Posts by Naselus

Re: No, they will completely disappear

"If the market for spinning drives reduces too much, there is not enough of a market to justify the expense of building a factory."

That's just circular logic. You're saying the market for spinning rust will shrink because it's out-competed by flash, and it will be out-competed by Flash because the market for spinning rust will have shrunk.

As for refuting DougS's points, I'll leave that to the sage words of, um, DougS in this thread, from when he argued the exact opposite: https://forums.theregister.co.uk/forum/1/2014/12/09/no_flash_datacentre_takeover/

Re: The iPhone 7 is a fine example of Cook-era Apple

"Ive appears to be phoning in designs now"

I never really saw any evidence of his supposed genius for design anyway tbh. Flat UIs, round corners, the entire iPhone 4 disaster from start to finish... he's not the world-class design maestro that people often proclaimed him. Very Apple, in that he'd do something profoundly obvious and call it brave, or profoundly unpopular and then just call his market idiots if they dared to dislike it... but not actually a particularly impressive or innovative designer.

Agreed on the rest of Cook's Apple though - he's just a bit of a duffer, isn't he? He's mostly coasted along by iterating existing product lines, and when he's picked a new idea to follow it's been derivative and usually a failure. Jobs regularly stole anything he could find, but at least had a good eye for what he should steal and a how to improve on it. Cook appears to just jump on whatever bandwagon is going (wearables, self-driving cars, Apple music) with little idea of what it's supposed to be for, and then delivers an overpriced and underspecced version years later, only to quietly drop it 18 months later when no-one but the most die-hard Apple fans goes for it.

For all his many faults, Jobs understood that a piece of tech should have a clear use to solve an existing problem (MP3 players for digital music on the go; iPhones for mobile net access; tablets for mobile consumption). Cook just doesn't seem to grasp that, and so goes for any old tat that a competitor is doing just for the sake of competing with them. He's slowly converting Apple into modern-day HP, run by the bean counters and lawyers rather than the designers and engineers.

Re: Request for nano-violins

And with that kind of modesty and self-deprecating humour, I'll bet you don't rub people up the wrong way or strike them as arrogant at all.

Re: Terrifying - NHS IT bods leave ports 445 and 139 open to the internet on firewalls?

Thing is, it could have just been 1 firewall at 1 pharmacy in the arse end of nowhere, connected to the 'net via the dial-up modem they received in 1998. No firewall. No decent security setup. No ports blocked and no updates because they take all week to download. Then you VPN into N3 and suddenly it spreads to the whole system, because you're inside.

I have literally seen exactly this setup in the NHS when I worked for them about 5 years back, so it's not far-fetched. Many of the trusts themselves have very good external security, but are helpless if someone can gain access from inside; it's still run on fortress-style security principles rather than compartmentalized.

Re: First, identify the risk

" First, document the risk, then identify the likelihood and the impact, then identify the mitigation strategy, and then consider the cost benefit for those mitigation strategies (which is where you get to constraints)."

And then email that information to literally everyone above you in the chain of command. And then take a copy of that email, and save it somewhere off-site where only you have access. Because when they ignore you completely and the shit hits the fan, you will need it.

Re: This guy is about to become a legend

I'm sure he reckons that the sacrifice will be worth it, if only the apocalyptic scourge of people texting during films can be vanquished forever.

Re: hey now..

Agreed. We honestly cannot sit here and spend 20 years whining that MS suck at security, and then complain about them suggesting maybe there should be some effort to do security properly. Especially since MS's security infrastructure is no longer the joke it was in 2003; charges of hypocrisy are a little unfair when the company has been spending a lot of money and throwing a lot of effort into moving away from it's previous bad practices for over a decade now.

Re: £800

"I still won't be able to give you a good answer apart from "that's how markets work"."

Increasingly it isn't. Flagships are a dying breed, and making them even bigger and more expensive while the actual performance difference from a <£300 phone is shrinking ain't gonna save them.

Re: Naive Question

Drivers.

For Vista onwards, Windows moved to a different driver framework that required things like 'keep kernel-mode drivers and user-mode drivers separate', 'don't just use the highest privileges possible by default', and 'why not try reading up on security standards before calling yourself a programmer'. All the things which had made earlier versions of Windows so unstable and fundamentally insecure, in other words, were now to be forbidden, so we could discover exciting new types of instability and insecurity rather than just bluescreening because your joystick decided to write into the kernel space for no reason.

This was basically why Vista didn't seem to work with anything initially - it demanded properly written drivers, at a point when basically no-one had bothered writing them to any decent standard. The reason Windows seemed to work with literally all the hardware in the world (to a given value of 'work', at any rate) is because prior to Vista/7 it didn't stop you from doing stupid and insecure things with your driver code. You could let the work experience kid cobble your driver together based on his Art History degree and 20 minutes of training, and companies literally did. After Vista, it did, and the immediate result was 90% of existing device drivers were suddenly forbidden from working.

