Why is a build management tool doing exposed in the internet?
Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...
No sweat, man, the client-side javacript totally validates the user input to prevent them sending an unsafe control rod configuration back to the server, it's rock solid.
2-wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user'(or if your security testing environment, for security and verisimilitude does actually have a bunch of consumer DSL lines set up).
Any trace of Vmware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc.(on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine(on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.
If anything, I'd expect purpose-built mockups to exhibit greater uniformity than would mockups built from the discards of an actively iterating R&D project, or functional prototypes from a reasonably late stage of an R&D project...
Even substantially less expensive gear, with a much stronger incentive for mass production(small arms, light artillery, that sort of thing) handled by well reputed defense outfits with a century of experience tends to have enough 'Block A vs. Block B' and different revisions and licensed variants and things to keep military trivia enthusiasts arguing endlessly.
I'd imagine that very low quantity development hardware from the DPRK rocketry program has a certain number of 'file to fit' and 'option plate Z goes here if stage 1 pressure test is marginal' hand-scribbled annotations on the blueprints and assembly instructions.
I ran into an admittedly more banal example somewhere in the 2005-2006ish range: for reasons that predated my employment, the PBX was an OS2 warp system with a bunch of custom ISA cards running on an AT whitebox in the early pentium range. When(after years of giving us absolutely no trouble) the PSU died horribly, we ended up raiding my boxed-for-storage-high-school-nerd basement junk pile for a replacement because the entire outfit didn't have a single compatible replacement.
Alas, the Oh-so-shiny NEC Turnkey Solution that replaced it has been a gigantic pain in the ass ever since, but with the added bonus of being sophisticated enough to be inextricably hooked into an obsolete version of Exchange. Hooray!
I suspect that bandwidth would get tricky on that one.
If you went with a conventional thin-client model, just transmitting screen data one way and peripheral input the other, the bandwidth requirements would be modest; but the serious color-correction and other pro users would storm the building and gouge out your eyes when they saw what the artefacts that the usual thin-client protocols introduce are doing to their work.
If you went with an upload->process->download you could easily be on the hook for multi-minute transfers, depending on the operation and how many and how large the objects being operated on are.
But,OTOH, let's put it off until next quarter and let them worry about it.
Also, keeping the existing system has a 100% chance of being a nagging pain in the ass; but a pretty minimal chance of failing catastrophically in some novel way that the IT minions aren't already familiar with.
If we start development on a new system, it has a decent chance of being better; but a nonzero chance of going down in a firestorm of project-management failure, buck-passing, and overpriced Accenture code monkeys, which will make us look like total fuckups...
20GB is about 20 minutes of HD footage. Even for stills that's only a few hundred images if you are working in RAW. Can't imagine Adobe exects anyone to use it other than as a demo.
The first hit is free, kid, and since this 'cloud storage' only interacts with Adobe CS applications, and Adobe CS applications only interact with Adobe cloud storage or cloud storage that emulates a local filesystem, you'll have to buy expansion hits from us!
Actually, I imagine piracy is a major reason why Adobe would do this. Photoshop is probably the most pirated app of all time. Gimp will probably have a windfall of new users soon.
We'll see how it competes against "CS6-last-retail-cracked.torrent" in the marketplace of ideas(and, for that matter, unless Adobe is actually moving nontrivial amounts of computation to their servers, which will really please the DSL users crunching multi-GB layerfests, it isn't necessarily the case that Adobe's 'creative cloud' client DRM will be any stronger than their retail box DRM, from the perspective of a cracker/release group, though it very likely will be much more effective at ensuring compliance among users on number of seats and timely upgrades to the newest version).
Even if you do want 'cloud' storage(it certainly has its uses), the trend of getting little tiny bits of it bundled under a zillion different credentials and EULAs and TOSes, from a bunch of different outfits that you are just trying to buy some other product from(and, excitingly, often hooked to specific applications, rather than some reasonably normal network file transfer mechanism) is totally fucked.
Yeah, I really want 5GB over here on dropbox, with one set of credentials, security issues, and iDevice applications that can sorta-kinda treat that 5GB as their filesystem; then another few GB over here on Skydrive, so that they work properly with MS' hotmail file attachment features, and then 20GB over here with Adobe that only 'Creative Cloud' applications can see...
