* Posts by sitta_europea

588 posts • joined 29 May 2016

NSO claims 'more than 5' EU states use Pegasus spyware

sitta_europea

"NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware...

In addition, NSO is investigating "over 20" customers that are allegedly misusing the software."

So... the customers are all misusing it?

Europol arrests nine suspected of stealing 'several million' euros via phishing

sitta_europea

"... Companies and individuals spent at least $43.3 billion between June 2016 and December 2022..."

Er...

Indian government issues confidential infosec guidance to staff – who leak it

sitta_europea

Re: "check the popularity of the app and read the user reviews [...]"

"... almost all corporate security policy is pure shelfware. "

Never seen the term "shelfware" before. Love it.

Yodel becomes the latest victim of a cyber 'incident'

sitta_europea

I usually tell suppliers that if they want to use Yodel I'll buy it from someone else.

DeadBolt ransomware takes another shot at QNAP storage

sitta_europea

Re: Can't imagine exposing a QNAP NAS to the web

"... on a separate VLAN ..."

Oh, that's all right then.

Cloudflare says it thwarted record-breaking HTTPS DDoS flood

sitta_europea

I sort of understand requests per second.

I sort of understand terabits per second.

I have no idea how to compare one with the other in the context of this report.

Please help.

Azure issues not adequately fixed for months, complain bug hunters

sitta_europea

It's the same when I tell Microsoft about criminals that are abusing their services.

They just ignore me.

I suppose that's why they're currently listed by Spamhaus as (and I guess I paraphrase here a bit, but not much) the second most criminal friendly ISP on the planet:

https://www.spamhaus.org/statistics/networks/

Symbiote Linux malware spotted – and infections are 'very hard to detect'

sitta_europea

Remote mount?

Chinese 'Aoqin Dragon' gang runs undetected ten-year espionage spree

sitta_europea

When customers' PCs get compromised I get replies to email messages that I sent five years ago.

They're pretty easy to spot.

sitta_europea

[quote]...Aoqin Dragon's method of using malicious Microsoft Word documents also relies on users not doing the right thing and either patching or upgrading their apps to safe editions.[/quote]

Alternatively they can rely on Microsoft not actually fixing the vulnerability...

https://www.theregister.com/2022/06/09/symantec-follina-microsoft/

Fusion won't avert need for climate change 'sacrifice', says nuclear energy expert

sitta_europea

[quote]

Fusion is still a better bet than the "Small Modular Reactors" ...

[/quote]

Haven't you been paying attention?

China’s top court calls for blockchain to record vast number of transactions

sitta_europea

Re: Good luck with that.

[quote]

...not sure they've understood block chain.

[/quote]

It's China. Quite sure they have.

When management went nuclear on an innocent software engineer

sitta_europea

Re: nice story

[quote]There is absolutely no excuse for the amount of fossil fuels we've shoved up power-station chimneys during the whole of my adult life. None. The technology was there to use and to develop during that time. With a sensible approach to deployment we'd have had reactors a few generations more advanced than we have now.[/quote]

True enough.

Forty years ago my day job was working on real reactors. This was in the UK; I only ever tripped one (twice) but it was just the little 100MW job we used to call the AGR.

All of us tried at some stage to explain to politicians (and anyone who might actually listen) why we should be building more nuclear power stations, faster. But despite the clear and obvious science (yes, we knew about global warming in 1980 - the Keeling Curve had been around for twenty years and we were already looking at 340ppm) the politicians decided not to build any more nuclear power stations at all, which left me without a good reason to stay in the employment. It wasn't outstandingly lucrative but at that point it had been my life's ambition for at least a decade and I'd spent a good few years training especially for the job.

Now that I'm retired, it seems for some reason we need to build more nuclear power stations.

Somehow "I told you so" doesn't quite say it...

But hey, you voted for them.

Ex-spymaster and fellow Brexiteers' emails leaked by suspected Russian op

sitta_europea

[quote]

Shane Huntley, director of Google's Threat Analysis Group (TAG), said ...

[/quote]

We just analyse. We don't actually do anything about it.

How else would you be getting Google emails from the United Nations and the World Bank, days after you've reported them to us?

https://www.spamhaus.org/sbl/listings/google.com

About half of popular websites tested found vulnerable to account pre-hijacking

sitta_europea

Single sign-on. I wonder if anybody's calculated how many billions of losses it's caused?

US recovers a record $15m from the 3ve ad-fraud crew

sitta_europea

Re: Fraud is not fixed

I can fix your mail server for you.

Scientists make spin ice breakthrough

sitta_europea

Is it the remnants of my covid-19 infection or did other people have trouble making sense of this article?

Interpol: Policing model needs to change with cybercrime

sitta_europea

Really?

"Interpol: Policing model needs to change with cybercrime"

Have they only just worked that out?

Singapore monetary authority threatens action on bank over widespread phishing scam

sitta_europea

If I get an email that even smells like it's from a bank I report it as a scam.

