* Posts by Marco van Beek

88 publicly visible posts • joined 15 May 2008


Microsoft stumps loyal fans by making OneDrive handle Outlook attachments

Marco van Beek

Free <> Right to complain

What is it about people who rant about how much a free service is costing them?

If a free service looses you business, it is your fault, not theirs. If it costs you time and money as a result of something they change, that’s just the cost of building a business on a free service.

Don’t blame them, you’re the problem, mot them

Marco van Beek

Re: Stick to IMAP, move to local every so often


I have work emails going back to when I started my current business 25 years ago. And yes, I do need to keep them as I have many, many long term clients and sometimes we both need to remind ourselves of what we agreed a decade earlier.

Microsoft trumps Google for 2021-22 bug bounty payouts

Marco van Beek

It’s not a bug if it is by design

Microsoft said that the Outlook Autodiscover I found was “by design” and denied it was a bug, hence no payout.

Intel ships mystery quantum hardware to national lab

Marco van Beek

Re: It's not clear what the equipment is,

Brings a whole new meaning to “dead on arrival”. “But that’s what you ordered, sir…”.

I wonder you place the order after it arrives…

A tale of two dishwashers: Buy one, buy it again, and again

Marco van Beek

Re: Can confirm...

Not only am I somewhat gobsmacked that Anazon actually sell three phase isolation transformers, but that there are people on El Reg who might be tempted buy them.

Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k

Marco van Beek

Nice to see Apple pays out

Microsoft doesn’t, even when you find a major hole in Outlook autodiscover that leaks every single corporate credential in plain text, and even have them confirm it in writing that you are right.

LAN traffic can be wirelessly sniffed from cables with $30 setup, says researcher

Marco van Beek

Re: Not exactly rocket science..

Or make it look like a POE injector box, and then you can get away with powering it as well.

The key bit is getting the data you want, and not the cable to the coffee pot monitoring device.

Enough broad spectrum noise and any useful signal is swamped.

Maybe set up a welding station in the server room just in case…

Marco van Beek

Not exactly rocket science..

Not sure why this is news. The MI5 building has special window tinting to prevent electronic snooping and grounded copper piping so that the water cannot be used to rebroadcast signals.

Point is we should be using transport level encryption everywhere already.

On a second note, while an Ethernet cable with nothing plugged in to to it does make an excellent aerial, any decent switch should have turned the port off so while you might get some low level noise leaking on to it, there is unlikely to be much readable traffic.

As far as sticking something around a cable, you do it behind the patch panel, right by where the shielding has been cut short. That way you can wrap it around just the cable you want. I personally would build a device with two inductive loops, one for transmit and one for receive. You also only stick it around one of the cables of the loop as otherwise the signal will be largely cancelled out.

Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years

Marco van Beek

Re: Maybe they now could cough up the bug bounty they avoided then?

I can confirm the b%##ers never paid up.

Marco van Beek

Re: Hold on...

Actually, the problem IS the protocol. The sequence of host names is completely wrong. Why have the option of a DNS or SRV record if you don’t check it first? Why write a protocol that assumes the host name of the Exchange server is on the root of the domain when it is highly unlikely to ever be so?

And lastly, why not have some sort of handshake in the protocol before just handing over the password. I don’t think people appreciate how big a deal this really is. Every CyberSecurity person will tell you to keep public and private systems separate. But Microsoft designed a protocol that BY DESIGN leaves the safe corporate environment FIRST?

Marco van Beek

Re: Hold on...

Most of the above.

Microsoft (I guess the Exchnage team) designed the AutoDiscover mechanism, decided the sequence, and then publicised how to use the protocol. Everybody who wanted an email client that could talk to Exchange then coded up their own version of what that protocol document, including the MS Outlook coders.

So the original error is in the protocol, further compounded by no coders along the way going "WTF - This looks wrong". Even BlackBerry, those supposed to be the gods of hardened mobiles didn't see a problem with this protocol.

So the ONLY thing it isn't of the above is a Windows thing. Yes, in the original response to me, they did say that there needed to be a malicious presence along the way or at the web server. Hello? We are talking about the Internet, aren't we?

Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials

Marco van Beek

Not new. I found the basic issue 7 years ago almost to the day.

Microsoft told me it wasn't their problem:


So I’ve scripted a life-saving routine. Pah. What really matters is the icon I give it

Marco van Beek

On a complete tangent…

I worked for Johnny on his 1984 residency in Le Zenith. The motorbike he rode on to stage “wasn't loud enough” so the sound guys gaffer-taped a radio mic to the side of the exhaust pipe.

