Posts by Anteaus

Solar panels on the moon? They seem to have overlooked the fact that it rotates once a month, therefore a 14x greater night backup problem than here on Earth. I don't say that solar panels are economic anywhere, but in space at a distance where sunlight isn't obscured would be the sensible option.

Teach a man to fish..

Learning basic HTML skills ain't that hard, and once you understand the way it works it's much easier to handcode and get a predictable result, than to try to get past all the weird formatting quirks in online editors.

Or, you could use a 'Web builder' which supposedly makes this process simple, but actually takes longer to learn your way around than HTML, and is far more restrictive.

Or you could take the CMS approach of uploading 100MB of vulnerability-riddled php and SQL code, just to display a one kilobyte page.

Then, have to update to an new CMS version because of critical vulns in the old one, and (big surprise) find that the updated CMS is incompatible with content from the previous one, so it's start again from scratch time. Six months later, repeat process. Ad nauseam.

Wrong angle on security, anyway.

Any system coded in a language which allows buffer over-runs, is vulnerable to any trivial oversight by the coder. But, tell any coder to stop using C or its derivatives, and you might as well tell them to give up coffee.

Any Web backend whose database allows injection of commands into data, is insecure by design and should be ditched. Any chance of a replacement for SQL, minus this vuln, anytime soon? Nope. Thought not.

Any OS or browser which continually hits the user with update-reminder popups is wide open to update spoofing by malicious sites. Better no updates than continual popups, some of which may lead to a malware download.

Any software which encourages users to post email addresses on webpages is a crass piece of idiocy. The result will be harvesting, and spammed links to sites hosting malware. Yet, the majority of website software authors stick their heads in a bucket of sand and pretend that address harvesting isn't real.

These are the real security issues in IT. Funny, but the industry, instead of fixing the actual causes, makes a lucrative trade out of selling symptom-treatment products. I guess there is money in this, but no money in fixing the root of the problems.

Meanwhile, TPM will address precisely... zero of these issues.

Mainframe yes.. Website no.

SQL may have been a brilliant innovation for mainframes crunching large amounts of data in a secure room, but it is a diabolically bad choice for Internet use, since it allows malicious commands to be injected into the data stream, which is especially dangerous in data entered from online forms. From what I've briefly read about it, it's not too clear if NoSQL is any more secure in that respect.

Scraping websites for malware: Ethics of misreporting?

Recently my hosting company was sent a takedown notice from a German firm named csyscon SIRT. Seems they reckoned they'd found malware on one of the sites we maintain. As a result all of our sites on that host were offline for several hours.

Turned out the file they had targeted was a zip download containing an executable compressed with UPX. Now, any coder familiar with UPX will know that it is somewhat prone to false malware alerts. Which in fact is why we don't use it anymore. The download was an old version, retained only in case anyone still needed it. The online file checked-out as byte identical to our archived version. Unsurprisingly, the alert was a complete false alarm.

Since the file was an archived version linked only from an obscure page, I think we can assume that it was found by way of a deep scrape of the site.

A while later, got a notice from Google that my Adwords account had been suspended 'due to malicious content' on an advertised site. The report was very unspecific. I had to grill the Google staff to find out exactly what the report was about. I had expected it to be the same UPX-compacted excutable, but no. When I finally got the lowdown it referred to a different site anyway, and the alleged malware included one javascript file, one gif image, and one stylesheet. The javascript file was exhaustively tested and found clean. As for the other two, the chances of those filetypes containing malware are, as far as I know, extremely slim. (If anyone knows of a way in which a stylesheet can be infected, that would be an interesting separate topic. I daresay it might be possible but it seems extremely unlikely)

I pointed out that all of the files checked out as clean, but a Google rep inisisted that they have 'a specialist internal system' which is so good that it can find malware where no other detection system can. Hmmph.

Judging by other reports, this kind of uninvited scraping of websites for malware seems to be spreading. Companies have sprung up which specialise in it. I think it may be assumed that the scanning is done by bots, and that few if any human checks are performed to catch false positives.

