* Posts by sitta_europea

370 posts • joined 29 May 2016


The reluctant log trawler: The buck stops with the back-end


Share dealing systems again. The company will have to remain nameless but the name begins with B and it's quite big.

I was using their share dealing system in the early 2000s, and they changed their password algorithms.

Amongst other things the new algorithms were supposed to pick some random letters from a password.

Only trouble was, it wasn't random. It was horribly non-random.

I told them.

They said I was wrong.

I told them again.

They said I was wrong again.

This went on for weeks.

So I proved it to them. I won't tell you how I did that.

Not long after that, they fixed it.

Very soon after that, the Chief Executive of this British bank telephoned my place of business to thank me.

Our receptionist thought he must be a scammer, and wouldn't put him through to me...


"Ever found yourself doing some hurried hacking when the "unthinkable" happened? Or been called out to bodge your way around someone else's cock-up? Share your story of unexpected weekend working with an email to On Call."


Well, yes, actually.

This sounds a lot like working (with|for|despite|in utter exasperation of) HMRC, "Making Tax Digital", some REALLY ropey software that I could mention and HMRC's very nebulous concept of a "Digital Link".

I won't be sending you an email about it, though, because Google will just reject it.

Whenever I send email to The Register, it gets rejected.

The DSN says my Gmail account is disabled.

I *have* mentioned this before.

I've never had a Gmail account.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle


How come the users of certificates let this certificate maintenance thing get so messy?

Shopped recently in a small online store? Check this list to see if it was one of 570 websites infected with card-skimming Magecart


Glad I've been dropping every packet from AS16276 all these years...

/sbin/iptables -A immediate_tarpit -s -m comment --comment "OVH" -j DROP


Re: I won't shop at a small site

"I've had too many friends with funds either frozen for months or outright taken by Paypal to ever trust them."

Yeah, me too. They just took my money and it wasn't enough to make it worth the hassle of getting it back.

Fucking thieves.

It’s happened again: AT&T sued for allegedly transferring victim's number to thieves in $1.9m cryptocoin heist


Re: I have questions...

"...why the hell does anyone trust this crap?"

Good God! I've been sayin' it. I've been sayin' it for ten damn years. Ain't I been sayin' it, Miguel? Yeah, I've been sayin' it.

Nothing fills you with confidence in an IT contractor more than hearing its staff personal records were stolen by ransomware hackers. Right, Cognizant?


Re: It's not 'toxic waste' if you can't be paid without it.

"The employer needs all that info for payroll, pension, medical insurance, reduced-cost loan schemes (bike or car purchase schemes, forex), and all the other interactions between employer and employed. ..."

Yeah, but the employer does NOT need to keep it all on a poorly secured Internet-facing system.

Speaking as an employer, we keep stuff like that in (locked) filing cabinets in the office, and the only things of that sort that we put on the computers are the things that our certifiably insane government insists that we keep on the computers. Which, unluckily, seems to be more and more and more and more, as more and more idiotic ideas keep coming - primarily from HMRC, who couldn't find their collective arses with their hands tied behind their backs.

Chrome extensions are 'the new rootkit' say researchers linking surveillance campaign to Israeli registrar Galcomm


I once tried to get both ICANN and Nominet interested enough in the criminal activities which they facilitate to do something about it.

What a waste of time that was.

Kinda goes without saying, but shore up your admin passwords or be borged by this brute-forcing botnet


People still use Wordpress?

Now we know what the P really stands for in PwC: X-rated ads plastered over derelict corner of accountants' website


Re: missing major issues when auditing companies

"... blames a "rogue employee", strikes a deal with a gov, ..."

The UK's National Enterprise Board funded my startup's expansion when it was four people in John's attic in Eynsham and ten thousand turnover, and wanted to take its profits now it was twenty-four people in a rented unit round the back of Tesco's on Cowley Road and a million turnover.

In the heady days of 1981, people were saying that the riskier the project sounded, the more likely a public offering was to succeed on the Denver penny stock market. But I called out my fellow directors for trying to scam investors in our planned flotation. By now I was the only one left of the original four, and the new guys were going to claim in the prospectus that our company was projecting sales of more than twice (what I never tired of telling them was) our production capacity. It wasn't really about what we could make, it was about what components were available on the world market to make the products with. There just wasn't enough of one particular part to make what they were claiming we would make, and ramping up production at the (two) suppliers would take many months, if not a few years, because they were sensible and they weren't about to throw all their eggs in this particular upstart's basket.

