* Posts by charlie-charlie-tango-alpha

89 publicly visible posts • joined 28 Jun 2011


Locked up: UK's Labour Party data 'rendered inaccessible' on third-party systems after cyber attack


Re: My partner used to be a member

And so did I until I became completely and utterly cheesed off with Corbyn.

I had to laugh though when I received my copy of the email telling me of the "cyber" attack and warning me that some unspecified "information provided to the Party by its members, registered and affiliated supporters, and other individuals who have provided their information to the Party" had been compromised because when I first tried to resign I received a wonderful email from the party saying:

"I am very sorry that you are thinking about resigning your membership.

Unfortunately based on the information from your email we are unable to find you on our records."

So they can't have lost much about me.

UK reveals new 'National Cyber Force', announces Space Command and mysterious AI agency

Black Helicopters

Shiny new battlefield?

Has anyone else noticed the disjoint between this announcement and Ciaran Martin's excellent speech to King's College London (https://www.theregister.com/2020/11/11/ciaran_martin_speech_cyber_policy/)?

Maybe that's why he left.

Fed-up graphic design outfit dangles cash to anyone who can free infosec of hoodie pics


Re: A more realistic image...

This is what hackers look like.



OK Google, why was your web traffic hijacked and routed through China, Russia today?


Re: What about the UK

It's much worse than that. Gsuite is used by UK Central Government departments as well. I have never understood why. It's bad enough that Google knows all about your private email, it now also has full access to some HMG mail, documents, Hangouts discussions etc. FFS why give that kind of advantage to a US commercial company?

Back in the day when I ran Gov IT systems we insisted the data was all on local boxes we could actually touch. GSI (version 1) changed some of that by moving mail through a commercial (but UK based) system. Later versions further watered down the local storage and processing paradigm. We now seem to be so enamoured of all the "cloud" bollocks that we are prepared to give away most of the crown jewels.

Face palm for obvious reasons.

30 spies dead after Iran cracked CIA comms network with, er, Google search – new claim


"The CIA did not respond to a request for comment."

And you are surprised?

UK.gov asks biz for ideas on how to 'overcome' data privacy concerns in NHS


Re: Keep it local

"You die of a reaction to the medicine, because nobody could get clearance to view your medical records in time."

Ummm. You could do what I do. I carry a warning card (written in English, French, Spanish and German) stating in big red letters that I am severely allergic to medicine X. Anyone attempting to identify me from the contents of my wallet would find it.

30-up: You know what? Those really weren't the days


Re: Stob Note

Around about 1993 or so I was the proud owner of a "Verity Stob has not got a big bottom" T Shirt. I think I may still have it somewhere - though it might now be a rather tight fit.

Amazon warns you have 30 days before Music Storage files bloodbath


Re: It's a whooping

I don't get it. I really don't get it. I have over 16,000 tracks of music stored locally. The original FLAC storage is on my X10, I have two (separate) local backup copies of the FLAC files and an additional two (separate) copies of the FLACs re-encoded to MP3 (so that I can use them on my portable MP3 player and in my car).

Now why on earth would I store any of that in any third party's storage facility, let alone one owned by Bezos?

People, I just don't understand them.

Punctual as ever, Equifax starts snail-mailing affected Brits about mega-breach


Don't bother 'phoning

I got one of these missives, as did my wife. I've tried calling the "helpline" (largely to vent my spleen rather than in the hope of any real action) only to be met with the usual robotic: "Thank you for calling Equifax, please choose from one of the following three options". Option 1 is the one you need if you are calling about their "data breach service" (nice name, sounds like a new product). Pressing that number results in the repetition of the same message. As does pressing any other bloody number.

So they can't even get a fucking answer system robot to function correctly.

Open source sets sights on killing WhatsApp and Slack

Thumb Up

Re: Not too sure about this...

+1 and I agree entirely

As I read the article I thought, oh hell, why pick Dovecot? The configuration files are a nightmare. XMPP makes perfect sense as a messaging protocol, just don't, please don't tack it onto Dovecot.

Patch your WordPress plugins: Scum are right now hijacking blogs


Re: Oh Joy?

It's worse than that. Try example.com/wp-json/ or wp-json/wp/v2 etc.

This is best blocked by installing the "disable REST API" plugin. See:


Red panic: Best Buy yanks Kaspersky antivirus from shelves


Re: @Amos1

That reminds me of the (possibly apocryphal) story that during the early days of the "space race" the Americans spent millions trying to perfect a ballpoint pen which would work in zero gravity.

The Russians used pencils.

If you love your email standards, SMTP your feet: 35 years later


Re: RFC 2549 et al

My favourite April RFC is Steve Bellovin's "The Security Flag in the IPv4 Header" (RFC 3514) from 2003.

Police anti-ransomware warning is hotlinked to 'ransomware.pdf'


This stupid sidebar is still there

Sometimes I wonder.

Then sometimes I just weep.

You can't make it up.

Apache OpenOffice: Not dead yet, you'll just have to wait until mid-May for mystery security fixes


Re: Use Googles office suite online equivalent to Office

"Free, usable on windows and linux. What's not to like?"

Oh jeeeeez.

Fine, if you are happy for Google to own one more bit of your data. A BIG bit of your data, to go with all your email and all your search data.

I despair. Why do people care so little for their privacy?

Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'


Re: An Adobe Wannabe?

"If that's what they do with things like a browser plug in, what's their router source code like?!"

You don't want to know. You really don't want to know.

Sneaky chat app Signal deploys decoy domains to deny despots

Black Helicopters

Re: Buyer beware

"PS: If you want proper secure IM from a known and honest developer, take a look at Conversations.im (no, I have no connection to the developer and his software does not rock my boat so I don't use it myself)."

Or do what I do and set up your own XMPP server (there are plenty of options available) on a VM somewhere you trust with a provider you trust, and then use the Conversations app to communicate with that server. In my case I use my own X500 certificate on the XMPP server for TLS protected comms and OTR for end to end encryption between parties.

It works. It's cheap. I manage it. I trust it.

Investigatory Powers Act signed into UK law by Queen


Re: Could someone recommend a VPN?


Set up your own on a rented VPS somewhere outside the UK/US (and not owned by a UK/US company).

It should cost you between £3.25 and £5.00 pcm

Make sure you don't keep logs.

Better yet, use Tor.

Blighty's National Cyber Security Centre cyber-reveals cyber-blueprints


Plus ça change....

GCHQ always hated the fact that NISCC reported to the DG of the Security Service. So, NCSC re-invents NISCC but reporting to GCHQ. I see nothing here that NISCC wasn't already doing, and more openly, years ago.

Whoop de do.

For fsck's SAKKE: GCHQ-built phone voice encryption has massive backdoor – researcher

Black Helicopters

of course it will work

Anyone remember PGP for HMG? Now that went down well.

Half of UK financial institutions vulnerable to well-known crypto flaws


"Not having a CISSP badge doesn't mean not qualified."

On the contrary, it can mean the actor actually takes security seriously rather than being impressed by post nominal "qualifications".

Cough "MBCS" Cough "CITP"

Painfully insecure GDS spaffs £21,000 on online narcissism tool


Re: Can anyone answer this?

"Suggest you either tweet the questions or send the letters via your MP."

I'd go for the letter to your MP as the most effective route if you want a Minister to actually see your complaint - whether that Minister actually does anything as a result is of course a moot point.

Letters from the public to HMG Ministers are treated in one of two ways. If the letter is direct to the Minister (or his office or an official in the Department) then the Minister never actually gets to see it. It is handled only by officials (this is known as "treat official"). If, however, the same letter is sent to an MP and is then forwarded by that MP to a responsible Minister for reply, then the Minister will get it in his red box along with a draft reply (from the same official who would have replied directly as before). The Minister then signs the reply to the MP and encloses the constituent's original letter with the reply. Said constituent then gets back the official line trotted out by the Department with a nice letter from both his or her MP as well.

In my experience however, this is a largely futile exercise unless you happen to like collecting letters from Ministers and MPs.

Yet another Android app security bug: This time 'everything is affected'


Re: In God's name

+1 to that

But regardless of whether or not there is any remotely exploitable vulnerability, trusting a bloody phone for sensitive transactions is just loopy. The damned things get lost and stolen.


Facebook flings PGP-encrypted email at world+dog. Don't lose your private key


"a lot better than ROT13"

Personally I prefer ROT26 - 'cos, you know, double encryption has got to be better.

UK.gov crackpots: Let's build vapourware-based sharing economy CITIES


Re: Subversive

+1 and have an upvote.

When I read that I thought "Fuck me, a thinking Tory. Whatever next."

Paranoid Android Kaymera smartmobe takes on Blackphone

Black Helicopters

Re: brilliant solutions for gangstas, bankstas, terrorists and others in search of ultimate privacy

+1 to that. Anyone who trusts any Israeli "security" company deserves all they get.

Black helicopter - for obvious reasons.

Google, Amazon 'n' pals fork out for AdBlock Plus 'unblock' – report


Re: You can add your own filters....

Yes. Dan Pollock has a very good site at http://someonewhocares.org/hosts/. I use his hosts file, appended to my own local hosts file on my home DNS server (which runs dnsmasq). dnsmasq reads the local hosts file before consulting a downstream DNS server. Dan's hosts file listing points all unwanted domains at local loopback.

Take that you malicious ad-serving bastards.
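One way to see what that hosts-file approach does and does not catch, as example code added here (not from the post, from dnsmasq, or from someonewhocares.org); the list contents, network names and the rule that the first entry for a name wins are constructed for the example:

```python
"""Merge a hosts-format blocklist into a local hosts file and answer lookups
the way the post describes: hosts entries win, anything else falls through to
the upstream resolver. Example code added here, not from the post, from dnsmasq
or from someonewhocares.org; all names and addresses are constructed samples."""
import ipaddress

# Constructed blocklist in hosts-file syntax: comments, blank lines, several
# names per line, both common sinkhole addresses, and one malformed line.
BLOCKLIST = """\
# constructed sample, not real list content
127.0.0.1 localhost
127.0.0.1 ads.example.invalid
0.0.0.0   tracker.example.invalid cdn-tracker.example.invalid  # trailing comment
::1       ipv6-ads.example.invalid

not-an-ip ads2.example.invalid
"""

# Constructed local hosts file for the home network.
LOCAL_HOSTS = """\
192.0.2.10 nas.home.lan
192.0.2.1  router.home.lan
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

def parse_hosts(text):
    """Return {name: ip} from hosts-file text. Names are lower-cased and
    trailing dots dropped; the first entry for a name wins (this example's
    rule, chosen so an earlier local entry cannot be overridden by the list)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            continue  # skip malformed lines instead of poisoning the table
        for name in names:
            table.setdefault(name.lower().rstrip("."), ip)
    return table

def build_table(local_text, blocklist_text):
    """Local entries first, then the appended blocklist, as in the post."""
    return parse_hosts(local_text + "\n" + blocklist_text)

def resolve(table, name, upstream):
    """Answer from the table if the exact name is present, otherwise call
    `upstream` (a callable standing in for the downstream DNS server)."""
    key = name.lower().rstrip(".")
    return table[key] if key in table else upstream(key)

def is_sinkholed(table, name):
    """True only for an exact match: hosts-file blocking has no wildcard, so a
    fresh subdomain of a blocked name still reaches the upstream resolver."""
    return table.get(name.lower().rstrip(".")) in SINKHOLES

def blocked_names(table):
    return sorted(n for n, ip in table.items() if ip in SINKHOLES and n != "localhost")

TABLE = build_table(LOCAL_HOSTS, BLOCKLIST)
```

The exact-match limitation is the caveat worth remembering: an ad network that serves from a new hostname each day is not caught by a hosts file, whereas a domain-level rule in the resolver would be.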

Switch it off and on again: How peers failed to sneak Snoopers' Charter into terror bill


Re: Here's your problem Lord B

"Better yet, send them an email (using AES-256 encryption) that explains how it all works."

Ummm. In order to send an MP an encrypted email you would need that MP's public key (assuming a PKI type system). My MP barely copes with email in clear. He certainly doesn't have a GPG key. And even if he did, GCHQ would never allow encrypted email in through the Parliamentary email gateway.

UK.gov SLASHES ICT frameworks by more than HALF


Re: CCS is very badly resourced.....

and back in the day, CCTA, one of CCS's predecessor organisations, had precisely 1.

I weep.

What a pity: Rollout of hated UK smart meters delayed again


Re: Pointless and dangerous fads

One of the /really/ cool things about these devices is that they can be used (remotely) to switch off supply. Guess how they need to be reset? Yes, that's right - manually.

Now imagine finding the resource to reset 20 million domestic units which have been remotely terminated in an attack.

WTF we are still even contemplating this madness is beyond me. Especially with Crapita in the driving seat.

London cops cuff 20-year-old man for unblocking blocked websites


Re: Short term memory loss

"Using either WILL get you under the baleful eye of various spooks"

Using ANY form of encryption will draw attention.

The question is, do you care?

(And I agree with a later poster, the FACT poodles - COLP have massively overreached here. I sincerely hope they try to take it to court).

Lawyer reviewing terror laws and special powers: Definition of 'terrorism' is too broad

Black Helicopters

Re: I have argued for many years

6... any of the old chemistry books I possess (from the days when they included details of explosives, or "hazards in the chemical laboratory").

7. Copies of strong anonymising software such as tails or whonix.

8. Copies of privacy enhancing software such as GPG.

9. Provision or maintenance of privacy enhancing tools such as Tor....


Use Tor or 'extremist' Tails Linux? Congrats, you're on an NSA list

Black Helicopters

Re: And if I actually USE Linux..........

"One of the problems with Linux is it's probably a hell of a lot harder to insert spyware, if you're any sort of a halfway decent admin."

Ummm - no actually it isn't. Where did you get your distro? How do you update it? Which repos do you use? Are you /certain/ that last update was completely free of any /deliberate/ trojan? Are you /certain/ that last update didn't contain any remotely exploitable vulnerability?

"If you look at the Windows processes list, you have no idea what half that shit is. They could probably run xkeyscore.exe and I sure as hell wouldn't find it."

That just says that you are not a Windows admin. It does not mean that no-one else understands the Windows process listing. But see the argument above. The same applies (but worse because the software is proprietary).

"However, on my Linux box I know what every single process in pstree is doing and why it is there. I also know what's going on in the network activity bar of xosview and the netstat listing. Anything reporting back to NSA HQ would have to be pretty subtle."

No you don't. You just think you do. And even if you did, your pstree could be trojaned and not show processes it wanted to hide. So could netstat, or wireshark. That cupsd may not be just listening for print commands you know.

The point is, unless you have an external monitor (say a /known/ /provably/ clean network monitor running on a /known/ /provably/ clean OS) sitting on the wire between you and your ISP you have no guarantee whatsoever that what is going in or out of your nice safe secure linux box is all it should be.

And even if you have, you could still be stuffed unless you /really/ understand network protocols in depth (Ever hear of DNS being used as a wrapper for file exfiltration? Or long time based UDP to call home?)

Don't be complacent. The only secure computer is one not switched on, not connected to anything and buried in a lead lined box in concrete.

And even then I'd worry in case it was exhumed and disk forensics run on it......
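What the external monitor in the post would actually look for in the "DNS as a wrapper" case, as example detection logic added here (not the poster's code); the query-log lines and their four-field format (timestamp, client, name, type) are constructed for the example and are not any real resolver's log format:

```python
"""Flag DNS query patterns consistent with tunnelling or exfiltration, the
'DNS as a wrapper' case mentioned above. Example code added here, not from the
post. The log lines are constructed and the four-field format (timestamp,
client, qname, qtype) is an assumption, not any real resolver's log format."""
import math
from collections import defaultdict

MAX_LABEL = 40              # a label near the 63-byte limit is rare in human traffic
MIN_ENTROPY = 3.0           # bits per char; hex/base32 payloads run well above this
MIN_LABEL_FOR_ENTROPY = 16  # short labels give meaningless entropy figures
MIN_UNIQUE_SUBS = 4         # distinct names under one parent from one client

# Constructed sample: three ordinary lookups, then one client emitting many
# unique, high-entropy subdomains under a single parent (the tunnel shape).
LOG = "\n".join([
    "1700000000 192.0.2.20 www.example.net A",
    "1700000001 192.0.2.20 mail.example.net MX",
    "1700000002 192.0.2.21 cdn.example.org A",
    "1700000003 192.0.2.20 d41d8cd98f00b204e9800998ecf8427e.t.example.invalid TXT",
    "1700000004 192.0.2.20 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.invalid TXT",
    "1700000005 192.0.2.20 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.example.invalid TXT",
    "1700000006 192.0.2.20 fedcba9876543210fedcba9876543210.t.example.invalid TXT",
    "1700000007 192.0.2.20 " + "x" * 50 + ".t.example.invalid A",
])

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname):
    """Crude parent: the last two labels. Real deployments should use the
    public suffix list; this is enough to group the constructed sample."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_query(qname):
    """Reasons a single query looks like carrier traffic; empty means clean."""
    reasons = []
    labels = qname.rstrip(".").split(".")
    if any(len(lab) > MAX_LABEL for lab in labels):
        reasons.append("long-label")
    if any(len(lab) >= MIN_LABEL_FOR_ENTROPY
           and shannon_entropy(lab) >= MIN_ENTROPY for lab in labels):
        reasons.append("high-entropy")
    return reasons

def analyse(log_text):
    """Return (per-query reasons, bursts of unique subdomains per client+parent).
    Either signal alone is weak (CDNs use odd names too); both on one client
    against one parent is what merits a closer look at the wire."""
    per_query = {}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        reasons = score_query(qname)
        if reasons:
            per_query[qname] = reasons
        seen[(client, parent_domain(qname))].add(qname.lower())
    bursts = {k: len(v) for k, v in seen.items() if len(v) >= MIN_UNIQUE_SUBS}
    return per_query, bursts
```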

Microsoft: NSA security fallout 'getting worse' ... 'not blowing over'


Re: Cloud security

Well, I had to make it 50.......

Crypto-guru slams 'NSA-proof' tech, says today's crypto is strong enough


Re: NSA seal-of-approval

or as XKCD would have it - why attack the crypto when there are easier targets?


Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ

Big Brother

it could have been worse

They could have chosen Charles Farr.

Running OpenSSL? Patch now to fix CRITICAL bug


Re: And this is why you cannot trust open source

Words fail me.

Yes, we certainly need a troll icon.

Crack CERT warriors arrive to save UK from grid-crippling hack attacks


Re: What's that sound ?

Actually I doubt that they will be paid very much. UK Public servants rarely get rich.

Rule of law: Turkish court nixes government Twitter ban ... for now


"Everyone is getting Turkey's Twitter block wrong"

There is a very good post over at https://medium.com/technology-and-society/cb596ce5f27 by Zeynep Tufekci. She argues that Turkey is not really intending to block Twitter per se, because the Turkish Administration knows that to be largely futile (and it pushes the populace towards using avoiding technologies such as VPNs and Tor to bypass the problem). Rather, she says that Erdogan is attempting to "poison the well" of social media by painting it as a threat to family values in Turkey. She notes that Erdogan has talked about social media's disruption of privacy, and how the foreign companies do not obey Turkish court orders but obey US and European courts.

Well worth reading.

BT finally admits its Home Hub router scuppers some VPN connections


Take a look at Andrews and Arnold (aaisp.net).

No-one, but no-one should use BT.

Fine, you can mock us: NSA spies back down in T-shirt ridicule brouhaha


re: where's the GCHQ version?

I got mine from the Guardian offers page at http://entertainment.guardianoffers.co.uk/i-aa-rm001699/g-c-h-q-always-listening-to-our-customers/. My wife bought me the NSA version for Christmas.

Unfortunately, the GCHQ version does not actually feature their logo - more a generic HMG "crown". As another poster has said though, GCHQ's site specifically states that the logo may not be used "inappropriately".

No sense of humour.

Getting documents all too easy for Snowden



Journalistic licence. And in my view, not unreasonable. When I read the original article last night, my immediate conclusion was "wget".

But whatever the tool, the principle remains the same. An NSA insider, and a contractor to boot, was able to recursively scan and download a bucketload of highly classified documents, including documents from a Five Eyes partner, without any effective alarms going off.

That says an awful lot about the effectiveness of the NSA's security practices (for both technical and personnel security). No wonder they are pissed off.


Re: wget - The hackers friend

I have deleted all copies of wget from all my systems.



Re: It's a people problem

Plus 1 for that.

In the UK, the police call the "high vis jacket" the "cloak of invisibility". Wear one and no-one looks at you.

Hipster SDN firewalls can gentrify hypervisor slums


"Aside from the orchestration capability, it also removes the most troublesome parts of running a cloud - network engineers."

Great. I'm really looking forward to hosting a bunch of applications with a "cloud" provider which employs no network engineers. I feel safer already.

UK picks Open Document Format for all government files


Re: Seen it before

Yep. Back in September 2002 OGC published "Open Source Software: Guidance on implementing UK Government Policy." I wrote it.

And if you look very carefully at the cover of that document you will notice that it includes a picture of a laptop running the (then) popular X11 game called "kill bill".

Nobody, but nobody, in the publication QA process spotted it.

WHEW! OpenBSD won't CloseBSD (for now) after $100,000 cash windfall


Re: Volunteers != free

"Mind you, the picture at the foot of their home page makes it look like their test servers are in someone's garage!"

They probably are. I understand that TDR runs the build and test servers himself.

BT network-level STOCKINGs-n-suspenders KILLER arrives in time for Xmas

Big Brother

Re: "strict", "moderate" and "light".

"All I want for Christmas is a VPN connection outside of blighty."

Try OpenVPN. You can rent a really cheap VPS (less than 5.00 USD per month) in a variety of places other than dear old blighty. With your own VPN to that VPS (running on say, port 443) you are good to go.

Linux Voice journos hit crowdfunding target


Oh yes indeed. Because taking a tablet into the bog with you looks a little, shall we say, suspect.......