* Posts by Alan J. Wylie

206 posts • joined 12 Jul 2008

Page:

Bletchley Park Trust vows to shore up insecure website

Alan J. Wylie

I've seen far worse

The "F" grade at SSLLabs is due to the same certificate being hosted on a web server elsewhere (this may be their backend server, they are behind Cloudflare) with SSLv2 and export grade (deliberately weakened) ciphers supported. The certificate has a SHA1 intermediate certificate in the chain, so they will need to update it anyway before the major browsers start giving warnings early in the new year[1]. Doing this will help to mitigate the problem, no need for an entire new web site. They should also be either getting the 2nd server turned off, if it is unused, or better secured if it is their backend server.

[1] https://community.qualys.com/message/35468-sha-1-deprecation-countdown

0
0

Three to appear in court over TalkTalk hack

Alan J. Wylie

I await the headline

"TalkTalk to appear in court over Three hack"

3
0

PoisonTap fools your PC into thinking the whole internet lives in an rPi

Alan J. Wylie

Re: To lock a Linux system down

It only stops *new* modules being loaded. Load any required kernel modules (e.g. usb-storage) first , then lock down.

Perhaps not the right answer for a developer's system, but very useful for e.g. a system in a doctor's surgery, as was mentioned earlier, or a system in a PCI DSS scope.

3
0
Alan J. Wylie

To lock a Linux system down

Adding

echo 1 > /proc/sys/kernel/modules_disabled

to a local boot script will stop any more modules being loaded. Unless the driver for the USB is the same as one used by the system (unlikely) nothing will happen when it's plugged in.

https://www.kernel.org/doc/Documentation/sysctl/kernel.txt

2
1

Microsoft just got its Linux Foundation platinum card, becomes top level member

Alan J. Wylie

Re: Great news!

I'm glad somebody finally got it...I was beginning to worry that I'd been too subtle.

I went to the comments and immediately searched for "embrace". Well played, Sir.

1
1

Adult FriendFinder users get their privates exposed... again – reports

Alan J. Wylie

Interesting passwords

From https://www.leakedsource.com/blog/friendfinder

short:

43: football

59: liverpool

long:

21 equal: youwillneverwalkalone

21 equal: ilovemanchesterunited

(and for the benefit of non-UK readers: You'll Never Walk Alone is the anthem of Liverpool Football Club)

What is it with footballers?

2
1

What should the Red Arrows' new aircraft be?

Alan J. Wylie

Re: Hawker Harrier

VIFF

that is all.

1
0

UK will retaliate against state-sponsored cyber attacks, Chancellor warns

Alan J. Wylie

SPF, DKIM and DMARC - better late than never

He pointed to the recent rollout of software to cut to zero an estimated 50,000 fraudulent emails a day from hackers purporting to be from HMRC offering tax refunds in order to obtain people's bank details.

This blog post from February details the government's move to SPF/DKIM/DMARC. I assume this is what the chancellor is referring to. Since SPF has been generally adopted since about 2009 and DKIM since at least 2012, what on earth have civil servants been doing all that time?

1
0

I've arrived on Mars. Argggh, my back!

Alan J. Wylie

Re: 'simple'solution

<Red Thunder>

Reminds me in some ways of "Welcome to Mars" by James Blish

2
0

'Biggest ever' Linux release

Alan J. Wylie

Wrong way round - it's big *because* it will be LTS

Torvalds says the release looks so substantial it's probably destined for Long Term Support status.

Greg K-H has already announced that he intends 4.9 to be the next long term stable. Linus commented on this in the 4th paragraph of his announcement linked to in the original article: people pushing to get their stuff ready

2
0

Como–D'oh! Infosec duo exploits OCR flaw to nab a website's HTTPS cert

Alan J. Wylie

Re: Trust?

The last paragraph of Comodo's report (linked to by the original article):

Comodo finds it regrettable that some registries choose to offer a port 43 WHOIS service which redacts information for all registrants which even the registry themselves would normally consider to be public. We find it even more regrettable that a sub-set of those registries refuse to consider offering unredacted access to that information even when contractual and/or commercial terms (including binding restrictions on the use of that information) are offered.

