The Register

Posts by Keith Langmead

64 posts • joined Thursday 8th March 2007 21:44 GMT

Keith Langmead

Re: I don't want to work harder.

Personally I'm very glad I rarely end up doing desktop support these days, since I'm mainly server orientated, but I feel really sorry for the poor buggers who'll have to support this! Effectively we now have two completely different Windows UIs to learn, since some users will be using Metro entirely, while others will be breaking out (well, as much as is possible) to the proper Windows desktop, and we'll need to be able to cater for both groups!

I can't help thinking Kevin Turner's never actually MET a real life user. They're going to hate it, it's going to confuse the hell out of them just when they've finally got used to things like the start bar. Geeks might put up with it, learn to use it etc, users won't. They'll moan, complain, and refuse to use it, and that will give IT Support even more of a headache.

At least with 7 they had the geeks on side, liking the new features and willing to pass on the new benefits to their users, with this, not so much. When asked by users why they need the new version, there'll be less "let me show you the features that will make things easier for you", and more "I dunno, I think it's shit as well but we've been told to upgrade you".

I'm really disappointed by 8, which is a shame since with the new virtualisation tech built into it I was really looking forward to it coming out. Now... not so much.

Keith Langmead

Re: Education does not equate to Knowledge

Part of the problem to my mind is that this seems to be seen as an either/or option. Personally I'd prefer not to see either side making policy without the input of the other side. At the end of the day it's government's job to set policy, BUT they should always at least consult those in the know before doing so. There's simply no excuse for setting a policy that fails when the relevant people could have predicted it if they'd simply been asked, but there are occasions where other issues might outweigh the science.

For me I think the key would be having greater transparency in the whole process. Ministers should be able to choose which advice they heed and which they ignore, but where they choose to ignore it they should have good overriding reason for doing so, and that reasoning should be documented publicly. If they know that their decision to ignore scientific advice and their reasons behind it are documented and able to be made public, it might help focus their minds to ensure they really do have good reason to decide one way or the other, and aren't simply trying to appease the Daily Mail reading voters.

Keith Langmead

I agree, I think the biggest issue, and unfortunately it's where the majority of the general public encounter science debate, is on those TV programs which feel a need for a balanced opinion on topics where there is little dissent from the mainstream scientific community. You end up with Prof Jo Bloggs who's worked exclusively in the field for the last 30/40 years having to justify his findings against the views of some random oik they pulled off the street. You end up in a situation where if random oik is better at communicating / hyping up his/her own views then they end up trumping the far more qualified expert, regardless of the validity of their argument. And unfortunately as we're well aware, for many boffins and geeks public speaking in simple language isn't something that comes naturally (major generalisation I know).

If they can't find someone of at least reasonably similar standing in that field to argue against the prof then they should either not bother aiming for balance, or be far more careful how they tread.

Keith Langmead

don't think that's quite right

Close but no. Time broke because she failed to kill the Teselecta with the Doctor inside, she just didn't know that it wasn't the Doctor standing in front of her. That was the true fixed point in time, not the actual Doctor's death, but obviously no one else knew that. Therefore her kissing the Teselecta at the end restored time to normal. I agree with the rest of it being a bit muddled though. I have to assume Ian Harrison didn't bother actually watching (or paying attention to) the end of the episode.

Keith Langmead

Yes, hibernation has been around for a long time, but the problem these days is that as powerful computers get more and more memory in them, that means more and more data that needs dumping to disk every time. Hibernating an 8GB computer takes quite a long time.

OK, so this isn't revolutionary, but to my mind it is smart evolution. If you can't fix all the problems in one hit, at least fix some of the little things that you can control.

Keith Langmead

Re: Nominet

Yeah, they changed all that years ago. From memory I believe registrars are no longer allowed to withhold making changes to a domain for any reason. In any case, if you do have issues getting a domain transferred to another registrar you can simply go direct to Nominet, pay them £10 (again going from memory) and they'll do it direct without involving the troublesome registrar.

Keith Langmead

One size doesn't fit all

When I first read this my first thought was that Mozilla were shooting themselves in the foot, but the more I think about it the more I've come to the conclusion that it's not such a big deal. The key is that one size rarely fits all successfully.

In a corporate environment the key requirements are stability and reliability. You want to know that everything will just work; whizzy new features are all well and good, but since the development / testing cycles take so long it's unlikely any internal apps etc will need the latest and greatest features in the short term. An admin wants control over what users are doing and how they do it, and the certainty that things will work as expected, so they don't end up with those on high yelling at them because something hasn't behaved as expected. I agree with the comments about "apps should be standards compliant and just work", but in the real world that simply can't be relied upon. Telling the MD that staff can't do their work because the developer didn't follow the correct standards and it's not your fault won't wash.

In a home environment on the other hand most people are more tolerant of stability issues (I know I certainly am), but they want to be able to use the latest and greatest apps etc. Facebook games, streaming videos etc are important at home, not in the work place, so rapid deployment of the latest features is important to them. The raft of add-ons available in Firefox can be great for a home user, but again is a pain for an IT admin.

So, while I wonder if Mozilla are being short-sighted in ignoring Enterprise environments, if their aim is to target a specific niche (eg home users) then in that respect this is probably the best way to do it, since MS clearly aren't aiming their efforts in that direction.

Keith Langmead

A little knowledge can be a dangerous thing

Many years ago whilst at Uni I was the main sysadmin for the SU's computing society (TermiSoc for those in the know), which had three Linux servers of our very own, stored in the basement of one of the Uni buildings.

There were a few other guys who also had root access, one of whom was very interested in security and spent a lot of time attempting to hack into and then improve our systems.

Now this guy had been reading about the risks of files being owned by root and having execute permission within user accessible folders. He started searching through the filesystem, and discovered that within each user's folder there was a . and .. folder with the permissions he'd been looking out for. Now while the exact details are a little fuzzy (it was at least 12 years ago) I know our ever diligent security geek decided to fix this issue. He proceeded to change the permissions on both folders to prevent executing by normal users.

Shortly afterwards he started hearing people in the lab comment that they could no longer log in. Of course removing that permission prevents a user from traversing back through the folder structure, and the login process is unable to traverse to the home directory and /etc directories. The only user able to log in was root, but we'd already restricted that so remote connections were only allowed by normal users, who could then su to root, so we had no remote access whatsoever.

Myself and another sysadmin friend, with resident security geek in tow, had to get someone to let us into the basement so we could get console access to the machine and fix the glitch. A fun day, but I think everyone learnt a valuable lesson, and of course the story continues to be recounted occasionally to this day!

Keith Langmead

I think you overestimate normal users

While that might be true for techies, I don't think it is for normal users. As far as they are concerned, they have a computer and it runs Windows. If there is a problem then it's Windows that has crashed, Windows that has lost their work, Windows that is performing slowly. They don't know or care about the rest of it, and most don't even realise that there are differences in quality and performance between seemingly identical components. If a user buys a crappy PC made from really cheap components, they won't blame the computer's hardware when things go wrong, they'll blame Windows, and for that reason I completely understand why MS are going down this path.

Now what they haven't said (at least in this article) is if retail / upgrade copies of Windows 8 will no longer be available. As long as they are then I don't see an issue. Techies wanting to build their own spec computer still can, and will have the knowledge to know that issues could be either hardware or software. Normal users buying branded computers will be assured that the computer they buy is properly built and designed to run that version (rather than it simply being shoehorned on like many previous versions have been on old kit), and it will hopefully then be more stable. Of course it might not work, but either way, whether it's a hardware or software problem a user experiences they will blame Windows by default, so MS have little to lose in trying to reduce the number of hardware issues tainting their reputation.

Keith Langmead

What about how people ACTUALLY read?

Completely agree, he also seems to miss the fact that many people use PDFs as a way to send an electronic document in a fixed form, eg a quote, invoice, contract etc, so you can be reasonably sure that it hasn't been altered (yes I know there are ways to do it, but most users wouldn't know them). In terms of portrait / landscape I can kind of see where he's coming from, however I think he's missing how people actually read. A column of text is far easier to read and scan through than a wide long line of text, that's why after all many documents in A4 portrait have two columns.

Keith Langmead

Yeah that's what I thought

There may have been more recent updates, but a quick search shows that back in March 2010 the EU demanded that Google delete the unblurred images after 6 months. At the time Google said their policy was to delete them after 12 months. Either way, if this happened (and was photographed) in June 2009, the unblurred pics should have been long gone by November 2010 when this was apparently first raised with Google.

So my guess would be that either a) Google are taking the piss, knowing full well they don't have them any more, or b) if it's possible to recover the data from backups, they want a proper court order (which possibly then allows them to recover the costs), before they make any efforts to recover the image from backup since it's unlikely to be a quick and easy job considering the mass of data they have.

Keith Langmead

Understanding of Named Instances

"Named instances provide complete database isolation while allowing consolidation onto the same server. But it is a bitch for back-ups. Each instance must be maintained separately from the other instances on that server"

Have you missed the point of named instances entirely? Of course you have to maintain them separately, that's the whole point! Each instance isn't just an isolated session of a single installation of SQL, it's a completely separate installation of SQL. You could have multiple identical instances, or you could have each of them running with a different version, 7, 2000, 2005, 2008, or even different service packs. Server\Instance1 and Server\Instance2 are in no way shape or form connected to one another, other than they both reside on the same server, and as such have to be treated, backed up and patched accordingly.

I'd be concerned about anyone happy to just roll out a patch / service pack to multiple instances at the same time in a production environment, rather than properly installing and testing them individually.

Keith Langmead

@Hugh McIntyre

Not sure I follow your logic here. Signing DNS and SSL certificates are two completely different things, and serve completely different purposes.

DNSSEC confirms that the IP address returned when you make a DNS request is the correct one.

SSL confirms that the website you reach is the real one, eg the https://secure.foo.com you see really does belong to Foo Corporation, and not Mr B H Hacker who's set up the site on his server and tricked your computer to go to him instead of the real one. It provides authenticity by ensuring that if you want to purchase an SSL certificate for Foo Ltd, you can prove that you really are Foo Ltd (there's quite a few checks done, especially if you're a Ltd or PLC company, hence their justification for the high prices). And finally, and perhaps most importantly, it allows you and the server you're connecting to to establish a secure tunnel down which all the communications are sent, thus protecting you from anyone sniffing your connection.

What SSL doesn't do is care about what IP address the site is on. As long as you have the certificate information you can install it on any server at any address. So the two don't cross over at all; to my mind they complement each other, improving the overall security for viewing normal websites, and improving yet further the security of secure websites.

Keith Langmead

Re: Daniel Bennett & Pierre (and a couple of others)

Thanks guys, I was beginning to lose hope of intelligence anywhere in this thread!

Completely agree with the points made about the documents not being editable, however everyone seems to have missed another major reason for not allowing word docs.

When transferring a Word document from one machine to another you cannot be certain how it will render. Depending on how the original machine is configured, how the viewing machine is configured, which fonts are loaded on each, the default paper sizes, borders etc, will make a difference to how the document looks on the viewing machine. Assuming at least some of the marks for this work are for presentation, how can the examiner be certain that what they are seeing on their screen is what the student intended to present? If the student creates a document which is well laid out and presented, but it doesn't render properly on the examiner's machine, should that student be marked down for it?

One of the main benefits of PDF (other than the difficulty of altering it) is that it always renders the same on all machines, so you can be certain that if it looks correct on your machine when you create it, it will still look the same when it is marked.

Keith Langmead

So where is it?

OK, am I missing something here? Where is the actual consultation? The NDS page doesn't show a link, and neither does the DfT page. Of course I'm assuming there is more to it than what's listed on those two pages, and some way to actually submit feedback on-line rather than having to resort to... *shudder* hard copy!

Keith Langmead

E90 competitor that doesn't compete

I would think the only people who'd want this are those who want an E90 on the cheap! It looks like they've taken the basic form factor, and then removed all the good points from it.

Smaller screen and lower res as already mentioned aside, having the phone only able to open to an angle is going to be annoying for anyone wanting to use it when it is in their hands rather than on a desk, and it seems like they've gone back to the old communicator style! One of the best things with the E90 is being able to use it at an angle on a desk, but also to open it completely when in your hands, which makes it so much easier to see the screen while typing.

This is a phone without a market. At the top end people will pay the extra for the quality of an actual E90, and at the low end, there are better, cheaper and more functional smart phones already out there which do the same things better.

Keith Langmead

Multiple fixes in one update!

Sorry but WTF! You have a vulnerability which is being actively exploited, so you issue a patch which fixes not only that but four other issues as well!

Why? As a Windows admin that would give me serious concern! Taking the DNS patches on their own, I can assess the risk of being attacked against the risk of something breaking, but add in additional patches and you increase the chances of something breaking, which only encourages admins to do more testing, rather than getting a critical fix rolled out asap.

This should have been issued on its own, with perhaps the other updates issued as a separate update... or do Macs not have a decent Windows Update / WSUS / SMS capability to help manage this properly?

Keith Langmead

Software distribution

"So just how are the software distribution (well the team they pass it off on to anyway) team actually meant to push patches out to the desktops?

considering S.W.D cant do it between 7am and 7pm due to stupid rules already put in place by them?"

Well, any half clueful server admin would already have this kind of thing centralised and automated. Ever heard of WSUS, SUS & BITS? Updates can be downloaded to the PC during working hours without causing disruption (thanks to BITS), and then if the office shuts at 19:00 you can either set all machines to shut down at say 19:30, while telling your Windows Update GPO to install updates and then shut down at 19:00 (so they either shut down as a result of an update, or where none are required it rolls over to the timed shutdown).

Any users complaining that they're "in the middle of something" can simply hibernate their machines at the end of the day before they are forcibly shut down, to maintain the previous day's state.

Keith Langmead

@Thomas

"On the contrary, at least here in the England & Wales, barristers are not allowed to knowingly mislead a court"

That's right. A friend of mine who is a barrister explained it to me when I asked him the difference between him and a solicitor when it comes to trials. Essentially, as I understand it, if you're taken to court you get yourself a solicitor and can tell them everything, including that you are guilty. Now I'm not certain about where the split goes, but a lot of the evidence gathering is done by the solicitor, who obviously knows the truth, and this is then passed to your barrister to build a case for your defence, with them always assuming your innocence. This way the solicitor can make sure (while knowing your possible guilt) that they have covered the angles which may come up in the trial against you, without the barrister knowingly lying to the judge/jury.

Keith Langmead

javascript & html

Wow, it's impressive to see how many people clearly have no idea how or what SQL injection is or how it works!

Re: the comments about javascript & html being stored in text fields not being true SQL injection, what exactly do you suggest it is?

As anyone who has read up on the methods used recently to do these attacks can confirm, the method used involving cast() means that the web server has no way to know what the data is trying to do. Unless your app checks the data being passed through it, and rejects anything that falls outside of the expected norm, it will simply pass the data to SQL for it to work out.

The basic query format tends to be /foo.asp?bar=1;declare @s varchar(4000);set @s=CAST(0x1234..<loads more hex>..6789 as varchar(4000));exec(@s);--

though obviously with the spaces escaped out with %20s. In the version I've seen a lot of recently, that code, if it manages to get to SQL Server, will get it to run through every single varchar field in the current database, and append an HTML link to a malicious JScript file into each record. That's because the cast statement (which is run by SQL, not the web server) converts the innocent looking string of hex into ASCII, at which point it turns out to be a lovely malicious block of T-SQL code.

For anyone wondering if they are being probed, I'd definitely recommend grepping your web server logs for '=CAST(' without the quotes and seeing what you can find.
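A log scanner in the spirit of the grep tip above, added here as an example (not the commenter's own code or tool). It goes a step further than grep: it URL-decodes each request, matches CAST( in any case or spacing, and decodes the hex blob so an analyst can read what a probe was trying to run. The log lines, IP addresses and the decoded placeholder text are all constructed.

```python
"""Scan web server access logs for the CAST()-hex SQL injection pattern.

Added example, not from the original post. Log lines, client addresses and
the text hidden in the hex blobs below are constructed for the demo.
"""
import re
from urllib.parse import unquote

# Constructed stand-ins for the T-SQL a real probe hides inside the hex.
# Real probes carry a script that walks the database's text columns; these
# placeholders keep the example harmless while still exercising the decoder.
PLACEHOLDER_SQL = "-- placeholder: decoded T-SQL would appear here --"
PLACEHOLDER_NSQL = "-- placeholder: nvarchar variant (UTF-16LE) --"

# Constructed Apache-style access log. Line 2 mirrors the request shape
# quoted in the post (spaces sent as %20); line 4 is an nvarchar variant,
# whose hex decodes to UTF-16LE rather than single-byte text.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Jan/2008:10:22:01 +0000] '
    '"GET /foo.asp?bar=1 HTTP/1.1" 200 1532\n'
    '203.0.113.77 - - [10/Jan/2008:10:22:09 +0000] '
    '"GET /foo.asp?bar=1;declare%20@s%20varchar(4000);set%20@s=CAST(0x'
    + PLACEHOLDER_SQL.encode("ascii").hex()
    + '%20as%20varchar(4000));exec(@s);-- HTTP/1.1" 500 412\n'
    '198.51.100.9 - - [10/Jan/2008:10:23:41 +0000] '
    '"GET /products.asp?id=42 HTTP/1.1" 200 8811\n'
    '203.0.113.77 - - [10/Jan/2008:10:25:30 +0000] '
    '"GET /foo.asp?bar=1;declare%20@s%20nvarchar(4000);set%20@s=cast%20(0x'
    + PLACEHOLDER_NSQL.encode("utf-16-le").hex()
    + '%20as%20nvarchar(4000));exec(@s);-- HTTP/1.1" 500 412\n'
)

# client IP, then the request target of a GET/POST line (combined log format)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/')
# CAST(0x...) in any case, tolerating whitespace the attacker may insert
CAST_RE = re.compile(r'cast\s*\(\s*0x([0-9a-f]+)', re.IGNORECASE)


def decode_hex_payload(hexstr: str) -> str:
    """Turn the hex literal from CAST(0x... ) back into readable text."""
    if len(hexstr) % 2:
        # SQL Server left-pads odd-length binary literals; do the same.
        hexstr = "0" + hexstr
    raw = bytes.fromhex(hexstr)
    # nvarchar payloads are UTF-16LE: every second byte of ASCII text is NUL.
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def scan_log(text: str) -> list:
    """Return one hit per request containing a CAST(0x...) blob.

    Each hit holds the client address, the URL-decoded request and the
    decoded text of every hex blob found in it.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, request = m.group(1), unquote(m.group(2))
        blobs = CAST_RE.findall(request)
        if blobs:
            hits.append({
                "client": client,
                "request": request,
                "payloads": [decode_hex_payload(h) for h in blobs],
            })
    return hits


if __name__ == "__main__":
    import sys
    # Pass a real access log path to scan it; with no argument use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    for hit in scan_log(text):
        print(f"{hit['client']}  {hit['request'][:70]}")
        for payload in hit["payloads"]:
            print("    decoded:", payload)
```

Matching after URL-decoding matters because a probe sent as `cast%20(` or `CaSt(` slips past a literal grep for `=CAST(`.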

Keith Langmead

splitting the wealth

All those who have commented that they hope it'll be awarded to EDS seem to have missed:

"The five will then 'compete in a series of mini-competitions to win specific contracts for the various projects.' "

So the entire project is being carved up and in theory all 5 could end up working on it.

Now considering the previous record with this kind of thing, does anyone REALLY believe it'll be a genuine contest? Maybe I'm paranoid but I have visions of someone from each of the five companies meeting for a coffee to decide how to split it up between them, therefore minimising the amount of profit they'd need to shave off the quote to get the work... but of course that could never happen now could it!

Keith Langmead

Christians believe...

Well Mr MacKellar certainly isn't shy about trying to tar everyone else with the same brush now is he!

"Christians believe"... "Christians accept"... "This is a crucial Christian belief"

Really! I don't ever remember anyone asking my opinion, and I imagine there are plenty of other Christians out there who feel the same as me.

Mr MacKellar, unless you can provide documentary proof showing the majority of Christians agree with you, please don't try dragging the rest of us down into this!

Keith Langmead

Detecting motorcycles

My biggest worry with the radar system is whether it properly detects motorcycles as well as cars. If it doesn't detect people, then is it likely to detect a bike, which is a similar width when seen front on? I've had enough problems in the past with the detection strips in the road not detecting my bike (an R6, so not exactly small) that I can imagine the radar not spotting me either.

It's bad enough with many car drivers not thinking about their blind spots to consider if there is a bike there, but with this system they're more likely to assume that there's nothing in their blind spot because the system says so, and go ahead and pull out regardless.

That said, personally when passing cars on the motorway etc I always work on the assumption that the driver won't check their blind spot anyway, which limits the danger this system poses!

Keith Langmead

Getting old sites to work in IE

Surely that's simple enough, MS just need to add a function into IE to allow the user to specify a different user agent, and set it to Opera / Firefox! Then any IE specific code in a webpage won't be run, and history will come full circle! :-)

Keith Langmead

@Hans, Ian and Solomon

@ Hans Mustermann

Try reading the actual article! It doesn't say that WoW users are the ones who are having their credit card details stolen, it's saying that stolen credit cards (from anywhere) are being used to pay for WoW subscriptions.

@ Ian

"So what do Halifax do? They stop stolen card payments to Blizzard. What would any sensible company do?

GET BLIZZARD TO REPORT THE FUCKING FRAUDULENT TRANSACTIONS AND THE IP ADDRESS TO THE POLICE SO THEY CAN FUCKING SUBPOENA THE ISP FOR THE PHYSICAL ADDRESS ASSIGNED TO THAT IP WHEN THE CREDIT CARD THIEF CONNECTS TO THE SODDING GAME!"

OK, let's have a reality check shall we? 1) Halifax have direct control over which transactions are and are not paid out. 2) Halifax do NOT have control of Blizzard's servers, so rely on contacting them in each case to get the information that's required. 3) Hiding your IP address is relatively simple these days, so getting the IP address that the fraudster connects from doesn't ensure they can track it to the actual criminal. 4) Every one of these fraudulent transactions gets paid for by Halifax, since the end user claims it back. 5) I dread to think how much money it would cost them in man power and legal fees to track down and prosecute every single fraudster individually.

@ Solomon

"If the bank has seen fit to issue me with a card, then they should leave me and my purchases alone. I review my statement each month and if something is wrong I can invoke my buyer protection privileges and the charge will be refunded."

So what you're basically saying is that you want to have your cake and eat it!?! You don't want the bank to stop transactions they feel are dodgy when they are made, yet you expect them to pick up the tab and clear the charge from your card when you find out that they were fraudulent?

I'm certainly not a big fan of many banks, but in this case I have to agree with their actions.

Keith Langmead

@Highlander

Couldn't agree more. The first thing that went through my head on reading this was that at least it's given them a chance to properly test their procedures, in a way that I doubt they could realistically arrange to do otherwise (at least properly) due to the immense cost involved.

The question now is of course whether those in control take the opportunity to learn from this and make adjustments to their procedures, rather than just focus on pointing fingers and passing blame.

Keith Langmead

Bank fraud prevention department

While certainly terrible, I can't help but think that the actions of some banks' fraud prevention departments beat it hands down.

Don't know if it's all banks, but certainly if you're an HSBC client and they detect what they think is a fraudulent transaction on your credit card you get a phone call. Wonderful, except that firstly they withhold their phone number so you can't use caller ID to confirm who's calling, and secondly before they'll go into any details they expect you to provide your security information to confirm who you are! I mean really, you phoned me, you know who I am, but who the hell are you? Amusingly, if you mention this to them it seems to go right over their heads! Someone I know refused to give out his info until they proved who they were, suggesting that they confirm the value of the last transaction he'd made. They refused, so he declined to speak to them further.

Keith Langmead

Re: Here We Go Again...

"It really is about time that web-hosting organisations got their acts together and took the security of their clients seriously."

While I certainly agree that many organisations need to look a lot more seriously at how they control the security of their equipment and websites, I think it's somewhat heavy handed to just assume that the fault here was with the site's web hosting company.

From the limited information given about what happened here it sounds very similar to a large number of hacks which were done at the end of last year covering thousands of different web sites, pointing visitors towards malicious .js pages to install malware on their machines. In that case it was actually a SQL injection attack that caused the problem, and I wouldn't be surprised if the same was true here.

Now since in many cases (I'd even hazard to say most) the company that hosts the webserver is not the same as the one who designs and develops the website, perhaps you should be directing your annoyance at the developers who are not preventing the SQL injection, rather than the poor hosting guys who have no control over the website code running on their servers.

Keith Langmead

Honesty for once

"Bell says: "If two things happen at the same time, it doesn't mean one caused the other.""

While I'm sure most of us here already knew it, it's a nice change to see a scientist making this point for once, rather than sticking with the usual line that their conclusion must be fact.

Keith Langmead

But what about the hacking?

So the article starts off by saying that some people were trying to cheat by hacking the game, and then goes on to tell us about the game itself, but what about the hack itself? What did they do, did it work?

Dammit, you caught my interest then let me down by not providing the info I was expecting! Shame on you reg!

Keith Langmead

Helmet visors & map reading

Look forward to the day when I get something like this fitted in my helmet displaying on the visor!

Personally, yes, I'm perfectly able to read a map, but in reality that doesn't always help with some routes. It's fine when you're going somewhere near to a major junction, but when you're going somewhere in the middle of a large city it becomes a problem. There's no way I can memorise that many turns, junctions and roundabouts accurately, and of course map reading on a bike, even when stationary, is fiddly due to gloves and the map being in a bag! I tend to have a single headphone in my ear under my helmet, connected to my GPS enabled phone in my pocket so I can hear the directions as I ride, but it's far from ideal.

Keith Langmead

@Ken Hagan: @AC: @Daniel

I think you're missing the point. It's not that the malware author would get you to run both executables. The author produces both files, and then submits the clean file to the AV companies for them to check and add to their whitelist. Then if you get the bad file on your machine your AV software won't pick it up since it will register it as being the good one.

Keith Langmead

Multiple locations

I remember this happening a while ago as well when they lost all comms to one of their DCs, thus taking out their entire DNS infrastructure.

What amazed me then, and still amazes me now, is why they haven't bothered to locate their servers in different physical locations, and on different IP networks. For many small companies I could understand it, but come on, 123-reg is owned by Pipex, and they in turn own several other ISPs, who collectively must surely have more than one datacentre to hold their servers. Why the hell hasn't someone there split their core infrastructure servers across these sites to give them all some redundancy, especially following the first time they had problems like this (that I'm aware of) a couple of years ago.

Keith Langmead

Privacy & lazy admins

As a private individual, why the hell should I be forced to give out my personal contact details to every muppet on the internet who wants them? Apart from preventing a mass of spam, both electronic and postal, being able to hide my contact details in the WHOIS results of my .co.uk domains helps to prevent fraud. Surely no one here would be stupid enough to go posting their home address and phone number on a website forum somewhere, so why should WHOIS be any different.

For companies it's completely different. The registrant details generally point to a company's head office, probably listing the MD's or IT Manager's name, but there's no information there that you couldn't find just as easily by checking Companies House. You're not getting the home address and phone number of the MD. Besides, in the UK at least all companies are required to have their company contact details listed on their site(s), so listing them in WHOIS as well makes no difference.

In terms of tracking down dodgy sites, how does WHOIS actually help? Since the information submitted when the domain is registered is never authenticated by the registrar or registry, there's no way to be sure that it is genuine. There's nothing to stop me from registering a domain name with bogus details, hell, if I registered micro5oft.com, and set the registered address as a certain location in Redmond, would that somehow make it legitimately connected with MS?

It sounds to me as if all those people talking against this are just being lazy, and can't be bothered to use the correct tools for the job. If there's an issue with content coming from an IP which a domain points to, it's the ISP responsible for the IP that should be contacted, not the domain owner. In many cases where you're dealing with small companies, contacting the registrant direct would be pointless, especially for something like suspicious network activity, as they wouldn't know what you are talking about. All that would happen is that they would then need to pass on the message to their ISP to deal with, thus taking more time to resolve the issue than if you'd just gone straight to the ISP in the first place.

ICANN should adopt the same method as Nominet, plain and simple. (And while they're at it they should switch to Nominet's method of IPSTAGs, which makes far more sense than the alternatives, which require all kinds of domain locks to keep secure!)

Keith Langmead

@Daniel + many others

"but a man DIED because his attorneys were 20 minutes over the deadline"

No, he died because 1) he was convicted of murder, and 2) he was sentenced to death.

At no point in the story did it mention the appeal being against the death penalty itself; it states that the lawyers were appealing the method which was to be used, i.e. lethal injection. So unless the story is wrong, whatever happened he was a dead man. At most the appeal would have bought him a little more time, perhaps while the state dusted off the electric chair.

Keith Langmead

Re: So who *can* read these records?

If you read through the article you'll notice that they didn't so much say that no one could read the files, rather that the woman's mother couldn't. Since consent was sought from the woman's husband as her next of kin, it surely follows that he could have access to them if requested, but for whatever reason he chose not to approve giving permission for his mother-in-law to see them.

Surely an easier option would have been for them to define the ruling as saying that the rights of the patient transfer to the next of kin, which I would have thought would make the ruling more specific to the case, rather than a catch-all ruling which could affect other areas as well.

Keith Langmead

Writing down passwords

What amazes me is that the author of this article at Kablenet obviously hasn't actually read the actual document themselves!

"The ICO urges students never to disclose or write down personal passwords or PINs"

It says not to disclose the information, but nowhere in their document does it say anything about not writing them down. At least I couldn't find anything after looking through it twice!

In fact as several security people have said in recent times, with the primary security risks being on-line, writing down information like passwords is a good idea. That's because it allows you to have different passwords that are good for everything you do, rather than either lots of simple ones you can remember which are easy to guess / crack, or one good one which you use for everything.

I'm surprised the document doesn't include tips on good password use, suggestions for storing them, e.g. not storing website address, username and password together clearly, or storing your PIN within another longer number like a made-up phone number, so in the unlikely event of someone gaining physical access to the information it's not easy for them. Perhaps even suggesting PGP or similar, though perhaps that's a bit too beyond the scope of the document.

Keith Langmead

Gradual establishment of Apache?

How can you possibly include Apache in the list of Linux apps which have "established" their position in the last decade? It is and has been well established for well over a decade!

In terms of web servers, if you check Netcraft's figures (http://news.netcraft.com/archives/web_server_survey.html), which are obviously based on real world data, not just who bought what from a few suppliers, you can see that Apache has in fact dominated the web server market since around 1996, maintaining around 60% of the market for most of that time.

OK, so from their stats Apache does seem to be having another dip, and IIS is rising again since last year, but it's still got a way to go before we see IIS taking the top spot.

Keith Langmead

@ A J Stiles

"So, then, how come Microsoft IIS, which runs less than 1/4 of all the world's web sites, gets about 20 times more exploits than Apache, which runs over 2/3 of all the world's web sites? That certainly isn't because IIS is the most widely used web server."

What you fail to consider is what proportion of the world's servers which are maintained by untrained staff, with little or no knowledge of security, patching or good practices, run on Windows vs Linux. If I was to make a bet, I'd say that the vast majority of people maintaining a server without the required knowledge will be doing so with Windows, therefore that alone makes Windows a better target for the bad guys. After all, logically doesn't it make sense to target those users / servers which are most likely to have not been properly secured?

I'll admit to not being up to date on the number of Apache exploits out recently, but I do know that there have been very few for IIS in ages. Most patches for some time now have been primarily relevant to client usage, not server. I can only think of a few patches this entire year which have actually been a risk to a properly maintained IIS server.

Keith Langmead

Internal audit?

"The officer falsely claimed not to be running Winny in an internal audit prior to the leak."

What kind of internal audit are they running there? He "claimed" not to be running the software! Surely they should have actually checked, rather than just asked. Sounds a nice and easy audit to me: gather everyone into a room, "Right, raise your hand if you're running anything you shouldn't be on your work computer"... "No one? Fantastic, that's the audit for this year done."

Keith Langmead

Lack of updates from MS

Well I'm glad I held off approving the updates for a couple of days!

What worries me the most is that with all the Microsoft security mailing lists and RSS feeds to keep people like us up to date, I heard about this first on The Reg! I've checked through my e-mails and RSS feed items and there doesn't seem to be anything from them alerting users to potential problems (perhaps they sent alerts via a list I haven't managed to find yet!).

Out of interest, what mailing lists / feeds / whatever do people use these days to keep up to date with issues like this? ntbugtraq used to be my favourite but that seems to have gone to the wall, as I haven't seen anything from there in ages.

Keith Langmead

Custom handler

I agree with Nick, how is this supposed to be an MS problem? IE receives a request which needs to be handled by a 3rd party app, it doesn't understand it, can't do anything with it (and obviously isn't vulnerable from it), so passes it on to the app which can process it.

It's all very well saying that IE should block it, but imagine the outcry there would be if IE started blocking all requests to 3rd party apps which it didn't know how to handle! People would then complain that MS was stopping 3rd parties from developing new things since they'd be beholden on MS to update IE to understand their new tech. It's a no win situation for them.

Looking at it slightly differently, what would happen if there was a bug in a 3rd party app which wasn't a browser? Say Adobe Acrobat had a vulnerability relating to opening online PDF's? IE doesn't know about the internals of a pdf, it just knows that they should be passed to Acrobat. Should it block the request because it doesn't understand it, or should the onus be on Acrobat to make any required checks when it is passed the file to open?

Keith Langmead

What about the web server software?

Good to see one of their server admins had a sense of humour! :-)

Though if they're going to fake the platform they're running on, why not also fake the server software response as well! Maybe they should report themselves as running an early version of NetSite. Of course maybe they already have faked it, and their servers are actually running IIS!

Keith Langmead

Voting choice

"There is a good reason that we elect people to parliament - the general public, by definition, can't understand all the finer points of every potential government policy, that is why we vote based on the general policies of a party. (I for one don't understand the finer points of European Macro economics, but I believe that the party I choose to support does.)"

Go back say 20 years and I'd agree with this sentiment, but these days what real choice is there? 20 years ago there were clear differences between the top 3/4 parties, you had real choices between the conservatives on the right, labour on the left, libdems/liberals/sdlp around the middle, their views were clearly different and you could pick the party which met those views the closest. These days where is the difference? They all have very similar policies which don't really set them apart, and from history you can see they rarely stick with those policies once in power. Hell just think of labour, for years the supposed champion of the workers, connected with all the unions etc, once in power they suddenly become just like the conservatives!

I'm just disappointed we never seem to get a Raving Loony candidate in our constituency!

Keith Langmead

Why do they need to be TLDs?

What I don't understand is why it always seems to be assumed that all these new things need to be TLDs! Surely to be useful on a global scale, and useful for everyone to use, there should be some granularity to the domains.

I mean we already have the subsets of .uk which seem to work well, you can easily see that .co.uk is a company in the UK, .ac.uk is an academic organisation in the UK etc.

As Aubry said, city domain names should sit underneath their respective ccTLDs, just like any other address, thus avoiding the obvious problems of multiple countries having cities with the same name. If people want domains for regions, cultures or languages then that's fine, but they don't all need their own TLD. Just create a few TLDs for them to sit under, say .region, .culture and .lang, then you can have as many subdomains within those as you like!

Keith Langmead

Simple solution

Switch all the other registries over to the Nominet system!

Maybe it's just me, but IMHO the Nominet method works SO much better than the others, most notably with domain transfers. Firstly, unlike the system with the gTLD domains like .com etc., where to transfer the domain the receiving registrar has to request the domain and then the holding one has to accept the transfer, use a Tag system, so the holding registrar passes the tag to the new registrar. That disposes of all the faff they've had to put in place with domain locks etc. to stop people poaching domains.

Secondly, allow the registrant to go direct to the registry when the registrar fails to act on a request to transfer the domain.

We've had loads of clients who have wanted to transfer domains to us, but have registered their domains with people unwilling or unable to action the request. With .uk's it's simple: just get them to go direct to Nominet, who will then (once due diligence checks have been made to confirm ownership) transfer the domain for them, circumventing the unresponsive registrar. Yes, they charge a fair amount for the privilege, but in a situation like that it's a small price to pay.

With gTLD domains there's little or no way to transfer the domain if the registrar fails to respond to the request. If you try contacting the registry you're simply told to contact the registrar (well duh! tried that already!) as the registry doesn't speak to registrants direct.

The upshot is that you can safely register a .uk domain name with any registrar, safe in the knowledge that if they turn out to be dodgy there is an escape route available. With any other domain name you had better have done your research beforehand, because if not you're screwed if they go under or just decide to prevent you from leaving.

Keith Langmead

Encryption & off-site storage

Well, there is encryption on tapes available out there, but considering how Backup Exec has only just gained that functionality in the most recent version, and NetBackup only got it a little while ago (not sure about other vendors but I think it's the same deal with them), it's unlikely they have it available on their setup unless they're very up to date with their software, which seems unlikely.

As for off-site tapes, I wouldn't make a sweeping statement that taking tapes home is always bad, but agree in this case it's ridiculous. For a small company it's a reasonable approach, since paying an off-site storage company may not be viable, so keeping tapes at home can provide a measure of security in case of disaster; hell, we've done it where I've worked before. But for a state to do it is just wrong. After all, it's not even like they have to pay for it! You can't tell me a state only has one site after all, in which case why aren't they simply storing their tapes at another one of their locations? Plenty of other multiple-location companies do it already, each site storing their tapes at another office in a different town/city. Nuke one location and the other still has the backup tapes to recover.

Keith Langmead

Where does it say they were listed as OEM?

While the article says that the drives were OEM, at no point does it state that they were sold as such. Yes if you take the chance of buying a cheaper OEM version of something then it's on your head to look after it, but in this case people were buying what they thought were standard branded drives, with their stated 5 year warranty.

Just because you decide to upgrade the HDD in your computer does not make you an OEM!

Keith Langmead

Re: Re: Impoverished West End theatre owners and producers???

Also consider the knock-on effect that theatres have on other industries: trains/planes/cars travelling there, restaurants providing food for the visitors, hotels providing accommodation, pubs providing refreshments, other attractions being visited during the people's visit... all of which bring money into the economy, and in turn generate taxes to feed back into the public coffers.

It's no different to the tourist trade in the south west! Everyone comes for the beaches, but they themselves don't generate any money at all. What they do have is a knock-on effect with all the other things which people do while visiting them, which help the economy thrive in that area during the summer months.

Keith Langmead

Re: There are other fluids...

Depends on the type of keyboard; with some of the old membrane keyboards used with some terminals, coffee just eats through the circuitry. One place I worked for a few months while I was at college had two incidents of people spilling coffee on their keyboards. The first one called support immediately, and I was able to simply wash it off under the tap, let it dry completely, and it worked perfectly. Unfortunately the second one was done on a Friday, and the user decided that since it still worked she wouldn't bother calling us. On Monday morning she discovered it no longer worked. By that time no amount of cleaning was going to help; it was already dead, and I had to tell her she'd have to get her line manager to approve a new one... being an old semi-intelligent terminal keyboard they cost a few hundred quid each!
