* Posts by Tom Paine

2206 posts • joined 19 Aug 2008

Belgian defence ministry admits attackers accessed its computer network by exploiting Log4j vulnerability

Tom Paine
Facepalm

Concur

This, plus the generally cynical disinterest in security at most orgs*, is one of the main reasons I burned out after 20y in the trade.

* the ones prepared to employ me, anyway; obvious risk of sample bias... tho the list of employer logos branded onto my flesh includes some huge and systemically significant orgs. US mega bank, .org handling thousands of public and private sector megacorps’ data, fin servs big wheels.

Tom Paine

Ggl “red Molotov more complicated”.

Tom Paine

Re: And that would precisely *not* work

When it comes to Infosec, very little works in the modern world.

Tom Paine

Re: And that would precisely *not* work

For some value of “few”.

Tom Paine

Re: Old school.

It’s not the everyday people’s fault; it’s their management and their org’s Board of directors.

Tom Paine

What makes you think there IS a solution?

*clink

*cheersh!

Tom Paine

Agile hasn’t helped security, but don’t kid yourself that finding a new methodology - or reverting to waterfall or wtvr - would solve the problem.

Tom Paine

Old man talking, gather round

Apart from refs to agile, Rust and so on, every comment above could have been found on a bug-related Reg story 20 years ago.

The attack marks the first occasion that a NATO country's defence ministry has fallen victim to the flaws.

Yeah, well, that’s just your opinion, man. And “...as far as we know”.

ION,

NATO have been pwned many, many times before. (Hint: NATO is not, *itself*, a military org. No, really, it’s not. Surprised me, too.)

Veteran vulture Andrew Orlowski is offski after 19 years at The Register

Tom Paine

Thanks

...for forcing me to go read the actual science of climatology so that I /knew/ the denialist BS was BS, rather than merely strongly suspecting it.

I stopped reading El Reg for, what, 5? 6? years because it was so enraging. Delighted to find the new-old-Reg doesn't make me want to take a bite out of my coffee mug any more.

PS ...but bring back the "Integrity? We've heard of it" and "YOUR PC is broken and I'VE got a problem?" schwag!

UK Ministry of Justice secures HVAC systems 'protected' by passwordless Wi-Fi after Register tipoff

Tom Paine

Re: This is the fault of whoever installed it

Lowest bid? This is public sector procurement we’re talking about...

What you need to know about Microsoft Windows 11: It will run Android apps

Tom Paine

Re: Windows

I've been up-voting comments like this for what seems like decades. Wait.. it IS decades!

Shit I'm old. Still, it's nice to see CDE living on, in a manner of speaking.

Tom Paine

Re: Windows

How old are they?! AIUI TPM has been mandatory since Vista. Those desktops almost certainly have it; it's just not enabled in the BIOS or whatever the cool kids call it these days.

Facebook CEO puts picture of himself wearing too much sunscreen on new board

Tom Paine

That's a thing?

Too much salad, I mean sun cream? Whenever I feel lazy and go out without it I remember a bloke down my local with a literal hole in his head (he likes to whip his sunhat off to show it around) resulting from skin cancer prob due to time in the forces spent in various sunny locales.

Space Force turtle expert uncovers $1.2m Cape Canaveral cocaine haul

Tom Paine

"shouty nose sherbet" - v gd!

"Turtley unaffected" - well over the line; I shall be writing to my MP about this outrage!

NCSC chief: Ransomware is more of a threat to Britain than hostile nations' spies

Tom Paine

Ooh, 512 bit security, where can I buy one of those?

Cuffed: Ukraine police collar six Clop ransomware gang suspects in joint raids with South Korean cops

Tom Paine

So you could say it's a case of...

...Clop clipped?

(I am so very sorry)

Excuse me, what just happened? Resilience is tough when your failure is due to a 'sequence of events that was almost impossible to foresee'

Tom Paine
Mushroom

Good piece, but

...if management have any sense

That's quite a load bearing "if".

Bless you: Yep, it's IBM's new name for tech services spinoff and totally not a hayfever medicine

Tom Paine

A tip of the sombrero

A shout out to anyone who's inherited an AD forest or tree named NEWCO...

