Re: Fail
I'd suggest arbitrarily hiking his sentence by 56x would be appropriate. Because we can.
2212 publicly visible posts • joined 6 Jul 2009
Indeed. Police still check for fingerprints because most criminals don't wear gloves despite knowing about fingerprint evidence.
I was part of a peace group that got arrested trying to break into a military base, and in the debrief afterwards the organiser again stressed the need to leave mobile phones at home. Just then one of the protestors' phones rang, and they took the call. And then the paranoid morons put our arrest down to an infiltrator, rather than the blindingly obvious phone mast in the base.
"Some actually do need to access web mail during working hours, and some do need to extract or enter files on removable media"
Fair enough, then your employer should provide you with an insulated console for you to browse porn. Or, and this is just a suggestion, why not get internet access in your own home and update your kitty porn videos on your own time.
These are NHS medical testing systems that have been compromised, I totally expect deaths to come from this hack. There is no debate on the rights of the NHS worker to browse the internet at work.
"The hardest conundrum to crack is to balance security with end user requirements i.e. blocking personal email (gmail, yahoo, etc) and blocking all removable media. He did want to implement both restrictions but had received lukewarm support."
I understand the pressure from users but security should trump usability every time. No serious financial institution allows employees work access to the internet or personal emails or removable media. Your boss should treat other people's most intimate data the way they treat our money. Provide terminals with no soundcards or USB or CDs to access the internet, unconnected to the local network, for people to browse their out of work nonsense.
I've been trying for years to be in charge of my own NHS files, or at least to correct some of the errors within, to no effect. Politicians assume I am mad to suggest such a thing.
The lack of logic in the NHS at every level is worrying. My medical records are so off they are funny and worrying. The time a cat attacked my hand, the senior nurse listed me as a possible heroin addict because I had fifty bloody puncture wounds in my hand - I really don't think that is the way junkies inject.
I was tested for breast cancer one afternoon - I didn't have it but the test is so painful that if you are ever in that situation then I suggest you ask for a second opinion before even having the test. Better than not having the test and actually having it of course. Still, at the start I was asked to fill out a standard NHS form, one of the questions was "Are you still having your periods? [Y] / [N]"
How do you answer that as an Asperger's male?
It's interesting that either by chance or design only certain trusts and practices have been affected so far.
I've got nothing better to do so I'll check on Monday morning if my dentist needs any help. He is my longest relationship with any professional and he does love his new tech without understanding IT. I doubt it is appropriate to offer my local hospitals as their data is more sensitive, but if any of you work for established IT companies with the relevant expertise then perhaps suggest offering your help for free to your local NHS trusts. It's the right thing to do and you can sell it to your boss as great publicity.
All we have is left and right - what about authoritarian and libertarian?
The only way to interact with a SWIFT server is via an internal telephone in their ops centre, giving verbal instructions to an operator. You have to pass through a body-scanner to stop anyone entering or leaving the building with a memory stick or DVD. There is CCTV everywhere. The toilets are analysed for drug use. The servers are set up to NSA standards, then modded to suit the internal SWIFT security group.
I've worked at ATC and the security was nothing like SWIFT. The one thing they shared was that the foot of the walls of the buildings was curved, apparently a defence against truck bombs.
EastNets is a third-party umbrella group for banks who don't have their own in-house SWIFT accounts for some reason or other, so it's not SWIFT itself that's been hacked. EastNets have no more access to the SWIFT network than any other client.
I read that when Russia ended serfdom then the peasants refused to convict anyone accused by the corrupt courts, but would then lynch the released prisoners they knew were bad. I'm not suggesting that.
If nothing else, if you want to be excused from jury duty then just wear a T-shirt saying 'jury nullification' on the first day. Mind you, a year ago I was thrown out of a trial for 'wearing my jacket disrespectfully', and I was the accused.
@Adam This is from US law but it still stems from the Magna Carta -
Jury Myths and Misconceptions: Can Jurors Be Punished for Jury Nullification Verdicts?
