* Posts by Andrew Commons

93 posts • joined 22 Dec 2007

The Internet Society is unhappy about security – pretty much all of it

Andrew Commons

Re: There was never an era where all hats were white

My hair is very white :-)

My comment is based on the lack of success seen in all 'secure coding' initiatives. We see this every month.

While we are obsessed with shiny it will never change.

2
0
Andrew Commons

Security is rubbish

Absolutely. Serious efforts by major organisations have clearly shown that with current technology it will remain so.

Abandon all shiny things and go back to simplicity. We may actually have a chance of improving things, after we have ditched all the 20th century technology we rely on that was built for an era where hats were all White.

7
0

Men overboard! US Navy spills data on 134k sailors

Andrew Commons

Re: Full Disclosure?

Leaks involving seamen are invariably bad news.

8
0

Obama awards honours to Grace Hopper, Margaret Hamilton for computing contributions

Andrew Commons

Maybe you should read this:

https://www.nasa.gov/feature/margaret-hamilton-apollo-software-engineer-awarded-presidential-medal-of-freedom

0
0

The sharks of AI will attack expensive and scarce workers faster than they eat drivers

Andrew Commons

Two points.

First, this relies on the Internet which can be taken away at any time because the technology it is built on is not up to the job. The temptation/motivation to take it away will only be increased by this sort of shift. You would have to be mad....oh.

Second, you can always change the economics...don't pay them as much!

5
0

Silicon Valley's oligarchs got a punch in the head – and that's actually good thing

Andrew Commons

Re: Question?

However they do have other parties and even if they do not rate as credible they probably sucked up enough votes to impact the outcome of this election.

3
1

Adobe Australia drops SaaS tax dodge

Andrew Commons

Laughing all the way to the Bank

I assume the 10% will be added to the purchase price and so will increase the currency conversion charge applied by the Bank/Credit Card handling the transaction....and appear on the Bank's bottom line.

Nice work if you can get it!

3
0

Uncle Sam emits DNS email security guide – now speak your brains

Andrew Commons

The goal of this project is to help organizations

Consumers are still left out in the cold. Until such time as we see end-to-end measures widespread at the consumer level, email will still be the playground of the criminals.

2
0

Run a JSON file through multiple parsers and you'll get different results every time

Andrew Commons

Re: The Golden Ant

Mythology maybe...Jason and the Golden...

1
0
Andrew Commons

Re: it's just an arbitrary string after all...

More likely to be a very carefully chosen string, particularly when the parser has been identified and its parsing quirks are known.

Quite a large number of the parsers tested supposedly parsed input they should have rejected. That would be an interesting path to explore if you wanted to inject invalid data into an application.

5
1
Andrew Commons

Welcome to the Internet

Tools such as Nmap rely on implementation differences to fingerprint end points. These implementation differences are invariably fuelled by sloppy specifications - aka RFCs - that use the terminology of RFC2219 (and all too frequently RFC6919) to specify the technology we rely on.

These should be reduced to MUST and MUST NOT before things get any better and even that is probably not going to be sufficient.

I assume tools like nmap will jump on this :-)

10
2

Cloudflare ordered by judge to help unmask two website owners

Andrew Commons

Who Is....

The WhoIs information for the sites leads to WhoIs Privacy Corp domiciled in the Bahamas.

Their web site claims it will protect your identity as the owner of a domain and only reveal it under specific circumstances. These include "To comply with a subpoena or other legal process served upon us."

I would assume that Elsevier drew a blank here as well if they are now going after Cloudflare.

It is not at all surprising that the domain registration process allows this to happen.

3
0

IBM throws ISP under a bus for Australia's #Censusfail

Andrew Commons

Data security?

I pointed out that the Canadian owned (at the time) NextGen were in the picture in a response to this post:

http://www.theregister.co.uk/2016/08/07/it_analyst_oz_census_data_processed_as_plain_text/

The SSL/TLS connections terminated on their network. They potentially had access to all the responses on their network.

So we have at least two foreign powers having access to the data submitted online.

7
0

Australia's new data breach disclosure laws have a rather floppy definition of 'breach'

Andrew Commons

Being distressed is not sufficient.

