* Posts by Tom Paine

2255 publicly visible posts • joined 19 Aug 2008

So, you're 'ISO 27001 accredited', huh? Just saying so doesn't cut it

Tom Paine

Re: Standards are biased towards large companies

if you're a startup of two people you don't need ISO 27001. Obviously.

For "simple basic security standard that every org should be able to meet", you want IASME / CyberEssentials.

https://www.iasme.co.uk/

New satellites could cause catastrophic space junk collisions

Tom Paine

The boffin quoted in the final par seems to be under the impression commercial satellites are a new phenomena...

And the claim that there might be 50% more collisions is pretty unexciting when you remember there's only ever been a single incident of two satellites colliding (afaik?)

Prisoners built two PCs from parts, hid them in ceiling, connected to the state's network and did cybershenanigans

Tom Paine
Devil

"As far back as I could remember, I always wanted ta be a sysadmin."

Payday lender Wonga admits to data breach

Tom Paine

Re: Cheap labour

It - or They -- can't eviscerate GDPR after Brexit, as they won't be able to collect PII data from EU citizens without it.

All e-commerce sites collect PII, in order to village you and deliver the product or service. No GDPR, no trade with Europe more advanced than bartering cockleshells for potatoes.

Tom Paine

Re: Cheap labour

now if this had come a year later when GDPR is in effect and the maximum fine ramps up to the greater of £20m or 4% of turnover, it may have been different...

Don't worry -- it will be...

Tom Paine

Re: Cheap labour

That's quite an idea, there, though it sounds like what everyone says after this sort of thing for the last 15 years. Stuff mandatory ISMS frameworks and regulatory compliance... Just levy massive fines on any firm that gets hacked. Say, £10 per account. (Of course it would be bad to put firms out of business... it should be possible for them to pay on an installment basis. With appropriate interest charges *evil grin* ). Naturally we'd also need a mandatory disclosure law, with very severe penalties for non-compliance.

Put down your coffee and admire the sheer amount of data Windows 10 Creators Update will slurp from your PC

Tom Paine
Facepalm

Re: Soft target?

I have a phone where you can power networking off separately and independently:

a) all dataconnections including gprs

b) wifi

c) bluetooth

And all of those are in a quick-access menu, literally one swipe and a tap to turn on/off.

Not doing it that way in google-phone is a choice made by Google, nothing else.

Again, "eh?" It's one swipe and a tap on my Android phone to turn off all the radios, or to toggle wifi off/on. Or one swipe, one tap, and a bit more scrolling and tapping in the general prefs app to turn the other radios on/off.

Tom Paine

Re: Soft target?

Google, for "unknown" reasons,

Eh? I don't think it's a surprise Google are an advertising firm who make money by targeting ads according to their analysis of your usage of their services. It was well known when Gmail was launched in 2004...

Tom Paine

Maybe you missed the memo, but ISPs have to store your full browsing history for a year in case the government want it. They don't need to bother MS if they decide they DO need it, they just clikitty-clickitty on the extranet into your SP, and done.

Obviously very few people will have that happen to them, because human analysts (even on the pitiful GCHQ salaries) are expensive and a few hundred people can't read that many people's mail.

Germany gives social networks 24 hours to delete criminal content

Tom Paine

Re: Deutschland über alles. I think we have heard that before!

I suspect you meant "for the win", not "for the world"...?

Tom Paine
Facepalm

Re: This will be interesting and maybe nasty

So looks like using TOR will become mandatory for posting anything potentially controversial in Germany...

Yeah, right. I'll believe it when I see it, which is to say, never.

Tom Paine

Re: This will be interesting and maybe nasty

Taking CCNs from customers, even if they don't charge them, to verify identity - or any other method - would go down like a slurry-filled lead balloon with the social media providers, for obvious reasons. You can expect them to make that the very, very last resort. I imagine they'd try blocking access entirely from any country that tried to implement such a law, rather than comply (or just stop operating their business in that territory, in which case the whole thing's irrelevant.)

Tom Paine

Re: Enforcement?

It's relatively easy for a website to serve content based on IP address, which would allow them to serve content accordingly

The first part of your statement is correct. The second part... not so much. (Hint: my employer's EMEA net blocks are SWIP'd to our London HQ... )

Tom Paine

Insults??

“insults, libel, slander, public prosecutions, crimes, and threats.”

Insults? INSULTS?! So posting "Merkel's policies are so bad, she must be a complete idiot" would get my account deleted?

Interesting..

I certainly can't imagine any unintended consequences arising from this, no sir... *doubtful look*

Twitter sues US govt to protect 'Department of Immigration employee' who doesn't like Trump

Tom Paine

AIUI: it's not illegal for you to publish a blog post about how your employer is a bunch of crooks churning out crap products that shit on your carpet and defrost your fridge. You can't be prosecuted for it; it's not a crime. However your employer's at liberty to fire you if they find out you've been slagging them off. Your anonymity may or may not be protected, depending on the Ts & Cs of the publishing platform you use and their propensity to roll over when presented with demands from a lawyer.

Outsourcers blamed for cocking up programmes at one in three big firms

Tom Paine

Re: Outsourcing only works...

Or maybe we're all just talk and no action.

I once had this brilliant business idea; a product I could prototype myself in the metaphorical garage, with what seemed to me like a pretty good marketing, sorry, "go-to-market" story about what it was and why you'd want to pay lots of money for one. I spent six months or so of spare time working on this idea and getting quite over-enthusiastic. Anyway, during this period I heard a round table discussion of some sort ("Bottom Line" on BBC R4, perhaps?) that included a guy from Google who made what seemed to me an astute observation:

Any fool can have an idea. It's all about the execution.

Needless to say I realised I was in the "any fool" category, rather than the "future Dyson, Curry or Zuckerberg" category.

Maybe I'm not the only one here that could say that...

Tom Paine

"talent models"??

"In the current [Brexit] climate, some [companies] will be focussing on issues such as [...] assessing talent models"

What the planet of hell is a "talent model"?

Anyone care to guess?

I assume "talent" means "employees"...?

Reg lecture exposes the radicals intent on remaking your society

Tom Paine
Pint

appropriate tributes

A pint (appropriately) for the Jazz Butcher!

Everything's fine, says Cylance, as workers given the boot

Tom Paine

Hint from me to you chasing those stock options is not worth the shit management roulette which is exactly what you just got done playing if they are missing targets by that much for the size of the company. If you have or are thinking of starting a family anytime soon avoid anything sexy when it comes to business.

Hint from me to you: punctuation is useful. Use it.


ION, chasing stock options CAN be worth it if you luck out. I personally have had the experience of witnessing almost everyone around me getting the "excited to announce we're being acquired" email that meant they just cleared their mortgage and got to go buy a silly car. Sadly I was six months too late for the stock-option confetti, which was a bit of a choker, but some people definitely did hit the jackpot.

That said, it didn't really affect how hard I worked - I carried on doing 60h weeks without overtime, as you do, because... well, because you do. (Right, kids?)

*shrug*

Tom Paine

Re: "a 2 month demo"....

Large enterprise CISO's are too smart to fall for these tricks.

Would that it were so! Unfortunately if you survey the security marketplace, and especially look at the young, startuppy crowd who're spending a lot on marketing and publicity-generating activity like having researchers who might get press for a whitepaper now and then, there's an awful lot of snake oil being sold by firms nominally valued in the $50-$250m range. A lot of the founders of these places will time their exit nicely and walk away with a couple of houses, a Ferrari and a couple of million in their pension, leaving a steaming pile of nothing in the hands of one of the large well established firms who buy them to put them out of business. They're all leveraging the power of large numbers of non-technical general managers who've been put in charge of security without knowing much about it, but who know convincing marketing when they see it. In short, there are plenty of CSOs and CTOs who, whilst not being idiots, just don't know enough to distinguish BS from real security, and who need the warm fuzzy feeling of having "invested" a lot of money in security.

China-based hacking crew pokes holes in UK firms and drains data

Tom Paine

Re: Useless

The IOCs are in the Kaspersky report, if you click through:

https://securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf

Andreesen Horowitz tips $10m into American AI drone upstart

Tom Paine

Couple of things...

(1) presumably if your drone gets suddenly hurled against a wall and telemetry drops out, presumably you know you've located the adversary even if the drone's cameras don't glimpse them. Doesn't give you much other tactical data, granted

(2) Frogstar Scout Robot, Class C?

Steppe thugs pacified by the love of stone age women

Tom Paine

Re: Dont Tell UKIP or Britain First

Obligatory Get Back In The Sea!: https://www.youtube.com/watch?v=HmiQgwME6oE

Tom Paine

a culture where breaking through the defences of another village to claim a wife was part of becoming an adult. This helped to ensure genetic mixing at a time when the vast majority of the population otherwise wouldn't travel more than a few miles from their birthplace.

First I've heard of it, got a source?

'No deal better than bad deal' approach to Brexit 'unsubstantiated'

Tom Paine

Re: Unforseen consequences of Brexit, number 93

I wonder what Dr Stabismus has to say about it.

Tom Paine

"It must be fun being a European leader at the moment."

Not something Theresa May will know about for very much longer.

Eh? The Tories have a historically huge lead over Labour unseen since May 1983 (Labour were seven or eight points above where they are today in early 1983, even after the Falklands effect, believe it or not.) May is also the darling of the sewer press at the moment -- unless they're preparing a reverse ferret over this morning's bombshell that freedom of movement & rights to work & residency are likely to remain well past 2020 -- so at the moment she's in about as solid a position as any British PM's been in my lifetime.

Now, by 2020, I personally am of the opinion that the wheels will have completely come off the Brexit bandwagon and everyone will be looking around for someone to blame for coming up with the crazy idea in the first place. My prediction is that the Lib Dems will make a massive resurgence in 2020, due to deserting Tory voters who would never vote for a Corbyn Lab party in a million years. I've been wrong before, I'll be there again, etc etc., but... well, we'll see.

The big boys made us do it: US used German spooks to snoop on EU defence industry

Tom Paine

What evidence is there to support that claim?

(Spoiler alert: "none whatsoever".)

It's bog standard industrial / geopolitical espionage. We all do it. You may remember that awkwardness about Airbus vs Boeing, a few years ago? (eg http://www.glimpsefromtheglobe.com/topics/economics/explaining-airbus-boeing-rivalry/ )

US ATM fraud surges despite EMV

Tom Paine

Imprinters

the US has A LOT of rural areas where you would be amazed to find they still use imprinters...

What's an "imprinter"??

clickitty clickitty...

https://www.google.co.uk/search?q=credit+card+imprinter&safe=strict&source=lnms&tbm=isch

OMFG! 8o I haven't seen one of those since, what,.. the early 1980s? The US really is going down the pan :S

Tom Paine

Re: What you don't know

* Jaw hanging open...

That really is astonishingly dysfunctional. Something about the operation of market forces in the US is broken in a very fundamental way.

Tom Paine

Re: The larger problem in the US

Wow, if you're having that much aggravation getting retailers to adopt Chip & PIN, gods know what they'll make of contactless... but by the sound of it you'll have 20 years to prepare for it.

So my ISP can now sell my browsing history – what can I do?

Tom Paine
Unhappy

Re: simples

Just turn off all wifi security on your access point and change the SSID to "Free WiFi".

All fun and games until the Federales knock on your door asking about all this child porn you've been downloading...

Tom Paine

Fundamental problem

"The irony is that if you had proper competition, with six or seven ISPs to choose from, then all these problems with privacy and net neutrality would wither and die," Jaspers opined. "Companies could differentiate and the market could shake down the best solutions for people."

Exactly, and this is my problem with Net Neutrality as well. It's a bandaid workaround for a broken market. Fix the market, need for NN goes away.

yeah yeah, I know, easier said than done.

US Customs sued for information about border phone searches

Tom Paine

"If y'all could stop spreading terrible travel opsec advice... "

The Grugq, who knows whereof he speaks: "Stop fabricating travel security advice. Advice that includes lying to federal officers is worse than useless" :

https://medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869

Tom Paine

Re: Been happening for years.

https://cdn-images-1.medium.com/max/800/1*P_S9uL56-W1n-h8pLwb0iA.png

https://medium.com/@thegrugq/stop-fabricating-travel-security-advice-35259bf0e869

See subsequent Grugq posts for rather better advice about crossing the US border.

Tom Paine

Re: Been happening for years.

I would have been more offended if I had not (a) had nothing of value on the machine anyway,

All-time favourite opsec fail: misjudging the value of your data (or system, account creds,.. whatever) to attackers.

This used to be a thing when people refused to run AV because "I've got nothing worth hacking". Nowadays apart from banking and CC data, most people have some sort of idea that their bandwidth and processor cycles may have a value to an attacker.

Hertfordshire primary school girls prepare for World Robotics Champs

Tom Paine

Re: Would love to donate

You CAN just Paypal it. Read the page again

'Clearance sale' shows Apple's iPad is over. It's done

Tom Paine

Ofcom's Communications Market survey last year showed 5 per cent more households owned a tablet than in 2015, at 59 per cent. Laptop penetration is 64 per cent. We can surmise that everyone who wants computing at home already has one.

That's quite a non sequitur, if you don't mind me saying so. I'm 100% certain that a significant chunk of that 35% of the population who don't have a laptop in the household would rather like one, but can't afford it. (I myself have only a £200 quid Happy Shopper craptop at home, which just about suffices for basic web, multimedia and Office usage, whilst enabling me to practice controlling my temper and developing a zen-like tranquility whilst waiting for Twitter, Facebook and other bloated script-framework heavy sites to start reacting. (Remember the good old days when web sites just used a browser's native implementation of standard FORM elements to interact with the user, rather than recreating everything from scratch with Javascript? And when having to reload a page to see it change was, well, just what you had to do? And you could write a website in Notepad... uphill, both ways... *sigh* ... )

Dishwasher has directory traversal bug

Tom Paine

Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it.

* Reads it again... no, still wrong.

Directory traversal typically means read-only access. You need something very different to be broken or misconfigured before external users can connect and upload arbitrary files which they can then execute. (If it's properly set up, the attacker can only execute code as the 'nobody' or 'apache' user, or similar restricted access / unprivileged account. Preferably in a chroot, jail, or similar segregated fake environment.)
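An added illustration of the point made in the post above (example code written for this page, not from the article, the commenter, or any dishwasher firmware): a naive static-file handler next to a hardened one. The web root, the index.html and the secret.txt one directory up are all constructed in a temp directory so it runs offline; the function names are invented for the demo. Note that the vulnerable handler only ever calls open() for reading, which is the read-only primitive the post describes; turning it into upload-and-execute needs a separate, unrelated defect.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox standing in for a web server's document root:
# htdocs/index.html is meant to be public, ../secret.txt is not.
_sandbox = tempfile.mkdtemp(prefix="traversal-demo-")
WEB_ROOT = os.path.join(_sandbox, "htdocs")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>hello</h1>")
with open(os.path.join(_sandbox, "secret.txt"), "w") as fh:
    fh.write("not for the web")


def serve_vulnerable(request_path: str) -> str:
    """Naive static-file handler (hypothetical): URL-decodes the request
    and joins it straight onto the web root. '../secret.txt' (or the
    encoded '..%2Fsecret.txt') walks out of htdocs.
    What this gives an attacker: a read of any file the server's uid can
    read. Nothing here writes a file or executes anything."""
    rel = unquote(request_path).lstrip("/")
    with open(os.path.join(WEB_ROOT, rel), "r") as fh:
        return fh.read()


def safe_path(base: str, request_path: str) -> str:
    """Resolve the request ('..' and symlinks included) and insist the
    result still lives under base; reject anything that escaped."""
    base_real = os.path.realpath(base)
    rel = unquote(request_path).lstrip("/")
    target = os.path.realpath(os.path.join(base_real, rel))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes web root: {request_path!r}")
    return target


def serve_hardened(request_path: str) -> str:
    """Same handler with the containment check in front of open()."""
    with open(safe_path(WEB_ROOT, request_path), "r") as fh:
        return fh.read()


def is_rejected(request_path: str) -> bool:
    """True if the hardened handler refuses the path outright."""
    try:
        safe_path(WEB_ROOT, request_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for p in ("index.html", "../secret.txt", "..%2Fsecret.txt"):
        print(p, "->", "rejected" if is_rejected(p) else serve_hardened(p))
```

The check compares the realpath of the resolved target against the realpath of the root rather than looking for ".." in the string, so encoded dots, symlinks inside the root and trailing-slash tricks all fall to the same test. Running the server as an unprivileged user and in a chroot or jail, as the post says, limits what the read primitive reaches if the check is ever bypassed.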

UK Home Sec: Give us a snoop-around for WhatApp encryption. Don't worry, we won't go into the cloud

Tom Paine

Re: Colour me surprised

No, no, no. [Good] encryption (by definition) cannot be compromised. The security of the system, though, can be easily compromised by circumventing the crypto.

I've had reason in the last few days to memorise this: it's Shamir's Third Law of crypto.

Astroboffins stunned by biggest brown dwarf ever seen – just a hop and a skip away (750 ly)

Tom Paine

Re: It's quite a small object

The correct response to the missing mass problem would be to develop a new hypothesis that fits the observable universe, rather than assuming that there is invisible, unmeasurable mass so that the existing hypothesis can be maintained.

And no doubt a lot of doctoral students are wracking their brains to do just that; but in the meantime, the Standard Model plus the bolt-on of dark matter describes everything observable from CERN scales up to the CMB. It doesn't have to be true as long as it works, and providing we don't stop bothering to look for a deeper description.

No?

After London attack, UK gov lays into Facebook, Google for not killing extremist terror pages

Tom Paine

Re: Google is an index

It's almost as if the Daily Mail Group (DMG) and the rest of the scumsuckers had some sort of conflict of interest -- say, for instance, some sort of financial incentive to want to do them down.

But that's ridiculous. Everyone knows Dacretrash is the epitome of the hard-bitten newshound, relentlessly pursuing the truth wherever it may lead. (Except for his proprietor being a French-resident tax exile and Dacre himself pocketing millions in EU farm subsidies, of course, because they don't count.)

OH WAIT!!!!

https://www.theguardian.com/media/2016/may/26/dmgt-print-ads-daily-mail-mail-online-metro

Tom Paine

Re: Daily Mail - Hypocritical?

Ads syndicated by Google, yes, and using Google Analytics (the web tracking bugs and whatnot). Fire up Wireshark one day and check out how much crap from third party sites a typical Fail page contains.
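A static version of the Wireshark exercise suggested above, added as an example for this page (not the commenter's code, and not fetched from any real newspaper site): walk the HTML of a page and tally which third-party hosts the browser would be sent to for scripts, images, iframes and stylesheets. The page URL, the "example-news.co.uk" first-party domain and the HTML itself are constructed; the tracker and ad hostnames embedded in it are the common ones but the tags are made up. Wireshark would also show the second-order requests those scripts make once they run, which a parse of the HTML cannot see.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page, not fetched from anywhere: a first-party article on a
# made-up news site that embeds a typical spread of ad and analytics tags.
PAGE_URL = "https://www.example-news.co.uk/news/article-123.html"
FIRST_PARTY_DOMAIN = "example-news.co.uk"   # assumption: the site's registrable domain
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<script src="https://connect.facebook.net/en_GB/sdk.js"></script>
</head><body>
<img src="https://i.example-news.co.uk/pics/hero.jpg">
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<iframe src="https://tpc.googlesyndication.com/safeframe/1-0-38/html/container.html"></iframe>
<script src="/static/app.js"></script>
<script src="https://sb.scorecardresearch.com/beacon.js"></script>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect the URLs a browser fetches while loading the page:
    script/img/iframe src and stylesheet link href, made absolute
    against the page URL (so '//host/x' picks up the page's scheme)."""

    SRC_TAGS = {"script", "img", "iframe"}

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.resources: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_TAGS and a.get("src"):
            self.resources.append((tag, urljoin(self.page_url, a["src"])))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.resources.append((tag, urljoin(self.page_url, a["href"])))


def is_third_party(host: str, first_party_domain: str) -> bool:
    """A host is first-party only if it is the registrable domain itself
    or a proper subdomain of it; 'example-news.co.uk.evil.net' is not."""
    return host != first_party_domain and not host.endswith("." + first_party_domain)


def third_party_report(html: str, page_url: str, first_party_domain: str) -> dict:
    """Map each third-party host to the number of resources pulled from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    counts = Counter()
    for _tag, url in collector.resources:
        host = urlsplit(url).hostname
        if host and is_third_party(host, first_party_domain):
            counts[host] += 1
    return dict(counts)


def resource_totals(html: str, page_url: str, first_party_domain: str) -> tuple[int, int]:
    """(total resources, third-party resources) for a quick ratio."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    third = sum(third_party_report(html, page_url, first_party_domain).values())
    return len(collector.resources), third


if __name__ == "__main__":
    total, third = resource_totals(SAMPLE_HTML, PAGE_URL, FIRST_PARTY_DOMAIN)
    print(f"{third} of {total} resources go to third parties:")
    for host, n in sorted(third_party_report(SAMPLE_HTML, PAGE_URL, FIRST_PARTY_DOMAIN).items()):
        print(f"  {host}: {n}")
```

The first-party test is a suffix match on the registrable domain rather than on the bare hostname, so CDN subdomains of the site count as first party and a look-alike domain does not. Feed it a saved copy of any real page and its own domain to get the static count; pair it with a packet capture to see the rest.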

Tom Paine

Re: They would solve three problems at once

Perhaps because you haven't studied Government and Politics or similar subjects?

Tom Paine

Re: They would solve three problems at once

1 - they reduce the help to terrorists (the question there is where to draw the line - would Breitbart still be allowed?)

No, the problem isn't Breitbart -- as they've been implicated in inciting and encouraging terrorism on multiple occasions, so it's obvious they should be blocked. No, the real problem is the Daily Mail, Express, Sun and Telegraph. Really hard to write a law banning race or religious-based hate and incitement that wouldn't also catch those particularly repulsive turds in the sewer of the British press...

Tom Paine

If you couldn't figure out half a dozen instant showstoppers with your movie plot threat scenario in the time it took you to compose your post, you must be a very, very fast typist.

Tom Paine
Mushroom

Cui bono?

What a remarkable coincidence that the sewer press should turn their flamethrowers of bourgeois ignorance and knee-jerk moral control-freakery on the very organisations that are putting them out of business by taking all their advertising revenue!

Funny old world, isn't it?

Amazing new WikiLeaks CIA bombshell: Agents can install software on Apple Macs, iPhones right in front of them

Tom Paine

Re: Beware strangers bearing gifts

What makes you think it would be a stranger?

Tom Paine

The main goal

...debunking specific claims and misrepresentations made by WL, though useful and interesting, misses the point of the whole exercise, which is to install the firm idea in Westerners that their governments are just as Russia's, that every email or IM we send is pored over by a human analyst tasked with keeping our files up to date, and so on and so forth. As such it seems to have been a roaring success.

(The other function of course has been to act as a cutout for the FSB/GRU to release stuff like the Podesta emails.)

USA can afford golf for Trump. Can't afford .com for FBI infosec service

Tom Paine

Re: Golfing harms nearly no-one

Wise words in the general case, but in this specific instance I don't think there's much to worry about. He's stayed at a Trump branded resort / golf club every single weekend since taking office.

Boffins crowdsource hunt for 'Planet 9'

Tom Paine

Exactly what I was going to say (dammit!) --

The Register asked Tucker to flesh out why the search isn't using artificial intelligence.

The answer is "for the same reason they're not using carbon nanofibres or genetic engineering", i.e., it's the wrong tool for the job. Image recognition to hunt for unexpected moving objects (automated blink comparison) was likely one of the first things astronomers used computers for once digital imaging became the default.