Posts by Lotaresco 1316 posts • joined 24 Sep 2007
"Not sure what more help would be required?"
For government IT an explanation of what GitHub is, £900,000 in consultancy fees to write a report that says that GitHub is used by Chinese hackers therefore unsafe. Another £150,000 to re-write the report at a level that could be understood by an MP, followed by a Cabinet Office edict to state that GIThub is to be blocked on all government networks.
" I use a pfsense firewall with DNS which then points to a pihole."
I'm wondering why you do that. PfblockerNG does everything that a pihole does and it integrates with DNS resolver. It also logs natively on your pfsense firewall so that you can see what's going on and get alerts via the web interface. It even uses the same blocklists as pihole.
"Yes but I thought "Macs don't get viruses"?"
I think you may be thinking about claims made about Chromebooks. They even feature in advertising for the Chromebook.
The first Mac virus I recall seeing was nVir in 1987. Then John Norstadt's Disinfectant appeared as the first anti-Malware software that I had seen. Graham Cluley has documented the history of Mac malware. It's worth a read. I haven't seen anyone other than the terminally clueless state that Macs don't get viruses. Although with OSX the scope for viruses to propagate has been severely curtailed and proofs of concept often require a lot of user compliance to give the virus the permissions it needs to infect system files.
As someone else has said, malware that runs in userspace is more of an issue. Ransomware, crypto-currency miners, Trojans etc only need user permissions to do their stuff. If you can execute code on your computer then malware can execute on your computer. The only effective way to stop it is to make it a pain to use your computer.
I heard the announcement on Radio 4's "Today" programme. I say in slack-jawed yokel mode listening to it, thinking "What the actual..?" This was because I know "quite a bit" about OneWeb and know that key team members were dismissed at the time that OneWeb filed for Chapter 11. The concept is (was) a good one, the technical performance was excellent and at one point the launch schedule and satellite manufacture were ahead of Elon Musk's Starlink. The problem was that as soon as it was obvious that Covid-19 would result in an economic downturn the investors got cold feet and refused to pay for the next tranche of work.
The reason that I was boggled by the government announcement was that it's obvious to anyone who understands the technology that a LEO satellite communications system depending on microsatellites cannot function as a positioning system. Also modifying the existing satellite design is unlikely. The satellite launcher is a dispenser design, closely matched to the size of the satellites. Change the satellite design and the dispenser may also need a redesign.
If the intention is to operate this network for military comms then the locations of the ground stations becomes an issue. Some of them are in countries that won't permit military use. Some of them in countries that UK government would not choose for the location of a military comms hub.
There are many issues to solve and the stated reasons for the purchase don't look credible, there would, as ever with government projects, be hidden costs and cost over runs. I can't even see how they could attract the OneWeb staff back, they are people whose skills are in demand and I think most of them are now settled elsewhere.
"They've been called Skynet since the sixties."
The copyright holder - that may have been Skydance Media - sent a cease and desist notice to Paradigm/Airbus demanding that they stop using the "Skynet" name. Apparently a bit shocked to be told that they were infringing the MOD's intellectual property. I'm just sad that MOD didn't then sue them or issue a DMCA takedown for the entire Terminator franchise.
"Council services are still NOT centralised"
This is a failure of central government which washes its hands of supporting local government effectively. It would be reasonable to expect HMG to provide a SaaS solution that would permit local governments simply to configure for their own "branding" and geographical location. It is, after all, what many local authorities already do for organisations within their boundaries. Parish councils, town councils etc are often consuming a service provided by the County council. Sadly government is always very big about talking about reduction of inefficiency, joined-up services, "supporting our communities" etc. and very bad at actually doing something to achieve those goals.
That when the FBI want to pursue an investigation they are able to do the complicated and time-consuming job of collecting and collating information from numerous messaging systems, accounts, mobile devices etc. Yet when it comes to investigating political chicanery the same diligence and technical capability appears to be absent. Presumably the team(s) that investigate commercial and personal wrongdoing are much, much better at their jobs than the ones that investigate political corruption, bullying, harassment and downright treachery. I mean there, couldn't possibly be another explanation, could there?
"Apple has a pretty poor track record of backwards compatibility,"
Not in my experience. I've weathered the changes from Motorola to Power to Intel without any problems or loss of software. During the same time with Microsoft mostly on Intel I've had the experience of the worst backward compatibility I can recall, as even relatively minor OS version changes have resulted in software that stops working. By the time Apple has dropped support for a previous version of software the manufacturers have released native versions as part of the upgrade process.
