Chris Bowdon 🇬🇧🇪🇺 @cbowdon@mastodon.social

Dad stuff, dinosaurs 🦖 🦕

We worked hard, we nearly made it but Microsoft seems to have won this battle.

We, at the NHoS team, worked hard to create an Ubuntu-based replacement for Windows for the National Health Service in the UK:
theregister.co.uk/2017/06/30/n

But unfortunately it has been used only as an excuse to get a discount from Microsoft:
theregister.co.uk/2018/01/18/n

Talks to get permission to use a brand similar to NHS were under way, but now that they have got the discount we are not useful anymore, apparently.
We'll fight on.

@cbowdon And if such news articles are read without JavaScript, none of these Twitter cards are even visible, so text referring to them lacks context.

What happened to just plain old quoting other people's statements in an article?

Journalists should understand that linked and embedded content is not under their control and could change at any time on any (or all) of their readers' computer screens...

I love News, on account of it being the least biased and most reliable. But a couple of trends are worrying me:

1. Experiments with clickbait headlines
2. Embedding tweets in articles as sources

The tweets bother me more, I think the Beeb will grow out of the clickbait stuff. But the tweets are so many bad things:

- lazy reporting
- web page bloat
- anti-privacy (I assume Twitter cards are loaded to hell with trackers, right?)
- making Twitter seem like a public service

Not cool, Beeb

Still slowly working through WAHH. Chapter 11 was on logic flaws, and was basically a collection of interesting anecdotes. Some of the suggestions for preventing logic flaws strike me as impractical though, such as comments describing all the clients of a piece of code. Comments are one of the first things to get neglected in a living codebase.

It is $CURRENT_YEAR, don't allow your Windows machines to authenticate with NTLM to web proxies and other things. And don't forget to disallow Firefox from doing so too.

This attack tool listens to DHCPv6 requests that Windows sends out unprovoked, sets their DNS to its own IPv6 address, which Windows automatically prioritizes over IPv4, then happily answers requests for web proxy autoconf.

#mitm6

https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

/via @lobsters https://lobste.rs/s/wyyohz/mitm6_compromising_ipv4_networks_via
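One way to check (and optionally apply) the host-side mitigations the two posts above point at, as an added example that is not part of the original toot or of the mitm6 project: it audits whether the machine prefers IPv4 over IPv6, whether outgoing NTLM is denied, and whether the WinHTTP WPAD service is disabled. It assumes Windows 10 / Server 2016 or later and an elevated PowerShell session; the `-Apply` switch and the `Test-Setting` helper are my own names.

```powershell
# Added example (not from the original post): audit, and with -Apply enforce,
# three Windows settings that break the mitm6 chain (rogue DHCPv6 DNS -> WPAD -> NTLM).
# Assumes an elevated session on Windows 10 / Server 2016+.
param([switch]$Apply)

# Registry-backed settings: where they live, the hardened value, and why it matters.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Name = 'DisabledComponents'; Want = 0x20
       Why  = 'prefer IPv4 over IPv6 in prefix policy, so a rogue IPv6 DNS server loses priority' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Want = 2
       Why  = 'deny outgoing NTLM to remote servers, so proxy auth cannot be relayed' }
)

# Hypothetical helper: reads the current value and compares it to the hardened one
# (exact match; a missing value reads as $null and counts as not hardened).
function Test-Setting($c) {
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Setting = $c.Name; Current = $cur; Wanted = $c.Want
                       Hardened = ($cur -eq $c.Want); Why = $c.Why }
}

$results = foreach ($c in $checks) {
    $r = Test-Setting $c
    if ($Apply -and -not $r.Hardened) {
        New-Item -Path $c.Path -Force | Out-Null
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $r = Test-Setting $c
    }
    $r
}

# WPAD: WinHttpAutoProxySvc is the component that asks DNS "where is wpad?", which is
# exactly the lookup the attacker's DNS server answers. Disabled start type = hardened.
$svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
$wpadOk = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled')
if ($Apply -and -not $wpadOk) {
    # Newer builds refuse Set-Service on this service; Start=4 in the registry works, after a reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc' `
                     -Name Start -Value 4 -Type DWord
    $wpadOk = $true
}
$results += [pscustomobject]@{ Setting = 'WinHttpAutoProxySvc'; Current = $svc.StartType
                               Wanted = 'Disabled'; Hardened = $wpadOk
                               Why = 'stop WPAD lookups that the rogue DNS would answer' }

$results | Format-Table -AutoSize
```

The Firefox side of the first post is a separate browser preference (`network.automatic-ntlm-auth.allow-proxies`, set to false in about:config or via enterprise policy), which this script does not touch.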

Oof this post gets to the very heart of breadth vs depth. I like the idea of a Depth Year 🤔 raptitude.com/2017/12/go-deepe

Wonder what proportion of this month is going to be spent discussing with people who are happy to leave vulnerabilities in their apps as long as it wasn’t flagged on a pen test, but get all antsy if there’s an OS patch that needs applying.

As an end user, you can mitigate any of this by not running arbitrary JS, but this is somehow an unpopular opinion in the tech mainstream. Only privacy/security nuts (such as most of us here on Mastodon) seem to consider that. 😕

This is a good read on the inherent security problems of distributing third-party dependencies in your application, i.e. how much you implicitly trust the million packages included with React.

hackernoon.com/im-harvesting-c

The mitigation for the scenario in this blog is a strict CSP but if you’re running untrusted code the attacker has all the cards and will surely think of something else devious to do.

"2016-2017 tax return progress: 1% complete"

Very motivating, thanks HMRC.

Not just in terms of potential flaws in the patches, but the teams implementing patches are surely going to screw up because let’s face it the majority of ops is a shitshow. For all the progress that’s been made at the top end of the spectrum, there’s still a majority of teams that fail to test backups or have a proper staging environment.

One of my colleagues reported getting just 20 minutes warning that Azure was going to restart their VM as part of patching.

I wonder how many and how serious will be the issues that come out of the frantic patching rush?

This diagram is by far one of the most instructive I have seen on this topic of software errors.

πšƒπ™·π™΄ π™΄πšπšπ™Ύπš π™°πš…π™°π™»π™°π™½π™²π™·π™΄

I wish it could gain some currency in the #softwaredevelopment world, and not just DoD systems engineers.

cybre.space/media/Z4V0cwdI3eyY

Welp: theregister.co.uk/2018/01/02/i

> A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

> Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down.

> A spokesperson for Intel was not available for comment

Weren't they now.

UK TV (Blue Planet) 🌏

That feeling when you have written a good implementation, but know there’s a more elegant one hiding in there somewhere and you just can’t find it 😬

Whew, that’s over with. Ticked all the Christmas boxes:

✅ Family argument
✅ Politics discussion that changes no one's mind
✅ Organising people like herding cats
✅ Non-stop Christmas tunes
✅ Still a lovely time

On the upside, the ancient rotating-cube virtual desktop switcher still makes me disproportionately happy.