Slashdot Mirror

User: wierd_w

wierd_w's activity in the archive.

Stories: 0
Comments: 3,581

Comments · 3,581

  1. Sure.. Why not? Already stuffed by Bing! on Xbox One Update Adds Cortana (theguardian.com) · · Score: 4, Insightful

    I bought a new Xbox One some time ago. The thing is so deeply integrated with Bing it makes me sick.

    Now they are adding Cortana, presumably so they can use her amazing data mining capabilities for some undisclosed reason. Since she is basically the strapon for Bing, they might as well go all in, instead of just the tip.

    Looks like it is time to look for the microphone and pour superglue into it. Good luck listening to me then, Microsoft.

  2. If done RIGHT, internet connectivity of the network of devices inside the car has all kinds of benefits.

    1) Devices that control fuel efficiency can have their firmware updated by the manufacturer OTA, improving the product without ever taking it to a dealership for service.

    2) Anomalies in function can be solved through the same mechanism as 1 above.

    3) The obvious: map data, fine location sensing from known wifi hotspots nearby, cloud data services, and other directly user-facing capabilities.

    The issue: These vehicles do NOT do it right. They act like a local wired LAN, with each connected system treating the others as trusted peers, with no challenge/handshake or encryption. There is no digital signature checking on firmware or map data downloads, so man-in-the-middle or local hacks are easy. These are terrible things, done out of cheapness and laxity of consideration for secure designs.

  3. But a good chunk of the legal experts in the country INSIST that tort reform isn't necessary!

  4. I remember about 8 years ago, mentioning that the proposed smart cars the industry was crowing about would be a hacker's paradise, because of compounding costs of manufacture driving security based design out the window.

    Seems I was right, despite all the loud objections I got that called me crazy. Fancy that. /shameless self promotion

    Really, these recent reports of hackable cars all fail for the same reasons: The car's internal network is presumed secure, instead of presumed hostile. This ignores the primary rule of security-- if you can get local access, the security should be assumed broken.

    Ideally, the data being sent through the internal network should be encrypted with unique keys between components, initially seeded at the factory with unique one time pads. The wifi network should be isolated completely from the internal network as well, and any instruction given should have a handshake challenge before being accepted.

    All of those things will increase the costs of the vehicle considerably though, which is why none of the manufacturers are doing it.

    It will require federal legislation to impose regulations for vehicle safety before that happens.
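Comments 2 and 4 above describe the design they want in place of "trusted peers on a wired LAN": a unique key per pair of components, provisioned at the factory, and a challenge/handshake that every instruction must answer before it is acted on. The following is an added example written for this archive, not code from the commenter or from any vehicle vendor. It models only the authentication half of that design (the per-pair key and the challenge/response), not payload encryption, and the component names, the `Ecu` class, the factory secret and the sample commands are all constructed for illustration.

```python
"""Challenge/response between in-vehicle components with per-pair keys.

Added example: each pair of components shares a key derived from a
factory-provisioned secret, every command must answer a fresh challenge
from the receiver, and the receiver rejects anything from an unknown peer,
anything with a bad tag, and any replay of an already-used challenge.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def pair_key(factory_secret: bytes, a: str, b: str) -> bytes:
    """Derive a unique per-pair key; sorting the names makes it symmetric."""
    pair = "|".join(sorted((a, b))).encode()
    return hmac.new(factory_secret, b"pair-key:" + pair, hashlib.sha256).digest()


@dataclass
class Ecu:
    name: str
    keys: dict                                    # peer name -> shared pair key
    pending: dict = field(default_factory=dict)   # peer -> outstanding challenge
    seen: set = field(default_factory=set)        # (peer, nonce) already consumed
    accepted: list = field(default_factory=list)  # commands actually executed

    def challenge(self, peer: str) -> bytes:
        """Receiver side: issue a fresh random nonce for one command from `peer`."""
        nonce = os.urandom(16)
        self.pending[peer] = nonce
        return nonce

    def respond(self, peer: str, nonce: bytes, command: bytes) -> bytes:
        """Sender side: bind sender, receiver, nonce and command under the pair key."""
        msg = b"|".join([self.name.encode(), peer.encode(), nonce, command])
        return hmac.new(self.keys[peer], msg, hashlib.sha256).digest()

    def accept(self, peer: str, nonce: bytes, command: bytes, tag: bytes) -> bool:
        """Receiver side: execute `command` only if it answers an outstanding,
        never-used challenge with a valid tag under the shared pair key."""
        if peer not in self.keys:
            return False                          # unknown peer: no trust by default
        if self.pending.get(peer) != nonce or (peer, nonce) in self.seen:
            return False                          # stale, forged or replayed challenge
        msg = b"|".join([peer.encode(), self.name.encode(), nonce, command])
        expected = hmac.new(self.keys[peer], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                          # wrong key or tampered command
        self.seen.add((peer, nonce))
        del self.pending[peer]
        self.accepted.append(command)
        return True


def demo() -> dict:
    """Run a genuine exchange plus three attacks; returns what the receiver did."""
    factory_secret = b"constructed-factory-secret-not-a-real-key"   # constructed
    names = ["engine", "infotainment", "brakes"]

    def keyring(me: str) -> dict:
        return {o: pair_key(factory_secret, me, o) for o in names if o != me}

    engine = Ecu("engine", keyring("engine"))
    infotainment = Ecu("infotainment", keyring("infotainment"))
    cmd = b"SET_ECO_MODE=1"

    # 1. Genuine exchange: challenge, authenticated response, accepted.
    n1 = engine.challenge("infotainment")
    genuine = engine.accept("infotainment", n1, cmd, infotainment.respond("engine", n1, cmd))

    # 2. Replay of the exact same (valid) message is refused: nonce already consumed.
    replay = engine.accept("infotainment", n1, cmd, infotainment.respond("engine", n1, cmd))

    # 3. Tampered command under a valid nonce fails the tag check.
    n2 = engine.challenge("infotainment")
    tampered = engine.accept("infotainment", n2, b"SET_ECO_MODE=0",
                             infotainment.respond("engine", n2, cmd))

    # 4. A node with no factory key is refused before any crypto happens.
    unknown = engine.accept("rogue", os.urandom(16), cmd, b"\x00" * 32)

    return {"genuine": genuine, "replay": replay, "tampered": tampered,
            "unknown_peer": unknown, "executed": len(engine.accepted)}


if __name__ == "__main__":
    print(demo())
```

The receiver's `pending` and `seen` state is what turns a shared key into a handshake: a valid tag alone is not enough, the message must answer the nonce this receiver issued and that nonce must never have been used before. Rejecting unknown peers before any tag check is the "presumed hostile" default the comments ask for.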

  5. The obvious answer on Apple Offers No Explanation for 7-Hour Outage (nbcnews.com) · · Score: 1

    Seriously-- iTunes and all associated services run on storage controllers.

    To me, the obvious answer is a botched OS upgrade on the storage controller head units.

    If memory serves, Apple uses NetApp controllers. By now, the support for ONTAP 7 should be nearing the end of the legacy support stage. That means data migration to clustered mode in ONTAP 8.

    Most likely, they established a SnapMirror relationship with the new filer equipment, and got the data transferred, but couldn't get the VIF configuration right-- or their 7-mode filer pair went into a takeover-giveback loop cycle of panics.

    Not saying NetApp is bad equipment, just saying things can and sometimes do happen in a deployment upgrade.

    I don't have access to anything that would give me insider knowledge of exactly what happened, but these seem like plausible explanations for an extended, unplanned 7-hour downtime.

    It could also be a Fibre Channel switch deciding it needed to drop its configuration data and act all goofy, taking out a big chunk of the fabric.

    Or worse still, a combination of the two.

    I seriously doubt it was planned or malicious.

  6. Re:This fixes a UI failure on Microsoft Removes the 'X' From Windows 10 Update Leaving No Way Out (theregister.co.uk) · · Score: 1

    If Microsoft decides that it needs to ignore user permissions for its updater, that means there is an alternate code path for getting elevated permissions baked in. If MS is doing that, they are inviting a wave of zero-day exploits like they have never seen before. (All the attacker needs to do is co-opt the update code path, and use it to drop anything anywhere they want!)

    E.g., Microsoft would be doing something genuinely malware-like, and would be playing Russian roulette with malware authors just so they can put an annoying autoinstaller on your system.

    I like the prior suggestion from another poster; create a file instead of a folder. This further complicates matters, because it requires a means to delete highly protected files before the update can succeed. Even if the installer was able to ignore the restrictions on the folder-based idea, and drop shit inside, the file-based idea would fail, because it would just append data to the file unless you delete the file first, then create a folder, then install.

    Sitting on the update process with a debugger running would score you the entrypoints for the priv escalation. (easy enough to do in a VM)

    I seriously doubt that even MS is THAT stupid. If they are that stupid, they deserve the bad press they will get when literally every Win7 and Win8 deployment gets backdoored hard by malware authors.

    A similar, but less sure-fire way to block the update is to place a dummy .MSU file in the update cache folder with such protections, with the same names as the undesired updates. Windows Update will then fail on the download phase of installing them, because it cannot create the files. It could just rename the download to evade it though.

    My method has worked for me so far.

  7. Re:Somewhere, in a darkened office... on Microsoft Removes the 'X' From Windows 10 Update Leaving No Way Out (theregister.co.uk) · · Score: 1

    Let me google that for you.

    https://www.google.com/webhp?c...

    Basically, it means being needlessly exaggerating, over the top, or employing puffery.

  8. Re:This fixes a UI failure on Microsoft Removes the 'X' From Windows 10 Update Leaving No Way Out (theregister.co.uk) · · Score: 4, Interesting

    The issue here is that MS is acting like they are confused over what the user wants.

    They want to assert that the user has given permission, and that this is the end of the story. Users assert that they have said NO to the installer many times, and have even turned on the friendly registry flags to tell MS that they don't want the upgrade.

    MS has ignored these, and done upgrades anyway, getting more and more forceful and obstinate.

    So, force them to do something clearly malware-like:

    When you first set up your new Win7 deployment, proactively create a folder named GWX under %systemroot%.

    Good. Now, set an ACL on it. (You can do this from the command line on versions of Windows that neuter the GUI, "because end users don't need that.") Put an express DENY (no, not just uncheck allow, like you were trained to. No, outright deny. We really mean it.) on write, read, and execute, with propagation to child objects enabled, and do this for TrustedInstaller and System users, as well as the administrators group, and the builtin admin user. Only allow redaction of the change from your own, personal administration account that needs your password to be used.

    Turn on automatic updates.

    Watch as the GWX "update" fails to install, each and every time Microsoft tries to install it.

    Give MS the finger, and laugh.

  9. Re:Somewhere, in a darkened office... on Microsoft Removes the 'X' From Windows 10 Update Leaving No Way Out (theregister.co.uk) · · Score: 1

    Being bombastic is part of the humor, oh dull one.

  10. No, you are rationalizing a decision to do something to someone.

    The non-decision to click next to everything, which is where the "install recommended updates automatically" option pops up during first product activation, is an automatic one TO USE THE COMPUTER. It does not mean "rape me!"

    Even if it did mean what you try so hard to say it means, the user may well decide that yes, they want updates to the OS they have installed-- not to install a new OS, especially since the OS they currently have has 4 more years of support-- which is the sensible way to interpret that, assuming you consider it a rational, active choice. (which for most users, it is not.)

    Microsoft is placidly calling an OS upgrade to a new OS an update to an old OS. These are not the same things, and what MS is doing is wrong in both contexts.

  11. NO.

    BOTH are AUTOMATIC decisions, done from rote repetition.

    The woman puts on her makeup, as she always has.
    The computer user clicks next on everything as they always have.

    The insistence that either is a conscious, willful choice to have something done to them is sick. Get over yourself.

  12. Re:get over it on Microsoft Removes the 'X' From Windows 10 Update Leaving No Way Out (theregister.co.uk) · · Score: 4, Insightful

    "She obviously wanted it! If she didn't, why was she showing leg under that slutty red and black dress, and wearing whore makeup at night like that!"

    Because that's what the "You did agree! You had suggested updates turned on!" really amounts to.

  13. Somewhere, in a darkened office... on Microsoft Removes the 'X' From Windows 10 Update Leaving No Way Out (theregister.co.uk) · · Score: 5, Funny

    There lies the domain of the MS Marketing director, who, having submitted to the mandatory prefrontal lobotomy (a corporate requirement for the position), sits within the pallid cool glow of his curved LED monitor, and simply cannot fathom what is making the users angry.

    "It costs too much!" he mocks. "Make it free like OSX!"

    So we do-- We make it a free update! We put it on Windows Update, so it is convenient. Our telemetry tells us that most of our users don't subscribe to MSDN news sources, so we make it super easy to inform them about the update with the GWX app...

    But there is no pleasing them!

    First, they say that using Windows Update to spread awareness is a misuse of the critical update delivery pipeline-- So, we deploy additional telemetry software to verify the claim, and help synergize with development for the new programming APIs we will use going forward, and now they complain we are spying on them!

    So, we install those telemetry updates in updates more specific to that development harmonization, and they freak out even more!

    Corporate wants to know why these users aren't on board with Windows 10, despite the free upgrade, and won't get off my back! What am I supposed to tell them, since those users keep uninstalling the telemetry suite that would let us know more about the issue!

    Now, to top it all off, they complain about the functionality of the close button widget.

    Ok, so we change the behavior-- they are still mad.

    Ok, so we REMOVE the widget-- Even angrier!!

    What is it that these people want!!?

    (At this point, an intern enters the dread specter of marketing's office with a thick slab of useless paper copy to make his daily delivery, since despite email being a thing for over a decade, there are those in corporate that still insist on old fashioned interoffice memos. In a quivering, mewling tone reminiscent of a prepubescent youth, the freckled mouse of a man hazards a conjecture to his corporate master, knowing the perils of doing so.)

    Perhaps they just don't want the update, and don't want to be told about it anymore?

    At this, the dread specter of marketing erupts into a Ballmer-esque frenzy, toppling his chair, and spraying thick droplets of foaming spittle as he rages--

    DON'T WANT THE UPDATE!? DON'T WANT IT!?

    he shrieks, grabbing the thick slab of papers from the poor intern's hands, then throwing them in the air.

    FIRST THEY COMPLAIN ABOUT HAVING TO PAY EVERY 3 YEARS, THEN WHEN WE RESTRUCTURE FOR THE NEW ADVERT MODEL, THEY DON'T WANT THE UPDATE!?

    Cowering on the floor, desperately trying to recover and recollate the precious memos that justify his position in the company, the intern timidly responds.

    Perhaps they wanted us to respect their choice of when to do the update?

    FUCK-EM! the prince of darkness snarls, returning to his desk and grabbing the back of his chair in a livid clawing motion. WE HAVE A SCHEDULE TO MEET, AND WE ARE BENDING OVER BACKWARDS FOR THESE INGRATES!

    Does that mean that we will proceed with the forced updates sir?

    The room fills with a thick, suffocating silence for a good seconds, as the knuckles on the back of the chair turn white with rage-clenching, followed by unnatural relaxation. In a now buttery smooth, and altogether inhumanly relaxed tone, the dread specter of marketing smiles deeply..

    Of course we will. We owe it to them, after all.

  14. Re:There actually is value... on Startups Can't Explain What They Do Because They're Addicted To Meaningless Jargon (qz.com) · · Score: 4, Insightful

    That is a HORRIBLE surrogate metric for determining quality.

    The competency of their marketing department has no bearing on the competency of their engineering department.

    I have seen brilliant and innovative things totally hamstrung by lackluster marketing, and I have seen total filth that isn't worth even a cursory examination being presented in brilliant marketing materials.

    How well they transcribe into obscure verbiage is a talent of the marketer. I can see wanting to make sure their marketing department is up to the task, since good products fail from bad marketing, but determining the value of the product from the marketing pitch?! What are you smoking?!

  15. Re:Ahhhh.. fucking synergy again on Startups Can't Explain What They Do Because They're Addicted To Meaningless Jargon (qz.com) · · Score: 2

    Will you also streamline production and maximize shareholder value?!

  16. This is just the latest crop of buzzword bingo fruit that was sown 10 years ago, when recruiters, HR drones, and venture capitalists started looking for absurd words on the coversheet.

    That modern proposals resemble something coming from a Markov Chain generator script should come as no surprise to anyone. "Professional Resumes" look just as bad, with non-speak like "X years' experience in a fast-paced, competitive environment", when what they really mean is that they spent X years in the trenches of level 1 support purgatory.

    Industry in general is addicted to useless jargon. Startups are just industry 2.0, and have enhanced the practice.

  17. If they have a lower TDP chip with the same power- on True Desktop Class Nvidia GTX 10-Series Cards Coming To Notebooks In Few Months (pcgamer.com) · · Score: 1

    Why are they making and selling chips that gobble down the juice and roast the insides of desktop systems?

    I mean, really? I can see liquidating old stock, but if the new chips and designs are just as powerful for less juice, why not incorporate across the whole line?

  18. Re: The NAND isn't 20nm on Samsung Starts Mass Producing New 512GB NVMe SSD That's Smaller Than a Stamp (pcworld.com) · · Score: 1

    The idea here is not to drive an SD card that fast (that won't work, because that is not how SD cards are designed to work.).

    The idea is to create an SSD socket that looks and feels like an SD card type form factor for practical handling, transport, and installation purposes, but which is actually its own thing inside, capable of SSD type speeds over a very short serial interface. (The interconnect will measure in centimeters! Noise from high speed transmission will be minimal.)

    By having a device like that, in such a slim package, many data aggressive devices can be improved-- photographers are the ones driving SD card speeds. If they could jam an M.2 SSD into a camera, they would do it. M.2 is not meant for hot swapping, but there IS a class of SATA III that *IS*. Look it up.

  19. Re: The NAND isn't 20nm on Samsung Starts Mass Producing New 512GB NVMe SSD That's Smaller Than a Stamp (pcworld.com) · · Score: 1

    A drive going too fast for the interface is a tolerable problem that can be solved later.

    A drive that is needlessly slow on the other hand....

    Again, the idea here is for a friendly socket, like SD card, into which such a tiny SSD can be inserted easily. SATA is just a nice industry standard interface with existing drivers that can be leveraged. You see this frequently with M.2 based SSDs. They present themselves as really fast SATA devices on their own dedicated controller. The idea here would be similar.

    If you are concerned that the media is too fast for SATA, then give it a whole new interface to use, but be aware that adoption will be tricky.

    Regardless, SATA III speeds are light-years faster than existing SDXC cards, even in the extended class 3 and 4 varieties. The digital camera market would eat it up like candy.

    Offering it as an option on a tablet makes an otherwise unappetizing toy into an interesting prospect for purchase.

    etc.

  20. Re:"honestly"???? on Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com) · · Score: 1

    I agree, which is why I took option 2.

    The problem is that when confronted with almost certain reprisal of the legal kind (corporations are sociopaths, and DO NOT engage ethically! If they can make you into a boogieman that just wanted to harm their customers, truth be damned-- it means that they can lie, say their systems are perfectly secure from most types of intrusion (despite the objective reality), and that by apprehending and prosecuting you, they have removed the threat to their customers. Their customers don't know any different, the corporation DOES NOTHING to improve security, all the while other, less ethical hackers are silently just scooping the details and making use of it clandestinely.) the choice becomes:

    Report, and be hanged publicly-- atrocities continue.

    Force the atrocities to light by giving the details to literal thugs, who then blow the lid off the thing with their excesses-- FORCING the atrocities to be stopped.

    Either way, you are assured of being reamed. One of the two assures the atrocities stop.

    That one is the most ethically dubious.

    Denial is first and foremost what these big corps do, when confronted with an ethical disclosure. It costs nothing to do nothing, and anything that costs them extra detracts from shareholder value. Detracting from shareholder value is the single cardinal sin for corporations. Imaginary losses that could happen are not their concern. Downplaying the severity of the problem and ignoring it is their tactic of choice. Ironically, this is why many young greyhats feel it necessary to scrape data from the unsecured server-- It PROVES that the server is insecure. It also proves that they did illegal access. The corporation already retains a legal team. Siccing them on you is an already justified business expense. Fixing the problem is not. They choose to fix the problem by arresting you, because ignoring the problem is easier and cheaper.

    As an ethical reporter, you observe this. You see that people's data is being treated in a very dangerous and negligent manner. You consider it unethical to turn a blind eye to this, because this is people's privileged data they are mishandling. As a single person, who is disadvantaged from a legal position from the start, you only have the two above options. You can choose to martyr yourself and accomplish only your own downfall, or you can expose it publicly, see an initial outbreak of people being hurt, but rest assured that the hole WILL be fixed, and that after this period no further people will be silently victimized.

    The ideal solution is to come forward and be protected for coming forward, and for the legal system to focus its attention on the negligent actions of the data's administrators for gross mishandling-- But that isn't how the world works.

    Judges don't know the first thing about advanced searches, or why you might be looking for a publicly exchanged file from yesteryear that is no longer available from the original download source-- They eat the sob story about how you shamelessly violated some server somewhere, greedily seeking data that was not meant to be public, out of pure greed and malice. Because they don't know any better.

    The media? They LOVE sensationalism, and "Evil hacker apprehended!" sounds so much better than "Data mismanagement leads to case of wrongful prosecution."

    You are an ethical discloser. Your first and major desire is to see that the hole is closed. You see that the game is rigged.

    You can choose to be impotent, and get slaughtered.

    OR, you can choose to cause some chaos to ensure that no further harm happens later, and get slaughtered.

    Either way, you will get slaughtered. The first one is the most ethical from a personal behavior point of view-- conducting one's self in the most ethical way they can, despite the poor outcome of abuse continuing silently. The second is the most ethical from the total societal point of view-- You exchange an unknown degree of abuse against an unknowing public, i

  21. Re:"honestly"???? on Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com) · · Score: 1

    That's part of the problem here-- The person who makes the discovery is systematically excluded from being considered a "good guy", because under the prevailing laws, they did indeed access privileged information without proper authorization. That this happened accidentally, or as a result of a completely harmless search is not important, and the prosecutor will attack with vengeance all the same.

    This leaves this person, who wants to do what is right (or what they perceive to be right), stuck with only bad choices.

    1) Ignore the whole thing and hope nobody audits the logs.

        Ethical conundrum-- Knows that people's data is being leaked, and is very easy to obtain, understands consequences, has to rationalize potential victimization of those people against personal legal safety. Not pleasant.

    2) Report the problem ethically, and risk being arrested for criminal hacking, and being drummed up as some dread pirate roberts of the hacking world, because some prosecutor has a hardon for being officious.

    Ethical conundrum-- Knows that most instances of ethical disclosure do not result in closure of the security hole, and that doing so will almost certainly get them arrested, depending on who is leaking the data, and what data is being leaked.

    3) Report the problem as a zero day and get paid for it, and use the money to evade prosecution-- know that people WILL have their data stolen and exploited, but that further use of the exploit will be stopped.

    Ethical Conundrum-- Knowingly causes other people to be harmed, but also knows the potential for abuse will stop. Has a possible way of evading being punished by the legal system for essentially being a witness to criminal negligence.

    Note, none of those are particularly ethical, and any one of them has their pros and cons-- The properly ethical route-- report, be assured safety for reporting, and being assured the hole will be closed, is not on the table.

    A good deal of this modern hacking shit could be stopped in its tracks by fair legislation that makes ethical disclosure a sacrosanct act, with consequences for non-action on the side receiving the notice.

    But no, the fiction of supervillain hackers who only want to cause chaos and disruption is too attractive to the media and court systems, and there is no financial incentive for big business to submit to that kind of thing over immediately trying to use the legal system to silence witnesses.

    I expect it will be a cold day in hell before such a protection is even discussed, let alone implemented.

    And in that time, the position of ethical reporters will only get worse and worse, ever more favoring taking the money and running.

  22. Re: The NAND isn't 20nm on Samsung Starts Mass Producing New 512GB NVMe SSD That's Smaller Than a Stamp (pcworld.com) · · Score: 2

    You can already get 256GB SD cards.

    What I am more interested in, is why isn't there a more user friendly SSD socket type out there akin to SD card.

    Your typical SD card socket has ample interconnect leads and good enough conductivity to be driven similarly to a SATA device, and could even be seen as a SATA device. If this device is that small, the market for field upgradable SSDs on ultrathin or ultracompact devices at SATA speeds is a deal changer. It makes me wonder why nobody has done it yet.

    I could see constraints on SD card based designs, as the addressing and write optimizing methods aren't really tailored to full speed SATA operation, but an actual SSD design in that size range is another creature altogether. A brand new SD card type with no back compatibility driving at full SATA600 speeds would be phenomenal. They would outright dominate the digital camera market, and would enable a whole host of ultra-thin devices to get reasonable upgradable storage.

    I say this because at that size, the 6 or so pins on a SATA connector could be upgraded to 8, (for DC power), the whole thing COULD be SD card sized, AND bitching fast.

  23. Re:You have to know how to secure a Windows 10 PC on Ask Slashdot: Would You Recommend Updating To Windows 10? · · Score: 1

    No, clearing the print spooler does exactly what it says on the tin.

    You are just thinking that printers still only have 32k of memory inside them and need constant spoonfeeding (the reason print spooling even became a thing.*) Printers these days take multiple jobs all at once from the spooler, then handle document management internally. Clearing the Windows spooler just stops more jobs being sent to the printer, it doesn't really remove jobs being run on the printer. You still have to manually cancel a hung job at the printer in most cases.

    *Way back in the day, it was very hard to multitask, and the hardware was crappy. That's one of the reasons why print servers with a print queue were a thing-- A single computer does nothing but spoonfeed a weak-kneed impact printer over its LPT port, and accept incoming jobs over a network connection. This let an end user spam out a job, then get back to work, instead of having the OS juggle spoonfeeding the printer and doing user-oriented tasks at the same time, slowing both tasks down. When the printer was being spoon fed, a job would terminate if the queue was emptied, because the printer would stop being fed, and would end the job. Not so anymore.

  24. Re:You have to know how to secure a Windows 10 PC on Ask Slashdot: Would You Recommend Updating To Windows 10? · · Score: 1

    There is a stand-alone update to address that very issue.

    https://www.reddit.com/r/sysad...

    I keep a locally cached version of the update along with the offline SP1 and IE11 installers for doing Win7 reloads. Saves ages of time and hassle. You can never be too sure which systems will suffer the dreaded "can't properly run Windows Update" problem. Better to just proactively install the fix.

  25. Re:"honestly"???? on Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com) · · Score: 1

    If you note, that is precisely what I was pointing out-- it all revolves around the motive.

    These days, in the climate of people being arrested for pointing out a serious issue, stumbled upon innocently, for technical infractions of modern antihacking laws-- The potential exists for people that just want to see the server fixed, having to resort to unscrupulous practices to see that this happens, where in the past a friendly letter sufficed.

    In such cases, the "extortion" is only a means, not the end. The desired end is properly secured servers, and proper treatment of sensitive data.

    That's why I responded the way I did. These days, I would be torn between not reporting the exposed server at all (safest), or naming and shaming. If it was a corporate or bank server, I would be seriously fearful of "assertive prosecution"-- possibly enough to consider digging the hole deeper by selling access of the data to secure a way out of the country to evade prosecution- especially if the breach was really severe.

    Now, wouldn't it just be better for everyone if there was some good samaritan verbiage on ethical disclosure instead?

    People can only do the right thing, when it is safe for them to do the right thing.