We've had heated discussions on ElReg before about whether it is ethically OK to scrape third-party websites looking for security flaws such as harvesting risks. However, in that case the objective was purely to inform the site's owner of the vuln, a comparatively harmless response. Even so, some commenters did not think it was acceptable to scrape sites for any reason.

Here, the objective is entirely more controversial; scraping sites with the aim of sending a takedown notice to the hosting company, or to searchengines to have the site blocked or de-ranked. I would have thought that such activity would be considered malpractice even were the scraping and detection system one hundred percent reliable. What we have seen, though, is that quality control is nonexistent, that false positives abound, and those blunders lead to loss of revenue and costs for the victims of the misreporting.

Perhaps this could be a subject for a Reg article.

Why no ergonomics for longhorn?

Interesting that Allchin says they spent a lot of effort on the ergonomics of WinXP. It shows, and it's the reason it's still the preferrred desktop OS today. Meanwhile the Longhorn team must've been left out of those discusssiions, I guess, because Vista was totally devoid of ergonomics, and Win7 ain't that much better. By the looks of things, Win8 won't change anything in that respect, either.

As for the iPod, styling and fashion-accessory status was its main selling-point. Why should I pay a premium price for an Mp3 player which doesn't work on any computer OTHER than one with iTunes installed? That isn't an advantage, it's a serious handicap. My first Mp3 player cost half the iPod price, and did work on any XP or Linux computer. It also doubled as USB memory.

Like most people I use my phone for mobile music these days, and I was careful to choose one which doesn't require invasive software on the computer. Plug it in, copy files.

Overcomplexity...

Overcomplexity is often at the root of IT security issues. As systems become more complex, a point is reached where it would be very hard to determine IF a security hole exists, or not.

This issue affects the small business sector more than others, where maximally-complex installations are often deployed to meet very simple requirements, and yet the IT resources to manage the security of such installations simply do not exist, or are too costly.

Not scared of change...

Just sick and tired of change being forced on us by coders with new 'wonder ideas' who mostly don't even know what the word 'ergonomics' means.

Y'know those supermarkets which move all the shelves around about once a week? So every time you go in you have to search the entire store for one or two items. Theory seems to be that if people have to search instead of going straight to the product, they buy other things they don't actually need while they're searching. Practice is that after one or two lengthy, aggravating searches, customers vote with their feet and find another store which doesn't do that.

With IT, you have the added issue that each paradigm change brings with it a fresh crop of bugs. Thus the more frequent the changes, the less likely it is that we'll ever see a reliable IT platform. The NT/2000/XP product line got where it did because it was a logical progression of development instead of a series of paradigm shifts, and remained in the market long enough for it to become a mature product.

Unfortunately, in some respects Linux seems to be following suit these days. KDE4 has been compared with Vista for its bugginess, and the extent of pointless change from a system which previously worked OK.

HTML5 is another product in this category, where new technologies could be an advantage but are offset by the problems caused by needless, pointless changes to code that has worked perfectly well for decades.

Personally if I'm going to upgrade, I want the upgrade to give me something which improves on what I had before, not just YET another willy-nilly paradigm change and fresh crop of bugs.

Largely irrelevant result anyway.

By far the most common exploit is social engineering. Put-up a notice telling the user to upgrade their Flash plugin, and users will reflexively click Yes. No clever exploits needed, just a simple layered javascript popup.

Problem here is computers which constantly hammer the user with upgrade requests, and browsers which allow system dialogs to be simulated, even to the extent of simulating 'screen dimming' UAE prompts.

Simple but effective ideas...

Talking of simple flight-stabilisation ideas, the early Sidewinder used rollerons - A notched wheel was spun to high RPM by the the airflow, and if the rocket rotated the wheel's precession force turned a tailfin the right way to cancel the rotation. Worked a treat and (in pre-IC days) saved a bulky lump of electronics.

SInce the rolleron relied on airflow it wouldn't work in vacuo as designed, but a similar idea with a wheel spun-up by the rocket exhaust and turning a steering vane or gimbal might work.