Each and every one of you has the mettle and moral fiber necessary to claim this power as your own and to wield it for your highest purpose when serving on a jury: upholding justice, including upholding it above law when the two are in conflict. Do not be deterred by people invoking the chimera of punishment for acting in good conscience and doing what is right.
The principle of jury nullification basically means a jury decides what is legal, not a judge. A jury can refuse to convict even when told they have to - although nobody will tell a jury this.
In 1958 even missionary was illegal in Britain - by definition you had to go to the colonies to do that. We used to reproduce asexually, by sharing a cup of tea then sitting on a toilet seat your spouse had just sat on. However until 1986 spanking leaving a mark wasn't just legal, it was mandatory,
General Petraeus, by then Director of the CIA. It's not in the Wikipedia page but seemingly the investigators faced fewer legal hurdles due to the fact the communication was in a shared folder rather than emailed communications.
A British citizen committing a crime on British soil should be charged in the UK under English or Scottish law and if found guilty imprisoned here close to their family, in this case under the Computer Misuse Act 1990 with a maximum 10 year sentence. Anything less is a betrayal of sovereignty.
If the yanks don't like that then they shouldn't keep their sensitive military systems easily available online from the UK.
I've met Love near Glasgow, he is not that technical. There must be dozens of less naive hackers still in those systems undetected.
The Simpsons. His entire career was simply an apprenticeship for his greatest role as Walter Hotenhoffer.
Grandpa Simpson - What did you do during the war?
Walter Hotenhoffer - WWII? I wasn't born yet.
Grandpa Simpson - Funny how many Germans say that these days.
I block ads on some of the sites I like and would like to support because the adverts creep me out by mining my posts. Targeted advertising is just scary and almost always incorrect. For my favourite sites I'd be happy to fill out a form saying, "these are the things I actually buy, or may be interested in adverts about, don't send me any others and don't personalise any of them".
CCTV supposedly used to cut violent crime is already used to police parking violations. Councils and DWP little Hitlers already do this too to cut down on dog poo, school admissions, rubbish bin abuses.
I was recently charged (wrongly) with a Breach of the Peace, over twenty months and with three days in jail, about fifteen court appearances, and several police raids/visits to my parents' house. I realised fairly early on the police were going to their address soon after I'd arrived out of convenience, and must have been tracking my phone to save themselves a fifteen mile drive to my home. Later one of the officers interrogating me confirmed that inadvertently.
My case is utterly petty and minor but Police Scotland have also been doing the same stuff to journalists and other police officers. I got to talk candidly to a senior police officer about this sort of quasi-legal behaviour once and he was perfectly frank and unembarrassed, "What we can do, we will do". Meaning they will do anything they think they personally will not be prosecuted for.
And that is fair enough if they'd focus on serious criminals and terrorists, but they don't and they don't intend to.
At one point it was part of my job to read log files to spot hacks. I must confess I am not sure I did it very well. My boss was better at it, but he always did it after the event. Once you know something has happened then it is relatively simple to look back for tell-tale signs. It was complicated by the fact we never got to choose what was logged, some invisible developer decided that months before without our input. So spotting it in real time requires pattern recognition skills that I doubt even Assange has. You stare at logs over and over and you can, sometimes, tell if something looks a bit different. If you are well slept and not on 24 hour call out, and you didn't just have an argument with your girlfriend.
I used to be stuck in a yearly battle between Belgian and Dutch hacking conventions. These genius idiots weren't actual criminals as such, but they were trying their best to take us down for lolz. It was bloody annoying, and I had the best of support. As soon as they jabbed us, we'd get a direct patch from MS or whoever and have to install it organisation wide. You know how Space Invaders gets annoying after an hour or four? It was very tempting just to leave work, go to the convention and spike their drinks with LSD.
Snowden used a CD marked "Lady Gaga"
That was Manning.
If you can get remote access to everything on a server then you can likely amend the log files too. Various crypto gurus are already recommending we look to a post-crypto future where you assume you are hacked and concentrate on blocking exfiltration, either by DVD as you said or straight over the network.
Culpepper. Aye, and I had a Virginian boss in the Netherlands who never liked the locals, and who in turn wasn't liked. That made him a bit paranoid too. I never met a single Indian there but I met many, many nationalities among my colleagues. Mostly western, mostly white, mostly male.