Unfortunately, lots of the devices used by the NHS (think MRI scanners, X-ray machines, and other hugely expensive medical equipment designed with a 50-year lifespan) have horribly-written drivers created by companies that ceased to exist 20 years ago, and so new drivers were never created. So the NHS kept using Windows XP on the machines connected to those devices, but also hooked them into the network so they could transfer those scans around - via port 445, using SMB v1, which is precisely the protocol which this worm used to spread itself.

Which basically explains the whole situation, tbh.

"Why's that such a bad thing?"

You run a large estate of 600+ machines. If you have all of them on one O/S, you hire one engineer on 50k and 3 technicians on 20k. If you have them on a 12 bespoke OSes, you hire 12 specialist engineers on 50k each, and each of them spends 90% of his time doing nothing.

That's why.

Re: IWatch...intelligent strap-ons coming soon

" it sort-of was a fairly pointless/useless product when I bought it - tho' it allegedly is now quietly wiping the floor with all the other wearables."

Worth noting that's still not exactly a high bar. Wearables still haven't actually found a good reason to exist yet, so wiping the floor with the competition is like being the hardest kid in preschool.

Re: Homeopathy for Computers

Did you not forget to dilute it with 8 trillion leading 0s?

Re: A dish best served cold

"Anon because I might be right"

You aren't.

Firstly, a state actor attack would be far better targeted. Stuxnet, for example, actually checked the serial numbers of the centrifuges it targeted to ensure that it only hit ones created in the right date span to impact only those bought by Iran. The vector on this attack, on the other hand, literally just spammed itself out to every available IP address that had port 445 open.

Second, US retaliation would almost certainly involve using a few zero-days. If you want to prove that you have vastly more power than your opponent, then you want to do something that literally resembles friggin' magic from his point of view. You want to show him that he can do nothing whatsoever to defend his critical infrastructure from your attacks. This did not; nothing in this hadn't already been discovered and patched. If the best thing the US can throw at Russia could be taken out by just switching on your WSUS server in the past three months, then there's no point even doing it because it would make them look weak, not strong.

Thirdly, and most importantly, most of the original bits of this were actually quite shittily written. Oh sure, there was a genuine bit of high-tech NSA code in there from the shadow broker leak... but there was also a fair load of primitive crap there too. It's a bit like an 16 year old came into possession of an F-16; it was destructive as hell but he didn't really know how to fly it.

I've just finished in a webinar on the incident, and there's literally 5 different layers of my SMB's security that blocked this (patching, permissions, firewall, commercial AV, VLANs). And we're not exactly cutting-edge - just running best practice.

In short, if this was state-backed, then the state in question would have to be somewhere like Honduras, not one of the big-league infosec powers.

It's international. UK, Spain, Italy, China, Russia, Vietnam, Kazakhstan and Taiwan so far reporting massive numbers of infections.

Re: Try setting up a bank like Uber

"Eventually this will become a business school case study of a potentially great company destroyed by management arrogance"

And what an astonishing level of arrogance there's been. Uber's regular flouting of laws and regulations, actual attempts at obstruction of justice, willingness to spy on it's own customers for no reason beyond their own entertainment, contempt for employees, rampant price-gouges and the rest of the litany of horrors that pours out of the company every week means there's already a dozen fair cases for imprisoning half the upper management.

The business model adopted by Uber tries to bankrupt all competitors through burning vast quantities of venture capital, in the hope that they can then become a monopoly and jack up prices to insane levels (while simultaneously slashing wages). This is just writing abuse of markets into your business plan, and is the kind of thing which can only occur when there's an excess of available investment capital floating around.

Frankly, it's the same kind of behaviour that was discovered to be going on at Enron. But at least Enron were more competent about covering it up.

Re: It was most likely hist real IP

Yeah, there's whole warehouses in India being used to run this kind of scam. Wasn't there one that was busted a few months back, and the people working there were amazed to discover that they didn't really work for Microsoft?

Can't tell if the downvoters were Microsoft fans, or just people who don't believe there'll ever be a working version of the fall update.

Re: A solution.

"Your contempt of "most users" notwithstanding (albeit probably not far off the mark)"

I wasn't being contemptuous. It's literally true. Most users cannot do anything outside their usual daily tasks on a computer, and there's no reason to assume that they should be able to, or that it makes them stupid for not being able to. I can't operate half the software that they use either, since an in-depth knowledge of CAD software simply never comes up in my day-to-day life. That doesn't make me stupid either.

