* Posts by Claptrap314

3215 publicly visible posts • joined 23 Jan 2015

Ransomware scum have put a target on the no man's land between IT and operations

Claptrap314 Silver badge

It's not rocket surgery...

Again, again, and again: get critical infrastructure off the public internet & keep it off.

That is NOT a 100% fix. It IS a way to make it much, much harder to get in where it matters.

Colonial pipeline is particularly obnoxious to me because they ALREADY have a physical network in place. I strongly doubt that it would be particularly difficult to run an IT network though the interior of their pipelines.

Go ahead and ignore Patch Tuesday – it might improve your security

Claptrap314 Silver badge

Remember LogMeIn?

Yeah. First off, the initial patch flat did not work in many cases. Second, since we were on Jenkins, I had already implemented firewalls to block access to all but the IP addresses of the sub-handful of users who needed access.

I also wrote our vulnerability & exploit response times to clarify that security patches are proposals to be evaluated as one of an array of possible responses. Since we were in a regulated industry, that array included taking everything offline to protect customers.

Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq

Claptrap314 Silver badge

"Türkiye opposes Kurdish"

Hey, El' Reg! Your little explainer glosses over the fact that Turkish treatment of the Kurds is what led to the coinage of the term "genocide". This isn't a "sovereignty movement" comparable to Catalonia, or various crazy ideas in the US to carve out new states. These people have seen entire districts depopulated as a matter of official government policy.

Sudo-rs make me a sandwich, hold the buffer overflows

Claptrap314 Silver badge

It blows my mind that after almost 50 years, we STILL don't have ready access to the C & O bits. Just add +?, -?, *?, /?, <<? already and be done with it. Oh, I know. Coercion makes that a <em>little</em> complicated. Tough. You want it. You make it work.

Google Cloud’s so-called uninterruptible power supplies caused a six-hour interruption

Claptrap314 Silver badge
Stop

Resilience

Related to Nate Amsden's post, understand that individual DCs at Google weren't designed for HA when there was no GCP, just Google. They found it cheaper to have about 90% uptime per DC & build all of their services with that in mind. It's been close to a decade, but AIR, each DC had a semi-annual two week planned outage. Everything was built to N+2, so the week that we had an emergency maintenance on a second DC that we were in, we got a bunch of alarms, but the customer never saw a thing.

In the two weeks at the end of the year, we entered a "config slush". No changes were permitted except to deal with an active problem. OMG rate dropped 80%. Every year.

Near the end of my time there, there were two interesting developments. The first was to try to reduce the amount of toil involved in managing a service by having code handling the detailed config changes. The project appeared to take a lot longer than I would have guessed. The second was to try to improve the availability of the individual DCs by adding various forms of redundancy. We SREs were more than a bit skeptical. My PM told me, "It is in Google's best interest that you pretend to believe these numbers."

I get, from standpoint of a general service provider, that very few GCP customers have the chops to actually manage multi-DC redundancy. Therefore, the market is going to demand that individual DC reliability be "good enough". But when you start doing the math, I have a really, REALLY hard time seeing how you can get bet-the-company certainty of three 9's out of a large datacenter. Certainly, it's been almost 30 years since the electrical grid for the Eastern US was down for four hours, but that sort of thing really can happen.

If you aren't hosted both in US East & US West, you're not very much there from a reliability standpoint.

Pentagon declares war on 'outdated' software buying, opens fire on open source

Claptrap314 Silver badge

That would be all of the flag ranks for quite some time, at least.

Healthcare group Ascension discloses second cyberattack on patients' data

Claptrap314 Silver badge

Surprise? I. Think. NOT.

At my last job, based on my interaction with approximately 100 health care organizations over the last three years, approximately 0 implemented current NIST password management recommendations. At all.
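As an added illustration (not part of the original post), this is what a password-acceptance check looks like when it follows the NIST SP 800-63B memorized-secret rules as I read them: a minimum of 8 characters, a generous maximum, no composition rules, and rejection of known-compromised values and context-specific words. The compromised-password list and the usernames are constructed stand-ins.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breach corpus; a real deployment checks against a
# far larger list. SHA-1 is used only as a lookup key, not for protection.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "Password1!", "qwerty", "letmein")
}

MIN_LENGTH = 8    # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers permit at least 64 characters


def check_password(candidate, context_words=()):
    """Return (ok, reason).

    Rules applied (my reading of SP 800-63B): length bounds only, Unicode and
    spaces accepted after NFKC normalisation, no 'one digit, one symbol' rules,
    reject values from the compromised list and anything containing a
    context-specific word such as the username or service name.
    """
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in COMPROMISED_SHA1:
        return False, "found in compromised-password list"
    low = pw.lower()
    for word in context_words:
        if word and word.lower() in low:
            return False, "contains context-specific word"
    return True, "ok"


if __name__ == "__main__":
    # "Password1!" satisfies every legacy composition rule and is still rejected,
    # because the list check is what actually matters.
    for pw, ctx in (("Password1!", ()), ("correct horse battery staple", ()),
                    ("alice-rocks-2024", ("alice",))):
        print(repr(pw), check_password(pw, ctx))
```

The point the checker makes concrete: a breached-list lookup catches the passwords that composition rules would have waved through, which is why the recommendations drop the composition rules and keep the lookup.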

The State of Open Source in 2025? Honestly, it's a mess but you knew that already

Claptrap314 Silver badge

Some places are running more than one of these.

Open source text editor poisoned with malware to target Uyghur users

Claptrap314 Silver badge

Re: Who could possibly be behind this ...

You've missed the part where the Agency is as much of a bureaucratic **** up as any other part of our government...

How to survive as a CISO aka 'chief scapegoat officer'

Claptrap314 Silver badge

Documenting email?

I've always wondered about this. That email is fully under company control. If you make a copy, in any form, and remove it from company control, then you are almost certainly in violation of your employment agreement, and very likely the law.

And it's been more than twenty years since I was at IBM when they implemented a 99-day auto-delete policy expressly to avoid discovery.

I'm not saying that there is no value in documenting email--it can certainly buy you a few more months standing on the plank. But actually getting the documents to court? Sounds much more difficult.

Cybersecurity CEO accused of running malware on hospital PC blabs about it on LinkedIn

Claptrap314 Silver badge
Mushroom

I worked in health care for two different orgs. In one, I dealt with over 100 partners. I've seen things you people would not believe.

Who needs phishing when your login's already in the wild?

Claptrap314 Silver badge

This (and the fact that my job-hunting email address is on the domain) is why I still pay for my own personal domain. I have ALL the email addresses @mydomain.

Developer scored huge own goal by deleting almost every football fan in Europe

Claptrap314 Silver badge

Re: Once you’ve gone the prod route…

Well, if you are paranoid enough to do EVERYTHING inside a transaction or creating backup tables (MySQL 5 did not support transactions for DDL statements), "fessing up" can amount to, "If you didn't have to get involved, it didn't happen, right?"

Microsoft rated this bug as low exploitability. Miscreants weaponized it in just 8 days

Claptrap314 Silver badge

Re: %appdata%

In 1995 or 1996, I decided to use a separate partition for Program Files. I set the appropriate registry entry & proceeded with the install. Guess which was the ONE AND ONLY vendor to ignore the registry entry?

It doesn't matter what kind of "standard" M$ spews out if they themselves refuse to follow it.

Daddy of a mistake by GoDaddy took Zoom offline for about 90 minutes

Claptrap314 Silver badge
FAIL

A second source of truth...

I continue to be confused by this. I understand--in general, it is a whole lot easier to rely on DNS even for accesses inside your own domain, but it remains that the DNS record is a second source of truth. Critically, it is a source of truth that relies on a complex infrastructure outside your organization.

Why, oh why, should primary DNS resolution for systems in your organization, for your organization, not be an IP address in your organization? Is it that important to have SPoFs on the outside?

Brit soldiers tune radio waves to fry drone swarms for pennies

Claptrap314 Silver badge

Re: A one hit wonder

We generally call them "HARM"s, and yes, this would be a beacon for one. Although I'm pretty certain that this is mounted to do shoot & scoots just for that reason. Or, you could trust your counter-missile capabilities...

But wait! I'm just getting started!

Claptrap314 Silver badge

Re: A one hit wonder

That's cost per shot, not cost to purchase, train, transport or set up.

Claptrap314 Silver badge

Re: Marketing

In theory, yes. In practice, you would need something like 10000x power to have a chance. (Planes are MUCH better shielded around the relevant parts, and moving much, MUCH faster.)

Windows Recovery Environment update fails successfully, says Microsoft

Claptrap314 Silver badge

Re: It's like deja vu all over again.

The more things change...

New SSL/TLS certs to each live no longer than 47 days by 2029

Claptrap314 Silver badge

Firewalls? Who needs them?

Let's walk through what was happening at my previous job.

1) We have servers that we want web access to, but not for the entire internet.

2) LE only works if you are open to the internet.

3) ???

What I did when I came in was open the servers up to the internet long enough for LE to do its thing.

We were on Amazon, however, so I figured out how to switch over to their certs.

But suppose we weren't.

---

Yes, in theory cert compromise is a fundamental problem. But in practice, I don't think we've had ten articles about it happening here in the last 20 years.

In the mean time, EVERY one of the bigs pushing this has had more bugs than that every year--most every month.

Try fighting fires that are actually burning.

To avoid disaster-recovery disasters, learn from Reg readers' experiences

Claptrap314 Silver badge
Boffin

Disturbingly easy to surprise people

At my last job, I got handed a significant chunk of our compliance work.

It was bemusing to receive a questionnaire that assumed that backups were not immediately tested.

I don't know what you call an untested bunch of bits supposedly written somewhere without being restore tested, but it ain't "backup".

'Once in a lifetime' IT outage at city council hit datacenter, but no files lost

Claptrap314 Silver badge

Points of opinion

It is incredibly hard (if not impossible) to remove all single points of failure from a complex system. (And sometimes that SPoF is a human)

Last point first: If your SPoF is a human, you have a substantially broken process. I've seen positions created (by the demand of the board) to fix this.

As for the first, note that it is often much easier to fix this in software than hardware. Ten years ago, at least, Google did not use RAID in their data centers, as the RAID controllers themselves failed too often. Data resilience was handled completely by software.

Likewise, there was not a lot of redundancy within an individual data center. Their policy was, "Outages occur (planned and unplanned). Design your service so that it is not a problem when they both happen at the same time." The week that happened to my service had a lot of noisy pages, but the users never saw a thing.

Efforts to improve data center uptime by adding various redundancies were met with great skepticism, leading to my favorite business quote, "It is in Google's best interest that you pretend to believe these numbers." (Early results were underwhelming.)

Of course the entire reason that DNS can respond with multiple IP addresses for the same service is specifically to remove a class of SPoFs.

----

You had to conduct a risk assessment to determine whether it was safe to have a meeting in a room where the lights weren't working, but had a big window that let light in?

Well...yes. You conduct a risk assessment on every room as it relates to a power outage. That assessment comes back, "The room in question is on the first floor, and therefore accessible without resorting to elevators or stairs. It is also on an outside wall. Therefore, during hours of full sun, use of this room for meetings presents minimal risk." The DR plan can then use this room for business-hour meetings during a power outage without adding safety measures such as flashlights ("torches") or glow tape.

It is precisely this sort of comically-dry detail that goes into proper DR planning.

But why does the PR include such detail? That's standup fodder. I don't fault them for doing proper DR planning. I fault them for putting that kind of detail in the PR. "We are implementing our DR plan" But someone on the board was just so self-important that they had to be shown meeting in this dark room. And then explaining why. <shakes head sadly>

GitHub supply chain attack spills secrets from 23,000 projects

Claptrap314 Silver badge
Megaphone

This is unfixable

Git uses SHA-1, which is fine if you are not being attacked. The system relying on SHA-1 for protection, however, is clearly broken. This is a BIG DEAL.

China announces plan to label all AI-generated content with watermarks and metadata

Claptrap314 Silver badge

Re: In the long run, this is the wrong way around

Your basic proposal seems pretty good here, but there are some adjustments I would make.

First off, the camera has four settings: No metadata, raw image checksum, originating device id, and rich data.

The raw image checksum produces a quantum-resistant checksum of the image. No provenance; however, this checksum can be published as proof of age, and the path of publishing is a weak claim of creation.

Originating device id includes this information in the checksum in a standard format. The device ID proper is held in the hardware, and thus strongly tamper resistant. Publishing this checksum creates a strong claim of creation.

Rich metadata includes timestamp and geolocation. Unfortunately these are fundamentally easier to tamper with. If the device is connected, a signed attestation might be doable, but you would need an entire infrastructure to make it tamper resistant.
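An added worked example (mine, not the commenter's) of the three checksum-bearing settings above: a bare SHA-256 of the raw image, the same checksum bound to a device id under a key the device holds, and the rich timestamp/geolocation record folded in. The device id, key and image bytes are constructed, and HMAC stands in for the hardware signature the proposal assumes (a public-key signature would let third parties verify without holding the key).

```python
import hashlib
import hmac
import json
import secrets

DEVICE_ID = "cam-0001-example"        # constructed identifier, not a real device
_DEVICE_KEY = secrets.token_bytes(32)  # constructed; in the proposal this never leaves hardware


def raw_checksum(image_bytes):
    """Setting 2: hash of the raw image only. Proves the bytes existed when
    published; says nothing about who produced them."""
    return hashlib.sha256(image_bytes).hexdigest()


def _tag(payload):
    # HMAC-SHA256 as a stand-in for a signature made inside the device.
    return hmac.new(_DEVICE_KEY, payload, hashlib.sha256).hexdigest()


def device_attestation(image_bytes, rich=None):
    """Setting 3 (rich=None): checksum + device id, tagged under the device key.
    Setting 4: timestamp/geolocation added to the tagged record. The tag proves
    the device emitted these values; it cannot prove its clock or GPS were honest."""
    record = {"device": DEVICE_ID, "sha256": raw_checksum(image_bytes)}
    if rich is not None:
        record["rich"] = rich
    payload = json.dumps(record, sort_keys=True).encode("utf-8")
    return {"record": record, "tag": _tag(payload)}


def verify(image_bytes, attestation):
    """Recompute the checksum from the image, rebuild the canonical payload and
    compare tags in constant time. Any edit to image, device id or metadata fails."""
    record = attestation["record"]
    if record.get("sha256") != raw_checksum(image_bytes):
        return False
    payload = json.dumps(record, sort_keys=True).encode("utf-8")
    return hmac.compare_digest(_tag(payload), attestation["tag"])


SAMPLE_IMAGE = b"\x89PNG-not-really-" + bytes(range(64))  # constructed "image"


def demo():
    """Returns (genuine verifies, edited timestamp verifies, edited image verifies)."""
    att = device_attestation(SAMPLE_IMAGE,
                             rich={"ts": "2025-01-01T00:00:00Z", "geo": [0.0, 0.0]})
    backdated = {"record": dict(att["record"],
                                rich={"ts": "2020-01-01T00:00:00Z", "geo": [0.0, 0.0]}),
                 "tag": att["tag"]}
    return (verify(SAMPLE_IMAGE, att),
            verify(SAMPLE_IMAGE, backdated),
            verify(SAMPLE_IMAGE + b"x", att))


if __name__ == "__main__":
    print(demo())
```

The canonical JSON encoding matters: both sides must serialise the record identically or honest attestations fail, which is the "standard format" the comment asks for.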

This is the FBI, open up. China's Volt Typhoon is on your network

Claptrap314 Silver badge

Re: The FBI ...

I've had the (in)security department of a bank call me up & try to get me to prove who I was. I let them have it. Then I called the number on the back of my card.

Claptrap314 Silver badge

Gah!! I keep getting it wrong. Mea Culpa

Claptrap314 Silver badge

"We don't have any access to large critical infrastructure. We don't own transmission. We're a distribution company. Yes, we're part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack," Lawler told The Register.

You know, unless you had heard about L0pht's testimony to the US Congress in...1998?

Okay, so it's not the job of the GM to be a cybersecurity expert. But you are designated as critical infrastructure. Somebody in the US government that you support so much thinks you matter. You have to wait for a personal contact that you done f***ed up to believe it?

Okay, so I can appreciate, very much, this part "It sounded like one of those Microsoft scams," Lawler said. He told the agent: "Go f-yourself, I'm not going to click on a link, you must think I'm an idiot. What is your name again?" Personally, as this was from the FBI, I would have gone with, "You ever hear of Frank Abernathy? I'm doing what he told me in this situation." And hung up. Yeah, you call the FBI up after that, since you are the GM of designated national critical infrastructure. Otherwise??? Yeah, that's a seriously unprofessional contact.

Worry not. China's on the line saying AGI still a long way off

Claptrap314 Silver badge
FAIL

Explain that to the regulatory agencies. Please.

No new engineer hires this year as AI coding tools boost productivity, says Salesforce

Claptrap314 Silver badge
Flame

As if Tableau and Heroku support weren't already #$*!(@#&

Not sure that anything more needs to be said...

Feds want devs to stop coding 'unforgivable' buffer overflow vulnerabilities

Claptrap314 Silver badge

Re: Offence

No, it is mathematics. Specifically, the claim, "The following code, when compiled, linked and executed on perfect systems, does exactly what it is supposed to do" is a mathematical theorem.

And I'm not talking about the "theorems" we glossed you with in calculus. I mean the real stuff that you only get to in graduate school.

Yeah, I got into the PhD program in Austin. That's about the minimum requirement, by the way.

Tiny Linux kernel tweak could cut datacenter power use by 30%, boffins say

Claptrap314 Silver badge

Re: "It's just some legacy scientific programs not worth re-writing that has kept Fortran alive."

If you bring people in with the equivalent education of the ones who did the original work, this really shouldn't be that bad. In fact, a lot of old Fortran predates IEEE-754, which means that a lot of algos can be rewritten to take advantage of the guarantees.

Sure, I wouldn't trust this unless someone was a mathematician with a background in floating point, but I cannot be the only one....

British Museum says ex-contractor 'shut down' IT systems, wreaked havoc

Claptrap314 Silver badge

Re: lax procedures

One night around 0200, we found the daylock (three digits on a five-button lock) changed. I informed our lead that I could go through it. "Go ahead." "Is that an order?" (Grinning) "Yes". Once I got started, I would say I ran about 2 tries/second.

Asus lets processor security fix slip out early, AMD confirms patch in progress

Claptrap314 Silver badge
Facepalm

Re: Doesn't look like a vulnerability

AMD 64 had unencrypted microcode updates? Uggh. That was my time, but I didn't know about that. What a mess.

While I can more than fully appreciate the desire of hackers to roll back the hood and tinker (I actually brought up the idea of exposing the microcode on the K5 to designers), supporting such a feature would just be too expensive.

But what you really, really don't want is an attacker gaining access at that level. Really, really, really.

Developers feared large chaps carrying baseball bats could come to kneecap their ... test account?

Claptrap314 Silver badge
Angel

Re: Their mistake was...

If you're going that route, go with 10 Downing Street, London, SW1A 2AA or Buckingham Palace London SW1A 1AA

Biden signs sweeping cybersecurity order, just in time for Trump to gut it

Claptrap314 Silver badge

Perfect!

"To address these issues, the cybersecurity directive mandates that software companies which sell to the government must submit proof to CISA that they are following secure software development practices." So, no Microsoft then.

And nothing based on Linux, or BSD, either. Check those licenses, people.

Yep, this is a bunch of sound & fury, signifying nothing except "We're the ones serious about security, not the Orange Man."

Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days

Claptrap314 Silver badge
Pint

Re: Ignorant Old F**t Here....

Have another for "old man yells at cloud"... ---------------------------------------------------------------------------->

After China's Salt Typhoon, the reconstruction starts now

Claptrap314 Silver badge
FAIL

Re: This isn’t a security incident

There were literal tons of chemical weapons found at multiple locations. A fact that was not terribly hard to confirm on the web for a few years, notably a major British newspaper condemned the US for exposing troops to it, but every time I point this out, it gets harder to find.

Funny.

Claptrap314 Silver badge

Let me know when you find one..

"We suggest finding an industry that has indulged its gargantuan appetite on the benefits of digital infrastructure while not investing in its security"

Claptrap314 Silver badge

If you make the owner of the site liable for what ever they send in response to a query, that would clean things up in a hurry, no?

Encryption backdoor debate 'done and dusted,' former White House tech advisor says

Claptrap314 Silver badge

In other news

The FBI has agreed that the world is round.

Let's hope it sticks.

FCC net neutrality rules dead again as appeals court sides with Big Telco

Claptrap314 Silver badge
Boffin

Such shallow coverage, El Reg

For the first 2/3rds of the article, El Reg carries on as if this is a decade-old issue. Only near the bottom do we see that the matter goes back to the 90's. But the stage was being set before that.

In the late seventies and into the eighties, cable was expanding in the US, but the last mile is/was EXPENSIVE. Cable companies sought concessions from local governments to protect their investments, and this resulted in the cable monopolies we have to this day. When the internet came to consumers, it was over the telephone at first.

It was one of those timing things--copyright-destroying (user-to-user sharing--Winamp?) took off just as cable internet was getting started, and was tremendously enabled by it. Big Content was apoplectic, which is understandable, and demanded that these apps be blocked. It did not help that each one of these apps declared that it was so special that it did not need to use exponential back-off--until just the traffic from that one app was enough to congest itself. These new apps were a legal threat, in that the ISPs were enabling the violation of copyright, and a technical threat, in that they were pumping out far, far, more traffic than the switches could handle. The cable companies were already cutting deals regarding content on their networks, so they were ready to do so with the internet they were providing as well.

Which threatened to kill new apps entirely on the Internet.

Up until this point, (late in Bush II era) the US government had taken a very hands-off policy regarding the internet, but this was seen as a crisis. Net neutrality began as a slightly-left-of-center effort to block the ISPs, especially cable companies, from ruining the Internet. When Big Content jumped in, however, we should have realized where this was going.

The fight is almost entirely between Big Content and the ISPs regarding contract clauses. Don't think it is anything else. Breaking up the local cable monopolies would be a good thing for several reasons, but it would mean that Big Content would have way too much power relative to the ISPs. I don't like the implications of trying to redress that imbalance. It may be that the best we can do for consumers is to leave the cable monopolies in place (with more (uggh) regulation) plus NN.

Critical security hole in Apache Struts under exploit

Claptrap314 Silver badge

Re: Honeypot

Please check with your local & national TLA before proceeding. Governments hate it when you horn in on their racket.

Crooks stole AWS credentials from misconfigured sites then kept them in open S3 bucket

Claptrap314 Silver badge
Boffin

I don't know what you're smoking, but S3 buckets have been private by default for a long time. Moreover, if you try to make them public, you get a very noisy "Are you sure?" popup.

There are many valid complaints against AWS. This is not one of them.

British boffins build diamond battery capable of working for a millennium or five

Claptrap314 Silver badge

Re: Noted

African or EuropeanIndian?

T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'

Claptrap314 Silver badge
Angel

Another case

of it being easier to get forgiveness than permission, friend...

Zabbix urges upgrades after critical SQL injection bug disclosure

Claptrap314 Silver badge
Boffin

Re: Little Johnny tables...

You know, it doesn't take that long to read all of XKCD. Please do your due diligence. https://xkcd.com/327/
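Since the comment points at XKCD 327, here is the Bobby Tables lesson in runnable form: an added example (mine, not from the article or Zabbix) with a constructed in-memory SQLite user table, the string-built query that lets input become SQL, and the parameterised query beside it. The tautology probe is the one the cartoon made famous and is included so the two functions can be compared on the same input.

```python
import sqlite3


def _fresh_db():
    """Constructed in-memory table standing in for an application's user store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(name):
    """String-built query: the input is spliced into the SQL grammar itself."""
    con = _fresh_db()
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def lookup_parameterised(name):
    """Placeholder query: the driver passes the value out of band, so whatever
    it contains is compared as data and never parsed as SQL."""
    con = _fresh_db()
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# The well-known tautology; against the vulnerable function the WHERE clause
# becomes  name = '' OR '1'='1'  and every row matches.
PROBE = "' OR '1'='1"


if __name__ == "__main__":
    print("vulnerable, normal input:    ", lookup_vulnerable("alice"))
    print("vulnerable, probe input:     ", lookup_vulnerable(PROBE))
    print("parameterised, probe input:  ", lookup_parameterised(PROBE))
```

A quick review check for any codebase: grep for `%`, `+` or f-strings building a query string near `execute`; the parameterised version is the only one that should survive.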

Musk agrees with fan that worries over orbital Starlink traffic a 'silly narrative'

Claptrap314 Silver badge
Boffin

Re: When does Kessler kick in?

There have been computations. As mentioned elsewhere, it is the job of the various agencies to do the calculations. What you missed in my earlier comment is that if Kessler were at all imminent, the computations demonstrating such would be in the article. They are not, so it is safe to assume that the agencies are doing their job, and that we are not on the edge of such a disaster.

Claptrap314 Silver badge

When does Kessler kick in?

While it is true that a Kessler cascade will happen eventually, it is extremely noteworthy to me that, for instance, the wiki page has 0 information regarding computations of when it is likely to kick in. The simple answer is: "not soon". That said, if we do eventually get there, the cleanup will likewise be some orders of magnitude greater than what is currently envisioned. (For instance: the 550 km orbit is 43500 km long--so the "Musk orbit" is going to be populated with 42000 satellites--that's 1/km)

Mega US healthcare payments network restores system 9 months after ransomware attack

Claptrap314 Silver badge
Flame

Meanwhile...

https://stockanalysis.com/stocks/unh/history/

Nvidia's latest Blackwell boards pack 4 GPUs, 2 Grace CPUs, and suck down 5.4 kW

Claptrap314 Silver badge
Flame

Remember when

Intel was mocked because the Pentium used 100W? It's too bad I cannot search the archives deep enough to pull up the "to fry an egg" comments here...

The icon isn't because I'm mad. More like the poor power lines...