Posts by Andrew Commons

66 posts • joined 22 Dec 2007


Hilton hotels' email so much like phishing it fooled its own techies

Andrew Commons

Situation normal then

I get an email every year from a large Australian Domain Registrar asking me to go and verify my contact details.

The ONLY part of the email that actually relates to said registrar is the branding. Everything behind it - including the link behind the text link to 'www.registrar.com' - is not related to the registrar. This includes the email headers. It's all through the mass mailer they have outsourced the job to.

My attempts to talk to them about this lead me to believe that it is legitimate but everything about it screams BEWARE. They see nothing wrong with it.

8
0

Your colleagues will lie to you: An enterprise architect's life

Andrew Commons

Re: And the elephant in the room is...

:-) Up vote.

But seriously...I have seen enough instances where something critical in the enterprise is no longer supported and no one started working on it early enough to put it into forward planning to see this as a real failing in many organisations.

El Reg has an example in this very recent story:

http://www.theregister.co.uk/2016/08/09/metropolitan_police_missed_xp_migration_deadline/

1
1
Andrew Commons

And the elephant in the room is...

Lifecycle management.

Of course if you are a consultant you don't live with the consequences of not having it, well and truly out the door before it all comes apart.

5
0

Networking wonks say lousy planning, not DDOS, caused #Censusfail

Andrew Commons

Timeline

The ABC has a timeline in this story:

http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

See brief extract below. Note the line that reads "Fire walls kick in". Where were they before that time? Was this an optional extra?

Intelligence agency called in

August 9, 2016

11:55am

The incident is reported to the Government's Australian Signals Directorate to seek any advice on prevention of further incidents or any intelligence-related threat.

Fire walls kick in

August 9, 2016

4:58pm

Another modest increase in traffic is automatically defended by network fire walls. "Additional measures" are taken to prevent further attempts of this type.

2
0

'Alien megastructure' Tabby's Star: Light is definitely dimming

Andrew Commons

A plain old peculiar

Peculiar variables exist and are documented.

See for example: http://www.starman.co.uk/variables/types/peculiar/pecstars.htm

Do we need to get more complicated than this?

1
5

IT analyst: Oz census data processed as plain text

Andrew Commons

Softlayer

This should be considered in this context?

http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

1
0
Andrew Commons

More than IBM?

Actually census.abs.gov.au resolves to two IP addresses managed by a Canadian owned company (Nextgen Networks) that does not do web hosting. They do provide connections to Cloud services like AWS...so who else has access to the census data?

0
0

BlackBerry DTEK 50: How badly do you want a secure Android?

Andrew Commons

Re: Fingerprint Snesor ? WTF!!!!

"Also unlike a password, it's _very_ hard to keep your fingerprints a secret as you literally leave them on everything you touch."

And they can be photographed from a distance - I think CCC did that to a German government minister at a press conference not so long ago.

0
0

The Australian Bureau of Statistics has made a hash of the census

Andrew Commons

What is being missed....

Is where the data is going to be as it is collected.

The FQDN census.abs.gov.au resolves to 150.207.169.5 and 150.207.169.8. These are allocated to an ASN apparently assigned to IBM but used by Nextgen Group who provide network and data centre services and, far more interestingly, connection of networks to cloud services. They do not appear to offer hosting and are 70% Canadian owned.

So if you are the ABS and want to collect information from every Australian household in the space of 24 hours (or probably less really) with pretty much a zero tolerance to failure are you likely to have that capability in house? On standby for use once every four years?

If not, then where could you find that short term capability?

It would be a nice raw data set to grab if you were a foreign government.

4
0

Kaspersky so very sorry after suggesting its antivirus will get you laid

Andrew Commons

Shaggy dog story...

Surely a reference to a 'root kit' can be worked into this?

5
0

It's time for a discussion about malvertising

Andrew Commons

A discussion has already occurred

On May 15 2014, according to a US Senate investigation, the current state of online advertising endangers the security and privacy of users. You can get the report via this page:

http://www.hsgac.senate.gov/hearings/online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy

It highlights the problems with the ad networks and the degree to which they are being abused. Unfortunately not much more seems to have come of it.

I have been confronted with an alert from a news web site demanding I turn off my ad blocker along with an alert from my AV software saying it blocked malicious content far too many times to consider dropping my shields.

My solution is to visit diverse news outlets that are reasonably trustworthy along with reliable free sites. In general the free sites are far better quality and actually contain news rather than click bait dressed up as news.

12
0

Osram's Lightify smart bulbs blow a security fuse – isn't anything code audited anymore?

Andrew Commons
Black Helicopters

Re: Why is it

"Also, security is not done well on PCs"

No.. should read "security is not done well".

Our (well some people's) unthinking desire to embrace new and shiny far outstrips our ability to understand and secure it.

This includes collateral damage as well as direct consequences.

7
0

IoT puts assembly language back on the charts

Andrew Commons

Re: Are there chips with no development support?

An old friend of mine refers to C as the "gentleman's assembler".

There are games you can play in assembler, such as manually overlaying use-once initialisation code and read/write storage such as I/O buffers, that I'm not sure you can play with compiled languages. If you are really memory constrained you grab at every straw :-)

0
0

Purloined password re-use checker pees in the security soup

Andrew Commons

Re: Once again, it's less of a risk to use a password manager ...

When PINs became unavoidable on credit/debit cards on this big island I reduced said cards to a minimal set where I could remember the PINs. While I was cancelling a card, in a Bank, the young person handling the transaction asked why I was doing this. I explained. They recommended that I use the same PIN on all my cards...it worked for them.

No amount of education seems to change this and the transactional middlemen - both black and white(ish) - do nothing to discourage it because they are making a killing.

1
0
Andrew Commons

It's an obvious attack

I would assume that any 'miscreant' worth their salt was on to this long ago.

2
0

Behold the ROBOT RECTUM... medics' relief

Andrew Commons

Re: Probeur

Can you imagine some of the code?

class Finger extends Anus implements Surprise{}

What would be an appropriate language for this? Squeak perhaps? Regardless it would have to be Tworing complete!

0
0

Oz doctors develop surgical robot designed to operate on your wallet

Andrew Commons

Not unexpected

To quote from the Australian AMA web site: "The AMA has adopted the World Medical Association's (WMA) Declaration of Geneva as a contemporary companion to the 2,500-year-old Hippocratic Oath for doctors to declare their commitment to their profession, their patients, and humanity."

This declaration appears to avoid these statements in the Hippocratic Oath (source Wikipedia):

"I will apply, for the benefit of the sick, all measures which are required, avoiding those twin traps of overtreatment and therapeutic nihilism."

"I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person's family and economic stability. My responsibility includes these related problems, if I am to care adequately for the sick."

So nothing surprising here then.

2
0

Malware scan stalled misconfigured med software, mid-procedure

Andrew Commons

Re: Why?

A low priority process can bring a system to its knees by getting a lock on a resource that is required by other processes and not letting go of it because it's low priority and not given much processor time.

While there are ways to reduce the impact making it go away completely is non-trivial, as is this problem.

0
0
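The mechanism described in the post above (a low-priority task holding a lock that a high-priority task needs, while a medium-priority task hogs the CPU) is classic priority inversion, and one of the partial mitigations the post alludes to is priority inheritance. The following Python simulation is an added example, not code from the post or The Register; the three-task scenario, the single lock and the strict one-unit-per-tick scheduler are constructed here for illustration. It reports the tick at which each task finishes with and without inheritance.

```python
from typing import Dict, List, Tuple

# A step is ("lock", resource), ("unlock", resource) or ("work", units).
Step = Tuple[str, object]


class Task:
    def __init__(self, name: str, priority: int, arrival: int, steps: List[Step]):
        self.name, self.priority, self.arrival, self.steps = name, priority, arrival, steps
        self.pc = 0          # index of the next step to execute
        self.remaining = 0   # work units left in the current "work" step

    def finished(self) -> bool:
        return self.pc >= len(self.steps)


def make_tasks() -> List[Task]:
    """Constructed scenario: LOW takes the lock first, MED (needs no lock)
    arrives and hogs the CPU, HIGH arrives and needs the lock LOW holds."""
    return [
        Task("LOW", 1, 0, [("lock", "r"), ("work", 4), ("unlock", "r")]),
        Task("MED", 2, 1, [("work", 6)]),
        Task("HIGH", 3, 2, [("lock", "r"), ("work", 1), ("unlock", "r")]),
    ]


def simulate(tasks: List[Task], inherit: bool, max_ticks: int = 200) -> Dict[str, int]:
    """Strict-priority scheduler, one unit of progress per tick.  Returns the
    tick at which each task completed.  Only one lock exists in this toy, so
    priority inheritance needs no transitive propagation (a simplification)."""
    holders: Dict[object, str] = {}   # resource -> name of the task holding it
    done: Dict[str, int] = {}
    for tick in range(max_ticks):
        active = [t for t in tasks if t.arrival <= tick and not t.finished()]
        if not active:
            break
        eff = {t.name: t.priority for t in active}   # effective priorities
        blocked = set()
        for t in active:
            op = t.steps[t.pc]
            if op[0] == "lock" and holders.get(op[1]) not in (None, t.name):
                blocked.add(t.name)
                holder = holders[op[1]]
                if inherit and holder in eff:
                    # The holder temporarily runs at the waiter's priority so
                    # a medium-priority task cannot starve it.
                    eff[holder] = max(eff[holder], t.priority)
        runnable = [t for t in active if t.name not in blocked]
        if not runnable:
            raise RuntimeError("deadlock at tick %d" % tick)
        t = max(runnable, key=lambda x: (eff[x.name], -x.arrival))
        op = t.steps[t.pc]
        if op[0] == "lock":
            holders[op[1]] = t.name
            t.pc += 1
        elif op[0] == "unlock":
            holders.pop(op[1], None)
            t.pc += 1
        else:
            if t.remaining == 0:
                t.remaining = int(op[1])
            t.remaining -= 1
            if t.remaining == 0:
                t.pc += 1
        if t.finished():
            done[t.name] = tick + 1
    return done


if __name__ == "__main__":
    print("no inheritance:", simulate(make_tasks(), inherit=False))
    print("inheritance:   ", simulate(make_tasks(), inherit=True))
```

Without inheritance HIGH cannot finish until MED has used up all its CPU time and LOW has finally been scheduled to release the lock; with inheritance LOW is boosted as soon as HIGH blocks on it, so HIGH completes much earlier. Note that inheritance only shortens the inversion; HIGH still waits for LOW's critical section, which is why the problem does not go away completely.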
Andrew Commons

Re: Been there, seen that

I imagine patching and rebooting would also have been problematic as well.

The issue here isn't the AV software as such, it is the blind adherence to its use in an incompatible environment.

There are other ways to mitigate the risks, such as isolation and tight network controls, so it's all solvable.

1
0
Andrew Commons

Re: Medico's expertise

"The surgeon is ipso facto likely to be the smartest person around and therefore probably the one who knows most about ..."

Most of these people are very specialised and know a lot about a fairly limited problem space. Dentists know how to make a fortune out of 32 teeth but I would not bet on them knowing what to do when the lid comes off the computer, or when the bonnet of a modern car is lifted (which is pretty much the same thing nowadays).

They are highly specialised; this does not equate to smart. For example, New Zealander Nigel Richards is the current (I think) French Scrabble champion; he does not speak French (see http://www.theguardian.com/lifeandstyle/2015/jul/21/new-french-scrabble-champion-nigel-richards-doesnt-speak-french ) but he does have a very good memory and really knows how to play Scrabble. Many of the med students I knew going through Uni reckoned that all you needed for medicine was the ability to memorise a telephone directory :-)

6
0

You can always rely on the Ancient Ones to cock things up

Andrew Commons

Re: Ah yes....

"we had to get it out of its crate before we could move it further"

Yup...and then you get to the goods lift. Remove all packaging before it stands any chance of getting into it. Press the button for the desired floor, squeeze the bugger into the empty lift ignoring all the alarms and then pray that the doors open on the right floor :-)

Miniaturisation has taken a lot of the excitement out of technology.

3
0
Andrew Commons

Re: Ah yes....

"but I heard that her bottom wasn't really worth looking at"

You are obviously far more discriminating than I am. It took four burly wharfies to get her back up again, it was quite some bottom :-)

3
0
Andrew Commons

Re: Ah yes....

Well, if you were part of the flying squad you may have been there when the 'first in the country' VAX 8600 fell over ... physically.

It's not often you get to see the underside of one of those things. :-D

5
0
Andrew Commons
Coat

Ah yes....

Far too many years ago I was writing some commercial security software for DEC VMS systems. They had a built in account for Field Service, we had some examples in the product where this was referred to as 'Field Circus'... it was suggested by some distributors that this was not a good idea. We agreed and removed it, and then it came back, and then we removed it, and then.... It took a significant search and destroy effort covering every possible library and input to libraries across our development environments to nail it.

So situation normal really :-)

5
0

Auto vulnerability scanners turn up mostly false positives

Andrew Commons

Re: One Concern

And it has now been corrected without any comments making these comments notally inkomprehensibule.

2
0
Andrew Commons

Re: One Concern

It's on the El Reg sliding scale between Mostly and Never....

1
0
Andrew Commons

Re: One Concern

Not really. You have to take into account (a) how aggressive the scanning is, i.e. how willing the customer is to have things really broken, and (b) the context in which the scanning is taking place. If the target (customer) is sensitive then expect high false positive rates. If you are scanning from the outside network edge then internal controls that will mitigate an apparent vulnerability in a multi-stage attack may not be apparent.

It's not black and white.

1
0

C’mon Lenovo. Superfish hooked, but Pokki Start Menu still roaming free

Andrew Commons

You can always try YumCha

I recently roughed out the spec of a workstation - cabinet (it had to fit in a particular location), motherboard, CPU (fast i7), memory (32GB), 3 NICs, SSDs and spinning rust, O/S - priced the parts through retail channels and sent out requests for quotes for the built box based on the partial parts list. I ended up with a built and tested box that met my requirements for a price that matched my estimates for the parts alone, and it came with a warranty.

The result was cheaper than something equivalent from the major vendors and had no unwanted additions.

These were not cheap-end-of-the-market specifications, so it may not be something that can be replicated in that space, but it is working really well and I'm left wondering why I hadn't tried this before.

0
0

Debian on track to prove binaries' origins

Andrew Commons

I don't think this is what it is all about

"The feat will allow anyone to independently confirm that Debian binaries were built from a reported source package."

Back in about 1983 I managed a small group tasked, amongst other things, with distributing software to hospitals. Part of the QA process I introduced involved taking a release of the source code and a copy of the software used for acceptance testing. The next step was to rebuild the software from the supplied source and compare the results with the acceptance test versions. This was VAX/VMS and the undocumented CHECKSUM command was used for this comparison (CHECKSUM/IMAGE for the curious, it took out timestamps). If the two did not match it was all sent back to the developers with a 'please explain'.

Roll forward 10 years after a period of developing security software for VAX/VMS (see NIST SP 800-6) and I found myself doing something similar but more focused on determining whether the software had been built from code in the source code repository, effectively whether it was built from the approved package. This required a more detailed analysis of the information stored in the executable images and has some similarities to the initiative reported here.

So, I've done some of this stuff and have some idea of where it can come apart.

(1) Change your tool chain (even a different version of the same tool chain) or architecture and it will all probably break. The Alpha VMS compiler/linker tools did not dump the same sort of information into the binaries and it largely invalidated the VAX/VMS tools I had developed.

(2) Different build options, even when using the same tool chain and target architecture, will result in functionally equivalent but very different binaries.

(3) Anything you find embedded in an image can obviously be manipulated so even if the same architecture and tool chain and options are used the contextual information must not be trusted without additional verification.

For all of the above I think this is not the 'feat' you are looking for.

Given some binaries and a source code package, proving the link between the source code and the binaries is non-trivial (again I have some form here, having been tasked with reverse engineering the source code library that represented the executables currently in production...).

What they are testing is the statement "It should be possible to reproduce, byte for byte, every build of every package in Debian.", this is from the WIKI reference a couple of clicks on from the referenced "report note".

This has very little to do with the claim in this piece. If you have the same source code, and the same tool chain executed with the same options you should be able to prove that you have achieved the same results.

Nothing like the headline statement.

6
1
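The post above makes three points: a timestamp-agnostic checksum (like the VMS CHECKSUM/IMAGE the post mentions) can confirm that two builds of the same source with the same options match; different options give different binaries; and metadata embedded in an image cannot be trusted on its own, only a rebuild from trusted source can confirm it. The Python below is an added illustration of all three, not code from the post, Debian or The Register. The image format, the toy "compiler" and the sample source are constructed for the example; real toolchains embed far more variable data than one timestamp.

```python
import hashlib
import struct

# Constructed image format: magic, 64-bit build timestamp, options length,
# then the options string and the "compiled" code.
MAGIC = b"IMG1"
HEADER = struct.Struct(">4sQB")


def toy_compile(source: bytes, options: str) -> bytes:
    """Stand-in for a compiler: output depends only on source and options.
    '-O2' strips blank lines and squeezes whitespace; anything else does not."""
    lines = [ln.split(b"#", 1)[0] for ln in source.splitlines()]
    if "-O2" in options.split():
        lines = [b" ".join(ln.split()) for ln in lines if ln.strip()]
    return b"\n".join(lines)


def link_image(code: bytes, options: str, build_time: int) -> bytes:
    """Wrap compiled code in a header that records timestamp and options."""
    opts = options.encode()
    return HEADER.pack(MAGIC, build_time, len(opts)) + opts + code


def parse_image(image: bytes):
    magic, build_time, optlen = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("not an image")
    off = HEADER.size
    options = image[off:off + optlen].decode()
    return build_time, options, image[off + optlen:]


def image_checksum(image: bytes) -> str:
    """Point (1)/(2): hash everything except the build timestamp, so two
    builds with the same source and options compare equal."""
    _, options, code = parse_image(image)
    h = hashlib.sha256()
    h.update(options.encode())
    h.update(b"\0")
    h.update(code)
    return h.hexdigest()


def verify_by_rebuild(image: bytes, source: bytes) -> bool:
    """Point (3): rebuild from the trusted source with the options the image
    claims, then compare timestamp-agnostic checksums.  A header that lies
    about its options cannot pass this, whereas reading the header alone
    would accept it."""
    build_time, options, _ = parse_image(image)
    rebuilt = link_image(toy_compile(source, options), options, build_time)
    return image_checksum(rebuilt) == image_checksum(image)


# Constructed sample "source package".
SOURCE = b"""\
x = 1   # constructed sample program
y  =  x + 1

print(y)
"""


def demo() -> dict:
    a = link_image(toy_compile(SOURCE, "-O2"), "-O2", 1000)
    b = link_image(toy_compile(SOURCE, "-O2"), "-O2", 2000)   # later rebuild
    c = link_image(toy_compile(SOURCE, "-O0"), "-O0", 1000)   # other options
    # Tampered image: code was built with -O0 but the header claims -O2.
    t = link_image(toy_compile(SOURCE, "-O0"), "-O2", 1000)
    return {
        "same_opts_diff_time": image_checksum(a) == image_checksum(b),
        "diff_opts": image_checksum(a) == image_checksum(c),
        "tampered_header_passes_metadata_check": parse_image(t)[1] == "-O2",
        "tampered_header_passes_rebuild": verify_by_rebuild(t, SOURCE),
        "genuine_passes_rebuild": verify_by_rebuild(a, SOURCE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tampered image is the interesting case: anything that merely reads the embedded options string accepts it, while rebuilding with the claimed options and comparing checksums rejects it.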

.Bank hires Symantec to check credentials

Andrew Commons

Here we go again

In the days when SSL was young the Certificate Authorities charged more for 'high assurance' certificates that required a little bit of proof before they were issued. This was all about TRUST.

Roll the clock forward a bit... the Certificate Authorities are now offering certificates with higher assurance that will show up with a green background to prove they can be trusted....trade in your old high assurance certificates for these new green ones.

Fast forward to today...the Certificate Authorities are going to issue certificates to a special domain to prove that they are trusted...trade in your green certificates for these new ones that will really be trustworthy this time.

And tomorrow?

They just keep failing to deliver and then turn around and take more money so they can fail to deliver again.

Nice business model.

2
0

Pity the poor Windows developer: The tools for desktop development are in disarray

Andrew Commons

Situation Normal - (SNAFU,TARFU,SAPFU,FUBAR,....)

This is symptomatic of the software industry over the years. Revolution rather than Evolution.

You have a set of tools that work reasonably well, experience with them has resulted in incremental improvements, defects in new developments are dropping.

<code>

Do While i < Age of Universe

Enter Moses i.0.

'Hey man, look at this new platform, it is sooo cool!'

And the multitudes are amazed and flock like lemmings to this new technology

that has no documentation or tool support but is the FUTURE!!!

Over time experience accumulates and tool support increases.

Loop

</code>

We are doomed.... stick with COBOL :-)

13
0

Australia mandates* cloud use by government agencies

Andrew Commons

Re: Thank goodness we've got the cloud sorted out here in the UK

@dan1980

"Some concerns are removed, some new ones are added but most still remain, albeit slightly changed."

Spot on. And now we are trying to figure out how to manage these concerns through contract management processes instead of through technical controls, and we are real beginners in this space.

1
0

Today's weather is brought to you by our sponsors

Andrew Commons

Yes, they are there

And already serving malware...the anti-malware software I use started warning me it had blocked content shortly after the ads first appeared.

Maybe our Senate should read the US Senate 14 May 2014 report "Online Advertising and Hidden Hazards to Consumer Security and Data Privacy"

1
0

Delaware pair nabbed for getting saucy atop Mexican eatery

Andrew Commons

Re: Why?

So they can use the headlines of course.

7
0

Help us out readers: How would you sniff and store network traffic?

Andrew Commons

Start simple

"the Learning Centre's WLAN and satellite WAN are both slow"

Latency will be the killer for the satellite WAN and some of this may be reflected in the local WLAN performance if 'local' requests are making it out of the local environment. DNS would be one candidate I guess.

So start by understanding what traffic is going through the satellite gateway. No need to sniff the traffic yet; just get connection logs if possible from the device itself. This should give you a good idea of what is going on with just src/dest IP and ports.

How you do this will depend on the capabilities of the gateway. Best case is very careful use of remote administration access or using the VNC capabilities to get internal administration access; otherwise you are facing big-time latency - a two-day round trip.

1
0
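As an added illustration of the "start with connection logs" advice in the post above (example code, not from the post or The Register), the Python below parses a constructed gateway connection log that carries nothing more than protocol, source/destination IP and port, and byte count per flow, and summarises it by destination port and by client. That cheap view is enough to see which service is generating the most round trips over the WAN; the log format and sample lines are invented here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample gateway log (invented for this example): one flow per
# line as "timestamp proto src_ip:src_port -> dst_ip:dst_port bytes".
SAMPLE_LOG = """\
2016-08-10T09:00:01 udp 10.0.0.12:51234 -> 8.8.8.8:53 78
2016-08-10T09:00:01 udp 10.0.0.12:51235 -> 8.8.8.8:53 81
2016-08-10T09:00:02 udp 10.0.0.15:40011 -> 8.8.8.8:53 74
2016-08-10T09:00:02 tcp 10.0.0.12:52001 -> 93.184.216.34:443 5120
2016-08-10T09:00:03 udp 10.0.0.17:40012 -> 8.8.8.8:53 79
2016-08-10T09:00:04 udp 10.0.0.12:51236 -> 8.8.8.8:53 77
2016-08-10T09:00:05 tcp 10.0.0.15:52002 -> 93.184.216.34:80 2048
2016-08-10T09:00:06 udp 10.0.0.17:40013 -> 8.8.8.8:53 80
2016-08-10T09:00:07 tcp 10.0.0.19:52003 -> 203.0.113.9:123 120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)

# Port-to-service names, used only to label the summary.
WELL_KNOWN = {53: "dns", 80: "http", 123: "ntp", 443: "https"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": d["ts"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "bytes": int(d["bytes"]),
        })
    return flows


def summarise_by_port(flows):
    """Flows, bytes and distinct clients per (proto, dst port), most flows
    first: a quick view of where the satellite link's round trips go."""
    count, size, clients = Counter(), Counter(), defaultdict(set)
    for f in flows:
        key = (f["proto"], f["dport"])
        count[key] += 1
        size[key] += f["bytes"]
        clients[key].add(f["src"])
    rows = []
    for key, n in count.most_common():
        proto, port = key
        rows.append({"proto": proto, "port": port,
                     "service": WELL_KNOWN.get(port, "?"),
                     "flows": n, "bytes": size[key],
                     "clients": len(clients[key])})
    return rows


def chatty_clients(flows, port, min_flows):
    """Clients with at least min_flows flows to the given destination port;
    many flows to port 53 suggest DNS lookups are crossing the WAN."""
    per_src = Counter(f["src"] for f in flows if f["dport"] == port)
    return {src: n for src, n in per_src.items() if n >= min_flows}


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for row in summarise_by_port(flows):
        print(row)
    print("chatty DNS clients:", chatty_clients(flows, 53, 3))
```

On the sample data DNS accounts for most flows but very few bytes, which is exactly the pattern that a high-latency link punishes: many small round trips. A local caching resolver would be the first thing to check before any packet capture.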

Comet-chasing Rosetta spies SWEATY prey

Andrew Commons

@AC

Of course, the urethra squared law.

2
0
Andrew Commons

Re Bootnote

Surely the rate at which a comet passes water is more properly measured in terms of the concepts expressed in this El Reg piece:

http://www.theregister.co.uk/2014/06/30/most_mammals_finish_peeing_within_21_seconds/

So instead of 'Olympic Swimming Pools' maybe 'Cats urinating per minute'?

5
0

DAMN you El Reg, CALL ME A BOFFIN, demands enraged boffin

Andrew Commons

Re: Reaching out

I always thought that was misspelt and the 'a' should have been a 't'....

1
0

Remember Control Data? The Living Computer Museum wants YOU

Andrew Commons

Re: Memories...

"I got used to programming save/restore points throughout large runs."

I got used to bribes :-D

I wonder what was more effective? I also had to read several boxes (2000 per box I think) of cards in on the high speed card mangler regularly so being on good terms with the operators when working out which bits of compacted card had been read and which ones you had to try and resurrect via duplication was important.

The human element has really gone out of modern computing :-D

0
0
Andrew Commons

Re: Port That Job!

Aaaaahhhh 60-bit registers on the Cybers.

Actually there were two sets of registers - A and X - which were 18 and 60 bits respectively (there may have been B as well which were also 18 bits, in fact I'm pretty sure of it). X for data and A for address...and there were 8 each of them. From memory, A0 was just a dumb register, A1-A5 were paired with X1-X5 and loading a value into them (A1-A5) fetched that memory location into the corresponding X register. A6 and A7 were the reverse and loading a value into them wrote the contents of X6 or X7 to memory. This resulted in quite a bit of mental gymnastics to make sure that whatever you needed to get back into memory was in one of the two registers at the right time...which is where the use of a couple of (three?) XOR operations to swap values in registers was a lifesaver.

No hardware stack of course :-)

An interesting architecture.

3
0
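The register convention the post above describes (loading A1-A5 fetches into X1-X5, loading A6-A7 stores from X6-X7, A0 does neither) and the three-XOR register swap are easy to model. The Python below is an added toy model written for this page, not code from the post, The Register or any CDC emulator, and it is not cycle-accurate; the memory contents and addresses are constructed. It also handles the one edge case of the XOR trick: swapping a register with itself zeroes it.

```python
MASK18 = (1 << 18) - 1   # A and B registers are 18 bits wide
MASK60 = (1 << 60) - 1   # X registers are 60 bits wide


class CyberRegs:
    """Toy model of the A/X register pairing described in the post."""

    def __init__(self, memory):
        self.mem = memory        # dict: 18-bit address -> 60-bit word
        self.A = [0] * 8
        self.B = [0] * 8
        self.X = [0] * 8

    def set_a(self, n, addr):
        """Loading A[n] has the side effect the post describes."""
        addr &= MASK18
        self.A[n] = addr
        if 1 <= n <= 5:                       # A1-A5: memory -> X1-X5
            self.X[n] = self.mem.get(addr, 0) & MASK60
        elif n in (6, 7):                     # A6-A7: X6/X7 -> memory
            self.mem[addr] = self.X[n] & MASK60
        # A0: plain register, no memory traffic

    def xor_swap(self, i, j):
        """Exchange X[i] and X[j] with three XORs and no temporary.
        If i == j the first XOR zeroes the register, so refuse that case."""
        if i == j:
            raise ValueError("xor swap of a register with itself zeroes it")
        self.X[i] ^= self.X[j]
        self.X[j] ^= self.X[i]
        self.X[i] ^= self.X[j]


def demo():
    """Swap two memory words: load via A1/A2, swap in X, store via A6/A7."""
    mem = {0o100: 0x123456789ABCDEF, 0o101: 0xFEDCBA987654321}   # constructed
    cpu = CyberRegs(mem)
    cpu.set_a(1, 0o100)          # X1 <- mem[0o100]
    cpu.set_a(2, 0o101)          # X2 <- mem[0o101]
    cpu.xor_swap(1, 2)
    # Only X6 and X7 can be written back, hence the shuffling the post mentions.
    cpu.X[6] = cpu.X[1]
    cpu.set_a(6, 0o100)          # mem[0o100] <- X6
    cpu.X[7] = cpu.X[2]
    cpu.set_a(7, 0o101)          # mem[0o101] <- X7
    return dict(mem)


if __name__ == "__main__":
    for addr, word in sorted(demo().items()):
        print(f"{addr:o}: {word:015x}")
```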
Andrew Commons

Re: I'm a museum piece, myself

The Cyber series were rather fun, there was a mean Startrek game on them (or at least the ones I got to play with) and an animated Snoopy that alternated between the circular main console displays. Inside they were a birds-nest of wires.

1
0

The ULTIMATE space geek accessory: Apollo 15's joystick up for sale

Andrew Commons

Because they did.

0
0

550 reasons to buy this book for your beloved: COCKROACHES of Oz

Andrew Commons

Re: Cockroach anecdote

@Anonymous IV

Google "willy cockroach".

Writers seem to be fascinated by the idea.

0
0
Andrew Commons

Re: Cockroaches aren't poisonous, right?

Well that's only one per 14,476 square km - they do need a lot of space.

0
0

McAfee accused of McSlurping Open Source Vulnerability Database

Andrew Commons

If you read the OSVDB blog post.....

McAfee made 2,219 requests over about 3 days. This is from their web logs. Using Fiddler it looks like a single search request on vulnerability Id would produce 1 entry in the osvdb.org web logs so assume that represents the number of vulnerabilities that were looked up over 3 days...that's 2% of the database of 105,316 vulnerabilities.

I would say that that is probably automated so would breach these terms:

4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.

But it doesn't look like an attempt to grab the database.

McSlurp or McBeatUp with sour grapes as a side?

1
0
Andrew Commons

Re: Data quality?

@big_D

Possibly....but a real vulnerability reported in 1902 would be worth searching the database for...but the only way of finding it seems to be starting at 1, then 2, then.... A vulnerability discovered in the Dalton Adding Machine would rewrite computer security history!

2
0
Andrew Commons

Data quality?

From the OSVDB home page:

The project currently covers 105,316 vulnerabilities, spanning 123,155 products from 4,735 researchers, over 112 years.

The vulnerability with Id of 1 is dated 1998-12-25, presumably the 112 years comes from the date of another vulnerability...any idea which one?

1
0

The verdict is in: Samsung to pay Apple $120m chump change, but gets tiny rebate

Andrew Commons

Re: Where would we be if....

Maybe you should read some more:

http://www.nytimes.com/1989/12/20/business/xerox-vs-apple-standard-dashboard-is-at-issue.html?src=pm

Apple licensed the mouse.

5
3
Andrew Commons

Where would we be if....

Xerox PARC patented stuff?

Or maybe they did and just let it slide.

Anyone know?

6
1

A real pot-boiler kicks off Reg man's quid-a-day nosh challenge

Andrew Commons

The problem with the free food angle...

Is that there is probably a far better way of addressing the problem.

Two slices of bread with a bit of egg squashed between them will retail for between 1.50 and 2.00 quid/euros according to a bit of Google.

A loaf of bread, a dozen eggs, and thou beside me in the wilderness to get the punters to stop should double the value in a morning....by the end of the week you have started a franchise and world poverty is something you are talking to Gates and Bono about.

0
0
