* Posts by bolac

50 publicly visible posts • joined 14 Jun 2016

Japan's space agency suffers cyber attack, points finger at Active Directory

bolac

Active Directory is not exactly Rocket Science

No one can make it work. Even people who worked inside Microsoft keep telling me that it does not work there either.

In the explanations for the recent Azure secret key disaster, Microsoft has also (unknowingly?) admitted that they consider their client zone to be less secure than their server zone.

Microsoft: China stole secret key that unlocked US govt email from crash debug dump

bolac

Re: Caused the crash?

Crash dumps are considered highly sensitive for decades, literally since they exist. Microsoft is just ignoring established best practice.

bolac

Re: The full story?

The Solarwinds story already proved that Microsoft is just as clueless as anyone else when it comes to who is roaming in their network.

bolac

Re: No hardware, no secuirity.

Another common strategy would be to have a certificate chain. The long-term certificate is in the HSM and the intermediate which signs the tokens is very limited and has a short rotation cycle.

bolac

Crash dumps in production environment?

Does not everyone know that this is an absolute unacceptable practice?

Microsoft obviously not, they even collect crash dumps and other telemetry data from their «customers» production environments.

Safari is crippling the mobile market, and we never even noticed

bolac

Web Devs are the enemy of the user

It is not a curse, it is a blessing that Apple is not support all the shit that web devs come up with. I am not using any Apple device, I am using 100% open source for more than 20 years. But I am really grateful that Apple killed Third Party Cookies and refuses to support unnecessary standards that give websites access to anything.

We can't believe people use browsers to manage their passwords, says maker of password management tools

bolac

This is bullshit. Cross-platform software always sucks. Always. No exception. A tool should integrated into the system conventions as well as possible. A Windows application should follow Windows conventions, a Mac application should follow Mac conventions, and so on.

This is particularly true for a password manager, so you don't need insecure dirty clipboard tricks to enter passwords into forms. The only cross-platform thing we need in this area is a portable format for export/import and backups of password databases.

bolac

The whole industry only exists because Microsoft has no sane solution for Windows. On the other side, Mac users save their passwords in the Keychain, Linux users do the same with gnome-keyring and KDE kwallet for literal decades now.

NSO Group 'will no longer be responding to inquiries' about misuse of its software

bolac

Re: This is a strawman.

They cannot catch them, but it would be punishment enough if NSO associates had an international warrant on them, not being able to travel anywhere without fear of arrest.

bolac

Re: This is a strawman.

Another interesting question: How about terms of service? They used Amazon servers, fake Apple IDs, etc. It would be funny if Apple could sue them to never touch any iPhone again.

bolac

This is a strawman.

The whole issue is not just misuse of software. When you give someone a copy of your software, you have no control where it ends up. But this is not the issue at all here.

According to Amnesty, NSO operated the servers. NSO had lists of phone numbers for target people. NSO is not just a software manufacturer in this game. NSO is actively participating in the attacks, including the unlawful ones. They cannot just say: «Someone took our software and did an unlawful attack without our knowledge.» NSO was basically performing the unlawful attack themselves.

Windows 11 still doesn't understand our complex lives – and it hurts

bolac

Re: web Teams works on Linux

I was never talking about private PCs. Who even uses Windows on their private PC in 2021?

In every corporation where I worked (I am consultant) and that had teams (many refuse), thre was a copy in my user folder.. Are you sure that the enterprise install does not do the same thing, copy it to user folder?

bolac

Re: Browser Profiles

Another Pro Tip: Right click an EXE while Shift key pressed.

bolac

Re: Browser Profiles

You can also do two full graphical logins at the same time and switch with Alt+Ctrl+F1/F2/etc. Or you switch users using the GUI, but then you always have to unlock your screen.

Typically tty1 is the login screen and the user screens start from tty2 (modern distros) or from tt7 (traditional distros, because 1-6 were reserved for text console).

bolac

Re: web Teams works on Linux

Teams for Windows is also Electron. Electron is owned by Microsoft since the Github takeover. New OneNote and VS Code are Electron, too. The new Outlook One will be electron-based as well.

Teams on Windows is even worse. It is installed into the home folder. Even if you ask for global install, it will install one copy to Program Files and then one copy to each user's home folder. Including an auto updater which pulls binaries from the Internet and puts them in the home folder, where the versions are accumulating to gigabytes of old Chromium DLLs and what not.

But the biggest joke is that Microsoft made a tutorial how to improve Teams performance by whitelisting your home folder in the antivirus. You could not make this up.

https://github.com/MicrosoftDocs/OfficeDocs-SkypeForBusiness/blob/9df8f4069848c52ae810719e4baf171014b01452/Teams/teams-files-folders-antivirus-perf.md

bolac

Re: IE6

That is not surprising since Outlook is the IE6 of Mail User Agents and Excel is the IE6 of spreadsheet applications, it even fails at basic math.

bolac

Browser Profiles

With Firefox, you can have multiple browser profiles. They have completely different browsing histories, cookie stores, password stores, proxy settings etc. For example, set up one for work and one for personal use.

