* Posts by Frank Bitterlich

238 posts • joined 9 Nov 2007


Guessing valid credit card numbers in six seconds? Priceless

Frank Bitterlich

How does CVV actually work?

I'm still not sure why/how the CVV mechanism makes transactions more secure. I reckon that in most cases where the card number was intercepted while doing a legit CNP transaction (whether it's on the customer's side or the merchant's), or on phishing sites, the CVV number could easily be captured too. But apparently this isn't the case - or else the whole CVV system would be useless.

I don't know the stats - how many numbers are stolen in POS transactions vs. internet (card not present) - but I always assumed that the latter would be the bulk of them. Does anybody have more information on this?

3
0

Hull surfers cut off by router attack

Frank Bitterlich

It was...

... Deutsche Telekom, <del>in the library, with a lead pipe</del> Germany, with a Mirai botnet.

http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/

6
0
Frank Bitterlich
Mushroom

The root cause...

"We have now identified that the root cause of the problem was a cyber attack..."

No. The root cause lies somewhere between the stupid vulns that are present in so many routers, and the fact that the telco didn't see that coming.

I don't know whether this is the same exploit that brought down large numbers of Deutsche Telekom customers four days earlier, but it doesn't really matter. Checking the routers you sell or lease to your customers against recently reported security problems is something I'd expect from _any_ telco these days.

But you can, of course, adopt that old "Hey, everything's going fine so far - why worry" mentality, whether you're a telco or a person just passing the third level while falling down from a 20-story building. The outlook is about the same.

We're all doomed.

6
0

Deliver-oops! Takeaway pusher's customers burger-ed by hijackers

Frank Bitterlich
Facepalm

The "industry" must be in a sad state...

"We also use industry-leading anti-fraud measures and deploy anomaly detection techniques through machine learning"

Sure. All the red flags were there (recent account change, different far-distanced addresses used on a single day, ...) and still the orders went through.

So what exactly was the machine learning from that? Which anomalies will it actually detect? And which industry are their anti-fraud mechanisms leading?

My take:

a) How to solve a Rubik's cube in under 50 moves,

b) Orders from India (or Betelgeuse?)

c) The road construction industry?

How much is in the pot?

6
0

Reg man 0: Japanese electronic toilet 1

Frank Bitterlich
Big Brother

Stop... or Record?

"The stop button is the one with a red square on it, like the stop buttons on every other device in the world."

Funny, I thought it looked more like a "Record" button... and no, I wouldn't be surprised to see it having that feature, too.

22
0

British banks chuck smartphone apps out of Windows

Frank Bitterlich
Thumb Up

Six people...

Funny, at the time of writing this, your post has exactly six upvotes. Wonder what that means...

8
0

Hacker's Mac pwning expedition: 'Help, I've got too many shells!'

Frank Bitterlich
Meh

Quick sum-up...

OK, let's see what we have here...

- Some social engineering

- One spearphishing email

- Lots and lots of "scary" demonstrations of what an attacker can do when they get root. ("OMG, they made my computer SPEAK TO ME!")

Anything new in this documentary? Hardly. Just the same well-known facts: If you can trick one person into handing over an account to an attacker, other accounts fall like dominoes. Duh. But the documentary (or rather, the article of the author/subject) fails to mention that there was hardly any classic "hacking" involved. If you can convince your mark to install malware on their machine, you can just as well try to convince them to hand over their laptop altogether. (You know, for "urgent repairs". Trust me, Apple sent me to pick it up.)

I'd rather like to know whether the people who fell to the social engineering calls were violating the rules, or if the protection/authentication rules of those companies are still not up to date.

One final thing: Both SSNs and credit card numbers are hard to keep secret. But yet they are still used as tokens of authentication, mainly in the US. As long as the majority of the people are content with keeping it this way, nothing will change (except the scope of breaches, which will continue to increase).

6
0

Nokia's great lost smartwatch? #SavedYouALandfill

Frank Bitterlich

Looks like a prototype

From what I can see in this vid (if I can manage to ignore the stupid music), its main features appear to be...:

- Display the phrase "Nothing new here",

- Count steps, and

- "Ring my phone."

Apart from that, the UI seems either unfinished or not very smart.

0
0

Analysts apply Occam's razor to Tesco Bank breach

Frank Bitterlich
Holmes

Not sure how the trojan theory would work out...

... unless we're talking about malware on ATMs. Otherwise it should not be possible to create a cloned card from the information that a trojan on the victim's machine could grab. Much less to get the PIN.