It's a loss is basically every important respect: the credential soup is a pain in the ass and a likely security hazard, the fragmentation means that you need to manually shuffle around and/or duplicate files to support workflows that attempt to cross the ghastly little vendor silos, and the fact that the first-hit-is-free size limits are generally low creates an incentive for the vendor to gouge you on upgrades(If 'Creative cloud' only works with magic Adobe cloud storage, do you think that their per-GB overage prices will necessarily adhere to market norms for commodity cloud storage?).
It's as though a substantial fraction of your applications refused to use the OS's filesystem APIs and instead demanded their own partitions that they could format in their own weird way and store data in a way accessible only to themselves. Only better, because you have to remember a bunch of passwords, the files can go *poof* at any time, and the EULAs and TOSes are likely to be abusive!
Remember, when they say 'crime does not pay' they mean blue collar crime. The pen may or may not be mightier than the sword; but if you can rob somebody with one, you'll do a lot less hard time.
My suspicion would be that this is just another of Facebook's "Oh fuck, now we have shareholders to answer to" thrashing moves.
They've got crazy pageviews, lots of hours-per-month, and a huge pile of personal information; but they've been learning the hard way that cellphones are cutting into conventional page views(since even the best mobile browsers are still coping with a tiny screen), lots of hours-per-month can only really be monetized by pissing people off with increasingly aggressive ads and upsells, and that huge pile of personal information can be used either to maintain network effects or to scare users in temporarily valuable ways; but it is less obvious that it can be used for both at the same time...
We can only hope that we'll look back at them, as we now do on myspace, soon enough.
I don't think that HTML5 autoplays have become pesky enough to attract much attention; but Greasemonkey or equivalent should make detecting and neutering Video tags easy enough, even if the browser itself doesn't offer controls natively.
People are going to get pissed off at having their data get used by auto-playing video ads when they use FB for phones. Those using FB on desktops will probably figure out some way of filtering out the ads (maybe disable flash, or whatever they use to serve ads).
But if you disable flash, how can you play Zynga games?
My point is that, for NAT to work, the NAT system has to track activity between internal hosts sharing an external IP and the outside world in order to handle the address translation process. If it didn't, it wouldn't be able to rewrite a packet coming from the outside and send it on to the appropriate internal host.
So, if an outside entity knows that shared IP w.x.y.z did something, BT's NAT has to know which subscriber behind the NAT was responsible, because it would otherwise be incapable of correctly sending responses from the outside to that subscriber's internal IP.
Whether they retain this information as long as they do customIP information is unknown; but the address translation table must, for NAT to work, contain all the information needed to pin down a given activity to a given internal IP.
Given that the usual move when you have an IP and want to identify John Doe is to ask the ISP, I assume that the same principle will still work just fine. After all, if the ISP isn't keeping track of which traffic to a given IP needs to go to which subscriber, the system will break, so they will still know what the story is....
Fantastic! This will be just as wonderful as AOL was, back when they were still unsure about this whole 'ISP' fad, and offered ghastly semi-access to the internet proper. I think I just threw up in my mouth from all the nostalgia!
Let's not even talk about Adobe. Everything about their customer interaction process, whether it be downloads, activations, even getting them to take your damn money, appears to be cobbled together from a mixture of coldfusion from the mid 90's and a bitter, gnawing, hatred of all that exists, older than the primordial Void itself. All wrapped up in a ghastly AIR UI, naturally.
Based on the descriptions of the in-court hearings, the judge is completely and utterly ripshit with Prenda, so I can only imagine that he had one hell of a good time writing that ruling, once it became clear just how much hanging-yourself rope Prenda had voluntarily allocated themselves.
There's no benefit WHATSOEVER for the customer, and it's not even made the product cheaper. All it's managed to do is piss of just about everyone, probably including the poor bastards in tech support in Microsoft.
