* Posts by mmccul

54 posts • joined 10 Sep 2017


Too many staff have privileged work accounts for no good reason, reckon IT bods


You've reminded me of a former boss I had when I was a day to day sysadmin.

Near direct quote from said manager of sysadmins:

"If you give me an account on the servers, you get written up. If you give me root to the servers, you're fired."

The manager pointed out, they were the manager, not the sysadmin. They also didn't have the training to be safe as a sysadmin. One of the two best managers I've ever had.


Re: Employ people you trust, trust people you employ

My experience with git repos is that there is a culture in many developers of "give the world access", even to those individuals who have no legitimate reason to access the repo in question. It's a battle I'm currently fighting, that I do not need access to the git repos. My boss agrees with me. But devs repeatedly try and give me access in an effort to make me do their job for them. All because I "might need" access to the repo.


Re: .. all the access they ask for ..

I've been the person who had to explain that no, we are not going to authorize `sudo vi /etc/hosts` for a dev on production or QA (not a made up example) because that gives unrestricted root. You are absolutely correct that many times, the requester does not understand the implications of what they are asking for.

On the other hand, I've also been the person filing an access request. At one client recently, I was appointed the unofficial access requester, because mysteriously, my access requests were always approved. Maybe it was the fact that I spelled out explicitly what the business justification was, and crafted the access request to be the minimum necessary to meet that business justification. It added value to the client, and made them happy, so I was happy to take home the paycheck...

Up from the depths, 864 servers inside, covered in slime, it's Natick!


I guess this means we now have ...

reef computing?

Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding


Re: risks been shown with electronic and mass postal voting

Regarding reliable voting, the problem I've seen is not the precinct, but the tallying of multiple precincts for the official reporting of the county results. A little county in Wisconsin had their elected official refuse to allow their Internet connected computer that did all that work to be patched, maintained, or even audited by a 3PAO. (Resulted in a bit of a scandal a decade ago, the individual was an elected official, so couldn't be fired as a result, and argued that as an elected official, they were exempt from policies to maintain the security of computers issued by others).

Take all those per precinct numbers, add them up on one little computer, that just quietly rewrites the final results to the desired number. Tallying any individual machine won't reveal any problem, or any significant percentage of votes. Only when you look at the whole county level can you see that something messed up happened, and it only requires attacking one computer and skewing the final sums by a few percentage points.

50%+ of our office seats are going remote, say majority of surveyed Register readers. Hi security, bye on-prem


Re: Loss of human contact

Interestingly, I worked on a fully remote team for many years, ending just under a decade ago. I never met face to face any of the peers I worked with for a full fifteen years. Most of the teams in the division (several hundred people) were similar, no more than a couple people per roughly ten person team in the same city, and significant percentages of people working full time remote from home.

The key difference was the recognition among the team that the workplace was not our personal life. I had a more active social life then than I've had ever since. I think those that desire more social interaction will find ways to do so.

As to loyalty? I believe that loyalty comes from how you are treated. When I've had a good manager who treated me well, I've felt more loyal. When I was treated as a replaceable machine cog, I didn't feel overly loyal to the company.

I cannot speak conclusively to your statements on productivity, but even the connectivity of twenty years ago is a radically different situation than the 1960s office. I question if those results are still relevant to the physical office today, or if they instead suggest that smaller focused subteams may be more productive today.

Please stop hard-wiring AWS credentials in your code. Looking at you, uni COVID-19 track-and-test app makers


How many mishandled medical records?

I seem to recall potential criminal liabilities for the mishandling of PHI data written into HIPAA from the training I get every six months at any company that potentially handles PHI. Yes, there are a few oddities and special cases related to reporting data about COVID more precisely than HIPAA normally allows, but I seriously doubt that the college is exempt from the rules requiring strict proper handling and penalties for mishandling and failure to report such mishandling.

Ed Snowden has raked in $1m+ from speeches – and Uncle Sam wants its cut, specifically, absolutely all of it


Re: Let's make it hypothetical:

You forgot the other item which really firmed up my views. When you have a clearance in the US, if you see something non-public but problematic, or potentially illegal, there is a whole process of "here is how to report it outside the chain of command". That method gets taught as part of the background/introductory training often before the clearance is even issued. From everything I've read, it wasn't even attempted. That lack of attempt at good faith whistleblowing suggests malicious motive.

In another area as an analogy, if someone sees a security vulnerability in a product that stores medical and financial information and reports it discreetly, through the company's hackerone account or their security vulnerability reporting system, that's generally seen as a good thing. But, if said individual instead takes that same vulnerability and tells the world and the company about it by dumping personal medical and financial data for the world to see, unredacted, would that individual be celebrated? I would hope not, even if it also exposed illegal practices by the company.

Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job


Where to get competent staff?

Since I'm interviewing candidates very regularly for a variety of different infosec roles as a part of my job, I've found that one reason for burnout is the difficulty in finding competent staff. My employer has no incentive to fail to find good candidates, but so few of the candidates sent my way am I able to give a thumbs up for more than a tier-1 secops team staff -- the kind that does nothing but pre-written instructions developed by someone else.

I've seen roles go unfilled for a year or longer just trying to find a competent low to mid level security analyst. Add in any middle to high level skill and expect more of a senior technical security role, and the time can increase even more.

Easier to burn out when people leave and are not replaced, not because management won't let them be replaced, but because no one can find anyone they feel has the skills to be worth the cost of the chair they sit in.

Keep it Together, Microsoft: New mode for vid-chat app Teams reminds everyone why Zoom rules the roost


Re: Audio rules ...

This may sound odd, but I don't want to know what they look like. Not knowing a person's appearance can reduce the risk of accidental unprofessional preconceptions. I don't even post a photo of myself on Teams or similar tools, just an avatar that does not show in any way what I look like. The only time a client objected, I removed all avatars and left it with just the default initials logo.


Re: Keep my Camera on?

Have regular meetings with people in different orgs. The security team members never turn on their cameras. The PMs usually do, until they realize that the security team people on the call won't be silently shamed into turning their camera on, and then the cameras turn off (and performance improves dramatically).

Why would I want to see people who haven't had access to a barber in at least three months and are working from a less than ideal location? I want to hear them and see the app they are sharing with the team, not an image of their face.

When open source isn't enough: Fancy a de-Googled Chromium? How about some Microsoft-free VS Code?


Re: "Replace many web domains in the source code with non-existent alternatives ending in qjz9zk"

.invalid is a better choice since it is explicitly reserved as an invalid top level domain.

Amazon declined to sell a book so Elon Musk called for it to be broken up


Look into the then equivalent publications. Privately published pamphlets and broadsheets handed out on street corners that contained outlandish accusations against political or social enemies. The only real differences are first, cost of publication has gone down for these people. It used to be a moderate expense to reach a few thousand people in a city. Now, that's a lot cheaper. Second, speed is the other difference. It can take minutes for (mis)information to spread across the country rather than days or weeks.

For fun and education, I've read some of the late 1700s pamphlets. It is quite arguable that they played a significant role in the US Revolutionary war, drumming up support, demonizing those who were seen as sympathizing with the UK. I've seen similar pamphlets advertising quack miracle cures for diseases, attacking political straw men, etc.


Re: Tell people what the goddamn guidelines are

Getting any reply at all from a traditional publisher means you probably passed a first pass review.

I'd say getting a generic "rejected" stamp is a positive sign. Someone read it enough to care to stamp and send a reply rather than just tossing it.

Black Helicopters

When I self published a couple fiction novels on Amazon, Amazon had some criteria that I was warned about that could get my book removed. I recall seeing a link to the criteria, but since my next book is nowhere near ready to publish, I'm too lazy to go back and pull it up. As a commercial entity instead of a government, unless the reason falls into a legally protected category, Amazon is free to refuse to do business with someone, and it is merely courtesy to advertise in advance the reasons for such.

As an author, one is not a consumer but a content creator entering into a contract with a distributor. That is a very different situation. There are plenty of other distribution channels one could use and Amazon does not block them even on the Kindle devices.

Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83... with a handy kill switch for corporate IT


Re: DoH

Just checked current vivaldi (vivaldi://flags) and it is hidden, but doable to ensure the DoH protocol is disabled, at least according to options. Without something like burpsuite, hard to know if it is actually honored (and I'm not yet ready to waste a demo on just this test.)

Now there's nothing stopping the PATRIOT Act allowing the FBI to slurp web-browsing histories without a warrant


Re: "No it won't"

HTTPS does not encrypt the SNI at this time, so a network snoop will still know where you are going.

Stop pushing DNS over HTTPS (a privacy nightmare as others have pointed out) and realize it is actually the worst designed of the options. Literally, DoH results in lower privacy than no encryption at all, because a third party that would never have seen who you are visiting now gets that information in a nice pat log. As I keep reminding people, your ISP knows where you go just from the network traffic -- if they care so much. With that and SNI, they don't need your DNS except for pushing ads.

Microsoft doc formats are the bane of office suites on Linux, SoftMaker's Office 2021 beta may have a solution

IT Angle

Most technical workers I see in IT departments (network administrators, SREs, Windows administrators, etc.) cannot handle even simple markdown formatting correctly. I believe that expecting such individuals and the non-technical business analysts and finance analysts, etc. to use TeX is an unrealistic goal.

It's bad enough getting these supposedly technical people to write four coherent explanatory sentences in a text editor or email. Ask for even elementary formatting like a simple three column table, and I'm regularly asked to write it for them.

UK snubs Apple-Google coronavirus app API, insists on British control of data, promises to protect privacy


Re: "Details" are irrelevant

They don't need to steal data to monetize this. They've built a way of recording who spends time at a booth or in a particular section of a store. Then they can send those people targeted advertisements, "oh, we don't actually record this location data, your phone just calculated that it was near this advert system, and thus pulled the relevant advertisements".

Why does the message have to be just "you may have been exposed to COVID-19" instead of "buy our product"?


Re: Difficult choice

"I see you stopped by our booth on $PRODUCT recently. I realize the framework we are using to contact you was intended to track people who may have been exposed to a dangerous disease, but we decided to leverage this functionality to notify you that we are offering a sale on our product that you already said you were interested in by walking by our systems."

Microsoft decrees that all high-school IT teachers were wrong: Double spaces now flagged as typos in Word


Re: Kerning

MS Word does not change the space size after sentences.


Re: spare disk space

When I learned manuscript format for submitting writing material for possible publication, I found it interesting that the explicit format was "Times New Roman, 12 point font, double spaced, one inch margins on all sides, two spaces after sentences," and failure to follow that format would result in your submission being tossed unread by many journals. Yes, some journals were different, but that was the most common standard, and it wasn't just what the instructor taught, it was demonstrated by the specified submission guide for the various places I looked at. I would not say it is just "because the teachers were taught that."

Word was, and remains, a typographic neophyte. Word uses the same sized space between words as it does between sentences based on my testing in the common fonts (e.g. Arial, Times New Roman, Verdana, Calibri).

Canada's .ca overlord rolls out free privacy-protecting DNS-over-HTTPS service for folks in Great White North


Anti-privacy under privacy name

DNS over HTTPS is a privacy nightmare. Now, one place will see all your DNS queries, even if not intended for them. As many have pointed out, your ISP already knows where you are going just by looking at the IP headers and the unencrypted part of https requests your browser sends that includes little things like the domain name you are requesting (SNI).

I've noticed a lot of anti-privacy initiatives, like DNS over HTTPS, advertised in the name of "enhancing privacy" when really, it's just about encouraging people to log all their activity at yet another data aggregator that isn't normally in a position to capture any of the traffic at all.

The real question is not the confidentiality of DNS requests, but confidentiality of where you go. But the ISP, to route your traffic, has to know where you are going. Until https is rewritten, they always know the domain name you are requesting, even without looking at DNS queries. This is a solution in search of a problem, and considering who has been advocating it (various organizations that often make money by such), I am not convinced their motives are altruistic.
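As an added illustration of the point made here and in the earlier DoH comment (not part of mmccul's posts), this Python builds a minimal, constructed TLS ClientHello and pulls the plaintext server_name out of it, which is exactly what a passive observer on the path can read without ever seeing a DNS query; the hostnames, IPs and the deliberately minimal record layout are all constructed, not captured from a real client.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Constructed, minimal TLS 1.2-style ClientHello record (not a real client's).
    An unrelated extension is placed first so the parser has to walk the list."""
    extensions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions
    if include_sni:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                   # client_version
        + b"\x00" * 32                                # random (zeroed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent or malformed.
    Every length is bounds-checked so a truncated capture yields None, not an exception."""
    if len(record) < 5 or record[0] != 0x16:           # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:                            # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                              # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE:
            continue
        if len(edata) < 2:
            return None
        lend = 2 + struct.unpack("!H", edata[:2])[0]   # server_name_list length
        lpos = 2
        while lpos + 3 <= min(lend, len(edata)):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0 and lpos + nlen <= len(edata):
                return edata[lpos:lpos + nlen].decode("ascii", "replace")
            lpos += nlen
        return None
    return None


def observed_destinations(flows):
    """What a passive observer records per flow, with no DNS involved: (dst_ip, server_name)."""
    return [(ip, extract_sni(first_bytes)) for ip, first_bytes in flows]


if __name__ == "__main__":
    flows = [("192.0.2.10", build_client_hello("example.com")),
             ("192.0.2.11", build_client_hello("mail.example.net", include_sni=False))]
    for ip, name in observed_destinations(flows):
        print(ip, name)
```

Only the ClientHello is inspected; nothing after the handshake is decrypted, which is the whole point of the comment about SNI.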

Welcome to life in the Fossa lane: Ubuntu 20.04 let out of cage and Shuttleworth claims Canonical now 'commercially self sustaining'


Re: @ErroneousGiant - I still don't see the purpose of WSL

It allows users like me who routinely need a POSIX *nix user environment for routine tasks, to use Windows instead of a mac. I know people who write Fortran code that they can run for testing inside WSL, but it's a lot more of a nuisance for them to run that in Windows.

Tea tipplers are more likely to live longer, healthier lives than you triple venti pumpkin-syrup soy-milk latte-swilling fiends


Fermentation is not oxidation

The article mixed up how black tea is made (fully oxidized) with how pu-erh tea is made (fermented, in some cases over many years).

(As I finished a cup of loose leaf pu-erh (vs cake or tuo cha form) while reading this article).

LibreOffice 6.4 nearly done as open-source office software project prepares for 10th anniversary


Re: I'm not so sure that options are the answer to why Office is so popular

You missed another key problem with LibreOffice. Track changes. Maybe it's improved, I don't know. But I had to give up on using LibreOffice for any usage involving change tracking. The usage model was bi-directional: I created files and sent them for others to mark up and send back; they created files that I got, marked up, and sent back to them. The changes were not reliably marked, and comments were often not coming through. Those using only Word had no issue. Oddly, docx vs odt didn't seem to make a difference on change tracking. (Sometimes I'd accidentally send them odt, which generated a warning for those using Word, but that was about it.)

I consider Word's change tracking incredibly primitive, but this is a case where it isn't good enough to work with your own product (and I wouldn't consider LibreOffice passing even that low bar on the inserted comments), you have to work with what others around you use.


Re: I think you underestimate it...

$100/year is considered highly competitive for decent automatic backup tools. O365 has more storage than most of the ones I've evaluated, better accessibility, better agent for doing the backups, etc. Oh, and you get access to the office suite as a part of that same cost.

I pay for O365 for the Onedrive storage as a remote backup service. Is it the only copy of my files? No, it's the backup, automatically maintained, and now if a family member deletes a file they didn't mean to, they don't need me to come over and show them the arcane methods to restore that one file. I don't get complaints about their computer being too slow to discover that the backup agent is taking 100% CPU, every other week.

Every remote backup service has similar terms, I just find Microsoft to have the best deal right now.

Hyphens of mass destruction: When a clumsy finger meant the end for hundreds of jobs


Re: One way to prevent accidents

: Invalid function name

I know, bash ignores that restriction that functions start with only specific characters (alphabetic, but may be alphanumeric). This is one of many reasons why you should never write shell scripts to run in bash. Use a scripting shell.

Communication, communication – and politics: Iowa saga of cuffed infosec pros reveals pentest pitfalls


Re: Due diligence

Tell that to Nixon. Couldn't he authorize a break-in in the country of the United States?

County and state are different jurisdictions, and state governments do not own county buildings.

What do you get when you allegedly mix Wireshark, a gumshoe child molester, and a court PC? A judge facing hacking charges


Re: Oh come on...

And most pentesters I've cleaned up after ignore the statement of work and agreed upon scope, definition of critical system assets, rules of engagement and do whatever they feel like anyway.

How bad is Catalina? It's almost Apple Maps bad: MacOS 10.15 pushes Cupertino's low bar for code quality lower still


Re: No problems here!

Actually, iTunes works well for me -- for organizing and listening to music. The grouping feature and shuffle by grouping allows me to organize my multi-movement pieces of music correctly, listen to them in the correct order when I want, or separately when I want, without breaking albums. I have never owned an iPhone, never an iWatch, and my last iPod was discarded over ten years ago.

The mod firing squad: Stack Exchange embroiled in 'he said, she said, they said' row


Re: Is this just an English thing ?

Tell that to Shakespeare who used it in the singular.

Are you a Nim-by? C-ish language, gentler than Go, friendlier than Rust, reaches version 1.0


1977 called

It wants its whitespace sensitive languages back.

Allowlist, not whitelist. Blocklist, not blacklist. Goodbye, wtf. Microsoft scans Chromium code, lops off offensive words


Yes, because there's no such thing as green tea or white tea or yellow tea ... (okay, oolong and pu-erh aren't given color names in English typically).

I'm told that what most call black tea is referred to as red tea in some places, and black tea in those places refers to pu-erh.

Docker made itself popular with devs. Now it has to make itself essential for biz. But how? Ah ha! Pay-as-you-go enterprise features


Re: Yep. Docker Con.

You mean like the containers on mainframes used 40+ years ago?

You like JavaScript! You really like it! Scripting lingo tops dev survey of programming languages


Re: Oh dear! Nothing is perfect

The very reason I find myself willing to work with javascript comes down to two reasons.

First, I recognize it is a purpose built language, not a general purpose language. Just like awk is purpose built to stream process text files. Sure, I can use awk to calculate mathematical problems, but that isn't the design of it. Javascript is similar, in that it is designed to be used for a specific use case.

Second, because I recognized long ago that Javascript is functional first, object oriented a distant third. Even the scoping rules make more sense in that context.

I think if Javascript didn't have those first four letters in its name, no one would care about OO in it or not, except the OO zealots who insist that everything be OO, even if it makes no sense for the problem to be solved.

Encryption? This time it'll be usable, Thunderbird promises


Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

Exchange is, whether people like to admit it or not, one of the top integrated enterprise calendaring tools available. It supports plugins for various web meeting tools (e.g. BlueJeans, WebEx), and a very effective scheduling tool. It even supports managing conference rooms.

Forget the email. It's the calendar that keeps Exchange so popular with managers.


Re: That's nice dear ...

I tried Outlook. It failed the Google Calendar test, unable to display all the calendars shared with me. Thunderbird was the first client on Windows that could work with Exchange, Google, and local calendars. (On macOS, the native calendar worked).

For me, the killer app was calendar, not email. I have to be able to display all my calendars (and those of family members that are delegated to me) in one integrated view. Talking to a few of my peers, they ended up using their mobile phones for such, but given the "we own any android/iOS device that connects to our calendar" trends, that's not very attractive to me.

Mourning Apple's war against sockets? The 2018 Mac mini should be your first port of call


mini TOSLINK gone?

When I looked at it, the specs seem to imply that the combination headphone/microphone/mini-toslink port is now just a headphone/microphone port. That means my only option for digital audio output may be the HDMI port, which is a lot harder to split into two channels to send into both zone A and zone B of my stereo system.

I like several aspects of the unit, but that item does concern me if confirmed.

Of course, my late 2014 mac mini shows no sign of needing replacement any year soon, so by the time I do replace it, Apple may have another unit out, and my (already ten year old) stereo may be ready for a replacement as well.

If you have to simulate a phishing attack on your org, at least try to get something useful from it


Removing the stigma against false positive reporting is important. If you aren't reporting false positives, you aren't reporting real phishing events. Err on the side of reporting. Build that culture of acceptance to presume *any* unanticipated email with links or instructions from the outside is a phish and you'll drop your click rate significantly.

Yes, it's annoying to have to email your team and say "You will receive an email from such'n'such place. It will be about this topic. Please respond to it", but it helps.


What's the metric?

In any effort like this, one of the things a good manager wants to know is how do we measure this so we know if it is effective? What is the method to measure improvement? Number of clicks? Number of repeat clicks? As the article says, someone will always click. In one phishing training I saw, the security team member clicked on the link and was literally typing in their live username and password, "to be helpful".

I argue that the critical missing metric is time based. How long until that first report? How long until that first click? Can we get people trained to report these things quickly, alerting the trained staff fast enough that they could actually respond and block the malicious URL before the first click? It's ambitious, but it gives you a real measure of your window of vulnerability and your ability to contain the damage.
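An added example, not part of mmccul's comment, of computing the time-based metrics argued for here from a constructed phishing-simulation event log: time to first report, time to first click, whether the first report beat the first click, and how many clicks landed before and after the URL was blocked. The log, user names and recipient count are all constructed.

```python
from datetime import datetime

# Constructed phishing-simulation log for one campaign (not real data):
# (ISO timestamp, event, user). "sent" marks the moment the lure went out,
# "blocked" the moment the security team blocked the malicious URL.
EVENTS = [
    ("2020-07-01T09:00:00", "sent", "-"),
    ("2020-07-01T09:03:10", "report", "alice"),
    ("2020-07-01T09:04:45", "click", "bob"),
    ("2020-07-01T09:05:00", "report", "carol"),
    ("2020-07-01T09:11:30", "click", "dave"),
    ("2020-07-01T09:12:00", "blocked", "secops"),
    ("2020-07-01T09:40:00", "click", "erin"),        # after the block, e.g. off-network
    ("2020-07-01T09:41:00", "credentials", "erin"),
    ("2020-07-01T10:15:00", "click", "bob"),         # repeat click
]


def _ts(s):
    return datetime.fromisoformat(s)


def campaign_metrics(events, recipients):
    """Time-based (window of vulnerability, containment) and count-based metrics."""
    events = sorted(events, key=lambda e: e[0])       # ISO timestamps sort lexically
    sent = next(_ts(t) for t, kind, _u in events if kind == "sent")

    def first(kind):
        return next((_ts(t) for t, k, _u in events if k == kind), None)

    def seconds_after_send(t):
        return None if t is None else (t - sent).total_seconds()

    first_report, first_click, blocked = first("report"), first("click"), first("blocked")
    clicks = [(_ts(t), u) for t, k, u in events if k == "click"]
    clickers = {u for _t, u in clicks}
    return {
        # the two numbers the comment asks for: how fast do people report, how fast do they click
        "time_to_first_report_s": seconds_after_send(first_report),
        "time_to_first_click_s": seconds_after_send(first_click),
        # did the first report give responders a chance to act before anyone clicked?
        "report_before_click": first_report is not None
                               and (first_click is None or first_report < first_click),
        "time_to_block_s": seconds_after_send(blocked),
        "clicks_before_block": sum(1 for t, _u in clicks if blocked is None or t < blocked),
        "clicks_after_block": sum(1 for t, _u in clicks if blocked is not None and t >= blocked),
        "clicks": len(clicks),
        "unique_clickers": len(clickers),
        "repeat_clicks": len(clicks) - len(clickers),
        "reports": sum(1 for _t, k, _u in events if k == "report"),
        "credential_submissions": sum(1 for _t, k, _u in events if k == "credentials"),
        "click_rate": len(clickers) / recipients,
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS, recipients=100).items():
        print(f"{key}: {value}")
```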

Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies


Ask black hats how common black hats are...

When I've talked to companies, the executive leadership are so terrified of insider threats, so out of proportion to the actual risk, that often they create a bigger security risk by giving the security team, the very team most likely to go black hat, massive access to every piece of intellectual property in the company, even if they don't actually need that access, because security.

Then I talk to the black hats of security, penetration testers, and they talk about insider threats as the number one source of problems.

Then I sit down and look at the company, and see that the top source of risk isn't a malicious actor at all, and often isn't even adversarial, but structural due to their failure to invest in basic IT. Surveys like this aren't very useful except for fear mongering and encouraging further black hat activities by people with security jobs.

Most staffers expect bosses to snoop on them, say unions


Re: Legal Requirements??

In my experience, keystroke loggers violate the very rules that they claim to enforce because they always end up capturing passwords.

It's nothing but a black hat in a management suit trying to find a way to capture people's login credentials to corporate resources that the person who setup the logger isn't authorized to access.


Location monitoring

With companies sometimes providing corporate phones, or if you use your personal phone, requiring that they load their hooks into it that gives them administrative access to it, one of the most evil monitoring forms is 24/7 location monitoring.

Especially with personal mobile devices where many users are not aware of just how many companies market as a "feature" the ability to know where every person's personal phone is at all times and their location history.

It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all


Pen testers are not risk assessors

I've had to clean up the mess a pen tester left more than once. They create artificial flags that have nothing to do with the actual valuable data of the corporation, declaring complete success when they get to a resource that is relatively low value (not SOX, not the primary product of the company, not publicly available,...), often engage in dodgy business practices like stepping outside the confines of the test (e.g. engaging in the pen test before they're supposed to start), rarely emulate specific threat actors, often mixing techniques from one threat actor with methods used by other threat actors, completely ignorant of the actual risk profile of the organization, all in an effort to scare people to pay them more money.

In one case, the pen testers required me as a defender to actually not engage in normal defensive actions that were part of my everyday job, like blocking attackers detected through automated reports and systems. Often, pen testers are given these blank check views by requiring the security teams to temporarily disable key defensive systems, at least for the attackers' source IP block.

It's long past time to recognize that a pen test is not a replacement for an actual risk assessment that evaluates all types of risks, adversarial, structural, environmental and accidental. Management that I talk to is getting risk fatigue, where they start to see pen testers as chicken little, so the theoretical value of the pen tester, to shock management into paying attention to security, is having the opposite effect, blinding management to a more detailed and strategic view of where the security dollars can be most effectively spent to reduce the overall risk to the company.

Leave it to Beaver: Unity is long gone and you're on your GNOME


GUI is minor

The GUI changes may look big, but they're really a minor thing compared to the systemdos conversion that is rapidly approaching completion.

Gmail is secure. Netflix is secure. Together they're a phishing threat


Except to the RFCs which actually make clear that it is permitted to do such.


Re: Although...

Well, RFC 822 section 6.2.4 seems to disagree with you.


Re: "Google, however, has promoted it as a useful feature"




Biting the hand that feeds IT © 1998–2020