* Posts by Diogenes8080

88 publicly visible posts • joined 7 Jul 2020


Singapore may split liability for phishing losses between banks and victims



Some commentators appear to have missed one of the points - the Singaporean paper is saying that the banks do not pick up liability if they have not practiced fsckwittery.

That rather limits their scope for communication, since many of the available media are inherently fsckwitted for financial communication. A PSTN that is open to spoofing? SIMs that can be 'jacked by spinning a tale at the local carrier retail outlet? Active collusion by corrupt staff at any point in the over-extended outsourcing chain? Secret Q&A in an era of criminal e-pending? FFS, that's worse that a moderately weak password.

There are secure means of consumer communication. The banks know them and many of us know them. We simply need an ombudsman that knows them, but that might be too big an ask.

Greater Manchester Police ransomware attack another classic demo of supply chain challenges


Re: Outsourcing

Well, it's a supply chain attack. You can't expect the police (even if they were organised nationally rather than by constabulary) to insource everything.

Whether your supplier is properly equipped to handle your highly critical data, and whether you have the mechanisms and contractual clauses to enforce that handling... that's a much more interesting question. And you want to outsource to a foreign jurisdiction with a notoriously inefficient or partisan judiciary? I can't see how that could possibly go wrong!

Also, both in this breach and several others, we are not being told the name of the breached supplier. Was it the same as in the case of the Met breach?


Meet Honda's latest electric vehicle: A rideable suitcase


Concealed weaponry

But if you pull the handles the right way, a fixed-mount Seburo C27-A folds out. Ideal for rush hour.

Good news for Key Group ransomware victims: Free decryptor out now



" ...they've also seen Key Group use a private Telegram channel for selling and sharing SIM cards, doxing data, and remote access to IP camera servers."

'Millions' of spammy emails with no opt-out? That'll cost you $650K, Experian


Re: CAN-SPAM Act?? hahahahahahaha what a JOKE !

I had the same low opinion of CAN-SPAM (and for the most part still do) but I did note that many of the larger grey mailers do feel obliged to include certain information in their headers. It's just a fig leaf in an intentionally obscure location; the last thing they want are actual delist requests for which they will be fined if they ignore or "forget" the feedback. However, if you are inspecting headers then you can look for those patterns and conditionally deliver their spam. It's a useful technique for senders whose ranges are too big, too dynamic or whose aggregate output is too mixed to block.

I say "conditionally deliver" because by its nature you won't get a consistent view from your recipients. In some cases they actually want some of the spam, but more commonly you will find the grey mailer's own customers mixing transactional and bulk in the same workload. Any internal mass mailing your own organisation commissions from the mailer (without telling you, naturally) is also going to get the same verdict.

So much for CAPTCHA then – bots can complete them quicker than humans


Possibly captchas make mules uneconomic and block the vast majority of spiders that aren't equipped to deal with them?

Just because it's possible for a bot to defeat a captcha does not mean that every ripper and leach comes equipped with the code to do so.

Cumbrian Police accidentally publish all officers' details online


Re: Norfolk and Suffolk police: Victims and witnesses hit by data breach

Just saw that one surfacing and came over to read the Reg comment.

For all 3, surely creating a fictitious Constable Honeypot and slamming the brakes on any outbound mail or upload that mentions him would not be too difficult?

Get your staff's consent before you monitor them, tech inquiry warns


Re: Genuine Question re proxy / web filtering

Although strictly speaking it should not make a difference, I suspect that any practical [1] distinction will fall on the motive for monitoring.

If you only establish user identity after you know that a malicious link has been clicked and that you may need to remediate then that is one thing.

If on the other hand you are deluged with line management requests to establish how much time employee X is home shopping, that is another thing. A specific inquiry comes close to fishing.

1. practical distinction - never mind what this OII says; show me judgements and actual fines

2. some proxies don't track user identity - they simply allow or block depending on the destination category

What would sustainable security even look like?


Re: Nobody is legally responsible, oops

Lots of both, sadly.

On the strategy and design side, excessive focus on constructing line of battle versus scouting elements, inadequate flash testing, neglect of emerging aviation, disgracefully poor shell testing and a battle plan that expected the enemy to stand and fight at a numerical disadvantage.

On the operational side, a lack of practice by the battlecruiser squadron, failure to learn from earlier engagements, failure to fully utilise Room 40 and an emphasis on Grand Fleet Orders over a more practical doctrine that would have improved Beatty's reports and allowed Jellico to give simple immediate instructions to his subordinates. Well, the GFO were his but he was starting with some very poor material.

