* Posts by GnuTzu

704 publicly visible posts • joined 1 Feb 2015

Insane in the domain: Sea Turtle hackers pwn DNS orgs to dash web surfers on the rocks of phishing pages

GnuTzu

Re: TLS Certificates? -- In Depth

Defense in depth: guard the registry, guard the private keys, do vulnerability management, do pen. tests, and all of this in concert with TLS, etc. How is this new?

Hackers bragged that pretty vanilla breach included FBI watchlist? Well, colour us shocked

GnuTzu

Re: Advertisers

In case anyone is unfamiliar with the meme, there is a saying among marketers: "consumers are like cockroaches: they grow immunity and adapt." I find this to be a little more than unsettling, and it makes me despise those who try to ram abusive advertising down people's throats even more. They've got all that marketing data and they still don't know how to treat consumers like human beings. Just what kind of disease has infected the minds of marketers and advertisers?

GnuTzu

Advertisers

Oh, if only I wasn't strictly white hat, they'd soon learn what it means to be treated like cockroaches.

They did it! US House reps pulled their finger out, voted to restore net neutrality in America!

GnuTzu

Re: I like the boulder analogy...

Careful; if you re-flood it, you'll just have a big mosquito problem that would spread diseases. What we need to do is contain the diseases--the divisive political ones in particular, so that they'll stop infecting people's minds. The duocracy is a false dichotomy.

Juniper slips out update after hardcoded credentials left in switches

GnuTzu
Facepalm

Re: Again

OOOOOOHHHHHHH MMMMMYYYYYY GGGGGAAAAAAWWWWWDDDDDDDDDDDDDDDD

Lazarus Group rises again from the digital grave with Hoplight malware for all

GnuTzu

Re: Anyone remember when...

"...aimed at helping the isolated nation get cash into its coffers."

Then wouldn't the sanctions efforts also want to do everything possible to dis-empower this hacker group?

Brit hacker jailed for strapping ransomware to smut site ad networks

GnuTzu
Childcatcher

Re: Site's Responsibility for Reasonable Service ..........

When I go to buy products, I will be a responsible consumer and make sure that I am both getting products produced by responsible manufacturers and that I am getting that product from a seller that will ensure that I am getting the genuine product unmolested. So, I'm going to also seek out some means of ascertaining the reputation of both. That may be by way of a consumer advocate publication or by way of some manner of certification. So, both Consumer Reports and the Underwriters Laboratories are key resources.

However, things get weird with advertising services, as the consumer doesn't get to scrutinize them directly. Web sites are entering into a business deal with ad services, who in turn are entering into a deal with sellers who want to advertise their products. And, in this brave new world of the Internet, they have to do so in extreme bulk. That has a distinct effect on the lack of motivation to look out for the consumer, so the consumer is left to look out for themselves.

At some point, there will have to arise in the market some manner for dealing with the reputation of these delivery mechanisms. Will it be something that arises naturally, by consumer outrage, by regulation, or some combination thereof? But, I can't believe that anyone involved will be able to reasonably claim they have absolutely no responsibility in this. After all, it's a chain of business agreements and all participants are creating market forces that are a part of the cause of the problem.

GnuTzu
Megaphone

Site's Responsibility for Reasonable Service -- Or, Who Expects Marketing Services to Have a Heart

Isn't it still true that advertisement services still take no responsibility for the content they allow through their service? Aren't lawmakers considering addressing issues of this sort in other arenas, like social networking, search engines and such--some of which may be going too far (EU copyright law), others not far enough (social media data gathering)? Would I be shocking anybody if I made a prediction that this hacker will not be the first of this kind, that ad services will again be the vehicle for other major exploits, and eventually that there will then be regulation--putting some responsibility on the ad services--for not being so callously irresponsible towards consumers--that they actually do something to screen or filter ad content--to reduce the chance that they'll be used to spread malware?

FBI catches heat, HS kids catch a hacking rap, and Albany catches a ransomware infection

GnuTzu

Re: New Jersey, New York

I don't know how many picked up on it, but the article hinted at the fact that Albany is the cliche question for knowledge of state capitals, and I was taking a poke at what counts as a meaningful education. I'm a technical person, and those trivia quizzes that check if anybody remembers things requiring rote memorization from elementary school are not really my thing. So, I too am one of those that only knows a few state capitals, though I do know that large cities are not necessarily state capitals. However, for the sake of keeping up with the news, I did find a nice web site for making a game of knowing where states and countries are, so I'm doing pretty good with those. I don't know if I'll ever bother doing the same for state capitals. If anything, nations' capitals would be next, though I know a few of those as well. In a technical field, trivia is just for conversation and doesn't get the job done.