6
0

New measurement alert. The Pogba: 1,200Pg = NHS annual budget

Alan J. Wylie

Re: Monty Python reference

Ref the typing speed, was that an African sheep or a European sheep?

And would it be spherical?

3
0

SHA3-256 is quantum-proof, should last BEELLIONS of years, say boffins

Alan J. Wylie

Re: Hash functions

or do some other attack

Obligatory XKCD

7
0

Heads roll as Qihoo 360 moves to end WoSign, StartCom certificate row

Alan J. Wylie

Archived copy of Tyro's blog post about backdated SHA-1 certs

archive.org / bing

we made a decision to implement a temporary workaround to allow our small and medium-sized merchants to continue to transact. We reached out in good faith to certificate authorities to provide a few months runway to resolve this big challenge in a way that had minimal impact on merchants.

1
0

Hubble telescope spies massive 'cannonballs' of fire from dying star

Alan J. Wylie

Ringworld Engineers

It's obviously the Ringworld Meteor Defense System in action

3
0

Mozilla wants woeful WoSign certs off the list

Alan J. Wylie

WoSign has stopped issuing free certificates

https://twitter.com/rmhrisk/status/782838192944713728

https://buy.wosign.com/free/?lan=en

Sorry, due to some security consideration,

WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016.

0
0
Alan J. Wylie

Apple's response

https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI

In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

0
0
Alan J. Wylie

Interesting messages from Tyro

First, an old announcement about problems with SHA-1:

http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/

and secondly a blog posting, now deleted, but still in Bing's cache: try this link to archive.org or search Bing for the text below

https://tyro.com/blog/merchant-security-is-tyros-priority/

Merchant security is Tyro’s priority

Sascha Hess

27/09/2016

To summarise: after a SHA-1 to SHA-2 upgrade, some merchants had obsolete Point of Sale systems that were unable to connect. Tyro "reached out in good faith to certificate authorities to provide a few months runway to resolve this big challenge".

0
0
Alan J. Wylie

What about the other browsers?

Unless Google, Apple and Microsoft follow, Mozilla stands to lose market share: users want things that "just work" and if Firefox starts giving error messages, they might move to an alternative.

Chris Siebenmann's blog

2
0

The web is past peak innovation: It's all negative returns from here

Alan J. Wylie

posting using w3m

Just for the hell of it!

4
0

Argos tech team updates iOS app with helpful info on 'eleventy-billion toilet seats'

Alan J. Wylie

Zombie Moore's Law shows hardware is eating software

Alan J. Wylie

The wheel of reincarnation

http://www.catb.org/~esr/jargon/html/W/wheel-of-reincarnation.html

[coined in a paper by T.H. Myer and I.E. Sutherland On the Design of Display Processors, Comm. ACM, Vol. 11, no. 6, June 1968)] Term used to refer to a well-known effect whereby function in a computing system family is migrated out to special-purpose peripheral hardware for speed, then the peripheral evolves toward more computing power as it does its job, then somebody notices that it is inefficient to support two asymmetrical processors in the architecture and folds the function back into the main CPU, at which point the cycle begins again.

Several iterations of this cycle have been observed in graphics-processor design, and at least one or two in communications and floating-point processors. Also known as the Wheel of Life, the Wheel of Samsara, and other variations of the basic Hindu/Buddhist theological idea. See also blitter.

6
0

Lenovo denies claims it plotted with Microsoft to block Linux installs

Alan J. Wylie

Re: "To improve system performance, Lenovo is ... adopting RAID on the SSDs..."

Matthew Garrett's take on this is that Intel's drivers give better power management than Microsoft's and forcing "RAID" mode stops the MS one from binding.

http://mjg59.dreamwidth.org/44694.html

9
1

Luxe cable crimper

Alan J. Wylie

Gillette invented this business model a long time ago

https://en.wikipedia.org/wiki/Razor_and_blades_business_model

Sell the holder cheaply, make your profit out of selling lots of small bits of steel/plastic.

2
0

End all the 'up to' broadband speed bull. Release proper data – LGA

Alan J. Wylie

"local data for local people"

Your *my* wifi now!

