* Posts by Alex Brett

137 publicly visible posts • joined 11 May 2007


Ubiquiti blunder let some folks view others' security cameras, accounts

Alex Brett

Re: "Cloud" Misconfiguration?

The common cause for things like this is that you try to move authentication/session handling to a load balancer, but get it wrong so the LB uses a backend connection with someone else's user identity and thus the backend server thinks you're someone else and serves up their info...

Lufthansa flights grounded by major IT snafu, 'construction work' blamed

Alex Brett

Indeed, even when redundant ducts are installed, often the contractors who then get tasked with pulling the fibre into them end up taking the lazy approach and pull both into the same duct and leave one empty.

The other classic one is you have redundant ducts properly taking geographically diverse routes to a facility, but they then come together where they enter the building presenting a lovely target for a JCB...

Server installer fails to spot STOP button – because he wasn't an archaeologist

Alex Brett

Hearing a 'click'

Not quite the same, but in terms of clicks, whilst I was at school (probably aged about 11), I managed to accidentally set off the school fire alarm and everybody had to evacuate - we'd been lined up in a corridor to go out to games, slowly moving down it (I seem to remember they were inspecting football boots or something to make sure the studs were safe). Whilst queueing I'd been gently rocking my head back and forth for no particular reason.

Unfortunately, little did I know they'd managed to install a fire alarm break glass call point at perfect height for my head, and as I shuffled down, I ended up directly in front of it - I rocked my head back, heard a 'click', followed immediately by the fire alarm bell sounding...

Fortunately I didn't get in to trouble for it (I did own up and explain), and I think afterwards that particular call point had a plastic cover added that had to be lifted up before it could be set to avoid a repeat ;)

Victims of IT scandal in UK postal service will get fresh compensation

Alex Brett

Re: Bring manglement to book

DFS can't pursue a criminal prosecution against you, only a civil case (i.e. they can't push a case in a criminal court where you could get sent to prison for not paying for your sofa, only get a civil court judgement and then try to enforce it etc)...

Two thirds of DNS queries for IPv6 hosts sent to Chinese resolvers fail, researchers find

Alex Brett

What does failed mean?

How are they defining fail - e.g. any hostname that only has an IPv4 address, the AAAA query (which any IPv6 enabled client will typically send first) will fail, and the client will then fall back to an A query for a v4 address - is that counted in their statistics, as if so then it's just modelling the IPv6 takeup rather than any issues with the resolution infrastructure etc...

Pentester pops open Tesla Model 3 using low-cost Bluetooth module

Alex Brett

Re: defeated by simply cutting the latency of the relay process.

No, to pair a new key (physical or phone key) you need one of the existing actual RFID keycards to authorise it, so it's 'safe' from that point of view.

It's also the case that once you park up and walk away, you will then be unable to get in and drive the car again without redoing the attack, which coupled with the fact the car will be reporting its GPS position to Tesla and the owner via the app means overall this is of pretty limited value for anything more than a one-off joyride.

Pin to drive also defeats it, such that the only thing it allows you to do is get into the vehicle, which as others have said can be done with the use of a brick or similar anyway...

VMware walks back ban on booting vSphere from SD cards or thumb drives

Alex Brett

I presume what's being pushed back against is the option for vendors to supply systems with an *internal* USB/SD card to boot from, rather than trying to get vendors to block booting from removable storage in the BIOS/UEFI firmware, which would be a very strange thing to do...

Foxconn factories near Shanghai cease operations over COVID-19 cases

Alex Brett

One of the big problems China has is its vaccine take-up, particularly amongst the groups most likely to have a more severe reaction to COVID (the elderly, those with pre-existing conditions etc) is very low. A lot of its vaccines have also been of a type which doesn't protect as well against Omicron.

Many other countries now have vaccination rolled out sufficiently that the hospitalisations coming from Omicron are (mostly) manageable, so reducing/removing controls isn't overwhelming the health services - unless China can get its vaccination mix and take up improved, it will really struggle if it were to 'let it rip' as it were...

IT advice fuelled by beer is the best IT advice of all, right?

Alex Brett

It could also be that as well as the pacemaker they had an external device that interfaced with it to monitor it or similar, which could well be emitting stronger signals etc...