I refused to sign up to it. I was the only one who said "No, this isn't right, we can't do this".

I was standing up against seasoned business types in their forties, fifties and sixties (some were flying around on Concorde doing what they called "due diligence", but in reality just racking up huge expense account bills) and one of the big five accounting firms you've all heard about - the one that surrendered its licenses in 2002, as it happens. I was twenty-eight, and living in a caravan while I was building a house in my spare time. It nearly cost me my sanity.

Eventually, after a showdown, threats against my property, my resignation, and ultimately a front page headline in the Rocky Mountain News about an investigation by the SEC (incidentally that was the first fax that I ever saw), the public offering did not go ahead.

It did cost me my dreams, and a small fortune, but I kept my integrity.

Unrepentant, the guy representing NEB said to me later, "What if it had worked, Ged?"

Nothing, as far as I can tell, has changed since 1981.

Android trojan EventBot abuses accessibility services to clear out bank accounts – fortunately, it's 'in preview'


Re: "The human link is the weakest link in cyber security"


A common mistake is to assume you need access to your bank on your phone when access through a desktop or laptop might be all you really need for monitoring and paying bills.


An even commoner mistake is to have any online access to your bank at all.

IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report


Re: Hackerone is part of the problem

No repetition of this sentiment is too much for me.

I gave up trying to get any sense out of anyone at hackerone a couple of years ago.

Me: "I've found this problem and it affects three hundred sites that I looked at."

Hackerone: "Thank you for the report, please open three hundred tickets."

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority


Single sign-on?

But I DON'T WANT a single sign-on.

Really I don't.

I want a lot of different sign-ons, so that when one gets compromised the rest are not compromised.

It's called a 'system', and it's what anyone has to have if they want to call themselves 'organized'.

Uncle Sam tells F-35B allies they'll have to fly the things a lot more if they want to help out around South China Sea



[quote]The F-35B continues to be the only modern fighter jet capable of operating from Britain's two new aircraft carriers, HMS Queen Elizabeth and HMS Prince of Wales.[/quote]

Is there a white elephant in the room?

Antivirus hid more than 9,000 'cybercrime' reports from UK cops, says watchdog


But even if they manage to fix their anti-virus, they'll still be plonkers.

Would you open an email from one Dr Brian Fisher? GP app staff did – and they got phished


As others have pointed out it seems clear that Dr. Fisher's account was compromised.

I don't know where the MITM thing came from but at first glance it doesn't look to me like anything so technical as that.

If there were almost a million computer misuse crimes last year, Action Fraud is only passing 2% of cases to cops


More like INaction.

A cautionary, Thames Watery tale on how not to look phishy: 'Click here to re-register!'


So I have to re-register so they can send me a bill?

Oh, quick! Where's my, er, where did I put... dammit why can't you find a computer when you really need one?

Some fokken arse has bared the privates of 250,000 users' from Dutch brothel forum


One thing the hackers seem to forget is that they're vulnerable to hacks too....

Remember the FBI's promise it wasn’t abusing the NSA’s data on US peeps? Well, guess what…


The creatures outside looked from pig to man, and from man to pig, and from pig to man again; but already it was impossible to say which was which.

Twitter: No, really, we're very sorry we sold your security info for a boatload of cash


Whenever ANYONE asks for my phone number I tell them to EOn-Off.

£99,999, what's your emergency? Paramedics rush to OAP's aid after shock meter reading


[quote]After finding their best offers required a SMETS meter, I nearly kept my account of 14 years good standing with Eon.[/quote]

My wife put it best. She said "Eon can Foff!"

Thanks to all those tax dollars, humans can now hear the faint sounds of earthquakes on Mars


That's the first time I've ever heard sounds from another planet.


"... bang the rocks together, guys!"

Astroboffins spy the most ancient protocluster of galaxies yet found post Big Bang


Very soon we should be able to infer what's beyond the bounds of the visible universe by looking at the motion of things which aren't.

That will be fun.

The D in Systemd is for Directories: Poettering says his creation will phone /home in future


Re: Good encapsulation, Dr S


SystemD is fucking useless.


No, I'm sorry to contradict you but that's just plain wrong.

SystemD is WORSE than fucking useless, it's a fucking liability and I uninstall the fucking thing every chance I get.

