* Posts by Psion1k

26 publicly visible posts • joined 15 Jun 2017

Cast a hex on ChatGPT to trick the AI into writing exploit code

Psion1k
Devil

Re: Squirrel?

"However, I'm not convinced the "AI" developed the exploit itself - It was told to research it, so probably found the existing POC code and converted it to Python."

That couldn't be the case. The proof is that there were no citations or attributions for the code...

Apple Private Wi-Fi hasn't worked for the past three years

Psion1k

Re: Nobody apparently cared?

I have to disagree on the CVE comment.

No-one would deny that a LOT of CVEs come from code that should have been written more securely (field length checks etc.) and thus could have been easily avoided. There will always be the CVEs that are generated due to a system being used in a way that was not envisioned ("I mean, who would use it THAT way!?!") and thus not accounted for.

Windows 11: The number you have dialed has been disconnected

Psion1k

Re: Built to last

A lot of people are disliking the idea of Windows 11, with most people citing one or more of the three reasons:

01) Everything Windows 11 does, Windows 10 can do if desired, though it may need to be configured/switched on.

02) A lot of Vendors still don't support Windows 11 and use it as an 'out' to not provide support.

03) It is a lot closer to a Mac interface, one of which they would have purchased ... if they had wanted a Mac in the first place.

There are other reasons of course, but those are the three I normally hear. Underlying all of that is the requirement for new hardware (supposedly) to basically get something you consider that you don't really want or need. The "required" hardware requirement can be largely bypassed, so you cannot even justify a minimum hardware spec as a reason to have Windows 11.

Unfortunately, the biggest push to upgrade is merely going to be MS stopping support for Windows 10, same as always. Most companies are having to comply with a framework of some sort that includes "Only Vendor supported hardware and software is allowed", meaning once MS say no more support, they HAVE to upgrade (whatever that takes) or be out of compliance, which can have a prohibitive effect on insurance premiums for unwarranted exposure etc.

Psion1k

Re: Built to last

https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions

It is of note that:

- There are two types of version numbers, being "standard" Windows, which includes Windows 3 and 95 etc., as well as the NT versions, including Windows 2000 and above.

- A lot of the "Major" Windows updates after Windows 2000 (NT 5.0) are actually considered minor version updates according to the system version (e.g. Vista (NT 6.0) is the same base version up to Windows 8.1 (NT 6.3)).

This sort of reflects the article's assertion that very little has changed under the hood for most releases.

First ever 64-bit version of Windows rediscovered … and a C compiler for it too

Psion1k
Devil

Re: Windows ME

The prominent versions of Windows at the time were Windows Compact Edition, Windows Millennium Edition, and Windows NT.

It was a common joke that the next Windows edition was to be a combination of the three (which is sort of true for Win2k), though the moniker given was not so great:

- Windows Compact Edition (CE) + Windows Millennium Edition (ME) + Windows NT (NT) = Windows CEMENT

https://www.reddit.com/r/ProgrammerHumor/comments/2utm7b/windows_cement/

Microsoft disarms push notification bombers with number matching in Authenticator

Psion1k

Re: Security vs Convenience

The problem with MOTP is that the seed can be present on multiple devices (and could technically be read programmatically without the user knowing), so the Push method is considered more secure. Push is also required to satisfy 'impersonation resistance' (but not necessarily all that is needed), which itself requires that the user enters nothing for the authentication process into the target system, beyond a username and (optionally) a password.

OTP of any sort is better than no MFA, but generally Push is a better security option. The specific combination of a particular device receiving the request and the user having to enter a counter-code into the same device that can only be visually read from the requesting system bolsters security immensely. It literally becomes next to impossible (without social engineering) to get a throw-away MFA approval.
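The number-matching flow described in the post above, as an added example that is not part of the original post and is not Microsoft's implementation. The two-digit code size, the single-use rule, the device name `phone-1` and the "user taps through every prompt" model are assumptions made for illustration.

```python
import hmac
import random
import secrets


class NumberMatchChallenge:
    """One pending sign-in. The number appears on the sign-in screen only."""

    def __init__(self, device_id, rng=None):
        rng = rng or secrets.SystemRandom()
        self.device_id = device_id
        self.number = f"{rng.randrange(10, 100)}"  # two-digit code (assumed size)
        self.used = False

    def push_payload(self):
        # Sent to the registered device. The number is deliberately absent.
        return {"device_id": self.device_id,
                "prompt": "Enter the number shown on the sign-in screen"}

    def respond(self, device_id, entered):
        # Single use (assumption): a wrong entry burns the challenge.
        if self.used:
            return False
        self.used = True
        return (device_id == self.device_id
                and hmac.compare_digest(str(entered), self.number))


def plain_push_approved(user_taps_approve):
    # Approve/deny prompt without a number: a tap is all the server checks.
    return user_taps_approve


def simulate_fatigued_user(prompts, seed=1):
    """Constructed model: the user taps through prompts they did not start.

    Returns (plain_push_approvals, number_match_approvals).
    """
    rng = random.Random(seed)  # seeded so the run is repeatable
    plain = matched = 0
    for _ in range(prompts):
        plain += plain_push_approved(True)
        challenge = NumberMatchChallenge("phone-1", rng)
        guess = rng.randrange(10, 100)  # user cannot see the sign-in screen
        matched += challenge.respond("phone-1", guess)
    return plain, matched


def legitimate_sign_in():
    """The real user reads the number off their own sign-in screen."""
    challenge = NumberMatchChallenge("phone-1")
    seen_on_screen = challenge.number
    first = challenge.respond("phone-1", seen_on_screen)
    replay = challenge.respond("phone-1", seen_on_screen)  # reuse is refused
    return first, replay


if __name__ == "__main__":
    print(simulate_fatigued_user(9000))
    print(legitimate_sign_in())
```

With a two-digit code a blind approval succeeds roughly once in 90 prompts, against every time for a plain approve/deny push.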

W3C's planned transition to HTTPS stymied by legacy laggards

Psion1k
Coffee/keyboard

Re: What's the point?

"so many web hosts use free Let's Encrypt certificates which offer no authenticity guarantee as anyone can get a certificate with minimal verification of identity and none of probity"

Certificates serve multiple purposes. In the cases we are talking about, it can be broken down into three categories (there are more):

- Encryption: The certificate provides the key set required to encrypt and decrypt a traffic stream. This does NOT require identity validation etc. It is merely end to end encryption.

- Identity validation: This effectively means that you are trusting the providing authority who issued the certificate to validate that the owner of the certificate (that is used on the site you are visiting) is who they say they are. The only reliable certificates for this are the Extended Validation (EV) or better certificates, typically represented in browsers by a full green bar in the certificate area. As the name implies, this is representing the assumption that the certificate issuer has done background checks etc. to validate that the entity is, in fact, who they say they are. The caveat here is that if you do not trust (as a person) that the vetting organisation is doing the right thing (e.g. Symantec), it is worthless for that purpose. These are also generally more expensive than other types.

- Code-signing: Similar to encryption, but for the purpose of determining if the code has been altered from when it was signed. The same methods are used for DKIM and the like.

So saying that LE certs are unfit for purpose for transport encryption is incorrect.

Fix network printing or keep Windows secure? Admins would rather disable PrintNightmare patch

Psion1k

The printer driver does more than act as an output. At the very least, it is the main mechanism that informs the OS of how WYSIWYG is supposed to operate/look, so affects display etc.

The issue here though, is the Print Spooler is capable of pulling a printer driver from *anywhere*, and that can be from (effectively) a malware repository, introducing nasties onto a machine in the process. This is especially bad when coupled with the auto-elevation required for installing most printer drivers automatically.

Grab a towel and pour yourself a Pan Galactic Gargle Blaster because The Hitchhiker's Guide to the Galaxy is 42

Psion1k

Technically, there are SIX books in the "trilogy", though only five by the man himself:

https://en.wikipedia.org/wiki/And_Another_Thing..._(novel)

Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops

Psion1k

Re: Oh dear, they STILL haven't figured out how dangerous this is!

I suspect that what is meant is that if you poke a dead/vulnerable alias, it will either not respond, or respond with a standard message effectively saying "no such website here", so is probably ripe for hijacking.

Any other response from the URL poked means it is still in use by "something", so they skip to the next possibility.

For MS, any such responding DNS entries are targets for removal.

The article is not about finding already compromised sub-domains, but about preventing future compromises from stale DNS records, though some sort of hunt and destroy for such is probably needed.
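The "no response, or a standard placeholder page" test from the post above, turned into a stale-record audit over your own zone, as an added example that is not part of the original post. The zone export, the probe results, the host names and the placeholder wording are all constructed; in practice the probe results would come from resolving and fetching each CNAME target in a zone you administer.

```python
# Constructed zone export for a domain you administer (example names only).
ZONE_EXPORT = """\
; name                  ttl  class type  value
shop.example.com.       3600 IN    CNAME shop-prod.cloudhost.example.
promo2019.example.com.  3600 IN    CNAME promo2019.cloudhost.example.
old-blog.example.com.   3600 IN    CNAME oldblog.pages.example.
www.example.com.        3600 IN    A     192.0.2.10
"""

# Constructed probe results, keyed by CNAME target.
PROBES = {
    "shop-prod.cloudhost.example.":
        {"resolves": True, "status": 200, "body": "<h1>Shop</h1>"},
    "promo2019.cloudhost.example.":
        {"resolves": False, "status": None, "body": ""},
    "oldblog.pages.example.":
        {"resolves": True, "status": 404, "body": "No such website here"},
}

# Constructed wording; each hosting provider has its own placeholder text.
PLACEHOLDER_MARKERS = ("no such website here",)


def parse_cnames(zone_text):
    """Return (alias, target) pairs for every CNAME line in the export."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then split
        if len(fields) == 5 and fields[3].upper() == "CNAME":
            records.append((fields[0].lower(), fields[4].lower()))
    return records


def classify(probe):
    """Apply the post's rule: silence or a placeholder page means stale."""
    if probe is None:
        return "unknown: not probed"
    if not probe["resolves"]:
        return "stale: target does not resolve"
    if probe["status"] is None:
        return "stale: target does not respond"
    if any(marker in probe["body"].lower() for marker in PLACEHOLDER_MARKERS):
        return "stale: provider placeholder page"
    return "in use"


def audit(zone_text, probes):
    """List the aliases that should be reviewed for removal from the zone."""
    findings = []
    for alias, target in parse_cnames(zone_text):
        verdict = classify(probes.get(target))
        if verdict != "in use":
            findings.append((alias, target, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(ZONE_EXPORT, PROBES):
        print(*finding, sep="  ")
```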

Are you writing code for ambient computing? No? Don't even know? Ch-uh. Google's 'write once, run anywhere' Flutter is all over it

Psion1k
Trollface

Re: It's maybe an apt name

Total Inability To Supply Universal Platform?

Atari finally launches its VCS console. Again.

Psion1k

There have already been several units of "retro reboot, like the mini NES and SNES, or PlayStation Classic".

Just do a search for "Atari Flashback".

DigitalOcean drowned my startup! 'We lost everything, our servers, and one year of database backups' says biz boss

Psion1k

Re: DigitalOcean hosts hackers

In the end it doesn't matter. If people seeking to find devices to abuse have to wade through a vast ocean of addresses, they just make a bigger botnet.

The sheer size of the address space may make it harder to find a specific device on an address, but it won't stop them trying.

After all, such people are not using their own resources to do the searching.

Twist my Arm why don't you: Brit CPU behemoth latest biz to cease work with Huawei – report

Psion1k

Re: Unintended consequences

I think the answer is the same as always. The current politicians don't care.

They will have their pensions, jobs from their mates, and a massive fortune that will isolate them from any real consequences.

To sum up, it will be someone else's problem to deal with the fallout.

Oracle throws toys out pram again, tells US claims court: Competing for Pentagon cloud contract isn't fair!

Psion1k
Headmaster

Definitely want a company that gets the details correct, at least.

"Any DoD-alleged delay is a self-inflicted injury based on its refusal to ensure that DoD conducted this significant procurement in accordance with the law and in a manner above approach," Oracle said.

If they can't even get an age-old saying right, they certainly are not "beyond reproach" in their attention to detail. :P

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Psion1k
Unhappy

Re: The Usual Response...

The idea of a passphrase is a good one.

Unfortunately, there are quite a number of systems and websites that cap a password at 12 or 16 characters, so it does not always work.

Samsung Galaxy's flagship leaks ... don't matter much. Here's why

Psion1k
Meh

General smartphone design . . .

. . . leaves a bit to be desired these days, to my way of thinking.

(The following are my personal opinions. Obviously people will have their own opinions and preferences, which they have every right to. I can't help it if they are wrong. :P )

Not affecting just Samsungs (though they do seem to lead the charge), I am not a fan of wall-to-wall glass for the display. Trying to pick one of those up always tries to activate something on the screen. Taking one out of your pocket can do things like activating the camera etc., even if locked, when combined with gestures etc. You effectively NEED a case just to use it, because just holding/gripping it causes screen presses.

I like to have areas at the top and bottom of the screen, and the actual sides of the phone that are "dead", so no reactions. Designed along those lines, a notch becomes unnecessary, so no need to gnash teeth over that one. You also gain the ability to have dedicated buttons (not on-screen ones) for Home / Back / etc. functions. My personal preference was a design like the HTC 10.

Another gripe is battery life. With apps on phones pulling juice like it is unlimited (I'm looking at you Pokemon Go), options for bigger (or swappable) batteries are something I want to see.

The arguments for having smaller batteries generally come down to weight. If it's an option, people can select what they want. I don't mind a heavier phone myself. Also makes it harder to have it slip out of a pocket unnoticed (or at all).

The arguments for non-swappable batteries come down to water-proofing, generally. While nice, I suspect it has a lot more to do with making the phones less serviceable, so you feel forced to buy a new handset when the battery life becomes useless. I'd prefer to be able to carry extra batteries that I can swap in as needed.

A small battery, which is non-swappable, combined with an app that sucks power (you would think an in-built Pikachu would extend the battery life), means you have to use a powerbank to keep it going. Surprisingly (yeah, not so much), this causes the battery to heat up considerably, and can cook the battery into ineffectiveness. This usually shows up as the phone turning off earlier than the percentage gauge would indicate (worst I have seen inside 12 months is turning off at 65% on a 3000mAh battery). Bigger batteries either obviate the need for power banks, or do not generate the same sort of heat while being inline charged by a powerbank.

I also noticed people griping about the inclusion (or lack of) a 3.5mm jack for headphones. My personal preference is to have one built in, but most phones come with a USB-C-to-3.5mm jack adapter, if it does not have one, so not really an issue, unless you need to have the headphones in AND charge it simultaneously.

Personally, I am not inclined to ever have a Samsung phone, as I have always felt that they are too restrictive in their UI design, and the physical units have always felt rather "cheap" in the construction department, though I admit that they do look shiny. To be fair, I have always preferred the metal bodies of phones like the HTCs.

As a last comment, the "in-screen fingerprint reader" is a two-sided thing. On the one hand, it allows more screen real-estate for those that want wall-to-wall screen on the phones, but on the other hand, forget about using a screen protector overlay, if you want to use it. The thing is sonic; a screen protector will block it. So you get to choose to have an extra layer of protection for your screen, or using the fingerprint reader.

Excuse me, sir. You can't store your things there. Those 7 gigabytes are reserved for Windows 10

Psion1k

Re: I think I can spare 7Gb out of the 8Tb I'm using for storage at the moment.

"for those of using VM's, this could pose a real problem"

The method used to allocate the space appears to be a reservation made in the NTFS file table mechanics, rather than a physical allocation. This means that if you are using thin drives, they get no bigger than usual, and thick drives are all pre-allocated anyway.

There should be no difference, other than the used space REPORTED on the drive being 7 GiB higher in the VM OS. There is no physical difference on what is laid down on the disk, so this should look pretty much the same as usual to the hypervisor and its storage.

---

How this works was confirmed in the comments section of the MS page by Craig Barkhouse [MSFT]:

"The idea is NTFS provides a mechanism for the servicing stack to specify how much space it needs reserved, say 7GB. Then NTFS reserves that 7GB for servicing usage only. What is the effect of that? Well the visible free space on C: drops by 7GB, which reduces how much space normal applications can use. Servicing can use those 7GB however. And as servicing eats into those 7GB, the visible free space on C: is not affected (unless servicing uses beyond the 7GB that was reserved). The way NTFS knows to use the reserved space as opposed to the general user space is that servicing marks its own files and directories in a special way."

Psion1k

I suspect that the difference here is that unless the space is exceeded, it will show as +7 GiB USED space, permanently, regardless of how much of that space is actually in current use. If this is the case, Pre-Allocated may be a better description than Reserved.

So:

Free Space = Total Logical Drive Capacity - Reserved space

e.g. for an empty 300 GiB drive with the reserve on it, the free drive capacity would be:

293 GiB = 300 GiB - 7 GiB

Not a bad idea of itself, especially if it can be reserved on custom drives etc.

Samsung's graphene batteries promise to charge five times faster – without exploding

Psion1k

Re: Still not what customers really want

"For a simple reason - airlines and others have imposed Wh limits on what they'll tolerate as installed on carryon luggage and/or checked baggage.

Samsung _could_ make a thicker S9 with 6000mAh battery, but then you'd have to leave it at home when you go to the airport."

According to this AnandTech review, the Samsung S9+ comes with a 3500mAh battery, which comes out at 13.47Wh.

https://www.anandtech.com/show/12520/the-galaxy-s9-review/8

According to this explanation at PetaPixel, 100 watt-hours (Wh) is the limit.

https://petapixel.com/2018/05/16/tsa-battery-restrictions-clearing-up-confusion-on-flying-with-lithium-ion/

The FAA also say the same, though it is listed under uninstalled batteries/powerbanks

https://www.faa.gov/about/initiatives/hazmat_safety/more_info/?hazmat=7

So even at 6000mAh (<28Wh), it is well below the 100Wh limit.

Personally, I would prefer a heavier device with a bigger battery, as I often have to resort to charging the phone on the fly due to low battery, which itself is against recommendations and both generates excessive heat, and reduces battery life.

Windows 10 passes 700 million, Office Mobile in a coma and Intune, er, cracks time travel

Psion1k

Largest usage numbers . . .

"the April 2018 Update was nearasdamnit at the 90 per cent mark in terms of Windows 10 usage. The figure is not quite as high as that achieved by the Fall Creators Update, but the speed at which 1803 rolled out is impressive nonetheless."

This is hardly surprising. When MS finally enforced their support policy removing patch availability from the original versions of Win10, most people upgraded at that point to 1709, hence its high numbers, (1803 had only just been released, so was untested and thus to be avoided). It did, however, trigger an upgrade culture, by necessity. Coupled with the WannaCry outbreak basically killing WinXP, this pushed most of the world to the (then) current versions of Windows.

Previously a lot of software vendors would not officially support the newer version of windows rolling out every 6 months, but now they have no choice. For the most part, businesses will not tolerate enforced security vulnerabilities caused by having to stay on old OS versions due to lack of vendor support in their programs . . . mainly due to legal liability, I suspect.

Any vendor not offering support for the current OSes runs a very real risk of losing their customer base to a competitor.

Cops jam a warrant into Apple to make it cough up Texas mass killer's iPhone, iCloud files

Psion1k

Get the FBI to pay for Apple's time?

If Apple have declared that there is no way to crack the encryption, as backed-up by their spec testing, and if they honestly believe that to be true, then I see no problem with Apple attempting to crack it. By their own declaration, they will not succeed.

However, given that they have declared this, and have the testing to 'prove' the uncrackable nature of the algorithm, why should they be forced to pay for the cracking process?

If the FBI insist that Apple have a go at it, let the FBI pay for the engineer time out of their own budget. That would likely put a natural cap on it somewhere, because someone would be bleating about the expense fairly rapidly, I would think.

While you're preparing to carve Thanksgiving turkey, the FCC will be slicing into net neutrality

Psion1k

Re: Hmmm. Wonder about --

This would most likely be done using peering arrangements and source routing, rather than packet inspection, so the VPN would be detrimental if you had purchased the service.

It would literally be that if you are paying the premium to access a service, the traffic headed to that service (based on the destination address) is routed by the high speed peer link for that service, rather than the 'general' internet. A VPN traffic stream would go to the VPN endpoint (from the point-of-view of the ISP network), rather than the service, so would be treated as 'general' traffic.

Dear America, best not share that password with your pals. Lots of love, the US Supremes

Psion1k

Re: Why the upset?

I think you missed the point. No-one is arguing that Nosal did the wrong thing. The argument is that the basis upon which the decision was made has potential well beyond its intended scope.

To reiterate the article's example (I have no idea personally if the conditions are real, just using the example):

- Netflix state in their EULA that only the account holder may possess the login credentials for their account, that they cannot be shared with anyone.

- You as the Netflix customer then share your login credentials with your spouse, who uses them to watch a show, in violation of the EULA.

Using the same argument basis that put Nosal behind bars, both you and your spouse have engaged in criminal activity:

- You have directly violated the EULA by giving out your credentials.

- Your spouse (more to the point), has accessed the service using a set of credentials that they have no right to.

Using Nosal as a precedent, your spouse is now considered a hacker.

The whole thing is that there is no limitation on the quoted precedent, and while it seems insane, we know lawyers don't always work with common-sense, they work with law and legal precedents, regardless of reality.

Connectivity's value is almost erased by the costs it can impose

Psion1k

Re: "Stupidity we haven’t seen in many years"

"Does anybody have a good theory of this phenomenon?"

That one is, unfortunately, a fairly easy answer.

It takes "effort" to analyse or try to recall something, and people (in general) are basically lazy.

It is just easier to go to the local oracle (usually google) and get the answer. To make it even worse, as it is a subconscious tenet that "it is easier", people are likely to persist in entering the same question in different ways to get a desirable answer, rather than to stop and try to figure it out themselves, regardless of objective difficulty.

I'm fairly certain that I have seen at least one study coming to the conclusion that easy access to information sources such as Google is having a direct effect on physical brain size, and ability to store facts and figures. People are literally downsizing their brains from lack of use in certain ways.

Another way of looking at it is that we have added the internet as a queriable external memory device to our brains / thought processes, and use it in preference to our "on-board" facilities. Like a muscle not used much, you can expect deterioration.