Posts by Merton Campbell Crockett

Using Safari 7.0.1 running on an OSX 10.9.1, I am unable to "https://gotofail.com". Safari reports that it is unable to establish a secure connection to the web site.

I can use Firefox 27.0.1 running under OSX 10.9.1 to access the site. The problem is with the X.509 Server Certificate being used. The Common Name (CN) in the certificate identifies that the certificate is only valid for a host named "gotofail.com"; however, a DNS query for 184.173.139.237 returns the host name as "ec2-184-73-139-237.compute-1.amazonaws.com".

Clearly, the host names are different and the X.509 Server Certificate is not valid for the host to which the connection is established.

I've found similar problems with web sites using an improperly constructed wildcard names as the CN. The CN, *.familysearch.org, is used in a server certificate for a host named "familysearch.org". The certificate is only valid for any host in the familysearch.org domain. It is not valid for the domain name. It would have worked had the PTR record returned a name of "www.familysearch.org".

If you can establish a secure Safari connection to "https://gofail.com", your system is misconfigured.

Die Shadenfreude über Shitstorm

The English language inherited "Scheiße" from all the Germans flocking to northern England and southern Scotland and we are returning it in an anglicized form. Seems fair to me!

Touch pad?

Bang & Olufson laptop with a touch pad? I would have thought that you would just wave your hand over it like their old stereo systems.

"Huh?" is Right!

We will learn more next week when Dan Kaminsky presents his paper at Black Hat; however, we do know that the cache poisoning vulnerability is based on being able to predict the source port that will be used for a recursive query and what will be asked in the query.

For an end-user system, the risk of cache poisoning is mitigated by the fact that it's resolver does not perform recursion. If it can't answer a query from the resolver's cache, it sends a request with the recursion desired flag set to a name server that performs recursive queries on its behalf.

Basically, "Joe Hacker" has to guess what your next query is going to be and the port that will be used for that query.

If the resolver routines on the end-user system uses a pre-allocated port for its queries, "Joe Hacker" only needs to guess when you will send the query that he wants to poison.

On Mac OS X, lookupd functions as the resolver. It does not pre-allocate ports. It requests a dynamically assign ephemeral port from the operating system for each DNS query. Mac OS X uses the classic BSD round-robin approach to port allocation.

While the BSD algorithm for port assignment is predictable, "Joe Hacker" now needs to guess when the next DNS request is going to occur, the TTL returned on the previous query, and how busy the system is to determine the port that will be used.

To gather this information, "Joe Hacker" needs to compromise a system between the name server and the end-user system. If he is able to do that, then it doesn't matter what changes, if any, were made to the name resolution routines.

The nCircle research reported by Don Goodin is pure shite.

Who's Enid Blyton?

How many will know of Enid Blyton on the western shores of the pond?

Only some of us will have received Enid Blyton books in our Christmas Care packages from our grandparents in the UK. These were replaced by The Second World War and the History of the English-Speaking Peoples as we got older.

The principal advantage of the latter volumes is that one could understand what William F Buckley was saying on Firing Line without keeping a dictionary at the ready.

Doesn't Bode Well for Vista Class Action Suit

Jonathan Kramer claims: "You can't enforce a term that's impossible."

So, how does this impact the punters that bought piece of crap (pc) systems marked "Vista Capable" and now involved in a class action suit against Microsoft?

Kramer's interpretation implies that Microsoft wins and punters are SOL.

X11 Installed by Default

Under Mac OS X 10.5, X11 is installed by default as it is required by Terminal.app.

Unfortunately, the shift from the X Org version of X11 to the XFree86 version did cause more than a few problems. These weren't fixed until the release of Mac OS X 10.5.2 and this week's security update. If you are running any Leopard release prior to Mac OS X 10.5.2, you need to upgrade your system.

For those of us that migrated to Mac OS X because it had Unix under the hood, GIMP isn't a problem because there was never a version of Photoshop released for Unix.

