Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories
0
Comments
12,200
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 12,200

  1. Re:Aliens vs. Predator... on Here We Go Again — Video Standards War 2010 · · Score: 1

    Actually, blank DVDs cost considerably less per megabyte than blank CDs...
    DVDs won't become cheaper than CDs, until CDs start being deprecated and companies wind down their production of the blanks.

  2. Re:Nothing new here.. on Here We Go Again — Video Standards War 2010 · · Score: 1

    Not exactly, you require a VCR from a specific time band...
    Original VHS recorders had a bug which the copy protection exploited... Later VCR manufacturers fixed this bug, but due to some legal action by macrovision were forced to intentionally re-implement it. If you have a VCR from the time period where the bug got fixed, then you could copy the tapes just fine.

  3. Re:Example of competition gone wrong on Malware Threat Reports Are "Apples and Oranges" · · Score: 1

    I say "virtually" because i did not have any straight default installs at my disposal to verify..

    Also there are too many different linux distributions to say with absolute certainty... A default install of Gentoo (having followed the standard installguide) has nothing listening on the network by default for instance...
    Also the Ubuntu machine i have here, only seems to have sshd and cupsd listening on the network, and i explicitly enabled those services.
    A tailored linux distro designed to perform a specific service will have more listening by default.

    Having looked at a default install of ubuntu netbook:
    CUPSD is listening, but only bound to 127.0.0.1
    avahi-daemon is listening on udp, but is not running as root

    While not a perfect situation, a single non root udp service which is relatively simple is a far better than the default state of a windows machine which will have extremely complex services such as msrpc and smb filesharing listening and running as SYSTEM by default, i believe there are other services too such as upnp...

    The differences are:
    The quantity of code which is exposed to the network, msrpc has FAR more functionality than avahi... plenty of scope for people to find exploitable holes.
    The privilege level - exploit a service running as a privileged user and its game over, exploit one running as a normal user and you still have work to do.
    Ease of removal - its easy to remove or disable avahi from ubuntu, how do you remove rpc and smb from a windows box? it's possible, but beyond the scope of typical users, which is why most users end up with the half assed crutch of hiding the service behind a firewall.

    And note, this is just ubuntu, i don't have default installs of other distributions at my disposal to verify.

    My point however, was that windows includes network listening services by default (msrpc, netbios etc) which are not only entirely unnecessary on a client system, but also not obvious how to remove. Why does a single user desktop sitting on the end of a consumer dsl line (or dialup) need to offer services to the outside world?

    A workstation aimed at clueless users should NOT have network listening services running by default, and should have them not listening rather than hidden behind a firewall. A firewall should be an extra line of defence, not the sole one.

    Older linux distros used to come with lots of listening services, and in all those cases it was trivially easy to disable them, it was not necessary to keep the services running but hidden behind a firewall.

  4. Re:Issues with AOL on Does a Lame E-Mail Address Really Matter? · · Score: 1

    Some mail providers are unable to receive GPG encrypted mail either (same deal, the mail gets modified in some way so the signature becomes invalidated)...

  5. Business email... on Does a Lame E-Mail Address Really Matter? · · Score: 1

    For a personal email i guess it's not so bad, at least for people working outside of IT..
    I would expect anyone who applies for an IT related job to have their own domain at least.

    What does put me off however, is businesses which use free email addresses... It's not uncommon to see a storefront or vehicle painted with the company name, phone number and logo on the side, and then a hotmail email address..
    It's even worse when the business has it's own domain name for a website, but does not use that domain to host their email...

  6. Re:I gave up on viruses a long time ago on Malware Threat Reports Are "Apples and Oranges" · · Score: 1

    Linux has a significantly higher proportion of the server market however, and is dominant in the supercomputer market... The areas where Linux is strong are generally more useful to a hacker, as the systems are more likely to be running 24/7 and have access to far more bandwidth. So yes, Linux is very much a target and has plenty of people working to find ways onto Linux machines.

  7. Re:Running multiple products on Malware Threat Reports Are "Apples and Oranges" · · Score: 1

    Warez doesn't typically come with malware, if anything pirate copies of various things often have malicious (defined as doing something detrimental to the user or his machine) code such as drm schemes removed.

    I have done many incident response jobs, where one or more machines inside a company becomes infected with something that the av they subscribe to fails to detect, and it falls upon me to investigate the infection. Very few of these machines have any warez on them, or evidence of trying to view things like porn (most of these companies use a filtering proxy which would detect that anyway). The vast majority of these users were infected through visiting legitimate websites that had been hacked.

  8. Re:Example of competition gone wrong on Malware Threat Reports Are "Apples and Oranges" · · Score: 1

    I agree, security is a process not a product..
    Unfortunately, our voices are nowhere near as loud as those of the vendors telling people that security is a product.

