Posts by Doug 105 publicly visible posts • joined 24 Mar 2007
How do you actually get 'infected', is there a working demo online where I can get infected by clicking on a URL ?
> "Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password," Webroot researcher Andrew Brandt explains. "After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user."
> Only jailbroken iPhones with default passwords have ever been infected with malware and even then only by a handful of high-profile worms, such as the Rickrolling worm in Australia and the D'oh bank credential stealing worm in the Netherlands, which both spread last November ..
Like, how did the Rickrolling and D'oh worms get onto the machines without using jailbroken iPhones and default passwords, and without any user action ?
> Sadly, Cartmel admitted the satire went completely unnoticed. He said: "Critics, media pundits and politicians certainly didn't pick up on what we were doing. If we had generated controversy and become a cause célèbre we would have got a few more viewers but, sadly, nobody really noticed or cared."
That's not strictly true, one of the best things about the series was the intelligent scripts aimed at the more mature audience. 'The Sun Makers' being another good example, where the entire solar system is privatised by the company. If the politicians didn't get it, we most certainly did.
The Collector of taxes being a sentient poisonous fungus type creature from the planet Usurius., Usurious, Usery .. get it .. eh ??
http://www.dailymotion.com/video/x9e91e_the-sun-makers-part-2_shortfilms
http://www.drwhoguide.com/who_4w.htm
"Security researchers have turned their attention to femtocells, and have discovered that gaining root on the tiny mobile base stations isn't as hard as one might hope"
Whoever designed these devices should be sent back to computer school. An authentication device that can be bypassed is a contradiction in terms. Or as some pen pusher would put it in a report: an unantipicate security excursion. Did not anyone check these devices for security vulnerabilities. What are they teaching them in college nowadays ?
"Uh you've reached stewie and brian, we're not here right now, uh and if this is mom, uh send money because we're college students and we need money for books...and highlighters...and.... ramen noodles...and condoms, for sexual relations with our classmates"
"A spokeswoman for Demon said the company had changed the passwords which were sent out and was in the process of changing user names too"
What were they doing storing passwords in the clear in the first place. What were they doing emailing this document around the company.
This ..
"Microsoft has placed a clutch of Silicon Graphics patents in the hands of those trying to defend Linux and open-source against trolls"
Does not equate to this ..
"Microsoft didn't directly approach the OIN - one of the industry's largest buyers of patents - and went through the AST instead"
And there is no evidence that MS intended the patents to end up in the hands of the OIN
"Flaws in the program are routinely exploited by criminals to install keyloggers and other malicious software on end-user machines"
Shouldn't that be flaws in the underlying platform allow for the installation of malicious software. That platform invariably being the WinTEL one. The one with the built-in buffer overflow feeture ?
"After all the lost data from government departments WTF was the counsel employee doing with a USB stick in the first place", John G Imrie
Look, the presence or absence of a USB drive does nothing what-so-ever to increase/decrease security. If I can get you to visit a certain web site or open a certain attachment, I can own your computer ...
"What next, i4i suing anybody else who dares infringe their loosely-worded "patent"? Guess that'll be bye-bye Apple, Linux and anything else that allows data to be used in multiple applications...", not.known@this.address
According to Groklaw ..
"No need for analysts' opinions and such. OpenOffice.org is clean, according to the i4i folks, and it's their patent. As for ODF, it doesn't use CustomXML, and it had no plans to do so, despite what you've been reading in the fuddy papers"
http://www.groklaw.net/articlebasic.php?story=20090817235436439
| headline corrected |
'When a file infected with W32/Induc-A runs, it looks to see if it can find a Delphi installation on the current machine. If it finds one, it tries to write malicious code to SysConst.pas'
Does the original W32/Induc-A require administrator rights to infect the machine. Is SysConst.pas normally required to be writable by administrator. Notice how they managed to not one mention Windows in the body of that 'report'.
