Posts by JeffUK

108 posts • joined 28 Sep 2009

Are you a Tory-voting IT contractor? Congrats! Osborne is hiking your taxes

JeffUK

Re: Annoys me sooo much

so.. who's the mug?

1
0

Pan Am Games: Link to our website without permission and we'll sue

JeffUK

Ironic, that theregister tries to impose conditions upon people linking to their website..

"The Register permits any website to link to any of our stories, provided it clearly states its source and does not include the full text of the story on its own site"

Pretty much implying that they too believe it is within their power to permit (or not) people to link to their site.

0
3

LastPass got hacked: Change your master password NOW

JeffUK

Re: Physical security?

Dd1LctNOwbu1twat3g!

Ok. that's 19.. but easy to remember:

Deep down in Louisiana close to New Orleans ...

The fact you have to use tricks like that, or technology, to 'remember' passwords just proves why we need to find a better option.

0
0
JeffUK

Re: Once again ...

OWASP's Application Security Verification Standard is a good starting point. It has some weight to it (a lot of people have heard of OWASP) and it's quite pragmatic in its approach.

0
0
JeffUK

Re: My method

Red Lion

The Globe

Hunters Rest

Greengate

or

Watergrove

Am I Close?

1
0
JeffUK

Re: You see...

Nah, get them tattooed on the bottom of your foot; that way you'll almost certainly notice if someone steals them.

0
0
JeffUK

Re: I need to access my accounts ...

One option, off the top of my head: take a piece of paper, write your passwords on it, stick it in your wallet.

That way, you'll know what they all are (primary function), they will be almost completely secure (primary requirement) and you'll know who has access to them, and if/when they've been stolen.

Don't have to be particularly techno-savvy to drive a biro.

2
0
JeffUK

Re: OOH OOH!!! I know what the weak point is

You're basically storing all of your passwords on someone else's computer, using software you have no way of validating, running on servers whose configuration you have no way of validating.

I always get looked at like the internet-age version of a luddite for saying 'maybe some things shouldn't be on the cloud' ... but I'm glad I stuck to my principles on this one.

5
1
JeffUK

There's no guarantee all of your passwords haven't been exposed.

Step 1: Hack the webserver

Step 2: Change the code on the page that shows you your passwords, after they're decrypted to also save them somewhere on the server in plaintext

Step 3: ????

Step 4: Profit!

0
1

City of birth? Why password questions are a terrible idea

JeffUK

Off the top of my head; assume they do actually have access to a working email account. (Pushing the 'password reset' problem onto the email provider, in effect) But if everyone did this, you'd only need one password anyway...

Log them in by sending a one-time link to that email that sets an authentication cookie. They want to log in again, they click 'log in' and get a new link via email.

Simples.

0
0
JeffUK

I failed to create an account with a certain UK bank because they required me to provide answers to 3 of 10 'secret questions' and I didn't know/have answers to any of them..

E.g. I don't have a 'Favourite colour' because I'm not 7.

4
0

Never trust a developer who says 'I can fix this in a few minutes'

JeffUK

Re: Trust

As I responded to a complaint of "You only changed one line of code, why did it take so long?"

"Changing one line of code: 3 minutes"

"Changing the right line of code: 3 weeks"

3
0

Robots.txt tells hackers the places you don't want them to look

JeffUK

Re: Yes.

These days it's all in the big blue bin marked 'confidential shredding'... which someone comes every day to wheel out, without anyone checking their ID.....

8
0
JeffUK

Re: It has it's uses

Those pen testers were clearly idiots then.

Besides, since when have penetration tests been 'pass or fail'? Normally they return a long list of recommendations of varying degrees of severity. Do you mean they raised the existence of robots.txt as an issue? If so, what severity issue was it? If it was 'informational' I can see their point...

1
0
JeffUK

Lots of people saying 'Old news', of course it is, but that does beg the question of how so many sites still get it so badly wrong?

One genuine failing in the article is that it doesn't even mention the right solution, which is to use a Robots meta tag within resources you want to hide like

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">

So the file will be ignored IF a spider finds it, but won't be advertised via the robots.txt file; this only works for HTML resources, though.

The bigger 'take away', of course, is the fact that you should never rely on obscurity as your only security; if you don't want files to be accessible, block/control access on the server-side.

0
1

Feds: Bloke 'HACKED PLANE controls' – from his PASSENGER seat

JeffUK

Re: Lemmings !

"On-board avionics are secured through fire-walls." Surely implying that they're separated by software only, and not air-gapped... anything is possible.

2
0

Law changed to allow GCHQ hacking ... just as GCHQ hauled into court for hacking

JeffUK

Re: Read the statement carefully

Only if an act of parliament is passed allowing the TV license man to hack into your PC...

