* Posts by BigBear

34 publicly visible posts • joined 13 Feb 2019

Twitter hackers busted 2FA to access accounts and then reset user passwords


Re: Dodgy

The phone numbers shouldn‘t be stored as plaintext. Although there are probably ways to circumvent that problem, too. It would slow them down a bit.

Raytheon techie who took home radar secrets gets 18 months in the clink in surprise time fraud probe twist


Re: Did he not

He’s fortunate that he failed to wipe his drive, for it set an upper-bound on how many documents he nabbed; it established the classification level of what he copied; his failure likely reduced the severity of one of his charges (he attempted to obstruct justice; he never destroyed evidence) and demonstrated his relative ineptitude and the unlikelihood that he had passed classified docs to bad guys.


Re: What is Raytheon's problem?

Absolutely correct! Taking classified material off-site is generally illegal, unless you are individually authorized to do so, sign the particular documents out, have a secure container in which to transport them that is locked to your body, and have a certified secure facility to which to bring them and store them in an approved safe that is secured to something considered immovable. Barring that, you'd need to be accompanied by armed guards.

The fact that Raytheon allowed any external storage device to function on any PC with access to classified material is a huge breach of national security. Raytheon should be fined $ billions for this.

The fact that their servers logged accesses to classified document is a minimum requirement. The fact that there were no alarms when a single user downloaded many thousands of documents is unacceptable. The fact that Raytheon allowed employees or contractors to leave the premises with any type of external storage device — given that external storage devices actually function on their PCs — is outrageous.

One additional reason why the guy may have gotten such a light sentence is Raytheon's complicity — they made it so easy and their policies and procedures were so lax.

I’m not a lawyer, but there's a principle of causation in law that asks a question or makes a statement that starts with "But for...". Here, it could be, "But for Raytheon's violations of standard DoD security regulations, this document removal could never have happened." That doesn’t change the guy's guilt, but it makes Raytheon guilty as well.


Re: Magnesium

I know nothing of the incident about which you wrote. However, magnesium salts and magnesium alloys do not behave as does pure metallic magnesium, and are almost as light. It would be truly foolish for the US Navy to build any parts of a ship out of pure, or nearly-pure, metallic magnesium — a material that can ignite and be extremely difficult to extinguish.

Web pages a little too style over substance? Behold the Windows 98 CSS file


Re: Bring back win98 UI

I agree about Win2K. Win 7 can easily be made to look very much like WinXP, was much more secure than either, was very stable, and still has a decent UI.

Sophos was gearing up for a private life – then someone remembered the bike scheme


Re: De minimis

It means an insignificant number, but non-zero.


Re: Well that's embarrassing

According to my read of the story, if any one or more individual employees are loaned that much for a bicycle and bike safety equipment (helmet, reflector vest, knee pads, elbow pads, ...), then the rule applies. Most employees may opt for far less. All it takes is one.

Windows 7 will not go gentle into that good night: Ageing OS refuses to shut down


"Operating systems don't just rot or break by themselves ffs"

Have you not noticed over the decades, that for every version of Windows, as its "uptime" increases, it eventually becomes slow, erratic, and generally unstable? In an anthropomorphic way, I sometime say it's getting "tired", "cranky", or "unhappy".

When that happens, it's time to reboot. If you wait too long, Windows hangs or blue-screens on shutdown, requiring a power off. After a reboot, Windows runs better.

Now, why do you suppose this happens, this gradual decay in stability? If your assertion were true, if I didn’t add/remove hw or sw, Windows should run forever, with no decay. But that's not what happens.

I can't tell you why — I could speculate about buffer overruns and stacks being over- or under-pushed or popped, variable scope errors, etc. But, I’m just guessing.

Furthermore, unless hardware-enforced protection of executable portions of files is enabled for all software, your buffer overruns can permanently change software.

Fed-up air safety bods ban A350 pilots from enjoying cockpit coffees


Re: Gobsmacked!

Actually, four times as many door openings — each pilot must open the door again to return to the cockpit.

