* Posts by Blacklight

179 publicly visible posts • joined 6 May 2008


Google Drive misplaces months' worth of customer files


When did it start?

Do we know?

I have GDrive synched to my server, and backed up to Backblaze with a version of each file retained for at least 12 months. If we know when this started I can at least get anything "vanished" since that date.

Scripted shortcut caused double-click disaster of sysadmin's own making


Re: Is there anyone

PROMPT $P$G was/is really useful :)

No more feature updates for Windows 10 – current version is final


Yup, I recently opted to buy an old workstation. HP Z840. More cores than I know what to do with, 192GB RAM, plays almost any game in Ultra settings with an old Quadro card, has TPM 2.0 and Secure Boot. But CPU fails the check. Oh well, I'll live.

Hey Siri, use this ultrasound attack to disarm a smart-home system


Re: Simple but effective defence

Not even that.

Don't allow anything other than a physical code entry or token to disarm an alarm.

For password protection, dump LastPass for open source Bitwarden


In addition to haveibeenpwned - have a look at https://leakpeek.com/ - that lets you stick in a username, email address etc, and it will show you partially redacted passwords it has for you....

It doesn't show (that I've seen) the source, but it certainly helped me confirm which passwords were nobbled and then by proxy, what the source was.

When we asked how you crashed the system we wanted an explanation not a demonstration


Well it's clearly working as designed....

I upset a German bank a long time ago, by replicating 'an error'.

For a while I lived in deepest darkest south Germany (so south it is technically Switzerland, but the German's nicked it), and returned some years later for a holiday - and attempted to use my NatWest Switch card (that dates it doesn't it?) in a Sparkasse ATM.

Removed card from wallet, inserted card into machine, machine immediately reboots itself.

Once rebooted, of course, there is no sign of my card...and the bank was closed - and the phone numbers went to answer services services.

Next morning, waited outside the bank until they opened, and explained (in halting German) that their pesky machine had b0rked and could I have my card back please?

The attendant's response was (gesturing at the machines) "all the machines are working, if your card has been taken, it's because your bank has reported it stolen". I protested.

Eventually, someone checked the machine, and found the card. I could see them looking at it, but still refusing to give it back. I protested a bit more, saying I'd been using it happily in other places and it was fine, and offered to ring my bank to have them explain.

After a few minutes I was handed my card back, and asked to show them what I did.

So I put the card back in the same machine. And it rebooted again.

They apologised, retrieved my card again, and I toddled over the Deutsche Bank and I withdrew some cash from their machines quite happily.

No idea what combination of info was on the magstripe that clearly b0rked Sparkasse machines, but it did tend to mean I used "larger" banks after that :)

'Last man standing in the floppy disk business' reckons his company has 4 years left


Many flops....

At one point I was happy to have a PC that could read 5.25" 1.2MB, and a 3.5" that could read up to LS120. And an IoMega drive that could take ZIP100 and ZiP250. And a multitude of storage cards (yay, MagicGate).

But the LS120 drive and Zip drives both died clickety deaths.

And the cards are now nearly all microSD (with an SD or USB adaptor).

It's like the BBC Domesday. Great until you can't read it.

And a shame, as kit typically still works. My car has a PCMCIA slot. My PC has a ln LTO3, except I killed it and now can't read some tapes. Yay for cloud etc.

'I wonder what this cable does': How to tell thicknet from a thickhead


Re: colour me sceptical

Paging bigclive and electroboom :)


Re: Non-VOIP, POTS payphones

I love the fact that POTS had it's own redundant power supply. I've maintained (probably at great cost to myself, although VM tell me I'll pay more if I remove it) a POTS landline for the entire time I've had this house - although I know it's soon to be going away.

It's like analogue radio and the push to digitise - yes you can cram more in to the same space, but the KISS principle should remain for anything that might be needed as an emergency comms medium.....

Zero Trust: What does it actually mean – and why would you want it?



It's all about the layers. APIs & inter-app comms are probably an afterthought for most.

The 'tightest' place I've encountered had:

a) Windows desktop & server firewall controlled by AD policy

b) Cisco ISE operating on all switch ports (assigning VLANs etc) with MAC and 802.1x back to AD

c) Switch port policies applied to ports based on the VLAN or ISE assignment

d) Site level firewalls (Palo Alto) governing intersite and internet access

e) SD-WAN (Silverpeak)

f) Regional firewalls for internet (and any failover between intersite if SDWAN routing went awry)

g) VPN with device and user authentication, and policies applied dynamically based on both

h) WAFs and NSGs running on the Azure side of things (if you made it that far)

i) AD ACL and SEC groups, applied thoroughly on actual servers, shares & resource groups

But, as outlined in the article, if (or once) you were 'in', you were generally able to 'get around' - but that was also partly due to a hangover from a prior set of circumstances where they were no proper firewall policies previously, and there was still reasonable paranoia as to restricting things further.

