Posts by clocKwize

Not news

"code with administrator privileges able to perform actions only an administrator should be able to do"

This is not news, nor a vulnerability. Show me an application that can't be hooked in to in some way given the necessary permissions on the machine.

This is literally what people cracking applications do to remove licencing restrictions and game cheats do to hook in to a game and add extra functionality (like seeing through walls, automatically aiming at people, etc)

On the other side of the argument, its an impressive thing to reverse engineer an application to this extent, especially one so complex!

People who consider this evidence that Monzo isn't (as) secure as other banks are living in a dream world. Incidents like this slip through the net sometimes, and get noticed and fixed, at every company, everywhere - Humans aren't perfect. Monzo is being transparent about it and resolved it really quickly. Other banks, it is kept quiet. The only time it wouldn't be kept quiet is if someone external noticed, at which point they'd have to own up to it, but they'll do that in a way that diverts blame from the company.

"New and exciting feature"

Yeah, can I just have some plain old internet please?

You are an internet service provider, you should just provide internet.

My water provider just provides water.

If they cut my water supply by accident while installing a new and exciting banana milkshake pipe to my house, I'd be pretty pissed off.

I don't think it matters if the mac address is legit, spoofed or changed often, or if the phone has been binned.

If someone contacts them and says "Hey, I just checked my logs, someone connected to our Cafe's WiFi with that MAC address at 10:15am on the 35th of Febtober, and I checked the CCTV and there is a shifty looking guy sipping a coffee in a corner, surrounded by fireworks and empty boxes of nails, scrolling through facebook - want to check it out? I have the credit card number he used to buy his coffee" that'd be pretty damn useful.

I think its wrong to say its always managements fault, and we as developers should look at ourselves, BUT if management are allow it to the get to the point that everything *has* to be rushed, because of unrealistic deadlines, scope creep, bad planning, etc, etc, the developers *have* to cut the corners, regardless of wanting to do so or not. Goes back to the Cheap, Good and Fast. Except Fast is "faster than is possible, because nobody knows how big it is or how long it will take"

Great analogy with changing a car engine while on the motorway. I've experienced this a few times. It is not fun. Sometimes these things have to happen though.

Re: Contractor rights

my gaming PC popped up with a "windows needs to be activated" watermark much to my displeasure. Hopefully it goes away in a day or 2, but it is certainly not the end of the world.

Re: Contractor rights

why don't we stop writing code in languages that make it easy to screw up so easily like this?

There are plenty about nowadays, I'd rather my DHCP client be a little bit slower at processing packets if I had more confidence it would not process then incorrectly and execute code hidden in said packets...

Re: Contractor rights

Its very hard to apply these wide sweeping policies. "Third party" cookies are not all bad. My company builds software which our clients embed in their site. That makes it hard for us to place cookies on the users browser, even though we have every right to be there, we have permission to do so as the user has agreed to cookies on the site, which we are a integral part of. We have workarounds in place, but its worrying that totally legitimate cookies are being dropped due to ever moving policies.

I just installed this in a VM. I'm impressed for several reasons.

1. It works, it works really well

2. The sheer amount of effort involved to do this is astronomical

3. They didn't give up in 22 years. Its basically redundant before its reached beta. There might be some uses for it, I guess. I liked windows 2000 more than I like anything released after, but there is no mass market for going back to it.

My hat tips in the direction of the developers who have worked on this. Its a massive achievement.

I do find it hard to believe that not sharing some information with an anti-virus company can be considered a criminal offence. It doesn't make what they were doing illegal. They were providing a service that others provide, but with the ability to keep things anonymous, as someone else stated, you might be testing proprietary software and not want an analysis of it shared with security researchers, if it flagged up a false positive.

I'm not saying they weren't in business to help malware authors, but I'm sure it was all written in a way that made it look legit, they didn't call it test-your-malware.com. Which brings it down to, they didn't do anything to stop criminals using their service. But then, there are many services used by criminals, WhatsApp isn't called TerroristSafeChat, they don't actively stop criminals using it, because its encrypted, they can't see who is talking about what, so can't do anything about it.

Just seems a bit of a stretch to me.

The whole extradition thing is crazy. Jurisdiction is such a grey area now the internet is a thing.

Such hate. I haven't developed for windows in years but I have read with interest all the stuff about .NET core and things - all moving in a good direction, seems positive.

To say that .NET is a shit copy of Java is a bit harsh..

Saying everything should be developed natively is far too optimistic in this day when everyone wants the same app on their PC (windows), their laptop (mac), their phone (android) and their TV (WebOS or whatever). No company wants to develop the same app in different ways many times and support them all individually. Attempts at cross platform frameworks are not perfect by any means, but they're better than the alternative.

Re: Contractor rights

You'd think with the cost of building, launching and controlling Galileo, when they had the data, they'd spend the time and resource analysing it properly... surely that cost is a drop in the ocean compared to the initial outlay..

Baking in encryption does not mean something is secure. Who'd have thought?

Why is this news? There are many linters. This one isn't special, other than being created by a company thats generally in the news for other reasons.

He spent how long getting this working? All in the name of reducing distractions so he can get on with his job...

Its getting better. Evolution is happening. It has its quirks like every language, but its definitely getting better.

Youtube has a lot of learning material. People don't just watch cat videos. Some people use it as a tool to better themselves.

So.... there is no data security, if the production credentials are in a dev guide...

So.... there are no backups of production data...

So.... they let a junior developer who is totally new to their system set up it up on their own...

We all mess up once in a while. That is why we do things in such a way that its really damn hard to do things like this, without knowing what you are doing.