To err is human. To really screw things up requires a wayward screwdriver

Alex Brett

Those are actually really quite dangerous, the only thing preventing you getting a shock is a tiny resistor, that could quite easily fail short circuit, plus if you haven't got a particularly good connection to ground yourself (e.g. well insulated shoes or flooring) they may not light up when there's voltage present and make you think something is safe when it isn't).

What you really want is a GS38 approved voltage tester, or failing that a multimeter and the knowledge of how to use one is still better than one of those screwdrivers...

Less than PEACH-y: UK's plant export IT system only works with Internet Explorer

Alex Brett

Backend security?

What worries me more is if this tool dates from the days of IE6 or 7, has anybody actually reviewed the backend code for security issues (e.g. SQL injection, XSS etc) since it was built?

A lightbulb moment comes too late to save a mainframe engineer's blushes

Alex Brett

It sounds like it would be a boring read, but on this front "The Checklist Manifesto" by Atul Gawande is a great read, and actually improved my approach to various tasks after reading it, as it helped me understand what sort of mistakes we commonly make as humans and how to avoid them...

Facebook, WhatsApp, Instagram deplatform themselves: Services down globally

Alex Brett

I suspect that is going to be users erroneously reporting Three as down when actually it's Facebook/WhatsApp/Instagram that has the problem...

Global Fastly outage takes down many on the wibbly web – but El Reg remains standing

Alex Brett


I think you mean reports started at 09:58 UTC, or 10:58 BST (10:58 UTC is 9 minutes in the future as I write this)...

Oops, says Manchester City Council after thousands of number plates exposed in parking ticket spreadsheet

Alex Brett

It's worse than that for aircraft - anyone can, for free, look up the owner of a UK-registered aircraft from its registration, and there is no mechanism (other than having it owned by e.g. a limited company) for owners to have their details hidden - see https://siteapps.caa.co.uk/g-info/

Virginia voter registration website falls over hours before deadline. The Russians? No, a broken fiber line

Alex Brett

No idea if this is the case here, but I've seen a scenario where a properly diverse set of ducts were specified and installed (for connectivity to a university), going different routes around the city etc, and then whoever pulled the fibre in ended up pulling both fibres through one duct, which nobody noticed was the case until the duct was hit somewhere...

NHS COVID-19 app's first weekend: With fundamental testing flaw ironed out, bugs remaining are relatively trivial

Alex Brett

Re: Suggested improvement

So something that has confused a lot of people - checking in somewhere does not mean if a single person tests positive who was there at the same time you'll get notified, it only means if the public health authorities decide there has been a cluster of cases and so it is a hotspot, they can send a notification, that will normally not be a requirement to self-isolate, but a suggestion to be on the lookout for symptoms more than normal - see https://faq.covid19.nhs.uk/article/KA-01312/en-us?parentid=CAT-01031&rootid=CAT-01023 for details...

Alex Brett

Re: no major bugs?

A negative test does *not* remove the legal requirement to self-isolate if instructed to do so due to close contact, because in the early stages of an infection you may test negative - that's why e.g. a test on arrival at the airport isn't sufficient to avoid the 14-day quarantine period...

As I understand it, if you report symptoms, that will start the 10 day self isolation countdown - if you book a test through the app, and subsequently get a negative result, that will automatically remove the 10 day isolation countdown, though if you get a negative result through another test mechanism, you would have to reinstall the app to clear your data from it, which is awkward but not a disaster.

Watch out, everyone, here come the Coronavirus Cops, enjoying their little slice of power way too much

Alex Brett

Re: Cambridge Police are too busy with serious crime

Just FYI the once per day thing is only in the guidance, the law doesn't say it...

Aria Technology loses Court of Appeal bid over £750k VAT dispute

Alex Brett

Er, no they don't - the legal entity registers for VAT. There are certain responsibilities of a director of a Ltd company and you can sometimes have a criminal prosecution against someone, but any VAT liability does not automatically fall against a person...

BBC tells Conservative Party to remove edited Facebook ad featuring its reporters

Alex Brett

> and yet haven't found time for any of the 'minor' parties who *do* have MPs

Sorry to be pedantic, but at the moment there are *no* MPs from any party, as parliament has been dissolved...

The purple SIM of fail: Virgin Mobile punters left in the dark with batch of borked cards

Alex Brett

Re: Am I the only person i nthe world who doesn't have problems with Virgin services?

I have had a remarkably long run without problem with broadband from them - current issue is not their fault (Cityfibre apparently went through their cable when digging up the pavement to put their ducts in), but their response is a bit disappointing - first available date for a 'repull' is a full 23 days after the fault occurred. I can only assume this has been happening a lot and thus the team that do the pulls is really busy.

