* Posts by vagabondo

513 posts • joined 1 Aug 2008

X-ray scanners, CCTV cams, hefty machinery ... let's play: VNC Roulette!

vagabondo

Re: Or a simpler (than SSH) solution

@Adam1

>You are basically arguing the merits of security through obscurity there...

The rationale is not so much for security as considerably reducing log-file sizes (and increasing readability), plus taking some load off system resources by sidestepping continuous brute-force onslaughts.

9
0

PC World's cloudy backup failed when exposed to ransomware

vagabondo

Re: Something doesn't add up here...

If the machine was for business use, then the lost data may well have been hundreds of text files (orders, invoices, etc.) or financial data files etc. and only occupied a few hundred MiBs. Not everyone has extensive video collections. I am also told that some lucky people have fibre and reasonable upload speeds.

11
0

FBI backs down against Apple: Feds may be able to crack killer's iPhone without iGiant's help

vagabondo

Re: precedent

@redpawn

Your lose -> loose dysfunction is not dyslexic, just old-fashioned ignorance.

45
3

Microsoft offers Linux certification. Do not adjust your set. This is not an error

vagabondo

Re: When will we see SQL Server on Linux?

When there's not a better alternative on Linux.

4
1

Thanks for playing: New Linux ransomware decrypted, pwns itself

vagabondo

Re: re: Are you listening Window's users?

kryptylomese said:

"I have been using computers since 1978 so I do know a thing or two."

Bloody kids!

[self-confessed boring old fart]

2
0

Third suspect arrested over TalkTalk breach

vagabondo

Re: how?

I am in no way condoning the blatant disregard for the safety of their customers' data by TalkTalk or anyone else. I think that severe punishment has been long overdue. Most large organisations, including banks and government departments just don't care. The directors deserve to be barred, as well as the companies facing punitive financial damages. This corporate behaviour is wilful negligence.

However given the information presented in the article, I do not understand how this data loss is sufficient for a victim to have their "bank account raided", and would appreciate an explanation of how it could be done. Hence the title.

0
0
vagabondo

how?

Could you please explain how a bank account could be raided using the victim's name, e-mail address, partial credit card details etc?

I can understand that a direct debit might be set up using the victim's bank account name and number. However the bank that receives the money bears the onus of proving the transaction was not fraudulent, not the victim.

Most of the claimed consequential losses that I have read of are the result of phishing e-mail or telephone cons. They rely on publicly available directory data and perhaps an e-mail header. There is no requirement for stolen data even if that would make the fraud logistics a little simpler.

I am in no way supporting TalkTalk. They seem to outsource customer support and invoicing systems on the basis of price, not competence. The real problem is the general attitude among large companies who actively sacrifice privacy and security in the name of "user-friendliness" and glitz. TalkTalk, like many large corporations, insist that their customers use security-weak mail servers and web browsers in order to do business with them. There is no reason for them to send mail from a server that does not identify itself correctly (PTR records and HELO responses), or for placing code from third-party domains on their web-sites, or using cross-site scripting for payment processing.

This is all part of a culture of technically incompetent senior decision makers. Just try to complain to a large bank or utility company. The standard response is "We are a large organisation, that pays our experts a lot of money. Therefore we must know more about these things than you, even if you are an engineer".

1
2

TalkTalk: Hackers may have nicked personal, banking info on 4 million Brits

vagabondo

Re: Yet more reason . . .

"Then you fail on the credit check"

Why do you need credit from an ISP? I always use 01 01 1970 when asked for any date (or you could use anyone else's dob that you can remember) apart from to my bank.

0
0
vagabondo

transferred from TT Business to TT Residential

This seemed to happen quite randomly about two years ago. We had one direct debit payment account transferred, but not three others.

If you call TalkTalk Business they will transfer you back, but it is similar to transferring from another unrelated supplier and you may have to set up the payment system again. You have to wait about two weeks and fend off the "please don't leave, would you like a discount" call from TT Residential. You will lose any fixed IP addresses (but if you have a technical problem then they get converted to dynamic anyway -- that's how we discovered we had been transferred).

0
0

Milking cow shot dead by police 'while trying to escape'

vagabondo

Daisy

Methinks a "Daisy" should be a Dairy Shorthorn, or at a push a British Friesian. The pictured bovine looks like a Swiss Brown; so should be a "Gretchen", or maybe "Paquerette".

12
0

Robots.txt tells hackers the places you don't want them to look

vagabondo
Facepalm

I don't understand

Why would a robots.txt list the files/directories that spiders should avoid? Surely it would list the places that spiders are welcome to visit and uses wildcard(s) to disallow everything else?

Or have the other commentards here just got a better sense of irony than me?

0
1

So what would the economic effect of leaving the EU be?

vagabondo

Re: stupid fonctionnaires

The problem is the relative importance of the EU Commission, and the distance between our Commissioners and the electorate. I can think of two remedies:

An "EU Office" with a Secretary of State in the UK Cabinet, responsible for the UK government's position in Brussels, and answerable to UK parliaments.

or

Making the EU Commission subservient to the EU Parliament.

0
0

'Hackers racked up $$$$s via the Android Play Store, and Google won't pay me back'

vagabondo

Re: The real story

But even if a client-side compromise, was it effected via an app from (approved by) Play Store?

1
0

Radio 4 and Dr K on programming languages: Full of Java Kool-Aid

vagabondo

Re: This is exactly the problem

"More or Less" on R4 and the World Service manages to be both populist and interesting/entertaining for the numerate listeners.

Once upon a time the odd programme that mentioned radio, sound recording or music production used to be able to produce an actual BBC engineer. Now all the technical "experts" seem to be journalists who get their technical education from Apple and Google's sales literature and press releases. The biographical pieces about STEM people are often OK, but they are about the subject's personal lives and careers rather than the STEM itself.

2
0
vagabondo

Re: miss

@ Forget It

Especially because the programme was espousing Java as the enabler/reason of/for dynamic web pages. I could not understand whether they were talking about stuff like Tomcat or thought that Java and Javascript were related.

0
0

You want disruption? Try this: Uber office raided again, staff cuffed

vagabondo

Re: Benefit of the Guilds

@damworker

Are you perhaps confusing/conflating taxis (hackney cabs, which can ply for hire and charge via a meter) and mini-cabs (private hire cars, that respond to a pre-booked journey)?

0
0

Smart meters are a ‘costly mistake’ that'll add BILLIONS to bills

vagabondo

Re: More Smart meter fail?

Putting gas meters up poles? That sounds like a fully qualified government tech project!

2
0
vagabondo

Re: And just this morning, something else that's fishy

That was nearly OK until you mentioned the "cloud" word.

4
0
vagabondo
Facepalm

Re: IT disasters...

"It's not sufficient to simply sit around not doing any IT projects, just because a few don't work out."

a few! a few -- really only a few?

16
1

Millions of voters are missing: It’s another #GovtDigiShambles

vagabondo

@Irongut

I live in Scotland too. The letter that you got, if the same as mine and my friends' (Galloway and Glasgow) was sent one to each residential property with a description of the registrations that had been migrated to the IVR, with a request for anyone whose details were incorrect or missing to fix it using the new system. Most of this should have been cleaned up on the old system last year with the high voter turnout for the referendum. However at least two MSPs (including Cabinet Secretary Alex Neil) were lost in the process.

http://www.thenational.scot/politics/risk-to-votes-as-scottish-minister-finds-he-is-missing-from-electoral-register.935

@ Fink-Nottle

The Electoral Commission stuff is reserved to the UK Government, so slights to the SNP or Scottish Government are misplaced.

0
1
vagabondo

Re: NI numbers?

I, and everyone that I know got our NI numbers when we left school or got to school-leaving age. Apart from some who came from other countries as adults and had to apply for a NI number/card (employers used to buy stamps at the Post Office and stick them in their employees' cards, which required regular renewing as they filled up) before starting work.

When the physical card was done away with the name associated with my NI number inexplicably changed to that of a similarly named cousin. At various times I have spent hours negotiating with clerks to correct their records, but throughout my life the name on some govt records has spontaneously changed to the wrong one with occasional cross-contamination. This causes enormous inconvenience when a (local) govt office gets the wrong name and absolutely insists that I provide identification with the name on their records, but not the one on my passport, NHS card, bank account etc.

Sorry for that, but I get really pissed off about it. When an inconsistency occurs in data sets it should either be investigated and fixed, or flagged and left; not just changed according to the toss of a coin.

2
0

NHS England has some sneaky plans for Care.data acceleration

vagabondo

Re: The price of failing to cooperate...

I do not live in England, but aren't invites to routine screening, vaccination, etc. sent out by your general practice?

4
0

LOHAN chap serves up 'tenner a week' e-cookbook

vagabondo
Thumb Up

Recommended ...

... reading for teenagers being left or sent off to fend for themselves. Excellent advice in this epub. Maybe a second edition with a few pictures would be good.

2
0

Home Office splashed £35m trying to escape e-Borders contract

vagabondo

Re: A confidential arbitration process

@arrbee

The description of PFI missed the bit about the PFI contracting consortia including banks, who borrow the money from the Bank of England at considerably less than market rates. Thus the whole scheme is an accounting sleight of hand to transfer public funds to private, while moving the cost of capital projects from one arbitrary ledger column to another.

3
0

Sick of Chrome vs Firefox? Check out these 3 NEW browsers

vagabondo

Re: Lynx, anyone?

Also w3m is useful.

0
0

Linux kernel dev has gone well and truly corporate – report

vagabondo

Re: Snowballing

"... wasn't Minix based on a microkernel? Also GNU Hurd?"

Minix was a macrokernel design, based on Unix principles. But Hurd was/is a microkernel design. Minix3 is microkernel.

@Oninoshiko and @Lusty

I do not remember Linus T misusing the term microkernel. The main reason that the GNU community adopted the Linux kernel over the more elegant microkernel designs was efficiency and availability. The performance of micro versus macrokernels remains problematic. When Microsoft announced NT, they claimed it would use a Carnegie-Mellon style microkernel, but actually used a macrokernel design. The MS literature/press releases were a source of confusion for much of the less technical technical press.

The converse of micro is macro, and of monolithic is modular. The very early Linux kernels were monolithic macrokernels. When a kernel was compiled, the required drivers were compiled in. It did not take very long for modules to be introduced, when at build time the essential hardware drivers and filesystems could be selected to be built-in, and the merely desirable to be compiled as autoloading modules.

6
0

UK air traffic mega cockup: BOTH server channels failed - report

vagabondo

Re: Just "193 Atomic Functions"?

I do not think that they are talking about database transactions here.

From the article:

"All of the operational roles performed within the London Area Control have a unique identifier known as an Atomic Function".

Together with the mention of "signing off" and unused station, I understood that "active Atomic Functions" was related to the number of ATCs logged in. Other information about operator mis-keying while logging out might point to a poorly programmed log-out sequence that permits the operator to be apparently logged out without releasing their "Atomic Function" token.

Just my guess.

0
0

Fraudsters make bank as exec wires $17 MEELLION to China

vagabondo
FAIL

Why don't

people at least routinely use e.g. GPG signing for important email? And take notice when the sig fails.

0
0

'Privacy is DAMAGING to PROGRESS' says Irish big data whitepaper

vagabondo
Flame

"boffins" or PHBs?

From the description given in this article, this does not seem to have much to do with boffinry and a lot to do with PHBs in sharkskin suits.

5
0

Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash

vagabondo

How to donate

Apologies if my reader missed it (I have found the new layout considerably less "accessible" than the old one.), but I would have appreciated donation details (or links to) in the article.

Credit card: https://gnupg.org/donate/index.html

or

Bank transfer, tax certificate, etc: https://www.wauland.de/en/donation.html#61

4
0

Trouble comes in threes: Yet ANOTHER Flash 0-day vuln patch looming

vagabondo

Re: bbc.co.uk

Chromium + Pepper-flash + AdBlock + Ghostery + ScriptBlock

Works for me with iPlayer and STVplayer, etc.

1
0

UK watchdog grills big biz: So HOW do you use their 'consumer data'?

vagabondo

enforcement action

So is this "consultation" just an excuse to avoid/procrastinate on the previous decision to take action against the unfair use of consumers' data?

3
0

Wikileaks: We DO NOT approve of OUR secret stuff being LEAKED

vagabondo

sour grapes ?

I suspect that this is really part of Wikileaks PR, just reminding/bringing the wider world's attention to the inherent insecurity of "free" communications services. The story has been widely published, and maybe prodded some non-techies to think about the advisability of secure comms.

1
2

Turn your head and cough (up your details), HealthCare.Gov has sprung a leak!

vagabondo

Re: Ad networks? On healthcare.gov?

It's not much worse than the NHS exhorting their patients to use Facebook and Twitter. My current bête noire is the NHS giving my phone number to a telephone sales company on the pretext of outsourcing appointment reminders. I'm afraid that monetization and insecure data harvesting is ingrained in all branches of what should be public service.

4
0

HTTPS bent into the next super-cookies by researcher

vagabondo

301 redirect...

But. That is a server-side "solution". It does not protect the client from a malicious web-site. This "super cookie" problem requires a client-side solution.

If this was a cookie, it should only be readable by the server that set it. However this flag seems to be readable by any contacted server. This looks like a flaw in either the protocol or its implementation.

7
0

Want to have your server pwned? Easy: Run PHP

vagabondo

Surely the first/routine port of call is to apply the security patches. Version upgrades are primarily to add new features.

This article's failure to understand how security issues are routinely addressed in the OSS world leads me to doubt its usefulness about anything. Is it really about selling W3 Tech's products?

4
4

Hackers pop German steel mill, wreck furnace

vagabondo
Boffin

Re: Is there something missing?

Just switching off a furnace full of molten metal and you get a massive slug of scrap metal wrapped in a fire-brick jacket. It takes a long time to remove the solidified metal and build a new furnace.

6
0

YEAR of the PENGUIN: A Linux mobile in 2015?

vagabondo
Unhappy

Re: There's always someone

Yup! This is year-end time and HMRC insist that Corporation Tax returns have to be made using a version of Adobe Acrobat Reader that is only available for some versions of MS and Apple OSs. So much for the Cabinet Office's "open standards".

11
1

Terror bomb victims demanding Iran's .ir will appeal US ruling

vagabondo
Headmaster

Re: Can we have .com & .gov then please

".us" is the ccTLD that belongs to the USA.

1
0

HORRIFIED Amazon retailers fear GOING BUST after 1p pricing cockup

vagabondo

Re: Hang on

But once you have paid and left the store the article is yours. It is then up to the supermarket to sort out the problem with the price gun. In this instance the retailer has outsourced pricing to RepricerExpress and the shelf-stacking and checkout to Amazon. Once the goods are paid for and despatched, the retailer should be looking at their business model, especially w.r.t. price management.

Why does any algorithm allow the selling price to be less than the purchase price without oversight?

5
0
vagabondo

Re: Shurely

"much less functionality (the more complex, the greater chance of a cockup)"

Complexity does not necessarily lead to functionality and vice versa.

4
1

Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!

vagabondo

Re: GNU

@Trevor

Just keep reciting "Lennart is mortal". The universe is eternal (relatively) and resilient. One day both systemd and pulse-audio will succumb to "The Unix Way" as proclaimed by those eternal heroes -- Ken Thompson and Dennis Ritchie.

Herr Poettering is just Red Hat's version of Novell's Miguel de Icaza. Eventually his ideas will also be spewed out and carefully stepped around. Anyway how old is he? He can't survive much longer than me, the future is safe from both of us.

2
2
vagabondo

GNU

Well I liked using a set of text files and a shell script to shovel processes into firebox too. But systemd is licensed as GPL or LGPL just the same as those init scripts, and neither came from the GNU project. You will have to think up another reason to prefer init.

2
3

Shellshock over SMTP attacks mean you can now ignore your email

vagabondo

Are there any mail transfer agents or clients that would try to execute, as opposed to read a mail header?

2
1

Microsoft, Docker bid to bring Linux-y containers to Windows: What YOU need to know

vagabondo

Re: zzzzz, Virtuozzo did this many years ago

... and on Linux FreeVSD preceded Virtuozzo. Container-type technology has been in development since chroot (change root) in pre-BSD Unix in the 1970s, so precedes Solaris, Microsoft, FreeBSD and Linux.

2
0

Shellshock: 'Larger scale attack' on its way, warn securo-bods

vagabondo

Re: The problem is...

"Ok, critical web server with CGI+bash vulnerability I can understand..."

Can someone please explain a scenario where a production web server would need CGI plus any shell? I just cannot envision the need for a web server to run under an account with a login or shell, or for a CGI program to have to call a shell. If admins need a CLI shell for maintenance then the shell could be made executable only by the "wheel" group or equivalent (maybe "users" on a shared hosting platform, but certainly not mysql, wwwrun, etc.).

1
0

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

vagabondo

Re: Fortune 1000 overlords SHELLSHOCKED into Bash patch batch

"you really don't want to get notified every time one of packages that's installed "

That's not the point. We keep all of our critical systems on stable, long-term tested software versions, except we apply security patches automatically within 24 hours of their release. These are normally backports, and do not push our software to the latest packages. This is a standard feature of serious distributions and is trivial to implement. The risk of a security patch taking a system down is trivial compared to the potential consequences of leaving a known vulnerability open.

0
0
vagabondo

@AC re: MS consultants

" Microsoft consultancies are having a very busy week "

Do you know any Microsoft consultants that offer a credible no-bugs guarantee? Or even a SLA that specifies security patches within 5 days of discovery?

7
1

Bash bug: Shellshocked yet? You will be ... when this goes WORM

vagabondo

Re: Oh $!#t.

"So we all OSX users are screwed?"

Depends. A security patch may have been applied without upgrading the bash version. I do not use OSX, so do not know how their security patch policy works.

On my systems (openSUSE):

$ env x='() { :;}; echo "vulnerable"' bash -c 'echo "hello"'

vulnerable

hello

-- sorry about the extra line-feeds added by El Reg.

and

$ env x='() { :;}; echo "vulnerable"' bash -c 'echo "hello"'

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

hello

6
0
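The two bash runs quoted in the post above, wrapped as a small admin-side check. This is an added example, not code from the post or from El Reg: it runs the same probe value through the bash given as its first argument (default: the bash on PATH), reports "vulnerable" only if the trailing command after the function body was executed, and separately shows the namespaced variable name a patched bash uses when it exports a function, which is why a plain variable such as x above is no longer parsed as one.

```shell
#!/bin/sh
# Added example (not from the forum post). Assumes only a POSIX shell, env,
# grep and cut; "bash" is the binary under test and may be overridden.

# shellshock_check [path-to-bash]
# Prints "vulnerable", "patched" or "absent" and returns 1, 0 or 2.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "absent"; return 2; }

    # Same probe as the post: an environment variable whose value looks like
    # an exported function definition followed by a trailing command.
    # Unpatched bash parses the whole value on start-up and runs the trailing
    # "echo vulnerable"; patched bash warns and ignores the definition, and
    # only the -c command ("echo hello") produces output.
    out="$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo hello' 2>/dev/null)"

    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *hello*)      echo "patched";    return 0 ;;
        *)            echo "absent";     return 2 ;;   # bash did not run at all
    esac
}

# exported_function_var [path-to-bash]
# Asks bash to export a shell function and prints the environment variable
# name it used. Patched releases put exported functions in their own
# BASH_FUNC_... namespace instead of reusing the bare function name, so an
# attacker-controlled ordinary variable is never treated as a function.
exported_function_var() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "absent"; return 2; }
    "$bash_bin" -c 'probe() { :; }; export -f probe; env' 2>/dev/null \
        | grep '^BASH_FUNC_probe' | cut -d= -f1
}

# Stand-alone use: report on the default bash.
shellshock_check "$@"
exported_function_var "$@"
```

On a patched system the first line printed is "patched" and the second starts with BASH_FUNC_probe; on an unpatched one the first line is "vulnerable" and the second is empty.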
