I was working on the stack back in 1998, and shrinking it to fit in the bios for Phoenix Tech (Guildford UK office, now closed). Phoenix almost bought the stack and the browser. I even spent a few days in Bury Saint Edmunds, doing code reviews. Can't remember the stack version... But I was emailing patches or on the phone a couple of times a week, trying to convince people that stuff was wrong. The most flagrant one was something in the vein of if (blabla) {
blabla;
free(x); }... x->blabla...
The stack was using cunning OO implemented in C with structs and ptrs, it was reasonably modular. I got it down to 45K uncompressed with the telnet server. But it was too unstable, trying to be too nifty for its own good.
This Article on Radius has a section on vulnerabilities.
And it does seem pretty weak against snooping during the authentication phase.
Somebody mentioned tunneling via SSL. Right on dude.
--
jpa
Did you know that MS has been poking around the UK for mobile-phone related companies?
Last century, MS bought STNC which makes mobile phone software (web-browser, tcp/ip stack...)
Here's a dusty article...
Microsoft acquires Symbian partner STNC
--
jpa
PS: I actually helped those guys debug their tcp stack... and what a piece of crap.
Abstract: A method including creating an executable program in accordance with a Windows Control Panel Language (CPL) format; storing the executable program in a first non-volatile memory; transferring the executable program from the first non-volatile memory to a second non-volatile memory; and, configuring an operating system to start-up the executable program after the operating system has completed booting.
MUHAHAHAHAHAHA! MUHAHAHAHAHAHA! The curse is unleashed! MUHAHAHAHAHAHA! MUHAHAHAHAHAHA!
> Assuming they could get past all the potential technical hurdles
They have gotten past those hurdles 3 years ago with phoenixnet (or ebetween)
previous post
> I'd like to see this system in place.
Same as above, it has been in place for a long time.
A bit like Treponema pallidum (syphilis), once it in the system, it takes years for anybody to notice.
evil lol... evil lol...
How about they go online every 24H or every boot which ever comes 1st.
And see my previous post.
" The technology for this is not new.... it was just under the radar for 3 years.
http://news.com.com/2010-1080-281524.html http: //www.sysopt.com/forum/Forum5/HTML/006707.htm l "
So it would seem that Phoenix has thought this out. 1000 hits per sec, each hit taking less that 1s to process. It only needs 5 servers running Apache @200 con/s. And 10 million uuids (16 bytes each+1byte for the kill flag) that would only require a 170MB database (which can be chached in ram on each of the servers)...
The technology for this is not new.... it was just under the radar for 3 years.
http://news.com.com/2010-1080-281524.html http: //www.sysopt.com/forum/Forum5/HTML/006707.htm l
* For those of you that said: "replace the bios"... you win... well, if the cpu+chipset are not working with the bios. There is no protection against physical access. (I worked in a company that designed smart cards, and the EE guys had to design silicium with fake gates and fake logic to foil (...um... delay...) the guy with the microscope and a whole protective layer to avoid probing. Still beatable with chemicals and electromagnetic imaging. But that becomes an expensive hack).
* For those that said fdisk or dd. You might not win if the disk is encrypted using ATA-3 features. http://www.e-smart.com.hk/veridicom/pro ducts/vbx.h tm
You would have to find the key by tracing the bios. Which can be very time consuming if the bios gets help from the cpu+chipset for parts of the key.
* For those that said replace the mother board... ever tried replacing a laptop motherboard?
This technology will deal with most thefts: a company laptop with sensitive data that the thief did not specifically attempt to acquire.
Also look at Europe's working contract model. The trickier the job, the longer the leave-notice period. Normally people have 30days leave notice for most technical jobs. Engineers have 90days. If the job requires more hand-over time, then make it required in the contract. If he wants to quit but does not help the new guy during those 90 days, then he becomes sueable.
I hope this teaches all you "at-will"-contract-touting companies a lesson.
Totally agree except for the point where you hope that ATI hw+sw combo will work better for you. Come to the force... get an nVidia.