After the residency we went on a world tour of France and Belgium. :-)

The quality of his voice is open to debate, especially after a long run of shows, but that guy had stage presence. He could rock an audience.

Tesco parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images

Marco van Beek

Pretty sure most cars already have a unique RFID tag

I remember reading an article years ago (early 90’s maybe) about the new Nissan Primera about how they had to decide which part was the “first” part of a car, so that they could stick the RFID tag on it. Just In Time suppliers stuck their own sensors along the assembly line so that they got the correct amount of warning for each car and linked it to the Nissan database to determine which option that car needed, be it seat fabric, paint colour or whatever.

If I remember correctly it was on the main member of the front subframe, chose because it was the biggest bit of the first assembly.

End of an era for ULA as the last Delta IV Medium rocket leaves launch pad

Marco van Beek

Re: If I recall...

Pretty sure I read in one of the many Vulcan books that the deal to allow the RAF to use the runway was for “peaceful” missions only and the USAF turned a blind eye to the three (I think it was three) bombers hiding in plain view amongst the 22 or so Victor tankers.

Interesting side fact: Much was made of the bombing raids being the longest ever at the time, but back in 1945 the SOE in SE Asia used stripped out Liberator bombers doing 24 hour round trips, no refuelling, no GPS, no radio beacons, to drop agents and RAPWI teams in Enemy held territory.

There's a reason why my cat doesn't need two-factor authentication

Marco van Beek

Re: Simple

Now we are getting somewhere. Cartoon Authentication Technology, or DOG for short... Maybe we should investigate X-Factor Authentication where in order to get in you have to correctly identify contestants from prior series. Of course, we do all need to upgrade to BGT encryption as exports of AGT have been restricted.

Thank you, I’m here all week. :-)

Pre-checked cookie boxes don't count as valid consent, says adviser to top EU court

Marco van Beek

Tracking already done by the time the popup is displayed

Cookies aren’t really the problem these days. It is the plethora of code included from third party sites including, but not limited to, Facebook icons, Google analytics and javascript / css libraries. All of these sites can, and do, track me without any consent being asked of me, let alone agreed. While they may claim to not be able to track me ‘personally’, we all know that eventually the dots form a large enough picture for me to be uniquely identified, and they do not need to know my name for this to fall under the GDPR, just the fact that I am unique.

Ever feel like all your prayers go unheard? The Catholic Church has an app for that

Marco van Beek

Re: Prayers by iPhone...

And how did Terry Pratchett not see this one coming?

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

Marco van Beek

Right at the end of the Businessweek article it says "In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge"

Even based on the little we do know, that is bollocks. Elsewhere in the article they say "the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected". So there is a commercially viable way of detecting the chips. Good old-fashioned traffic monitoring.

Sounds more like all those old chain emails that used to go around about viruses that "nobody could detect", encouraging you to forward the email on to as many people as you could to warn them. GCHQ and NSA probably have enough taps on enough lines to do this for us.

Microsoft snubs alert over Exchange hole

Marco van Beek

Re: So, in simple terms

And not to forget that all of the Exchange clients I have seen don't check the certificate name either. That list is currently:

• RIM-Q5-SQR100-2/

• Mac OS X/10.10.4 (14E46); ExchangeWebServices/5.0 (213); Mail/8.2 (2102)

• Android-SAMSUNG-SM-G900F/101.500

• Mac OS X/10.10.5 (14F27); ExchangeWebServices/5.0 (213);

AddressBookSourceSync/9.0 (1579)

• motorola-XT907/1.0

• MacOutlook/ (Intel Mac OS X 10.9.5)

• MacOutlook/ (Intel Mac OS X Version 10.11.3 (Build 15D21))

• MacOutlook/ (Intel Mac OS X Version 10.11.3 (Build 15D21))

• MacOutlook/f.16.0.160506 (Intel Mac OS X Version 10.11.4 (Build 15E65))

• Microsoft.Outlook.15

• MacOutlook/ (Intel Mac OS X Version 10.11.5 (Build 15F34))

• Mac OS X/10.10.3 (14D136); ExchangeWebServices/5.0 (213); Mail/8.2 (2098)


• Mac OS X/10.10.5 (14F27); ExchangeWebServices/5.0 (213); Mail/8.2 (2104)

• HTC-EAS-HTCOnedualsim

• Apple-iPhone7C2/1306.69

• Apple-iPhone6C2/1304.15

Marco van Beek

Re: So, in simple terms

"It sounds like MS expect you to control your domain and secure it. To me that doesn't sound massively unreasonable."

