* Posts by Joe Montana

818 publicly visible posts • joined 12 Mar 2007

TalkTalk CEO admits security fail, says hacker emailed ransom demand

Joe Montana

Lack of PCI compliance?

The SSL checker indicates they are not PCI compliant purely because of their cert being SHA-1 signed, but many cert authorities still provide such certs for the time being, and there are plenty of old certs out there too.

As for other aspects of the standard, just requiring strong encryption isn't enough, you have to actually be using it properly. Encryption is pointless if the key is held on the same host, and the data can't be used if it can't be decrypted.

Many implementations comply with the standard by encrypting the data, but then provide a way to access it, therefore bypassing the encryption... Many of the people who assess PCI compliance are just box tickers and have no understanding of the actual technology, so if you store your data on an encrypted volume that's automounted at boot that will often be sufficient to pass but in reality has not improved your security at all because anyone who compromises the host will be able to access the data anyway.

Self-driving vehicles might be autonomous but insurance pay-outs probably won't be

Joe Montana

Enjoy driving

Perhaps we don't "enjoy" driving in traffic, but many of us prefer it to other forms of transport...

Many people suffer from motion sickness, and generally (at least in my case) you don't feel sick when you're in control of the motion.

Even if I was rich enough to afford a chauffeur to drive me everywhere, I would still choose to drive for this reason... Although I would probably pay a chauffeur to act more like a valet and take care of the car when I'm not driving it.

Microsoft now awfully pushy with Windows 10 on Win 7, 8 PCs – Reg readers hit back

Joe Montana

Critical server?

Just what exactly was someone doing using Windows 8.1 Home as a critical business server in the first place?

Happy birthday, Amiga: The 'other' home computer turns 30

Joe Montana

Hardware reference manual...

It was the encouragement in the manual to actually learn about the system and experiment with it that started a lot of people's careers off... One of the key things was the instructions showing you how to make copies of your workbench disks, and then telling you to experiment with the copies and if you break it really badly just make a fresh copy.

This is how you need to introduce youngsters to computers; it encourages people to learn and experiment. Nowadays the opposite is true, you have systems which actively discourage learning and experimenting (e.g. hiding system files and giving scary warnings about breaking things)... Introducing the young to systems like this makes them scared of trying anything... We now have a whole generation who stay within the confines of the limited interfaces provided to them, panic when anything goes wrong and have absolutely no understanding about how everything works.

GOOGLE GMAIL ATE MY LINUX: Gobbled email enrages Torvalds

Joe Montana

Unusual content

The kind of mails Linus receives will be relatively unusual compared to the average gmail user, and the filtering is probably based on learning what kind of mails people usually receive and don't mark as spam.

RC4 crypto: Get RID of it already, say boffins

Joe Montana

Slow updates

It's widely used because lots of companies are stuck with obsolete software that doesn't support anything else, or are forced to comply with some kind of standard or certification that hasn't been updated... There's various software out there that has a "FIPS mode" and I've seen a few cases where this basically meant turning off TLS 1.1 or higher.

Account at HSBC? BAD LUCK, no iPhone bonk-banking for you

Joe Montana

Sounds like you want a BT Phonecard!

Someone at Subway is a serious security nerd

Joe Montana

Theatre

The certificate pinning makes a lot of sense, as you really can't trust CAs these days... The anti reverse engineering stuff is just stupid, as the article points out it just slows someone down slightly but doesn't actually prevent them from doing anything.

Knowing how something works doesn't make it insecure unless the design is fundamentally flawed. Everyone has access to the source code for Linux, and yet many highly secure devices are Linux based. And if your application is so flawed that someone who understands how it works can do nasty things then I don't want to be using it at all.

I would much rather fully understand what I'm using, or at the very least know that I have access to do so should I desire, and that others whose abilities I respect have already looked. I don't want to be using a black box full of security holes just waiting for the first blackhat to find and privately exploit them.

Apple snuggles closer to IPv6

Joe Montana

Re: Workaround for routers?

Most people have routers supplied and configured by their ISPs, if the ISP supplies a router configured for v6 then users will use it without even realising (very common in the US).

The problem is that very few ISPs in the UK support v6 at all, and the few that do are small ones which attract tech savvy customers anyway.

Amongst businesses it's even worse, virtually everyone simply ignores v6, and those very few that might consider implementing v6 find that they're stuck with ISPs who don't support it anyway.

It's different in the US primarily because the government requires that all government sites are dual stack and that any company supplying the government support and use v6. Without being forced, business users will never bother using it at all.

Brit teen who unleashed 'biggest ever distributed denial-of-service blast' walks free from court

Joe Montana

They're not specific about exactly what "indecent images of children" were, they might have been of very young kids or they might have been of people barely younger than the defendant himself. Keep in mind he was 16 at the time the images were found, and 13 at the time he started committing the crimes he is accused of...

"indecent images of children" could mean images of 15 year olds, who could be less than a year younger than him. It's during their teens that most people first develop an interest in sex, and it's perfectly normal for people to be sexually interested in others within a year or two of their own age. It's also possible he may have collected images of 13 year olds when he himself was 13 etc...

Given the lenient sentencing, it's likely the images were fairly close in age to the defendant and although technically illegal, a 16-year-old looking at images of a 15-year-old is very different from a 40-year-old looking at those same images.

Vodafone hikes prices to 37.5p/min – and lets angry customers flee

Joe Montana

Re: It must be a money winner because

It's possible to play a recorded message (i.e. one-way sound) without answering, this is how the ringing and other error tones are transmitted but it can be used for anything. If they cared about customers it would be done this way...

United Airlines accounts open to mass lock-outs

Joe Montana

Account lockouts

This is an EXTREMELY common problem, because most security manuals say you should lock accounts after several unsuccessful attempts and many commonly available products provide no other options for blocking or alerting on brute force attempts.

This fails for two reasons, not only the deliberate denial of service that can be performed by intentionally entering wrong passwords but also because it completely fails to take into account the methodologies employed by real hackers. In most cases, a specific account is not the target - hackers just want *any* accounts and in some instances, as many accounts as possible... So rather than try thousands of passwords against a single account, they try a small subset of common passwords against many accounts - an attack which would not trigger an account lockout response.

Sysadmins rebel over GUI-free install for Windows Server 2016

Joe Montana

Re: Growing up is tough

"If an SMB doesn't have the talent internally then if they've got any sense they'll outsource."

This has been one of the biggest problems for years... MS have promoted Windows as point and click, simple for someone with no experience to operate... And that's exactly what happened.

Only the marketing is misleading: while someone without experience can get a Windows box limping along, it will be horribly insecure and unstable, and this is exactly what's happened and is one of the biggest reasons why most companies encounter so many problems.

Joe Montana

The point...

Yes, GUIs don't belong on servers... But MS have been saying the exact opposite of this for years and have managed to convince far too many people that having a GUI on a server should even be mandatory.

EXT4 filesystem can EAT ALL YOUR DATA

Joe Montana

RAID0?

Surely anyone who's using RAID0 doesn't really care about the integrity of their data in the first place?

New Windows 10 Build 10122 aims to fix file association hijacking

Joe Montana

Re: Now if they could just turn display of file extensions back on…

It looks at the file header to determine what it is... Executables for all modern operating systems have standard headers that include information like what architecture the binary is for, what shared libraries it requires etc. Most data file types also include similar headers, and on unix you have a command called "file" which will query this information and determine what a file is based on its contents, entirely independent of its name.

On Windows icons can be embedded into executables, but this is not the case on Linux. Unless an executable has been explicitly assigned an icon (which won't be the case for something you just downloaded) it will have a generic executable icon. Real documents will also have the standard icon assigned to documents of that type, so you won't be able to download an executable that has a PDF icon and open it by accident.

Another feature on unix is file permissions, where freshly downloaded files won't have the executable permission by default. Windows has file permissions too, but seems to default to giving the execute permission to everything. You can also mount drives with the noexec flag so that execute permissions will be totally ignored (useful for removable media).
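The comment above describes identifying a file by its header rather than its name, as the Unix "file" command does. The following is an added example (not from the original comment or from the "file" utility) that reads a few well-known magic numbers, parses the ELF header fields that "file" reports (class, endianness, type, machine), and flags downloads whose extension claims one type while the content is another. The sample byte strings are constructed inline.

```python
import os
import struct

# Well-known magic numbers for a few common formats. A file's real type comes
# from these leading bytes, not from whatever name it was given.
MAGIC = [
    (b"MZ", "pe-executable"),        # Windows PE (DOS stub header)
    (b"\x7fELF", "elf-executable"),  # Unix/Linux ELF
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]

# What a given extension implies the content should be (assumed mapping).
EXTENSION_CLAIMS = {".exe": "pe-executable", ".pdf": "pdf", ".png": "png", ".zip": "zip"}

# Subset of ELF e_machine values (from the ELF specification).
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def sniff_type(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def elf_details(data):
    """Decode the ELF identification bytes and e_type/e_machine, like `file` does."""
    if not data.startswith(b"\x7fELF") or len(data) < 20:
        raise ValueError("not an ELF header")
    ei_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "invalid")
    ei_data = {1: "little", 2: "big"}.get(data[5], "invalid")
    fmt = "<HH" if data[5] == 1 else ">HH"  # e_type and e_machine at offset 16
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "class": ei_class,
        "endian": ei_data,
        "type": ELF_TYPES.get(e_type, str(e_type)),
        "machine": ELF_MACHINES.get(e_machine, str(e_machine)),
    }


def check_name_vs_content(filename, data):
    """Compare the type the extension claims with the type the bytes show.

    Returns (claimed, actual, consistent). Executable content under a document
    extension is exactly the case a content-based check catches.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_CLAIMS.get(ext, "unknown")
    actual = sniff_type(data)
    return claimed, actual, claimed == actual


# Constructed samples: a minimal 64-byte ELF64 little-endian x86-64 EXEC header,
# and a PE stub that someone has named as if it were a PDF.
SAMPLE_ELF = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
              + struct.pack("<HH", 2, 62) + b"\x00" * 44)
SAMPLE_MISNAMED = ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)
```

`sniff_type` and `elf_details` are name-agnostic, which is the property the comment is describing; `check_name_vs_content` is the defensive use of it at download or upload time.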

GDS monopoly leaves UK.gov at risk of IT cock-ups, warns report

Joe Montana

Bespoke code?

The government's requirements are generally unique, there is only one government per country as opposed to thousands of companies...

Besides that, "building inhouse" is not a bad thing as it ensures the platform is wholly owned and controlled by the government, and not beholden to a third party.

As for the extent to which they build things themselves, it's not like they're building everything from scratch - they will take a collection of existing technologies, integrate them together and apply whatever unique customisations are required for the task at hand.

If they had gone to one of the traditional outsourcing companies they would still have ended up with a bespoke system, but one which they don't own or control and are beholden to the supplier for, plus it would probably build from much more expensive base components and still have very significant customisations on top.

Virgin Media goes TITSUP, RUINS Tuesday evening

Joe Montana

Outage

My cable was down for a couple of hours in the evening; because I work from home and internet access is very important for that I also have an ADSL line which remained up, so I simply switched to that...

I did however check the virgin status page, which claimed there was no problem with broadband in my area, so the problem here is one of miscommunication. Most people upon seeing there is no problem with the service will assume their own equipment is at fault and waste time trying to troubleshoot it.

What they should have done is updated the status page, and changed the recorded message to indicate there is a problem.

Outages happen, we're not paying for five nines of uptime so most users will understand and wait for it to come back up, and not waste the time of the helpdesk staff who can't actually do anything about it anyway.

Europe could be drowned in 'worthless pop culture' thanks to EU copyright plans

Joe Montana

Languages

If the content is of no interest to someone outside of the local country then it doesn't matter if it's available in those other countries, since no one will buy it anyway.

Polish content is a niche item outside of Poland for instance, but what this will do is make it easier for those people who do want niche content to get it; for instance there are many Poles in the UK who would want to access Polish content.

The idea of artificially limiting distribution is ridiculous, and is just pure greed/arrogance on the part of the distributors. Modern technology makes it trivially easy to distribute content worldwide and I'm glad the EU is making a stand against artificial distribution restrictions.

'Tech' City hasn't got proper broadband and it's like BT doesn't CARE

Joe Montana

Business lines

Basically if you can afford the rent to set up your business in such an area, you should probably be paying for a business class internet service too, and that means dedicated fibre leased lines, not home user oriented FTTC.

There will be very few residential properties in such areas, hence why it's not viable to connect up home user services.

If you want to cheap out on internet access, get a cheaper office too... In fact, if your business is tech oriented you will probably be better off getting a very cheap office and spending the savings on good connectivity.

Ugly Microsoft code NUKED Bing and Yahoo! – report

Joe Montana

Re: Dodgy Microsoft Code

524 days uptime is nothing, 4 figures is not uncommon for non-Windows boxes (Unix, VMS, NetWare, routers etc) and it's quite telling that you used a Linux box to protect the Windows box from attack... your Linux box probably had the same or higher uptime than the Windows box behind it.

Ofcom mulls selling UK govt's IPv4 cache amid IPv6 rollout flak

Joe Montana

Re: Does anyone actually use IPv6

We use IPv6 at work, and VPN is one of the biggest reasons...

Quite often our internal IPv4 space overlaps with that of customers, people's home networks or things like public wifi, which can cause quite severe problems when you're running VPN links.

Joe Montana

Re: IPv6

Physical line yes, telephone service over that physical line no... Split that out too and let us choose not to have it. "line rental" currently covers not only the physical line.

Joe Montana

Re: IPv6

The ADSL service isn't free, and neither is the POTS service. Separate out the costs of physical line, POTS and ADSL and let users choose which of them they want. I have POTS service with ADSL but I never use it, never have anything connected to it and don't even know what the number is.

Joe Montana

Re: IPv6

Pretty easy actually, IPv6 will allocate a /64 block (or larger) to each customer, so any address within that range is assumed to be that customer...

Tracking home user NAT with v4 works the same way, one IP - many physical users behind it but all assumed to be the same customer.

Higher level NAT on the other hand is harder, you could have hundreds if not thousands of users behind the same IP, which becomes extremely problematic. The ISP now needs to log every single connection in order to track a user back, and third parties have to log both the source and destination ports in an attempt to correlate with the ISP's logs, and all of this requires that the ISP actually does logging and actually co-operates with you. If you're just running a small time service and you want to block abusive users, you're pretty screwed and you have no choice but to block the entire ISP.
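The comments above make the point that an IPv6 customer is identified by a /64 (or larger) prefix, while an IPv4 customer behind home NAT is identified by a single address. The following added example (not from the original comments) shows how a small service can apply that: abusive-source counting and blocking are keyed on the customer-sized prefix rather than the individual address, so rotating through addresses inside one /64 gains nothing. The log events, threshold and prefix lengths are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Prefix lengths that approximate "one customer". The /64 for v6 follows the
# comment above; /32 for v4 treats one public address as one NAT customer.
V6_CUSTOMER_PREFIX = 64
V4_CUSTOMER_PREFIX = 32


def customer_key(addr_str):
    """Map an address to the network that stands for the customer behind it."""
    addr = ipaddress.ip_address(addr_str)
    prefix = V6_CUSTOMER_PREFIX if addr.version == 6 else V4_CUSTOMER_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def abusive_prefixes(failed_sources, threshold):
    """Return customer prefixes whose combined failures reach the threshold.

    failed_sources is a sequence of source addresses, one per failed request.
    """
    counts = Counter(customer_key(src) for src in failed_sources)
    return {net: n for net, n in counts.items() if n >= threshold}


def is_blocked(addr_str, blocked_prefixes):
    """True if the address falls inside any blocked customer prefix."""
    addr = ipaddress.ip_address(addr_str)
    return any(addr in ipaddress.ip_network(net) for net in blocked_prefixes)


# Constructed failed-request sources (documentation ranges, not real hosts).
# Six attempts spread over three addresses in one /64, one attempt from a
# neighbouring /64, and six attempts from a single IPv4 address.
SAMPLE_FAILURES = [
    "2001:db8:1:2::a", "2001:db8:1:2::a",
    "2001:db8:1:2::b", "2001:db8:1:2::b",
    "2001:db8:1:2::c", "2001:db8:1:2::c",
    "2001:db8:1:3::1",
] + ["192.0.2.10"] * 6


def demo(threshold=5):
    """Compute the blocklist for the sample and check a few addresses against it."""
    blocked = abusive_prefixes(SAMPLE_FAILURES, threshold)
    return {
        "blocked": blocked,
        "v6_rotated": is_blocked("2001:db8:1:2::ffff", blocked),
        "v6_neighbour": is_blocked("2001:db8:1:3::1", blocked),
        "v4_nat": is_blocked("192.0.2.10", blocked),
    }


if __name__ == "__main__":
    print(demo())
```

Counting per address instead would leave each of the three v6 addresses at two failures, under the threshold, which is exactly why keying on the /64 matters. The same grouping works in reverse for the "many users behind one NAT" problem the comment raises: a /32 block will hit everyone behind that address, which is the trade-off the comment describes.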

Joe Montana

Re: Oh FFS!

Just require the ISPs to provide a dual stack by default service (which is already the case in most of the US), and for any ISP supplied hardware to have it supported and enabled by default.

Whether users choose to make use of the IPv6 portion is up to them; if they are typical home users connecting their recent versions of Windows/OSX/Linux/whatever to the ISP supplied router then v6 will just work by default.

Support for other devices is down to the vendors of those devices, assuming those devices even need to communicate with the outside world (no reason you can't still use IPv4 on a LAN long after the rest of the internet has moved on).

Sony hackers dump more hunks of stolen data, promise another 'Christmas gift'

Joe Montana

Re: Someone is going to prison for a VERY long time

Depends what you mean by gross neglect...

Many places do follow best practices, and yet are still highly vulnerable. Quite often the technology they are using is fundamentally flawed, and securing it is either not possible or horribly impractical.

Most companies have horrendously insecure internal networks, which are hidden from the outside world behind firewalls... But once you get a foothold inside, and there are many ways to do that (e.g. lure them to a website to exploit their browser; the firewall may block inbound connections but it will usually allow some form of outbound) the whole network is wide open for attack.

So this Saudi Prince calls and asks why he can't watch movies ...

Joe Montana

People frequently seem to lose their common sense when it comes to computers, and lose the ability to solve problems that they would solve easily if there was not a computer involved...

This is generally down to fear of technology, a fear that is perpetrated by systems that are excessively complex and more importantly, filled with warnings which scare users...

People who started out on systems which encouraged experimentation and were hard to break like the C64 or Spectrum are generally not afraid of technology and can use common sense to troubleshoot; those who start with Windows, which is filled with "don't look here, these are system files and you can break everything" warnings, generally become paranoid of breaking something.

So what we need is systems for end users which aren't horribly fragile and full of scary warnings.

Patch Windows boxes NOW – unless you want to be owned by a web page or network packet

Joe Montana

No way to force?

"In all cases, however, an attacker would have no way to force users to visit such websites."

What about compromised sites?

What about sites with flaws like cross site scripting that allow insertion of code or redirects to other sites etc?

There's plenty of ways an attacker can get their exploit code to your browser...

Microsoft has Windows Server running on ARM: report

Joe Montana

Apps?

A Windows version for ARM will be just like Windows for Alpha, PPC, MIPS and IA64... Absolutely useless because there will be little or no native software for it.

Most applications for Windows are closed source and will be compiled for x86, so you won't get them running on ARM.

You would probably be able to get open source server software running on Windows/ARM without too much difficulty, but virtually all such software also runs on Linux and has already been built for Linux/ARM.

Linux/ARM is also tried and tested, whereas Windows/ARM is new, and you also have no guarantee it won't suffer the same fate as the other non-x86 versions of Windows and get abandoned in short order.

Redmond top man Satya Nadella: 'Microsoft LOVES Linux'

Joe Montana

Re: Microsoft embracing Linux?

But what are the percentages for Amazon and Google? I would imagine most people intending to deploy Linux based servers would specifically avoid Azure, so it should have a much lower percentage than other providers.

Lumia rebrand begins: Nokia's new UK web home is Microsoft.com

Joe Montana

Re: Is it so confusing?

The Windows brand and the false idea of a "unified platform" was poisonous for the old Windows Mobile (and Windows CE)... I knew many people who bought them under the false belief they would be able to run the same programs as their Windows desktop as that's what much of the advertising implied. Needless to say they were severely disappointed.

Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes

Joe Montana

Cloud first

Well if everything is in the cloud, it doesn't matter what your client device is... Thus a cheaper client device running Linux is a no brainer.

32,000 motherboards spit passwords in CLEARTEXT!

Joe Montana

Re: Eh?

Aside from that, many hosting providers charge per port so having lights out on a separate NIC would increase hosting costs.

Most IPMI controllers let you tag the traffic to put it on another VLAN, but again that depends on the hosting provider to configure their switches accordingly, and in that case the host itself can still access the VLAN in question, so if you compromise one box you can start attacking all the other IPMI devices (which are likely to be even more badly configured on the assumption they can't be directly reached from the internet).

Also if you have a box hosted far away from your physical location, having lights out is absolutely essential in case anything goes wrong... Most hosting providers offer a remote hands service but they are expensive and often not very capable.

Linux distros fix kernel terminal root-hole bug

Joe Montana

Re: Don't forget the design

The problem is that a complex permissions system means that many people don't know how to use it, and most of those that do can't be bothered to do so.

For most use cases the standard unix permissions are not only more than adequate, they are also easy to understand and easy to manage. There's a reason that very few people enable the more advanced ACLs.

Joe Montana

Re: Don't forget the design

Even if you remove the "GUI", you're just removing the frontend management programs; the actual graphics stack is all still there and used to display a command prompt in a movable resizable window. You're not truly running without a GUI, you're just running with a crippled one. It would be like running X11 on Linux with a basic window manager and then only using it to run xterm.

How Brit computer maker beat IBM's S/360 - and Soviet spies

Joe Montana

Re: Sorry: Not impressed with aircraft industry rants

One word...

Concorde.

Hardwired crypto certificate FAIL bricks Juniper router kit

Joe Montana

Licence enforcement code

Another example of where licence enforcement code causes a denial of service to paying customers... All of this licence enforcement crap is basically companies distrusting and screwing their own customers, these functions provide no benefit whatsoever to the actual customers and they don't harm the pirates who will simply apply a crack to remove them.

The fact that companies will go to significant extra effort to implement functions purely for their own benefit and to the detriment of their paying customers is ridiculous. If only they spent that time fixing bugs instead.

British trolls to face 'tougher penalties' over online abuse

Joe Montana

Toughen up?

It's the so called "victims" that need to toughen up...

Whatever happened to "sticks and stones may break my bones but words can never hurt me"? We were always taught to ignore verbal/written taunting in school as it was harmless, and the same with anything said online - someone insults you, insult them back or ignore them. It's not worth expending any effort; if the most someone can do is write something offensive about you from behind a computer screen then they really are utterly harmless.

The plot to kill Google cloud: We'll rename Windows Azure to MICROSOFT Azure

Joe Montana

Makes sense..

For most people, the "Windows" branding is toxic; it brings up associations with an unfashionable, boring and unreliable product that is only really tolerated because most people are unaware that anything else exists in its core market.

Straight to 8: London's Met Police hatches Win XP escape plan

Joe Montana

Re: How about ....

This is mostly what's happening, gradually...

Most new applications are browser (or at least Java) based these days, and will usually run on Linux even if they don't officially support doing so.

Once you have cross platform apps, the client lock-in is gone and you can choose the client devices which provide the best value on a level playing field - there is very little if any reason to choose Windows in this situation.

Mastercard, Syniverse target holiday payment security with mobile verification system

Joe Montana

?

Phones are reported stolen more quickly because they are used more frequently... You only look at your card when you come to use it, which could be several days apart depending on how busy you are.

And of course with a system like this, the thieves can just steal your phone and wallet at the same time (which many probably do already if they can).

Top UK e-commerce sites fail to protect 'password' password-havers from selves

Joe Montana

Lockouts?

Account lockouts are a bad thing, if you implement them then you open yourself up to malicious parties who will intentionally try to get all your users locked out - causing an absolute nightmare for support.

And account lockouts will be ineffective at stopping account compromises... As pointed out, lots of users have very common passwords like "password", so rather than try thousands of passwords against 1 account a hacker is going to try "password" against thousands of accounts and in doing so won't trigger any account lockouts because he only makes 1 attempt per account.
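Both this comment and the earlier one on the United Airlines lockouts describe the same gap: a per-account lockout counter never fires when a source makes one attempt against each of thousands of accounts. The following is an added example (not from either comment) of detection logic that closes that gap from the defender's side, run over a few constructed authentication log lines. It computes the classic per-account lockout alongside a per-source check for failures spread across many distinct accounts in a time window; the log format, window and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source fails once each against five accounts in
# ten seconds; a second source fails twice against one account then succeeds.
SAMPLE_LOG = """\
2015-06-01T10:00:01 FAIL user=alice src=203.0.113.7
2015-06-01T10:00:03 FAIL user=bob src=203.0.113.7
2015-06-01T10:00:05 FAIL user=carol src=203.0.113.7
2015-06-01T10:00:07 OK user=dave src=203.0.113.7
2015-06-01T10:00:09 FAIL user=erin src=203.0.113.7
2015-06-01T10:00:11 FAIL user=frank src=203.0.113.7
2015-06-01T10:05:00 FAIL user=alice src=198.51.100.9
2015-06-01T10:05:02 FAIL user=alice src=198.51.100.9
2015-06-01T10:05:04 OK user=alice src=198.51.100.9
"""


def parse_auth_log(text):
    """Parse '<iso-timestamp> <FAIL|OK> user=<u> src=<ip>' lines into tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        records.append((ts, parts[1] == "OK", fields["user"], fields["src"]))
    return records


def per_account_lockouts(records, threshold=5):
    """Classic lockout rule: accounts reaching `threshold` consecutive failures."""
    failures = defaultdict(int)
    locked = set()
    for _, ok, user, _ in sorted(records):
        if ok:
            failures[user] = 0
        else:
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
    return locked


def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failures touch >= min_accounts distinct users within `window`.

    Returns {source: set_of_users} for each flagged source. This is the check
    a per-account counter cannot make, because it is keyed on the source.
    """
    by_src = defaultdict(list)
    for ts, ok, user, src in records:
        if not ok:
            by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over failures by time
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_LOG)
    print("locked accounts:", per_account_lockouts(recs))
    print("spraying sources:", detect_spray(recs))
```

On the sample, the per-account rule locks nothing, while the per-source rule flags 203.0.113.7 after its fifth distinct account. The response to a flagged source can then be rate limiting or alerting on the source rather than locking the targeted accounts, which avoids the self-inflicted denial of service the comment warns about.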

BT's IPv6 EXPIRED security certificate left to rot on its website

Joe Montana

V6 pioneers..

BT were one of the pioneers of IPv6, they even used to run a free IPv6 tunnel service a few years ago... I wonder what's happened since those days.

Triple-headed NHS privacy scare after hospital data reach marketers, Google

Joe Montana

Access to data

"no Google staff would be able to access the data"

WTF? Of course they would! How naive are people?

Just because no member of Google staff would have an account on the frontend application that's typically used to access the data doesn't mean they don't have administrative access to the underlying server on which the data is stored, or even physical access to the servers/drives it's stored on.

It is obvious that any number of Google staff could gain access to the data if they wanted to, and to claim otherwise is ridiculous.

Chicago man lobs class-action sueball at MtGox

Joe Montana

Re: Eh?

Any gains he made might have occurred in the most recent tax year for which he hasn't filed yet... And even if he does, he would also be able to offset the losses against anything he made, so he might even be down overall and thus not liable to pay any tax.

Ford to dump Microsoft's 'aggravating' in-car tech for ... BlackBerry?

Joe Montana

Re: How???

Because MS always seem to get a free pass...

Any other vendor with such onerous licensing terms, poor security and dangerous level of lock-in would be excluded from any remotely sensible tendering process.

Various security standards have over the years been relaxed to accommodate MS, and in some cases actually require non-MS systems to comply with a much higher standard.

Object to #YearOfCode? You're a misogynist and a snob, says the BBC

Joe Montana

Re: Interest

Kids will learn better when they are motivated, and are learning about something they are genuinely interested in...

That said, learning the basics of coding is really just an extension of maths and language.. And while the majority of people will never use these skills once they leave school, the same is true of many other subjects.

On the other hand IT related teaching is badly in need of reform... Teaching kids how to use specific versions of mundane applications is extremely counterproductive. By the time they leave school the software they have learnt will no longer be in use, having been replaced by newer versions or even by something else entirely (when I was in school we were taught WordPerfect for DOS).

What's needed is to teach general concepts in a multitude of different applications, so that people can easily adapt to different applications.

Friends don't do tech support for friends running Windows XP

Joe Montana

Re: ...they can be persuaded to switch to a Mac

Simple tasks like writing an occasional letter are all 99% of people ever do; why would they waste 300 for MS Office when LibreOffice does the job for free?

Getting documents all too easy for Snowden

Joe Montana

Vulnerable behind the firewall

Most organisations are like this, they use the firewall as their one and only line of defence against external attack, and do absolutely nothing about internal threats. Once you're behind the firewall at 99% of organisations you can rip through the network trivially.