* Posts by JerseyDaveC

95 publicly visible posts • joined 1 Oct 2013


Wait, security courses aren't a requirement to graduate with a computer science degree?

JerseyDaveC

Re: Totally concur that security should be part of any computer oriented curriculum

When I was at uni they taught us Modula-2 in the first year and C from year 2 onwards. At the time, two of my friends were at York Uni doing Comp Sci and they were taught Ada.

JerseyDaveC

Re: A purely theoretical curriculum

My Comp.Sci. degree (graduated 1991) was significantly theoretical. There was loads of maths, formal language theory, architecture (including CPU architectures including VAX and RISC), algorithm complexity, data structures, operations research, you name it. There was some practical stuff too, of course - program design/development, databases, compiler writing - but the theoretical side was big.

I can imagine, therefore, that it's perfectly feasible to do a Comp Sci without touching security. Would I do so if I were starting university right now? Nah, it's so blatantly useful when trying to get a graduate job that you'd have to have a really good reason not to touch security at all. But in principle I can see why it's possible, even if not particularly advisable.

Lock-in to legacy code is a thing. Being locked in by legacy code is another thing entirely

JerseyDaveC

Brings back memories of a colleague a few years ago. Some of the senior IT guys (of which I was one) had 24x7 access to the building, but Dean (not his real name) and his colleagues didn't. You had to swipe in and swipe out of each floor.

Anyhow, the cut-off for non-24x7 cards was 9pm. You couldn't get in after that. And it turned out that you couldn't swipe out after 9pm either, thanks to an oversight of design. He finished up at about 9:45pm, and his swipe card wouldn't let him out. For safety reasons, of course, there was a break-glass button on the door and so he used it to make good his escape.

The next morning all hell broke loose. Poor guy was dragged into a meeting with senior people to receive a major b**locking for using the emergency button. Happily I got wind of this and stuck my nose in and was able to point out that: (a) the third-party security guard was supposed to do a sweep of the building at 9pm prompt and was conspicuous by his absence; and (b) the reason Dean didn't call the security company to be rescued was that there was no signage along the lines of "In the event of a security emergency, call <number>" and he had no idea of what the company was called (and why would he - he wasn't on the extended security list).

Happily he was exonerated and the security company were "asked" to explain what happened to the 9pm sweep.

This can’t be a real bomb threat: You've called a modem, not a phone

JerseyDaveC

I used to work for a defence contractor that made, among other things, high-explosive naval cannon shells. One day we got a call warning us that someone thought there was a bomb on site, to which the wag who answered the phone said: "Yes, we have thousands".

Turned out it was in the garden of a house the other side of the fence, and on police investigation it was in fact a BT engineer's toolbox.

Reverse DNS queries may reveal too much, computer scientists argue

JerseyDaveC

Not exactly a new problem

In reality, reverse DNS tells you something but often not a great deal. Firms generally don't bother with their reverse DNS entries, so if your A record for www.mycompany.com resolves to A.B.C.D, you'll seldom find a PTR entry that tells the world that A.B.C.D reverse-maps to www.mycompany.com.

The university reference made me smile. In the 1990s one establishment (with its own /16 public IP range) assigned static public addresses to students in residences, and religiously added PTR records to reverse-map them to building, room and floor. Until a third-year IT student pointed out that this was a handy way for pervs to track down vulnerable people in their residence rooms. Them were the days before NAT firewalls and extensive use of private addressing.

Clustered Pi Picos made to run original Transputer code

JerseyDaveC

Blimey, this brings back memories!

When I was at uni we had a Meiko Computing Surface, which was a big box of Transputers, both T414s and T800s (one model had an FPU, the other didn't). By the time I got to use it they'd developed the MK083 on-board SPARC workstation and a virtualisation layer that allowed you to program transputers in C, not just Occam.

And the definitive book on Occam was written by Roy Dowsing, who taught us parallel processing in the second year at uni. I still have my copy. :-) https://www.amazon.in/Introduction-Concurrency-Aspects-Information-Technology/dp/0278000592

Help, my IT team has no admin access to their own systems

JerseyDaveC

Been there, loved wearing the t-shirt

I had a similar experience - desperate call from a client of a client of a friend whose SQL Server cluster I'd set up but which had died ... when he did a DIY data centre move. This was 1pm on Sunday, and it had to be up by the wee small hours of Monday.