It certainly doesn't do the customer any good(and it's extra annoying on the IT side: "C'mon Microsoft, we practically have to use a truck line to transport all the money we send you every year, we keep our licensing data squeaky clean, and we still have to dick around with activation every time we push a system image to a thousand workstations? Fuck you."); but I assume that MS didn't like the good old days when everybody who ran windows and gave a damn had a nice copy of Win2k Enterprise, VLK, sometimes with 'do not make illegal copies of this disk' scrawled in sharpie on the illegal disk copy for amusement's sake....
As a university student, my uni grants access to MS products like Windows, Visual Studio etc. It really was a matter of entering a serial and that was all that had to be done. I take it off the shelf windows activates more obtusely?
If memory serves, Windows phones home some data about the platform it finds itself on when it is activated(I don't know if it is particularly identifiable, or just a hash of whatever seems likely to be system specific, or somewhere in between), and some versions can be very unhappy if they come to the conclusion that they've previously been activated on different hardware. Enough time on the phone will get you a nice guy in India who will probably be able to fix it for you; but it definitely can happen.
It's generally a lot cheaper than other medical care. Go to a hospital and come back and complain to me about a 40 dollar copay at a psychologist's office.
Depends on your insurance coverage and/or how medical services are structured, labeled, and possibly subsidized in your jurisdiction.
Because GPs/PCPs have been recognized more widely, and much longer, as a standard medical maintenance/first line diagnosis and care feature, if you have healthcare access at all, you probably have access to some sort of MD who can legally prescribe most drugs, including common psych drugs. They won't necessarily be especially well qualified in that specialty; but they will be able to do it.
Getting a psychologist, if you are under a less classy insurance plan, can be a bit more exciting(and paying out of pocket will be Not Cheap), and insurers often have somewhat onerous and byzantine restrictions on number of sessions per year, total length of regular treatment, etc.(Not that it was relevant to me; but I once had an employer-provided policy that would provide more days of inpatient detox/rehab than it would sessions of outpatient talk therapy in a given calendar year, go figure...)
Why is a build management tool doing exposed in the internet?
Amazing... next we will see the temperature controls of nuclear power plants exposed on the internet also...
No sweat, man, the client-side javacript totally validates the user input to prevent them sending an unsafe control rod configuration back to the server, it's rock solid.
Better short your stock now, kids, one of Google's competitors just 'indexed the internet of things' right in Google's office before Google did.
Tut, tut, Sergei, falling behind in the race to make the world's information accessible. I'm ashamed of you.
Did you miss the bit where proper controls and judicial oversight aren't in place?
2-wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user'(or if your security testing environment, for security and verisimilitude does actually have a bunch of consumer DSL lines set up).
Any trace of Vmware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc.(on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine(on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.
If anything, I'd expect purpose-built mockups to exhibit greater uniformity than would mockups built from the discards of an actively iterating R&D project, or functional prototypes from a reasonably late stage of an R&D project...
Even substantially less expensive gear, with a much stronger incentive for mass production(small arms, light artillery, that sort of thing) handled by well reputed defense outfits with a century of experience tends to have enough 'Block A vs. Block B' and different revisions and licensed variants and things to keep military trivia enthusiasts arguing endlessly.
I'd imagine that very low quantity development hardware from the DPRK rocketry program has a certain number of 'file to fit' and 'option plate Z goes here if stage 1 pressure test is marginal' hand-scribbled annotations on the blueprints and assembly instructions.
New York's "CityTime" timeclock/payroll system was a similar problem child. Never hand SAIC a blank check and a chance to self-supervise...
I ran into an admittedly more banal example somewhere in the 2005-2006ish range: for reasons that predated my employment, the PBX was an OS2 warp system with a bunch of custom ISA cards running on an AT whitebox in the early pentium range. When(after years of giving us absolutely no trouble) the PSU died horribly, we ended up raiding my boxed-for-storage-high-school-nerd basement junk pile for a replacement because the entire outfit didn't have a single compatible replacement.
Alas, the Oh-so-shiny NEC Turnkey Solution that replaced it has been a gigantic pain in the ass ever since, but with the added bonus of being sophisticated enough to be inextricably hooked into an obsolete version of Exchange. Hooray!
I suspect that bandwidth would get tricky on that one.
If you went with a conventional thin-client model, just transmitting screen data one way and peripheral input the other, the bandwidth requirements would be modest; but the serious color-correction and other pro users would storm the building and gouge out your eyes when they saw what the artefacts that the usual thin-client protocols introduce are doing to their work.
