* Posts by Claptrap314

2323 posts • joined 23 Jan 2015

Survey of astronomers and geophysicists shines a light on 'bleak' systemic bullying

Claptrap314 Silver badge

Your presumption about the aftermath is at least as uninformed as his. Shout all you want, you're displaying a truly amazing level of mind reading.

Never mind the trolls, Discord hosts 'significant volumes of malware' in its CDN

Claptrap314 Silver badge

Are you hosting a website where the general public can sign up?

Can they post arbitrary content?

Then you have malware. And, as folks here constantly point out, signature files are not going to do a great job of finding it.

China pushes back against Exchange attack sponsorship claims

Claptrap314 Silver badge
Trollface

Re: Hmm.

He's saying 53%, so it's probably at least 15 apples...

Google Cloud's Intrusion Detection Service attempts to make security 'invisible' but cost will be the big giveaway

Claptrap314 Silver badge

Re: Detection only...?

In the days of BYOD, how exactly do you prevent patient 0?

Claptrap314 Silver badge

Security as a Service?

On the one hand, there can be a lot of expertise brought to bear. On the other, security is one of those places where diversity is _really_ important--as we seem to see here on almost a weekly basis of late.

Given that the industry is suffering badly with far too few people considering security to be part of their job already, it's not at all clear that, even conceptually, this is a step in the right direction.

Ably blog claims company doesn't need Kubernetes to scale, surge in traffic takes down entire website

Claptrap314 Silver badge

On the surface, K8s has some...disturbing features

Like default networking policy of "allow all". Like "secrets" being entered in base64. And so on. Things like this suggest that there are likely to be very serious problems deep in the system.

In the end, it still feels like it's intended to be used by people whose job is something other than "software engineer". I expect that many, many companies are likely to improve their situation by moving to it. I expect that the bulk of them would do better to have a real software engineer come in and design and build a system for service management.

I'm reminded of a project I owned at IBM. The build requirements were so complex that I was directed to file a software patent for the makefile. By the time that patent went through, I had abandoned make and moved to custom scripts. I see the same kind of thing happening here.

Everyone cites that 'bugs are 100x more expensive to fix in production' research, but the study might not even exist

Claptrap314 Silver badge

Re: Equally unattributed, but different...

The emphasis on self, of course...

NSO Group 'will no longer be responding to inquiries' about misuse of its software

Claptrap314 Silver badge

NSO is a weapons manufacturer

The law needs to require them to behave just like Raytheon or any of the others.

AWS gave Parler a chance, won't say if it talked to NSO before axing spyware biz's backend systems

Claptrap314 Silver badge

NSO is a weapons manufacturer

They need to be treated the same way as a foreign Raytheon or any other such company. From what anecdotal evidence I have, I'm betting that AWS doesn't have processes in place for handling such things. Oh well.

Of course, technology is moving a lot faster than the law, and it's pretty clear that they are turning a rather blind eye to just what their customers are doing with the arms they are receiving. Given who they are and what they are doing, I would be disappointed if this "Shocked, shocked!" moment by Amazon had a noticeable effect on their operations for fifteen minutes. It's entirely possible that it had none at all.

Honestly, it's a bit disappointing that Amazon was even able to identify which accounts they are using. Oh well. Lessons learned, and all that. I expect that there will be a Swiss LLC (or equivalent) created before the end of this week that just happens to handle traffic that has rather... similar characteristics to what was previously attributed to the NSO.

Claptrap314 Silver badge

Confused

Does the Register think that AWS was too slow to take down Parler or too quick to take down NSO?

Claims that whataboutism is exclusive to conservatives are wearing quite thin.

Claptrap314 Silver badge

Re: A thought when I was reading thru the details from Amnesty

Do some reading about spycraft. Your ideas are those of a babe in the woods.

Mountains on neutron stars are not even a millimetre tall due to extreme gravity

Claptrap314 Silver badge

Re: No!

You know that to an astrophysicist, lithium is a "metal"? As is argon? And let's not even mention what they mean by "young", "nearby", or "neighborhood".

And folks say mathematicians are weird just because we understand that anything greater than one is "large".

