launching shell processes. It doesn't seem like this are FP's, maybe in python programming you're supposed to filter any user input before you get to modules like this. I can't say I'm a python programmer.

Are there issues in PyPI libs, yes. But from an initial glance they are not anywhere near what the paper is describing.

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption


>But equally why has the DNS world not addressed this privacy problem?

Because they are at the crap end of everyone else's equipment....

Microsoft: We'll look at client DNS security, about 10 years from now.

Linux: We think this way is the bes(Other Linux: NO, this way is better!)

Phone makers: Security, buy a new phone if you want that.

ISP's: Security is a bad idea, we don't want it because then we cannot spy on you, so we're not going to update the massive infrastructure we control.

Middleware boxes: Duhhhhhh, grunt, moan... Hey Guize, we finally support Http/1.1!

And this is why Firefox and Google are jamming encDNS over HTTPS.

Microsoft still longs to be a 'lifestyle' brand, but the cupboard looks bare


Microsoft will further entrench their lifestyle brand by forcing the Xbox live gaming platform to require setup and sign-in before Windows Server 2019 will allow SMB shares and server services like DHCP and DNS to run. Attempting to remove the service via power shell will cause Windows to format the c: drive.

♫ The Core i9 clock cycles go up. Who cares where they come down?



I am Clockzilla and this is Clock-gate.

Up the stack with you: Microsoft's Denali project flashes skinny SSD controllers


> extracting costly extra software from SSDs and running it in the host server to gain cost and performance efficiencies

Oh yea, I remember this years ago. WinModems. If you ever had to support dialup you'll remember what kind of crap they were. Oh, yea, WinPrinters! Hmm, WinSSD sounds absolutely terrifying if history is anything to go by at this point.

Oh Brother: Hackers can crash your unpatched printers – researchers


Re: 2 things

>First off, who the fuck puts a printer on the open internet?

Why would I need the open internet when I could just put a post link on a website you visit that tries to send an HTTP POST to, where about 90% of the population has their private IPs, when you click an action on the site.

Microsoft downplays alarm over Windows Defender 'flaw'



All this talk of "must trust an untrustworthy .exe goes away the first moment makes a plug-in for Samba that can be used as part of a remote compromise. Suddenly your 'trusted' NAS can pick ilk at your Windows boxes and it will be very confusing as to what is occurring.

Intel launches 64-layer 3D flash client SSD


Re: Not exactly competitive in terms of price.

The same Sandisk 480GB is $160 now. SSD's have gone up in price *a lot* in the last year. Demand is higher than ever and every manufacturer is running into shortages. It is not fun purchasing enterprise SSD currently, end price on the exact same server build over a year ago has gone up considerably.

Clinton, Trump actually agree on something – blocking AT&T's Time Warner mega-buy


Re: Can we break them up instead?

ATT has already donated at least $200,000 to HRC.

Falling PC tide strands Seagate's disk drive boats. Will WDC follow?


Re: Is SSD really the reason?

HDDs are the most reliable capacity medium at the moment. And honestly there is no reason to run a multi-terabyte NAS on SSD for the average user.

That said, if you are using your NAS/SAN for both storing large files and doing a lot of random IO on small files, you should look at ZFS with an L2ARC. I use the FreeNAS distro for this, and the ssd acceleration really helps.

> with five 4TB drives (16TB net)

Sounds dangerous. Raid5 style systems shouldn't be implemented on larger disks due to the much larger chance of multi-disk read errors on full rebuilds. (and BeyondRaid is a type of raid5 unless you have the Pro unit)


Re: "spare "unused" storage capacity"

If you're posting on The Reg you're probably part of the 1% that does fill hard drives. As for the other 99%, they, in general don't.

It gets even worse for the drive spinners as business moves to SANs that both compress and deduplicate. VDI uses less disk space than ever. While I agree there are more files than ever before saved by businesses, dedupe is slashing the amount of space they take up.

