* Posts by Tom Paine

2193 posts • joined 19 Aug 2008

Space Force turtle expert uncovers $1.2m Cape Canaveral cocaine haul

Tom Paine

"shouty nose sherbet" - v gd!

"Turtley unaffected" - well over the line; I shall be writing to my MP about this outrage!

NCSC chief: Ransomware is more of a threat to Britain than hostile nations' spies

Tom Paine

Ooh, 512 bit security, where can I buy one of those?

Cuffed: Ukraine police collar six Clop ransomware gang suspects in joint raids with South Korean cops

Tom Paine

So you could say it's a case of...

...Clop clipped?

(I am so very sorry)

Excuse me, what just happened? Resilience is tough when your failure is due to a 'sequence of events that was almost impossible to foresee'

Tom Paine

Good piece, but

...if management have any sense

That's quite a load bearing "if".

Bless you: Yep, it's IBM's new name for tech services spinoff and totally not a hayfever medicine

Tom Paine

A tip of the sombrero

A shout out to anyone who's inherited an AD forest or tree named NEWCO...

OVH founder says UPS fixed up day before blaze is early suspect as source of data centre destruction

Tom Paine

Re: Fuel

b'dum tish!

Tom Paine

Re: No excuse

"...as safe as they could be, consistent with the provider's business model."

OVH were only starting to become an option last time I looked for hosting, what, a decade or so back but IIRC they were always a budget provider. Low margin business with a huge capital cost equals considerable effort to shave costs where possible. Nothing wrong with that as long as customers are aware that to some extent you get what you pay for.

Tom Paine

At 250mph, it's going to be a struggle to make the turn onto the street outside the showroom...

Tom Paine


The bit that slightly puzzles me is that there was enough flammable material to burn, once the source UPS had finished oxidising itself. Presumably the main fuel supply would be the plastic insulation on network and power cables, and obviously a DC will have a lot of both; then there are the little plastic trim panels on the front of servers, the handles of hot-swap PSUs and suchlike... but what else is there? Perhaps there's a tools cabinet with some ABS toolboxes or parts tidies... the wheels and grippy "rubber" mats on trolleys... cyanoacrylic light fittings? Does the material chip packages are formed from burn? Genuinely interested. I guess no-one here's got any personal experience of major DC fires because they seem to be so rare.

Another Windows 10 patch that breaks printers ups ante to full-on Blue Screen of Death

Tom Paine

Re: "in some apps"?

Had a text from my nearly-80 year old Dad yesterday. I'm copying this directly from my phone:

"I have bought an old vcr machinre to watch videos* on but have no leads to connect to the tv. Don't suppose you have any spare ones?"

(I have no idea what TV they have nowadays -- not been able to visit them for almost 3y, long story, but in normal times they visit me en-route for rellies three or four times a year -- and of course he'll have no idea what any of the sockets on the back of either appliance are anyway, so...)

Tom Paine

Re: "in some apps"?

I too have witnessed the terror...

Hacked by SolarWinds backdoor masterminds, Mimecast now lays off staff after profit surge

Tom Paine

Re: "Mimecast not only fell victim to the SolarWinds hackers ..."

We don't know. Why DOES it jump out at you?

Robinhood plays Sheriff of Nottingham as it pauses GameStop, AMC, BlackBerry etc stock sales, gets sued

Tom Paine

Re: It's a Pyramid Scheme

If it's never happened on /r/wallstreetbets before, I'm certain a bunch of people have noticed the precedent and are looking for the next stock vulnerable to such manipulation.

Tom Paine

Re: "the equity required to buy a stock with borrowed funds"

I see. You're advocating for a zero leverage rule? Presumably for all markets, not just equities?

Tom Paine

Re: "the majority of those insurgents are in the process of losing their shirts"

Well, OK, attempted rebellion, yes.

Tom Paine


...an insurgency against the financial establishment and the status quo.

Some of them (most of them, maybe) see it that way, and the general public are buying that line; but the majority of those insurgents are in the process of losing their shirts. It's called "pump and dump" for a reason. The regulators' single most important function is to maintain the operation of orderly markets. This has not been an orderly market. The "ha ha, some hedgies have blown up" angle has left a lot of small investors holding wildly overvalued stock. The next trading day or two are not going to be pretty.

Anyone else here old enough to remember when BBC2's Money Programme ran a fantasy share buying game with four random amateur investors? Before long, whatever they tipped on Sunday night was shooting up on Monday morning, regardless of fundamentals, just because it'd been tipped. The segment was hastily cancelled.