Claptrap314 Silver badge

Re: "extreme gravitational fields"

Nah, landing is easy. Having a camera left afterwards, however....

Claptrap314 Silver badge

Re: "extreme gravitational fields"

Except that you can see not just the other side, but the back of your own head!

Fun times...

UK and chums call out Chinese Ministry of State Security for Hafnium Microsoft Exchange Server attacks

Claptrap314 Silver badge

You might have claimed the same about Russia prior to WWII.

Times change, and the military buildup of China today can be compared to what Japan did post-Perry.

Their hypersonic torpedoes are a major threat to our carriers. They are trying, and to a significant extent succeeding, in buying up the best & brightest for military AI.

And once you can get an AI close to a human in an F-15, you redesign the thing to routinely pull 8-10gs--and dance rings around anything that cares about the human cargo.

As for computers, who cares who is doing the design? What percent of global manufacturing of components is currently happening there?

Moreover, their research in biowarfare and human genetic engineering proceeds at full steam while we have almost none.

Remember, war is only something you do if you cannot achieve the changes you want on the ground without it.

They are using the openness of our society to fund chunks of pro-China activity in our major universities--and social media, to include the comments here.

Losing generals are well known for fighting the last war. The next one looks scarier by the year.

Claptrap314 Silver badge

When I was at IBM in the early 2000s, I took to referring to us as "rope sellers". For the kids out there, it's a reference to a quote by Karl Marx, "When it comes time to hang the capitalists, one of them will sell us the rope."

Claptrap314 Silver badge

Those are called "freedom of navigation" exercises, and we do.

But it's only one small piece of what is needed.

Amnesty International and French media protection org claim massive misuse of NSO spyware

Claptrap314 Silver badge

Ever hear of "won't fix"? How about "bug bankruptcy"?

There is precisely one company selling securable phones--RIM. They don't have a retail sales channel.

How to keep your enterprise up to date by deploying the very latest malware

Claptrap314 Silver badge
Trollface

Re: Hands Where We Can See Them

It was obviously a honey pot.

You'll want to shut down the Windows Print Spooler service (yes, again): Another privilege escalation bug found

Claptrap314 Silver badge
FAIL

Wasn't it earlier this week

I was downvoted to **** for saying that it is simply irresponsible to put a print spooler on your domain controller?

If your SMB cannot support separate systems, then your problems go far beyond computers.

Today's arms race is all about AI and it's China vs America, says US defense secretary

Claptrap314 Silver badge

Re: Athens vs. Sparta

They don't need either of those. What they need is to squash any dangerous ideas by their people that freedom is desirable.

This page has been deliberately left blank

Claptrap314 Silver badge

Re: Oops

I don't think it's all that subtle. I'm trying to figure out which way it goes...

Google demonstrates impractical improvement in quantum error correction – but it does work

Claptrap314 Silver badge
Trollface

What's the difference?

So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into

Claptrap314 Silver badge

Re: Do they have

Oh, bother!

NortonLifeLock sniffs around Avast, announces 'advanced discussions' for acquisition

Claptrap314 Silver badge
Devil

Sounds like

They deserve each other.

But that's none of my business.

Regulating facial recognition technology? It's the 'Wild West out there,' says US law boffin

Claptrap314 Silver badge

Re: FRT - never ready for prime time

I'm not at all happy with our de-facto surveillance state, but you're getting quite a bit wrong here.

You don't need to be "in the lab"--just get permission to pull the video from some convenience store in advance, send subjects in front of the camera, and you've got HIGHLY representative data to work with.

Moreover, while I've not worked with AI myself (well, there was that one program on my TRS-80, but I don't think it should count), from what I've seen, FRT is focused on the geometries of the subject--distance between features, primarily. That data survives a lot of fuzzying pretty well.

The core issue looks to be overconfidence, and especially the presumption that these systems can do more than narrow the list of people who might be on camera. "Matching" a photograph should not, by itself, be probable cause. Not now, and not for a very long time.

This is the data watchdog! Surrender your Matt Hancock smoochy-kiss pics right now!

Claptrap314 Silver badge

Re: Would they have bothered ...

Some "people" are more equal than others...