OVH founder says UPS fixed up day before blaze is early suspect as source of data centre destruction

Tom Paine

Re: Fuel

b'dum tish!

Tom Paine

Re: No excuse

"...as safe as they could be, consistent with the provider's business model."

OVH were only starting to become an option last time I looked for hosting, what, a decade or so back but IIRC they were always a budget provider. Low margin business with a huge capital cost equals considerable effort to shave costs where possible. Nothing wrong with that as long as customers are aware that to some extent you get what you pay for.

Tom Paine

At 250mph, it's going to be a struggle to make the turn onto the street outside the showroom...

Tom Paine

Fuel

The bit that slightly puzzles me is that there was enough flammable material to burn, once the source UPS had finished oxidising itself. Presumably the main fuel supply would be the plastic insulation on network and power cables, and obviously a DC will have a lot of both; then there are the little plastic trim panels on the front of servers, the handles of hot-swap PSUs and suchlike... but what else is there? Perhaps there's a tools cabinet with some ABS toolboxes or parts tidies... the wheels and grippy "rubber" mats on trolleys... cyanoacrylic light fittings? Does the material chip packages are formed from burn? Genuinely interested. I guess no-one here's got any personal experience of major DC fires because they seem to be so rare.

Another Windows 10 patch that breaks printers ups ante to full-on Blue Screen of Death

Tom Paine

Re: "in some apps"?

Had a text from my nearly-80 year old Dad yesterday. I'm copying this directly from my phone:

"I have bought an old vcr machinre to watch videos* on but have no leads to connect to the tv. Don't suppose you have any spare ones?"

(I have no idea what TV they have nowadays -- not been able to visit them for almost 3y, long story, but in normal times they visit me en-route for rellies three or four times a year -- and of course he'll have no idea what any of the sockets on the back of either appliance are anyway, so...)

Tom Paine

Re: "in some apps"?

I too have witnessed the terror...

Hacked by SolarWinds backdoor masterminds, Mimecast now lays off staff after profit surge

Tom Paine

Re: "Mimecast not only fell victim to the SolarWinds hackers ..."

We don't know. Why DOES it jump out at you?

Robinhood plays Sheriff of Nottingham as it pauses GameStop, AMC, BlackBerry etc stock sales, gets sued

Tom Paine

Re: It's a Pyramid Scheme

If it's never happened on /r/wallstreetbets before, I'm certain a bunch of people have noticed the precedent and are looking for the next stock vulnerable to such manipulation.

Tom Paine

Re: "the equity required to buy a stock with borrowed funds"

I see. You're advocating for a zero leverage rule? Presumably for all markets, not just equities?

Tom Paine

Re: "the majority of those insurgents are in the process of losing their shirts"

Well, OK, attempted rebellion, yes.

Tom Paine
FAIL

Nope

...an insurgency against the financial establishment and the status quo.

Some of them (most of them, maybe) see it that way, and the general public are buying that line; but the majority of those insurgents are in the process of losing their shirts. It's called "pump and dump" for a reason. The regulators' single most important function is to maintain the operation of orderly markets. This has not been an orderly market. The "ha ha, some hedgies have blown up" angle has left a lot of small investors holding wildly overvalued stock. The next trading day or two are not going to be pretty.

Anyone else here old enough to remember when BBC2's Money Programme ran a fantasy share buying game with four random amateur investors? Before long, whatever they tipped on Sunday night was shooting up on Monday morning, regardless of fundamentals, just because it'd been tipped. The segment was hastily cancelled.

Boss behind 'reset' of delayed, overbudget Emergency Services Network shifts to new 'digital' Cabinet Office role

Tom Paine
FAIL

I can picture the scene...

"The cabinet office is a rat's nest of warring fiefdoms, seething with distrust and mad policy ideas from undersocialised wonks. What could we do to make it even worse?"

"How about... /Digital Cabinet/. Quick, get the Trusted Providers on the phone!"

(With apologies to @SirBonar on Twitter)

Fail, because if it's not already, it soon will be.