GnuTzu
Trollface

New Jersey, New York

The New Jersey kids knew how to take down a WiFi network, and may well have a career in IT ahead of them, but do they know the capital of New York?

Blundering London council emails unredacted version of notorious Gangs Matrix to 44 people. Data ends up on Snapchat

GnuTzu

Re: They knew who sent the e-mail - Were they sacked? -- Outlook

Agreed, but insert here the discussion about how email programs could have better highlighting and prompts to warn when an email might be going to the wrong people. Of course, that won't get it 100%, and training and policy enforcement are necessary, but email programs need improvements too.

Of course, if your email program comes from a monopoly (at least in the business software market where software needs to fully support policy compliance), then you may find it hard to sack the software. Why else have the oh so obvious improvements come so slowly?

Chinese hackers poke the Bayer, but German giant says it withstood attack

GnuTzu
Mushroom

Re: FF as usual -- Monsanto

If the Chinese were to get a hold of the technology Monsanto uses to infect non-GMO farms (allegedly?)--so they can use patent law to, ahem, acquire those farms in the courts, will the Chinese act less ethically than Monsanto in the use of the Franken-seeds?

And, could this be what the Chinese were after? Yes, I'm spinning a dark fantasy, but it's just so much dark fun that I couldn't resist. Anyway, I was very curious to find out exactly what the Bayer/Monsanto targets were. And, could it be that Bayer will end up regretting its acquisition of Monsanto?

TP-Link 'smart' router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence

GnuTzu

Re: No Trust

True, but that's more a standard, and it's for technical people; it's not a "product" marketed to general consumers, just to clarify.

GnuTzu
Megaphone

No Trust

I tend not to trust products with the word "smart" in the product name. Or at least, my first question will be "what makes it 'smart'?" See today's article on the Huawei router with the UPnP flaw.

"Smart" usually means that the device automates things in a way that inherently creates vulnerabilities--and way too many of them.

Huawei's half-arsed router patching left kit open to botnets: Chinese giant was warned years ago – then bungled it

GnuTzu
Unhappy

Re: How to secure routers 101

The tragedy of things like UPnP is that its purpose is defeated if it's off by default. And, that means that the only people who won't be vulnerable will be those who are smart enough to disable it (and other things like it, such as weak WiFi settings). And, although the intent was to make things easier for untrained consumers, the unintentional (one would hope) effect is to create a massive swath of vulnerable back doors just waiting to be harvested. Still, one is tempted to entertain the thought of conspiracy theories. After all, there were those who warned that this kind of problem was inevitable, and we expect that the only reason that this ended up being created anyway was just a matter of the way the market works--being the enabler rather than the responsible guardian--again, one would hope.

Yeah, you better, you... you better tell us how you're misusing people's data, privacy, watchdog suggests to US telcos

GnuTzu
Megaphone

Re: "you dirty rat!"

Wouldn't it be great if YouTube allowed you to block specific products from advertising to you, perhaps with an opportunity to rant about why you would find a product so despicable?

GnuTzu
Facepalm

Re: "you dirty rat!"

Oh yeah, an online grammar checker? As if I would actually run my writing through a thing like that. Seriously, if I'm using a search engine like Duck Duck Go, I'm sure as hell not going to run an entire corpus of my writing through an online grammar checker.

And yet, YouTube keeps throwing the Grammarly ads at me, no matter how many privacy-related videos I watch--or how many times I click that "skip ad" button. They just never seem to learn. But, that's how marketers think. I suppose I could install an ad blocker for YouTube, but I'm actually amused to see how stupid marketers are.

Oh, and those ads that say my video will play in so many seconds, you know, the ones that don't give you a chance to click "skip ad", I just close those windows as quickly as I can--regardless of whether it's for a product that interests me. I won't put up with advertising that I can't down vote. Those are products that I make a point of not buying--again, even if it's a product category that interests me. Use abusive advertising, and I will hate your product to the end of time. Marketers that think they actually gain something by shoving abusive content down people's throats, which only infuriates people, need a smack upside the head.

Windows Defender ATP is dead. Long live Microsoft Defender ATP

GnuTzu

The Office 365 Infection

With Office 365 forcing its way into many organizations by way of Microsoft's monopoly machine, will other end-point security tools be forced out of business?

Also, does this mean that Microsoft's vulnerabilities will get fixed or will they remain to validate the existence of the end-point product?

