Posts by doublelayer

Re: NTLM?

That was LM, not NTLM, although NTLM 1 worked similarly and was also bad. This is a newer NTLM that is much better for its time, but not good enough for 2019.

Re: ZpulNg

Complain about smishing if you like, as it really is just phishing over SMS, but spear phishing is a useful term. It is very different than standard phishing, directed at one victim rather than a broad sweep, and demonstrably effective as it has been used successfully by many perpetrators in the past few years. I think that large a movement, and one that has seen results, deserves an identifying word. Similarly, I do not have a problem with the creation of such words as "ransomware" and "cryptojacking", neither of which existed before they became major trends in malware production.

Re: What muppet agrees to pay per hour?

It wouldn't take much effort to make it work; if you write something quickly, you can have a macro replayer retype it slowly and do whatever you please. If you have to have different documents up when the screenshot system works, you figure out the schedule, load up different-looking documents or old versions of whatever you have and have the program have a different one open each time the scheduled collection happens.

Re: Week count?

You get the locations of satellites with respect to one another, then calculate where the satellites are right now and use those two numbers to figure out where you are. If you think it's nineteen years ago, you may come up with a different answer to where the satellites are, and thus you would have the wrong answer to where you are as well.

Re: next-gen 32-bit microcontrollers????????????

I think the most memory I've seen paired with one of these is 512k, and 32k is quite typical. Of course, they probably have SOCs with more memory somewhere if they're planning to do voice recognition on them, but that gives you a sense of the typical scale of the things. They run one program, connected to a few basic hardware devices, and nothing else.

"You'll always need a device specific kernel, or maybe you should steer clear of x86 specific images as well?"

Not so. An x86 image will be capable of running on any x86 processor, assuming you can get the firmware to find it and boot to it and the drivers are working. Sure, some x86 systems hide the required things to do that, but that's not many of them and you could simply not buy them. Also, some chips that are old enough won't run a x86-64 image either at all or without a 32-bit bootloader.

That's quite different from the ARM landscape, where nothing will boot at all unless someone has tailored a bootloader for the specific device running it and for the specific image being run. This is why it's hard to flash a custom ROM to an android device* and why companies seeking a system that can't be reimaged are moving to it. For single-purpose devices, that's fine, but for computing, it has many limitations. I would want a device like this only if they had a universal firmware system that could boot anything that was written for the architecture. I'm not asking for universal drivers. I'm not asking for source available on every component. I'm asking only for the right to boot to any image I want; it's my responsibility to make sure it can boot.

*Installing a custom ROM on android devices: You can't have an image for the version of ARM used by the chip, nor by the chip manufacturer and architecture, nor even for the specific chip. Your ROM must be recompiled for each device you want to install it on, with a lot of fiddling with it and it never working. That's why these alternate androids only ever run on a few flagship phones.

Re: Who the hell uses Linux

Really?

"For desktops and laptops use Windows unless you're a Mac fan in which case go ahead. Because you want proper device drivers, power management with working suspend and hibernate etc."

You know that Linux runs on a lot of machines, right? With all of those things working? That when it's not working, it's because some manufacturer didn't release proper drivers for the thing so they could be used? Your counter suggestion is to run the single monoculture desktop OS that doesn't have a perfect track record dealing with device drivers either? Well, I guess there's no arguing with that.

"For servers use FreeBSD or a Solaris or similar as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers. Also a robust filesystem for your data and there is ZFS. You don't need things like snapd . For some applications maybe even go IBM."

Well, that was a weird statement. Er...let me parse that a bit.

"For servers use FreeBSD"

Fine, but you know that a lot of the stuff above the BSD is the same stuff that is above the Linux. So there is not much difference in all the stuff running on top of the kernel and base.

"or a Solaris or similar"

Why? I know it still exists, but there are some reasons it doesn't have a bunch of market share anymore.

"as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers."