Fortunately not a disaster for me as I have an FTTC link as well for redundancy, and on the bright side I think I get £8/day compensation...

Unearthed emails could be smoking gun in epic GDPR battle: Google, adtech giants 'know they break Euro privacy law'

Alex Brett

"and target ads at you for stuff you're previously shown an interest in" - not sure if this is just me, but I only ever seem to see ads for things I've just purchased, normally high value items where I'm not going to want another for some years, so they seem rather pointless...

Heads up: Debian's package manager is APT for root-level malware injection... Fix out now to thwart MITM hijacks

Alex Brett

Re: "Supporting HTTP is fine,"

You can try and clone the Debian repos, but you'll be there a *LONG* time (e.g. the amd64 archive is currently 327GB - see https://www.debian.org/mirror/size) - a caching HTTP proxy avoids needing to download such huge amounts of data.

To be fair, you can achieve HTTPS using something like apt-cacher, which is essentially a caching proxy that understands the structure of a repository and can have the upstream repos configured directly into it, so you could talk HTTPS to it from your hosts, and then it could talk HTTPS to the upstream repos, but that's extra infrastructure that I can understand people who already have a caching HTTP proxy may want to avoid.

Junior dev decides to clear space for brewing boss, doesn't know what 'LDF' is, sooo...

Alex Brett

Re: I was also clueless at the time

That may give you a false sense of security, as if the software has an open file handle to it, you may be able to rename it without affecting the software using it (until the software restarts or tries to (re)open the file)...

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Alex Brett

> An infosec expert with experience in the aviation industry told El Reg: "You don't outsource something that is working well."

Has your expert ever met a beancounter, as that's precisely the sort of thing they do...

Thunderstruck: Azure Back in Black(out) after High Voltage causes Flick of the Switch

Alex Brett

Re: Texas - Europe ?

While business names and addresses are not PII, if you e.g. have your employee's names and contact numbers, that very much *is* PII...

DVLA denies driving licence processing site is a security 'car crash'

Alex Brett

Re: Certificate chain

Most likely because Firefox maintains its own set of trusted certificates, whereas IE and Chrome (for example) use the operating systems. It's quite likely the operating system has (or has at least cached) the intermediate certificates needed to complete the chain...

See that over Heathrow? It's not an airliner – it's a Predator drone

Alex Brett

Re: Echo might be "controlled"

Same problem in class D - while ATC must provide traffic information on VFR flights, they are not required to separate VFR flights from each other, or IFR flights from VFR flights, thus your IFR drone still has to somehow avoid VFR traffic...

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Alex Brett

Re: Not the best of articles.

Yes - while /you/ as the site admin might not be running a site on port 80, the person who attacks the end user can, and there browser will happily connect to it, whereas with HSTS the browser will always go to the HTTPS site and thus as well as MITMing the connection, you have to somehow get the browser to trust the certificate you present as well...

Smart meters: 'Dog's breakfast' that'll only save you 'a tenner' – report

Alex Brett

Re: I want a smart water meter

The water company replaced my original electronic meter (that was wired up to a disc on the outside of the house for them to read it with) as it failed (display went entirely blank etc) - the replacement is a 'smart meter' in the sense that it sends readings to them via GSM or similar, but it has a really annoying loud 'clicking' sound every time significant water runs through it that reverberates through the pipework.

When I first raised this they sent someone out to swap it, but (and to be fair to the guy he warned me beforehand it probably wouldn't solve it but he'd been told to do it so had to) it appears to be part of the design.

Considering getting them to move it outside now in the hope the extra distance reduces the reverberation because at the moment it means I can't e.g. run the washing machine overnight as the noise is too annoying...

Alex Brett

Saving on meter readers?

I suppose there's an argument that not having to send people out to get meter readings (because they're coming in via GSM or whatever) should be a cost saving for the energy companies, though the chances of them passing that saving on to their customers rather than their shareholders seems slim...

Tory-commissioned call centres 'might have bent data protection laws'

Alex Brett

Re: ICO involvement?

Wrong - it's not illegal to campaign on election day in the UK.

There are some restrictions around what can be done near polling stations (i.e. you can't intimidate voters etc), and there are lots of restrictions on what the media can do/say on election day, but nothing to stop a candidate or their campaign doing anything, including making phone calls.

