IDC figures
I think the point is that it's too early to know exactly how much was spent in 2021, so IDC is guesstimating right now.
C.
3493 publicly visible posts • joined 21 Sep 2011
FWIW your now-deleted previous post made what looked like a baseless accusation of criminal activity so a moderator removed it.
Also FWIW Cloudflare's pretty open about the position it takes: it doesn't want to decide what's right or wrong on the internet. It doesn't want to be the arbiter of what is allowed to be hosted. Eg:
Cloudflare: We dumped Daily Stormer not because they're Nazis but because they said we love Nazis
Cloudflare speaks out amid allegations it safeguards banned terror gangs' websites
If you report spam or malware-based abuse to Cloudflare, feel free to CC us in (news@theregister.com) and we'll take a look at the same time.
C.
No, they're not supposed to contain arbitrary code.
What happens with these kinds of bugs is that there is a payload of instructions carefully placed within the multimedia file that is otherwise just data. When the file is parsed, the vulnerability in the parser is exploited to allow the payload to eventually execute.
There are steps in between to get around the OS's security defenses.
C.
"How big would the article be for a Windows vuln that let any fucker get admin privileges?"
For a Windows vuln for which patches are already out? Typically a few sentences: there are EoP holes in every Windows Patch Tuesday.
If we write a whole article about an EoP it's usually because a patch isn't out yet (it's a zero day) or it's being actively exploited or that the bug is particularly interesting, or that someone on the team was at a loose end and had enough time and material to write a whole article.
"C'mon El reg, there was a time when you weren't afraid to put the boot into ANY OS, even Linux. Are you really that frightened of a load of pissy comments?"
No. We often assign stories based on how much time and scribes we've got available. For Dirty Pipe, we wanted to get it out as soon as possible as the next lead item on the weekly roundup.
In fact think of it as a Dirty Pipe story with bonus material, as the DP section is quite a lot more than a couple of paragraphs.
We'll look at the Android angle next (it's also mentioned in the article).
Good news is that we've hired two writers this month to cover security, so expect more security stories sooner rather than later.
"Step the fuck up."
Sigh, why this angry?
C.
If you overwrite an entry in /etc/passwd so that the password field is blank, no password is needed. (If there's an x, use the shadow file.)
So, just blank out root's password entry with the DirtyPipe overwrite and everyone can get root.
PS: Another example would be to pick a root-owned setuid binary and overwrite it so that it simply spawns a root shell, and then restore the binary to normal.
C.
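A defender-side check for the condition described in the comment above, as an added example that is not part of the original post: it flags accounts whose password field is blank in passwd-format text, or marked `x` there with a blank field in shadow-format text. The function names and the sample entries are constructed for illustration.

```python
# Added example: audit passwd/shadow-format text for blank password fields.
# All account entries below are constructed sample data, not from a real system.

SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""

SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""


def parse_colon_file(text, min_fields):
    """Yield field lists from colon-separated account files, skipping junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def audit_blank_passwords(passwd_text, shadow_text=""):
    """Return (account, file, severity) for every account with a blank password field."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text, 2)}
    findings = []
    for fields in parse_colon_file(passwd_text, 7):
        name, pw_field, uid = fields[0], fields[1], fields[2]
        if pw_field == "":
            where = "passwd"      # blank directly in the passwd entry
        elif pw_field == "x" and shadow.get(name) == "":
            where = "shadow"      # 'x' defers to shadow, which is blank
        else:
            continue
        # A blank field on a UID 0 account is the worst case.
        findings.append((name, where, "critical" if uid == "0" else "high"))
    return findings


if __name__ == "__main__":
    for name, where, severity in audit_blank_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity}: account {name!r} has a blank password field in {where}")
```
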
I guess the point of this is that - a la SolarWinds - you modify some popular software in a supply chain attack, and the code is deployed all over the world.
In order to target specific labs, you get them to process a sample with an IP address and port in it so you know which lab you're breaking into.
It's very theoretical, we thought it was interesting, and we think readers will understand the threat. We'll keep the feedback in mind for future.
C.
Ah yeah, they are closely related.
The DNA issue is encoding hidden messages in perfectly valid data, and having an AI spot that; and the trigger detection is identifying when a model is seemingly deliberately misbehaving on special inputs.
One involves undoing steganography in input data, and the other sensing that a model has a secret trigger.
C.
Yeah, we missed out a word. It's fixed. Email corrections@theregister.com if you spot a typo, please.
FWIW we prioritize being accurate and technical. If you spot a typo in a story – like a missing word or wrong tense, or something – it's because whoever was writing or editing the piece had their mind on something more important, or was on a deadline.
C.
My wife only ever used her Windows laptop with Chrome and things that could run in Chrome. So I got her a decent Chrome laptop. Updates regularly. Just runs Chrome.
Much less hassle than having to fix a Windows Vista / 10 / 11 laptop. FWIW I use Fedora on my personal systems and Debian on work systems.
C.
We've added to the piece more info on what the teens were convicted of. The media has focused on the FSB building bit because it's kinda amusing and also, the boys went and did something to the actual building.
They were also charged with making and planning to test their homemade explosives in empty buildings, using Pringles cans as containers.
C.
IMHO it's possible to argue that Meltdown was a defect because Intel trivially broke one or more of the data security guarantees it gave in its documentation (IIRC, it's been a while so ICBW).
Spectre's a bit different IMHO because while it could be exploited to leak data, it was more like discerning info through instrumentation.
Whereas, Meltdown was as simple as placing a load after a branch instruction and seeing if the load was speculatively executed even if the branch was taken. And it was found that the speculative load occurred before security checks were performed, allowing one to figure out the content of memory that would have been trapped if read directly.
AIUI the chap who found Meltdown - a Googler straight out of uni - read the Intel soft dev manual, saw the part that said if a branch is taken, the CPU won't execute the instructions that follow immediately after the branch, and thought, 'yeah but I wonder if it does?'
Meltdown to me looked trivial to exploit, just a straight up bug in the design of the pipeline. Spectre looked more nuanced: a side effect of other optimizations.
As I said, ICBW.
C.
Thanks. Just a bit busy with other things right now and didn't want to hold up the article while trying to think of something clever.
To reveal what's behind the curtain, we were having a debate over whether Nvidia's statement was a denial or not. We decided it wasn't a denial – it was Nv putting on the best spin it could publicly – and that was what drove the headline, getting that right, not making a pun.
When -- sorry, if -- the deal collapses we'll do Nvidia loses Arm's race or something like that.
I might have to steal disarmed for something like RISC-V or x86 diss-Arms for the next round of benchmark claims.
C.
Hi -- What we meant to say was that we didn't report on the rumors at the time because we didn't want to cause harm with unverified tip offs. If we're gonna say an organization is about to collapse, we want to be really sure of it.
We never shy from reporting on something just because it might end in bad publicity. For that reason, I've taken out the paragraph.
C.
No, what we (and Microsoft) mean is: tightly coupling the coprocessor to the CPU cores within the same package makes it harder for someone to sniff the communications.
It might be possible to do that with a side-channel attack, but really it's about stopping physical bus snooping.
C.
Actually, the plugin is pretty simple: it checks to see if there is cut'n'pasted code in a file from other parts of the project (or maybe even just the same file).
If that happens, it's generally a sign of poor programming, so it may suggest you refactor (try again). I've tweaked the headlines to reflect this.
C.
Not all hospital beds are the same: different wards, different levels of care, etc. I don't even have to assume that figure you gave is correct.
The point is: hospitals are at near capacity -- around 95% in the UK this week – and a surge in COVID-19 cases will push them over the edge, and people will be denied or given limited care. That's why we vaccinate: so we don't clog up the health system, and put others in danger, with a mostly solved problem.
"The NHS was put on a crisis footing as hospitals in England were told to discharge as many patients as possible while estimated daily Omicron cases hit 200,000 and the variant claimed its first life in the UK." (Source)
"Hotels are being turned into temporary care facilities staffed with workers flown in from Spain and Greece to relieve rising pressure on NHS hospital beds." (Source)
C.
Keep on movin' those goal posts.
In fact, keep on moving them all the way out the door, down the street, over the road, across the bridge, all the way into a pharmacy or a doctor's office, all the way over to the uncomfortable chair where you can sit down and get a jab and move on.
C.
Personally speaking, I don't care how spreadable it is if it's been reduced, through vaccination or mutation, to literally nothing more than a bad cold -- no long-term effects, no risk of death.
I can put up with a cold.
"COVID case rates among the fully vaccinated are now higher than those in the unvaccinated"
I don't know what point you're trying to make here but if it's what I think it is, you're off base. The same report you quote says: "Comparing case rates among vaccinated and unvaccinated populations should not be used to estimate vaccine effectiveness against COVID-19 infection."
C.
I think everyone who reads The Reg knows what the nuclear football is in the context of the vice president of the United States of America. It's been referenced on TV, and in movies, articles, and books.
It's like we don't have to explain what the FBI is. Everyone's seen the X Files.
C.
Yeah it's an error that happens when a sentence is partially edited and the rest is left unchanged, accidentally.
It's a process oversight rather than a misunderstanding of the language. Don't forget to hit the corrections link or email corrections@ if you spot something wrong.
C.
Don't be so defensive: if someone raided a bank vault and made off with diamonds and then sold them for $2m in cash, then the article would say the thief made $2m from stolen diamonds.
If someone runs a scam and launders people's online vouchers into Bitcoins, then the article would say just that.
At some point, usually at the top, we have to mention the money and assets involved. In this case, the teen bought BTC using his ill-gotten gains.
C.
And yet here we are.
Your other comment was rejected for anti-vax disinformation. You said: "the vaccine does not prevent someone acquiring and subsequently transmitting COVID. This is particularly true of the overwhelmingly dominant Delta variant."
Which is disingenuous bollocks. The CDC says:
"Infections with the Delta variant in vaccinated persons potentially have reduced transmissibility than infections in unvaccinated persons, although additional studies are needed."
Not quite the picture you painted. Yeah you can still get the virus and spread it if vaccinated, but the vaccine is not totally powerless in this situation; there are signs it has an effect and we'll know for sure with more science.
On the one hand, we're trying to lightly moderate these forums so people can argue it and figure it all out without us policing individual points. On the other hand, we can't flame Facebook for spreading anti-vax nonsense and then turn a total blind eye to it on our own boards.
C.