* Posts by djack

227 posts • joined 16 Jun 2009


Security? We haven't heard of it, says hacker magnet VTech

djack

In a previous article about security vulnerabilities, I argued that imposing criminal charges for producing an insecure service or product was counterproductive, but there should be serious consequences for flagrant negligence, especially in how the company responds to the issue.

This is one example of where somebody at 'c' level needs to be facing the beak.

0
0

Ducks, Lord of the Rings, movies and maths: The GCHQ Xmas puzzle solutions revealed

djack

Re: Get on with your job.

This sort of thing could be a very useful way of training the mind and thought patterns. Often thinking about something else lets you gain inspiration about the problem you are actually needing to solve.

Besides, they have already said that the puzzles were designed in people's spare time.

4
0

FTC: Duo bought rights to Android game – then turned it into ad-slinging junkware in an update

djack

How about some actual useful laws that prevent developers and manufacturers from making mandatory detrimental changes to a product after purchase?

(Yes, I'm still bitter that my PS3 had half of its functionality removed and was then turned into a karaoke machine, with the option of playing some games.)

18
0

Speednames 'fesses up, admits customers' emails are borked

djack

Re: Exactly

"Email delivery is unbelievably unreliable and should not be used as a mission critical business tool."

That's almost totally incorrect.

Email is (usually) an extremely reliable transmission method with notification when things go awry. Usually if things just disappear it's because of a fault at the very start of the chain or at the very end - I've seen some mail servers (not just Exchange) 'successfully' deliver email to a user's mailbox when actually just putting it in the local bit-bucket. This is the email equivalent of the dog shredding your mail after the postie has put it through the door.

When mail disappears in transit, it is usually because some 'intelligent' spam or content filter has taken exception to the message (or error notification) and binned it. This is (IMO) intentional breakage of the system rather than unreliability. It's not the post-office's fault if you deliberately disregard your bills.

If sites or mail servers en route disappear, then mail will be queued and regularly retried. If, after a while (usually several days), delivery is abandoned, then an error notification is generated and sent back to the sender.

Mail is designed to be a reliable system. It takes a significant (or extremely unlucky) network and server breakage to just lose mail in transit. What it is not designed to be is instant or even fast. It's a measure of its success and reliability that many people assume that it is meant to be instant.

If something is business critical, it is likely time-critical, in which case email is not the solution (and should be followed up by a phone call, which is instant), but otherwise it is one of the best methods to communicate in long form.

3
0

Rooting your Android phone? Google’s rumbled you again

djack

Re: To all of you with older phones...

"While I agree with your sentiment I must point out that some custom ROMs, like CyanogenMod, actually don't execute as rooted by default."

Lucky you. I installed CM11 (or maybe 12) on my Galaxy S3 when Samsung stopped issuing updates.

There seemed nothing that I could do to make the Barclays mobile app not claim my phone was rooted. I know that there were a few settings to try and prevent the detection of the 'root', but none of it did the trick.

1
0
djack

To all of you with older phones...

Your manufacturer no longer sends out patches for your device. You have two options..

* Continue using your device for financial stuff and have the whole thing compromised exposing all that data to the bad guys.

* Have a secure device but lose the ability to do financial stuff with it.

Bloody typical.

It's not just Google that has this idiotic mindset; banks do that too with their mobile banking apps.

21
3

Stop the music! Booby-trapped song carjacked vehicles – security prof

djack

Re: Bury your head in the sand and it will all go away

"But why would anybody want to hack this?"

Yeah, I encounter that attitude all too often. My usual response is to point out that somewhere nearby there will likely be a bus stop with any glass panels smashed up. I admit I can't understand why people do that and then expand that people do nonsensical things for no sensible reason. At that point, realisation dawns in the other party.

It doesn't really help as nine times out of ten, they won't fix it anyways.

4
0

'No safe level' booze guidelines? Nonsense, thunder stats profs

djack

I know it's not good for me...

... not drinking, that is.

I decided to go 'dry' for the first three weeks of the year and I've surprisingly succeeded without any problems. Apparently you are meant to feel better for it, but I've had more random aches and pains and twinges this past fortnight than ever before.

Glad that I get to have a beer tonight

5
0

Nest thermostat owners out in the cold after software update cockup

djack

Wouldn't touch it with a barge pole

It and home automation is all well and good, but not when it relies on servers and services from other people. My house is my castle / security domain.

That said, problems are not solely restricted to software. My hardware heating timer control occasionally sticks leaving the house cold.

3
0

Juniper Networks planned upgrade kicks down some services

djack

Of course it's taking so long...

Those back-doors don't write themselves you know!

4
0

Call of Duty terror jabber just mindless banter

djack

Just 'Simple TLS'??

They claim that the PSN chat differs from Whatsapp in that whatsapp provides end to end message encryption whereas the PSN does not. This appears to be based solely on the fact that when they sniffed the PSN traffic they saw it was encrypted and transported using TLS.

They did not claim to have decrypted this TLS traffic or have any real knowledge of what it was.

Last time I looked at Whatsapp, I'm pretty sure I saw that it too was using TLS for all traffic.

TLS is just encryption of the transport layer between the client and server. It has no bearing on whether the traffic it carries is further encrypted in an end-to-end manner.

BTW, I have no knowledge on how PSN messaging actually operates but claiming that it does or does not implement certain features based purely on the use of TLS is just as faulty reasoning as that which they are trying to debunk.

2
0

HSBC online customers still in the cold after hours-long lockout

djack

Re: Just say ...

"So much for being called a 'British' bank."

When did it ever claim to be British? Surely the clue is in the name ...

Hongkong and Shanghai Banking Corporation

13
0

Juniper's VPN security hole is proof that govt backdoors are bonkers

djack

So, what has changed?

I'm a little confused. If you know the value of Q, you can decrypt the content of a VPN transmission. Doesn't the fix simply reset Q back to its previous (presumably) well-known value?

0
0

UK says wider National Insurance number use no longer a no-no

djack

Re: The US..

The NiNo can be used in ID fraud here too and should be protected.

The big problem in the US IIRC is that many organisations used their equivalent (the social security number, or SSN) as a handy identifier/username.

This allowed for mass linking of different datasets about people and of course many user account databases were improperly secured and 'leaked' people's SSN all over the shop.

No wonder that people are reluctant to give it out nowadays.

10
0

Google's SHA-1 snuff plan is catching up with Microsoft, Mozilla

djack

Re: Technical pedantry

It is being used as a signature for a known piece of data (the certificate). The clear-text is known so the risk isn't brute-forcing the value of the hash as in an attack against a credential database.

The risk is that it is seen that there is a greater potential to create a collision - that is, two documents with the same hash value. When a CA signs a certificate, basically they are computing a hash of the claims of the certificate and then encrypting that hash with their private key. So suppose I manage to create two sets of certificate data - one for, say, yourbank.com and another for mysite.com - and manage to arrange things so that these two different documents have the same SHA-1 hash. I send off my request to a CA to sign a cert for mysite.com. I can then use that same digital signature to forge a certificate file for yourbank.com and then use that as part of a man-in-the-middle attack.

1
1
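The signing model described in the comment above (signature = private-key operation over a hash of the certificate claims), worked through as an added example that is not part of the original post. Textbook RSA with tiny constructed primes and SHA-1 truncated to 16 bits stand in for a real CA key and a real SHA-1 collision, so the collision step is a cheap birthday search here; the `tbs_for`, `find_collision` and `serial_breaks_reuse` helpers and the serial value are assumptions for the illustration. It also shows the defensive point that a CA-chosen unpredictable serial, hashed together with the request, stops a precomputed collision from carrying over to what is actually signed.

```python
"""Why a hash collision in the to-be-signed (TBS) data lets one CA signature
be reused for a different certificate, and why a CA-injected unpredictable
serial number defeats a precomputed collision.  Constructed illustration:
textbook RSA with tiny primes and SHA-1 truncated to 16 bits stand in for a
real CA key and a real SHA-1 collision; nothing here is a real CA's code."""
import hashlib

# Toy RSA key (constructed; far too small for any real use).
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (needs Python 3.8+)

WEAK_BITS = 16                        # toy digest width: collisions are cheap


def weak_hash(data: bytes) -> int:
    """Truncated SHA-1, standing in for a hash whose collisions are practical."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - WEAK_BITS)


def ca_sign(tbs: bytes, serial: bytes = b"") -> int:
    """The CA 'encrypts' the hash of the TBS data with its private key.
    `serial` is data the CA itself prepends; empty models a CA that signs
    exactly what the requester supplied."""
    return pow(weak_hash(serial + tbs), D, N)


def verify(tbs: bytes, sig: int, serial: bytes = b"") -> bool:
    """Relying party: decrypt the signature with the public key and compare
    against its own hash of the certificate data."""
    return pow(sig, E, N) == weak_hash(serial + tbs)


def tbs_for(name: str, nonce: int) -> bytes:
    """Certificate claims: subject name plus a field the requester controls."""
    return f"CN={name};nonce={nonce}".encode()


def find_collision(benign: str, target: str):
    """Birthday search: two TBS blobs, one per name, with equal weak hash.
    Against full SHA-1 this step is the expensive cryptanalytic part."""
    seen = {}
    for i in range(1 << (WEAK_BITS + 2)):
        a = tbs_for(benign, i)
        seen[weak_hash(a)] = a
        b = tbs_for(target, i)
        if weak_hash(b) in seen:
            return seen[weak_hash(b)], b
    raise RuntimeError("no collision found")   # practically unreachable


def serial_breaks_reuse(benign: bytes, forged: bytes, serial: bytes) -> bool:
    """Does a CA-chosen serial, hashed along with the TBS, stop the reuse?
    The benign cert still verifies; the forged one should not."""
    sig = ca_sign(benign, serial)
    return verify(benign, sig, serial) and not verify(forged, sig, serial)


if __name__ == "__main__":
    benign, forged = find_collision("mysite.com", "yourbank.com")
    sig = ca_sign(benign)                    # CA signs the innocent request
    print("benign verifies:", verify(benign, sig))
    print("forged verifies with the same signature:", verify(forged, sig))
    print("reuse blocked by CA serial:",
          serial_breaks_reuse(benign, forged, b"serial=0x7f3a9c"))
```

With the 16-bit toy digest a serial defeats a given collision with probability about 1 - 2^-16 per serial; with a full-width hash and a properly random serial that residual chance is negligible.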
djack

Re: treat it like a self signed cert

Exactly. It's incredibly annoying when you don't know what systems you are dealing with ahead of time or - a real kicker - where it won't let you connect to a management interface in order to fix the problem!

At least make it an option in the advanced configuration screens.

0
0

There's an epidemic of idiots who can't find power switches

djack

Turn them all off

I had one many moons ago with a user over the phone. It became clear that the user had managed to lock the BIOS password, necessitating that he turn it off and on again. This is where the fun began.

Aside from him not knowing if he had a laptop or a desktop (he finally realised it was a desktop), he seemed totally incapable of turning off anything other than his monitor. As the chap had his own office I finally solved it by getting him to turn off every power socket in the room and then back on again.

4
0

Windows' authentication 'flaw' exposed in detail

djack

Re: Have I missed something?

" And there you have it - a perfectly secure computer."

You forgot relocation to the bottom of the Marianas Trench.

2
0
djack

Re: A silly(?) question

Krbtgt represents the secret key that underpins the Kerberos infrastructure.

2
0
djack

Have I missed something?

Disclaimer: it's early morning and pre-caffeine.

My reading of the article seems to indicate that there is some new attack. My reading of the blog post describes the established Kerberos attacks (ticket forgery and 'golden ticket'). The new stuff to me are the techniques to help detect such an attack.

Am I missing something?

6
0
djack

No you don't. You do need administration level access to the domain as this is a persistence method but unless your network is air-gapped, physical access to the infrastructure is unlikely to be needed.

4
1

Cisco forgot to install two LEDs in routers

djack

Not Just Cisco

I've got a Dell laptop that has no LEDs on the network port. I'm not sure if it was an error or penny-pinching.

I didn't know about the omission until I was with a client trying to find a live network cable.

7
0

GCHQ Christmas Card asks YOU the questions

djack

Massive file size

The JPG is over 500K. Considering that it is just a two colour image on a nonogram board, they could have reduced the file-size to just a few K without losing any content.

Now, the question is were they really that stupid, or is there some other data hidden in the file?

I really can't decide which of the two possibilities is the right one.

9
0

Enraged Brits demand Donald Trump UK ban

djack

Re: The guy is the hard-core Democrat's dream.

@ banalyzer

"On a different note,

Syrian McKellen?"

It works when said out loud

But in case you are still puzzling: Sir Ian McKellen

13
0

Superfish 2.0 worsens: Dell's dodgy security certificate is an unkillable zombie

djack

Service Tag

If memory serves, the service tag does a lot more than identify the model of the machine. It is the serial number and is tied to the original order. You can see all of the spec customisation and Dell presumably can identify the person who ordered the system in the first place.

9
0

Brit cops accused of abusing anti-terror laws to hunt colleague

djack

Re: Entirely too distracted

If memory serves, the cow killers were Northumbria police (a little further north).

6
0

Dev to Mozilla: Please dump ancient Windows install processes

djack

"When some shops have the same username and password for all employees across the board, then, to answer your question, yes."

In which case, you don't need anything else for privilege escalation.

As this issue DOES NOT require access to System32, the whole argument is moot. The issue does require some odd system management practices though.

6
0

We turn Sonos PLAY:5 up to 11

djack

Standard Compliance?

Will this thing fit in and play nicely with existing audio equipment on the network? Thought not.

IMO, anyone considering this would be far better off going to their local audio shop and getting a reasonable network aware AV receiver and whatever speakers their budget can afford.

For about the price of one of these things, I ended up with a full 5.1 system with a proper sub that makes film watching audibly pleasurable, uses my existing DLNA media server and control applications and plays Internet radio, Spotify etc.

I don't see the point in paying more for something that (probably) sounds worse, only works with its own proprietary stuff and has fewer features.

3
0

Ex-Microsoft craft ale buffs rattle tankard for desktop brewery

djack

Re: Kuerig for home-brew?

There are plenty of books with beer recipes in, so you can do that already.

0
0

ICO 'making enquiries' into bizarre shopper data spill at M&S

djack

The caching will have likely occurred within the M&S application server. It is common to cache common 'rendered' blocks of a built-up dynamic page.

My guess would have been some race condition within the authentication process.

5
0

Job alert: Is this the toughest sysadmin role on Earth? And are you badass enough to do it?

djack

Re: User Friendly

I thought that he stopped writing it a few years back and now just cycles through the archives.

7
0

Search engine can find the VPN that NUCLEAR PLANT boss DIDN'T KNOW was there - report

djack

Re: Experience at the sharp end

There is relatively little at the network level to prevent multiple machines having the same IP address. Indeed, it is often advantageous when it comes to clustering.

On Ethernet, it is possible for machines to independently have the same IP address. Each ARP request will result in multiple replies reaching the requesting host. Which machine the requestor believes has the IP address depends on the order in which the ARP responses are received.

The warnings you refer to are likely to be the host operating system doing a sanity check before trying to use an IP address.

Whilst there is some protection available on modern enterprise grade switches, this is often not enabled.

1
0
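The duplicate-IP situation described in the comment above, as an added example that is not part of the original post: a few constructed ARP reply records in a simplified `tcpdump`-like text form (not real capture output) are parsed, the requesting host's ARP cache is simulated with a short entry lifetime so the "winner" visibly flips with reply order, and every IP answered by more than one MAC is reported as the detection signal. The record format, the `ttl`/`window` parameters and all addresses are assumptions made for the illustration.

```python
"""Detect duplicate IP addresses from ARP replies and show why the host's
view of 'who has' an address depends on reply order.  Constructed sample
data in a simplified 'tcpdump -n arp'-like text form; not real capture output."""
import re
from collections import defaultdict

# Constructed: .1 asks who has .50 twice; two machines answer each time,
# in a different order the second time.
SAMPLE = """\
0.000 Request who-has 192.168.1.50 tell 192.168.1.1
0.001 Reply 192.168.1.50 is-at aa:bb:cc:00:00:01
0.004 Reply 192.168.1.50 is-at aa:bb:cc:00:00:02
0.010 Request who-has 192.168.1.51 tell 192.168.1.1
0.012 Reply 192.168.1.51 is-at aa:bb:cc:00:00:03
0.500 Request who-has 192.168.1.50 tell 192.168.1.1
0.503 Reply 192.168.1.50 is-at aa:bb:cc:00:00:02
0.504 Reply 192.168.1.50 is-at aa:bb:cc:00:00:01
"""

REPLY_RE = re.compile(r"^(\S+) Reply (\S+) is-at ([0-9a-f:]{17})$")


def parse_replies(text):
    """Return (timestamp, ip, mac) for every ARP reply line; requests are skipped."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            out.append((float(m.group(1)), m.group(2), m.group(3).lower()))
    return out


def simulate_cache(replies, ttl=0.2):
    """Requester's ARP cache, simplified: the first reply seen for an IP is
    stored and later replies are ignored until the entry is older than `ttl`
    seconds.  Returns the final ip->mac view and the list of cache writes."""
    cache, history = {}, []
    for ts, ip, mac in replies:
        entry = cache.get(ip)
        if entry is None or ts - entry[1] > ttl:
            cache[ip] = (mac, ts)
            history.append((ts, ip, mac))
    return {ip: mac for ip, (mac, _) in cache.items()}, history


def duplicate_ips(replies, window=60.0):
    """Detection: IPs claimed by more than one MAC within `window` seconds of
    the most recent reply for that IP.  Returns ip -> sorted list of MACs."""
    claims = defaultdict(dict)            # ip -> {mac: last_seen}
    for ts, ip, mac in replies:
        claims[ip][mac] = ts
    dupes = {}
    for ip, macs in claims.items():
        latest = max(macs.values())
        recent = sorted(m for m, t in macs.items() if latest - t <= window)
        if len(recent) > 1:
            dupes[ip] = recent
    return dupes


if __name__ == "__main__":
    replies = parse_replies(SAMPLE)
    view, writes = simulate_cache(replies)
    for ts, ip, mac in writes:
        print(f"{ts:.3f} cache {ip} -> {mac}")
    print("final view:", view)
    print("duplicate IPs:", duplicate_ips(replies))
```

The switch-side protection the comment alludes to is what Cisco calls Dynamic ARP Inspection (other vendors have equivalents), which drops ARP replies whose IP/MAC binding does not match a trusted (typically DHCP-snooped) table.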
djack

Re: Experience at the sharp end

They may have been left in place - when I was there, the reactor at SXB seemed to trip every week or so.

0
0
djack

Re: Why are industrial control systems designed by babes in the woods?

"It does go some way to highlight the incredibly low priority hardware upgrades get in around nukes"

It is necessarily a lower priority than "it must perform *exactly* to spec". Any change has to undergo costly and vigorous testing to ensure that, for example, something that previously took, say, 2.5ms still takes 2.5ms, no faster, no slower.

I was working at a Nuke site when we were migrating the business systems from Novell/Win3.1/WordPerfect to Windows NT Server/NT Workstation/Word. By far the most difficult bit was the word processor. Although the business/admin computer systems did not need to be at spec, new printouts of the site documentation, work orders and such had to look exactly as they did before.

4
0
djack

Re: Having Trident will keep us safe from attack

But Jezzer's* response would be to invite them round for a cup of tea whilst apologising for causing them the trouble of having to blow up the reactor.

I know which one of the two is the bigger deterrent.

* I totally agree with him on most of his policies but his attitudes towards defence scare the hell out of me.

1
9

XcodeGhost attack tapped into dev distaste for Apple's Gatekeeper

djack

The affected developers *have* got a valid developer key.

However, they are so used to using unsigned applications (i.e. produced by hobbyists or just test applications etc for whom the $99 is prohibitive) that they have disabled or routinely ignore the 'unsigned application' warnings when installing the XCode tools.

The binaries that they produce contain the spyware but the developers have no idea that this is the case and so get their infected produce signed using their own legitimate app store key.

It's not so much a case of anyone affected being cheap, more the convenience of a local download and a security system disabled as it is seen as more of a hindrance.

2
1

Doctor Who storms back in fine form with Season 9 opener The Magician's Apprentice

djack

Worried

I'm not sure whether I want the doc to 'exterminate' Davros or the hand mines. Either could work to be honest.

However I have the feeling that this story is going to go the same as most of the big bad storyline - Moffat can't think of a clever solution so they hit the metaphorical reset button and the universe goes back to how it was.

4
0

GCHQ wants to set your passwords. In a good way

djack

Doesn't quite work for me

I don't agree with the "no mandatory changes" advice. They say to force a change when there has been a compromise. Without complex, time-consuming and expensive monitoring, most people are not going to be able to detect any sort of stealthy compromise. The point of regularly changing passwords is to limit the length of exposure due to an undetected compromise.

Considering you can now do hardware 2FA for less than £30 a head for the lifetime of a key or even less with soft tokens on a mobile device, their time should be better devoted advocating 2FA rather than massaging the stinking corpse of password security.

2
5

'Major' outage at Plusnet borks Brits' browsing, irate folk finger DNS

djack

Re: not DNS, but routing issues

Such a routing failure makes large amounts of the Internet inaccessible. Traffic simply can't get there. Due to the fact that routers attempt to automatically correct around failures, this can mean that some sites are periodically accessible or accessible by one user and not another.

In this case, the DNS servers you were using were one of the parts of the network you couldn't reach (or the PN DNS servers couldn't reach other upstream DNS servers) so it looks to you like it's a DNS problem when the real problem actually lies elsewhere.

In your case, the sites you were trying to access were in the subset of the network you could actually reach. Lucky you :) - You would have found other sites that were inaccessible.

All the handwaving claiming that changing DNS servers fixes the issue just muddies the waters.

2
0
djack

Re: Routing or DNS

Yes, but all the insistence that it's a DNS issue won't help most people's issues, muddies the waters for people trying to troubleshoot on PN's side and may encourage people to fiddle with settings* that they really don't understand, make a mistake and then totally screw up their own connection.

Incorrect diagnosis is almost always counterproductive.

* That said, not using an ISP's DNS servers is almost always a good idea.

1
0
djack

@Andrew Martin 1

Same here, though I think there's been a couple of worse ones ('worse' defined as being unable to reach a work VPN to route around the problem).

Problems are few and far between - they may (like all other mainstream ISPs) have occasional issues with DNS, mail etc but I don't use those services.

Support has always been pretty good on the occasion I've had to use it and will quickly go off-script and provide actual help when they realise you know the difference between an IP packet and a box of teabags.

3
0
djack

not DNS, but routing issues

It was NOT a DNS issue but some routing SNAFU.

However, the problem stopped access to the DNS servers people were using - changing their DNS settings to point to some other server allowed them to resolve the address of a site that was reachable, hence the belief that the issue was DNS.

4
0

Jolla chief quits: Fawning Putin lickspittles to take over?

djack

Re: Errr

What is so wrong?

Looked about right to my fuzzy memory.

- A former 770, N810, N900 owner

0
0

Microsoft backports data slurp to Windows 7 and 8 via patches

djack

Re: nsatc.net

D'oh! I resolved just about everything else - never noticed that.

Good spot.

The resolved IP address in Brazil is for settings-win.data.microsoft.com

1
0
djack

Calling all conspiracy theorists..

settings-win.data.microsoft.com resolves to onesettings-db5.metron.live.com.nsatc.net

Guess which three letters will get the tin-foil hatters all riled up ;)

Hmm.

http://nsatc.net/ produces the standard Ubuntu Apache landing page.

Double Hm.

IP address is 191.232.139.253 which looks to be in Brazil.

What are the South American data protection laws like?

1
2

NCA targeted by Lizard Squad in apparent DDoS revenge attack

djack

Non-event for NCA

If the NCA have similar arrangements to their predecessor (SOCA) then the web site is hosted by an ISP totally unrelated to any of their other networks. Its only value to them is for PR; it is a convenient place to publish press releases.

4
0

Death to DRM, we'll kill it in a decade, chants EFF

djack

Re: People slowly realise how much of a problem it is

"Wouldn't that just cause transnationals to bail out of the EU"

No. They wouldn't abandon such a massive market.. and if being anti-consumer, anti-security and total lock-out freaks is more important to them than trading with the Europeans then we're better off without them.

It's the same argument as paying bankers massive bonuses and letting Starbucks and Amazon get away without paying tax. They may threaten to move away but they are almost certainly not going to abandon the market and profits here and if they do.. good riddance, there are plenty of local people who will do the job.

6
0

It's enough to get your back up: Eight dual-bay SOHO NAS boxes

djack

Re: RAID-0 FFS?

"If you have to have a backup in any case, what is the point of RAID in a normal home environment?"

RAID is for fault tolerance, backup is for disaster recovery.

Disks are relatively unreliable things and will break sooner or later. RAID gives you a bit of breathing space. Hopefully when a disk breaks, you will be able to get hold of a replacement and slot it into the array with little or no downtime or performance loss. Just relying on a backup may involve days of downtime waiting for drives to be delivered and restored.

Even though she has no idea what I'm babbling about, RAID (and UPS) are vital components for a high Wife Acceptance Factor. Indeed, the ability to play crappy rom-com films at a moment's notice (while I'm away) is pretty much business critical.

0
0

Someone at Subway is a serious security nerd

djack

Re: Subway devs employ security by design

"Security is fine where appropriate, and banks should definitely do this stuff, but ordering a sandwich just doesn't justify this"

I'm not even sure that banks should be doing some of the checks that they do. Such as rooted device checking. I was given the choice of running a stock firmware with known vulnerabilities (updates no longer being produced by the manufacturer) and being able to use my bank's app, or running an updated custom firmware that my bank deems to be insecure.

13
0

Make Adama proud: Connect your Things wisely, cadet

djack

Re: Admiral Adama

Adama was the commander of the only remaining Battlestar warship. It was used in a previous war with the 'Cylons' (a robot-like race) and Galactica was due to be moth-balled as a museum piece. As such it was not retro-fitted with up-to-date kit that was networked together and with a central mainframe for efficiency. Adama, as a veteran himself, distrusted such intercommunication between devices. His distrust was dismissed as being anachronistic and paranoid.

Sure enough, the Cylons returned, compromised the mainframe and pretty much instantly disabled/destroyed the entire defence system apart from Galactica.

11
0