Go to the "about:profiles" page.

Edit: You can run them at the same time in separate windows (not in tabs of one window though). I also like to put a theme on some so the window has a different color to avoid confusion.

Also for my main private PC, I just added a completely separate Linux user for work stuff This way, everything contained in a separate home folder and can be easily removed from the private PC. I can use mail programs, contacts, calendars etc. without mixing up the two.

Excel Hell: It's not just blame for pandemic pandemonium being spread between the sheets

bolac

Re: All Spreadsheets Are Not Equal

What does it even mean? SQLite only has 2000 columns. The idiocy is using a column for each case to begin with.

The number of rows is 16 million.

bolac

Re: Alternative?

This is not fair. Gnumeric is actually very popular among scientists for decades because it is calculating accurately and mathematically correct.

bolac

All Spreadsheets Are Not Equal

It is not fair to say that all spreadsheets are equally shit. For example Gnumeric, the one created by the Gnome folks in two weeks as a demo app, was very popular among scientists because it calculated accurately and mathematically correct. For a decade, it was also a role model for good C programming.

AI-predicted protein structures could unlock vaccine for COVID-19 coronavirus... if correct... after clinical trials

bolac

Does not matter at all

This does not mean anything. The whole months-long effort in vaccine development is the testing for effectiveness and side-effects. The invention of new vaccine candidates takes only hours nowadays. This AI only does something that has never been a problem in the first place.

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer

bolac

It is not «almost» two years, it is literally two years. I am sure Greg and friends were working on these fixes before the issue went public (because of amazing investigation skills of El Reg).

Dr Symantec offers quick and painless checkup for VPNFilter menace on routers

bolac

Is this even possible

I thought all those things are impossible since Windows has the Defender Exploit Guard and all that other AI-ML stuff that detects unknown malware. At least that's what the snakeoil companies are promising all the time.

It's time for TLS 1.0 and 1.1 to die (die, die)

bolac

TLSv1.1 is not insecure

TLSv1.1 is not insecure, only TLSv1.0 is. However, TLSv1.1 has some insecure cipher suites (which are all deprecated by now, but badly configured clients and servers might use them), so it's still a good move to get rid of it.

Zimmerman and friends: 'Are you listening? PGP is not broken'

bolac

Worst bug? Meltdown already forgotten?

Linux Beep bug joke backfires as branded fix falls short

bolac

Re: Eh..

But you can use them without setuid by printing the ASCII "BELL" character. You only need Root if you want to do crazy things like change the frequency (i.e. tone).

bolac

Re: Who actually has beep installed?

The same is true for Redhat, Ubuntu and even Debian in cluding ancient versions. SuSE has an alias called "beep", which has nothing to do with the "beep" program discussed here.

Crims pull another SWIFT-ie, Indian bank stung for nearly US$2m

bolac

Re: There is little choice besides scanners

But even that is a stupid approach. If the data is not there, then that makes it even more stupid. It does not really help reliably, but it is a hassle for everyone else, for example people who want to park money into a newly opened bank account.

Some people being too stupid to protect their access credentials does not justify to make the life of innocent people more annoying even to the slightest extent.

bolac

You cannot really enhance the security of a shitty system by just adding some scanners. That's a ridiculous marketing lie that the snakeoil industry planted into the head of Microsoft Windows and Office users for decades.

Ubuntu reverting to Xorg in Bionic Beaver

bolac

Re: It is the video hardware driver's fault

Microcode is software, but in the sense that video files are software. Microcode are not computer programs.

bolac

Re: It is the video hardware driver's fault

Hardware does not have a license, hardware has patents.

bolac

Re: It is the video hardware driver's fault

If you are user A running a X session and want to run an X app with user B, A has to set:

$ xhost local:

Before Wayland, this was not required if user B was root. With Wayland, it is required for Root as well. That is the only differnece. Set it and you can run Synaptic etc.

Btw: It is really not a good idea to run graphical apps as root like Synaptic does, and everybody knows that, so this is just legacy mode anyway. The graphical admin app should run as user and only execute batch jobs as root.

bolac

Re: I find this slightly embarassing

Obligatory read:

https://simson.net/ref/ugh.pdf#page=161

bolac

It is the video hardware driver's fault

To be honest, it is a problem with video drivers by lazy manufacturers like NVIDIA. On my Macbook with Intel Iris I did not have a single Wayland crash since the beta of 17.10, and I am hotplugging different monitors and projectors with HDMI and DP (Thunderbolt) all the time.

And it by the way has very useful features, e.g. flexible scaling when mixing high- and low-dpi screens. And all remote things still work if you just set the permissions, which you had to do before anyway for anyone who's not root.

However, making it non-default for the LTS version sounds like a sane choice from Ubuntu's perspective.