Though, I'm inclined to think that either spinning the vehicle up before launch, or else a non-spinning vehicle with 3-axis solid-state gyros and thrust vectoring are the approaches most likely to work. Gyros are more complex and need a lot more setting-up but they do allow you to determine, within a reasonable degree of precision, where the thing goes. They also allow for self-correction, up to a point, of a bad launch attitude.

In principle a horizontal launch could be used if the vehicle is gyro-controlled, it being commanded to go into a climb after a few tens of feet of travel. This overcomes the issues of clearing the balloon. Though, the toroidal balloon idea is interesting, and could be a simpler solution than developing the necessary trajectory-control software for a horizontal launch.

Time-honoured principle..

Whatever happened to the principle that once a scientist had been caught-out massaging figures, no-one ever listened to them again?

While that might sound harsh, the principle is/was that since it is often difficult to detect falsification by specialists working in fields which only they fully understand, the punishment for dishonesty had to be severe enough to ensure that no respectable scientist engaged in it. Otherwise, no data could ever be trusted and the whole of scientific research would fall into disrepute.

The UEA had clearly been 'adjusting' data to make their argument look more convincing.

Leading-edge designs = High operating costs

I think part of the cost problem with the Shuttle is down to using very complex components which were designed to achieve the highest possible efficiency, but which proved to be very costly to maintain. This probably made more difference than any comparison between re-useable and throwaway vehicles.

The main engines are a case in point. Compare the plumbing on a SSME with that on a Russian RD-180, and you see what I mean. The RD-180 is a clever design with a number of innovations, but it's also an exercise in efficient use of materials and labour. For example, while the three SSME nozzles require no less than twelve pumps between them, the RD-180 has a single turboshaft doing the pumping for two nozzles. Plus, the SSME has all the additional safety issues created by using hydrogen fuel. Which, is partly responsible for high expendable tankage costs owing to its low density and consequent very large tank size, plus the need for fuel tank insulation. The RD-180 sticks to traditional kerosene, somewhat less efficient but simpler to handle and safer.

SpaceX have evidently looked-at this cost/complexity aspect too, as their designs use extremely conservative technology. Yet so far have been very successful.

The question is, could a reuseable craft operate economically if its systems were designed around less-costly, less leading-edge principles?

Engineered to fail?

DRM is one thing, it's quite another when data you've paid for is deleted remotely. That is dangerously close to selling engineered-to-fail products.

Besides, I reckon the media companies have finally started to wise-up to the fact that DRM is what's inhibiting online sales, not piracy.

DRM is a solution sold by programmers to the media companies, a solution to a problem which doesn't actually exist, and a solution which actually causes the problem it claims to prevent. Sony corp got their fingers badly burned with that one, when DRM coders surreptitiously sold them a rootkit.

Attacking problem from wrong end...

SPF is easy to implement but fails badly with redirected or forwarded messages. DKIM is too complex for small sites to implement. But, IP-based filtering is attacking the problem from the wrong end, anyway. It's giving symptom-treatment priority over finding a cure for the disease.

As Barry says, Email protocols were indeed created in the days of implicit trust, where spam wasn't a problem. The mailto: protocol is desperately out of date, and urgently needs to be deprecated in favour of a protocol which doesn't expose the email address to any passing robot. This indeed the very root of the problem, and in principle it's far simpler to take measures to stop spammers harvesting email addresses than it is to block botnets from spamming you.

Pity they didn't take mailto: out of HTML5, at least that would steer webdesigners in the direction of using safer alternatives.

If (say) 80% of webmasters implemented anti-harvesting measures, then the paucity of addresses to spam might well make the masmarketers decide that spamming is no longer profitable, in which case spam would virtually cease.

The other approach which warrants some thought is that of hosting companies implementing a webserver module which blocks the publication of any page containing vulnerable mailtos, or alternatively which automatically munges any mailtos found in a page. Since such an add-on would drastically reduce the spam that the host receives via its own servers, I could forsee a rapid uptake by hosting companies once the idea has been proven.

-Any Apache/IIS coders interested in taking the idea further?