Posts by vulture65537

73 publicly visible posts • joined 3 Jan 2019


Abstract, theoretical computing qualifications are turning teens off

vulture65537

Re: WYF!

6502 assembly could be programmed from the BASIC UI.

vulture65537

Re: WYF!

It was in the ladybird book.

US Army turns to 'Scylla' AI to protect depot

vulture65537

Will it be available to the secret service?

Wanted. Top infosec pros willing to defend Britain on shabby salaries

vulture65537

Re: Pay grades

renumeration

And dodgy spelling/typing.

vulture65537

My pension record shows salary £42,750 in April 2005.

And nobody ever took any notice of my reports and advice - even managers with no first hand knowledge denying my own observations.

Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy

vulture65537

> ... idea is that if more organizations have to keep their security controls in line with government-set standards, ...

When I worked in the private sector to government standards about 10 years ago they weren't all that sensible.

systemd 256.1: Now slightly less likely to delete /home

vulture65537

Saltzer & Schroeder gave principles in the 1970s including

Safe Defaults

Proving yet again that people will put more work into making a mess than into finding out what's good to do.

'Little weirdo' shoulder surfer teaches UK cabinet minister a lesson in cybersecurity

vulture65537

I saw a commuter on the tube carrying a pack of paper in a transparent case. In the front of the pack was a letter reading Dear $name, ...

I spoke to her by name (great shock) and suggested the transparent case in public was a bad idea.

Bad vibrations left techie shaken up during overnight database rebuild

vulture65537

Canary Wharf workers near a pile driver have had to explain in their conference call with other sites what is going on.

Three-year-old Apache Flink flaw under active attack

vulture65537

Managers are divided between those who refuse to believe a bug exists even when it was discovered years earlier by a member of their own team - that the manager has spoken to but insists that he knows better than technical staff.

Or the kind that believes bug reports such as Red Hat rpc still contains a flaw fixed in 1998 just because the version number shown over the network is still 1.2.

Neither one is curious enough to ask about the truth or be any more satisfied with better conditions than you get by doing nothing. This ensures that nothing will be done except useless things because something must be done.

These are real examples from work and people with names omitted.

Will Flatpak and Snap replace desktop Linux native apps?

vulture65537

Re: One thing you've missed

Disconnect from network then do your volume or filesystem snapshots. Reconnect to network to copy them to other storage.

vulture65537

Re: Performance isn't free...

Mark Bannister (of Jane Street) documented one on Linkedin a few years ago while I still had an account on it.

Your security failure was so bad we have to close the company … NOT!

vulture65537

Re: Would you believe...

Don't tell me this was at a greeting card company.

Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks

vulture65537

Re: Driver Signing

What about refusing to downgrade to a lower version (after the new version has been in use for a day)?

Who needs the A-Team or MacGyver when there's a techie with an SCSI cable?

vulture65537

Re: HOWTO Move Your Server

At Uni I was reading a book which covered three-phase power (it turns out to be important for X-ray machines) and found in the book a warning that if the fuse blows you must not replace it with a nail.

vulture65537

Long ago somewhere in this galaxy there may have been someone who tinkered with the inside of a PC so much he got to leaving the screws undone and the case open a few centimetres. Then there was contact from a near neighbour (who had not seen indoors at this place) complaining "You're running a PC with the case off which interferes with TV signal and is illegal". The case went back on and there was no more complaint.

Wake me up before you go Go: Devs say they'll learn Google-backed lang next. Plus: Perl pays best, Java still in demand

vulture65537

Re: If you want to do Low-Latency properly ...

No - you walk one string and compare to the other buffer that might not contain a string at all (and if it does may not indicate the buffer size).

School's out as ransomware attack downs IT systems at Scotland's Dundee and Angus College

vulture65537

"because nobody knows anything"

This graduate from 13 miles south suspects that's the usual condition.

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

vulture65537

Re: With great power...

