Latest posts of: f0dder
251  Main Area and Open Discussion / Living Room / Re: Gummiboot restructured to allow Linux to work on SecureBoot systems on: February 11, 2013, 10:48:14 AM
40hz: wrt. the bricking, shouldn't you blame Samsung? Or blame the linux kernel driver developer? I can fry my BIOS/UEFI by flashing it with garbage, who should I blame for that? :-)
Right, there's more information on the bug, seems like it's a (Samsung) UEFI firmware bug - so no blame on the Linux kernel developers smiley
252  Main Area and Open Discussion / General Software Discussion / Re: Samsung UEFI/Bricking Bug Update - It's not just Linux on: February 11, 2013, 10:46:24 AM
Mentioned here as well, but not very prominently - and it deserves its own topic anyway smiley

One has to wonder wtf Samsung have been smoking to get a firmware-bricking bug that (current guesses) seems to be caused by diagnostic logs that are within the official bounds.
253  Main Area and Open Discussion / General Software Discussion / Re: Windows Batchfile can't recognize long file name...!!!! on: February 11, 2013, 10:44:39 AM
If you need to use quote marks, it's possible you may also need to add a window "title", else Windows can get confused.
How quirky, never bumped into that.

Seems like the first quoted argument is taken as window title, even if preceded by any of the other options, and even if it's the full path to an executable. Quirky! (Also, only seems to take effect for console applications?)
254  Main Area and Open Discussion / General Software Discussion / Re: It's official - Linux Foundation Secure Boot System Released on: February 10, 2013, 05:43:28 PM
So, you're saying we can make up our own key and plug it in?  It can't be that simple, this would have been over by now...
Well, it isn't that simple - for a couple of reasons.

1) there's no guarantee that all UEFIs will provide key management; for Win8 cert it's only a requirement that SecureBoot can be turned off. (Or, well, see the somewhat muddy quote below).
2) there's no guarantee certification for future Windows versions will require this flexibility... although dropping it would probably result in antitrust, even if MS tries to pull a "it's up to the OEMs".
3) UEFI tooling (the bootloaders as well as all the signing stuff) is still very early days - and there's buggy UEFI implementations out there (*cough* Samsung *cough*).

There's a bit more information in this post, including link to the Windows 8 certification requirements.

Quote from: Windows 8 System Requirements
page 121, section 17.a:
It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.
255  Main Area and Open Discussion / General Software Discussion / Re: It's official - Linux Foundation Secure Boot System Released on: February 10, 2013, 05:24:40 PM
What exactly is Microsoft's role in UEFI? From what I am reading, it sounds like the UEFI has been around for a while and that the standard has been known...
Right, so...

It all started with EFI, which was Intel's replacement for BIOS for their Itanium systems back in the late nineties. This later evolved into UEFI, and while the EFI spec is owned exclusively by Intel, the UEFI spec is handled by a cartel of the big boys. To give a hint at how important Microsoft is in that group, consider the fact that the executable format chosen is Microsoft Portable Executable (i.e., the format of Windows .exe and .dll files).

It sounds like Microsoft is requiring UEFI be turned on by default to have the "Windows 8 certified" logo applied.
You can do UEFI without Secure Boot; but in order for vendors to get the Win8 certified logo, they have to enable Secure Boot. With Microsoft's master key. The implications of this have been discussed to death in other threads, and there's craploads of FUD around. But even when ignoring the FUD and sticking to facts, this is problematic.

In the end, I think techy users will still be able to do what we do, and regular users will still be able to do what they do. Is there more to the story that I am missing?
While Win8 cert requires that the end-user can disable Secure Boot (iirc it doesn't require that the UEFI has key management, just that you can turn off SB...), there's no guarantee that this will continue to be a requirement on Win9 or Win10 or a bit further down the road. Good ol' slippery slope... and I honestly don't have a lot of faith in Microsoft. Yes, they'd probably end up with antitrust lawsuits if they tried to pull that stunt, but they could do a lot of damage to the PC ecosystem before those suits are settled.

See what I'm saying? I'm still confused about some of this and I'm not exactly an amateur when it comes to either Linux or Windows. And you would probably blow my doors off on most of this when it comes to the real hardcore tech - yet even you still have questions.
How many "regular users" install Linux by themselves? I honestly don't see key enrollment as a problem - and it's only necessary if you don't want the current compromise of bootloaders signed by Microsoft (which I do find somewhat problematic, it's too much power in the hands of a non-neutral party).

