Posts by NBNnigel

Legacy of LanMan?

My long-held theory is that the typical 8 character 'as-complicated-as-you-can-make-it' password policy is a holdover from the days of Lan Manager support in Windows. The problem (there were many) was that LM hashed passwords were split into two 7 byte halves (maximum 14 char password). Meaning a 13 character password could actually be cracked as two separate passwords (of 7 + 6 char length respectively).

And the input string was null padded out to the 14 char max, meaning an attacker could instantly tell if a password was less than 8 characters (because the second half would be entirely null padding). Hence, 8 character passwords. Considering how old LM is, the standard complexity requirements no longer make sense (and never made sense in any remotely 'greenfield' case).

Either there are lots of ultra-legacy windows shops still running, or (more likely) there are lots of cargo-cult sys admins out there. Neither prospect sounds appealing from a security standpoint.

I realise this won't be popular...

... but in some cases, IT are partially to blame. I work in the 'business' side of the organisation (in a government department), but I also understand IT more than your average civilian (particularly on the security side of things). In my experience, sometimes the reason business units do IT procurement "behind IT's back" or run off to cloud-based services is because IT are an unreasonable and inexplicable impediment. This might be unique to government, but I've come across a few IT areas now that manage risk by simply saying 'no' to every request. Unless, of course, it comes from someone in senior management. Then they seem to jump right to it, regardless of how insane it is.

Also, some functions that really should be managed by competent IT folks are instead managed by (as far as I can tell) non-IT folks. Usually 'content management' teams that, for whatever reason, are situated in the IT organisational group. Consequently, regular civilians end up assuming that when IT says 'no' they're just being unreasonable (even in cases when there's a good reason) or that IT simply doesn't know what the f*** it's doing (thanks to previous experiences with 'IT, but not really' content management teams). Examples:

1. I was working on a small project (1 man army) where I needed to write some stuff in python (mostly web scraping and writing custom parsers for weirdly structured HTML). It took me a month to convince IT to install a python interpreter on my machine. Tried to install a library: nope, read-only access to the directory. Over the next couple of weeks tried to convince IT that it was kinda pointless to have a python interpreter installed without being able to install libraries, but they wouldn't have a bar of it. Yes, technically I could have used urllib and regexps. That is, if I wanted the project to take 10 times as long to do. Eventually I had to give up and work from home (partially in my own time).

2. I use a *gasp* cloud-based service for making flow charts (lucidchart). Or I used to. When I tried to access the site from my current workplace I was confronted by the all-too-familiar 'blocked page', courtesy of our wonderful content blocking system (which seems to run on a whitelist basis, and MITMs using a custom CA cert that's that's dangerously insecure thanks to its outdated fingerprint hashing algo, but that's another story). I put in a request for it to be unblocked: nope, cloud-based services are not allowed here. When I ask why, am told it's an information security risk which, in fairness, is a legit issue in government. Everyone who works in my department has a security clearance, and has gone through countless security training courses, why can't they be trusted to not upload sensitive data to some random server? What was the point of the training in the first place? Hasn't that horse already bolted, given we can send emails to external addresses? Actually, isn't that a risk we've always taken given we allow people to walk out of the building without having to endure a bag check and body cavity search? And weirdly, why are Azure and AWS unblocked if this is such an issue? Yes, technically I can use your crappy flow charting software on the "officially approved software" list. But I'd rather use something that doesn't massively hinder my productivity. More working from home for me...

3. My department 'uses' Sharepoint. Yes it's awful, but I have no control over that. And because IT's access control policies don't allow 'business users' to be given any site-level admin permissions, we have to go begging to one of the 'content management teams' if we want to create a new document library. Or a new calendar. Or a new anything... These very simple requests can take 2-3 days to be fulfilled. I'm guessing because the 'sharepoint content managers' don't have a clue what they're doing and go bother 'real IT' whenever one of these requests comes in. Might there be a more sane approach we could take? Apparently not, is the official answer from IT. Now I understand why Sharepoint is only used as a glorified network share drive... Don't even get me started about the time I needed to write some crappy little CLIENT-SIDE Sharepoint app...

And the list goes on. The only good experiences I've had when dealing with IT were when I've been able to figure out where the knowledgeable folks are hiding (tip: they're usually in the 'IT infrastructure' teams, where you actually need to know what you're doing or the lights go out). Maybe none of this applies to any of you highly skilled IT folks. And I don't doubt that 90 percent of the time the problem is the 'business side' not having a clue. But a little introspection probably wouldn't hurt either.

It's worse than the 'privacy expert' thinks...

Actually reading section 202 of the SS Act, there's a nice little note right at the bottom: "In addition to the requirements of this section, information disclosed under this section must be dealt with in accordance with the Australian Privacy Principles." The APPs are part of the Privacy Act. So in this case, it looks like the SS Act is subordinate to the Privacy Act (not the other way around as suggested by the quoted privacy expert).

2 years jail, strict liability offence.

NBN: A one man, one act play

Has it occurred to you Richard that maybe, just maybe, fttp is the only thing pushing up Australia's average speeds, because it's the only thing worth a crap compared to ADSL? And hence its kinda insane to be rolling out a patchwork of different technologies, which top out at 100mbit (at best) in real world conditions? (I'll believe it when I see it, hub architecture HFC and Vectoring VDSL Lab tests). People aren't interested in marginal upgrades that are already close to obsolete.

