* Posts by David Eddleman

217 publicly visible posts • joined 20 Jun 2007


Webhost denies poor passwords led to catastrophic hack

David Eddleman
Boffin

Not necessarily untrue

In my last job at a hosting company, this is actually largely true. There were a lot of duplicate passwords, many of them having slight changes depending on the server, and a few key 'master' passwords.

When you have logins for the billing system, inventory/management, key authentication (for control panels etc.), KVM/IPs, and more, what are you going to do? Make obtusely different passwords for each section? And then do what, have a master password sheet you pass around? Nah, make it easy for the employees. It sounds insecure as hell, and it really is, and even as the most security-anal person there, I understood just why. Some of my coworkers used password vaults for easy access.

While I'm not familiar with how HyperVM manages file systems for virtualized containers, I know that in Virtuozzo it's very easy to fuck with a VPS from the hardware node itself -- just go into /vz/private and have fun. You can just nuke /vz and you've destroyed the files for every VPS in there except the config files (stored in /etc/vz/conf).

Billing system as well...most hosting companies, aside from small ones or immensely huge (ie, GoDaddy) ones use standardized billing platforms like WHMCS or billing software provided by their control panel provider (Plesk Billing, ClientExec, etc.). So as long as you know the database structure (and most use something similar), you can get in there and harvest away by dumping tables to an external file then using a few basic commands to make the output into an easily-readable file.

I still have no doubt that these are script kiddies, their behavior and actions speak volumes of it. But the attack itself sounds highly probable.

Rumor mill coughs up $99 4GB iPhone

David Eddleman
Stop

zomg

Now we have to deal with all the Apple fanboys furiously wanking over a new iProduct. Joy.

US military shows off hack-by-numbers battlefield gadget

David Eddleman

Huh?

This sounds like a device with Metasploit installed...and perhaps a handy script to automatically run nikto on the host, select a vulnerability, payload and target in one go.

Archaeologists unearth oldest known 3D pornography

David Eddleman
Boffin

Sex and religion

These idols were pretty common back then; it's a common tie between early religion and sexuality. The two key common factors between all Venus figurines (that's what they're called) are large breasts and wide hips, signs of fertility and good breeding. Most anthropologists believe that these idols were carried or owned by members of that culture as a sort of 'good luck charm' -- remember, in those times, it was not exactly uncommon for the woman and/or child to die during childbirth!

T-Mobile lays ground for embedded SIMs

David Eddleman
Pirate

Glad I ditched

Shitty service and now this backstabbing plan? Glad I ditched T-Mobile for Verizon months ago. Good riddance.

GeoCities demolished

David Eddleman

Mixed feelings

Part of me is glad to see Geocities go, especially knowing what it harbors, but part of me is also saddened. It was a major player in the early web days, where you could get some simple space to host a webpage + files when hosting accounts back then would have you pay through the nose. I had a few sites on Geocities before I quickly forgot about them and didn't care anymore...

Turks hijack Kiwi MSN via DNS cracks

David Eddleman
Stop

What?

Maybe El Reg's reporting team didn't write this one out well, but it seems to me like the DNS server was well-validated, just exploited through an outside-facing application for direct interaction. In which case, wouldn't this be under the guise of Ye Olde SQL Injection Attack, rather than any route poisoning attacks as Kaminsky et al talked about?

One third of workers open to bribes for data theft

David Eddleman

Truth

"firms should be more wary of their workers".

Pay us more and we'll be happy. Don't overwork us and expect us to get by on a pittance. If a person is comfortable where they are, and satisfied with what they do for what they earn, the probability that they betray is MUCH lower than someone who's either underpaid or overworked.

Me? Not so sure that I'd do it.

Public rejects Time Warner metered-bandwidth tests

David Eddleman

Hell no

The moment that Time Warner starts limiting bandwidth like that is the moment that I sign up for Verizon's wireless internet. I'm already extremely happy with their mobile service, and the only thing keeping me from using their FIOS service is that it's not available in my area yet!