Naturally, both Jellico and Beatty were promoted.

Microsoft whips up unrest after revealing Azure AD name change


Setting the bar

In all fairness, it's not the worst decision Microsoft have made.

<post your points of derision in detail, please>


Re: Just stop now

Microsoft even get that wrong, to point of having two blue buttons in place of a blue one and a yellow one.

Attorney sues Microsoft for $1.75M, claiming his email has been useless since May


Re: Second email account

You missed out the bit where the IP is dynamically allocated, the DNS is dynamic and the ISP themselves have listed the whole pool in the Spamhaus PBL.

Not that I know the sender, I'm just speculating...

Missing Titan sub likely destroyed in implosion, no survivors


Re: A fitting epitaph

I feel a need to misquote Dickson: "Disturb rather the tiger in his lair than the PA at her workstation, for to you orders and expense claims are things mighty and enduring, but to her..."

BOFH: Good news, everyone – we're in the sausage business


I was assuming that contrary to what Simon told the boss, animals go in the front of the factory and sausages come out the back.

Cunningly camouflaged cable routed around WAN-sized hole in project budget


Re: Weather?

Hot sun is a problem if you need to put a laser link on a steel-frame building. The steel expands as it warms up, which can gently twist the the laser off target. Some sensors don't even work if they are facing a low sun, so the problem only occurs in the early morning or late evening.

Microsoft finally gets around to supporting rar, gz and tar files in Windows


Another reason can be if the original compression used a cypher incompatible with native Windows ZIP. Again, a quick check with 7-Zip shows "oooh, it's written using {squiggle} instead..."

Russian businesses want to party like it's 1959 with 6-day workweek


Schism - yes, but I thought it applied to hard-line Stalinists in the West who would deny any flaw in Soviet methods or policy, even after Ukrainian famine, Ribbentrop-Molotov pact, Hungary, Czechoslovakia, etc...

That Meta GDPR fine is €1.2B. Plus biz must stop sending EU data to US


Re: In tangentially related news...

They don't actually want their pot o' gold?

And if the judgement is for all FB European activity, shouldn't the spoils be shared out pro rata the EU member populations?

Capita looking at a bill of £20M over breach clean-up costs


Re: Capita has taken extensive steps to recover ... the data

If the statement refers to the original response then it could mean "we couldn't trust the data so we had to delete and restore it". Even if the CNC part of the breach only refers to an outsourced cleaning contract, you don't want someone wandering around HQ with a bogus cleaner's lanyard.

But yes, erased information can be restored and compromised information remains irrevocably compromised.

There is certainly a massive lack of transparency as to what went wrong. Personally my bet would be on a subcontractor brought in to administer systems on the cheap, a la Lapsus v Okta.

Boffins think they've decoded mysterious 819-day Mayan calendar


Re: And "most" means?

Try the board game of the same name from Czech Games Edition - it's the only game I know of with working cogs.


Beware - the head priest is allowed to fiddle the calendar!

Chinese company claims it's built batteries so dense they can power electric airplanes


Cracked dilithium

Eject the warp core!

Microsoft goes meteorological in defining cybercrook groups


I thought the Crowdstrike nomenclature was fairly well established. If MS want to get on that stage, they are going to have to earn it by exposing gangs and their methods before other research groups do.In theory they have the exposure and resources to do so. In practice - I'll let Defender latency speak for itself.

Pentagon super-leak suspect cuffed: 21-year-old Air National Guardsman


Re: Why would he have access to any of that stuff?

I just don't believe the sheer stupidity, not just of the leaker but of the idiots who put that security framework together.

It's the sheer scope of the leaks that is mind-boggling. 13 years after the Manning incident we have a junior airman, this time not even an NCO, with access to many, many different areas of intelligence. It looks as if the military are depending on a simple stratified access model written circa 1940. Can't they do attribute-based access control?

Yes, a very senior analyst might need to pull apparently unrelated information from different theatres. For anyone else, even relatively senior officers, the fact that they are requesting top secret data from topics A, B, F, J, N, T, R and Z should start an alarm ringing.

Microsoft, Fortra are this fed up with cyber-gangs abusing Cobalt Strike


Lawyers - Dick, H iv P2 act 4 sc 2

A more serious application of US RICO might ask when seizing a domain why the owner of the infringing domain can never be traced.

Ukrainian cops nab suspects accused of stealing $4.3m from victims across Europe


Re: One positive outcome from their war with Russia

Would not describe those parts of the Kherson and Zaporizhzhia oblasts still occupied as "little". That's the whole of the northern shore of the Sea of Azov.