US courts system fears SolarWinds snafu could have let state hackers poke about in sealed case documents

Tom Paine
Black Helicopters

Ummm

Could have accessed sealed cases against Russian hackers? Yeah... yeah, there's that, too. From an espionage PoV, cases relating directly to intelligence matters would be another obvious target, ditto those against "politically exposed persons", especially those towards the top of the tree. Less obviously, all sorts of other cases could be useful for an attacker, for all manner of purposes, from blackmail, to getting better knowledge of investigator TTP (and therefore how to escape detection)... I'm sure there are plenty of other use cases.

Whilst the "surgical strike" type attack is very rare, there's a big pressure to extract metadata ASAP to enable other analysts to ID material to exfiltrate. Trade-off between increased chance of detection if trying to exfiltrate petabytes, vs hanging around so long that they're discovered via other means (ie., the discovery of the SolarWinds trojan.) Must make for interesting discussions in whichever war rooms they have those debates.

United States Congress stormed by violent followers of defeated president, Biden win confirmation halted

Tom Paine

Re: Police Scotland

The results from an image search for "Scotland welcomes Trump" is a heartwarming sight.

Tom Paine

Yes but

I'm not convinced the time's right for a Jamiroquai come-back.

https://ichef.bbci.co.uk/news/976/cpsprodpb/392D/production/_116373641_gettyimages-1294932124.jpg

Tom Paine

Re: I wonder ...

...and the President has the power to pardon the VP for any hypothetical crimes he may accidentally have committed in the previous few years.

Tough call. Rather like Thermonuclear War: the only way to win is not to take part.

Tom Paine

Excellent post

Just to say thanks for not shying away from stuff that splatters, even when there's no obvious IT angle. This is why El Reg is still here whilst a myriad of other attempts at technology news sites have come and gone (or survived as a brand whilst the editorial teams were swept out like a dead mouse left overnight on the kitchen floor by a very proud puss.)

Well, on the bright side, the SolarWinds Sunburst attack will spur the cybersecurity field to evolve all over again

Tom Paine

Stupid question

From the quality of the threat design, the range of techniques used, and the nature of its victims, this was a nation state at work [..]

What is a "threat design"?

Google reveals version control plus not expecting zero as a value caused Gmail to take an inconvenient early holiday

Tom Paine
Trollface

Come on...

We've all been there.

US Government Accountability Office dumps sack of coal on NASA's desk over Moon mission naughtiness

Tom Paine

Re: Infinite loop

Given the unprepared and somewhat unpredictable mechanical properties of the lunar surface and regolith, how long a run on consecutive successful landings would you want to see before you got on one yourself? Obviously if a landing leg pad hits a rock, or they happen to hit an area with soft, loosely compacted topsoil, or.. various other things, and it tips over on landing, it's a TLV,TLC accident.

'Long-standing vulns' in 5G protocols open the door for attacks on smartphone users

Tom Paine
Meh

Astonishing

So the absolute latest and greatest mobile phone network technology, the one that (along with IPv6) was going to allow absolutely ubiquitous embedded systems in anything that moves (and a lot of things that don't move, or don't move after they've been bolted / screwed / nailed / welded into place)... that technology... has well-known, long-standing weaknesses in the protocols and architecture? You could knock me down with a feather. It's almost as if the designers, architects and research engineers were subconsciously making sure there'd be a need for designers, architects and engineers to develop 6G at some point. Or something.

US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor

Tom Paine

"full rebuild"

Perhaps they had enough canned lateral movement tools that, although they only had bandwidth to properly turn over (say) a dozen of the 18,000 and exfiltrate crown jewels, they were able to implant stealthy persistence agents elsewhere in those victims' networks. So, does "total rebuild" refer to every server in every customer org? Or "all the things"? (How about switches and routers? How about printers? How about bootkits -- shouldn't they chuck all hardware into skips the day after cutting over to the perfect replica of the entire network to known-good replacements?

And even that won't give assurance; supposing the restore data from backup step includes another downloader stage that's missed from AV?

Sometimes I'm very grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed if I want, and second when I remember what hell I'd be going thru rn if I was still at anywhere I worked in the last 8 years.

SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks

Tom Paine
Headmaster

Pedant's corner

"..hackers, had penetrated FireEye's servers and made off with its crown jewels: the tools it uses to test other companies’ defenses. Armed with those penetration tools, hackers could potentially identify which of their methods will pass FireEye's gaze undetected."

No. The tools will be things like scanners, exploit frameworks and standalone exploits for vulnerabilities, which they use to find and exploit those vulns in their pentest customers' networks. They don't have anything (directly) to do with FireEye spotting other attackers in action.

45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

Tom Paine

Re: Who is at fault?

I may be reading too much between the lines, but these don't sound like leaks from the mainstream NHS.

CentOS project changes focus, no more rebuild of Red Hat Enterprise Linux – you'll have to flow with the Stream

Tom Paine

Well WHO could have seen THAT coming?

How tediously predictable, and how pointlessly short-sighted for anyone in the IBM / RH command structure that wants to grow a sustainable long-term business. 2020's least surprising development.

Crooks posing as COVID-19 'cold chain' company phished EU for vaccine intel, says IBM

Tom Paine

Off the top of my head:

- nicking email or other docs that can be selectively leaked to give the impression the vaccine's unsafe, or was stolen from Russia, or contains Bill Gates' famous microchips or whatever.

- straightforward industrial espionage

- blackmail attacks

- to compromise part of the pharmaceutical industry via the supply chain for the same motives as anyone else attacks pharma targets (fraud, theft, blackmail etc); nothing to do with SARS-Cov-2 per se, it just happens to be what's going on RN so that's the angle they're using

- straightforward financial fraud or theft ("Hi this is China FreezerCo Inc, pls remit payment for latest deliveries in bitcoin to: ... ")

No doubt experts can suggest several others

Tom Paine

Re: Crooks phishing for COVID vaccine intel

Depending who's doing it, they may be motivated by patriotism, or by fear of the state (China in particular likes acquiring cheap cyber talent by nicking crooks and offering them the choice of a labour camp or Unit 17xyz.)

Tom Paine
Black Helicopters

"Unusual"

...it would be unusual for an attack impersonating a Chinese company to originate in the West.

If you were planning a false flag op, wouldn't you want to pick an org least likely to be suspected to be a front? Nothing particularly secure about Chinese commercial IT ops, in terms of security. You'd need to know the language and some of the culture, of course...

*strokes chin, steeples fingers, reaches for the metaphorical bong

IBM warns staff across the business of fresh 45-day redundancy consultations

Tom Paine

Re: Last one out

My thought was surprise that they still have enough employees left that they can afford to sack several hundred more. Anyone got the numbers on that?

Yes, it's down again: Microsoft's Office 365 takes yet another mid-week tumble, Azure also unwell

Tom Paine
Coffee/keyboard

Round and round we go...

This may be a good time to note that Microsoft is planning to deliver an offline-capable version of Office toward the end of next year.

It's with astonishing innovation like this that Microsoft keeps driving technology forward to hitherto undreamed-of heights. Next they'll be planning an AD that is physically located **in your actual offices!** Imagine how cool that will be!

NHS COVID-19 launch: Risk-scoring algorithm criticised, the downloads, plus public told to 'upgrade their phones'

Tom Paine

Two questions

1. Why does the Android version, at least, refuse to run without location services running? I leave GPS, WiFi triangulation and whatever other skullduggery is available for apps that want to know where I am. It shouldn't need location. How come? And why has that not been mentioned before? As I'm definitely a bit of a weirdo for turning it off, presumably 99.9% of Android users don't realise it's happening. What is the data used for? Does it ever leave my device? Why should I trust the a seers, in these circs?

Damn, that's six questions already.

2. What defences does it have against griefer attacks? Eg kids loitering near their school staff room, then falsely telling the app they have tested positive. There are probably others.

It's IPO week and one of Wall Street's own is raising the spectre of a stock market crash

Tom Paine

Tool and trouble

US equities have been insanely overvalued for years. It's little consolation that various people who've ignored my warnings of imminent soon since 2014 have made small fortunes doing so....

Biting the hand that feeds IT © 1998–2022