Rule 34 (IoT)
Strange... my thoughts went there as well ;p
Internet of Trash...
142 publicly visible posts • joined 28 Apr 2011
Yeah, the "fun" from Osi and even Jay Bell gets olld really fast - like within the first minute.
The BBC coverage REALLY SUX. Way too much time spent listening to drivel from their "celebs", Way too much time spent on analsis that the play by play and color (sorry - they are USA commentators) ALREADY did a good job explaining... and WAY too little actual football. Also: way too much time given overly simplified explainations of rules and calls: all that needs to be in a "beginners show" not in the ONLY coverage we get to watch.
And don't get me started on featuring the same games in both broadcasts - WTAF? Half-hearted coverage at best.
Next year I'm buying Game-Pass and putting up two fingers to Auntie.
" I'd also like to see suicide removed form the stats as if you want to do that you'll find a different way. "
I can agree that there is an issue with including suicide, but actually most "other" forms of attempted terminal self harm:
- need a LOT more time between the thought and the action
- may require planning or things that are not immediately to hand
- are hard to complete when falling down drunk/under the influence/severely depressed
- typically seem more unpleaseant as they might involve "pain"
- have WAY better survival rates
As a consequence, the relative "ease" of terminal self harm by firearm increases the risk of actual follow through with the intent. Availability of firearms does seem to increase the likelihood of someone actually attempting suicide, so skews the figures - but sadly a proportion of suicide by firearm is directly responsible to availability of method.
The "article" seem to mix up Enterpirse, SME, and SoHo terms, concerns, concepts and costs/wages at random, and the only point universal value was talking about the Cyber Essentials/Plus programme which is a reasonable starting point... but only to a point (I have issues with CE+ in an enterprise making rulings about how/what/when we should patch...).
Knowing Cyber is an issue: great start.
Making someone interal responsible: bare minimum.
Getting a competent assessment: Contract it out unless you have lots of in-house cyber sec skills
Fixing the holes you found: pick the best way you can afford
Ongoing: Make *sure* it's being maintained - internal/external/mix doesn't matter, but do re-assess regularly.
... would usually be plenty.
In this case, 30 weeks would not be enough, and I suspect that most of these "thinglets" will never ever be patched/upgraded, and will become a zombie army for someone/thing.
Dearly hope that "we" can identify and block traffic from them in the future, or this is how the Internet will die :(
Obviously Elites... except, D'Oh
How any org (that deals with secure information) can think not training staff in Information Security is a good idea these days beggars belief.
The REAL eyeopener was the ICO having a complete lack of interest in the "marked" files: WTF? Guess they assume that HMG / Police / GCQH will pick up the slack... ?
I do wonder if a head rolled.
Your comment on Strong Denial Standard is interesting as "They" ALL did deny strongly very fast. No waiting, no "we'll get back to you", absolutely not "no comment".
Unequivocal, immediate, clear, unprecedented denials.... and therefore rarer than rocking horse shit.
Colour me worried / intrigued by turn about...
"As an Insider, it pains me. Beyond belief. — Abby Jane Hicks (@AbbyJaneHicks64"
Whilst I have tremendous respect for all those willing to put their main systems in the line of fire by working exclusively on the Insiders ring, I think Abby is not representing the majority of Insider Contributors well:
We were told to expect that StrangeEffects will be a regular occurrence.
We are clearly warned that BadThings might happen.
We are absolutely encouraged to keep backups.
At the same time I have a LOT of sympathy for Steven who has obviously backed out of Insider (as have I). Not sure about ninja and cats, but the lack of follow through is one of the reasons why my main machine and backup have been switched, and my input to the programme has been zero for some considerable time.
"Take it to the Edge"
"The Edge browser <...> nag screen at the start, suggesting users link their browser to their mobile device is, however, a bit less pleasant."
Dear heavens - "less pleasant" is FAR too light a roast for that nonsense!
I'd suggest "a step too far"...
Arbor <...> spokesperson said. "At this time, we do not believe that this has impacted any customers or partners,
No shit Sherlock? I think that's entirely the point - you won't know... and neither will the affected parties.
*THIS* is why I have trust issues: the AV companies have chosen not to flag it. For corporate compliance, the AV tools should flag EVERYTHING suspicious, and allow the Corporate administrator get to tick a box that says "We note and accept that install in our environment because..." NOT just ignore things that could be FAR from benign.
...shows why allowing senior positions to be filled by appointment might not the best idea in the world.