Sure at my company I can connect to our production system, and in theory could wipe it, if I wanted to. It would have to be very very deliberate. If it did happen, we have several layers of backup we can fall back on to. Fortunately it has never happened.

If something like this can happen so easily by accident, it is not the junior developers fault, it is the CTO for not ensuring that the systems are built with consideration for such things.

Hopefully the CTO gets fired. He deserves it. I'd like to say the junior dev could file for wrongful dismissal, but try explaining the above to a judge who has no idea how to computer. It'd be a waste of everyones time.

Even if Bixby was amazingly clever, I still wouldn't use it. My Bixby button switches to the most recently used app, good for switching between 2 things. That is far more useful than a voice assistant (even a good one).

After playing a fair bit with BMW computer systems, the key thing I noticed that I thought made it robust and easy to swap parts in and out was the fact that pretty much everything has its own individual computing module, which communicates with everything else via a network of some kind (CAN, Ethernet, Fibre for media stuff). This means if one module breaks, AC for instance, your airbags still work..

Putting everything in 1 module with containers sounds like half way to disaster. Sure if 1 container goes wrong, it can probably be easily restarted or fixed or whatever, but sounds like when something worse happens, the whole car will be useless until you buy a new computer for it..

I love reading stuff like this, absolutely fascinating. When will manufacturers of devices that are accessible over any kind of network (routers, ip cameras, clever cars, washing machines..) realise that they must do it responsibly or it will ruin their reputation and in the worst case, cause safety issues (cars crashing) or global internet fails (ip camera botnets)

I suspect a consultancy headed by these guys is the next step. Will manufacturers just continue to bury their head in the sand and continue to hope nobody looks to hard at their systems though?

The only way to be confident in your backup plan is to have tests to make sure its working.

If you backup nightly, you could automate grabbing the latest backup, restoring it to a throw away instance, ensuring that it completed properly by checking record counts in various tables. You could run that every other day. Or better yet, once your backup process has completed, to verify that it has indeed worked properly.

You could still get caught out in many ways but verification to some extent would give you more confidence.

I can understand how this has happened though, start-ups are not the same as large corporations with the resource to have people spent a long time ensuring backups are rock solid and testing disaster recovery efforts monthly etc. In an ideal world, that'd be quiet high on the agenda, but realistically, breaking even is the first hurdle and you don't (technically) need a backup plan for that, so it gets put to the bottom of the list.

Non-tech people don't understand the implications. They want a "smart" X because the marketing hype makes it sound awesome and that it'll make their life easier.

The marketing doesn't tell them it will require them to keep on top of updates if they like keeping their personal information personal. That'd be bad marketing, people will think "damn, I don't really want more things to worry about, and I don't want to spend more time administering my smart cat flap, because if I spend *any* time doing that, it basically negates its usefulness".

If your smart cat flap stops a neighbouring kitty getting in your house, thats awesome. Its one less thing to worry about, and will save you potentially an hour in the next 5 years. But if you have to spend half an hour updating it once every 3 months because someone worked out how to use it as a backdoor in to your network, whats the point?

I've always said this - its a game of cat and mouse, someone finds and exploits a bug, then it gets fixed. The only way to get ahead is to pay some cats to do it for you. The kind of people who'd happily spend days searching for something to exploit or sit staring at thousands of lines of assembly code trying to find a weakness. The same kind of person who'll be doing it without your knowledge. This is a different kind of job than someone who secures your systems and networks against attack. Both are required

I went to a friends house last night and played with a Vive for the first time. its far better than I expected and thoroughly enjoyable. If I could justify £700 on gaming, I would definitely buy one. This is all.

I don't think the problem is something that executes when you a file.. there are a lot of file types that do this, not just js files.. people just need to not be idiots and download and run files when they don't trust them.

I tried using a case sensitive file system on osx once already. never again. Lots of software just doesn't work, because it expects osx to be case insensitive.

Most importantly, Photoshop won't install (almost as important Hearthstone won't install).

I found some old thread about photoshop issue, boils down to the application linking to apple frameworks and xcode not being able to handle it, which left adobe basically saying, we can't fix it. It could be them passing the buck but either way, its something that'll need to be addressed by lots of application developers and apple themselves.

But good job on apple for bringing file systems in to the 21st century.

Is is possible that a large percentage of the population just don't have a need for super fast broadband? I would feel inconvenienced without at least 40mbps, but my in laws are very happy with their 3mbps even though there are bigger and better plans available, they can do all the things they need, so why pay more?

The whole premise that short urls are based on is in the name. They shorten urls to smaller ones. Whoever put pre-authenticated urls in to a short form should be shot. Its not the problem of the short url.

The FBI don't know the procedure to unlock it? So they just let some random guy/company have their possibly important piece of evidence to unlock it, without any idea how they were going to do it?

If i were the FBI, I'd want to know exactly what was being done and how it worked to ensure that it wouldn't in any way damage any evidence on the phone..

What if they attempted it and then it triggered the wipe procedure? Whoops sorry guys.. They'd have thought about that situation and would have sense checked what was going on themselves first.

Invasion of privacy

Nothing to do with the admin, he shouldn't be reading the emails, should just forward them on.

Why even have a catch-all for misspelt emails? Let the user receive an undelivered mail message like every other mail server does.

Sounds like an excuse to read other peoples mail.

My company also loves slack - we use email for formal bits, everything else is on slack. Much quicker to communicate and bonus cat gifs.

Does it really matter what protocol it uses? You can hook in to it in several ways without caring..