You mean it's time someone invented smrsh - the sendmail restricted shell?

https://www.linuxtopia.org/online_books/linux_system_administration/securing_and_optimizing_linux/chap22sec182.html

vulture65537

Re: How?

Too right, and common knowledge since at least 1994.

http://sunmanagers.mrbill.net/1994/0509.html

Go on, eat your fibre, new build contractors. It's free! OpenReach lowers limit for free FTTP connections

vulture65537

Higher upload speeds would help a lot with backups to cloud.

Wave goodbye: DigitalOcean decimates workforce as co-founder reveals lack of profitability, leadership turmoil

vulture65537

Re: Impressed with the service but........

I used to report port scans and intrusion attempts ... even cataloged the preferred contact method (email/web form * groups/single items) for a bunch of ISPs and automated the reports (with a rate limit).

The most annoying was my own ISP since they couldn't reliably read logs (bsd pf logs in tcpdump format) and often contacted me claiming I was the source of the scans I'd complained about.

A Notepad nightmare leaves sysadmin with something totally unprintable

vulture65537

Re: Support ticket

I had a luser claim that my s/w changed his Solaris hostname to "-a". Puzzled by this since I'd been running it on Solaris for a long time and knew it never changed the hostname, I invited him to look in root's shell history for "hostname -a" where perhaps "uname -a" was intended.

I never heard back.

Brit banking sector hasn't gone a single day of 2020 without something breaking

vulture65537

If El Reg wants to reproduce user content on topical issues isn't it possible to pick items with better adherence to the 3rd commandment?

The time PC Tools spared an aerospace techie the blushes

vulture65537

Re: The scariest word in IT....

I (and Kevin) had to deal with a situation in the early 1990s where the culprit (Carl) had been the last person to leave on Friday (and by the time we arrived on Monday was abroad on leave). He'd left some sort of unfinished reformat and reinstall job without so much as a note about how far he'd got and what was left to do.

During his holiday someone phoned for him and when I said he was away they asked "Oh! How do you manage without him?".

vulture65537

Re: Try 'rm -rf some_directory /*'

I might have done something similarly dumb by starting a directory name #with-a-hash-making-a-comment.

Also GNU rm interprets -r -f etc. if it sees them later in the argument list, which might be unexpected.

Five years in the clink for super-crook who scammed Google, Facebook out of $120m with fake tech invoices

vulture65537

Re: Good accounting

> phony invoices that each of the tech giants thought were for real purchases

Years ago I worked at a place that tried to pay invoices whether they were due or not. The drone I spoke to on one of these occasions was panicking that "they might sue us" while I was telling him the cancellation I had in the correspondence file would keep us safe if they did.

Remember the Dutch kid who stuck his finger in a dam to save the village? Here's the IT equivalent

vulture65537

Re: Once upon a time in Brighton...

I found a situation where a password could not be changed; even by root using 'passwd -r files luser'.

The line in /etc/passwd was there but the passwd program was not reading it. Enter truss ... /bin/passwd was quitting before reading the whole file which meant a problem in the file. pwck pointed out wrong number of fields.

And somebody's edit had left a blank line mid-file resulting in later lines not being used.

Managing the Linux kernel at AWS: 'A large team of security experts' dealing with fallout from Spectre, Meltdown flaws

vulture65537

Re: Translation:

No harm in a few more instance types and let the customer choose?

vulture65537

Re: "We take our customer's privacy seriously..."

> Dedicated servers if you are handing PII, including financial transactions.

Then there are your passwords, SSH keys, ASLR variables, CSRF variables etc so even if you have no PII you might want to step up the caution.

Gravitons, Neoverse... you'd be forgiven for thinking AWS's second-gen 64-core Arm server processor was a sci-fi

vulture65537

Re: All Amazon CPU include a integrated microphone as standard

always

https://www.cs.tau.ac.il/~tromer/papers/acoustic-20131218.pdf

In Rust We Trust: Stob gets behind the latest language craze

vulture65537

Re: Do...While

do { ... } while(0) was a tool taught me* in the 1990s for use in C macros.