Not quite. It relies on HTTPS, not HTTP, so you might have a perfectly secure non-HTTPS website on a shared server (or even behind a firewall with port forwarding) and HTTPS is pointed at a control panel which you do not manage, or have any real sort of access. That's how I found it. We installed fail2ban on our shared web servers and one of our our clients got banned from their own website because someone was setting up a new iPhone and fail2ban was picking up failed login attempts on the control panel.

Marco van Beek

Re: It's not about Microsoft WANTING to fix it ..

" log files anyone ?"

Complete proof of concept and also verified by Microsoft themselves. May have found one version of Outlook (v15 on PC) that doesn't send credentials, but Outlook 15 on Mac does, and I have also seen iPhones, Blackberries and Android devices all display the behaviour.

There are two things that Microsoft should do immediately. 1) Change the order that autodiscover is supposed to use to check DNS first for a SRV record, then for autodiscover.<domain> and then the root domain, and 2) To issue a warning to all Exchange client developers to check the SSL certificate for a valid name and chain, along with the revised protocol.

Euro privacy warriors: You've got until January to fix safe harbor mess – or we unleash hell

Marco van Beek

It's all arse about tit

We are looking at the whole privacy thing the wrong way round. There are three main reasons for people wanting to know about me: Sales, theft and security. I believe that we should establish a theoretical value to private data, and every time my details are passed on to a third party without my explicit consent, the guilty company has to pay that fee, plus a share of any fines, to me. That in turn, may help me to cover some of the unrecoverable costs when my details reach the netherworld and somebody steals something from me. As to security, we already sold our souls decades ago. We are not going to get a refund now.

Streaming tears of laughter as Jay-Z (Tidal) waves goodbye to $56m

Marco van Beek

Re: Alan Dower Blumlein

Really? You slag off an article about someone who contributed to everything you listen to, with that excuse?

Tell me? Hired and female sound engineers recently?

Reg Oz chaps plot deep desert comms upgrade

Marco van Beek

Silly question, maybe?

If you have a satelitte connection, why is it coming back down in Australia at all? Why not use a service with a downlink in a country with a decent connection to the rest of the world, as well as A few spare IP4 addresses for local businesses to use for remote access?

Norks' internet goes TITSUP in possible DDoS attack

Marco van Beek

Maybe it is the other way around?

In a sort of "storm in channel, Europe cut off" kinda way. Maybe, just maybe, they are denying us access to their world famous cookery site.

WTF is Net Neutrality, anyway? And how can we make everything better?

Marco van Beek

We need an alternative charging paradigm

I have long thought that the only fair way to charge for the Internet is for everybody to pay for the data they send. If I visit a web site I have not idea how many graphics are on that page until it has loaded, so if the website has to pay for the sending of the data, they have the option of put less images on their pages, and so on. If my server gets hacked and user for a ddos attack, I pay for my servers part in it, so I might be a bit more inclined to protect it better. Since legitimate streaming companies like Netflix are charging for access to their content, they have the revenue to pay for the data transfer.

On phone systems we are used to the idea that the initiator pays for the call, because it is the initiator's decision to dial the number, but on the Internet, I don't know what I am getting until I ask for it, and the other end can simply ignore or decline my request very easily, so if has to work the other way around.

I can't think of any other way that is both fair in monetary terms and in net neutrality terms.

CERN team uses GPUs to discover if antimatter falls up, not down

Marco van Beek

Woooo flying cars at last!

Or not. It did occur to me that if I had a pair of anti-gravity boots made of antimatter, and assuming my socks stop my feet from disappearimg in a puff of smoke, not only would they have to have a greater mass than my body does to work, I would also wind up upside down. Hmmm. Back to the drawing board.

Microsoft: Let's be clear, WE won't read your email – but the cops will

Marco van Beek

Re: I'm slow to notice things

Only the word is new. Frankly most things called Cloud are all 10 to 20 years old. Those that aren't are 30 to 40 years old.

Yes, why invent something new when you can just rebadge the old stuff with a shiny new name.

Not sure if you're STILL running Windows XP? AmIRunningXP.com to the rescue!

Marco van Beek

Re: Sigh

And there was me thinking that Windows 8 had been coded by web designers....

How Britain could have invented the iPhone: And how the Quangocracy cocked it up

Marco van Beek
Thumb Up

Re: funding for Startups

Yes I have, and I would agree. Those with spare money to invest have no imagination and no vision. If I had a pound for every time a VC wanted yet another variation on a business plan I wouldn't need their stupid money. They have no concept of the value of someone else's time.

Marco van Beek
Black Helicopters

Why did he wait so long?

