Re: Good job
The session with the Joint Committee is available here
198 posts • joined 5 Jan 2010
I watched the episode on parliament TV where the committee questioned Mrs May. It was pretty clear that she had very little clue as to how her own draft bill might work; repeating platitudes and evading questions into details all the way by either offering further clarification in writing later or quoting unnamed experts and businesses as basically agreeing with the bill and its implementation. It was a farce.
The committee appeared to have no teeth and seemed as if they were afraid to dig deeper on vaguely answered questions. So I'm positively surprised that they did flag their concerns in the report.
Mrs May should really lose her job over this (but probably won't). She tried twice to get extensive snooping into law - and failed twice.
Exactly. Just like ditching iOS devices (last year?), this move away from proprietary and increasingly cloud-centric software comes as no surprise at all, except for the rather late realisation. It's a sensible decision, because let's face it: if US agencies wanted the data on Russia that was hoovered by Apple, Google, M$ et al., they would get it. This is quite easily labelled as "in the interest of national security," hence nobody is going to stop that from happening silently.
Other governments, even if they align themselves closer to the West than the East, should quite frankly do the same.
Facebag / Googhoul / Microsap
Have an upvote for those creative names! Still laughing.
The customer called TalkTalk with regards to issues with his broadband after the breach. Engineer came around, and then again after that, some rogue would-be engineer knew all the details about the visit, including the engineer's name and the customer's account details.
There are several options here:
* engineer leaked data to rogue third party
* call centre shared data with rogue third party
* rogue third party compromised TalkTalk's network and still had live access to the system used to handle engineer visits after the breach
Given TalkTalk's track record, the last option almost seems most likely. In good old TalkTalk tradition, I expect the next major breach to make headlines within a month or two...
"arbitrary detention" on the parts of the UK and Sweden, and called for his immediate release
This makes no sense. He hasn't been detained by the UK or Sweden. He skipped bail and arbitrarily detained himself in the Ecuadorian embassy to avoid facing trial relating to rape allegations.
If the US really wanted him so badly, they would have got him before he holed himself up in his Knightsbridge accommodation. The UK and US are closer allies than the Swedes and the US. He would have been safer going to Sweden. (And I wish he had done so, because he wasted a considerable amount of tax money already.)
Why should the UK (or Sweden) compensate him for anything? He was free to leave the embassy at any time. Yes, he would be properly detained for breaching the conditions of his bail, but that's his own fault.
Do the UN have any information in relation to the US's alleged intentions of bringing him there and the UK and Sweden being accomplices in that plot? If that were true, the UN's decision would make more sense. Otherwise it just doesn't.
Consider a device that's pingable, responds to SNMP and can even accept traffic but despite being online in every monitored way, still fails to route, drops 85% of its packets and kicks you out of the console every 10 seconds - those, my friends, are the ones that cause f**k-ups like this.
Valid point, but it doesn't take so many hours to resolve during daytime! In a scenario like that you'd probably send over the person who can be there quickest (often some junior techie) and instruct them to pull cables of certain colours or with certain labels. Connectivity is already severely affected, there's little risk of making things worse.
They'd shit themselves, but do it, and bang you're back online, because your failover kit is configured properly and takes over in a snap. When reinforcements arrive, they can work out and resolve the issue.
More likely that they did a not-rolling update, indeed. Always a good idea to apply changes to all parts of a redundant infrastructure simultaneously...not.
Or maybe, BT are readers of El Reg's new DevOps column and embrace the concept of automated (and unattended) deployments, and especially failure being a good thing!
About 2 hours after the outage began, @BTCare posted that "Engineers are now on site" (God knows where they had been, but that's another issue), and less than an hour later my Infinity connection is working like a charm again (so were those of other users).
So they determined that the router is faulty and repaired/replaced it within an hour? But it takes them two hours to even get on site? A company of that size doing manual fail-over? Hard to believe.
My money is on human error to do with the purchase of EE (and network changes related to that). But admitting failure is of course becoming increasingly politically incorrect. Attributing failure to others (kit and people) is the way to go.
The strange name Malwarebytes suddenly makes a lot of sense.
This will be going to the ECJ sooner rather than later and will be struck down again.
Let's hope so.
Has the "snapshot of SuSE's findings" been edited in any way? Because out of those five points, only one ("high difficulty") seems to be specific to OpenStack. The rest is just talking about private cloud in general terms.
So yeah, sounds like a bit of self-serving PR. OpenStack is quite a messy and constantly evolving affair, so from that point of view I can relate to the criticism of it being highly difficult to implement. Avoiding vendor lock-in is not necessarily a cheap option in the long run. Depends on the use case and scale of the "private cloud" (man I hate this term).
They've had increasing latency and packet loss throughout the day, but since around 2pm it's completely unusable (Infinity, south-west Essex).
Plan B, that is Giffgaff 4G tethering here, works well enough for the most important stuff, though.
...that Windows 8, 8.1 and 10 combined have less than half of Windows 7's market share even though M$ stopped selling new Windows 7 licenses many moons ago and has been forcing Windows 10 down everybody's throat.
Indeed. I wonder what came out of the arrests of a bunch of youths in the aftermath of the "sophisticated cyber attack".
...it's just a question of time until this ends up before the ECHR. The fundamental right to privacy is thoroughly trampled upon with this bill - for everybody in the UK (and quite possibly outside, because when I use VoIP to call people outside of the UK, and therefore generate one of those obscure ICRs, their privacy is indirectly affected too)
So please, if HM Gov want to go ahead with this, do it quick, before Joe and Jane Public will have their say whether or not we'll stay in the EU. I dearly hope the UK population is not going to vote for leaving the EU as that removes safeguards against their own government (namely European courts).
"As it states. If you are using PGP, Tor, or any of a bunch of other things, you are flagged as a person who is possibly interesting. This reduces the subset of search targets immensely."
It does reduce the group of search targets. But it doesn't exactly help in any way shape or form if - like in recent terror attacks in Europe - it has been established that no encryption whatsoever was used. They figured that out in hindsight. In other words too late. Maybe they had already been focussing too much on encrypted stuff, who knows.
Also, I would expect that encryption in any way shape or form is most commonly used by businesses rather than individuals, especially VPNs. But then again, they may be much more interested in trade secrets than combating terrorism (which has caused a negligible number of deaths in comparison to car accidents, fatal injuries at home and what have you).
"I'd suspect they get quite a bit of extra info when the correspondents do their key lookups and/or verifications against whichever keyserver or directory they are using."
Okay that's a very good point. On the other hand, the recipients I use PGP with have never published their keys. No keyserver comms happening if the key is present (imported by other means) and trusted already.
PGP as such is not chatty and doesn't (have to) contain any metadata. The email (as the most common transport medium) is.
So how the NSA are getting any more metadata and links between participants in a conversation from a PGP message as opposed to a plaintext email is beyond me.
If it's just the old prejudice that everybody who uses encryption has something to hide and/or is naughty, then it's old hat. Let them log/store all encrypted emails, if they like. There's about the same metadata in them as in plaintext emails. Time to attach PGP encrypted cat pictures and videos to every message. Or hide PGP encrypted stuff in attached pictures (steganography). Or both.
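The exchange above is about what an observer who has no keys can read off a PGP message. As an added illustration (not part of the post, and not gpg's own code), the following parses the OpenPGP packet framing of a constructed encrypted message per RFC 4880: the recipient key ID in each public-key encrypted session key (PKESK) packet is the one piece of metadata the format carries, and the hidden-recipient convention (gpg's --hidden-recipient / -R) replaces it with zeros. The sample message, key ID and "ciphertext" bytes are constructed placeholders; a real RSA session key MPI would be 2048 bits or more. On a real message, `gpg --list-packets` prints the same information.

```python
"""Parse OpenPGP packet framing (RFC 4880) without any key material, to show
what an observer can and cannot read from an encrypted message.
Added example; the sample message below is constructed, not real ciphertext."""
import struct

# Packet tags from RFC 4880 section 4.3 (subset)
TAG_NAMES = {1: "PKESK", 2: "SIG", 3: "SKESK", 4: "ONEPASS", 8: "COMPRESSED",
             9: "SED", 11: "LITERAL", 18: "SEIPD"}
# Public-key algorithm IDs from RFC 4880 section 9.1 and RFC 6637
PK_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "Elgamal", 18: "ECDH"}


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Frame `body` as a new-format packet (RFC 4880 section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n2 = n - 192
        length = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def parse_packets(data: bytes):
    """Yield (tag, body) for each old- or new-format packet in `data`."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                  # new format header
            tag = ctb & 0x3F
            b1 = data[i + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[i + 2] + 192, 3
            elif b1 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                           # old format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:                                       # indeterminate: rest of input
                length, hdr = len(data) - i - 1, 1
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def summarize(message: bytes) -> dict:
    """Return the metadata visible from the framing alone: packet sequence,
    recipient key IDs and algorithms, and how much opaque ciphertext follows."""
    recipients, tags, ciphertext = [], [], 0
    for tag, body in parse_packets(message):
        tags.append(TAG_NAMES.get(tag, f"tag{tag}"))
        if tag == 1:                     # PKESK: version(1) key-id(8) algo(1) MPI(s)
            key_id = body[1:9].hex()
            recipients.append({
                "key_id": key_id,
                "algo": PK_ALGOS.get(body[9], str(body[9])),
                # all-zero key ID is the hidden-recipient convention: the
                # recipient must try the session key against each of their keys
                "hidden": key_id == "0" * 16,
            })
        elif tag == 18:                  # SEIPD: version(1) then opaque ciphertext
            ciphertext += len(body) - 1
    return {"packets": tags, "recipients": recipients, "ciphertext_bytes": ciphertext}


def build_sample() -> bytes:
    """Constructed sample: one normal and one hidden-recipient PKESK, then an SEIPD
    packet. The key ID, MPI and body bytes are placeholders, not real ciphertext."""
    mpi = b"\x00\x10\xab\xcd"            # 16-bit MPI placeholder
    pkesk_known = new_format_packet(1, b"\x03" + bytes.fromhex("0123456789abcdef") + b"\x01" + mpi)
    pkesk_hidden = new_format_packet(1, b"\x03" + b"\x00" * 8 + b"\x01" + mpi)
    seipd = new_format_packet(18, b"\x01" + bytes(range(1, 41)))   # version 1 + 40 opaque bytes
    return pkesk_known + pkesk_hidden + seipd


if __name__ == "__main__":
    print(summarize(build_sample()))
```

The summary shows exactly one recipient key ID, one hidden recipient, and 40 bytes of ciphertext whose content, sender and subject are not recoverable from the packets; everything else an observer learns about the conversation comes from the e-mail envelope around the message, which is the point made in the post.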
Doesn't really work like that though. Bean counters only care about the here and now. Tomorrow only matters, if you can show them how you are going to save costs then.
Costs related to possible security breaches is something they refuse to hear, because it's - in their minds - hypothetical. "Won't happen to us," is still a very common mind set, not only among bean counters. Costs related to improving security therefore are just that... costs.
The *only* way to change this attitude is to impose hefty fines or criminal proceedings against individuals (somewhere at or close to C-level, or comparable position in the public sector).
As seen here with Talk Talk and other companies, the prospect of losing money is a minor concern. Shares take a short dip (only if a lot of publicity is involved), then recover and it's back to business as usual. In the public sector there are no shareholders. Somebody *might* be in charge, but nobody seems to be accountable.
With that attitude nothing is ever going to change, no matter what kind of figures you come up with.
Indeed, the main problem is that our elected representatives willfully ignore any facts presented to them. I'm not sure whether or not I want to know why. It draws a gruesome picture of the current state of democracy; I doubt it gets any better if we know the true motivation behind it.
Not going to happen. Ever. (In my house, that is.)
If somebody wants to enter my house, there are three options:
- a family member lets them in
- they have a physical key
- they have to forcefully break in
I will not add an attack surface which can be exploited from virtually anywhere and allow burglars to enter the house as if the door was left open, without any physical trace of forced entry. It'll be a hell of a job to explain that to the plod and the insurance!
...the energy providers' lobbying efforts would have made sure that they are never going to see the light of day. By definition those who sell energy to us cannot have any interest in reducing the amount of energy we use; it would cut into their profits.
But they are being rolled out, so how do the energy providers benefit?
I suspect that we'll soon see variable tariffs (if they don't exist already) whereby prices go up during peak hours such as 5pm, when people are coming home and would prefer their house to be warmer than outside temperatures; early morning hours, when everybody gets up and ready for work; weekends, when most families are at home. Off-peak times are likely going to be charged at very similar prices to before, increasing overall costs. (Temporarily they may be cheaper; just wait 2-3 years and compare again.)
People who don't pay exactly on time will probably see energy supply remotely switched off, likely incurring an excessive admin fee (clicking a button or having the process automated is definitely worth £50 or so per incident, right?)
And switching providers is going to cost serious money too. "Oh you got a Fucking Stupid Meter 2000? Well sorry sir, we need to install a Seriously Dumb Counter 900 instead. That'll be £50 installation fee, but we can waive that if you commit to our overpriced 48 months contract."
Also, I'm expecting really ridiculously creative offers like: If you only use a certain amount of gas/water/electricity, it will come really cheap, but energy used beyond that allowance will be costing two arms and legs. Much like some mobile/landline tariffs out there.
I know I sound upset. That's because I've been debating this subject with EDF for well over 12 months now. So far they have failed to convince me that the smart meter brings more benefits to the customer than the energy provider. Until they succeed (which they won't), a smart meter is not going to happen unless a law forces me to have one. (Right now they are only working with guidelines and lack of nation-wide standard.)
...because the "drive way" is just not the right place for a manned quadcopter.
In all seriousness, though, this makes a lot more sense than autonomous vehicles in the long run.
"at least it'll be on a different subnet from the rest of the LAN, where it shouldn't be able to cause too much chaos"
If you trust your home router to be secure enough. I wouldn't trust any consumer-grade (or even ISP-provided) wireless router much further than I can throw it.
The point being made is, though, that the IoT devices get a better range using 802.11ah than they previously had ("bulky RF antenna may not be required any more"). Pair that with bonkers security of the IoT device itself, and the attacker might just be able to talk directly to it using their wireless kit in the car outside, bypassing your home networks altogether. Your main wireless network may still be out of reach for them - for the time being - but your heating is switched off for good, your smart meter will read 10,000 kWh extra next month nonetheless, the toaster is frying itself and your fridge is spending a lot of money restocking itself from a bunch of local grocery deliveries. And when you leave the house in rage, your alarm system says "engaged", but the attackers (and burglars) know it's not...
This may sound exaggerated now, but wait a couple of years. If ignorance towards security prevails (and it will) and people connect all sorts of appliances, this may just be the beginning.
*grabs coat to flee from IoT enabled robots* ;-)
"Yes, the ones in control are the politicians and the Media Barons who decide what we are or, more importantly, are not allowed to read and see."
Just like the BBC doesn't mention yesterday's hearing at all. Not a single word on their website. In fact, they mention NSA and GCHQ and the IPB (in all sorts of spellings) rather rarely. Shocking how little their search produces.
I'm all for raising a new kind of tax for this, too. That way it would finally get appropriate attention in the mainstream media. Too many people care too little, which is the most worrying aspect in all of this snooping.
"We are reviewing this research and will proactively work with other industry partners and major providers to identify possible solutions that could benefit our customers and the industry."
Hold on a minute. Pro-active can't be the right word, sir. The issue was disclosed to you 2 months ago.
I'm sure affected home owners don't give a toss who you work with and to whose benefit that might be. They want you to fix your crap asap so that they can feel a little bit safer in their own houses again. I guess.
Yes, zero is indeed a significantly reduced capacity. Trying to log on has been impossible whole day.
"Then HSBC were unable to tell me why my VISA card was rejected [...]"
That's precisely the reason why I got myself an AMEX. HSBC's "fraud detection" seems to be triggered at random. Even if you make regular payments on a monthly basis of the same amount, at the same date, to the same merchant, payments can still eventually end up being flagged as fraudulent and you have to call them to get the card unblocked. Bloody stupid, and quite embarrassing if you encounter that in a bricks&mortar store somewhere. Of course HSBC wouldn't get in touch immediately, but give you a call a day or two later.
AMEX on the other hand let the payment go through first, then give you a call immediately afterwards, if they have any concerns. Much better service.
While you have a point, Safe Harbo(u)r was scrapped mainly because government agencies in the US can essentially do whatever they like with the data, and no company (who signs up for Safe Harbo(u)r) could possibly guarantee that the personal data is protected.
The IPB puts the UK at odds with the ECJ's ruling. Lack of oversight, mass surveillance, easier access to (not just meta) data... You indeed would have to question the sanity of policy makers.
Also, mass surveillance evidently didn't help in the Paris attacks. Whether or not other plots were really thwarted, we don't know. We are supposed to believe they did. On the other hand, the FBI admitted just recently that mass surveillance didn't really help (sorry, don't have the source at hand; maybe someone else can add it).
So whatever the agenda of $megacorps might be; the more opposition and publicity the IPB gets, the better.
Whether tiny, small, big or very big "things"... some just shouldn't be connected to the internet at all.
Security standard determined by lowest common denominator rather than what's necessary to be a useful and reasonably secure standard.
PCI wasn't a particularly strong standard to begin with. Now they're weakening themselves.
It takes about 15 minutes to get a replacement certificate and swap it out. As somebody else suggested above: if they had an incentive, they could do it.
So bottom line is: PCI is weak and has no teeth.
whether those paying bug bounties in fact only want to see the most obvious flaws discovered (the amount paid seems to indicate that).
Admittedly, it's a thin line, but the guy here discovered an already rumoured flaw (IRC tip-off), and by digging a bit deeper, he also revealed the severity and impact while finding other poor practices (passwords) along the way.
Has he possibly crossed a line? Maybe. But then again he didn't take the keys and go on to sell them. Instead it was immediately clear what Facebook needed to do: Fix the flaw, change all passwords, replace the keys he was able to access.
Rather than pestering him, they should have paid a substantial amount to encourage others to do the work for them. If you make their life miserable and pay them with petty cash, you only discourage the most talented white hat hackers from looking at your systems, because they can earn more money elsewhere without being hassled.
The black hat hackers on the other hand will be more encouraged, because they can assume that fewer bugs have been discovered, which means potentially bigger loot for them. And that group of hackers will not tell you what they found. Pastebin will.
Of course the same applies to private outfits which are set up for the sole purpose of harassing (cold calling), hoovering up data etc, often hidden in layers of "holdings" and "groups" and practically nada on their balance sheets, or all the entities which keep losing citizens' data.
Turnover alone is a very bad metric to determine fines. But hey, it's a good start, because unless something costs serious money, megacorps will not care.
Freedom of Information Act?
EU, not so sure...
Mine is the one with hundreds of heavily redacted pages in its pockets...
what could possibly go wrong?
Indeed. My Audi is affected. All I got so far from Audi is a letter confirming just that and essentially telling me to sit tight and wait until they have a plan.
In the meantime, the resale value of the car has dropped (not that I don't like the car or want to sell right now, but I have paid more than I should have, given these revelations). Depending on how they intend to go about fixing the issue, the value may drop further (lower MPG, maybe lower BHP, possibly higher taxes based on re-assessed emissions).
So it could be the case that keeping the car costs me more money than it did before, and selling it will lose me money too. Between a rock and a hard place.
The affair cannot possibly be concluded before all owners of affected cars know what exactly VW/Audi plan to do to fix it (how and to which effect), and compensate owners one way or another.
So exactly one year ago, gov publishes this:
(Especially section "World-leading digital and coding")
Now, interest in coding is considered a warning sign for kids to become cyber crims. Well, looks like the government has done their best to criminalise the young generation then. Well done, morons.
/me wonders if politicians (and by extension all sorts of agencies) *ever* think before they open their cake holes these days...
that roads are always dry and straight, and the sun is shining?
Despite all the progress being made (which is fantastic!), I think there's still a very long way to go until an autonomous car can outsmart a reasonably experienced driver. Tricky road conditions cause a lot of accidents. At least in Blighty you can encounter tricky road conditions even on dry, straight roads and excellent weather! (Some councils make sure of that by not spending any money where it's urgently needed.)
"No matter how badly you are treated, you are a professional person and should do what an honourable and decent professional person would do, which is to take responsibility."
I disagree. The key is "effective immediately" and "walked off the premises". You are under no obligation (and have little incentive) to do them a favour at that point. Your contract ended before you even reached the front door.
They decided that his job and responsibility would end right there and then. No handover, no exit interview, no retainer, nothing. They take responsibility and bear the consequences.
Yes you can, well sort of. You need to run the software, but you can prevent it from doing anything to your config. https://github.com/letsencrypt/letsencrypt
A bit down the page it says you should use ./letsencrypt-auto certonly --standalone [...]
That will seemingly not install anything. Only fetches the cert for you to do with as you please, from my understanding. (I wouldn't let some random tool meddle with my config either, but there'd always be backups and "diff" to trace the exact changes it made; plus it's open source, so probably not that hard to work out what it does)
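The post above relies on backups and "diff" to confirm that the client left the webserver config alone. As an added example (not from the post and not part of the letsencrypt project), the following POSIX shell snippet makes that check routine: it checksums every file under a config tree, runs whatever command you give it, checksums again and prints the diff if anything changed. The directory path, domain name and the invocation in the usage comment are assumptions for illustration; `certonly`, `--standalone` and `-d` are the client's real options. Note that the standalone authenticator runs its own listener for the challenge, so the existing webserver has to be stopped for the duration.

```sh
#!/bin/sh
# Added example: run a command between two checksum snapshots of a config
# tree and report any file it created, removed or modified.

# Checksum every regular file under $1, sorted by path so two snapshots diff cleanly.
snapshot_tree() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2
}

# run_guarded TREE CMD [ARGS...]
# Runs CMD with ARGS and returns 0 if nothing under TREE changed, 1 otherwise
# (the unified diff of the two snapshots is printed on stdout).
run_guarded() {
    tree=$1
    shift
    before=$(mktemp)
    after=$(mktemp)
    snapshot_tree "$tree" > "$before"
    "$@"
    rc=$?
    snapshot_tree "$tree" > "$after"
    if diff -u "$before" "$after"; then
        echo "config unchanged under $tree (command exit status $rc)" >&2
        status=0
    else
        echo "WARNING: files under $tree were modified by: $*" >&2
        status=1
    fi
    rm -f "$before" "$after"
    return $status
}

# Assumed usage on a real host (paths and domain are placeholders; stop the
# webserver first because --standalone binds the challenge port itself):
#   run_guarded /etc/apache2 ./letsencrypt-auto certonly --standalone -d example.com
```

A non-zero return plus the printed diff is the signal to inspect what the tool wrote before restarting the webserver; the same wrapper works for any package upgrade or configuration-management run you want to keep honest.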
Make things opt-in only. You want my data? You must first get my consent. End of.
To the regulators: Before you tackle anything else, start with making tracking cookies illegal in the EU, unless consent is explicitly obtained in plain English (or other appropriate language).
There's absolutely no justification why Farcebook, Twatter, Google and a whole slew of other advertisers should be allowed to record my activity on unrelated sites. It's not my problem that the webmasters think they need "like" buttons for every conceivable "social" media outfit.
In the meantime, I'll use blockers for those, but I shouldn't be forced to use tools to get some level of privacy.
Nuisance Call Blocker Ltd, Poole, according to Companies House has a total worth of £0.01 and is allegedly dormant since 2013. Annual return is 10 months overdue, accounts 2 months overdue.
Didn't bother to check the other outfit. Probably similar.
"The hotel chain is also keeping quiet about the number of people or credit card records exposed at a result of the breach."
The standard answer to this is obviously: "a very small number of customers"
If thieves are going for copper, it may be a good time to roll out that promised superfast fibre.
Mine's the one with empty pockets, promised.
Now I understand why we had to wait so long for this episode! How the heck do you invent such names? You're a genius! *still laughing*
"rather than all those innocents who don't even have a connection"
Hey, are you suggesting that they don't deserve the added national security that this bill is supposed to provide? Of course they should be paying up, too.
(Mine is the one with trainers in its pockets.)
Yes really. Imagine all ISPs being blunt about it:
"Dear valued customer. As you have certainly heard in the news, our government now requires us to store all your Internet Connection Records. This sounds very opaque, and indeed it is. We will essentially be recording each and every move you make online so that law enforcement and selected third parties can retrospectively trace each of your steps. Naturally, the storage facilities which enable this enormous volume of data to be collected need to be paid for; the government has chosen to put the burden on us, and by extension on you.
Consequently, the price of your broadband connection will increase by 25%, effective next year."
This would hopefully create some awareness. At the moment it seems that Joe and Jane Public don't care at all. That'll change when it starts to cost money and they know why.
which will make the UK "inadequate" as far as EU privacy and data protection rules go, both AWS and Azure should maybe look for a location in Switzerland instead.