It had to happen: Microsoft's cloudy Windows 365 desktops are due to land next month

Claptrap314 Silver badge

No infrastructure... VD, then?

Claptrap314 Silver badge
Angel

So now

the next major Windows security violation won't be a virus, it will be a compromise of their core servers that will compromise EVERY new Windows system? Nice! The power & convenience of the cloud is finally fully realized!

What is GitOps? This is the technical introduction you've been looking for

Claptrap314 Silver badge

Yes but...

1) DevOps was NEVER about eliminating the distinction between devs and operations. NEVER. It was about relieving the explosion of operational load that was triggered by the move from waterfall to Agile. That mostly involved a lot of education of the devs as to what actually happened after they "threw it over the wall." In particular, defining "MVP" to include a hard requirement that it not force the ops guys out of bed every other night to fix what just broke.

2) Single source of truth was NEVER about a single source of all truth, but of any particular truth. If, as this article seems to imply, the ultimate source of truth is external to your systems, that does not change anything other than the particulars about how the updates occur.

3) Access control within a repo is a solved problem--with Perforce at Google, at least. I'm pretty sure IBM had it solved decades earlier with whatever system they were using. Git doesn't directly support access control at all, but layering it on isn't really that big of a deal. Not that Github supports it.

4) The distinction between desired state and actual state isn't really as hard to get as the article implies. In order for processes to be meaningful, they need to be expressed as datapoints in the same space. In order for the processes to be successful, you need to have a clear method to conform the latter to the former. There is nothing new here, but lots of folks do get this wrong, somehow.

And finally:

If you cannot reduce your entire desired state to a series of bits in some dataspace, then you don't really understand your desired state. Once so realized, it becomes natural to take those bits and manipulate them as bits rather than the things those bits represent. GitOps is nothing more and nothing less than an exploitation of these facts.

REvil ransomware gang's websites vanish soon after Kaseya fiasco, Uncle Sam threatens retaliation

Claptrap314 Silver badge

Re: Crossed the hallway

I spent a decade playing at the level of assembly language. I occasionally poked my head into what the compiler guys are up to.

Almost all of the artifacts that I have seen published regarding the identification of these groups beyond native language strike me as being pretty easy to fake at the compiler level. The only question is if these teams have anyone with the current skills to do so.

Of course, if they're not stripping the symbol table, they're just being lazy.

My point is that I'm pretty sure that a team with the skills one would expect of a (more or less) major state actor can reskin more easily than their counterparts can reattribute.

Google fined €500m for not paying French publishers after using their words on web

Claptrap314 Silver badge

Yep. 1MEU/day is probably more than they are making in France on ads. Probably.

It will be interesting. They won the war with Spain, but times seem to be changing.

What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft

Claptrap314 Silver badge

Re: Maybe (but probably not)

When the customer gets fed up with non-performing products, or $1000 devices that won't be usable next Christmas, that is when we will see reliable systems--and not before.

To quote the CEO of IBM (in 2000), "One of these days, the customer is going to say 'E-nough!' But until he does, it's e-everything."

The other route is regulation. That worked for seat belts. This is a much tougher environment, however.

Cybercriminals took advantage of WFH to target financial services companies, say financial bods

Claptrap314 Silver badge
Paris Hilton

In other news..

Water is wet. The sky is blue. The Pope is Catholic, and Willie Sutton robs banks because that is where the money is.

Is there ANYTHING of interest in this report?

Kaseya restores SaaS, then 'performance issues' force a do-over

Claptrap314 Silver badge

Re: “With the large number of users coming back online in a short window"

Yep. Looks like they need the help of someone with real SRE experience.

I'm available, but I'm going to need my money up front...

Microsoft to beef up security portfolio with reported half-billion-dollar RiskIQ buyout

Claptrap314 Silver badge
Trollface

m$ curse

RiskIQ major outages starting in 3...2...1..

SolarWinds issues software update – one it wrote for a change – to patch hole exploited in the wild

Claptrap314 Silver badge

Re: A modest proposal

I know, but it's a start. I'll keep your additional points in mind. I'm still quite junior when it comes to real ops knowledge.