Two-hour drive to London. Server said "No storage connected". Moved the SCSI connectors for the RAID array from the server's SCSI adaptors to the server's RAID adaptors. Booted, Server said: "Ah, I see you've hooked up some storage, but it's not connected properly". Moved SCSI cable from server A to server B, and from server B to server A. Booted. Server said: "Ah, that looks familiar - would you like me to start up?". Told it "Y". Two-hour drive home. Wrote and emailed four-figure bill. Massively relieved client of a client of a friend paid it promptly and was super-grateful, which was lovely.

Throw away your Ethernet cables* because MediaTek says Wi-Fi 7 will replace them

JerseyDaveC

Re: shared medium

No, it's worse than that. Collisions increase geometrically with the number of devices you connect.

JerseyDaveC

It's fair to say that I think this is the same load of cobblers as I said WiFi 6 was in this piece ... https://www.theregister.com/2021/07/14/will_i_ever_ditch_my_cabled_lan/

Riverbed Technologies files for Chapter 11 bankruptcy protection following pandemic 'headwinds'

JerseyDaveC

Yep, I think you're right. And if you do want high-speed connectivity from your office into the cloud there are services such as MS ExpressRoute that don't cost the earth so long as you shop around.

JerseyDaveC

Re: Numbers don't add up, like with so many startups

With regard to the usefulness of RiverBed, I used to run a fleet of them on my global WAN ten years ago and they were really, really good. In my view Peribit (which was later acquired by Juniper) did it first but RiverBed did it better. They were a long way from cheap, but they maximised the value of my £1m-a-year network.

But I agree that these days it's hard to see the value of such kit. The key word you used was "encrypted": you just don't see the repeated byte streams in encrypted traffic that you do in unencrypted flows, and so they're impossible to compress. Back in the day my main savings were in Windows fileshare (CIFS/SMB) traffic, which compressed by 80% or more in the average case. With today's penchant for encrypting anything that moves (whilst also encrypting when it's not moving!) that use case has gone down the Swanee.

And with SDWAN (poncey term for VPN) and cloud-based operation growing like mad one assumes there are fewer and fewer companies using private (or pseudo-private) circuit WAN anyway.

Research finds consumer-grade IoT devices showing up... on corporate networks

JerseyDaveC

Re: News at 9....

Yep, I was just having one of those "surely this can't be a surprise to anyone" moments too.

Chiptune to brighten your afternoon: Winning 8-bit throwback music revealed

JerseyDaveC

There was a chap called (I think) Paul Layzell, who did some cool music in the 1980s on the BBC Micro. "Sweet Dreams are Made of This" and the theme from "Hill Street Blues" are the two I remember.

JerseyDaveC

Re: Ron Hubbard?

Yep, definitely Rob and not Ron. He also did "Hunter Patrol", which was very good (but not an 80s anthem like "Thing").

There was some amazing music in the 80s - I remember the Commie 64 version of "Elite", which serenaded you with The Blue Danube while the docking computers docked you. And there was a game that was something to do with a train, which had a rendition of part of Jean-Michel Jarre's "Equinoxe" (I think it was Equinoxe V).

Monitoring is simple enough – green means everything's fine. But getting to that point can be a whole other ball game

JerseyDaveC

Re: Green means everything's fine

Colour vision is something people forget, unless they have colour vision deficiencies (CVDs) themselves! You're absolutely right that indicators need more than just colours - shapes are handy, as are completely separate sections (if you have a box on the screen labelled "BAD STUFF" and put the alerts in there, it can help).

I'm fortunate in having a fairly mild red-green CVD that doesn't really affect me day-to-day, but given that some sources say it's reckoned to affect up to 8 per cent of men of northern European origin, that's a lot of IT guys who have trouble differentiating "good" from "bad" on a monitoring screen, particularly when the blobs/lines are close together. (I can point at something that's red, and I can point at something that's green, but give me an Ishihara plate with them all mixed together and I'm doomed).

If you're about to scream "discrimination", red-green CVDs are a male trait - only half a per cent or so of women of similar origin have a red-green CVD. And you may also be interested that green traffic lights aren't green: they're greeny-blue because people who can't tell green from red often can tell the difference between greeny-blue and red because of the blue component.

JerseyDaveC

Re: Enjoy the downvotes

To be honest I'd love a pointer to some magic product: anyone who can sell me this mythical beast will be welcomed with open arms. And as DJV notes, I can assure you that the original author (me) has nothing to sell in this respect - formerly an enterprise networks and database person I'm now a security guy in a financial business, not a purveyor of fine technology.

I kinda see your point that you've read it as "do everything perfectly", but what I was trying to get at is that utopia is "green means everything is working as it should" but also that it's darned hard to get to a level of monitoring that gives you that, and even harder to stay there in the light of all the inevitable change within one's infrastructure. I've seen it done once, and it was really hard work staying good, but heck, it was worth it. Problem is that one false move mucks it all up.

