* Posts by John Riddoch

367 posts • joined 12 Jan 2009

Page:

Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed

John Riddoch
FAIL

Re: Highly sophisticated

Yeah, that's my normal thinking. "Sophisticated" is code word for "they were smarter than we were". Doesn't say at an absolute level how smart either side was... It's spin from the corporate types to avoid making themselves look incompetent.

Dumpster diving to revive a crashing NetWare server? It was acceptable in the '90s

John Riddoch

Re: hot-wiring with office supplies

Then there was the Sun E150 (which was basically an Ultra-1 desktop in a tower case with 12 disks). If you powered it off, you either had to have a Sun keyboard to power it on, or open up the case to hit the power switch which was internal only. Not one of Sun's finest designs...

French pensioner ejected from fighter jet after accidentally grabbing bang seat* handle

John Riddoch

Given that ejection is not a zero-risk manouver at the best of times, very glad to hear everyone survived (and the plane landed safely). If he though the 4G+ ascent was bad enough, the shock of the ejection would have been worse....

Watch out, everyone, here come the Coronavirus Cops, enjoying their little slice of power way too much

John Riddoch
FAIL

"There’s a reason why the UK doesn’t have a mandatory national ID card" - frankly, I've always argued the main reason not to do it is simple. It'll require a government IT project. That alone should doom it to failure from the start as pretty much every government IT project goes over budget, over time and under-delivers.

Like a Virgin, hacked for the very first time... UK broadband ISP spills 900,000 punters' records into wrong hands from insecure database

John Riddoch

Re: "there is a risk you might be targeted for ... nuisance marketing communications"

I get marketing emails from Virgin Media business on my work email address. I have never been in touch with them for anything. I submitted a GDPR data request (what info do you have, where did you get it from and why do you think you have permission to contact me?) and haven't had a response after 30 days. An email to the ICO is the next step.

It’s not true no one wants .uk domains – just look at all these Bulgarians who signed up to nab expired addresses

John Riddoch

Re: Should we just be phasing out .co.uk

ISTR the Christmas Islands started down that route many years ago, selling .cx addresses cheaply at a time *.uk, *.com etc were much more expensive. That broke down the barriers of non-residents buying addresses and has been going on ever since.

What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

John Riddoch

Re: Misconfigured?

Default is no public access, so you have to allow access to applications etc to use the buckets. Issue is lazy admins who find it doesn't work and open it up wide, not realising what they're doing or just doing it "for testing" and not locking down later.

Oracle finally responds to wage discrimination claims… by suing US Department of Labor

John Riddoch

Re: They seem to think this is a bad thing...

As an outsider to this, it's felt like they hate the government meddling in their lives. The term "government overreach" gets bandied about alongside protecting their "freedoms". I get the impression it started after the war for independance as they threw off the oppression on the British rule and it's just become embedded in their culture.

Samsung on fridge cert error: Someone tried to view 'unsavoury content' in middle of John Lewis

John Riddoch

Re: Samwrong

Depends what it's doing. If I send a request to https://dodgysite.com/ which is blocked by the router, it will send some kind of response back which, because it doesn't have the right cert, will generate an ssl error.

There are also proxies which can do inspection by using dodgy root certs on the client browsers so they can decrypt to capture malware, data leak prevention etc.

Need to automatically and securely verify a download is legit? You bet rget this new tool

John Riddoch

Not a panacea

All it takes is someone hacking the server (or intermediary proxy) and deploying a trojanned file and updated hash, that's generally easier than manipulating a download in flight. It's an improvement on a blind download, at least.

He's coming for your floppy: Linus Torvalds is killing off support for legacy disk drive tech

John Riddoch

Haven't used a floppy drive in years. I had a PC ages ago where opening Windows Explorer took ~10 seconds and I eventually tracked it down to the floppy drive (no idea if it was a hardware fault or crap driver) so I unplugged it "temporarily" to make things work better. A year later I realised i hadn't needed to plug it back in and my next PC didn't get built with one (those were the days I used to order parts for my PC and self-build).

I think I still have a floppy drive in a drawer - buried under all the spare IDE cables and SCART leads I also can't quite bear to part with...

I suspect some legacy pieces of kit (15 year old software which still works) will still need a floppy now and again, but I rather suspect they won't run on any modern version of Linux anyway.

Welcome your new ancestor to the Homo family tree; boffins have discovered a new tiny species of human

John Riddoch
Joke

Re: the foot bone connected to the knee bone...

And that whooshing sound is the joke going over your head....

It doesn't mention whose skull is connected to whose knee, after all.

