* Posts by mbiggs

37 posts • joined 23 Apr 2016

Plumspace's Smart SFP TAP can monitor, capture or relay gigabit-speed comms – for legitimate business reasons


......but it's not clear whether the monitored traffic....

1. .....is being routed OVER the wired network (using a separate IP)....

2. .....or whether it's being sent wirelessly to some remote listener.

The USB cable with the built in phone is obviously doing #2. Not so obvious for the Plumspace device(s)....even after reading the documentation!

Now....if BOTH devices were to snoop via wireless.........

US lawmakers want to put NSO Group, 3 other spyware makers out of business with fresh severe sanctions


Is this a step in the right direction....or just more misdirection?

OK.....the NSO product is bad for anyone carrying a smartphone, whether Apple or Android. So far, so good.


But what else is going on in Fort Meade, Cheltenham, and elsewhere in China, and Russia, and Saudi.


I think we should be told!!

Computers cost money. We only make them more expensive by trying to manage them ourselves



Quote: "The cloud has shown us that consumption-based models work."

Quote: "So surely it makes more sense to put the responsibility on someone else..."

Both these quotes imply that users of computing can subcontract some (maybe all) of the responsibility for user activity to someone else.

Ask yourself a couple of questions:

- Who is responsible for data management, data security, backups? Answer -- "the user".

- Who is responsible for application availability? Answer -- "the user".

The ultimate responsibility for the use of an application and its data rests with the end user. In the old days, the user had some sort of face-to-face relationship with an IT organisation, and the subcontracting of specific tasks (availability, data security, backups) to the IT organisation had clearly delineated boundaries. Today, if the user subcontracts these things to a "cloud" supplier, the relationship (and the technology) is MUCH more "cloudy".

Just look at the MegaUpload farrago. Just think for a minute about "cloud": user equipment, network supplier(s), cloud suppliers -- all these have to be reliable for an end user to get a reliable service. If the user chooses "on premises" service, at least there's someone to hold accountable. It seems clear that this is NOT true in the "cloud".

I'd love to hear stories which show that "cloud" is ALL OF: cheaper, more reliable, more resilient, more flexible, more secure.......than traditional arrangements.

No change control? Without suitable planning, a change can be as good as an arrest


Re: Level 99: Management actively tries to stop controlling changes.


Quote: "....management wanting speed not quality...."


In a financial service company, long ago and far away, the Operations Director told me that "We don't need any f***in' process."


Ah.....now why is it that there are no comments here about "agile", "scrum", "devops".........

.......and other "modern" practices?

Staff and students at Victoria University of Wellington learn the most important lesson of all: Keep your files backed up


No....not 3.....but 4......

Quote: "... three important learning experiences ...."


No there are actually four:

4. Make sure you test backups.....to make sure they WILL ACTUALLY RESTORE WHEN YOU NEED THEM


In my experience, RULE 4 is widely ignored!!!!!

As Uncle Sam continues to clamp down on Big Tech, Apple pelted with more and more complaints from third-party App Store devs


A Suggestion.........

.....which takes some time and some determination.....but gets you well away from the Apple "eco-system".......


1. Buy a consumer grade PC (laptop, workstation.... whatever)....maybe less than £500 compared with £thousands in the "eco-system"

2. Install "elementary OS" -- overwrite that other "eco-system" from Redmond, WA -- and send elementary a few dollars

3. Get used to a LOVELY Ubuntu-based environment -- with an Apple look-and-feel and with LOTS of work-alike applications


There.......Tim Cook can just suck it up. I hope more folk follow this simple three step procedure....and save themselves a LOT of money!!

Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and many more


Re: Sunset clauses and jury oversight are needed.


Quote: "....the wider public don't give a crap...."


True. But there's a flip side....the so called "bad guys" DO give a crap. They use burner phones, VPNs, internet cafes, hijacked WiFi, private ciphers.....and who knows what other tools to avoid the STASI.


If you wonder about just how efficient the STASI are TODAY at identifying "bad guys", just recall that almost all the recent terrorist outrages were perpetrated by individuals "already known to the authorities". So much for the power of snooping!!! And the STASI will be LESS efficient under the newly proposed avalanche of new snooping.


So....the public in general are indifferent to STASI snooping and the loss of privacy. At the same time the so called "bad guys" are no doubt looking forward with anticipation to more opportunities to hack all this new STASI information.....while at the same time the STASI have even lower capabilities than today. Unintended consequences!!!!

In deepest darkest Surrey, an on-prem SAP system running 17-year-old software is about to die....


Just wondering....is the SAP software HEAVILY CUSTOMISED?

Once upon a time, in a land far away, a huge retail organisation bought Peoplesoft and then had it HEAVILY MODIFIED. For the next ten years, it was almost impossible to apply any patches issued by Peoplesoft. Duh!!

Then -- when the penny dropped -- said huge retail organisation paid a fortune to RE-IMPLEMENT the latest version of Peoplesoft with NO MODIFICATIONS.

Guess what.....huge consultancy bills at the beginning, during the ten year life of the modified software, and during the conversion back to "standard".

Why am I not surprised?

New British Army psyops unit fires rebrandogun, smoke clears to reveal... I'm sorry, Dave...



One star -- can't read or write

Two stars -- can either read or write, but not both

Three stars -- gets to talk to journalists


Plus ça change......

Germany mulls giving end-to-end chat app encryption das boot: Law requiring decrypted plain-text is in the works


Re: So encrypted posts to USENET it is ...


Quote: "...general best practices (i.e dont roll your own crypto)..."


But what about the asymmetry for the "good guys" vs. the "bad guys"? Even if the "roll your own" is only passably strong, the "bad guys" communicate in real time, while the "good guys" will have to wait, maybe quite a while, to find out what the message said, maybe too long to be useful! See Beale Papers.....one of them secret for over a century!


Data-spewing Spectre chip flaws can't be killed by software alone, Google boffins conclude


Paranoia about the NSA.....

Quote: "We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations..."

Lots of folk believe that the NSA has weakened public encryption standards. Maybe they have a hand in chip design as well. Just saying!

New era for Japan, familiar problems: Microsoft withdraws crash-tastic patches


Re: Looks like MS cannot actually patch its own code properly any more


Well said.

....but you forgot to mention "fashion". In the past M$ had no excuse for never doing any testing, and leaving the testing to the (paying) users. Well...they are still doing this, but now they have an excuse.


Namely -- "agile", "scrum", "devops", etc etc. Today these fashions mean that there isn't a comprehensive requirements statement AGAINST WHICH TO TEST THE PRODUCT.


Of course, the fashionistas will tell us that they "test the patch". I thought that excuse had been thoroughly discredited years ago.....but -- hey ho -- we need to remember what Talleyrand said about the Bourbons all those years ago: "They forgot nothing and learned nothing".

Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia)


Re: NSA has been subverting encryption since 2006,

Always wonder when I see this sort of comment why no one seems to realize that the bad guys can use some home brewed cipher on top of everything else. The key is speed to crack. The bad guys can message in real time, while plod has to wait, maybe for quite a long time, to read a message. Likely too long. Here's a book code example:



Australia's Snooper's Charter: Experts react, and it ain't pretty


Re: *wince* -- but still not getting the point....

@AC posted earlier under the title "Still Puzzled!".


Alice and Bob only copy enciphered text (say from a thumb drive) when they send their enciphered messages. Plod can undo the end-to-end-encryption, and all they will find is Alice's enciphered message! There never was plain text on the end-point device!


The *wince* is not needed -- the flaw is in the assumption that everyone using public communication services is using their end point device for encipherment AS WELL AS FOR COMMUNICATION. Bad assumption!

Leatherbound analogue password manager: For the hipster who doesn't mind losing everything


Does anyone remember the game called Hangman?

....helped along by a pinch of repetition.


Notebook entry: E _ _ _ _ _ _ _ _ R N _ _ _ _ D

Musical user's password: ELGARELGARNIMROD


Seems pretty secure against a notebook stolen by a random bad guy....especially if the user uses non alpha characters in some patterned manner:

Notebook entry: E _ _ _ _ _ _ _ _ _ R N _ _ _ _ D

Musical user's password: ELGAR-ELGARNIMROD


Notebook entry: M _ _ _ _ _ _ _ _ _ _ _ _ _ _ _L W _ _ _ _ _ _ S

Racing fan's password: MANSELL92MANSELLWILLIAMS


Can this scheme be broken quickly by a random bad actor?
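
An added example (not code from the post) that takes the question above at face value. It builds masks matching the three notebook entries in the post (the racing one with 14 blanks, so that it fits its 24-character password), compares the raw keyspace of the blanks with what a themed guess list does, and checks whether each real password turns up among concatenations of themed words. THEMED_WORDS is a constructed list of the kind a bad actor might assemble after seeing "ELGAR" and "MANSELL" on the page; it is an assumption, not data from the post.

```python
"""How much does the 'Hangman' notebook really hide?  Added example."""
import itertools
import re

# Masks built to match the three notebook entries in the post, paired with
# the passwords the post gives for them.
NOTEBOOK = {
    "E" + "_" * 8 + "RN" + "_" * 4 + "D": "ELGARELGARNIMROD",
    "E" + "_" * 9 + "RN" + "_" * 4 + "D": "ELGAR-ELGARNIMROD",
    "M" + "_" * 14 + "LW" + "_" * 6 + "S": "MANSELL92MANSELLWILLIAMS",
}

# Constructed themed guess list (assumption: the attacker knows the hobby).
THEMED_WORDS = ["ELGAR", "NIMROD", "ENIGMA", "HOLST", "PLANETS",
                "MANSELL", "WILLIAMS", "SENNA", "PROST", "92"]


def mask_to_regex(mask):
    """Turn a notebook entry into a regex: '_' is any one character; spaces are ignored."""
    cells = mask.replace(" ", "")
    body = "".join("." if c == "_" else re.escape(c) for c in cells)
    return re.compile("^" + body + "$")


def blank_keyspace(mask, alphabet_size=26):
    """Upper bound on guesses if every blank were an independent random letter."""
    return alphabet_size ** mask.replace(" ", "").count("_")


def themed_candidates(mask, words, max_parts=4, separators=("", "-")):
    """Every concatenation of up to max_parts themed words (optionally joined by a
    separator) that fits the mask.  Length is checked before the regex so most
    of the search space is discarded cheaply."""
    rx = mask_to_regex(mask)
    length = len(mask.replace(" ", ""))
    hits = []
    for n in range(1, max_parts + 1):
        for parts in itertools.product(words, repeat=n):
            for seps in itertools.product(separators, repeat=n - 1):
                cand = parts[0] + "".join(s + p for s, p in zip(seps, parts[1:]))
                if len(cand) == length and rx.match(cand):
                    hits.append(cand)
    return hits


def recovered(notebook=NOTEBOOK, words=THEMED_WORDS):
    """{mask: True/False}: is the real password among the themed candidates?"""
    return {mask: pw in themed_candidates(mask, words) for mask, pw in notebook.items()}


if __name__ == "__main__":
    for mask, pw in NOTEBOOK.items():
        hits = themed_candidates(mask, THEMED_WORDS)
        print(f"{mask}: {blank_keyspace(mask):.2e} raw guesses, "
              f"{len(hits)} themed candidates, found={pw in hits}")
```

The raw keyspace of the blanks looks enormous (26 to the power of 8 or more), but the guess list above is ten words and the whole search is a few tens of thousands of concatenations. The visible letters and the length do most of the attacker's work; the blanks only matter if what fills them is not guessable from the user's interests.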

Shared, not stirred: GCHQ chief says Europe needs British spies


EU Partnership - Fleming needs a history lesson

Quote: "'Almost everything that we achieve in GCHQ is dependent on our partners,' said Fleming..."


Yup...but not including GCHQ hacking Belgacom:

- https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

With friends like the folk in Cheltenham, who needs enemies?

'Moore's Revenge' is upon us and will make the world weird


NEWS ROUND UP - June 2020



A toaster has told this newspaper that an attempt was made to toast a bagel by an unauthorised person. The toaster did not recognise the (human) toaster, but was able to identify the person from the public face database. The toaster phoned the police to complain, and then told the human "I'm sorry Dave I can't do that".


Yesterday a toilet cistern at the main station incorrectly identified a customer as a suspected terrorist when it matched the customer's face with police information about wanted persons. The senior toilet cistern immediately locked all toilet seats, all cubicle doors, and the main door to the toilet facility. The facility was fitted with equipment supplied by a major technology company, which refused to accept responsibility, and refused to pay for the clean up. A spokesman told this paper "S**t happens".

Tufts boffins track device location without GPS or towers


Quote: "...their location “relative to each other"...."


Don't understand....even if ALL the devices know their position "relative to each other", at least ONE of them needs an absolute position so that the others can figure out where they are.


Oh, and by the way, there will never be any IOT devices here at Linux Mansions....so no probs here!

Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told


Quote One: "Under a government crackdown, national critical infrastructure companies could be liable for a £17m fine if they are found to have inadequately protected themselves from cyber attacks."

Quote 2: "In addition, last week the National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation warned that Russian state-sponsored cyber actors are targeting network infrastructure."

[Quote 2] Pure misdirection, hypocrisy and lying. The biggest source of cyber attacks from mainland UK is.....guess...GCHQ, which is spying on the sixty million citizens who are paying for this anti-democratic outrage. GCHQ is also spying on our EU "partners" -- see:

- https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

....and that's one we know about....there are likely many others.

[Quote 1] "....government crackdown..." is a similar piece of s**t to the over-used "keeping us safe". If the government wants to do something about "cyber attacks", it should start by shutting down GCHQ in Cheltenham...and save billions of pounds which could usefully go elsewhere....say to the NHS!

Time to ditch the front door key? Nest's new wireless smart lock is surprisingly convenient


Then there are users who have configured other IoT tools....

....allowing anyone to shout through the letterbox "Alexa, open the front door".


....and most likely other (more technical) hacks on the IoT infrastructure.


By the way, who (exactly) needs to manage their front door lock from Outer Mongolia?

Twenty years ago today: Windows 98 crashed live on stage with Bill Gates. Let's watch it again...


Re: Bill Gates and QDOS

....or the people from Stac Electronics who had their technology stolen by M$.

Latest F-35 flight tests finish – and US stops accepting new jets


Billions for an "aircraft carrier"....

.....with no aircraft! An aircraft carrier, which even when the aircraft turn up (when?), doesn't have enough support vessels to form a decent "carrier group".


All this would be fine if the UK had billions to spare after we've paid for unimportant things -- like the NHS!


So (exactly) what sort of austerity is it we're living through? Philip Hammond may know....but he's in a minority of one.

Accenture, Capgemini, Deloitte creating app to register 3m EU nationals living in Brexit Britain


Ah...Scrum of Scrums, Agile, DevOps.....

Quote: "The groups running the programme will work in small scrum teams together..."


...a recipe for an "app" which will perform differently every day....the "App of a Thousand Days"!


God help the three million users!

F-35B Block 4 software upgrades will cost Britain £345m


F-35B Block 4 Software.....

It's worse than that. The combat pilot hears the F-35 telling him(or her):

- "I'm sorry Dave (or Davida)....I can't do that!"

Intel adopts Orwellian irony with call for fast Meltdown-Spectre action after slow patch delivery


Re: Fit for what purpose?

So......a computer company doesn't have simulation capabilities to model their own products????


Or perhaps they DO have the appropriate simulation capabilities....and didn't bother because as a monopolist, they don't really give a toss about quality.

FBI tells Jo(e) Sixpack to become an expert in IoT security


Re: Rules of IoT


Yup.....let's rewrite the Phil Knight/NIKE advertising slogan:


IoT gateways get a benchmark from the TPC


Ah...a standard written by....

...the NSA and GCHQ....making spying on the world's population even easier.


And of course, because this standard setting is an anorak activity, no one will notice. Cute!

Google will let cloud customers use plain-old-Internet links


...and then there's the NSA to consider....

.....but they already monitor "Premium"....so no diff!!!

Firmware update blunder bricks hundreds of home 'smart' locks


Re: Lovely

I recently bought a Linksys EA7500 WiFi access point/router. The only easy way to set up this device is to subscribe to the Linksys "cloud" so that ALL CONFIGURATION is done via the Linksys cloud account.


This is so that "you can manage your router using your smart phone from anywhere on the planet".


So your home LAN is open to hacking from "anywhere on the planet"......REALLY?


It took a day and a lot of research to find out how to configure the device in the old fashioned way -- using a laptop and a CAT5 cable (and NO INTERNET ACCESS).


In the future it may be impossible to manage a computer-based device without "the cloud" -- if idiots like Linksys have their way.



Australian govt promises to push Five Eyes nations to break encryption


Why the focus on point-to-point communications?

So Alice and Bob (and their circle) develop their own cipher. Suppose that the cipher is a book cipher. Any message sent will be encrypted twice -- once in their private cipher, and once in some backdoored public cipher. How does the backdoor help the government (or anyone else who is listening)? The metadata in this case says Bob is messaging Alice...but so what? And in the case that Bob simply posts the message on The Register -- then the recipient(s) are likely completely unknown!!


For example, here's a (real) book cipher message. What does it say?


sforzato pharyngo- woadman mecometer semihysterical veratrize fiercenesses Ranquel lepidotic Kawaguchi eyeservice fringiness half-plane piligerous saskatoon straddle-fashion sharecroppers colibertus bilobular unsacrilegiousness Gallicolae snake-eyed hydrophorous rain-soaked entoplasm eschewing brulyiement Erastianize acetphenetid recheat hout alada superaffiuence sweet-scented Altingiaceae researchful unegregiously unregenerately blighted Marlette nonbeauties Ossetian perversite artcraft Staley physiognomonic keawe kentallenite acroataxia yodles Rhabdomonas mournfulness VC loose-lived self-purifying tornadoesque uroo slopmaking annalists undeferrable ammonitic WAN pokable limbs Composaline gasified Chibcha elephantiases guerdonless orchestras whoop-de-doo commercialised periclean half-reclined naturata haemonchosis bug-juice theorically demonstrant premarrying honduras knickknack Adrianople -aceous inductees counter-faller cervicorn yowe adenomata kutch jardon eradicable nonfervidly cribriformity totoaba Marduk Muscadine mangrate Californian Mignonette Stroessner fisherpeople So. gibble-gabble cayuses Wallinga squab-pie fancywork niftiness
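
An added example, not code from any of the posts: a Beale-style book cipher of the kind the posts above (the Beale Papers reply, the "book code example" under the UEFI rootkit story, and this one) have in mind. Both parties hold the same key text; each plaintext letter is replaced by the position of some word in the key that begins with that letter, and the recipient reverses it by looking up that word's initial. The list of numbers is what goes inside the public, possibly backdoored, channel, so stripping the outer layer exposes only the numbers. KEY_TEXT is constructed for this demo and is not the key to the message quoted above; the message itself is left as posted.

```python
"""Beale-style book cipher (added example; KEY_TEXT is constructed)."""
import random
from collections import defaultdict

# Constructed key text shared by both parties.  It was written so that at
# least one word starts with each letter a-z; real keys (a book, a long
# document) are chosen the same way and checked with missing_letters().
KEY_TEXT = (
    "the quick brown fox jumps over the lazy dog while a zealous xylophonist "
    "quietly yodels under vast kites near jagged peaks every morning before "
    "work some people read books others write letters and most of them enjoy "
    "tea with honey at noon the river runs north past old mills and new towns "
    "until it reaches the grey sea where gulls cry and boats wait for fair wind"
)


def build_index(key_text):
    """Map each initial letter to every 1-based word position in the key text."""
    table = defaultdict(list)
    for pos, word in enumerate(key_text.split(), start=1):
        table[word[0].lower()].append(pos)
    return table


def missing_letters(plaintext, key_text):
    """Letters of plaintext that no word in key_text starts with (cannot be enciphered)."""
    table = build_index(key_text)
    return {c for c in plaintext.lower() if c.isalpha() and c not in table}


def encipher(plaintext, key_text=KEY_TEXT, rng=random):
    """Return a list of word positions.  Non-letters are dropped, as in a real book cipher."""
    table = build_index(key_text)
    missing = missing_letters(plaintext, key_text)
    if missing:
        raise ValueError(f"key text has no word starting with: {sorted(missing)}")
    # rng.choice spreads repeated letters over different positions (homophones),
    # which blunts simple frequency counting on the numbers.
    return [rng.choice(table[c]) for c in plaintext.lower() if c.isalpha()]


def decipher(positions, key_text=KEY_TEXT):
    """Map each position back to the initial letter of that word in the key text."""
    words = key_text.split()
    letters = []
    for n in positions:
        if not 1 <= n <= len(words):
            raise ValueError(f"position {n} is outside the key text ({len(words)} words)")
        letters.append(words[n - 1][0].lower())
    return "".join(letters)


if __name__ == "__main__":
    numbers = encipher("meet at noon")
    print("what an interceptor sees once the outer layer is stripped:", numbers)
    print("what the key holder reads:", decipher(numbers))
```

Two caveats a practitioner would add. The whole strength of this layer is the secrecy of the key text: anyone who guesses the book reads the message instantly, and the numbers still leak the message length and, with enough traffic, the letter frequencies behind the homophones. That is the trade the posts describe: a private layer buys time against an interceptor who holds only the outer key, not security against one who also holds the book.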


Mozilla to Thunderbird: You can stay here and we may give you cash, but as a couple, it's over


Re: Thunderbird users?

In the early Nineties, corporate email systems existed on internal networks, and users were using, for example, cc:Mail over Novell Netware.


I'm continually amazed that there are people who think that it was the stone age before the Internet became pervasive....not so!

Sorry, Dave, I can't code that: AI's prejudice problem


Who decides?

Here are a few concepts where human beings can't agree on a definition:

- "rich"

- "beautiful"

- "fair" (as in even-handed between cases)

So if the humans can't agree about reasonable definitions, why should we believe that computer programmers and computers can assess these concepts "correctly"?

US Air Force networks F-15 and F-22 fighters – in flight!



The next "improvement" will be nuclear armed aircraft as part of the ever expanding "internet of things". So now we can adjust the temperature at home, close the garage door, and drop bombs -- all at the same time.

Brexit means Brexit: What the heck does that mean...


Re: Codification of existing practice?

@Norman Nescio Quote: "...the Snoopers' Charter is 'simply' codification of an existing practice..."

This is, at best, naive. Who knows what the "existing practice" actually is at places like GCHQ or the NSA? I for one am pretty certain that the hacking and snooping going on for years now has paid absolutely no attention to the law. I'd point out that Theresa May as Home Secretary wanted to abandon the European Convention on Human Rights -- I wonder why. I'd also point out that in the last few days Philip Hammond has announced another 1.9 billion pounds for the GCHQ budget -- a sum which almost certainly buys a huge amount of snooping into the legitimate activities of 60 million UK citizens.

In summary, "existing practice" is almost certainly illegal, and is absolutely certainly damaging to personal privacy and to the democratic rights of citizens. The STASI is here, and no one cares.

Software bug costs Citigroup $7m after legit transactions mistaken for test data for 15 years


Re: Plus ça change...

Yup...also been there, this time during an AS/400 upgrade. We needed some stuff off a recent backup. It turned out that the backup was corrupt. It also turned out that no one had ever tested the restore process, and that all the carefully taken backups were unusable!!

Lesson: Do the backups....but test the restore process too.
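
An added example, not code from either of the backup posts (this one and the Victoria University one above), of what "test the restore process" looks like in practice. The archive is restored into a scratch directory and a SHA-256 manifest of the restored tree is compared with one taken from the source; demo() then truncates a copy of the archive to show that a corrupt backup is reported rather than silently passing. All paths and file contents are constructed for the demo.

```python
"""Prove a backup restores before you need it (added example)."""
import hashlib
import os
import tarfile
import tempfile
import zlib


def manifest(root):
    """{relative path: sha256 hex digest} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def backup(src, archive):
    """Write a gzip-compressed tar of src's contents (paths relative to src)."""
    with tarfile.open(archive, "w:gz") as tar:
        for entry in sorted(os.listdir(src)):
            tar.add(os.path.join(src, entry), arcname=entry)


def verify_restore(src, archive):
    """Restore archive into a scratch directory and compare it with src.

    Returns (ok, detail).  Any extraction error, missing file or changed
    content counts as a failed backup."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    # 'data' filter refuses path traversal and special files
                    # (Python 3.12+, also backported to 3.8.17/3.9.17/3.10.12/3.11.4).
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)  # older interpreter without the filter argument
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return False, f"restore failed: {exc}"
        want, got = manifest(src), manifest(scratch)
        missing = sorted(set(want) - set(got))
        changed = sorted(p for p in want if p in got and want[p] != got[p])
        if missing or changed:
            return False, f"missing={missing} changed={changed}"
        return True, f"{len(want)} files restored and verified"


def demo():
    """Back up a constructed tree, verify it, then verify a truncated copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "etc"))
        with open(os.path.join(src, "etc", "app.conf"), "w") as fh:
            fh.write("listen=443\n")  # constructed sample data
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("restore me\n")  # constructed sample data
        archive = os.path.join(work, "full.tgz")
        backup(src, archive)
        intact = verify_restore(src, archive)

        # The failure mode in the post: the backup was corrupt.  Keep only the
        # first half of the archive and run exactly the same check against it.
        corrupt = os.path.join(work, "corrupt.tgz")
        with open(archive, "rb") as fh:
            blob = fh.read()
        with open(corrupt, "wb") as fh:
            fh.write(blob[: len(blob) // 2])
        damaged = verify_restore(src, corrupt)
        return {"intact": intact, "corrupt": damaged}


if __name__ == "__main__":
    for label, (ok, detail) in demo().items():
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({detail})")
```

The point is that the check exercises the same path an emergency restore would (read the archive, extract it, trust the result), not merely "the backup job exited 0". Run it on a schedule against the real archives, on a machine that is not the one being backed up, and treat a FAIL as an incident rather than a log line.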

Don't doubt it, Privacy Shield is going to be challenged in court


.....but before we discuss Safe Harbour or Privacy Shield......

......why has no one commented about the fact that no one actually knows what information is held about them and by whom!!!!

Personally, I don't want to know anything about the data held concerning anyone else, but I would like to know:

- a list of all the organizations who keep records about me

- for each of these organizations, exactly what information they keep about me

I'd also like to see copies of all these records about me, so that:

- I can demand deletions for records no longer relevant

- I can correct all the mistakes in what is left

But all this is moot:

- I don't have any legal right to know

- Many of the organisations will never have had a direct relationship with me, so I would never guess that they had relevant records

- Many of the organisations who have records about me (say, perhaps GCHQ) would either deny having the records, or would deny any access outright

.......so worrying about Safe Harbour or Privacy Shield seems to me to miss other, much more fundamental issues.

MoD contractor hacked, 831 members of defence community exposed


Re: Yawn. . . .


Quote: "I have faith that UK Gov can produce a truly catastrophic blunder if they try"

1. Absolutely correct....but how do you know that there have not been MULTIPLE "catastrophic blunders" already????

2. And as for Theresa May....well....she is clearly determined to re-build the STASI, but in the UK and in 2016 -- and she and her colleagues in government and in the so called civil service are clearly determined to keep us all in the dark about what's going on (see item 1).


Biting the hand that feeds IT © 1998–2022