JerseyDaveC

Yep, you're not wrong there. Dependencies are a pain in the backside and it's hard to get a complete dependency map.

You might like to have a look at moogsoft.com in this context, which I say not from a commercial viewpoint (I know Phil and Mike from my journo days back in the 1990s - they were with Micromuse making NetCool when I first knew them) but because their AIOps stuff is quite clever. It's all about dependencies but it does it in a rather novel way by looking at log data from different sources and reasoning that if your app, your database, your server and your SAN are all giving related errors at the same time, they're probably related.

EU to formally probe Nvidia's $54bn takeover over British chip designer Arm – report

JerseyDaveC

Who would be the first dozen or so you would trust? :-)

Fix five days of server failure with this one weird trick

JerseyDaveC

Re: Sun E250

I once had a Sun E450 with Sun's active monitoring (via a very pricey leased line between them and my client). Idea was that if it died, Sun would notice and would: (a) call my client; (b) dispatch the required spares that the diagnostics had indicated were required; and (c) dispatch the engineer, who came from somewhere miles from where the spares came from.

We knew the engineer quite well and gave him a standing order: don't kill yourself getting here. (You could legally drive from his house to my client's middle-of-nowhere office within SLA, but only just and only if it was 3am with nothing on the roads). And we kept getting monitoring fees waived because most of the time the monitoring centre would only notice when the box restarted, not when it had crashed. So the usual sequence of events was: (a) system would die and refuse to reboot because the self-check failed on the broken component; (b) someone in the contact centre would phone to say it was broken; (c) my colleague and I would scoot into the office, pop out the board the POST was complaining about, and bounce the server; (d) the monitoring centre would call to say: "Your system is down" :-)

JerseyDaveC

Back in the 1990s I had a fleet of Mac Plus machines with external SCSI hard drives. Some of the drives would refuse to start up, and on removing the lids they all had the same make and model of 40MB (yes, really) hard drives. The ones that worked didn't have that make.

Turned out it was "stiction" - the drive lubricant got viscous when cold and prevented the drive from spinning up. Research showed that whacking it with a screwdriver handle fixed the issue, but after a few attempts the drive would die completely. So we introduced a standard approach: whenever a user reported the problem we'd take a spare hard drive, connect it in series with the failed one, boot the machine from a floppy, whack the failed drive into operation, clone the faulty drive to the spare, and then replace the former with the latter. Must have done 30 of those in just a few months.

JerseyDaveC

Re: Power supply on the floor?

That evokes painful memories of SCSI adaptors whose pins seemed to be made out of a metal with a stiffness slightly less than that of runny custard. And of SCSI chains which didn't work when correctly terminated at both ends, but which were perfectly happy once you removed a terminator and basically configured it so it couldn't possibly work.

JerseyDaveC

Re: The "inspector"

At the fledgling Online Media department of a large publisher we had a pair of SGI Indy workstations - one as the staging web server and one as the production one. This was 1995, so we were talking Netscape's web server package and pretty early adoption.

This was before HTTP 1.1 was introduced (and hence no host headers), so if you wanted to have multiple web sites on a server you needed multiple IP addresses. And at the time you could do virtual IPs on the Indy OS and persuade Netscape to run multiple sites, but it was proper messy. We made it work, but feared that the slightest wrong move would suddenly make it decide not to.

Ouch! When the IT equipment is sound, but the setup is hole-y inappropriate

JerseyDaveC

Anyone old enough to remember the BBC Micro and its proprietary Econet network? We discovered that if you jam an Econet cable into the tape drive port - something of an achievement as the pinout was radically different - it had interesting crashy effects on the network.

Excuse me, what just happened? Resilience is tough when your failure is due to a 'sequence of events that was almost impossible to foresee'

JerseyDaveC

Re: The

Absolutely right. And the thing is, the more you test things, the more comfortable you become with the concept of testing by actually downing stuff. You need to be cautious not to get complacent, of course, and start carelessly skipping steps of the run-book, but you feel a whole lot less trepidatious doing your fifth or sixth monthly test than you did doing the first :-)

One does have to be careful, though, that if you implement a manual trigger the behaviour must be *exactly* identical to what would happen with a real outage. As a former global network manager I've seen link failover tested by administratively downing the router port, when actually killing the physical connection caused different behaviour.

