Puts penetration testing in a new light?
Posts by nonpc
47 publicly visible posts • joined 4 Oct 2011
Feeld dating app's security too open-minded as private data swings into public view
The future of AI/ML depends on the reality of today – and it's not pretty
Palo Alto Networks execs apologize for 'hostesses' dressed as lamps at Black Hat booth
Facebook prank sent techie straight to Excel hell
Our variation (on a VAX VMS system to give an indication of age) was an email admitting irresistible urges of undying love for the prettiest (or not) programmer (stage 1), or to the next level female, or a 100 line email of 'I must not leave my unlocked terminal unattended' to their immediate manager.
I found myself with an autorun message of 'No!' and a logoff when I made the same mistake and tried to log back in. I learnt a lot in trying to find how to circumvent it without help from those responsible or who would hold me to ridicule.
Microsoft's Azure networking takes a worldwide tumble
Angry admins share the CrowdStrike outage experience
Azure VMs ruined by CrowdStrike patchpocalypse? Microsoft has recovery tips
CrowdStrike file update bricks Windows machines around the world
Why on Earth do people roll out everything in production without testing it? I was once told to never do that...
This was an antivirus update and because of zero day exploits it has become the habit (or indeed the default setting from most providers) for these to be applied automatically, invisibly and 'seamlessly'. Before I retired from IT I always used a sacrificial goat (my PC, test servers) for any Windows updates with a roll-back/bare metal restore option if needed. Day to day AV updates were just applied automatically - major releases treated as Windows updates.
I couldn't find the origin of my quote on testing above, but it could have been addressed at CrowdStrike. The issue there is one that Microsoft are familiar with - almost infinite variants of installations and third party addons which could interact. Mind you, this sounds to be a major sector affected, so a definite testing failure.
Former Fujitsu engineer apologizes for role in Post Office IT scandal
For the record: You just ordered me to cause a very expensive outage
Fragile Agile development model is a symptom, not a source, of project failure
Re: "the right tool for the job"
In my (now completed) testing/QA career I often stated if you want it tested for bugs and correct function, then I'm your man. However, if you want it tested for immediate release or to a fixed timeframe... My mantra for upgrades was 'is it better or worse than what is currently in place, and can we live with the new bugs introduced?'
UK Surface owners can now take misbehaving laptops to Currys
Warranty sellers
My experiences of Dixons then Currys etc was that they were primarily sellers of enhanced warranties, and you had to be very hard-headed to make it out of the shop without succumbing. I took issue once where they would not let me take the warranty details home to read before purchasing...
Half of polled infosec pros say their degree was less than useful for real-world work
I'm old school/uni. When I got to university and gained my degree in the late '70s, I was therefore one of the top 10% of the population. In those days to get a good job you needed both qualifications and experience, and it was usually impossible to gain both simultaneously. A degree proved you had brains and could learn, experience showed you knew how to apply both.
My holiday job (needed to backfill my overdraft, spent mainly on beer rather than books) gave me a job after I left uni - and my (physics/science) degree was not actually a requirement for it (I had already proved myself). My tutor despaired, but I did scrape through my degree by ability rather than hard work and diligent application.
Once I had both experience and degree, doors were open, and I had the ability to make the most of whatever job and level I entered and could prove my worth and ability. I've now retired after starting my electronics/hardware/software/IT/security career before the advent of the IBM PC.
Nowadays if a student fails, it is the fault of the course/teachers. Every man and his dog now has the right to go to uni, whether they have the ability, application or intelligence for it.
Those of my friends and colleagues who weren't academic did the apprentice/experience/vocational training route, which is no longer available as everything is now a uni. We all succeeded in our own ways, to the best of our abilities, and made the most of what we had.
After uni I did a Computer Studies evening class A level and got an A, and I and another student working in IT taught the teacher and updated them, as the syllabus was already (in the '80s) 2 years behind the industry. Programming was self-taught (Basic, Fortran, machine code). An OCD desire to refuse to let a piece of ironmongery beat me as I tried to bend it to my will stood me in good stead (and still keeps me amused).