Boss behind 'reset' of delayed, overbudget Emergency Services Network shifts to new 'digital' Cabinet Office role

Tom Paine

I can picture the scene...

"The cabinet office is a ratsnest of warring fiefdoms, seething with distrust and mad policy ideas from undersocialised wonks. What could we do to make it even worse?"

"How about... /Digital Cabinet/. Quick, get the Trusted Providers on the phone!"

(With apologies to @SirBonar on Twitter)

Fail, because if it's not already, it soon will be.

US courts system fears SolarWinds snafu could have let state hackers poke about in sealed case documents

Tom Paine
Black Helicopters


Could have accessed sealed cases against Russian hackers? Yeah... yeah, there's that, too. From an espionage PoV, cases relating directly to intelligence matters would be another obvious target, ditto those against "politically exposed persons", especially those towards the top of the tree. Less obviously, all sorts of other cases could be useful for an attacker, for all manner of purposes, from blackmail, to getting better knowledge of investigator TTP (and therefore how to escape detection),.. I'm sure there are plenty of other use cases.

Whilst the "surgical strike" type attack is very rare, there's a big pressure to extract metadata ASAP to enable other analysts to ID material to exfiltrate. Trade-off between increased chance of detection if trying to exfiltrate petabytes, vs hanging around so long that they're discovered via other means (ie., the discovery of the SolarWinds trojan.) Must make for interesting discussions in whichever war rooms they have those debates.

United States Congress stormed by violent followers of defeated president, Biden win confirmation halted

Tom Paine

Re: Police Scotland

The results from an image search for "Scotland welcomes Trump" are a heartwarming sight.

Tom Paine

Yes but

I'm not convinced the time's right for a Jamiroquai come-back.


Tom Paine

Re: I wonder ...

...and the President has the power to pardon the VP for any hypothetical crimes he may accidentally have committed in the previous few years.

Tough call. Rather like Thermonuclear War: the only way to win is not to take part.

Tom Paine

Excellent post

Just to say thanks for not shying away from stuff that splatters, even when there's no obvious IT angle. This is why El Reg is still here whilst a myriad of other attempts at technology news sites have come and gone (or survived as a brand whilst the editorial teams were swept out like a dead mouse left overnight on the kitchen floor by a very proud puss.)

Well, on the bright side, the SolarWinds Sunburst attack will spur the cybersecurity field to evolve all over again

Tom Paine

Stupid question

From the quality of the threat design, the range of techniques used, and the nature of its victims, this was a nation state at work [..]

What is a "threat design"?

Google reveals version control plus not expecting zero as a value caused Gmail to take an inconvenient early holiday

Tom Paine

Come on...

We've all been there.

US Government Accountability Office dumps sack of coal on NASA's desk over Moon mission naughtiness

Tom Paine

Re: Infinite loop

Given the unprepared and somewhat unpredictable mechanical properties of the lunar surface and regolith, how long a run of consecutive successful landings would you want to see before you got on one yourself? Obviously if a landing leg pad hits a rock, or they happen to hit an area with soft, loosely compacted topsoil, or.. various other things, and it tips over on landing, it's a TLV,TLC accident.

'Long-standing vulns' in 5G protocols open the door for attacks on smartphone users

Tom Paine


So the absolute latest and greatest mobile phone network technology, the one that (along with IPv6) was going to allow absolutely ubiquitous embedded systems in anything that moves (and a lot of things that don't move, or don't move after they've been bolted / screwed / nailed / welded into place),.. that technology... has well-known, long-standing weaknesses in the protocols and architecture? You could knock me down with a feather. It's almost as if the designers, architects and research engineers were subconsciously making sure there'd be a need for designers, architects and engineers to develop 6G at some point. Or something.

US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor

Tom Paine

"full rebuild"

Perhaps they had enough canned lateral movement tools that, although they only had bandwidth to properly turn over (say) a dozen of the 18,000 and exfiltrate crown jewels, they were able to implant stealthy persistence agents elsewhere in those victims' networks. So, does "total rebuild" refer to every server in every customer org? Or "all the things"? (How about switches and routers? How about printers? How about bootkits -- shouldn't they chuck all hardware into skips the day after cutting over to the perfect replica of the entire network to known-good replacements?)

And even that won't give assurance; supposing the restore data from backup step includes another downloader stage that's missed from AV?