Tech titans demand free speech law to head off President Trump


Re: Free Speech and Political Correctness

>when it comes to demonising and insulting others who most demand redress and apology when it offends them or they don't agree with what is being said.

Human are hypocrites, even you or me. unrestrained free speech has some downsides. You may have to sue someone in civil court. You may have to 'demand' a public apology. You may get in some very heated arguments.

But counter to that, here in the US the congress is trying to push some very dangerous anti-free speech laws where armed police officers can come arrest you for 'insulting others' or poorly defined 'hate speech'. Put me with the armchair fascists on this one, real fascists with the law and a gun are far more dangerous.

WD’s revenue wheels have fallen off. Profits are sinking, too


Re: So, if an enterprise buys ten 200GB SSDs it could then choose not to buy fifty 200GB HDDs.

To AC.

Because they are shooting for IOPS and not maximal space. Even fast hard drives may only get 500 IOPS. A single SSD can easily provide 50,000 IOPS.

But beyond your question, everything in enterprise storage is about reducing storage utilization. Most SANs offer deduplication and compression. Coupled with an SSD tier, many businesses realize they need less total storage with newer technologies yet still have very high performance.

What the world needs now is... not disk drives


Re: SSD outrageous premium

>Their maths don't add up.

Their math adds up perfectly. Charge very little for SSDs and you go bankrupt.

Right now they want to add SSDs to their top end lines where they might make a hundred or so profit on the laptop. But if you put cheap SSDs in the low end slabs there is very little reason to buy a $600+ notebook any longer. There is not a significant performance difference for the average user.

I've taken countless Core 2 duo laptops and replaced the slow rust with SSDs and they become a perfectly usable box even though they are years old now. Unless significant performance increases come in the near future a laptop with a large SSD might be the last PC you buy in a decade. This kills the manufacture.

Attack! Run. WTF? A decade of enterprise class fear and uncertainty with AWS


Re: @Sil

>Now, if they don't want to or can't compete on price for Linux instances, I understand.

From my understanding this is the point of the Windows 'Nano' edition they are working on for Windows 10 Server.

Connected smart cars are easily trackable, warns infosec bod


This may be more of a non-issue than many believe. Yes, a smart car will be trackable, just like a packet on the network. That is also how traffic will be optimizable, much more so than the constant traffic jams we have now. Why is this a non-issue then? If self driving smart cars become a thing, car ownership, in theory will drop dramatically and you'll just 'rent' the time it drives to work. Much like if someone tracks the taxi you ride to work, it means a whole lot less because it's likely to be a different one every day with many hundreds of different riders.

Hubble finds lonely 'void galaxy' floating in cosmic nothingness


Expanding space

So it seems likely that this is one of the first places that will becomes 'disconnected' with the rest of the universe as the metric expansion of space occurs. Since it's not closely gravitationally bound to any other galaxies everything will disappear sooner and they will truly be alone.

Prison telco recorded inmates' lawyer-client calls, hack reveals


Re: Securus is not part of the government...

>and certainly not part of the prosecution.

The particular problem here is the people who elicit Securus' services being installed are part of the government. There is competition in the market, so the provider that bends to the will of the agencies that are involved in provider selection are most likely to survive. The inmates are not the customer, they are a captive audience that has to pay whatever rate is dictated to them (the FTC recently decided that rate was far too high, Securus is still fighting that in court).

Horrid checkbox download bundlers drop patch-frozen Chrome


You know you're infected when

"Updates have been disabled by the administrator"

When I see that in Chrome the next tool running is MalwareBytes.

Big Bang left us with a perfect random number generator


Re: DoS attack

In theory your sensor logic would report errors when the input source was too hot or cold. For example if the NSA is blasting your receiver with a high energy beam you may want to return (ERROR: Big Crunch Final Countdown) or if no input is picked up at the receiver (ERROR: Heat Death Has Occurred).


Re: How random is random?

Olius, yo should look at the work DJB does.


There are potential attacks against multiple random sources at the CPU level, of course they would only be practical if say the NSA has replaced the microcode of the CPU you are using.