<insert payload>
"W32/Induc-A virus being spread by Delphi software houses"
"If you believe that you may be using software written in Delphi you would be very wise to ensure that your anti-virus software is updated. Actually, regardless of whether you use Delphi-written apps that's a good idea"
</insert payload>
I used to be an Open SuSE enthusiast but dropped out because of the very low activity on the forum. That, and they barred me for asking questions about the covenant with Microsoft. The one that says you can't even work on OpenSUSE in your own companies time. And you don't own your own code contributions. Now, I'm a Ubuntu enthusiast.
<a href ="http://i25.tinypic.com/2prisyg.jpg">Slashdot Advert</a>
"The spirit of the GPL, and its purpose, were pretty straightforward and in my view honourable. But beware - it's more than it looks. Large companies can use it to harrass small ones. Small ones can use it to harrass large ones", David Coveney
The 'spirit' of the GPL is hardly the issue as the terms have been explicidly laid down in the actual text of the license. What large/small companies harrass other small/large companies. Please point out where actual harrass took place rather than the requirement that the terms of the GPL be adhered to. GPL 3 was specifically designed to prevent anyone coming after you for patent royalties ..
http://www.gnu.org/copyleft/gpl.html
http://www.gnu.org/licenses/gpl-2.0.html
"Until someone can come up with a way to stop employees from working against their companies, just so they can spend their working days goofing around on Facebook and Twitter"
You're kidding, since when were people allowed to twitter on NHS patent record systems. Any evidence to the contrary?
" I work for a company that works very closely with the NHS .. A patient faking illness just pops it in lets the malware off " SNORT !!!
> The idea of a desktop running a thin OS served by the cloud is fine - until you want to do image processing, or make music or videos .. Linux is a fine OS until you get to the applications - ah, yes... GIMP - and integration with the real-world,doing stuff your Mum needs to do.
Your Mum must be way cleverer than mine if she can do image processing, or make music videos videos. For most people the browser is the PC and a quick perusal of the specs tells us that Chrome OS does a lot more. Given that a number of hardware manufacturers have climbed on board, Chrome OS will make the desktop obsolete.
> Linux is a fine OS until you get to the applications - ah, yes... GIMP
Andrew, what planet have you been living on up to recently. Here are some Linux systems sophisticated enough for even your Mom to find interesting.
http://www.youtube.com/watch?v=Yx9FgLr9oTk
http://www.youtube.com/watch?v=Cz_2vKq5cZk&
http://www.youtube.com/watch?v=JQgPt0NsPJ4
"if you have something that by its very nature...is very complex with many roles and the way you configure it...then you need open source to have many instances of it because no one will be able to do an independent implementation of it"
They speak a different language out there in Redmond, microspeak, where 'open source' and publically documented standards mean the exact opposite.
"Doing that general purpose operating system is a nightmare, and you lose your shirt on it," Smith explains. "At the end of the day, you have to do something that puts rice in the bowl", Jordan Smith Xandros
It isn't about the desktop, it never was, it was always about getting control of the customer experience. The battle for the desktop was fought and won, by Microsoft, a long time ago. MS, always late to the party, recognizes this, which is why it is moving to services based round the xbox and 'the cloud'. They realize that if you don't control the total stack, from the desktop to the server, then you're just the delivery people. Which is why Apple making money out of the iTunes on Windows is total anathema at Redmond. How dare Apple make a buck out of the Microsoft Desktop without paying the MS tax.
Digital Video Recorders, set-top boxes, subscription services and 'other tiny computing devices' will sell, but the real money is in subscription services. As long as the consumers are using your devices, else you're just the delivery people.
"The hacks are troubling in that they appear to have rendered useless supposedly sophisticated Defense Department tools and procedures designed to prevent such breaches. The department and its branches spend millions of dollars each year on pricey security and antivirus software and employ legions of experts to deploy and manage the tools"
No amount of tacked-on 'security' will secure 'webservers'. What is needed is embedded hardware providing a secure VPN and PKI infrastructure. That way you only have a single set of nodes to watch instead of multiple/differing Windows configurations. That way if a 'webservers' is vulnerable to an 'SQL injection attack', the hackers won't see it. Else you expend energy in futile solution such as above.
