* Posts by JamieL

58 publicly visible posts • joined 28 Jun 2010


Multi-day IT systems outage whacks umbrella biz Parasol Group amid fears of a cyber attack


Supply chain resilience?

Given that almost all large firms / govt bodies are supposed to do due diligence on their supply chain and its ability to withstand business disruption, it does look like nobody's thought to push Parasol a bit harder to validate that their own incident plans and processes are up to scratch. My guess is that nobody went one step further along the chain...

There will be more than a few high-value IT programmes where big chunks of the workforce are hacked off and whose minds aren't entirely on the job if this runs on another week.

Guntrader breach perp: I don't think it's a crime to dump 111k people's details online in Google Earth format


Good and bad

I have an account on Guntrader. I logged in to remind myself what data they hold on me. Their website insists I reset my password (good) but when I put my email address in, it then says "we recognise your email address, and have sent a password reminder" - very bad: confirms to a bad actor that the email address is indeed active on the platform (although you might argue that's now in the public domain anyway).
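The weakness described in this post is account enumeration via the reset form. Below is an added example, not Guntrader's code, contrasting a reset handler that answers differently for known and unknown addresses with one that returns the same text either way, plus the probe an attacker would run against both. The account store, message wording and the `Outbox` stand-in for the mail subsystem are constructed for illustration.

```python
# Added example: user enumeration through a password-reset endpoint, and the
# enumeration-resistant form. Not Guntrader's code; the user store, message
# wording and mail stand-in are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample account store: email address -> account id.
USERS: Dict[str, int] = {"alice@example.com": 1, "bob@example.com": 2}


@dataclass
class Outbox:
    """Stand-in for the mail subsystem; records addresses that were sent a reset link."""
    sent: List[str] = field(default_factory=list)


def reset_leaky(email: str, outbox: Outbox) -> str:
    """The pattern the post describes: the response text depends on whether the
    address is registered, so anyone can confirm membership one address at a time."""
    if email in USERS:
        outbox.sent.append(email)
        return "We recognise your email address, and have sent a password reminder"
    return "We do not recognise that email address"


GENERIC = "If that address is registered, a password reset link has been sent"


def reset_safe(email: str, outbox: Outbox) -> str:
    """Enumeration-resistant version: the reply is identical either way. The only
    difference (whether mail is actually sent) is not visible to the requester.
    A production version should also keep the timing and status code the same on
    both paths and rate-limit the endpoint, otherwise the side channel moves."""
    if email in USERS:
        outbox.sent.append(email)
    return GENERIC


def probe(candidates: Iterable[str],
          handler: Callable[[str, Outbox], str],
          known_absent: str = "no-such-user@example.invalid") -> Set[str]:
    """What an attacker does: submit an address they know is not registered to
    get a baseline reply, then flag every candidate whose reply differs."""
    outbox = Outbox()
    baseline = handler(known_absent, outbox)
    return {c for c in candidates if handler(c, outbox) != baseline}


if __name__ == "__main__":
    guesses = ["alice@example.com", "carol@example.com"]
    print("leaky endpoint reveals:", probe(guesses, reset_leaky))   # {'alice@example.com'}
    print("safe endpoint reveals: ", probe(guesses, reset_safe))    # set()
```

Registration and login forms need the same treatment; a reset page that is silent while "sign up" still says "that address is already taken" has only moved the leak.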

The 'DUP' joins El Reg’s illustrious online standards converter


Let's not ask who really benefits from the Union

@LoyalCommentator "....the UK still wants to cling onto the parts of it that it managed to colonise...."

Not entirely sure about that. There are many in the (mainland) UK who would happily cut the cord and hand it back, but the vocal (soon-to-be minority) of DUP-like types would make too much of a fuss.

BA IT systems failure: Uninterruptible Power Supply was interrupted


Restore in the wrong direction?

Reminds me of one occasion a few years back. Had installed an active-active firewall pair across two sites with each handling one leg of a 2MB leased-line to the internet (see, I said it was a few years back!) and automatic config hot-synchronized between the pair.

One firewall sends alarms to say fan playing up. No problem, will just power it down, replace with a good unit then bring it back up again. Power down the offending unit, traffic fails seamlessly over to the secondary and all good. Re-cable from dead unit to the new one, power up. Still all good. Give the "re-synch" command and hear someone outside wondering why the internet has stopped working. Upon closer inspection I determine that the re-synch has indeed happened, with the configuration being dutifully copied across - but I now have two units each with a blank config. Heart stopped and blood ran cold as I realise what I've done...

Fortunately it was only a 15 min sprint to the other site where I had a laptop with all the backed up configs. A lesson learned the hard way indeed!

But TBH in BA's case I can't believe that the Friday of a Bank Holiday weekend wasn't considered a change freeze with nobody allowed to do anything other than emergency work in their DCs.

Do we need Windows patch legislation?


a test of contractor liability?

And no doubt many of these trusts buy in IT advice and local support from small, independent contractors who operate as limited companies. Time to test how far their negligence liability insurance will stretch?

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+


Kill switch

So, the NSA knew there was a "kill switch". They knew the code had been stolen. But they chose not to activate the "kill switch".

Conclusion: the code was still actively working for them, and now some current "operations" will be affected....

Hackers electrocute selves in quest to turn secure doors inside out


Emergency stop buttons - that unstated weakness

Reminds me of a firm I worked for who had installed so much tech in their building that the power supply couldn't handle it. Never mind, get a big container genny in the car park. And, since the tech is more important than kettles and lights and stuff, leave the computer room on the main power and wire the rest of the building into the genny.

All was fine until some kids in the car park one evening wondered what happens when you press the big red button.... genny winds down, all the doors pop open!

More worryingly, how many times have you driven past critical locations (cell towers, office blocks) and seen cooling fans on the outside with that appealing big red button. Press a few and you can be long away before the kit on the other end overheats and services start dropping.

Hacker predicts AMEX card numbers, bypasses chip and PIN


Re: Payments... At Businesses...

On a recent trip to the US I was amazed that no retailers even looked at the card signature. Just as well really because (in an attempt to prevent fraud should my card be stolen) I'd written on my signature strip "NO SIGNATURE PIN ONLY".

Next Mars landing scheduled for Monday, November 26th, 2018


Re: Clearing solar panels

Something like the bimetal strips in old-fashioned thermostats. Goes "pop" one way at night when cold and "pop" the other way in the day when warm - daily flapping for very little extra weight (you need mounting arms anyway) and self-powered.

Isis crisis: Facebook makes Bristol lass an unperson


Sćüňţhorpe anyone?

Often got round by those with malicious intent by using extended character sets.
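As an added illustration of the bypass this comment refers to (example code, not from the article or from any platform's filter): a plain substring filter misses "Sćüňţhorpe", fullwidth letters, Latin/Cyrillic mixes and words split by zero-width characters, while a folding step that decomposes accents, strips invisible characters and maps a few look-alike letters catches all four. The word list and the confusables table are constructed for illustration; a real deployment would use the Unicode confusables data rather than this hand-picked subset.

```python
# Added example, not from the article: a naive word filter, the "extended
# character set" tricks that get round it, and a folding step that catches the
# common ones. BLOCKLIST and CONFUSABLES are constructed for illustration.
import unicodedata

BLOCKLIST = {"scunthorpe"}  # constructed; stands in for whatever the platform filters

# Cyrillic letters that render like Latin ones (assumption: small hand-picked
# subset of the Unicode confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
}


def naive_match(text: str) -> bool:
    """The filter as usually written: lower-case the text and look for the word."""
    lowered = text.lower()
    return any(word in lowered for word in BLOCKLIST)


def fold(text: str) -> str:
    """Reduce a string to a comparison form:
    1. NFKD splits accented letters into base letter + combining mark and maps
       compatibility variants (fullwidth forms etc.) to their plain equivalents;
    2. drop combining marks (category Mn) and invisible format characters
       (category Cf, e.g. zero-width space) that break the word up;
    3. casefold, then map look-alike Cyrillic letters onto Latin."""
    decomposed = unicodedata.normalize("NFKD", text)
    kept = "".join(
        ch for ch in decomposed
        if unicodedata.category(ch) not in ("Mn", "Cf")
    )
    return "".join(CONFUSABLES.get(ch, ch) for ch in kept.casefold())


def folded_match(text: str) -> bool:
    """Same filter, applied to the folded form."""
    folded = fold(text)
    return any(word in folded for word in BLOCKLIST)


if __name__ == "__main__":
    samples = [
        "Sćüňţhorpe",                                   # accented letters (the title above)
        "\uff33\uff43\uff55\uff4e\uff54\uff48\uff4f\uff52\uff50\uff45",  # fullwidth
        "S\u0441unth\u043erpe",                         # Cyrillic es and o
        "Scun\u200bthorpe",                             # zero-width space inside
    ]
    for s in samples:
        print(repr(s), "naive:", naive_match(s), "folded:", folded_match(s))
```

Folding narrows the gap but does not close it: spacing, leetspeak and text rendered as an image all still go through, and it does nothing for the original Scunthorpe problem, the false positive on the legitimate place name.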

Wannabe West Midlands gun smuggler jailed for ten months


Just as well for him that they intercepted the parcel before it was delivered. If he'd been lifted with the parts in his grubby mitts then it'd have been a mandatory 5 years inside for firearms possession. Or perhaps more as they're S1 components.

Crims set up fake companies to hoard and sell IPv4 addresses


So the crims are smarter than the corporates - who'd have thunk it?

Bet ARIN are kicking themselves for not doing that: spotting the dormant blocks, tracing them through their ISPs and asking them if they still needed them.

ISS 'nauts to inflate pump-up space podule


Re: Not very inflaty

...or fetch the puncture repair kit and go space walking... - I expect they'll be doing the puncture repair from the inside, as it'll self-seal into the hole

Vodafone posts uptick in Europe but UK still a challenge


Re: Having joined Vodafone recently ......

I don't know... sometimes it's a maze of turny twisty dead or confusing web pages.

123-reg still hasn't restored customers' websites after mass deletion VPS snafu


...which is why it's a good idea for your Business Continuity Plan to involve as much diversity as possible: different suppliers, different infrastructure. And of course it counts for nothing unless you've tested it, and testing means more than "just spin it up" for a quick "hello world". It means use it. For at least one business cycle (even if just on a sub-set of your business e.g. 5% of customers).

Have just been having that discussion with my current employer: explaining that the scenario test we did on a Friday morning between 0800-0850 may tick some boxes but is not comprehensive and gives no guarantee that it'll still be working 5-10 days later.


I worry about firms who are still naively waiting for a restore

I read the article yesterday morning, and had a giggle. Then later in the day got an email from my sons' school apologising for their website being down and referring to a BBC news story about 123-reg and how it wasn't really their fault.

Three things jumped out at me:

1) I pay them a lot of money (yes, it's a fee-paying school and yes it's possible in this industry to earn enough for that) and am disappointed at the corner-cutting to save a few hundred quid a year

2) That they didn't just buy hosting from somewhere else the next day, get their website designer to re-upload, change the DNS and carry on normal jogging. It's clear by now that 123-reg can't be relied upon

3) Bad performance plus good excuse isn't the answer. They're pretty good at drilling that into the children but are still prepared to try it on with the parents

Met police commissioner: Fraud victims should not be refunded by banks


It's the trade-off between convenience and risk

I'm less bothered about the temporary disappearance of the few quid that went before the bank spotted an unexpected sequence of transactions (the fraudster testing my card first) than having to do without my card for up to a week and having to re-enter my account details to all the websites that stored them.

...wait a mo... perhaps it's all the websites storing my card details that were part of the problem...

JD Wetherspoon: A 'hacker' nicks 650,000 pub-goers' data


Well I'm not surprised

A few months back I went onto their website to book a room. I was on the verge of hitting "submit" when I noticed that the page header was plain old "http://..." and so my card details and address were about to be sent off in the clear.

Being a kind soul I sent a message and screenshot to them via "contact us" to let them know, and in particular draw their attention to their Ts&Cs which said that I was responsible for ensuring the security of my personal details which I clearly couldn't do if I used their website.

Of course I didn't get a response, but then I guess they knew already by then.
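What the poster spotted by eye can be checked mechanically. The following is an added example (not from the article and not the pub chain's code): a small static scanner that parses a page, resolves each form's action against the page URL and flags forms that collect card or password fields when either the action or the page itself is plain HTTP. The field-name patterns and the HTML snippets are constructed for illustration.

```python
# Added example, not from the article: flag forms that gather card or
# credential data but are not protected by TLS end to end. The field-name
# patterns and the sample HTML below are constructed for illustration.
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Input names that suggest payment or credential data (assumed patterns).
SENSITIVE_NAME = re.compile(r"card|\bpan\b|cvv|cvc|expir|password|passwd|\bpin\b", re.I)


class FormCollector(HTMLParser):
    """Collects each <form>'s resolved action URL and its input fields."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms: List[dict] = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "post back to this page".
            self._open = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append((a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def find_cleartext_forms(page_url: str, html: str) -> List[Tuple[str, str, List[str]]]:
    """Return (action, reason, sensitive_field_names) for each risky form."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        sensitive = [n for n, t in form["fields"] if t == "password" or SENSITIVE_NAME.search(n)]
        if not sensitive:
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], "cleartext-action", sensitive))
        elif not page_is_https:
            # TLS on the action alone is not enough: whoever can tamper with the
            # HTTP page can simply rewrite the action attribute.
            findings.append((form["action"], "cleartext-page", sensitive))
    return findings


# Constructed booking page: one payment form and one harmless search form.
BOOKING_HTML = """
<form action="/book/confirm" method="post">
  <input name="name"> <input name="card_number"> <input name="expiry"> <input name="cvv">
</form>
<form action="/search"><input name="q"></form>
"""
# Constructed checkout that posts from an HTTPS page to an HTTP payment host.
MIXED_HTML = '<form action="http://pay.example.com/charge"><input type="password" name="p"></form>'

if __name__ == "__main__":
    for url in ("http://www.example.com/book", "https://www.example.com/book"):
        print(url, find_cleartext_forms(url, BOOKING_HTML))
    print(find_cleartext_forms("https://www.example.com/checkout", MIXED_HTML))
```

The same page served over HTTPS produces no finding, because the relative action then resolves to HTTPS too; the check therefore has to be run against the URL customers actually land on, not the one in the test environment.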

Lights, power, action! Smartplugs with a twist


Until there's value in the usage data..

At which point you can imagine Google realising how much they can learn about you and your habits.. then they'll give them away.

And we'll all lap up the gizzits without realising that we've become the product... yet again...

Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands


How do they know it's "me"?

In my household there are at least four people and getting on for a dozen devices that access the internet through one ISP & IP address.

How the hell will they know which person they are tracking the browsing history for?

It was hard enough trying to control my sons' access through my router even with fixed internal IPs and firewall rules and OpenDNS... once they knew I was doing it they simply took to leaning out of the window and using the free wifi from the pub across the road!

Although I'm thinking it's a good reason not to have a go with IPv6 where the traffic can be more easily traced back to individual devices...

Safe Harbour ruled INVALID: Facebook 'n' pals' data slurp at risk


But will they listen?

I have spent over four years trying to explain to the bosses in our US parent company that telling our UK clients that shipping their data off to the US because it's technically convenient to do so isn't acceptable under EU laws unless the clients (and the respective data subjects) first give us consent to do so.

The standard US response has been "but we're Safe Harbor certified so it's OK". Which bits of "we have to comply with our laws regardless of what you think" don't they understand and will this judgement make any difference? (the answer is of course not - the 'Merkins just don't get and never will get that other countries have their own laws which are preeminent in those countries).

Jog on...

The last post: Building your own mail server, part 2


And take control of your folders

...and if you're into storing mail in folders, set up with IMAP and install POPfile the mail sorting utility. I've had it running for literally years and it sorts all my incoming mail into over 20 folders so I can see at a glance what needs my attention and what can be left until later. One of the best "install and forget" utilities that just gets on with it, learning as it goes.

HORRIFIED Amazon retailers fear GOING BUST after 1p pricing cockup


"E&OE" exists for this very purpose

And if you're foolish enough to leave those three letters and one symbol out then you deserve all you get

Has Europe cut the UK adrift on data protection?


Let's be clear on definitions and scope of territories

"...if ... UK votes to leave the EU:

The UK will be outside the EEA "

The one does not automatically follow the other. Plenty of countries are in the EEA but not the EU, so the rest of the article about the UK therefore no longer being able to benefit from the DPA is open to challenge

Mail Migration


Maybe I've missed...

Has anybody explained WHY they want to migrate email? Until you know why, you can't identify the success factors (explicit and implied). And if you don't know what those are, you can almost guarantee that at the end of the project, even if you've met all the technical requirements, the sponsor will be unhappy because you've not met his gut feel about "why it's now better".

Planning to rob a Windows ATM? Ditch the sledgehammer and bring a USB STICK


Re: A simple countermeasure

But perhaps different motivations to protect the devices: in the cable industry if hackers "steal" free movies or TV channels then it's the company's own money being lost. However it seems that banks don't seem to worry about losing "our" money in the same way...

California kids win right to delete digital past


So you're now allowed to ask them take down your own content

But not stuff put up by other people, or presumably hosted anywhere outside California where these laws have no effect. Waste of time.

Autogyro legend Ken Wallis hangs up wings at 97



I was out walking the dog on Sunday morning, heard a buzzing and looked up - there was the first autogyro that I'd seen for years. First thought to myself "ah - a Little Nellie!"

Spooky to read this evening that that was the day he died.

Does the RSPCA have your gun licence or car registration? NOBODY knows


Re: I would guess...

Making two very broad assumptions that:

1) Legitimate firearm/shotgun holders would threaten anyone with a weapon when challenged at their front door

2) People who hold unlicensed weapons (the ones that are used in the vast majority of crimes) don't abuse animals and get visits from the RSPCA

Because after all, if the RSPCA "inspector" in his plod-lookalike uniform turns up at your door without a warrant a simple "sod off" is quite sufficient without resorting to weapons of any sort (legal or otherwise).

James Bond inspires US bill to require smart guns for all


And of course nobody actually wants to use a gun for its intended purpose (say hunting) which requires you to be outdoors in the cold... and wearing gloves!

Google, Amazon, Starbucks are 'immoral' and 'ridiculous' over UK tax


So where do they do their litigation?

If these companies claim their business is outside the UK then whenever they need the services of our courts (IP litigation etc) then perhaps they can take that to Bermuda and see how they get on...

Lords blast UK.gov's fixation on broadband speed over reach


and nobody's truly on the hook for the first mile

In my village we are a fair distance (2-4km) from the exchange, yet the actual speeds achieved vary significantly from house to house, and not in a way that correlates with distance. It also depends a lot on the weather (worse after extended periods of rain) so I suspect that the quality of the copper cables plays a big factor; it's not just contention upstream from the exchange and how your ISP shapes traffic onto the core backbones. I am one of the lucky ones with 5-6 Mb/s but others (some of whom are closer) struggle to get to 2 Mb/s.

But if you try and complain to your ISP that your service is sh*te you just get bounced around and nobody seems to be able to kick BT into actually going out and sorting out the copper so that we all get a consistent "up-to" speed. Even if BT is your ISP you get passed between the various departments and none will take accountability for it.

Natwest, RBS: When will bank glitch be fixed? Probably not today


Re: Phew!

So you've moved to Co-Op.. In which case you've got a year or two there then until their banking platform replacement goes live - start looking for another bank soon!

New satellite will blow your socks off - and spot them from spaaaace


...anywhere within 24 hrs

Better hope it's not cloudy when they get there!

Look back in Ascii: Computing in the 1980s


What's all this "bought" malarkey?

Nah, "proper" hobby computing is when you get the handful of chips (CPU, RAM etc) wire them up with veroboard and wire-wrap to create your own. Not quite an early adopter (early 80s for me) but had to wait until my teens to be allowed to play with such delicate toys.

Write an O/S (hand assembled, natch) then burn onto an EPROM, plug into your machine and see what happens when it powers up.

Kids these days...

Educating Rory: Are BBC reporters unteachable?


Whereas learning Latin and Greek

...which were taught in that sort of way definitely helped me learn to program. When I got to uni the course modules on parsing and computer language design were suddenly blindingly obvious - deja vu indeed. If you can parse a "statement" in Latin to extract the meaning before restoring into English then writing code to parse a line of assembler before outputting in hex became suddenly very straightforward.

PhD pimp's mobe lock screen outwits Feds - Google told to help

Black Helicopters

Lucky he's not in the UK

If he'd been in the UK, then under RIP he'd have had to disclose his passwords or go to jail anyway...

Epic net outage in Africa as FOUR undersea cables chopped


Anchor chain / warp scope

@SteveK - general practice is that the ratio of anchor chain / warp (rope to you landlubbers) to depth should be 5:1 or higher. Hence for 1/8 mile depth you are indeed looking at over 1/2 mile as per @Anomalous Cowturd

Juror jailed for looking up rape defendant on Google

Thumb Up

Contempt does deserve suitable sentences

As a juror, you have the power to influence whether someone's found guilty, and if so they may go down for many years.

Misuse that influence and you deserve all that comes your way. If a juror misbehaved, with the consequence that you got put away for many years, you'd be a tad unhappy!

How can family sysadmins make a safe internet playground for kids?


And they have phones too

Don't forget that most kids eventually get phones and most have web browsers on them. You'll have to rely on their network providers to control what they see on those. Not all come with content control in place out of the box (although Vodafone does). I'm amazed how many parents have no idea what kids look at in the playground these days.

I've got a fairly well controlled home network so I know what they're looking at but I know that'll only last until my boys get their first phone... But I'm going to make sure they pay for their own data plans.

Google explains 'why' ads target user's Gmail

Thumb Down

Who owns the "content"

Looking at Google's terms of service, I'm not surprised. It seems that you give away your rights for all content you put in (e.g. emails you write and send) but Google recognise they have no rights over stuff inbound to you.

Can't use inbound (but if they do it's your problem to notice and act accordingly):

9.4 Other than the limited license set forth in Section 11, Google acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights which subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist). Unless you have agreed otherwise in writing with Google, you agree that you are responsible for protecting and enforcing those rights and that Google has no obligation to do so on your behalf.

But you give away outbound:

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

So that's why I don't use it!

Hundreds of websites share usernames sans permission


What's a 3rd party?

But you see, these guys aren't "passing your data to a 3rd party". They're using a fulfilment agent who aren't technically a 3rd party from a data protection perspective, they're just doing stuff on their behalf.

Now, if that "3rd party" were to do anything with the data that wasn't strictly on behalf of the requestor, well that _would_ be wrong. Like play.com and the firm that was sending out marketing emails on their behalf who had the list compromised.

So, it's up to you to satisfy yourself that not only the firm you give this data to can look after it themselves, but also that their agents do so as well. But of course it's not something you ask when you sign up is it? And they wouldn't tell you anyway.

Your organization’s security depends on everyone

Thumb Up

Correct, for a week or two...

Fair point. Expecting residents of one country to guess at another country's summer time dates is unreasonable...

GMT/UTC are the only truly international time coordinates. Used by the aviation industry for a reason.



so Harold Camping is a few days out then...

Here is Harold Camping's response from a press conference on Monday 23 May, 2011 at Family Radio headquarters, Oakland, California:

"On May 21, this last weekend, this is where the spiritual aspect of it really comes through. God again brought judgment on the world. We didn't see any difference but God brought Judgment Day to bear upon the whole world. The whole world is under Judgment Day and it will continue right up until Oct. 21, 2011 and by that time the whole world will be destroyed,"

News International mail server password FAIL exposed


Cunning double-bluff?

Of course, if it becomes apparent that their IT security was near-useless, then any actions which might appear to have been done by one of their personnel on their systems might have been done by someone else?

Sort of like a witness reducing their own credibility such that they can no longer reliably self-incriminate.

Data ownership becomes fuzzy in the cloud

Big Brother

But what about the backups?

But, presumably, even if Officer Dibble comes in and seizes the shared servers, tapes etc, there's nothing to stop your hosting provider reinstating YOUR data and services from a backup.

You did buy the DR service didn't you? And made sure they tested it? Of course, if you didn't then...

Got a website? Pay attention, Cookie Law will come


Block ICO cookies and the banner goes away

OK, so I try out paranoia settings: tell my browser to delete all cookies and not to accept any more from anyone.

Then visit the ico.gov.uk site. Lo: the banner asking me about cookies has gone, and neither is there any indication that parts of the site won't work any more... Does that mean it now _does_ work?

Judge rules against firm that lost $345k to bank trojan


Only had the energy to read the first dozen pages of the judgement but...

It feels that the bank has fairly slippery terms of service but Patco did agree to them after all. As an analogy with old-fashioned banking: if someone looks over your shoulder while you're writing a cheque and then forges your signature that's your problem for letting them do so. Ditto keyloggers.

Moral of the tale: choose your bank carefully, check what security they offer, and who's accountable for what if it goes wrong.

Official: Microsoft buys Skype for $8.5bn

Black Helicopters

Have to register

EddieD: "..and Skype required me to register for access...yep, it still does - name, email, date of birth, gender, birthday..."

Yes, but none of it has to be true - apart from email and even that can be a one-shot freemail which you only use for Skype. They only know stuff about you if you tell them...


Play.com spam points to malware downloads

Thumb Down

So who leaked it then?

Why not tell us who this "3rd party company" is - then we can all be careful not to do business with them. And any other retailers who use them can kick them off their supplier list.