* Posts by John_Ericsson

46 publicly visible posts • joined 4 Aug 2023

Have I Been Pwned likely to ban resellers from buying subs, citing 'sh*tty behavior' and onerous support requests

John_Ericsson

In this context, what is a reseller?

Already three years late, NHS finance system replacement delayed again

John_Ericsson

To be fair, we never hear of the thousands of NHS IT projects that are delivered on time and to budget.

Oracle finance system at Europe's largest city council still falls short 2.5 years later

John_Ericsson

I often wonder if an off-the-shelf, trusted and established application, with internal support staff, can create a better and MORE FLEXIBLE service. My experience ends in 1997 when the benefit agency brought in consultants to look at the IT services, and they scrapped in-house solutions and contracted out. The results were as you would expect. I remember we could not ask for bugs to be fixed because it had been signed off and we could only make a handful of “feature requests” per year.

Why does the UK keep getting beaten up by IT suppliers?

John_Ericsson

Lots of reasons. However, the primary reason is managers, with not one taking responsibility/accountability by suggesting something they could be blamed for. Once someone has suggested “X” then X it is, and we know who to blame when it all goes wrong. This attitude runs from top to bottom of the management hierarchy. In my experience poor project management is something the UK excels at.

British Museum says ex-contractor 'shut down' IT systems, wreaked havoc

John_Ericsson

“Suspicion of burglary and criminal damage”. Now the staff at the British Museum know how it feels.

Xfce 4.20 is out: Wayland support lands, but some pieces are still missing

John_Ericsson

The worst case scenario is going to happen. Both Wayland and Xorg are going to have to be installed side by side for decades to come. Wayland is a vanity project. They pride themselves on doing it their way with little regard for real world needs.

Watchdog finds AI tools can be used unlawfully to filter candidates by race, gender

John_Ericsson

Hold your horses. You do know that a hack to allow positive discrimination is to declare a diverse workforce as a requirement of the organisation. The organisation (HR) will produce lots of graphs about the financial benefit of diversity. Points will be awarded to select candidates and at interview based on what they can contribute to the company's diversity.

UK councils bat away DDoS barrage from pro-Russia keyboard warriors

John_Ericsson

Hopefully those dealing with the DDoS received support from a hotline that had no options related to the issue, and did not have an option to speak to someone.

On second thoughts, for IT staff that care, dealing with attacks is a fairly bad experience; I hope that they do get appropriate support.

Wanted. Top infosec pros willing to defend Britain on shabby salaries

John_Ericsson

They have ridiculous job titles to sound impressive when they leave. I must admit an application from a "Lead Cyber Security Expert" at GCHQ would go on top of the interview pile.

My young colleagues tell me that "job cat fishing" (or is it phishing) is also a thing, where employers big up the role that does not reflect what you will be doing.

Penn State pays DoJ $1.25M to settle cybersecurity compliance case

John_Ericsson

"Penn State abandoned its contract with **government-compliant** cloud host Box in favor of OneDrive, which doesn't meet NIST's CUI security requirements, to save money"

I've been there countless times with UK universities that get IT to do their Information Governance. IT make a decision without consultation and, when it all kicks off when they tell users to move data to the new repository, they offer the advice "go back to the stakeholder, explain that there is no difference in security". I can guarantee IT would have said "will it be okay if you encrypt the data on OneDrive?".

UK ponders USB-C as common charging standard

John_Ericsson

Re: Mandating a charging standard is idiotic

"wireless charging replaces it which could be decades away". I smiled.

NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great

John_Ericsson

Re: It has been pining for the fjords for a while

The dismissal of the CUPS vulnerability by the open source advocates and developers is FAR more worrying than the non-authenticated RCE vulnerability itself.

Another OpenAI founder moves to arch-rival Anthropic

John_Ericsson

Re: "the Microsoft-backed AI house"

"Sat 2 Jun 2001".

How to spot a North Korean agent before they get comfy inside payroll

John_Ericsson

Keep an eye out on pen testing companies even those based in the UK.

I have audited companies that have employed a third party pen testing company to do their pen test (fair enough), and while the pen testing company is genuine and non-malicious, they are often unable to provide meaningful assurance on the contractors they employ.

Admins using Windows Server Update Services up in arms as Microsoft deprecates feature

John_Ericsson

So more reason to remove the air-gapped networks and have all the sensitive information "on the internet". WSUS requires just two ports to be open; what's the betting that the cloud "alternative" requires a whole host of URLs with ever changing IPs and multitudes of ports for our on-prem servers to access them.

I will miss typing "wuauclt /reportnow and /detectnow" (although one of them didn't work, but I can never remember which so I used both).

NHS drops another billion on tech in the hope of finally going digital

John_Ericsson

Re: Place your bets...

And when it goes dreadfully wrong the NHS will defend the contractors, consultants etc.

Microsoft on a roll for terrible rebranding with Windows App

John_Ericsson

Further evidence as to what the answer is to "Do they ever stop to think?"

Open source maintainers underpaid, swamped by security, going gray

John_Ericsson

Re: If that's where we have to go . .

This will become more of an issue as companies get to grips with supply chain security. While you are rightly defending FOSS, another group of people is congratulating you for making an excellent point on the lack of assurance with Open Source and hence why it should not be used in a prod environment.

250 million-plus unused IPv4 addresses should be left alone, argues network boffin

John_Ericsson

Let's jump to v8, with it being like IPv4 just bigger.

Transport for London confirms 5,000 users' bank data exposed, pulls large chunks of IT infra offline

John_Ericsson

Re: Motorists will pay

The ICO have acknowledged the issues with fining the public sector (and the same issues apply to not for profit orgs undertaking public services), and will use their "discretion" to reduce fines. I have spent the last 5 mins thinking of alternatives and cannot think of any.