ATI might be faster, but IT sure can't take curves as nicely as an nVidia. It is like owning a dragster, you can do 1/4 mile realy fast, but that is about it.
I owned a voodoo, voodoo3, GeForce3, and then ATI all-in-wonder Radeon 9700 pro. I have retruned my 9700, and am waiting for my FX5800.
I did try realy hard to get it to work. But ATIs support, even with the evidence in front of them was: upgrade everything and re-install. They did not even bother reading what versions of drivers I had.
Apparently, if you don't want to be hooked up to an electric company anymore (because you have your own generator, or solar power, or you just got rid of all your MS servers,...), you will have to pay up also. Search "exit fees" here: http://www.ifmaenergynet.org/ca_update/cali_news_a rch.cfm
The new trend is pretty cool: "I pay for a monthly service (not some multi-year contract), and when I don't want it anymore, I have to pay for not having the service."
They could have used a timed key (valid only for a couple of weeks). All the machines in that company that leaked the key would have had to be installed (no user prompting, but still requiring internet connection) within the timeout period.
If somebody stole the timed key, and re-adjusted their computer time just to get by the install, it would fail, as the computer would still need to connect to a MS-owned server with its own notion of time.
For something this easy (other companies like Symantec provide timed keys) not to be implemented
can only be a sign of deliberate action.
"I'll give out (oops! I meant leak out) this free OS. Once people get used to it, then I'll charge a huge amount for all these other softwares and services. And I'll give major parties (i.e. sueable) a chance to get back on the right track by purchasing a valid license."
Slashdot Mirror
I was working on the stack back in 1998, and shrinking it to fit in the bios for Phoenix Tech (Guildford UK office, now closed). Phoenix almost bought the stack and the browser. ... x->blabla ...
I even spent a few days in Bury Saint Edmunds, doing code reviews.
Can't remember the stack version...
But I was emailing patches or on the phone a couple of times a week, trying to convince people that stuff was wrong.
The most flagrant one was something in the vein of
if (blabla) {
blabla;
free(x);
}
The stack was using cunning OO implemented in C with structs and ptrs, it was reasonably modular. I got it down to 45K uncompressed with the telnet server. But it was too unstable, trying to be too nifty for its own good.
--
jpa
PS: reply to my email (now enabled).
At least, it makes for realy cool movie dialogue:
... too late... they have detected us."
"Sir, I can't hold up this hack for long! I'm starting to loose quantum state! The photon stream is disrupting!
More seriously... At least it removes the snooping factor that plagues some authentication schemes.
--
jpa
This Article on Radius has a section on vulnerabilities.
And it does seem pretty weak against snooping during the authentication phase.
Somebody mentioned tunneling via SSL. Right on dude.
--
jpa
Did you know that MS has been poking around the UK for mobile-phone related companies? ...
Microsoft acquires Symbian partner STNC
Last century, MS bought STNC which makes mobile phone software (web-browser, tcp/ip stack...)
Here's a dusty article
-- jpa
PS: I actually helped those guys debug their tcp stack... and what a piece of crap.
No.
Way more cunning.
1999-06-18 US1999000336108
Abstract: A method including creating an executable program in accordance with a Windows Control Panel Language (CPL) format; storing the executable program in a first non-volatile memory; transferring the executable program from the first non-volatile memory to a second non-volatile memory; and, configuring an operating system to start-up the executable program after the operating system has completed booting.
MUHAHAHAHAHAHA! MUHAHAHAHAHAHA!
The curse is unleashed!
MUHAHAHAHAHAHA! MUHAHAHAHAHAHA!
> Assuming they could get past all the potential technical hurdles ... evil lol ...
They have gotten past those hurdles 3 years ago with phoenixnet (or ebetween) previous post
> I'd like to see this system in place.
Same as above, it has been in place for a long time. A bit like Treponema pallidum (syphilis), once it in the system, it takes years for anybody to notice.
evil lol
How about they go online every 24H or every boot which ever comes 1st.
