They started putting ads with sound in them. It got to the point that if I forgot to turn off my speakers I'd get woken up in the night by an ad left in a tab I didn't bother closing.
Then came the ads that would force the browser to a specific location on the page (breaking the website, but making it so you could see the ad).
They have no-one to blame but themselves. I honestly truthfully didn't give two shits about ads until they started talking and hijacking normally respectable websites. I mean - I do understand - that's how a lot of sites generate revenue so I feel bad, but my health and well-being comes first - and talking ads that wake me up at 2 am are not healthy.
If some executive personally promised me no more sneaky backhanded, noisy ads - I would turn it off and try again for a while.
Serious question - why should any software vendor have to support anything 8-10 years old for free? Why not do what Microsoft does and just patch the crypto libs along with the OS on a regular cycle.
As someone who has done quality assurance - testing these patches has to be an absolute nightmare.
This part is actually FUD I think. This particular Dell private key does not chain up to a trusted root CA.
Also - Windows will only install drivers silently that are Microsoft WHQL signed - they are the only ones who sign these drivers, and this key does not chain up to that either.
At most you could sign a driver with this key, and install said driver onto a machine that had the public key already installed - assuming you had local admin as well - and for a user mode driver (like a printer) it will give you a soft warning "are you sure you really want to do this", for a kernel mode driver it will give you a red "this will potentially harm/wreck this computer" warning.
Yes this is a terrible security problem, but the attack surface is relatively small (none of the Dell PCs I had - have this cert - I believe it only gets installed when using the support portal's check my serial/warranty feature).
Like anyone cares about breaking labor rules. The watchdogs (as many on here fondly point out) are an aging dinosaur.
There are plenty of cases of industrial accidents with thousands of labor board complaints that no-one did anything about, and during a conservative regime it's even worse.
There's a reason you'd want to emulate an Amiga or a C64 - there are some cool games you can play on it.
One problem with OS/2 is it ran all the same apps that Windows did - other than vertical markets (like ATMs, zOS management etc) OS/2 had the exact same apps Windows does.
Sure OS/2 was more reliable than Windows 3.1 or Windows 95 (when OS/2 Warp shipped), but with Windows NT that all changed.
Even though 12 bucks an hour is above Virginia's minimum wage - there's plenty of research that if minimum wage was tied to inflation it should be around 22 dollars an hour.
I'm genuinely surprised congress doesn't talk about this more often - or as you suggest a guaranteed basic income wage (actually I'm not surprised this isn't a topic) - or at the very least corporate housing like they do in China.
Why not call both? You're acting like the paramedics who rush out there have zero clue how to get a hold of local security.
I work at a university campus - local security work closely with the police and they know to get a hold of them and absolutely rely on them to direct the real paramedics/police to the situation.
I work for a union shop in IT - and while the organization is under constant attack our contract has a section outlining the rules for hiring outside contractors. We actually have really qualified people working here. I think stability attracts those kinds of people even though we pay less than most places in town.
I've found enforcing the contract relies on catching management in the act, but at least there is a process lowly me can take that the upper upper upper executives take seriously - and if the violation is egregious enough lawyers can get involved, but I've never seen that happen.
So for anyone who has worked for the government - I've seen this scenario play out dozens of times. So what happens when the IT department can't or simply won't keep up with customer demands? Customers outsource those demands - and these days you really can run all of your essential IT services from various cloud providers. There's even a Gartner term for this - "Shadow IT". So the money gets spent anyhow, without any oversight or governance that their central IT department has mandated as a policy. Worse - when the guy who set up said system moves on - the central IT dept often has to take over and manage this now essential system.
Windows XP working as a file server for license plate cameras? Please - that has shadow IT written all over it. Guy needed a file server, the IT guys told him to fuck off (because they have no money or staff), so he rummaged around for whatever piece of shit would power up and used that. And now that it's a national news article - guess what central IT's next project is? If he really cared about IT governance the file server wouldn't be a single XP box, with internal storage. This could have been a VM using some network storage system for FAR less.
These days any IT dept really needs to do what it takes (and that means having a CIO with the political willpower) to make IT keep pace or at least placate these requests in some way. One thing we would do is go ok - your budget, your servers, but we spec them to our standards, they live in our data center, use our storage systems, our backups and our physical/endpoint security.
PCI Compliance? While I agree it's not 100% perfect - having documentation from some compliance officer at your company that you met or exceeded all their baseline recommendations should get you out of hot water if something bad were to happen.
If you work in the medical field - there's HIPAA - which again most hospitals, clinics and labs probably have a compliance person on staff that is supposed to set policy on this sort of thing and audit systems for compliance.
If you google around there's a standard for every single business/market you can think of.
That's a pretty big deal when you're on the hook for actually supporting what you release - at that volume - and maintaining compatibility.
I was working at Adobe ages ago on testing Vista and they let us know the app compatibility toolkit shims (which you can google - it's a rather fascinating framework) they were putting in for Acrobat Reader 3 and 4 - to work around a window sizing issue. Reader 3 originally ran on Windows 3.1 and Windows 95 and Reader 4 was really only intended for 95/98/NT/2000 - but both products work just fine on Windows Vista and Windows 7 - if for some insane reason you don't want to upgrade.
I dunno - currently with all the applications we run on Centos, RHEL or Suse - if the vendor says it has to run on xyz - I've found that upgrading and patching is a somewhat perilous process.
I think if this is true - you have to wonder what the statute of limitations is on this concept. One could easily argue that Java, C#, AS were all inspired by C/C++ - which was developed by AT&T Bell Labs. I'm sure there's some lawyer who could craft a case that they need to pay royalties now.
To change the command line in a microsoft signed patch you'd have to edit the patch manifest file (big xml file with installable rules, installed detection rules, etc etc) - which would break the code signing cert on that package.
Again - by default the windows client only installs MS Signed packages - you can set a policy to install packages signed by your own code signing cert, but that's not the default behavior (that action requires domain or local admin).
To bypass that you'd have to exploit MS's "authenticode" checking system, or have the signing password/key for MS's code signing cert or your Enterprise's code signing cert. If any one of those 3 things is a thing - you have more serious problems anyhow.
This article is honestly a lot of fud - it relies on lazy Windows admins (and yes I admit there are far more of them around than lazy unix/linux admins).
Look at the attack vector - you can't just change where Windows checks for updates without local admin, or modifying the policy for the domain the machine is bound to - and you can't update the cert store for the same reasons. Yes privilege escalation attacks exist, but if someone has local admin on your windows box - why bother hacking the windows update service? Mitm attack would have to either exploit some bug in windows certificate trust, or have local admin on the box - and if you have local admin why bother hacking windows update.
And then mitm'ing the sync between WSUS and Microsoft - say you did leave it insecure - and you do download hackyourshit.exe, but it's not signed by a root ca your clients recognize - the actual endpoints still won't install it - even if it did come from your update server. WSUS won't deploy non-ms signed updates out of the box fwiw. SUP (System Center's Software Update Point) will, but only if they are signed by a trusted root ca and the vendor is configured on the trusted list on the site server itself.
These guys might as well have written an article about hacking the SCCM Management Point and injecting rogue policies into its clients - it's about as feasible tbh (ie not really).
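The point the two comments above keep coming back to is that an update package only gets installed if its Authenticode signature chains to a root the endpoint already trusts. The script below is an added example of checking exactly that on a staging box before handing a package to WSUS or SUP; it is my code, not the commenter's and not anything Microsoft ships. The sample path, the .msu file name and the "Microsoft Root" subject match are assumptions; Get-AuthenticodeSignature, X509Chain and the Cert: drive are real PowerShell/.NET features.

```powershell
# Added example (not from the original comment): verify that an update package's
# Authenticode signature is valid AND terminates in a root present in the machine's
# Root store, and report which root that is. Path below is an assumed sample.
param(
    [string]$Path = 'C:\updates\windows10.0-kb0000000-x64.msu'   # assumption: any downloaded .msu/.cab/.exe
)

function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $result = [ordered]@{
        File          = $FilePath
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer        = $null
        Root          = $null
        ChainBuilt    = $false
        RootInStore   = $false
        MicrosoftRoot = $false           # heuristic on the root's Subject, see below
    }
    if ($sig.Status -ne 'Valid') { return [pscustomobject]$result }

    $result.Signer = $sig.SignerCertificate.Subject

    # Build the chain ourselves so the terminating root is explicit in the output.
    # Status 'Valid' already implies Windows found a trusted chain; this is for logging.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline demo; use 'Online' in production
    $result.ChainBuilt = $chain.Build($sig.SignerCertificate)
    $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result.Root = $rootCert.Subject

    # Is that root actually installed in LocalMachine\Root, as opposed to merely
    # embedded in the file's own PKCS#7 blob? A self-signed cert shipped inside the
    # package would build a "chain" but fail this check.
    $trustedRoots = Get-ChildItem Cert:\LocalMachine\Root
    $result.RootInStore = [bool]($trustedRoots | Where-Object Thumbprint -eq $rootCert.Thumbprint)

    # Assumption: we only want packages whose chain ends in a Microsoft root. Subject
    # matching is a heuristic; pin thumbprints instead if you need a hard guarantee.
    $result.MicrosoftRoot = $rootCert.Subject -like '*Microsoft Root*'

    return [pscustomobject]$result
}

$r = Test-UpdatePackageSignature -FilePath $Path
$r | Format-List

if (-not ($r.Status -eq 'Valid' -and $r.RootInStore -and $r.MicrosoftRoot)) {
    Write-Warning "Refusing to stage $($r.File): status=$($r.Status) rootInStore=$($r.RootInStore) msRoot=$($r.MicrosoftRoot)"
    exit 1
}
"OK to stage: $($r.File) signed by $($r.Signer)"
```

Run it against a genuine .msu and then against a copy with one byte flipped: the first reports Status Valid with a Microsoft root, the second reports HashMismatch and exits 1. Windows Update and the WSUS client do the same signature and trust check before installing, which is why an unsigned or foreign-signed file sitting on a compromised update server still does not get installed on the endpoint.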
What do you think provides the 220 voltage to the connector outside your house or to make the hydrogen or to make the steel to make the cars (or bicycles)?
That's the way Adobe thought :) - I had a manager who was enthusiastically telling me how the 15 people they were hiring in Noida were going to be so much more cost effective (15 people - to replace me).
I got laid off, and they managed to lose every account I had - I still don't see the cost savings and that C level director still works there and last I heard everyone really loves him.
I have a friend who is a repo man - and the tracking devices he drops onto cars (like if he doesn't know where the person lives - he'll attach one of these and track it to his/her work and/or living address) are 100 times better packaged and more discreet than this. Properly installed you'd likely have a hard time finding it.
Hence why I thought it was a prank - no way a government agency would be this sloppy and allow it to be found so easily. Who knows though.
The one I work for does - it's in his negotiated contract.
The other thing to keep in mind - that's 500k rent free in most cases. That is a massively huge perk.
I work at a smallish urban university and even our president has his own palace (it's quite posh, even has staff).
I'm pretty sure that's not happening ;).
So you can turn off Microsoft accounts by policy, and the long term servicing branch has little support for these features.
Also my end customers don't have local admin (which you need to encrypt the system yourself - outside our solution).
Anyhow that has been my solution for this sort of thing.
By vendors - you mean Apple. It's been a very long time since I've seen a phone that doesn't charge via usb (aside from the iphone).
I could get those apps running on Windows 7 x86 no problem.
Not that that is a solution, but it's certainly better than what they have.
It's still not a fork - if you're talking about code repositories. No-one went to Sys 5's repository and made a fork to develop Linux.
There are licensed variants where this did happen - Linux isn't one of them ;).
APIs are copyrightable.
Learn to powershell?:
To read a variable:
Get-ChildItem Env:
or
$env:Varname
and to set
[environment]::SetEnvironmentVariable("Var","Value","User")   # third argument is the scope: "Process", "User" or "Machine"
even doing this from cmd.exe isn't all that hard - in fact its just like ms-dos was:
SET variable=string
Then
echo %variable%
Seriously - this hasn't changed in 34-35 years.
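One thing the one-liners above don't show is that the three scopes are separate: $env: is only a view of the current process block, and a value written at User or Machine scope lands in the registry without touching the running session or anything it spawns. The script below is an added example of that, my code rather than the commenter's; DEMO_VAR is an assumed variable name, and it cleans up the User-scope value it writes. It only reads Machine scope, since writing there needs an elevated shell.

```powershell
# Added example (not from the original comment): the same variable at Process, User and
# Machine scope, and which of them this session and a child process actually see.
$name = 'DEMO_VAR'   # assumption: a throwaway name that nothing else uses

function Get-EnvScopes {
    param([Parameter(Mandatory)][string]$Name)
    [pscustomobject]@{
        Process = [Environment]::GetEnvironmentVariable($Name, 'Process')   # what $env:NAME reads
        User    = [Environment]::GetEnvironmentVariable($Name, 'User')      # HKCU\Environment
        Machine = [Environment]::GetEnvironmentVariable($Name, 'Machine')   # HKLM\...\Session Manager\Environment
    }
}

# 1. Process scope: same thing as $env:DEMO_VAR = '...'; visible immediately, gone when the shell exits.
Set-Item -Path "Env:$name" -Value 'from-process'
"After Process-scope set:"; Get-EnvScopes $name

# 2. User scope: persisted to the registry, but NOT copied into this process.
[Environment]::SetEnvironmentVariable($name, 'from-user', 'User')
"After User-scope set (Process value unchanged):"; Get-EnvScopes $name

# 3. Child processes inherit the parent's block, not the registry. Clear the process
#    copy first so the child can only see the variable if it rereads the registry.
Remove-Item -Path "Env:$name"
$child = & powershell.exe -NoProfile -Command "[Environment]::GetEnvironmentVariable('$name')"
"Child process sees: '$child'"   # empty: the persisted value only reaches processes started from a fresh block (new logon/Explorer)

# 4. Cleanup: passing $null at User scope deletes the registry value.
[Environment]::SetEnvironmentVariable($name, $null, 'User')
"After cleanup:"; Get-EnvScopes $name
```

The practical consequence for anyone scripting installs: a PATH or proxy variable written with SetEnvironmentVariable at User or Machine scope is not in effect for the rest of the same script, nor for tools it launches, until a new environment block is built; set it at Process scope as well if the current run depends on it.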
http://blogs.wsj.com/numbers/m...
We have a long way to go still ;).