* Posts by sitta_europea

1001 publicly visible posts • joined 29 May 2016


CISA boss: Makers of insecure software are the real cyber villains

sitta_europea Silver badge

Re: What about to OPTIMIZE your code, this will help even more !

"You can see the bloat ..."

I can't upvote this post enough.

As a developer who in the 1970s and 1980s wrote software in M6800 assembler for example for nuclear material security and for data reduction in hospital laboratories I'm constantly staggered by the wastefulness of current software trends. I used to take raw calibration and measurement data and turn it into usable diagnostic numbers, in addition to running the feedback loops which stabilized the gain in the nuclear pulse amplifiers of sixteen measurement devices, all inside four kilobytes of code.

Last year I thought about putting a data compression library into some financial software that I started work on in the mid to late 1980s, and which I still support.

My software is mostly written in C, with a smattering of assembler. It's a multi-user system which maintains records for stocks, customers, suppliers, sales, purchases, financial transactions, ... basically everything you need to know where you are in a business which buys and sells things. The executable weighs in at just over 600kBytes.

The data compression library I looked at was five times as big. Half the machines running my systems don't even have that much RAM. I thought of a better way.

The thing is, most people nowadays would think three megabytes is on the small side.

Me, I wonder what on Earth all that code can possibly be doing?

1 in 10 orgs dumping their security vendors after CrowdStrike outage

sitta_europea Silver badge

To say that 8.5 million PCs were "bricked" is I think overstating the case, and poor journalism.

The usual take on "bricked" is that the device is not recoverable by something as painless as one file deletion and a couple of reboots.

Bricked means more like (at a minimum) replacing a component such as a ROM chip to get the thing back on the air.

I'm not saying that this wasn't a complete fuckfest, don't get me wrong, but the devices were temporarily out of service - not bricked.

China claims Starlink signals can reveal stealth aircraft – and what that really means

sitta_europea Silver badge

Re: I have oft wondered...

"... Best regards,

about every experienced ham radio operator."

I was going to mention meteor-spotting but I guess I've been Ninja'd.

73 de MSEG3

The empire of C++ strikes back with Safe C++ blueprint

sitta_europea Silver badge

It seems obvious to me that if you can rewrite the C++ compiler to handle the memory safety issues, and then just recompile a few million projects with it as and when the opportunities present themselves, that *has* to be a better option than rewriting a few million projects in a completely different language - which will not only take millions of times as much effort, but probably also introduce at least as many issues as it fixes.

What's not to like?

China’s quantum* crypto tech may be unhackable, but it's hardly a secret

sitta_europea Silver badge

Re: How to detect interception

" ... You can't make a photon and entangle it with any other photon of your choosing from some other place in the universe."

That's the part that gives me goosebumps. :)

sitta_europea Silver badge

Re: 10/10

"...cynicism at its finest. ..."

And as others might say, "Bullshit".

About that Windows Installer 'make me admin' security hole. Here's how it's exploited

sitta_europea Silver badge

Re: msiscan in github

"A python script that runs on Linux. ..."

Don't worry - it doesn't.

Mind your header! There's nothing refreshing about phishers' latest tactic

sitta_europea Silver badge

"... the FBI's ... report ... roughly 300,000 cases reported last year. ... in the US and only the ones people spotted and bothered to report. ..."

They could have a lot more reports if they'd just make it easier. Like a decent API. I'm convinced they don't want more.

If HDMI screen rips aren't good enough for you pirates, DeCENC is another way to beat web video DRM

sitta_europea Silver badge

*Every* anti-piracy scheme designed to protect movies and the like is doomed because it's more or less trivial to capture the video and sound outputs.

I could do it very easily, but I can't be bothered because I'm not really interested and at six for a pound I could buy vastly more DVDs from the charity shops than I could ever find time to watch.

Even my wife cracks the copy protection on DVDs after she's bought them so that she can compress the data by a factor of five or ten and put a lot more movie files on her 3TB movies disc.

I really can't understand why people make such a fuss about it, they're just bringing attention to the flaws in the cobbled-together systems.

Healthcare giant to pay $65M settlement after crooks stole and leaked nude patient pics

sitta_europea Silver badge

"....My photos are gonna make some nerd dweebs-in-Mom's-basement GREEN WITH ENVY and the ladies GASP in astonishment! ...."

I was thinking that the ladies will be queueing up outside my door when the photos are published but then I realized that nobody's ever taken any photos of me naked. :(

Despite cyberattacks, water security standards remain a pipe dream

sitta_europea Silver badge

We always used to have water at our house when there wasn't an Internet. It was never an issue.

And there was never any problem with reading the meter. There wasn't one. We paid a quarterly bill, which as it happens was always very reasonable.

It's only since there's been an Internet, and water meters, that the water supply has been unreliable.

You know why there are domestic water meters?

They'll tell you that it's about responsible use, and shit like that.

Well that's all bollocks. It's about profit. There's more water leaks out of the water companies' unmaintained pipes than goes through all the domestic water meters combined.

We're where we are because of greed.

I don't know why we let them get away with it.

Who owns the water anyway?

Magnetic personalities at Tokamak Energy form separate division

sitta_europea Silver badge

Re: Nuclear Fusion and Superconductivity

"....If this new technology can make superconducting magnets that work at liquid nitrogen temperatures, that's a big win...."

I think you understate significantly. It would be absolutely HUGE.

It's orders of magnitude cheaper both to buy and to use liquid nitrogen than it is to use liquid helium, and there's no risk of nitrogen suddenly being rationed as has happened recently.

Bulk liquid nitrogen is typically 15 cents per litre. Helium will usually be tens of dollars.

You don't normally bother to recycle nitrogen, but unless you're NASA that's a luxury you can't usually afford with helium.

Novel attack on Windows spotted in phishing campaign run from and targeting China

sitta_europea Silver badge

Re: DLL path traversal vulnerability ..

"... A bit of a design fault. ..."

You mean a *huge* security hole?

Check your IP cameras: There's a new Mirai botnet on the rise

sitta_europea Silver badge

[QUOTE]

CISA launches incident reporting portal

In a bid to streamline the often onerous cyber incident reporting process, CISA has launched a new Services Portal website where organizations can report incidents ...

[/QUOTE]

So I tried to create an account.

I got as far as trying to upload photo ID, but instead of the expected selection tool I was unceremoniously dumped back to the account creation start page.

Ooops.

Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers

sitta_europea Silver badge

Re: DiCaprio Deprecated

"Why go to all that bother of forgery, conning a uniform and forking out to the Ladybird Book on Piloting to get to a jump seat?"

Before last night, the first time I saw that movie, and the same day this report came out on elReg, I wouldn't have understood the reference.

The coincidence of timing made the hair on my forearms stand on end.

Halliburton probes 'an issue' disrupting business ops

sitta_europea Silver badge

"... a certain incident when Halliburton Engineering did the physical work, which promptly failed ..."

Please can you give a reference?

SolarWinds left critical hardcoded credentials in its Web Help Desk product

sitta_europea Silver badge

Does anybody else think it's starting to look like SolarWinds is utterly clueless?

Cisco calls for United Nations to revisit cyber-crime convention

sitta_europea Silver badge

At this point in history I think most sane people will think "If Russia wants it, I probably don't", and this looks to me like a pretty good example of "it".

Instead, I'd like to think that Russia could for example be a responsible member of world society, and willing in principle to extradite criminals - rather than giving them carte blanche and a safe haven as long as they don't inconvenience the Russian dictatorship and its cronies.

Unicoin hints at potential data meddling after G-Suite compromise

sitta_europea Silver badge

Sigh.

Mad Liberator extortion crew emerges on the cyber-crook scene

sitta_europea Silver badge

"Anydesk allows remote access by assigning a unique 10-digit address to every device upon which it is installed."

Am I the only one who thinks that's not a lot of digits, even if they're hexadecimal digits?

Over 40 million Kakao Pay users' data somehow ended up with Alipay

sitta_europea Silver badge

And this surprises anybody?

SpaceX tries to wash away Texas pollution allegations

sitta_europea Silver badge

It could just have been that, when all those engines lit up and everybody started yelling, somebody lost a filling.

About eighteen months ago I lost one. It had been there for more than fifty years, and then one day it just fell out.

At my next checkup I gave it to the dentist to dispose of.

Orion SA says scammers conned company out of $60 million

sitta_europea Silver badge

Every day my businesses usually get at least three or four of these kinds of scam emails.

But there are two important differences between my businesses and multi-billion dollar businesses like the subject of this article:

1. The amounts of money my businesses handle are much smaller.

2. In the final analysis, it's all my money.

So I guess that's why nobody's ever scammed my businesses out of anything.

Unless you count the Tax Man, who has unjustifiably enriched himself at my expense on more than one occasion, but with amounts too small to spend the rest of my life chasing.

Oh, and the energy companies, who routinely steal money directly from my bank accounts on the pretext of "estimated use" despite the fact that they know perfectly well that the use will be nothing like as high as their "estimates".

Oh, except for Scottish Power - who have been threatening me with legal action ever since I fired them in December 2021. I said "Please go ahead, I'll make you look very silly in Court". So instead of suing me, they keep selling their imaginary "debt" to different debt collection companies (I suppose it's easier than actually doing something worthwhile for a living) who get the same response from me.

What I'm saying is that scammers are everyfuckingwhere, it isn't always obvious who they are, and you need eyes in the back of your head. I'd flog them.

Attacker steals personal data of 200K+ people with links to Arizona tech school

sitta_europea Silver badge

Re: That is a Chinese level of data monitoring.

Yeah, I like that bit about holding individuals to account.

They just hide behind limited corporate liability.

Pro-Iran groups lay groundwork for 'chaos and violence' as US election meddling attempts intensify

sitta_europea Silver badge

Re: Where's Cilla?

"Enjoy: https://youtu.be/TtdR-qo910k"

It said "Please update your browser".

sitta_europea Silver badge

"...opioid-pilled elephant in the MAGA china shop..."

Nothing like mixing your metaphors.

And that's not really very much like it.

It's 2024 and we're just getting round to stopping browsers insecurely accessing 0.0.0.0

sitta_europea Silver badge

Re: What about 127.0.0.1?

Test it yourself. I routinely use that address, and also 'localhost', in the location bar. CUPS for example is localhost:631. None of the browsers here make any fuss about it.

This is I think why at least the Mozilla foundation is wary of changing the behaviour of their browser.

I also routinely see attackers from outside my LAN trying to con my services into believing that the connecting host's name is 'localhost.localdomain' or that its IP address is '0.0.0.0', '127.0.0.1', '10.pick.3.numbers' or some such nonsense. None of that will succeed here at least.

Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net

sitta_europea Silver badge

At least half of the HTML email spam I see uses tricks similar to this to try to defeat my anti-spam measures.

It all fails.

Why do I see the spam, you ask? So that I can confirm that it's reported correctly.

sitta_europea Silver badge

Re: Email is for text

I *only* read emails in plain text. Even the ones sent in HTML (if I can be bothered - usually I can't).

Billion-dollar bust as international op shutters Cryptonator wallet

sitta_europea Silver badge

So.... what's happened to Roman? Has he been arrested? Has he fled back to Russia? What?

MDM vendor Mobile Guardian attacked, leading to remote wiping of 13,000 devices

sitta_europea Silver badge

There was a time when you could show your understanding of a subject by making marks on a bit of paper with a pencil.

Doing things this way had, as far as I can remember, absolutely no privacy or crime issues although it was, relatively speaking, hard work for all concerned.

Curiously enough, when I was doing the said hard work (on my way to a first class honours degree), people used to tell me that hard work was a Good Thing.

Despite what my sixth form maths teacher said (in front of the entire class he threw my homework in the bin, so I never did any more for him) I agreed with them.

And I kinda still believe that, but then I've worked hard all my life. At least all my life since leaving Mr. Plackett's tender care.

There are sooooo many easy fixes nowadays.

But it should be blindingly obvious to anybody who thinks about it for five minutes that there are NO easy fixes.

Until you've learned that, I believe that you have very little chance of educating others.

DARPA suggests turning old C code automatically into Rust – using AI, of course

sitta_europea Silver badge

Re: I hope there's a complete C preprocessor included in the AI too....

"The C preprocessor is of course legendary for the ways it can be abused..."

First time I ever saw somebody (ab)use the C preprocessor the guy had this comment right at the top of his code:

/* PREPROCESSOR ABUSE IS NEAT! */

I guess that was around 1977.

sitta_europea Silver badge

More than three decades ago I developed a business system using dBaseII.

A few years later I wrote some code to convert it into C. Mostly because dBaseII was very slow, and dBaseIII was slower *and* riddled.

I'd expected it would probably work out around 80/20 automatic to manual conversion, but as it happened it worked out way better than that - I'd guess around 95/5.

The resulting system worked extremely well, and I continued to develop it.

But I always worried about memory safety, so I wrote a few memory-safe routines which I used instead of some of the standard library functions - in particular I wrote a protected version of malloc().

After a period of - ahem - improving my code, system halts because of things like out of bounds memory accesses simply stopped happening.

Thirty years later my code is still running businesses, and it's that long since it last halted for a memory problem. It's never been compromised.

If you want memory safety, from my experience I honestly don't think you need to do a lot more than code a few new library routines. Call it 'safelibc' or something like that.

Turning to AI for this reminds me of that old chestnut about the guy who decided to solve his problem using regexes... now he has two problems.
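The post above describes a protected malloc() as the core of a home-grown "safelibc". What follows is an added example, not the commenter's code and not any published library, showing one common way such a wrapper is built: a small header in front of every allocation records the requested size, a byte canary is written after the user region, and every copy and free is checked against them so an out-of-bounds write is caught at the next check instead of silently corrupting the heap. All names (safe_malloc, safe_check, safe_size, safe_strcpy, safe_free, the canary constants) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header placed immediately before every user allocation (assumed layout). */
typedef struct {
    size_t   size;   /* bytes the caller asked for */
    uint32_t magic;  /* marks a block that came from safe_malloc */
} safe_hdr;

#define SAFE_MAGIC      0x5AFEB10Cu
#define SAFE_CANARY     0xC5u   /* byte pattern written after the user region */
#define SAFE_CANARY_LEN 8

static safe_hdr *hdr_of(void *p) { return (safe_hdr *)p - 1; }

/* Allocate n zeroed bytes with a header in front and a canary behind. */
void *safe_malloc(size_t n)
{
    if (n == 0 || n > SIZE_MAX - sizeof(safe_hdr) - SAFE_CANARY_LEN) return NULL;
    safe_hdr *h = malloc(sizeof *h + n + SAFE_CANARY_LEN);
    if (!h) return NULL;
    h->size  = n;
    h->magic = SAFE_MAGIC;
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user, 0, n);
    memset(user + n, SAFE_CANARY, SAFE_CANARY_LEN);
    return user;
}

/* 1 if the header and trailing canary are intact, 0 otherwise. */
int safe_check(const void *p)
{
    if (!p) return 0;
    const safe_hdr *h = (const safe_hdr *)p - 1;
    if (h->magic != SAFE_MAGIC) return 0;
    const unsigned char *tail = (const unsigned char *)p + h->size;
    for (size_t i = 0; i < SAFE_CANARY_LEN; i++)
        if (tail[i] != SAFE_CANARY) return 0;
    return 1;
}

/* Usable capacity of a checked block, 0 if the block is not trustworthy. */
size_t safe_size(const void *p)
{
    return safe_check(p) ? ((const safe_hdr *)p - 1)->size : 0;
}

/* Copy src into a safe_malloc'd buffer; -1 if it would not fit (including NUL). */
int safe_strcpy(char *dst, const char *src)
{
    size_t cap = safe_size(dst);
    size_t len = strlen(src);
    if (cap == 0 || len + 1 > cap) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Free only blocks that still pass the check; 1 if freed, 0 if refused. */
int safe_free(void *p)
{
    if (!safe_check(p)) return 0;
    free(hdr_of(p));
    return 1;
}

/* Demonstration: a copy that fits, a copy that is refused, then a deliberate
 * one-byte overrun that the next check catches. Returns 1 if all behave. */
int demo_overrun_is_detected(void)
{
    char *buf = safe_malloc(8);
    if (!buf) return -1;
    int before        = safe_check(buf);              /* 1: fresh block */
    int copy_ok       = safe_strcpy(buf, "1234567");  /* 0: 7 chars + NUL fit */
    int copy_too_long = safe_strcpy(buf, "12345678"); /* -1: would need 9 bytes */
    buf[8] = 'X';                                     /* overrun into the canary */
    int after         = safe_check(buf);              /* 0: canary damaged */
    free(hdr_of(buf));  /* header is intact, so release the raw block directly */
    return before == 1 && copy_ok == 0 && copy_too_long == -1 && after == 0;
}

int main(void)
{
    printf("overrun detected: %s\n", demo_overrun_is_detected() == 1 ? "yes" : "no");
    return 0;
}
```

The check runs at free time and wherever the code chooses to call it, so a corruption is reported close to the code that caused it rather than as a halt somewhere unrelated later on. A stricter wrapper would also poison the header on free so stale pointers fail the check, but that is left out here because reading freed memory is itself undefined behaviour.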

UK plans to revamp national cyber defense tools are already in motion

sitta_europea Silver badge

Re: "ideas" -- "hypotheses" -- "experiments".............

"Yup.... plenty of "ideas" , "hypotheses" , "experiments".................................

.............but, in the mean time, millions of citizens are getting their personal lives f**ked by bad guys who walk away with oodles of cash!!!"

Came here to say something similar but you beat me to it.

Nobody but me will protect me. The idea that something the government runs will help is downright laughable.

You might as well call ActionFraud (I'm sure the Fraud there is that they're claiming there'll be some Action). I've tried a few times but the telephone operators seem to have been trained to talk you out of making a report. "It could be just a mistake." Fercryinoutloud they're selling stolen property but it could be just a mistake. What a complete waste of space.

If I were running the show, for starters I have a list of millions of IPs here right now and I'd be dropping *every single packet* from *all* those IPs the instant it reached these shores.

Anyone who wants the list is welcome to it, it's right here in an impressively small Postgres database which runs on a Pi4B to protect us from scum, mostly in Latvia and eastwards.

You'd have thought our law enforcement could run to a Pi and a few routers. It isn't rocket science.

Ideas. Hypotheses. Experiments.

Give me strength.

'Error' in Microsoft's DDoS defenses amplified 8-hour Azure outage

sitta_europea Silver badge

Anyone can have a bad day. Sorry, week.

It is 60 years since a US spacecraft first took a close-up of the Moon

sitta_europea Silver badge

Re: My first thought was

"And only 15 years after the invention of the transistor..."

When you look at it this way, yes, the pace has been staggering.

Just before my final year at university I went to work at AERE Harwell for a year - it was called a "thick sandwich" course - and I went back there after my final year. My first posting was to Electronics and Applied Physics Division. The building where I worked had been converted from RAF barracks. It had metal framed, single-glazed windows, a corrugated asbestos roof, and it was catchily named "347.3". There were free bus services from nearby towns such as Reading, where I rented a flat. The bus dropped us off on what had been RAF Harwell's runway, about half a mile from the building where I worked. Most of the people I worked with were much older than me - some of them had been there in the RAF in wartime - and they liked to tell stories. One of the stories was that a few years before I got there, the first transistor made in the UK was made in that laboratory, actually in the room where I was working.

Amongst my first projects was working on the first charge-coupled devices made in the UK. These CCDs cost a small fortune, and they had one row of eight elements, and they had absolutely horrible characteristics. With their serious limitations we struggled to figure out how to make use of them. That was in 1973. Now, there must be a dozen megapixel-sized CCDs within ten feet of me and they probably all cost less than a fiver to make. We have gigapixel CCDs in space, and if I feel the need I can see the images which they've taken of the first stars to illuminate the cosmos.

Unfortunately for the history buffs, 347.3 and its sister buildings were demolished many years ago. Not so unfortunate for the people who work at Harwell now though. I remember my time there as being uncomfortably cold in winter and very uncomfortably hot in summer. But I'm very glad to have experienced a tiny part of history in the making.

UK Electoral Commission slapped for basic cybersecurity fails

sitta_europea Silver badge

Government IT. Couldn't find its arse with both hands tied behind its back.

DigiCert gives unlucky folks 24 hours to replace doomed certificates after code blunder

sitta_europea Silver badge

"...how CAs behaved before the CAB Forum rules existed."

Very good point.

"...the market punishing the CA vendor for not following the rules."

Financial punishment. The only kind that they understand, the only kind that will have any effect.

And it isn't just CA vendors. It's the whole steaming pile.

Proofpoint phishing palaver plagues millions with 'perfectly spoofed' emails from IBM, Nike, Disney, others

sitta_europea Silver badge

Re: Email spoof protection spoofed :o

"... Why aren't such protections baked into the email protocol."

Because the protocol was developed by a bunch of university nerds in the 1970s. They actually wanted to use it for serious communication.

Unfortunately, being wide-eyed innocents, they had no idea that as soon as their creation became popular with the masses it was going to get taken over by criminals.

There are some bolt-on goodies like the Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) but they're very complicated. SPF is in principle relatively easy but it's still totally beyond the average Joe in the street. About the best you can hope for is that somebody will say "My SPF must be fine because my mail gets delivered", which I've had government people say to me. This puts the whole thing on its head, because SPF is not about delivering mail - it's about rejecting it - and you can get mail delivered to most recipients if you don't implement SPF at all. And even if you're clued in about these things, if you get bozos like Proofpoint and Microsoft conspiring to forge mail from criminals then you're still going to struggle to filter them out automatically. You need to start being as cute as the criminals which isn't necessarily very easy as some of them are really, really, cute. It stands to reason because they're professionals, they make money from it, so some of them are regrettably rather good.

MicroDoze hasn't helped by screwing up everything it touches, *especially* when it relates to SPF, which for years it tried to replace by its own fatally flawed attempt to outflank it - and after that failed, it just basically screwed up everything it could. To me it looks deliberate, out of nothing but spite, but I admit my own personal bias and it's probably just staggering incompetence.

As far as I'm concerned the Internet is at about the stage that the Wild West was in the 1800s. In years to come there will probably be several series about it on television, or whatever entertainment medium is popular by then.

sitta_europea Silver badge

Re: "The root cause is [..] Microsoft 365"

"... What could possibly go wrong ?"

It's Microsoft. Everything can go wrong, and usually - the latest figure I've seen is three-quarters of the time - it does.

It beggars belief that so many people will put up with it.

Maybe for software we should have the concepts of fitness for purpose, and merchantability.

You know, like real products.

Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools

sitta_europea Silver badge

"... By how many orders of magnitude?"

More or less what I thought.

sitta_europea Silver badge

[quote]

I would theorize:

A critical vulnerability patch is released. The recommendation is to apply it ASAP.

1. You apply the patch ASAP, and risk bringing your systems down with a bad patch.

OR

2. You wait until your next patching cycle. In the meantime, your organization is hacked. Your business is compromised. You have to report it. You have to fix it. You may get a hefty fine.

All down to risk management. ...

[/quote]

Weeeeell... sort of, but the thing is I haven't yet seen a figure for the probability that - even when it's working as designed - this CrowdThink software is any better than any of the other packages which aim to detect malware. And the best I've seen still only manages to detect about 85% of the threats even on a good day.

So this kind of argument falls a bit flat. If you're relying entirely on a product like this then in the long run you haven't got a prayer.

My point is that there's really no excuse. For any of them.

Intruders at HealthEquity rifled through storage, stole 4.3M people's data

sitta_europea Silver badge

So, you give my data to criminals and then by way of apology, you give it to... Equifax??

Silicon, stars, and sulfur make Apollo's unlikely legacy

sitta_europea Silver badge

"These will be seen as legendary times for humanity's knowledge."

Well said. Fine article.

For many years I've had the habit of saying that we're living in the dark ages.

The more we realize how much we don't know - and this article points out a lot of that - the more I feel justified.

And the more angry I feel with boneheaded chumps like Putin and his cronies who know nothing, and never will know anything, who (we allow to) cause such hardship for so many of the rest of us.

The months and days before and after CrowdStrike's fatal Friday

sitta_europea Silver badge

Re: Just bad luck?!

The confusion here, that Quality Assurance and pre-release testing are even remotely the same thing, is why disasters like this happen.

QA is about making sure that the product can't be supplied in a broken state by designing the processes which produce the said product.

*Any* product.

You can't inspect quality into a product after you've produced it.

You have to design quality into the production process from the very beginning.

It seems clear that nobody with any clout at Crowdstrike has any idea what Quality means.

It wasn't just bad luck. It was inevitable.

Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil

sitta_europea Silver badge

"...If it can happen to a security awareness company, it can happen to anyone."

I take issue with that.

I would never hire anybody I hadn't met in person.

For a security company to do it is just plain crazy.

Don't tell me you can't get the staff when what you mean is you don't want to pay them the going rate.

CrowdStrike blames a test software bug for that giant global mess it made

sitta_europea Silver badge

Has anybody else noticed that "Safe Mode" presumably means the other mode - the one you normally use on Windows - must be "Unsafe Mode"?

Do you think the techies in 1995 ran the name past marketing first?

Philippines wipes out its legit online gambling industry to take down scammers

sitta_europea Silver badge

Oh, come on, *some* people make a fortune out of it...

https://en.wikipedia.org/wiki/Denise_Coates

https://en.wikipedia.org/wiki/Bet365#Regulatory_Non-Compliance

https://en.wikipedia.org/wiki/Bet365#Refusal_to_Pay

https://en.wikipedia.org/wiki/Betfair#Winning_bets_voided

https://en.wikipedia.org/wiki/Betfair#Illegal_dividends

https://en.wikipedia.org/wiki/Betfred#Regulatory_action

EU gave CrowdStrike the keys to the Windows kernel, claims Microsoft

sitta_europea Silver badge

It's always seemed a bit strange to me to want to run protection software on the systems that you're trying to protect.

Twenty years ago, for consumer stuff, where basically you only had the one system to make money from (sorry - to work with), I could sort of understand it.

But for serious users (agriculture, banking, construction, defence, energy, food, government, health, ... you name it) nowadays it makes no sense to me.

CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes

sitta_europea Silver badge

"Former Microsoft operating system developer David Plummer has shared his dissection of the flawed CrowdStrike update HERE."

[My emphasis.]

"Please update your browser."

[Emphasis hardly necessary.]