To have one floppy failure is unlucky. To have 20 implies evil magic or a very silly user

JerseyDaveC

Back in the 1990s the Macintosh II range was great for floppy disk loss. They came with one floppy drive, but there was a little blanking plate over a slot where you could install a second. This blanking plate was really easy to push out, so students at the uni where I was the Mac support guy would do so ... and the next person would insert their floppy disk and hear it drop into the guts of the Mac.

AI in the enterprise: Prepare to be disappointed – oversold but under appreciated, it can help... just not too much

JerseyDaveC

Re: Proof that it's AI

Did you ever see Cognos PowerHouse back in the 1990s, a so-called 4GL, or 4th Generation Language? The idea was that you told it in something resembling natural language (yeah, right) and it wrote the 3GL code for you, which was then compiled to a lower level via traditional means.

In real life, it was rubbish and slow. But that was 25 years ago, so I'm a little surprised we've not seen a 21st Century reboot using modern technology and algorithms.

So you locked your backups away for years, huh? Allow me to introduce my colleagues, Brute, Force and Ignorance

JerseyDaveC

Re: Seen in the wild

Yep. The other ones I had were 40MB Sony drives whose lubricant got all gloopy (a phenomenon known as "stiction"): take off the lid, whack the drive with the handle of a screwdriver, hear it spin up, copy off the data, swap the disk.

A short note to say I'm off: Vulture taps claws on Reg keyboard for last time

JerseyDaveC

Farewell, Kat. Don't be a stranger. Or any stranger.

Hell hath no fury like a radar engineer scorned

JerseyDaveC

And was it a deliberate pun?

I'm surely not the only one who smiled to read about a documentary on an aircraft carrier getting "good ratings" ...

:-)

Talk about a ticket to ride... London rail passengers hear pr0n grunts over PA system

JerseyDaveC

Poor passenger etiquette

By all means publish things like this to the Internet, but do please take your feet off the seats ...

Naming your company 101: Probably best not to have the word 'Oracle' anywhere near branding

JerseyDaveC

Re: Hell hath no fury

Reminds me of when "I Can't Believe It's Not Butter" was launched: the advertising rules prevented the makers from advertising on some media (radio was one, I think) because it wasn't butter but had the word "butter" in the name, even though the name made clear they weren't trying to pretend what it was (or wasn't).

Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways

JerseyDaveC

Re: Companies about to take security seriously?

Agreed.

A fiver says that they have some internal guidance that has been extensively considered with regard to the variables upon which a fine is based. You can't just slap a maximum fine on someone to make an example of them: if another company is less naughty and gets fined less, an appeal will instantly be forthcoming from the company that got the monetary kicking.

Fines must be proportionate and dissuasive: enough to make it worth taking steps to protect yourself, but not idiotically big.

JerseyDaveC

Re: Companies about to take security seriously?

The concept of a "discount" for reporting promptly is an interesting one. Failure to report on time would be an administrative breach, inviting a fine of 2% of turnover or EUR10m. The data loss itself is a data breach, with a potentially higher penalty of 4% of turnover or EUR20m. Had BA taken too long to report, the ICO would consider a fine for the failure to report (an administrative breach, with a max of 2% of turnover or £10m) AND a fine for the breach (a data breach, with a max of 4%/EUR20m). They wouldn't be added together, though: item 3 of Article 83 states: "... the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement".

Which is interesting, because unless the administrative fine was greater than the data breach fine, it'd effectively be disregarded anyway.

JerseyDaveC

Not going to happen. It's essential for the UK to have its data protection legislation recognised as "adequate" by the EU if UK organisations are to continue seamlessly to exchange information with entities (and about people) in the EU.

Hi-de-Hack! Redcoats red-faced as Butlin's holiday camp admits data breach hit 34,000

JerseyDaveC

Re: Well, that's a coincidence...

Only problem with boycotting Whitbread is whether I can face staying in a Travelodge instead of my usual fleet of Premier Inns ...

TSB meltdown latest: Facepalming reaches critical mass as Brits get strangers' bank letters

JerseyDaveC

Re: Enough blame to go around.

Correct. SIM swap fraud is far from a new thing, and if a phone company doesn't authenticate its customers correctly then it's a very easy thing to do.

Consent, datasets and avoiding a visit from the information commissioner

JerseyDaveC

Re: Commercial relationship?

One of the grounds for lawful processing is that you're doing it in order to satisfy a contract with someone. So yes, it's fine to retain data on sales and the like as long as it's secure. Main consideration is that you shouldn't keep it forever: define a retention/disposal policy and timeline for old stuff and stick to it.