"Which raises the question: how do they reward the author who's died in the meantime?"
The author's estate inherits the copyright and collects the royalties, which is where things often go badly wrong. The inheritors don't often have much or even anything invested in the creative work and simply look for maximum return. They often have unreasonable expectations and peevish responses. I have seen the estates of authors demand huge increases in royalties for books that have limited readership, for example. The estate will also permit uses of the copyright work that the creator had avoided all their life, just to squeeze a bit more blood from the stone.
I have been in the position of giving advice to UKGOV about the security implications of their interactions with the public. They even have copious documentation on the subject such as the 2012 Requirements for secure delivery of online public services. Although the focus there is more about how the government sets out to avoid being scammed by the public. Yet repeatedly when there's a "government initiative" they fall flat on their face and constantly try to engage the public in ways that look like phishing, smishing etc. I had an invitation to an InfoSec conference that I ignored because it had all the paw prints of spear phishing on it, sent from a non-UK hosted domain using a no-reply From: address, poor grammar and spelling, talked in vague and inaccurate terms about security, asked for advance registration through a poorly designed http-only site with a long questionnaire about personal details and also requests for the applicant to state their security clearance(s) and provide the details of a referee from a client.
It turned out to be genuine and from NCSC who had farmed the work of taking bookings out to a particularly clueless contractor.
The financial industry is better at providing contact details and extra information to verify that a communication is genuine. The Government Communications Service exists with the mission statement "Supporting ministers’ priorities, enabling effective operation of public services and improving people’s lives." Either it's not very good at its job or it's not consulted for these mass-communication efforts.
Ryanair had apparently agreed to buy several of the 737 Max. It will be interesting to see if they fly them and possibly slightly terrifying to think that the alternatives will be extending the life of the current 737 fleet, some of those aircraft are looking "tired" these days, or taking a flight on a Max.
If you get an answer that starts with "committed to creating an experience", you know that:
A) it's written by an marketing droid, not a technical person
B) it's going to be useless.
B) They are fucking you over, twice.
C) You're not even getting a kiss. 8^7
B) They are going in dry from behind.
C) You're not even getting the courtesy of a reach around.
"printed with the lower half of someones face."
One Clarkson, J. Held a photo of Bill Oddie in front of his face when encountering speed cameras in Japan. This was, probably, a spoof. But I'm sure someone will now try it with a mask to avoid speeding fines from camera vans. That and false plates, naturally.
"We're reviewing this complaint."
Organisations often say this. It's difficult to see what a "review" will achieve other than putting the embarrassing incident on the back burner for a time. Usually instances of discrimination are obvious and the complainant usually obviously correct. A manager with a spine could make a decision in a few minutes.
I've worked in the past for HP and HPES. Despite the separation there's no difference between the two when you are inside either one. Their "get rid of the greyhairs" policy was in operation a decade ago. Sadly the ones who wanted to go were the good ones and we got left with a lot of people whose skills had atrophied.
"I can see that some people living in a single story home where all ground floor windows might be seen as a possible point of entry b y a criminal might go for a system like that."
I live in a three storey house. It still has ground floor windows. Do criminals just give up with trying to get in through a ground floor window if the house isn't a bungalow?
"But they are wholly responsible for allowing it to happen in the first place and not having protocols to prevent and detect abuse of their system, for that alone they should burn."
Is the correct answer. This is evidence of shocking levels of not caring about security by ADT. It's negligence. As to "How would ADT monitor logs? " raised by someone else. That's what a SIEM is for, although monitoring logs is hardly a taxing task. Config changes should be reported to ADT/the customer.
This incident is evidence that ADT was saving cash by skimping responsibility.
"we're all just smiling and floating down a river of shite"
This is a description of the west these days. There's a "Land of the Lotus Eaters" feel about the west as people become more interested in hedonism that actually doing anything. In social media today anyone who dares to suggest that things may not be as wonderful as portrayed tends to get a good shouting down. THX1138 anyone? "You are a true believer, blessings of the State, blessings of the masses. Work hard, increase production, prevent accidents and be happy."
Long before SARS-CoV-2 raised its receptor sites above the parapet we had an annual "music festival" within hearing range of home. Admittedly that hearing range is six miles, but the noise is loud enough to prevent sleep. Which is no problem at all if you're attending, woo! We're not teenagers, we're adults and we can stay up to 4AM with banging choons, man! More of a problem if like most of the people in the rural area your working day starts at 5AM.