"Though individuals may be distressed or otherwise upset at an unauthorised access to or unauthorised disclosure or loss of their personal information, this would not itself be sufficient to require notification unless a reasonable person in the entity’s position would consider that the likely consequences for those individuals would constitute a form of serious harm."

Consider a series of breaches where each one releases some information about an individual; none of these is considered serious enough to report in isolation, but taken together they provide enough information to create the risk of 'serious harm'.

They all need to be reported.

The concept of 'notification fatigue' also seems to imply that a large number of breaches are expected to be taking place which increases the aggregate risk issue.

4
0

You've been hacked. What are you liable for?

Andrew Commons

A bit hard on HR..

Disclaimer: I have no HR affiliations.

"and HR and sales departments are the most often hacked because they are the least computer security aware"

HR is also at the pointy end when it comes to receiving legitimate unsolicited emails so they have to be far more aware than the average employee. Fake resumes and expressions of interest are very common vectors for phishing. So this is actually a bit harsh.

4
0

Email security: We CAN fix the tech, but what about the humans?

Andrew Commons

Re: S/Mime

Actually not much will break and if you adopt soft fails initially then this will be further reduced.

Anything and everything on the Internet can be compromised. It's really about building a framework that supports defence in depth and therefore requires multiple compromises to subvert.

Still possible but at some point the effort required and the reduced returns will start to have an effect.

It's all about doing something rather than passively accepting it all. And the tools are there right now.

0
0
Andrew Commons

S/Mime

All companies/corporations must digitally sign their outgoing email. A number (increasing number?) of email clients can handle this. This provides end-to-end integrity and assurance of origin.

Additionally, clients need to be able to perform SPF/DKIM checks rather than hoping (in vain) that the ISP's MTA has done this. Companies then need to implement SPF/DKIM for ALL their domains, which many companies don't do.

This will make it harder to impersonate legitimate emails but still requires an informed user and appropriate client software support. All the standards already exist and are used to some extent.

0
0

Redback sinks fangs into Aussie's todger AGAIN... second time in five months

Andrew Commons

Black Widow?

I don't think the image is a red back.

2
0

Cosmology is safe and the Universe is one giant version of the Barbican

Andrew Commons

Just go half way?

"...come back around on yourself?"

If I compare images looking North and looking South should I be able to see the front and back of the same distant galaxies if the sphere analogy is valid?

0
0

Apple seeks patent for paper bag - you read that right, a paper bag

Andrew Commons

Re: origami gusset - was Thought for the day

Fabulous. Thank you :-)

3
0
Andrew Commons

Re: Thought for the day

Google

origami gusset

Maybe they will get prior art issues?

1
0
Andrew Commons

On a roll......

"Does "post-consumer" mean it's made of people?"

No, it means it's full of shit.

49
0

National Cyber Security Centre to shift UK to 'active' defence

Andrew Commons

Re: Active Defence?

Well if every nation starts to shoot back, which seems to be the way it is going, that may be the end result.

3
0

Fifty bills for new Oz parliament, nothing much for tech

Andrew Commons

The Word document I assume you are referring to only lists "proposed" legislation so still some doubt. The link to the Current House Bills List found on this page (http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation) is currently blank.

Look forward to the update. This is long overdue.

0
0
Andrew Commons

The horse's mouth?

Maybe the Register could approach Alastair MacGibbon to see where data breach notifications fit in his priorities.

2
0

Our pacemakers are totally secure, says short-sold St Jude

Andrew Commons

Re: Two points

http://www.ebay.com/bhp/medtronic-pacemaker

0
0
Andrew Commons

Faraday cage?

"Once the device is implanted into a patient, wireless communication has an approximate 7-foot range."

Regardless of the sensitivity of the receiver or the strength of the transmitter used by the attacker?

8
0

Hilton hotels' email so much like phishing it fooled its own techies

Andrew Commons

Situation normal then

I get an email every year from a large Australian Domain Registrar asking me to go and verify my contact details.

The ONLY part of the email that actually relates to said registrar is the branding. Everything behind it - including the link behind the text link to 'www.registrar.com' - is not related to the registrar. This includes the email headers. It's all through the mass mailer they have outsourced the job to.

My attempts to talk to them about this lead me to believe that it is legitimate but everything about it screams BEWARE. They see nothing wrong with it.