Oh, that's why. Again, Linux, BSDs, and Solaris all use pieces in common; the desktop environments are interchangeable. The major difference is the kernel, which in all cases is monolithic. It's just a different one for each case, but all were built from contributions of more than one team. None are particularly taped together, especially after the massive amounts of testing each has received while running a bunch of servers.

"Also a robust filesystem for your data and there is ZFS."

If you really want it, that runs on Linux too.

"You don't need things like snapd ."

That's a bit abrupt to switch back to the point, but I'll point out that you don't have to use snapd, and it's more likely to be used on desktops than servers. It was originally built to run on phones, and it helps with applications that need custom library versions so you don't mess up your environment. Complain about it if you have a problem, but know what it is and more importantly what it isn't.

"For some applications maybe even go IBM."

And again I must ask why. You may have had a reason, but without telling us what it is, you seem to be making suggestions at random with the only point being "don't run Linux". Your basis for this as stated here is full of holes. Try something else.

Re: Can anyone bother to explain

Certainly. You can argue all you like that country X is being unfair to country Y, and I'm likely going to agree with you. That doesn't change the facts I mentioned. If any country tries to funnel all of its connections through a government-controlled system, they aren't doing it to deal with foreign interference because that wouldn't work.

Imagine what would happen if the Democratic Republic of A and the People's Republic of B did this. A is worried that B will attack them, so they funnel all their connections through one system so they can turn off their network at any time. B is also a country, with a lot of power, so if they are planning to attack A's systems, they will put a computer inside A that can be controlled by an agent of B. They could do this by:

1. Use an international phone line to control the system if the network gets cut.

2. Use a satellite connection that they can control to uplink data to the machine.

3. Use a radio transmission to control the system.

4. Put a spy in front of the computer to do the work for them.

5. Run a wire across the border and don't tell anyone (this works better if A and B share a border, and requires the machine to be close to the border).

6. Just use another method to take out whatever they want to take out.

You couldn't stop anyone that way. Sure, cutting off the network would prevent some international attacks from criminal groups that happen to use that way to get in. In the same way, cutting all the electrical lines and having people run their own generators if they really need electricity would protect them from a malicious party delivering a much higher than expected voltage to their building and frying things. However, cutting electricity is more likely to be a method of repression, and the same is true of cutting network.

Re: Backups?

Yes, they should have. However, it doesn't sound as if they had terrible security elsewhere, as they commented that the VMs had different authentication and different setups, thus this attack couldn't be done by a single compromised set of credentials (hopefully). Still, if things are that large, they should have some place where email data was stored on offline and hopefully also offsite media.

Re: I've always wondered...

Emergency data isn't just "An emergency has occurred. Details here." They can include other information, for example communications from responders to a wildfire. That's voice because the people involved can't take the time to type out a message when they are both fighting the fire and looking out for a situation that means they have to get out of there. So there may be some need to put them on their own circuit that can't be restricted. It doesn't mean that other companies or users deserve that.

Sometimes, those questions reveal good answers. However, usually the answers are these:

"1) Why can't you put them through to support?"

I can. Support is backlogged. They'll be on hold with them. That's why they're ringing me, because they're angry about being on hold.

"2) Why is your support phone line so poor they can't even answer a phone, which is their one, primary and sole purpose?"

Either there are not enough support staff (not my responsibility if I'm answering another phone), some are sick, some other customer has a major problem and they're fixing it, it's a time of day where support has ended because we don't run 24 hour support but I'm working late, ...

"3) What do you expect users to do when they can't get through on the line they are supposed to? Write you a letter to solve their support problems?"

Per the answer to 1, I expect them to wait on hold. Then, perhaps, send a letter to the responsible party (I.E. the head of support or their superior) complaining about having to wait on hold. They should not complain about that to me, as that's not my job and I can't do anything about that.

"4) Why are your sales staff - when they get a call and can't get even through to support themselves - not able to have the most basic of support functions available to clear your sales lines for what THEY are intended for. Even if this is a limited checksheet, filing a ticket direct to support on the customer's behalf, etc.?"