US Supremes flatline Virginia's hardline anti-spam law

David Eddleman

Makes sense

I can't fault the supreme court for throwing the case out due to infringing the 1st amendment rights. Set a precedent for abolishing free speech and other cases can draw on it. But letting that twat go...nuh-uh.

Microsoft dumped after India PM's emails go AWOL

David Eddleman
Stop

For those of you who haven't used Squirrelmail

It's worse than Outlook. Seriously. Our old-ass Ensim servers use it and it's bloody horrid.

BBC zombie caper slammed by security pros

David Eddleman
Thumb Up

Eugene has a good point

The problem with trying to do a demo or simulation is that it's just that -- a demo or simulation.

From a scientific viewpoint, a demo or simulation is just as good as an actual experiment. From an average person's viewpoint, this is not the case. A demo/sim has a certain underlying tone from a normal person's stance: IT'S NOT REAL!!11. Despite it looking really good, it's not real and therefore it must be treated with a healthy measure of distrust. And this is natural.

Showing what an actual botnet can do is scary. It adds a certain element of reality into the presentation that no sim can. Even when I watched the video, and I have a healthy amount of direct experience with botnets, I was a bit taken aback.

I remember giving a report in college about botnets and the massive amount of firepower they can wield (ironically enough I was using the supposed figures of acidstorm's botnet at the time). I remember seeing my audience giving blank/bored looks as I showed the terabytes/sec of bandwidth that could be used. If I had actually pulled out a small botnet and actively demonstrated the power it can use, I'm certain that no one in the room would be uninterested.

If this presentation removes 1 out of every 10 compromised Windows machines out there, the guys at BBC need to be given a Porsche/let loose in an all-girls Catholic school/knighted or given some kind of just reward.

Is what they did unethical? Perhaps. Unlawful? Maybe. Wrong? Bloody hell no.

Firefox went ton up in bugs in 2008

David Eddleman

No surprise

Not to bash on Firefox (love it & use it), but the more popular something becomes the more it gets targeted by attackers. See: Windows.

...waitaminute, didn't I say this before about the iPhone? I think I did.

http://www.theregister.co.uk/2007/07/28/comments/

Yep, I did. There must be a trend here.

Phishers automate attacks using 'Google hacking'

David Eddleman

Truth

As someone who works in the web hosting biz, I can say this is true. I've seen lots of websites running insecure CMSes and the like get exploited to host phishing sites. Chances are it's easier than signing up for a free hosting service. ;D

World of Warcraft: 'The crack cocaine of the computer world'

David Eddleman
Joke

oWoW

That's the proper title. It's kinda like advertising yourself as open for bum rape -- unpleasant and painful for nothing gained.

Teen sacked for 'boring' job Facebook comment

David Eddleman
Black Helicopters

Unfair dismissal

See, I know that where I live the state laws would constitute this as an unfair dismissal and there would be retribution. What she did was off the job site, non-slanderous, non-libelous, and non-defamatory. I don't know the laws of the area, but there *has* to be something protecting against unfair dismissal, right?

My boss found my Facebook page, simply because I list where I work in there (though I don't use my real name). What did he do? He laughed and gave me some ribbing (as is par for the course where I work).

Texting: Good for kids after all?

David Eddleman

No.

Better reading -- maybe.

Better grasp of key English concepts and spelling -- hell no.

(I say 'English' because presumably it's what we're all familiar with. But it's happening in other languages. I've seen plenty of Arab youngsters greet each other with 'slm' -- shorthand of 'salam'.)

Miley Cyrus hacker in MySpace spam ringtone scam

David Eddleman

Free Trainreq

And lynch the dumbass admin who fell for this.

Dominican lad suffers six-day stiffy

David Eddleman
Joke

Bootnote

Anyone else find this a bit odd?

"Free whitepaper – Best practices in SOX compliance"

A use of a sock, repeatedly, could have the right help...

A-dur-hurr.