Half the money that passes hands each day is transferred across the SWIFT network. You are quite correct that actual money doesn't travel across their network, only messages, but duh! A physical £50 note is only a message too.
SWIFT do provide secure communications to their users, in the same way the Bank of England/Bank of Scotland, RBS and Clydesdale provide secure £50 notes to their users. If you get mugged walking down the street or accept obviously fake £50 notes then you can't blame the currency. The weak point is the banks, aka between the chair and the keyboard.
First, neither Linux nor Windows is used on the main network.
Second, why on earth is SWIFT's self-signed root PKI cert a 'dodgy security practice'? It's entirely their network so outsourcing trust would be a vulnerability. Banks trust SWIFT for a good reason, they are unhackable. Other root certifiers are not.
I'm guessing you were working at the Belgian HQ. In the OPs centres there aren't any contractors and the canteen food is, well, not exceptionally good. Security though is tighter than anywhere else I've ever seen, certainly far, far tighter than banks which just aren't comparable. I take it you were a developer, you wouldn't have got within sniffing distance of the actual networks.
As 2nd line support (only four managerial levels lower than Schrank since they only have four levels) I wasn't allowed to touch the active machines I was supporting. I'd have to talk an operator in a secure area through it.
I've just experienced 20 months of being charged with Breach of the Peace Section 38 ("a domestic"), only for the charges to be dropped earlier this week during the trial without me being allowed to say anything in court except "Not guilty". I've had to attend court at least 12 times, I eventually lost count. I've spent three days in jail on two occasions, my family suffered three police 'visits', I've chosen not to work or claim benefits during that period, and it's been hellish.
I will write it up and may post it here or at least link to it here because there are a few tech angles. First though I've got complaints to the police, the lawyers and the prosecutors to write, in the hope of improving their awful performance rather than wanting vengeful disciplinary action.
I would've preferred a trial rather than a dismissal even though I had been told there was a good chance of being found guilty. I would have far preferred if the prosecutors had accepted my initial offer to discuss the matter on record.
One of the things that came out of this is I asked and got to read my medical records, and they are appallingly inaccurate and worryingly demeaning. It's inhibited me from seeking medical help again, and I urge everyone here to ask to read through their own medical notes. Unrelated to my case I found suggestions that I was a heroin user when I attended hospital with cat bites - wtf?
As IT guys we recognise and laugh at our own profession's incompetence, but in my experience we are far better at our jobs and more open about our failings than doctors or the judiciary who form 'closed ranks'.
By nature I don't have much sympathy for this guy, the way he has conducted himself and has been portrayed in the media. Through bitter experience I'll hold my judgement on anyone I haven't shared a cell with.
Why automate while child labour works?
We appreciate your expression of willingness to participate. Unfortunately, the claims in this case had to be filed by 4 December 2015. The reason is that the Investigatory Powers Tribunal found that unlawful GCHQ surveillance, on which these claims are based, became lawful as of 5 December 2014. Once a claim is filed, the Tribunal will only search GCHQ’s records for unlawful activity during the year before the claim was submitted. What this means is that a claim submitted on 14 September 2015 would lead to records being searched for the time period between 14 September 2014 and 5 December 2014. Claims submitted after 4 December 2015 would address surveillance by GCHQ that was deemed lawful by the Tribunal and therefore not subject to a search.
It's even more of a con than the article conveyed! Apologies to PI but no apologies to the IPT:
"If Sir Jimmy abused you in the year before you first complained, then we would certainly consider accepting your proof".
I'm not one of the 663 but have strong and deep evidence I was spied upon, including but not limited to emails from a since exposed police infiltrator. I never applied to PI as I had no faith it would be taken seriously, but if it's being dismissed in this flippant manner then I perhaps should (reluctantly hold up my hand, sigh, and mumble "I'm Spartacus").
However, I'm still put off submitting a complaint as they are limiting it to the first ten cases, instead of the strongest ten, and I'm not sure if those ten have to be part of the six hundred and sixty three. Do you know if that is the case?