Declassified and released: More secret files on US govt's emergency doomsday powers


Re: Might is right, in other words

Read it? They made a film of it to make it really sink in.

Seriously, you do not want to make that cable your earth



My secondary school had a lovely BBC Econet setup, with a variety of BBC-B and Master machines (ah, CUB monitors), across the whole school site (some fun cabling runs, mostly external). One night, there was a storm, and some well aimed lightning hit the Econet cable.

I remember the IT teacher spending the next few days soldering many, many poorly BBC computers.....

Creator of SSLPing, a free service to check SSL certs, downs tools


Re: I feel for the guy, but..

It also depends on how Docker was being used.

Building containers (each time) from Dockerfiles may result in the underlying modules and things in the Dockerfile getting updated. Having anything which runs apt-get/apt-update in the scripts can also b0rk things. Doing a simple thing as "just pulling an image" can wreck you if you are pointing at #latest and weren't paying attention (and/or a maintainer removes prior versions).

The 'safe' (ish) way is to build an image, and export that image and keep it somewhere very safe, or (if you can) ensure the Dockerfile points to static versions of things - but that's not a guarantee....

Case in point, I *really* should update one of my container Dockerfiles to use a specific (i.e. buster) version of Debian, else I will probably find my stuff breaks eventually!

Help, my IT team has no admin access to their own systems


Does your CMDB extend to password stores & credit cards?

Similar thing at "an/other" financial organisation, where Azure was setup with a credit card. A personal one. Something got productionised, and then the card holder left the company. Some payment reminders presumably went to an inbox which was no longer serviced (or more likely in existence).

Not long after, an Azure subscription magically vanished. Which was nice.

Password storage (actually secure) *was* a thing. Checking how it was funded, less so....

Freezing in Newcastle? You're not alone: For one lonesome creature, the world stopped on 31 Dec 2020


The reset card

In the early 2000s I put a NatWest card into a German Sparkasse ATM.

It reset, and ate my card.

The next morning I had about an hour of joy convincing the bank to return my card from the bowels of the machine (and they were adamant the machine was fine) - until we got them to let me put it in again, and lo, it reset (again). They gave me the card back, and I used it in another bank across the street....

So yeah, something in a (foreign) magstripe took out an ATM - which was nice.

Pure frustration: What happens when someone uses your email address to sign up for PayPal, car hire, doctors, security systems and more




So much this. And lazy arse people.

I have a firstname.surname AT gmail.com account, and I use the dot. You don't need to use the dot.

I also have a few people with "my name" who have "similar" accounts, i.e. firstname.initial.surname@gmail.com - and do they use the initial?


Do I get the emails?


I've had someone's flight tickets to Australia (STA did sod all - I considered actually pitching up for a free holiday) - emails from the police on a crime, from Westminster on a political topic, pictures of someone's family, home extension details, washing machine repair info, invites to a stag do, photo print order etc - and various other crap.

I've also (maybe helpfully) clicked the "Not me" links (when provided) and/or logged in and "closed" the account. So far, none of the accounts have contained any information beyond the name & email address. I then setup a FB group and invited people with "my name" to it, to try and nail a few down - but most have buggered off since. Ah well.

The other joy is that I share a name with a couple of IT professionals, and I've had agencies call me thinking I'm one of the others, and they spill plenty of info before I shut them up....(I'm assuming they search for a name in whatever CRM they use (Excel?!) and ignore multiple results...)

Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT



I have a setup I like, that does what I want.

I don't want errant things burrowing holes to get DNS via other methods.

Go away.

Three things in life are certain: Death, taxes, and cloud-based IoT gear bricked by vendors. Looking at you, Belkin


It's not all bad.

Hue and Lightwave kit work without cloud,locally or with VPN.

But I have many baskets, and all of them work standalone :)

Hey bud – how the heck does that stay in your ear? Google emits latest Pixel Buds, plus extra bloatware if you have the matching phone



Not available from the UK store (yet)

So you locked your backups away for years, huh? Allow me to introduce my colleagues, Brute, Force and Ignorance



Our old 8088 and then 8086 used to have a batch file we ran to "park" the heads on the disks prior to shutdown. But we started with a 20MB "hardcard" (and a Hercules b&w graphics card, along with DOS 2.11...)

