Re: I did the same by accident...
Name me one Linux admin who hasn't done "rm -rf * " in the wrong directory.
It is a right of passage, and you only do it once - followed by the swearing and then fixing it whilst hiding your tracks ...
Posts by Security nerd #21
14 posts • joined 6 Oct 2020
Fired credit union employee admits: I wiped 21GB of files from company's shared drive in retaliation
The coming of Wi-Fi 6 does not mean it's time to ditch your cabled LAN. Here's why
Thursday 15th July 2021 07:33 GMT
Re: Idea for Firefox
Due to the proliferation of bots on the net these days, a lot of outfits use their CDN services as a security defence layer as well (as the CDNs have the scale to see the troublesome blighters and leverage this in their products). These means the origin addresses are locked down, and you can't go directly.
This doesn't explain the case above routing through lots of different CDN services - that just looks like rubbish network design, or maybe the ISP is taking advantage of other peoples transit ...
Would be so cool if everyone normalized these pesky data leaks, says data-leaking Facebook in leaked memo
Wednesday 21st April 2021 07:41 GMT
People still forgetting the Facebook financial model
The data that was leaked, was scraped "accidently" from Facebook's site. They would have sold it to whoever paid them anyway - that is how they make their millions / billions.
The fact that that someone acquired it for nothing, is bad in Facebook's eyes, so they closed the door on this.
If something is free - you are the product...
And re the above comment about it being creepy - yes Facebook / Google et al tracking & monetisation is insidious - web marketeers give them the data for their customers, and buy their own customers data back in bulk ...meh
Nigerian email scammer sent down for 40 months in the US, ordered to pay back $2.7m to victims
The kids aren't all right: Fall in GCSE compsci students is bad news for employers and Britain's future growth plans
Tuesday 23rd March 2021 14:55 GMT
Full time IT education courses
The main challenge with these IT course, from GCSE, through A level and on towards degree, is that the material being taught is already 3-5 years old, and the world has moved on.
Having spent a few decades in IT, I'm now firmly of the belief that real world experience is far better for anyone wanting a career in IT, and don't set any store in those presenting me with their MSc level qualifications in their CV. What I do find unfortunately is a tendency for new starters to want to go straight in to an IT specialism (such as Cyber Security), without having done the hard miles first on the likes of an IT support desk, or infrastructure teams.
Learn what the users want and need, and how it works, before making the dive in to a specialism folks :)
OVH data centre destroyed by fire in Strasbourg – all services unavailable
Like a challenge in a high profile 'face-of-IT' role? Welcome to the Home Office
HPE urges judge to pick through Deloitte-bashing report it claims demolishes Autonomy founder's defence
Ever felt that a few big tech companies are following you around the internet? That's because ... they are
Thursday 25th February 2021 14:49 GMT
If Akamai went down, it would probably affect everybody (well non China anyway).
The Internet is held together with gaffer tape, and at some point it will break. Although of course its meant to be resilient, but if all the traffic ends up being routed under some road in Africa / India / Basingstoke (delete as appropriate) ....
Advertising companies just make things worse - I'll be glad when 3rd party cookies are fully banned, although not via Google's intended method please.
Apple iOS 14.5 will hide Safari users' IP addresses from Google's Safe Browsing
Friday 12th February 2021 12:30 GMT
Re: Proxying
If It's Apple doing the MITM - they own the browser and the device. They can put whatever certificates they like in to the system, suppress warnings on their "special" certificates, and the average user wouldn't notice.
Thats the truly scary bit. But hey - it's shiny
If a public VPN provider is MITMing the connection, it's the same scenario as the user has just installed the VPN app, and probably ignored the permissions required (which will include the certs etc). Apart from tin foil hat scenarios, the only real reason to use these is to bypass regional restrictions - laudible in a few situations, but only a few ...
Friday 12th February 2021 09:41 GMT
Proxying
Why do they think that proxying a connection is a security improvement ? Just means that they can listen in on any web sessions being carried out (particularly if MITMing the connection) - and that is quite apart from slowing down the user experience as well, whilst you wait for the traffic to go to and from Apple's services ...
No different to believing that your public service VPN company isn't also tracking and monitoring everything you do. If you aren't in control, it's not "secure" ...
A freshly formed English council waves £18m at UK tech industry, asks: Can somebody design and run pretty much everything for us?
Thursday 8th October 2020 14:28 GMT
The £18M figure plucked from the air piqued my interest - so 10 minutes of (insert evil search engine name here) later, I see they've recently signed a £14M contract for organic waste disposal, so perhaps related (it will likely be flushed down the drain after all)
Some interesting information available publicly on what they are current contracted for - with associated mad deals (including 30 year PFI contracts ...)
Verizon: Just 25% of global businesses comply fully with the Payment Card Industry Data Security Standard
Wednesday 7th October 2020 15:24 GMT
Having done a fair few PCI DSS compliance reviews over the last 15 years, I've come to the firm conclusion that the whole point of it is to try and offload the responsibility on to the payment provider (i.e. use their code / servers etc) - not try and do it yourself. Some pretty clever stuff being done these days, with field level iframes etc, to make it entirely transparent to the user.
The PCI standard might have worked in 2004 - but doesn't work in 2020, when using API driven services, fronted by cloud load balancers etc. (Have you ever tried to get a VA scan through Akamai ? ...)
Get down to the basic SAQ-A, and it ends up with "do you have some InfoSec policies", and "Do you sack people" - job done.
What a Hancock-up: Excel spreadsheet blunder blamed after England under-reports 16,000 COVID-19 cases
Tuesday 6th October 2020 11:39 GMT
Whilst bypassing the fact that most accounting organisations & banks rely on Excel to massage / produce their company official financials (so you can really trust what you see - not) - isn't the real elephant in the room the fact that all this data is now stored on x number of laptops, network file shares / Teams / DropBox / Google Drive etc etc
Nice small data exposure to be considered - but I guess that GDPR / DPA has been forgotten about in this strange times