Several months after the fact, CafePress finally acknowledges huge data theft to its customers


If you're worried that your personal details have been compromised, here's a link to the Equifax Website...

How much pass could LastPass pass if LastPass passed last pass? Login-leaking security hole fixed


What fuckin' idiot had the idea of using fancy software to secure passwords anyway?

D-Link, Comba network gear leave passwords open for potentially whole world to see


You can buy good kit from crap suppliers.

You can even buy crap kit from good suppliers.

But do not buy crap kit from crap suppliers.

India's Chandrayaan-2 and Vikram lander split amicably above Moon, SpaceX hops over Texas



Can someone explain these numbers to me? This looks like a distance being recorded as an area. What am I missing?


Basically all orbits are ellipses.


Clutching at its Perl 6, developer community ponders language name with less baggage


If you've had any exposure to Perl, you've probably heard of Tom Christiansen.

Twenty years ago, I wrote the letter below to him. He was kind enough to suggest that I write more.

Well I'm still coding in Perl now, more or less all day every day.

I'm not sure that was what he meant. :)


Date: Thu, 18 Nov 1999 23:46:19 +0000 (GMT)

From: "G.W. Haywood" <xxxxxxx@xxxxxxxxxxxxx>

To: Tom Christiansen <xxxxxxx@xxxxxxxxxxxxx>

Subject: Re: using function prototypes w/ mod_perl.

Hi there,

If pressed, I'd admit I'm a C programmer.

I probably speak C as well as I speak English, having been at it since it was invented.

Yes, I'll admit I'm over 40. Well over.

C has got better over the years. To start with the compilers were a bit dodgy and the linkers didn't know about type.

Now that's all sorted out you can write code knowing that if you pass a string to a function that's expecting a double you'll never get it past `make'.

As a result, some of my programmes have been running for over a decade without stopping.

Some of my code sits monitoring nuclear reactors and patients in hospital laboratories.

My financial well-being is tied to my proficiency in C because my software currently sends out invoices for any of the 120,000 products that I now sell to a sizeable portion of my 18,000 customers, daily.

It tells me who owes me money, how much, since when, and where I must go if necessary to get it from them.

Sometimes it's necessary.

It has to work. If I need a program that's bullet-proof, that will take absolutely anything that's thrown at it, then I will pull out my trusty old C libraries and get coding.

When it's finished, a hyperactive kitten jumping on the keyboard will result in nothing more sinister than a couple of bleeps.

Such extreme duress might possibly cause an invoice to be printed that should not have been printed, (although it wouldn't make it out of the door), but it definitely wouldn't put an entry in the error log.

In short, I believe in C because I've been at it for 25 years.

Well, I'm new to perl. About 18 months now. You'd think I'd hate it because it's such a completely different thing from C, but, I don't.

I love it. I can do things in perl in twenty minutes that would take hours in C, if it were realistic even to consider coding them that way.

What will it be like when I get to be competent?

When I talk to that absolutely fantastic interpreter it talks back to me, telling me where I made silly mistakes, sometimes showing me a better way to do it, holding my hand as I stumble along.

At 400MHz, it's quick enough.

Would I convert any of my hardcore financial stuff to perl?

Would I put perl in a diagnostics laboratory? On a reactor?


But would I mess about with C to get something running on our Website? Why bother?

There are so many things waiting to go wrong between the user's browser (which is probably a M1croS0ft product so it will almost certainly crash within the next ten minutes or so) and my servers (which probably will not survive even the most ham-fisted of attempts by a second-rate undergraduate to gain illegal access) that the idea of my writing a Robust Piece Of Code to do something as mundane as serving pages is simply laughable.

The Web is moving so fast I'm sure that if I try to do what I need to do in a language like C, I'll never catch it. So I say let's get it done, make a few bob, and on to the next job.

Tell your C programming friends that function prototypes are for people in air-traffic control and petrochemicals.

If they're really fussy, tell them they should be looking at RTL/2 anyway. Tell them what the p in perl stands for. It doesn't stand for `prototypes'.

Kind regards,



Behind time and way over budget, but the James Webb Space Telescope has finally been put together


Well, all that's left to do now is sit the fucking thing on top of five hundred tons of explosives, and set light to it...

GIMP open source image editor forked to fix 'problematic' name


Re: Eh?