8
0

Your colleagues will lie to you: An enterprise architect's life

Andrew Commons

Re: And the elephant in the room is...

:-) Up vote.

But seriously...I have seen enough instances where something critical in the enterprise is no longer supported and no one started working on it early enough to put it into forward planning to see this as a real failing in many organisations.

El Reg has an example in this very recent story:

http://www.theregister.co.uk/2016/08/09/metropolitan_police_missed_xp_migration_deadline/

1
1
Andrew Commons

And the elephant in the room is...

Lifecycle management.

Of course if you are a consultant you don't live with the consequences of not having it, well and truly out the door before it all comes apart.

5
0

Networking wonks say lousy planning, not DDOS, caused #Censusfail

Andrew Commons

Timeline

The ABC has a timeline in this story:

http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

See brief extract below. Note the line that reads "Fire walls kick in". Where were they before that time? Was this an optional extra?

Intelligence agency called in

August 9, 2016

11:55am

The incident is reported to the Government's Australian Signals Directorate to seek any advice on prevention of further incidents or any intelligence-related threat.

Fire walls kick in

August 9, 2016

4:58pm

Another modest increase in traffic is automatically defended by network fire walls. "Additional measures" are taken to prevent further attempts of this type.

2
0

'Alien megastructure' Tabby's Star: Light is definitely dimming

Andrew Commons

A plain old peculiar

Peculiar variables exist and are documented.

See for example: http://www.starman.co.uk/variables/types/peculiar/pecstars.htm

Do we need to get more complicated than this?

1
5

IT analyst: Oz census data processed as plain text

Andrew Commons

Softlayer

This should be considered in this context?

http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

1
0
Andrew Commons

More than IBM?

Actually census.abs.gov.au resolves to two IP addresses managed by a Canadian owned company (Nextgen Networks) that does not do web hosting. They do provide connections to Cloud services like AWS...so who else has access to the census data?

0
0

BlackBerry DTEK 50: How badly do you want a secure Android?

Andrew Commons

Re: Fingerprint Snesor ? WTF!!!!

"Also unlike a password, it's _very_ hard to keep your fingerprints a secret as you literally leave them on everything you touch."

And they can be photographed from a distance - I think CCC did that to a German government minister at a press conference not so long ago.

0
0

The Australian Bureau of Statistics has made a hash of the census

Andrew Commons

What is being missed....

Is where the data is going to be as it is collected.

The FQDN census.abs.gov.au resolves to 150.207.169.5 and 150.207.169.8. These are allocated to an ASN apparently assigned to IBM but used by Nextgen Group who provide network and data centre services and, far more interestingly, connection of networks to cloud services. They do not appear to offer hosting and are 70% Canadian owned.

So if you are the ABS and want to collect information from every Australian household in the space of 24 hours (or probably less really) with pretty much a zero tolerance to failure are you likely to have that capability in house? On standby for use once every four years?

If not, then where could you find that short term capability?

It would be a nice raw data set to grab if you were a foreign government.

4
0

Kaspersky so very sorry after suggesting its antivirus will get you laid

Andrew Commons

Shaggy dog story...

Surely a reference to a 'root kit' can be worked into this?

5
0

It's time for a discussion about malvertising

Andrew Commons

A discussion has already occurred

On May 15 2014, according to a US Senate investigation, the current state of online advertising endangers the security and privacy of users. You can get the report via this page:

http://www.hsgac.senate.gov/hearings/online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy

It highlights the problems with the ad networks and the degree to which they are being abused. Unfortunately not much more seems to have come of it.

I have been confronted with an alert from a news web site demanding I turn off my ad blocker along with an alert from my AV software saying it blocked malicious content far too many times to consider dropping my shields.

My solution is to visit diverse news outlets that are reasonably trustworthy along with reliable free sites. In general the free sites are far better quality and actually contain news rather than click bait dressed up as news.

13
0

Osram's Lightify smart bulbs blow a security fuse – isn't anything code audited anymore?

Andrew Commons

Re: Why is it

"Also, security is not done well on PCs"

No.. should read "security is not done well".

Our (well some people's) unthinking desire to embrace new and shiny far outstrips our ability to understand and secure it.

This includes collateral damage as well as direct consequences.

7
0

IoT puts assembly language back on the charts

Andrew Commons

Re: Are there chips with no development support?

