Posts by JeffUK

134 posts • joined 28 Sep 2009


Ducks, Lord of the Rings, movies and maths: The GCHQ Xmas puzzle solutions revealed

JeffUK

I found it interesting that they made it progressively harder to cheat on the puzzles; they could have made it impossible to cheat from the start, but chose not to (brute forcing #2 was made possible when they could have just hashed the answer like they did in #3, for instance). I took this as a sign that cheating was allowed and did so to get to level 4... then I gave up, because I couldn't work out how to cheat and I hate number sequence puzzles.

0
0

This is why copy'n'paste should be banned from developers' IDEs

JeffUK

Re: It's all about the annual review

Message_First_Word = 'H' + \
'e' + \
'l' + \
'l' + \
'o'

etc. etc.

0
0

Lincolnshire council IT ransomware flingers asked for ... £350

JeffUK

Re: I'm not buying the "0-day exploit" story.

Well; it was a zero-day at some point...

1
0
JeffUK

Re: Zero Day Exploit

I'm guessing the IT service providers, or the AV company, told them 'It was a zero day, that's why it wasn't stopped' and they have no reason not to believe them.

I've been told that an Excel macro virus was 'A Zero Day' just because the AV signatures didn't pick it up. The AV crowd have realised that if they define 'Zero Day' as 'Anything we miss' they can get away with murder.

0
0

NSA’s top hacking boss explains how to protect your network from his attack squads

JeffUK

He's pretty much just talked through the syllabus of a CEH course... not exactly ground-breaking insights!

0
0

It's 2016 and idiots still use '123456' as their password

JeffUK

Sampling bias

Massive sampling bias here... These are passwords from sites that have been hacked... So it only tells you that people use crap passwords for sites that can't be trusted.

Also, these passwords were either A. stored in plaintext, in which case complexity is irrelevant, or B. stored hashed, in which case only easily crackable passwords would be released; skewing the results even further.

ALSO... as all the 'good' passwords are probably unique, they will never be at the top of the list of passwords. So the non-unique passwords will inherently have more people using them.

The more I think about it, the more meaningless this information becomes.

0
0

Trustwave failed to spot casino hackers right under its nose – lawsuit

JeffUK

Re: Budgets, constraints and

Something I've experienced before is security companies giving assurances that they shouldn't give based on the scope of the testing, and not giving adequate caveats.

E.g. testing a web application and not testing the infrastructure yet declaring a web service 'secure.'

0
0

'T-shaped' developers are the new normal

JeffUK

Re: |Hmmm... click bait

Agile: I literally had someone tell me "We don't want all the project management and testing, can't we just use agile?"

Certainly, but you'll want to double your budget for project management and testing...

0
0
JeffUK

Except in the wacky world of "Manufacturing Execution Systems" where enterprise and embedded collide...

0
0
JeffUK

Re: small iterative changes will be the norm

Ha! A more accurate analogy would be building the second, third and fourth floor anyway and papering over any subsequent cracks (or calling them 'features') until it all falls over... then you leave the rubble where it lies and start building again.

0
0

Windows for Warships? Not on our new aircraft carriers, says MoD

JeffUK

Re: Ah joke wallpaper ...

(Except for Johnny Castaway of course)

Just gave me a massive wave of nostalgia. Someone's compiled the whole lot into this youtube vid:

https://www.youtube.com/watch?v=PqXIKeTVcyA

3
0

T'was the night before Christmas, and an industrial control system needed an upgrade

JeffUK

Re: “A less than really sharp manager agreed,”

As per the Dilbert Principle.. the 'less than sharp' people are consistently promoted to management positions where they can do the least amount of damage. Sounds like WG's manager is due a promotion.

3
0

Screenshot malware targeted innocent online poker players

JeffUK

I wonder if this was invented by a Criminal mastermind by the name of Rolando ... we will never know.

0
0

Electrician cuts wrong wire and downs 25,000 square foot data centre

JeffUK

We had a few occasions where truck drivers tried to drive off with our forklift drivers still in the trailer unloading... after discussing lots of high-tech and convoluted processes to stop it happening we solved it for £5, by putting a hook on each of the roller-doors in the loading bay.

When the truck comes in, their keys are hung on the hook before the roller-door is opened, leaving the keys hanging 15ft in the air. Then they physically can't get their keys back (or drive off) until the door's closed again.

25
0
JeffUK

Re: opps

Nope, Risk = Impact X Likelihood .. The boss asked for the likelihood of something going wrong; OP assumed that he was aware of the Impact.

22
0

Russian nuke plant operator to build on-site data centre

JeffUK

Re: Can't see why nuclear power is a danger for a data center

Presumably it helps provide some measure of guaranteed base load for the reactor. For cloud processing, you could even offer discounted cycles based on excess power generation (Amazon have a 'run X when it's cheap' option.)

4
0
JeffUK

Re: Whole new level

But there's only one nuclear power plant on site....

2
0

Cyber-terror: How real is the threat? Squirrels are more of a danger

JeffUK

Re: Cyber Warfare vs things that go boom

Someone in the local area took out a major transmission mast with a badly (well?) aimed firework a few years ago... (Google 'Morborne transmitter')

0
0

Doctor Who: Even the TARDIS key can't unpick the chronolock in Face the Raven

JeffUK

I think they've left themselves an 'out' here.

When the first guy got killed, one of the guards said something like "Don't run,... why do they always run?" implying that running is somehow a bad idea, even though they're facing 'certain death' .. so I wonder if there is a catch in there about it only working if you're scared or some other hand waving ..

We shall see.

0
0

CIA boss uses AOL email – and I hacked it, claims stoner teen

JeffUK

Re: I'm not sure which is funnier...

Pretty sure that sentence could do with a comma! "was motivated by opposition to US Foreign policy, and support for Palestine"

2
0

Here are the God-mode holes that gave TrueCrypt audit the slip

JeffUK

Re: Lateral thinking

Yeah, although unfortunately this probably falls under the 'conspiracy theory' banner simply because there's no way of proving it either way, I'm tempted to agree with you!

Without other supporting evidence, there's no way of telling the difference between a genuine vulnerability and a cleverly placed backdoor.

6
1

It's alive! Farmer hides neglected, dust-clogged server between walls

JeffUK

Had something similar in a potato store/pack house: They'd re-lined the inside of their old warehouse with PVC panels, over the top of all of the network points, 3 wireless access points, AND the door leading to the cupboard with the communications rack in.

I just stood there for 5 minutes looking between my site map, and the place in the wall where the door should have been.

1
0

Want your kids to learn coding? Train the darn teachers first

JeffUK

Re: Dunno for teachers, but ...

"or just RTFM and have 2 cents of common sense as an architect." .. ityf 2 cents makes you a Senior Architect

0
0

Virgin Galactic SpaceShipTwo crackup verdict: PILOT ERROR

JeffUK

Re: Seems little margin for error...

Interlocking anything to speed relies on the measuring devices working perfectly. e.g. if you couldn't lower your landing gear unless the plane believed you were under 80kts, and your air speed indicator failed (frozen pitot tube f'rinstance) it would be somewhat inconvenient to have to get out and fix the problem prior to landing.

0
0

Krebs: I know who hacked Ashley Madison

JeffUK

The most popular of the passwords he was able to successfully crack...

0
0

ClearSky: Keeping your premises free of unwanted clouds

JeffUK

Re: "having [..] storage silos is a costly nightmare of managing [..] storage infrastructure"

You have exactly the same problem if you have a centralised data centre. In both scenarios, of course you would keep things local that have a true high-availability requirement. There are, however, lots of other reasons not to want to hand over all your data to a start-up . . .

0
0

Are you a Tory-voting IT contractor? Congrats! Osborne is hiking your taxes

JeffUK

Re: Annoys me sooo much

so.. who's the mug?

1
0

Pan Am Games: Link to our website without permission and we'll sue

JeffUK

Ironic, that theregister tries to impose conditions upon people linking to their website..

"The Register permits any website to link to any of our stories, provided it clearly states its source and does not include the full text of the story on its own site"

Pretty much implying, that they too believe it is within their power to permit (or not) people to link to their site.

0
3

LastPass got hacked: Change your master password NOW

JeffUK

Re: Physical security?

Dd1LctNOwbu1twat3g!

Ok. that's 19.. but easy to remember:

Deep down in Louisiana close to New Orleans ...

The fact you have to use tricks like that, or technology, to 'remember' passwords just proves why we need to find a better option.

0
0
JeffUK

Re: Once again ...

OWASP's Application Security Verification Standard is a good starting point. It has some weight to it (a lot of people have heard of OWASP) and it's quite pragmatic in its approach.

0
0
JeffUK

Re: My method

Red Lion

The Globe

Hunters Rest

Greengate

or

Watergrove

Am I Close?

1
0
JeffUK

Re: You see...

Nah, get them tattooed on the bottom of your foot; that way you'll almost certainly notice if someone steals them.

0
0
JeffUK

Re: I need to access my accounts ...

One option, off the top of my head: take a piece of paper, write your passwords on it, stick it in your wallet.

That way, you'll know what they all are (primary function), they will be almost completely secure (primary requirement) and you'll know who has access to them, and if/when they've been stolen.

Don't have to be particularly techno-savvy to drive a biro.

2
0
JeffUK

Re: OOH OOH!!! I know what the weak point is

You're basically storing all of your passwords on someone else's computer, using software you have no way of validating, running on servers whose configuration you have no way of validating.

I always get looked at like the internet-age version of a luddite for saying 'maybe some things shouldn't be on the cloud' ... but I'm glad I stuck to my principles on this one.

5
1
JeffUK

There's no guarantee all of your passwords haven't been exposed.

Step 1: Hack the webserver

Step 2: Change the code on the page that shows you your passwords, after they're decrypted to also save them somewhere on the server in plaintext

Step 3: ????

Step 4: Profit!

0
1

City of birth? Why password questions are a terrible idea

JeffUK

Off the top of my head; assume they do actually have access to a working email account. (Pushing the 'password reset' problem onto the email provider, in effect) But if everyone did this, you'd only need one password anyway...

Log them in by sending a one-time link to that email that sets an authentication cookie. They want to log in again, they click, 'log in' and get a new link via email.

Simples.

0
0
JeffUK

I failed to create an account with a certain UK bank because they required me to provide answers to 3 of 10 'secret questions' and I didn't know/have answers to any of them..

E.g. I don't have a 'Favourite colour' because I'm not 7.

4
0

Never trust a developer who says 'I can fix this in a few minutes'

JeffUK

Re: Trust

As I responded to a complaint of "You only changed one line of code, why did it take so long?"

"Changing one line of code: 3 minutes"

"Changing the right line of code: 3 weeks"

3
0

Robots.txt tells hackers the places you don't want them to look

JeffUK

Re: Yes.

These days it's all in the big blue bin marked 'confidential shredding'... which someone comes every day to wheel out, without anyone checking their ID.....

8
0
JeffUK

Re: It has its uses

Those pen testers were clearly idiots then.

Besides, since when have penetration tests been 'pass or fail'? Normally they return a long list of recommendations of varying degrees of severity. Do you mean they raised the existence of robots.txt as an issue? If so, what severity issue was it? If it was 'informational' I can see their point...

1
0
JeffUK

Lots of people saying 'Old news', of course it is, but that does beg the question of how so many sites still get it so badly wrong?

One genuine failing in the article is that it doesn't even mention the right solution, which is to use a Robots meta tag within resources you want to hide like

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">

So the file will be ignored IF a spider finds it, but won't be advertised via the robots.txt file; this only works for HTML resources though.

The bigger 'take away', of course, is the fact that you should never rely on obscurity as your only security; if you don't want files to be accessible; block/control access on the server-side.

0
1
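As an added example (not code from the post or from The Register), a minimal Python request handler contrasting the three options in the comment above: a robots.txt that advertises the private path, the same NOINDEX, NOFOLLOW directive delivered as the X-Robots-Tag HTTP header (which, unlike the meta tag, also covers non-HTML files), and server-side access control as the real protection. The prefix /internal/, the sample robots.txt texts and the requests are constructed assumptions for the demo.

```python
# Added example (not code from the forum post or from The Register): one
# minimal request handler contrasting the three options the post discusses.
# The prefix, the sample robots.txt files and the requests are constructed.
from typing import Dict, List, Tuple

PROTECTED_PREFIX = "/internal/"  # assumed private area; never advertised

# Weak practice: robots.txt itself tells every reader where to look.
LEAKY_ROBOTS = "User-agent: *\nDisallow: /internal/\nDisallow: /cgi-bin/\n"


def robots_txt() -> str:
    """Corrected robots.txt: the private area is simply not mentioned."""
    return "User-agent: *\nDisallow: /cgi-bin/\n"


def disallowed_paths(text: str) -> List[str]:
    """Exactly what a reader of robots.txt learns: each Disallow is a hint."""
    out = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            out.append(value.strip())
    return out


def handle(path: str, authenticated: bool) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers) for a request.

    Server-side access control is the real protection: anything under
    PROTECTED_PREFIX is 403 for unauthenticated callers no matter what a
    crawler has discovered. The X-Robots-Tag header carries the same
    NOINDEX, NOFOLLOW directive as the <META NAME="ROBOTS"> tag but is sent
    for any content type, so it also covers the non-HTML files the post
    notes the meta tag cannot protect.
    """
    if path == "/robots.txt":
        return 200, {"Content-Type": "text/plain"}
    headers = {"Content-Type": "application/octet-stream"}
    if path.startswith(PROTECTED_PREFIX):
        headers["X-Robots-Tag"] = "noindex, nofollow"
        if not authenticated:
            return 403, headers
    return 200, headers
```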

Feds: Bloke 'HACKED PLANE controls' – from his PASSENGER seat

JeffUK

Re: Lemmings !

"On-board avionics are secured through fire-walls" Surely implying that they're separated by software only, and not air-gapped... anything is possible.

2
0

Law changed to allow GCHQ hacking ... just as GCHQ hauled into court for hacking

JeffUK

Re: Read the statement carefully

Only if an act of parliament is passed allowing the TV license man to hack into your PC...

You missed the bit where it says :

“enactment” means any enactment, whenever passed or made, contained in—

(a) an Act of Parliament;

(b) an Act of the Scottish Parliament;

(c) a Measure or Act of the National Assembly for Wales;

(d) an instrument made under any such Act or Measure;

(e) any other subordinate legislation (within the meaning of the Interpretation Act 1978);

0
0

Hacker 3D prints device that can crack a combo lock in 30 seconds

JeffUK

11:10, to anyone wondering if/when he shows it working.

0
0

Watch: Nasty JPEG pops corporate locks on Windows boxes

JeffUK

Re: Nasty JPG

It's a bit more subtle than that, but not much more. I think it's a nasty script that is also a valid JPEG, so if you check that the user has uploaded a valid JPEG, it works, but it also executes as a valid .aspx.

I think..

0
0

Dating site PAYS cracker for stealing creds

JeffUK

Re: Moving ever on and upward rapidly .......

"That's a nice website you've got here, would be a shame if something was to ... happen to it."

0
0

Instead of public sector non-jobbery, Martha, how about creating REAL entrepreneurs?

JeffUK

Re: Digital

I think, from prolonged observation of the 'digital' tribe, they are talking about what we used to call 'software', normally web applications and mobile applications with some sort of back-end.

The main distinguishing feature of 'digital' over 'software' is that the products have names that are comprised mostly of made up words that sound like real words; and the logos have rounded corners. Very much like the teletubbies.

2
0
JeffUK

Re: I've got an idea - implement it!

As someone said, Joseph Bazalgette became famous for pumping shit OUT of people's homes...

13
0

Popular crypto app uses single-byte XOR and nowt else, hacker says

JeffUK

Re: I've seen worse

I've seen an enterprise-level finance package that 'encrypted' its passwords using ROT-1

2
0