Pirate Bay prosecutors get jiggy with charge sheet - again

David Eddleman
Stop

Bad phrasing

changed to “provide the ability to others to upload and store torrent files to the service”

And surely that's not illegal. Because torrent files contain no actual copyrighted material. And trying to ban torrent files is like trying to ban flour or talcum powder because some drug dealers use it to cut up their cocaine -- ain't gonna happen, no way.

On another note, why haven't they tried going after, say, Rapidshare, someone who actually hosts illegal files?

Feds forge gold standard for cybersecurity

David Eddleman
Stop

No

"The list resembles the guideline drawn up by the credit card industry for adherence to the PCI DSS"

Then it's shite and needs to be thrown out.

Seriously. If you've ever been involved in making a box PCI compliant, you know what kinds of asinine bollocks they make you do.

State bill would turn RFID researchers into felons

David Eddleman

Re: loony

Imagine how much shit the owners of hotels & casinos will give them if large events like Defcon and the Black Hat Conference move to another state due to this law.

Romeo 419ers take Canadian women for $300k

David Eddleman

Happened to me too

Get these all the time. I like to make it interesting by asking them to do really bizarre stuff. Stuff that requires mindbleach. Gotta have fun with 'em, hey? If you're desperate enough to try and scam someone, be prepared to deal with the mental scars it might bring. =)

(And no, I never gave them any money. I like to string 'em along by promising money, gets them really worked up.)

Beta-blocker 'erases' unpleasant memories

David Eddleman

No

"The reaction to unpleasant situations is part of the learning experience"

Err, so what you're trying to say is that people who were rape victims, or suffering from PTSD or from any myriad number of disorders should not be allowed to seek treatment from an event that by all accounts should not have happened to them?

Hackers: BitDefender site exposes private data (yet again)

David Eddleman

Glad I don't use BitDefender

Really, if they can't protect themselves from a simple SQL injection attack, how can I trust them to safeguard my data?

Win 7 and smartphones targeted in Pwn2own challenge

David Eddleman
Joke

iPhone

$5 says it's the first one broken into above all others.

Hackintosh maker leaves web doors unlocked

David Eddleman

This is what companies get

...for using publicly-available CMSes (like Magento, featured). When you do this, you're vulnerable to their bugs. Not a good deal for a company that does ecommerce.

Brits and Yanks struck with embarasment embarrassment

David Eddleman
Stop

Education

"a more simplified, phonetic system"

No, what we need is to stop with the touchy-feely crap and tell people that if they can't be arsed to spell then they can get left behind. I have no problems spelling and I went through a rather standard grade-level education followed by university (but I could spell just fine before university). Maybe a ban on text-speak and AOLese should be enacted. Eh?

Man arrested in Indymedia animal extremism probe

David Eddleman

Not smart

"Indymedia responded that it had configured its Apache server software not to log IP addresses in order to protect its users' privacy."

Yeah, because that certainly makes you look *not* guilty in the eyes of law enforcement.

US Navy spends $12m on electric hypercannon

David Eddleman

Fire/explosive?

Why is the projectile being shot on fire and exploding when it hits things? I was under the impression that railguns only shot metal slugs/sabot rounds?

Rogue sysadmin sues SF for $3m

David Eddleman
Alert

Re: Neil

No, suing for wrongful arrest can get a case disbarred before it's completed. It all depends on how much the courts drag their heels. If the man was wrongfully arrested they can't charge him with much since the entire case was made over false pretenses.

Mike makes a good point. The question is, does anyone outside of the city council (ie, those watching the news) know what their security policy is? Where I work, the root passwords for the servers are freely shared amongst coworkers (then again, every employee here is supposed to have root access...).

'Spam-friendly' domain registrars named and shamed

David Eddleman

eNom

Does support a fair number of spammers. They resell to a lot of people due to the cheap domain names they have. Our dime hosting sister company uses them and I've seen plenty of registrations that were obviously meant for spammers.