"mutt, git, grub, and there are surely many more self-deprecating names. It's a bit of a tradition. ..."

Then of course there's "Windows".

I guess by now you'll have noticed which one was the most successful...

Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty


I thought steam was the stuff that came out of my kettle when it's ready to make my tea.

Canonical adds ZFS on root as experimental install option in Ubuntu


Re: Running ZFS on Linux and Mac for years without problems

"We've happily based our data storage (but not root filesystems) on ZFS since 2016 [detail snipped]"

That was very useful. Thank you.

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead



But... but... Google designed HTTP/2 to be secure!


Given the list of CVEs I'm not sure that there can even have been a requirements specification.

Seems to me that some^H^H^H^Heverybody in the design department needs to go back to school.

US still 'not prepared' in event of a serious cyber attack and Congress can't help if it happens


They always come out with this same old crap at these conferences.

I don't care what they say at the conferences, they aren't listening.

I've been banging on about specific, easily fixed issues for YEARS and the same, specific, easily fixed issues are STILL THERE.

Xbox daddy bakes bread with 4,000-year-old Egyptian yeast


Re: Eh?

"There is no discernible difference ... except that gawd/ess-awful monster of a plug you lot are inexplicably in lust with ... "

It's not inexplicable, but I won't bore you.

Chap uncovers privilege escalation vuln in Steam only to be told by Valve that bug 'not applicable'


I tried talking to hackerone.

Waste of time.

How powerful are Russian hackers? One new law could transform global crime operations


What they gonna do 'bout the root nameservers?

Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts


Nah, I believe everything they say.

LAPD loses job applicant details, Project Zero pokes holes in iOS, AWS S3 whack-a-mole continues, and more


"Even if you pay for a service (say office 365), your data is still being stored, analyzed and sold."

And if you DON'T pay for the service, probably the only reason for it to exist is to sell your data.

Last month I signed up to a free Excel forum. Within a couple of days I was getting spam from domains at the hosting company that hosts the forum, and in a couple more days from elsewhere on the planet -- all to the spamtrap that I'd set up for it. }:-)


Our hero returns home £500 richer thanks to senior dev's appalling security hygiene


I have some interesting tidbits for Oncall. One of them is even about The Register.

But I can't relate them, because Google rejects all the mail I send to The Register with

"The account [sender email address] is disabled."

Of course I've never had an account [sender email address] with Google, so that might, er, account for it.

Pi in the sky as ESA starts testing encrypted comms on International Space Station


If it works when you keep the keys on the ground, why not, er, keep the keys on the ground?

Outraged Virgin slaps IP trolls over dirty movie download data demands


Anyone who actually reads the judgement will see that neither side's lawyers exactly covered themselves in glory.

In particular it is quite wrong to say that Virgin's lawyers saw anybody off. If anybody did that, it was Counsel for the Applicant.

The judge presented a (characteristically) clear judgement. It's unarguable.

This must have been a pretty expensive waste of everybody's time.

Don't you just love the Internet?

Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't


Debian user here - still on version 5.

He's coming for your floppy: Linus Torvalds is killing off support for legacy disk drive tech


I had to use a 3.5" floppy at the weekend to load DOS onto a machine that had just died.

I still have brand new 5.25" and 8" floppies in stock if anybody wants some.

City-obliterating asteroid screamed past Earth the other night – and boffins only clocked it just 26 hours beforehand


Let's try to put this into some sort of perspective.

For billions of years it's been Out There, taking its careful aim at us.

It's going 88,500 km per hour, and it missed us by 72,000 km [*].

So it missed us by just under 49 minutes.

Speaking astronomically, that was definitely a bit too close for comfort.


Backdoors won't weaken your encryption, wails FBI boss. And he's right. They won't – they'll fscking torpedo it


The quality of politicians in the UK and the US has dropped off a cliff in the past 35 years or so.

You took the words right out of my pocket.

Low Barr: Don't give me that crap about security, just put the backdoors in the encryption, roars US Attorney General


Do these people think that a terrorist will continue to use a service when he knows that the service has been compromised?

If they do, then the terrorist threat is a lot less scary than the fact that they're in office.

Brussels changes its mind AGAIN on .EU domains: Euro citizens in post-Brexit Britain can keep them after all


For the last couple of years, every IP which tries to send me mail from .eu domains gets dropped into my TARPIT.



Biting the hand that feeds IT © 1998–2020