Because sales is not support. You don't hire sales representatives for their ability to support customers, because that's not their job. If there is a convenient page that they can give you, that's always nice to have, but many users will either refuse to read it or have a problem that is more complex. In that case, it is not the job of sales to support the systems. I also don't expect that a customer that calls the HR department will get IT help.

By assaulting a sales office when support is bad, you are punishing the wrong people. The people responsible for the problem, assuming that there is a problem, are not the people answering the phones. Those people are trying to do their job, and you are preventing them from doing that without any good reason. As fun as your autodial story was in a BOFH way, it's not the right way to deal with the problem you faced.

Re: Mould breakers

Pis are brilliant for tasks where they run headless, performing network tasks, serving as simple servers, and the like. They also do a wonderful job when running complex equipment (driving motors, wired into automation setups, etc.). They do an OK job as desktops. It's the remaining category where it can be hard to justify. I prefer to use them when I have the parts lying around, mostly because I can use all the tools Linux has to offer, write a program or an OS image as suits the project, and expand things whenever necessary by attaching other hardware or creating new interfaces.

However, if I was making a time lapse camera that uplinks via WiFi and I wanted multiples of them, I'd have to use phones for that. The first problem is price. A raspberry pi 0W costs $10, and the camera for it costs $20. This makes it look like the cost will be only $30, but this brings me to the second reason to choose phones. Raspberry pis don't work well with batteries. They just don't last long enough for something this large. With a phone, I could use the same power bank to keep the phone charged, and when the bank died the phone could continue its job for hours on its battery while sending me a message to swap out the batteries. The pi would only run on the battery unless you also purchase a secondary UPS board for it, $15-25. Even then, the board is more power hungry under many circumstances because it doesn't have the type of power-saving stuff in software that phones do.

I think the point of the original post was more "You can't rely on a specific piece of hardware running forever" rather than "All hardware has the same lifespan". In that sense, that is correct. Software and hardware never had a miraculous period where it would run forever. Some systems will run a very long time, while others would fail quickly.

Re: I'm perfectly fine with minimal text and no images

You can use it fine with no images, sure, but minimal text? Usually, the main thing that helps me to decide whether the search worked is to read the summary text where my terms appeared. I can filter whether results are useful or just happen to mention my search term much more effectively with that than I can with the page title. I can also use that to identify pages that I've already effectively read, if the term was quoted in multiple places.

I also think it should not be possible to charge for linking to a page. That is antithetical to much of the web, and should remain so. I'm directing traffic to someone. If they want to make money on that, they should view me as a positive, whether I'm making money myself or simply thought they were a useful resource. I shouldn't have to pay for the privilege of telling someone they might find something else useful. I don't pay the newspapers if I suggest that someone goes and gets one to read a great article.

Re: Great

"Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."

Thanks for the compliment.

"1st party phone is a Google pixel"

That involves paying google a bunch of money, buying a hideously overpriced device, getting the wonderful extra google spyware unless I flash it, in which case there is no support... No thanks.

"2nd party phone is a network SIM free phone"

Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.

"There is clearly nothing wrong with Android if some models get these patches every month, and many do."

Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:

1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.

2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.

3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.

4. There is no problem with Samsung Galaxy note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.

A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.

The only site I've seen that does respect it is, in fact, adafruit. Nowhere else has ever warned me about this tracking, and of course many sites are known to completely ignore it. So you can pretty much assume the answer to what sites don't respect DNT is (*.* - *.adafruit.com). You will unfortunately have to be more active than that to stop tracking, and I'm glad that someone is killing the thing because checking that box probably provided some with a false sense of security about the whole business.

Re: And we thought that Apple stuff was expensive tat

It doesn't compare well in price to Apple's iMac 5k; that starts lower in specs but also much lower in price. Then again, I suppose there must be people who want a 28 inch touchscreen for some reason, and Apple doesn't have that. I'm sure people have a reason. I don't know what it is, but it will come to me, maybe.