What I do find problematic is the "tiny little detail" about key management features not being mandatory. Haven't seen any prebuilt "ready for windows 8" systems, so I don't know what the status of their UEFI setups are - can only comment on my own motherboards, which do offer the full key management bonanza. (I think large parts of UEFI implementations are going to be the Intel UEFI Standard Base, so at least key management UI might have some de facto standard smiley).

So there are bigger factors at play behind some of this direction the new PC design is going in... And it's not mere paranoia or "FUD swallowing" should you start noticing it...
Oh, I agree about that - as I've stated multiple times, I'm wary & weary.

I just feel that a fair amount of people on the interwebs either focus on things that are non-issues, or simply spread FUD... which isn't very helpful. And it's kinda silly, since there's enough pretty problematic stuff even if you stick with the facts.
256  Main Area and Open Discussion / General Software Discussion / Re: Best JAVA IDE on: February 10, 2013, 10:54:32 AM
Eclipse, since it's the de facto standard - and I'm more or less forced to use one of those "vendor value-added" (read: lobotomized) Eclipse versions at work. Can't say I'm a big fan of Eclipse, but that's probably because I'm comparing it to Visual Studio... which isn't really fair smiley. It gets the job done (and oh, it would be sweet if I could use a recent version of standard Eclipse instead of the Adobe junk!), and that's about it.

Tried to take a look at NetBeans a couple of times, but didn't really see much point to it; didn't seem to be much of a speed difference between it and Eclipse (at least not with smallish test projects), but since there didn't really appear to be any glaring benefits in NetBeans, I always ended up with the familiarity of Eclipse.

Some of my coworkers praise IntelliJ, but haven't used it myself - and it costs a pretty penny. There's a free Community Edition, though, with a pretty decent feature set.
257  Main Area and Open Discussion / General Software Discussion / Re: It's official - Linux Foundation Secure Boot System Released on: February 10, 2013, 10:35:50 AM
On the GNU/Linux side, secure boot will introduce confusion, and a set of two very bad choices. Choice A: secure boot is good technology from a security standpoint, but if I want to use GNU/Linux without being dependent on a Microsoft-signed key, I have to disable it.
...or enroll your own key in the firmware.
258  Main Area and Open Discussion / Living Room / Re: silly humor - post 'em here! [warning some NSFW and adult content] on: February 10, 2013, 10:27:41 AM
tracert -h 100

try it.
It's pretty cute abuse of technology =)
259  Main Area and Open Discussion / Living Room / Re: Adobe Flash Player - Update/Fix emergency security patch for 2013-02-08 on: February 10, 2013, 01:40:53 AM
Ah, thanks. Sorry for the duplication. Yes, I felt sure I had seen it somewhere in DCF, but I was in a hurry and it didn't appear when I searched for "Adobe Flash Player".
There, fixed that for ya! smiley

Thanks for being alert and wanting to warn the rest of us.
260  Main Area and Open Discussion / General Software Discussion / Re: Windows Batchfile can't recognize long file name...!!!! on: February 10, 2013, 01:25:46 AM
As AndyM says, you need quotes around paths that contain spaces - otherwise, the path C:\Program Files\Bulk Rename Utility will be interpreted as launching the program C:\Program Files\Bulk with the two arguments Rename and Utility. It's pretty easy if you can use the full path in your batch files - simply add quotes around the path.

The following all work:
1) "r:\spacy path\fancy program\passwords.exe"
2) "r:\spacy path\fancy program"\passwords.exe
3) "r:\spacy path"\"fancy program\passwords.exe"
4) "r:\spacy path"\"fancy program"\passwords.exe
5) "r:\spacy path"\"fancy program"\"passwords.exe"

...if you have a common "x:\path with spaces" path, perhaps take a look at environment variables ("set /?" in a command prompt).
261  Main Area and Open Discussion / General Software Discussion / Re: It's official - Linux Foundation Secure Boot System Released on: February 10, 2013, 01:07:56 AM
I'm interested in one that can more easily toggle between than the current ones seem to be set up to do.
Right, you want it as a boot-time hotkey kinda thing, rather than a flip-flop in the firmware configuration?