Ordinary card cloning (from manipulated ATMs or POS terminals) is unlikely as well - that wouldn't explain the large number of cases on this one bank.

Occam says: Smells like insider job (possibly at a service provider.)

3
0

Google Pixel pwned in 60 seconds

Frank Bitterlich
Thumb Up

Four seconds...

"It took four seconds for Flash to fall."

On my machine, the average Flash-infested web page takes longer than that to just load. Looks like the Adobe folks are making progress on the optimisation of their stuff. Probably re-assigned a few devs from the safe coding department for that.

Congratulations!

19
0

Add it to the tab: ICO fines another spammer as unpaid bills mount

Frank Bitterlich

Civil law

... and there you have the real problem - and a solution, too: Make data protection violations a criminal offence.

When you're just fining the company, and - like in many cases in the past - the fine just makes up a fraction of the total cost of the spamming operation - nothing will change. That is called a tax, and not a fine.

Increasing the fines won't change anything either: if the fine is too high, the company owners will just fold up their chairs, print out a "Sorry, we're closed" sign for the door, and rent another office for their next operation.

Don't go after the company, go after the individuals (CEO, directors, whatever.)

2
0

Belgian court fines Skype for failing to intercept criminals' calls in 2012

Frank Bitterlich
Facepalm

Flawed arguments...

... on both sides, if you ask me.

The "We're not a service provider" argument doesn't hold, unless Skype were a pure peer-to-peer service, which it wasn't at any time. So they did provide a service.

The "offering services in our country" argument is questionable as well. If anybody who does not employ geo-blocking for any internet service or content is considered providing that "in" every country on this planet, then my blog is probably violating the laws of the Democratic People's Republic of Korea right now.

9
1

EU ruling restricts rights to resell back-up copies of software where originals are damaged, destroyed or lost

Frank Bitterlich

Re: Did I read that right?

The point I tried to make has nothing to do with destroying your own copy; it was about that if you make a "backup copy" yourself, you cannot sell that; but if you download a copy, then you can sell this downloaded copy. And that doesn't make sense.

1
0
Frank Bitterlich
WTF?

Did I read that right?

Not sure if I got this right:

1. An initial acquirer of software [...] can sell on the replacement copy that they download providing they "make any copy in his possession unusable at the time of its resale".

... but:

2. [...] whilst the initial acquirer of software can make their own back up copy [...], they cannot resell the back up software [...].

(My emphasis.)

So, if you make a backup, you can not sell it; but if you download a replacement, you can sell it. Or did I misunderstand this?

Huh?

0
0

Microsoft paid me $650 to scrub Windows 10 from my grandpa's PC, says man

Frank Bitterlich

Re: $650 is nothing to MS

I'm with the chap who received the check – it's not about the money. It's about MS admitting that they've tricked people and paying for the damage they've caused.

Maybe a public apology in the form of a full-page newspaper ad would be nice, too.

39
0

$67M in bitcoin stolen as hacking typhoon lashes Hong Kong's Bitfinex

Frank Bitterlich

Limited?

"...and so limited the scale of the breach..." So, a $67M theft is a "limited breach".

Makes me wonder what an unlimited theft would have looked like.

I'm pretty ignorant about how BTC works in depth, but I wonder whether this scale of theft would have taken some time to execute, and if so, why there were no systems in place that have raised a red flag somewhere (in the context of "withdrawal limits in place at Bitfinex and many other exchanges were mysteriously bypassed").

0
0

123-Reg goes TITSUP – again

Frank Bitterlich

Some customers...

Twitter @123reg: "Some customers may have experienced issues this morning. For more information, please see our status page here: https://www.123-reg.co.uk/support/system-status/ …"

Would be more helpful if that status page would actually load...

1
0

Harrison Ford's leg, in the Star Wars film, with the Millennium Falcon door

Frank Bitterlich
FAIL

Re: Eh? What?

Apparently your attention span is comparable to that of the guy who was operating the door, because if you had bothered reading the next paragraph, you would have read...:

"The door was remotely operated by another person..."

23
1

Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried

Frank Bitterlich
Terminator

CA = Critical Infrastructure

Governments, ICANN and other governing bodies have understood a long time ago that some critical infrastructure - like root DNS servers and such - are way too important to let a bunch of companies (many of them with a questionable rap sheet) take control over them.

Maybe it's time to expand the concept to include the certificate authorities. Or, we could continue to let "the market" regulate who does what with their certs and let anybody sell, leak, lose their certs who has enough money to do so. And then let the big browser makers fix this by blocking some root certs; until they find out that you can make some extra money by whitelisting some certs for cash.