NeoOffice or OpenOffice supplies the tools needed to handle documents sent to you by your colleagues with Windows-based systems.

I just got a Mac Pro (2008). I selected VMWare Fusion for my virtual environment as it allowed me to create a Windows XP virtual machine from a running system. This got me around a problem with only having a Windows XP Pro OEM install disk because I had designed my own system. The old system went to the hazardous waste facility last week.

Need to standardize references to Microsoft + Yahoo!

I suggest that the standard reference be "Microscroo!" sans quotes. The exclamation point is required to allow El Reg to continue to use its existing headline standard.

"Ballmer! Microscroo! Bash! Google! Again!"

"Microscroo! Tells! EU! Where! To! Go!"

BBC Weather: London Five Day Forecast

It seems a bit strange to show only three days of a five day forecast. Perhaps, they should change the title to "The best of the five day forecast".

The weather graphic for "Sunny" appears to be a depiction of a day when the fog hasn't burned off. Other than the bluish tint, it doesn't look that much different from the "Cloudy" graphic.

M C Crockett

Annual Review: Waste of Time!

To justify their existence, Human Resources develops a new annual review process or a new spin on an old process every few years. Well, it's not really new. They just reword the form and reorder the sections to conform with what is being taught in university today. They seem to spend significantly more time developing a new logo and name for the annual review process.

I suspect that there may be some value in the process during the first five years of employment. I don't know for sure. During the first 25 years working for my company, I was on the road at a customer site when it was time for the annual review. I never saw the form and assume that my supervisor, at the time, filled it in for me.

Now that I've worked for the company for 30 years and don't travel as much, I've had to fill out the forms. They're ridiculous.

Identify what training you need to perform your job. What? Why didn't you make this offer 30 years ago? You're paying me 75 percent more than the average annual salary of others performing the same function because I had to learn what I needed to know while the technology was being developed. And, in some cases, I had to develop the technology because none existed.

Where do you want to be 10 years from now? Retired! However, given the Pension Protection Act of 2006, I may need to retire next year because I'm going to be penalized should I continue to work.

I've been blessed with supervisors that haven't had a clue about what I do or how I do it. They have been looking at the success of their projects and listening to their customers. On more than one occasion, I have received an annual salary increase exceeding 20 percent as a result.

I have won numerous company awards for special projects. In the United States, the Engineering Council has an event similar to the movie industry's Academy Awards. I was nominated by my company for my work in IT Security. Unfortunately, I didn't walk away with that year's "Oscar". That went to a lead engineer on a much "sexier" NASA project.

Although I only received a Merit Award for being a finalist, it did translate into a sizable salary increase. When you get down to it, this is the most important metric of your value to a company.

The point of this diatribe? The annual review process is a waste of time! You are much better off doing the best that you can on every assignment with a touch of creativity and as much elan as you can muster. It translates to the most important metric of all: the interest of the Internal/Inland Revenue Service in your well-being.

Fixed fee versus Commission

Were Microsoft's lawyers paid a fixed fee, they would have most likely produced a similar EULA but being paid on a commission basis it is, clearly, in their best interest to use many words as possible to say the same thing.

Truth in Advertising?

I have numerous colleagues that would simply commend Amazon on its "Truth in Advertising" stance.

Interactive Application System (IAS) Anyone?

Rosenblum's quest might be answered by porting the RSX-11D, or it's successor IAS, operating system to current hardware.

It provided the bare basics. It handled interrupts, hardware or software; scheduled processes; and provided interprocess communications.

All devices were handled by a special class of processes known as device handlers. They were special in the sense that they serviced interrupts in kernel mode but otherwise ran as any other applications but at higher priorities.

Except for the physical aspects of I/O provided by device handlers; file systems, databases, keyboards, displays, etc. were applications called by other applications to perform some function.

RSX-11D was implemented by Digital Equipment Corporation in the Seventies. Carnegie Mellon University re-introduced this approach in the Nineties calling it the Mach kernel. Rosenblum seems to want to re-introduce the same approach calling it ... VMWare?