Odessa was only under threat of occupation in the early days when Mykolaiv looked shaky.

Microsoft uses carrot and stick with Exchange Online admins


Re: Zero-Trust model?

Exactly. Anyone who has been obliged for commercial reasons to accept traffic from a legacy relay knows how miserable that is. The EXO team are merely getting peevish at the amount of tat relayed in from weak customers. The fact that the EXH server software has bugs to exploit is another question.

For those looking for the EXO blog on throttling stale Exchange, it's here:


Capita data centres hit by buttload of outages


This thread may require resurrection.

Microsoft Defender shoots down legit URLs as malicious


Because DZ534539 has already been moved over to the Issue History tab.

That's just low. Especially when the problem isn't fixed because links dating from the incident live period still aren't opening.

It looks as if DZ534548 is solely there to justify moving DZ534539 off of the Active tab.


I don't see DZ534539. I do see DZ534548 for alert URLs that will not work, something that has been happening for the last few days. The URLs normally sort themselves out half a day later, which isn't really what one expects from a security product.

SHEIN has the look of America's next tech-meets-geopolitics fit-up



If your web defences are up for it, Windows browsers look for encrypted traffic to tongdun.net (Alibaba DE, for rightpondian users) that seems to occur from Shein web sessions. I'm talking custom encryption, not just SSL.

The last time I saw anything like that, it was Google Chrome telegraphing home to the Chocolate Factory. Other browsers didn't do that, even when conducting exactly the same searches.

Africa's internet registry has sometimes needed financial assistance to keep operating, could fail, warns ARIN head


Re: Oh look, someting in Africa is being mismanaged.

Well, the Wikipedia page is a hoot: https://en.wikipedia.org/wiki/AFRINIC

An interesting question: if the Mauritian courts are vulnerable to vexatious litigation, what nation should AFRNIC be based in? A number of national African registries seem to favour the Netherlands...

I'll just get my pith helmet with the ostrich feathers, shall I?

Save $7 million on cloud by spending $600k on servers, says 37Signals' David Heinemeier Hansson


And who will move those workloads?

By the time the less agile organisations want to move, there won't be the up-to-date skills available to do the job. There will be a whole new generation of infra managers who have never managed on-prem and won't know the pitfalls. In theory everyone piles back into training, but were do the good instructors with the practical experience come from? Vendor book knowledge isn't the half of it.

And the really lumbering giants won't even know their own workloads in any practical terms. They'll pay exorbitantly to relearn the same old lessons the hard way. These are the sorts of organisations whose costs ultimately get paid for by everyone.

Attackers abuse Microsoft’s 'verified publisher' status to steal data


Re: So truthfully now ...

In truth, I don't think breaching Microsoft's latest assurance scheme * is that big a deal. Any organisation with an open policy (which I believe is still the default even though Microsoft themselves recommend otherwise) is going to see lots of quite well-known, respectable apps washing up on that ole' Enterprise Apps blade with minimal details. The list rapidly becomes a sty in which malevolent actors can hide amongst the clutter.

* Still grateful to El Reg for highlighting this old one from 2019:


It's time to retire 'edge' from our IT vocabulary


Leaving Chiba

But edge is the essential commodity of our profession! You have to have it; St William of Vancouver said so.

ChromeLoader, what took you so long? Malvertising irritant now slings ransomware


Re: Some folks just ask for problems.

Truth, but there are many ways to trick a user. A wiser council might be "should this recipient ever need to receive an ISO attachment?" Exempt your techs and block for everyone else, at least from external sources.

Deluge of of entries to Spamhaus blocklists includes 'various household names'


Re: IT much?

Assuming the problem isn't a difference of opinion over what constitutes spam (and that definition is a spectrum running from valid _recent_ prior relationships through many shades to the clearly criminal) then the reasons a sender can end up on an IP blocklist like Spamhaus are:

- the sender's monitor isn't effective and at some point someone /is/ sending spam via the IP

- the sender's system can be abused to bounce spam back to a spoofed third party

- the IP is shared

- the service provider does harbour and rotate questionable senders, and a block has been escalated

Remember that if Spamhaus or any other major bureau is listing your IP, other system administrators are looking and taking action. I'll happily drop a /16 and accept some collateral damage if it's in the best interest of my recipients.

Twilio customer data exposed after its staffers got phished


Re: Hmmm

And Brian Krebs put the boot in Twilio for lack of MFA nearly 2 years ago to the day:


The many derivatives of the CP/M operating system


Re: Concurrent CP/M and ICL 80286 hardware

MicroLAN. The hardware was full 10-base2 so in theory 10Mbit. I don't know if the cards were up for that, and with the DRS range it wasn't ever a question because the apps and consequent traffic were tiny.


