* Posts by Andrew Commons

33 posts • joined 22 Dec 2007

Delaware pair nabbed for getting saucy atop Mexican eatery

Andrew Commons

Re: Why?

So they can use the headlines of course.


Help us out readers: How would you sniff and store network traffic?

Andrew Commons

Start simple

"the Learning Centre's WLAN and satellite WAN are both slow"

Latency will be the killer for the satellite WAN and some of this may be reflected in the local WLAN performance if 'local' requests are making it out of the local environment. DNS would be one candidate I guess.

So start by understanding what traffic is going through the satellite gateway. No need to sniff the traffic yet; just get connection logs, if possible from the device itself. This should give you a good idea of what is going on with just src/dest IP and ports.

How you do this will depend on the capabilities of the gateway. Best case is very careful use of remote administration access or using the VNC capabilities to get internal administration access; otherwise you are facing big-time latency: a two-day round-trip.

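The triage the post above describes (connection logs first, packet capture later) is easy to script once the gateway can export one row per flow. The following is an added example, not code from the original page or from the commenter; the CSV layout, the sample rows, the resolver addresses and the function names are all assumptions made for illustration. It groups flows by service, lists DNS lookups that leave for external resolvers (each of which pays a full satellite round trip before the real request even starts), and lists flows to RFC 1918 destinations that should never have reached the WAN gateway at all, which is the "local requests making it out" case the post suspects.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a gateway connection log (not real data). Many SOHO and
# satellite routers can export something like this: one row per flow.
SAMPLE_CONN_LOG = """\
time,src,dst,proto,dport,bytes
2014-07-01T08:00:01,10.0.0.21,8.8.8.8,udp,53,120
2014-07-01T08:00:01,10.0.0.21,203.0.113.80,tcp,443,48211
2014-07-01T08:00:02,10.0.0.22,8.8.8.8,udp,53,118
2014-07-01T08:00:02,10.0.0.22,8.8.4.4,udp,53,131
2014-07-01T08:00:03,10.0.0.23,10.0.0.5,tcp,445,90210
2014-07-01T08:00:04,10.0.0.23,8.8.8.8,udp,53,117
2014-07-01T08:00:05,10.0.0.24,198.51.100.9,tcp,80,220340
2014-07-01T08:00:06,10.0.0.25,8.8.8.8,udp,53,122
2014-07-01T08:00:07,10.0.0.25,203.0.113.80,tcp,443,3310
"""

# RFC 1918 ranges listed explicitly: traffic to these should stay on the LAN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_flows(text):
    """Parse the CSV export into dicts with real IP address objects."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "time": row["time"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "proto": row["proto"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def by_service(flows):
    """Flow count and total bytes per (proto, dport), most flows first."""
    count, total = Counter(), Counter()
    for f in flows:
        key = (f["proto"], f["dport"])
        count[key] += 1
        total[key] += f["bytes"]
    return [(key, count[key], total[key]) for key, _ in count.most_common()]


def misrouted_local(flows):
    """Flows to RFC 1918 destinations that nevertheless crossed the WAN gateway."""
    return [f for f in flows if any(f["dst"] in net for net in RFC1918)]


def dns_to_external_resolvers(flows, local_resolvers=()):
    """Port-53 flows to any resolver other than the ones given as local."""
    local = {ipaddress.ip_address(a) for a in local_resolvers}
    return [f for f in flows if f["dport"] == 53 and f["dst"] not in local]


if __name__ == "__main__":
    flows = load_flows(SAMPLE_CONN_LOG)
    for (proto, port), n, nbytes in by_service(flows):
        print(f"{proto}/{port:<5} flows={n:<3} bytes={nbytes}")
    # 10.0.0.1 is an assumed on-site caching resolver.
    ext = dns_to_external_resolvers(flows, ("10.0.0.1",))
    print(f"DNS lookups leaving via the satellite link: {len(ext)}")
    for f in misrouted_local(flows):
        print(f"LAN-bound flow seen at gateway: {f['src']} -> {f['dst']}:{f['dport']}")
```

If the DNS count dominates the service table, a local caching resolver is the cheap fix to try before any packet capture; LAN-bound flows appearing at the gateway point at a routing or subnet mask problem on the clients rather than at the WAN itself.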

Comet-chasing Rosetta spies SWEATY prey

Andrew Commons

@AC

Of course, the urethra squared law.

Andrew Commons

Re Bootnote

Surely the rate at which a comet passes water is more properly measured in terms of the concepts expressed in this El Reg piece:

http://www.theregister.co.uk/2014/06/30/most_mammals_finish_peeing_within_21_seconds/

So instead of 'Olympic Swimming Pools' maybe 'Cats urinating per minute'?


DAMN you El Reg, CALL ME A BOFFIN, demands enraged boffin

Andrew Commons

Re: Reaching out

I always thought that was misspelt and the 'a' should have been a 't'....


Remember Control Data? The Living Computer Museum wants YOU

Andrew Commons

Re: Memories...

"I got used to programming save/restore points throughout large runs."

I got used to bribes :-D

I wonder what was more effective? I also had to read several boxes (2000 per box I think) of cards in on the high-speed card mangler regularly, so being on good terms with the operators when working out which bits of compacted card had been read and which ones you had to try and resurrect via duplication was important.

The human element has really gone out of modern computing :-D

Andrew Commons

Re: Port That Job!

Aaaaahhhh 60-bit registers on the Cybers.

Actually there were two sets of registers - A and X - which were 18 and 60 bits respectively (there may have been B as well, which were also 18 bits; in fact I'm pretty sure of it). X for data and A for address...and there were 8 of each. From memory, A0 was just a dumb register, A1-A5 were paired with X1-X5 and loading a value into them (A1-A5) fetched that memory location into the corresponding X register. A6 and A7 were the reverse, and loading a value into them wrote the contents of X6 or X7 to memory. This resulted in quite a bit of mental gymnastics to make sure that whatever you needed to get back into memory was in one of the two registers at the right time...which is where the use of a couple of (three?) XOR operations to swap values in registers was a lifesaver.

No hardware stack of course :-)

An interesting architecture.

Andrew Commons

Re: I'm a museum piece, myself

The Cyber series were rather fun, there was a mean Startrek game on them (or at least the ones I got to play with) and an animated Snoopy that alternated between the circular main console displays. Inside they were a birds-nest of wires.


The ULTIMATE space geek accessory: Apollo 15's joystick up for sale

Andrew Commons

Because they did.


550 reasons to buy this book for your beloved: COCKROACHES of Oz

Andrew Commons

Re: Cockroach anecdote

@Anonymous IV

Google "willy cockroach".

Writers seem to be fascinated by the idea.

Andrew Commons

Re: Cockroaches aren't poisonous, right?

Well that's only one per 14,476 square kms - they do need a lot of space.


McAfee accused of McSlurping Open Source Vulnerability Database

Andrew Commons

If you read the OSVDB blog post.....

McAfee made 2,219 requests over about 3 days. This is from their web logs. Using Fiddler it looks like a single search request on vulnerability ID would produce 1 entry in the osvdb.org web logs, so assume that represents the number of vulnerabilities that were looked up over 3 days...that's 2% of the database of 105,316 vulnerabilities.

I would say that that is probably automated so would breach these terms:

4. Obtaining data from this website in a programmatic fashion (e.g. scraping via enumeration, web robot, crawler, etc) is prohibited. Such activity is likely to trigger security software that will permanently block your IP from accessing the site.

But it doesn't look like an attempt to grab the database.

McSlurp or McBeatUp with sour grapes as a side?

Andrew Commons

Re: Data quality?

@big_D

Possibly....but a real vulnerability reported in 1902 would be worth searching the database for...but the only way of finding it seems to be starting at 1, then 2, then.... A vulnerability discovered in the Dalton Adding Machine would rewrite computer security history!

Andrew Commons

Data quality?

From the OSVDB home page:

The project currently covers 105,316 vulnerabilities, spanning 123,155 products from 4,735 researchers, over 112 years.

The vulnerability with Id of 1 is dated 1998-12-25, presumably the 112 years comes from the date of another vulnerability...any idea which one?


The verdict is in: Samsung to pay Apple $120m chump change, but gets tiny rebate

Andrew Commons

Re: Where would we be if....

Maybe you should read some more:

http://www.nytimes.com/1989/12/20/business/xerox-vs-apple-standard-dashboard-is-at-issue.html?src=pm

Apple licensed the mouse.

Andrew Commons

Where would we be if....

Xerox PARC patented stuff?

Or maybe they did and just let it slide.

Anyone know?


A real pot-boiler kicks off Reg man's quid-a-day nosh challenge

Andrew Commons

The problem with the free food angle...

Is that there is probably a far better way of addressing the problem.

Two slices of bread with a bit of egg squashed between them will retail for between 1.50 and 2.00 quid/euros according to a bit of Google.

A loaf of bread, a dozen eggs, and thou beside me in the wilderness to get the punters to stop should double the value in a morning....by the end of the week you have started a franchise and world poverty is something you are talking to Gates and Bono about.

Andrew Commons

Re: Try harder!

I've had nettles served as a component of a soup in an expensive noshery, I've actually picked the nettles used. It's not a 'Wow' experience, more novelty, but not at all unpleasant.

Fruit from trees on private land was fair game when I was a young lad...the practice was called 'scrumping'.

Shellfish are a great resource if you have access to someone who actually knows what isn't going to kill you. Collecting them helps pass the time between snacks as well.

Mushrooms were a part of my diet in the 50's and 60's, collected on the vast grass expanses of airfields.

Andrew Commons

Re: The rotters at work

I'm not sure what the price of beer in the UK is anymore but I imagine that 5 quid for a pint of really good beer would not be unheard of.

Now make it last a week.

Andrew Commons

Try harder!

Have a look at this:

http://www.bbc.com/news/business-22263706

And check out Jack Monroe in the Guardian.

You can also look for road kill while collecting the wood and maybe throw bits of wood at the wild life - something that used to be quite effective once upon a time here in the realm of Vulture South :-)

cheers

Andrew


Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

Andrew Commons

There are a lot of comments here...

...so this may have been covered already. Apologies if it has.

Some poor guy is now being pilloried as being responsible for this because he 'committed' it. The real culprit is the QA process that led up to that commit. Name them.

That's all.


Ethical hacker backer hacked, warns of email ransack

Andrew Commons

Ethical Hacking <> Any Idea of Governance

Amusing.

They may be certified to hack you but they have no $%$^ idea how to protect you.

Cloud comes with a whole range of risks that are very difficult to address. They obviously did not employ their own 'skills' on their own Cloud provider.

Or maybe they did...which gives you a lot of confidence in their 'certified' graduates.


A potted history of cloud computing

Andrew Commons

Re: What about financial security/

MegaUpload - Kim DotCom - if I have the references correct.

You should have no confidence if it is 'freemium' and limited confidence otherwise. They can be located anywhere and you probably don't have the $$$$'s to chase them if they decide to dump you.

Andrew Commons

@boltar Re: Oh the security....

The resources required are in this case related to the effort dedicated to governance. This doesn't really correlate with the complexity of individual systems but will be correlated with the complexity of the systems run across the organisation and the impact of a compromise of those systems.

Looking at it from a different perspective, Email may be (relatively) simple (ever configured sendmail?) but the contents of email will be very sensitive. This warrants a high level of governance.

So the simplicity of the technology is trumped by the sensitivity of the information it maintains.

Andrew Commons

@Mike Pellat Re: Oh the security....

It comes down to whose contract is being executed. If it is the service provider's then what you say is very true. If, on the other hand, it is your contract in your jurisdiction then you may have a leg to stand on. But if it is a big provider you are probably signing their contract.

Andrew Commons

Oh the security....

"Some mission-critical enterprise apps will not lend themselves to cloudification and security concerns for some will trump cost considerations. But why would you not use cloud versions of software such as CRM, email, billing and office apps?"

This is all from a very jaundiced security perspective, and it is only scratching the surface.

Due Diligence.

A good starting point is probably ISO27K certification to verify that the controls are documented and then SOC1 and SOC2 certification to verify that the controls are being operated effectively. Map this to a not uncommon scenario where the 'service provider' you are dealing with is using compute infrastructure from a second party who is, in turn, using physical facilities from a third party. The physical guys may have heard about SOC1 and may well have ongoing certification because it's good for business, the layer up may have heard of ISO27K and are likely to be getting certification 'any time now' but a SOC2 will bring a wrinkle to their brow. The organisation that your business wants to deal with is looking at you blankly on all fronts.

Stop that or you will go blind.

Are you getting on top of your network/system/application/user/admin/.... monitoring? Have a SIEM and starting to get some value out of it? Factored that into your Cloud solution? So you have events arriving via syslog or you are polling using WMI to get a view of your assets that is comparable to that which you get with on-premise solutions? Dream on.

Dependence on exposed services.

Calling web services or doing other fancy stuff with DNS resolution on public DNS servers? Are you factoring in the risk of these services being compromised? The more entangled you get from an infrastructure perspective with your cloud service provider the greater the likelihood that you will have to start looking at these issues.

Human resources.

Disgruntled employees. Is it a concern for you within your organisation? How do you deal with them? How do all the potential organisations in your supply chain deal with them (see Due Diligence)?

Procurement.

There are some interesting challenges here. Is the cloud provider signing a contract with you or are you signing a contract with them? If the latter then you are going to have very little control. The whole due diligence here will also be way beyond your procurement folk and concepts like data sovereignty are going to take a lot of explaining. If you are also moving into an environment where data breaches can attract serious penalties (like here in the land of Vulture South) then you have to try and factor that into the contractual arrangements.

Contract Management.

So you have a contract. Fabulous. Has anyone seriously seen all the clauses in the contract managed and enforced? Have you estimated how much effort that will take given that you have lost visibility of a lot of things that are important?

Conclusions...

"CRM, email, billing and office apps". These are all probably significant if you have data breach legislation.

Is it really worth the effort?


Malware-flinging Linksys vulnerability confirmed as a HNAP1 bug

Andrew Commons

Since June last year

I have seen GET /HNAP1/ HTTP/1.1 requests dropped at my (personal) edge servers. It ramped up in December last year.

So it has been known for quite a while?

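Two of the threads above turn on questions that ordinary web access logs can answer: whether a client is walking through OSVDB IDs programmatically (the "scraping via enumeration" clause quoted in the McAfee comments) and how often, and since when, GET /HNAP1/ probes arrive at an edge server. The following is an added example, not code from the original page, from OSVDB or from the commenter. The log lines are constructed, the /show/osvdb/<id> path layout, the thresholds and the function names are assumptions, and the sequential-step heuristic is one simple detector among many, not whatever OSVDB's own "security software" actually did.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed combined-format access log lines (not real log data).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2014:10:00:01 +0000] "GET /show/osvdb/100 HTTP/1.1" 200 5123 "-" "curl/7.30"
203.0.113.10 - - [12/May/2014:10:00:02 +0000] "GET /show/osvdb/101 HTTP/1.1" 200 4811 "-" "curl/7.30"
203.0.113.10 - - [12/May/2014:10:00:03 +0000] "GET /show/osvdb/102 HTTP/1.1" 200 4901 "-" "curl/7.30"
203.0.113.10 - - [12/May/2014:10:00:04 +0000] "GET /show/osvdb/103 HTTP/1.1" 200 5010 "-" "curl/7.30"
203.0.113.10 - - [12/May/2014:10:00:05 +0000] "GET /show/osvdb/104 HTTP/1.1" 200 5077 "-" "curl/7.30"
198.51.100.7 - - [12/May/2014:10:05:00 +0000] "GET /show/osvdb/61234 HTTP/1.1" 200 6012 "http://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [12/May/2014:10:09:12 +0000] "GET /show/osvdb/3377 HTTP/1.1" 200 5560 "http://www.google.com/" "Mozilla/5.0"
192.0.2.44 - - [03/Jun/2013:02:11:09 +0000] "GET /HNAP1/ HTTP/1.1" 404 209 "-" "-"
192.0.2.45 - - [15/Dec/2013:22:40:51 +0000] "GET /HNAP1/ HTTP/1.1" 404 209 "-" "-"
192.0.2.46 - - [16/Dec/2013:23:01:17 +0000] "GET /HNAP1/ HTTP/1.1" 404 209 "-" "-"
192.0.2.47 - - [17/Dec/2013:01:13:44 +0000] "POST /HNAP1/ HTTP/1.1" 404 209 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed URL layout for a per-vulnerability page.
ID_RE = re.compile(r"^/show/osvdb/(\d+)$")


def parse_log(text):
    """Yield (ip, datetime, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the combined format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield (m.group("ip"), ts, m.group("method"), m.group("path"),
               int(m.group("status")))


def enumeration_suspects(records, min_requests=4, step_ratio=0.8):
    """Return {ip: ratio} for clients whose ID requests walk sequentially.

    ratio is the share of successive requests whose ID is exactly the previous
    ID + 1. A person following search results almost never produces that;
    a for-loop over IDs always does.
    """
    ids_by_ip = defaultdict(list)
    for ip, ts, method, path, status in sorted(records, key=lambda r: r[1]):
        m = ID_RE.match(path)
        if m:
            ids_by_ip[ip].append(int(m.group(1)))
    suspects = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_requests:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= step_ratio:
            suspects[ip] = ratio
    return suspects


def hnap_probes_by_month(records):
    """Count requests for /HNAP1/ (any method) per calendar month."""
    counts = Counter()
    for ip, ts, method, path, status in records:
        if path.rstrip("/").upper() == "/HNAP1":
            counts[ts.strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print("sequential-ID enumerators:", enumeration_suspects(recs))
    print("/HNAP1/ probes by month:", hnap_probes_by_month(recs))
```

The step-ratio detector is deliberately insensitive to request volume: 2,219 lookups in three days is consistent with either a person or a script, but a client whose IDs increase by one on almost every request is a script whatever its total. The month histogram is how the "ramped up in December" observation above is reproduced from a server's own logs rather than from memory.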

Devs angrily dismiss Absolute Computrace rootkit accusation

Andrew Commons

Do you ever really know what you are buying?

I found out about the embedded Computrace application late last year. I checked up on one vendor and found that they didn't hide the fact that this was part of their package, they just didn't broadcast it.

Haven't read the small print, but this should be in the large print on any product that you are purchasing. It falls right into the sort of embedded capability that the Snowden leaks revealed and really begs the question as to who is funding this.

Would be really interesting to see an analysis of what it can potentially do.


The Sons of Khan and the Pascal Spring

Andrew Commons

Your slip is showing...

Well your age anyway :-)


Laptop facial recognition defeated by Photoshop

Andrew Commons

No progress then....

The German magazine c't demonstrated the same thing in 2002 (an English translation of the report is not hard to find with Google).


Memo to Microsoft: Enough with the SKUed Windows

Andrew Commons

Money, Money, Money!

The price of software is based on what the market will bear. Different segments of the market will bear different prices - e.g. consumer -v- corporate - and have different buying patterns - e.g. single unit -v- volume.

Problem: How to extract maximum revenue across the entire market?

Answer: Pitch different 'versions' with different prices at each identified segment of the market with careful feature selection to minimise uptake of lower priced versions in segments targeted for higher priced versions.


What if computers went back to the '70s too?

Andrew Commons

@Chris

"... the most CISC ever..."

Actually the VAXen were microprogrammed beasts and at the core you had a RISC processor. You could, at one time, buy some software from DEC to roll your own microcode. So instead of having all these macros in RISC assembler to perform common operations they just appeared as part of the micro-coded instruction set.


Sequence diagramming that's fit for purpose

Andrew Commons

Are they fit for any purpose?

A sequence diagram usually only represents one path, out of many, through a use case. They don't handle exceptions very well and they don't handle message content particularly well.

All of this is evident in the examples given.

Why not use BPMN - Activity diagrams ++ - instead?

cheers