‪WannaCry‬pt ransomware note likely written by Google Translate-using Chinese speakers

bolac

Bloggers found this weeks ago:

https://steemit.com/hacking/@wh1sks/wannacry-ransom-message-was-translated-using-google-translate-but-with-a-few-changes

Germany gives social networks 24 hours to delete criminal content

bolac

Re: Insults??

Insults have been illegal in Germany since always.

https://dejure.org/gesetze/StGB/185.html

bolac

Re: Deutschland über alles. I think we have heard that before!

No. It has nothing to do with "America first".

To stick to the pizza example: "Pizza über alles" means "I think pizza is better than everything else". It does NOT mean "I think we should put pizza above everything". It is just a observational statement, it has no connotation of "should be" or "want".

bolac

Re: Possibly incorrect translation

It does not matter, those German terms are just as undefined political propaganda bullshit bingo as they are in English. They are seemingly using legally defined terms, but they are misusing them intentionally.

For example "public call to commit crime" and "threatening" don't require new laws. They were illegal to begin with. Those things are illegal even in America, because you can grammatically distinguish an imperative "kill this guy" from a mere opinion statement "I wish this guy had a car accident".

bolac

Re: Deutschland über alles. I think we have heard that before!

No, it has a completely differnet meaning.

"uber alles" is used for everything in German, like "for the world" in English.

For example, if pizza is your favorite food, you would say "pizza for the world" in English and "Pizza über alles" in German. It just means "there is nothing better than pizza"- It has no connotation of ruling oder domination or anything. It also does not mean that you put pizza above something, it means that you find out that it is above something.

bolac

Greetings from Germany

Fun fact: The person who is complaining is to be informed, but the one who is deleted does not even know the reason and has no court or something to complain about the deletion.

Microsoft's new hardware: eight x86 cores, 40 GPU cores

bolac

Multiprocessing

PS3 had eight cores ten years ago. Is Microsoft still unable to write multi-threaded software, or why are they limiting themselves to the same number of CPUs that my cheap China phone had three years ago?

Security slip-ups in 1Password and other password managers 'extremely worrying'

bolac

Why not just set the Master Password in your browser's password store?

Also every decent Desktop Environment (i.e. every single one except Windows) comes with a password manager built-in.

Google Chrome 56's crypto tweak 'borked thousands of computers' using Blue Coat security

bolac

Re: So Google balme Bluecoat...

It agreed already. Firefox will have it in the next release as well. That was announced months ago.

bolac

Re: Where is this TLS 1.3 specification?

>security tool

There is your oxymoron already.

Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds

bolac

Git repos should be pulled using HTTPS. HTTPS should not be used with SHA1. TLS is where the security is coming from, git itself does not have signatures.

Windows 10 Anniversary Update crushed exploits without need of patches

bolac

Why is font rendering in the kernel in the first place?

Every other system has this in a sandbox all along. This kind of sandbox is called a “process”.

Microsoft preps defence against the dark arts for enterprise customers

bolac

Buzzword security for the management

A VM is not better than any other sandbox, when it comes to security. Especially in this case, where you need to render stuff on the screen, you will have to need some complex code that talks to the host OS.

It is just a waste of resources.

Apple quietly launches next-gen encrypted file system

bolac

Re: Next-gen?

Sorry, I confused the two cases. I meant to say that case sensitivity does not work properly, and that case insensitivity is a huge mess with Unicode.

It boils down to the fact that it is very complex to properly define equivalence of two Unicode filenames. By the way, OSX is in fact the only OS doing this. Windows (NT) does not do this (the case insensitivity is emulated by the Win32 subsystem), and even iOS is case sensitive all along.

And HFS+ is not just old. That's not the issue at all. Being old would not be a huge issue if it just worked. But it doesn't. HFS+ is known to be very unreliable and for having very poor performance. This is not a case of “we still use the old system because it runs”.

Last but not least: There were already security issues with git arising from HFS+'s case insensitivity.

bolac

NTFS

It might be important to note that NTFS is always case sensitive. The case insensitivity in Windows is emulated by the Win32 API.

Even Microsoft figured in 1993 already that case insensitivity is a huge mess that has to be avoided in the FS layer.

bolac

Next-gen?

APFS is not really next-gen, it just appears new compared to HFS+, which is stuck in the early 90's.

HFS+ has the following “features”:

- Case insensitive mode does not work (properly).

- Case sensitive mode is a total failure because we don't live in times of ASCII. Defining what equality of two Unicode strings actually means is hard enough anyway, and not getting any easier by mixing up cases.

- HFS+ stores all the metadata in the first blocks, which makes it perform very poorly. In times of SSD it seems less relevant, but it isn't. It totally cripples backup speed on USB 3.0 HDDs.

Also: The fact that the port of ZFS to OSX was cancelled gives me a very bad feeling about OSX's state in the layers above.