7
1

Microsoft thinks time crystals may be viable after all

Alan J. Wylie

Re: YBMM

Rule 34?

0
0

Intel pulls out hard cash to gobble virtual CPU upstart Soft Machines

Alan J. Wylie

Re: Transmeta

One of their vice-presidents was previously Executive Vice President at Transmeta: http://www.softmachines.com/john-ohara-horsley/

2
0
Alan J. Wylie

Transmeta

Reminds me of Transmeta and their Code Morphing Software: another company from Santa Clara that never reached profitability.

3
0

Typo made Air Asia X flight land at Melbourne instead of Malaysia

Alan J. Wylie

On the subject of typos

Instead of entering 15109.8 east (i.e. 15˚ 19.8' east)

That should be 151˚ east

11
0

Publishing military officers' names 'creates Islamic State hitlist'

Alan J. Wylie

"For security reasons we're apparently not supposed to say who they are."

But you did!

http://www.theregister.co.uk/2016/06/30/first_f_35b_joint_strike_fighter_lands_uk/

9
0

Lindsay Lohan's Grand Theft Auto V cartoon case kicked out of court

Alan J. Wylie

Original model whose image was used for the artwork

http://www.dailydot.com/gaming/gtav-grand-theft-auto-girl-bikini-model/

It's Shelby Welinder whose photo was used for the artwork

10
0

London's Francis Crick Institute will house 1,250 cancer-fighting boffins

Alan J. Wylie

Rosalind Franklin

Sir Francis Crick, a British molecular biologist who discovered the structure of DNA, along with his colleague James Watson

Don't forget Rosalind Franklin

17
1

OpenSSL 1.1.0 is out

Alan J. Wylie

Oops.

In the Changelog

https://www.openssl.org/news/changelog.html

*) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test and POST to handle Dual EC cases.

[Steve Henson]

damn, that's a bug in the CHANGES file

0
0

Sealed with an XSS: Popular vulnerabilities probed

Alan J. Wylie

Obligatory XKCD

https://xkcd.com/327/

3
0

No, the VCR is not about to die. It died years ago. Now it's VHS/DVD combo boxes' turn

Alan J. Wylie

Philips Video 2000

https://en.wikipedia.org/wiki/Video_2000

I briefly contracted to PYE TVT in on Coldhams Lane, Cambridge in 1984 (a real-time video editing suite for the 1986 Mexico World cup). Pye was a sub-division of Philips and the company shop sold Video 2000 recorders at a substantial discount, so there was a significant number in the area. Later I heard tales of the stock management system of e.g. Dixons sending equal numbers of cassettes to each branch, and the manager of the Cambridge branch having to call around to get them sent on to his.

1
0

Microbe drives tropical butterfly species to a male-killing frenzy

Alan J. Wylie

Then we can start on genetically engineering a version that affects humans in order to be one step closer to triggering a zombie apocalypse

We already know of infections that cause an increase in risky behaviour[1]. The plot of the 1977 science fiction short story The Screwfly Solution[2] is based on a disease that causes increased male violence towards women,

[1]

https://en.wikipedia.org/wiki/Behavior-altering_parasites_and_parasitoids

[2]https://en.wikipedia.org/wiki/The_Screwfly_Solution

1
0

CloudFlare probes mystery interception of site traffic across India

Alan J. Wylie

"conducting infection of host headers"

conducting infection of host headers

Perhaps "conducting inspection"?

2
0

Wannabe Prime Minister Andrea Leadsom thinks all websites should be rated – just like movies

Alan J. Wylie

Better than watching paint dry: https://en.wikipedia.org/wiki/Spider_trap.

And would the spider respect robots.txt?

1
0

ICO smacks lying spammers

Alan J. Wylie

CHANGE AND SAVE LTD Company number 08995065

https://beta.companieshouse.gov.uk/company/08995065

2
0

A trip to the Twilight Zone with a support guy called Iron Maiden

Alan J. Wylie

Nobody called Lady Mondegreen though?

It's Friday afternoon - I'll get my anorak.

