Is there a good reason to send people back to the moon?
Seems very risky and drones could do everything (and more) an astronaut could do.
76 publicly visible posts • joined 4 Aug 2023
"Some day, Fortune 1000 CEOs will finally get the message ..."
Some day the GNU/Linux zealots will get why CEOs allow Windows within the organisation. When that happens the situation WILL change.
However, rather than doing that, why not create another distribution and ten more text editors.
Last year (2025) a Tesco cafe kiosk dropped to the desktop. I didn't need a keyboard as it kindly gave me an on-screen one on the touchscreen.
The only thing I did was to check if I had root access, and of course I did. I left a txt document on the desktop with a message commenting on the importance of "least privilege" control (although no doubt the file would have been wiped on reboot).
At the time I was amused by it running anti-malware, but on reflection "of course it did, and quite rightly".
My younger self would be incredibly disappointed with me that I made no attempt to hack the system to get unlimited "big breakfasts". That said, I am still worried the government will insist I am arrested under the Computer Misuse Act for leaving that text file.
Not my image but ...
https://share.google/zMvNc3cuNDQESvdRs
Over a decade ago several UK universities signed up to the "gender blind" application process. Anything that could indicate gender was removed from the process until interview. The goal was to remove the subconscious (and I guess conscious) bias against females.
(The initiative was not just academia; it was embraced in commercial environments. I recall several stories on Radio 4 about it.)
Obviously the HR staff were clapping their hands together in excitement, and to be fair the IT managers at my university were all for it. I too was more than happy to play a part (selecting candidates for interview).
Years later I asked why it was never implemented, and was told it resulted in fewer women being invited for interview.
I can see why that should be.
Blame the Project Managers. All they care about is "on time and to budget" (and impressing their managers); this is true no matter what the size of the project. Any governance issues are dismissed with a wave of the hand (which mostly works). I lasted a few months in an NHS trust until I realised their GRC was just pretend and "getting the job done" was a legitimate reason to override policy (exception requests were just rubber stamped).
It is so easy to screw up SharePoint permissions, it is so easy to unintentionally lose an intuitive ACL structure.
So many organisations employ those with the right skills, and then they leave and then...
"Hmm, can you access it now? Hmm, try again. I don't get it, hmm, one last time. Oh! That's great! I'll close the job."
MS: Hmmmm ...... access control is so flexible.
I have worked in many environments and it is chalk and cheese with companies that outsource their IT and those that don't. Outsourcing will never be able to provide the flexibility that Cyber Security requires. To request a change when outsourcing IT requires tiers of management to approve and to find funding for even the simplest of change or improvement. Those in the management tier have the direction of not submitting any change due to the expense and "leave it to the next contract". When you have your own IT staff, they are falling over themselves for projects (which is not always a good thing) and to improve services.
I often wonder if an off-the-shelf trusted and established application, with internal support staff, can create a better and MORE FLEXIBLE service. My experience ends in 1997 when the Benefits Agency brought in consultants to look at the IT services, and they scrapped in-house solutions and contracted out. The results were as you would expect. I remember we could not ask for bugs to be fixed because it had been signed off, and we could only make a handful of "feature requests" per year.
Lots of reasons. However, the primary reason is managers: not one taking responsibility/accountability by suggesting something they could be blamed for. Once someone has suggested "X" then X it is, and we know who to blame when it all goes wrong. This attitude runs from top to bottom of the management hierarchy. In my experience poor project management is something the UK excels at.
Hold your horses. You do know that a hack to allow positive discrimination is to declare a diverse workforce as a requirement of the organisation. The organisation (HR) will produce lots of graphs about the financial benefit of diversity. Points will be awarded to select candidates and at interview based on what they can contribute to the company's diversity.
They have ridiculous job titles to sound impressive when they leave. I must admit an application from a "Lead Cyber Security Expert" at GCHQ would go on top of the interview pile.
My young colleagues tell me that "job cat fishing" (or is it phishing) is also a thing, where employers big up the role that does not reflect what you will be doing.
"Penn State abandoned its contract with **government-compliant** cloud host Box in favor of OneDrive, which doesn't meet NIST's CUI security requirements, to save money"
I've been there countless times with UK universities that get IT to do their Information Governance. IT make a decision without consultation, and when it all kicks off when they tell users to move data to the new repository, they offer the advice "go back to the stakeholder, explain that there is no difference in security". I can guarantee IT would have said "will it be okay if you encrypt the data on OneDrive?".
Keep an eye on pen testing companies, even those based in the UK.
I have audited companies that have employed a third party pen testing company to do their pen test (fair enough), and while the pen testing company is genuine and non-malicious, they are often unable to provide meaningful assurance on the contractors they employ.
So more reason to remove the air gapped networks and have all the sensitive information "on the internet". WSUS requires just two ports to be open; what's the betting that the cloud "alternative" requires a whole host of URLs with ever changing IPs and multitudes of ports for our on-prem servers to access them.
I will miss typing "wuauclt /reportnow" and "/detectnow" (although one of them didn't work, but I can never remember which, so I used both).
This will become more of an issue as companies get to grips with supply chain security. While you are rightly defending FOSS, another group of people are congratulating you for making an excellent point on the lack of assurance with Open Source and hence why it should not be used in a prod environment.