Just fucking google it. There are large numbers of unpatched XP exploits. Microsoft themselves even admit the entire OS is fundamentally insecure and will never be fixed. They even said the same thing about Win 7 as soon as they wanted you to buy Win 8.
The existence of exploits is different from the question of which exploits are applicable to XP systems as actually deployed on this ship.
The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+-year-old OS with a giant list of known exploits, goes so far beyond amazingly stupid I can't even find the words.
Can you name a single known exploit that applies to this ship's XP systems as deployed?
Indeed. Area 51 aliens? Bigfoot? Time travel? The existence of Trump as president is a death knell to so many conspiracy theories because, you really think he'd be able to keep his mouth shut about that sort of thing?
Don't be too quick to assume the president would ever be told. President Clinton made public statements that nobody told him about aliens, and president Whitmore was only told *AFTER* aliens invaded Earth and started blowing shit up.
The microservice architecture is about moving things into as small a unit of domain-specific functionality as possible -- which should facilitate code maintainability etc.
This is the standard operating principle of meme machines. They say obvious things, well known and understood since before most of us were born, and then assert themselves as the only best path to achievement.
When picking up a new paradigm
What new paradigm? I dare you to name one new concept.
Data is what actually matters. Everything else is noise.
And examine every packet carefully.
Virus scanners will have long since been rendered obsolete.
People will demand and have the means of fully controlling their systems entirely by themselves within their own administrative domains. This will have become even easier than today's cyber-stalking "cloud based" "IoT" malware "appliances" forcing you to connect to other people's servers thousands of miles away just to adjust some widget a few feet away from you.
People will have long since gotten over marketing campaigns celebrating gadgetry with pointless complexity and features which provide no coherent value proposition to the end user.
People of the future will look back at the present day with disdain and shock that corporations were allowed to violate their customers' privacy and security as they please with no repercussions in order to maximize profits.
Why? I've got a Galaxy S7 with a non removable 3000 mAh battery, and it's been an awesome phone so far.
Batteries go bad. I've replaced batteries in numerous phones, including my current phone, which first went on the market over four years ago. I also own a massive ~9000 mAh aftermarket battery I plop in on long trips, which is just awesome. Phones are expensive; batteries are inconsistent and have a shelf life even while left unused. I see no point in rolling the dice when you don't have to.
The OnePlus starts at 64 GB and goes up to 128 GB, which I think reduces the pressing need for an SD card for most people. If you're storing 128 GB of stuff on your phone, that's a little extreme.
My current 128 GB SD card has only 5 GB left and will soon be replaced with the 256 GB version. Storing a total of 150 GB on the phone now between SD card and internal storage.
And in that case, you're limiting yourself to very few phones on the market.
Absolutely. At any given time there may be just one or even no current phones on the market that meet my requirements.
Stopped reading at "3300 mAh (non-removable)" and no SD card slot.
But if there is intent to harm AND perceived harm, and both can be reasonably proven (as with assault), why can't we define such a category of speech acts?
You can define whatever you damn well please. It's expecting the US government to squander its monopoly on violence to enforce such drivel that's quite a bit more difficult to achieve.
no harm to legitimate speech.
Legitimate speech? What's that?
It's management that won't pay for properly written, properly tested software. That takes time (measured in metric shit-tons), and that makes it too expensive in every case I've ever seen.
Security cannot possibly be the result of dotting every i and crossing every t. It cannot require exhaustive testing, massive expenses, or being very careful with critical attention to every detail. Any approach requiring these things for success is almost certainly guaranteed to fail. Security must never require human perfection.
The only realistic way to get to a secure system is by pursuing designs which are inherently secure, where coders are required to intentionally create a vulnerability or otherwise knowingly break a contract in order for security failures to even become possible. Security must be easy.
..and verify that all time functions everywhere in the OS now continue to give correct values. ...ah, those little things... that nobody that ever spoke like you... knows anything about.... clearly you aren't a software developer, and not only that, you don't even fucking know one.
The issue is data types and aliasing, not time-specific logic. Check out the links posted by petermgreen, which go into great detail about what is necessary.
https://sourceware.org/glibc/w...
When you take something that wasn't designed with security in mind and try to expand and adapt it, you have a lot of issues. Better to start with something designed for the purpose it is being used from the start.
If more things were designed without security we would see much better outcomes.
Security where possible should be treated as an aspect and simply punted to subsystems actually dedicated and capable of providing it rather than continuously (poorly) re-implemented.
HTTP is a good example. It was designed as a stateless protocol for transferring text documents with markup. We now rely on it to do stateful transactions for things like online shopping carts, and this has led to tons of security issues, since you have to hack state onto a protocol that isn't designed to support it using things like cookies.
HTTP is the wrong layer for security. People have issues because they insist upon entering credentials into ad hoc web forms in plaintext over HTTPS instead of authenticating via a secure authentication protocol cryptographically bound to the encrypted channel. One continues to offer security even when the user attempts to authenticate with an attacker... the other is the clusterfuck we have today.
IP is another great example. There's all kinds of shit in IPv4 that is completely stupid from the perspective of a protocol used on the Internet.
IPv4 and IPv6 are nothing more than an envelope of information with globally unique source and destination addresses. The design is in every way that matters perfect because it only says what is obviously necessary for communication.
Just because old baggage and routing options exist is quite irrelevant if they are effectively disabled and not actually an issue/used in the real world.
Like source routing, where you can specify the routers that a packet must go through,
It's not so much a bad design as it is the wrong layer. Specifying where traffic goes is the full-time job of traffic engineers. The fictional problem which does not actually exist would be the practice of exposing routing decisions to IP... This is not occurring.
or the fact that you can just claim to be from any IP you want. This is a bad design for a global communications network.
I will go to my grave believing this is a feature to be celebrated, although attempts to curb it à la BCP 38 and crew are also to be celebrated. I believe it is practically impossible and morally perilous to even try to create a trusted global communications network open to everyone. The best humanity can do is make a network that with some predictable regularity delivers information to where it's supposed to go and let people establish their own end-to-end trust relationships. All known alternatives suck much worse than what we have now.
However it is that way because IP wasn't designed for a global communications network, it was designed for an ARPA project and it grew. IPv6 fixes a lot of this because it was designed later, around how IP is actually used these days.
While there will always be interesting implementation drama, IPv6 is the exact same shit in every way that matters as IPv4. The expanded address space adds some interesting new challenges, such as local broadcast spam, and places a slight damper on others, such as the tractability of global scans and associated exploit campaigns. At a high level it really is just 96 more bits of address space.
Also, talking about X Windows is funny because, man, you wanna talk security risk, X is huge.
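The source-address spoofing and BCP 38 exchange above is where a small, concrete check helps. The following C program is an added example, not code from any of the commenters; it implements the BCP 38 ingress rule (a packet is forwarded only if its source address lies inside the prefix assigned to the interface it arrived on) against a constructed sample of observed source addresses. The `ingress_iface` structure, the interface name `eth1` and the 198.51.100.0/24 documentation prefix are assumptions made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* One customer-facing interface and the single source prefix that may
 * legitimately enter the network through it. Hypothetical structure for
 * this example; a real router keeps this in its RIB / uRPF tables. */
typedef struct {
    const char *name;
    uint32_t prefix;     /* network address, host byte order */
    int prefix_len;      /* 0..32 */
} ingress_iface;

/* Constructed sample: interface eth1 is assigned 198.51.100.0/24. */
static const ingress_iface SAMPLE_IFACE = { "eth1", 0xC6336400u, 24 };

/* Parse dotted-quad text into a host-order uint32_t. Returns 1 on success,
 * 0 on any malformed input (octet out of range or trailing characters). */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Netmask for a prefix length; lengths outside 0..32 are clamped. */
uint32_t netmask(int prefix_len) {
    if (prefix_len <= 0) return 0u;
    if (prefix_len >= 32) return 0xffffffffu;
    return 0xffffffffu << (32 - prefix_len);
}

/* BCP 38 ingress check: permit only when the source address lies inside
 * the prefix assigned to the interface the packet arrived on. */
int bcp38_permit(const ingress_iface *ifc, uint32_t src) {
    uint32_t m = netmask(ifc->prefix_len);
    return (src & m) == (ifc->prefix & m);
}

/* Run the check over observed source addresses and return how many would
 * be dropped. Unparseable addresses are dropped too: the filter fails closed. */
int count_spoofed(const ingress_iface *ifc, const char *const *srcs, int n) {
    int dropped = 0;
    for (int i = 0; i < n; i++) {
        uint32_t src;
        if (!parse_ipv4(srcs[i], &src) || !bcp38_permit(ifc, src)) dropped++;
    }
    return dropped;
}

/* Constructed sample of five packets seen on eth1; returns the drop count
 * so the result can be checked without depending on printed output. */
int sample_dropped(void) {
    static const char *const seen[] = {
        "198.51.100.17",   /* legitimate */
        "198.51.100.254",  /* legitimate */
        "203.0.113.9",     /* spoofed: outside the assigned prefix */
        "8.8.8.8",         /* spoofed */
        "198.51.100"       /* malformed: fails closed */
    };
    return count_spoofed(&SAMPLE_IFACE, seen, 5);
}

int main(void) {
    printf("%d of 5 sample packets dropped by the ingress filter on %s\n",
           sample_dropped(), SAMPLE_IFACE.name);
    return 0;
}
```

The check is deliberately per-interface rather than global: BCP 38 works because the operator knows which prefixes can legitimately originate behind each customer port, and a non-zero drop count on such a port is the signal worth alerting on.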
X risks hail from spaghetti code.
Now of course most distros are smart enough to block remote X using the firewall, and you do something like tunnel it over SSH. However that is a hack, it is putting up barriers around something insecure.
It seems to me if you want to control acc
This SMB thing reminds me of people arguing over which version of SNMP is better to use. Use version 1... no, version 2c, that's better... no, v3 with passwords and privacy passwords is much safer, when the reality is no matter what version you select the outcome is still very much the same: you're fucked. The only sane method for securing SNMP is restricting use to secure channels (e.g. (D)TLS or SSH).
My understanding is SMB is no different. Even the latest and greatest version 3 with somewhat modern algorithms still provides zilch in terms of offering a rational basis of trust. Trust is generally established from weak challenge-response authentication protocols (NTLM/Kerberos) which, when unprotected by PKI, expose users of SMB to offline compromise of their credentials.
The only way to use SMB securely is the same as SNMP - restrict use to a secure channel at which point caring about worthless security features included with versions x, y and z is all a rather fruitless exercise.
I should add on multiple occasions I've found myself having to disable SMBv2 due to shady caching and locking semantics that place performance before safety.
At the end of the day I just want shit that works and Microsoft is spectacularly failing to deliver. It's 2017 and they still can't be bothered to implement a secure authentication protocol capable of standing alone.
Unfortunately lots of people write code like this: int now = time();
I just want to see a path forward that does not involve telling people they are SOL if they use 32-bit Linux.
People doing bad things with time will be punished for their insolence in due course.
It boils down to the fact that correctly handling time is complicated. Leap years, leap seconds, Gregorian nonsense, .. the rules just pile up higher and higher. Nobody wants to touch that code and I don't blame them.
I'm sorry this makes no sense. Simply changing a data type does not make this any more or less difficult. You just have to create new system calls and alias them so that new code uses the 64-bit version and old code uses 32-bit.
The problem isn't the operating system. On most computers, time_t is a 64-bit value, even on 32-bit machines.
Not true. If you download the 32-bit version of any major Linux distro today in 2017 and write a program that spits out sizeof(time_t), the answer will be 4.
That bug is only an issue if you use Linux. Windows does not have that problem. If you use Windows, this isn't a problem. Linux has, what, maybe 2% of the market share? This isn't a big deal at all.
There is some truth in this.
Somehow Microsoft managed to update their compiler to make time_t 64-bit on 32-bit platforms without the world ending.
At some point the Linux ABI was updated to support files exceeding 2^31 bytes while retaining full backwards compatibility, so I'm not buying insurmountable technical justifications other than simple lack of will.
The stance in Linux land, as far as I've looked into the issue, seems to be either switch to a 64-bit platform or bugger off, with little to no interest in a solution for 32-bit hardware.
Given the time scales systems are supported in the field, and the presence of any forward-looking operations that may need to deal with or perform calculations based on the future, this problem will very much end up disproportionately biting Linux users, especially those running low-end embedded processors that still don't, or have only just relatively recently, supported 64-bit kernels. Probably already too late regardless.
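The thread above argues about whether a 32-bit time_t (or the `int now = time();` idiom quoted earlier) is a real problem. The C program below is an added example, written for this page and not by any of the commenters, that makes the failure concrete: it emulates what a 64-bit timestamp becomes when stored in a signed 32-bit slot, reports how many seconds of headroom such a field has left, and converts timestamps to calendar dates without going through time_t at all (using Howard Hinnant's civil_from_days algorithm), so the conversion is correct even on a host whose time_t is still 4 bytes. The function names and the constant TIME32_MAX are assumptions made up for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* 2^31 - 1 seconds after the epoch, 2038-01-19 03:14:07 UTC: the last
 * instant a signed 32-bit time_t can represent. */
#define TIME32_MAX ((int64_t)INT32_MAX)

/* Emulate storing a 64-bit timestamp in a signed 32-bit slot (a 32-bit
 * time_t, or `int now = time();`). Conversion to uint32_t is defined
 * modulo 2^32 by the C standard; the sign bit is then reinterpreted by
 * hand so the result is identical on every compiler. */
int64_t wrap_to_time32(int64_t t64) {
    uint32_t u = (uint32_t)t64;
    return u > (uint32_t)INT32_MAX ? (int64_t)u - 4294967296LL : (int64_t)u;
}

/* 1 if a timestamp survives the round trip through a 32-bit slot unchanged. */
int fits_time32(int64_t t64) {
    return wrap_to_time32(t64) == t64;
}

/* Headroom a 32-bit timestamp field still has from `now`, in seconds;
 * negative once the wrap has already happened. */
int64_t seconds_until_time32_wrap(int64_t now) {
    return TIME32_MAX - now;
}

/* Calendar date (UTC, proleptic Gregorian) for a 64-bit timestamp, computed
 * without gmtime() so it is right even where time_t is still 32 bits.
 * Howard Hinnant's civil_from_days algorithm. */
void utc_date(int64_t t64, int *year, int *month, int *day) {
    int64_t days = t64 / 86400;
    if (t64 % 86400 < 0) days--;                 /* floor, not truncate */
    days += 719468;                               /* days from 0000-03-01 */
    int64_t era = (days >= 0 ? days : days - 146096) / 146097;
    int64_t doe = days - era * 146097;            /* day within 400-year era */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp  = (5 * doy + 2) / 153;            /* month, March-based */
    *day   = (int)(doy - (153 * mp + 2) / 5 + 1);
    *month = (int)(mp < 10 ? mp + 3 : mp - 9);
    *year  = (int)(yoe + era * 400 + (*month <= 2));
}

/* Year a timestamp decodes to; convenient for checking the wrap effect. */
int year_of(int64_t t64) {
    int y, m, d;
    utc_date(t64, &y, &m, &d);
    return y;
}

int main(void) {
    int64_t t = TIME32_MAX + 1;                  /* one second past the limit */
    int64_t w = wrap_to_time32(t);
    int y, m, d;
    printf("sizeof(time_t) on this host: %zu bytes\n", sizeof(time_t));
    utc_date(t, &y, &m, &d);
    printf("64-bit view: %" PRId64 " = %04d-%02d-%02d\n", t, y, m, d);
    utc_date(w, &y, &m, &d);
    printf("32-bit view: %" PRId64 " = %04d-%02d-%02d\n", w, y, m, d);
    return 0;
}
```

Run on a 32-bit build, the first line confirms the 4-byte time_t the thread mentions; on any build, the last two lines show the same instant read as 2038-01-19 through a 64-bit field and as 1901-12-13 through a 32-bit one. Any code that compares "now" against a stored expiry, certificate lifetime or lease in the truncated form will get that comparison backwards once the wrap happens, which is why the storage width, not the calendar rules, is the part that has to change.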
Page 24...
"Barring guidance from the Sponsor with regards to particular devices of interest, Cherry Blossom has attempted to support wireless network devices that are ubiquitous and readily available (at least in the US)."
Why does CIA care what is "ubiquitous" and "readily available" in the United States? Who are they targeting? Why would they waste considerable sums of time and effort developing cracked firmware images based on US market availability? Is the CIA's mission spying on Americans? Isn't this supposed to be "Illegal"?
Can't stand much in the way of local grocery stores.. everything they sell is so tiny I sometimes wonder if their customers are 1 ft high miniature people.
Packaging to actual product surface area is outright ridiculous.
People have been speaking in code and enciphering messages since the beginning of civilization and will continue to do so as they please regardless of impediments erected by their governments.
From "let's get a pizza" = meet me at 5:00 PM at the square to exchange drugs, weapons and unstable ordnance.
To 6-year-old children knowing how to encrypt and decrypt messages over ANY communication medium using a pencil, paper and codebook.
You can't stop it no matter what you do. The only thing anti-encryption and government spying legislation can ever achieve is erosion of legitimacy and corruption of law enforcement.
WTF... No hyperspectral sensors w/ fancy ANN-fueled, expert-trained CV?
We want sentient weed terminators on wheels that work anywhere, even if it requires wireless streaming to a desktop computer running fancy CUDA code to figure out what to "delete".
This product is a crop out.
That searches are some kind of deep proxy for what you really think is an advertising slogan intended to make search engines seem more relevant and powerful than they actually are.
Google search results are just as full of worthless noise as they have always been and online store product suggestions are comically wrong. If the ability to know what I'm thinking actually existed it would seem to me to be in Google's direct financial interests to use it.
Incandescent bulbs are a huge waste of electricity and have a very dull, ugly color.
No, the CRI of incandescent bulbs is 100. Name any commercially available LED lighting system that achieves the same. You of course can't, because no such thing currently exists.