* Posts by sitta_europea

370 posts • joined 29 May 2016


The reluctant log trawler: The buck stops with the back-end

sitta_europea

Share dealing systems again. The company will have to remain nameless but the name begins with B and it's quite big.

I was using their share dealing system in the early 2000s, and they changed their password algorithms.

Amongst other things the new algorithms were supposed to pick some random letters from a password.

Only trouble was, it wasn't random. It was horribly non-random.

I told them.

They said I was wrong.

I told them again.

They said I was wrong again.

This went on for weeks.

So I proved it to them. I won't tell you how I did that.

Not long after that, they fixed it.

Very soon after that, the Chief Executive of this British bank telephoned my place of business to thank me.

Our receptionist thought he must be a scammer, and wouldn't put him through to me...

sitta_europea

"Ever found yourself doing some hurried hacking with the "unthinkable" happened? Or been called out to bodge your way around someone else's cock-up? Share you story of unexpected weekend working with an email to On Call. ®"

s/with/when/;

Well, yes, actually.

This sounds a lot like working (with|for|despite|in utter exasperation of) HMRC, "Making Tax Digital", some REALLY ropey software that I could mention and HMRC's very nebulous concept of a "Digital Link".

I won't be sending you an email about it, though, because Google will just reject it.

Whenever I send email to The Register, it gets rejected.

The DSN says my Gmail account is disabled.

I *have* mentioned this before.

I've never had a Gmail account.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

sitta_europea

How come the users of certificates let this certificate maintenance thing get so messy?

Shopped recently in a small online store? Check this list to see if it was one of 570 websites infected with card-skimming Magecart

sitta_europea

Glad I've been dropping every packet from AS16276 all these years...

/sbin/iptables -A immediate_tarpit -s 5.135.0.0/16 -m comment --comment "OVH" -j DROP
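The rule above drops a single /16, but an AS such as OVH announces many prefixes, so in practice you keep a prefix list, generate the rules from it, and have a way to check that a given source address really falls inside the set before you rely on the rule to catch it. The script below is an added example and is not code from the original post: the prefix list is a constructed sample rather than a real AS16276 announcement list, the chain name immediate_tarpit is taken from the post, and the script prints the iptables commands for review instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Builds DROP rules for a prefix
# set in the poster's "immediate_tarpit" chain and checks addresses against it.
# The prefixes are a constructed sample, not a real AS16276 announcement list.
OVH_PREFIXES="5.135.0.0/16 5.196.0.0/16 37.59.0.0/16 46.105.0.0/16"

# ip4_to_int A.B.C.D -> the dotted quad as a 32-bit integer, printed on stdout
ip4_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*};  r=${r#*.}
    c=${r%%.*};  d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/BITS -> exit status 0 if IP lies inside the prefix, 1 otherwise
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0          # /0 matches everything
    # Top $bits bits set, truncated to 32 bits (shell arithmetic is wider).
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# in_blocklist IP -> exit status 0 if any prefix in OVH_PREFIXES contains IP
in_blocklist() {
    for p in $OVH_PREFIXES; do
        in_cidr "$1" "$p" && return 0
    done
    return 1
}

# emit_rules -> one iptables command per prefix on stdout, to be read before
# piping into sh. Assumes the chain already exists and is reached from INPUT:
#   iptables -N immediate_tarpit && iptables -I INPUT -j immediate_tarpit
emit_rules() {
    for p in $OVH_PREFIXES; do
        printf '/sbin/iptables -A immediate_tarpit -s %s -m comment --comment "OVH" -j DROP\n' "$p"
    done
}

# Usage: sh blockcheck.sh 5.135.12.34 8.8.8.8
# Prints, for each address given, whether the generated rules would drop it.
for addr in "$@"; do
    if in_blocklist "$addr"; then echo "$addr: DROP"; else echo "$addr: pass"; fi
done
```

Run it with a few addresses from your mail or web logs to confirm the list covers what you think it covers, and only then run emit_rules | sh. Matching in the shell is done with the same mask arithmetic netfilter uses, so an address that passes in_blocklist here is one the -s match will catch; the script does nothing about the AS's IPv6 ranges, which need separate ip6tables rules.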

sitta_europea

Re: I won't shop at a small site

"I've had too many friends with funds either frozen for months or outright taken by Paypal to ever trust them."

Yeah, me too. They just took my money and it wasn't enough to make it worth the hassle of getting it back.

Fucking thieves.

It’s happened again: AT&T sued for allegedly transferring victim's number to thieves in $1.9m cryptocoin heist

sitta_europea

Re: I have questions...

"...why the hell does anyone trust this crap?"

Good God! I've been sayin' it. I've been sayin' it for ten damn years. Ain't I been sayin' it, Miguel? Yeah, I've been sayin' it.

Nothing fills you with confidence in an IT contractor more than hearing its staff personal records were stolen by ransomware hackers. Right, Cognizant?

sitta_europea

Re: It's not 'toxic waste' if you can't be paid without it.

"The employer needs all that info for payroll, pension, medical insurance, reduced-cost loan schemes (bike or car purchase schemes, forex), and all the other interactions between employer and employed. ..."

Yeah, but the employer does NOT need to keep it all on a poorly secured Internet-facing system.

Speaking as an employer, we keep stuff like that in (locked) filing cabinets in the office, and the only things of that sort that we put on the computers are the things that our certifiably insane government insists that we keep on the computers. Which, unluckily, seems to be more and more and more and more, as more and more idiotic ideas keep coming - primarily from HMRC, who couldn't find their collective arses with their hands tied behind their backs.

Chrome extensions are 'the new rootkit' say researchers linking surveillance campaign to Israeli registrar Galcomm

sitta_europea

I once tried to get both ICANN and Nominet interested enough in the criminal activities which they facilitate to do something about it.

What a waste of time that was.

Kinda goes without saying, but shore up your admin passwords or be borged by this brute-forcing botnet

sitta_europea

People still use Wordpress?

Now we know what the P really stands for in PwC: X-rated ads plastered over derelict corner of accountants' website

sitta_europea

Re: missing major issues when auditing companies

"... blames a "rogue employee", strikes a deal with a gov, ..."

The UK's National Enterprise Board funded my startup's expansion when it was four people in John's attic in Eynsham and ten thousand turnover, and wanted to take its profits now it was twenty-four people in a rented unit round the back of Tesco's on Cowley Road and a million turnover.

In the heady days of 1981, people were saying that the riskier the project sounded, the more likely a public offering was to succeed on the Denver penny stock market. But I called out my fellow directors for trying to scam investors in our planned flotation. By now I was the only one left of the original four, and the new guys were going to claim in the prospectus that our company was projecting sales of more than twice (what I never tired of telling them was) our production capacity. It wasn't really about what we could make, it was about what components were available on the world market to make the products with. There just wasn't enough of one particular part to make what they were claiming we would make, and ramping up production at the (two) suppliers would take many months, if not a few years, because they were sensible and they weren't about to throw all their eggs in this particular upstart's basket.

I refused to sign up to it. I was the only one who said "No, this isn't right, we can't do this".

I was standing up against seasoned business types in their forties, fifties and sixties (some were flying around on Concorde doing what they called "due diligence", but in reality just racking up huge expense account bills) and one of the big five accounting firms you've all heard about - the one that surrendered its licenses in 2002, as it happens. I was twenty-eight, and living in a caravan while I was building a house in my spare time. It nearly cost me my sanity.

Eventually, after a showdown, threats against my property, my resignation, and ultimately a front page headline in the Rocky Mountain News about an investigation by the SEC (incidentally that was the first fax that I ever saw), the public offering did not go ahead.

It did cost me my dreams, and a small fortune, but I kept my integrity.

Unrepentant, the guy representing NEB said to me later, "What if it had worked, Ged?"

Nothing, as far as I can tell, has changed since 1981.

Android trojan EventBot abuses accessibility services to clear out bank accounts – fortunately, it's 'in preview'

sitta_europea

Re: "The human link is the weakest link in cyber security"

[quote]

A common mistake is to assume you need access to your bank on your phone when access through a desktop or laptop might be all you really need for monitoring and paying bills.

[/quote]

An even commoner mistake is to have any online access to your bank at all.

IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report

sitta_europea

Re: Hackerone is part of the problem

No repetition of this sentiment is too much for me.

I gave up trying to get any sense out of anyone at hackerone a couple of years ago.

Me: "I've found this problem and it affects three hundred sites that I looked at."

Hackerone: "Thank you for the report, please open three hundred tickets."

Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

sitta_europea

Single sign-on?

But I DON'T WANT a single sign-on.

Really I don't.

I want a lot of different sign-ons, so that when one gets compromised the rest are not compromised.

It's called a 'system', and it's what anyone has to have if they want to call themselves 'organized'.

Uncle Sam tells F-35B allies they'll have to fly the things a lot more if they want to help out around South China Sea

sitta_europea

[quote]

The F-35B continues to be the only modern fighter jet capable of operating from Britain's two new aircraft carriers, HMS Queen Elizabeth and HMS Prince of Wales.

[/quote]

Is there a white elephant in the room?

Antivirus hid more than 9,000 'cybercrime' reports from UK cops, says watchdog

sitta_europea

But even if they manage to fix their anti-virus, they'll still be plonkers.

Would you open an email from one Dr Brian Fisher? GP app staff did – and they got phished

sitta_europea

As others have pointed out it seems clear that Dr. Fisher's account was compromised.

I don't know where the MITM thing came from but at first glance it doesn't look to me like anything so technical as that.

If there were almost a million computer misuse crimes last year, Action Fraud is only passing 2% of cases to cops

sitta_europea

More like INaction.

A cautionary, Thames Watery tale on how not to look phishy: 'Click here to re-register!'

sitta_europea

So I have to re-register so they can send me a bill?

Oh, quick! Where's my, er, where did I put... dammit why can't you find a computer when you really need one?

Some fokken arse has bared the privates of 250,000 users' from Dutch brothel forum

sitta_europea

One thing the hackers seem to forget is that they're vulnerable to hacks too....

Remember the FBI's promise it wasn’t abusing the NSA’s data on US peeps? Well, guess what…

sitta_europea

The creatures outside looked from pig to man, and from man to pig, and from pig to man again; but already it was impossible to say which was which.

Twitter: No, really, we're very sorry we sold your security info for a boatload of cash

sitta_europea

Whenever ANYONE asks for my phone number I tell them to EOn-Off.

£99,999, what's your emergency? Paramedics rush to OAP's aid after shock meter reading

sitta_europea

[quote]After finding their best offers required a SMETS meter, I nearly kept my account of 14 years good standing with Eon.[/quote]

My wife put it best. She said "Eon can Foff!"

Thanks to all those tax dollars, humans can now hear the faint sounds of earthquakes on Mars

sitta_europea

That's the first time I've ever heard sounds from another planet.

Awesome.

"... bang the rocks together, guys!"

Astroboffins spy the most ancient protocluster of galaxies yet found post Big Bang

sitta_europea

Very soon we should be able to infer what's beyond the bounds of the visible universe by looking at the motion of things which aren't.

That will be fun.

The D in Systemd is for Directories: Poettering says his creation will phone /home in future

sitta_europea

Re: Good encapsulation, Dr S

[quote]

SystemD is fucking useless.

[/quote]

No, I'm sorry to contradict you but that's just plain wrong.

SystemD is WORSE than fucking useless, it's a fucking liability and I uninstall the fucking thing every chance I get.

Several months after the fact, CafePress finally acknowledges huge data theft to its customers

sitta_europea

If you're worried that your personal details have been compromised, here's a link to the Equifax Website...

How much pass could LastPass pass if LastPass passed last pass? Login-leaking security hole fixed

sitta_europea

What fuckin' idiot had the idea of using fancy software to secure passwords anyway?

D-Link, Comba network gear leave passwords open for potentially whole world to see

sitta_europea

You can buy good kit from crap suppliers.

You can even buy crap kit from good suppliers.

But do not buy crap kit from crap suppliers.

India's Chandrayaan-2 and Vikram lander split amicably above Moon, SpaceX hops over Texas

sitta_europea

[quote]

Can someone explain these numbers to me? This looks like a distance being recorded as an area. What am I missing?

[/quote]

Basically all orbits are ellipses.

https://en.wikipedia.org/wiki/Elliptic_orbit

Clutching at its Perl 6, developer community ponders language name with less baggage

sitta_europea

If you've had any exposure to Perl, you've probably heard of Tom Christiansen.

Twenty years ago, I wrote the letter below to him. He was kind enough to suggest that I write more.

Well I'm still coding in Perl now, more or less all day every day.

I'm not sure that was what he meant. :)

8<-------------------------------------------------------------------------

Date: Thu, 18 Nov 1999 23:46:19 +0000 (GMT)

From: "G.W. Haywood" <xxxxxxx@xxxxxxxxxxxxx>

To: Tom Christiansen <xxxxxxx@xxxxxxxxxxxxx>

Subject: Re: using function prototypes w/ mod_perl.

Hi there,

If pressed, I'd admit I'm a C programmer.

I probably speak C as well as I speak English, having been at it since it was invented.

Yes, I'll admit I'm over 40. Well over.

C has got better over the years. To start with the compilers were a bit dodgy and the linkers didn't know about type.

Now that's all sorted out you can write code knowing that if you pass a string to a function that's expecting a double you'll never get it past `make'.

As a result, some of my programmes have been running for over a decade without stopping.

Some of my code sits monitoring nuclear reactors and patients in hospital laboratories.

My financial well-being is tied to my proficiency in C because my software currently sends out invoices for any of the 120,000 products that I now sell to a sizeable portion of my 18,000 customers, daily.

It tells me who owes me money, how much, since when, and where I must go if necessary to get it from them.

Sometimes it's necessary.

It has to work. If I need a program that's bullet-proof, that will take absolutely anything that's thrown at it, then I will pull out my trusty old C libraries and get coding.

When it's finished, a hyperactive kitten jumping on the keyboard will result in nothing more sinister than a couple of bleeps.

Such extreme duress might possibly cause an invoice to be printed that should not have been printed, (although it wouldn't make it out of the door), but it definitely wouldn't put an entry in the error log.

In short, I believe in C because I've been at it for 25 years.

Well, I'm new to perl. About 18 months now. You'd think I'd hate it because it's such a completely different thing from C, but, I don't.

I love it. I can do things in perl in twenty minutes that would take hours in C, if it were realistic even to consider coding them that way.

What will it be like when I get to be competent?

When I talk to that absolutely fantastic interpreter it talks back to me, telling me where I made silly mistakes, sometimes showing me a better way to do it, holding my hand as I stumble along.

At 400MHz, it's quick enough.

Would I convert any of my hardcore financial stuff to perl?

Would I put perl in a diagnostics laboratory? On a reactor?

Never.

But would I mess about with C to get something running on our Website? Why bother?

There are so many things waiting to go wrong between the user's browser (which is probably a M1croS0ft product so it will almost certainly crash within the next ten minutes or so)

and my servers (which probably will not survive even the most ham-fisted of attempts by a second-rate undergraduate to gain illegal access) that the idea of my writing a Robust Piece Of Code to do something as mundane as serving pages is simply laughable.

The Web is moving so fast I'm sure that if I try to do what I need to do in a language like C, I'll never catch it. So I say let's get it done, make a few bob, and on to the next job.

Tell your C programming friends that function prototypes are for people in air-traffic control and petrochemicals.

If they're really fussy, tell them they should be looking at RTL/2 anyway. Tell them what the p in perl stands for. It doesn't stand for `prototypes'.

Kind regards,

Ged.

8<-------------------------------------------------------------------------

Behind time and way over budget, but the James Webb Space Telescope has finally been put together

sitta_europea

Well, all that's left to do now is sit the fucking thing on top of five hundred tons of explosives, and set light to it...

GIMP open source image editor forked to fix 'problematic' name

sitta_europea

Re: Eh?

"mutt, git, grub, and there are surely many more self-deprecating names. It's a bit of a tradition. ..."

Then of course there's "Windows".

I guess by now you'll have noticed which one was the most successful...

Disgruntled bug-hunter drops Steam zero-day to get back at Valve for refusing him a bounty

sitta_europea

I thought steam was the stuff that came out of my kettle when it's ready to make my tea.

Canonical adds ZFS on root as experimental install option in Ubuntu

sitta_europea

Re: Running ZFS on Linux and Mac for years without problems

"We've happily based our data storage (but not root filesystems) on ZFS since 2016 [detail snipped]"

That was very useful. Thank you.

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

sitta_europea

[QUOTE]

But... but... Google designed HTTP/2 to be secure!

[/QUOTE]

Given the list of CVEs I'm not sure that there can even have been a requirements specification.

Seems to me that some^H^H^H^Heverybody in the design department needs to go back to school.

US still 'not prepared' in event of a serious cyber attack and Congress can't help if it happens

sitta_europea

They always come out with this same old crap at these conferences.

I don't care what they say at the conferences, they aren't listening.

I've been banging on about specific, easily fixed issues for YEARS and the same, specific, easily fixed issues are STILL THERE.

Xbox daddy bakes bread with 4,000-year-old Egyptian yeast

sitta_europea

Re: Eh?

"There is no discernible difference ... except that gawd/ess-awful monster of a plug you lot are inexplicably in lust with ... "

It's not inexplicable, but I won't bore you.

Chap uncovers privilege escalation vuln in Steam only to be told by Valve that bug 'not applicable'

sitta_europea

I tried talking to hackerone.

Waste of time.

How powerful are Russian hackers? One new law could transform global crime operations

sitta_europea

What they gonna do 'bout the root nameservers?

Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts

sitta_europea

Nah, I believe everything they say.

LAPD loses job applicant details, Project Zero pokes holes in iOS, AWS S3 whack-a-mole continues, and more

sitta_europea

"Even if you pay for a service (say office 365), your data is still being stored, analyzed and sold."

And if you DON'T pay for the service, probably the only reason for it to exist is to sell your data.

Last month I signed up to a free Excel forum. Within a couple of days I was getting spam from domains at the hosting company that hosts the forum, and in a couple more days from elsewhere on the planet -- all to the spamtrap that I'd set up for it. }:-)

https://www.mrexcel.com/forum/excel-questions/1104708-cannot-run-macro-add-post5317833.html#post5317833

Our hero returns home £500 richer thanks to senior dev's appalling security hygiene

sitta_europea

I have some interesting tidbits for Oncall. One of them is even about The Register.

But I can't relate them, because Google rejects all the mail I send to The Register with

"The account [sender email address] is disabled."

Of course I've never had an account [sender email address] with Google, so that might, er, account for it.

Pi in the sky as ESA starts testing encrypted comms on International Space Station

sitta_europea

If it works when you keep the keys on the ground, why not, er, keep the keys on the ground?

Outraged Virgin slaps IP trolls over dirty movie download data demands

sitta_europea

Anyone who actually reads the judgement will see that neither side's lawyers exactly covered themselves in glory.

In particular it is quite wrong to say that Virgin's lawyers saw anybody off. If anybody did that, it was Counsel for the Applicant.

The judge presented a (characteristically) clear judgement. It's unarguable.

This must have been a pretty expensive waste of everybody's time.

Don't you just love the Internet?

Fix LibreOffice now to thwart silent macro viruses – and here's how to pwn those who haven't

sitta_europea

Debian user here - still on version 5.

He's coming for your floppy: Linus Torvalds is killing off support for legacy disk drive tech

sitta_europea

I had to use a 3.5" floppy at the weekend to load DOS onto a machine that had just died.

I still have brand new 5.25" and 8" floppies in stock if anybody wants some.

City-obliterating asteroid screamed past Earth the other night – and boffins only clocked it just 26 hours beforehand

sitta_europea

Let's try to put this into some sort of perspective.

For billions of years it's been Out There, taking its careful aim at us.

It's going 88,500 km per hour, and it missed us by 72,000 km [*].

So it missed us by just under 49 minutes.

Speaking astronomically, that was definitely a bit too close for comfort.

[*]https://en.wikipedia.org/wiki/2019_OK

Backdoors won't weaken your encryption, wails FBI boss. And he's right. They won't – they'll fscking torpedo it

sitta_europea

The quality of politicians in the UK and the US has dropped off a cliff in the past 35 years or so.

You took the words right out of my pocket.

Low Barr: Don't give me that crap about security, just put the backdoors in the encryption, roars US Attorney General

sitta_europea

Do these people think that a terrorist will continue to use a service when he knows that the service has been compromised?

If they do, then the terrorist threat is a lot less scary than the fact that they're in office.

Brussels changes its mind AGAIN on .EU domains: Euro citizens in post-Brexit Britain can keep them after all

sitta_europea

For the last couple of years, every IP which tries to send me mail from .eu domains gets dropped into my TARPIT.


Biting the hand that feeds IT © 1998–2020