Uni sysadmins, don't relax. Cybercrooks are still after your crown jewels, warns NCSC


Multi-factor authentication is no panacea

Phishing is highly effective against most organisations, not just universities. Email tools are notoriously difficult to operate safely, and MFA is not a panacea—if an attacker can lure a user to a fake login page under their control, they can MITM most MFA options and still gain access to the user's accounts.

Hardware tokens such as YubiKeys can be proof against such things, but procuring tens of thousands of these is hideously expensive, and has historically presented compatibility problems with common end-user devices.
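
An added illustration, not part of the comment above: from the server's side, a one-time code carries no record of where it was typed, while a WebAuthn hardware key's assertion names the origin that requested it. The secret, challenge and `.example` hostnames are constructed, and the authenticator signature check is assumed to happen separately.

```python
import base64, hashlib, hmac, json, struct

# All values below are constructed for this illustration.
SECRET = b"constructed-demo-secret"
CHALLENGE = b"constructed-challenge-0001"
NOW = 1_700_000_000
REAL_ORIGIN = "https://login.university.example"
LOOKALIKE_ORIGIN = "https://login.university-sso.example"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server receives digits only; nothing in them records which
    # site the user typed them into, so a forwarded code still verifies.
    return hmac.compare_digest(totp(secret, now).encode(), submitted.encode())

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data(origin: str) -> bytes:
    # Stand-in for the browser, which fills in the origin of the page
    # that asked for the assertion; page script cannot choose it.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(CHALLENGE),
                       "origin": origin}).encode()

def check_client_data(raw: bytes, challenge: bytes, origin: str) -> bool:
    """Relying-party checks on clientDataJSON: type, challenge, origin.
    Assumption: the authenticator signature has already been verified."""
    cd = json.loads(raw)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == origin)

def demo() -> dict:
    code = totp(SECRET, NOW)  # entered on a lookalike page, passed on unchanged
    return {
        "totp_forwarded": verify_totp(SECRET, code, NOW),
        "key_real_origin": check_client_data(client_data(REAL_ORIGIN), CHALLENGE, REAL_ORIGIN),
        "key_lookalike_origin": check_client_data(client_data(LOOKALIKE_ORIGIN), CHALLENGE, REAL_ORIGIN),
    }

if __name__ == "__main__":
    print(demo())
```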

Universal Credit? Universal DISCREDIT, more like, say insiders



I'm biased, I've met a couple of the people working on the project. That said, that's not been my experience.

Their search tools seem to be well-developed; a query for 'mod' swiftly showed a raft of pertinent pages, with a link to the top-level MOD page right at the top: https://www.gov.uk/government/organisations/ministry-of-defence

That's a URL that's meant to be found, not meant to be typed — but I'm not sure that's a critical failing in a world with history-based auto-complete and powerful, functional search tools. (Also, trimming elements from that URL produces index pages that actually appear to be useful.)


https://www.uk.gov/ seems to have gone astonishingly well.

I am increasingly of the opinion that Valve's assertion that, "Hiring people is the most important thing you do" is correct, and that the success of this particular IT project is down to the fact that UK.gov recruited much better, much more effective people to undertake the work.