SWIFT originally refused to cut off Iranian banks so the US threatened to arrest all its employees and management. SWIFT complained to the Belgian government who shrugged. So how can an organisation follow Belgian national laws without the support of the Belgian government?
As for monitoring terrorist funding, can you name one organisation with an operations centre in the US that doesn't comply with a legal request from US authorities to track terrorists?
Your impression was incorrect. I'm working class, never went to Uni, and many of my colleagues were the same. It's probably the most meritocratic employer I've worked for, far better than any British employer. Only four seniority levels from bottom to top. There were a lot of white males, but no more so than other European IT organisations.
If you were competent for the role then you were maybe deemed a security risk, their background checking is a lot more in-depth than you'd know.
You have an inadvertent 'Swift' in there. They are a car company, a delivery company, and a sausage company, unrelated to SWIFT.
My first week at SWIFT. First day I noticed the building had curved edges, same as Air Traffic - to deflect truck-bombs. Everyone gets a full body scan to enter and leave, to make sure nothing as big as a CD or memory stick gets in or out. There is CCTV everywhere. There is an ashtray placed on your desk, because they know in advance you smoke. You are allowed to smoke everywhere, including certain server rooms, because there is a constant updraft of ventilation that Dyson must've designed. You are not allowed anywhere near the servers you support, you have to talk operations staff through whatever minor or vital thing you want to do. Your colleagues at lunch joke that they analyse your piss and shit in the toilet for drugs. Except they aren't joking, although out of hours cannabis is permitted. You find your flat has been broken into overnight, fairly often, just to check. The mice have fingerprint readers. You are told security is everyone's prime responsibility, but when you actually check on security, you are questioned by an internal security team about your motives. There is no internet access, but the intranet tells you stuff about your hometown that you never knew. You are repeatedly warned about all the ingenious Mafia phishing and more serious threats. Your colleagues are introduced to you as 'John, from British security' and 'Paul, from French security', and these are actual state officers seconded to the role doing coding and tech support. When you have a tech support question yourself, your call goes directly to one of the world's experts - millionaires are your help-desk. They try to imprison their staff with high wages, and give you a weekly back massage.
Outside of GCHQ and the NSA, it is the tightest security in the world. Of course their end terminals are the weakest link, that's not their responsibility. They tell an anecdote about when Saddam invaded Kuwait they dodged a bullet because the terminal there was in an unopened cupboard.
But blaming SWIFT for end point attacks is like blaming BT for phishing scams. They are tighter than a sheep's behind at an Aberdeen game.
I have read every tale of woe here, and though I am always amused I can always beat them from my own history of incompetence. I could write a short novel of comedic failures. The time I fixed a six month BT lease-line problem. The time I drove over my bag full of replacement video cards, and had to install them anyway. The obligatory rm -rf anecdote. The time I replaced a blind man's VDU without understanding why, only to stick my hand out expecting him to shake it.
In retrospect, most of my career was comedic. I once had an MS vice-president as my first line tech support though. You know you've made it when you have a millionaire at your beck and call.
"the less people knew about me the better"
Just over a decade ago you could search the internet for "Secret Project" + CV and get all the main engineers involved. They'd boast about it online, perhaps inadvertently through recruitment agencies.
In 2003 I found the main engineer behind the UK's '4 minute warning' of a nuclear attack. Brian Dreary. I wanted to trigger the warning, at least for high ranking officials, but I was persuaded by a wiser soul that was irresponsible and potentially dangerous.
For the record, at that time at least, the 'four minute warning' consisted of a pre-recorded telephone call to every British land-line, telling you Armageddon was imminent but not to panic. Guess whose voice they used to reassure us? Joanna Lumley!
Good choice. My plan was to either steal the recording or hire a voice impersonator, and call all the key folk just to panic them into heart attacks. I was talked out of that but I sort of wish I had.
Since you are now monitoring this website, how about you explain your "We didn't do it, but if we did do it, this is how we did it" OJ Simpson defence?
While you are at it, do you want to explain why council-tax payers money is used to promote and fund the singing career of one Rena Gertz?
"He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you."