Indeed most candidates will have their teams out knocking up expected voters (either in person or by phone) to ensure they go out and vote etc...

Google caps punch-yourself-in-the-face malicious charger hack

Alex Brett

Don't trust random ports

If I ever use a random USB port to charge my phone I'll use something like http://plugable.com/products/usb-mc1/ (~6 quid from Amazon) in line to ensure i'm only getting power and no data connection is possible...

Boy, 12, gets €100k bill from Google after confusing Adwords with Adsense

Alex Brett

Not true in the UK at least - Direct Debits can be set up entirely online, with no signature required...

BT customers hit by broadband outage ... again

Alex Brett

Re: something doesn't make sense

There are two issues here - firstly there are very few facilities in the Docklands kitted out to a 2n (i.e. having two sets of everything) spec, most are just n+1 (so e.g. if you need 2 UPS units to cover the load, you'll have 3 so can handle one failing). Now n+1 is fine, until a problem either downstream of your redundancy (e.g. a circuit breaker) fails, or something fails in a way your redundancy doesn't expect (e.g. your failed UPS shorting the common bus). With 2n you are in general able to avoid this, as each rack has two supplies fed independently from the grid onwards (the really good ones even have separate substations), but it costs more, and most of the older facilities where the majority of carriers you want to connect to are present in don't have the space etc to actually become 2n.

The second issue is that all the redundancy in the world doesn't help in some situations - e.g. if you have a fire that somehow your extinguishing system can't manage to deal with, the first thing the fire brigade are going to say when they turn up on site is "OK, turn the power off". To a lesser extent you've also got the issue that a faulty bit of kit could trip both supplies, though good design of the breakers and distribution should be able to limit that e.g. to a single rack being affected.

Hacks rebel after bosses secretly install motion sensors under desks

Alex Brett

Excuse perhaps a little poorly thought through?

From what I can see on the OccupEye spec page, the devices only have a PIR, there is no temperature sensor built in.

If that's the case (and it's not just missing from the page), then there was no way these were monitoring the building temperature, the 'best' they could say was they were monitoring how many desks were being used e.g. in advance of a move to hotdesking...

Did North Korea really just detonate a hydrogen bomb? Probably not

Alex Brett

Re: Of course there is the possibility...

AIUI the difficult bit about a thermonuclear device is getting the secondary to go off properly rather than just being a fission explosion, not the basic principle of the thing which is well understood (there's even a diagram on Wikipedia!), so even if it was intended as an H bomb if it didn't perform as such that doesn't necessarily mean they're any closer to one than before...

I survived a head-on crash with driverless cars – and dummies

Alex Brett

In some cars the pedal on the passenger side is not quite imaginary: http://www.bbc.co.uk/news/business-13566999 ;)

The last post: Building your own mail server, part 2

Alex Brett

Smarthost likely required

A lot of large ISPs block any inbound mail from subnets that are believed to be 'end user' IP addresses and thus not expected to be delivering mail - see https://www.spamhaus.org/pbl/ for an example - as such if you do host a mailserver yourself you would be well advised to use e.g. your ISPs mail server (if it will accept mail for non hosted domains) as a smarthost for outbound mail otherwise you'll find quite a few destinations rejecting it.

Also re: dynamic IPs - there is a big risk in using a DDNS service that if your connection goes down, you won't update the DDNS name until it comes back, at which point you might find people delivering mail to someone entirely different who happens to have got your old IP - while in most cases that person won't be running a mailserver, if they are then they can either steal your mail, or if they reject it as an invalid recipient the other end will bounce it back to the sender, which I suspect is not what you want...

SpaceX Dragon crew capsule in 'CHUTE ABORT drama – don't panic, no one died

Alex Brett

If you read 'Riding Rockets' by the astronaut Mike Mullane (an excellent read by the way), he said some astronauts thought if they used the seats in flight they'd probably just end up going through the SRB exhaust, i.e. they were only any good before launch...

BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Alex Brett

This is almost certainly someone's attempt to workaround some of the NAT issues you can experience with SIP - I suspect they've set it up so that when an outbound SIP connection is made outbound, *all* connections to port 5060 are NAT'd back to the host that made the connection so if a reply comes from a different address (which is allowed in the SIP standard) it still gets through, probably combined with an ALG that is translating internal IPs in the SIP message into the external one. Normally you'd expect your NAT device to just accept packets from IPs you'd connected out to (the service provider in this case).