After last year's sexism shambles, 2019's RSA infosec bash has upped its inclusivity game

John Riddoch
Joke

Re Monica Lewinsky

"hard for many to swallow".... I see what you did there....

Roses are red, we've received about fifty. Google's next trick? Pixels for the thrifty

John Riddoch
Coat

Poetry

Roses are red

Bought from the bazaar

We're gathering your data

Contravening GDPR

Q. What connects the global financial crisis, Ursnif malware, and Coldplay's Viva la Vida?

John Riddoch

Re: Is this a thing still?!

People are stupid - give them enough of a carrot to run untrusted code and they will. It's pretty easy to get macros enabled, usually only a couple of clicks (I've had to do it on legit documents where I need the macros enabled), so not a huge hurdle to get in. If you spam enough people, you'll find a few marks and the cost/benefit ratio soon makes it worthwhile.

Attention all British .eu owners: Buy dotcom domains and prepare to sue, says UK govt

John Riddoch

Re: Wow, it's almost...

That is at least part of the problem there - here we are, 2.5 years after the referendum and no-one can agree on what leaving the EU actually means. We can't even agree what to do with Northern Ireland, let alone what kind of trade, fisheries or agricultural deals we want to have with the rest of the EU. Parliament is split between remain, hard brexit and some kind of deal in the middle and no-one is budging. The general terms of leaving should have been agreed BEFORE the referendum, not 3 months before the end of the article 50 term.

Oregon can't stop people from calling themselves engineers, judge rules in Traffic-Light-Math-Gate

John Riddoch

Re: Incredible

"for the stupidest of reasons" - follow the money. My guess is the Professional Engineer Registration Act was sponsored by someone who coincidentally received "campaign contributions" from someone with a vested interest in licensing engineers.

2018 ain't done yet... Amazon sent Alexa recordings of man and girlfriend to stranger

John Riddoch
Terminator

Re: Be Pure, Be Vigilant, Behave

The computer is your friend. Trust the computer.

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

John Riddoch

The cert was on the security monitoring software, so while service was running fine, it wasn't getting monitored. When they finally upgraded the cert, they had their "ohshit" moment.

Tesla autopilot saves driver after he fell asleep at wheel on the freeway

John Riddoch

"Socially acceptable levels"

And there is the problem - the acceptable levels to the public will be zero casualties, even though that's impossible outside of a controlled environment. Every single incident (regardless of fault) will be interpreted as a failure of self driving vehicles, where what we should be setting the bar at is as good as a human driver.

Sysadmin’s plan to manage system config changes backfires spectacularly

John Riddoch

Re: Automation does have its place

I used to have to do user account creation annually at a university. I'd inherited some (fairly ropy) scripts and an MS Word mail merge template which took a fair bit of manual effort. I reduced it to a couple of Unix scripts which then created a LaTeX file to print out and another output file to create the Novell 4.1 accounts (that probably dates it pretty well). The printouts were handed to the lecturers to distribute to their classes on the first day and get them to log in.

30-up: You know what? Those really weren't the days

John Riddoch

Re: "you were seriously stuck up a gum tree"

Dejanews was the Google of the 90s - all sorts of useful stuff squirreled away in Usenet forums and generally not tainted with the crap you get now. Google covers a lot of things now, but part of the problem is the 100s of ways Linux implementors do things, so you get some instructions for RHEL 6 which don't work on Debian, Ubuntu or, in some cases, RHEL 7.

British Airways hack: Infosec experts finger third-party scripts on payment pages

John Riddoch

Disabling Javascript would have protected you in this instance and against similar hacks. No idea if that would have crippled the site or not, though.

Mozilla accuses FCC of abdicating its role, ignoring comments in net neutrality lawsuit

John Riddoch

Re: Chevron..

They're also predominantly Republicans now, so are more likely to be in favour of anything which benefits big campaign donors, sorry, big companies, hence they'll likely rule in favour of the ISPs.

Oracle: Run, don't walk, to patch this critical Database takeover bug

John Riddoch

Re: What?

I assume it's a terminology thing - for it to be a "remote code exploit flaw", it may need to be an attack vector for non-authenticated users. As you have to be logged into the database, it's not quite as bad as some other flaws, but still needs patched.

Grad sends warning to manager: Be nice to our kit and it'll be nice to you

John Riddoch

Never anthropomorphise computers. They hate that.

Hot US deal! IBM wins $83m from Groupon in e-commerce patent spat

John Riddoch

You're thinking of trademarks. Patents follow different laws/rules, hence you can have a submarine patent - let something become ubiquitous then sue the world because you have a patent on it. Declaring it too soon means people can find a different solution and work around your patent and you don't get royalties.

