Posts by Alex Brett

123 posts • joined 11 May 2007


Virginia voter registration website falls over hours before deadline. The Russians? No, a broken fiber line

Alex Brett

No idea if this is the case here, but I've seen a scenario where a properly diverse set of ducts were specified and installed (for connectivity to a university), going different routes around the city etc, and then whoever pulled the fibre in ended up pulling both fibres through one duct, which nobody noticed was the case until the duct was hit somewhere...

NHS COVID-19 app's first weekend: With fundamental testing flaw ironed out, bugs remaining are relatively trivial

Alex Brett

Re: Suggested improvement

So something that has confused a lot of people - checking in somewhere does not mean if a single person tests positive who was there at the same time you'll get notified, it only means if the public health authorities decide there has been a cluster of cases and so it is a hotspot, they can send a notification, that will normally not be a requirement to self-isolate, but a suggestion to be on the lookout for symptoms more than normal - see https://faq.covid19.nhs.uk/article/KA-01312/en-us?parentid=CAT-01031&rootid=CAT-01023 for details...

Alex Brett

Re: no major bugs?

A negative test does *not* remove the legal requirement to self-isolate if instructed to do so due to close contact, because in the early stages of an infection you may test negative - that's why e.g. a test on arrival at the airport isn't sufficient to avoid the 14-day quarantine period...

As I understand it, if you report symptoms, that will start the 10 day self isolation countdown - if you book a test through the app, and subsequently get a negative result, that will automatically remove the 10 day isolation countdown, though if you get a negative result through another test mechanism, you would have to reinstall the app to clear your data from it, which is awkward but not a disaster.

Watch out, everyone, here come the Coronavirus Cops, enjoying their little slice of power way too much

Alex Brett

Re: Cambridge Police are too busy with serious crime

Just FYI the once per day thing is only in the guidance, the law doesn't say it...

Aria Technology loses Court of Appeal bid over £750k VAT dispute

Alex Brett

Er, no they don't - the legal entity registers for VAT. There are certain responsibilities of a director of a Ltd company and you can sometimes have a criminal prosecution against someone, but any VAT liability does not automatically fall against a person...

BBC tells Conservative Party to remove edited Facebook ad featuring its reporters

Alex Brett

> and yet haven't found time for any of the 'minor' parties who *do* have MPs

Sorry to be pedantic, but at the moment there are *no* MPs from any party, as parliament has been dissolved...

The purple SIM of fail: Virgin Mobile punters left in the dark with batch of borked cards

Alex Brett

Re: Am I the only person in the world who doesn't have problems with Virgin services?

I have had a remarkably long run without problem with broadband from them - current issue is not their fault (Cityfibre apparently went through their cable when digging up the pavement to put their ducts in), but their response is a bit disappointing - first available date for a 'repull' is a full 23 days after the fault occurred. I can only assume this has been happening a lot and thus the team that do the pulls is really busy.

Fortunately not a disaster for me as I have an FTTC link as well for redundancy, and on the bright side I think I get £8/day compensation...

Unearthed emails could be smoking gun in epic GDPR battle: Google, adtech giants 'know they break Euro privacy law'

Alex Brett

"and target ads at you for stuff you're previously shown an interest in" - not sure if this is just me, but I only ever seem to see ads for things I've just purchased, normally high value items where I'm not going to want another for some years, so they seem rather pointless...

Heads up: Debian's package manager is APT for root-level malware injection... Fix out now to thwart MITM hijacks

Alex Brett

Re: "Supporting HTTP is fine,"

You can try and clone the Debian repos, but you'll be there a *LONG* time (e.g. the amd64 archive is currently 327GB - see https://www.debian.org/mirror/size) - a caching HTTP proxy avoids needing to download such huge amounts of data.

To be fair, you can achieve HTTPS using something like apt-cacher, which is essentially a caching proxy that understands the structure of a repository and can have the upstream repos configured directly into it, so you could talk HTTPS to it from your hosts, and then it could talk HTTPS to the upstream repos, but that's extra infrastructure that I can understand people who already have a caching HTTP proxy may want to avoid.

Junior dev decides to clear space for brewing boss, doesn't know what 'LDF' is, sooo...

Alex Brett

Re: I was also clueless at the time

That may give you a false sense of security, as if the software has an open file handle to it, you may be able to rename it without affecting the software using it (until the software restarts or tries to (re)open the file)...

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Alex Brett

> An infosec expert with experience in the aviation industry told El Reg: "You don't outsource something that is working well."

Has your expert ever met a beancounter, as that's precisely the sort of thing they do...

Thunderstruck: Azure Back in Black(out) after High Voltage causes Flick of the Switch

Alex Brett

Re: Texas - Europe ?

While business names and addresses are not PII, if you e.g. have your employees' names and contact numbers, that very much *is* PII...

DVLA denies driving licence processing site is a security 'car crash'

Alex Brett

Re: Certificate chain

Most likely because Firefox maintains its own set of trusted certificates, whereas IE and Chrome (for example) use the operating system's. It's quite likely the operating system has (or has at least cached) the intermediate certificates needed to complete the chain...

See that over Heathrow? It's not an airliner – it's a Predator drone

Alex Brett

Re: Echo might be "controlled"

Same problem in class D - while ATC must provide traffic information on VFR flights, they are not required to separate VFR flights from each other, or IFR flights from VFR flights, thus your IFR drone still has to somehow avoid VFR traffic...

El Reg assesses crypto of UK banks: Who gets to wear the dunce cap?

Alex Brett

Re: Not the best of articles.

Yes - while /you/ as the site admin might not be running a site on port 80, the person who attacks the end user can, and their browser will happily connect to it, whereas with HSTS the browser will always go to the HTTPS site and thus as well as MITMing the connection, you have to somehow get the browser to trust the certificate you present as well...

Smart meters: 'Dog's breakfast' that'll only save you 'a tenner' – report

Alex Brett

Re: I want a smart water meter

The water company replaced my original electronic meter (that was wired up to a disc on the outside of the house for them to read it with) as it failed (display went entirely blank etc) - the replacement is a 'smart meter' in the sense that it sends readings to them via GSM or similar, but it has a really annoying loud 'clicking' sound every time significant water runs through it that reverberates through the pipework.

When I first raised this they sent someone out to swap it, but (and to be fair to the guy he warned me beforehand it probably wouldn't solve it but he'd been told to do it so had to) it appears to be part of the design.

Considering getting them to move it outside now in the hope the extra distance reduces the reverberation because at the moment it means I can't e.g. run the washing machine overnight as the noise is too annoying...

Alex Brett

Saving on meter readers?

I suppose there's an argument that not having to send people out to get meter readings (because they're coming in via GSM or whatever) should be a cost saving for the energy companies, though the chances of them passing that saving on to their customers rather than their shareholders seems slim...

Tory-commissioned call centres 'might have bent data protection laws'

Alex Brett

Re: ICO involvement?

Wrong - it's not illegal to campaign on election day in the UK.

There are some restrictions around what can be done near polling stations (i.e. you can't intimidate voters etc), and there are lots of restrictions on what the media can do/say on election day, but nothing to stop a candidate or their campaign doing anything, including making phone calls.

Indeed most candidates will have their teams out knocking up expected voters (either in person or by phone) to ensure they go out and vote etc...

Google caps punch-yourself-in-the-face malicious charger hack

Alex Brett

Don't trust random ports

If I ever use a random USB port to charge my phone I'll use something like http://plugable.com/products/usb-mc1/ (~6 quid from Amazon) in line to ensure I'm only getting power and no data connection is possible...

Boy, 12, gets €100k bill from Google after confusing Adwords with Adsense

Alex Brett

Not true in the UK at least - Direct Debits can be set up entirely online, with no signature required...

BT customers hit by broadband outage ... again

Alex Brett

Re: something doesn't make sense

There are two issues here - firstly there are very few facilities in the Docklands kitted out to a 2n (i.e. having two sets of everything) spec, most are just n+1 (so e.g. if you need 2 UPS units to cover the load, you'll have 3 so can handle one failing). Now n+1 is fine, until a problem either downstream of your redundancy (e.g. a circuit breaker) fails, or something fails in a way your redundancy doesn't expect (e.g. your failed UPS shorting the common bus). With 2n you are in general able to avoid this, as each rack has two supplies fed independently from the grid onwards (the really good ones even have separate substations), but it costs more, and most of the older facilities where the majority of carriers you want to connect to are present in don't have the space etc to actually become 2n.

The second issue is that all the redundancy in the world doesn't help in some situations - e.g. if you have a fire that somehow your extinguishing system can't manage to deal with, the first thing the fire brigade are going to say when they turn up on site is "OK, turn the power off". To a lesser extent you've also got the issue that a faulty bit of kit could trip both supplies, though good design of the breakers and distribution should be able to limit that e.g. to a single rack being affected.

Hacks rebel after bosses secretly install motion sensors under desks

Alex Brett

Excuse perhaps a little poorly thought through?

From what I can see on the OccupEye spec page, the devices only have a PIR, there is no temperature sensor built in.

If that's the case (and it's not just missing from the page), then there was no way these were monitoring the building temperature, the 'best' they could say was they were monitoring how many desks were being used e.g. in advance of a move to hotdesking...

Did North Korea really just detonate a hydrogen bomb? Probably not

Alex Brett

Re: Of course there is the possibility...

AIUI the difficult bit about a thermonuclear device is getting the secondary to go off properly rather than just being a fission explosion, not the basic principle of the thing which is well understood (there's even a diagram on Wikipedia!), so even if it was intended as an H bomb if it didn't perform as such that doesn't necessarily mean they're any closer to one than before...

I survived a head-on crash with driverless cars – and dummies

Alex Brett

In some cars the pedal on the passenger side is not quite imaginary: http://www.bbc.co.uk/news/business-13566999 ;)

The last post: Building your own mail server, part 2

Alex Brett

Smarthost likely required

A lot of large ISPs block any inbound mail from subnets that are believed to be 'end user' IP addresses and thus not expected to be delivering mail - see https://www.spamhaus.org/pbl/ for an example - as such if you do host a mailserver yourself you would be well advised to use e.g. your ISP's mail server (if it will accept mail for non-hosted domains) as a smarthost for outbound mail otherwise you'll find quite a few destinations rejecting it.

Also re: dynamic IPs - there is a big risk in using a DDNS service that if your connection goes down, you won't update the DDNS name until it comes back, at which point you might find people delivering mail to someone entirely different who happens to have got your old IP - while in most cases that person won't be running a mailserver, if they are then they can either steal your mail, or if they reject it as an invalid recipient the other end will bounce it back to the sender, which I suspect is not what you want...

SpaceX Dragon crew capsule in 'CHUTE ABORT drama – don't panic, no one died

Alex Brett

If you read 'Riding Rockets' by the astronaut Mike Mullane (an excellent read by the way), he said some astronauts thought if they used the seats in flight they'd probably just end up going through the SRB exhaust, i.e. they were only any good before launch...

BT Home Hub SIP backdoor blunder blamed for VoIP fraud

Alex Brett

This is almost certainly someone's attempt to workaround some of the NAT issues you can experience with SIP - I suspect they've set it up so that when an outbound SIP connection is made outbound, *all* connections to port 5060 are NAT'd back to the host that made the connection so if a reply comes from a different address (which is allowed in the SIP standard) it still gets through, probably combined with an ALG that is translating internal IPs in the SIP message into the external one. Normally you'd expect your NAT device to just accept packets from IPs you'd connected out to (the service provider in this case).

If it's a phone connecting out that's not a big problem, as most phones these days can be (and should be) configured to ignore traffic that's not from the configured server / proxy, and even in the worst case all that happens is they ring - they're not going to end up placing an outbound call.

I can understand smaller installers not thinking to put brute force protection on a PBX that they are not intending to expose to the internet - unless you've seen issues like this and had to deal with the craziness of ALGs etc you wouldn't expect it.

Frustratingly all these sorts of things (ALGs in particular) actually normally make VoIP less likely to work - any competent ITSP will have a Session Border Controller (SBC), or something carrying out the same functions, at their end, which will just handle the NAT issues (i.e. all signalling will come back from the same IP and where necessary they will proxy the audio etc). However, with an ALG, 9 times out of 10 (at least in my experience) it has 'modified' the SIP messages in such a crazy way that the SBC can't work out what to do, and so you get one way audio or calls cutting off after a short time etc...

Lloyds supplier payments TITSUP: What, you want money from a bank?

Alex Brett

The law says you have 6 years to claim, so you can put the claim for interest / charges through *after* they've actually paid the original invoice...

Alex Brett

I hope all these suppliers will be charging statutory late payment fees - while the fixed charge (£40 - £100 depending on value of invoice) is nothing to Lloyds, the interest at 8.5% for ~£30m of invoices being paid say 2 months late is £419k...

Hackney council leaked thousands of locals' data in FoI blunder

Alex Brett

I wonder what the complexity of this was, I'm guessing it was something to do with Excel's versions functionality, so the question is whether it was exposed as a previous version that just using the UI could get you to, or if you had to do some digging in the raw file to get at it (e.g. as it was data left in space that Excel had marked as reusable but not yet done so).

If the latter then I have some sympathy as you wouldn't expect it to be there, if the former then that's just not understanding the tools, and only one step up from redacting something by setting the background colour to black rather than actually removing it ;)

Git thee behind me, Git crit security bug!

Alex Brett

Re: Have to agree

GitHub releases some software, but as far as I am aware that bundles the official git client in, and is basically just wrapping it.

There's a pretty good summary on the github blog at https://github.com/blog/1938-git-client-vulnerability-announced - but to answer your question yes it is a flaw in the official git client, that applies when run on a system with a case insensitive filesystem (e.g. NTFS)...

Alex Brett

Why the focus on GitHub?

This article is quite poorly worded - if you only use GitHub you're safe as they've put protection in at the server side (though obviously upgrading anyway would still be recommended), the issue is if you use git (which while it is the client software you use with GitHub, it is not 'their' client software - GitHub came around about 2-3 years later as a collection of repositories with a nice web UI etc) on other untrusted repositories on case insensitive systems where your .git directory can get overwritten...

Can't stop Home Depot-style card pwning, but suppliers will feel PCI regulation pain

Alex Brett

The biggest problem I've found with the standards, is if the business doesn't fit into one of their standard categories stating which sections you can ignore, you have to go through the whole thing, which then entails you writing ream after ream of policy documents, which nobody is ever going to read / comply with in reality.

(See http://www.alexbrett.net/blog/2013/05/open-letter-to-the-pci-ssc/ for more rants about PCI:DSS in general...)

REVEALED: Titsup flight plan mainframe borks UK air traffic control

Alex Brett

The difficulty is you need to know what other aircraft are expected in order to properly plan deconfliction - e.g. the radar for a particular sector might have 3 aircraft all nicely separated vertically / horizontally with no problems, but because you couldn't track what was coming, you suddenly find you have 10 more arrive at once all on course to meet at the same point in the sky - there's a limit to how quickly you can get them all onto different headings / altitudes. If you knew in advance then you can get them sorted in other sectors prior to being handed over.

There's also the problem that if you have to start asking each aircraft where it's going, that's a lot of time on the already busy radio taken up with the back and forth...

BT Infinity ‘working to fix problem’ after three days of outages

Alex Brett

Re: Could be GCHQ that is playing up. Also, it's in Northern Ireland too

The only address the modem has is its management one, the primary connection it provides is via a PPP connection between the customer's router and the ISP's LNS where it is just passing packets.

I see no evidence found by anybody that any traffic was forwarded through the management address, and ultimately it would make absolutely no sense to do it that way when you could do it far easier at either the DSLAM or core network level entirely transparently to the end user and any equipment they might have!

Alex Brett

Re: Could be GCHQ that is playing up. Also, it's in Northern Ireland too

The claims that there were backdoors in the modem for DoD/NSA/GCHQ were thoroughly debunked - see http://www.revk.uk/2013/12/paraniod-ravings.html or http://www.ispreview.co.uk/index.php/2013/12/confusion-alleged-gchq-nsa-backdoor-bt-fttc-modems.html for details...

BYOD: don't let the dream turn into a nightmare

Alex Brett

Surely NAS is the answer?

No I don't mean storage, but a Network Access Server, which is where the 'network' (normally the switch in consultation with a backend service) decides whether to grant you access (normally put you on the right vlan) if you comply with the business requirements around AV etc...

Having said that, in a lot of cases people's personal machines may be more secure than company laptops which have nothing more than default Windows firewall to protect them when off the network, and the user having no permissions to do anything more stringent...

NeoPost: This is how you DON'T do PIN security

Alex Brett

I'm not sure how the pricing compares (if it's more I don't see any reason for it since presumably the mail is handled in the same way within RM), but there's always Smart Stamp - couple it either with a decent label printer or a printer that can feed envelopes (not sure if such a thing exists?), and that's probably a lot simpler than most franking machines...

eBay slammed for daft post-hack password swap advice

Alex Brett

Shouldn't there be the obligatory reference to http://xkcd.com/936/ somewhere in this article?

Nominet bins Optical Express' appeal against 'It ruined my life' website

Alex Brett

It appears now, however that is likely to be due to a number of news sites linking to it, which wouldn't otherwise have happened and thus not brought its page rank etc up so high...

AT&T and Netflix get into very public spat over net neutrality

Alex Brett

Re: There are plenty .......

Just don't follow the model used by Ofcom in the UK, whereby they accepted BT's proposal to split themselves into three parts (BT retail, BT wholesale, and BT Openreach, with the latter being the 'local loop' part), leading to a sort of corporate schizophrenia and now basically ends up with the different parts blaming each other when something goes wrong, and bouncing the fault backwards and forwards and not actually fixing it (and trying to charge the customer for the privilege with SFI2)...

Satisfy my scroll: El Reg gets claws on Windows 8.1 spring update

Alex Brett

Re: As if this will make people happy!

'WIMP GUIs have always been designed to provide neophytes a way to discover functionality for themselves and learn the keyboard shortcuts as they do so.' - can you explain then why with the Ribbon in Office MS have been actively discouraging the use of keyboard shortcuts?

Chinese Bitcoin exchange disappears, along with £2.5m

Alex Brett

Re: Backups ?

There's a small pub chain that will let you buy beer *directly* with bitcoins: http://www.individualpubs.co.uk/bitcoin.html

IT Pro confession: How I helped in the BIGGEST DDoS OF ALL TIME

Alex Brett

As I understand it this wasn't actually a DNS amplification attack as you described in the article, instead they were sending DNS requests with the source address spoofed to be the target, causing the DNS servers to send their response directly to the target. As the request is quite small it isn't too difficult to send lots of them, and by targeting the request appropriately you can get the response to be quite large, thus causing the DDOS.

This also means that often simply turning recursion off in BIND is not sufficient, as in the default configuration it will likely (depending on which version of BIND) still return the list of root servers as a referral instead of simply refusing the query. The list of root servers is quite a large response on its own, and thus can be used in this attack.

The magic line you need to add is "additional-from-cache no;" - this will stop that behaviour.
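As an added configuration fragment (not part of the original comment, and not taken from BIND's own documentation), this is what the authoritative-only hardening the post describes looks like in a `named.conf` options block; the `rate-limit` block is an assumed extra hardening step using BIND's Response Rate Limiting (available from 9.9 onwards) rather than something the post mentions:

```conf
options {
    // Authoritative-only server: never perform recursion for anyone.
    recursion no;
    allow-recursion { none; };

    // The line the post refers to: without it, a query for a name the
    // server is not authoritative for still gets the (large) root-server
    // list from cache as a referral, which is enough to reflect traffic.
    additional-from-cache no;
    additional-from-auth no;

    // Keep answers as small as possible (no optional additional records).
    minimal-responses yes;

    // Assumed extra hardening: Response Rate Limiting throttles repeated
    // identical answers sent towards one client address, so a spoofed
    // victim address stops receiving a flood even for legitimate names.
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};
```

Newer BIND releases have deprecated the `additional-from-*` options in favour of `minimal-responses`, so check the `named.conf` reference for the version you run before relying on them.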

Brit firm PinPlus flogs another password 'n' PIN killer

Alex Brett

Possible attack?

They seem to be claiming that from the grid and the entered code you can't work out the pattern - this is true if the grid is a suitably randomised set of numbers with numbers occurring multiple times in different places etc, however surely all a MITM attacker needs to do to get the pattern, is display a grid with numbers set up such that you can identify which ones were selected (with 10 digits and the grid the size they suggest you'd need to do this 2-3 times, but that's probably not a big deal), and then you have the pattern...

Space Shuttle Columbia disaster remembered 10 years on

Alex Brett

Re: Killed by numeric overflow?

I think what he was referring to was the way the same overpressure wave which damaged the TPS also caused a body flap to be deflected beyond the point where damage would have been expected...

Alex Brett

As I understand it they were wearing pressure suits, so they would presumably have survived the decompression of the cabin at least for a short period?

RIPE NCC handing out last European IPv4 addresses

Alex Brett

Sadly the ISPs are looking at CGN

Unfortunately the ISPs see the answer as Carrier Grade NAT (CGN) - while for a fairly large proportion of their customers this will likely work (most *commonly used* protocols don't require you to have a public IP, the only notable exception that comes to mind is BitTorrent, but I'm sure ISPs won't mind causing their users problems there!), the big thing they're missing is that it won't be long before we start having services that are IPv6 only (as the providers can't get any IPv4 addressing for them), at which point CGN doesn't help...


Alex Brett

Re: Speaking of Armstrong

While I'm not denying the Apollo astronauts were very brave to take on such a lot of risk etc, it is worth mentioning that the LLTV was always going to be much more unstable than the real lunar lander, as it was operating in an environment with 6 times the force of gravity than the LEM was going to operate in, so having to bail out of it was unlikely to add any significant worry over the real thing...

Vixie warns: DNS Changer ‘blackouts’ inevitable

Alex Brett

Do it gradually?

Surely the solution here for any competent ISP is to gradually block subsets of customers from accessing these DNS servers in stages, and handle the support calls over time rather than waiting for them all to get blocked in one go and have a deluge of phone calls to deal with...

Biting the hand that feeds IT © 1998–2020