Nepotism is bad enough, but from the outside (not based in Americas) these two appointments and the subsequent "works" look like deliberate sabotage - Pai seems to be working against the remit of his organisation? Certainly as his predecessors saw it!
But then I'd suggest that the whole "Presidential appointments..." routine/circus needs an overhaul!
This is absolutely the future, and our like/dislike is probably irrelevant to the beancounters who *like* a predictable service cost they can scale at will... and a lack of Capital expenditure/sunk costs. Obvious ones anyway.
I manage a reasonable size infrastructure. and am *just* dragging along the project to transition from Win7 to Win10. Not because I want to - I'm in print more than once on that subject - but because I cannot afford to pay for support after 2020, and need best part of two years to plan/architect/build/rollout.
Although Win10 is - probably - the Last MS Desktop OS, managing local infrastructure is getting to be a pain filled exercise in futility, and MS are not helping with the configuration and upgrades on Win10. On a 1000+ machine estate, it's getting to be an exercise in choosing the right compromises for all involved, and compromise always sucks for some. Or all.
I've been talking for years about how "the phone in your pocket WILL BE your computer". THIS SERVICE OFFERING WILL FINALLY MAKE THAT REAL - once it's mature. Generic bluetooth screen & keyboard, dock your phone on corner, and connect to the Virtual desktop... mobile applications are obvious.
This, finally, will be the "Cloud" that the pundits have been talking about... and I'll be retiring right about stability/consumer price point. Five years I'm guessing!
Expiring NDAs all around...
Comparing against their O365 offering which apparently offer the "most productive and most secure Office experience -with the lowest total cost of ownership for deployment and management," I'm torn.
O19 demands no further Infrastructure or Information Management changes to implement - O365 want oodles more bandwidth, and give a whole pile of new headaches to information management... but looks like it's (finally) going to be price competitive.
Thankfully the first complication is a simple one of "pays money and takes choice" - and the latter is SEP (someone else's problem), so I've asked the users which they want...
The answers are not fitting on a postcard...
Crypto needs math literacy to understand. SERIOUS math. Not high/grade school, but University Major type math.
Without that background, (assumption - probably safe) politicians have to rely on "experts" to advise them, and they get to not only pick the experts who may not have the required math (assumption - reasonably safe), but the politicians will keep asking until they find an expert who supports what they want to hear (assumption - proven).
So there's no way to tell them it's impossible that they will listen to - they think those that are telling them "Not possible" are either i) hiding something, ii) have vested interests, iii) are being paid by the opposition, iv) are terrorists and shouldn't be listened to anyway as that's who they want to spy on...
I know I shouldn't, but I can't help myself...
I actually, sadly, REALLY hope that this ends up as an object lesson in WHY IT WAS A BAD IDEA due to all the possible hacks being used wherever and however possible. With luck that will give results that have been OBVIOUSLY tampered with (preferably by millions of "extra" votes for an unlikely candidate) and rather than the rest of the world pointing and sniggering quietly, REAL ACTION results.
Also: not gonna hold my breath - they'll probably believe and defend the result whatever happens.
Worst was realising at around midnight that my first application test run of my pride and joy - selecting jurors from electoral roll - had a fundamental flaw... and would keep selecting jurors forever as the test (have I reached EOF and do I have 20 jurors) was too specific. I leave that exercise...
Jumped in my car, drove 40 miles to office, pounded on random windows for 20 minutes until someone heard... and was told by the scary night shift operator that she'd assumed I'd made a balls up after it asked for the tape the third time and had killed it, and that she'd "deal with you in the morning".
Phew... sort of.
...so all the stats are rubbish then!
If you can assert that 94% went to prison, then that's of KNOWN bad actors.
Since it is impossible to quantify what you do not know, ALL these stats are snakeoil.
As seems to be usual course in the land of the free - we don't want you to realise what's really going on so we'll Blind You With Stats that will get quoted out of context and make things seem safe...
Pretty Much Every USA Election Campaign?
Sadly we all know that whatever we say, realistically, nothing will change.
This change? Hate it with a passion - as been said, too many stock pictures, too much whitespace, and why put the classification and reporter on the "listing" - especially making so much of it.
WE ARE TECHIES - WE WANT INFORMATION, EFFICIENTLY.
I think it was wasted cash and cannot WAIT for text only/text rich version to come along.
Probably be ready just in time for my retirement then...
