* Posts by TkH11

523 publicly visible posts • joined 15 Apr 2010


Transport for London confirms 5,000 users' bank data exposed, pulls large chunks of IT infra offline

TkH11

Re: It's a large workforce

Surely explaining it facilitates understanding.

You just don't want to explain it because there is no credible explanation, so you need to employ deflection.

TkH11

They know who works for them. They just haven't been maintaining the accounts properly - joiners, movers, leavers. A basic principle of cyber security.

So they are forcing all employees to confirm they still need access to the platform(s).

Openreach hits halfway mark in quest to hook up 25M premises with fiber broadband

TkH11

Gigabit broadband 80%

FTTP 60%

What is gigabit broadband if it is not FTTP?

TkH11

Probably because they are not coordinating with the competitor, and why would they?

They are in competition with each other.

TkH11

Re: Copper

They actually are on a mad rush to cease using copper. They have a PSTN switch off plan with a date which means just about everyone migrating from fixed line to VOIP over broadband.

And they are rapidly rolling out FTTP. Although that is going to take a few more years. But I note where I live there is no confirmed year yet for rollout of FTTP.

TkH11

Re: Copper

You are perpetuating a lot of myths about the switch off of the PSTN network.

Firstly, if you want your landline migrated to VOIP to work in a power cut, buy a UPS. And I don't see why the Telco should provide them for free, except in special cases like the disabled and elderly.

Second, all of the VOIP infrastructure will be in data centres with backup power capability. Same applies to the mobile RAN network.

TkH11

Re: It's here

"I've gotten an offer".

Can we ditch these silly American bastardisations of our English language please?

HIV Scotland fined £10,000 for BCC email blunder identifying names of virus-carriers' patient-advocates

TkH11

Re: It's a charity

Doesn't matter if they are a charity, they are not exempt from data protection laws. There had to be some kind of sanction to ensure they don't make the same mistake again. And to encourage others not to make the same mistake.

TkH11

What kind of muppets have never heard of BCC? If you're over 65 then that's reasonable, otherwise not.

China Telecom booted out of USA as Feds worry it could disrupt or spy on local networks

TkH11

Re: Time to mothball SS7

SS7 is being patched by telecoms companies. Some of the vulnerabilities that were exploited in the past cannot be exploited now.

TkH11

Re: Meanwhile.....

Protectionism? Protectionism or security?

On the protectionist side, when have you known Chinese companies recognise intellectual property rights and copyright? Perhaps protectionism is not unreasonable.

Clothes retailer Fatface: Someone's broken in and accessed your personal data, including partial card payment details... Don't tell anyone

TkH11

Re: Strange

But they did give the standard bulls..t response about it being a 'sophisticated' criminal attack to try to reduce the criticism levied at them. "Not my fault guv".

GitHub will no longer present a cookie notification banner – because it's scrapping non-essential cookies

TkH11

Re: GDPR scope

>Of course, if the company has no presence in the EU, it is a bit difficult to apply meaningful sanctions, but the basic point is that processing personal data of EU residents is covered by the GDPR.

If I recall correctly, there is a requirement that they must have a presence in the EU. Now, that doesn't mean they have to have a full blown office with staff in an EU member state, just a presence, which I suppose in the simplest and cheapest scenario is an office that can receive mail such that it can be passed on to a representative of the company.

TkH11

Re: GDPR scope

It applies to data held on EU citizens, wherever that data is held in the world.

It's an EU law, but I am not familiar with the mechanism as to how it can be enforced with countries outside of the EU/EEA, but I believe it can be enforced, because we've seen more and more websites based in the USA taking action to be compliant, or where they can't be compliant, they detect where the user's HTTP request is coming from and reject it.

TkH11

Re: > I never understood that particular conspiracy theory.

Beam forming for location tracking? Irrelevant. Why? Because 2G, 3G & 4G networks track your every move through geolocation, if your phone signal is picked up by two base stations the network triangulates your position and records it, and much of the cell network is designed to have overlapping cells; and if your signal is only picked up by one base station, they know roughly where you are. The network needs to know to which base station your phone is attached, so it can route phone calls and data traffic to you.

So the beam forming capability in 5G adds little.

Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed

TkH11

Re: CVV should never be held

Keys were probably held in the database alongside the data being protected by them.

TkH11

I am hoping that does not mean EasyJet and any other company is being let-off their legal responsibilities. I expect the ICO to enforce the law and issue fines at a later date for those GDPR violations which occur during COVID-19, but I fear ICO will go easy on them and they won't be held accountable.

TkH11

Re: Other reports are saying they became aware of this in January

1. It is interesting the ICO won't release details of when they were notified. There is a legal time limit of notifying the ICO upon detection of the breach. This makes me think that EasyJet did not comply with the time limit.

2. There is no legally mandated need or time limit to notify the customers, but if the ICO thinks you should have done, given the potential impact on the customer, and you haven't, the ICO can take that into consideration when determining the size of the fine.

If the breach was detected in January and EasyJet didn't notify customers to the beginning of April then the ICO should throw the book at them. But somehow I don't think they will.

TkH11

Re: Never store CC details

Yes it does make a difference as it means a certain attack vector is no longer possible. That reduces the risk of compromise of the card data.

It doesn't completely eliminate the risk as different threat actors may adopt a different attack vector.

But the idea that it's not worth implementing the measure because it doesn't entirely eliminate the risk is flawed.

Year 1 of GDPR: Over 200,000 cases reported, firms fined €56 meeelli... Oh, that's mostly Google

TkH11

I reported a breach of GDPR regarding the illegal way a company was obtaining consent from its customers.

The ICO gave me a case number and has done nothing since.

The ICO is useless.

Working Apple-1 retro fossil auctioned off to mystery bidder for $375,000

TkH11

Jobs

Was Steve Jobs capable of soldering?

TkH11

repairing boards

Repair work may involve replacing components. If you don't repair it, then it doesn't work.

So what's the value of the item not working, and compare that to the value working?

Redoing the soldering is unlikely to devalue the board; replacing the odd passive component isn't either.

But if you replace the original 6502 processor chip, which has a date stamp of 1978 (or whatever year it was), with one dated 2005, then I can see that might have an effect on the value.

Fallover Friday: NatWest, RBS and Ulster Bank go TITSUP*

TkH11

Re: Its really not that difficult.

Oh, Dwarf clearly knows all the theory but has little practical experience on large production systems of high complexity.

Often, documentation is missing, it shouldn't be, but that's the real world. And even if the documentation is present, that's not the answer, at the end of the day, it's down to people and what they know about the system, and keeping information in their heads for fast recall. Understanding doesn't always come from reading a document, it comes from real world hands-on practical experience of a system.

On one system on which I work, it has literally taken me several years to build the knowledge and understanding of the system, which I use daily, such is its complexity.

TkH11

Re: Back now

That's rather naive. I can see you clearly have not worked on large and complex production systems.

TkH11

Re: Back now

Quote:If they do, then you don't just reverse whatever change you made: you have to fill in a great mass of forms which describe what you're going to do, apply for the access which lets you do what you're going to do, get approval from a bunch of very cautious people many of whom don't understand what you did to break it, how your proposed fix

End Quote

Not really. Because when you book in a change window, that change window should allow for reversion of the system. And the post deployment testing should be conducted within that change window too, so the failure should have been detected within the change window.

There's probably a little huddle of people that occurs to make a decision to revert, but it won't be any more lengthy than that.

TkH11

Re: Back now

>chances are it was tested but someone made a mistake in the final implementation I suppose.

Chances are it was not tested. Why? Because in my experience, test environments usually contain the applications and the logical solution architecture, not the real physical hardware with the firewalls.

The network infrastructure element of the production system is rarely duplicated in a test environment, or duplicated to a sufficient fidelity to reality.

TkH11

Re: Back now

The 5 hours probably wasn't for the reversion of the firewall configuration. It was most likely down to tracking down why the system wasn't working.

Remember that the guys who make firewall changes rarely understand the system and how it works.

Somebody would have reported that some functionality wasn't working, but if you've just carried out a large deployment, the firewall change is just one small part of that.

TkH11

Re: Back now

Credit for detecting what was wrong and reverting, but the mistake should not have occurred in the first place.

Far too often I have worked on systems which are business critical where there has been an inadequate test environment, because managers wanted to save a few bucks.

TkH11

Re: Back now

It is not hard to write an effective rollback procedure, it really isn't.
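As an added illustration of the point made in this post and in the earlier one about change windows (that the rollback and the post-deployment check should both sit inside the window), here is a small POSIX shell routine that applies a new config file, runs a health check, and reverts automatically if the check fails. It is example code written for this page, not anything from the bank or the commenter; the config files, rule syntax and the grep-based health check are constructed stand-ins for a real firewall policy and a real service check.

```shell
#!/bin/sh
# Added example: apply a config change with a built-in rollback path.
# The health check is whatever post-deployment test the change record
# requires; here it is passed in as a command string.
set -eu

apply_with_rollback() {
  # $1 = live config path, $2 = candidate config, $3 = health check command
  cfg="$1"; new="$2"; check="$3"

  # Keep the known-good config next to the live one for the whole window.
  cp "$cfg" "$cfg.bak"
  cp "$new" "$cfg"

  if sh -c "$check"; then
    # Post-deployment test passed inside the window: the backup is no longer needed.
    rm -f "$cfg.bak"
    echo "change applied and verified: $cfg"
    return 0
  fi

  # Test failed: restore the previous config before anyone has to file anything.
  cp "$cfg.bak" "$cfg"
  rm -f "$cfg.bak"
  echo "health check failed, reverted: $cfg" >&2
  return 1
}

# Constructed demo data standing in for a firewall policy (not a real format).
demo_setup() {
  d=$(mktemp -d)
  printf 'allow 10.0.0.0/8 -> app:443\n' > "$d/fw.conf"
  printf 'allow 10.0.0.0/8 -> app:443\nallow 10.1.0.0/16 -> db:5432\n' > "$d/good.conf"
  printf 'deny all\n' > "$d/bad.conf"
  echo "$d"
}
```

Usage: `d=$(demo_setup); apply_with_rollback "$d/fw.conf" "$d/good.conf" "grep -q db:5432 $d/fw.conf"`. The important design choice is that the rollback artefact (the `.bak` copy) is created before the change and removed only after the check passes, so a failed check never leaves the system in the new, untested state.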

London's Gatwick Airport flies back to the future as screens fail

TkH11

Re: Nobody has yet asked the obvious:

From information I have seen elsewhere, Gatwick provides an app for mobile phones but this was affected too.

TkH11

You must be in Manchester then.

TkH11

London Stansted is not in London. It's all a marketing strategy to convince foreigners they are landing in London.

TkH11

Re: "no redundancy in the internet link"

Caching is not the answer to a fundamental failure of resilient network design.

UK privacy watchdog to fine Facebook 18 mins of profit (£500,000) for Cambridge Analytica

TkH11

Re: Missed a trick?

Because the law which was in effect at the time they committed the breach/abuse limits the fine to £500,000. They cannot be fined more than the law permits. That is why.

TkH11

Yes, it is possible the ICO may continue to be toothless and fine lightly.

But consider this.

Any data subject in the EU that wishes to make a complaint about a data abuse or breach, has the power to report the breach to ANY GDPR supervisory authority in the EU, not just the ICO.

The GDPR regulation requires that supervisory authorities across member states share information and work together.

If the ICO develops a reputation for being weak on issuing penalties, UK data subjects can take their complaints to other supervisory authorities outside of the UK.

TkH11

Re: Max Fine

That is probably true for the Data Protection Act, which is now defunct. But GDPR was specifically developed with social media companies in mind, given the way the data was being shared. This was recognised by the EU. Under GDPR, there is no single fixed maximum fine which applies to everybody.

The maximum fine payable by any company is dependent upon their company turnover.

The fine payable, is determined by the ICO, taking many factors in to consideration, including how cooperative the company has been with the ICO, and lies between zero and the upper limit calculated from the company's global turnover.

TkH11

Re: Max Fine

There is a maximum fine under the now defunct Data Protection Act; there is no maximum fine under GDPR. There is an upper limit which is determined by a percentage of the company's turnover, and the fine, in pounds sterling, can be anywhere from 0 to that upper limit, but the higher the company turnover, the higher the upper limit. There is no limit to the upper limit.

In Facebook's case the fine they would pay under GDPR would be anywhere from zero to $1.6 billion.

A company with a higher turnover, the upper limit on the fine would be higher.

TkH11

Re: Income Vs Profit

That is true, but under the Data Protection Act £500,000 is the most they can fine.

Under GDPR, fines can be much larger, and in Facebook's case, because their turnover is so high, the maximum fine would be $1.6 billion.

TkH11

Re: Surely this isn't fair on them

It might be a free service but that does not give the company providing that service the right to break the law.

The law sets out everybody's expectations, it's a standard from which everybody works and complies. The public knows what their rights are and the suppliers of services know what they have to provide.

It's completely inappropriate then to say "There is a legal standard which you must follow, but if you're providing a free service, you can totally ignore it". How do customers know what their rights are if the providers of free services are given complete carte blanche to ignore the standard and do whatever they want?

TkH11

Re: Conclusions?

What is particularly worrying about the shadow accounts, is that firstly people didn't consent to Facebook collecting their data on them, and data subjects have no way to request that Facebook cease processing and storing the data.

These are both in themselves breaches of the GDPR regulation.

Dixons Carphone 'fesses to mega-breach: Probes 'attempt to compromise' 5.9m payment cards

TkH11

Re: A fairly basic question...

If the data was unencrypted then they HAVE done a bad job.

TkH11

Re: There's another weasel clause right there

The lawyer is right about law not being applied retrospectively, but there is an interesting legal issue here. That of when they reported the breach. They could have reported the breach under DPA but they left it and reported it under GDPR. So which is relevant, when the breach occurred, or when they detected it, or when they reported it?

TkH11

They have known about a possible data breach since last year. The company's data protection team must be staffed by morons. They could have reported the breach under the Data Protection Act and received a maximum £500,000 fine; now they have chosen to report the breach under GDPR, the fine could theoretically run into the hundreds of millions of £££. Why? Because their turnover is £10 billion.

Well, that went well: Withings founder buys biz back from Nokia

TkH11

Irish High Court slams Facebook's conduct, smacks down bid to drag out data probe

TkH11

GDPR

It seems to me FB have two issues to contend with: Firstly this court case and secondly compliance with GDPR which they must have in place by 25th May. They can't use this court case as a delaying tactic to comply with GDPR. They have had two years in which to prepare for GDPR.

But nobody can bring a case under GDPR right now, so this case can only be prosecuted under whatever existing data protection legislation Ireland has in place.

Yes, it's kind of moot, or will be in a few weeks, but the claimant is acting under existing legislation and FB need to fight their case based on that legislation. It will be up to the claimant whether he wants to discontinue proceedings feeling that matters have been overtaken by GDPR on 25th May.

I doubt the claimant will be able to change the case and say he wants to progress the case under GDPR law. Need to start new case.

UK.gov demands urgent answers as TSB IT meltdown continues

TkH11

Re: needs to become an official el-reg measure

You're combining two acronyms: SNAFU, FUBAR.

TkH11

Re: I wonder....

Easy to detect fraud. They record details of all transactions and the time and date of when it was performed.

All they have to do is sit back and wait for people to complain money has been stolen from their account. Then when the complaints roll in, investigate those complaints relating to transactions which occurred during the time window of the change.

TkH11

Re: Use of Live Test Data

The problem is always going to be that when you construct test data how realistic is it? I did some work on a system a few weeks ago and I could not obtain a data model of my source database and only in time I discovered problems in the live dataset, which I needed to cater for. Had I constructed test data I would have built it to what I expected the data model to be and my software would have failed.

An employee working with sensitive live data simply has to sign an NDA. Now that doesn't guarantee they won't steal the information, so you have to also consider who the people are that are working on that data, and which country they are in. And worst case, you can pseudonymise it by tokenisation.
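As an added example of the tokenisation this post ends on (not code from the commenter or from TSB), the snippet below pseudonymises identifying columns of a live extract with a keyed HMAC so that the test copy keeps the shape and referential consistency of real data (the same account number maps to the same token in every table) while the key, held outside the test environment, is what would be needed to recompute or link tokens. The rows, column names and key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a live extract; no real customer data.
LIVE_ROWS = [
    {"account_id": "10023456", "name": "A. Customer", "email": "a.customer@example.com", "balance": 1250.40},
    {"account_id": "10023457", "name": "B. Customer", "email": "b.customer@example.com", "balance": -80.00},
    {"account_id": "10023456", "name": "A. Customer", "email": "a.customer@example.com", "balance": 99.99},
]
IDENTIFYING_FIELDS = ("account_id", "name", "email")


def tokenise_value(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed token for one cell.

    HMAC rather than a plain hash: without the key nobody can confirm a guess
    ("is this token account 10023456?") by recomputing it. The field name is
    mixed in so the same string in two columns yields two unrelated tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    if value.isdigit():
        # Keep numeric fields numeric and the same length so the system under
        # test still accepts them. Short fields make collisions more likely;
        # check uniqueness on the output if the column is a key.
        return str(int(mac, 16) % 10 ** len(value)).zfill(len(value))
    if "@" in value:
        # Keep an address shape; .invalid is a reserved TLD so test mail goes nowhere.
        return f"{mac[:16]}@example.invalid"
    return mac[:16]


def tokenise_record(row: dict, key: bytes, fields=IDENTIFYING_FIELDS) -> dict:
    out = dict(row)  # non-identifying columns (balances, dates) are left intact
    for f in fields:
        if out.get(f) is not None:
            out[f] = tokenise_value(str(out[f]), key, f)
    return out


def tokenise_dataset(rows, key: bytes):
    return [tokenise_record(r, key) for r in rows]


def leaks_live_values(tokenised, live, fields=IDENTIFYING_FIELDS) -> bool:
    """Sanity check before the copy leaves the production boundary."""
    live_values = {str(r[f]) for r in live for f in fields if r.get(f) is not None}
    return any(str(r[f]) in live_values for r in tokenised for f in fields if r.get(f) is not None)


if __name__ == "__main__":
    # In practice the key lives in production's secret store, never with the test copy.
    demo_key = bytes(32)  # constructed, all-zero key for the demo only
    test_rows = tokenise_dataset(LIVE_ROWS, demo_key)
    assert not leaks_live_values(test_rows, LIVE_ROWS)
    for r in test_rows:
        print(r)
```

Because the mapping is deterministic per key, joins between tokenised tables still line up, which is what makes the copy useful as test data; rotating or discarding the key is what severs the link back to the real people.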

TkH11

Re: Use of Live Test Data

What is the problem with using live/real data in a test system? As long as it is protected in all the usual ways. And as long as you ensure the test system is kept separate and isolated from the production system so you don't inadvertently update the production system with test transactions from the testing?

TkH11

Are you really advocating bringing down the bank? Shame on you....