<Copyright Notice>Anyone from the British Government reading this is, if you read past this point you will have agreed to pay me the sum of £10M sterling for each reading. (I will even pay tax on it, or at least I will once I have paid for my coffee beans from Switzerland...)</Copyright Notice>

What I don't get is why did he wait so long for any sort of response? It doesn't seem like he was tied into them until the contract was sorted, which took the best part of a year. I would have been long gone by then, taking my work with me, and keeping all the IP myself.

There is a lovely bit in Richard Noble's book about Thrust 2 and Thrust SSC, where he approached the DTI and asked if they would be interested in sponsoring the project. Flying the flag and all that. They asked him how many he thought they would build in their first year of production... It's not the lawyers who should be first against the wall...

OK, so we paid a bill late, but did BT have to do this?

Marco van Beek

Bastard Tossers

I have a couple of clients who have had their http access cut off for non payment when they didn't actually owe any money. Email, ssh, etc was fine. Problem was that if you do not use BT's DNS (or maybe their router, not sure) you don't get the notice so it just seems to be a very weird broadband problem. Wasted hours on that one the first time it happened.

And yes, Openreach will always bill, and the ISP will always make you go through hoops to avoid sending an engineer out, even when you are happy to pay because some arse in the workshop has cut a cable somewhere...

US intelligence: Snowden's latest leaks 'road map' for adversaries

Marco van Beek

Re: Americans safe from... What?

I am sure there must be a equation that links the amount of money spent today on anti-terrorist operations and the increase in terrorism / freedom fighting in the future. After all, the OSS giving the North Vietnamese a few guns during the Second World War worked out really well for the US. Admittly the main problem there was supporting an oppressive and corrupt regime a few years later. Now that I think about it, that didn't work so well in Iran in the 70's. Or Iraq in the 80's.

There seems to be a tendency by inteligence agencies to believe that my enemies' enemy is my friend, when they rarely are. I suspect they cal it something fancy like Real Politik, but all they are doing is storing up problems for the future, which, let's face it, is good job security.

I often wonder if we would be better off as a society to take the money we invest in cameras and tapping equipment and surveillance satellites and used the money to pay 25% of the population to spy on the other 75%, like East Germany use to. We would have 100% employment, and we might actually have real criminals being caught in the act rather than the current trend of more and more of us being criminalised for minor offences like parking and box junctions as we are the easier target for a bit of extra revenue.

Given a real choice, I would rather not be spied on at all, but since that doesn't seem to be a choice any more, so the option of a few million nosy neighbours might actually be an acceptable alternative.

Looking more and more like not only was George Orwell right, but he wasn't that far off with the date either.

Nice of El Reg to have an icon for a typical surveillance operative...

Marco van Beek

Re: Any doubts?

"if you keep making the same mistake over and over and over". It's only madness if you expect a different outcome!

Microsoft warns of post-April zero day hack bonanza on Windows XP

Marco van Beek

Re: It was fun while it lasted

Right with you on this. Microsoft's blunder with Vista meant that we no longer blindly believed that newer was better. And with Windows 8 they have done it again. I have clients still running DOS applications because the amount of time and effort they invested in data entry cannot be replicated due to cost.

Personally I believe that it is well past time to have a CE mark for software like we do for hardware. All software would have to comply fully with all declared standards or the vendor\manufacturer would be required to fix the problem at their own cost, just like if the brakes don't work on your car. Software is so central to the survival of businesses that it is about time they got better protection than just "Caveat Emptor".

OWN GOAL! 100s of websites blocked after UK Premier League drops ball

Marco van Beek

Redirection site?

Am I the only person here wondering why anyone would use a redirection service? Have they never heard of rewrite rules? Or ServerAlias?

Beam me up? Not in the life of this universe

Marco van Beek

Re: obHHG2TG ref

"It's unpleasantly like being drunk" "what's unpleasant about being drunk?" "Ask a glass of water". Damn, the man was good.

Sysadmins: Keep YOUR data away from NSA spooks

Marco van Beek

Is it just me?

Or are the Emperor's clothes starting to look a bit see-through?

Yes, the Cloud is great for some things but it is not the answer to every single IT question. This is just another question that should have been asked first by every single business, rather than believing the hype. If you really, absolutely have to use a cloud service run by a third party, and data sovereignty is an issue, use servers based in Switzerland. At least for the moment they require a legal paper trail that cannot be gagged.

Have a look at Peter Houpermans' article on this very site on the subject from a few months ago.

I also have to say that expecting your average IT person to understand complex legal issues that confabulate the best legal minds in the world is expecting a bit much. The average lawyer charges a whole lot more than the average IT person, so I would suggest the next time someone asks if their data is safe in the cloud, tell them to ask their lawyer to read all the EULA's before letting you install any new software or connect them to any new service.

Tux because at least she understands me....

