Posts by Andrew Commons

75 posts • joined 22 Dec 2007

Cosmology is safe and the Universe is one giant version of the Barbican

Andrew Commons

Just go half way?

"...come back around on yourself?"

If I compare images looking North and looking South should I be able to see the front and back of the same distant galaxies if the sphere analogy is valid?

0
0

Apple seeks patent for paper bag - you read that right, a paper bag

Andrew Commons

Re: origami gusset - was Thought for the day

Fabulous. Thank you :-)

3
0
Andrew Commons

Re: Thought for the day

Google

origami gusset

Maybe they will get prior art issues?

1
0
Andrew Commons

On a roll......

"Does "post-consumer" mean it's made of people?"

No, it means it's full of shit.

49
0

National Cyber Security Centre to shift UK to 'active' defence

Andrew Commons

Re: Active Defence?

Well if every nation starts to shoot back, which seems to be the way it is going, that may be the end result.

3
0

Fifty bills for new Oz parliament, nothing much for tech

Andrew Commons

The Word document I assume you are referring to only lists "proposed" legislation so still some doubt. The link to the Current House Bills List found on this page (http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation) is currently blank.

Look forward to the update. This is long overdue.

0
0
Andrew Commons

The horse's mouth?

Maybe the Register could approach Alastair MacGibbon to see where data breach notifications fit in his priorities.

2
0

Our pacemakers are totally secure, says short-sold St Jude

Andrew Commons

Re: Two points

http://www.ebay.com/bhp/medtronic-pacemaker

0
0
Andrew Commons

Faraday cage?

"Once the device is implanted into a patient, wireless communication has an approximate 7-foot range."

Regardless of the sensitivity of the receiver or the strength of the transmitter used by the attacker?

8
0
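The quoted 7-foot figure is a link-budget statement, not a security boundary: free-space path loss grows by 20 dB for every tenfold increase in distance, so every extra 20 dB an attacker can find through a directional antenna or a more sensitive receiver multiplies the reach by ten. The following is an added worked example, not code from the article or from St Jude; the frequency, the 12 dBi antenna and the 20 dB sensitivity improvement are assumptions chosen to illustrate the scaling.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def fspl_db(distance_m, freq_hz):
    """Free-space path loss between isotropic antennas, in dB."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_hz):
    """Largest distance at which received power still meets the receiver's sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    # Invert fspl_db for distance: 20*log10(d) = budget - 20*log10(f) - 20*log10(4*pi/c)
    exponent = (budget_db - 20 * math.log10(freq_hz) - 20 * math.log10(4 * math.pi / C)) / 20
    return 10 ** exponent


def scaled_range_m(nominal_range_m, extra_link_margin_db):
    """Range once an attacker adds extra_link_margin_db of antenna gain and/or
    receiver sensitivity on top of whatever the vendor's nominal setup had.

    Loss rises 20 dB per decade of distance, so each extra 20 dB is a 10x reach.
    """
    return nominal_range_m * 10 ** (extra_link_margin_db / 20)


def pacemaker_example():
    # Assumed figures, not from the article: the vendor-quoted 7 ft (2.13 m) range,
    # a 403.5 MHz carrier (the MICS band used by implant telemetry), and an attacker
    # with a 12 dBi directional antenna plus a receiver 20 dB more sensitive than
    # the bedside programmer.
    nominal_m = 7 * 0.3048
    freq_hz = 403.5e6
    return {
        "nominal_m": nominal_m,
        "implied_path_loss_db": fspl_db(nominal_m, freq_hz),
        "attacker_m": scaled_range_m(nominal_m, 12 + 20),
    }


if __name__ == "__main__":
    print(pacemaker_example())
```

With those assumptions the attacker listens from roughly 85 m instead of 2 m, and a higher-power transmitter on the attacker's side moves the talk range the same way. The vendor's number describes the programmer they ship, not the adversary.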

Hilton hotels' email so much like phishing it fooled its own techies

Andrew Commons

Situation normal then

I get an email every year from a large Australian Domain Registrar asking me to go and verify my contact details.

The ONLY part of the email that actually relates to said registrar is the branding. Everything behind it - including the link behind the text link to 'www.registrar.com' - is not related to the registrar. This includes the email headers. It's all through the mass mailer they have outsourced the job to.

My attempts to talk to them about this lead me to believe that it is legitimate but everything about it screams BEWARE. They see nothing wrong with it.

8
0
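The mail described above fails the checks a receiving filter would apply: the visible link text names one domain while the href, the From: address and the envelope sender all belong to a different one. The following is an added example, not code from the article or from the registrar; the message is constructed with `.example` domains to stand in for the real thing, and the "registrable domain" helper is deliberately crude (real filters use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real registrar mail): the branding and the visible
# link text say one domain, but From:, Return-Path and the href all point at
# an outsourced mass-mailer, exactly the pattern described above.
SAMPLE_MAIL = """\
Return-Path: <bounce-1234@mail.bulkmailer.example>
From: "Example Registrar" <noreply@bulkmailer.example>
To: customer@example.net
Subject: Please verify your contact details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your details at
<a href="http://track.bulkmailer.example/c/abc123">www.registrar.example</a></p>
</body></html>
"""

HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Crude: last two labels. Adequate for the .example names used here.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _addr_domain(header_value):
    _, addr = parseaddr(header_value or "")
    return registrable(addr.rpartition("@")[2]) if "@" in addr else ""


def analyse(raw_message):
    """Return the sender domains, the brand domains the links claim to be, and
    a list of alignment findings (empty list means nothing suspicious)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    from_dom = _addr_domain(msg.get("From"))
    bounce_dom = _addr_domain(msg.get("Return-Path"))
    findings, claimed = [], set()
    for href, text in collector.links:
        m = HOST_RE.match(text)
        if not m:
            continue  # link text is a phrase, not a hostname; nothing to compare
        shown = registrable(m.group(1))
        claimed.add(shown)
        actual = registrable(urlparse(href).hostname or "")
        if shown != actual:
            findings.append(f"link text says {shown} but href goes to {actual}")
    for brand in sorted(claimed):
        if from_dom != brand:
            findings.append(f"From: domain {from_dom} is not the claimed brand {brand}")
        if bounce_dom and bounce_dom != brand:
            findings.append(f"Return-Path domain {bounce_dom} is not the claimed brand {brand}")
    return {"from": from_dom, "return_path": bounce_dom,
            "claimed": sorted(claimed), "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_MAIL)["findings"]:
        print(finding)
```

A legitimate sender that insists on outsourcing can still pass these checks by letting the mailer use a subdomain of the brand (for From:, Return-Path and link hosts) and publishing SPF/DKIM for it; the point is that nothing in the message as described ties it to the registrar except the logo.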

Your colleagues will lie to you: An enterprise architect's life

Andrew Commons

Re: And the elephant in the room is...

:-) Up vote.

But seriously...I have seen enough instances where something critical in the enterprise is no longer supported and no one started working on it early enough to put it into forward planning to see this as a real failing in many organisations.

El Reg has an example in this very recent story:

http://www.theregister.co.uk/2016/08/09/metropolitan_police_missed_xp_migration_deadline/

1
1
Andrew Commons

And the elephant in the room is...

Lifecycle management.

Of course if you are a consultant you don't live with the consequences of not having it, well and truly out the door before it all comes apart.

5
0

Networking wonks say lousy planning, not DDOS, caused #Censusfail

Andrew Commons

Timeline

The ABC has a timeline in this story:

http://www.abc.net.au/news/2016-08-10/census-night-how-the-shambles-unfolded/7712964

See brief extract below. Note the line that reads "Fire walls kick in". Where were they before that time? Was this an optional extra?

Intelligence agency called in

August 9, 2016

11:55am

The incident is reported to the Government's Australian Signals Directorate to seek any advice on prevention of further incidents or any intelligence-related threat.

Fire walls kick in

August 9, 2016

4:58pm

Another modest increase in traffic is automatically defended by network fire walls. "Additional measures" are taken to prevent further attempts of this type.

2
0

'Alien megastructure' Tabby's Star: Light is definitely dimming

Andrew Commons

A plain old peculiar

Peculiar variables exist and are documented.

See for example: http://www.starman.co.uk/variables/types/peculiar/pecstars.htm

Do we need to get more complicated than this?

1
5

IT analyst: Oz census data processed as plain text

Andrew Commons

Softlayer

This should be considered in this context?

http://krebsonsecurity.com/2015/10/ibm-runs-worlds-worst-spam-hosting-isp/

1
0
Andrew Commons

More than IBM?

Actually census.abs.gov.au resolves to two IP addresses managed by a Canadian owned company (Nextgen Networks) that does not do web hosting. They do provide connections to Cloud services like AWS...so who else has access to the census data?

0
0

BlackBerry DTEK 50: How badly do you want a secure Android?

Andrew Commons

Re: Fingerprint Snesor ? WTF!!!!

"Also unlike a password, it's _very_ hard to keep your fingerprints a secret as you literally leave them on everything you touch."

And they can be photographed from a distance - I think CCC did that to a German government minister at a press conference not so long ago.

0
0

The Australian Bureau of Statistics has made a hash of the census

Andrew Commons

What is being missed....

Is where the data is going to be as it is collected.

The FQDN census.abs.gov.au resolves to 150.207.169.5 and 150.207.169.8. These are allocated to an ASN apparently assigned to IBM but used by Nextgen Group who provide network and data centre services and, far more interestingly, connection of networks to cloud services. They do not appear to offer hosting and are 70% Canadian owned.

So if you are the ABS and want to collect information from every Australian household in the space of 24 hours (or probably less really) with pretty much a zero tolerance to failure are you likely to have that capability in house? On standby for use once every four years?

If not, then where could you find that short term capability?

It would be a nice raw data set to grab if you were a foreign government.

4
0

Kaspersky so very sorry after suggesting its antivirus will get you laid

Andrew Commons

Shaggy dog story...

Surely a reference to a 'root kit' can be worked into this?

5
0

It's time for a discussion about malvertising

Andrew Commons

A discussion has already occurred

On May 15 2014, according to a US Senate investigation, the current state of online advertising endangers the security and privacy of users. You can get the report via this page:

http://www.hsgac.senate.gov/hearings/online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy

It highlights the problems with the ad networks and the degree to which they are being abused. Unfortunately not much more seems to have come of it.

I have been confronted with an alert from a news web site demanding I turn off my ad blocker along with an alert from my AV software saying it blocked malicious content far too many times to consider dropping my shields.

My solution is to visit diverse news outlets that are reasonably trustworthy along with reliable free sites. In general the free sites are far better quality and actually contain news rather than click bait dressed up as news.

13
0

Osram's Lightify smart bulbs blow a security fuse – isn't anything code audited anymore?

Andrew Commons

Re: Why is it

"Also, security is not done well on PCs"

No.. should read "security is not done well".

Our (well some people's) unthinking desire to embrace new and shiny far outstrips our ability to understand and secure it.

This includes collateral damage as well as direct consequences.

7
0

IoT puts assembly language back on the charts

Andrew Commons

Re: Are there chips with no development support?

An old friend of mine refers to C as the "gentleman's assembler".

There are games you can play in assembler such as manually overlaying use-once initialisation code and read/write storage such as I/O buffers that I'm not sure you can play with compiled languages. If you are really memory constrained you grab at every straw :-)

0
0

Purloined password re-use checker pees in the security soup

Andrew Commons

Re: Once again, it's less of a risk to use a password manager ...

When PINs became unavoidable on credit/debit cards on this big island I reduced said cards to a minimal set where I could remember the PINs. While I was cancelling a card, in a Bank, the young person handling the transaction asked why I was doing this. I explained. They recommended that I use the same PIN on all my cards...it worked for them.

No amount of education seems to change this and the transactional middlemen - both black and white(ish) - do nothing to discourage it because they are making a killing.

1
0
Andrew Commons

It's an obvious attack

I would assume that any 'miscreant' worth their salt was on to this long ago.

2
0

Behold the ROBOT RECTUM... medics' relief

Andrew Commons

Re: Probeur

Can you imagine some of the code?

class Finger extends Anus implements Surprise{}

What would be an appropriate language for this? Squeak perhaps? Regardless it would have to be Tworing complete!

0
0

Oz doctors develop surgical robot designed to operate on your wallet

Andrew Commons

Not unexpected

To quote from the Australian AMA web site: "The AMA has adopted the World Medical Association's (WMA) Declaration of Geneva as a contemporary companion to the 2,500-year-old Hippocratic Oath for doctors to declare their commitment to their profession, their patients, and humanity."

This declaration appears to avoid these statements in the Hippocratic Oath (source Wikipedia):

"I will apply, for the benefit of the sick, all measures which are required, avoiding those twin traps of overtreatment and therapeutic nihilism."

"I will remember that I do not treat a fever chart, a cancerous growth, but a sick human being, whose illness may affect the person's family and economic stability. My responsibility includes these related problems, if I am to care adequately for the sick."

So nothing surprising here then.

2
0

Malware scan stalled misconfigured med software, mid-procedure

Andrew Commons

Re: Why?

A low priority process can bring a system to its knees by getting a lock on a resource that is required by other processes and not letting go of it because it's low priority and not given much processor time.

While there are ways to reduce the impact making it go away completely is non-trivial, as is this problem.

0
0
Andrew Commons

Re: Been there, seen that

I imagine patching and rebooting would also have been problematic as well.

The issue here isn't the AV software as such, it is the blind adherence to its use in an incompatible environment.

There are other ways to mitigate the risks, such as isolation and tight network controls, so it's all solvable.

1
0
Andrew Commons

Re: Medico's expertise

"The surgeon is ipso facto likely to be the smartest person around and therefore probably the one who knows most about ..."

Most of these people are very specialised and know a lot about a fairly limited problem space. Dentists know how to make a fortune out of 32 teeth but I would not bet on them knowing what to do when the lid comes off the computer, or when the bonnet of a modern car is lifted (which is pretty much the same thing nowadays).

They are highly specialised, this does not equate to smart. For example, New Zealander Nigel Richards is the current (I think) French Scrabble champion, he does not speak French (see http://www.theguardian.com/lifeandstyle/2015/jul/21/new-french-scrabble-champion-nigel-richards-doesnt-speak-french ) but he does have a very good memory and really knows how to play scrabble. Many of the med students I knew going through Uni reckoned that all you needed for medicine was the ability to memorise a telephone directory :-)

6
0

You can always rely on the Ancient Ones to cock things up

Andrew Commons

Re: Ah yes....

"we had to get it out of its crate before we could move it further"

Yup...and then you get to the goods lift. Remove all packaging before it stands any chance of getting into it. Press the button for the desired floor, squeeze the bugger into the empty lift ignoring all the alarms and then pray that the doors open on the right floor :-)

Miniaturisation has taken a lot of the excitement out of technology.

3
0
Andrew Commons

Re: Ah yes....

"but I heard that her bottom wasn't really worth looking at"

You are obviously far more discriminating than I am. It took four burly wharfies to get her back up again, it was quite some bottom :-)

3
0
Andrew Commons

Re: Ah yes....

Well, if you were part of the flying squad you may have been there when the 'first in the country' VAX 8600 fell over ... physically.

It's not often you get to see the underside of one of those things. :-D

5
0
Andrew Commons

Ah yes....

Far too many years ago I was writing some commercial security software for DEC VMS systems. They had a built in account for Field Service, we had some examples in the product where this was referred to as 'Field Circus'... it was suggested by some distributors that this was not a good idea. We agreed and removed it, and then it came back, and then we removed it, and then.... It took a significant search and destroy effort covering every possible library and input to libraries across our development environments to nail it.

So situation normal really :-)

5
0

Auto vulnerability scanners turn up mostly false positives

Andrew Commons

Re: One Concern

And it has now been corrected without any comments making these comments notally inkomprehensibule.

2
0
Andrew Commons

Re: One Concern

It's on the El Reg sliding scale between Mostly and Never....

1
0
Andrew Commons

Re: One Concern

Not really. You have to take into account (a) how aggressive the scanning is, i.e. how willing the customer is to have things really broken, and (b) the context in which the scanning is taking place. If the target (customer) is sensitive then expect high false positive rates. If you are scanning from the outside network edge then internal controls that will mitigate an apparent vulnerability in a multi-stage attack may not be apparent.

It's not black and white.

1
0

C’mon Lenovo. Superfish hooked, but Pokki Start Menu still roaming free

Andrew Commons

You can always try YumCha

I recently roughed out the spec of a workstation - cabinet (it had to fit in a particular location), motherboard, CPU (fast i7), memory (32GB), 3 NICs, SSDs and spinning rust, O/S - priced the parts through retail channels and sent out requests for quotes for the built box based on the partial parts list. I ended up with a built and tested box that met my requirements for a price that matched my estimates for the parts alone and it came with a warranty.

The result was cheaper than something equivalent from the major vendors and had no unwanted additions.

This was not cheap end of the market specifications so may not be something that can be replicated in that space but it is working really well and I'm left wondering why I hadn't tried this before.

0
0

Debian on track to prove binaries' origins

Andrew Commons

I don't think this is what it is all about

"The feat will allow anyone to independently confirm that Debian binaries were built from a reported source package."

Back in about 1983 I managed a small group tasked, amongst other things, with distributing software to hospitals. Part of the QA process I introduced involved taking a release of the source code and a copy of the software used for acceptance testing. The next step was to rebuild the software from the supplied source and compare the results with the acceptance test versions. This was VAX/VMS and the undocumented CHECKSUM command was used for this comparison (CHECKSUM/IMAGE for the curious, it took out timestamps). If the two did not match it was all sent back to the developers with a 'please explain'.

Roll forward 10 years after a period of developing security software for VAX/VMS (see NIST SP 800-6) and I found myself doing something similar but more focused on determining whether the software had been built from code in the source code repository, effectively whether it was built from the approved package. This required a more detailed analysis of the information stored in the executable images and has some similarities to the initiative reported here.

So, I've done some of this stuff and have some idea of where it can come apart.

(1) Change your tool chain (even different version of the same tool chain) or architecture and it will all probably break. The Alpha VMS compiler/linker tools did not dump the same sort of information into the binaries and it largely invalidated the VAX/VMS tools I had developed.

(2) Different build options, even when using the same tool chain and target architecture, will result in functionally equivalent but very different binaries.

(3) Anything you find embedded in an image can obviously be manipulated so even if the same architecture and tool chain and options are used the contextual information must not be trusted without additional verification.

For all of the above I think this is not the 'feat' you are looking for.

Given some binaries and a source code package, proving the link between the source code and the binaries is non-trivial (again I have some form here having been tasked with reverse engineering the source code library that represented the executables currently in production...).

What they are testing is the statement "It should be possible to reproduce, byte for byte, every build of every package in Debian.", this is from the WIKI reference a couple of clicks on from the referenced "report note".

This has very little to do with the claim in this piece. If you have the same source code, and the same tool chain executed with the same options you should be able to prove that you have achieved the same results.

Nothing like the headline statement.

6
1

.Bank hires Symantec to check credentials

Andrew Commons

Here we go again

In the days when SSL was young the Certificate Authorities charged more for 'high assurance' certificates that required a little bit of proof before they were issued. This was all about TRUST.

Roll the clock forward a bit... the Certificate Authorities are now offering certificates with higher assurance that will show up with a green background to prove they can be trusted....trade in your old high assurance certificates for these new green ones.

Fast forward to today...the Certificate Authorities are going to issue certificates to a special domain to prove that they are trusted...trade in your green certificates for these new ones that will really be trustworthy this time.

And tomorrow?

They just keep failing to deliver and then turn around and take more money so they can fail to deliver again.

Nice business model.

2
0

Pity the poor Windows developer: The tools for desktop development are in disarray

Andrew Commons

Situation Normal - (SNAFU,TARFU,SAPFU,FUBAR,....)

This is symptomatic of the software industry over the years. Revolution rather than Evolution.

You have a set of tools that work reasonably well, experience with them has resulted in incremental improvements, defects in new developments are dropping.

<code>

Do While i < Age of Universe

Enter Moses i.0.

'Hey man, look at this new platform, it is sooo cool!'

And the multitudes are amazed and flock like lemmings to this new technology

that has no documentation or tool support but is the FUTURE!!!

Over time experience accumulates and tool support increases.

Loop

</code>

We are doomed.... stick with COBOL :-)

13
0

Australia mandates* cloud use by government agencies

Andrew Commons

Re: Thank goodness we've got the cloud sorted out here in the UK

@dan1980

"Some concerns are removed, some new ones are added but most still remain, albeit slightly changed."

Spot on. And now we are trying to figure out how to manage these concerns through contract management processes instead of through technical controls and we are real beginners in this space.

1
0

Today's weather is brought to you by our sponsors

Andrew Commons

Yes, they are there

And already serving malware...the anti-malware software I use started warning me it had blocked content shortly after the ads first appeared.

Maybe our Senate should read the US Senate 14 May 2014 report "Online Advertising and Hidden Hazards to Consumer Security and Data Privacy"

1
0

Delaware pair nabbed for getting saucy atop Mexican eatery

Andrew Commons

Re: Why?

So they can use the headlines of course.

7
0

Help us out readers: How would you sniff and store network traffic?

Andrew Commons

Start simple

"the Learning Centre's WLAN and satellite WAN are both slow"

Latency will be the killer for the satellite WAN and some of this may be reflected in the local WLAN performance if 'local' requests are making it out of the local environment. DNS would be one candidate I guess.

So start by understanding what traffic is going through the satellite gateway, no need to sniff the traffic yet, just get connection logs if possible from the device itself, this should give you a good idea of what is going on with just src/dest ip and ports.

How you do this will depend on the capabilities of the gateway, best case is very careful use of remote administration access or using the VNC capabilities to get internal administration access otherwise you are facing big time latency - two day round-trip.

1
0
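The first pass the post recommends, connection logs from the gateway rather than a packet capture, needs very little: aggregate the flows whose destination is off the LAN by protocol and port, and look for services with many small flows, since each of those pays the satellite round-trip in full and is the natural candidate for a local cache or resolver. The following is an added example, not code from the article or from any particular gateway; the LAN range and the log layout (`timestamp proto src:sport dst:dport bytes`) are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed local range for the Learning Centre; replace with the real one.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample in a generic "timestamp proto src:sport dst:dport bytes"
# layout. A real gateway's connection log carries the same fields in its own order.
SAMPLE_LOG = """\
2016-07-01T09:00:01 udp 192.168.10.23:51234 8.8.8.8:53 72
2016-07-01T09:00:01 udp 192.168.10.23:51235 8.8.8.8:53 70
2016-07-01T09:00:02 tcp 192.168.10.23:49152 93.184.216.34:443 5210
2016-07-01T09:00:02 udp 192.168.10.41:51000 8.8.8.8:53 68
2016-07-01T09:00:03 tcp 192.168.10.41:49153 192.168.10.5:445 180233
2016-07-01T09:00:04 tcp 192.168.10.23:49154 93.184.216.34:443 8811
2016-07-01T09:00:05 udp 192.168.10.77:51300 8.8.8.8:53 71
2016-07-01T09:00:06 tcp 192.168.10.77:49160 203.0.113.9:80 2300
"""


def parse_line(line):
    """Split one log line into a flow record; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, nbytes = parts
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto,
            "src": ipaddress.ip_address(src_ip), "sport": int(sport),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dport),
            "bytes": int(nbytes)}


def wan_summary(log_text, local_net=LOCAL_NET):
    """Flows that leave the LAN, aggregated as (proto, dport, flows, bytes), most flows first."""
    agg = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] in local_net:
            continue  # LAN-to-LAN traffic never touches the satellite link
        key = (rec["proto"], rec["dport"])
        agg[key][0] += 1
        agg[key][1] += rec["bytes"]
    rows = [(proto, port, flows, nbytes) for (proto, port), (flows, nbytes) in agg.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[3]))


def chatty_services(summary, max_avg_bytes=512):
    """(proto, port) pairs with many small flows. These are hurt most by per-round-trip
    latency and are the first candidates for a local cache or resolver."""
    return [(proto, port) for proto, port, flows, nbytes in summary
            if flows > 1 and nbytes / flows < max_avg_bytes]


if __name__ == "__main__":
    summary = wan_summary(SAMPLE_LOG)
    for row in summary:
        print("%s/%d  flows=%d  bytes=%d" % row)
    print("chatty:", chatty_services(summary))
```

On the sample, DNS to an off-site resolver shows up as four tiny flows while the HTTPS sessions carry the bytes; that is the signature of the "local requests leaking out" case the post raises, and a caching resolver on the LAN side of the gateway removes those round-trips without touching the link itself.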

Comet-chasing Rosetta spies SWEATY prey

Andrew Commons

@AC

Of course, the urethra squared law.

2
0
Andrew Commons

Re Bootnote

Surely the rate at which a comet passes water is more properly measured in terms of the concepts expressed in this El Reg piece:

http://www.theregister.co.uk/2014/06/30/most_mammals_finish_peeing_within_21_seconds/

So instead of 'Olympic Swimming Pools' maybe 'Cats urinating per minute'?

5
0

DAMN you El Reg, CALL ME A BOFFIN, demands enraged boffin

Andrew Commons

Re: Reaching out

I always thought that was misspelt and the 'a' should have been a 't'....

1
0

Remember Control Data? The Living Computer Museum wants YOU

Andrew Commons

Re: Memories...

"I got used to programming save/restore points throughout large runs."

I got used to bribes :-D

I wonder what was more effective? I also had to read several boxes (2000 per box I think) of cards in on the high speed card mangler regularly so being on good terms with the operators when working out which bits of compacted card had been read and which ones you had to try and resurrect via duplication was important.

The human element has really gone out of modern computing :-D

0
0
Andrew Commons

Re: Port That Job!

Aaaaahhhh 60-bit registers on the Cybers.

Actually there were two sets of registers - A and X - which were 18 and 60 bits respectively (there may have been B as well which were also 18 bits, in fact I'm pretty sure of it). X for data and A for address...and there were 8 each of them. From memory, A0 was just a dumb register, A1-A5 were paired with X1-X5 and loading a value into them (A1-A5) fetched that memory location into the corresponding X register. A6 and A7 were the reverse and loading a value into them wrote the contents of X6 or X7 to memory. This resulted in quite a bit of mental gymnastics to make sure that whatever you needed to get back into memory was in one of the two registers at the right time...which is where the use of a couple of (three?) XOR operations to swap values in registers was a lifesaver.

No hardware stack of course :-)

An interesting architecture.

3
0
Andrew Commons

Re: I'm a museum piece, myself

The Cyber series were rather fun, there was a mean Startrek game on them (or at least the ones I got to play with) and an animated Snoopy that alternated between the circular main console displays. Inside they were a birds-nest of wires.

1
0
