* Posts by OhForF'

454 publicly visible posts • joined 29 Mar 2022


Cold comfort to teachers who got paid late, but ERP software rollout had 'unrealistic' timeline

OhForF' Silver badge

Re: Ownership

>Imagine if you sold large capital items eg warships and they turned out to need completely new ammo and battle procedures<

That would be a great opportunity. You get to sell a change request for a couple more mega bucks and you can even argue it doesn't make sense to test the original weapons and might never have to deliver those.

I am pretty sure stuff like that happens with defense contractors as frequently as it does with ERP systems.

Malware that is 'not ransomware' wormed its way through Fujitsu Japan's systems

OhForF' Silver badge

>There is also no evidence to suggest that the malware spread outside of the corporate network and to Fujitsu's customers' environment<

No evidence is not sufficient to rule out that the malware made it to someone directly interfacing with Fujitsu's network.

Apparently it is good enough to stop Fujitsu from telling the customers and suppliers to check their systems and what to look for?

Elexon's Insight into UK electricity felled by expired certificate

OhForF' Silver badge

>an invalid certificate means the connection is not secure, and the data transmitted on it could be modified or stolen<

A day after the expiry date the certificate is no longer trusted but most likely still as secure as the day before. If you have trusted that certificate (after vetting it the first time) it is likely safer to trust it than to trust a new certificate issued by some of the CAs that your browser trusts blindly.

Of course trusting it isn't supported by the CA infrastructure as it is formally invalid (and would be in the way of making money with renewals).

Admin took out a call center – and almost their career – with a cut and paste error

OhForF' Silver badge

Re: mit der Steife unten rechts

While we are discussing german words:

"der Steife" means "the stiff one" - a nod to the grown-up jokes?

Footage of Nigel Farage blowing up Rishi Sunak's Minecraft mansion 'not real'

OhForF' Silver badge

Re: Pretty funny

May I suggest the "domination" game Largo and James Bond played in Never Say Never Again (including the electric shocks up to lethal strength to punish mistakes).

Meta won't train AI on Euro posts after all, as watchdogs put their paws down

OhForF' Silver badge

Re: It's illegal, Meta

Meta is paying a lot for his security so police would only be called to collect the remains of your "employees" after they were gunned down by the "security force". Mark would probably be happy to go back to wild west times with less law enforcement as he would be able to get away with way more shenanigans than today.

Oracle Java police start knocking on Fortune 200's doors for first time

OhForF' Silver badge

Re: Why can they even audit your equipment?

See https://www.oracle.com/downloads/licenses/javase-license1.html

<Quote>Oracle may audit an Entity's use of the Programs</Quote>

If you concede to Oracle that you agreed to this or a similar license they have the right to audit you. This won't allow them to ask for unrestricted access and do whatever they please in your systems, but outright denying the audit would break the terms of the license agreement. If the Oracle audit team knocks on the door you'd better contact the legal department to ask what you have to allow to be compliant.

OhForF' Silver badge

Re: Larry Ellison

A user of your setup can choose to use Oracle or Postgres at the same cost and you're paying for the license?

To get the users to pay attention you have to make them pay for the license and prominently show the cost next to the selection.

OhForF' Silver badge

Re: You do a deal with the devil....

If that website is connected to the internet it is not just 1M existing users. You'll have to get a licence for every web browser that was ever installed because it could potentially access the web site.

Microsoft answered Congress' questions on security. Now the White House needs to act

OhForF' Silver badge

Re: BREAK IT UP

I agree that security can't be separate but has to be present in all parts you might split Micros~1 into. Maybe a better name for a split-off entity would be Authentication Services. Currently everybody and their grandma rely on Micros~1 to be the gatekeeper for email and documents in the cloud - sometimes helped by 3rd party providers like Okta.

The powers that be prefer outsourcing to Micros~1 rather than taking responsibility for secure operations even after multiple big failures by Micros~1 have been reported - seems to be true both for our company and the US government.

Does anyone have an idea how we can make it clear to them that they can't delegate or outsource accountability?

Uber ex-CSO Joe Sullivan: We need security leaders running to work, not giving up

OhForF' Silver badge

Re: How credible

Is a conviction not the qualification people in the US look for when choosing the next leader?

UK's Investigatory Powers Bill to become law despite tech world opposition

OhForF' Silver badge

Governments will no doubt figure out they have to help companies authenticate VPN users so only those with proper authorization can connect.

Help! My mouse climbed a wall and now it doesn't work right

OhForF' Silver badge

Re: It goes the wrong way!

Did you have a logical reason for the mouse tail (=cable) having to point to the front for the pointer to move the right way?

If Britain is so bothered by China, why do these .gov.uk sites use Chinese ad brokers?

OhForF' Silver badge

Re: Once again Ad-block is your friend

You want us to stop talking about it and allow councils to continue selling your personal information without further discussion?

US Air Force says AI-controlled F-16 fighter jet has been dogfighting with humans

OhForF' Silver badge

While collateral damage to civilians may not be a major concern you'll still want friend/foe classification as close to perfect as possible. Even if all your air assets are unmanned they might be expensive - avoiding friendly fire is a priority.

Unintended acceleration leads to recall of every Cybertruck produced so far

OhForF' Silver badge

Anyone have an idea why people working for the man that knows more about manufacturing than anyone else on this planet feel the need to make unapproved changes to aid in the component assembly?

Fire in the Cisco! Networking giant's Duo MFA message logs stolen in phish attack

OhForF' Silver badge

Re: How Do They *KNOW*?

>The stolen logs did not contain any message content, but reportedly did include phone numbers<

As phone numbers are personal information they acknowledged that personal info was exfiltrated.

Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

OhForF' Silver badge

Re: Not quite

I said an application is only at risk if it uses unsanitised user-supplied input, as the (up to now insufficient) sanitisation provided by Rust won't matter if the application does its own sanitisation.

Currently I can't think of a valid use case where I'd call a batch file with some user-supplied argument, but if I did I'd probably attempt to check if the input matches the format I expect and display an error message if not before calling the batch file.

OhForF' Silver badge

It is also worth pointing out that the 10/10 rating in the headline is a worst-case scenario that is quite unlikely to happen and, as RyotaK points out in his report linked in the article, shouldn't directly be applied to Rust applications.

To be affected an application would have to:

- call external commands

- by way of cmd.exe (either directly or indirectly by trying to execute a .bat or .cmd file [either on purpose or being tricked into it when the programmer doesn't supply the extension of the command])

- using unsanitised user-supplied input as the argument for that command call

Another mitigating factor is that most of the applications that do all of the above will have the input supplied by the local logged-in user, who usually has the right to execute any command in cmd.exe at will and thus doesn't need to exploit a Rust program.

It should be exceedingly rare to find a Rust program that can be tricked into calling a batch file with an argument supplied by some unauthorized remote attacker.

US legislators propose American Privacy Rights Act - and it looks quite good

OhForF' Silver badge

Re: Flawed

Well even with 10 wholly owned subsidiaries it would add up to only $400M so Facebook will probably consider it small change.

The real question is if they can buy the data from the subsidiary at a pittance and use them for something that makes them much more with Facebook being exempt because the data controller is the subsidiary and the subsidiary being exempt because it has a revenue < $40M.

Rest assured some loophole will be in place when this becomes US law.

Home Depot confirms worker data leak after miscreant dumps info online

OhForF' Silver badge

Don't admit anything not yet proven

Is there a policy lawyers advise companies to follow?

It seems to be the new trend to claim there is no evidence or reason to believe any personal data was accessed when you find unauthorized parties have access to your systems.

Only after a copy of the data ends up on the darknet providing irrevocable proof to the public that it was indeed accessed do those companies reluctantly admit it might have happened ...

Techie saved the day and was then criticized for the fix

OhForF' Silver badge

Re: Locks, only one way to do it right

>a remotely triggered (by support) locked cabinet for cabinet keys access<

So once the router for remote access misbehaves you're back to picking/smashing the lock to open the cabinet housing that router.

Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws

OhForF' Silver badge

Re: "developers allow user-input data to be supplied to a database directly as a SQL command"

Even if you do some validation on the input to stop SQL injection you should be using parameterized statements and not build your SQL statement as a string containing user-supplied values.

I.e. instead of doing something like:

$result = $conn->query("INSERT INTO Students (firstname, lastname, email) VALUES ('" . $firstname . "', '" . $lastname . "', '" . $email . "')");

you use

$stmt = $conn->prepare("INSERT INTO Students (firstname, lastname, email) VALUES (?, ?, ?)");

$stmt->bind_param("sss", $firstname, $lastname, $email);

$stmt->execute();

In the last version it should not be a problem if you have to enroll Little Bobby Tables.
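Added example (not the commenter's code, and not tied to any real application): the same contrast as the PHP snippets above, written in Python against an in-memory SQLite database so it runs anywhere. The student rows and the two inputs are constructed for the demo. It goes one step beyond the post by showing the effect on a lookup as well as on the INSERT: a tautology payload in the concatenated query returns every row, while the bound parameter returns none; a legitimate surname with an apostrophe breaks the concatenated INSERT but binds cleanly.

```python
import sqlite3

# Constructed sample data for the demo (not from any real system).
SAMPLE_STUDENTS = [
    ("Robert", "Tables", "robert@example.invalid"),
    ("Alice", "Smith", "alice@example.invalid"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (firstname TEXT, lastname TEXT, email TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    return conn


def find_by_email_unsafe(conn, email):
    """Vulnerable: the untrusted value is spliced into the SQL text."""
    sql = "SELECT firstname, lastname FROM Students WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_by_email_safe(conn, email):
    """Parameterized: the value travels separately from the statement text."""
    sql = "SELECT firstname, lastname FROM Students WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def enroll_unsafe(conn, firstname, lastname, email):
    """Vulnerable INSERT built by string concatenation, as in the post."""
    sql = ("INSERT INTO Students (firstname, lastname, email) VALUES ('"
           + firstname + "', '" + lastname + "', '" + email + "')")
    conn.execute(sql)


def enroll_safe(conn, firstname, lastname, email):
    """Parameterized INSERT; quotes inside names need no escaping."""
    conn.execute(
        "INSERT INTO Students (firstname, lastname, email) VALUES (?, ?, ?)",
        (firstname, lastname, email),
    )


def count_students(conn):
    return conn.execute("SELECT COUNT(*) FROM Students").fetchone()[0]


def demo():
    """Run both variants against one hostile and one merely awkward input."""
    conn = make_db()
    results = {}

    # 1. Tautology payload: the WHERE clause becomes  email = '' OR '1'='1'
    payload = "' OR '1'='1"
    results["unsafe_leaks_rows"] = len(find_by_email_unsafe(conn, payload))  # every row
    results["safe_returns_rows"] = len(find_by_email_safe(conn, payload))    # no such email

    # 2. Legitimate data containing a quote: the concatenated INSERT is a
    #    syntax error (the same hole an attacker would widen), the bound one works.
    try:
        enroll_unsafe(conn, "Little Bobby", "O'Tables", "bobby@example.invalid")
        results["unsafe_insert_failed"] = False
    except sqlite3.OperationalError:
        results["unsafe_insert_failed"] = True
    enroll_safe(conn, "Little Bobby", "O'Tables", "bobby@example.invalid")
    results["rows_after_safe_insert"] = count_students(conn)

    # Python's sqlite3 driver refuses stacked statements per execute() call, so
    # the cartoon's "'); DROP TABLE Students; --" raises instead of running here;
    # drivers that accept several statements per call would execute it.
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation the post mentions is still worth doing for data quality, but the parameterized call is what actually keeps the value out of the statement grammar.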

3 million doors open to uninvited guests in keycard exploit

OhForF' Silver badge

Re: Mifare

According to Wikipedia Mifare Classic was introduced in 1994. It is not really surprising that applications based on 30-year-old technology are not secure according to today's standards. IMHO still OK for room doors in hotels but it shouldn't be used to secure something more important.

OhForF' Silver badge

Re: Any lock is useless if the door is left wide open

>never leave the laptop at a clients premises overnight<

So after leaving the customer's premises did you leave the laptop in the car trunk or in your hotel room when you went for dinner?

Uncle Sam wants to know how big airlines use passenger data

OhForF' Silver badge

I'd love to do a similar review on how the US administration and agencies are using the passenger records and other data they get from Europe. Alas, no way any non-US organization will have a chance to get them to show what they do with that data and verify it is only used to keep everyone safe.

Whistleblower raises alarm over UK Nursing and Midwifery Council's DB

OhForF' Silver badge

Re: "Journey of Improvement"

So their "high quality data" has non-numeric stuff in a column that should be a unique 10-digit number and the CIO thinks the way to fix this is to enable the analysing and reporting tools to work with inconsistent data?

If that is really true the first thing to do is getting a competent CIO.

Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

OhForF' Silver badge

Re: There's a very simple fix that can't be bypassed

I thought there are already gateways separating actual control systems and stuff like entertainment systems so you can get some data (current speed, rpm, ...) on the entertainment side but not control anything vital?

If so why is the logging device not on the entertainment side?

IBM CEO pay jumps 23% in 2023, average employee gets 7%

OhForF' Silver badge

Re: Interesting because of the legal mess he just landed IBM in.

While I agree hiring quotas are fundamentally a political issue they can also become a legal issue. If the law says you must treat all races/ethnicities equally and you refuse to hire someone because your quota for white caucasian males is already filled a judge may rule that you're breaking the law.

Having a different political opinion doesn't allow you to break the laws as they are currently in the books. You can decide you want to be a political activist and ignore the law but then you should be prepared to deal with the consequences (at least the minimum fine as set forth in law).

RISE with SAP plan fails to hit go-live date in West of England council

OhForF' Silver badge

Re: Liability?

It is very unlikely SAP itself is managing the delivery. More than likely it is some consulting agency.

How consultants get away with designing a solution and managing its delivery for a lot of dosh while not being liable for anything is something I've never understood.

OhForF' Silver badge

>Councils could proactively link together<

They'd have to agree to do things the same way. If my own experience from continental Europe is any indication local fiefdoms will prefer to go bankrupt before giving up the smallest amount of influence.

"Allowing our <insert_vilification_of_choice> neighbours to have a say in how we run things here? Not gonna happen."

UK minister tells telcos to share telegraph poles if they can't lay cable underground

OhForF' Silver badge

Re: They do.

Then the MP should have approached the minister with a draft of a bill and asked him to introduce it as a public bill - not to get him to publicly ask network providers to do better, pretty please.

Looks like they got enough complaints to need to be seen to do something before the election but don't care enough to actually work on fixing the problem.

OhForF' Silver badge

Re: They do.

They should HAVE TO. Why are those MPs kicking the can down the road to the minister instead of working on laws that say infrastructure must be shared between providers using fair and reasonable terms?

Developers beware, Microsoft's domain shakeup is coming soon

OhForF' Silver badge

Re: I seem to have gotten to this planet by mistake. Does anyone here speak English?

If it worked as promoted currently by Micros~1 it would be a great way to filter the marketing stuff (*.microsoft.com) when using their services.

What are the odds that I'll be able to whitelist scripts in my browser for the "user-facing product experiences" *.cloud.microsoft (or even *.microsoft) only and have authentication and services working properly?

I fully expect this attempt at a "reduction in the fragmentation of domains" to work out like attempts at creating one universal standard for all use cases.

Attacks on UK fiber networks mount: Operators beg govt to step in

OhForF' Silver badge

Getting the police to patrol network cables isn't going to work, they have limited manpower and have to prioritize events with more immediate safety concerns.

Asking for higher fines for those caught shouldn't be necessary as network providers should be able to sue them for damages, which should be more than enough of a deterrent. Of course that kind of deterrent only works for those that actually think they will be caught, i.e. it is as ineffective as higher fines.

If this is happening often enough network providers will have to invest in security infrastructure and personnel and can't just rely on the government to do it for them.

Job interview descended into sweary shouting match, candidate got the gig anyway

OhForF' Silver badge

The MD likely didn't allow senior management to write down anything to avoid an auditable paper trail but still needed them to remember the things that need to be done.

Rapid7 throws JetBrains under the bus for 'uncoordinated vulnerability disclosure'

OhForF' Silver badge

Re: and these are the good guys?

I believe Rapid7 didn't try to dictate anything but were miffed that JetBrains didn't even attempt to coordinate when to disclose that information with them. If JetBrains doesn't bother to talk to Rapid7 about timelines there's not much room for them to complain any details were released too early.

IP address X-posure now a feature on Musk's social media thing

OhForF' Silver badge

Mark I 2 wasn't asking about the video and audio calling features but about the DM direct messaging feature.

They call me 'Growler'. I don't like you. Let's discuss your pay cut

OhForF' Silver badge

When talking directly to the prospective buyer it's usually "VIP rates".

AI to fix UK Civil Service's bureaucratic bungling, deputy PM bets

OhForF' Silver badge

LLM says no

So instead of "computer says no" we'll get "LLM says no" but it won't be a simple no but a 3 page long essay why the citizen's submission can't be processed.

Great times, we can probably just use that essay and an LLM and a prompt like "write a legal statement that states why this breaks the law" and keep their law department and a judge busy for half a year.

Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit

OhForF' Silver badge

Re: basically proposing you pay it in order to enjoy your fundamental rights under EU law

It doesn't. There is no fundamental right to a business model where service consumers pay with their data either.

Cybercrims: When we hit IT, they sometimes pay, but when we hit OT... jackpot

OhForF' Silver badge

"Isolated" VPNs need constant vigilance

Those operational networks usually start out as an isolated VPN and devices on that network can only communicate on that network with the systems directly controlling the operation.

After a while managers in the back office decide they need direct access to the operational data and reports of the current operation from their PC. The shift managers in charge of the operational part want to be able to use those PCs in the operational network to access the ERP system and email and ...

Unless some CISO steps in, the IT and network guys are not in a position to say no to management's requests. Before long you'll be able to use a PC in that isolated ops network to surf the Web and are one wrong click away from installing malware.

Even if the network is still isolated you'd need to have tight access controls. Let's say the third party technician in charge of maintenance of machines on the op network is connected with his laptop and decides to use his cell phone's internet connection to access some stream or surf the web at the same time.

I'd bet a lot of those OT cybersecurity incidents happened even though they believed they were safe as their OT network was segmented off.

Texas judge turns out the lights on federal survey of cryptominers' energy consumption

OhForF' Silver badge

According to the EIA the average US price for energy over all sectors was 12.41 cents per kilowatt-hour in Dec 2023. The average for industrial power consumers was 7.66 cents/kWh and according to your own research Riot Platforms paid a lot less with 3.5 cents/kWh. So much for the crypto miners' argument "as long as we pay for the energy we should be allowed to do what we want with it".

In my opinion there should be a law that limits any rebates for big energy consumers to 25% of the residential consumer price. If you can't compete with that discount it is probably better to let someone else do it or not do it at all.

Uncle Sam tells nosy nations to keep their hands off Americans' personal data

OhForF' Silver badge

Why is it legal to collect this information (in bulk)?

FTFY

Mamas, don't let your babies grow up to be coders, Jensen Huang warns

OhForF' Silver badge

>"The technology divide has been completely closed."<

Dunning Kruger in full effect?

If you don't know how to interpret the code the LLM comes up with how will you spot it when it provides something that is likely according to the training data but still wrong?

Google Maps leads German tourists to week-long survival saga in Australian swamp

OhForF' Silver badge

Shortest route ...

Even with perfect mapping data shortest route setting is doing incredibly stupid things like having you leave the highway and drive alongside it stopping at traffic lights until you re-enter the highway at the next driveway. Technically the routing is correct as it is some 20 metres shorter and the GPS was asked to provide the "shortest route". Activating that setting should come with a warning.

Apple makes it official: No Home Screen web apps in European Union

OhForF' Silver badge

Security and safety guarantee?

If sensitive data is leaked by an app I installed from their store will Apple pay for any resulting damages and a premium for not fulfilling their promises of security or will they simply point to the application developer as the culprit?

If I pay for something in the app store and it turns out to be a scam will Apple reimburse me for the full amount or tell me to take it up with the scammer?

"Trust us, we're keeping you secure and safe by monitoring all the apps in the store" is not a meaningful security guarantee.

HP CEO pay for 2023 = 270,315 printer cartridges

OhForF' Silver badge

Re: AI PC no defined use case

Micros~1 seems to be convinced the use case for AI is user assistance.

Expect Clippy on steroids - as helpful as the original Clippy (in other words: getting in the way of work done) but using enough resources to slow down your PC enough to force you to upgrade to new hardware to keep HP and other manufacturers in business.

US regulators crack down on AI playing doctor in healthcare

OhForF' Silver badge

All insurance is a bet?

>All insurance is a bet. When you buy it, you are betting that the paid premiums will be lower than the possible bill for catastrophic health events.<

I hope and expect to be on the money-losing side of that bet and still pay for health insurance. As long as most of the money I 'lose' on that bet is used to pay for the treatments of those that 'won' their bet that is great.

The problem starts when a big part of the difference of all paid premiums and costs for treatment is used to bolster shareholder's accounts.

Drowning in code: The ever-growing problem of ever-growing codebases

OhForF' Silver badge

Re: Thank you Liam

Most modern systems design regarding performance seems to be done with the premise that Moore's law will halve the time the endless loop needs to finish every year.