....
: //www.sysopt.com/forum/Forum5/HTML/006707.htm l
And see my previous post.
"
The technology for this is not new
it was just under the radar for 3 years.
http://news.com.com/2010-1080-281524.html
http
"
So it would seem that Phoenix has thought this out.
1000 hits per sec, each hit taking less that 1s to process. It only needs 5 servers running Apache @200 con/s.
And 10 million uuids (16 bytes each+1byte for the kill flag) that would only require a 170MB database (which can be chached in ram on each of the servers)...
--
jpa
http://news.com.com/2010-1080-281524.htmlm l
h tm
http://www.sysopt.com/forum/Forum5/HTML/006707.ht
http://www.e-smart.com.hk/veridicom/products/vbx.
--
jpa
The technology for this is not new ....
: //www.sysopt.com/forum/Forum5/HTML/006707.htm l
o ducts/vbx.h tm
it was just under the radar for 3 years.
http://news.com.com/2010-1080-281524.html
http
* For those of you that said: "replace the bios"... you win... well, if the cpu+chipset are not working with the bios.
There is no protection against physical access.
(I worked in a company that designed smart cards, and the EE guys had to design silicium with fake gates and fake logic to foil (...um... delay...) the guy with the microscope and a whole protective layer to avoid probing. Still beatable with chemicals and electromagnetic imaging. But that becomes an expensive hack).
* For those that said fdisk or dd.
You might not win if the disk is encrypted using ATA-3 features.
http://www.e-smart.com.hk/veridicom/pr
You would have to find the key by tracing the bios. Which can be very time consuming if the bios gets help from the cpu+chipset for parts of the key.
* For those that said replace the mother board...
ever tried replacing a laptop motherboard?
This technology will deal with most thefts:
a company laptop with sensitive data that the thief did not specifically attempt to acquire.
--
jpa
Also look at Europe's working contract model.
The trickier the job, the longer the leave-notice period.
Normally people have 30days leave notice for most technical jobs. Engineers have 90days.
If the job requires more hand-over time, then make it required in the contract.
If he wants to quit but does not help the new guy during those 90 days, then he becomes sueable.
I hope this teaches all you "at-will"-contract-touting companies a lesson.
--
jpa
Totally agree except for the point where you hope that ATI hw+sw combo will work better for you.
Come to the force... get an nVidia.
ATI might be faster, but IT sure can't take curves as nicely as an nVidia.
It is like owning a dragster, you can do 1/4 mile realy fast, but that is about it.
I owned a voodoo, voodoo3, GeForce3, and then ATI all-in-wonder Radeon 9700 pro.
I have retruned my 9700, and am waiting for my FX5800.
I did try realy hard to get it to work. But ATIs support, even with the evidence in front of them was: upgrade everything and re-install. They did not even bother reading what versions of drivers I had.
Here is the tale of the Radeon 9700 pro nightmare.
--
jpa
Apparently, if you don't want to be hooked up to an electric company anymore (because you have your own generator, or solar power, or you just got rid of all your MS servers, ...), you will have to pay up also.a rch.cfm
Search "exit fees" here: http://www.ifmaenergynet.org/ca_update/cali_news_
The new trend is pretty cool: "I pay for a monthly service (not some multi-year contract), and when I don't want it anymore, I have to pay for not having the service."
Bloody Bastards.
They could have used a timed key (valid only for a couple of weeks). All the machines in that company that leaked the key would have had to be installed (no user prompting, but still requiring internet connection) within the timeout period. If somebody stole the timed key, and re-adjusted their computer time just to get by the install, it would fail, as the computer would still need to connect to a MS-owned server with its own notion of time.
For something this easy (other companies like Symantec provide timed keys) not to be implemented can only be a sign of deliberate action.
"I'll give out (oops! I meant leak out) this free OS. Once people get used to it, then I'll charge a huge amount for all these other softwares and services. And I'll give major parties (i.e. sueable) a chance to get back on the right track by purchasing a valid license."