If you went with an upload->process->download you could easily be on the hook for multi-minute transfers, depending on the operation and how many and how large the objects being operated on are.
Oh, that's brutal. Definitely run away screaming from something that old...
But,OTOH, let's put it off until next quarter and let them worry about it.
Also, keeping the existing system has a 100% chance of being a nagging pain in the ass; but a pretty minimal chance of failing catastrophically in some novel way that the IT minions aren't already familiar with.
If we start development on a new system, it has a decent chance of being better; but a nonzero chance of going down in a firestorm of project-management failure, buck-passing, and overpriced Accenture code monkeys, which will make us look like total fuckups...
20GB is about 20 minutes of HD footage. Even for stills that's only a few hundred images if you are working in RAW. Can't imagine Adobe exects anyone to use it other than as a demo.
The first hit is free, kid, and since this 'cloud storage' only interacts with Adobe CS applications, and Adobe CS applications only interact with Adobe cloud storage or cloud storage that emulates a local filesystem, you'll have to buy expansion hits from us!
Actually, I imagine piracy is a major reason why Adobe would do this. Photoshop is probably the most pirated app of all time. Gimp will probably have a windfall of new users soon.
We'll see how it competes against "CS6-last-retail-cracked.torrent" in the marketplace of ideas(and, for that matter, unless Adobe is actually moving nontrivial amounts of computation to their servers, which will really please the DSL users crunching multi-GB layerfests, it isn't necessarily the case that Adobe's 'creative cloud' client DRM will be any stronger than their retail box DRM, from the perspective of a cracker/release group, though it very likely will be much more effective at ensuring compliance among users on number of seats and timely upgrades to the newest version).
"Cloud" storage. And I'm not going to pay for it.
Even if you do want 'cloud' storage(it certainly has its uses), the trend of getting little tiny bits of it bundled under a zillion different credentials and EULAs and TOSes, from a bunch of different outfits that you are just trying to buy some other product from(and, excitingly, often hooked to specific applications, rather than some reasonably normal network file transfer mechanism) is totally fucked.
Yeah, I really want 5GB over here on dropbox, with one set of credentials, security issues, and iDevice applications that can sorta-kinda treat that 5GB as their filesystem; then another few GB over here on Skydrive, so that they work properly with MS' hotmail file attachment features, and then 20GB over here with Adobe that only 'Creative Cloud' applications can see...
It's a loss is basically every important respect: the credential soup is a pain in the ass and a likely security hazard, the fragmentation means that you need to manually shuffle around and/or duplicate files to support workflows that attempt to cross the ghastly little vendor silos, and the fact that the first-hit-is-free size limits are generally low creates an incentive for the vendor to gouge you on upgrades(If 'Creative cloud' only works with magic Adobe cloud storage, do you think that their per-GB overage prices will necessarily adhere to market norms for commodity cloud storage?).
It's as though a substantial fraction of your applications refused to use the OS's filesystem APIs and instead demanded their own partitions that they could format in their own weird way and store data in a way accessible only to themselves. Only better, because you have to remember a bunch of passwords, the files can go *poof* at any time, and the EULAs and TOSes are likely to be abusive!
Remember, when they say 'crime does not pay' they mean blue collar crime. The pen may or may not be mightier than the sword; but if you can rob somebody with one, you'll do a lot less hard time.
My suspicion would be that this is just another of Facebook's "Oh fuck, now we have shareholders to answer to" thrashing moves.
They've got crazy pageviews, lots of hours-per-month, and a huge pile of personal information; but they've been learning the hard way that cellphones are cutting into conventional page views(since even the best mobile browsers are still coping with a tiny screen), lots of hours-per-month can only really be monetized by pissing people off with increasingly aggressive ads and upsells, and that huge pile of personal information can be used either to maintain network effects or to scare users in temporarily valuable ways; but it is less obvious that it can be used for both at the same time...
We can only hope that we'll look back at them, as we now do on myspace, soon enough.
I don't think that HTML5 autoplays have become pesky enough to attract much attention; but Greasemonkey or equivalent should make detecting and neutering Video tags easy enough, even if the browser itself doesn't offer controls natively.