The great news is that thanks to the virus the event is cancelled.
SARS-CoV-2, I love you man, you're like rilly, rilly my best friend.
I would guess that most spies already know which pubs to hang around. I'd also guess even relatively inept "Four Lions" style wannabee terrorists could work out the same. it doesn't take long in London to work out which pubs are which or to overhear drunk people getting a bit loud about what they do.
" It's clearly someone 'avin a larf."
It clearly is. But it's like coming home to discover that your "friends" have entered your home, shaved the cat and decorated the kitchen with condoms. Hilarious[1] as it may be, it should not have been possible because the joker has achieved something that a criminal would also like to do.
[1] FSVO "Hilarious"
"Are there really so many people poking around these things just for the hell of it?"
Yes, astonishing as it may seem a lot of the attempts to get past firewalls are people poking around for the hell of it. If you install a firewall on your home network, you will be surprised at how much of the traffic blocked by the firewall is down to nosy individuals probing your IP address for vulnerabilities. In fact it's why you should have a firewall (pfsense is a cheap way to do it) because otherwise you live in blissful ignorance about who is trying to hack you, and often succeeding. It's not that evil wicked gummint you need to worry about it's those social justice warriors and plain old nosey parkers. Add pfblocker to your firewall and update its blocklists and you will see even more IPs blocked by reputation.
I worked on a huge payroll system. We had a user who cost us a lot of time and money because he was phished with an Excel sheet that contained a macro virus. So security insisted on the introduction of code signing. Which was good. Within an hour an angry user appeared in my office screaming that I had "ruined" that weeks payroll run. I couldn't get much sense out of him so followed him to his desk where many excitable payroll people yelled at me, at lot.
It turned out that there was an issue with how the payroll system presented dates. To work around this the shouter-in-chief had designed his own Excel spreadsheet with a macro to change the date format and prepare a CSV file that was exported to the secure print system to print out the payslips. He'd then insisted that his minions use his spreadsheet. Only now it didn't work because his greyware had never been tested or approved by anyone and he sure as heck couldn't get his code signed.
I pointed out that it would take one of our DB people about, oh, fifteen seconds to change the database to display dates in the format they wanted and probably half a day maximum to get that through QA. But since it would be a trivial change that I could authorise the use of the code now and QA could follow on at their own pace. Not good enough for Mr Shouty. He wanted his code running *now* and wasn't prepared to accept that someone whose job it was to make changes could do a better job than him.
He took it to the CEO. I lost, in the worst way possible. I was told to revert to permitting unsigned macros to be run because that way Mr Shouty could continue to "Add value to the business" with his homebrew. I think they still use the cobbled together mess.
Unfortunately I'm trapped in the UK at the moment, and have been since the end of February. When I do finally get to go home to Italy the good news for me is that our local microbrewery swapped to a home delivery service. The brewery is run by a group of young people who constantly come up with new ideas and fortunately for me they are within staggering walking distance of home, even though we live way out in the sticks with the nearest house being about a 10 minute walk away.
"Why on earth didn't British publicans do the same, leaving pints on the doorstep until the allegedly short-lived beer ran out ? I'm sure there'd be enough customers."
Beer at home means Davenports, apparently. Which proves there are very few ideas that people can come up with that haven't been thought of/tried before. Apparently Davenports have started up their home delivery service again.
"My suspicion is that you have just made it all up for effect."
My suspicion is that you have never provided security support for small business in the Legal/Financial sector.
The simple answer to how do we know what they do at home is that we ask them. It's part of our job to assess current security risks before giving advice. Checking the arrangements made for home working is part of that assessment.
For example:
Do you work at home?
How do you do that, do you use IT provided by the practice or do you use your own?
How do you move data between home and work?
Is the system you use connected to the Internet?
Do you have any form of security appliance at home?
Does anyone else use your home system?
etc. etc...
You can even download the checklists for free from some sources, although you are going to have to pay to get copies of ISO27001. It also helps to have been trained and preferably to have passed assessments of your capabilities as an ISO27001 auditor but in theory the client could do it themselves. Except of course that IT geeks get paid less than the partners in a Legal business, so it makes sense for them to outsource the work.
Seminars. And the attitude was exactly like yours...
We don't use seminars for selling. We also do freebies at BILETA or rather we used to. I've given up because it was obvious to me that the lawyers simply wanted consultancy for free. One of my colleagues who is the lawyer on the team still attends. What you are asking for is provided by BILETA. Not that anyone will be doing conferences for a while.
