* Posts by JeffUK

99 posts • joined 28 Sep 2009


City of birth? Why password questions are a terrible idea

JeffUK

Off the top of my head: assume they do actually have access to a working email account (pushing the 'password reset' problem onto the email provider, in effect). But if everyone did this, you'd only need one password anyway...

Log them in by sending a one-time link to that email that sets an authentication cookie. They want to log in again, they click 'log in' and get a new link via email.

Simples.

0
0
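The one-time-link flow the post sketches, written out as an added example (not the commenter's or any site's own code): a random token is issued, only its hash is stored server-side, it is consumed on first use and expires after a constructed 15-minute TTL, and a successful redemption mints an HMAC-signed session cookie. The base URL, the in-memory store and the secret are placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: sha256(token) -> (email, expires_at).
# A real service would persist this; storing only the hash means a leaked
# table does not yield usable login links.
TOKEN_TTL_SECONDS = 15 * 60
_pending = {}


def issue_login_link(email, base_url="https://example.invalid/login", now=None):
    """Create a single-use login link for `email` and return the URL to e-mail out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = (email, now + TOKEN_TTL_SECONDS)
    return f"{base_url}?token={token}"


def redeem_token(token, now=None):
    """Return the e-mail the token was issued for, or None.

    The record is popped before the expiry check, so a token is consumed on
    its first presentation whether it was valid or stale.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.pop(digest, None)
    if record is None:
        return None
    email, expires_at = record
    if now > expires_at:
        return None
    return email


def make_session_cookie(email, secret, now=None, ttl=30 * 24 * 3600):
    """Build the cookie value 'email|expiry|mac' set after a successful redemption."""
    now = time.time() if now is None else now
    payload = f"{email}|{int(now + ttl)}"
    mac = hmac.new(secret, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{mac}"


def verify_session_cookie(cookie, secret, now=None):
    """Return the e-mail from a valid, unexpired cookie, else None.

    The MAC is checked with compare_digest before the payload is parsed, so
    a tampered or forged cookie never reaches the expiry logic.
    """
    now = time.time() if now is None else now
    payload, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    email, _, expiry = payload.rpartition("|")
    if now > int(expiry):
        return None
    return email


if __name__ == "__main__":
    # Constructed walk-through: issue, redeem once, fail on replay.
    secret = b"constructed-server-secret"
    url = issue_login_link("alice@example.invalid")
    token = url.split("token=", 1)[1]
    who = redeem_token(token)
    cookie = make_session_cookie(who, secret)
    print("first redemption:", who)
    print("replay:", redeem_token(token))
    print("cookie verifies for:", verify_session_cookie(cookie, secret))
```

The expiry on the link is what limits the window during which the e-mail account itself becomes the password, which is the trade-off the post points out.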
JeffUK

I failed to create an account with a certain UK bank because they required me to provide answers to 3 of 10 'secret questions' and I didn't know/have answers to any of them.

E.g. I don't have a 'Favourite colour' because I'm not 7.

4
0

Never trust a developer who says 'I can fix this in a few minutes'

JeffUK

Re: Trust

As I responded to a complaint of "You only changed one line of code, why did it take so long?"

"Changing one line of code: 3 minutes"

"Changing the right line of code: 3 weeks"

2
0

Robots.txt tells hackers the places you don't want them to look

JeffUK

Re: Yes.

These days it's all in the big blue bin marked 'confidential shredding'... which someone comes every day to wheel out, without anyone checking their ID.....

8
0
JeffUK

Re: It has it's uses

Those pen testers were clearly idiots then.

Besides, since when have penetration tests been 'pass or fail'? Normally they return a long list of recommendations of varying degrees of severity. Do you mean they raised the existence of robots.txt as an issue? If so, what severity issue was it? If it was 'informational' I can see their point...

1
0
JeffUK

Lots of people saying 'Old news', of course it is, but that does beg the question of how so many sites still get it so badly wrong?

One genuine failing in the article is that it doesn't even mention the right solution, which is to use a Robots meta tag within resources you want to hide, like

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">

So the file will be ignored IF a spider finds it, but won't be advertised via the robots.txt file. This only works for HTML resources, though.

The bigger 'take away', of course, is the fact that you should never rely on obscurity as your only security; if you don't want files to be accessible, block/control access on the server-side.

0
1
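The two points in the post, a NOINDEX/NOFOLLOW meta tag on hidden HTML and server-side access control as the real protection, combined in an added example (not the commenter's code or any real site's). It goes one step beyond the post by also setting the `X-Robots-Tag` response header, which carries the same directive for non-HTML resources such as PDFs. The resource table, the session flag and the body contents are constructed; the framework-free `serve()` handler stands in for whatever web server would actually run this.

```python
# Constructed resource table: path -> (is_private, content_type, body bytes)
RESOURCES = {
    "/index.html": (False, "text/html",
                    b"<html><head></head><body>Welcome</body></html>"),
    "/private/report.html": (True, "text/html",
                             b"<html><head></head><body>Quarterly numbers</body></html>"),
    "/private/report.pdf": (True, "application/pdf",
                            b"%PDF-1.4 constructed placeholder"),
}

ROBOTS_META = b'<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">'
ROBOTS_HEADER = "noindex, nofollow"


def robots_txt():
    """Public crawler policy. Private paths are deliberately NOT listed:
    a Disallow line would advertise exactly what we want kept quiet."""
    return "User-agent: *\nDisallow:\n"


def serve(path, authenticated):
    """Return (status, headers, body) for a request.

    Access to private resources is decided here, on the server, regardless
    of what any crawler has or has not been told. The robots directives are
    only added on successful responses, as a courtesy to well-behaved spiders.
    """
    entry = RESOURCES.get(path)
    if entry is None:
        return 404, {"Content-Type": "text/plain"}, b"not found"

    private, ctype, body = entry
    headers = {"Content-Type": ctype}

    if private:
        if not authenticated:
            # The real control: deny unless the session is authorised.
            return 403, {"Content-Type": "text/plain"}, b"forbidden"
        # Header form works for any content type; the meta tag only for HTML.
        headers["X-Robots-Tag"] = ROBOTS_HEADER
        if ctype == "text/html":
            body = body.replace(b"<head>", b"<head>" + ROBOTS_META, 1)

    return 200, headers, body


if __name__ == "__main__":
    print(robots_txt())
    for path in ("/private/report.html", "/private/report.pdf", "/index.html"):
        for auth in (False, True):
            status, headers, body = serve(path, auth)
            print(f"{path} auth={auth}: {status} {headers.get('X-Robots-Tag', '-')}")
```

The order matters: the 403 branch runs before any robots hint is attached, so an unauthenticated crawler (or anyone else) learns nothing about the resource beyond the fact that it is forbidden.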

Feds: Bloke 'HACKED PLANE controls' - from his PASSENGER seat

JeffUK

Re: Lemmings !

"On-board avionics are secured through fire-walls " Surely implying that they're separated by software only, and not air-gapped... anything is possible.

2
0

Law changed to allow GCHQ hacking ... just as GCHQ hauled into court for hacking

JeffUK

Re: Read the statement carefully

Only if an act of parliament is passed allowing the TV license man to hack into your PC...

You missed the bit where it says :

“enactment” means any enactment, whenever passed or made, contained in—

(a) an Act of Parliament;

(b) an Act of the Scottish Parliament;

(c) a Measure or Act of the National Assembly for Wales;

(d) an instrument made under any such Act or Measure;

(e) any other subordinate legislation (within the meaning of the Interpretation Act 1978);

0
0

Hacker 3D prints device that can crack a combo lock in 30 seconds

JeffUK

11:10, to anyone wondering if/when he shows it working.

0
0

Watch: Nasty JPEG pops corporate locks on Windows boxes

JeffUK

Re: Nasty JPG

It's a bit more subtle than that, but not much more. I think it's a nasty script that is also a valid JPEG, so if you check that the user has uploaded a valid JPEG, it works, but it also executes as a valid .aspx.

I think..

0
0

Dating site PAYS cracker for stealing creds

JeffUK

Re: Moving ever on and upward rapidly .......

"That's a nice website you've got here, would be a shame if something was to ... happen to it."

0
0

Instead of public sector non-jobbery, Martha, how about creating REAL entrepreneurs?

JeffUK

Re: Digital

I think, from prolonged observation of the 'digital' tribe, they are talking about what we used to call 'software', normally web applications and mobile applications with some sort of back-end.

The main distinguishing feature of 'digital' over 'software' is that the products have names that are comprised mostly of made up words that sound like real words; and the logos have rounded corners. Very much like the teletubbies.

2
0
JeffUK

Re: I've got an idea - implement it!

As someone said, Joseph Bazalgette became famous for pumping shit OUT of people's homes...

13
0

Popular crypto app uses single-byte XOR and nowt else, hacker says

JeffUK

Re: I've seen worse

I've seen an enterprise-level finance package that 'encrypted' its passwords using ROT-1

2
0
JeffUK

We read it, but reject the assertion that downvoting your post makes us 'look dumb.' Besides, for the non-technical user trying to hide files from their non-technical friends this encryption scheme is probably sufficient.

9
2

GCHQ: Ensure biz security by STOPPING everyone from TALKING

JeffUK

Good to see el Reg living up to its famed journalistic integrity... Reporting on what the Telegraph said that GCHQ said, rather than bothering to read the report.

On mobile phones, they ACTUALLY said:

“Mobile working offers great business benefit but exposes the organisation to risks that will be challenging to manage. Mobile working extends the corporate security boundary to the user’s location. It is advisable for organisations to establish risk-based policies and procedures that cover all types of mobile devices and flexible working if they are to effectively manage the risks.”

8
0

£280k Kickstarter camera trigger campaign crashes and burns

JeffUK

Re: Risk?

As their FAQ says:

"..backers must understand that Kickstarter is not a store. When you back a project, you’re helping to create something new — not ordering something that already exists. There’s a chance something could happen that prevents the creator from being able to finish the project as promised"

Then no, you didn't misunderstand at all.

6
0

What do UK and Iran have in common? Both want to outlaw encrypted apps

JeffUK

Re: Ironic

The problem is that without scanning all traffic, it's impossible to identify which bits of data are to/from your suspect. If they have a device that you're not aware of, or use a properly encrypted VPN connection to get onto the interweb (or both), how do you find which traffic is from them without reading it first to find out?

0
0

SpaceX in ROCKET HOVERSHIP PRANG: 'Close – but no cigar,' says Musk

JeffUK

Re: Why land on a barge?

Because a barge can move many hundreds of miles around the sea to catch stages that finish their burn at different times/places.

More practically there isn't a desert to the east of Florida until you get to the Sahara, and the first stage wouldn't make it that far and have enough fuel to control its descent.

0
0

Most convincing PHISHING pages hoodwink nearly half of you – Google

JeffUK

Re: Hardly surprising

Except when the legitimate domain for the secure site is something like bankname-online.com rather than bankname.com. If the phisher used bankname-secure.com how would a user know the difference?

0
0
JeffUK

Re: Do they check if the data is legitimate?

My record is 2 hours, and I got them to call me back 3 times...

1
0

Frustration with Elite:Dangerous boils over into 'Refund Quest'

JeffUK

YOU GET TO FLY A SPACE SHIP, IT'S FUN!

I can't be the only person who cares whether a game is fun first and foremost...

Definitely feel sorry for people who can't play because it's on-line only; but a lot of people seem to be having a tantrum over "BUT I WANTED OFFLINE PLAY" and forgetting to actually enjoy the game....feel even more sorry for them.

6
11

'We're having panic attacks' ... Sony staff and families now threatened in emails

JeffUK

Re: IT industry

LOL

0
0

Drone in NEAR-MISS with passenger jet at Heathrow airport

JeffUK

Do you also propose licensing LIPO Batteries, Brushless Motors, polystyrene and Radio Control transmitters (which can also be used for RC cars/Boats)?

Because if you're not, anyone with YouTube and a hot glue gun could make a 'drone' without a license.

0
2

Two driverless cars stuffed with passengers are ABOUT TO CRASH - who should take the hit?

JeffUK

Re: This is not even a logical question.

In game theory that's called the Minimax Algorithm. Find the 'worst case' outcome of every action, and pick the action with the best 'worst case.'

2
0

Red Bull does NOT give you wings, $13.5m lawsuit says so

JeffUK

Re: Really?

Probably not, the actual complaint seems to be that it doesn't metaphorically 'give you wings' any more than anything else with caffeine in it, rather than the fact it doesn't literally give you wings.

The suit says:

“Even though there is a lack of genuine scientific support for a claim that Red Bull branded energy drinks provide any more benefit to a consumer than a cup of coffee, the Red Bull defendants persistently and pervasively market their product as a superior source of ‘energy’ worthy of a premium price over a cup of coffee or other sources of caffeine.”

1
0

Salesforce: Oh no! Dyre RATs are thirsty for our customers' logins

JeffUK

Re: Motive?

Yep! People have been selling stolen client lists for decades. It would also be a goldmine for social engineering, e.g. If MegaSoft was using salesforce for post-sales support, you could find a user with an open trouble ticket, and send them some malware as a 'fix.' Only the very paranoid would spot that one.

0
0

Get ready: The top-bracket young coders of the 2020s will be mostly GIRLS

JeffUK

What the author is trying to demonstrate, is that he's been asked by an editor to jump on the 'Exam results' bandwagon, so had to make something out of the IT results regardless of whether there's any real story.

0
0

UK data watchdog broke data law, says UK data watchdog

JeffUK

Re: Stop press

"To be fair, public or private seems to be absolute no barrier to being utterly clueless "

Fixed that for you

1
0

British cops cuff 660 suspected paedophiles

JeffUK

They seem to be shy to say how many of those arrested were actually charged, and subsequently convicted of anything.

So this story so far is that 660 people are innocent of any wrongdoing (until proven otherwise)..... which is a bit of a non-story.

2
0

Do YOU work at Microsoft? Um. Are you SURE about that?

JeffUK

To be fair, a lot of the people who call the office claiming to be "Calling From Microsoft" don't actually work for Microsoft either

0
0

'CAPTAIN CYBORG': The wild-eyed prof behind 'machines have become human' claims

JeffUK

Re: So much to do, so little time...

There's an argument that one of the IBM Chess playing supercomputers passed the Turing test. not because it beat Kasparov, but because he was convinced that one particular move had direct human intervention.

0
0

Stephen Fry MADNESS: 'New domain names GENERATE NEW IP NUMBERS'

JeffUK

"Stephen Fry is an English comedian, actor, writer, presenter, and activist" ... Why exactly should we care that he made a mistake about network protocols?

0
0

Vinyl-fetish hipsters might just have a point

JeffUK

Re: Vinyl-fetish hipsters don't have a point

The sound of the 'Degauss' button on a CRT monitor that hasn't been degaussed in years is one of the best sounds in the world :)

0
0

Scariest NSA revelation yet: Spooks are RUBBISH at CIPHERS

JeffUK

Unless I'm sorely mistaken, the NSA were operating in 2001, and quite evidently didn't succeed in protecting anyone from anything.

3
0

Think-tank to infosec: You're doing it wrong

JeffUK

The most interesting question is whether we're building our economy on systems that we have no right to believe will be available to us for as long as we would like.

If Amazon decided that 'cloud' was no longer something they wanted to be involved in and turned all their AWS servers off with the minimum notice; unless one of the other providers made the commercial decision to pick up the slack (And had the capacity) there would be a lot of companies that wouldn't survive, and the people using the services of those companies would struggle for a bit too.

2
0

Most Americans doubt Big Bang, not too sure about evolution, climate change – survey

JeffUK

I'm not so sure on a lot of those

I know that under-using them allows resistant bacteria to survive; I just don't know if over-using them is an issue.

The mental illness one sounds too easy to not be a trick question.. I'd actually be hesitant with that one.

The age of the universe/world, I have no idea if those numbers are correct. I also know that the 'big bang' theory fits all of the observable evidence, but the way that question is worded makes it sound a bit too simplistic for me to say it's absolutely true.

1
0

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

JeffUK

Re: Authorised

Well I can tell you, lots of pen-testing companies don't do due diligence! I don't ever remember a pen testing firm asking me to confirm my identity...

0
0
JeffUK

Re: Authorised

I've always wondered that. E.g. if someone called me asking for a penetration test to be performed on their network, signed all the normal contracts etc., then turned out to be either someone without the proper authorization, or someone completely unrelated to the company... who would be liable? Is there a precedent for this sort of thing?

2
0
JeffUK

Section 3 of the Computer Misuse Act relates to impairing the operation of a computer. I'd have thought section 1 would be more relevant:

"he causes a computer to perform any function with intent to secure access to any program or _data_ held in any computer " Bang to rights imho

0
0

Brit boffins brew up blight-resistant FRANKENSPUD

JeffUK

Re: Can anybody point me at ANYTHING that is not GMO?

Yeah, if someone now used this information to breed a potato with these exact same genes the old-fashioned way, no-one would have a problem. You could actually have two identical products, one which would be legal to sell and one that would not be legal to sell... that would be an interesting test-case!

1
0

Adobe users' purloined passwords were PATHETIC

JeffUK

Re: Hang on

I was thinking exactly the same. These lists of passwords from sites that have been hacked show that people use rubbish passwords for sites which were subsequently hacked ... showing that they've chosen wisely in using a throwaway password for them.

0
0

Your kids' chances of becoming programmers? ZERO

JeffUK

Re: How it really was

Yeah yeah, you had to walk 10 miles uphill (both ways) to the printer after being beaten to death by the computer salesman, only to find the printer had stolen your car, girlfriend and mother..

Actually that's pretty much my relationship with printers to this day.

1
0
JeffUK

Yeah, it's looking like my generation (born in the early 80s) are the last of a dying breed. When I started work, I knew more about computers than most of the people already working, and I expected that the new graduates would be able to run rings around me, but that doesn't seem to be the case.

I think there's an analogy with cars: my dad can change the head gasket on an engine, because in the '70s, if you couldn't, you might as well not bother getting a car. I, on the other hand, just had to google "head gasket" to check it's a real thing...

I can program, because my first computers were equally useless without being able to.

0
0

London Underground cleaners to refuse fingerprint clock-on

JeffUK

Re: Compromise

IANAL but I can think of: obtaining money by deception, conspiracy to commit fraud, fraud, breaches of the Health and Safety at Work Act. Just off the top of my head.

2
2

Serial killer hack threat to gas pipes, traffic lights, power plants

JeffUK

Re: An attacker therefore just has to wait for a valid user to authenticate

So the attacker sends the 'destroy all humans' command to the device once a minute, for the next year. Repeat the above for 365 devices that are 'only connected to once a year' and you've got plenty to be getting on with!

2
0
JeffUK

Re: Telnet and FTP. Seriously.

Network Security 102: the meaning of the word 'All'

2
0
JeffUK

Re: dynamic IP

Nope, sounds like it's coming in over the internet. So you'll get the MAC of the router at the next hop. Not the originating host.

0
0