Dunno about that - doesn't seem too important to me. If you often need to dualboot between a legacy OS and a secureboot OS, you're probably enough of a power user that you don't need SB, so just turn it off... but OK, we might not be able to legacy-boot Windows in the future. OK, that's a valid concern.

So, why not just shim-secureboot the legacy OS? (Or "real-secureboot" it after installing the right keys in your firmware)? You can leave SB enabled, and boot both whatever-restricted Windows as well as whatever other OS you've installed keys for? Sure, it's more work than now, but it's doable.

As long as Microsoft sticks to the things they've promised, and outlined in their current Windows certification documents. And that ___is___ a big if, IMHO - and I don't take that for granted.

Quote from: Jibz
A) Techy people can go through some hoops to continue booting whatever Linux they like on their machine, stopping them complaining
Yup, on x86 anyway - ARM is locked.

And it's not that bad, hoop-wise (for now!). First off, even if you turn off Secure Boot, Win8 will keep booting as happily as it did with SB enabled - you'll just have a bit less system protection. (There's no guarantee that it'll keep behaving this way, though, and one could imagine DRM requiring SB enabled).

Toggling SB on/off depending on booted OS is somewhat annoying if you dualboot and change booted OS a lot. If that's a real annoyance to you, keep SB enabled, and use a 3rd party SB-signed bootloader (like the Shim I've mentioned a gazillion times by now), and you won't have to disable SB even when booting legacy OSes. You'll be eschewing some safety by not booting a chain of fully trusted drivers, but that's fine with us developer types. And of course there's going to be linuxen around that actually do have a fully verified boot chain.

Quote from: Jibz
B) Non-techy people have little chance to try anything but Windows on their machine, stopping Microsoft worrying
People who are brave enough to attempt installing <whatever> alternative OS - or even booting from a LiveCD - should have no trouble doing the additional tiny step of disabling Secure Boot (or trying a linux distro that has a signed bootloader). I really do not see the problems for this usecase.

Once again, however, I'll have to add the disclaimer that this is how things are looking right now, with the current Win8 logo certification guidelines, et cetera ad nauseam. We should all be weary and wary - but at the same time, we should stick to facts.

262  Main Area and Open Discussion / General Software Discussion / Re: It's official - Linux Foundation Secure Boot System Released on: February 09, 2013, 01:49:39 PM
Hmm...Wonder how long it's going to be before somebody innovative (like Gigabyte) introduces a true dual-boot mobo that you can soft switch to boot either via UEFI or traditional BIOS.
"Legacy boot" == BIOS.

They're already there - I doubt you're going to find a retail motherboard without that functionality.
263  Main Area and Open Discussion / General Software Discussion / Re: It's official - Linux Foundation Secure Boot System Released on: February 09, 2013, 09:22:48 AM
but I shouldn't even be allowed to buy a UEFI-enabled motherboard when building my own system.
264  Main Area and Open Discussion / Living Room / Re: Stop Using Internet Explorer Until Patched on: February 09, 2013, 09:21:26 AM
users of Internet Explorer should jump ship for the next few days as all versions of the browser are at risk of malware attacks.
Or just add IE to EMET.
EMET isn't a catch-all!

It's an additional layer of mitigation, not a security product. In the face of known vulnerabilities, Tinman's advice to STOP USING IE is pretty reasonable.
265  Main Area and Open Discussion / Living Room / Re: Flash Under Attack, Emergency Patch Issued on: February 09, 2013, 09:08:32 AM
Remember, kids: if you're not paranoid enough to fully block (or uninstall) plugins, at least activate "click2play" in your browser.

Also, for searchability: Adobe Flash Player Plugin (once again proves to be a steaming pile of manure).
266  Main Area and Open Discussion / General Software Discussion / Re: Avast Installs Chrome on: February 08, 2013, 09:16:30 AM
which make me wonder what incentives Google is offering to software authors that this is now happening.
It makes me wonder whether Google tolerates this behavior - that'd be piss-poor of them, and be a pretty damn clear violation of "do no evil".
267  Other Software / Developer's Corner / Re: Jeff Artwood, from StackOverflow/coding horror, tries to fix forum software on: February 08, 2013, 09:10:22 AM
- Tech stack is better; Rails + ember.js
You can't be serious - RoR better than ASP.Net? Now that's the best laugh I've had today cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy cheesy

- The team really understands communication, having made a big product in the area
They understand how to make a Q&A site work - and work extremely well. That's no guarantee they'll be as successful with forum software, it's quite a different goal.
268  Other Software / Developer's Corner / Re: Discourse - A discussion platform by StackExchange's Jeff Atwood on: February 08, 2013, 09:09:04 AM
I only mention the above because I think Discourse's proposed $19-$99/mo "small business" hosting price is a little on the steep side. Especially considering how I don't see that much else being put on the table that the current incarnation of Discourse has a sufficient enough USP to charge premium prices.
OTOH, that's a one-off price for hosting, whereas the $10 is per individual user on the Well?

