* Posts by Sebastian P.

13 publicly visible posts • joined 26 May 2017

Tech team trapped in data centre as hypoxic gas flooded in. Again

Sebastian P.

Never do this

No. Never. Unless you have received proper professional training, have the right equipment (including breathing apparatus), and it's explicitly in your job description to fight fires.

The only exception from that rule is if you need to do that to save another person. Otherwise, just get away and sound the alarm. No equipment is worth more than your health or your life.

if dev == woman then dont_be(asshole): Stack Overflow tries again to be more friendly to non-male non-pasty coders

Sebastian P.

Never do this

I still believe they're asking the wrong questions. They shouldn't be hunting for people who are disrespectful towards women. They should be hunting for people who are disrespectful towards other people, period.

Oh, you mean you assumed that only women get offended? That there are no other genders who will refrain from participating in a platform when they see that it's populated by bullies?

As I keep saying, this is not a gender problem. It's a (lack of) proper behaviour problem. Today the bullies chose women as targets, tomorrow it will be redheads, next people who wear glasses. You need to go after the root problem.

How do you make those darn code monkeys do what you want? Just give 'em a little nudge

Sebastian P.

Never do this

> "We started asking developers to think about things like monitoring and resilience"

> Yep, devs are idiots and never think about such things.

Actually, asking developers to think about such things is a very smart thing to do. Not because devs are idiots. But because devs take the requests from the requestors, e.g. The Business, who are not always cognizant of putting in requests about monitoring, resilience or security.

By explicitly telling the devs to think about such things, you put those on the requirements lists, and the devs can now work their magic to flesh out what exactly needs to be implemented.

When requirements are not specified, that's when things go bad: requestors will assume that those are "built in" by default and they don't have to bother mentioning them; devs will assume that if something was not mentioned, then it's not needed. Assumptions all around, and we all know how well those work out...

Uber: Ah yeah, we pay women drivers less than men. We can explain!

Sebastian P.

Do you have numbers to back that up? Because if you only go anecdotally, a more aggressive driving style is more conducive to having more accidents. And it is also more annoying for the other participants in traffic - a societal cost not factored in yet.

Destroying the city to save the robocar

Sebastian P.

Never do this

"Cold and rainy pretty much describes the weather in the Netherlands between October and October". There, I fixed it for you.

Fully agree with the rest, though I must say that one needs the Dutchies' upbringing in order to adopt the all-weather cycling mentality.

The NAKED truth: Why flashing us your nude pics is a good idea – by Facebook's safety boss

Sebastian P.

Now, let's ignore for a moment the limitations of the system itself (only applies to the Facebook ecosystem, seems trivial to bypass, only works if the potential victim has advance knowledge that someone wants to post pictures of them etc.).

The system will increase the risk for everyone else, by introducing new threat vectors. How long do you think it will be until we see phishing emails and fake FB "upload your nudes here" sites? How many abusive partners (or just pranksters) will make their partners think they have nude photos of them, just to make them go through the indignity of photographing themselves nude and uploading their pictures?

Furthermore, don't forget that the victims will have to take their pictures with their phones or cameras. Which often sync said pictures with PCs, NAS, clouds etc. - sometimes even without their owners realizing. So you end up with a lot more attack points from which the nude pictures can be leaked or stolen.

You solve the potential problem of some, by creating a bigger problem for more people. I'm not seeing this as an improvement.

Risk Transfer is an acceptable risk mitigation strategy only if the parties to which you're transferring the risk are cognizant of it, and able to accept it.

Logitech: We're gonna brick your Harmony Link gizmos next year

Sebastian P.

Re: Isn't that obvious?

Well, there is one reason: for the controller to download IR codes from the centralized database (as opposed to having to manually learn them from other remotes, which is a pain).

Of course, not saying that that's the ONLY reason for which they are using the connection.

Sebastian P.

Never do this

That could be an interesting solution. Do you want to obsolete your product earlier than, let's say, 5 or 10 years? Fine, you can do that, but you're obligated to make available ALL source code and tooling for compiling and installing the software on the device, so that customers can keep using and updating their devices. And no, "intellectual property" cannot be a reason for not releasing the code.

So a simple choice for vendors: you either support the products long-term, or release the code (and IP).

Seems fair to me.

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'

Sebastian P.

As is often the case nowadays, consulting companies are not always practicing what they're preaching. Which doesn't mean that what they're preaching is wrong, it only means that practicing it is more complex, difficult and costly in real life than what the consultants are telling you.

Or, to put it differently: managers of consultant organizations are quick to charge their customers for security services, but not as quick to pay themselves the security fees.

WannaCry vanquisher Marcus Hutchins pleads not guilty to flogging banking trojan Kronos

Sebastian P.

Never do this

One thing I don't get. If the USA and the UK are such great friends, with such great collaboration between law enforcement agencies, why was it necessary to have him arrested and tried in the USA? The malware he's supposed to have written had an Internet-wide effect. The FBI could have passed all the necessary information to their UK colleagues, and the trial could have been held in the UK.

Don't the Americans have confidence in the UK justice system? Or was it more important for "bragging rights" to arrest Marcus in the US, to remind the world how badass the Americans are?

Sysadmin finds insecure printer, remotely prints 'Fix Me!' notice

Sebastian P.

Re: Take it further and don't say shit - ever.

Indeed. Good intentions and good advice can get you in trouble just as quickly as (and sometimes quicker than) bad ones.

Like on The Register: post a comment with good advice, and there will be someone to criticize you (duck!) ;)

But seriously: "good" and "bad" are really a matter of perspective, and in situations like this, the perspective that matters is the system owner's.

Sebastian P.

Re: Never do this

The analogy is that you pick up (take control) of the wallet, even if just for a while. You still took it without permission, even if you return it.

And even if you just slip the paper in without taking the wallet, it's still someone else's wallet. You don't have permission either to take anything from it or to put something in it.

It's not your wallet.

Sebastian P.

Never do this

Seriously, don't. I work in IT Security and I can tell you: if you don't have a clear mandate (written request) from the system's owner, don't touch that system.

It doesn't matter if you had the best of intentions. You still broke the law. All it takes is one determined prosecutor. You don't want to roll those dice.

You want to be a hero? Fine. There are plenty of authorized bug bounty programs where you actually get paid if you find security holes.

And if you do happen to notice by accident a (potentially) vulnerable system that's not part of your scope of work, just contact the respective company directly and let them know what you observed. But don't dig into the matter any further without written permission.

To give you an analogy: if you notice someone's bag is open with a visible wallet inside, it's OK to tell them that they left the bag open and that you advise them to close it. But it's not OK to take the wallet yourself just to prove the point.