* Posts by steven_t

45 publicly visible posts • joined 24 Oct 2018

Schneider Electric ransomware crew demands $125k paid in baguettes

steven_t
Coat

$125k in baguettes

That's a lot of bread!

The months and days before and after CrowdStrike's fatal Friday

steven_t

Re: "Operates the way CrowdStrike does"

From what I've read, it affected all Windows hosts (both physical and virtual machines) that had CrowdStrike installed, so a very simple test process would have spotted that. A simple test wouldn't have spotted the dozens of other ways a configuration change can go wrong.

steven_t
WTF?

"Operates the way CrowdStrike does"

Amato said. "This could have happened to literally any organization that operates the way CrowdStrike does."

No organization, let alone one offering endpoint protection for business customers, should operate the way CrowdStrike does.

It releases configuration changes to all of its customers without testing whether the changes achieve their aims. This seems to be its policy - CrowdStrike's explanation of the incident doesn't say anywhere that someone should have tested whether the new channel file/template instance achieved its aims.

Some organisations have a policy of testing changes before rolling them out but, in an emergency, they sometimes reduce or even skip the testing step. That's not what CrowdStrike says happened. Their normal process seems to be to come up with a new thing they want to monitor, change a configuration file in a way that looks like it should detect that new thing, run it through the validator and unleash it on their customers, without actually testing whether it actually detects that new thing... or detects false positives... or breaks existing functionality... or degrades performance... or crashes the machine.

I appreciate it isn't easy to test whether the change correctly identifies malicious named pipe behaviour because you either need to use a malware sample or a malware simulator program, but it isn't rocket science. I'm sure CrowdStrike could afford to employ someone who knows how to do it. It could also afford to employ a manager who knows how important it is.

CrowdStrike blames a test software bug for that giant global mess it made

steven_t
FAIL

Four main issues

From reading CrowdStrike's explanation, it seems to me there were four main issues:

1) The content interpreter (running on 8.5 million Windows endpoints) can render the machine unusable when it reads invalid data in an IPC Template Instance - this indicates a QA problem in a critical software component and is quite concerning.

2) CrowdStrike's policy is that IPC Template Instances can be rolled out to 8.5 million endpoints without any testing, as long as they pass the checks in the Content Validator. This appears to reveal a staggering degree of complacency by management.

3) The Content Validator contained a bug which allowed invalid IPC Template Instances to pass the tests - this indicates a QA problem in this software component, which wouldn't normally be considered critical, except for the policy of not requiring any other testing.

4) Someone created an invalid IPC Template Instance and submitted it for checking and release. This is an everyday type of mistake which should have been caught by QA processes and tools and, as a last resort, by validation within the content interpreter.

There were other things which could have been done to reduce the impact, such as allowing customers to know what was in each channel file and decide for themselves how they wanted to deploy them but, given that this wasn't part of the business agreement, I think the four points above are the main failings which led to this catastrophe.

I don't have any connection with CrowdStrike, either as an employee/contractor or as a customer/user/victim. I also wasn't significantly inconvenienced by it, as I wasn't planning to use a plane, train, doctor or any of the other services which were affected.

Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk

steven_t
Alert

Mitigation

Canonical/Ubuntu have published the following mitigation, which may be useful if you can apply this change faster than you can install the patch:

"Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability."

Copied from here: https://ubuntu.com/security/CVE-2024-6387
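As an added example (my own, not from the post or from Canonical's advisory), a POSIX shell check of whether a given sshd_config carries the "LoginGraceTime 0" mitigation, reporting the MaxStartups value that then bounds the denial-of-service trade-off. It reads the config file directly rather than querying a running sshd, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the post or from Canonical's advisory: check whether
# an sshd_config applies the CVE-2024-6387 mitigation ("LoginGraceTime 0") and
# report the MaxStartups value that then bounds the denial-of-service trade-off.

# Print the effective value of a keyword. sshd takes the FIRST occurrence of a
# keyword, keywords are case-insensitive, and "Key value" and "Key=value" are
# both accepted; comment and blank lines are skipped. $3 is the fallback
# printed when the keyword is absent (sshd's compiled-in default).
sshd_opt() {  # $1 = config file, $2 = keyword, $3 = default
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || substr($0, 1, 1) == "#") next
            n = split($0, f, "[ \t=]+")
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# Classify a config: "mitigated" when LoginGraceTime is 0, otherwise "exposed".
# With LoginGraceTime 0 an unauthenticated connection is never timed out, so
# the only cap on half-open sessions is MaxStartups; that is the denial of
# service Canonical warns about.
regresshion_status() {  # $1 = config file
    grace=$(sshd_opt "$1" LoginGraceTime 120)      # sshd default: 120 seconds
    starts=$(sshd_opt "$1" MaxStartups 10:30:100)  # sshd default
    if [ "$grace" = "0" ]; then
        echo "mitigated: LoginGraceTime=0, unauthenticated connections capped only by MaxStartups=$starts"
    else
        echo "exposed: LoginGraceTime=$grace, mitigation not applied (patch, or set LoginGraceTime 0)"
    fi
}

# Constructed sample configs for demonstration (not copied from any real host).
WORK=$(mktemp -d)
cat > "$WORK/before.conf" <<'EOF'
# stock settings: grace timer active, mitigation not applied
Port 22
LoginGraceTime 120
MaxStartups 10:30:100
EOF
cat > "$WORK/after.conf" <<'EOF'
# mitigation applied; lower-case keyword and "=" form used on purpose
  Port 22
  logingracetime=0
  MaxStartups 10:30:100
EOF

regresshion_status "$WORK/before.conf"
regresshion_status "$WORK/after.conf"
```

Run it against /etc/ssh/sshd_config on a host to see which state it is in; remember this only checks the workaround, not whether the patched package is installed.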

One year on, universities org admits MOVEit attack hit data of 800K people

steven_t
FAIL

12 months from now or 12 months from then?

Victims of the breach have been offered 12 months of credit monitoring.

It was first detected 12 months ago, so the credit monitoring should have started 12 months ago. I'm fairly sure that didn't happen and they are offering monitoring for just the second year that the data was known to be available for misuse.

Britain enters period of mourning as Greggs unable to process payments

steven_t
Headmaster

Re: Pronoun police

I've been corrected about this by a friend whose grammar is much better than mine. He told me that a company (such as Greggs plc) is singular, which made sense once he had explained it.

I generally think of a company as the people who it employs, which is why I often catch myself using the plural, even knowing that my friend would disapprove.

Chunks of deorbiting ESA satellite are expected to reach the ground

steven_t

1 in 13 per year

The actual statement on the website is "The annual risk of an individual human being injured by space debris is under 1 in 100 billion."

So it is about a 1 in 13 chance per year that someone will get injured (or maybe a bit less, as multiple people can get hit in the same year).

I don't know where they got the figures from, but they've found some reassuring generic figures, rather than work out the chances of being injured by these particular two tonnes of junk.

Most of us here on earth are far more likely to be injured by a two tonne machine on wheels than one falling from the sky, partly because there are far more of them about.

UK flights disrupted by 'technical issue' with air traffic computer system

steven_t

Re: At 1515 the organization said that it had "identified and remedied" the technical issue

The sysadmin was probably going on holiday, sitting on the plane, waiting for it to take off.

Japan's digital minister surrenders salary to say sorry for data leaks

steven_t
WTF?

The UK is the opposite

Here in the UK, a bungling minister who is sacked or resigns is given an EXTRA 3 months of pay. Many of them get rehired a few weeks later and get to keep the payout.

It's almost as if the system is. Designed. To Reward. Incompetence.

Musk's X tries to win advertisers back with discounts

steven_t
Coat

er

Isn't it half way through the rebrand and currently called "er"?

Ex-Uber CSO gets probation for covering up theft of data on millions of people

steven_t

Hookers and blow

> That alone is a big step forward for the US legal system where normally these sorts of crimes end with the company raiding the CEO's hookers and blow petty cash box to pay the fine and that's the end of it.

That's trickle-down economics in action. If there are fines, it is the poor hookers and dealers who suffer :-)

> His community service should be having to work for some credit monitoring outfit or something that is largely related to what he was convicted of...

Work that gives access to more personal data? I'm not sure the data subjects would approve of that, especially since most of them only have credit monitoring in the first place because their data was leaked by some careless company.

Coca-Cola probes pro-Kremlin gang's claims of 161GB data theft

steven_t
Joke

161GB

That's quite a big slurp!

Vital UK customs system outage contributes to travel chaos at its borders

steven_t
WTF?

Stable???

"... the department responsible for GVMS, told the paper its IT systems were stable ..."

I suppose being down is stable, in a sense. That's a hell of a way to put a positive spin on it!

Driver in Uber's self-driving car death goes on trial, says she feels 'betrayed'

steven_t

What year is it?

It says, "... March 2018. Now nearly three years later ..."

The past few years have been very disorientating and I'm not sure the months in lockdown really count but technically, about four years have passed since March 2018.

Tesla to disable 'self-driving' feature that allowed vehicles to roll past stop signs at junctions

steven_t
Trollface

Full Self-Driving

Not sure what all the fuss is about this feature. I've been self-driving cars for decades :-)

Because that's what it means, isn't it? The alternative would mean the car drives itself, which it clearly doesn't. If the car drove itself, the people in the car would all be passengers.

'Extraordinary' pigs step in to protect Schiphol airport from marauding geese

steven_t
WTF?

Sounds like a solution inspired by Angry Birds

In what other universe are pigs the natural enemy of birds?

Now everyone can take in the sights and smells of a London tram station shut for 70 years

steven_t

Also in the Goon Show

As well as the Avengers movie, the Kingsway Tram Subway also appeared in an episode of the Goon Show, although it was in the dark (and on the radio).

https://www.youtube.com/watch?v=zW8NNSqBjFU

I was fired for telling ICO of Serco track and trace data breach, claims sacked worker

steven_t

Director resident in the Philippines

The sole director of Jackpotcomics Ltd is listed as being resident in the Philippines.

https://find-and-update.company-information.service.gov.uk/company/11963186/officers

The referenced BBC investigation uncovered how tens of thousands of companies were set up, recruiting people in the Philippines to be registered as their directors. I assume they did this because when HMRC realise the arrangement is dodgy, the directors are out of their reach.

I'm sure there are legitimate UK companies with Filipino directors, but this looks very much like the tax dodge identified by the BBC.

FYI: There's a human-less, AI robot Mayflower ship sailing from the UK to US right now

steven_t

Re: Units

Given the likely audience, it should have been expressed as equivalent to 521 adult badgers or three skateboarding rhinoceri.

See The Reg online standards converter:

https://www.theregister.com/Design/page/reg-standards-converter.html

Apple ditches support for pre-2015 MacBook Air, Pro laptops with macOS Monterey

steven_t
Headmaster

Re: iPhone 6 and iPhone 6s are different things

That's a good point and I didn't realise they were still getting security updates.

Outside the subheading, the article doesn't mention the iPhone 6, let alone explain that it gets security updates, so I still think it should say iPhone 6s.

steven_t
Headmaster

iPhone 6 and iPhone 6s are different things

The subheading "But it seems the iPhone 6 and SE will be looked after until the end of time" isn't right - the iPhone 6 was dropped in 2019.

The iPhone 6s is a different thing.

Even that is unlikely to be looked after until the end of time, but that's a different matter :-)

UK's BT starts trials of new hollow-core optical fibre networks

steven_t

Latency not speed

The article says BT believes it could achieve a 50 per cent reduction in latency, which isn't the same as a 50% increase in speed. Unless I've misunderstood how they think it is possible, it would require a 100% increase in speed.

The speed of light in a vacuum is pretty fast but it comes a distant second to the speed of light in a marketing pitch.

Uncle Sam wants 'ethical hackers' to crack its planetary defenses, but don't expect a pay-day from this bug bounty

steven_t
Coat

Why does the Pentagon spend more on seafood than bug bounties?

Because they're shellfish.

Atheists warn followers of unholy data leak, hint dark deeds may have tried to make it go away

steven_t
Joke

The Atheist Alliance International?

Splitters!

How good are you at scoring security vulnerabilities, really? Boffins seek infosec pros to take rating skill survey

steven_t

Bucket effect

The bucket effect is expected. The scoring system is designed to be an assessment of the severity of an issue so, obviously, different types of issues with similar severities ought to end up with the same score.

I don't generally use the CVSS score on its own. It is worked out from other metrics, such as Access Vector and Confidentiality Impact, and I find these really useful for deciding what the potential risk is to our systems.

We once had a security audit from a firm that ranked their results as Critical, High, Medium and Low with absolutely no consistency as to how they chose the severity. They ranked nearly everything, even things with no actual security impact, as Critical or High, and would not justify that decision. CVSS is far, far better than that arbitrary system. It isn't perfect, however, as the article explains.

Scotch eggs ascend to the 'substantial meal' pantheon as means to pop to pub for a pint during pernicious pandemic

steven_t

11pm and cornflakes

The article says everyone should be out by 10. I'm fairly sure the new rule is 11, although they have to make their last orders by 10.

The regulations themselves don't actually contain the phrase "substantial meal" and I reckon you can get away with serving cornflakes.

The Health Protection (Coronavirus, Restrictions) (All Tiers) (England) Regulations 2020 say that the meal must be "such as might be expected to be served as breakfast, the main midday or main evening meal, or as a main course at such a meal."

They're here:

https://www.legislation.gov.uk/uksi/2020/1374/made

Hackers hack Hackney: Local government cries 'cyberattack' while UK infosec officials rush to figure out what happened

steven_t
Coat

Re: Where's Fatima

She's the prime suspect!

Safety driver at the wheel of self-driving Uber car that killed a pedestrian is charged with negligent homicide

steven_t

Re: You had one job...

Not a film: it has been reported that she was watching The Voice, which is inexcusable.

Dunkin' Donuts drops some dough to glaze over lawsuit accusing it of covering up customer account hacks

steven_t
Coat

Security Hole

It seems that their security processes, like their products, had big holes in them.

Like a Virgin, hacked for the very first time... UK broadband ISP spills 900,000 punters' records into wrong hands from insecure database

steven_t

Re: Easier?

And "found out they have"

As in: "Maybe it would be easier to just list the carriers that haven't yet found out they have had personal information hacked."

If it's Goodenough for me, it's Goodenough for you: Canuck utility biz goes all in on solid-state glass battery boffinry

steven_t

Re: "Critics have been understandably sceptical"

According to Wikipedia, his middle name is Bannister, which means he can legitimately call himself Johnny B Goodenough.

Researchers reckon 500k PCs infested with malware after dodgy downloads install even more nasties from Bitbucket

steven_t
Big Brother

exfiltrating so many different types of data

Just a thought... did they check whether the malware-ridden versions exfiltrate more data than the genuine products, or less?

In your face short sellers! Tesla goes two quarters in a row without losing money

steven_t

Re: Real profit or phony profit

Most businesses, when starting, get cash from investors and use it to pay for losses until they start to make a profit. Tesla has done this on a grand scale, having received 6.618 billion USD from investors (as of 31st December 19, unaudited). If you include investments received by its subsidiaries, it is 8.11 billion.

At this point, it is hard to know whether Tesla will be successful in the business of selling electric cars. It has already proved to be very successful in the business of selling that dream to investors.

Windows takes a tumble in the land of the Big Mac and Bacon Double Cheeseburger

steven_t

Re: Possible use of audio

I think COKE (and by extension, Coke) IS a registered trade mark.

In the EU, registered mark EU002091940 protects the name from being used for the relevant class of goods:

Class 32 Beers; mineral and aerated waters and other non-alcoholic drinks; fruit drinks and fruit juices; syrups and other preparations for making beverages.

It also protects the name from being used in a wide range of less obvious products, including edible birds' nests. If you try selling "Coke" birds' nest soup, you can expect a letter from their lawyers.

https://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/4/EU002091940

There are other registrations for the same name, presumably covering even more obscure product classes.

Intel server chip shortages continue to bite: HPE warns of Xeon processor supply drought for the whole of 2020

steven_t

iX shortage

In December, I ordered some Intel NUCs, only for our supplier to cancel the order in January due to an unexpected chip shortage. They couldn't source the i5 or i7 parts, so I had to settle for i3s.

Maybe our supplier is to blame for accepting an order they couldn't fill, but it demonstrates that the shortage is affecting the iX family, as the article suggests.

It's your walkie-talkie Teams mate, over. 'You don't have to say Over, over'. Copy that. Stop making the static noise, over and out

steven_t

Re: "Over and out"

I heard that "Over and out" gives the other party the last word, leaving no opportunity to reply. The accepted response is supposed to be "The drinks are on you. Out."

Email blackmail brouhaha tears UKIP apart as High Court refuses computer seizure attempt

steven_t

Such cruelty!

That would put the RSPCA in a real quandary. It would have to act against such cruel treatment of lions and corgis but, on the other hand, the Queen is its patron.

Alphabet, Apple, Dell, Tesla, Microsoft exploit child labor to mine cobalt for batteries, human-rights warriors claim

steven_t

How much cobalt per car?

That's a really interesting post, but could I just query one aspect of it?

You seem to be implying that each Tesla S3 uses 10 - 15 tonnes of cobalt. That can't be right, can it?

123-Reg is at it again: Registrar charges chap for domains he didn’t order – and didn't want

steven_t

Re: Did these people actually READ their own statement?

No, I think it means: "We didn't rip off this customer, but that was an oversight - we did it to everyone else"

'Don’t be so concerned with your image'... US prosecutor lets rip on Uber for hack cover-up as pair plead guilty

steven_t

I think he was talking about Uber.

Traffic lights worldwide set to change after Swedish engineer saw red over getting a ticket

steven_t
Stop

Why you need a longer warning if you are turning

I read the article and then it took me a while to figure out why you need more time on amber if you are turning. It has nothing to do with coming out the other side of the junction.

It is because, after a split second of reaction time, you need to make a decision about whether to go or stop. If you are going straight, you have the choice of proceeding at full speed, or stopping. The formula is designed so if you are the critical distance away, you have time to either stop at the line, or pass it at the expected speed. If you are further away, you have to stop. If you are nearer, you have to continue.

If you are going to turn at the junction, you have the choice between stopping, or decelerating to make the turn. If you are decelerating, it will take longer to reach the stop line than it would at full speed, so you need extra time.

Brit hosting provider tsoHost takes needleful of 'unauthorized code' to the servers, suffers week of outages

steven_t
FAIL

Lemonrock was affected by this

"Tsohost - our hosting company - disconnected our Lemonrock server from the Internet early on Monday 10th June 2019. They did this without warning, and later claimed that they had suffered a cyber-attack."

Their full explanation is here:

https://www.lemonrock.com/newhost.php

To members of Pizza Hut's loyalty scheme: You really knead to stop reusing your passwords

steven_t
Coat

New pizza base, only available via the loyalty scheme

Credential stuffed crust

It only took Oz govt transformation bods 6 months and $700k to report that blockchain ain't worth the effort

steven_t

Re: Just 'Unnecessary'? What about 'Wouldn't Work'?

The only thing about this I disagree with is the manner of the unravelling. Chocolate teapots tend to melt or, if dropped before use, shatter. I think it unravels more like a toilet roll in a tumble drier.