As for market structure, the biggest issue will always be that wholesale fixed line comms is a natural monopoly due to the market cost structure. It's especially relevant since our genius politicians continue to insist on selling off our wholesale FL Comms to private monopolists. This is official policy of both major parties regarding NBN btw. The other big factor driving RSP consolidation was the ACCC's boneheaded POI decision at the beginning of this whole fiasco. The only public figure who seemed to understand the implications at the time was Simon Hackett, as evidenced by him getting the f*** outta dodge soon after.

There. Some actual substantive issues to discuss. Although please do go on with this one-act psychodrama that brings us audience members along to experience the dizzying highs, and crushing lows, of Richard's buyer's-remorse fueled angst.

High value indeed

Luckily for the Government, the UK has already done the work for them (again). The 2013 Shakespeare Review identified a number of 'core' government datasets, such as the UK company register (rec 4). So I guess Australia will be opening up its compa..... oh... wait... we're privatising that.....

Never mind.

Huh. So this is why HP all of a sudden released a security advisory for their server management interfaces: iLO (and brethren) runs on moxa hardware (http://www8.hp.com/us/en/business-services/it-services/security-vulnerability.html#!&pd1=1_2). Anyone running HP 'Integrity Superdome' should be firmware updating ASAP. Assuming you're not out of warranty. Or you have paid the HP firmware ransom (i.e. you purchased a 'HP care pack'). And assuming you can find the firmware and instructions, cleverly concealed somewhere on the HPE website/monstrosity.

From HP's sec advisory page: "This vulnerability could allow an unauthenticated, remote attacker to perform man-in-the-middle attack (MITM) or redirect outbound traffic to an arbitrary server that can cause disclosure of sensitive information."

So of course it makes perfect sense that HP have marked mitigating firmware as 'entitlement required'. Everyone else running HP server management interfaces (e.g. iLO): HP's suggested 'workaround' is to "disable System Management Homepage".

Good luck and godspeed!

Fools and clowns

If they actually cared one bit about the public interest, they'd be handing the data to the ABS for free (given the ABS have decades of experience and expertise in confidentialising unit record data, and legislation that would see the Chief Statistician thrown in jail if they screwed up).

But evidently they just want to recover part of the $1bn or so that they've wasted due to their utter incompetence when it comes to IT. These clowns just don't get it. If they want to involve the private sector so badly, why not expose some simple APIs with a mandatory user authorisation step (i.e. OAUTH2/OpenID Connect)?

Oh that's right, they screwed that part up too with the abortion known as myGov.

Doublespeak

Hah, I love the way Cisco has worded their explanation to make it seem like the device is still secure. Yes, SSL MITM is an attack on the client. But they've worded it to be misinterpreted as "hard-coded uniform SSH keys & SSL MITM are both attacks on the client." Nope. Wrong.

I assume they made the disclosure because someone other than the NSA obtained the SSH key (yes, the ONE key). And, just a wild guess here, I'm guessing it's the SSH key for root. Which means those routers are wide open; an attacker could do literally anything they wanted to with a root shell into those routers. Like non-HTTP traffic sniffing, exploiting trust relationships, injecting (seemingly) signed code into windows updates etc.

These are just consumer routers right? Not backbone routers? Otherwise I might be staying off the net for a few days...

Many bad tradeoffs

It's not surprising they'd achieve such speeds on a SINGLE strand of pristine copper in lab conditions. Hell, they'd probably achieve that without the fancy g.fast/x.fast/whatever.fast technologies since most of the bandwidth gains come from clever algorithms that neutralise cross-talk between MULTIPLE stands of copper ('vectoring'), so that bandwidth is not eaten up by error correction. While it's very clever technology, it isn't free:

- The nodes will need exponentially increasing processing power as more subscribers are added to a node. It becomes much harder to calculate the correct 'inverted phase' frequencies for each line (to cancel out the cross-talk). So variable costs from adding more and mroe processing power increases in proportion to uptake levels, doubly so because increased computation means higher node electricity consumption (and cooling).

- Additional costs get pushed down to the end consumer. Vectoring only works if ALL modems on the end of the copper run are coordinating with the node; otherwise one 'noisy' strand messes up the inverted phase calculations and error rates jump. This means consumers will be forced to buy modems that have sufficient processing power to implement g.fast. Meaning higher fixed and ongoing costs for consumers, even if it's partially hidden in their quarterly electricity bill.

- Vectoring, effectively fancy noise cancellation, only works when the 'noise' is constant or predictable. It doesn't work when the noise is variable or unpredictable. So when it rains, and Telstra's wonderfully maintained copper pits have water sloshing around in them, you'll start to see drop-outs or significant reductions in bandwidth as increase error correction is required. Or when a bird lands on your copper line. Or when there's a strong gust of wind...

- Bandwidth gains from things like time-division multiplexing come at the cost of increased latency. This is very very bad, and puts Australia at a big competitive disadvantage when it comes to distributed computing, hybrid cloud etc. Simon, ask some of your colleagues who cover 'data centre' and 'networks' why this is bad if this doesn't make sense to you (especially in the context of the cloud computing and financial industries, who are increasingly 'latency sensitive')...

So yes, it does squeeze more bandwidth out of our ageing copper, under certain conditions and with some bad trade-offs (and increased long-term costs). But at some point in the very near future, unless we figure out a way around the laws of physics, we'll hit a hard limit and have to rip out the copper and consumers will have to replace their modems. And in the meantime we'll have hobbled our economic productivity...