  9. Re:Example of competition gone wrong on Malware Threat Reports Are "Apples and Oranges" · · Score: 2, Insightful

    The vast majority of said windows malware actually takes advantage of the user combined with the fact that user typically runs all his code as an admin.. Unix/Mac don't give you elevated privileges by default, and provide a well understood mechanism by which you can elevate your privileges which *should* make you think...

    There is also worm type malware which attacks open network services, windows ships with several services on by default, even on a workstation install, which cannot easily be turned off and are usually just hidden behind a software firewall... Linux/Mac ships with virtually nothing listening by default, anything that is listening can be turned off and a software firewall (if you choose to enable one) provides an extra level of security on top of that, not the last line of defence.

    The issue with unpatched software, while a concern for all platforms, is simply worse on windows platforms... While Linux distros typically have a centralised package manager which will update all of your software through a single consistent interface and all at the same time, windows has a mechanism for updating the core os, and then each application you install may or may not have its own separate update mechanism which might run in the background (wasting resources), might run when you try to use the program, might require you to explicitly run the update program, or it might not have any update mechanism whatsoever and thus require you to manually check the website for updates.

    As an extension to the above, the windows mentality of downloading and executing binary installers from websites lends itself to malware... Users are not encouraged to verify the legitimacy of the site they download from, nor are they encouraged to compare checksums of downloaded files.

    And let's not get started in the inherent flaws of the windows security model, sure NT (the kernel) had a very good security model when originally designed, but since then a lot of dos/win9x compatibility cruft has been forced on top. Think of the multiple versions of various apis retained for backwards compatibility, the authentication model designed so you dont need to send the password in the clear over the network, flawed because you can just send the hash instead, doubly flawed because they are now locked in to weak password hashing mechanisms.

  10. Re:Panic Averted - Resume Doing Nothing on IPv4 Will Not Die In 2010 · · Score: 1

    Yes, no incentive to go ipv6 only, but forcing them to go dual stack won't be too much of a burden. Once everything supports v6, people will end up using it without realising.

  11. Re:this isn't news... on Mozilla To Ditch Firefox Extensions? · · Score: 1

    As you say, leaked internal documents prove that embrace/extend/extinguish was used in the past...

    While they may appear to be opening up these days, there is currently no way to tell whether this is an honest attempt to play nice, or merely the first stage of embrace/extend/extinguish... Based on historical behavior however, the latter is the most likely but either way, we would be extremely foolish not to assume the worst, microsoft have done nothing to earn our trust but plenty to make us wary of them.
    As the saying goes, fool me once shame on you...

  12. Re:In other news.... on IPv4 Will Not Die In 2010 · · Score: 1

    The federal agencies were required to use equipment that "supports" ipv6...
    What this means, is that they bought kit which had ipv6 as a bullet point on the feature checklist, they have never enabled it, probably don't know how to enable it, certainly haven't tested it so for all we know the support in those devices may be extremely buggy to the point of being useless...
    And that's just for the backbone, other devices may have no support whatsoever...

    I played with a commercial vpn client that claimed to support ipv6 a while ago, the v6 support was extremely rudimentary and trivially easy to crash... Many combinations of packets with the ip type set to 6 and otherwise invalid data would crash it, like it had no sanity checking whatsoever.

  13. Re:Panic Averted - Resume Doing Nothing on IPv4 Will Not Die In 2010 · · Score: 1

    All modern OS's support v6 out of the box these days, but virtually no consumer level routers do...
    I spent ages looking for DSL routers which would support IPv6, and in the end my choice was between a custom built linux box, or a cisco. We need even the cheapest of routers to support ipv6 by default, and to enable it out of the box if the remote peer supports it too.

  14. Re:Panic Averted - Resume Doing Nothing on IPv4 Will Not Die In 2010 · · Score: 2, Informative

    You can use IPv6 and IPv4 at the same time, for instance one of my sites:

    www.ev4.org has address 213.165.238.250
    www.ev4.org has IPv6 address 2001:bd0:100:0:1::3

    The ipv4 address is shared (http/1.1 virtual hosting), but the ipv6 address is dedicated to that one site.

    The US government requires that any routing equipment must *support* ipv6, but not that it be used...

    We need governments, the ip registries and domain registries etc (basically anyone in a position to do so) to require that any internet accessible services are offered on both stacks, and for isps to be required to provide v6 connectivity at the same time as v4 (so people with modern equipment will end up using it without realising).

    You have to grow the egg artificially before it will hatch into a chicken...

  15. Re:Panic Averted - Resume Doing Nothing on IPv4 Will Not Die In 2010 · · Score: 1

    Ford don't even use those addresses on the Internet, they are only used internally for their LAN (where they should be using 10.x)... Ford's externally routable servers are in different ranges:

    dns005.ford.com has address 136.8.159.21
    dns006.ford.com has address 136.8.159.22
    extdns002.ford.com has address 136.1.7.11
    extdns001.ford.com has address 136.1.7.10

    Their web and mail seems to be handled by third parties now, but i dont think that was ever in their /8 block either.

