Slashdot Mirror


User: caffeinejolt

caffeinejolt's activity in the archive.

Stories: 0
Comments: 39

Comments · 39

  1. Might not be just Supermicro on New Evidence of Hacked Supermicro Hardware Found in US Telecom: Bloomberg (bloomberg.com) · · Score: 5, Interesting
    The article states:

    The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

    According to the original article - the alleged Chinese culprit chip exploited via the BMC. Aspeed is the company that makes 99% of the BMC controllers in Supermicro boards. If China really did go through the trouble to develop a chip to exploit via Aspeed controllers.... why limit themselves to Supermicro? I know at least Tyan and Lenovo also use Aspeed. From China's intelligence perspective, they would want a solution that could work across multiple board vendors.

    According to latest:

    Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

    Really wish they would give us more to go on than just that. Not sure about other Slashdotters, but I have Tyan/Supermicro/Insert-Taiwanese-Motherboard-Manufacturer boards in production, and would really appreciate more information on what to look for.

  2. No bait and switch? No upselling? on Cloudflare Launches a Low-Cost Domain Registrar, Which Will Also Offer Free Privacy To Customers (arstechnica.com) · · Score: 3, Interesting

    If they are only charging customers the registry cost plus the ICANN fee as mentioned in the article, that means they are still operating at a loss if they 1) are accepting payment methods which cost money (i.e. credit cards, paypal, etc.) or 2) providing customer support to registrar customers. I would prefer they charged more to at least break-even since presumably they will do at least one if not both of these (they already accept credit cards for their other services). I have all my domains at NameSilo, which I really like, and while they charge a bit more than Cloudflare, at least I understand that they are making money and therefore NameSilo's domain registration service is sustainable.

    I have used Cloudflare for years and really like them as well, but when a business announces pricing which would result in a loss or at best - not make any money, that makes me suspicious. I am left to assume they are counting on sales from their other services to make up for this - they are a business after all - beholden to investors who at some point expect ROI.

    Cloudflare is stating "we promise to never charge you anything more than the wholesale price each TLD charges" - but that is not just a promise to "never" make money on domain registrations... if they are offering support for domain registrations or offer popular payment methods it is also a promise to always lose money on that part of their business. When a company makes a promise like that (i.e. unlimited bandwidth)... it calls for additional scrutiny. I'd be careful when considering Cloudflare for your domains - they have either not really thought this one through, or are rolling out their own bait and switch scheme.

  3. Firefox Won Me Back on Is Firefox 57 Faster Than Chrome? (mashable.com) · · Score: 4, Interesting

    I was a long time FF user years ago, but ended up switching to Chrome due to its speed relative to FF. I tried 57 when it came out, and love it - I am back to FF now and happy to say that it at least seems as fast as Chrome, but I prefer the FF experience overall. Hopefully they can port over these improvements to FF on Android since Chrome still seems to have a noticeable edge there. Plus... you have to admit that it is kind of bad ass that a lot of these improvements are resulting from Rust - a language Mozilla developed in part to bring better resource utilization and security to FF. It appears this v57 improvement was largely resulting from the Stylo component (written in Rust) - but their roadmap calls for more components to be swapped out - so the good times may keep getting better for FF - I hope they do because competition is good for us all.

  4. Corporate Policy Stifling Innovation Also on White House Announces Reforms Targeting Patent Trolls · · Score: 5, Interesting

    This is indeed one aspect of the many problems with our patent system. Another is the corporate strategy, initiated over a decade ago, which has virtually eliminated the interaction between innovative small firms and larger firms with the need for innovation and the deep pockets required to drive innovative products to market. After my small firm was purchased in 2000, I was ordered to inform all engineers that it would be a major (i.e. firing) violation of corporate policy if they let themselves become aware of the intellectual property of any other firm. I was told that this had recently been adopted as corporate policy by most major firms as a brilliant defense against the feared "triple damages" awards for patent infringement. Corporate policy explicitly banning any effort to learn about other firms' patents currently eliminates any possibility of a court awarding triple damages - even if patent infringement were proven. Since most innovative small firms lack the financial resources needed to take on a multi-year legal battle, even if they were able to show infringement on their patent, this new corporate policy amounted to a free pass for large wealthy firms to simply steal innovations from innovative small firms. The worst thing that could happen would be that the small firm won in court, at which point the worst-case punishment would be to pay 'damages' - which are defined as simply the amount that the stealing firm would have had to pay had they properly licensed the patents from the small firm in the first place. While this is considered a brilliant legal strategy, it is a disastrous national policy for technological innovation. It virtually eliminates the financial incentive for small firms to invest in innovation, by providing carte blanche for larger firms to simply steal that innovation; the logical large firm strategy in this case is to never discuss intellectual property with any small firm - simply steal it and defy them to take you to court.

    We do indeed need to make war on patent trolls, but even more importantly, we need to make war on patent thieves - by punishing deliberate ignorance of patent theft with large penalties. If it is proven that infringement occurred, and that the infringing firm had a policy of deliberate ignorance, the damage award should be at least tripled. Or - we should start letting speeders go free if they claim ignorance of the speed limit because they chose to deliberately avert their eyes every time a speed limit sign came near.

  5. Very true - really depends on the registrar on Zero Errors? Spamhaus Flubs Causing Domain Deletions · · Score: 5, Informative
    I wrote the backend for a registrar (NameSilo) and still help out with their developers from time to time. Because they offer free privacy and low prices - they get a lot of black hat use. Spamhaus frequently sends them abuse complaints and I have seen a few of them. What is amazing is that most of them offer little to no evidence of the wrongs a given domain has done. I am literally pasting from an email I was copied on here:

    From NameSilo regarding an alleged malware domain:

    Hi Thomas, We would like to help expedite this since it involves potential malware, but you don't give us much to go on here. Can you please review: http://www.namesilo.com/Support/Abuse-Reporting-Procedures

    From Spamhaus:

    This domain name is operated by cybercriminals and used to provide DNS resolution to botnet domains, aimed to steal thousands of $$$ from financial institutions. Please suspend it.

    So in short - the registrar asked for evidence that the domain was violating their terms of service and Spamhaus simply replies they are cybercriminals... trust us! After seeing other abuse reports from them, I can tell you that Spamhaus has a very snub attitude and expects to be listened to. Once when NameSilo did not listen to them enough to their liking, they added namesilo.com to their RBL - they had me modify their MTA to route email around the block, but still - I think you can see the problem here - someone has to keep Spamhaus in check.

  6. namesilo.com on GoDaddy Sells To Investor Group · · Score: 1
  7. NameSilo on The Ascendancy of .co · · Score: 1

    NameSilo - I would highly recommend them

  8. Just dealt with this this week on Lamebook Sues Facebook Over Trademark Infringement · · Score: 1

    This site is pretty straightforward: http://www.customerservicescoreboard.com/ - people can score companies based on the customer service they provide. Facebook / markmonitor.com decide for some reason that it infringes on their trademark based on this page: http://www.customerservicescoreboard.com/Facebook Which leads to the following big waste of time/resources simply to tell their legal team to leave them alone: 1) they receive the complaint 2) they contact their registrar http://www.namesilo.com/ to find out what problems if any they have with their domain 3) NameSilo recommends some trademark attorney and 4) the attorney files a response (http://www.customerservicescoreboard.com/images/CustomerServiceScoreboard_Facebook_Response.pdf) which more or less tells Facebook to please leave them alone and that their trademark infringement case is baseless. Facebook ended up dropping the threat. But this goes to show you how ridiculous the situation has become. Sites like Facebook employ services like Markmonitor.com to basically send out thousands of trademark and/or DMCA threats.

  9. The real shame here.... on Obama Wants Broader Internet Wiretap Authority · · Score: 1

    Is that they want to go after application layer security as well according to the NYTimes article (They want it to include "Developers of software that enables peer-to-peer communication must redesign their service to allow interception."). If that is the case, then this is a direct assault on the right to privacy for all US citizens. Even worse is that it is being touted as a way to catch the bad guys instead of a means to obtain the right to spy on the general population. Any self respecting bad guy will use application layer encryption (i.e. PGP etc.) that works independent of the transport encryption. Do you really think bad guys are going to use software that plays by the rules this law creates?

    If this law also goes after application layer security - in other words, it tries to make it illegal to make/use software to enforce your own privacy - then this is a HUGE problem and we all need to act to help inform those around us who don't understand the repercussions of such a law. Right now we have the right to make/use software that protects our privacy. Do you want to live in a country that has removed this right in the name of protecting its citizenry from the evil doers?

  10. Re:Good IMAP Server on Best Way To Archive Emails For Later Searching? · · Score: 1

    That's why I recommended Dovecot - it uses indexes which make searching 20 years of emails very possible.

  11. Re:IMAP is a protocol, not a file format on Best Way To Archive Emails For Later Searching? · · Score: 1

    I did not assert it was a format. As far as the format, I recommend Maildir++, which when coupled with Dovecot (the IMAP server I recommended) does exactly what you wrote "You could opt for MIME messages in a directory structure and use some fulltext index software (Google desktop, Apache Lucene etc.) You can probably find software that creates index lists (like by sender / subject / date)"

  12. Good IMAP Server on Best Way To Archive Emails For Later Searching? · · Score: 5, Informative

    If this is really important to you, and you want it all to work across multiple workstations/OSes, your best bet will be to store it all in IMAP. If you have the means and motivation to run this yourself, I would recommend Dovecot. If you don't have the means and motivation, then you can use a service like Gmail to run your IMAP although you give up certain freedoms in doing so. For example, I use Dovecot coupled with Maildir++ as the physical storage format - as a result I can (if I wanted to) change to any email client I wish very quickly, use different email clients at the same time, etc.

  13. These reports are not meaningless... on Linux Distribution Popularity Trends Plotted · · Score: 1
  14. They are 6th to last according to these guys.... on Facebook User Satisfaction Is 'Abysmal' · · Score: 1

    This report ranks customer service amongst popular companies/services. Obviously it is not apples to apples since many of these services require payment to render customer service, but I'd say it seems to reiterate the main point of this thread.

  15. How does this differ from glusterfs? on New Linux Petabyte-Scale Distributed File System · · Score: 2, Interesting

    I am not real familiar with ceph and after going through the pain to learn more about glusterfs (http://www.gluster.org/) only to learn that gluster was not quite ready for primetime (this was about 6 months ago - may have changed), I am a bit skeptical. Anyone know the main differences between ceph and glusterfs (besides that glusterfs can run in userspace)?

  16. These numbers are based on desktop usage mostly on Ubuntu Claims 12 Million Users — Before Lucid · · Score: 2, Informative

    This report is updated monthly and displays linux distro market share stats. However, it mostly reports on desktop usage - not server usage.

  17. Chrome users like flash more than others it seems on Adobe Flash Now Officially a Part of Google Chrome · · Score: 1

    Comparing this report (which shows flash plugin usage within chrome users) to this report (which shows general flash plugin usage) - it seems only 2% of chrome users have no flash plugin compared to 3.9% across all browsers.

    Depending on how you look at it, this is either a sign chrome users don't need additional help getting flash installed or that google is simply catering to their users who have a special affinity for the flash plugin - you decide.

    My guess would be this is some special strategic bond between Adobe and Google to further push flash since silverlight is by far the fastest growing plugin technology - but that growth is partially tied to the growth of Windows 7 which comes with silverlight.

  18. Google Gears Usage on Google Phasing Out Gears For HTML5 · · Score: 1
  19. Change Permissions on Flash Cookie Directory on Next Flash Version Will Support Private Browsing · · Score: 1

    A while back I got tired of everybody tracking me online so I cracked down on permanent browser storage. I ended up getting rid of all cookies on browser close and ran these commands:

    rm -rf ~/.macromedia/Flash_Player/*
    rm -rf ~/.adobe/Flash_Player/*

    With sudo:
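    # Hand the Flash storage directories to root so the plugin, running as the user, cannot write to them
    chown -R root:root /home/user/.macromedia /home/user/.adobe/Flash_Player/
    # Leave access to root only
    chmod -R 0600 /home/user/.macromedia /home/user/.adobe/Flash_Player/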

    The flash cookie problem was solved and I have not noticed anything has changed. Of course, I don't really see much flash other than flash ads - so it might break some things I am unaware of.

    On windows the same directories are stored elsewhere - but the same overall technique should work fine I would think.

  20. Windows 7 Defaults to Bing on Fresh Install on Bing Gaining Market Share Faster · · Score: 1

    Makes me wonder how much of this is due to people switching from Google vs just buying a new PC (at least when I set up my Dad's PC it did). Bing market share growth follows a very similar trend to Windows 7 market share growth.

  21. Silverlight is the fastest growing plugin... on Microsoft Wants To Participate In SVG Development · · Score: 2, Interesting

    Based on this growth trend, I'd say Silverlight has a future still.

  22. 66.43% of browsers do not support SVG on Microsoft Wants To Participate In SVG Development · · Score: 2, Insightful

    SVG adoption needs Microsoft to gain critical mass. 66.43% SVG figure is based on December StatOwl.com figures.

  23. Depends who you ask... on Bing Gains 10% Marketshare · · Score: 1

    According to StatOwl.com, Bing has around 4% market share. However, it should be noted that they measure traffic driven to actual sites as a result of using search engines for their metrics. So if we assume both ComScore and StatOwl are correct in their reported data, then around 6% of the new Bing traffic can't seem to find what they are looking for with Bing.

  24. Re:Here are the shockwave stats - could be a probl on Shockwave Vulnerabilities Affect More Than 450 Million Systems · · Score: 1

    what exactly does "upgrade movement" mean?

    That means that it would appear shockwave users do not frequently upgrade. They probably had to install the plugin to view something and then they forget about it. In this case, this may leave more people open to attack.

  25. Actually - IE6 has over 15% market share on YouTube Phasing Out Support For IE6 · · Score: 2, Informative

    This graph shows market share trends for relevant browser versions. Of course, I REALLY wish it was "in the single digits".