'Windows Vista' spotted doing a whoopsie over EE's signage


IE 8 shipped with Windows 7

If that's IE 8 and Windows 7, then they never upgraded IE (maybe turned off Window Update?), because IE 8 is what shipped with Windows 7. Vista shipped with IE 7 and supported up to IE 9. Win7 supported up to IE 11.

Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped


Re: State is not county

Why do you think the "building [was] owned by a different party"? Previous El Reg reporting has been rather sloppy by referring to the courthouse's location rather than its judicial level.

I cannot imagine that the state court system would approve of testing of a county courthouse, unless they have an integrated system where county courthouses are also controlled by the state court system. In that case, the sheriff would still be in the wrong. Sheriffs do not control courthouses — judges do.


Re: "...elevating the alignment between security professionals and law enforcement."

Counties are not sovereign in the US. States are sovereign. The state court system set this up. It was a test of the state court's security. Therefore, the break-in was to a state court building, not a county or municipal court building.

It may have happened in the sheriff's physical jurisdiction, but he doesn't get to just make up law as he goes along, as much as he may like to. He had no legitimate authority to arrest those guys as soon as he learned that they had permission from the building's managers — the state court system.

The sheriff was probably upset that he wasn't in the loop, so he threw a tantrum that cost everyone a lot of money. But he has a point. He and the local police should have known what was happening. He just expressed his point in an infantile manner. He should be fined, have to pay everyone's legal expenses, be demoted, and feel lucky if he isn't sued for false arrest.

Internet Society's Vint 'father of the 'net' Cerf dodges dot-org sell-off during public Q&A


Re: What's next?

... or how about .MIL or .EDU ?

Let's have some more alternative facts.


Re: That's irrelevant.

Not at all irrelevant. It does not matter that .org was not meant exclusively for non-profits. What matters is that non-profits, for decades, had no other TLD that fit (that was appropriate to their charter). (Furthermore, for what it's worth, the public probably thinks of the .org TLD as being at least primarily for non-profits.)

If this deal is consummated, it seems likely that all .org domain-holders will have to pay a fortune to keep their TLD, or move to a new one, all because an insider with a conflict of interest was able to pull off a quick and quiet deal before anyone could stop it.

Where’s the public interest? Where’s the governance? Where’s the transparency? Where’s the oversight?

Seagate, WD mull 10-platter HDDs as pitstop before HAMR, MAMR time


Data recovery from failed SSDs vs big HDs

I don’t think SSDs are in the same marketplace. SSDs are for personal computers and big HDs are for big data storage, such as online backup or cloud databases, and would typically be configured with data redundancy through RAID 1, 5, or 6.

How recoverable data is from a failed SSD depends highly on the cause of the failure, just as with HDs, but I’m ignorant of the details.

SSDs make me nervous, too. Do your backups!

Cassini may be dead – but its data shows basic building blocks of life spewing from Enceladus


Water vapor and ice from Enceladus getting to Earth?


Not in any but trace quantities, if that. The solids are recaptured by Enceladus, if I understand correctly. The gases would likely be captured by Saturn's powerful gravity.

To the extent that they are not so captured, the solar wind would carry the gases further away from the Earth, leaving little or nothing just floating about.

Added to that, the Earth is a VERY great distance from Saturn, even when we're on the same side of the solar system. Brownian-motion based dilution goes with volume, which is proportional to distance^3....

Bloody awful: Hell-thcare hackers break into databases of 20m medical test biz patients


HIPAA compliance, anyone?

For Quest Labs, AMCA would (in theory) have had to have signed a Business Associate Agreement, promising to be in full compliance with the US's HIPAA law, which requires, among other things, that all personally-identifiable health information (PHI) be stored and transmitted "securely". The law is not prescriptive, in terms of defining specific techniques for doing so, but does require both physical and electronic security.

While it does not require state-of-the-art security (at crushing expense), anyone reading the regulations would expect that full encryption of data is expected, as well as normal industry best-practices for firewalls, anti-virus protection, two-factor logins, patch management, etc. After all, you're protecting other people's data, not just your corporation's data. The law creates a legal duty to protect that data.

I wonder of AMCA knew that, signed any such agreement, had a clue what HIPAA is, or was HIPAA compliant? Violations of HIPAA can cause you to lose your accreditation, lose your your license, as well as huge fines (Some number of $ per case; multiply by 12 million cases).