"Can't access this or that website with your browser? Try Internet Exploder 16, it accepts more root certs than any other browser!"

10
0

Kraftwerk versus a cheesy copycat: How did the copycat win?

Frank Bitterlich
Thumb Up

What the court did examine, though, ...

... was the amount of damage that Kraftwerk suffered from the use of this two-second sample, and compared that to the constitutional right of artistic freedom. And they ruled that, in this specific case, the latter was more important.

I don't like Pelham's music or the genre as a whole at all, but I tend to agree with the court here. It's a rare example of a "common sense" ruling - compare the interests of both parties and decide which one weighs more.

Another thing missing from this article: The court expressly said that a mandatory compensation might be regulated by legislation in the future. There is no such law currently, so the only thing the court had to decide is whether the original ruling had considered artistic freedom enough; and they ruled that it didn't.

By your line of argument, Andy Warhol should have been sued out of his pants by Campbell's for his soup can picture.

16
1

Are state-sponsored attackers poisoning the statistical well?

Frank Bitterlich
Boffin

This can have grave consequences...

The consequences of this could be immense.

Like, for example, the PR dept having to change their boilerplate "We were breached, but haven't seen any evidence of ID theft, here, have some free 'credit protection' service anyway..." pre-cooked response to any kind of security incident.

Or, "Sir, looks like we need one of these 'firewall' things. Yes, I know, it's just weather data, but the internet said we're being targeted too. Yes, I know two hundred bucks is a lot of money... maybe we can get the gov't to spend 0.0001% more on the data we sell to them..."

0
0

Ted Cruz knows where you live – if you downloaded his app

Frank Bitterlich
Big Brother

Not surprising...

No surprise... after all, how can you call for a ban on encryption when you're using HTTPS when transmitting the data syphoned off your supporters' phones?

3
0

NZ Pastafarians joined in noodly wedlock

Frank Bitterlich

Religious items?

That guy was probably looking for an excuse to order a lasagna every week...

0
0

URL shorteners reveal your trip to strip club, dash to disease clinic – research

Frank Bitterlich
Holmes

Let me see if I get this right...

So,

1. some people publish unsecured content,

2. use an URL shortener on the URL, and

3. believe that this protects the content they published.

Could somebody remind me again why these "researchers" think that the actual vulnerability is in the URL shortener? Just because they fail to keep the long URL "secret"?

Sure, go ahead and encourage stupid internet users to stick the blame on others when they're too dumb to protect their content because they have no clue about the hosting service they're using.

"We have to put our stuff on the internet." -- "Why?" -- "Don't know, the article didn't say that."

2
1

BTC dev: 'Strangling' the blockchain will kill Bitcoin

Frank Bitterlich

Re: re: Paypal

IBAN? IBAN is an account number - not sure what payment scheme you're referring to here. Wire transfer? Direct debit? Both of these are even worse than PayPal.

0
0

French publishers join Swedish 'Block Party' to pester ad refuseniks

Frank Bitterlich
Thumb Up

If you think that's the right solution...

... then good luck with that. If you don't want me to see your "quality journalism" without at the same time letting you push in-your-face jumpy noisy annoying ads down my throat, then I might not be part of your target group.

Good luck with those remaining visitors who apparently don't see a correlation between the advertising behaviour and the quality of the "journalistic" content that is trying to sell these ads.

13
2

Facebook Messenger: All your numbers are belong to us

Frank Bitterlich
Big Brother

"We can help you interact with businesses or services..."

Thank you for that kind offer, Mr. Zuckerberg, but I'm all grown up now and have a fully functional web browser, so I don't need your "help" with that.

But I suspect that the trend of companies and organizations thinking that having a Facebook page is more important than a real website will only get worse.

When I repeatedly state that I do not and will not ever have a Facebook account, some people still look at me like some kind of idiot who lives in the past. Good luck, mankind, with that level of ignorance.

30
0

TV streaming stick brings the movies and the network backdoors

Frank Bitterlich
Facepalm

Re: Brute force ...

Do you really think that a company whose idea of security is an 8-digit numeric root password would ever implement anti-bruteforce methods?

2
0

Microsoft encrypts explanation of borked Windows 10 encryption

Frank Bitterlich

Re: Translation follows...

Sure, because as we all know, posting instructions on how to tinker with your registry so that the nagging stops into a large knowledgebase, is way better than to just add a "No, thanks, leave me alone"-Button to the nagware.