Sometimes I'm very grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed if I want, and second when I remember what hell I'd be going thru rn if I was still at anywhere I worked in the last 8 years.

SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks

Tom Paine

Pedant's corner

"..hackers, had penetrated FireEye's servers and made off with its crown jewels: the tools it uses to test other companies’ defenses. Armed with those penetration tools, hackers could potentially identify which of their methods will pass FireEye's gaze undetected."

No. The tools will be things like scanners, exploit frameworks and standalone exploits for vulnerabilities, which they use to find and exploit those vulns in their pentest customers' networks. They don't have anything (directly) to do with FireEye spotting other attackers in action.

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

Tom Paine

Re: Who is at fault?

I may be reading too much between the lines, but these don't sound like leaks from the mainstream NHS.

CentOS project changes focus, no more rebuild of Red Hat Enterprise Linux – you'll have to flow with the Stream

Tom Paine

Well WHO could have seen THAT coming?

How tediously predictable, and how pointlessly short-sighted for anyone in the IBM / RH command structure that wants to grow a sustainable long-term business. 2020's least surprising development.

Crooks posing as COVID-19 'cold chain' company phished EU for vaccine intel, says IBM

Tom Paine

Off the top of my head:

- nicking email or other docs that can be selectively leaked to give the impression the vaccine's unsafe, or was stolen from Russia, or contains Bill Gates' famous microchips or whatever.

- straightforward industrial espionage

- blackmail attacks

- to compromise part of the pharmaceutical industry via the supply chain for the same motives as anyone else attacks pharma targets (fraud, theft, blackmail etc); nothing to do with SARS-CoV-2 per se, it just happens to be what's going on RN so that's the angle they're using

- straightforward financial fraud or theft ("Hi this is China FreezerCo Inc, pls remit payment for latest deliveries in bitcoin to: ... ")

No doubt experts can suggest several others

Tom Paine

Re: Crooks phishing for COVID vaccine intel

Depending who's doing it, they may be motivated by patriotism, or by fear of the state (China in particular likes acquiring cheap cyber talent by nicking crooks and offering them the choice of a labour camp or Unit 17xyz.)

Tom Paine
Black Helicopters


...it would be unusual for an attack impersonating a Chinese company to originate in the West.

If you were planning a false flag op, wouldn't you want to pick an org least likely to be suspected to be a front? Nothing particularly secure about Chinese commercial IT ops, in terms of security. You'd need to know the language and some of the culture, of course...

*strokes chin, steeples fingers, reaches for the metaphorical bong*

IBM warns staff across the business of fresh 45-day redundancy consultations

Tom Paine

Re: Last one out

My thought was surprise that they still have enough employees left that they can afford to sack several hundred more. Anyone got the numbers on that?

Yes, it's down again: Microsoft's Office 365 takes yet another mid-week tumble, Azure also unwell

Tom Paine

Round and round we go...

This may be a good time to note that Microsoft is planning to deliver an offline-capable version of Office toward the end of next year.

It's with astonishing innovation like this that Microsoft keeps driving technology forward to hitherto undreamed-of heights. Next they'll be planning an AD that is physically located **in your actual offices!** Imagine how cool that will be!

NHS COVID-19 launch: Risk-scoring algorithm criticised, the downloads, plus public told to 'upgrade their phones'

Tom Paine

Two questions

1. Why does the Android version, at least, refuse to run without location services running? I leave GPS, WiFi triangulation and whatever other skullduggery is available for apps that want to know where I am. It shouldn't need location. How come? And why has that not been mentioned before? As I'm definitely a bit of a weirdo for turning it off, presumably 99.9% of Android users don't realise it's happening. What is the data used for? Does it ever leave my device? Why should I trust the a seers, in these circs?

Damn, that's six questions already.

2. What defences does it have against griefer attacks? Eg kids loitering near their school staff room, then falsely telling the app they have tested positive. There are probably others.

It's IPO week and one of Wall Street's own is raising the spectre of a stock market crash

Tom Paine

Tool and trouble

US equities have been insanely overvalued for years. It's little consolation that various people who've ignored my warnings of imminent soon since 2014 have made small fortunes doing so....

Here comes an AI that can predict hurricane strength. Don't worry, NASA made it so it probably actually works

Tom Paine

"AI"? What Reg said

(when Brian asked if he was on the JPF)

A lot of very clever meteorologists and modellers have spent a huge amount of time on the major models (and indeed the kinornones); ECMWF, GFS, UKMet, HWRF and the others that do a bit less well. The idea that ""AI"" will provide the magic pixie dust that can accurately predict RI 60h ahead or get track error down to 50 miles at 120 hours is ... Fantasy.