This works back to Quest Labs, too, as they handed over the data that included the PHI. Quest is responsible for ensuring that they choose a vendor that is HIPAA-compliant, signing an appropriate Business Associate Agreement, and monitoring their compliance.

Truth, Justice, and the American Huawei: Chinese tech giant tries to convince US court ban is unconstitutional


Re: Go Pound Sand

Maelstorm's argument is exactly correct. US law — and the US Constitution, under the Foreign Policy umbrella — gives the Executive Branch wide latitude in the area of national security, so long as there is some “rational basis” for it. It further grants the Legislative Branch authority to codify “rationally based” solutions to national security concerns identified by Executive Branch agencies, such as the FBI, CIA, or NSA. Maelstorm's argument is part of that rational basis.

I doubt that the Court will require any concrete evidence that Huawei has engaged in any suspect behavior. The most that the Court might require is the sworn testimony by appropriate experts that Huawei is, by the nature of the Chinese government, controlled by the Chinese government which, by policy and historic precedent, uses technology for spying and technology theft and, therefore, Huawei might be forced to insert “backdoors” or other security vulnerabilities into its products for use by the Chinese government.

The Court is extremely unlikely to require any proof to support the testimony of previous Chinese spying or of Chinese government control over Chinese companies, as that would require disclosure of Classified information, including sources and methods.

Other than knowing that the legislation’s “rational basis” was derived from consultations with intelligence agencies, the Court could legitimately simply accept the legislation without further testimony, based on Congress’ inherent authority, and thus dismiss the lawsuit.

Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it's Cisco again


Re: "they do not favour the Americans"

I'm not favoring US coercion or any other unseemly behavior, and specifically not NSA backdoors, which I clearly stated. Perhaps I'm naive, but I doubt that Cisco installs backdoors at the NSA's request. Nevertheless, better the NSA than the PRC. The PRC is more evil than you might imagine — far more so than the US.

And yes, I am speaking for what benefits the US, specifically. Our allies can always build their own networking equipment. If that's not economical for them, they're still better off with Cisco than Huawei.


"they do not favour the Americans"

@Anonymous Coward

"they do not favour the Americans"

Perhaps I'm just stupid (and I'm setting myself up). How do "they do not favour the Americans"?

Are we still talking about networking gear?

Remember, Huawei stubbornly refused to remove their telnet backdoor until Vodafone made a huge stink about it. Cisco issued fixes for their problems immediately.

I'm willing to assume that Cisco does not intend their equipment to have backdoors. I expect, given its Chinese government connections, that Huawei does intend its equipment to have backdoors.

Even if Cisco equipment has NSA-supported backdoors, that's the United States NSA, not the Peoples' Republic of China — a major threat to, if not enemy of, the United States. I don't like having either scarfing up our data. But the former is far better than the latter. Encryption is the way to go.


Re: Keys


"the Allies would have eventually won without them since Germany was incredibly resource-constrained and couldn't have sustained the war long-term"

Much of the reason for Germany's resource constraints was the strategic bombing of the Romanian oil fields and the German ball-bearing factories that only USAF long-range bombers could reach. Furthermore, while the USSR was like an unstoppable tank that may have been able to roll over Germany — even without US help, I believe that in such a case, the Soviets might well have kept rolling right through Europe as well, as the "spoils of war". (Probably would have left Britain alone, however.)

That would hardly be "winning" WW II. The allies needed the US to ensure that Europe remained free from the Nazis and the USSR. Probably the stupidest, most arrogant decision Hitler ever made was to invade the USSR, turning that prodigious, relentless war machine into its enemy.

While the US populace is embarrassingly ignorant in its widespread belief that the US "won" WW II in Europe. I disagree that the USSR "won" it either (or you Europeans wouldn't have liked the results). The war would have taken far longer, both Germany and the Soviets were working on atomic weapons — no one knows what would have happened had the US not entered the European theatre.