So the suits swanned off to GDPR events leaving you at the coalface? It's really more IT's problem

JerseyDaveC

Re: B2B vs B2C

This is quite an easy one to answer: no, you don't need the consent of the individuals in this context. Your grounds for processing the personal data will be that you're doing so in order to satisfy a contract.

As the outsourced helpdesk entity you're a processor, and the company you're working for is the controller. Both parties are required by GDPR to ensure that an appropriate contract is in place, and if your customer has any sense he/she will ensure there's a right-to-audit in the contract so they can check up on you from time to time (monitoring of ongoing conformance is essential). As a processor you're bound by the constraints that state that you're only allowed to use the data for the purposes included in the contract. If you're based in a country that doesn't have an adequacy finding from the EU then your customer, as controller, should consider this and ensure that they take all reasonable steps to mitigate this, but again that's not an overly hard thing to do (unless you're based in Russia or somewhere equally dodgy, that is).

Adrift on a sea of data: Architecting for GDPR

JerseyDaveC

Re: Liability not asset

That's an interesting way to put it. I say to people that they should assume they'll be hacked (e.g. by zero-day ransomware) and hence plan to mitigate the intrusion rather than just design a protection regime. Like the idea of considering PII as a liability in the same context.

American upstart seeks hotshot guinea pig for Concorde-a-like airliner

JerseyDaveC

There are similarities but they're basically different. It's worthy of note that although Concorde required re-heat to be engaged to move through the sound barrier, it could then be disengaged for supersonic cruise: I gather that the TU-144 had to retain re-heat whilst supersonic. One would think that if they'd blagged the verbatim blueprints it would have been possible to avoid such a fundamental aerodynamic drawback.

Also, I gather that after relations had calmed down between the US and Russia, the TU-144 was used briefly by NASA for scientific research.

JerseyDaveC

Re: The British Airways LCY to JFK route is just silly.

The feature seems to imply that LCY-JFK is the only BA route from London to New York. Worth noting that there's plenty of BA stuff doing LHR-JFK, using 777s and 747-400s.

Sole Equifax security worker at fault for failed patch, says former CEO

JerseyDaveC

Anyone got their auditor's phone number?

I'd love to be a fly on the wall at their next ISO 27001 audit. Auditor: "You rely on one person for some of your critical patching, and there is globally known evidence that you demonstrably don't have a robust process. That'll be a Major Nonconformity, then ... I'll be back this time next month for you to show me evidence of improvement that convinces me not to take away your accreditation."

Feelin' safe and snug on Linux while the Windows world burns? Stop that

JerseyDaveC

Re: Article smacks of...

For those who are thinking I put the wrong date for CentOS 5 dying off ... you're right, it was a typo. Should get corrected soon.

Does Microsoft have what it takes to topple Google Docs?

JerseyDaveC

Office Online needs beefing up

If you've used the online version of Office you'll know that the feature set is majorly limited. You can't do PivotTables or even some of the more basic formatting, and linked documents are a pain in the butt.

If Microsoft want to attract people away from Google Office (do they need to?) they need to make the online version of Office more feature-rich.

Which is ironic given that in the desktop version many of us moan that there are bazillions of features we never use!

'The internet is slow'... How to keep users happy, get more work done

JerseyDaveC

"We should produce a monthly list of the top ten root causes for calls to the help desk, and allocate some resource to dealing with those problems".

Yup: trouble is, as I suspect you've experienced, a lot of places do the first bit but don't quite manage the second ... :-)

WannaCrypt: Roots, reasons and why scramble patching won't save you now

JerseyDaveC

Re: Remember the Millenium Bug?

Indeed I do remember the Millennium Bug: it did actually get a mention in the first draft of this feature, in pretty much the context you cite, but it didn't make the cut for length reasons :-)

Two Sundays wrecked by boss who couldn't use a calendar

JerseyDaveC

I was once an IT manager on a contract that didn't pay overtime, though the company was pretty laid back when it came to sensible time off if you'd (e.g.) been called out at night and were tired. The company I worked for moved office over a weekend, so we spent many hours (including precisely three hours' kip on the Friday night) shifting stuff across town and getting everything working. All part of the job, and it was actually good fun, we had plenty of external help in order to keep the workload sensible, and nobody minded.

A few days after the move my boss collared me and handed me an envelope as "a little thankyou" for a job well done. My goodwill for the company was noticeably enhanced by the cheque for a thousand pounds that I discovered therein.

Life after Safe Harbour: Avoiding Uncle Sam's data rules gotchas

JerseyDaveC

Re: Tricky HR issue there

"But, Your Honor, the defendant wasn't Chinese at the time" ...