    You also have HP, who thanks to their acquisition of DEC now own 2 A-class blocks... They actually make *some* use of them, but they also have other allocations as well.

  16. Dragging it out... on IPv4 Will Not Die In 2010 · · Score: 1

    I'm sure the registries will drag things out, pulling back some blocks, making it harder and more expensive to get new allocations etc, and putting pressure on organizations to cut down their IP usage.

    In the meantime, there is still very little support for IPv6 out there...

  17. Interesting... on Hotmailers Hawking Hoax Hunan Half-Offs · · Score: 1

    You can go and see other people's "orders" on that wedosale site:

    http://www.wedosale.com/vieworders.asp?orderno=20100108063848
    http://www.wedosale.com/vieworders.asp?orderno=20100108063731
    http://www.wedosale.com/vieworders.asp?orderno=20100108064033

    The order numbers are not sequential, they seem to be incremented by a random number each time but it would be easy to see what other people have ordered...
    The first part of the order number is clearly based on the date: 20100108

    The front page says you can pay with visa, but when you get to the order page the visa option seems to be missing... Once you complete an order it doesn't seem to do anything aside from putting your "order" into the vieworders system, it doesn't tell you where to send the money to or anything.

  18. Re:Fraudulent sales on Hotmailers Hawking Hoax Hunan Half-Offs · · Score: 1

    Because they give out cash at the other end, once someone has walked away with the cash it's gone and there's no real way to trace it...
    Getting a merchant account which enables you to receive credit card payments is a fairly complex process which requires you to prove the legitimacy of your business and pay a fair amount for the service. It's typically also tied to a bank account, and the bank will freeze your account if they think your up to no good... If you regularly empty out all the funds that will trigger suspicion.

  19. Re:Only 200,000? on Hotmailers Hawking Hoax Hunan Half-Offs · · Score: 1

    By doing that, you would get usernames and passwords for all kinds of services, not just hotmail...
    Also, 99% of your accounts would be chinese.

  20. Re:Meanwhile in Canada... on Factorization of a 768-Bit RSA Modulus · · Score: 1

    A lot of banks here still only support 128-bit, most of them only support 128-bit RC4 and don't have support for any kind of AES, let alone 256-bit.
    PayPal used to do AES256, but they also don't support it anymore, which seems quite ridiculous.

  21. Re:Seriously? on Slovak Police Planted Explosives On Air Travelers · · Score: 1

    Quality of life has very little to do with it, a lot of terrorists have grown up in western countries...
    Bin Laden comes from an extremely rich family and would have had access to pretty much any luxuries he wanted.

  22. Re:Seriously? on Slovak Police Planted Explosives On Air Travelers · · Score: 1

    Terrorist groups with a nuke won't try to smuggle it onto a plane, or any other kind of public transport... They could just drive into the center of a big city and detonate it in the car. Do you plan to stop every vehicle entering a populated area and search them for small nuclear devices?

    There really isn't much you can do to stop a small group of civilians who are determined to kill, and willing to sacrifice their own lives to do so. It is very much possible to kill without needing any weapons whatsoever, and anyone could do it. All these "security measures" will just anger the populace and eventually increase the number of people willing to make a stand against it, with terrorism being the only way to make a stand.

    Terrorists are the symptoms, you need to treat the sources - why are these people so angry that they want to kill you and are willing to give up their own lives to do so?

    You either need to appease them, wipe them out, or find something they *do* care about enough to make them fall in line (since they obviously don't fear losing their own lives).

    Traditionally in history, guerilla warfare like this was countered by simply wiping out the population until the attacks stopped, either because all the militants were killed or what few remained were too fearful of their entire population being annihilated.

  23. Re:Box on EA Shutting Down Video Game Servers Prematurely · · Score: 1

    People very rarely read the small print, or a lot of products currently on the market would not sell at all.

    Hopefully being screwed over a few times will teach people to actually read the small print!

    I bought quake (the original) many years ago, i have always been able to play it online, the sourcecode to the game was released a few years ago so i am able to play modernised versions (so i'm not even restricted to dosbox as with many older games).

  24. Do people never learn? on Y2.01K · · Score: 1

    With all the hype of y2k, you'd think that would be enough to push people into action and learn how to handle dates correctly... Instead, some people "fixed" y2k problems with another series of short sighted dirty hacks that are now starting to break again after only 10 years.

  25. Re:EVE Online. on EVE Online Battle Breaks Records (And Servers) · · Score: 1

    Games are not supposed to be useful, they are supposed to be fun..
    If you want to do something useful, go to work.