* Posts by GloomyTrousers

30 publicly visible posts • joined 30 Jun 2009

Another security calamity for Capita: An unsecured AWS bucket


Re: "No bank details" - Whoopee fucking do

It's the standard response, a bit of misdirection to make it seem better. As if bank details are the only thing that matters if there's a data breach.

Techie fired for inventing an acronym – and accidentally applying it to the boss


Keyboard driver error

Surprised this one hasn't been mentioned yet. Nice plausible deniability, but if you know, you know.

Irish privacy watchdog sticks GDPR probe into Facebook after that online giveaway of 533 million profiles


Re: data slurp

> WhatsApp will refuse to work if you don't give it access to your address book

Are you sure about that? I was forced to install it for... reasons... but never granted it access to my address book and it works fine. This is on Android.

There was hope Samsung had turned a corner in repairability, but the Galaxy S21 Ultra is a step backwards


upgrade cycle "elongated dramatically"

...to 2.5-2.8 years. That's just shocking - what's wrong with you(*) all? Money to burn?

Currently running a 7 year old phone here (S5 + LineageOS) which was second-hand when I bought it. Currently on at least its third battery(**) and otherwise fully functional, although just starting to feel like it's struggling as apps gradually bloat over time.

(*) doubtless there are exceptions around here

(**) last of the Samsungs to have a removable battery

I built a shed once. How hard can a data centre be?


Re: I got paid for xmas overtime.

Thanks, that was a great story and worth an On Call article by itself!

Happy New Year, all.

Who knew that hosing a table with copious amounts of cubic metres would trip adult filters?


I'll refer you all to https://en.m.wikipedia.org/wiki/Gropecunt_Lane - commonly now renamed as Grape Lane in various English towns and cities.

BBC makes switch to AWS, serverless for new website architecture, observers grumble about the HTML


Re: "Instead, the BBC team devised a new architecture based on serverless computing."

The UK government will be part of Amazon soon.


As we stand on the precipice of science fiction into science fact, people say: Hell yeah, I want to augment my eyesight!


Re: "testing the limits of what's possible"

You pedant.

...of which I wholeheartedly approve (as my kids will attest). Top marks, have one on me ->

C'mon SPARCky, it's just an admin utility update. What could possibly go wrong?



rm does, now, protect you from recursive deletes of your root FS. You have to pass it "--no-preserve-root" in order for total destruction.


I wonder how many stressed-sysadmin-hours that feature has saved :-)

Microsoft's Teams goes to bat for the other team with preview on Linux



I recently discovered rclone, which has the ability to connect to onedrive, and can mount it as a filesystem. It can also stack a caching layer on top of your mount so it is tolerant of intermittent network issues e.g. on train Wi-Fi. So now I have my work onedrive mounted at ~/onedrive and can read and write files (more or less) as if they were local. Worth a look!

No happy ending for the 93,000 Kazakh domains that got nixed instead of massage parlour's site


Re: Tilda and the Barbarians

Hostname is also sent in the clear, even in HTTPS connections. Look up "SNI".

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene


Re: Password must be politically correct

> Complaining is in their job title.

And, counting the downvotes, I see there's three of them (currently) who have been here.

Google now minus Google Plus: Social mini-network faces axe in data leak bug drama


Re: Linux kernel devs

Speaking of federated social networks... from what I've seen, a lot of people from G+ are heading to Diaspora - specifically, https://pluspora.com/.

OK, Google: Why does Chromecast clobber Wi-Fi connections?


Re: My Kids also have Google Bug

I've looked into replicating your bug; alas I was unable to reproduce.


Defend yourself against ISP tracking in a Trump-era free-for-all


Re: What is metadata, exactly?

"the rest of the connection info, including the requested URI, is encrypted." - not quite true: SNI (Server Name Indication) leaks the hostname you're requesting as part of the TLS (HTTPS) handshake. As you say they can also infer it via the DNS lookup, but in practice they probably wouldn't do it that way.

China staggering under WannaCrypt outbreak


Re: Nervous criminals

Up to $64k now. See https://twitter.com/actual_ransom.

Still, for the time it took to write, the risk, and the fact that they don't dare actually extract the cash, the miscreants aren't gonna see a very good ROI :-)

Greater Manchester cops fined after victim interview vids lost in post


Taxpayer loss

Not that I am excusing the situation, but presumably the resulting fine goes back into the public purse, so net loss to the taxpayer is nil. Actually it isn't quite nil, there'll be some transmission loss in the process (fees to lawyers, mainly), but still...

PC survived lightning strike thanks to a good kicking


In my last (small) company we had a couple of dozen Vaios over a few years, various models, and I recall almost all of them stopped working less than a year after warranty expiry. That is some quality manufacturing to achieve that kind of engineered-in failure rate! However, one of them was obviously sub-standard as it failed a few days *before* its warranty lapsed - took weeks for them to fix it though.

Defence in Depth: A 'layered' strategy can repel cold attackers


Re: Analogies

Actually the military analogy is apt. A determined attacker won't just hit the second layer of your onion and give up, they'll keep poking until they find a way through that layer. Against this form of attack, detection and response (counter-attack) are necessary. Static defences fail eventually.

To use another analogy, on your office block on a quiet industrial estate, locked doors at night aren't enough. Burglar Bill will break the window to get in. At this point your burglar alarm goes off, police respond, and all being well nothing much gets nicked (and they may even catch him). Without the detection and response, contents of locked rooms, the safe, etc. (more layers of your onion) can be breached - your entire business could vanish in the back of a transit van over a bank holiday weekend.

Oi! Linux users! Want some really insecure closed-source software?


Re: Spinning metal hedgehog

Have an upvote, on the basis of that last sentence alone. Top stuff, sir.

Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?


Re: Standards in the US would also affect china, due to dev costs

> So what happens when two regions give conflicting mandates

Bit of a straw man here. It *could* happen, occasionally - but do you really think it'll be the norm?

Mercedes answers autonomous car moral dilemma: Yeah, we'll just run over pedestrians


It's the cyclists

@Doctor Syntax: so by your highly scientific survey, pedestrians and drivers are flawless, and only some cyclists are not? I'll hazard a guess that those individuals of which you speak are dangerous/inconsiderate/oblivious more than the average, regardless of their current mode of transport, and you just notice them more when they're cycling due to your own inherent biases.

You should probably check actual statistics, which would show you that in (say) car vs. cyclist accidents the car driver is found at fault in the majority of cases.

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January


Silly question...

...but how are they going to reliably determine that a site is asking for a credit card number? Am I missing summat? Asking for logins, I suppose you could look for <input type="password"... /> and flag on that basis, but I can't think of a reliable method for credit cards.
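Added worked example (editor's, not the commenter's) of the kind of heuristic the comment is asking about: a scanner that flags `<input type="password">` directly and guesses card-number fields from the HTML `autocomplete="cc-number"` token or from field names that look like card numbers. This is a plausible heuristic for illustration, not Chrome's actual implementation; the sample form is constructed.

```python
import re
from html.parser import HTMLParser

# Field names that usually mean "card number" when no autocomplete hint is given.
CARD_NAME_RE = re.compile(r"(card.?n(um|o)|ccnum|cc.?number|\bpan\b|creditcard)", re.I)

# Constructed checkout form for the demo.
PAGE = """<form action="/checkout" method="post">
  <input type="text" name="email">
  <input type="password" name="pwd">
  <input type="text" name="cardnumber" inputmode="numeric">
  <input type="tel" id="expiry">
  <input name="cc-cvc" autocomplete="cc-csc">
  <input type="submit" value="Pay">
</form>"""


class SensitiveFieldFinder(HTMLParser):
    """Walk a page and record inputs that collect a password or a card number."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        itype = a.get("type", "text").lower()
        ident = a.get("name") or a.get("id") or "?"
        if itype == "password":                     # the reliable case: the browser knows for sure
            self.findings.append(("password", ident))
            return
        if itype in ("hidden", "submit", "checkbox", "radio"):
            return
        # Card numbers: the standard autocomplete token is authoritative, the name is a guess.
        label = a.get("name", "") + " " + a.get("id", "")
        if a.get("autocomplete", "").lower() == "cc-number" or CARD_NAME_RE.search(label):
            self.findings.append(("card-number", ident))


def insecure_collection(url: str, html: str):
    """Sensitive fields collected over plain HTTP; empty when the page is HTTPS."""
    if url.lower().startswith("https://"):
        return []
    finder = SensitiveFieldFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for kind, field in insecure_collection("http://shop.example/checkout", PAGE):
        print(f"{kind} field {field!r} served over HTTP")
```

The password case is exact; the card case is a guess that misses fields with names like `f1` and no autocomplete hint, which is precisely the commenter's point. A site that wants its checkout recognised correctly can add the `autocomplete="cc-number"` token, which browsers use for autofill anyway.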

BT customers hit by broadband outage ... again


Not just BT/Plusnet

Apparently this is the root cause of an outage for some Zen customers too. Tech support say they think this is affecting other ISPs as well.

Which keys should I press to enable the CockUp feature?


Re: Photo Thieves

"Photo By ShutterStock"

Plusnet customers SWAMPED by spam but BT-owned ISP dismisses data breach claims


user+identifier@mydomain.com not reliable

Problem with the user+identifier@mydomain.com thing: it's a commonly known pattern, so the identifier is trivially removed or spoofed by anyone seeking to obfuscate the source of their list, or direct your attention elsewhere. So you can't really rely on it to identify the source of a leak.
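Added worked example (editor's, not the commenter's) showing both halves of the comment: how trivially a `+identifier` tag is normalised away, and one way to at least make a tag unforgeable. The hardened variant goes beyond the comment: it is an assumption of mine, not something the page suggests. It binds each tag to the mailbox with a short HMAC under a key only you hold, so a spammer who swaps in a rival's name to misdirect you produces a tag that fails verification. It does nothing against plain stripping; the only defence there is a catch-all domain where the bare mailbox does not exist. Key and addresses are constructed.

```python
import hashlib
import hmac
import re

ADDR_RE = re.compile(r"^([^+@]+)(?:\+([^@]*))?@([^@]+)$")


def canonical(addr: str) -> str:
    """What a list launderer does: drop the +tag and case, leaving the bare mailbox."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a plus-addressable address: {addr!r}")
    local, _tag, domain = m.groups()
    return f"{local.lower()}@{domain.lower()}"


def tagged_address(local: str, domain: str, site: str, key: bytes) -> str:
    """Hardened variant (assumption, not from the page): tag = site + 8 hex chars of
    HMAC-SHA256(key, local|site). Forging a tag for another site needs the key."""
    mac = hmac.new(key, f"{local}|{site}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"{local}+{site}.{mac}@{domain}"


def verify_tag(addr: str, key: bytes):
    """Return the site name if the tag authenticates, else None (stripped or forged)."""
    m = ADDR_RE.match(addr.strip())
    if not m or m.group(2) is None or "." not in m.group(2):
        return None
    local, tag, _domain = m.groups()
    site, mac = tag.rsplit(".", 1)
    expected = hmac.new(key, f"{local}|{site}".encode(), hashlib.sha256).hexdigest()[:8]
    return site if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    key = b"constructed-demo-key"            # assumption: keep this out of the address book
    mine = tagged_address("bob", "example.com", "plusnet", key)
    print(mine, "->", verify_tag(mine, key))                              # plusnet
    print(canonical(mine), "->", verify_tag(canonical(mine), key))       # stripped: None
    forged = mine.replace("plusnet.", "zen.")
    print(forged, "->", verify_tag(forged, key))                          # forged: None
```

Eight hex characters is 32 bits of tag, which is plenty against a spammer guessing blind but not against someone who can see several of your tagged addresses and has unlimited sends; lengthen the MAC if that is your threat model.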

Zeus botnets suffer mighty blow after ISP taken offline



"...properly lubricate all objects prior to spammer insertion."

A suitable lubricant can be obtained by mixing superglue, broken glass and rusty nails. Apply liberally to object before using on spammer.

Verified by Visa bitchslapped by Cambridge researchers



If I remember correctly, way back in the early noughties when I was writing ecommerce sites and the 3-digit CVV was introduced, the instruction was that it was never to be stored anywhere in your DB, on pain of some kind of nastiness to your merchant account. I presume (but don't know) it's also not stored in a machine-readable format on the card.

Thus, the extra level of security this provides is not to turn a 16-digit number into a 19-digit one, but to guard against your card number being usable if a database where it's stored is compromised (quite likely at the time, having seen the sort of shoddy code being rushed out back then) or your card is skimmed.

So, in theory, if a card number is presented with CVV it is more likely that the person presenting it has (access to) the physical card, and less likely that they're using a card number stolen from somewhere.

I do recall having to tell coders who hadn't read the documentation that the CVV wasn't to be stored in the DB, so I'm assuming that there are various implementations out there that do store it and thus neuter it as a security measure - it's a slightly brittle solution in that respect.
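Added worked example (editor's, not the commenter's) of the "before" and "after" this comment describes: an order handler that dumps the whole form payload, CVV included, into the database, beside one that persists only a masked PAN, a keyed token for repeat-customer matching, and no CVV, with a guard that refuses any row carrying a CVV-like field so a coder who skipped the documentation fails loudly instead of silently neutering the control. The checkout payload, table layout and token key are constructed for the demo; in real code the key would live in a vault or HSM, and the PAN itself would normally be tokenised by the acquirer rather than stored at all.

```python
import hashlib
import hmac
import sqlite3

# Constructed checkout payload, as the form handler would receive it.
CHECKOUT = {"pan": "4111111111111111", "expiry": "12/29", "cvv": "123", "amount_pence": 4999}
FORBIDDEN = {"cvv", "cvv2", "cvc", "csc", "security_code"}   # never persisted, never logged
TOKEN_KEY = b"constructed-demo-key"                           # assumption: vault/HSM in real life


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; catches typos before anything touches the acquirer."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def new_db():
    return sqlite3.connect(":memory:")


def store_naive(conn, payload):
    """The 'before': whatever came off the form goes straight into the orders table."""
    cols = ", ".join(payload)
    marks = ", ".join("?" * len(payload))
    conn.execute(f"CREATE TABLE IF NOT EXISTS orders_naive ({cols})")
    conn.execute(f"INSERT INTO orders_naive ({cols}) VALUES ({marks})", tuple(payload.values()))


def sanitize_for_storage(payload):
    """Keep only what fulfilment needs: masked PAN, keyed token, expiry, amount. No CVV."""
    pan = payload["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_masked": "*" * (len(pan) - 4) + pan[-4:],
        "pan_token": hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest(),
        "expiry": payload["expiry"],
        "amount_pence": payload["amount_pence"],
    }


def would_refuse(row) -> bool:
    """True if the row carries any field that must never reach disk."""
    return bool(FORBIDDEN & {k.lower() for k in row})


def store_safe(conn, row):
    """The 'after': schema has no CVV column, and the guard rejects rows that smuggle one in."""
    if would_refuse(row):
        raise ValueError(f"refusing to persist {sorted(FORBIDDEN & {k.lower() for k in row})}")
    conn.execute("CREATE TABLE IF NOT EXISTS orders "
                 "(pan_masked TEXT, pan_token TEXT, expiry TEXT, amount_pence INTEGER)")
    conn.execute("INSERT INTO orders VALUES (:pan_masked, :pan_token, :expiry, :amount_pence)", row)


def columns(conn, table):
    return [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]


if __name__ == "__main__":
    db = new_db()
    store_naive(db, CHECKOUT)
    store_safe(db, sanitize_for_storage(CHECKOUT))
    print("naive:", columns(db, "orders_naive"))   # includes cvv
    print("safe: ", columns(db, "orders"))         # no cvv, PAN masked
```

The guard is deliberately keyed on field names rather than values: a three-digit number is too common to detect by content, so the control has to sit at the boundary where the payload is shaped for storage. Apply the same allowlist to your logging and error-reporting paths, which are where CVVs most often end up in practice.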

Monty's 'Save MySQL' mudsling gets 15,000 backers


Spam from Monty

I recently received an email invite from Monty to sign this petition - quite obviously a bulk mailshot. Not sure why, as the only time I recall providing my e-mail address for anything MySQL-related would be many years ago in a comment on the documentation, so presumably I have a mysql.com "account".

I was pretty pissed off TBH - if Monty is no longer part of MySQL, how is he able to get hold of this data? No unsubscribe info, unsolicited, bulk, so in my book it ticks all the boxes for being spam.

Not a great way to go about garnering support...

Masked passwords must go


Stop watching my fingers!

The asterisks stop shoulder-surfing from people reading your screen... but not watching your fingers on your keyboard. If passwords were displayed as typed, it wouldn't take long before people started looking around a little more carefully at who's watching before typing their password, instead of being lulled into a false sense of security by the fact that their password can't be seen on screen, and ignoring the fact that watching fingers is pretty easy (see AC's 70WPM comment).

However, as in many things, there is no 'one size fits all' answer. In some cases, I can see this improving security (and, as seems to have been somewhat forgotten as one of the original points of the article, usability), although in many cases it will of course not do so.