I hadn't heard the term before, and I do try and keep up. Are there any actual examples of 'pool overruns', in the public domain, that can be successfully run on OS X and Linux
"Independent Security Evaluators has successfully exploited weaknesses in Windows, OS X and Linux. "I think they're trying to stay ahead of the curve"
“This simple check blocks the most common exploit technique for pool overruns,”
http://www.ditii.com/2009/05/28/microsoft-fortified-windows-7-kernel-with-safe-unlinking-overrun-buster/
Like, where and how did MS come out with a fix so quickly and why not design a MMU that isn't vulnerable to 'pool overruns' rather than havign to check for them, after the fact.
"It doesn't mean pool overruns are impossible to exploit, but it significantly increases the work for an attacker."
> Griffin writes that the "BNP website [was] taken offline in largest cyber attack in recorded history" .. The email .. claims that the assault originated from "eastern Europe and Russia" and was also directed against Clear Channel, a firm which reportedly provides billboard advertising to the BNP, as well as the party website.
I would have thought that the ex-commies would be pro-BNP as they would tend to undermine the current blair-bushite regime. Besides can we really believe him. A borked upgrade over the weekend being more likely.
I have personal knowledge of two such incidents. One was blamed on some fascist regime far-far-away. The other caused free long distance mobile calls for the entire weekend. They were both down to a flakey system, failed upgrades and incompetent staff.
This is good, now I would like the tab menu to disappear until I move the mouse to the left of the screen ..
-------
"I use tree style tabs, It changes the tab layout to a tree style (hence the name), very good for using loads of tabs on a widescreen monitor"
By Anonymous Coward Posted Saturday 16th May 2009 06:59 GMT
I don't use tabs because I like a clean uncluttered interface. Currently I have FF open, at the top I have three 'bars', the title bar, displaying the name of the current web site (TheRegister), second bar contains the menus, File, Edit etc, the third contains the URL address bar and the back/forward buttons. At the bottom is a status line that says 'Done' and has the noscript menu tab. When I search, the 'Find' bar pops up above the status line.
All in all a bit of a waste of space. How about a single bar at the top containing the menu/address bar and a single status line at the bottom that duplicates as a search bar.
If you select 'new window' (ctrl N) any URLs clicked on become part of a group as if you selected new tab. A single item in the menu bar allows you to jump between tabbed groups. So you ctrl N, open a number of URLS, ctrl N again, click on a number of URLs and you now have to groups of tabbed files. A popdown menu on the top right allows you to jump between groups. The status line at the bottom indicated the number of groups, instead of cluttering up the screen with multiple tabs.
"The Safe C Library provides bound checking memory and string functions per ISO/IEC TR24731. These functions are alternative functions to the existing Standard C Library"
See safe_lib.h .. of Dr. Dobbs Feb 2009
http://www.ddj.com/cpp/214502214
This reminds me of when Microsoft patented SUDO ..
http://taint.org/2004/08/20/024522a.html
"SCOPE .. was scrapped last year for undisclosed reasons"
Conflicker Worm Invades Hospital Instruments
http://crackerboy.us/2009/04/30/conflicker-worm-invades-hospital-instruments/
"Various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield turned to be down under Conflicker’s attack"
http://downadups.wordpress.com/
"ATM virus that steals money from banks"
http://www.zeenews.com/news518262.html
Create a network of VPN nodes with multiple redundan routes, that utilize end-to-end encryption and authentication and connect your 'computers' to that. Now don't tell how/why it can't be done, tell me how it can be !
