* Posts by Pier Reviewer

115 posts • joined 15 Feb 2018


Ethical power supplier People's Energy hacked, 250,000 customers' personal info accessed

Pier Reviewer

Re: Thought exercise

The main problem you have with this kind of thing is that if you can compromise the app you can access any data/systems the app can access. If the app needs to show you your details, it needs access to them.

One option is to encrypt at rest, but then you have the key management problem - the app needs access to the key, so an attacker that compromises the app can get the key.

You can (partially) solve this using an HSM - the encryption key is itself encrypted using an HSM. When the app needs the key it passes the encrypted key to the HSM and asks it to decrypt it. There are still issues with this (performance vs security, eg do you use a single key, one per user etc). However it means at the very least the attacker either needs to extract the key as well as the DB, or individually exfil every record. If you have a blue team the idea is they spot this behaviour before too much damage is done. If you don’t, then you(r customers) are boned either way.

Neither HSMs nor blue teams are particularly cheap. Guess what businesses value most when asked to choose between definitely spending a wad of cash to protect someone else’s data, or pocketing larger dividends with a risk they *might* get popped?...
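The key hierarchy the post above describes, as an added example that is not code from the post or from any vendor. The Hsm class is a Python stand-in for real hardware, the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for AES-GCM (so it runs on the standard library alone), and the records are constructed. What it shows is the structure: the database only ever holds ciphertext plus a wrapped per-record DEK, the KEK never leaves the "HSM", a DB dump on its own is opaque, and an attacker who has also taken the app must ask the HSM for every single record, which is the unwrap rate a blue team can alert on.

```python
"""Envelope encryption with an HSM-held key-encryption key (KEK).

Added example. Hsm is a simulated HSM and seal()/open_() are an
HMAC-SHA256 keystream + tag standing in for AES-GCM, so that the script is
self-contained. The point is the key hierarchy, not the cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with tag = HMAC(key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on tampering or wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    return _keystream_xor(key, nonce, ct)


class Hsm:
    """Simulated HSM: the KEK is generated inside and is never returned to the caller."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.unwrap_log = []  # one entry per unwrap call: the blue team's signal

    def wrap_dek(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap_dek(self, wrapped: bytes, caller: str) -> bytes:
        self.unwrap_log.append(caller)
        return open_(self._kek, wrapped)


def store_record(hsm: Hsm, db: dict, user_id: str, pii: bytes) -> None:
    """One DEK per record. The DB only ever sees the wrapped form of the DEK."""
    dek = secrets.token_bytes(32)
    db[user_id] = {"wrapped_dek": hsm.wrap_dek(dek), "ciphertext": seal(dek, pii)}


def read_record(hsm: Hsm, db: dict, user_id: str, caller: str = "app") -> bytes:
    row = db[user_id]
    dek = hsm.unwrap_dek(row["wrapped_dek"], caller)
    return open_(dek, row["ciphertext"])


def offline_attacker_can_read(db: dict) -> bool:
    """Attacker holding only a DB dump, no HSM. The only key-shaped material in a
    row is the wrapped DEK; using its bytes as the DEK fails the tag check.
    (A sanity check that nothing usable is stored alongside the data.)"""
    for row in db.values():
        try:
            open_(row["wrapped_dek"][:32], row["ciphertext"])
            return True
        except ValueError:
            continue
    return False


def bulk_exfil(hsm: Hsm, db: dict) -> int:
    """Attacker who has also compromised the app: one HSM round trip per record.
    Returns how many unwrap calls that produced, i.e. the detection opportunity."""
    before = len(hsm.unwrap_log)
    for user_id in db:
        read_record(hsm, db, user_id, caller="compromised-app")
    return len(hsm.unwrap_log) - before


if __name__ == "__main__":
    hsm, db = Hsm(), {}
    for i in range(5):  # constructed records
        store_record(hsm, db, "user%d" % i, ("pii-%d" % i).encode())
    print(read_record(hsm, db, "user3"))
    print(offline_attacker_can_read(db), bulk_exfil(hsm, db))
```

With a real HSM the unwrap call is a network or PKCS#11 round trip, so the per-record cost the post mentions is real; the trade-off between one DEK per record and one per table is exactly the trade-off between how much a single unwrap exposes and how many unwraps a bulk read generates.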

Cyberup campaign: 80% of infosec pros fear they might fall foul of UK's outdated Computer Misuse Act

Pier Reviewer

Re: Those laws are still perfectly good

If you’re relying on the law “figuring it out” it’s a bad piece of legislation. The comments here are reminiscent of the Daily Mail, and basically boil down to “I think you should have permission/a warrant so the law is fine”. Pity that’s not all the CMA criminalises. s3A(2) is particularly egregious -

“A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA”

Releasing a proof of concept tool (even a non-weaponised one) is likely to assist attackers. Guilty. Releasing a scanner to help ppl test if their servers are affected by a vulnerability is also an offence. Release a patch to fix the vuln? Yeah sorry - criminals diff patches to determine what they fix then write exploits for the bug. You likely assisted an offence.

I’ll say it again - if you’re reliant on someone saying “oh but he didn’t *mean* anything bad” you are taking an enormous risk on. You could just as easily be thrown under the bus by a future regime that doesn’t like what you say/the colour of your skin etc. That’s bad law.

It also puts the UK at a massive disadvantage. Those risks don’t exist in many other countries. Businesses as a rule don’t enjoy risk. They avoid it. It’s therefore likely that the UK gets left behind in this field, or they simply move their operations overseas.

Nobody sane is saying it should be the Wild West. They’re saying the wording of the law needs clarifying so that it’s eminently clear what is permitted and what is criminal. At the moment there’s too much scope for abuse.

Windows kernel vulnerability disclosed by Google's Project Zero after bug exploited in the wild by hackers

Pier Reviewer

“... I would say the medical profession is probably the worst for it though.”

Telco. You can have a 90 minute meeting where around a dozen actual words are spoken - the rest is just letters :/ It’s horrendous.

Top 5 billionaires find that global pandemics are good for business – and their wallets

Pier Reviewer

Re: Zuck Nuggets

I think I’ve just become vegetarian.

Southern Water customers could view others' personal data by tweaking URL parameters

Pier Reviewer

Re: Legality?

Client and server side request forgery (CSRF and SSRF) aren’t really forgery per se. It’s more a case of social engineering the browser/server. “Hey, hand this card to the cashier over there will you?”. Cashier recognised the person handing over the card and acts on the instructions therein.

Vulnerability taxonomy can be pretty hazy, and I personally would describe this as an insecure direct object reference (IDOR). However I think we can all agree it was an appalling weakness that should never have made it past the design phase never mind to production.

Using turds like S***point, SAP etc as some kind of framework is getting more common. The problem is it appears ppl pick their crap, overpriced middleware based on what they’ve used before rather than what is appropriate. Then you get stuff like this - “we need it to do X to keep the data secure”. “Sorry, it doesn’t support X”
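The IDOR the post above describes, as an added example that is not Southern Water's code or anyone else's: a handler that authenticates the caller and then trusts the object id in the URL, next to one that also checks the object belongs to the session user. The session table, account records and the handler functions (standing in for a route such as GET /account/<account_id>) are constructed.

```python
"""Insecure direct object reference: vulnerable handler beside the hardened one.

Added example. SESSIONS and ACCOUNTS are constructed stand-ins for a
session store and a database; the handlers play the part of a web route.
"""
from typing import Callable, List, Optional, Tuple

# Constructed data: session token -> user id, and account rows with an owner.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}
ACCOUNTS = {
    "1001": {"owner": "u1", "name": "Alice", "address": "1 Acacia Ave"},
    "1002": {"owner": "u2", "name": "Bob", "address": "2 Beech Rd"},
}

Response = Tuple[int, Optional[dict]]


def vulnerable_get_account(token: str, account_id: str) -> Response:
    """Authenticates, then trusts the URL parameter outright: any logged-in user
    can walk account_id from 1000 upwards and read every customer's record."""
    if token not in SESSIONS:
        return 401, None
    row = ACCOUNTS.get(account_id)
    return (200, row) if row else (404, None)


def hardened_get_account(token: str, account_id: str) -> Response:
    """Authorises against the session: the object must belong to the caller.
    Returns 404 rather than 403 so the response does not confirm the id exists."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    row = ACCOUNTS.get(account_id)
    if row is None or row["owner"] != user:
        return 404, None
    return 200, row


def enumerate_accounts(handler: Callable[[str, str], Response],
                       token: str, low: int, high: int) -> List[Tuple[str, str]]:
    """What 'tweaking the URL parameter' looks like: try each id, keep the hits."""
    found = []
    for i in range(low, high + 1):
        status, row = handler(token, str(i))
        if status == 200:
            found.append((str(i), row["name"]))
    return found


if __name__ == "__main__":
    print(enumerate_accounts(vulnerable_get_account, "tok-alice", 1000, 1010))
    print(enumerate_accounts(hardened_get_account, "tok-alice", 1000, 1010))
```

Unguessable (random) identifiers are worth having as defence in depth, but they are not the fix: the fix is the ownership check on every object access, which is also what makes the resulting burst of 404s from one session something worth alerting on.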

Epic move: Judge says Apple can't revoke Unreal Engine dev tools, asks 'Where does the 30 per cent come from?'

Pier Reviewer

" consumers could choose when deciding to buy an Android device or an iPhone "

That is one dangerous argument for Apple! Can’t believe they used it to be honest. They must not have anything else that might have a chance of being accepted. I think they just walked into Epic’s trap.

Yeah you can go to Android. And pay 30% commission there too. Two providers? Same high fees? Sounds awfully like a cartel...

C++ still rules the Chromium roost though Rust has caught our eye, say browser devs

Pier Reviewer

Re: Rust, Rust, Rust

The things you mention are good practice for avoiding out of bounds access, however that’s already one of the less common CWEs. Use after free and type confusion are much more common, and very much a C++ problem. Rust prevents them at compile time.

You’re right that many issues can be avoided by using C++ properly. The problem is the compiler doesn’t enforce that. As a result people make mistakes that make it into the build, and in a 100 million line code base are hard to find. Rust simply says “no” and refuses to build, ensuring that such issues are dealt with ASAP.

First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

Pier Reviewer

“Stop using Windows...”

Won’t make you any more secure against this type of attack. It was a targeted attack using a VM (i.e. they can deploy it on anything a VM can run on). They simply phish users, gain network access then deploy the VM.

Using Win10 actually makes you less likely to be hit by this particular attack if you enable Hyper-V as any fool knows.

We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother

Pier Reviewer

Banning query parameters (the stuff after the “?”) doesn’t fix the problem sadly. A site operator could provide a start_url value like https://pwa.acme.com/start/123456 where 123456 is a unique number for each user. Voila, you can be uniquely identified.

Whilst the article appears to bemoan the fact that the issue is being left to browser makers to fix, I don’t see a reasonable and effective alternative. The solution needs to be where it’s most effective. Letting site operators like Facebook et al decide how to prevent tracking is laughable. The problem of course is that Google intentionally broke the Chinese wall by releasing a browser. The only practical solution to avoiding tracking in this instance is to have the browser makers fix the problem and keep away from Chrome.

What the duck? Bloke keeps getting sent bathtime toys in the post – and Amazon won't say who's responsible

Pier Reviewer

Re: Review stuffing

Yeah. Poacher checks on hen house. Looks good gov’...

Pier Reviewer

Review stuffing

It’s a known scam. Buy a load of cheap tat, giving a fake address. Get 100% buyer feedback. Convert account to a seller. Now you’ve got a seller account with loads of positive feedback. Totally trustworthy right?...

Indian conglomerate Reliance Industries says it's built its own 5G kit and hopes to sell to all comers

Pier Reviewer

Re: Home buying

Cost. Living expenses are higher in the UK, so wages are higher too by necessity.

There’s little detail here - 5G was designed to move away from hardware and towards software as far as is reasonably practical. You can deploy a 5G core (SA or NSA) without owning any hardware (granted, your Azure/AWS bills will be something to behold!). It’s only the RAN side where you need specialist equipment. The radio tech for 5G is crazy. Even then, a significant portion of the RAN functions can be performed in software.

These folk may well be talking about a software only core offering. If that’s the case I don’t see how the UK could ever hope to compete. India has a large number of STEM graduates in a culture that values education, and significantly lower wages than the UK. The UK *could* produce a product, but it wouldn’t sell.

Rust code in Linux kernel looks more likely as language team lead promises support

Pier Reviewer

Re: Is there a reason we need YAPL?

“...zero advantage over C”

Well the first and obvious advantage is that you only need to worry about memory corruption vulnerabilities in the subset of code that you marked with the unsafe keyword, rather than the entire codebase (27 million LoC says hi). As a result you can spend all of your effort on a much smaller area and have much more confidence that it is safe.

As to having to use “raw memory” - Rust *does* access “raw memory”. It compiles to assembly language just like C. However the Rust compiler has a significant number of compile-time checks to ensure memory access will be safe at run time. Ergo it is basically as fast as C, and has far fewer vulnerabilities because you’ve just wiped out half a dozen classes of vulnerability at compile time.

Believe me - I hate doing vuln research on Rust code bases because 95% of the cheap RCE wins just don’t exist compared to C :( There are some crazy things that can happen in C that even experienced programmers make mistakes with, and where the language is broken (floats leaking memory content for example). Even stuff as innocuous as this can get you RCE -

size_t len = userSuppliedNumber;
unsigned char buf[len];

I love C but Rust is a great language, and I can see that because I bothered my arse to look into it. Linus’ concerns re: the compiler are valid, although gcc isn’t exactly covered in glory when it comes to “interesting” side effects and behaviour. Anyone wanting to work in systems programming would do well to look at both C and Rust, as it makes more of the jobs market available to you.

Pier Reviewer

Re: Rust and kernel

Rust doesn’t require any kind of library support any more than C does. Both have a standard library (libc and libstd respectively) and should you delete those from your system you will find it becomes rather less useful. However, neither language *needs* those libs - they merely save you a lot of typing.

I’m secure code reviewing a few million lines of each (C/C++ and Rust) as we “speak”. The client is moving to Rust in a field that requires extraordinarily fast and reliable code. Not only is the Rust output able to match performance, it’s not a shitshow of buffer overflows, stack underflows, format strings etc. We’ll see a lot more Rust going forwards because it’s a good language.

At least use the language before commenting on its weaknesses rather than simply parroting what Dave said down the Nags Head (who likewise heard it third hand from someone scared that their skill set will be outdated and they won’t find much work in the future).

July? British government could decide to boot Chinese giant Huawei from the UK's networks by this month

Pier Reviewer

Alas it’s not necessarily that simple. Huawei aren’t publicly listed - the (Chinese*) employees own the shares. I would be extremely surprised to see them list publicly as it risks western involvement in the board.


* non-Chinese employees are plentiful, but not entitled to own shares.

Consumer orgs ask world's competition watchdogs: Are you really going to let Google walk off with all Fitbit's data?

Pier Reviewer

Re: Isn't it time for Google to face the Anti-trust strongarm squad?

Ahh, so they’re protecting us from the reds under the bed? Thanks for pointing out who we need to be scared of. I’m glad corporate America can protect us from those scary reds.

Out of interest, what extra harm would a Chinese company having all this information cause vs the status quo?

Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

Pier Reviewer

Re: The law is fine and doesn't need changing

No, it’s not fine. It would help if people bothered themselves to read the act (as amended) to see what it actually criminalises rather than thinking “hacking bad, so law good”.

The entire thing is so widely drafted it’s ripe for abuse. However the truly awful provision is s.3A - http://www.legislation.gov.uk/ukpga/1990/18/section/3A.

Creating, sharing or possessing a tool that *could* assist in an offence under s.1 etc is an offence. So, you want to test how many of your servers are vulnerable to a recent zero day? You write a script to scan your own estate. Bad news. You just committed an offence. You want to share it with your contacts in your suppliers etc so they don’t get popped? Again, criminal. Share it with the wider community to help as many ppl as possible? Same.

Okay, so you put a disclaimer on it (“must not use without permission of network owner”). Bad news. That’s not a defence - that’s evidence the CPS will use against you to show you knew it could assist in the commission of an offence.

How about you want to make a product like Nessus, Qualys etc? Yeah no - criminal in the UK.

But those ppl won’t get prosecuted you say. That there is the problem - you have a law that basically makes using a networked computer criminal, and leaves the decision to prosecute to a bunch of people who may or may not have the best interests of society as their priority. Pissed off the wrong ppl? Criminal record says hi!

There’s a reason there is a paucity of security research in the UK - it’s grotesquely high risk even as a white hat, and a criminal record basically ends your career. If you report an issue to someone who simply wants it to go away the CMA will do that nicely.

The CMA is a bad law with a good purpose. It needs to be changed. It could create highly skilled jobs in the UK if done right, but Ofc nothing will change as MPs have no knowledge of the field and no desire to learn.

ZFS co-creator boots 'slave' out of OpenZFS codebase, says 'casual use' of term is 'unnecessary reference to a painful experience'

Pier Reviewer

Re: My first thought:

It’s a stupid idea. The only ppl it benefits are white guys who don’t want to be reminded what their race/nation did in the past and might be in some way linked to them. Yeah, let’s bury references to slavery. That’ll help ppl currently subjected to racism.

The term slave in this context has nothing to do with slavery, racism etc. A poster above considers the use of “directed” in its stead. Directed also has more than one meaning. c.f. a directed graph. Is the graph taking instruction? Turns out words can have more than one meaning.

Finally, the entire argument “well if it stops one person being unhappy surely it’s good?” is childish. It fails to understand and accept that there will always be ppl unhappy about the status quo, whatever that be. Take democracy for example. The unhappiness of a significant portion of the population is a mandated feature of democracy. It’s about the will of most ppl, not all.

I’d be happy to make the bet that you can’t find a single thing that at least one person doesn’t find offensive. And that there is the issue with the childish argument - the grownups can and will game it for their own benefit.

Can we stop with the ridiculous “I’m offended on behalf of X” bollocks please, and actually think like adults. There are so many things that we can do to help make racism etc a thing of the past. Changing the word slave in your codebase is not one of them. It is however the least effort you could humanly make...

Twitter, Reddit and pals super unhappy US visa hopefuls have to declare their online handles to Uncle Sam

Pier Reviewer

Question (not a Merkin)

Does the Constitution extend rights to people that aren’t American citizens? If I’m applying for a visa I’m not a US citizen - do I benefit from US constitutional rights at that stage?

Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

Pier Reviewer

If you don’t care about security, the bad guys care about you

Internet facing RDP... Jesus. I love it when you find it on jobs. It’s an easy win. It’s insane that people don’t put it behind a VPN (that requires MFA).

Ofc that alone isn’t a fix for ransomware. There is no single fix, which is why companies keep getting reamed. They’d evidently rather risk paying millions than definitely spend money avoiding the risk, even if it basically guarantees they won’t be badly affected. It’s 100% the board’s fault. They could force a change, but costs reduce their dividends. Better to risk it and make secret payments to the criminals if you get hit rather than reduce your take home pay innit?

The fix? Nothing new or exciting. Regular, tested off-site backups, maintain a register of installed software and audit it regularly, patch regularly, MFA for all sensitive services and accounts etc.

I've seen things you people wouldn't believe. Spacecraft with graphene sails powered by starlight and lasers

Pier Reviewer

Re: Calling Isaac Newton...

Re: using the destination star to slow down travel.

The problem is it tends to defeat the purpose of the idea (to get from A to B within a human lifespan). By decelerating from about the halfway point you take about 42% longer to get there (sqrt of 2, on the assumption the target star will decelerate your craft at 1 m/s²).

Anyway, I’ve seen Star Wars. And whilst that *is* a moon, I’m not wholly comfortable with an 8GW laser array on it.

Pier Reviewer

Re: Calling Isaac Newton...

The problem is that the closer you get to another star the more pressure it exerts on your sail in the wrong direction. That’s why you need the laser. However you need to focus your laser on a 14 m² area at a distance of ~4 LY. Not exactly a trivial design requirement.

Then there’s the second issue - you arrive in the Alpha Centauri system at ~15% c. You need some way to slow down or you’ll just barrel straight through. If you’re spending that much time, money and effort getting to another star system you probably want to get some data back. You’ll have trouble getting through the submission phase if you’re basically proposing throwing billions of <currency> at a star using a giant **** off laser.

That’s the biggest issue with any kind of fast travel. You need to slow down without turning your payload to jam/dust. Consider the difference between going from 70mph to 0mph in a controlled fashion vs stopping fairly instantaneously through the help of a bridge support.

The point of containers is they aren't VMs, yet Microsoft licenses SQL Server in containers as if they were VMs

Pier Reviewer

Re: What next...?

You’re not buying it... It’s closer to the car PCP model. You rent it. You stop paying rent it goes back to the dealer/MS. You drive the car lots? You pay more to the dealer. You use SQLS lots? You pay more to MS.

I’m not a fan of MS’s licensing model to be fair for various reasons (complexity being high up on the list) but what you describe already exists, and for a physical object, not just software.

Uber, Lyft struck by sue-ball, no, sue-meteorite in California after insisting their apps' drivers aren't employees

Pier Reviewer

Re: Contracting...

The Cali law has some similar features to IR35 in Blighty. The differences in how the two are perceived is a little surprising tbh.

Lords: New IR35 off-payroll tax rules 'riddled with problems, unfairnesses, unintended consequences'

Pier Reviewer

Re: How to make it go away

Easy for MPs to show they’re outside IR35. They spend some (I won’t say most) of their time doing their job as an MP rather than consulting for one firm. They also tend to consult for multiple companies rather than just one.

Keen to go _ExtInt? LLVM Clang compiler adds support for custom width integers

Pier Reviewer

Re: Sounds like a good idea

You’ve basically described how security issues arise. Make assumption. Assumption is invalidated. Shit happens.

It’s also why we (should) unit test for such things before pushing to prod. But hey, testing is boring so we don’t do it right?

As to using unused bits - plenty of tech still does that. The Deflate algo, ASN.1 PER etc. It’s not going away.

Something a bit phishy in your inbox? You can now email suspected frauds straight to Blighty's web takedown cops

Pier Reviewer

If only the NCSC had ppl capable of performing threat modelling and risk assessment before they rolled this out!... Luckily the commentards can pick up the slack, and the NCSC can hopefully fix this terrible oversight -.-

Zoom vows to spend next 90 days thinking hard about its security and privacy after rough week, meeting ID war-dialing tool emerges

Pier Reviewer

Re: Its much worse than that... Complete Infosec fail?

Whilst the encryption isn’t what they claim it’s still pretty decent. According to Bruce it’s AES-128-ECB (not CBC). The key and block sizes make it infeasible to brute force the key or abuse SWEET32.

ECB is commonly considered to be weaker than CBC, but it has a simpler implementation and thus less room for catastrophic error (POODLE says hi, and ECB mode isn’t vulnerable to SWEET32 either, whereas CBC mode is). The thing with crypto is the crypto nerds get hyper excited about theoretical attacks like breaking 3 rounds of cipher X, or having utterly impractical requirements. It’s great to publish those findings as they can be built upon to create more powerful attacks, but the media (social included) tend to run ridiculous headlines as a result.

The Chinese server involvement is certainly worthy of investigation, but would it be any better if that server were hosted in the US/Europe but rented by a shell company operated by Chinese sigint? Geolocation counts for shit.

Amazon says it fired a guy for breaking pandemic rules. Same guy who organized a staff protest over a lack of coronavirus protection

Pier Reviewer

Re: Unions

“ Unions have their place, but the guy leading the charge is being paid to be somewhere else, and he isn't doing what he was being paid to do, then the guy doesn't deserve a job.”

You’ve misunderstood Amazon’s reasoning. It’s cheaper for them to pay one guy to stay home and stop rocking the boat, than to implement effective measures to protect the rest of their employees. They basically wanted to pay him off (as cheaply as possible). It has similarities to Weinstein. “Shut up and take the money”.

FYI: You can trick image-recog AI into, say, mixing up cats and dogs – by abusing scaling code to poison training data

Pier Reviewer

Re: how they want some attention...

It’s not a bug. It’s intentional. When you’re scaling an image to a smaller size you lose data, as you are only able to represent a fraction of the original data. You need to decide which parts of the data are more important and which can be thrown away.

The side effect of this is that in this very particular use case, the classifier can be tricked into classifying an input incorrectly, and human auditing is less likely to detect it (“hey, who flagged this cat as a traffic light?!”).

Yes, it has limited use at the moment, but when ppl start selling data sets on a larger scale, and for sensitive use cases, it could be a more significant issue.
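The mechanism the post above describes, as an added example that is not the researchers' code: a nearest-neighbour downscaler keeps one source pixel per output pixel and throws the rest away, so an attacker who writes the small target image's pixels at exactly the sampled positions gets a large image that still looks like the source to a human and downscales to the target for the model. The images (lists of greyscale ints), the "source" and "target" patterns, and the area-scaling comparison used as a detection heuristic are all constructed for this example.

```python
"""Image-scaling poisoning reduced to its mechanism, plus a simple check.

Added example. Images are lists of rows of greyscale ints. SOURCE and TARGET
are constructed patterns; the detection heuristic (compare nearest-neighbour
output with block-average output) is a simple check chosen for this example.
"""
from typing import List

Image = List[List[int]]

# Constructed 16x16 "source": alternating rows of 200 and 220.
SOURCE: Image = [[200 if y % 2 == 0 else 220 for _ in range(16)] for y in range(16)]
# Constructed 4x4 "target": dark pattern, 20 on the diagonal and 40 elsewhere.
TARGET: Image = [[20 if x == y else 40 for x in range(4)] for y in range(4)]


def nearest_neighbour_downscale(img: Image, out_h: int, out_w: int) -> Image:
    """Keep one source pixel per output pixel (the one at the block's top-left)."""
    sy, sx = len(img) // out_h, len(img[0]) // out_w
    return [[img[y * sy][x * sx] for x in range(out_w)] for y in range(out_h)]


def area_downscale(img: Image, out_h: int, out_w: int) -> List[List[float]]:
    """Average every source block instead of sampling one pixel from it."""
    sy, sx = len(img) // out_h, len(img[0]) // out_w
    out = []
    for y in range(out_h):
        row = []
        for x in range(out_w):
            block = [img[yy][xx] for yy in range(y * sy, (y + 1) * sy)
                     for xx in range(x * sx, (x + 1) * sx)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def poison(source: Image, target: Image) -> Image:
    """Overwrite only the pixels the nearest-neighbour scaler will sample."""
    sy, sx = len(source) // len(target), len(source[0]) // len(target[0])
    poisoned = [row[:] for row in source]
    for y, trow in enumerate(target):
        for x, value in enumerate(trow):
            poisoned[y * sy][x * sx] = value
    return poisoned


def fraction_changed(a: Image, b: Image) -> float:
    """How much of the large image the attacker had to touch."""
    total = len(a) * len(a[0])
    changed = sum(1 for y in range(len(a)) for x in range(len(a[0])) if a[y][x] != b[y][x])
    return changed / total


def scaling_attack_suspected(img: Image, out_h: int, out_w: int, threshold: float = 32.0) -> bool:
    """Flag the image if sampling and averaging disagree badly: a benign image
    gives similar results either way, a poisoned one does not."""
    nn = nearest_neighbour_downscale(img, out_h, out_w)
    avg = area_downscale(img, out_h, out_w)
    diffs = [abs(nn[y][x] - avg[y][x]) for y in range(out_h) for x in range(out_w)]
    return sum(diffs) / len(diffs) > threshold


if __name__ == "__main__":
    bad = poison(SOURCE, TARGET)
    print(nearest_neighbour_downscale(bad, 4, 4) == TARGET, fraction_changed(SOURCE, bad))
    print(scaling_attack_suspected(SOURCE, 4, 4), scaling_attack_suspected(bad, 4, 4))
```

Here the attacker changes 16 of 256 pixels (6.25%) and the model's 4x4 input is entirely the target. Real scalers (bilinear, bicubic) weight a few neighbouring pixels rather than one, which changes the arithmetic but not the idea; the averaging comparison is one cheap check, and scaling with an area filter in the first place removes most of the leverage.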

Austrian foreign ministry: 'State actor' hack on government IT systems is over

Pier Reviewer

Re: Source article interesting, kind of

The good guys (as in competent, not white hat) don’t use random outbound ports. They use 443/tcp to a cloud host along with domain fronting to avoid TLS interception. All the victim sees is a request to a Microsoft.com domain or whatever.

If you think detecting decent, custom, memory resident malware is easy you should go work as a front line SOC analyst and see just how easy it is to detect that kind of thing in amongst the network noise. Generally threat actors will compromise the network (maldoc, cred spraying, 0-day), quickly obtain persistence then lie low for a while. If you don’t manage to detect the initial compromise (often the riskiest phase as it’s noisy/prone to failure) you are flat out stuffed.

I know what you’re thinking - don’t open random email attachments. Competent attackers don’t use random email addresses. They cred spray/phish your organisation then send emails/instant messages using your own infrastructure. Got a spreadsheet from Alice in Accounts? Must be safe to open, right?...
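The domain-fronting detail in the post above, as an added example that is not anyone's production detection: with TLS interception in place the proxy sees both the SNI (the name the victim "sees") and the HTTP Host header (where the request actually goes), and a mismatch is the thing to hunt for. The log lines, field names and domains are constructed for this example. Two caveats a practitioner would want: without interception you only see the SNI, so this check is impossible; and legitimate CDN traffic produces mismatches too, so the output is a hunting lead to baseline, not an alert on its own.

```python
"""SNI / Host mismatch hunting over constructed proxy logs.

Added example. The log format (ts=, src=, sni=, host=) and the domains are
constructed; real proxies log these fields under their own names.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed TLS-inspection proxy log. 10.0.0.7 is the interesting host:
# the TLS handshake names update.example.com but the decrypted request
# carries a Host header for a different tenant on a shared CDN.
LOG = """\
ts=2020-01-05T10:00:01Z src=10.0.0.5 sni=login.example.com host=login.example.com
ts=2020-01-05T10:00:07Z src=10.0.0.5 sni=cdn.example.com host=cdn.example.com
ts=2020-01-05T10:00:09Z src=10.0.0.7 sni=update.example.com host=tenant-4711.example-cdn.net
ts=2020-01-05T10:00:15Z src=10.0.0.7 sni=update.example.com host=tenant-4711.example-cdn.net
ts=2020-01-05T10:00:21Z src=10.0.0.9 sni=www.example.org host=www.example.org:443
ts=2020-01-05T10:00:30Z src=10.0.0.9 sni=WWW.Example.org host=www.example.org.
"""

LINE = re.compile(r"ts=(\S+) src=(\S+) sni=(\S+) host=(\S+)")


def normalise(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port so benign variants compare equal."""
    return name.lower().rstrip(".").split(":")[0]


def parse(log: str) -> List[Dict[str, str]]:
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:  # skip lines that do not carry all four fields
            ts, src, sni, host = m.groups()
            records.append({"ts": ts, "src": src, "sni": sni, "host": host})
    return records


def fronting_candidates(log: str) -> List[Dict[str, str]]:
    """Records whose TLS SNI and HTTP Host name different servers."""
    return [r for r in parse(log) if normalise(r["sni"]) != normalise(r["host"])]


def summarise(records: List[Dict[str, str]]) -> Counter:
    """Count (src, sni, host) triples so a repeated beacon stands out."""
    return Counter((r["src"], normalise(r["sni"]), normalise(r["host"])) for r in records)


if __name__ == "__main__":
    hits = fronting_candidates(LOG)
    for (src, sni, host), n in summarise(hits).most_common():
        print(f"{src} sni={sni} host={host} x{n}")
```

Baselining the (sni, host) pairs your estate normally produces over a week, then alerting on new pairs or on a single workstation beaconing the same mismatched pair at a regular interval, is where this becomes useful.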

You're always a day Huawei: UK to decide whether to ban Chinese firm's kit from 5G networks tomorrow

Pier Reviewer

Re: Treasury Notes

“ If Huawei is allowed into western teleco networks, the governments will have to cover the purchase of this equipment by issuing treasury notes.”

Wtf are you smoking? The gear will be purchased by EE, O2, Voda etc using their own cash, not UK government bonds. They are private companies, and the money Huawei receives is kept by Huawei, which is owned by its (Chinese) employees, not the state. Ffs stop reading Breitbart propaganda and get some kind of clue as to how business works.

Boris celebrates taking back control of Brexit Britain's immigration – with unlimited immigration program

Pier Reviewer

Re: Good, good.

“ Well done Boris and Priti for delivering on your promise.”

Can you point to what’s actually been delivered? It’s just talk at the moment. The visa changes cannot apply until 2021 at the earliest, so best hold onto your thanks until then. It might not work out quite as you’d hoped.

Saying you want the best engineers etc to come to the UK is one thing. Convincing them to accept your kind invitation is quite another.

It will be interesting to see how the hostile environment policy pans out with all these foreign engineers on our shores. I rather suspect that more than one poor soul will find that a PhD, full work history, and Nobel Prize will count for nought when the Home Office comes a-knocking :(

This episode of Black Mirror sucks: London cops boast that facial-recog creepycams will be on the streets this year

Pier Reviewer

Numbers game

It’s a numbers game. This guy’s number was 100k - https://www.bbc.co.uk/news/uk-scotland-south-scotland-51255287 :) I hope the Met have deep pockets!

Protestors in Los Angeles force ICANN board out of hiding over .org sale – for a brief moment, at least

Pier Reviewer


“ The day after it became clear ICANN was going to approve lifting price caps, former ICANN CEO Fadi Chehade registered EthosCapital.com – yes, .com, not .org – and within months Ethos had persuaded ISOC to sell its main asset for a lump sum.”

Rofl. I know the Reg has to be a bit careful about what it prints, but do we honestly think ISOC was persuaded to sell *after* the price caps were lifted? Haha haha!

Whoa, whoa... Tesla slams brakes on allegations of 'unintended acceleration' bug: 'Completely false and was brought by a short-seller'

Pier Reviewer

Re: Sure, deny it and point to the evidence that supports your position...

*Some* short sellers are indeed unethical. However, randomly spaffing lies on Facespace only gets you so far. Look at who holds the majority of Tesla shares. It ain’t mom and pop. It’s institutional investors. They’re in it to make money, and are far less easily swayed by such behaviour.

Musk has very thin skin. I agree with many on here that this issue is far more likely to be “fat feet” rather than software. However the shouts of “short sellers!” are just Musk’s reaction to *any* negative press. If a Tesla’s going to kill you it won’t be random acceleration, it’ll be randomly ignoring large objects in the road (I guess I must be shorting TSLA yo)

And we now go live to Apple v Corellium, where the iTitan is still lobbing copyright fireballs at the virtual iPhone upstart

Pier Reviewer

Two wrongs...

They’re both bad. Apple are upset that it’s easier to find bugs, Corellium are plainly ripping off Apple’s software.

I’m very wary of using their offering tbh. The fact it’s aimed at security researchers and runs in the cloud makes it easy for them to monitor and sell on any vulnerabilities.

EU wouldn't! Uncle Sam brandishes 'up to 100%' tariffs over France's Digital Services Tax

Pier Reviewer

Re: Wrong argument

“> If I give a second house to my son, I am charged CGT as if I sold it at market rate.

No you're not. You can gift him whatever you like completely free of tax provided you survive for 7 years after the gift is given.”

You missed the important word in the OPs example. “Second”. The 7 year period only applies if you have lived in the house for the entire period you owned it. Rented it out for 6 months 25 years ago? You owe CGT. Second home? CGT.

The simple fact is IP transference used by Starbucks et al is tax avoidance. I know what you’re thinking - tax *avoidance* is legit. I’ve got two words for you - “loan charge”. Yet again the smaller guy gets shafted, whilst the big guys are free to avoid tax at will.

VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

Pier Reviewer

“ yet again proving that the real hackers go after people - Social Engineering 101”

Rarely a truer word said. 99% of external infrastructure engagements we do result in breach (ie access to the internal network). The other 1% refuse to include O365, S4B, Outlook Web Access, VPN endpoints etc in the scope :)

It’s not about 0-days. It’s a numbers game. Someone in your organisation has a $#!% password. Just a matter of finding who. A bit of OSINT, a bit of time (usually a few hours, occasionally a day or two) and you’ve got shell. Bit slower if you care about not being detected.

Plenty of talk of encryption etc to fix this problem, when mandating MFA and a half decent password policy + training will make the attacker’s job hundreds of times more difficult.

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Pier Reviewer

Re: Grab the private key?

Many more offenders? You’re not kidding! This is very common behaviour. A large player in the gambling industry does this. I make a point of collecting such domains. Can be useful for exploiting SSRF ;)

Why can't passport biometrics see through my cunning disguise?

Pier Reviewer

The wearing of glasses in your passport photo is permitted. The wearing of glasses when standing in front of the retarded “eGate” *is* forbidden. Makes it pretty hard when you can’t see past the end of your nose sans specs - if the machine shows a message not only can I not read it, chances are I don’t even know it’s there :/

Been through far too many of those things this week. The ones on the continent seemed better. The UK one coming back was awful.

Intel! China! Sliding enterprise spending! Dell cuts forecasts by $1.2bn to $2bn for fiscal '20

Pier Reviewer


I’m confused. What’s it got to do with Yahoo?

Not to Nokia, but someone's seeking a third Huawei: Openreach hunts supplier number 3 for UK's FTTP network

Pier Reviewer

HCSEC was the price of doing business in the UK for Huawei. It was probably worth it for them. Plus it helps them improve their products.

Cisco are already well into the UK. They’ll never pony up their code as they don’t need to and can’t be forced to.

Morrisons is to blame for 100k payroll theft and leak, say 9,000 workers

Pier Reviewer

Not exactly rocket science this one. Morrison’s be screwed. Can’t blame them for arguing the case, but they won’t win it. Schedule 1 Data Protection Act 1998 provides:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Appears the only reason he had the data was to pass it on to the external auditors. Should have been encrypted at rest so he could pass on the data, but couldn’t access it himself. Morrison’s failed to take appropriate measures. Yet another case of security controls being bypassed or not deployed because it makes life a bit more difficult. As a result control of 100k people’s data is lost.

The only good news for Morrison’s is it pre-dates GDPR.

Here we go again: US govt tells Facebook to kill end-to-end encryption for the sake of the children

Pier Reviewer

Re: "Outside the digital world, none of us would accept the proposition that"

“but you'd plenty of time to flush your drugs and reset the phone you use for crime to defaults and restore the innocuous backup”

The coppers got wise to flushing a long while back. They already prep contingencies for that :) Your “best” bet is to swallow them with a shit ton* of Imodium and hope the 24 hour detention expires before the Imodium (or you if the bag breaks - lol).

Phone resets aren’t necessarily 100% copper proof. As you say, it depends how high up the pyramid you are. For a big enough target DFIR might be used to pull old data from the phone. For a grunt tho chances are the phone goes into a massive black hole (not the same one the drugs went in).

As for not hearing the armed cops - prolly fine if you’re white. It carries additional risk of things getting loud for other ethnicities...


* pun not entirely intended

Google sounds the alarm over Android flaw being exploited in the wild, possibly by NSO

Pier Reviewer

Re: re: Google Play Store

Sorry, my browser didn’t render your comment properly so I missed the bit where you pointed to the slew of malware on Apple’s App Store...

Oh wait, no, you tried the “well so’s your face” argument. The App Store has many flaws (like needing to buy overpriced Apple gear to write and test apps) but malware is very much a Google problem.

The funny part is that Google couldn’t fix it if they wanted to. Deleting 40% of the crapps on Play Store would look bad, and even with Google image > security.

Pier Reviewer

Re: Years Old Bug...

It’s a regression. The bug was patched. Then they reintroduced it. It can happen, but it’s sloppy.

Also, lol at a 0-day being dropped for Android. Not good for end users sadly, but hopefully it might give PZ some pause for thought re: their politically driven disclosure policy.

IR35 blame game: Barclays to halt off-payroll contractors, goes directly to PAYE

Pier Reviewer

Re: Personal Service Companies

I love how everyone fell into the trap. It’s now a contractors vs permies war, which is what the Government wanted. It keeps people distracted and stops them asking “why not just change the tax rate on dividends?”.

Anyway... Tax is used to incentivise and disincentivise certain behaviour. Think Council tax on empty property. It can increase to 200% because empty property is to be avoided.

If you remove corporation tax you incentivise hoarding. That means less cash in circulation, which holds back growth. That is bad for pretty much everyone except the guys holding a shit ton of cash.

Your idea also raises various questions such as “what does withdrawn from the company mean?”. They pay tax when they pay my salary? When they buy parts? When they service debt? When they invest in something?

If not, do you think there might be some loopholes there? It looks like your idea is focused on personal service companies, but it would also apply to Tesco, JLR, BT etc. It’s not simple to make tax simple whilst still being reasonably effective.

Google security crew sheds light on long-running super-stealthy iOS spyware operation

Pier Reviewer

Re: Entire populations: State sponsored?

So the US isn’t even in contention?...

Hong Kong ISPs beg Chinese govt not to impose Great Firewall on them

Pier Reviewer

Re: As If anything else would happen here...

Sold them out? They leased it. The lease expired. Are you saying the UK Gov could, and should have kept it unlawfully?
Biting the hand that feeds IT © 1998–2021