Be able to ditch the desktop, and take a laptop on holiday... and then stay away without withdrawal symptoms while still enjoying the many (so, so many) games in my Steam and Origin Libraries without the heft of a tower case, 30"UHD, secondard screen, mechanical keyboard, gaming mouse, HOTAS set, custom switchbox, Streampad, surround sound.. Oh. Wait.
Yeah,maybe not complete lack of withdrawal as I huddle over a small screen clicklet kb and compact mouse. But I'll be somewhere sunny. That counts for a lot - and keeps the Mrs on-side too. Vital!
I can hope anyway.
2000 days and counting...
Having just been stunned by a trivial cross domain spoofing gotcha pointed out during a penetration test, we secured *our* domain vulnerability with SPF, but once we understood the mechanism could scarcely believe how trivial email spoofing is if you control DNS/RDNS.
Currently email servers take the message being received as "the truth". I suspect it would be better if rather than the message being delivered, a notification was delivered, and servers then had to decide if they were going to retrieved the message from the email server of record for the domain... but that's a whole new ball game. I suspect the folks that conceived email and the standards around it would be/are shaking their heads at the way things have gone.
No point holding my breath for a "fix" tho
There is no way to win - either way we lose.
- If it (sort of, in any way) works, then we'll all lose ALL privacy on-line because you can guarantee that other categories of "sites/information" will be added and there'll be no way to be legally counter-culture (anonymously)
- If it fails, then they'll think up something worse, because they're "thinking of the children".
- the children who "stumble" on on-line depravity will still stumble on the badly behaved site: no improvement
- the teenagers WILL find those sites that don't follow the rules, and THAT is where the predators will find them
- Mr Moderate Joe Public will discover TOR, VPN, and annonymizers, and suddenly GCHQ will have the devils own job sorting the real subversives from the heaps of end to end encoded smut...
Never have bought a bundle...
...and all phones bar my first (a Nokia 3210) have been bought from either China direct, or via Amazon box shifters bulk reselling Chinese phones. Oh, and one via CEX (Huawei - still Chinese).
Had some amazing value, some great bargins, and some really dodgy batteries (still have to buy one a year for my early 8core android... that is still on Marshmallow). Saved a blind fortune comparatively.
Obviously not a phone snob :D
Not only turns ON things you explicitly turned off, but REINSTALLS a whole pile of sh*t that I'd uninstalled, either directly (where allowed) or via powershell where not obvious.
I do not want crap "games", XBOX, Groove and other crap taking over my boot disk thank you.
I use https://www.passwordcard.org/en for (some) of my passwords.
I have an algorithm based on domain name (one letter and number of characters gives me a start point) that lets me work out/replicate where the password starts, which direction it goes (one of the 8 cardinal directions based on TLD) and how long it should be.
Do not need to use on my devices as I have my KeePass db, and don't use for all websites, but does let me access "throwaway" sites with a strong password, and access to my secondary email account which will allow (indirectly) access to primary email (and thence my KeePass backup) when I'm out and about/abroad/etc.
I have several copies... and don't care if other people see!
We ran a server 2003 instance until very recently, and I constantly got criticised for the "gross security risk" that represented.
This is WRONG for *some* use cases.
On a well designed infrastructure, it is more than possible to design the network operations in such a way that an older, but still critical, application can run on unsupported Hardware/OS/Application framework and etc. safely - if it is only used internally, and cannot reach/see the internet.
It takes effort and planning to ensure that it cannot be reached except as required to provide the "service" it exists to provide, and is only accessible by the clients and methods essential to that service... but that's why internal DNS, subnetting, VLANS, Reverse Proxies and Firewalls exist: to mitigate, control and contain risk.
So MUCH of my staff's time is wasted responding to FOI requests that are just used to sell my details to marketing droids... that I don't want to hear from (and no I don't want your white paper, didn't give you permission to store my details, so GDPR them off your contacts system, please, thank you and goodbye).
I won't allow patching without testing... except very occassionally on Internet connected devices/servers.
Everything else gets a test cycle.
That can be 1 day, more usually two weeks, sometimes longer.
We have a LOT of legacy systems and applications that really rely on a cobbled together patchwork - and that means some patches do get rejected.
About to find out what that means for Cyber Essential Plus - but whatever the outcome, business operation trumps potential risk.
I'm not for changing!
If you follow some of the twitter and facebok posts on this conf, there are a LOT of stories from DefCon contributors basically saying unless you bring your own additional security hardware, anything mounted to the door is bypassable from ourside, or can be pushed out by 100lb weaklings.
I've been exposed to a whole new Amazon marketplace... of "essential" door security doodads!