0
0

HSBC COO ‘profoundly apologises’ for online outage

Frank Bitterlich

Re: Likely causes....

Well, that list is roughly equivalent to saying "The problem must be either hardware, software, or human error." Not wrong, but useless.

5
0

City of London cops in Christmas karaoke crackdown shocker

Frank Bitterlich
Terminator

Costing money? How?

So, we're talking about tracks that are not available for purchase. Which makes me wonder how "... would still have been costing the legitimate music companies money ..." could be working. Other than general "home taping kills music" arguments.

Oh, and I call BS on the "legitimate" attribute.

19
0

WhatsApp laid bare: Info-sucking app's innards probed

Frank Bitterlich
WTF?

What's the point?

The article says:

This data included WhatsApp phone numbers, WhatsApp phone call establishment metadata and date-time stamps, as well as WhatsApp phone call duration metadata and associated date-time stamps. They also were able to acquire WhatsApp's phone call voice codec (Opus) and WhatsApp's relay server IP addresses used during the calls.

So, this "collecting" phone numbers, call duration and other stuff is clearly what WhatsApp needs to make the call.

Don't know exactly what the article is about. Somebody has looked into WhatsApp traffic and fails to find someone with their hand in the cookie jar?

24
0

You want a 6% Google Tax? Get lost, German copyright bods told

Frank Bitterlich

Re: cry me a river....

The remedy is clear: 1) do it like Spain, add extra legislation making it illegal/impossible for publishers to opt out; and 2) make it illegal for aggregators like Google to opt out as a consequence as well.

(Optional: 3) make it illegal for the users to not read an article taxed in this way.)

After all, it's called a "tax" for a reason.

And, some simple math:

6-11 % fee x 19-21 % VAT: Nice extra money for the state. But that, of course, has nothing to do with anything.

3
1

iCloud phishing attack hooks 39 iOS apps and WeChat

Frank Bitterlich
Facepalm

I need the list of affected apps...

... just to compile a personal blacklist of app developers whose apps I'll never use or download again.

Because if their devs are so utterly clueless, their apps are dangerous even without this compromise.

@TeeZee: God help us. We really are truly f...ed. Indeed.

3
0

Class action launched against Facebook over biometric slurpage

Frank Bitterlich

This time, it's not just a matter of changing the ToS

In similar cases, Facebook et al. usually just amend their ToS to effectively state that all your stuff belongs to them, and that by using the system, you agree to that.

But this time it's about data of other people - non-users - that they ingest and process. This means that just adding an "I agree" button will not work this time. They'll probably try to add words to the smallprint that the user (=uploader) has to obtain consent from all people in the pics, which is (a) ridiculous and (b) probably not defendable as due diligence.

This will be an interesting case...

10
0

Anonymous UK 'leader' fined for revealing ID of rape complainant

Frank Bitterlich
Headmaster

Re: Anon Leader

Wouldn't that be an oxymoron, rather than a tautology?

You know, as in "... Anonymous member Malcolm Blackman, 48, ..."

11
0

ICO probes NHS clinic's data blunder that exposed HIV+ status of 800 patients

Frank Bitterlich
FAIL

Sure, "human error"...

Once again, the blame will be on the individual making the copy-and-paste mistake. Or maybe their immediate supervisor.

And nobody will ask the really important questions. Like, why the hell are they using desktop email programs to send out newsletters? And why do they have no safeguards in place (like leak prevention rules on their mailserver) to prevent this? They are working in the most privacy-sensitive medicine branch, why don't they have management-level data protection people? Or if they have them, what kind of qualification do they have?

But of course it's much easier to fire some secretary for "not following the rules."

16
0

Microsoft backports data slurp to Windows 7 and 8 via patches

Frank Bitterlich
Terminator

Newspeak...

"Customer experience" => Data grabbing

consent.exe => "No need for you to consent, it's all in the EULA."

"By applying this service, you can add benefits..." => "That's benefits for us, not for you, of course."

Hardcoding the host address: "Preventing us from siphoning your usage data? Ha ha, nice try."

The MS legal department must be bored, so they're trying to pick a fight with various data protection agencies.

21
0

Ads watchdog slams Mind Candy for upselling subscriptions to kids

Frank Bitterlich
Devil

Good to read that they are considering...

... to remove the word "now" from the ads. Now the world is safe again.

4
0

Směrť Špionam! BAN Windows 10, it SPIES too much, exclaim Russians

Frank Bitterlich
Coat

In Russia, ....

In America, you download operating system.

In Russia, operating system uploads you.