COVID-19 infection surge detected in wastewater, signals potential new wave
Re: Uses RT/PCR test so just more worthless "data"..its that bad
I had the opposite problem. I was good at maths and would love to have done some biological science to add to my chemistry and physics, but due to timetable scheduling constraints at school the two subjects were mutually exclusive. Maybe based on subject success stats? btw I hated statistics!
To BCC or not to BCC – that is the question data watchdog wants answered
Watt's the worst thing you can do to a datacenter? Failing to RTFM, electrically
The physics lab was also used as a hobby electronics lab, shared by two teachers, one good (who ran the electronics lab) and one bar steward.
The report and bullet-like motion of the casing of a small transistor that had been wired across the mains on a timer switch was impressive.
This was on a par with the wag who painted the floor of the chemistry lab with nitrogen tri-iodide. The teacher had been pleasantly surprised that we had politely waited for him to enter the lab first...
Re: Check the power supply
That's when I gave up buying hifi mags. The concrete bunker speaker installations for 'rock' solid bass I could just about believe, but the necessity of soldering every mains joint in the house wiring to reduce noise pickup and distortion escaped me. Presumably this quantum fuse fitted snugly into a standard cheap plastic mains plug...
UK admits 'spy clause' can't be used for scanning encrypted chat – it's not 'feasible'
UK voter data within reach of miscreants who hacked Electoral Commission
Re: How was this made possible?
Do tell - how is the data protected when you are processing it? What steps do you take to prevent unwanted remote access to your PC and any LAN connection? In a commercial environment industrial-grade precautions (better than the Electoral Commission, one hopes) would be employed. From my decades in IT security, the weakest link is usually the human element when they bypass all the carefully crafted protections... Just sayin'
The number’s up for 999. And 911. And 000. And 111
JP Morgan accidentally deletes evidence in multi-million record retention screwup
Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine
Botched migration resulted in a great deal: One for the price of two
Re: Nokia 6310
I went into my elderly parents' house and found my father outside the (closed) kitchen door with the telephone to his ear, apparently talking to my mother who was the other side of the door. I thought that they had finally lost it, but they explained that they were using the intercom function on the DECT handsets to test the hearing aid mode for my hard-of-hearing father...
In a similar vein, my wife said to me 'You haven't listened to a word I said!'. 'That's a funny way to start a conversation' I said...
Programming error created billion-dollar mistake that made the coder ... a hero?
Re: Explosive demonstration
I recall that tale - as a gap year job I started my computing experience at Harwell, and, as an early morning arrival, along with switching on the kettle, I had to turn on the vertical winchester disk as it took 20 mins(?) to get up to speed, before I loaded the paper tape system bootstrap. I was told to run like hell if the disk started making noises...
Loathsome eighties ladder-climber levelled by a custom DOS prompt
It's official: UK telcos legally obligated to remove Huawei kit
Dev's code manages to topple Microsoft's mighty SharePoint
Re: Bug Finder
Similar to me - I could break anything (and still can, though retired). If you wanted something (major) bug-free, let me loose. Don't let me anywhere near a time-critical release that has been tested to death - by others. I'll find the showstopper.
It's a b****r when I actually want something to work for me...
Not to dis your diskette, but there are some unexpected sector holes
Govt suggests Brits should hand passports to social media companies
Re: they already try to do this...
Years back, as an IT manager/security officer I created a Facebook ID to assess the risks of my users accessing it at work. The first thing it wanted to do was leech my contacts, which I declined. I implemented and enforced a 'no Facebook on company PCs' strategy.
I tried some time later to access this account. In order to do so, I then needed to supply more personal information, which I declined to do, in order to unlock the account. I then tried to delete the account, which I could not do unless I provided more personal information, and no, I could not contact anyone without authenticating myself with - more personal information... That was a few less years back. Now I'm retired I might have enough time to tweak the tiger's tail, but I doubt I'd get anywhere.
