Posts by Frozit

Systems that are installed and not monitored

When signs blow up, they are of course visible.

But all of these BORKage articles seem to be the low hanging fruit. Like, as IT professionals, are these systems high priority? Or pretty much the lowest priority.

If they fail, the business effect is minimal. To perform maintenance on them can be a pain, they might not even have a remote access connection. So of course they die, eventually.

A system that is not rebooted regularly will eventually experience an outage at an undesired time.

TBH

I have been impressed for the most part in how well the sudden growth in demand has been handled.

If you think about what is actually happening, with everyone at home, it is pretty amazing.

I wonder if we were able to run an experiment of doing this each year in the past, when it would fail. I'm guessing not very far back in time.

SSO is flawed

The concept of SSO in a business environment works fine.

As a personal choice, it fails. The basic flaw is if you link a bunch of external accounts to Facebook, Google, Microsoft or whatever is that if you lose that account for some reason, you have lost all your accounts.

There is a story about someone losing their Google account because they posted a bunch of smiley's in a Youtube comment. Exactly what was posted is up for debate, but the damage caused way outweighs the supposed crime.

How much of this is Specter/Meltdown/etc?

How much of this shortage is caused by the cloud demand for new generation side channel protected CPUs?

Do they truly exist yet?

Not a good idea

TBH, employee representation on the board of a large company is not a good idea. Certainly not within the current legal framework around boards and board membership.

Having been on boards (of small companies) for the last 20 years, there are things that are discussed at the board level that need to stay within that context and not be known outside of it. An employee representative would be under pressure to break that privacy.

This is like putting a union representative on a board. Brilliant. The union now has information on the other side of agreement negotiations. How well would that work?

I expect to to be flamed for this, but the legal reality is that this would only lead to grief.

As the article states, this vulnerability is primarily a shared cloud issue. When the speculative execution engines were designed (circa early 90s), there was no thought or vision that someday we would have the large cloud shared execution hosts that we have today. Once one vulnerability was found, it was pretty clear that there would be others.

To fix this requires a serious redesign of the core CPU engines, which will take years to fully test, then propagate out and replace the existing flawed CPUs.

There was no intentional plan to create this issue, it is mainly a case of changing environments and requirements.

2 years ago it became apparent that my software company didn't understand certs. There was even an internal meme for it.

So, set up an internal CA, ran a couple courses, forced everybody to request certs for their test servers, etc.

It worked, certs are no longer an issue.

Eventually ran into the SAN cert issue with Windows Server 2012 R2 not requesting SAN by default, so ended up making a wild card get out of jail free cert. Which kinda defeated the whole purpose.

However, certs are no longer a meme, or a support issue, so win!

It doesn't really matter. IBM will no longer exist within 10? years. Think of all the other old school tech names that are gone. DEC, Digital, etc. Why should IBM be any different?

Maybe HP will buy them.... (omg)

1 week delay from reporting to software company to publishing the exploit. Where has this EVER been considered standard?

C++ for the win.

C++ for the win. Only language I know of that can cause this many problems.

TBH

This just sounds like they were on the bleeding edge of email systems, and something was going to die, somewhere.

The fact that they couldn't get a load balancer strong enough to handle their volume tells you something was going to give.

An honest attempt was made to address the issues, and it failed. Meh.

Tbh, I've thought "take my money" more than a few times. With no expectation of returns.

So why would someone create this?

Because they had been suffering through miserable presentations. And wanted to improve their own life from Hell to just miserable.

Now, RISC code after full optimization might be harder.... That stuff is strange.

If you have access to the hardware...

Fundamental theory. Security is built on a "trusted" item. Without that item, you can always break in. And pretty much every computer security item is based on a trust in the hardware. Once you have physical access to the device, the rest is just engineering.

Wouldn't the operators notice?

So the botnet operator would have had signs that someone was taking an interest. As in, that the AVs were hitting its installs more and more frequently. Eventually this kind of operation will cause the operators to run before the takedown happens. But that will likely take a while.

If you are working at a large Tech company

and expect to be treated like an employee at a small tech company...

You deserve what you get.

Given that the majority of readers of this forum tend to be sysadmins who enforce rules on users, I find some of the responses to this amusing.

Who says that my password can't be my name, or "password" or... Silly rules getting in my way.

Who says I can't fly my drone into restricted airspace? Silly rules getting in my way.