You missed the bit where it says :

“enactment” means any enactment, whenever passed or made, contained in—

(a) an Act of Parliament;

(b) an Act of the Scottish Parliament;

(c) a Measure or Act of the National Assembly for Wales;

(d) an instrument made under any such Act or Measure;

(e) any other subordinate legislation (within the meaning of the Interpretation Act 1978);

0
0

Hacker 3D prints device that can crack a combo lock in 30 seconds

JeffUK

11:10, to anyone wondering if/when he shows it working.

0
0

Watch: Nasty JPEG pops corporate locks on Windows boxes

JeffUK

Re: Nasty JPG

It's a bit more subtle than that, but not much more. I think it's a nasty script that is also a valid JPEG, so if you check that the user has uploaded a valid JPEG, it works, but it also executes as a valid .aspx.

I think..

0
0

Dating site PAYS cracker for stealing creds

JeffUK

Re: Moving ever on and upward rapidly .......

"That's a nice website you've got here, would be a shame if something was to ... happen to it."

0
0

Instead of public sector non-jobbery, Martha, how about creating REAL entrepreneurs?

JeffUK

Re: Digital

I think, from prolonged observation of the 'digital' tribe, they are talking about what we used to call 'software', normally web applications and mobile applications with some sort of back-end.

The main distinguishing feature of 'digital' over 'software' is that the products have names that are comprised mostly of made up words that sound like real words; and the logos have rounded corners. Very much like the teletubbies.

2
0
JeffUK

Re: I've got an idea - implement it!

As someone said, Joseph Bazalgette became famous for pumping shit OUT of people's homes...

13
0

Popular crypto app uses single-byte XOR and nowt else, hacker says

JeffUK

Re: I've seen worse

I've seen an enterprise-level finance package that 'encrypted' its passwords using ROT-1

2
0
JeffUK

We read it, but reject the assertion that downvoting your post makes us 'look dumb.' Besides, for the non-technical user trying to hide files from their non-technical friends this encryption scheme is probably sufficient.

9
2

GCHQ: Ensure biz security by STOPPING everyone from TALKING

JeffUK

Good to see el Reg living up to its famed journalistic integrity... Reporting on what the Telegraph said that GCHQ said, rather than bothering to read the report.

On mobile phones, they ACTUALLY said :

“Mobile working offers great business benefit but exposes the organisation to risks that will be challenging to manage. Mobile working extends the corporate security boundary to the user’s location. It is advisable for organisations to establish risk-based policies and procedures that cover all types of mobile devices and flexible working if they are to effectively manage the risks.”

8
0

£280k Kickstarter camera trigger campaign crashes and burns

JeffUK

Re: Risk?

As their FAQ says:

"..backers must understand that Kickstarter is not a store. When you back a project, you’re helping to create something new — not ordering something that already exists. There’s a chance something could happen that prevents the creator from being able to finish the project as promised"

Then no, you didn't misunderstand at all.

6
0

What do UK and Iran have in common? Both want to outlaw encrypted apps

JeffUK

Re: Ironic

The problem is that, without scanning all traffic, it's impossible to identify which bits of data are to/from your suspect. If they have a device that you're not aware of, or use a properly encrypted VPN connection to get onto the interweb (or both), how do you find which traffic is from them without reading it first to find out?

0
0

SpaceX in ROCKET HOVERSHIP PRANG: 'Close – but no cigar,' says Musk

JeffUK

Re: Why land on a barge?

Because a barge can move many hundreds of miles around the sea to catch stages that finish their burn at different times/places.

More practically there isn't a desert to the east of Florida until you get to the Sahara, and the first stage wouldn't make it that far and have enough fuel to control its descent.

0
0

Most convincing PHISHING pages hoodwink nearly half of you – Google

JeffUK

Re: Hardly surprising

Except when the legitimate domain for the secure site is something like bankname-online.com rather than bankname.com. If the phisher used bankname-secure.com how would a user know the difference?

0
0
JeffUK

Re: Do they check if the data is legitimate?

My record is 2 hours, and I got them to call me back 3 times...

1
0

Frustration with Elite:Dangerous boils over into 'Refund Quest'

JeffUK

YOU GET TO FLY A SPACE SHIP, IT'S FUN!

I can't be the only person who cares whether a game is fun first and foremost...

Definitely feel sorry for people who can't play because it's on-line only; but a lot of people seem to be having a tantrum over "BUT I WANTED OFFLINE PLAY" and forgetting to actually enjoy the game.... I feel even more sorry for them.

6
11

'We're having panic attacks' ... Sony staff and families now threatened in emails

JeffUK

Re: IT industry

LOL

0
0

Drone in NEAR-MISS with passenger jet at Heathrow airport

JeffUK

Do you also propose licensing LiPo batteries, brushless motors, polystyrene and radio control transmitters (which can also be used for RC cars/boats)?