I gave up talking to lawyers about IT security some time ago. They would not even attend free seminars on basic IT security because it detracted from the time they could bill to clients. While spending time with lawyers (various) I have seen appalling practices such as walking out of the office leaving their PC on and unlocked, leaving filing cabinets unlocked, using unencrypted media regularly to take work home which they then copy on to the same PC that their kids use that is connected to the internet without a firewall and doesn't have AV installed. All of our observations as a security consultancy have been dismissed by law firms who asked us in to talk to them about getting ISO27001 or cyber essentials because one of their clients insisted on it. In short if it involves spending money on security law firms for the most part are not interested. The ones that are tend to be niche. Accountants are much more switched on about IT security. I wish some of that would rub off on lawyers.
"Great Twarkon!"
"Yes Minister Fnool."
"The earthlings are apparently unaware of our message."
"What? What?? How can they be unaware that we have been sending them signs for thousands of years? The rings, I mean the rings are they not obvious?"
"Obvious Great Twarkon, but the Earthlings even though they have calculated that these are ephemeral structures seem unable to draw the inference that they are therefore artificial."
"What about the Hexagon? I mean that's obvious isn't it? Nature abhors straight lines. The existence of six of them at the North Pole must a bit of a giveaway even to the most obtuse of species."
"Sadly not great one, they appear to be clue resistant."
"Well if they can't detect an emergency evacuation signal they just deserve to perish."
"Even so Great Twarkon."
It was definitely overkill for the purpose, but I can remember playing Zork and other games on the Manchester CDC Cyber 170-720 supercomputer between 1981-1984. Years later I met (meatspace) the guy who ported many of the games to the Cyber, obviously done for this own amusement. We still keep in touch from time to time over various nertnet systems.
"Unless you are sending a lightsail "ark" full of settlers to Alpha Centauri, what is the point of this trip? You've just spent billions of $ to build your spaceship, sail and lasers, and you aren't getting anything back."
We have already spent huge amounts of cash (multi-billions) to send things into space that we will never get back. Almost everything that we have thrown up there with very few exceptions was on a one-way trip.
Perhaps we could send oh, say an unmanned device to explore another star system with a means of communicating those results back to Earth? After all, 4 - 5 years to receive a transmission is acceptable given that it was nine years before the New Horizons team saw images of Pluto. Yes, it's going to take a lot longer to get to another star system than the trip to Pluto but it's not an unthinkable time if we can hit a low fraction of c. About 0.05c has been estimated as possible which gives about a century to the nearest stars.
Two decades ago a customer decided to interrupt my holiday, insisting that I had fouled up their client's document storage system with "unauthorised changes". Since I had made no unauthorised change, I was sceptical. The manager in question tried to insist that I drop my holiday and return to the UK at my own expense and "fix the mess you made". I declined pointing out that I was 2,900 metres up a mountain and implying that I was bravely clinging to a cliff to answer the call at severe risk to my own life. I was actually enjoying the apres-ski in a nice warm bar but, I didn't actually lie about it, just a bit economical with the truth. I then removed the battery from my phone and didn't use the phone again until I got home.
At work the same manager shouted himself hoarse at me, insisting that I had failed, his company would sue me for every penny of the costs (etc.) I checked the system it was failing as the end client had observed. The search engine couldn't find several documents by keyword or content. I checked the source documents and superficially they looked OK, but the timestamps all dated from about two days after my holiday started and the metadata had all gone. Hence keyword search not working.
I looked carefully at one document that I knew well and found that the phrase "non-blocking inputs" that had been in the original was now "non-lo10cking inputs". All of the documents that I checked had similar errors. This was why some searches for body text were failing.
I found the manager and asked why the entire document set had been replaced with OCRed copies. He called me names and called me a liar and hen threatened to get me thrown off site with a "You'll never work again!" threat. I documented what I had seen and mailed copies of my report to him, his boss and the end client. The end client investigated and discovered that the manager in question had been "playing with the system" and had deleted all the originals with a classic rm -rf /docdir when what he intended to do was to delete the cache and free up some disk space. He'd then tried to restore from the R/W optical drive "backup" and had managed to overwrite that data with an empty directory by getting his arguments the wrong way round. Fortunately all logged by the system. He'd then forced his staff to work all weekend OCRing the paper copies to cover up his blunder but they had no time to fix the errors.
He was escorted from the premises, my contract was reinstated. Victory of a sort.
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2020