Quite amusing, tbh.

No 2 factor authentication method will overcome social engineering. There will ALWAYS be a way to admin override the settings and reset them. You know this, you live it every day resetting user passwords.

The Plan

Set up a trust fund.

Set up an AWS server paid from said trust fund.

Set up a database, email, SMS, etc. (Possibly paid from said trust fund.)

Die grinning.

One wonders

I have been watching these IBM announcements, and wondering why one would still work there?

Stuff like this makes people leave. The people who leave first are the highest skill workers who can easily find a new job. This is a sliding scale down to the bottom end who will never leave on their own.

So, what is left at IBM? And why?

How do you end a company like IBM? Does it keep getting smaller and smaller, with less and less effect? Sad.

Still way better than no password manager and reusing human rememberable passwords.

Amusing

We have, as a civilization, built up a set of laws and rules about how things like stock markets, money lending, etc, should work. It is not perfect, but it does work. Without it, life as you know it would not exist.

Some of the commenters here seem to feel that any thing organized is designed to rip them off. And bitcoin and Tor are completely white as driven snow. Because it fits the uncomplicated, unbalanced views they hold dear.

It would be interesting to see how many bitcoin operations are actually criminal in basis. As in, drugs, or things like card skimmers, or ransomware payoffs, and so on. Personally, I suspect a very large percentage of the transactions are related to that.

So the question is, does the nirvana that Tor and bitcoin are supposed to help create actually exist, or is that nirvana really total criminal anarchy? I personally have not seen any of the nirvana created, but I have seen an awful lot of criminal activity.

Bitcoin

The people who support Bitcoin and think its great will defend it to the death, in the face of any logic.

Those of us who look at the world, analyze what is going on, and make decisions based on that, look at bitcoin, look at how it is being used, and put it down on the facts of its behaviour.

Earlier, someone used a "I bought some a while ago, and made a bunch of money off holding it" argument. I agree that you are happy you made some money on it. However, how is that a defence of all the other issues. The reason its value probably went up is because of all the people forced to buy some to pay off their ransomware. So, quite likely, you are enjoying the proceeds of crime, indirectly. Hmm...

What hacker

is dumb enough to interfere with a plane they are flying on?

Consequence 1: Death

Plane crashes...

Consequence 2: No anonymity

Something obvious happens, authorities are called, they go through the list of passengers, and....

The penalties for interfering with a flight like this would be in the terrorist/hijacker category, with SEVERE penalties.

And yes, there are probably a few idiots that stupid...

Why is this port not filtered by the ISP?

Of course, that would imply they knew they had a problem before this.

Filter the port traffic to only be allowed from a small subset of the ISP's management set. Done. Sigh.

Canada, Eh?

You could consider Canada as your Brexit. French and English as national languages. We watch the rest of the world go insane, then go out and shovel the snow off the driveway.

Routers anyone?

Who puts their IOT devices on the open side anyway? Who can afford the IP addresses?

Something says...

Insurance company to me. But I could just be cynical.

So has anyone...

actually seen a non-criminal use of Tor?

You miss the point.

I live in Canada. Regularly, during the winter, the temperature in Southern Ontario reaches -30 C. Other places, it gets even colder. And my car stays outside all winter.

Last year I accidentally left a UPS over winter in cold location. In the spring, it no longer worked.

Then, if you consider the other extreme, how hot does the interior of a car get in a southern climate in the sunshine in the summer. Easily +50C or higher.

Manufacturers use the temperature and other environmental ratings of the components to certify their overall rating. If they don't, they are liable for the repairs and other costs if those components fail.

20 20 hindsight is always best

I am amused. The original article referenced programmers who clearly were broken. However, picking on academic fortran, and other code that was written LONG before today's Software Engineering standards were created, and the glorious hardware that we have that allows effectively infinite memory space is quite amusing.

And most academic programmers are self taught. No one teaches software engineering 101 to Physicists. Even though most of their work is simulations...

Makes perfect sense

Think of all the headers in an email. Source and Destination for one. As the article clearly says, they don't need to read the encrypted text, they just want to know that you and your destination are talking.

As it states. If you are using PGP, Tor, or any of a bunch of other things, you are flagged as a person who is possibly interesting. This reduces the subset of search targets immensely.

And if you are only talking to your gran using PGP, and she only talks to you using PGP, they will pretty much ignore you.