In the general scheme of things, both of these machines are much more expensive than will be needed by pretty much everybody. They price themselves out of consumer range, don't include enough processing power to run all the games that serious gamers want to play, and are too screen focused for the massive data processing people. I can see something like this being used by serious graphics users, but that's not a big market, and plenty of them have been satisfied with less.

Re: Re Good job Python isn't a syntax Nazi.

I agree, but sometimes you don't have that authority. I recently had to work with code where the writer (I don't know what is wrong with them, but something clearly is) had mixed tabs and spaces with *every* number of indenting spaces from 1 to 17 and several lines indented at random numbers above 17. This was C code, and the indentation didn't match up all that well with the brackets. Thankfully, this code was put under my branch, so I was able to thoroughly reindent the thing. However, I wouldn't mind something external preventing them from doing that to the code in the first place.

Re: Crypto-busting test case

"If an encrypted computer (I'm going to assume that means "encrypted data on the hard drive" in this case) is a ["]problem with a solution["][my statement], what is the point of encrypting any computer...?"

The point is to prevent data being stolen with a machine. If you were to rob me in the street today, you'd get my computer, but not the data on it. You could try some passwords, but it wouldn't get you in, and the security of my data would be intact. That's because it's not worth a ton of money to you. $190 million in bitcoin, on the contrary, is worth quite a bit to people, including to the people who run this company who could face some negligence cases if they don't get access to the thing. That makes it possible to invest some more resources into brute forcing passwords. For example, if the encryption is done using bitlocker on Windows, the passwords aren't super-secure*. It would be possible to brute force the possibilities of the default code if you had the inclination. For $190 million, the inclination is there more than for the random files I happen to have, and it is thus more likely to be attempted by this company than it is by a street thief who already has the main source of value, the hardware of my laptop.

*The default password for bitlocker is a 6-digit numeric pin. This machine could use a different system and/or a more secure password. This system could in fact not be encrypted at all. However, automatically typing in all combinations of digits is doable if you are willing to spend a couple of weeks on it, and other methods of trying to crack the password are doable too.

Re: This is really tight

There could be a lot of benefits in having publicity. Don't publicize the errors much, just say that they were fixed, and the person reporting them got $large_amount_of_money from you. That attracts others to try to find vulnerabilities in your system so they can get $large_amount_of_money too. Not that you always pay them a large amount--that depends on the scale of the bugs they found for you--but if the bugs were indeed critical, they deserve it and you can use it.

Re: An open letter

I'm aware of that, and perhaps my joke is not the style of rebuttal you would submit to the professor personally. That doesn't change the fact that he is wrong. It doesn't change all of the reports made to all of the companies that never did anything (for an example, see the tracking watches that have been known to be insecure for a year but are still insecure, about which multiple articles have been posted here in the past week). He seems to think that negligence doesn't exist. Either the company fixes their thing or they calculate that it is not important enough and are fixing something more important. That's not true; companies sometimes choose not to fix anything because they are spending all their time on the next product. That is a problem, it happens too often, and something needs to be done about it. Disclosure is a way to get something done, and if this professor refuses to acknowledge that the problem exists, he can't help to fix it. So I would argue that my comments, informal and inappropriate in tone as they would be if I submitted it as an official rebuttal, are still accurate.

Re: Putting dates in names

Perhaps I should clarify my statement. Neither mv nor cp complain about copying a file over another one *by default*, which is how everyone runs them. Since these tools don't do a lot of, to me, more obvious things without my having to tell them with switches, I would think that -i should be on by default. So much did I think this that I assumed that it was.

Re: SS7 hacked?

"One suspects that it's [phone hacking] easier and more lucrative now that everyone and everything is cloudy."

Easier, maybe. More lucrative, no. In general, all the things that used to be expensive are cheap now. People don't need to hack for cheap calls over long distances, because that is included. The only types of attack that are prevalent on the network are pretending to be someone else and intercepting others' messages. Given how little attention is paid to all those scammers spoofing caller ID, it is clear that the only type of hacking that is getting dealt with is message interception, which isn't that big. The attackers have to use this in combination with other things, usually social engineering, so most try the easier method of social engineering everything from the victim, rather than social engineering some things and accessing the phone system for the rest.