Swiss electronic voting system like... wait for it, wait for it... Swiss cheese: Hole found amid public source code audit

GnuTzu

Such A Wait-for-it

Can I have that on rye with spicy mustard?

That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus?

GnuTzu

Re: Safe storage

Marketers? Acting responsibly towards consumers? What dreamland was this supposed to be about?

Surprise, surprise, yet another cryptocurrency creator collared, hit with $6 million fraud rap

GnuTzu

Re: Greedy or Stupid !!! -- Population Growth

One born every second--allowing for population growth.

In the cloud, things aren't always what they SIEM: Microsoft rolls out AI-driven Azure Sentinel

GnuTzu
Joke

"I'm not seeing the 'I' part of AI here."

Oh, but at Microsoft, the "A" stands for "absent".

GnuTzu
Megaphone

Re: Just trying to understand -- Priors of Ori

If it's anything like O365, they'll expect you to pipe all that data over the Internet directly without the protection of a web proxy.

And, don't forget, Microsoft sales reps are like the Priors of Ori; they'll pressure your organization into signing the contract before any feasibility or security studies can be done. Remember, they don't care if you want to define your security policies or perform risk analysis yourself; all your policies become what they dictate. Microsoft is Origin.

Burger chain Wendy's serves up settlement, NeverQuest hacker guilty, cloudy payroll users hacked and more

GnuTzu
Facepalm

Microsoft Morals

Really, this is where they draw the line?

Where's Zero Cool when you need him? Loose chips sink ships: How hackers could wreck container vessels

GnuTzu

Re: That's it.

... or SOC.

Secret mic in Nest gear wasn't supposed to be a secret, says Google, we just forgot to tell anyone

GnuTzu

Re: Don't be........

More like "don't forget to be forgetful."

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

GnuTzu
Headmaster

Re: The Usual Response... -- Grammatically Correct

Note that it's possible to have nonsense phrases that are grammatically valid, which might help with memory, as in: "Colorless green ideas sleep furiously." But, don't use that one, as it's a quote of a certain famous linguist. (And no, I wouldn't include the spaces either.)

US man and Brit teen convict indicted over school bomb threat spree

GnuTzu

Extradition works too.

GnuTzu
Unhappy

To rephrase: another sick perpetrator is about to be set free, possibly with no oversight or mental health treatment. Maybe this one needs to go to Broadmoor instead.

Network kit biz Phoenix takes heat as flaws may leave industrial control system security in ashes

GnuTzu
FAIL

It's Not Like This is a New Topic

Did they think we'd been crying wolf all this time?

Leaky child-tracking smartwatch maker hits back at bad PR

GnuTzu

Re: "regular" people wouldn't be able to do it, and if they did, it didn't really matter.

"...but disgruntled relations are probably more of a danger."

Yeah, I'll buy that. Family ties are a highly motivating factor and those ties get pulled on far more often.

GnuTzu
FAIL

Re: "regular" people wouldn't be able to do it, and if they did, it didn't really matter.

The issue is a matter of pervs who shop the dark web for kiddie pics who will eventually create a market for hackers to sell certain kinds of services. And, don't forget nanny cams have already been hacked and exploited by pervs, so there's no reason to think these products are immune. Finally, anyone who thinks that pervs always work alone is a fool. Think ahead product makers; you are contributing to the creation of a whole new kind of dark and sick market.

Mumsnet data leak: Moaning parents could see other users' privates after cloud migration

GnuTzu
Childcatcher

Future Headline

Future headline: Mumsnet reports a sudden and staggering growth of new members. Critics ask how they know whether all those new members are all actually real parents... {Fill in usual disastrous results prediction here.}

Why do I so badly want to see people who fail to protect children raked over the coals, broken glass, and other such materials?

I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

GnuTzu
Stop

Re: A little shortsighted

"It would be as if a mechanic walked up to your car to do an inspection..."

O.K. but, it's by regulation that inspections and emissions tests are mandated (under various circumstances).

And, when (or if) we get self-driving cars, are there going to be inspection requirements to make sure the code is appropriately patched to ensure that other cars and passengers on the road are not endangered?

The more that we come to depend upon software, the more there will come to be a mandate for safe software that does not endanger others. It will be interesting to see what happens to the bug-hunting market then.

London's Met police confess: We made just one successful collar in latest facial recog trial

GnuTzu
Facepalm

Re: Join the Insane Clown Posse

And then, will we see some of the new wave makeup styles from the 80's, or might we see some David Bowie styles and others from glam rock? What about cosplay?

Mobile network Three UK's customer details exposed in homepage blunder

GnuTzu
Unhappy

So Many Web Sites...