Also, given that Discourse is open source, you can choose to host it yourself if you don't mind the hassle, and think you can do it cheaper?
269  Main Area and Open Discussion / Living Room / Re: Payphones - Thoughts? on: February 07, 2013, 07:31:55 AM
Anyone have any thoughts/memories about payphones?
Apart from sometimes finding forgotten change in them, and making prank calls to the police during lunch breaks? Nope.

Oh, and back in the late '70s, some nutjob planted pipe bombs in the phone booths in Copenhagen - this resulted in the doors being removed from the phone boxes (this is the fun part of the story - the doors weren't numbered, and for whatever reasons there were differences from booth to booth, so eventually all the phone booths had to be replaced cheesy).

Dunno if there's any English resources (lazyquick googling didn't turn up anything), but there's a Danish wikipedia article: Bombemanden fra Gladsaxe.

PS: does the "wiki" bb-tag support linking to different languages?
270  Other Software / Developer's Corner / Re: Discourse - A discussion platform by StackExchange's Jeff Atwood on: February 07, 2013, 07:23:05 AM
Looked at it yesterday and chitchatted a bit with mouser on IRC about it - but haven't looked at it enough to have any super well-formed opinion. Some ideas seem nifty, others perhaps less so. Not sure what to think of it being pageless - the idea that your "reading progress" is saved is nifty, but for really long threads you're going to have a veeeery tiny drag-selector on the scrollbar. OTOH, it's nice not having to do a page refresh (and losing contents of your edit box...) to read more - but that could be accomplished with AJAX in a paged environment as well.

Guess I'll have to play with it a bit more, and see what happens as it gets more polish. My initial impression is that it could work well for some sites, but I don't think it'd suit DoCo.

I also can't help but wonder how well it will scale because it's written using ROR.
I was pretty puzzled when I saw it was built on ROR, considering how well ASP.Net has worked for the StackExchange platform. But I guess it's a combination of only parts of the ASP.Net stack being open, and (perhaps more important) not being able to run ASP.Net gratis (you really do need to run it on Windows, MONO is not quite there yet).

Fans of Ruby often argue it's not Ruby itself that's the problem (as in sloooooow) - but the way people (who don't understand it well enough) code it.

Ruby itself is damn slow and doesn't support multithreading (there's projects like JRuby, but meh), and while Ruby is a sorta-kinda-OK language it's not really that special in and by itself... if it wasn't for Rails, it would still be a niche language most people hadn't heard about. And Rails is a big effin' rats nest of vulnerabilities - stay clear!

Ruby follows the old crappy UNIX notion of "let's spawn a process per request! Processes are cheap! cheesy cheesy cheesy", so to get any kind of decent speed, you need a load balancer that dishes work off to one of several spawned Ruby processes (which need to be restarted every now and then because of memory leaks). There are hacks to reduce the impact of this, but... meh.

I really don't get why one chooses to do anything but prototypes in Ruby/Rails, really. You've already moved beyond the "Runs on every cheap-ass host" PHP and into the domain of having to pay at least a bit for the hosting, so why Ruby?

Go Scala - and if you need fast turnaround, go Play around (despite the name, it's ready for production use).
271  Main Area and Open Discussion / Living Room / Re: Legitimate app breaks popular encryption - EFS, BitLocker, TrueCrypt ... on: February 07, 2013, 07:03:10 AM
Oh deer... I left my laptop at the ___. What ever shall we do... Not to worry! It's [cue the super hero background music] Encryptified! Yeah!!!
Well, as long as you either don't use hibernation, or you use full-disk/system-partition encryption (and don't have firewire ports), you're safe. (OK, I'm not 100% sure about pagefile, but the key should be kept in unpagable memory).
272  Main Area and Open Discussion / Living Room / Re: Mp3 File Format Issue Split From Silly Humor Thread on: February 07, 2013, 06:57:34 AM
Fresh clean unmodified copy, with both .wav and .mp3 file extensions, loaded into the latest version of Trout.
That's pretty weird! But you can clearly see that it hasn't been able to parse the file as MP3, since bitrate, samplerate and channels are wrong. Perhaps it just directly feeds the file to a 3rd-party library, which then correctly parses the data as WAVE nonetheless?