How to get 10Gbit/s home broadband in the US: Step 1. Move to Chattanooga, TN


Re: Too fast?

>(How fast are SSDs these days? SATA based ones will struggle.)

10GbE is 1.25GB/s. We're talking about bits so you have to divide by 8.

From the specs of a Samsung 850 SATA SSD: Up to 520 MBps, or half a 10 gig line. And that is slow. The 950 models (M.2 interface) are 2,500MB/s, or twice as fast as 10GbE.

The latest gen SSD's have accelerated far beyond our pitiful bandwidth here.

Sysadmin ignores 25 THOUSAND patches, among other sins


2 Years

2 Years of skipped patches, updates, and basic maintenance skipped at an accounting firm with just over 100 PCs is the worst I've seen. Most the Windows 7 computers had never had updates run, ever. Same with a bunch of the 2008 servers. The Exchange server had one patch level, maybe.

Everything worked, somehow, and of all things backups worked. I do feel sorry for the previous tech, the company had become so change averse that he was hamstrung by the fear something may go wrong that he had stopped doing any updates. Unfortunately this built up a huge maintenance debt and things started going wrong and he couldn't keep up, and they fired him because he didn't do his job.

They had another firm come in for a few weeks, and I assum told them they needed to change the way they did everything, and that, yes downtime had to occur. They got rid of them and I ended up on the project. Told them the same thing, this time it clicked and they figured out there was some kind of structure problem. Worked quite a few weekends since then getting everything caught up.

China bans HPC and UAV exports, citing national security


> or more with 2 Gbps of networking capacity.

What does that mean exactly? You can't sell a computer with 3 1Gbps network adapters in it?

Chrome extensions crocked with simple attack


In kind of a reverse attack from this I've recently ran into a different bug with HSTS and chrome with a logged in google profile.

I accidently redirected a site to the wrong IP. The second site has an HSTS header set for a different domain which expectedly errored out. Set the IP back to the correct site which does not have SSL listening at all, but now chrome tries to visit the site using https which breaks. The built in tool to delete HSTS doesn't show any entry and will not delete the site from the local HSTS database. Tried deleting all the chrome settings in the user profile but the issue keeps showing up (it doesn't show up for other logged in users on the computer), and I 'think', but am not sure that it comes back with the users settings that are stored on google.

Got an Android phone? SMASH IT with a hammer – and do it NOW


Re: Tightwads

So how much would an exploit like this bring on the darknet?

Microsoft: Hey, you. Done patching Windows this month? WRONG


This makes no sense. It's not a logical argument if you have any clue what is going on at all.

Flash is not an operating system.

Flash is now a browser.

Flash is a plugin for a browser that requires an operating system.

So lets do the math here. Windows Exploits + Internet Explorer Exploits + Flash Exploits. This holds true for other operating systems as well. Linux Exploits + Firefox Exploits + Flash Exploits.

Reddit meltdown: Top chat boards hidden as rebellion breaks out


Re: oh wow

Many other large subs like gaming, pics, movies, and music are down, each of those has over 7 million subscribers. It is really something to watch. It will be interesting to find out what happened with Victoria to set this all off.

Obama issues HTTPS-only order to US Federal sysadmins


Re: I just hope

>HSTS is still vulnerable

No, not if your url is part of the HSTS list.


>As for broken links, don't many browsers automatically try the HTTPS version if the HTTP version draws an error?

Not that I'm aware of unless the server sends a HSTS flag, with that flag it retries the link as https and automatically uses https for all further urls to that domain.


Re: For the want of another IP ...

>Figure a different way to make it safe and stop telling people to change when they clearly are unable to.

Sorry, that's not how security works. When something is insecure it is insecure no matter how poor or stupid people are. Yes, that is a dickish attitude, yet no the less true. Old versions of IE are broken far past SNI issues, they don't support the new TLS versions that fix many security issues, and they don't support PFS.

Even with SNI you get a base website that can give you a message. In this case the message should be download Chrome or Firefox or get a new operating system.