Y'know... Publishing tech specs may be fair use, says appeals court

John Riddoch

Re: Ok, put it another way...

From close experience - plugging two ovens into a single extension lead blew the fuse on the extension (by design and quite correctly - note that it was someone else who did this, not me). In contrast, I have two extension bars linked together at home serving up a number of low wattage items (mainly around the PC) quite happily because they don't go near the 13 amps permitted by the fuse. It's all about what you plug in, not just the number of items.

The dislike of multiple extension bars dates back to when most items in the house were high wattage and folk would link 2 or more bar heaters, a toaster and an iron into one socket with rather inevitable results. When the blown fuse gets replaced by tin foil or a bolt, the next inevitable results annoy the fire brigade.

Visa fingers 'very rare' data centre switch glitch for payment meltdown

John Riddoch

Yup, partial failures suck. I've seen a fibre path fail just enough to bugger up service but not quite enough for the OS to figure it needed to fail over to the 2nd path. Once we'd figured that out, it was just a matter of disabling the primary path and everything started working normally.

My PC is on fire! Can you back it up really, really fast?

John Riddoch

Re: I recall even my mum (a bit like Dilmom) telling me a fire story

Only real school fire we had was a small one in the woodwork room (I was nowhere near it, so don't know all the details). The rector (head teacher) decided it would be a great opportunity for a fire evacuation test. As we got to the top of the stairs, we could smell the burning smell which had permeated through the corridors - it certainly added a little more urgency to a fire alarm test!

BOFH: Guys? Guys? We need blockchain... can you install blockchain?

John Riddoch

Re: Familiar...

Surely all this needed was some fake status reports on request when the boss wanted updates? By the time he's wondering why nothing has actually been delivered, the next shiny will have appeared on the horizon to take his attention and you can "shut down" the Blockchain project....

Furious gunwoman opens fire at YouTube HQ, three people shot

John Riddoch

Re: Of all places

Is there anything stopping someone legally buying something like an AR-15 (insert over-powered gun of choice instead) in one state then driving to California to use it? I'm assuming there are a bunch of laws against possession of said weapon in CA, but if they're intending to shoot up people with it, those laws aren't really going to stop them....

Another day, another self-flying car pipe dream surfaces

John Riddoch

Re: That's all we need

"There is never any justifiable reason to overtake/undertake on the left"

Wrong. Read your Highway Code. There are at least two viable examples I can recall cited as valid reasons to pass on the left.

Charity accused of leaving sensitive notes behind after office move

John Riddoch

Read the article:

But in this case, the charity and local authority seem to have failed to do so in more ways than one, by allegedly declining the opportunity to pick up the docs.

According to the Evening News, Saunders claimed that neither the charity nor the council helped him when he raised the alarm, which he said prompted him to go to the newspaper.

It should still be reported to the ICO, though, as it's lax security of information.

BT backs down from charging millions in phone book listing fees

John Riddoch

I used to do that. Now I bypass the "sitting on the shelf" bit as any time I need a number, I just look it up online.

Linux's Grsecurity dev team takes blog 'libel' fight to higher court

John Riddoch

Well - from some of the commentary on Wikipedia (I know it's not a great source, but...):

- Grsecurity distribute patches to the kernel, these are governed by GPLv2

- Grsecurity only sell these (not distribute for free), but as well as the GPLv2 license, they attach use conditions, basically saying "if you distribute these as per GPLv2 you don't get any future releases"

Grsecurity claim this means they're abiding by GPLv2, Perens says it breaks GPLv2. I suspect Perens is right, but the IP lawyers will have a bun fight over it in court.

Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years

John Riddoch

I think some of the older T-class chips didn't have out of order execution, so they'll probably be safe. They're crap for single threaded workloads, though. I seem to recall POWER 6 didn't have it either, which is how they clocked it so fast (up to 5GHz) without melting.

As for other SPARC/POWER chips? Given that ARM is vulnerable and all of these are based on RISC design concepts, it's entirely plausible they're vulnerable as well. I don't know enough about chips to be able to answer that.

'Please store the internet on this floppy disk'

John Riddoch

Re: Stolen Focus

Similar issue - the target window has focus, but it's in a Citrix session in another monitor; the citrix session doesn't have focus... "Real" focus is actually another window in another monitor on my local PC....

John Riddoch

Re: I'm not sure what's worse

"screenshot in a word document"

Older version of MS Paint would default to saving in bitmap format - for a large monitor and 24/32 bit graphics, that would be a large file to attach to an email. Saving in word would compress it so you'd have a much smaller email. It's a poor solution, but for a non-savvy person, it can be quicker & easier.