SlimPay fined €180k after 12 million customers' bank data publicly accessible for 5 years

sitta_europea

"Please note as well that in 2021, we acquired a level 1 PCI DSS (Payment Card Industry Data Security Standard) certification, the highest level, in terms of banking details."

I suppose this tells you most of what you need to know about the Payment Card Industry Data Security Standard.

Did you look up? New Year's Day boom over Pittsburgh was exploding meteor, says NASA

sitta_europea

"... (or 0.002 Little Boys)"

Please don't do that.

AI surveillance software increasingly used to make sure contract lawyers are doing their jobs at home

sitta_europea

Time was when nobody would have called anything "GPT" because in French it means "I have farted".

US distrust of Huawei linked in part to malicious software update in 2012

sitta_europea

This secret spy-chip stuff is pretty scary but it takes a lot of people to make a secret spy-chip, and a lot of people to build it into a system, and a lot of people to actually build and deploy code to use the things, and a lot of people who actually spend their working lives looking for it not to notice the unusual traffic.

If there was really a problem, then by now I'd have expected to see [b]somebody[/b] in the Register's comments on the stories say "Yeah, I did this and that for them." or "I saw that, then, in these."

I've installed a lot of Supermicro systems, and I've seen a lot of unusual traffic sending keystrokes to China. But all of that traffic has been easily attributable to compromised Windows boxes - which are much easier to communicate with, and, I dare say, more numerous and accessible than any secret spy-chip. Plus you don't have to compromise any hardware, all you have to do is wait until the MD starts the WiFi connection wizard on his new laptop.

Colour me unpersuaded until we see some real evidence.

Canadian charged with running ransomware attack on US state of Alaska

sitta_europea

Re: On or about April 28, 2018

"...why is this a news story now over a year later."

Read the article.

"A federal indictment against Matthew Philbert, 31, of Ottawa, was unsealed yesterday,"

Co-Operative Bank today 'terminated' Capita's outsourcing contract years before it was due to expire

sitta_europea

You have accountants to thank for all this.

New UK product security law won't be undercut by rogue traders upping and vanishing, government boasts

sitta_europea

A long time ago I had extended correspondence with my MP and the Minister responsible for Trade and Industry about the problems I faced from Phoenixing.

For some years I was suing about one company per week for non-payment of bills issued by my small (partnership) business and I thought that this ought to be stopped - the directors of these fly-by-night companies never had the personal liability that I, as a partner in a firm, had for business debts.

The Minister was clear in his arguments that there was nothing wrong with the existing legal system and nothing needed to be done about it.

He might have had a point, because a year or two later he was sent to prison.

Computers cost money. We only make them more expensive by trying to manage them ourselves

sitta_europea

This sounds familiar.

[quote]

Employees who worked with company assets were told in 2000 that Jeff Skilling believed that business assets were an outdated means of company worth, and instead he wanted to build a company based on "intellectual assets".

[/quote]

In case you can't be bothered, the company in question was called 'Enron'.

Nuclear fusion firm Pulsar fires up a UK-built hybrid rocket engine

sitta_europea

Mass * Temperature => thrust.

Chemical processes => tens of thousands of degrees K at best.

Nuclear processes => tens of millions of degrees K minimum.

Kinda obvious what to do when you look at it like that.

ChaosDB: Infosec bods could pull anyone's plaintext Azure Cosmos DB keys at will from Microsoft admin tools

sitta_europea

Re: And yet STILL ...

"The MoD, the Judiciary, the DWP, HMRC, Police, British Rail ..."

You forgot Parliament.

That's where the rot started.

James Webb Space Telescope completes its voyage to French Guiana

sitta_europea

"....Even getting a crewed spacecraft to the JWST's final location would be a challenge in itself."

If it were my money, I'd have been getting the first of those missions ready for some years now. And not with NASA.

Big tech proud as punch about cameos in Joe Biden's security theatre

sitta_europea

Dear Joe,

You're talking to Big Businesses about security?

All you'll get from that bunch of shysters is what their accountants tell them to tell you will make them more money.

Mostly that will involve selling more and more toys and bandwidth to more and more punters who haven't a clue what they're doing.

That will mean more and more attacks bounced off more and more compromised installations. Think of it as the Kessler effect on the Internet.

For what all will agree are obvious reasons of everyone's safety, we don't let people fly - nor even drive - without a licence, and very probably insurance too.

If you want safety on the Internet, then at a minimum you need to introduce an Internet Licence.

You heard it here first.

Solar System's fastest-orbiting asteroid spotted, flies closer to the Sun than Mercury

sitta_europea

The claim that this is one of the fastest asteroids yet discovered seems unsubstantiated, although the period of its orbit around the sun is indeed short.

By my calculations its average speed around the path of its orbit is in the region of 31km/s - about the same as that of the earth - and well short of that of many bodies in the solar system. Mercury for example clocks in at 48km/s, and sun-grazing comets can reach over 500km/s at perihelion.

Relative to the cosmic microwave background, the solar system toddles along at a sedate 600km/s.