Why I'm sick of the new 'digital divide' between SMEs and the big boys

Marco van Beek

You have to laugh when...

Some virtual server solution salesman gets you on the phone and tries to explain the benefits of virtualising all a client's servers after finding out they only have one!

Paul Allen buys lovingly restored vintage V-2 Nazi ballistic missile

Marco van Beek

First V2 to hit London

Landed, if that is this the right term, in Chiswick, near the bottom end of Staveley rd, which runs down the side of the grounds of Chiswick House. There is a small plaque next to an electricity transformer. It mortally wounded one person. Not the best ROI for a weapon of mass destruction.

Drilling into 3D printing: Gimmick, revolution or spooks' nightmare?

Marco van Beek

Re: Part of the process

Yes, already done. I have seen various ones on YouTube. It prints the sand mould layer by layer into a box, so can be far more intricate than a traditional wooden pattern, and you do not need to split the mould to remove it.

From stage to stream: The unseen tech at the BRIT Awards 2013

Marco van Beek

Nice to see the vidiots haven't caught up with the lampies yet

When I did the BRITS in 1987, the bit of the lighting rig I operated (the vari*lites) were run by a 6 processor control console. When I did the show in 1988 (Adele has nothing to complain about, Rick Astley never even made the stage for his award that year, and even then the Who ran into the News by at least a minute) every single one of our lights had a 68000 processor in them. It was a fully distributed control system capable of controlling 1000 moving head units. These days almost every piece of lighting equipment plugs directly into an Ethernet network, So the fact that the video industry is only 10 years behind is newsworthy?

The coat's for Mick Kluczynski, who went to advance the Big Gig in 2008.

PS A BRIT is an award given out by the British Phonographic Industry Aka BPI. As well as the BRIT Awards, the is also a BRIT Trust and a BRIT School.

Curiosity photographs mysterious metal object on Martian rock

Marco van Beek

It's life, Jim

But not as we know it... How much would we all freak out if it wasn't there the next time they looked?

Is this possibly the worst broadband in the world?

Marco van Beek
Black Helicopters

Re: Live in the sticks but have fibre running past my door. BT "no plans"

Ever thought of going down the dark fibre route? You just need to find a local ISP small enough to be helpful but big enough to have an open reach account. Unfortunately mine isn't quite there yet.

Marco van Beek

Test, test and then test some more....

I have a client in Bedfordshire, 5.9km from the exchange (according the the BT engineer's box of tricks), and I managed to get them up to 600kbit/s download and 400kbit/s upload. They had an old kilo stream line (256k/s) and to upgrade it to anything else was going to cost 75k of trench digging for a new fibre. For the same reason they still have an analogue phone system running with 12 analogue trunk lines. Our next step was going to be bonded adsl (up to four lines with the right ISP) but they found a company willing to sort out an 8km wireless link to Bedford, and now have 30Mb/s, at least when it isn't too windy...

Want to borrow my £500 adsl tester and do some real science? Cost you a pint...

Trust the cloud with my PRECIOUS? You gotta be joking

Marco van Beek
Thumb Up

Re: Already had my close call with the cloud

My only complaint about Unison is that it seems to need both ends to be running exactly the same version to run, and I have found that I really don't want my server running the same bleeding edge I am happy to run on my desktop. They could do with a bit of backwards compatibility, unless I am missing a trick somewhere.

Anyway, I have best of both worlds. We run small Linux servers for our clients, on our client's sites, which we back up to own own servers in a co-location farm. Mind you, I don't back up the 1TB (and growing) list of stuff I haven't yet watched on my MythTV box!

European Commission: Cloud will save us from economic doom

Marco van Beek

New Jobs?

"2.5 million new jobs". What about the 3+ million old jobs that will get lost at the local level? This stuff doesn't create new jobs. If there wasn't a saving, nobody would do use, and the cheapest way of saving money is to save jobs. If we still used manual double-entry ledgers instead of accounts programs, there would be lots of jobs in accounting. But everything would cost a lot more, but then there would be lots more taxes raised so we wouldn't have to hand over so much, so would we actually notice the higher prices if our pockets still had the same cash in them at the end of the day?

People-powered Olympic shopping mall: A sign of utter tech illiteracy

Marco van Beek

"As Joules are very small people..."

Am I the only one who had to read this twice? I was starting to imagine lots of little people running around inside conductors carrying individual electrons....

LOHAN's flying truss: One orb or two?

Marco van Beek

Re: OK, probably stupid but.....

Just a thought. If you use three balloons, and assuming they are all the same size and tethered equally, there would probably be a gap between them that might be big enough to allow a vertical launch from a platform underneath.