But later we had a dead hard drive, that we could restart with a pencil in the drive spindle, releasing it. We did back it up then

Voyager suffers a power wobble as boffins start the final countdown for Spitzer


Godspeed V'ger

It might come back, you never know ;)

Uncle Sam challenged in court for slurping social media info on 'millions' of visa applicants



My social media of choice is beer.

My social media account is my bar tab.

Please discuss with the landlord. Kthxbai!

It's back: The mercifully normal-looking Moto 360 smartwatch


Re: V3...


NFC confirmed. And from the pics, the straps use the same locking mechanism, so if they are the same size, the older watch straps/bands can be used! Wireless charging, not so much :\



I have a 2nd gen 360, bought from new when Moto did a father's Day offer. Totally black with black metal strap. That pic in the article looks like the straps may be transferred from old units.

Moto were awesome and swapped my battery well outside warranty, as the various updates oiled the battery (Google that, it wasn't fun) and whilst I don't wear it much it still provides time functions by the bed. The main drawback is its a bit slow now.

If the new one has NFC, a speaker and wireless charging, I may be in.

HMRC's HTTPS howler: Childcare payments site cert expired at 1am on Sunday, down for hours



Remove the domain/site in question, proceed.

Granted that's not for t'average punter - but it does work in a pinch (like when my webserver doesn't restart and LetsEncrypt has rolled over a cert....)

Backup your files with CrashPlan! Except this file type. No, not that one either. Try again...


Received this morning:

"Dear Valued Customer,

On May 6, 2019, our technical services team rolled out a number of changes to the CrashPlan for Small Business data protection service. These changes were intended to make restoring files and machines more efficient by eliminating unnecessary files from your backup sets. Unfortunately, we made two mistakes during this change process.

The first mistake relates to our email notifications sent to you regarding the changes to CrashPlan. Our initial email sent in early April was classified incorrectly as a marketing communication and did not reach customers who opted out of marketing communications. We resent the notification to all customers on May 17, but this did not give enough advance notice to some of our customers. We apologize for this mistake and we can assure you that we have since changed our processes to ensure better communications in the future.

The second mistake involves the actual file changes that we made. As part of this update, we stopped archiving 32 file types and directories. The email notification included a link to an updated list of files that are excluded from CrashPlan backups. One of the file types we began excluding from backups is the .sparseimage file format. We believed that this file format was obsolete because in 2007 Apple introduced a new format called .sparsebundle, which we thought replaced .sparseimage for the use case we track. After we implemented the changes in May, some of our customers made it clear they still have valid use cases for .sparseimage. We now believe we made an error in excluding .sparseimage, and we have since added it back to the list of files we support via backup.

If you use .sparseimage files, there is no action you need to take. The change will automatically be pushed to your client and .sparseimage files will once again be backed up in CrashPlan. This process will take several days as these devices connect to our service. You can see a full list of excluded files here.

We regret the inconveniences that these two mistakes may have caused you. Our priority is to provide a great product that protects your important small business data. We appreciate your feedback and ongoing partnership. Should you have any questions or need assistance, please contact our Support Team.

Thank you for your support and trusting us with your most important information.


Joe Payne

President and CEO



Re: BackBlaze

Or you use Backblaze B2 with a tool like Duplicati and Backblaze sees nothing and you back up everything :)


Re: Duplicacy FTW

Or Duplicati!


Re: Ex-loyal customer here

My plan was to take the cheap first year, and then investigate where to go.

This has just expedited that - which I suspect has to be their plan.

But on the business side - do they seriously think business' wouldn't want to back up vmdk and other files?!


Re: Whatever happened to three copies ?

My data is held locally, protected by RAID and was backed up to Crashplan, which until now had been flawless. I also periodically ran an LTO (yes, that old tape) backup.

Most of my data was also only on the server when it was shunted off the original device, so I had 3 copies for a point, then typically two.

The point being that whilst I know a Cloud provider may be ephemeral and your data may go poof, the management of this implementation leaves a "lot" to be desired. Like "management", decent comms etc - I can't believe they just looked at the potential disk size reduction and went "What could go wrong?"....


My OMV setup backed up everything from /srv - which was blocked.

All my Linux configuration folders were deemed a "Operating System" and blocked.

Adding mountpoints got around the folder block, but the extension piece was very annoying.

I've cancelled and have gone elsewhere.


Re: Just change the filenames ?