Harry Potter Lexicon published after judgment-guided edit

David Eddleman
Joke

Why

Does she care? Honestly, someone writing a piece that details like an encyclopedia of a world you create. As long as the guy's not trying to make something non-canon canon (writers hate this -- look at Games Workshop), it's not a big deal. She will be getting money off of it no doubt, as the Harry Potter series is copyrighted to hell and back and royalties will be paid out.

For that matter, why are we caring? It's not like it's a book about an actual *good* fictional series. A book about a magical raccoon with an afro named Squiggles who shoots pixie dust out of his bunghole is more interesting. (Kudos if you get the reference.)

Gordo's mobe interrupts economic summit

David Eddleman
Thumb Up

Glad I have a Palm

Where I can know instantly if it's on bloody 'vibrate only'. :)

'Anonymous' pwns Digital Camera Mag website

David Eddleman
Dead Vulture

Why is this being reported?

Seriously, who the fuck cares about a bunch of 4chan idiots running around? Why is anyone giving them media coverage anyways? The whole lot of script kiddies and dumbasses need to be castrated so they do not further contaminate the gene pool.

Spam volumes increase to pre-McColo takedown levels

David Eddleman
Stop

No...

"As a result, "the spammers themselves aren’t getting the replies or even the bounces to the spammed messages they sent," writes Mary Ermitano, an anti-spam research engineer at Trend Micro."

Er. Spammers don't want replies. They forge the from: header (protip: this is known as spoofing). They don't care about bounces -- if it's spam, they'll have a link on a page (or embedded HTML) to know if an e-mail is valid or not. If it's phishing, they'll have an e-mail to reach them back at. This is elementary stuff.

US Army working on 'exploding marmalade' missile tech

David Eddleman
Coat

Gel?

Err, surely they didn't think of napalm did they? (Yes, yes, for those of you in the peanut gallery I know that napalm is not a fuel, it is a slow-burn substance). What happens if the container leaks or ruptures and sprays gel fuel everywhere? Will it be easy to put out and not stick to everything?

ISPs slam CEOP bid to rewrite RIPA

David Eddleman
Stop

Costs

"The Regulation of Investigatory Powers Act (RIPA) entitles ISPs to charge police reasonable costs for data retrieval."

Yes, because I can tell you first-hand (I work at a webhosting company) that data retrieval from backups is a time-consuming process and takes money to do. We charge fees to any customers who want to use our backups, from the basic restore to a regular backup service.

I don't think the ISPs should be turning a profit in this scenario, but paying to cover base expenses seems reasonable, doesn't it?

Kentucky reverses 141-site net casino land grab

David Eddleman

Good to see

...that someone, SOMEWHERE has some common damn sense about things on the internet. I agree with David's assessment of Wingate, that man needs to have the boots put to him, medium-style.

And whoever at ICANN approved this needs to be yanked. Seriously, isn't ICANN an international organization? They may be incorporated by US law. And doesn't this action violate their bylaws as seen here: http://www.icann.org/en/about/ ?

Cops taser JCB thief in 'slowest police chase ever'

David Eddleman

Eh?

"Smith, who boasts 11 previous convictions for 19 offences"

Why the hell wasn't this guy locked up already? Seriously?

Simon: There are Bobcats (we have 'em here in Southern California), Caterpillars, and more.

ASA rules on 'USB Fornication Optimiser'

David Eddleman

Hmm

I know that if they're going to do a complete 'me, too!' by resorting to such an unfunny 'joke' as "Rickrolling" (seriously -- who the fuck finds this amusing?) then they've certainly not got my business.

Microsoft disables automatic IE 8 downloads

David Eddleman

No, Microsoft

"Some major web sites, meanwhile, have not heeded Microsoft's advice to test they work with IE8"

They shouldn't HAVE to test if Microsoft would just bloody well use the W3C standard rather than their own broken standard.

I have this feeling that MS and Apple are going to do a one-upmanship war in which they roll out their own standards to avoid being perceived as a "me, too" standard. Lovely. Doesn't this sound like a return to the 'good ol' days' of IBM/Xerox?