Re: An ARM version might be more useful...

Maybe, but you would need to connect it to an HDMI screen and USB input devices. That doesn't make it less disposable because you could keep those parts even if you were paranoid enough to destroy the pi (you don't need to), but it would be clunky. Unfortunately, there isn't a convenient system for using a pi portably. As much as I like it, battery performance isn't great and there isn't much hardware that can be carried without trailing wires behind you. For portable usage, the easiest solution is probably still the old-fashioned laptop.

Re: "but it also treats mobile users like adults capable of making their own decisions"

You want more selfishness? Fine. I don't want people to give up all their information because it gives companies that seek to violate my privacy more ammunition with which to attack me. Either they will have better systems for gathering and using information I don't want them to have, or they'll have collected a bunch of my information from other people I've met. Does that logic work for you?

On the topic of saving people from themselves, that doesn't need to apply to everyone. I think most would agree it applies to children. Adults can walk into dangerous situations if they want, but if I see a child doing that, I'm going to stop them and explain why that is a bad idea unless someone else is already doing so, even if they're not my child. The app concerned here targeted older children, giving them a relatively substantial amount of money for a person in middle school while taking a bunch of information, probably without explaining exactly what information and what they were going to do with it. Am I allowed to save them from themselves?

Re: Ex designer of military kit

Disclaimer: I have never used military equipment. I'm not stating things, I am asking them.

All those requirements about what the machine must withstand make a lot of sense for why the prices are higher. However, I have a couple of questions. First, do they require that a device be capable of use in all of those situations simultaneously? For example, I would have assumed that machines intended to be installed in airplanes would be distinct from other classes of devices, as a ground or tank based machine would not need to sustain the G forces, the weird acceleration, or the recoil of firing plane-mounted guns. Second, do military computers really have the same specifications of top of the line machines? I don't know about the military models, but every time I have looked at or been requested to find computers for difficult environmental conditions, the options have been the following:

1. Machines with very old specs, usually something designed for windows XP or some old version of android.

2. Devices with somewhat modern specs, but with little access to the system. You stick with the OS installed on it and just write your application over that. This can be problematic when the device is running some restrictive OS like android (there are many of those).

3. Devices that seem to have a modern processor, but are very heavy, power intensive, and run very hot. These would often be unacceptable for military use per the specifications above because they use fans to dissipate the heat and, as far as I'm concerned, seem to be of somewhat dubious build quality.

I would assume that most military machines are running a slower system that is capable of running the program required, but does not have a ton of extra speed or graphics capability. From the original post, the machines described were sufficiently behind the machines of the time in terms of computing capability. From your experience, is most military hardware more advanced or more restrictively specced than I had assumed?

Re: Can he actually provide proof that the Facetime bug actually caused him a problem?

If the bug was used, it can be proven. When the call comes in, the phone will ring normally, bringing this to the attention of the person in the meeting. The records will show if someone grouped themselves into the call. Whether you can prove harm can be tricky, but it wouldn't be hard to prove that the bug was used, and having that happen in a private deposition would probably be enough reason to say there was some negative outcome for you. If they did their research, they can probably prove fault by Apple. If they only have some evidence that someone listened in some way, they probably won't.

Re: Bug?

Given that the phone is ringing, it's not that useful to a spy system, as you would only get thirty seconds of data before they answer or hang up on you. It is still a major problem, but it is a very small and mostly useless backdoor if you were in an actively malicious mood.

Re: But but - Apple protects our privacy!

Apple didn't do this as a symbolic gesture. That app was running before the cert was revoked, and those installs have presumably all broken. There was a problem, actively existing, and Apple fixed it. In addition, they never allowed the app into the appstore, meaning they were already blocking it. Only by using this workaround and not telling Apple about it could Facebook get the app onto people's devices. When they found out that Facebook was doing that, they put a stop to it. Exactly what did Apple do wrong here?