(Yeeees, I know, that one was predictable.)

8
0

Linux Foundation wants open source projects to show you their steenking badges

Frank Bitterlich
Alien

GPL == security?

... criteria being considered include whether the project is under an explicit open source license ...

OK, so choosing the right license will contribute to the security of my product?

Wow, I didn't know it was that easy...

3
0

Don't fight the cistern: Voda takes the plunge with plumbers’ parking app

Frank Bitterlich
Big Brother

Combine the useful with the creepy...

... as in "Combine an app that shows free parking spaces with a gadget that sniffs around in your car's data and your driving habits." None of the users will question why these two things need to be combined or even understand that they are constantly being monitored.

I just wonder why the OBD-II gadget doesn't feature a CCTV camera and voice recorder.

4
0

Microsoft Edge web browser: A well-presented mea culpa

Frank Bitterlich
Big Brother

Re: "It's worth turning on the (potentially) privacy-invading Cortana for that feature alone."

The most interesting part:

"AutoSearch and Search Suggestions in Internet Explorer automatically sends the information you type into the browser address bar to your default search provider [...] as you type each character. In Microsoft Edge, this feature automatically sends this information to Bing even if you have selected another default search provider."

Why?

21
0

Did speeding American manhole cover beat Sputnik into space? Top boffin speaks to El Reg

Frank Bitterlich

Re: Sounds like a job for:

... or xkcd's "What If?" blog.

9
0

GCHQ: Security software? We'll soon see about THAT

Frank Bitterlich
Big Brother

The definition of "security"

So, some security agencies are trying to disable security software in order to keep us all secure (from whatever threat of the day may be). And some of these security software companies apparently don't need to be fought/hacked/persuaded for unclear (read: obvious) reasons.

Seems to me that there are a number of different definitions of "security" out there.

"I go down to Speaker's Corner I'm thunderstruck [...] Two men say they're Jesus – one of them must be wrong..."

6
0

Obama issues HTTPS-only order to US Federal sysadmins

Frank Bitterlich

Just to clarify one thing...

Ordering all federal website to use HTTPS does _not_ mean they want to ensure the users' privacy. It just means that since they have the data anyway (they're running the servers, after all), they just want to make sure that nobody _else_ gets to listen in too.

While still a good thing for users (and encouragement for other sites to go the same way), just don't be fooled into thinking that this will make your traffic more secure against official US snooping.

I know, for most readers of this comment this is obvious - but not for the general public. They just see the shiny lock icon or green address bar and think they're "safe."

1
2

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Frank Bitterlich
FAIL

This site is best viewed...

... with any browser other than Firefox.

Will be fun to see these statements popping up again just like in the old days.

Oh, and good luck trying to upgrade all these appliances with their built-in webservers to support HTTPS.

13
1

'Logjam' crypto bug could be how the NSA cracked VPNs

Frank Bitterlich

"Export" grade...

See... and you thought prohibiting the export of <del>working</del> strong encryption in the 1990s would never pay off...

2
0

Security bods gagged using DMCA on eve of wireless key vuln reveal

Frank Bitterlich

Re: Man up

The DMCA is a rather large piece of regulation. It contains both the takedown notice mechanism (the Online Copyright Infringement Liability Limitation Act, which I guess is what you're referring to) and the WIPO Copyright and Performances and Phonograms Treaties Implementation Act, which makes it illegal (criminal) to circumvent copy-protection measures and such. There is no "DMCA order" involved here; it's just that the attorneys are threatening that what IOActive plans to do would be a criminal act.

That's the way I understand this whole issue.

8
1

Apple Watch WRISTJOB SHORTAGE: It's down to BAD VIBES

Frank Bitterlich
WTF?

Obsolete? Upgrade?

Looks like Apple didn't send a batch of free watches to The Reg or iFixit. That would explain the weird arguments like "not offering an upgrade program". What was the last watch you bought that comes with a way to "upgrade" it? Or which smartphone, even (other than upgrading the software)?

And sure, if you can't upgrade it, it must be "obsolete" in 10 years. "Unlike most watches", of course. Who makes that stuff up? Any digital watch technology is outdated after 10 years (oh, and mechanical watch technology too, btw.) Would you call a chronograph built 20 years ago "obsolete" and toss it into the trash? Because you can't "upgrade" it? OTOH, Apple's watch is more closely related to a smartphone than to a watch, and of course you can (hardware-)upgrade smartphones. Right?

Reg, your Apple-bashing is funny up to a certain point, but at some point it's enough already.

2
15