Re: I just hope

And break every old link in existence, not a good idea. It's better to use HSTS and certificate pinning. Any port 80's are automatically upgraded to 443 by the browser. Too bad Microsoft is only getting on board with HSTS on Windows 10.


Re: For the want of another IP ...

Stuart 22

If your equipment does not support SNI it does not need to be on the internet at all and almost certainly is at risk of being exploited by an unpatched vulnerability. XP is dead, so is IE. There is some reprieve as you can still run Chrome or Firefox on it, solving the SNI issue for now. I personally don't care if they don't know what a new browser is. At this point all their computer is, is a jump point for spam and viruses.

If your car is a dangerous old piece of crap the state doesn't have to register it for use on the road. While we don't have registration to get on the Internet (thank god), we can change people's behavior by making them upgrade to, at least somewhat more secure browsers if they want their social security or food stamps.

Microsoft: FINE, we'll help your web sessions be secure, SHEESH


>but if you enter http://www.google.com/ you certainly want the http version of the site

Google doesn't offer regular http for a reason. If you offer https services there are a plethra of reasons not to offer http for any reasons other than redirection. Offering both is a terrible security risk and that is why we have HSTS.

Altice to buy controlling stake in Suddenlink for NINE BEEELION dollars


Re: I am worried

Also a Suddenlink customer and was wondering the same thing. I worked for a cable company named TCA quite some number of years ago, and they were a pretty decent small time player. This was in the early days of cable, before DOCSIS 1 was finalized and had Terayon (or something close to that) modems. Not terribly long after I started working there we were bought by Cox, and wow, they, just like their name, are a bag of dicks. Full blown 'monetize' the customer scripts were given to us, about how we should treat the customer as a number of "RGU's" Revenue Generating Units, and how it was our job as techs to increase the number of RGUs each customer represented. We revolted in mass to the new scripts and told management that we were sticking with the old ones. They fixed peoples problems, and fast. The new shit they gave us was mostly marketing fluff and had very little training (which is very important for new employees) on actually fixing the problem that caused the customer to call in the first place.

They didn't fire us all, probably because they had some kind of contractual obligations that had to fulfill in the buyout, but I got out of there as quickly as possible. Not many years later Cox dumped their midwestern assets as they could not extract as much revenue as expected from their customers. The operation then turned in to Suddenlink which as been pretty decent.

Instagram's HTTPS cert expires, millions of crap photographers panic


I have to admit that I've let certs expire on some small easily missed sites before, but how the hell do you let a cert expire that has millions of people hitting it? You don't have to wait to the last day to put the new cert in. In general I'll replace the cert a full 30 days before it expires in case the cert provider decides it needs to take a while to review your account for one reason or another.

In-depth: Supermicro's youngest Twin is a real silent ice maiden


Re: Supermicro

I've done a number installations with Supermicro gear with 2012R2 as a SAN solution with LSI storage solutions. As you say, you can easily save over $10,000 over what HP or Dell sells.

Google open-sources HTTP/2-based RPC framework


Re: A critique of HTTP2.

>Local governments have no desire to spend resources negotiating SSL/TLS with every single smartphone in their area when things explode, rivers flood, or people are poisoned

Yea, I'm not sure what the writers of that were thinking, but that's exactly when you want the verifiability of TLS. Otherwise a third party could make things worse by pushing out fake updates or bad information. Yes, TLS has it's own issues, but non-TLS has no verifiability at all.

'People ACTUALLY CONFUSE Facebook and the internet in some places'


Most tech types would get it wrong too.

Ask most people who or what the Internet is and you'll they'll give you some strange answer, even most tech people that don't directly work with it. How many people will say off the top of their head that IANA makes the Internet, the internet?

Adobe finds, patches ANOTHER exploited Flash 0day



Chrome did have a lot of bugs. In fact I assume all browsers have a great number of bugs because they try to do everything and the kitchen sink. That said, both Chrome and FF update quickly when there are active exploits in the wild. With IE you'll have to wait till patch Tuesday, unless it is really bad. Adobe is rather hated for taking a long time to patch exploits, and even worse, their update program taking forever to actually update, with the default setting of check once a week.