If it's a phone connecting out that's not a big problem, as most phones these days can be (and should be) configured to ignore traffic that's not from the configured server / proxy, and even in the worst case all that happens is they ring - they're not going to end up placing an outbound call.

I can understand smaller installers not thinking to put brute force protection on a PBX that they are not intending to expose to the internet - unless you've seen issues like this and had to deal with the crazyness of ALGs etc you wouldn't expect it.

Frustratingly all these sorts of things (ALGs in particular) actually normally make VoIP less likely to work - any competent ITSP will have a Session Border Controller (SBC), or something carrying out the same functions, at their end, which will just handle the NAT issues (i.e. all signalling will come back from the same IP and where necessary they will proxy the audio etc). However, with an ALG, 9 times out of 10 (at least in my experience) it has 'modified' the SIP messages in such a crazy way that the SBC can't work out what to do, and so you get one way audio or calls cutting off after a short time etc...

Lloyds supplier payments TITSUP: What, you want money from a bank?

Alex Brett

The law says you have 6 years to claim, so you can put the claim for interest / charges through *after* they've actually paid the original invoice...

Alex Brett

I hope all these suppliers will be charging statutory late payment fees - while the fixed charge (£40 - £100 depending on value of invoice) is nothing to Lloyds, the interest at 8.5% for ~£30m of invoices being paid say 2 months late is £419k...

Hackney council leaked thousands of locals' data in FoI blunder

Alex Brett

I wonder what the complexity of this was, I'm guessing it was something to do with Excel's versions functionality, so the question is whether it was exposed as a previous version that just using the UI could get you to, or if you had to do some digging in the raw file to get at it (e.g. as it was data left in space that Excel had marked as reuseable but not yet done so).

If the latter then I have some sympathy as you wouldn't expect it to be there, if the former then that's just not understanding the tools, and only one step up from redacting something by setting the background colour to black rather than actually removing it ;)

Git thee behind me, Git crit security bug!

Alex Brett

Re: Have to agree

GitHub releases some software, but as far as I am aware that bundles the official git client in, and is basically just wrapping it.

There's a pretty good summary on the github blog at https://github.com/blog/1938-git-client-vulnerability-announced - but to answer your question yes it is a flaw in the official git client, that applies when run on a system with a case insensitive filesystem (e.g. NTFS)...

Alex Brett

Why the focus on GitHub?

This article is quite poorly worded - if you only use GitHub you're safe as they've put protection in at the server side (though obviously upgrading anyway would still be recommended), the issue is if you use git (which while it is the client software you use with GitHub, it is not 'their' client software - GitHub came around about 2-3 years later as a collection of repositories with a nice web UI etc) on other untrusted repositories on case insensitive systems where your .git directory can get overwritten...

Can't stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain

Alex Brett

The biggest problem I've found with the standards, is if the business doesn't fit into one of their standard categories stating which sections you can ignore, you have to go through the whole thing, which then entails you writing ream after ream of policy documents, which nobody is ever going to read / comply with in reality.

(See http://www.alexbrett.net/blog/2013/05/open-letter-to-the-pci-ssc/ for more rants about PCI:DSS in general...)

REVEALED: Titsup flight plan mainframe borks UK air traffic control

Alex Brett

The difficulty is you need to know what other aircraft are expected in order to properly plan deconfliction - e.g. the radar for a particular sector might have 3 aircraft all nicely separated vertically / horizontally with no problems, but because you couldn't track what was coming, you suddenly find you have 10 more arrive at once all on course to meet at the same point in the sky - there's a limit to how quickly you can get them all onto different headings / altitudes. If you knew in advance then you can get them sorted in other sectors prior to being handed over.

There's also the problem that if you have to start asking each aircraft where it's going, that's a lot of time on the already busy radio taken up with the back and forth...

BT Infinity ‘working to fix problem’ after three days of outages

Alex Brett

Re: Could be GCHQ that is playing up. Also, it's in Northern Ireland too

The only address the modem has is its management one, the primary connection it provides is via a PPP connection between the customer's router and the ISP's LNS where it is just passing packets.

I see no evidence found by anybody that any traffic was forwarded through the management address, and ultimately it would make absolutely no sense to do it that way when you could do it far easier at either the DSLAM or core network level entirely transparently to the end user and any equipment they might have!