* Posts by Joe Montana

551 posts • joined 12 Mar 2007


Stop resetting your passwords, says UK govt's spy network

Joe Montana

Poor passwords

The poor passwords people use on systems are partly down to the regular change requirement... People simply won't remember a new random password every month, they will pick something that is easily remembered and/or write it down.

If you don't force them to constantly change their password, they only have one to remember and it becomes much easier to remember a single strong password than a new one every month.

The problem is that people are too unwilling to challenge what they've been told for years.

0
0

Microsoft lures top Linux exec from Oracle to Redmond

Joe Montana

Still running

Existing installs would continue running, but new installs could not be activated, security updates could not be installed, some existing installs would declare themselves as pirated and stop working, it would still be a big mess.

1
0
Joe Montana

Familiar...

Not only that, but successive versions of Windows and MS Office are so significantly different from previous ones that users have to get used to the differences anyway, and most such users will find it no more difficult to switch to Mac or a modern Linux.

6
1

Apple's fruitless rootless security broken by code that fits in a tweet

Joe Montana

Re: No magic bullet

Having a permission system that tries to prevent the admin from accessing certain files is asinine, and only serves to create a false sense of security. If you can administer the system then you can access anything, if you restrict your level of access then you can't perform your task as admin and you're just a normal user with a limited ability to change specific settings.

Consider that the administrator needs to configure backups, how can the system be backed up if some files can't be read? And even if the running kernel won't let you read them, you can always read them from the backup storage.

Instead of adding extra pointless cruft, just accept that the system administrator has full access to the system, and behave accordingly. If you want data to be private from someone, then ensure it never exists in an unencrypted form on a machine accessible to anyone you don't trust.

0
1

Dodgy software will bork America's F-35 fighters until at least 2019

Joe Montana

Re: What's the problem?

Sell them to the enemy, you get to kill their pilots *and* drain their cash reserves!

12
0

Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug

Joe Montana

Home Users

Current versions of Windows, even the workstation versions, have SMB enabled by default and make it far too difficult to turn it off, so yes, home users could well be affected too as they're running an SMB service even if they don't realise it.

3
0

Millions menaced as ransomware-smuggling ads pollute top websites

Joe Montana

Adblockers

You missed installing an ad blocker in the list of ways to prevent such attacks...

The ad networks used by major sites push malware, and yet they still wonder why people run adblockers?

6
0

Oops! Microsoft says its 'Bitcoin ban' was a bug, not a feature

Joe Montana

Not the point

The fact that very few people are buying Windows Store apps isn't the point; the mere fact that a high-profile supplier like Microsoft accepts Bitcoin at all adds a lot of credibility to Bitcoin and encourages others to use it.

2
0

Behold, Microsoft SQL Server on Linux – and a firm screw-you to Oracle

Joe Montana

Re: Too louses

A car can't carry as much load as a 40 ton truck, but for most people's journeys a car with its inferior load carrying capacity is both cheaper and more convenient.

It all depends on what your needs are.

11
0

Poor recruitment processes are causing the great security talent drought

Joe Montana

Re: I'll never get a job in IT

And in what way are your friends and family qualified to judge your ability? People who know nothing about a subject will be impressed by someone who knows only a little more about it than they do.

Your skills sound like you could do low level desktop support, which wouldn't pay very well...

0
0

Intel shows budget Android phone powering big-screen Linux

Joe Montana

Re: "Low-end == 2 Gb"

That largely happened on the Amiga after Commodore went bust, and thus no faster models were coming out...

It also happened because the hardware was fixed, so you could program it directly instead of having to go through multiple performance-sapping abstraction layers.

0
0

Alibaba security fail: Brute-force bonanza yields 21m logins

Joe Montana

Re: We need more info as...

Chances are they, like most places, implemented lockouts on an individual account basis. So because the attackers only ever tried one password per username, nothing was ever detected.

5
0

Juniper turns around in 2015, worried about 2016

Joe Montana

Backdoors

Perhaps the recently discovered backdoors will dent their sales going forward... I would certainly think twice about buying anything from them.

0
0

BT dismisses MPs' calls to snap off Openreach as 'wrong-headed'

Joe Montana

Re: New Zealand has done it.

99% of the homes Virgin serve are also served by BT, the problem is for people in areas where there is neither option available.

4
0

Continuum gets some Qualcomm mid-range support

Joe Montana

Linux

Android phones can all do this in theory, it just isn't marketed or packaged in a way users can use it easily.

There's nothing to stop you running a full Linux desktop on any Android phone; indeed you can install Debian inside a chroot with 99% of the same desktop apps you'd have on an x86 system, including X11, VNC and RDP, so you could access other systems remotely for any apps which didn't run (or ran too slowly) on the handset itself.

1
1

No, that Linux Keyrings bug isn't in '66 per cent of Android devices'

Joe Montana

Kernel config

Looking at the kernel config, it seems CONFIG_KEYS is turned on automatically by a bunch of other kernel options...

5
0

Juniper nets US Air Force network upgrade

Joe Montana

Backdoors

And how much of their kit will come preinstalled with backdoors?

1
0

El Reg mulls entering Robot Wars arena

Joe Montana

Re: Well what worked best before?

I always found flipping robots to be boring, and once robots gained the ability to turn back over or run upside down a flipper becomes somewhat useless.

I preferred the robots which did serious damage, Hypnodisc being probably the best example. Makes for great TV, but obviously becomes expensive for competitors if their robots get completely destroyed.

3
0

Trustwave failed to spot casino hackers right under its nose – lawsuit

Joe Montana

Budgets, constraints and

The problem in infosec is it's all a game of compromise and risk management, and there are no guarantees.

If you hire someone to do a pentest, how in depth do you want them to go? And more importantly, how in depth are you willing to pay them to go? Most companies only want, or are only willing to pay for, your typical blind external pentest which basically says "given 2 days and only the IP of your website we couldn't get in through direct vulnerabilities on that IP"... It doesn't account for indirect attacks, or even just pure random luck etc.

Also, just because a pentest was conducted at any level doesn't mean the client actually followed the recommendations... Quite often security compromises are made because of cost or lack of skills etc. Many networks are also not designed with security in mind, so significant improvements would require a massive (and costly) redesign.

And it sounds like this case talks about an incident response job, but again jobs like that are down to budget and scope... When I've done such jobs often the scope (and budget) has been limited to the systems known to be compromised, but that's not really enough as systems are usually interconnected and often managed from the same workstations etc. The outcome of most incident response jobs is usually that "your logging isn't good enough to really know what happened" and "we really should look at other systems but there isn't budget for it".

12
1

Confirmed: How to stop Windows 10 forcing itself onto PCs – your essential guide

Joe Montana

Easy?

So Windows is "easy" and Linux is "hard" because users might want to delve into the command line?

Those same people who can't understand a command line are not going to work out how to make manual registry changes...

1
0

Irked train hackers talk derailment flaws, drop SCADA password list

Joe Montana

Re: Who the fuck ...

Great, as a pentester the domain is usually the first and easiest target to go for on any given network... All it takes is one vulnerable member system and you can almost always compromise the entire domain, and then every member system is owned. By putting everything in the domain you make it MUCH easier - far greater chance of finding the one vulnerable system you need, and much easier to access everything else (irrespective of how well hardened it is) once you have domain admin.

1
0

UK ISP Sky to make smut an opt-in service from 2016

Joe Montana

Re: Ambivalent

I don't know about Sky specifically, but the adult content filter on several mobile networks blocks more than just porn...

The one on EE seems to block "hacking" related sites, so I had to request that it be unblocked on my work phone (I work in network security and need to read about exploits and security flaws).

The one on Three seems to do some kind of SSL interception which downgrades SSL connections to using RC4 encryption (tested by connecting to Google both with and without the adult filter on), and this completely breaks any connections to hosts which don't support RC4 at all, so I had to turn this off just to access my email.

4
0

No £160m for you: BT to receive termination notice from Cornwall before Christmas

Joe Montana

Re: Outsourcing

Because outsourcing is done inappropriately and/or badly...

Outsourcing is often promoted as the answer to everything, and there are potential economies of scale and improvements to be had by letting specialists handle what they're best at, while freeing them from having to deal with anything else.

For instance, your company may run a couple of databases, but not enough to employ a full-time DBA; instead you have a general IT guy who also manages the databases. If outsourcing is done properly, you can ensure that a full-time, highly experienced DBA manages your database, and since your databases are quite small he can manage databases for several clients.

2
0

Are second-hand MoD IPv4 addresses being used in invoice scams?

Joe Montana

Re: Hamachi

And this is fine if you're just using those ranges internally at a single organisation...

But what about when you try to merge organisations together, and/or use VPN links?

Our company VPN will often conflict with the address space being used on other networks.

0
0

Still running IE10? Not for long, says Microsoft

Joe Montana

Re: How many corporate pages will break

Microsoft should be obliged because they actively encouraged their customers to get themselves locked in.

4
4

Many UK ecommerce sites allow ‘password’ for logins – report

Joe Montana

How are they used?

Sites which implement a complex password policy are usually acting too self important, and irritating their users...

If you guess my password for Wickes or whatever online retailer then so what? You can see my previous orders; you can't even place a new order. Why would I go to the effort of using a strong password for such a site?

Plus you have no idea how such a site stores your password; it might not be stored securely and could easily be leaked.

I always used to use a stupid and easily remembered (but probably not easy to guess) password for such sites where I didn't really care, only now that some have password policies I can no longer use it everywhere and now I have different ones which I continuously forget.

0
0

Tardy TalkTalk advertised for a new infosec officer 1 week ago

Joe Montana

Deep rooted problems...

Most companies have severe security problems, most corporate networks are horrendously insecure and basically an accident waiting to happen.

Yet companies do nothing about it, they bury their heads in the sand... They assume that because they have not yet become the subject of a high profile breach that they must be secure. Even when they do hire competent infosec people, those people are usually completely hamstrung.

The quote on yesterday's article was great:

"Complacency is the biggest enemy of security, just because things 'have always been done a certain way' doesn't mean it remains the most effective way."

Most companies are complacent, they are happy to make the same stupid mistakes because "everyone else is doing it", they assume they are secure because they haven't been (that they're aware of) hacked yet but the reality is that they've just been lucky and/or aren't worth targeting.

2
0

TalkTalk CEO admits security fail, says hacker emailed ransom demand

Joe Montana

Lack of PCI compliance?

The SSL checker indicates they are not PCI compliant purely because of their cert being SHA-1 signed, but many cert authorities still provide such certs for the time being, and there are plenty of old certs out there too.

As for other aspects of the standard, just requiring strong encryption isn't enough, you have to actually be using it properly. Encryption is pointless if the key is held on the same host, and the data can't be used if it can't be decrypted.

Many implementations comply with the standard by encrypting the data, but then provide a way to access it, therefore bypassing the encryption... Many of the people who assess PCI compliance are just box tickers and have no understanding of the actual technology, so if you store your data on an encrypted volume that's automounted at boot that will often be sufficient to pass, but in reality it has not improved your security at all because anyone who compromises the host will be able to access the data anyway.

1
0

Self-driving vehicles might be autonomous but insurance pay-outs probably won't be

Joe Montana

Enjoy driving

Perhaps we don't "enjoy" driving in traffic, but many of us prefer it to other forms of transport...

Many people suffer from motion sickness, and generally (at least in my case) you don't feel sick when you're in control of the motion.

Even if I was rich enough to afford a chauffeur to drive me everywhere, I would still choose to drive for this reason... Although I would probably pay a chauffeur to act more like a valet and take care of the car when I'm not driving it.

1
0

Microsoft now awfully pushy with Windows 10 on Win 7, 8 PCs – Reg readers hit back

Joe Montana

Critical server?

Just what exactly was someone doing using windows 8.1 home as a critical business server in the first place?

3
0

Happy birthday, Amiga: The 'other' home computer turns 30

Joe Montana

Hardware reference manual...

It was the encouragement in the manual to actually learn about the system and experiment with it that started a lot of people's careers off... One of the key things was the instructions showing you how to make copies of your workbench disks, and then telling you to experiment with the copies and if you break it really badly just make a fresh copy.

This is how you need to introduce youngsters to computers, it encourages people to learn and experiment. Nowadays the opposite is true, you have systems which actively discourage learning and experimenting (e.g. hiding system files and giving scary warnings about breaking things)... Introducing the young to systems like this makes them scared of trying anything... We now have a whole generation who stay within the confines of the limited interfaces provided to them, panic when anything goes wrong and have absolutely no understanding about how everything works.

2
0

GOOGLE GMAIL ATE MY LINUX: Gobbled email enrages Torvalds

Joe Montana

Unusual content

The kind of mails Linus receives will be relatively unusual compared to the average gmail user, and the filtering is probably based on learning what kind of mails people usually receive and don't mark as spam.

0
0

RC4 crypto: Get RID of it already, say boffins

Joe Montana

Slow updates

It's widely used because lots of companies are stuck with obsolete software that doesn't support anything else, or are forced to comply with some kind of standard or certification that hasn't been updated... There's various software out there that has a "FIPS mode" and I've seen a few cases where this basically meant turning off TLS 1.1 or higher.

1
0

Account at HSBC? BAD LUCK, no iPhone bonk-banking for you

Joe Montana

Sounds like you want a BT Phonecard!

1
0

Someone at Subway is a serious security nerd

Joe Montana

Theatre

The certificate pinning makes a lot of sense, as you really can't trust CAs these days... The anti-reverse-engineering stuff is just stupid; as the article points out, it just slows someone down slightly but doesn't actually prevent them from doing anything.

Knowing how something works doesn't make it insecure unless the design is fundamentally flawed. Everyone has access to the source code for Linux, and yet many highly secure devices are Linux based. And if your application is so flawed that someone who understands how it works can do nasty things then I don't want to be using it at all.

I would much rather fully understand what I'm using, or at the very least know that I have access to do so should I desire, and that others whose abilities I respect have already looked. I don't want to be using a black box full of security holes just waiting for the first blackhat to find and privately exploit them.

0
0

Apple snuggles closer to IPv6

Joe Montana

Re: Workaround for routers?

Most people have routers supplied and configured by their ISPs, if the ISP supplies a router configured for v6 then users will use it without even realising (very common in the US).

The problem is that very few ISPs in the UK support v6 at all, and the few that do are small ones which attract tech savvy customers anyway.

Amongst business it's even worse, virtually everyone simply ignores v6, and those very few that might consider implementing v6 find that they're stuck with ISPs who don't support it anyway.

It's different in the US primarily because the government requires that all government sites are dual stack and that any company supplying the government support and use v6. Without being forced, business users will never bother using it at all.

4
0

Brit teen who unleashed 'biggest ever distributed denial-of-service blast' walks free from court

Joe Montana

They're not specific about exactly what "indecent images of children" were, they might have been of very young kids or they might have been of people barely younger than the defendant himself. Keep in mind he was 16 at the time the images were found, and 13 at the time he started committing the crimes he is accused of...

"indecent images of children" could mean images of 15 year olds, who could be less than a year younger than him. It's during their teens that most people first develop an interest in sex, and it's perfectly normal for people to be sexually interested in others within a year or two of their own age. It's also possible he may have collected images of 13 year olds when he himself was 13 etc...

Given the lenient sentencing, it's likely the images were fairly close in age to the defendant and although technically illegal, a 16yr old looking at images of a 15yr old is very different from a 40yr old looking at those same images.

6
0

Vodafone hikes prices to 37.5p/min – and lets angry customers flee

Joe Montana

Re: It must be a money winner because

It's possible to play a recorded message (i.e. one-way sound) without answering; this is how the ringing and other error tones are transmitted, but it can be used for anything. If they cared about customers it would be done this way...

0
0

United Airlines accounts open to mass lock-outs

Joe Montana

Account lockouts

This is an EXTREMELY common problem, because most security manuals say you should lock accounts after several unsuccessful attempts and many commonly available products provide no other options for blocking or alerting on brute force attempts.

This fails for two reasons, not only the deliberate denial of service that can be performed by intentionally entering wrong passwords but also because it completely fails to take into account the methodologies employed by real hackers. In most cases, a specific account is not the target - hackers just want *any* accounts and in some instances, as many accounts as possible... So rather than try thousands of passwords against a single account, they try a small subset of common passwords against many accounts - an attack which would not trigger an account lockout response.

4
0
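The two posts above (the Alibaba one and this one) make the same point: a per-account lockout only counts failures per username, so one guess per account across many accounts never trips it. The script below is an added example, not from the original posts, that runs a per-account lockout check and a per-source "distinct accounts failing" check side by side over constructed log lines; the log format, thresholds and addresses are all made up for illustration.

```python
"""Detect password spraying that per-account lockouts miss.

Added example (not from the original posts). The log format, thresholds
and sample log lines below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # failures per account before a typical lockout
WINDOW = timedelta(minutes=10)  # sliding window for the per-source check
SPRAY_MIN_ACCOUNTS = 20        # distinct accounts failing from one source


def parse_line(line):
    # constructed format: "2016-01-01T09:00:00 FAIL user=alice src=198.51.100.5"
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def per_account_lockouts(events):
    """What a conventional lockout policy sees: failure count per username."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)


def spray_alerts(events):
    """Flag sources that fail against many distinct accounts within WINDOW.

    Returns {source: max distinct accounts seen failing in one window}.
    """
    events = sorted(events, key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


def build_sample_log():
    """Constructed sample: one guess each against 40 accounts from one source,
    plus a legitimate user mistyping their password three times."""
    t0 = datetime(2016, 1, 1, 9, 0, 0)
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} FAIL user=user{i:03d} src=203.0.113.7")
    for i in range(3):
        ts = (t0 + timedelta(minutes=1, seconds=i)).isoformat()
        lines.append(f"{ts} FAIL user=alice src=198.51.100.5")
    ts = (t0 + timedelta(minutes=1, seconds=5)).isoformat()
    lines.append(f"{ts} OK user=alice src=198.51.100.5")
    return lines


def analyse(lines):
    events = [parse_line(l) for l in lines]
    return {"locked": per_account_lockouts(events), "spray": spray_alerts(events)}


if __name__ == "__main__":
    # The spray locks nobody out, but the per-source check flags 203.0.113.7.
    print(analyse(build_sample_log()))
```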

Sysadmins rebel over GUI-free install for Windows Server 2016

Joe Montana

Re: Growing up is tough

"If an SMB doesn't have the talent internally then if they've got any sense they'll outsource."

This has been one of the biggest problems for years... MS have promoted windows as point and click, simple for someone with no experience to operate... And that's exactly what happened.

Only the marketing is misleading, while someone without experience can get a windows box limping along it will be horribly insecure and unstable, and this is exactly what's happened and is one of the biggest reasons why most companies encounter so many problems.

10
1
Joe Montana

The point...

Yes, GUIs don't belong on servers... But MS have been saying the exact opposite of this for years and have managed to convince far too many people that having a GUI on a server should even be mandatory.

4
0

EXT4 filesystem can EAT ALL YOUR DATA

Joe Montana

RAID0?

Surely anyone who's using RAID0 doesn't really care about the integrity of their data in the first place?

27
1

New Windows 10 Build 10122 aims to fix file association hijacking

Joe Montana

Re: Now if they could just turn display of file extensions back on…

It looks at the file header to determine what it is... Executables for all modern operating systems have standard headers that include information like what architecture the binary is for, what shared libraries it requires etc. Most data file types also include similar headers, and on Unix you have a command called "file" which will query this information and determine what a file is based on its contents, entirely independent of its name.

On Windows, icons can be embedded into executables, but this is not the case on Linux. Unless an executable has been explicitly assigned an icon (which won't be the case for something you just downloaded) it will have a generic executable icon. Real documents will also have the standard icon assigned to documents of that type, so you won't be able to download an executable that has a PDF icon and open it by accident.

Another feature on Unix is file permissions, where freshly downloaded files won't have the executable permission by default. Windows has file permissions too, but seems to default to giving the execute permission to everything. You can also mount drives with the noexec flag so that execute permissions will be totally ignored (useful for removable media).

4
0
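As an added example (not from the original post), here is the header-sniffing idea the post describes, in miniature: classify a file from its leading bytes the way "file" does, then flag anything whose contents are an executable while its name claims to be a document. The magic values are the real ones for ELF, PE, PDF and Zip; the sample files and the suspicious-extension list are constructed for illustration.

```python
"""Identify a file by its header rather than its name, like file(1) does.

Added example, not from the original post. Magic values are the real ones
for these formats; the sample files below are constructed in memory.
"""
import struct


def sniff(data: bytes) -> str:
    """Return a content-based type string from the leading bytes."""
    if data[:4] == b"\x7fELF":
        # e_ident[EI_CLASS] (byte 4): 1 = 32-bit, 2 = 64-bit
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown")
        return f"ELF {bits} executable"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # PE: the DOS header's e_lfanew field (offset 0x3c) points at "PE\0\0"
        pe_off = struct.unpack_from("<I", data, 0x3c)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE32 executable (Windows)"
        return "MS-DOS executable"
    if data[:5] == b"%PDF-":
        return "PDF document"
    if data[:4] == b"PK\x03\x04":
        return "Zip archive"
    if data[:2] == b"#!":
        return "script text"
    return "data"


EXECUTABLE_TYPES = ("ELF", "PE32", "MS-DOS", "script")
# constructed list: extensions a user would expect to open harmlessly
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "png", "txt"}


def check(name: str, data: bytes) -> dict:
    """Flag a file whose contents are executable but whose name says document."""
    kind = sniff(data)
    is_exec = kind.startswith(EXECUTABLE_TYPES)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"name": name, "type": kind, "executable": is_exec,
            "suspicious": is_exec and ext in DOCUMENT_EXTENSIONS}


def sample_files() -> dict:
    """Constructed minimal headers, just enough for sniff() to classify."""
    pe = bytearray(b"MZ" + b"\x00" * 0x3e)       # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3c, 0x40)        # e_lfanew -> right after it
    pe += b"PE\x00\x00"
    return {
        "invoice.pdf": b"%PDF-1.4\n%...",
        "invoice.pdf.exe": bytes(pe),                        # double extension
        "report.pdf": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # ELF named as PDF
        "archive.zip": b"PK\x03\x04",
    }


def scan(files: dict) -> list:
    return [check(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for r in scan(sample_files()):
        print(r)
```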

GDS monopoly leaves UK.gov at risk of IT cock-ups, warns report

Joe Montana

Bespoke code?

The government's requirements are generally unique, there is only one government per country as opposed to thousands of companies...

Besides that, "building inhouse" is not a bad thing as it ensures the platform is wholly owned and controlled by the government, and not beholden to a third party.

As for the extent to which they build things themselves, it's not like they're building everything from scratch - they will take a collection of existing technologies, integrate them together and apply whatever unique customisations are required for the task at hand.

If they had gone to one of the traditional outsourcing companies they would still have ended up with a bespoke system, but one which they don't own or control and are beholden to the supplier for; plus it would probably be built from much more expensive base components and still have very significant customisations on top.

0
0

Virgin Media goes TITSUP, RUINS Tuesday evening

Joe Montana

Outage

My cable was down for a couple of hours in the evening; because I work from home and internet access is very important for that, I also have an ADSL line which remained up, so I simply switched to that...

I did however check the virgin status page, which claimed there was no problem with broadband in my area, so the problem here is one of miscommunication. Most people upon seeing there is no problem with the service will assume their own equipment is at fault and waste time trying to troubleshoot it.

What they should have done is updated the status page, and changed the recorded message to indicate there is a problem.

Outages happen, we're not paying for five nines of uptime so most users will understand and wait for it to come back up, and not waste the time of the helpdesk staff who can't actually do anything about it anyway.

5
0

Europe could be drowned in 'worthless pop culture' thanks to EU copyright plans

Joe Montana

Languages

If the content is of no interest to someone outside of the local country then it doesn't matter if it's available in those other countries, since no one will buy it anyway.

Polish content is a niche item outside of Poland for instance, but what this will do is make it easier for those people who do want niche content to get it; for instance there are many Polish people in the UK who would want to access Polish content.

The idea of artificially limiting distribution is ridiculous, and is just pure greed/arrogance on the part of the distributors. Modern technology makes it trivially easy to distribute content worldwide and I'm glad the EU is making a stand against artificial distribution restrictions.

13
1

'Tech' City hasn't got proper broadband and it's like BT doesn't CARE

Joe Montana

Business lines

Basically, if you can afford the rent to set up your business in such an area, you should probably be paying for a business-class internet service too, and that means dedicated fibre leased lines, not home-user-oriented FTTC.

There will be very few residential properties in such areas, hence why it's not viable to connect up home user services.

If you want to cheap out on internet access, get a cheaper office too... In fact, if your business is tech oriented you will probably be better off getting a very cheap office and spending the savings on good connectivity.

5
0

Ugly Microsoft code NUKED Bing and Yahoo! – report

Joe Montana

Re: Dodgy Microsoft Code

524 days uptime is nothing; 4 figures is not uncommon for non-Windows boxes (Unix, VMS, NetWare, routers etc.) and it's quite telling that you used a Linux box to protect the Windows box from attack... your Linux box probably had the same or higher uptime than the Windows box behind it.

6
1

Ofcom mulls selling UK govt's IPv4 cache amid IPv6 rollout flak

Joe Montana

Re: Does anyone actually use IPv6

We use IPv6 at work, and VPN is one of the biggest reasons...

Quite often our internal IPv4 space overlaps with that of customers, people's home networks or things like public wifi, which can cause quite severe problems when you're running VPN links.

1
0
Joe Montana

Re: IPv6

Physical line yes, telephone service over that physical line no... Split that out too and let us choose not to have it. "line rental" currently covers not only the physical line.

0
1