Because if you're not, anyone with YouTube and a hot glue gun could make a 'drone' without a license.

0
2

Two driverless cars stuffed with passengers are ABOUT TO CRASH - who should take the hit?

JeffUK

Re: This is not even a logical question.

In game theory that's called the Minimax Algorithm: find the 'worst case' outcome of every action, and pick the action with the best 'worst case.'

2
0

Red Bull does NOT give you wings, $13.5m lawsuit says so

JeffUK

Re: Really?

Probably not; the actual complaint seems to be that it doesn't metaphorically 'give you wings' any more than anything else with caffeine in it, rather than the fact it doesn't literally give you wings.

The suit says:

“Even though there is a lack of genuine scientific support for a claim that Red Bull branded energy drinks provide any more benefit to a consumer than a cup of coffee, the Red Bull defendants persistently and pervasively market their product as a superior source of ‘energy’ worthy of a premium price over a cup of coffee or other sources of caffeine.”

1
0

Salesforce: Oh no! Dyre RATs are thirsty for our customers' logins

JeffUK

Re: Motive?

Yep! People have been selling stolen client lists for decades. It would also be a goldmine for social engineering, e.g. if MegaSoft was using Salesforce for post-sales support, you could find a user with an open trouble ticket, and send them some malware as a 'fix.' Only the very paranoid would spot that one.

0
0

Get ready: The top-bracket young coders of the 2020s will be mostly GIRLS

JeffUK

What the author is trying to demonstrate is that he's been asked by an editor to jump on the 'Exam results' bandwagon, so had to make something out of the IT results regardless of whether there's any real story.

0
0

UK data watchdog broke data law, says UK data watchdog

JeffUK

Re: Stop press

"To be fair, public or private seems to be absolute no barrier to being utterly clueless "

Fixed that for you

1
0

British cops cuff 660 suspected paedophiles

JeffUK

They seem to be shy to say how many of those arrested were actually charged, and subsequently convicted of anything.

So this story so far is that 660 people are innocent of any wrongdoing (until proven otherwise)..... which is a bit of a non-story.

2
0

Do YOU work at Microsoft? Um. Are you SURE about that?

JeffUK

To be fair, a lot of the people who call the office claiming to be "Calling From Microsoft" don't actually work for Microsoft either.

0
0

'CAPTAIN CYBORG': The wild-eyed prof behind 'machines have become human' claims

JeffUK

Re: So much to do, so little time...

There's an argument that one of the IBM chess-playing supercomputers passed the Turing test, not because it beat Kasparov, but because he was convinced that one particular move had direct human intervention.

0
0

Stephen Fry MADNESS: 'New domain names GENERATE NEW IP NUMBERS'

JeffUK

"Stephen Fry is an English comedian, actor, writer, presenter, and activist" ... Why exactly should we care that he made a mistake about network protocols?

0
0

Vinyl-fetish hipsters might just have a point

JeffUK

Re: Vinyl-fetish hipsters don't have a point

The sound of the 'Degauss' button on a CRT monitor that hasn't been degaussed in years is one of the best sounds in the world :)

0
0

Scariest NSA revelation yet: Spooks are RUBBISH at CIPHERS

JeffUK

Unless I'm sorely mistaken, the NSA were operating in 2001, and quite evidently didn't succeed in protecting anyone from anything.

3
0

Think-tank to infosec: You're doing it wrong

JeffUK

The most interesting question is whether we're building our economy on systems that we have no right to believe will be available to us for as long as we would like.

If Amazon decided that 'cloud' was no longer something they wanted to be involved in and turned all their AWS servers off with the minimum notice, unless one of the other providers made the commercial decision to pick up the slack (and had the capacity) there would be a lot of companies that wouldn't survive, and the people using the services of those companies would struggle for a bit too.

2
0

Most Americans doubt Big Bang, not too sure about evolution, climate change – survey

JeffUK

I'm not so sure on a lot of those

I know that under-using them allows resistant bacteria to survive; I just don't know if over-using them is an issue.

The mental illness one sounds too easy to not be a trick question.. I'd actually be hesitant with that one.

The age of the universe/world, I have no idea if those numbers are correct. I also know that the 'big bang' theory fits all of the observable evidence, but the way that question is worded makes it sound a bit too simplistic for me to say it's absolutely true.

1
0

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

JeffUK

Re: Authorised

Well I can tell you, lots of pen-testing companies don't do due diligence! I don't ever remember a pen testing firm asking me to confirm my identity...

0
0
JeffUK

Re: Authorised

I've always wondered that. E.g. if someone called me asking for a penetration test to be performed on their network, signed all the normal contracts etc., then turned out to be either someone without the proper authorization, or someone completely unrelated to the company... who would be liable? Is there a precedent for this sort of thing?

2
0