"when hackers took control of Federal Aviation Administration computers in Alaska. By exploiting the administration's interconnected networks"
"Two separate attacks in 2006 hit the FAA's remote maintenance monitoring system and its air traffic control systems. The latter forced the FAA to shut down a portion of ATC systems in Alaska"
"The report went on to fault the FAA for employing woefully inadequate IDS, or intrusion detection systems. .. none of the IDS sensors monitor mission critical ATC operation systems"
"One would think that a setup like this would run up its generators every few days to check all was well with the engine, alternator and transformers etc. and note if the damn thing works properly", rhydian
One would be more accurate to speculate that the maintenece was outsourced to a company that hired another company that outsourced to another company that hired on cheap east european contract labor. At least that's the way they do it round here.
"I have no idea why a software company would buy a hardware company. We don't want to buy any hardware companies,"
Because they get to control the total stack. A good move for the new Sun division would be to partner with media and telecoms companies and sell a total solution for the next wave of online rich content. Sell the server hardware and software to the content providers and sell a high end multimedia computer to the consumer for the living room. They would make their money back on subscriptions.
"A set of recently discovered security holes in Mac and Linux platforms reminds those over-confident in their superior protection that no one is immune to vulnerabilities"
The flaw does seem to be have already addressed (at least since 1999) and relies giving USER write access to /dev/mem. And is specifically referred to in comments in the paper.
"only root has acces to /dev/mem ?", Sep 1999
http://lkml.indiana.edu/hypermail/linux/kernel/9909.1/1016.html
"If this option is disabled you allow userspace (root) access to all of memory, including kernel and userspace memory"
http://www.dtors.org/papers/malicious-code-injection-via-dev-mem.pdf
"I'm having difficulty dumping the memory from a Ubuntu 6.10 PC. When I try and run it (yes both using sudo and as root) I get: dd: reading '/dev/mem': Operation not permitted"
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1453
"Unsurprisingly, we are one of the 83% that will be going straight to Windows 7", Ash Chapman
"A poll of 1,100 Windows customers has found 84 per cent won't be adopting the successor to Windows Vista during the next twelve months"
Ash: what did you see. I read it as saying 84% won't be going straight to Windows 7 ..
'Steven Martin leaked details about the project last week, and complained about being “disappointed by the lack of openness in the development of the Cloud Manifesto”'
If the doc wasn't open, then how did Steven Martin get hold of a copy. And the writers do say this:
"is meant to start a conversation around standards and help clients ask the right questions about cloud interoperability. This document is not a contract with vendors or a position on what standards should be'
Now that the document is out; ather than attack the manner of it's aetology, what exactly does Steven Martin have to say about the contents. .
'self-confessed UFO evidence hunter turned US military hacker son over to the US'
For the umpteemed time, he logged in to Windows NT computers that all used the same passwordless admin account and installed a remote desktop application and sent msgs to the supervisors screen via wordpad ..
http://www.guardian.co.uk/weekend/story/0,,1523143,00.html
http://news.zdnet.co.uk/security/0,1000000189,39208862,00.htm
http://www.guardian.co.uk/weekend/story/0,,1523143,00.html
"I for one can't see why they should be obliged to ignore IP violation (if that is genuinely what has occurred here) simply because the other party *chose* to use Linux", anonymous coward
Tom Tom uses third party and GPL software in its products. Neither of which are owned by Microsoft. Therefore it owes nothing, nada, zilch to Redmond ..
Hey, I hate M$ as much as the next guy but come on.", Anonymous Coward
I don't understand how someone can hate a company. It's just a device for converting base matter into shiny objects .. :)
"Tom Tom is using an M$ patent that they have not licensed. What does this have to do with open source or linux?", Anonymous Coward
Tom Tom isn't using a M$ patent, Tom Tom is using third party and GPL software. The real question is what does an old long-file-names-for-fat patent got to do with Open Source. And since neither Tom Tom, the third party company or the Linux kernel team would have ever read this M$ patent, what has Microsoft got to do with Open Source.
"And since when was Tom Tom distributing linux anyway? If they didn't want to use a proprietary filesystem, they should have used a non-proprietary filesystem", Anonymous Coward
They used a mixed Linux kernel third party solution. Redmond is appariently upset that peopel are selling GPS devices without paying them for the 'innovation'.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