The vast majority of users don't have the slightest idea of what a proxy is, or how you'd tell your computer to use one, or even why you'd want to. As for programming a spam bot... why would you assume that they're doing that, as opposed to just downloading one off the shelf?

Look, if you want to talk slacktivism, look at actual slacktivists rather than postulating the existence of some kind of hyper-intelligent superengineer with an in-depth understanding of networking principles and a working knowledge of Java. Thankfull,y we have loads of examples from the real world of who they actually are. Take a look at Anonymous's Project Chanology, for example, the infamous attack on the Church of Scientology back in 2008. They used a network stress-testing tool called Low Orbit Ion Cannon to commit DDOS attacks. The guys using it didn't write a DDOS tool, they just downloaded it. The majority of them had no idea that their IP addresses could be traced from it, and that they'd need to use VPNs or proxies to mask the traffic. They were not IT engineers and had no clue what the tool itself was actually doing, they just knew that if you put a name in the address bar, it would knock the website offline. They were mostly just kids, and many of them were horrified when the police turned up at their door because they simply didn't know that the traffic could be traced back to their computers.

THAT is the vast majority of the people we're discussing here. They're accountants, or architects, or customer service advisers, or shop assistants. They want to do something about political subject X, and they know that they can download this tool to enable them to do it, but without the slightest understanding of the context or consequences of their actions and with no idea how to cover their tracks or evade even basic countermeasures. They'll use the tool which achieves the objective, but they're not going toknow about the other tools which ill enable them to hide the fact they've done it.

"Contractors are supposed to be people with years of experience and skill, who can come into a job and hit the ground running with merely a 'here's your desk'."

That's the ideal, yes. The actual reality of the situation is that many companies hire 'contractors' to cover first line support. They're putting kids who just left high school on contract - hell, my first job, at the age of about 19, was a contract role. That's not some seasoned expert coming in and being paid top dollar for highly specialized skills. It's companies exploiting contracting in order to avoid having to offer full-time positions. I knew guys who were stuck on contracts for 5+ years in jobs that barely paid enough to feed them week to week, because there was no other options. And that was prior to 2008, during the boom years - now it's actually worse.

It's easy to look at shit like this and think 'I'm a contractor, I bill $8k a month, I don't see why they're having trouble', but actually a lot of contractors aren't really self employed by any sane measure, don't want to be self employed, and just don't have a choice in the matter.

With interest rates on UK 30-year gilts currently 0.8% lower than inflation, lenders effectively pay the government to borrow from them. Our 30-year gilt fixed rate is presently 1.5%, so if the economy picks up and inflation rises the amount that the debt shrinks in real terms will increase. So it makes perfect macro-economic sense to borrow and invest now, and bugger all sense to pay off debt at present.

And 'Labour's last set of debts' - or, more accurately, all debt ever generated by all Labour governments in the UK, ever, combined - is about the same amount that the present Conservative government have added to that debt in the last 7 years. Partially this is because austerity has never worked to clear up an economic mess, and partially it's because most governments manage to borrow more money than their predecessors because inflation is a thing that happens.

There's some really, really, really good reasons not to vote for Labour right now - the fact that the party is about as united as a combined Israeli-Palestinian football team, for example - but the supposedly superior economic competence of the Tories is certainly not one of them. Macroeconomics is not the same as balancing your household budget.

Re: What I don't understand

"So that they can access their list of logins even if they don't have access to their home PC or the drawer containing the USB key I assume."

Well, except for when there's literally any connection problem between you and wherever the hell the company has decided to dump your data. Like, y'know, what just happened.

Combine with that the increased attack vectors when your password DB is always online and relying on the security regime implemented by the work experience kid of passvault company A, which in turn relies on the security regime implemented by the work experience kids at Cloud Company B, and you're looking at a whole bunch of downsides for the sake of not having to carry a 7 gram USB stick around with you.

Re: Why?

"Thus being able to sketch on a tablet is of little value if the sketch isn't easily and quickly available (ie. with little if any user intervention) on another device eg. CAD station"

Even there, as the construction industry moves away from old-school CAD-based technical drawing (eg, Microstation and suchlike, which basically just allow you to do the same thing architects have done for 300 years only faster) and toward 3D Building Information Modelling, the usefulness of a hand-drawn sketch or markup is slowly disappearing too - the buildings are being literally built in Revit from programming-style classes instead of drawn, so interaction with the model is becoming increasingly dependent on a fully interactive data-rich environment.

Tablets not only lack the sheer grunt needed to open such models, but would be a nightmare to try and interactive with effectively when what you really want is an 8-button mouse and a full keyboard of shortcuts.