UK consumers particularly prone to piss-poor patching


Re: Dan 55

No, He's probably a standard user, not an admin. On domain networks java update will not download correctly if you are a standard user and eleivate to a domain admin. You have to log in as a admin to get it to work in the first place.

PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY


Re: Still refusing to admit

>Why the mighty eff does a mobile OS need to be so big while doing so little?

Because Apple doesn't make small. Even on Windows iTunes is huge. It also benefits them if they ignore bloated application sized. Oh, 8GB iPhone isn't big enough, well spend another $100 more for 16GB total storage. iOS running slow? Buy an iPhone 7 with 42 bajillion cores.

If phones were kept for a long time, or very low profit items, they may focus on more optimized applications, but that is not the case. Phones get replaced fast and ease of programming for the developer is the focus. We're going to have to deal with the fat os for a long time.

HGST polishes Ultrastar SSD whoppers, stuffs with denser Intel flash


Re: is it really enterprise grade

What are you going on about Nate. That is not laptop form factor, and will not fit in many laptops. It is a 2.5 inch form factor drive, but its around 5mm thick. No different than the 2.5" enterprise spinning rust.

Most larger storage arrays have gone to 2.5" for higher density IOPs in spinning rust, SSDs keep the same format for convenience.

Or do you work for WDC who doesn't have a flash line up yet and is trying to FUD the technology?

Exploit emerges for LZO algo hole


Re: Nuno

You've not done your reading on this exploit yet. It went from 'not exploitable' to 'exploitable in a case or two' to 'we're finding new exploit avenues every day'.

I'd have thought you'd have learned after looking at 20+ years of netsec experience online that vulnerabilities never get better after being released, the only potential is to get worse.

Microsoft to push out penultimate XP patch on March Patch Tuesday


Dearly departed.

It is with unfortunate regret that we inform you that Yugguy has passed away in an auto accident. Shortly after performing maintenance on his Honda Civic his car was seen speeding out of control before crashing in to a concrete pylon and bursting in to flame. Upon further investigation a Stuxnet variant was found on a thumb drive in his laptop computer. No other details are available at this time.

Google promises 10Gps fiber network to blast 4K into living rooms


Re: Carp

If I watch Netflix on my Wii on Google Fiber, it too will show slow speeds. Stream speed != Internet speed.

Snapchat: In 'theory' you could hack... Oh CRAP is that 4.6 MILLION users' details?


>I tried "fuckyou@somewhere.com" and it appears that that entirely made up name had already been pawned at Adobe.

Oh, how original. I'm sure you if tried asdf@asdf.com or one of the other top 100 made up email addresses you'd find them in commonly hacked databases. Even on sites that require a validation email doesn't mean your address is ever deleted from the server if it's not validated.

Massive! Yahoo! Mail! outage! going! on! FOURTH! straight! day!


Re: This is a symptom, not a problem

It's been going on longer that they are even admitting. Some weeks ago I noticed messages sent to my yahoo account had gone from taking about a minute or two to show up to ever increasing amounts of times. Even worse, if you sent the same message a few times you would get one message almost instantly, one twenty minutes later, and the other just disappeared never to be seen again. Something is very wrong there.

Just when you were considering Red Hat Linux 6.5, here comes 7


Much needed packages finally here.

I installed downloaded the boot iso and did a net install inside a virtualbox today. The install worked rather well. Many things like setting the root password could be done while the packages were installing allowing the installer to do 2 things at once. Systemd and firewalld are going to take some getting used to though. The updated httpd-2.4, mariadb(mysql)5.5, and updated php were much needed.


Re: and will it have python > 2.4 FINALLY?

[root@localhost ~]# rpm -q python


[root@localhost ~]# cat /etc/redhat-release

Red Hat Enterprise Linux Everything release 7.0 Beta (Maipo)