Given that virtually anyone is still transmitting 4:3 ratio and every new widescreen TV I've come across defaults to showing it in 16:9 mode it doesn't surprise me that everyone thinks we have a fat problem..:-)
Lending is a consensual act between two adults, one of which is not financially astute and the other one is very likely to be on the wrong side of gray in their business practices.
Sorry, there IS reason to be very alert because there is enough margin in regulations for people to scam the crap out of the average Joe. And remember, going to court costs money - the money they just took.
There are ways to make money ethically, it just appears more and more that few bother.
The problem with those toys is that they have become business critical without having the capability to be in that position. I worked in the Global IT Risk Management section of a large bank for a while (non-UK), and -irony of ironies- their core risk management DB was in Access, and their way of speeding up this dog was to ship it to a fat terminal server in India and use Terminal Services.
The contractor in charge of this thing has a job for life, so he's not going to change it, inefficient as it is with multiple users accessing it (and license limits) and the company is too resource starved to do anything about it, so at the core of these guys' risk management processes sits.. a huge risk. The irony is IMHO breathtaking, especially since what it does is so basic it would take even an average college graduate with web and MySQL or PSQL skills two weeks to replicate the functionality, but documented (and a heck of a lot faster). I think it would have the shortest ROI time ever. It gets worse: the sole contractor who knows this thing.. is leaving.
And that's not where it stops. Once something like that works, everyone else piles on top of it with custom reports, other datafeeds, and before you know it you have the complex web of interdependencies Microsoft likes to keep itself in business, all built on the loose sand called Access. When that falls over, a large part of the business will fall on its nose, and I've had friends spend months unravelling stuff like that whilst keeping the show going at the same time.
Non-IT people should stay away from toys. Use it for Proof of Concept, thanks, but then let's use something sensible as core platform.
Access (and Excel, for that matter) have also enabled people to hack up 'business solutions' without the required baseline skills to evaluate if their 'solution' is actually technically, economically or logically correct.
In an age where transparency in the decision process is ever more important I keep coming across these 'solutions' where the original architect has long vanished, the decision model is at best unclear and is NEVER properly documented and sometimes whole departments depend on the result of such a black box.
The problems that causes are immense. Apart from the failure risk (those things are rarely backed up in a way that agrees with their importance), there's also the problem that such a model bears no scrutiny and is almost impossible to adapt to changing business situations, nor is it obviously under a decent change control mechanism.
Having said that, Access did at least enable people to discover what IT can do for them, as long as they don't think that hacking something together in Access makes them IT specialists. Access has sometimes allowed clients to model a Proof Of Concept quickly, although some of them seem to be switching to OpenOffice's Base (no specific reason, I just started to come across it). I must have a look at that..
Caveat: I had Vista "for Business" before I zapped it.
I bought a spare Sony VAIO (SZ4XWN), and was told it was not possible to have XP on it. Well, for a combination that was allegedly "Vista ready" it sucked seven ways from Sunday. IE hung pretty much continuously unless I ran it as 'admin' (i.e. gave it the rights it should NEVER have), I had to wait for a Vista ready version of quite a lot of software (including anti-virus) and it hung for the most bizarre reasons, not exactly helped by the heap of crap that Sony insists on adding to a system.
In the end I gave up, put Linux on it and VMWared a freshly bought copy of XP Home. I just rebuilt it as Sony has eventually caved and produced XP drivers for this machine - it now works very well.
So, my *own* experience with Vista has been crap. I have since been told that the "Business" version is indeed the worst of the lot, which I find insane - that's where they could have made inroads. Instead, it's been the best marketing for both the Apple and Linux camps ever..
Well, yes, a death thread is meaningless - that's just a load of usenet messages with a questionable topic:-).
However, the problem with a death threat is that it could be genuine. There are apparently a few signs that indicate a 'genuine' one, and then (as I said before) we arrive at the question of liability. If something goes wrong and you had the information to at least try to prevent it from happening there is a question about your liability.
And if I receive a death threat I will damn well find out who and what if I can manage.
I don't know about the US but the issue of such a threat *IS* actually illegal in quite a few countries.
I think one has to be careful with Freedom of Speech claims. I find it interesting that many people seem to get up in arms about their rights but seem to conveniently ignore that rights always come accompanied by obligations. You can't have the one without the other. The classic antidote against Freedom of Speech is the yelling of "Fire!" in a theatre. Freedom of speech or not, if you do that you'll be arrested, and if someone dies in the stampede it'll end up being your liability.
Your argument would be valid if sharing music had consequences as dangerous as ignoring a death threat, and NAT is just one of the many flaws in the RIAA arguments. Moreover, that's just the technical side, we haven't even started on the abuse of procedure which is what is biting them as well (although I can't help wondering why it took so long for judges to recognise the abuse).
But the best argument is that file sharing is not going to kill anyone - ignoring a potentially valid death threat is. Not just from a human perspective, also from a liability perspective it strikes me as having just a little bit more power and I deem it thus less (not "NOT", just "less") likely that someone will make dumb absolute statements like the RIAA has made.
Yeah, right, a "taser for cars", and thus likely to be just as abused as the taser. Who cares you fry almost anything else in the vicinity such as cell phones, PDAs, car stereo, GPS or a pacemaker..
I have no idea what offence would justify the use of this gadget. Going 1 mph over the limit? /sarcasm
Well, that was also not the point I was making. In case it wasn't clear - it is standard practice to walk someone off the premises, but I also observed that that was IMHO *way* too late.
Or, in summary, from a security perspective it's a total waste of time.
Sorry, this is not news - any company with sensible management should do this (but maybe a bit more sensitive).
As a matter of fact, you're already too late - the moment someone decides to leave the company they're mentally already "outside". You have no idea how long before the announcement they have started 'hamstering' office supplies :-).
Now, I joke about this, but the dark version of this is theft of intellectual property. Client knowledge, company strategy and competition insight, coders taking their code with them, etc - I can't see anyone inclined to take information to make their own life difficult by pre-announcing they're about to walk.
I just got up so I probably still have too much blood in my caffeine:-)
3. Here's a question: why is there no CentOS equivalent based on SuSE products? Think about it.
What about OpenSuSE?
Having said that, I did have to work with SLES 9 for a while and it's not an experience I want to repeat. Ever. Well, OK, unless the alternative is Worries for Windows or Windows ME. But even then. OpenSuSE is quite pleasant to work with, barring the apparent risk of Microsoft proximity.
Since I appear to hear from an expert, here's a question: where are the OS controls in CentOS/Red Hat? In SuSE you've got a thing called YAST which you can access via command line as well as GUI, and it pretty much does anything except EVMS setup or make coffee (which I need right now, dang) - I used to use RH until I found just how easy it was to manage a SuSE box (I'm usually too short on time to mine manuals too often). I looked at Fedora but discovered that the latest version would NOT work correctly on the HP DL 230 server I had (it only saw one SATA disk, for some reason /dev/sdb was absent which sort of screwed things up for mirroring :-). Don't think I tried CentOS then.
My needs are simple: I need a box which acts as a file server, email and LAMP engine (and Postgresql) for a couple of domains I'm playing with (Postfix, and access to mailboxes via IMAPs). It may also act as a KDE/Gnome desktop when I'm doing something mad with the desktop I use. Firewall and VPN duties will soon be taken care of by a Smoothwall box when I find a box small enough:-).
The argument for this change is that I'm trying to get a couple of things online in a fashion stable enough not to worry about it for a year other than the daily security patching (and I'm happy with that being automated, as long as the backup has worked correctly beforehand:-).
If I switch the main OS over I may cut over to Fedora on the desktops as well. I like Ubuntu but I tend to use desktops for trying out things that I subsequently put on a server (like groupware) which is simply easier by using the same platform.
Any help appreciated, I'm already breaking out the IRC clients:).
The only bit that I really wonder about with UAVs is how they avoid (1) collision with each other (as their use seems to increase) and (2) interference with other flying objects (Campbell mobile phones, airlines etc :-).
And I'd really like to know if one's overhead - with a crash there is a serious chance of these things dropping, say, in the middle of traffic. Altitude + gravity makes for an awful lot of kinetic energy to disperse on impact..
If someone discovers that OOo Calc can accept and process trading feeds faster than MS Office you'll find Office ripped out of trading offices faster than you can say 'more profit'.
Traders don't really care one iota about what platform they run either - AFAIK most trade processors already prefer Linux with kernel mods for speed. In summary - if anyone proves this it's curtains for Office, and possibly Windows..
The moon is part of our ecological system, I'm not quite sure what would happen if we change anything up there. Besides, what are the odds a nuke would make it up there without some ill inspired military fool changing the target area?
The only reason we still walk around on this planet without too much extra glow is because people in charge of the switch (specifically Russian ones) had more guts and brains than was reasonable to expect from them given the propaganda both sides generate.
I don't know about you, but I find the idea of any nation (regardless of creed, religion and/or inclination) having enough capability to zap life on this globe rather worrying. MAD is indeed a very apt acronym.
LOL - but you do have a point. I just posted another reply in this thread.
On balance, I think it's a relatively useful idea (it requires an above average criminal to zap it), but it seems Lojack has in the process of creating this managed to open Pandora's box of self re-installing trojans. The potential of someone writing a hack to take over the HPA segment is something that worries me.
I give it 6 months before someone finds a trojan that manipulates the HPA to replace Lojack code with itself. For all I know, it may have already happened - for commercial espionage the incentive is definitely there as such a hack would survive the traditional company 'build' process.
So, interesting product, worrying implications. On a volume basis this is indeed a deterrent, it just enables other capabilities I'm not so sure I'd like to have in my BIOS. Going back to Sony it makes me happy I totally nuked the hard disk and installed Linux - that will stop at least factory installed rootkits:-).
Thanks, I didn't find that in the regular product descriptions.
The HPA area isn't that well protected but it would take at least a much smarter kind of criminal, and if you're that smart you could make a living in IT instead (there's an inclination and risk vs reward debate lurking here which I'm leaving aside :-) - that addressed the size issue, although I found that it apparently needs a working copy of Windows re-installed before it can reconstruct itself. This seems to imply that the BIOS component merely kickstarts the install of whatever lives in the HPA, which would make sense given size constraints.
BIOS resident functions have implications for maintenance as you now have two different parties who have to collaborate for a BIOS patch, so I suspect this is based on some sort of API to keep it manageable. The ugly thing is that Lojack thus appears to have at least identified a potential route to write a TSR (Terminate & Stay resident) trojan, which is a door I would have hoped to stay closed a bit longer. I give it a couple of months before code appears to target that HPA component, and then the fun *really* starts - the moment someone finds a way to crack what's in the HPA you can replace it with your own version of the cookie monster and then all hell will break loose. This approach could offer a bigger industrial espionage backdoor to global information than Windows could ever present by itself.
This could get more interesting than I originally thought..
Interesting - you appear to state something that the supplier itself categorically avoids addressing on their website.
So we have now unsubstantiated claims in the wild the code will survive a reformat - but the manufacturer itself avoids any mention of survivability. I guess it's too obvious an instruction for wannabe thieves: zap the box before you plug it in. BTW, this is why I tend to remove recovery partitions - why help a thief to the original software? We have a DVD backup of it anyway (the Sony laptops need a dual layer one just to hold all the crap they install on top).
How did you arrive at the idea that Lojack survives a reformat? Do they state that in the product docs or FAQ? I'd be interested in the specific quote.
So, the conclusion is that this product requires a combination of dumb thieves and dumb buyers to work. That's still a pretty large group given the amount of Windows users (cough:-), but the supplier carefully leaves the obvious question unanswered.
I'd be rushing out to buy the product if I was convinced the statements I find are credible, but that's where my problem starts - the longer I look at what they're claiming the more problems I have with it.
The issue is the survivability of the software - they claim it will survive a reformat, and so far I heard a couple of theories how. Neither stacks up.
In principle, the claim is that they have somehow managed to write something with the capabilities of a boot sector virus, but which can hide itself in the system BIOS to survive a full reformat (to be precise, I don't think that was THEIR claim, someone else offered this as a theory).
Let's consider how the code could survive.
(1) Read-only hard disk sector. There's no such thing, because it would be a dog to update, and to implement without special hardware, which would require device AND version specific code. I don't buy that.
(2) Hidden partition. This would mean they'd somehow managed to bribe M$ in using code that wouldn't look at a hard disk and spot the boot link to the code. Well, BIOS limits apply: it starts with a boot sector, and that gets overwritten. Bye bye code.
(3) Parked in the BIOS waiting for a bootup. Given the number of BIOS' out there and the variation per system and revision thereof I don't buy that one either. If it's so easy to do I would like to ask 3 questions:
- why can't the Linux BIOS project do the same
- why would a manufacturer leave so much on-chip space
- would you be happy with something going so close to the metal with respect to system stability?
I wouldn't trust a laptop to boot up from a copy of Ubuntu if someone had messed with the BIOS, let alone Windows, and I don't believe you have enough code space there to hide something that is sophisticated enough to (a) detect the OS and (b) insert the correct code.
Based on the above, I think the more realistic scenario is that the guy jacked in the laptop BEFORE he reformatted it and thus triggered the transmission, but that wouldn't sound so swell in the article. The nice thing for the company selling Lojack is that it simply has to abstain from commenting for the sales-driving myth to grow. I can see lots of CEOs already calling their CIO and mandating this as a corporate standard - but AFAIK it's based on complete BS which makes me not just wary to buy the product, I would now actively avoid the company because it's selling a product that is mediocre at best. You get a hint of that by their claims that they employ ex law enforcement personnel. Start thinking as a business, and you'll soon start asking the question where the sense would be in that.
In conclusion, I don't buy it in more ways than one. I've been messing with PCs since the IBM XT got cloned, and I will need some serious convincing before I'd believe/buy this story. My theory is that the reporter misunderstood the technology and the reseller is happy to let the myth build.
Which says: AVOID! You will end up with people having a false sense of security, which is worse than having none - and that is unforgivable.
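The comments above treat the disk's Host Protected Area (HPA) as the one place where something could sit out a reformat, and the poster's own advice is "zap the box before you plug it in". The first thing a defender can actually check is whether the drive is exposing fewer sectors to the OS than it physically has, which is exactly what an HPA looks like. The example below is added here and is not code from the original thread or from the vendor discussed; it parses the `max sectors = current/native` line that Linux `hdparm -N` prints and reports how many sectors are hidden. The two sample outputs are constructed, not captured from real hardware, and an HPA by itself is not evidence of tampering: vendors also use it for recovery partitions, so the result is a prompt to compare against the build documentation, not a verdict.

```python
"""Detect a Host Protected Area from `hdparm -N` output.

Added example (not from the original thread). The parser works on text,
so it can be exercised offline; check_device() is the only part that
touches a real disk and needs root plus the hdparm package.
"""
import re
import subprocess
from typing import NamedTuple, Optional


class HpaStatus(NamedTuple):
    current_max: int    # highest sector count the drive currently exposes to the OS
    native_max: int     # sector count the drive physically supports
    hidden_sectors: int  # native_max - current_max, i.e. the size of the HPA


# hdparm -N prints a line of the form "max sectors   = 976773168/976773168, HPA is disabled"
_MAX_SECTORS_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hdparm_n(output: str) -> Optional[HpaStatus]:
    """Return the parsed status, or None if no 'max sectors' line is present
    (non-ATA device, permission error, or an hdparm version that reports differently)."""
    m = _MAX_SECTORS_RE.search(output)
    if not m:
        return None
    current, native = int(m.group(1)), int(m.group(2))
    # A current value above native would be nonsensical; clamp rather than go negative.
    return HpaStatus(current, native, max(native - current, 0))


def hpa_present(status: HpaStatus) -> bool:
    """True when the drive hides sectors from the OS."""
    return status.hidden_sectors > 0


def describe(status: HpaStatus, sector_bytes: int = 512) -> str:
    """Human-readable summary; sector size assumed to be 512 bytes unless told otherwise."""
    if not hpa_present(status):
        return "no HPA: OS sees all %d sectors" % status.native_max
    mib = status.hidden_sectors * sector_bytes / (1024 * 1024)
    return "HPA present: %d of %d sectors hidden (%.1f MiB) - compare against the build/recovery image before trusting this disk" % (
        status.hidden_sectors, status.native_max, mib)


def check_device(dev: str) -> Optional[HpaStatus]:
    """Run hdparm -N against a block device (e.g. '/dev/sda'); requires root and hdparm."""
    proc = subprocess.run(["hdparm", "-N", dev], capture_output=True, text=True)
    return parse_hdparm_n(proc.stdout)


# Constructed sample outputs in the hdparm -N format (not from real hardware).
SAMPLE_CLEAN = "/dev/sda:\n max sectors   = 976773168/976773168, HPA is disabled\n"
SAMPLE_HPA = "/dev/sda:\n max sectors   = 976642048/976773168, HPA is enabled\n"
SAMPLE_UNKNOWN = "/dev/sr0:\n HDIO_DRIVE_CMD(identify) failed: Inappropriate ioctl for device\n"

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hpa", SAMPLE_HPA), ("unknown", SAMPLE_UNKNOWN)):
        status = parse_hdparm_n(sample)
        print(label, "->", describe(status) if status else "could not read HPA state")
```

Run it as-is to see the three constructed cases; on a live system call `check_device("/dev/sda")` as root and feed the result to `describe()`. The parser deliberately returns None rather than "no HPA" when the line is missing, because an unreadable device is a different finding from a clean one.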
Could be a good marketing coup, but I'd like to know how such a program could survive. To stick it "in the BIOS" implies deep knowledge of the BIOS (and a lot of space) of each system, so I have trouble believing that statement, especially if it then also does a re-install. Sorry, I have occasional attacks of gullibility but that is just too much to accept..
To copy a CD requires a CD writer which costs near to nothing. To replicate vinyl costs (AFAIK) a heck of a lot more. The problem with that is that it would force the RIAA to abandon fighting little people and address the 'big' pirates again for whom such kit is a worthwhile investment (in other words, it's like hard work).
Sensible Access
In conclusion - nothing to see here
Look, that comment made me laugh hardest of all because of the unintentional irony. It's an absolute gem.
I *love* people making unintentional mistakes like that, but hell, I'm twisted.
Just not bitter :-).
If you're in a proper Thai restaurant, order sticky rice (in advance :-). That will also help control the fire, and it's nice to start with..
The moon is part of our ecological system, I'm not quite sure what would happen if we change anything up there. Besides, what are the odds a nuke would make it up there without some ill inspired military fool changing the target area?
The only reason we still walk around on this planet without too much extra glow is because people in charge of the switch (specifically Russion ones) had more guts and brains than was reasonable to expect from them given the propaganda both sides generate.
I don't know about you, but I find the idea of any nation (regardless of creed, religion and/or inclination) having enough capability to zap life on this globe rather worrying. MAD is indeed a very apt acronym.
LOL - but you do have a point. I just posted another reply in this thread.
:-).
On balance, I think it's a relatively useful idea (it requires an above average criminal to zap it), but it seems Lojack has in the process of creating this managed to open Pandora's box of self re-installing trojans. The potential of someone writing a hack to take over the HPA segment is something that worries me.
I give it 6 months before someone finds a trojan that manipulates the HPA to replace Lojack code with itself. For all I know, it may have already happened - for commercial espionage the incentive is definitely there as such a hack would survive the traditional company 'build' process.
So, interesting product, worrying implications. On a volume basis this is indeed a deterrent, it just enables other capabilities I'm not so sure I'd like to have in my BIOS. Going back to Sony it makes me happy I totally nuked the hard disk and installed Linux - that will stop at least factory installed rootkits
Thanks, I didn't find that in the regular product descriptions.
:-) - that addressed the size issue, although I found that it apparently needs a working copy of Windows re-installed before it can reconstruct itself. This seems to imply that the BIOS component merely kickstarts the install of whatever lives in the HPA, which would makes sense given size constraints.
The HPA area isn't that well protected but it would take at least a much smarter kind of criminal, and if you're that smart you could make a living in IT instead (there's an inclination and risk vs reward debate lurking here which I'm leaving aside
BIOS-resident functions have implications for maintenance as you now have two different parties who have to collaborate for a BIOS patch, so I suspect this is based on some sort of API to keep it manageable. The ugly thing is that Lojack thus appears to have at least identified a potential route to write a TSR (Terminate and Stay Resident) trojan, which is a door I would have hoped to stay closed a bit longer. I give it a couple of months before code appears to target that HPA component, and then the fun *really* starts - the moment someone finds a way to crack what's in the HPA you can replace it with your own version of the cookie monster and then all hell will break loose. This approach could offer a bigger industrial espionage backdoor to global information than Windows could ever present by itself.
This could get more interesting than I originally thought..
Thanks for the data.
Interesting - you appear to state something that the supplier itself categorically avoids addressing on their website.
:-), but the supplier carefully leaves the obvious question unanswered.
So we now have unsubstantiated claims in the wild that the code will survive a reformat - but the manufacturer itself avoids any mention of survivability. I guess it's too obvious an instruction for wannabe thieves: zap the box before you plug it in. BTW, this is why I tend to remove recovery partitions - why help a thief to the original software? We have a DVD backup of it anyway (the Sony laptops need a dual layer one just to hold all the crap they install on top).
How did you arrive at the idea that Lojack survives a reformat? Do they state that in the product docs or FAQ? I'd be interested in the specific quote.
So, the conclusion is that this product requires a combination of dumb thieves and dumb buyers to work. That's still a pretty large group given the number of Windows users (cough).
Which is an answer in itself.
If this was remotely possible, don't you think there would be legions of professional criminal coders busy working out how it was done?
It's the holy grail of Trojan engineering..
I'd be rushing out to buy the product if I was convinced the statements I find are credible, but that's where my problem starts - the longer I look at what they're claiming the more problems I have with it.
The issue is the survivability of the software - they claim it will survive a reformat, and so far I've heard a couple of theories of how. Neither stacks up.
In principle, the claim is that they have somehow managed to write something with the capabilities of a boot sector virus, but which can hide itself in the system BIOS to survive a full reformat (to be precise, I don't think that was THEIR claim, someone else offered this as a theory).
Let's consider how the code could survive.
(1) Read-only hard disk sector. There's no such thing, because it would be a dog to update, and to implement without special hardware, which would require device AND version specific code. I don't buy that.
(2) Hidden partition. This would mean they'd somehow managed to bribe M$ into using code that wouldn't look at a hard disk and spot the boot link to the code. Well, BIOS limits apply: it starts with a boot sector, and that gets overwritten. Bye bye code.
(3) Parked in the BIOS waiting for a bootup. Given the number of BIOSes out there and the variation per system and revision thereof, I don't buy that one either. If it's so easy to do I would like to ask 3 questions:
- why can't the Linux BIOS project do the same?
- why would a manufacturer leave so much on-chip space?
- would you be happy with something going so close to the metal with respect to system stability? I wouldn't trust a laptop to boot up from a copy of Ubuntu if someone had messed with the BIOS, let alone Windows, and I don't believe you have enough code space there to hide something that is sophisticated enough to (a) detect the OS and (b) insert the correct code.
Based on the above, I think the more realistic scenario is that the guy jacked in the laptop BEFORE he reformatted it and thus triggered the transmission, but that wouldn't sound so swell in the article. The nice thing for the company selling Lojack is that it simply has to abstain from commenting for the sales-driving myth to grow. I can see lots of CEOs already calling their CIO and mandating this as a corporate standard - but AFAIK it's based on complete BS, which makes me not just wary of buying the product, I would now actively avoid the company because it's selling a product that is mediocre at best. You get a hint of that by their claims that they employ ex law enforcement personnel. Start thinking as a business, and you'll soon start asking the question where the sense would be in that.
In conclusion, I don't buy it in more ways than one. I've been messing with PCs since the IBM XT got cloned, and I will need some serious convincing before I'd believe/buy this story. My theory is that the reporter misunderstood the technology and the reseller is happy to let the myth build.
Which says: AVOID! You will end up with people having a false sense of security, which is worse than having none - and that is unforgivable.
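Added example, not written by any poster in this thread: the one thing the HPA discussion above and the "hidden partition" theory (2) have in common is that the OS sees fewer sectors than the drive natively has, and that difference is checkable. This Python parser reads `hdparm -N` output (the "current/native" line format is assumed from hdparm's usual output; the three drives below are constructed samples) and flags any drive with a hidden region.

```python
import re

# Constructed sample of `hdparm -N /dev/sdX` output for three drives (format
# assumed; paste real output in its place). sdc reports fewer accessible
# sectors than its native maximum, which is what a Host Protected Area
# looks like from the operating system's side.
SAMPLE_HDPARM_OUTPUT = """\
/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
/dev/sdb:
 max sectors   = 312581808/312581808(312581808?), HPA setting seems invalid (buggy kernel device driver?)
/dev/sdc:
 max sectors   = 234000000/234441648, HPA is enabled
"""

DEVICE_RE = re.compile(r"^(/dev/\S+):\s*$")
MAXSECT_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hdparm_n(text):
    """Return {device: {"current": n, "native": n}} from hdparm -N output."""
    result, device = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:  # a new "/dev/xxx:" header; following lines belong to it
            device = m.group(1)
            continue
        m = MAXSECT_RE.search(line)
        if m and device:  # the "(…?)" suffix on buggy drivers is ignored
            result[device] = {"current": int(m.group(1)), "native": int(m.group(2))}
    return result


def hpa_report(text, sector_size=512):
    """Flag drives whose accessible size is below the native size.

    A non-zero hidden region is not proof of tampering (vendors park recovery
    data there too), but it is the region a reformat never touches, so it is
    where an inventory of a second-hand or recovered machine should start.
    """
    report = []
    for dev, s in parse_hdparm_n(text).items():
        hidden = max(s["native"] - s["current"], 0)
        report.append({"device": dev, "hidden_sectors": hidden,
                       "hidden_bytes": hidden * sector_size,
                       "hpa_present": hidden > 0})
    return report


if __name__ == "__main__":
    for row in hpa_report(SAMPLE_HDPARM_OUTPUT):
        print(row)
```

Note that a Device Configuration Overlay (DCO) can hide sectors below even the native maximum hdparm -N reports, so a clean HPA result alone does not rule out a hidden region.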
I mean, it thus should stop Paris Hilton ever going to Canada, no?
See http://www.trust-us.ch/cryptome/01-Cryptome-061213/lojack-hack.pdf. Maybe they did solve the problem, but that still makes me worried about responses to vulnerabilities.
And I don't like the idea of a system reporting to some 3rd party where it is. I have no way to check that information is only used in a benign way..
AFAIK the product and its support was found to be rather deficient [PDF file].
Could be a good marketing coup, but I'd like to know how such a program could survive. To stick it "in the BIOS" implies deep knowledge of the BIOS (and a lot of space) of each system, so I have trouble believing that statement, especially if it then also does a re-install. Sorry, I have occasional attacks of gullibility but that is just too much to accept..
To copy a CD requires a CD writer, which costs next to nothing. To replicate vinyl costs (AFAIK) a heck of a lot more. The problem with that is that it would force the RIAA to abandon fighting little people and address the 'big' pirates again, for whom such kit is a worthwhile investment (in other words, it's like hard work).