* Posts by mmccul

73 posts • joined 10 Sep 2017


Customers warn Gartner of AWS's high-pressure sales tactics in latest verdict on public cloud providers


Sales pressure

Gartner has a strong reputation for engaging in behavior that, if you are feeling exceedingly polite and generous, would be called high-pressure sales tactics on companies to be included in their listings as well as to "improve" their ratings. For them to warn about another company engaging in high-pressure tactics feels more than a little ironic.


Re: Public?

Gartner has credibility still?

The common factor in all your failed job applications: Your CV


Re: CV's top tips

Last time (many years ago) I was interviewing for jobs, I got asked why I wanted a given job, and I told the recruiter they needed to convince me I should take the job, I was interviewing them at least as much as they were interviewing me.

Yes, I was offered the position.

Train operator phlunks phishing test by teasing employees with non-existent COVID bonus


Re: spelling mistakes, a really obviously bad url

Actual phish emails I analyze haven't been typo-riddled in a year or more. I see more typos and grammatical mistakes in the legitimate emails.

Also, spearphishes are very often crafted quite well, including personal references.

Don't train people on the exact wrong indicators.


Re: spelling mistakes, a really obviously bad url

The standard is that any legitimate email from outside the corporate email system needs, at least three business days in advance, a warning from the appropriate group inside the company that the outside email will occur, including a description or mockup of the email to be received. If the emails are going to be regular/common, then state that in the warning email. If a response is required, then that will be highlighted in the mail system, often with a second-path warning of the coming emails that doesn't go through email, such as a notice through the supervisor.

If the email came from the corporate email system, then it was a bad test.

Modern phishing training that is any good does not talk about spelling mistakes or "obviously fake domains". They instead emphasize external sources, artificial sense of urgency and lack of corroborating emails from the official corporate email system.

Yes, I've worked at shops that implemented that rule, and it significantly cut down on the phishing damage.

US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day


Air gap can be hard

Several times, I've heard of supposedly air gapped systems that were connected to a command and control network, legitimately, which was connected to an administrative network, with all the sysadmins knowing that, but that admin network was connected to the ... and eventually, to the public network. Each link seemed appropriate in isolation, but not together, and no one realized the overall chain of links until something happened to demonstrate it.

It's not a new problem, and it doesn't have to be malicious incompetence. Air gapping a single server is easy. Air gapping a network of systems that need to talk to each other to do their primary function is much harder.

Microsoft realises constant meetings stress people out, adds Office 365 settings to cut them short or start them late


Alas, one manager I had was a triathlete. Running for a few hours would not be abnormal for them.

Microsoft president asks Congress to force private-sector orgs to admit when they've been hacked


California has almost this

California's breach notification laws are surprisingly powerful tools. Yes, there is an escape clause if the personal information was encrypted (and yes, it is defined enough that double ROT-13 doesn't count). Yes, it has to impact 500 residents of California, but it's surprisingly powerful, to the point that long before I lived in California, I had to be aware of it routinely. The long-arm clauses make even businesses that don't "exist" in the state still have to notify people of breaches, so reorganizing in Texas or Delaware doesn't protect the business.

As I understand, New York State also has similar laws, though I have not sat down and analyzed them.

I suspect that some of these companies would like to see a single federal standard breach notification law rather than state by state requirements that differ slightly in what constitutes personal information, what protections exist, etc.

Big Tech workers prefer 3 days at home, 2 in the office. We ask Reg readers: What's your home-office balance?


In my experience, your critical coworker is remote, no matter what. They may work in a different city, or even country. Twenty years ago, to deal with precisely this problem, I required a team member who was the only one in that office from my team to stop coming into the office for two weeks. The result was people stopped treating that person as the only person on the team and started working with the team as a whole.

Building socialization methods for those who work in different cities from you is important, precisely so you can have those casual bounce ideas off the wall conversations. Thinking that you can only socialize with or work effectively with those in the same office as you encourages a culture that I never have believed was sustainable.

If you're a WhatsApp user, you'll have to share your personal data with Facebook's empire from next month – or stop using the chat app


Account deleted

Well, that gave me the last bit of incentive I needed to delete my whatsapp account.

Search history can calculate better credit ratings than pay slips, says International Monetary Fund


The above is one of the most best explanations of how real world traffic analysis is done I've seen in years. Throw in some well known network security tools that have been around for many years and one can even automate #4. The larger the ISP, the fewer original requests they have to make because they can build up a profile for comparison.

US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack


Could be scarier than one might expect

Where I've seen Solarwinds implemented, the tool was often given administrative credentials to not just the networking gear to pull credentials (and restore them if they change without authorization), but also to perform discovery on Linux systems. Despite having well documented "these are the only sudo permissions needed on Linux", I see many shops just gave it full root.

Often, I was asking admins to choke down the access and there was surprise that the tool worked with less than full root.

So, yes, this is a very scary thing to me.

Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools


Re: Freely available hacking tools

Nation state actors are not one skill level. I typically divide them into three teams (A, B, C) based on my experiences observing such. The C team was nothing more than script kiddies running straight from well traceable IPs. The B team was moderate sophistication, but still detectable, nothing a high end defensive tool couldn't detect and deal with as long as my team (I was on the security team that saw the alerts and tuned the tools) was on its game.

Even targeting was distinct between them. C team was pure targets of opportunity, acting often like your normal Internet vandals in targets, distinguished by source IP and a couple other details. The B team engaged in moderate targeting, picking and choosing.

Yes, this is a simplification, but a useful one.

CentOS project changes focus, no more rebuild of Red Hat Enterprise Linux – you'll have to flow with the Stream


Re: To the surprise of no one

Outside GNOME, which I have negative interest in for a server, I haven't found anything that actually likes systemd. None of my daemons enjoy it and many don't work as well, because systemd is so hard to work with.

Oblivious DoH, OPAQUE passwords, Encrypted Client Hello: Cloudflare's protocol proposals to protect privacy


Re: Why DoH?

This is nothing but a grab for your data. I think anyone who believes otherwise is being naive. The new proposal sounds good on the surface, but I strongly suspect all that will happen is a request identifier will start being entered into the query to uniquely and persistently identify most users all the way to the end server. (And source IP is hardly the only way to build such a profile).

Outside this forum, I see no one asking for DoH. Certainly no nontechnical people, and no one who works corporate, IT or security or development. It's a bunch of web advertising companies and CDNs who want to get that valuable DNS query information from you rather than let the ISP have it.

AWS admits to 'severely impaired' services in US-EAST-1, can't even post updates to Service Health Dashboard


Re: I learned SRE at Google

Having seen what is required to reliably provide a legally mandated five-9s service, I believe that no cloud, even multi-region, multi-cloud I've looked at comes close. I've said for years that AWS delivers about 99.7% uptime, year over year. A service that needs five nines, meaning only 5 minutes of downtime (planned or not) per year? That takes a very different mindset about processes like change management, redundancy, etc.

Smaller services are more likely to deliver higher reported uptimes because there are fewer moving parts that can cause widespread failures, but *any* issue impacting the overall service impacts your availability numbers. I don't give credit for "planned" service downtime.

The rule of thumb I still teach is every nine after the first one adds a zero to your cost estimate.

Some day, I'd love a discussion/briefing on what it takes to deliver the six-nines service level.
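The arithmetic behind the nines discussion in this comment, as an added example that is not part of the original post: the single-region figure of 0.997 is the one the comment gives, while the DNS and database availabilities in the demo are assumed for illustration.

```python
"""Availability arithmetic behind the "nines" discussion above.

Added example, not from the original comment. It turns a nines figure into a
yearly downtime budget, composes availability across serial dependencies and
parallel replicas, and applies the comment's rule of thumb that each nine
after the first adds a zero to the cost estimate. All inputs are constructed.
"""
from __future__ import annotations

import math

MINUTES_PER_YEAR = 365.25 * 24 * 60


def availability_from_nines(nines: int) -> float:
    """Five nines -> 0.99999."""
    return 1.0 - 10.0 ** (-nines)


def downtime_minutes_per_year(availability: float) -> float:
    """Total outage budget per year, planned or not (no credit for 'planned')."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def nines_achieved(availability: float) -> float:
    """Continuous nines count, -log10(1 - A); 0.997 is about 2.5 nines."""
    if availability >= 1.0:
        return math.inf
    return -math.log10(1.0 - availability)


def serial(*components: float) -> float:
    """Every component must be up (DNS, load balancer, region, database):
    the availabilities multiply, so each added dependency costs you."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel(*replicas: float) -> float:
    """Up if at least one replica is up. Assumes independent failures, which a
    shared control plane or status dashboard violates in practice."""
    all_down = 1.0
    for a in replicas:
        all_down *= 1.0 - a
    return 1.0 - all_down


def cost_estimate(base_cost: float, nines: int) -> float:
    """Rule of thumb from the comment: every nine after the first is 10x the cost."""
    return base_cost * 10 ** (nines - 1)


if __name__ == "__main__":
    for n in range(2, 7):
        a = availability_from_nines(n)
        print(f"{n} nines: {downtime_minutes_per_year(a):10.3f} min/yr, cost x{10 ** (n - 1)}")
    region = 0.997                           # the comment's year-over-year estimate for one region
    chain = serial(0.9999, region, 0.999)    # assumed: DNS, region, database in series
    two_regions = parallel(region, region)   # two regions, failures assumed independent
    print(f"one region: {nines_achieved(region):.2f} nines, "
          f"with DNS and DB in series: {nines_achieved(chain):.2f} nines, "
          f"two independent regions: {nines_achieved(two_regions):.2f} nines")
```

The parallel figure is the ceiling the independence assumption allows; a shared control plane or dashboard that fails with a region pulls the real number back toward the single-region value.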

Thought the M3 roadworks took a while? Five years on, Vivaldi opens up a technical preview of its email client


Re: Fantastic

Using Thunderbird 78, I've just done this for a while.

In the search bar (^K), type in the email address of the person I'm looking for; after a few characters it suggests the person, click on that, and it brings up the filter screen of all emails involving that person. No need to create a custom smart filter temporarily if you just want emails involving an individual. Being able to quick filter in my various IMAP folders is nice as well.

End-to-end encryption? In Android's default messaging app? Don't worry, nobody else noticed either


I had to give up on Signal when messages to a group chat were sent at one time, received by a second phone within two minutes, but the third phone did not get the message until literally the next day, even though the phone in question was in use. It was just far too unreliable.

Apple now Arm'd to the teeth: MacBook Air and Pro, Mac mini to be powered by custom M1 chips rather than Intel


Re: Side note

Coming up on 25 years ago, I was doing sysadmin at a CAD shop using SDRC I-Deas Master Series (super-expensive mechanical CAD software) on HP-UX workstations (C-series was what we were moving to by the time I left, which I admit places this in time pretty well). Windows NT and AutoCAD were "for those who weren't doing serious work", but many of your points about the advantages of cloud CAD were solved way back then because every part had to be checked into a central server library. People would check out a part, work on it, and then, using the software's built-in version control, check it back in. I don't recall what the underlying VCS was, but it had the concept of formal checkout to lock a part so two engineers (as in mechanical) didn't accidentally work on the same part at the same time. The real reason we needed super-large horsepower was that at that time, the CPU and GPU requirements for the serious work were prohibitive for an Intel-based desktop to get.

Part of my job there was to retrain the engineers to actually check in their components every day and make sure they understood that any changes they failed to check in each day, they should presume that their workstation hard drives would both crash and they would lose all their work.

Too many staff have privileged work accounts for no good reason, reckon IT bods


You've reminded me of a former boss I had when I was a day to day sysadmin.

Near direct quote from said manager of sysadmins:

"If you give me an account on the servers, you get written up. If you give me root to the servers, you're fired."

The manager pointed out, they were the manager, not the sysadmin. They also didn't have the training to be safe as a sysadmin. One of the two best managers I've ever had.


Re: Employ people you trust, trust people you employ

My experience with git repos is that there is a culture in many developers of "give the world access", even to those individuals who have no legitimate reason to access the repo in question. It's a battle I'm currently fighting, that I do not need access to the git repos. My boss agrees with me. But devs repeatedly try and give me access in an effort to make me do their job for them. All because I "might need" access to the repo.


Re: .. all the access they ask for ..

I've been the person who had to explain that no, we are not going to authorize `sudo vi /etc/hosts` for a dev on production or QA (not a made up example) because that gives unrestricted root. You are absolutely correct that many times, the requester does not understand the implications of what they are asking for.

On the other hand, I've also been the person filing an access request. At one client recently, I was appointed the unofficial access requester, because mysteriously, my access requests were always approved. Maybe it was the fact that I spelled out explicitly what the business justification was, and crafted the access request to be the minimum necessary to meet that business justification. It added value to the client, and made them happy, so I was happy to take home the paycheck...
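An added example, not from either comment, that audits sudoers rules for the two problems raised here and in the SolarWinds comment above: full root where a handful of commands would do, and editors like `vi` that hand out unrestricted root. The sample sudoers text is constructed, and the editor, pager and shell sets are the usual shell-escape suspects rather than anything from the page.

```python
"""Audit sudoers rules that grant more than they appear to.

Added example, not part of the original comments. It parses the User_Spec
form "user HOST=(runas) [TAG:] cmd, cmd" and flags grants that amount to
unrestricted root: ALL, shells, and editors or pagers that can spawn a shell
(the `sudo vi /etc/hosts` case). Aliases, Defaults and includes are skipped.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Programs whose ordinary UI runs other commands (":!sh" in vi, "!sh" in less, man's pager).
EDITORS = {"vi", "vim", "view", "vimdiff", "nano", "emacs"}
PAGERS = {"less", "more", "man"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "su", "env"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "MAIL", "NOMAIL",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "FOLLOW", "NOFOLLOW"}
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias", "@include")


@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    severity: str  # "critical" = effectively root, "high" = likely escalation path
    reason: str
    fix: str


def parse_rules(sudoers: str) -> list[tuple[str, frozenset[str], str]]:
    """Return (user, tags, command) for every command in every User_Spec line."""
    text = re.sub(r"\\\n", " ", sudoers)  # join backslash-newline continuations
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.*)$", line)
        if not m:
            continue
        user, rhs = m.group(1), re.sub(r"^\([^)]*\)\s*", "", m.group(2))  # drop (runas)
        tags: set[str] = set()  # sudo keeps a tag in force for later commands in the list
        for cmd in rhs.split(","):
            cmd = cmd.strip()
            while (parts := cmd.split(":", 1))[0] in TAGS and len(parts) == 2:
                tags.add(parts[0])
                cmd = parts[1].strip()
            if cmd:
                rules.append((user, frozenset(tags), cmd))
    return rules


def classify(prog: str, args: list[str], tags: frozenset[str]) -> tuple[str, str, str] | None:
    """Severity, reason and suggested fix for one granted command, or None if it looks fine."""
    if prog == "ALL":
        return "critical", "ALL is unrestricted root", "list the exact commands the role needs"
    if prog in SHELLS:
        return "critical", f"{prog} is a shell or launches one", "grant the specific command instead"
    if prog in EDITORS or prog in PAGERS:
        if "NOEXEC" in tags:
            return ("high", f"NOEXEC stops shell escapes, but {prog} still reads or writes files as root",
                    "use sudoedit for edits, or a wrapper script with fixed arguments")
        return ("critical", f"{prog} can spawn a shell from inside the program",
                "use sudoedit for edits" if prog in EDITORS else "add NOEXEC: or wrap in a fixed script")
    if any("*" in a for a in args):
        return ("high", "sudoers wildcards also match whitespace, so extra arguments can be appended",
                "pin exact arguments or move the logic into a fixed script")
    return None


def audit(sudoers: str) -> list[Finding]:
    findings: list[Finding] = []
    for user, tags, cmd in parse_rules(sudoers):
        if user == "root" or cmd.startswith("!"):
            continue  # root is already root; negated entries are not grants
        argv = cmd.split()
        verdict = classify(os.path.basename(argv[0]), argv[1:], tags)
        if verdict:
            findings.append(Finding(user, cmd, *verdict))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
monitor     ALL=(root) NOPASSWD: ALL
dev         ALL=(root) /usr/bin/vi /etc/hosts
dev2        ALL=(root) NOEXEC: /usr/bin/vim /etc/hosts
ops         ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \\
                       /usr/bin/systemctl status nginx
backup      ALL=(root) /usr/bin/rsync -a /srv/data/ *
audit       ALL=(root) /usr/bin/less /var/log/secure
svc         ALL=(root) NOPASSWD: /usr/sbin/dmidecode, /usr/bin/cat /etc/passwd
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user}: {f.command!r}: {f.reason}; fix: {f.fix}")
```

Run against a real `/etc/sudoers` (and `/etc/sudoers.d/*`) the `monitor` style of finding is the one the SolarWinds comment describes: a tool account given `ALL` when its documented needs were a short list of commands.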

Up from the depths, 864 servers inside, covered in slime, it's Natick!


I guess this means we now have ...

reef computing?

Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding


Re: risks been shown with electronic and mass postal voting

Regarding reliable voting, the problem I've seen is not the precinct, but the tallying of multiple precincts for the official reporting of the county results. A little county in Wisconsin had their elected official refuse to allow their Internet-connected computer that did all that work to be patched, maintained, or even audited by a 3PAO. (Resulted in a bit of a scandal a decade ago; the individual was an elected official, so couldn't be fired as a result, and argued that as an elected official, they were exempt from policies to maintain the security of computers issued by others.)

Take all those per-precinct numbers, add them up on one little computer that just quietly rewrites the final results to the desired number. Tallying any individual machine won't reveal any problem, or any significant percentage of votes. Only when you look at the whole county level can you see that something messed up happened, and it only requires attacking one computer and skewing the final sums by a few percentage points.

50%+ of our office seats are going remote, say majority of surveyed Register readers. Hi security, bye on-prem


Re: Loss of human contact

Interestingly, I worked on a fully remote team for many years, ending just under a decade ago. I never met face to face any of the peers I worked with for a full fifteen years. Most of the teams in the division (several hundred people) were similar, no more than a couple people per roughly ten-person team in the same city, and significant percentages of people working full time remote from home.

The key difference was the recognition among the team that the workplace was not our personal life. I had a more active social life then than I've had ever since. I think those that desire more social interaction will find ways to do so.

As to loyalty? I believe that loyalty comes from how you are treated. When I've had a good manager who treated me well, I've felt more loyal. When I was treated as a replaceable machine cog, I didn't feel overly loyal to the company.

I cannot speak conclusively to your statements on productivity, but even the connectivity of twenty years ago is a radically different situation than the 1960s office. I question if those results are still relevant to the physical office today, or if they instead suggest that smaller focused subteams may be more productive today.

Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers


How many mishandled medical records?

I seem to recall potential criminal liabilities for the mishandling of PHI data written into HIPAA from the training I get every six months at any company that potentially handles PHI. Yes, there are a few oddities and special cases related to reporting data about COVID more precisely than HIPAA normally allows, but I seriously doubt that the college is exempt from the rules requiring strict proper handling and penalties for mishandling and failure to report such mishandling.

Ed Snowden has raked in $1m+ from speeches – and Uncle Sam wants its cut, specifically, absolutely all of it


Re: Let's make it hypothetical:

You forgot the other item which really firmed up my views. When you have a clearance in the US, if you see something non-public but problematic, or potentially illegal, there is a whole process of "here is how to report it outside the chain of command". That method gets taught as part of the background/introductory training often before the clearance is even issued. From everything I've read, it wasn't even attempted. That lack of attempt at good faith whistleblowing suggests malicious motive.

In another area as an analogy, if someone sees a security vulnerability in a product that stores medical and financial information and reports it discreetly, through the company's HackerOne account or their security vulnerability reporting system, that's generally seen as a good thing. But, if said individual instead takes that same vulnerability and tells the world and the company about it by dumping personal medical and financial data for the world to see, unredacted, would that individual be celebrated? I would hope not, even if it also exposed illegal practices by the company.

Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job


Where to get competent staff?

Since I'm interviewing candidates very regularly for a variety of different infosec roles as a part of my job, I've found that one reason for burnout is the difficulty in finding competent staff. My employer has no incentive to fail to find good candidates, but so few of the candidates sent my way am I able to give a thumbs up for more than a tier-1 secops team staff -- the kind that does nothing but pre-written instructions developed by someone else.

I've seen roles go unfilled for a year or longer just trying to find a competent low to mid level security analyst. Add in any middle to high level skill and expect more of a senior technical security role, and the time can increase even more.

Easier to burn out when people leave and are not replaced, not because management won't let them be replaced, but because no one can find anyone they feel has the skills to be worth the cost of the chair they sit in.

Keep it Together, Microsoft: New mode for vid-chat app Teams reminds everyone why Zoom rules the roost


Re: Audio rules ...

This may sound odd, but I don't want to know what they look like. Not knowing a person's appearance can reduce the risk of accidental unprofessional preconceptions. I don't even post a photo of myself on Teams or similar tools, just an avatar that does not show in any way what I look like. The only time a client objected, I removed all avatars and left it with just the default initials logo.


Re: Keep my Camera on?

Have regular meetings with people in different orgs. The security team members never turn on their cameras. The PMs usually do, until they realize that the security team people on the call won't be silently shamed into turning their camera on, and then the cameras turn off (and performance improves dramatically).

Why would I want to see people who haven't had access to a barber in at least three months and are working from a less than ideal location? I want to hear them and see the app they are sharing with the team, not an image of their face.

When open source isn't enough: Fancy a de-Googled Chromium? How about some Microsoft-free VS Code?


Re: "Replace many web domains in the source code with non-existent alternatives ending in qjz9zk"

.invalid is a better choice since it is explicitly reserved as an invalid top level domain.

Amazon declined to sell a book so Elon Musk called for it to be broken up


Look into the then equivalent publications. Privately published pamphlets and broadsheets handed out on street corners that contained outlandish accusations against political or social enemies. The only real differences are first, cost of publication has gone down for these people. It used to be a moderate expense to reach a few thousand people in a city. Now, that's a lot cheaper. Second, speed is the other difference. It can take minutes for (mis)information to spread across the country rather than days or weeks.

For fun and education, I've read some of the late 1700s pamphlets. It is quite arguable that they played a significant role in the US Revolutionary war, drumming up support, demonizing those who were seen as sympathizing with the UK. I've seen similar pamphlets advertising quack miracle cures for diseases, attacking political straw men, etc.


Re: Tell people what the goddamn guidelines are

Getting any reply at all from a traditional publisher means you probably passed a first pass review.

I'd say getting a generic "rejected" stamp is a positive sign. Someone read it enough to care to stamp and send a reply rather than just tossing it.


When I self published a couple fiction novels on Amazon, Amazon had some criteria that I was warned about that could get my book removed. I recall seeing a link to the criteria, but since my next book is nowhere near ready to publish, I'm too lazy to go back and pull it up. As a commercial entity instead of a government, unless the reason falls into a legally protected category, Amazon is free to refuse to do business with someone, and it is merely courtesy to advertise in advance the reasons for such.

As an author, one is not a consumer but a content creator entering into a contract with a distributor. That is a very different situation. There are plenty of other distribution channels one could use and Amazon does not block them even on the Kindle devices.

Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT


Re: DoH

Just checked current Vivaldi (vivaldi://flags) and it is hidden, but doable to ensure the DoH protocol is disabled, at least according to options. Without something like Burp Suite, hard to know if it is actually honored (and I'm not yet ready to waste a demo on just this test.)

Now there's nothing stopping the PATRIOT Act allowing the FBI to slurp web-browsing histories without a warrant


Re: "No it won't"

HTTPS does not encrypt the SNI at this time, so a network snoop will still know where you are going.

Stop pushing DNS over HTTPS (a privacy nightmare as others have pointed out) and realize it is actually the worst designed of the options. Literally, DoH results in lower privacy than no encryption at all, because a third party that would never have seen who you are visiting now gets that information in a nice pat log. As I keep reminding people, your ISP knows where you go just from the network traffic -- if they care so much. With that and SNI, they don't need your DNS except for pushing ads.

Microsoft doc formats are the bane of office suites on Linux, SoftMaker's Office 2021 beta may have a solution


Most technical workers I see in IT departments (network administrators, SREs, Windows administrators, etc.) cannot handle even simple markdown formatting correctly. I believe that expecting such individuals and the non-technical business analysts and finance analysts, etc. to use TeX is an unrealistic goal.

It's bad enough getting these supposedly technical people to write four coherent explanatory sentences in a text editor or email. Ask for even elementary formatting like a simple three column table, and I'm regularly asked to write it for them.

UK snubs Apple-Google coronavirus app API, insists on British control of data, promises to protect privacy


Re: "Details" are irrelevant

They don't need to steal data to monetize this. They've built a way of recording who spends time at a booth or in a particular section of a store. Then they can send those people targeted advertisements, "oh, we don't actually record this location data, your phone just calculated that it was near this advert system, and thus pulled the relevant advertisements".

Why does the message have to be just "you may have been exposed to COVID-19" instead of "buy our product"?


Re: Difficult choice

"I see you stopped by our booth on $PRODUCT recently. I realize the framework we are using to contact you was intended to track people who may have been exposed to a dangerous disease, but we decided to leverage this functionality to notify you that we are offering a sale on our product that you already said you were interested in by walking by our systems."

Microsoft decrees that all high-school IT teachers were wrong: Double spaces now flagged as typos in Word


Re: Kerning

MS Word does not change the space size after sentences.


Re: spare disk space

When I learned manuscript format for submitting writing material for possible publication, I found it interesting that the explicit format was "Times New Roman, 12 point font, double spaced, one inch margins on all sides, two spaces after sentences," and failure to follow that format would result in your submission being tossed unread by many journals. Yes, some journals were different, but that was the most common standard, and it wasn't just what the instructor taught, it was demonstrated by the specified submission guide for the various places I looked at. I would not say it is just "because the teachers were taught that."

Word was, and remains, a typographic neophyte. Word uses the same sized space between words as it does between sentences based on my testing in the common fonts (e.g. Arial, Times New Roman, Verdana, Calibri).

Canada's .ca overlord rolls out free privacy-protecting DNS-over-HTTPS service for folks in Great White North


Anti-privacy under privacy name

DNS over HTTPS is a privacy nightmare. Now, one place will see all your DNS queries, even if not intended for them. As many have pointed out, your ISP already knows where you are going just by looking at the IP headers and the unencrypted part of https requests your browser sends that includes little things like the domain name you are requesting (SNI).

I've noticed a lot of anti-privacy initiatives, like DNS over HTTPS, advertised in the name of "enhancing privacy" when really, it's just about encouraging people to log all their activity at yet another data aggregator that isn't normally in a position to capture any of the traffic at all.

The real question is not the confidentiality of DNS requests, but confidentiality of where you go. But the ISP, to route your traffic, has to know where you are going. Until https is rewritten, they always know the domain name you are requesting, even without looking at DNS queries. This is a solution in search of a problem, and considering who has been advocating it (various organizations that often make money by such), I am not convinced their motives are altruistic.
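An added example, not from the original comments, for the SNI point made here and in the PATRIOT Act comment above: a constructed TLS ClientHello is parsed the way a passive observer on the path would parse it, recovering the destination hostname without any DNS query. Encrypted Client Hello, listed among the Cloudflare proposals above, is the effort to close exactly this gap.

```python
"""What a passive observer on the wire learns from a TLS ClientHello.

Added example, not from the original comments. It builds a minimal
ClientHello with a server_name (SNI) extension and parses it the way a
network monitor or ISP middlebox would, recovering the destination hostname
without ever seeing a DNS query. All packets are constructed.
"""
from __future__ import annotations

import struct

SNI_EXT = 0x0000
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(hostname: str | None) -> bytes:
    """Constructed TLS record: one cipher suite, zeroed random, optional SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    versions = b"\x02\x03\x04"                                      # TLS 1.3 only
    extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(versions)) + versions
    body = (b"\x03\x03" + bytes(32)                 # legacy_version, random (zeros: constructed)
            + b"\x00"                               # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _server_name(ext_data: bytes) -> str | None:
    """Walk the ServerNameList and return the first host_name entry."""
    (list_len,) = struct.unpack("!H", ext_data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = ext_data[pos]
        (name_len,) = struct.unpack("!H", ext_data[pos + 1:pos + 3])
        pos += 3
        if name_type == 0:
            return ext_data[pos:pos + name_len].decode("ascii", "replace")
        pos += name_len
    return None


def extract_sni(record: bytes) -> str | None:
    """Return the SNI hostname from a TLS ClientHello record, or None for
    anything else (non-TLS data, other handshake types, truncation, no SNI)."""
    try:
        if record[0] != 0x16:                                   # ContentType handshake
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:                                  # truncated capture
            return None
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                                       # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        if pos + 2 > len(body):
            return None                                         # no extensions block at all
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT:
                return _server_name(body[pos:pos + ext_len])
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None


def observed_destinations(payloads: list[bytes]) -> set[str]:
    """The on-path view: hostnames recoverable from first packets, no DNS needed."""
    return {h for h in (extract_sni(p) for p in payloads) if h}


if __name__ == "__main__":
    capture = [                                                 # constructed "first packets"
        build_client_hello("www.example.com"),
        b"GET / HTTP/1.1\r\nHost: plain.example.org\r\n\r\n",   # not TLS, ignored here
        build_client_hello("mail.example.net"),
        build_client_hello(None),                               # no SNI: hostname not exposed
    ]
    print(sorted(observed_destinations(capture)))
```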

Welcome to life in the Fossa lane: Ubuntu 20.04 let out of cage and Shuttleworth claims Canonical now 'commercially self sustaining'


Re: @ErroneousGiant - I still don't see the purpose of WSL

It allows users like me who routinely need a POSIX *nix user environment for routine tasks to use Windows instead of a Mac. I know people who write Fortran code that they can run for testing inside WSL, but it's a lot more of a nuisance for them to run that in Windows.

Tea tipplers are more likely to live longer, healthier lives than you triple venti pumpkin-syrup soy-milk latte-swilling fiends


Fermentation is not oxidation

The article mixed up how black tea is made (fully oxidized) with how pu-erh tea is made (fermented, in some cases over many years).

(As I finished a cup of loose leaf pu-erh (vs cake or tuo cha form) while reading this article).

LibreOffice 6.4 nearly done as open-source office software project prepares for 10th anniversary


Re: I'm not so sure that options are the answer to why Office is so popular

You missed another key problem with LibreOffice. Track changes. Maybe it's improved, I don't know. But I had to give up on using LibreOffice for any usage involving change tracking. The usage model was bi-directional, I created files and sent to them for them to mark up and send back; they created files that I got, marked up, and sent to them. The changes were not reliably marked, and comments were often not coming through. Those using only Word had no issue. Oddly, docx vs odt didn't seem to make a difference on change tracking. (Sometimes I'd accidentally send them odt, which generated a warning for those using Word, but that was about it.)

I consider Word's change tracking incredibly primitive, but this is a case where it isn't good enough to work with your own product (and I wouldn't consider LibreOffice passing even that low bar on the inserted comments), you have to work with what others around you use.


Re: I think you underestimate it...

$100/year is considered highly competitive for decent automatic backup tools. O365 has more storage than most of the ones I've evaluated, better accessibility, better agent for doing the backups, etc. Oh, and you get access to the office suite as a part of that same cost.

I pay for O365 for the Onedrive storage as a remote backup service. Is it the only copy of my files? No, it's the backup, automatically maintained, and now if a family member deletes a file they didn't mean to, they don't need me to come over and show them the arcane methods to restore that one file. I don't get complaints about their computer being too slow to discover that the backup agent is taking 100% CPU, every other week.

Every remote backup service has similar terms, I just find Microsoft to have the best deal right now.

Hyphens of mass destruction: When a clumsy finger meant the end for hundreds of jobs


Re: One way to prevent accidents

: Invalid function name

I know, bash ignores that restriction that functions start with only specific characters (alphabetic, but may be alphanumeric). This is one of many reasons why you should never write shell scripts to run in bash. Use a scripting shell.

Communication, communication – and politics: Iowa saga of cuffed infosec pros reveals pentest pitfalls


Re: Due diligence

Tell that to Nixon. Couldn't he authorize a breakin in the country of the United States?

County and state are different jurisdictions, and state governments do not own county buildings.

What do you get when you allegedly mix Wireshark, a gumshoe child molester, and a court PC? A judge facing hacking charges


Re: Oh come on...

And most pentesters I've cleaned up after ignore the statement of work and agreed upon scope, definition of critical system assets, rules of engagement and do whatever they feel like anyway.



Biting the hand that feeds IT © 1998–2021