Claptrap314 Silver badge
Paris Hilton

A modest proposal

Maybe, and just hear me out, but maybe it would be a good idea to geoblock access to your admin panels to any nation that your admins aren't actually living in or likely to travel to?

Kaseya claims SaaS restoration going swimmingly

Claptrap314 Silver badge

I would wrestle this guy's shovel away from him...

but I'm too busy enjoying my popcorn.

At this point, the CEO is clearly failing at his #1 job: not looking like a complete idiot in public.

Beijing further tightens its grip on local web giants with 'Network Security Review Measures'

Claptrap314 Silver badge

Re: Numbers

"We pretend to tell the truth, and they pretend to believe us."

-- Ancient USSR saying

Linux Mint 20.2 is a bit more insistent about updating but not as annoying as Windows or Mac, team promises

Claptrap314 Silver badge

All I know

Is that Mint 19 seems quite a bit slower than 18. Yes, I'm running 10 year out hardware. This _is_ Linux, after all.

Kaseya delays SaaS restore to Sunday, CEO says ‘this sucks’ but decision was his alone

Claptrap314 Silver badge

His career, hopefully.

Security warning deluge from 'npm audit' is driving developers to distraction

Claptrap314 Silver badge

Fix symptoms, not problems

As mentioned, the issue is the sheer number of transitive dependencies. (And as a rubyist, I'm looking at YOU, DHH.) The idea that getting code out the door NOW is functionally the most important thing is what is driving this.

But, as I keep harping, in the end, the customer is king.

Someone posted a mention of James Dean's seatbelt. For those who do not know (such as myself, an hour ago), James Dean died in an automobile accident. Investigators determined that if he had been belted in, he would have survived. At the time, however, very few cars even had an option for seat belts. The article goes on to trace the history of seat belt usage, crediting this incident as getting the ball rolling. I was about 18 when the laws were being passed. I contemplated stopping wearing one in protest of the blatantly unconstitutional process by which those laws came about.

I'm afraid that the solution is going to involve legislation. Insurance looks like it is going to fail. (The costs are too high, companies will just ignore the risks.) Liability for directors/board members seems the most likely. The situation with Kaseya is a pretty good demonstration of why.

IBM insiders say CEO Arvind Krishna downplayed impact of email troubles, asked for a week to sort things out

Claptrap314 Silver badge

And, just like IBM was twenty years ago, they are ashamed of it.

Kepler spots four rogue Earth-mass exoplanets floating in space, unbound to any star

Claptrap314 Silver badge

Re: "reason to expect that they did"

No. We had plenty of evidence that stars form from nebulae. We had an example that planets could form alongside a star. We had models of nebula evolution & star formation that naturally evolved planets.

In other words: we had a well-grounded theory, and an example where it actually happened.

That's not "speculation" any more than the finding of Neptune was based on "speculation".

Claptrap314 Silver badge

Not really. We had no reason to expect that they did not exist, and every reason to expect that they did.

Sexy space babes, though...that was speculation. ;)

White hats reported key Kaseya VSA flaw months ago. Ransomware outran the patch

Claptrap314 Silver badge

Just No

As mentioned above, this case highlights the major failure mode of "responsible disclosure". Kaseya had a major problem. They knew they had a major problem. They refused to do anything to protect their customers that might have damaged their reputation. Now this.

The motto of SRE at Google is "spes consilium non est". Kaseya better hope that they don't get sued by each and every end user whose system was compromised because they knowingly, willingly, left them twisting in the wind.

After 15 years and $500m, the US Navy decides it doesn't need shipboard railguns after all

Claptrap314 Silver badge
Trollface

ERMahGeRd

I may have found the problem...

Pentagon scraps $10bn JEDI winner-takes-all cloud contract

Claptrap314 Silver badge

Re: Spin

That's because AWSers were writing the spec, remember?

Claptrap314 Silver badge

Re: Obligatory B5 misquote

That scene had the potential to be perhaps the best ever. Unfortunately, the multi-season gap between the setup and delivery meant that the director felt compelled to add the flashback. I mean, I get it from a marketing/pr perspective, but it destroyed the art of that moment.


Biting the hand that feeds IT © 1998–2021