Complete with Specialix paddles supporting up to 16 users on RS-232 to dumb terminals, I imagine.

As Comart was about the size of large microwave oven (but heavier), it would be left on an office side bench with the paddle trailing underneath. Needless to say, that became a complete rats' nest rather quickly.

Share your experience: How does your organization introduce new systems?


Re: The Weakest Link

The survey omits two favourites, "we've just bought them so go support their tech" (I wonder why the business was for sale in the first place?) and the truly worrying "we've just bought them for their tech". And that is without going through the "two CIOs enter, one CIO leaves" which normally accompanies mergers and, I hear, can be quite traumatic.

FTC carpet bombs industry with letters warning that fake reviews will be punished


Three word post

"falsely claiming an endorsement by a third party; misrepresenting that an endorser is an actual user, a current user, or a recent user; continuing to use an endorsement without good reason to believe that the endorser continues to subscribe to the views presented; misrepresenting that an endorsement represents the experience, views, or opinions of users or purported users; using an endorsement to make deceptive performance claims"

lying, or

"failing to disclose an unexpected material connection with an endorser; and misrepresenting that the experience of endorsers represents consumers' typical or ordinary experience."


Nine floors underground, Oracle's Israel data centre can 'withstand a rocket, a missile or even a car bomb'


Re: Car bomb?

It isn't a proper continuity site unless it can withstand a near miss from a 1MT warhead.

US school districts blame Amazon for nationwide bus driver shortage


Re: Bus drivers...

I have it on good authority that the traditional solution is to keep a rabbit and a revolver in the glove box and to scream at the children as soon as they do anything out of line. Untidy hair completes the intimidating image.

UK Ministry of Defence apologises – again – after another major email blunder in Afghanistan


Re: "the Afghan Relocation and Assistance Policy (Arap) team"

Joking aside, that comment might frame the problem with the West's policy in Afghanistan over the last 15 years rather well.


Timing unclear

BBC story clarifies that Wallace was not aware of leak of 55 names when he announced disciplining of an official for the leak of 250+ names. However, it is not clear in what order those breaches occurred. It could still be the same chump responsible for both. Investigation of 250+ leak may have led to second discovery.

ARAP covers a problem that did not exist two months ago so was probably thrown together using whatever and whoever was available.

Am still not impressed by any mail system that accepts a very large number of recipients for a single message, regardless of address mode.

Thatcher-era ICL mainframe fingered for failure to pay out over £1bn in UK pensions


Pennywise and pound-simple

Makes you wonder if the "small group of specialists" was being progressively diverted to tackle a rising number of fraud cases, leading to a backlog of queries. They couldn't recruit more? Now the department owes GBP 1B, with an additional 15k cases reckoned untraceable and data on the deceased deleted after 4 years due to convenient data protection.

The oldest cases go back to 1985, so it sounds as if the problem really is procedural rather than due to a coding error. I suppose there is some excellent reason why on retirement the NICS record of a taxpayer could not just be copied over to the DWP in a "thats-all-folks" file. Give it the data and a VME box will happily chomp through a lot of complex rules, batch or interactive.

Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials


The obvious

So how about a list of relevant Autodiscover domains that don't belong to Guardicore, and some idea of who owns them?

This is one exploit that should be relatively easy to trace. At the very least it might shine some light on the practices of the domain registration industry.

Intuit branches out into email marketing by splashing $12bn on Mailchimp acquisition


Re: Yes, that's exactly what I need

Then drop the ranges indicated by https://mxtoolbox.com/SuperTool.aspx?action=mx%3amcsv.net&run=toolpage and remember that they will include all of the Mandrill space which is notionally transactional. In practice RSG's toleration for bulk from those blocks has varied over the years. Any commentards managing mailservers for others would be better advised to conditionally deliver (i.e. place in junk) with a prior policy announcement to recipients.

For those suggesting / requesting free services, my experience is that any sort of entry level / taster service will be abused.

In other news, Scurvy Monkey are renaming themselves. The damage to simian-themed poo-slinging brands appears to be irreparable. Did I just muddle that last sentence?

Council culture: Software test leads to absurd local planning SNAFU


Re: this process could cost the council £8,000 in taxpayer funds.

So the council received legal advice that a legal advisor would need to charge £8k of legal fees to reverse the inadvertent publication of test data. Unless the maligned system automatically poked records into other systems, I suspect that the council received advice from a local outside body.