EV sales hit speed bump as drivers unplug from the electric dream

John_Ericsson

What really grates is the smug anti-EV YouTubers were right.

My plan was to get an EV when I could charge from home. While that happened this year, I had already witnessed friends describing it as their biggest financial mistake (apart from getting married). One friend waited six months for a "part" before being told they could not source the part and they would buy the car back off her for ... 20% of the purchase price (after two years). This is NOT "eco"!

There is too much kidology going on and we all need to admit we were duped (like with 3D TVs).

The Windows Control Panel joins the ranks of the undead

John_Ericsson

The Windows Control Panel is one of the few things the Linux users can't get enough of. Why did MS even consider getting rid of it?

US sues Georgia Tech over alleged cybersecurity failings as a Pentagon contractor

John_Ericsson

Re: anti-malware?

Hmmm, to me the actions of the organisations demonstrate why tick boxes are necessary.

As for putting antimalware on each server, there is often scope to "risk assess" it, but in my experience I would want to see some controls on each and every device.

I was auditing a UK university that did not put anti-malware on its compute as "data was always uploaded to a fileserver which is scanned". Good reasoning, but they also allowed users to download Python packages direct from external repositories. We were called in when their annual pentest revealed they were riddled with malware from PyPI.

SolarWinds left critical hardcoded credentials in its Web Help Desk product

John_Ericsson

Re: Security software blunders and the State Security Apparatus

"Never attribute to malice that which is adequately explained by stupidity."

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

John_Ericsson

Not so many years ago, at a university in the UK, we did our first phishing exercise. I can't remember the text but it would have been along the lines of "funding issue with your fees". The following day HR raised complaints at the highest level and were demanding discipline be considered. Time and time again they were telling us that "lying to students is totally unacceptable" and how the damage done will take many, many years to repair. No further exercises were ever run.

Deadbeat dad faked his own death by hacking government databases

John_Ericsson

Re: Is it hacking?

For it to be hacking the perpetrator must use a green screen with the brightness so intense that the text reflects off your face. (I think)

School gets an F for using facial recognition on kids in canteen

John_Ericsson

The briefest of research (Google) would have shown the school failed on the most basic data protection requirements.

Additionally I would argue that consent in these circumstances cannot be freely given.

Angry admins share the CrowdStrike outage experience

John_Ericsson

We have evidence that some organisations cannot get to their BitLocker keys because they are on a server that is BitLockered (including backup servers). I would be kind to anyone responsible for this and give them the opportunity to resign.

Life, interrupted: How CrowdStrike's patch failure is messing up the world

John_Ericsson

So where do we go from here?

What is going to be the flavor of the day for next year's auditors when they prod our resilience policies? What are they going to be looking for?

RIP: WordPerfect co-founder Bruce Bastian dies at 76

John_Ericsson

I had a (very) successful career in IT all thanks to WordPerfect. As an office junior for a company of 10,000 users I wrote some automation processes (macros?) on WP and shared them amongst other staff. Six months later various people came into the office looking for me, and asking "show me what you did". They went away with a "hmmmmm". A week later the CEO said "we are creating a PC dept and we need someone who knows about computers". (And yes, they did ask me to create their web page; it had music and a flashing banner, it was a site to behold.)

DPD chatbot blasts courier company, swears, and dabbles in awful poetry

John_Ericsson

Surely it is only right and proper to give the chatbot a right to reply on this article. Has it been approached?

Manchester's finest drowning in paperwork as Freedom of Information requests pile up

John_Ericsson

Why is the SIRO replying?

UK will be HQ for high-flying next-gen fighter jet treaty with Italy, Japan

John_Ericsson

"Sir, what were trains like when you were a child?"

"What? Steam trains? Well let me take up half the lesson with my reminiscences and opinions"

NASA engineers scratch heads as Voyager 1 starts spouting cosmic gibberish

John_Ericsson

"Patch Tuesday" broke our Outlook. Probably the same thing.

Rhysida ransomware gang: We attacked the British Library

John_Ericsson

If it does not need to be on the internet it should not be on the internet.

Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks

John_Ericsson

"Danish critical infrastructure ... Some were forced to enter island mode operation, where they had to disconnect from the internet"

Dare I suggest critical infrastructure should remain isolated?

Cybersecurity snafu sends British Library back to the Dark Ages

John_Ericsson

I hope the spokesperson said it in a whisper.

Microsoft: China stole secret key that unlocked US govt email from crash debug dump

John_Ericsson

While I don't deny such circumstances could occur, there is something that does not ring true. Pass me the Sodium Chloride.

We all scream for ice cream – so why are McDonald's machines always broken?

John_Ericsson

Re: No sh!t Sherlock

In the 1980s I fixed ice machines in pubs. I soon found out why pub staff never had ice in their drinks. We are only talking water/ice production, but when I removed the cover I would see dollops of organic slime all along the chiller. McDonald's needs assurance their equipment is safe/clean. They cannot get this if local staff are ringing up repair men (no matter how well qualified) to "have a look" at the dodgy machine. Also, who can be blamed if a safety part is removed/bypassed and several companies have looked at it?

UK air traffic woes caused by 'invalid flight plan data'

John_Ericsson

Can we have a sweepstake on how many years and how much over budget the replacement system will be? How about we all meet up here every 5 years until we know the answer.

Sextortion suspects on trial after teen victim dies from a self-inflicted gunshot wound

John_Ericsson

Can we start using the term "child abuse images" rather than "porn".

Brit healthcare body rapped for WhatsApp chat sharing patient data

John_Ericsson

As ever the IT guys in the comments demonstrate they don't know what Information Governance is, but speak as if they do.