The US contributed vast amounts of cash, engineering, and manufacturing capacity to build equipment at an unprecedented rate; the British contributed unequalled intelligence, code-breaking, radar, and world-class deception techniques. Both contributed brilliant generals to plan and coordinate battle plans. France and other occupied countries contributed critical intelligence and brave resistance fighters who sabotaged German equipment and critical infrastructure. The USSR contributed its own large manufacturing capacity and seemingly endless population of soldiers willing to sacrifice for the homeland. Blood is not all that counts, however. Every country contributed in important ways. The key countries were each critically important.

Had the USSR remained a German ally, the allies could not have prevailed. Thank goodness that Hitler was a madman.

On an earlier topic: The US and Soviet troops arrived at the outskirts of Berlin roughly simultaneously. The USSR was understandably eager to seek revenge and happily sacrifice its men to capture the city. The US was all too willing to stand by and let the Soviets do the dirty work, then negotiate our way into getting more than 50% of Berlin as Western territory.

While the Soviets were engaged in savage street-by-street battles in Berlin, the US was rounding up German scientists and engineers and offering them safe passage to the US, easy permanent resident status, government jobs, etc. It was brilliant, as you Brits, would say.


Re: Keys

@Gene Cash

I assume that you're referring to your mandatory US History class which, by definition, would not include anything European. It's very unfortunate that yours was so limited. I graduated from high school 46 years ago and was fortunate enough to attend a well-funded public high school. Our US History class started several centuries before our Revolutionary War but, unfortunately, reached only to the start of WW II before the school year was over.

At that time, our school did not offer any world or European history classes, but that was pretty typical. My parents both lived through the depression and WW II, so I've spent considerable time learning about WW II on my own — it's truly fascinating and gut-wrenching.

Hey, those warrantless smartphone searches at the US border? Unconstitutional, yeah? Civil-rights warriors ask court to settle this


Re: As a non citizen..Nothing new. Its always been that way. Everywhere

@Someone Else:

Jo Me is including September 11, 2001.

From me 2U: Quantum has finally joined the NVMe fabric array party



Still looks like a decent system with good options and scale. Questions are actual (benchmarked) speed, pricing, warranty, reliability...

Amazon Prime Air flight crashes in Texas after 6,000ft nosedive


Re: Age?

27 year-old plane design. Without knowing the tail number, you don't know when this plane was built — it could have been built last month (I believe they're still building them).

Do we know that this particular plane is not used regularly, or is this just a common pattern for cargo planes? The NTSB is much better these days about revealing partial information as it becomes available, rather than waiting until a comprehensive report can be made.

Accused hacker Lauri Love loses legal bid to reclaim seized IT gear


Re: Does he not have a point?

I think you may be spot on. He probably has actual personal information on there (numbers of Swiss bank accounts holding profits from his hacking? /s), mixed with hacked data. The judge is dismissing this possibility out of hand, it seems. Or, he may be bluffing and simply wants to get back the valuable hacked data.

The problem is, as you say, separating the two. If you give back the hardware, complete with not-yet-cracked encrypted data, you're giving him the spoils of his hacking, to sell or whatever, without even knowing what you've done. If you (the police) know that certain data is stolen, you could delete it (securely) from the drive prior to its return. You could delete everything that's encrypted, but that may include his personal data. Doing all of this could be extremely time-consuming, depending on how the files/folders are named and organized — or intentionally disorganized.

If HE were to assist in this effort (provably identifying hacked vs personal data), he'd be admitting to — and providing evidence of — his crimes, so he's not about to do that.

Furthermore, if the police were to return even wiped drives, he could later (at criminal trial) try to claim that the copies were not authentic. Without the original, how do they prove otherwise? In theory, they could give him *new* hard drives with only non-hacked data copied to them (fat chance!).

The judge's decision (www.judiciary.uk/wp-content/uploads/2019/02/lauri-love-v-nca.pdf) says that at least one of the computers was seized while it was powered on and he was logged in. The police attempted to copy the drives' data "live". That's the computer where the judge said an "encryption process cut in to the devices themselves". That system had a TrueCrypt volume. I presume that the TrueCrypt process held the TrueCrypt volume locked, preventing it from being copied as a single file.

According to that document, the police obtained what they claim to be quite a lot of readily-identifiable hacked data. Whether that assertion is based on reading the data or just filenames is another question.

