Posts by Doctor Syntax 40471 publicly visible posts • joined 16 Jun 2014
Who would fancy the job of going to the beancounters to tell them they have to budget for replacing a fleet of PCs in good shape and working well before the H/W hits physical EoL just because Microsoft says so? Or alternatively explaining that paying Microsoft a subscription for extended support isn't really blackmail?
From what I can remember of reading the earlier version of the instructions the last two commands of your step 3 are dependent on some attribute of the recovery partition that you had to make a note of before you nuked it.
And all this CLI stuff to install a patch on an OS that's promoted as being GUI-friendly.
If the password is salted and hashed that should deal with the risk of holding that. The problem sites aren't really those who realise the risk - they could mitigae it. It's the sites who don't or don't care who hold the entire database in clear and don't hold it securely enough.
"Identifiers are not secret -- they're commonly public knowledge"
Why? They don't have to be. Sites insist on using an email address as an identifier. They shouldn't, even if they collect an email as necessary contact information. All that happens is that the general public has been trained to accept that they don't have to remember/record unique ID/password combinations. If the site issues a user ID, maybe three random words, then even if the user always uses the same password the unique, secret identifier means that the combination is unique and secret.
Agreed, and the other downside is "access to my phone as I always have it on me" along with the unspoken "and it's always charged" and the OP's "most people". It creates a lot of cases where some people are permanently disenfranchised unless they get a phone they don't want or can't afford and others, including me, are often temporarily disenfranchised.
a list of email/passwords from some site and then re-uses those to login to a bunch of other sites because most people aren't going to bother with the whole "use a different password everywhere" thing
Don't require email as a login ID. Preferably have some other site issue a login ID. Unless the attacker can work out what ID a site might have issued that entire site list is useless for other sites. Collect an email address if needed to communicate with the user but don't use it as a login ID. Collect real names if needed but don't use them as a login ID. Set up a user handle if needed (e.g. on el Reg) but don't use it as a login ID. If that were normal practice we almost certainly wouldn't be having this discussion every year.
"or I suppose using 2FA with SMS which isn't that hard to defeat.
...
As mentioned above, even if you don't back anything up you can recover your passkeys one site at a time using the 2FA method you enrolled when you created it."
So you can recover a passkey site-by-site using a 2FA which may not be hard to defeat. That doesn't seem to add to security at all. And if you do have a protected backup you still need to preserve a means outside of the passkey mechanism - another easily defeated 2FA job> - to recover it.
"Someone in Kosovo is making many calls all over Europe everyday and this goes unnoticed."
Presumably there are "legitimate" call centres making marketing spam calls and possibly really legitimate call-centres making bona fide outbound calls. Without a legal requirement to do so it wouldn't be the Telcos role to police this nor would they have the incentive to do so voluntarily.
I've previously suggested a means to incentivise them. Enable the subscribers to report a recently received call by dialling a specific code. The originating number, as opposed to the faked number would be traced. If that were a subscriber of the same telco the caller would be charged a fee on the recipient's behalf to be credited to the recipient's account plus the telco's handling charge. The fee would naturally be higher for a recipient on a scheme such as TPS. If the call originated outside of the final telco's control the charges would be passed back to the telco who had forwarded it. They could then pass it on with their own handling charge until it arrived as a charge on either the caller's account or with a telco which had been insufficiently concerned to keep logs. Naturally some statistical work would be involved to set a minimum number of reports from different recipients to prevent someone trying to make money out of legitimate calls.
On one level it would be to reimburse recipients of junk calls but would also help trace fraudulent calls. On another it would kill the whole call centre scam by making it unprofitable if the charges were paid which in turn would ensure telcos' credit control would make it much harder to set up anything other than bona fide call centres.
On another level it would involve telcos making investments needed to implement it with the knowledge that by stopping the calls they'd never get their investment back in handling charges.
On the real level bringing such a scheme forward as a serious proposal would very likely lead to telcos, ever anxious to help the authorities discovering some much simpler, cheaper and hitherto overlooked means to block what they adgreed was this disgraceful abuse of telecommunication systems.
"Block claimed that's not uncommon after reviews of complex systems, and that hiring an independent review team shows that it takes compliance seriously."
The time to take compliance seriously is when the systems are being designed, not after they've gone live and become available for exploitation.
This is a bit puzzling in the article. How did he come to have the same bucket name as that of the unnamed tool? Alternatively how did the tool work before there was an actual bucket set up with the name it uses? It looks as if obfuscation of the original report has succeeded to the point of incomprehensibility.
Most businesses don't have any of these things. The owner/user's PC sits on the desk, not in a server room. If the power goes off the whole business shuts down anyway, or at least reverts to whatever can be done without any powered machinery or even lighting. It seems to be an assumption in these parts that a business automatically has a server, a number of clients and an online presence.
Once upon a time it was perfectly feasible for a small business to have someone freelance set up a server with a simple backup arrangement - put in a tape, run a script at end of day and store off-site (i,e, the business owner took the tape home). As needed for tweaks the freelancer could come in for a day or so as required to make changes.
But then, once upon a time the government of the day decided to kill as much of the IT freelance segment as it could.
The common key element missing from your descriptions of those alternatives is planning.
You'll probably find there are two types of business, or departments within a business. Those which being IT into their project plans early because they expect IT will be helpful and efficient and those who don't because they think it's a waste of time as they don't expect IT to be able to do what they need. Oddly enough, both types find their expectations are usually met.
This applies not to IT but to a wide variety of service provision.
"Because that information is valuable."
Those who thought it was are now discovering that the correct word is "toxic".
This is why Europe has customer protection protection regulations some commentard recently described as "Stalinist". This is what happens when you don't have them or don't follow them.
1. The bill is for the sole purpose of making good the victims ASAP. Do you really want to delay it by loading it up with extraneous stuff?
2. There is ample provision in existing criminal law for prosecuting those responsible.
3. Determining who is responsible is a task for the courts, not for Parliament. Catch-all wording suchas "all those responsible" in a Bill would undoubtedly tie the courts up for years on points of interpretation and naming specific individuals in the Bill would require investigation that would hold it back for years (see point 1) and set a horrendous precedent for imprisonment by government fiat.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