As Amazon pulls union-buster job ads, workers describe a 'Mad Max' atmosphere – unsafe, bullying, abusive

Tom Paine

The best thing about boycotting Amazon and buying direct is that you'll usually get quicker service and better customer service. (For me that's mostly tools and consumables from the likes of Screwfix, ToolStation, IronmongeryDirect and such, but I've bought direct from eg. Evolution (compound mitre saw for £150? Yes please! And when I buggered up assembly through my own stupidity, the phone support from Yorkshire was *outstanding*) ...

Amazon are the C word, plural.

Global network controlled by erratic billionaire Qracks down on Qanon Qranks

Tom Paine


This should have died two years ago.


You wait ages for a mid-air collision spoofing attack and along come two at once: More boffins take a crack at hoodwinking TCAS

Tom Paine

Sounds rather like what Bruce Schneier used to call "movie plot threats".

One does not simply repurpose an entire internet constellation for sat-nav, but UK might have a go anyway

Tom Paine

Re: Full-blown kakistocracy

£96m on a REPORT? Shurely shome mishtake.

They've only gone and bloody done it! NASA, SpaceX send two fellas off to the International Space Station

Tom Paine


Whoosh. Off they go. I'll leave it at that because I'm too old to be burning karma

Windows Terminal hits the big 1.0: Fit for production?

Tom Paine

1993 called...

The list of utilities has continued to grow, having begun with a slightly flaky FancyZones Windows manager and shortcut guide before growing to include File Explorer previewers and a Renaming tool.

Wow. I can't wait. Such exciting new innovations.

Microsoft announces official Windows package manager. 'Not a package manager' users snap back

Tom Paine

"Still to come..."

the current preview is limited to installation; it does not even have a remove option for packages. It does not auto-update packages or even have any mechanism to update them, and there is no specific dependency management.

Oh, come ON, Microsoft - pulling this sort of nonsense, presumably in the name of agile, is getting silly now. This is pre-alpha. "As a Windows user, I need to be able to update packages". A package manager that can't update or uninstall isn't a usable package manager, any more than an aeroplane that can take off but can't land except in a ball of flames isn't really ready to fly. Neither is this.

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Tom Paine

Not bad

20% is a pretty good hit rate for a first-pass phishing test (I've run a couple in my time, using commercial services.) The first place we did it started with something like 45% click thru, from memory. Got it down below 10% after a year. Of course, there'll always be someone, sooner or later, which is why it doesn't matter if they give away a password, because they're all using hardware token 2fa. Right kids?

EDIT: Mildly surprised they were able to send realistic looking phish from a fake domain via GApps

TensorBlow? Data boffins struggle with GPU shortage in Google Cloud, opposition offers to help out coders

Tom Paine

So... the cloud...

...it's just someone else's not-computer?

We dunno what's more wild: This vid of Japan's probe bouncing off an asteroid to collect a sample – or that the rock was sun-burnt

Tom Paine

That's no asteroid

The shadow of the spacecraft looks strangely familiar...

20 years deep into a '2-year' mission: How ESA keeps Cluster flying

Tom Paine

Inspiring stuff

...although there are more than a few legacy systems on the ground which have been nursed along with patches, bodges and hacks that should have been put out of our misery years ago!

Second-wave dotcom Uber-investor Softbank forecasts gargantuan losses as world economy faces slump

Tom Paine

Prospects for the global economy

"...the worst recession since the 1930s will hit the global economy, which could shrink by 3 per cent during 2020..."

The OBR's -35% scenario for the UK economy looks much more likely to be typical of the impact worldwide. (Bear in mind the UK is able to borrow at a scale unavailable to many other European countries, let alone the RotW, which theoretically enables otherwise bust UK firms to keep the lights on until the bright new dawn of tomorrow when they can call back all their furloughed staff and call all their old customers to let them know the firm's back in business.)

The Return Of The World As We Knew It is now scheduled for early 2022, according to the vaccine-monger on PM this evening. Actually -- she spoke enthusiastically of being able to produce "hundreds of millions of doses" by "the end of next year", but (with everyone needing at least two shots, and it being by definition a worldwide problem and all) that's an order of magnitude less than will be needed. Let's be generous and assume they can churn out 10x the doses three months later, so "normality" returns around Q2-22.


Biting the hand that feeds IT © 1998–2021