Nowadays, paint seems to default to PNG format which is much better, so there shouldn't be any need to revert to Word.

Oh, the weather outside is frightful, but the data centre temp's delightful

John Riddoch
Flame

I've been in our conservatory when it's been over 40 degrees. I was lucky enough to not have to spend more than a minute or two there, getting some doors open, I'd hate to have had to work in that kind of heat....

Hot chips crashed servers, but were still delicious

John Riddoch

Re: Power Cables...

Yup, had one when I was at uni. One of the students reported a PC wasn't working, so I followed her to the room. Sure enough, it wouldn't turn on. Went to check power socket, the plug was slightly out. Pushed it in, powered on the machine gave her a bit of a look as she was looking sheepish and wandered out without saying another word.

Hardware has never been better, but it isn't a licence for code bloat

John Riddoch

Prices

It's now cheaper to throw an octo-core 3GHz CPU with 32GB of RAM at a problem than pay a programmer to code it on a single core 1GHz CPU with 2GB of RAM. It's perfectly plausible in many cases to do the latter, but why pay your expensive developer to do that when you can get a bigger server relatively cheaply?

HPE server firmware update permanently bricks network adapters

John Riddoch

Re: The good news...

In the "old days", firmwares were much smaller, simpler and less prone to requiring patching. Most of the "brains" was in silicon so there wasn't the need to drop firmware as much. These days, the custom silicon is expensive, coding firmware is cheap so bugs creep out and updates are required.

Add in scaling issues - if all you had was a single large Unix server, flipping the jumper is relatively trivial. With 1000+ servers in VMWare farms/private clouds, flipping all the jumpers becomes time consuming.

To be fair, there probably are jumpers, they're just set to allow updates for the reasons above.

There's a way to dodge Fasthosts' up-to-160% domain renewal hike but you're not gonna like it

John Riddoch

Re: Price gouging.

Probably because the owners of .clinic are charging more to domain resellers.

You forgot that you hired me and now you're saying it's my fault?

John Riddoch

Re: Ah, memories.

I remember using OHPs and going really high tech with a fancy display unit which would hook up to a PC and display your screen via said OHP. It wasn't a brilliant image IIRC, but it did work and was better than having to print out onto acetates or write stuff onto them.

Sysadmin tells user CSI-style password guessing never w– wait WTF?! It's 'PASSWORD1'!

John Riddoch

Re: Conficker

For a lot of my POC stuff (mainly on VMs on my laptop) where I don't care about security but can't be bothered fixing the complexity rules, I use "Passw0rd" which meets the necessary complexity requirements. "Password1" will generally get past most rulesets as well.

From the Dept of the Bleedin' Obvious... yes, drones hurt when they hit you in the head

John Riddoch

Yup, we need a view on the risks profiles and where the cut-off weight is between "acceptable risk" and "unacceptable risk". Without this study, some random number would be plucked out of the air and made law and argued about for years. With this study, the lawmakers can say "under these rules there is only an x% chance of serious injury".

Itching to stuff iOS 11 on your iPhone? You may want to hold off for a bit

John Riddoch

To be fair to Apple

"Apple always screws up the first iteration" - never use a .0 release of anything is a common mantra in computing, that's not limited to Apple. Of course the new code is going to have bugs and the .1 release will fix most of them (and introduce some new ones, no doubt...). In general, wait a couple of days for the early adopters to find the issues, figure out what they are and figure out if the new features are worth the hassle of the new issues.

HPE slices and dices globo org chart

John Riddoch
Devil

Bloody management speak:

"we’re going to right-size end-to-end cost structures of HPE to ensure we deliver on our financial architecture”

Translation:

"jobs cuts incoming!"

Web crash and pricing errors hit Argos

John Riddoch

Re: Not necessarily

Per contract law, advertising a good at price X is considered an "invitation to treat". When you try to buy at that price, it's officially an "offer" which is generally accepted by the vendor. Where something is advertised at the wrong price, they can reject the offer to buy, the trick with online buying is at what point the offer is accepted and what conditions may be applied to the acceptance of that offer. I suspect all online traders now have something in the terms and conditions (which we all accept and never read) giving them the option of cancelling the accepted offer for a variety of reasons, thus giving themselves the weasel room to avoid sending you a 42" TV for £1.

There's a secondary issue around false advertising (bait and switch) if you intentionally advertise at price X but will only sell at price Y, but screwing up your website wouldn't be covered by that.

Page:

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020