An old friend of mine refers to C as the "gentleman's assembler".

There are games you can play in assembler, such as manually overlaying use-once initialisation code and read/write storage such as I/O buffers, that I'm not sure you can play with compiled languages. If you are really memory constrained you grab at every straw :-)

0
0

Purloined password re-use checker pees in the security soup

Andrew Commons

Re: Once again, it's less of a risk to use a password manager ...

When PINs became unavoidable on credit/debit cards on this big island I reduced said cards to a minimal set where I could remember the PINs. While I was cancelling a card, in a Bank, the young person handling the transaction asked why I was doing this. I explained. They recommended that I use the same PIN on all my cards...it worked for them.

No amount of education seems to change this and the transactional middlemen - both black and white(ish) - do nothing to discourage it because they are making a killing.

1
0
Andrew Commons

It's an obvious attack

I would assume that any 'miscreant' worth their salt was on to this long ago.

2
0

Behold the ROBOT RECTUM... medics' relief

Andrew Commons

Re: Probeur

Can you imagine some of the code?

class Finger extends Anus implements Surprise{}

What would be an appropriate language for this? Squeak perhaps? Regardless it would have to be Tworing complete!

0
0

Oz doctors develop surgical robot designed to operate on your wallet

Andrew Commons

Not unexpected

To quote from the Australian AMA web site: "The AMA has adopted the World Medical Association's (WMA) Declaration of Geneva as a contemporary companion to the 2,500-year-old Hippocratic Oath for doctors to declare their commitment to their profession, their patients, and humanity."

This declaration appears to avoid these statements in the Hippocratic Oath (source Wikipedia):

"I will apply, for the benefit of the sick, all measures which are required, avoiding those twin traps of overtreatment and therapeutic nihilism."

"I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person's family and economic stability. My responsibility includes these related problems, if I am to care adequately for the sick."

So nothing surprising here then.

2
0

Malware scan stalled misconfigured med software, mid-procedure

Andrew Commons

Re: Why?

A low priority process can bring a system to its knees by getting a lock on a resource that is required by other processes and not letting go of it because it's low priority and not given much processor time.

While there are ways to reduce the impact making it go away completely is non-trivial, as is this problem.

0
0
Andrew Commons

Re: Been there, seen that

I imagine patching and rebooting would also have been problematic as well.

The issue here isn't the AV software as such, it is the blind adherence to its use in an incompatible environment.

There are other ways to mitigate the risks, such as isolation and tight network controls, so it's all solvable.

1
0
Andrew Commons

Re: Medico's expertise

"The surgeon is ipso facto likely to be the smartest person around and therefore probably the one who knows most about ..."

Most of these people are very specialised and know a lot about a fairly limited problem space. Dentists know how to make a fortune out of 32 teeth but I would not bet on them knowing what to do when the lid comes off the computer, or when the bonnet of a modern car is lifted (which is pretty much the same thing nowadays).

They are highly specialised, this does not equate to smart. For example, New Zealander Nigel Richards is the current (I think) French Scrabble champion, he does not speak French (see http://www.theguardian.com/lifeandstyle/2015/jul/21/new-french-scrabble-champion-nigel-richards-doesnt-speak-french ) but he does have a very good memory and really knows how to play scrabble. Many of the med students I knew going through Uni reckoned that all you needed for medicine was the ability to memorise a telephone directory :-)

6
0

You can always rely on the Ancient Ones to cock things up

Andrew Commons

Re: Ah yes....

"we had to get it out of its crate before we could move it further"

Yup...and then you get to the goods lift. Remove all packaging before it stands any chance of getting into it. Press the button for the desired floor, squeeze the bugger into the empty lift ignoring all the alarms and then pray that the doors open on the right floor :-)

Miniaturisation has taken a lot of the excitement out of technology.

3
0
Andrew Commons

Re: Ah yes....

"but I heard that her bottom wasn't really worth looking at"

You are obviously far more discriminating than I am. It took four burly wharfies to get her back up again, it was quite some bottom :-)

3
0
Andrew Commons

Re: Ah yes....

Well, if you were part of the flying squad you may have been there when the 'first in the country' VAX 8600 fell over ... physically.

It's not often you get to see the underside of one of those things. :-D

5
0