Your FFmpeg screenshot mentions the file being created with GoldWave, which is not the sndrec.exe which shipped with Win95 that Tinman says he created the file in. I am guessing it was an older version of this app that he used.
Indeed - shouldn't really make much of a difference, though, any WAVE editor that supports the codecs available on the system would produce more or less the same output.

  Gee, I didn't mean to start such an ordeal over one lousy wav file.  Anyhow, I'm uploading the original (I do believe) codec that I installed.  This is a self-installing zip file, but you need to rename it back to .exe. (see attachment in previous post)
smiley - well, unless somebody has played tricks on you, that codec isn't the codec used to compress the Define.wav. That file is clearly TrueSpeech and not mp3-encoded... just tested on a clean XP VM, installing the l3codec above still doesn't enable me to open the file.

It also seems that the codec is decode-only (unless Audacity isn't able to use system codecs) - which is fine and well, since the compression-enabled codec iirc was commercial smiley

Meh, file formats and compression are just some of those fun things!  Kiss
Indeed - this was a fun bit of detective work smiley
273  Main Area and Open Discussion / Living Room / Re: Legitimate app breaks popular encryption - EFS, BitLocker, TrueCrypt ... on: February 07, 2013, 06:56:27 AM
Yup. Nothing new here. Although I'm guessing some wannabe hackboys just might end up with their wallets or Paypal accounts being  $300 lighter if they don't do their homework before reaching for their plastic.
To be fair, the product is probably more targeted at government agencies - those tend to like high pricetags and support and all that kinda stuff smiley
274  Main Area and Open Discussion / Living Room / Re: Legitimate app breaks popular encryption - EFS, BitLocker, TrueCrypt ... on: February 07, 2013, 06:36:06 AM
Yeah, nothing to see here, really.

This has been doable for quite a while, and even outside Sekrit Forensikz, there's freely available tools to do it. The Elcomsoft program just makes it a bit more convenient (even the Firewire-DMA attack that can be used on a computer that has been locked isn't new).

Also note that this doesn't recover your passphrase - it recovers the raw encryption key. That is obviously enough to get at your data, but in no way leads to disclosure of the passphrase itself smiley
275  Main Area and Open Discussion / Living Room / Re: Gummiboot restructured to allow Linux to work on SecureBoot systems on: February 07, 2013, 06:32:02 AM
So I guess my question really is, can the chip the UEFI software resides on be flashed, so as to POSSIBLY bypass a UEFI that does not allow turning SecureBoot off, or as a bonus, utilize the benefits of UEFI while not needing Microsoft-signed keys to get around SecureBoot?
Dunno if the UEFI standard says anything about where the code resides etc., but it'd be weird if it wasn't in flash-rom; after all, it "might need upgrading". The systems I've seen have had normal flash-rom.

Of course flashing could be locked down to require updates to be cryptographically signed, but we're not there yet. However, it's probably almost de facto impossible to flash something else due to the level of complexity of modern systems, and the vendors not being keen on releasing full chipset specs. (I haven't followed tianocore or coreboot/linuxbios, but was under the impression hardware support is relatively thin?).

Oh, btw, there are some systems where parts of firmware aren't stored in flash-rom but a harddisk partition or the like. Mostly non-x86 systems I guess, haven't really come upon them myself. But iirc there's also been a few x86 vendors doing this in the dark & dirty past - perhaps Olivetti or COMPAQ? Dead harddrive, good luck getting that machine booting again.

Ya think? Or maybe just...
This is, arguably, insane, but so is the entirety of EFI so that's ok then.

Big grin smiley - if I understood that part correctly, though, it was a rant on the Linux kernel (using BIOS-specific E820 memory map as runtime rather than boottime data structure)?

Don't know enough about UEFI to comment on whether it's "insane", but it is big-corporation committee work, so... *rolleyes*. Idea of replacing BIOS with something more modern was good, though.