The mount/folder change can be worked around, but extensions less so unless you zip first.

All archived files are encrypted at upload (mine was with private key) but that was via the UI and thus it saw the extensions anyway...

You got a smart speaker but you're worried about privacy. First off, why'd you buy one? Secondly, check out Project Alias


"but how do you deafen the smart speaker by making noises too quiet for human ears to hear?"

High frequencies dear boy. We can't hear them, but the little cyber ears can.


Um, I'm not that Gary, American man tells Ryanair after being sent other Gary's flight itinerary


I've had this, for a similar named person to me, and their flights.

And someone else crime report, with number (direct from the police)

And something from HM Government.

And home building plans, and insurance.

Normally I do get a "sorry" in most cases, but STA (re: the flights) took a LONG time to sort it, and I did consider cancelling the flight....

A year after Logitech screwed over Harmony users, it, um, screws over Harmony users: Device API killed off



Anyone who has enough nouse to play with APIs, can do the following...

Get a Raspberry Pi, an enclosure, and install OpenRemote on it.

Yes, there is a cloud UI to set things up, but once you've got the config on the Pi, you can cut it off from t'interweb and it will still control anything in your house/network that you can make it talk to (from HTTP/JSON to raw TCP/UDP).

Mine runs on a NAS rather than a Pi, but talks to Philips Hue (which runs when no cloud is available), Lightwave (same), and direct to other devices on the LAN. It is a bit of effort to get going, but it's so worth it when you hear of crap like this!

Rookie almost wipes customer's entire inventory – unbeknownst to sysadmin


Re: .cobol

My SMB box has a .recycle

Granted I have to enable it, but it's there - and on every family share "just in case" :)

Amazon warns you have 30 days before Music Storage files bloodbath


Sir has seen M-Disc, no?

That kind of appeals - although I've not had cause (or time) to test it!

If it's true, the drives will be the sods, ala Domesday...

Android P will hear no evil, see no evil, support evil notches

Black Helicopters


For sweet, sweet omniscient surveillance....

Intel gives Broadwells and Haswells their Meltdown medicine


I recently played with amending AMI type BIOS, as I wanted a new Intel BIOS for RST, and it worked. Hopefully if they drop the microcode in useful formats, people can try rolling their own (if they are suitably equipped).

At least my Gigabyte motherboard has Dual-BIOS, so I can't *totally* kill it...

Intel’s Meltdown fix freaked out some Broadwells, Haswells



Since putting the latest MS patches on my (Sandy Bridge based) PC, I've had two unexplained crashes - which is annoying when working remotely as while the Intel RST on my machine recovers correctly, it doesn't then reboot, so just sits waiting for someone to reset it. Maybe time invest a remote power switch....

Also quite annoying as my Sandy Bridge (i7 2700K) DOES support PCID, but not, apparently INVPCID...

So, on a Sandy Bridge i7 2700K (released Oct 2011 I believe) running Win 10 Pro, the results of "Get-SpeculationControlSettings" are:

Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False

Windows OS support for branch target injection mitigation is present: True

Windows OS support for branch target injection mitigation is enabled: False

Windows OS support for branch target injection mitigation is disabled by system policy: False

Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: True

Windows OS support for kernel VA shadow is present: True

Windows OS support for kernel VA shadow is enabled: True

Windows OS support for PCID performance optimization is enabled: False [not required for security]

Suggested actions

* Install BIOS/firmware update provided by your device OEM that enables hardware support for the branch target injection mitigation.

BTIHardwarePresent : False

BTIWindowsSupportPresent : True

BTIWindowsSupportEnabled : False

BTIDisabledBySystemPolicy : False

BTIDisabledByNoHardwareSupport : True

KVAShadowRequired : True

KVAShadowWindowsSupportPresent : True

KVAShadowWindowsSupportEnabled : True

KVAShadowPcidEnabled : False

1980s sci-fi movies: The thrill of being not quite terrified on mum's floral sofa


I think the pic used in the article is actually Automan, not Tron :)


Lovely lovely Sci-Fi.

Tripods, Chocky, Children of the Dog Star, "Benji, Zax & the Alien Prince", The Tomorrow People, all squarely aimed at kids, and in some cases quite dark (Chocky, I'm looking at you...). Knights of God was my first proper Dystopia, and the bastards never released it officially....

But then we got some proper trippy stuff. Manimal. Automan (not at *all* trying to be Tron). And the action sets (Airwolf, Knight Rider, Street Hawk). And big budget sci-fi, like "V", in all its latex goodness. It even had Freddy Kruger hiding in it.