Razer ponders how to fix installer that grants admin powers if you plug in a mouse

sitta_europea

"The bug finder said they had no luck in getting Razer's attention when trying to report these flaws, and after they put a zero-day exploit for the Powershell hole on Twitter, the manufacturer got in touch..."

About par for the course.

UK's Surveillance Camera Commissioner grills Hikvision on China human rights abuses

sitta_europea

When did you stop beating your wife?

After reportedly dragging its feet, BlackBerry admits, yes, QNX in cars, equipment suffers from BadAlloc bug

sitta_europea

Been writing stuff in C since the late 1970s.

Never used calloc().

sitta_europea

I've worked with instrumentation, computers, computer-controlled machinery and networks - designing, building, using, maintaining, protecting and (lately) defending the bloomin' things - for more than forty years in all sorts of settings.

I know what they're good at, and what (and where) they're not so good at. I know what the risks are.

In my car (and worse - on my motorcycles, three of which can comfortably exceed twice the highest speed limit on our public roads, and one of which can on a good day exceed three times that limit) I am going to be in situations which, if something goes seriously wrong with the vehicle, will be at least very seriously embarrassing and, in the case of the faster motorcycles, quite likely fatal to the driver.

The car and the motorcycles are all around twenty years old.

I can live with the electronics, but I really do NOT want computers in them, thank you very much, and that is *why* they're all around twenty years old.

China orders annual security reviews for all critical information infrastructure operators

sitta_europea

Re: Mandatory Security Teams

"... China is clearly leading the way."

Indeed. My own personal experience tells me that China also led the way in offensive intrusions into computer systems in industry and commerce all over the planet. I can only surmise that this latest move by the Chinese government must be a response to the fact that the rest of the planet is catching up with their offensive capabilities.

Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs

sitta_europea

Any chance of a list of the affected products?

In Search of Lost Time: GNU Grep 3.7 released with fix for 'extreme performance degradation'

sitta_europea

Thanks!

Until I read this article I didn't even know what version I was using. I probably use grep at least a hundred times a day but I'm still only on versions 2.27 (Debian Buster) to 3.3 (Raspbian).

GitHub picks Friday 13th to kill off password-based Git authentication

sitta_europea

People still use Exchange Server?

$600m in cryptocurrencies swiped from Poly Network

sitta_europea

I'd be terrified if I thought there was even the slightest suspicion that I'd stolen that amount of money from that many criminals.

All your DNS were belong to us: AWS and Google Cloud shut down spying vulnerability

sitta_europea

Re: ISP Routers

"...So set-up becomes ISP's router at the incoming pipe with second router behind it. Hello Pi...."

Been doing it that way for decades now. Not a Pi though, ALIX etc. are more reliable.

Got a cheap Cisco router in your home office? If it's one of these, there's an exposed RCE hole you need to plug

sitta_europea

And I thought electric windows was a silly idea....

8 years ago another billionaire ploughed millions into space to harvest solar power and beam it back down to Earth

sitta_europea

Re: Quick maths

* 1 satellite yields 1 gigawatt

* ...

* transmission beam is 60 feet wide, so we'll assume that's a diameter on a cylindrical beam

If I've got the sums right that's about 350kW per square foot.

I don't think that's going to fly.

Google: Linux kernel and its toolchains are underinvested by at least 100 engineers

sitta_europea

Well we can upgrade the running kernel without rebooting now.

All we need is to be able to downgrade it afterwards.

If it's still running...

sitta_europea

I have a hard time believing that re-coding ten to thirty million lines of C into Rust (or anything else) won't generate more problems, faster, than it fixes.

There are many simple ways to make a lot of C usage much safer, with overhead no worse than, and sometimes much better than, the overhead of mitigating SPECTRE etc. attacks. More than thirty years ago I wrote tiny functions to prevent out-of-bounds and use-after-free accesses in my accounting suite, and the re-coding which I did (in about 100,000 lines of C at the time) was largely automated. There are very similar functions (or macros) in things like Sendmail and in any case there are available safer versions of some of the standard library functions which are either drop-in replacements or very nearly so.

To make a serious contribution to security using these techniques wouldn't take a hundred coders (they're rarely what I'd call engineers) but it would need the will to get it done.

OTOH better documentation could probably make a much bigger contribution.

Don't rush to adopt QUIC – it's a slog to make it faster than TCP

sitta_europea

It's taking us long enough to get a handle on where TCP breaks - or can be broken - and we're still working it.

I don't believe that throwing another lump of scented soap into the bathwater will help this baby at all.

Nuisance call-blocking firm fined £170,000 for making almost 200,000 nuisance calls

sitta_europea

I'll be very surprised if the fine is paid.

More likely all that will happen is that another insolvency will be posted at Companies House, and another company will start up with the same assets. Again.

Sysadmins: Why not simply verify there's no backdoor in every program you install, and thus avoid any cyber-drama?

sitta_europea

You mean, like, Windows?

Biden warns 'real shooting war' will be sparked by severe cyber attack

sitta_europea

Isn't Biden a Democrat?

Biting the hand that feeds IT © 1998–2022