Apple unveils 17in MacBook, iLife tweaks, Tony Bennett

David Eddleman
IT Angle

Sorry, no dice

"To be fair, iLife '09, iWork '09, and the new 17-inch MacBook Pro are solid - if not earth-shattering - upgrades"

Sorry, have you got ahold of some brand-spanking-new non-publicly released versions of those softwares that were just shown (vis-à-vis video) at the expo? No? Then kindly retire to the peanut gallery and wait until they come out before exploding in an iGasm and showering us with iSplooge.

Christ. What IS it with Mac fans and taking everything as gospel truth even though it isn't always true?

Google picks up third spot in spam-friendly shame list

David Eddleman
Boffin

Errors

"Taiwanese telco Sistemnet"

Funny how the domain listed on Spamhaus is "sistemnet.com.tr". I was under the impression that .tr was Turkey, and Taiwan was .tw.

I love Google's spam filters as well, but the issue is that they're hosting tons of fraudsters -- that's why they're listed.

Yes, yes, they're not an ISP.

Daft list names Firefox, Adobe and VMWare as top threats

David Eddleman
Thumb Down

Some accuracy, some not

# Mozilla Firefox

Nope, sorry. Firefox has had vulnerabilities but 80+% of those affected almost all browsers, including IE.

# Adobe Flash & Acrobat

Yes, this one's good. Flash & Acrobat have had tons of security vulnerabilities in the last year alone. It's one of the reasons why I stopped using Acrobat Reader and switched to Foxit (the other being that Acrobat is bloated as feck).

# EMC VMware Player, Workstation and other products

VMware's had some bugs, but nothing really damning as security issues. Anyone remember that bit of dodgy code that was left over that prevented VEs from booting after a particular date?

# Sun Java Runtime Environment (JRE)

Yes, but not that bad. Sun's been getting a lot better about patching.

# Apple QuickTime, Safari & iTunes

Yes, yes, yes. Apple's had tons of security issues with just QuickTime and Safari in the last 6 months alone.

# Symantec

No real "security" issues but there's serious issues with stability, resource management and performance. I would call it more of a security inconvenience than a threat.

# Trend Micro

Anyone take these guys seriously anymore?

# Citrix Products

# Aurigma, Lycos

I haven't heard of either of these in so long, dunno how they were scraped onto this list.

# Skype

Skype has the /capability/ to be a security risk but there's no outstanding vulnerabilities for it.

# Yahoo! Assistant

Possibly.

# Microsoft Windows Live (MSN) Messenger

Yes, any IM program is a security risk in a corporate environment (unless you only allow for corporate IM). All it takes is for one pud to click a spammed link and release a worm into the network.

Firefox plug-in Trojan harvests logins

David Eddleman

Something more substantial might be required

Like the name of the malicious plugin, or what it's being punted as doing.

London Hospital back online after computer virus shutdown

David Eddleman
Thumb Up

Stable work

As long as this sort of sh*t happens, people like me will have jobs.

This reminds me of my high school's computer network when I was in my senior year (year 12 for the Brits). Announcement over the PA: "All staff, please turn off your computers, there is a virus loose in the network."

PC virus forces three London hospitals into computer shutdown

David Eddleman
Thumb Up

Re: Peter Jones

Gee, didn't *I* say the same thing about the iPhone before it came out? Hyped and hyped and hyped...and HOLY SH*T IT'S BEEN HACKED.

If you're going to deliberately do damage, you're going to cluster-bomb, not make surgical strikes.

PETA cooks up gory game in Cooking Mama protest

David Eddleman
Stop

Oh dear, more petards...

http://www.youtube.com/watch?v=l9ijLulwUTY

I think it says it all nicely.

AVG slaps Trojan label on Adobe Flash

David Eddleman
Stop

Well...

I've always been a big supporter and fan of AVG -- always used them, recommended them to other people, and installed it on every client's PC. But this latest rash of screw-ups is really making me worried. I might just bite the bullet and move to NOD32 if I don't see much improvement from Grisoft.