A personal bête noire is the use of personal information (mother's maiden name, 1st pet's name, school attended etc) as security questions - in order to protect your personal information! The simple solution is to allow you to create a unique security question which will trigger you (and you only) to know what the answer is, and is meaningless to others. Instead we get inanities like 'a significant date' where you have no idea as to what significant date you stated when you set the thing up.
On one of my past financial cards, transactions had a buried reference of 'fuckknows' because I got presented with a request to enter something... This was apparently unchangeable, and I never was asked for it again!
No - I see no future in requests for passport information. Perhaps when a full digital ID system has been built and perfected, and run by a reputable and incorruptible authority(!), that may be the answer.
To err is human. To really screw things up requires a wayward screwdriver
Two events spring to mind - one computing related, one not.
The first was where a Newbury Labs terminal engineer used snipe-nosed pliers to slide sleeving over a mains transformer terminal - with the PSU connected to the mains and switched on. He attempted to claim for replacing his glasses which had a sputtered metallic coating... This was declined, but he was let off the cost of replacing his now snub-nosed pliers.
The second was an Irishman who dropped his metal mallet into the uncovered, ceramic fusebox in the roadway in Covent Garden. Each 'bang' relaunched the mallet into the air again, accompanied with what sounded like 'Feck'. There were many iterations, and people scattering in all directions.
Fisher Price's Bluetooth reboot of pre-school play phone has adult privacy flaw
In the words of Monty Python (OK late boomer credentials): "Luxury! We had cocoa tins and string...etc.etc.". The fun with technology in those days was (and indeed still is) in trying to make it do what you want it to do instead of what its provider thinks you should want it to do (Thank you Bill G!). To quote Douglas Adams 'Very nearly almost but not quite like...'
Japanese bloke collared after using AI software to uncensor smut and flogging it
It's time to delete that hunter2 password from your Microsoft account, says IT giant
Coercive thieves are ahead of the game
I saw a news article very recently that the modern equivalent of marching the vulnerable to the cash point and forcing them to withdraw cash can now be done from the comfort of their home or elsewhere, forcing them to share the authentication codes to allow bank transfers to the criminals' interim accounts. Finger scans can be physically forced (although recognition is so variable there can be enforced lockout delays incurred even with normal use).
What is needed is an emergency authentication PIN as well as the normal one, but this one alerts the system that this is an enforced criminal act, appears to allow the transactions through but activates tracking etc, hopefully letting the victim off the hook but catching the bigger fish (or phish)...
Pi calculated to '62.8 trillion digits' with a pair of 32-core AMD Epyc chips, 1TB RAM, 510TB disk space
Scalpel! Superglue! This mouse won't fix its own ball
Thar she blows: Strava heat map shows folk on shipwreck packed with 1,500 tonnes of bombs
UK government resists pressure to hold statutory inquiry into Post Office Horizon scandal
Re: Accountability?
Surely the normal process for such events where there was a discrepancy that was challenged would be for the auditors to go through with a fine 'human' toothcomb (yes, I do subscribe to the Terry Pratchett view on Death's auditors, but do have a software test/QA/audit background myself. If I haven't found a fault, I haven't looked hard enough...). There should have been transaction logs that would have shown that something was amiss. These have presumably been long deleted, or were never adequately implemented in the first case. All financially minded software that I have been involved with has been almost crippled with the requirements for detailed audit logs and reconciliation of the same. The fact that such a prevalence of queries and cases passed without comment is unbelievable, but reminds me of the phantom ATM withdrawals in the '80s...
Australian police suggests app to record consent to sexual activity
Did I or did I not ask you to double-check that the socket was on? Now I've driven 15 miles, what have we found?
BT bitchslapped for misleading 'Join now' Infinity ad
Infinity updates
Considering I'd registered my interest in Infinity, an email would have been expected when the 'available' date moved last week from 30th Sept to 31st Dec... Yes, delays happen, but a comms company ought to be able to communicate to manage expectations!
Also the plethora of broadband deals makes it impossible to work out if it is worth switching to BT now and getting an automatic (ho ho!) upgrade to Infinity when it is available. The online web support chat seems to suggest that that would be a change in contract which negates any deals...
I'll stick with my 6Mb Be offering, I think.