People are going to get pissed off at having their data get used by auto-playing video ads when they use FB for phones. Those using FB on desktops will probably figure out some way of filtering out the ads (maybe disable flash, or whatever they use to serve ads).
But if you disable flash, how can you play Zynga games?
My point is that, for NAT to work, the NAT system has to track activity between internal hosts sharing an external IP and the outside world in order to handle the address translation process. If it didn't, it wouldn't be able to rewrite a packet coming from the outside and send it on to the appropriate internal host.
So, if an outside entity knows that shared IP w.x.y.z did something, BT's NAT has to know which subscriber behind the NAT was responsible, because it would otherwise be incapable of correctly sending responses from the outside to that subscriber's internal IP.
Whether they retain this information as long as they do customIP information is unknown; but the address translation table must, for NAT to work, contain all the information needed to pin down a given activity to a given internal IP.
Given that the usual move when you have an IP and want to identify John Doe is to ask the ISP, I assume that the same principle will still work just fine. After all, if the ISP isn't keeping track of which traffic to a given IP needs to go to which subscriber, the system will break, so they will still know what the story is....
Fantastic! This will be just as wonderful as AOL was, back when they were still unsure about this whole 'ISP' fad, and offered ghastly semi-access to the internet proper. I think I just threw up in my mouth from all the nostalgia!
Let's not even talk about Adobe. Everything about their customer interaction process, whether it be downloads, activations, even getting them to take your damn money, appears to be cobbled together from a mixture of coldfusion from the mid 90's and a bitter, gnawing, hatred of all that exists, older than the primordial Void itself. All wrapped up in a ghastly AIR UI, naturally.
Based on the descriptions of the in-court hearings, the judge is completely and utterly ripshit with Prenda, so I can only imagine that he had one hell of a good time writing that ruling, once it became clear just how much hanging-yourself rope Prenda had voluntarily allocated themselves.
There's no benefit WHATSOEVER for the customer, and it's not even made the product cheaper. All it's managed to do is piss of just about everyone, probably including the poor bastards in tech support in Microsoft.
It certainly doesn't do the customer any good(and it's extra annoying on the IT side: "C'mon Microsoft, we practically have to use a truck line to transport all the money we send you every year, we keep our licensing data squeaky clean, and we still have to dick around with activation every time we push a system image to a thousand workstations? Fuck you."); but I assume that MS didn't like the good old days when everybody who ran windows and gave a damn had a nice copy of Win2k Enterprise, VLK, sometimes with 'do not make illegal copies of this disk' scrawled in sharpie on the illegal disk copy for amusement's sake....
As a university student, my uni grants access to MS products like Windows, Visual Studio etc. It really was a matter of entering a serial and that was all that had to be done. I take it off the shelf windows activates more obtusely?
If memory serves, Windows phones home some data about the platform it finds itself on when it is activated(I don't know if it is particularly identifiable, or just a hash of whatever seems likely to be system specific, or somewhere in between), and some versions can be very unhappy if they come to the conclusion that they've previously been activated on different hardware. Enough time on the phone will get you a nice guy in India who will probably be able to fix it for you; but it definitely can happen.
It's generally a lot cheaper than other medical care. Go to a hospital and come back and complain to me about a 40 dollar copay at a psychologist's office.
Depends on your insurance coverage and/or how medical services are structured, labeled, and possibly subsidized in your jurisdiction.
Because GPs/PCPs have been recognized more widely, and much longer, as a standard medical maintenance/first line diagnosis and care feature, if you have healthcare access at all, you probably have access to some sort of MD who can legally prescribe most drugs, including common psych drugs. They won't necessarily be especially well qualified in that specialty; but they will be able to do it.
Getting a psychologist, if you are under a less classy insurance plan, can be a bit more exciting(and paying out of pocket will be Not Cheap), and insurers often have somewhat onerous and byzantine restrictions on number of sessions per year, total length of regular treatment, etc.(Not that it was relevant to me; but I once had an employer-provided policy that would provide more days of inpatient detox/rehab than it would sessions of outpatient talk therapy in a given calendar year, go figure...)