Dodgy Sandbox, eh? Well, don't Pen test without a good one or you get malware.
64 posts • joined 9 Sep 2016
Thunder, thunder, thunder... Thunderclap: Feel the magic, hear the roar, macOS, Windows pwnage tools are loose
Re: Other angles
100% reciprocal arrangement - "Err....Mr Smith, would you mind keeping an eye on this gentleman"..."Why certainly Mr Peeters, we've certainly had some concerns about that gentleman in Sint-Jans-Molenbeek for a while"..."Why James, thank you, these National Laws on surveillance are so tedious".."Don't worry old chap, we are on the ball".
Re: Wack a Mole
You know you don't have to encrypt your posts mate. I had to re-read this about 4 times and I'm still not sure if you've made a Typo - or that's what you meant to say.
"That completely ignores the issues that the doing of cryptographic engineering isn't something that pretty much the whole damned planet isn't able to pull off, and that's speaking as someone who works in that field."
If you are trying to say "It's technically not feasible to do what the 5 eyes Governments want us to" - I agree 100%.
Until the Police get some horsepower behind Cyber and it is seen for the threat it is...Senior Officers will stick to Anti-terrorism and other operationally focused roles, and so all Chief Constables in the UK will barely understand how to use Microsoft Excel to balance their Budgets.
Specialist roles will be for dead-end Inspectors seeing out their time, before retirement, and the unloved unwanted awkward officers will make up the Cyber-teams.
You need driven, motivated and highly technically competent individuals to fight this; until talented Senior Officers make the case, get the investment and drive home real change...Nothing will change, and the Criminal Safe Spaces will continue and we will be told to "report it to ACTION FRAUD"...Which should be prosecuted under the Trade Descriptions Act, and renamed "IN-ACTION FRAUD".
It's a Risk equation for the banks, and the legal defence against them doing this is a terribly dated piece of legislation...The 1990 Computer Misuse Act. Context is everything with the 1990 Computer Misuse Act - it's massively out of date and irrelevant...So 28 years ago, let's just see what the cutting edge Computer systems were of 1990.
March 1990 - Macintosh IIfx
June 1990 - Commodore releases the Amiga 3000
Nov 1990 - 1st ever Microsoft Office release
The internet was Embryonic - with the Archie FTP search engine.
The WORLD WIDE WEB - Didn't appear until 1991!!!!
Former BT manager talks about MONOPOLIES? Pot-kettle-black
So a former senior management guy from British Telecom / is now advocating "breaking monopolies"...
When in his previous work at BT, whose subsidiary "that is functionally separate" BT OPENREACH is responsible UNDER LAW and ACT OF PARLIAMENT for being the only entity authorised to connect residences and businesses to the Telco network, even if you buy through a third party Telco.
"Openreach is responsible for installing and maintaining the UK’s main telecoms network used by all telecoms providers, including BT's retail divisions. This means that Openreach does not sell phone, broadband or TV services direct to retail customers. Instead, it works on behalf of service providers (such as Sky, TalkTalk and BT) to maintain the local access network that covers retail customers."
This guy has zero credibility, but it's ok, he's no doubt on a 6 figure sum.
He's not a SPOOK whatever that is...SPOOK is a US term for a SPY....HE ISN'T A SPY!!!!!
GCHQ really isn't a SPY shop, it's an ELINT / SIGINT aka British signals intelligence agency - Yes that feeds the Intel picture, but they aren't a Field Operational Intelligence gathering unit with Spies that go to foreign fields to gather it. This endless conflation has to stop.
MI5 is not SIS (aka MI6). Neither is GCHQ the same as MI5 or SIS (MI6).
Same as...The FBI is not the CIA....The NSA is not the CIA.
Different roles, responsibilities and remits. It's fundamentally very basic, but almost no-one in the media gets it right, and so the public spout this crap.
The term Spook was obviously heard, by a writer of the series and adopted as the UK title for a series on UK Intelligence Agents. Spook is an Americanism, chiefly from the CIA for people completely off the books, no records, so not even officially recognized as an Intelligence Officer.
Maybe Europe should invest in its own capabilities? It's always giving NATO the snub nose and not meeting its treaty obligations and investment in military capabilities (happy for the US to bank-roll the defence of Europe). Then it wants an EU ARMY; I'm not sure what the logic is behind that, maybe that more Administration means more capability (though I rather suspect that left leaning Europe doesn't like the US, and its dominance in NATO makes it wince!).
British Intel is superb, the US love it, it's always after it, it's one of the reasons 5 EYES was setup - none of them are EU Countries. If Europe want to freeze us out...oh well their loss.
Hackerville is in Romania (Râmnicu Vâlcea)....Romania has been in the EU since 1 January 2007....EU does nothing. ITALY is in the EU, NAPLES run by the Camorra, anything done? NO. Breakaway secessionist elements in Catalonia...err...let's just sit this one out. Hungary ordered to open its border to let refugees through to Germany despite EU rules saying they must be processed in the 1st EU Country they arrive in.
This conflation that the EU is good at Law enforcement or provides security is utter bollocks at every level. The Belgian Police would be comical, if it wasn't for how tragic all of the cases in and around Brussels have been. I respect the French Police, they are serious and capable, but they are also (like Britain) somewhat circumspect with rules, and do what they want as they see fit (which is fair enough).
"We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi"
Albeit like slightly pedantic, gauche and "on the spectrum" deities ...The hubris in the above is palpable.
More on topic, Security has improved vastly, but the world has moved on even quicker. Relatively we are still behind, but we are still massively ahead collectively on where we were in the year 2000.
I'd personally be more worried about the number of long term pieces of kit (like MRI scanners) that are operating on WINDOWS XP machines, or VISTA, and are no longer supported.
Kit like MRI scanners are not replaced often, neither are the attached peripherals updated often with new firmware or Drivers.
It's the same with most industrial equipment with a 20 year life (like automated car production plants), using SCADA or PLC type implementations. You need micro-segmentation and other mitigations (IPSec) to try to protect this vulnerable but valuable kit; it's perfectly do-able - it's just the best Infrastructure guys work in finance / defence where the money is....Not the local Hospital.
Seems to me, you can do what you like and leak what you like in the US and they aren't bothered so long as you are part of the D.C. elite. So Snowden gets hounded around the world, Hillary gets nothing, and Comey gets nothing, not to mention the endless D.C. leaks at the tail end of Obama's presidency and the beginning of Trump's.
I would respect the US Government a little more if they consistently applied the law, and held the people's representatives and Federal Agency Senior Leadership to the same values. Until then, it will be back to blaming "Chelsea" Manning's and Edward Snowden's transgressions as outside of the law, and ignoring Hillary Clinton's and James Comey's legal transgressions under 18 U.S. Code § 641 - Public money, property or records.
The US really needs an Official Secrets Act....All this leaking is making the US a laughing stock.
*At the Crisis Management meeting deep inside the corporate headquarters*
"So as CEO, the next move is yours, which option should we go with...
Option A, Blame old legacy systems, but discreetly draw a veil around the fact we didn't invest.
Option B, Blame it on a Nation State / APT, because no one can stop a sophisticated threat, right?
Option C, Say nothing, play for time, hope it all blows over.
Option D, Pretend we are trying to fix it, and down play the impact even though we aren't sure what's been taken or how?
Option E, Give a PR statement that you haven't taken this seriously and that's why you are in this position, announce a root-cause-analysis, fall on your sword, give up your pay and bonus, apologise to customers.
Option F, Come clean, admit you didn't even know what a cyber attack was until the start of this meeting.
So what's your decision?"
CEO - "Blame the Autistic kids in IT, go with Option A, and absolve me from any responsibility. Also sack a manager in IT while you are at it, should satisfy the Plebs and get the media off our back."
I dunno...By the time it's delivered and production finished, maybe 1 Bitcoin?
On a more serious level, the supposed 37 Billion hole in MoD funding will have to be met and whole programmes will get shelved, cut, hollowed out.
When I joined the UK Military, there were 22,000 Civil Servants; when I left, 88,000. The Numbers in the Armed forces plummeted from 300,000 vs 22,000 to 200,000 vs 88,000. So the Ratio of Civvies to Service personnel went from 7/100 to 11/25....Tells a story in itself.
Nope the problem is one of integrity...Bitcoins are legitimate, the fact they are used for illegitimate purposes does not or should not invalidate them.
For example with CASH, if someone steals £1000, and then spends some of it, and then I walk into the same shop an hour later and get some change, I might end up with a £10 that was stolen. It's still legitimate currency, there is no way to tell. So as it is a "Proper" £10 note it must be honoured, or else all currency issued is illegitimate. Look at a £10, It's a promissory note - "I promise to pay the Bearer £10 sterling".
With Bitcoin you actually can trace the currency via the Ledger, so can trace it....But the problem is, it's legitimate currency too, like Cash. So if you accept payment via Bitcoin, then the currency gets "FORKED" your legitimate currency just disappeared......
Imagine if you withdrew £30 and then one of your £10 notes just faded into nothingness, leaving £20.
This is the issue with forking Crypto-currency - it's an ethical problem: if you restore the currency from the theft, you destroy the integrity of the currency system. That said, Bitcoin is a commodity, so go figure...
Re: Spoiler alert
It's also a massive risk; at least with gilts you can tie it back to a Country and its Tax base, politics, stability and relative risk, there is an accountable authority that issues the currency.
What have you got with BitCoin? No clarity at all. Satoshi Nakamoto, no one can even ID this entity in any verifiable way? Is the person even alive, did they even exist? Is it a group or collective group, who can move the Genesis block and provide the proof? Is it a giant honey pot, to track and monitor nefarious activity on the Dark Net? For Christ's sake it came off the back of "Magic: the Gathering Online Exchange" MTGOX - Nothing about Bitcoin makes any sense from an investment standpoint, and even banks are reticent to use it when you explain it to them, they just look at you slightly befuddled. Believe me, I've presented Bitcoin to C-Level execs, they get the CBC side, but they are literally like "Why would you allow something of no intrinsic value, with no guarantor on the back of it, to be a medium of exchange where we could end up wearing the losses of an eco-system that nobody really understands how or why it was built?"
I wouldn't trust anything with such a nebulous and obfuscated past.
Re: Russian planes
Inherent right of self defence - You don't phone the PM to give you permission to defend yourself.
If an aircraft is not on Airguard, has not got a Mode Charlie IFF response, is flying outside of Airlanes, flying an attack profile, and carrying weapons, transmitting on Fire-control radars etc. and breaks our Territorial limits, I guarantee that aircraft will be taken out.
As a pilot if you stand on, with any 3 of these, you are likely to be shot down - More than 3, you better have your hand on your ejector seat handle, because your ass is about to be blown out of the sky.
Re: But.... Does it actually work?
Why would JPALS be running off Civilian GPS? The whole purpose of Military GPS with P-code and (Y) encryption is to reduce susceptibility to Jamming (it's not a complete solution but it helps). But even if it did run off civilian Differential GPS, so what, it can use any base station for correction as the Ship itself can transmit its own DGPS reference signal as a station Baseline HD, which can correct for the local MSL variance on the Geodetic. Non-issue.
Re: But.... Does it actually work?
You need to evidence/ reference that because The P-Code - Precision Code is fundamentally part of the carrier signal for military GPS - as it utilizes P(Y) where (Y) is the encryption. Commercial GPS satellites cannot use/ are not authorised to use the P(Y)-code, as this was fundamentally designed as a military only precision.
Re: But.... Does it actually work?
Not true for several reasons, you need to read up on Differential GPS. Remember that "jitter" is injected into Civilian GPS, and without specific encryption e.g. the P-code you won't get accuracy above a few meters. The Military has P-code encryption so gets very accurate GPS, circa 10cm.
JPALS works off.....wait for it.... real-time differential correction of the Global Positioning System (GPS) signal specifically SRGPS (Shipboard Relative GPS). But clearly you know more about it than Raytheon, which has only been testing this system since 2001 and the ship board version since 2013 http://aviationweek.com/defense/us-navy-completes-another-round-jpals-testing
But the more significant issue is that GPS can be jammed, and in any conflict zone of any moderately advanced country (read third world and above) GPS jamming will be a thing. Hopefully there are electronically steerable antennas on the system to combat jamming.
Re: Stop trying to re-write history
That is interesting....You are saying that the IRA killing Soldiers is legitimate? But if a Soldier kills a member of the IRA is that a civilian death? Because they aren't a privileged combatant? I think you need to look at the term Combatant and how it's defined under the Laws of Armed Combat (LOAC).
Your entire position is wrong. Loyalists committing terrorism are as guilty as Republicans committing Terrorism. Some members of the RUC were guilty of colluding with Loyalist terrorists (Stevens Inquiries) and should be rightfully prosecuted.
But you cannot lump the British Army in with Loyalist Terrorists. One is state authorised, and accountable under Law; the other are Terrorists. Criminal Violence is Criminal Violence.
I find this "Large list of people, difficult to monitor all of them" trope is very like the "Nation state, nothing we can do to stop it" trope when a business suffers a cyber attack.
The reality is often different, it seems increasingly so to me, that it's a convenient position to take when awkward questions you'd rather not honestly answer come up.
I'm old and cynical, but that GCHQ/ Police Intelligence Trope does come to the fore after major Terrorist incidents, and the whole "SOCIAL MEDIA" monitoring kicks in and breaking or access to encryption usually follows...
Re: "I am prepared to trust the security forces."
If you've ever worked in Government or LEA, you'd soon realise that cock-ups happen a lot...and it's not uncommon to arrest, or even raid the wrong addresses and take people into custody and then go...."Yeah Sorry wrong John Smith, search warrant was wrong, you need to claim a new front door from your insurance".
I heard a great one from an LEA where they raided the wrong address when someone nearby had compromised a home WiFi connection....Nice.
Geographic based Policing in the age of the Internet is a joke....For everything else there's ACTION - FRAUD xD
Re: Book stores.
Whilst this is certainly true, any nefarious sort will just use other systems or open source stuff; the net result will be nefarious types will continue to use under the radar tech and carry on using technology and encryption - The rest of us, Citizens, will have our own security compromised, as the Government wants a "Skeleton Key" to everything we do, from Banking, social media, to internet searches, to looking at porn or anything else. So the net result is we don't get safer, but we all suffer more predictive data analytics based on all the data being hoovered up on us (just like Facebook or Google but with a Government spin). We won't need YouGov or ComRes, you will know what people will vote for in polls, the analytics will tell you to 98% accuracy.
Re: > After all you paid more for it.
I'd love to get some people who think this to actually do some of the jobs these people do and then judge. My CISO does 90hrs a week, and literally reads 300 pages a night...then goes to meetings about those 300 pages, goes all over the place working on X and Y and grapples with massive problems (like PSD2 implementation, GDPR etc), which if they are wrong could end up with 1500 of us losing our jobs, and 2 million customers not being served. He still does all the other stuff, recruitment etc, and his working day doesn't start until after 16:00 when he can get work done rather than go to meetings. He's on 200k a year, great you think, what if I told you every time you are on annual leave you get recalled, and you haven't had more than 3 days off in 18 months? It's easy to focus on the money, but not focus on what they do...and the sacrifices. I earn a good crust, 1/3 what he does, I can take leave when I want, never get recalled, am responsible for a small chunk not the whole...I work hard, but nowhere near his level, I'm in by 08:00 home by 18:00, no extra reading, no logging on in the evening for an extra 3 hrs.
Screen scraping is Lazy banks not addressing Legacy Technology head-on. Throwing in Middleware or trying to bolt on an API to be PSD2 compliant is not sustainable, sensible or without risk.
Banks have got to Front up the cash and sort out the problem, get it to a high level of maturity before rolling it out. The days of bolt-on, bolt-on, bolt-on, patch, botch-it, pseudo-support it, it's not a burning platform don't worry, are long, long gone.
All that said, the EU needs to be more realistic on timeframes - It also needs to acknowledge its muddled and wrong headed thinking. The idea that they would address Legacy by forcing companies to adopt APIs, and that companies would therefore buy new platforms, is akin to the idea that someone would move house if they didn't have Double Glazing....They don't move house, they just install it. Same with Banks, they don't move or migrate to a new platform, they install, botch or bodge an API over the top.....
Re: Comfortable illusions about computer security
Certificates aren't the be all and end all of security, or non-repudiation. I wouldn't advocate one technology as the only solution to one thing; it introduces single points of technological failure. It's akin to Darwinian evolution, diversity is actually good despite its inefficiencies. We want an Anti-fragile approach to our vast interconnected data networks, not fragile ones where the risk crystallizes and then exponentialises the harm as a single point of failure cascades through the system.
This ex-FBI dude is right on the money....Sharing isn't caring, partnership doesn't work beyond a certain point, Government / politics will shaft commerce for its own ends. Never share more with Law enforcement beyond what they ask for, never give your enemies ammunition to use against you and never share anything you may end up liable for. Don't trust government agencies not to share the data between other agencies. Liability is everything.
Whoa there Horsey!...."Its stinginess that breeds the necessity for this type of crime." It's a fine line between understanding motivations, and condoning criminal actions. Crime is not a necessity, it's a choice.
I would say that there is no justification, the perceived injustices / moral position being legitimate or not, are no justification in any way for Criminal activities.
Re: How long...
You really think Governments in 20 years won't control VPN access for the average citizen? Large institutions / Businesses will still be able to utilise it, but I can rapidly see the point where Governments legislate and control VPN. Commercial entities are already lobbying for it to be heavily controlled; Sky, Amazon, Netflix and others are losing out to KODI. Whether you like it or not, the Internet is about to fracture along the lines that the Internet Society.org highlighted a fair few years back. It's depressing, but inevitable: the "Wild West" years of the Internet are over and increasing governance and control, monetisation of the internet, is being exerted. Governments are learning, and if you cannot change the habits of the user, then they will shift the controls to the ISP. To be clear I'm neutral in this argument, but I can see that Governments will not stand idly by, and the ISPs are easiest to regulate and cut individuals off. http://www.ispreview.co.uk/index.php/2016/11/uk-isps-send-internet-piracy-warning-letters-early-2017.html
Re: This just got "interesting"....
Whether I want it or not, it's out of my hands isn't it? That's how the system works...jury of your peers, in an idealistic fashion. But this devotion to "Better 10 guilty men go free, than 1 innocent man be convicted" holds no water with the US conviction rate.
"In the U.S. federal court system, the conviction rose from approximately 75 percent to approximately 85% between 1972 and 1992. For 2012, the US Department of Justice reported a 93% conviction rate. The conviction rate is also high in U.S. state courts." United States Attorneys' Annual Statistical Report for Fiscal Year 2012.
The key here seems to be if you go in front of the Court, there is a 93% chance (in 2012) you will be convicted. I do not believe that US Law enforcement is that much better than anyone else. So this whole "All presumptive evidence of felony should be admitted cautiously; for the law holds it better that ten guilty persons escape, than that one innocent party suffer" ideal that many US citizens cling to doesn't seem to hold much water in the light of such a high conviction rate.
The Key problem with this subject is that people start spouting "Well because Quantum Computers can break all encryption, therefore the following holds true....." cue some logical and straight-forward reasoning that is fundamentally wrong as the initial premise is wrong.
Quantum computers are best suited for Optimization problems, classic examples being the "Travelling Salesman Problem" or TSP. Public-Private Key is likely to be problematic and not suitable in the age of the Quantum Computer, but currently it's looking likely that Symmetric keys can provide some protection and even developments like Grover's algorithm can be defeated by increasing Key-size.
Post-quantum Cryptography will only advance, if we as a community actually learn about the subject and stop using "pseudo-intellectual" rules of thumb, and general positions like "ALL ENCRYPTION IS DOOMED IN THE AGE OF QUANTUM COMPUTING". It's sensationalist, and fundamentally wrong.
Re: Banks can only do so much...
@ ANON - "Allow the user to authenticate itself in a really secure way into the device (fingerprint + some password)," that's kind of nonsense as you aren't appreciating that a Fingerprint is nothing but an Electronic signature, or a method of generating one. If there are flaws in its implementation, or ill-considered design or imperfect code (and there always is) then there is always the risk it can be tampered with, bypassed, replayed, usurped or injected.
Equally "The only thing people expect from the banks is: only give my money to other or to me, when I request/ authorize that explicitly! Simple." That's exactly what happens, other people get inside the authorisation loop, whether it's forging Cheques, or stealing passwords / PIN numbers, or passing IDV on the Phone. It's the integrity and authentication of the transactions that is key.
As a reality check, security does not exist, at best it's a simple adjective for talking about the concept of RISK. Financial Institutions deal in risk, e.g. for a Certain amount of Profit, X amount of fraud exists; consider it like waste in manufacturing. You need to factor in how much you will tolerate, and how much you will not, as by going too draconian you throw good money after bad, e.g. Why prosecute a £500 fraud, if it will cost you £250,000? Equally if it's too much the other way, you make huge losses or go out of Business.
The most interesting development is the Cipher-Block-Chaining / Public ledger architecture of BitCoin and things like Ethereum, which will make possible transactions with considerable levels of integrity built into the transactional system. Equally, utilising the future possible use of Quantum Key Encryption means that Keys will rotate if viewed by a 3rd party (e.g. Man-in-the-middle attack) and therefore make it clear to party B that party A's transaction has been intercepted. Really Cool Stuff IBM is working on....http://www.research.ibm.com/quantum/
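The integrity property the comment above ascribes to the public ledger comes from hash chaining: every record commits to the digest of the record before it, so an altered or deleted past transaction shows up as a broken link when anyone re-walks the chain against a published head hash. As an added illustration (not the commenter's code, and not Bitcoin's or Ethereum's implementation; the entry layout, the `GENESIS_PREV` sentinel and the sample transactions are constructed for the demonstration), here is a minimal hash-chained ledger in Python with a verifier that reports where the chain first breaks:

```python
# Added illustrative example (not the commenter's code, and not Bitcoin's or
# Ethereum's implementation): a minimal hash-chained ledger showing why
# altering or deleting a past transaction is detectable.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sentinel used as the "previous hash" of the very first entry.
GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Entry:
    index: int        # position in the chain
    prev_hash: str    # SHA-256 digest of the preceding entry
    payload: dict     # constructed transaction fields (from/to/amount)

    def digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content
        # always hashes identically regardless of dict ordering.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_ledger(transactions: List[dict]) -> List[Entry]:
    """Append each transaction, committing it to the digest of the one before."""
    ledger: List[Entry] = []
    prev = GENESIS_PREV
    for i, tx in enumerate(transactions):
        entry = Entry(index=i, prev_hash=prev, payload=tx)
        ledger.append(entry)
        prev = entry.digest()
    return ledger


def first_broken_link(ledger: List[Entry], head_hash: Optional[str] = None) -> Optional[int]:
    """Re-walk the chain and return the index of the first inconsistency.

    An entry is inconsistent if its index is out of sequence (an entry was
    removed or inserted) or its prev_hash does not match the digest of the
    entry before it (an earlier payload was altered). If the verifier also
    knows the published head hash, a mismatch there is reported at index
    len(ledger); that is how tampering with the *last* entry is caught.
    Returns None when the chain is intact.
    """
    expected_prev = GENESIS_PREV
    for i, entry in enumerate(ledger):
        if entry.index != i or entry.prev_hash != expected_prev:
            return i
        expected_prev = entry.digest()
    if head_hash is not None and expected_prev != head_hash:
        return len(ledger)
    return None


def tamper(ledger: List[Entry], index: int, new_payload: dict) -> List[Entry]:
    """Return a copy of the ledger with one payload rewritten in place and
    no hashes recomputed, i.e. what a naive edit of the history looks like."""
    copy = list(ledger)
    old = copy[index]
    copy[index] = Entry(index=old.index, prev_hash=old.prev_hash, payload=new_payload)
    return copy


# Constructed sample transactions.
SAMPLE_TXS = [
    {"from": "alice", "to": "bob", "amount": 5},
    {"from": "bob", "to": "carol", "amount": 2},
    {"from": "carol", "to": "alice", "amount": 1},
]

if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_TXS)
    head = ledger[-1].digest()  # what a public network would publish as the head
    print("intact:", first_broken_link(ledger, head))
    forged = tamper(ledger, 0, {"from": "alice", "to": "bob", "amount": 500})
    print("forged entry 0 breaks link at:", first_broken_link(forged))
    forged_tail = tamper(ledger, 2, {"from": "carol", "to": "alice", "amount": 100})
    print("forged last entry, no head known:", first_broken_link(forged_tail))
    print("forged last entry, head known:", first_broken_link(forged_tail, head))
    print("entry 1 deleted:", first_broken_link(ledger[:1] + ledger[2:]))
```

Rewriting any entry except the last is caught by the very next link; rewriting the last entry is only caught when the verifier knows the published head hash. That trusted head is the part a real public ledger obtains from network consensus; the chain on its own proves order and linkage, not which head is the legitimate one.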
If it's systemic then it's the Bank's fault / liability, if they have failed to conduct their business with due regard and diligence...If it's the customer giving out their Pin or Password then it's their fault.
Otherwise, we are in that space when someone leaves their front door unlocked, the Insurance company will be forced to pay out for the customers lack of due regard / Gross negligence.
If you leave your car unlocked and it gets stolen, it's on you. The problem with Cyber / e-crime etc, is that it takes a Generation for the message to hit home.
Look at Drink Driving, wearing seat belts in Car etc. It takes 30 years plus to make common knowledge common...Cyber crime is the same, there is no such thing as a NEW SCAM, just a new way of implementing an old scam.
Re: Job title....
No "Admiral of the Yellow" was the worst...
But in truth, the Royal Navy lacks critical mass.
If a Type 45 has a Navigational Accident, 16% of the UK Air Defence Destroyers are not available. Also add in the rule of 5, e.g. One Ship on deployment, One in work up, one in pieces in Refit, another getting ready for refit and another on its last legs that needs a refit.
You can quickly see, that 20 FF/DD's gives you 4 on deployment, 4 in work up/ FOST, 4 in light refit, 4 completely decommissioned and in deep refit, and the other 4 returned from Ops / on specific duties like Fleet Ready Escort etc.
It gives you a Surge capacity of about 8-9 ships, as others deployed on the far side of the world may not get to the Area of Operations, or may have to maintain current tasking.
So any navigational issue that takes another Hull out of commission means there are severe consequences downstream. It's not great, the Royal Navy is "fragile" and could not stand up to the kind of losses sustained in the Falklands, where 11 ships were damaged or sunk.
The Royal Navy is first rate, but it's becoming a bit of a Glass Cannon, in that it can hit hard, but cannot take much of a hit back.