When you have your code:

if (x) frobulate;

you don't need {} after the if even when frobulate is #define'd as multiple statements of something.

* by the pdksh maintainer Michael R?? er, web search suggests Rendell

That code that could never run? Well, guess what. Now Windows thinks it's Batman

vulture65537

Yes they were.

vulture65537

> warning for anyone ever tempted to insert witty error messages into their code

sudo has an option for "insults" (strange sayings emitted when you enter a wrong password). I maintained sudo for a while in a company which meant download/compile/package when there was a new version. There were a few people so alarmed by the "insults" that they made helpdesk calls to people who didn't know what they were and didn't know how to find out about them. In later releases I made sure the insults were turned off.

examples here: https://grayson.sh/blogs/viewing-and-creating-custom-insults-for-sudo

Before you high-five yourselves for setting up that bug bounty, you've got the staff in place to actually deal with security, right?

vulture65537

Re: Job Postings

> Hiring an infosec person, chucking them in a corner and paying them well will never be a waste of money.

That's exactly a waste of money as you missed out the part where you should take their advice.

UK tech freelancer numbers down for first time in 5 years since IR35 tax reforms hit public sector

vulture65537

> contracts finishing by 28th February 2020

Did they not notice the leap year?

No one would be so scummy as to scam a charity, right? UK orgs find out the hard way

vulture65537

Re: Charities are a fraud

Years ago there was a debate in the newspaper about pay in public v private sectors. Someone defended his public sector pay because of the amount of money he managed (i.e. spent). Another writer said spending money is easy and the hard work in the private sector is earning the profit.

Tearoff of Nottingham: University to lose chunk of IT dept to outsourcing

vulture65537

Re: And this means

> keep the expensive part of the IT organisation

Did Amdahl also make a law of finance?

'Technical error' threatens Vodafone customers with four-figure roaming fees

vulture65537

Re: "Customers will not be charged"

Vodaphone -> Vodafone

The safest place to save your files is somewhere nobody will ever look

vulture65537

He's been learning from Richard Attenborough. https://www.imdb.com/title/tt0049637/

Former BAE Systems contractor charged with 'damaging disclosure' of UK defence secrets

vulture65537

Re: A common misconeption

I blame the Potato farm.

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

vulture65537

Re: DES

https://www.usenix.org/publications/login/december-2003-volume-28-number-6/end-crypt-passwords-please

December 2003 article on the limitations of old DES crypt()

vulture65537

Re: penetration testing --really?

"early Solaris" meaning as far as part of the Solaris 9 series - really quite recent

Watch out! Andromeda, the giant spiral galaxy colliding with our own Milky Way, has devoured several galaxies before

vulture65537

Re: Let me get this straight ....

> universe is expanding

That applies on large scales. Bringing nearby things together is not prevented (so it's not an excuse why your golf club misses the ball).

Are you who you say you are, sir? You are? That's all fine then

vulture65537

Re: Santander

I had Powergen phone me to say I needed to change my password which included the term "cheating bastards" because of the way they'd used higher estimated bills than actual meter readings.

Fed up with Facebook data slurping? Firefox has a cunning plan

vulture65537

Re: How is it any better than running NoScript

> introducing lumps of code from sources over which its developers have no control

https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

Divert the power to the shields. 'I'm givin' her all she's got, Captain!'

vulture65537

Have you written your cloudy serverless proposal?

I just love your accent – please, have a new password

vulture65537

https://dilbert.com/strip/1995-11-27

Despite billions in spending, your 'military grade' network will still be leaking data

vulture65537

Re: With All Due Respect to Larry Wall

Your experience is not complete until your boss personally tells you that an unpatched bug does not even exist. This is a bug that you discovered and reported to the vendor 9 years earlier and (after testing the patch) sent a description to a security mailing list that's archived on the web.

You're all set for your long summer vacation. Suddenly a text arrives. It's the CEO. 'Data strategy by Friday plz'

vulture65537

Re: A new idea?

Dear Boss, Refer to quote from Dorothy Parker.