What I want to see (properly restored) is "The Highwayman". That was proper, classic, dystopian cheese (with added Jane Badler, of V fame)....

Hells door-bells! Ring pieces paralyzed in horror during Halloween trick-or-treat rush


Le sigh...

"Let's all think of the clever, and not think of the function...."

Yes, it might put up a bit of cost, but how hard is it to also incorporate a remote sounder, like most wireless doorbells? Or even some local (encrypted) storage, so it can take/store pics of people who did come to the door?

If your internet backhaul is down, isn't the result going to be the same? At least Hue & Lightwave etc continue working with whatever settings they have been given, if the cloud goes down. My home automation system uses a cloud UI to configure, but once it's got it's config. it doesn't need the internet.

Failover modes people, failover modes....

Boffins blast beats to bury secret sonar in your 'smart' home


Re: yet another reason...

Depends on a variety of things :)

Your phone mobile is permanently wired, it can't be disconnected. As to wether it's "active" is down to software, listening to the input channel.

The various assistants (Siri etc) can be configured to either "listen all the time" (keyword activation) or after a button press (Siri). But do you trust that's what they're actually doing? :)

If you've got a Smartphone, and you can't take the battery out, you can't be 100% certain that it's not listening, That's the basic fact. Assuming you haven't run some third party apps with access to microphones, or granted access to those apps, then you should be "as safe as your assistant settings" are configured.

Virgin Media router security flap follows weak password expose



I may be wrong (probably am!) but is the other issue resolved?

i.e the one whereby when the router powers up, for 7 seconds or so, there is no encryption set on the WiFi? o_O

Thus, if you are quick enough, you can get onto the WLAN - and then (again, if quick enough) - either use the default web admin password to find a WLAN password (even if it's been changed), so you can then reconnect shortly after, or do a quick network probe? Granted that's a tight window of opportunity, but still!

[EDIT] Ah yes - a powershell to reboot a SuperHub - if you know the password. Assume it's default, and a bit of cross site jiggery-pokery with a form post/social engineering - and away you go, router reboots, WLAN available briefly...[/EDIT]

Personally, opt for "SACM" (standalone cable modem) mode and use my own WiFi. I'd still be using 802.1x EAP too if the firmware I use was updated to not break RADIUS :( (choice of stick with RADIUS but keep other vulns active, or upgrade and lose RADIUS)

If you don't have your own router, change the WiFi AND admin passwords - which should be standard OpSec anyway. It wouldn't be that hard for device manufacturers to trap all web traffic when the thing is in "default" mode and force passwords to change, before letting it go fully operational....


Re: Where are the instructions?


Also search a bit and you can see where to change the admin password....

Faking incontinence and other ways to scare off tech support scammers



I've just installed Lenny onto our PABX as a handy extension. Now I'll probably get no calls...

I also love that other default message (with the correct English pack) that says "All members of the household are currently assisting other telemarkers. Your call will be answered in the order it was received"...(and then dumps them on permanent hold music)

Leaked: The UK's secret blueprint with telcos for mass spying on internet, phones – and backdoors


Re: Encryption is not made "illegal"

Again, it's the over the top services that will be the "fun".

MPLS/BGP/TCP et al can be inspected, as it's a known protocol. If the packet's going up/down said wires turn out to contain encrypted stuff, that's WAY beyond the OpCo's wires, and the Telco's will simply go "meh" as it's not in their domain to control, unless they start doing DPI and being ordered to block anything they can't decode.

In which case we'll see digital steganography of another kind. Stuff will look like/be valid traffic, and just be nonsense, with anything relevant buried in some way that'll be harder to spot.


Re: So where is the problem here ?

"Are end users going to be forced to install ISP root certificates ( to allow HTTPS MITM attacks ) before they are allowed to use an ISP's services ? I can't see this. That would require touching every endpoint connected to the ISP, it would be a nightmare for the ISP's, and pinning complicates even this."

Erm, not quite. A nice nudge to Google & MS and hey-presto, your next s/w or OS update contains new certs.

Chrome already overrides machine level certs, as I found out when I was using a CA it opted to distrust (warnings ahoy, even though the root CA was trusted).

Unless you keep tabs on EVERY cert in your machine, with fingerprints, something could merrily install and opt to use one.

Pinning also only works if the apps respect it (or are allowed to)...

I'm sure someone will be along shortly to insert an obvious comment about not using Windows, or Google, or <other large well known app> - but for the masses, it's not going to be that hard to do...