So little oversight. Isn't it fun to just be a statistic?

You think election meddling is bad now? Buckle up for 2020, US intel chief tells Congress

GnuTzu

Re: I'm not quite sure why this is surprising...

Yes, as Eddy Ito says, we are aware that many see us as the "World police", and there are a whole lot of us that are very unhappy about that pejorative view. Yet, we understand where it comes from. Insert concepts like Military Industrial Complex here.

Mozilla security policy cracks down on creepy web trackers, holds supercookies over fire

GnuTzu

Re: So.. what's a supercookie?

That's been my thinking. If corporations can have the DMCA here in the states, then we should have similar protections against hacks tracking us.

GnuTzu

Re: So.. what's a supercookie?

Generally a combination of techniques to make it so that you can't delete a cookie. But, what that really means is if you delete the cookie, some other mechanism will bring it back, so they might also be called zombie cookies. This includes the use of Flash cookies. Yes, Adobe decided that Flash needed its own cookies. Wasn't that nice of them :( Sesame Street's Cookie Monster surely does not like these.

Q. What do you call an IT admin for 20-plus young children? A. A teacher

GnuTzu

Chipped, Right Hand --> Apocalypse

Yeah, this is where it starts. They'll chip kids in their writing hand so that all they have to do is wave it over a device. Sorry, this and AI will cause a new evolution in which we plain old humans will go the way of the neanderthals, whether you believe in the Apocalypse or not. Frankly, I'm a skeptic, but I don't need a supernatural explanation for the Apocalypse to know that we will surely either cease to be human or simply cease.

Did you know? Monday was Data Privacy Day. Now it's Tuesday. Back to business as usual!

GnuTzu

Re: When did that leak out?

That was worth a chuckle.

But, would a big convention like CES or DEFCON get as much attention?

White-listing Azure cloud connections to grease your Office 365 wheels? About that...

GnuTzu
Mushroom

When Marketing Determines Security Policy

Beware, they've got some kind of secret strategy to get buyers to sign up for their crap--without security reviews, feasibility studies, or risk assessment. And, it seriously sucks when that happens because then you're forced to implement things that you know are just plain wrong.

Got a Drupal-powered website? You may want to get patching now...

GnuTzu

Re: Yeah...

"For example, Windows has far more security issues reported, yet it's still used."

There is merit to the point, but it's so much more complicated than that. Marketing and a near-monopoly status have so much more to do with this.

Lowjax city: Researchers crack open notorious Fancy Bear rootkit

GnuTzu
Coat

Infecting Security Tools

Of course it's sick; it's also to be expected.

Yes, you can remotely hack factory, building site cranes. Wait, what?

GnuTzu

Re: Not good -- Battling Cranes

O.K. But, something in me wants to see two cranes go at it.

Poland may consider Huawei ban amid 'spy' arrests – reports

GnuTzu
Unhappy

Re: RFC... -- Damned if you do; damned if you don't.

Yup, either allow anonymity or impose standards that increase the ways your system can be profiled and reduce privacy. And, then there'd be a whole new level of anonymization on the market.

Damned if you do; damned if you don't.

*taps on glass* Hellooo, IRS? Anyone in? Anyone guarding taxpayers' data from crooks? Hellooo?

GnuTzu

Re: There's a simple solution to this -- Recipe for Failure

Recipe for Failure:

1. Treat workers like crap.

2. Good workers go elsewhere.

3. Security policy ignored or not understood by those who remain.

4. Breach.

5. Repeat above.

If you wanna learn from the IT security blunders committed by hacked hospital group, here's some weekend reading

GnuTzu
Mushroom

Not a Fan of Citrix

It's too damn difficult to enable Citrix services over the Internet through a web proxy--without mucking up security, and no one ever seems to have Citrix support to address that garbage--so I'm always having to reverse engineer that crap. No wonder that was part of the problem. Yeah, I'm a proxy admin, and Citrix is a serious thorn in my side, and I wish policy out-and-out forbade it. Time to grow up and get your sh*t in order Citrix.

No plain sailing for Anon hacktivist picked up by Disney cruise ship: 10 years in the cooler for hospital DDoS caper

GnuTzu
Trollface

Re: What a hero

Our pigeons can do TCP/IP.

Medical advice app Your.MD could have been tampered with by anyone, alleges ex-veep

GnuTzu
Unhappy

"I was being neutered from discussing [the problems] publicly"

"Neutered" is an apt way to describe what it feels like to try and address security questions in most organizations. "Castrated" (regardless of gender) would be even better.