* Posts by Kientha

43 posts • joined 17 Jan 2018

National Crime Agency says Brit teen accused of Twitter hack has not been arrested

Kientha

Re: Walk in to a zoom meeting just like that?

It's been a very easy thing to stop since late April when the issue first got media attention. There's no excuse for the court not implementing the restrictions.

Doctor, doctor, got some sad news, there's been a bad case of hacking you: UK govt investigates email fail

Kientha

Re: If the Tories General Election pledge was to NOT sell of the NHS

Well, the problem is the entire system is underpinned by the principle that you vote for an individual to represent you at the national level. That individual may belong to a party, or they may be an independent, and whoever can form the largest group of MPs is the government. The system isn't designed for the public to vote for a party or for the policies of a party. The disconnect is in how voters treat the system, where they vote for a party rather than a person, or in recent years vote for the PM rather than the individual MP or party. Simply making manifesto pledges binding would not address the underlying issue and would itself be contradictory. Instead, you would need a system akin to proportional representation with binding pledges and an independent body to assess this, which has its own downsides.

Kientha

Re: If the Tories General Election pledge was to NOT sell of the NHS

No, because manifesto pledges aren't binding.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

Kientha

If you click on the certificate details (click on the padlock), an EV certificate will say "Issued to: *Company name*".

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too

Kientha

Re: Is there any advantage left by using commercial certs?

Also, even when they did show up differently, when was that remotely useful to the end user? Especially when many sites had a different name in their EV certificate than their website was actually called.

Adobe about to pull the plug on Creative Cloud freebie 'at-home' access for students

Kientha

Re: Are Adobe products the only ones ...

Serif's Affinity suite is an affordable non-subscription alternative to Photoshop. It offers most of the functionality you get out of Photoshop, but you then don't have the extensive range of add-ons Photoshop gives you access to, and there are a few more niche features not in Affinity Photo.

Windows Server to require TPM2.0 and Secure boot by default in future release

Kientha

Re: Well now....

Even PLCs that can be controlled remotely rarely work as well as having the local control, and that's ignoring the huge security risk that adds to your prod environment (which the manufacturers just wave away as your problem anyway).

Legal complaint lodged with UK data watchdog over claims coronavirus Test and Trace programme flouts GDPR

Kientha

Re: GDPR?

Also, the UK government had committed to retaining GDPR or something functionally identical to it despite Brexit.

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Kientha

Anyone can have a bad day and click on something they shouldn't have especially if under pressure or a phishing email looks like something they were expecting. It also doesn't help that a lot of organisations have legitimate emails that really look like phishing and contain most of the traits you're told to keep an eye out for. One of our vendor partners sent me a meeting invite last week that I was convinced must be phishing but it was legitimate. Bad spelling, suspicious link, not from their usual domain, emotive language.

SAP proves, yet again, that Excel is utterly unkillable

Kientha

Re: Excel excels

Some of the spreadsheets many of the PMO people I know have to use are insane and take forever to load because a network-stored, ridiculously sized spreadsheet has grown out of something once thrown together quickly to centrally store data from emails. Some of them are also so complicated that no one knows how to fix them when they break because the person who made and hotfixed it has since moved on.

Attorney General: We didn't need Apple to crack terrorist's iPhones – tho we still want iGiant to do it in future

Kientha

Re: "no thanks to Apple"

It's like talking to a brick wall because the key policy makers can often barely use technology let alone understand it. I'm sure most of us have had to deal with similar issues either at work or with family where they can't understand why the magic box can't just do everything they want it to!

Netflix says subscriptions just boomed but tells investors it's no money heist and they should expect stranger things

Kientha

Re: How long before familes feel the pinch

Initially, private landlords were excluded from getting a mortgage holiday, but that was quickly updated so that landlords with a tenant who was unable to pay rent due to COVID-19 were able to get a mortgage holiday.

Google's OpenSK lets you BYOSK – burn your own security key

Kientha

To the oscilloscope!

Not call, dude: UK govt says guaranteed surcharge-free EU roaming will end after Brexit transition period. Brits left at the mercy of networks

Kientha

Re: 3 ....

That's because they bought the least of the 4G spectrum of any of the providers (there was a lot of controversy about the process and the merger of T-Mobile and Orange giving them a ridiculous amount of the spectrum), but they've bought more of the 5G spectrum than any operator, so they'll have much better coverage once the 5G roll-out speeds up (and you have a 5G-enabled device).

Difficult season: Antivirus-flinger Avast decides to 'wind down' Jumpshot

Kientha

Czech company, headquartered in Prague. All I can think is that they're listed on the London Stock Exchange.

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption

Kientha

Re: Let me get this right

2016. I believe it was only the case for Android 6.0+, which was still quite new at the time.

Kientha

Re: Let me get this right

When I did my XRY cert (one of the other, less worrisome mobile forensic tools, since you need the passcode for the device for it to work), it could do an extraction from an iPhone without changing any data (except what is changed by the device itself in normal operation), but Android devices had to have data changed on the device to extract data from it.

The legal side of this is done with the documentation of the steps taken and the impact that has on the device. As long as you're following a good process, they'll accept the changing of the device data as a consequence. The way XRY and other tools work prevents investigators from being able to write anything to the device while it is plugged in to the XRY box. The rest of your assurance is from the process, with exact timestamps of where the device was, etc. The police guidelines are not fit for purpose, but they're usable. XRY is also idiot-proof, whereas the other mobile forensic tools are not. As long as you can follow very simple instructions, you can use XRY.

Google scolded for depriving the poor of privacy as Chinese malware bundled on phones for hard-up Americans

Kientha

Google could refuse to allow Google Play Services to manufacturers that bundle this software with the phone in an unremovable way. The theory is that this would kill the market viability of these phones, forcing them to change it, and prevent other manufacturers doing the same thing in future. Just going after the manufacturer allows another one to start doing the same thing, and then you're playing whack-a-mole.

Kientha

Re: I feel fortunate

Those apps aren't actually installed. They're just links to install in your start menu, and you can most definitely remove them. It's only when you actually click on them that they are installed on your device. You can even remove them using group policy so that the user never even sees them! I'd rather they were not there at all, but it's something completely different from what is happening with Android devices.

Hold my Bose, we can do premium: Sennheiser chucks pricey wireless cans at travellers

Kientha

Get the original PXC 550. They're very similar, still very good and can be found for half the price. The II only has very minor changes and Alexa added.

Kientha

Having used both, these are significantly better than the HD4.50. The noise cancelling works better, the microphone is actually usable for calls (I have a fairly soft voice and the HD4.50 mic just didn't work for me for business calls), they are a lot more comfortable, and one of the features I make use of is that when plugged in via USB, these headphones act as their own sound card, which makes work calls a lot simpler.

Kientha

Re: Does the noise-cancelling work without a source?

Yes. Some noise will still get through, but they make things significantly quieter without needing to be connected to a source. There's a switch on the back of the cup that can be set to Off, Device Controlled or On for the noise cancelling. Device Controlled will set it to whatever you set the noise cancelling to in software the last time it was connected to a phone, and On will just have the noise cancelling on full whenever the headphones are turned on.

Kientha

They will stay on and connected. There's an optional (by default off) smart pause feature that will pause music if you take the headphones off which works fine when you're sat down but not great if you're moving quickly. To actually turn the headphones off, you need to rotate the cups.

VMware warning, OpenBSD gimme-root hole again, telco hit with GDPR fine, Ring camera hijackings, and more

Kientha

Re: Ring is just the latest in a long line...

Ring supports 2FA (albeit SMS only) but relies on end users to activate it. Mandating it on end users isn't a great option currently, and if they forced you to provide a phone number, you would get a number of people complaining about that instead!

Kientha

Ring is just the latest in a long line...

I do feel a bit bad for Ring here. It seems every few months a company is hurt by widespread media coverage due to credential stuffing that isn't really their fault. Spotify comes to mind as one who regularly gets reported as being "hacked" when really it's just reused leaked passwords. But because the media don't understand security, Ring gets a load of bad press in a period I'm sure they were relying on sales in, because of end user error. Yes, what these idiots have done is horrible, but that doesn't mean Ring is to blame (for once).
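The credential-stuffing pattern the comment above describes (leaked username/password pairs replayed against many accounts, with a handful of successes) has a recognisable shape in authentication logs that is different from a brute-force attack on a single account: one source tries many distinct usernames with one or two attempts each. The following is an added example, not code from the comment or from Ring or Spotify, that runs a simple sliding-window detector over constructed log lines. The log format (`timestamp src=IP user=account result=OK|FAIL`), the thresholds and the IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format, not real service data).
# 203.0.113.5 sprays eight different accounts once each (stuffing shape);
# 198.51.100.9 hammers one account three times (brute-force shape).
SAMPLE_LOG = """\
2019-12-12T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-12-12T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-12-12T10:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2019-12-12T10:00:03Z src=203.0.113.5 user=dave@example.com result=OK
2019-12-12T10:00:04Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-12-12T10:00:05Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-12-12T10:00:06Z src=203.0.113.5 user=grace@example.com result=FAIL
2019-12-12T10:00:07Z src=203.0.113.5 user=heidi@example.com result=FAIL
2019-12-12T10:05:00Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-12-12T10:05:30Z src=198.51.100.9 user=alice@example.com result=FAIL
2019-12-12T10:06:00Z src=198.51.100.9 user=alice@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Parse the assumed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_attempts_per_user=2):
    """Flag source IPs that, within `window`, hit many distinct accounts with
    few attempts per account. Returns {src: {"distinct_users": n, "successes": [...]}}.
    A single account retried many times is *not* flagged here; that is the
    brute-force case, which needs a per-account rule instead."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            attempts = defaultdict(int)
            for _, user, _ in current:
                attempts[user] += 1
            if (len(attempts) >= min_distinct_users
                    and max(attempts.values()) <= max_attempts_per_user):
                # accounts that logged in successfully during the spray are the
                # ones whose reused password is now known to the attacker
                compromised = sorted({u for _, u, r in current if r == "OK"})
                alerts[src] = {"distinct_users": len(attempts),
                               "successes": compromised}
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"successful logins on {info['successes']}")
```

The useful output is the `successes` list: those are the accounts whose reused password worked, so the response is a forced reset and 2FA prompt for them rather than a "the service was hacked" headline. Tune `min_distinct_users` and `window` to the service's normal traffic; a shared NAT or corporate egress can legitimately present many users from one IP, so in production you would also key on user-agent or device fingerprint, not the source address alone.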

Try as they might, ransomware crooks can't hide their tells when playing hands

Kientha

100% this. If you haven't looked at the changes to endpoint protection over the past couple of years, it's something I'd seriously recommend. The market has shifted (and is still shifting) quite significantly, with the big players changing around and Microsoft ATP really shaking things up. Then you have newer players like Elastic (previously Endgame) offering very different solutions, both in pricing and offering, that didn't even exist a couple of years ago but have a real chance of knocking the long-time players off the top spots in the market!

UK Info Commish quietly urged court to swat away 100k Morrisons data breach sueball

Kientha

He wasn't a contractor. He was an employee, and the process mandated by KPMG involved Skelton copying the data to and from USB keys.

Kientha

His job was not to analyse it. His job was to prepare it to send onward to the external auditors (KPMG). Their (KPMG-mandated) process required the data to be put on a USB. Skelton copying the data to a USB wouldn't have raised alarm bells even if they had detected it, because it was a component of his job.

Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers

Kientha

Re: If only...

And would have been able to attempt to reclaim that money from Skelton along with the costs of retrieving the money from him. Legally, the case is really interesting on the second element more than the first. If someone commits a criminal act that has a significant relation to their job role but is clearly not a function of their job, can their employer be held vicariously liable for that act? Does that count as the one continuous act required for vicarious liability?

Kientha

Morrisons were following the guidelines they were told they had to implement by KPMG. The ICO said the only other thing they could have done was have tools in place that would have alerted them that Skelton had copied the data on to an unencrypted USB, which, because of the job he held, would not have raised alarm bells quickly enough to prevent the leakage of the data. Skelton's entire job was handling sensitive data. They did not do anything worth being fined for under the DPA or GDPR.

Kientha

Re: Resistance is futile

Yep, it was Skelton's job to send the financial data to KPMG. He had a business need to process that data. The process that KPMG told Morrisons to use involved putting that data on an encrypted USB. If they are held accountable for the actions of an employee breaking the law entirely out of a want to damage his employer for punishing him when he broke the rules, that has significant negative implications for all UK businesses and is giving Skelton exactly what he wants!

Trend Micro: Our super-duper security software will keep you safe from everyone – except our staff who go rogue

Kientha

Re: AV and similar software just increases your attack surface...

Also, no matter how well trained or intelligent someone is, they can have an off day where they slip up and click on something they shouldn't. Endpoint software is so much more than just an AV provision, so that when someone does slip up, and they will, the right action can be taken and the company protected as well as it can be.

Yes, TfL asked people to write down their Oyster passwords – but don't worry, they didn't inhale

Kientha

Re: Badly designed system

It's the process when you go to a ticket office rather than at an underground top up point. They don't have direct access to the Oyster system as it's managed by TfL so their work around requires a password because they need to log in to the TfL account or create a new TfL account as a part of the process. All the guidance on how to apply the discount to your Oyster says to go to a person at an underground station which doesn't require the password.

Biz forked out $115k to tout 'Time AI' crypto at Black Hat. Now it sues organizers because hackers heckled it

Kientha

Re: Openly and fairly...

Eh, most business people know of Black Hat, at least as a vague understanding. I doubt the idea was ever to sell it to anyone at Black Hat but to just be able to say they presented there to some purchasing managers who don't know better, to get them to pay up. I doubt they expected the level of backlash, hence the suit to try and reclaim the narrative. It's just a grift to pretend they have a cutting-edge product to earn quick cash from companies who want to just buy a product rather than do any real work for security.

Kientha

Re: If only...

There really needs to be a federal anti-SLAPP law at this point. You're getting more and more baseless defamation suits fighting to be heard in states without anti-SLAPP legislation, like Depp. The fact they're trying this in California is incredibly laughable, but you do see it still as a way to silence critics, knowing that they can either eat the penalty or that the threat of a lengthy suit is more than most critics are willing to deal with.

Kientha

Re: If only...

Freedom of speech in this context means that the government cannot censor you or penalise you for speaking and sharing ideas. It has limitations and is not absolute, but in general it applies to the government rather than other individuals.

Ever used an airport lounge printer? You probably don't know how blabby they can be

Kientha

Usability > Security

As already mentioned, anyone using an airport printer shouldn't be expecting any privacy for what they print. Surely this is just a classic example of how the system working and being accessible is more important than the system being secure. Even if you made the connection completely secure, what's to stop someone just grabbing it off the printer before you get there? Some printers allow you to reprint stuff stored in memory. You can't know the printer isn't capable of doing that. Anyone who prints sensitive stuff on these printers should be banned from printing things ever. Especially with how easy it is now to get machines with pens for annotating stuff for as little as a couple of hundred quid.

UK ruling party's conference app editable by world+dog, blabs members' digits

Kientha

Hi James, you seem to be confusing the Data Protection Act 1998 (replaced by GDPR) with the Computer Misuse Act 1990, which is still in effect. GDPR regards the protection of personal data and is aimed at any organisation that processes personal data. The Computer Misuse Act is the overarching "hacking" legislation of the UK.

Kientha

It's not a flaw! It's a feature!

If you look at the website of the people who they bought the app from, you'll notice that passwords are an extra £399 for all but the top tier. I'm betting they either didn't purchase passwords or didn't enable them. The fact the app is available without passwords is utterly insane but not surprising.

Kientha

They could use a defence along the lines of "it wasn't me, someone else sent me the screen grabs", and unless they could prove beyond reasonable doubt that wasn't the case... But I agree with your interpretation of the CMA. It doesn't matter how you accessed it: if you didn't have permission or a reasonable belief of permission and changed data, that's the third tier.

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

Kientha

Re: "You don't outsource something that is working well."

The "Let's mark it as done because it's the deadline and we don't get paid otherwise" attitude is everywhere in the IT sphere at the moment and, in my experience, results in a massive headache further down the line after that person moves on and no one realises it hasn't been done until way too late. Then you get the confused senior managers going "But it's marked as done! Why are we spending money on it if it's done? No, if it says it is done, it must be done."

Kientha

Re: BT was going to outsource security says leaked memo.

Playing buzzword bingo was the only thing that made corporate meetings bearable. There's only so many times you can say "That's not how it works" before you just give up and know they won't be able to work out you've done things differently. I still shudder whenever someone talks about the cloud or AI. I blame the salespeople.

Wanna motivate staff to be more secure? Don't bother bribing 'em

Kientha

Re: Implement security properly

At work we have 2FA in order to access the corporate side on our work machines. This times out after 15 minutes of inactivity, so you end up having to put it in 7 or 8 times a day. It's a serious pain in the a**.


Biting the hand that feeds IT © 1998–2020