The document also states that the police found two TrueCrypt volumes. They claim that they know the contents of one of them in detail (without saying that they decrypted it) and it is hacked data. (I wonder if that TrueCrypt volume was already open with its password when his home was raided.) The other TrueCrypt volume apparently has unknown content.

He may also have used an OS-based encrypted file system to encrypt drives on each system, turning them into bricks unless you can boot up and log in. The document from the judge suggests that the police have a lot of seemingly hacked data, but also suggests that they've been stymied elsewhere and seek assistance from US law enforcement specialists. I seriously doubt anyone in the US is going to give the UK a bunch of supercomputer time to crack this guy's drives or TrueCrypt volume. I've seen nothing to suggest that he did anything nefarious with that hacked data.


Re: "the suspect machine, once acquired, is never powered on."

"Acquisition of computer" (i.e., seizure) versus "acquisition of data" (ideally, perfect forensic copying of data without interference from local operating system): two different concepts being conflated, it may seem.

But perhaps you intentionally changed concepts — but, if I may nitpick with your writing style, neglected to highlighted it — given that you linked to that fascinating story about the Silk Road case where "live" data copying may have been necessary. It is always very risky; you can always check to see if EFS is enabled on the drive [in Windows, that is]). In the Silk Road case, it was presumably useful to seize the machine powered up at least to capture images of the screen as it was in mid-chat to verify identity.

Power-on (boot) passwords in those days (< 2013) were usually easy to defeat, sometimes requiring the use of a pin jumper or perhaps advice from the computer manufacturer. It depends on whose BIOS is involved or whether there's UEFI (don't recall when that rolled in).

Nowadays, "smart" criminals will want to use UEFI boot drives, boot passwords, and encrypted file systems. If such a system is seized by law enforcement powered on and kept powered on, they have a chance to perform an unencrypted copy of all disks (that could be challenged in court, perhaps). If such a system is not powered on when seized, their forensic copy will be an entirely encrypted disk image — good luck with that.


Re: Something not ringing true here ...

One would hope than anyone doing forensic analysis would know to disable any type of autoplay system, but alas, you never know...

White House and FCC announce big, broken solutions to America's pitiful broadband


Re: Need a new new deal (Don't hold your breath)

I agree with most of your comment, but your US history is way off. The construction of the US Interstate Highway system had nothing to do with the New Deal. Yes, the New Deal did include quite a few large infrastructure projects such as major bridges and dams (e.g. the Hoover Dam), many of which are still in use.

However, the Interstate Highway system was built mostly in the 1950s and 1960s. The rationale was officially economic growth, but it was secretly designed to support large, heavy, mobile ICBMs and the landing, if necessary, of B-52s and other large military jets — so it was also a Cold War asset.

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs


Re: The Usual Response...

I'm very familiar with 2- or 3-year old thumb drives — even those made in the USA by the best manufacturers — either becoming completely unreadable (looks like unformatted media) or having random data corruption inside files. They are simply not a reliable archive medium.


Re: The Usual Response...

"Let's face it; everyone who has a short password likely started out with a longer one but all the retyping got old fast."

Not to mention being locked out of online access by your bank or credit card company until you call them. I'm getting older and my touch-typing of even real words isn't that reliable unless I watch my fingers. Thankfully, some sites now allow you to display the characters you type — presumably for when you are confident that no one will be able to see your display.

First they came for Equifax and we did nothing because America. Now they are coming for back-end systems and we're...


No fines or criminal penalties? Why is data online? Where's the outrage?

After the innumerable such breaches, why aren't there large civil and painful criminal penalties for failure to adequately secure such data? There should be an expectation of "best practices" when dealing with such data. If you can't afford to do it, then you are in the wrong business.

Why is the data even on the Internet continuously? The server on which the data resides could be kept offline except during periods when data transfers occur. All data on the server should be fully encrypted, not just hashed. The public should be outraged every time this happens. There's no longer any excuse.


Re: Blackface?

That's not blackface — that's just a ski mask (to keep the face warm on a sub-zero [Fahrenheit] ski slope), like bank or jewelry store robbers sometimes wear to hide their identity. Sometimes they use a stocking, but stockings are not as effective and they probably reduce your vision considerably.