5
0

The best way to find oxygen on Mars? Friggin LASERS, of course

Alan J. Wylie

Not a green laser.

http://www.msl-chemcam.com/index.php?menu=inc&page_consult=textes&rubrique=86&titre_url=ChemCam

The green color of the laser depicted above is for illustrative purposes

4
0

Telia engineer error to blame for massive net outage

Alan J. Wylie

Cloudflare post-mortem on the Jun 20th incident

Also mentions one on the 17th

https://blog.cloudflare.com/a-post-mortem-on-this-mornings-incident/

0
0

Astroboffins discover rapid 'electric winds' blowing on Venus

Alan J. Wylie
Coffee/keyboard

"It's amazing and shocking,"

Groan.

2
0

Belgian brewery lays 3.2km beer pipeline

Alan J. Wylie

Even better than the vinegar pipeline over the A38(M)

http://www.cbrd.co.uk/motorway/a38m

End of an era as HP factory closes

[Reminisces] - 20+ years ago I worked on the functional specification for the lane control system on the A38(M).

1
0

Picture this: Live 'net congestion maps for sysadmins

Alan J. Wylie

Smokeping

There are already many SmokePing graphs out there, e.g. a quick google for "smokeping linx" returns

http://saturn.retrosnub.co.uk/cgi-bin/smokeping.cgi?target=london.be

which leads to

http://saturn.retrosnub.co.uk/cgi-bin/smokeping.cgi?target=london

0
0

MITRE fighter says CVE delays are no laughing matter, names bug ROFL in branding protest

Alan J. Wylie

Several people have recently left the CVE Editorial Board

Casper Dik

Matt Bishop

Panos Kampanakis

Gene Spafford

Casper and Spaf are, of course, very well known names.

2
0

Gillian Anderson: The next James Jane Bond?

Alan J. Wylie

Charlie Stross

The Jennifer Morgue

Spoiler alert: to say any more would be giving far too much away.

Loose lips sink ships.

8
0

Google still faces legal spat with SEO biz that claimed it was wiped from web

Alan J. Wylie

central London?

a company with five global offices including one in central London

http://www.eventuresworldwide.com/pages/contact-inquiries/contact-us

United Kingdom: 90 Long Acre, Covent Garden, London, WC2E 9RZ

http://www.regus.co.uk/locations/office-space/london-covent-garden

Again: 90 Long Acre, Covent Garden, London, WC2E 9RZ

http://www.regus.co.uk/products/virtual-offices/index.aspx

Virtual offices

A business address in the right place and a local contact number answered in your company name can make all the difference in business.

Our professional teams will manage your calls and handle your mail. You get a choice of prestigious addresses for your business and use of all Regus Business Centres worldwide.

2
0

Nuisance caller fined a quarter of a million pounds by the ICO

Alan J. Wylie

Re: Add

The Insolvency Commissioner's blog today has an interesting post on the subject:

Insolvency law – why rogue directors trying to avoid fines face a rocky ride

(some snippets)

The job of the insolvency practitioner is to review the conduct of a company’s directors before the business became insolvent. That investigation can look at the directors’ action as much as six years before the insolvency, and even further if there are criminal claims.

Following the review, the insolvency practitioner will prepare a director report which is to be filed with the Insolvency Services, and if the report demonstrates unfit conduct, the director can face serious sanctions:

...

Up to ten years imprisonment, a fine or both:

* Fraudulent trading ...

Up to 7 years imprisonment, a fine or both:

* Fraud in anticipation of winding up ...

8
0

Popular cache Squid skids as hacker pops lid

Alan J. Wylie

The bug has been fixed in an official release

A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.

It's Bug 4501, fixed in 3.5.18

http://bazaar.launchpad.net/~squid/squid/3.5/view/head:/ChangeLog

Changes to squid-3.5.19 (09 May 2016):

- Regression Bug 4515: interception proxy hangs

Changes to squid-3.5.18 (06 May 2016):

- Bug 4510: stale comment about 32KB limit on shared memory cache entries

- Bug 4509: EUI compile error on NetBSD

- Bug 4501: HTTP/1.1: normalize Host header

- Bug 4498: URL-unescape the login-info after extraction from URI

- Bug 4455: SegFault from ESIInclude::Start

- Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program

- Fix TLS/SSL server handshake alert handling

3
0

Page:

Forums