Posts by PrivateCitizen

138 posts • joined 12 Apr 2010


Doctor Who: Nigel Farage-alike bogey beast terrorises in darkly comic Sleep No More

PrivateCitizen
WTF?

Re: Apart from the chance to offer a gratuitous insult to Farage...

To be fair, I watched it and thought it looked like Nigel as well............

0
2

UK.gov finally promises legally binding broadband service obligation – by 2020

PrivateCitizen

Re: What use is a "right to request"?

That's why there are rural communities with no mains gas, or with cess pits.

In my case it is no mains gas, septic tank waste disposal but close enough to the big lights to get 40Mbps broadband dirt cheap.

The problem is exactly as you have described - the obligation to supply may be there but the service providers just set a rate that keeps it out of reach.

0
0

TalkTalk attack: Lad, 15, cuffed by UK cyber-cops

PrivateCitizen

Re: Are we to believe this is the work of a 15yr old ?

On a serious note, why not?

If the attack was fundamentally an SQLi, then yes - it is pretty easy for a 15 year old to manage that (metasploit + YouTube tutorials + Computer + broadband = pwnage).

The reality is that most times a company gets popped, despite all the claims about how sophisticated the attacks are, it really boils down to a bored kid with a good imagination and access to a computer. Nothing more, nothing less.

18
0

Outlook.com had classic security blunder in authentication engine

PrivateCitizen

Re: Here's a question:

I have to agree - this is EXACTLY what data protection laws are for.

Only if you mean "personal data" rather than "data."

If you ignore this distinction, then things are going wrong.

0
0

'10-second' theoretical hack could jog Fitbits into malware-spreading mode

PrivateCitizen

Re: Phew

I am glad you understood that sentence. It seemed to me that a crucial word or two were missing.

0
0

US Cyber Command floats $460m contract to outsource most of itself

PrivateCitizen
WTF?

Re: not surprising

The military doesn't have a pay scale to afford experienced people, who could be making upwards of $100k per year, rather than the pittance that the US pays service members.

So rather than pay its soldiers well, the decision was made to outsource to a more expensive provider?

Cool.

2
0

Now it's the security industry's turn to be burned by cloud

PrivateCitizen

Re: Why pay

I've always thought WAFs were little more than a nice front end for Mod Security and it seems that Amazon have just come up with a way to monetise it while simultaneously undercutting most WAF providers.

0
0

Top QLD sex shop cops Cryptowall lock; cops flop as state biz popped

PrivateCitizen
Boffin

Get a 2-3TB sata or usb 3.0 disc, and backup all your data there daily.

A reasonable idea as long as A) this is enough and B) you have the time and patience to do this.

A 1TB backup would take around an hour to complete each day and this doesn't include the time required to test the validity etc. If you are a business which pretty much runs on emails, purchase orders and contracts this will probably be enough (especially if you only back up diffs) but if you need to back up any types of content then you might discover 3 TB is insufficient pretty quickly.

I agree it needs to be off-line as if the device is connected at the time the ransomware is running, you can say bye bye to all the backed up data as well.

0
0
PrivateCitizen

Re: Time to move to North Queensland and set up as a general tech

Clearly, there aren't decent ones in the area.

Apparently not and not just for that howler either.

It seems that a number of small businesses have saved $300 on a NAS and $300 on a bit of tech advice to run their backups..... then are whining that their tightfisted approach to what appears to be a business critical system has cost them $1000.

Shocking approach to IT.

0
0

Layabout, sun-blushed techies have pick of IT job market, says survey

PrivateCitizen

Confused

There are quite a few things confusing about this, but then we have to keep in mind that this is a KPMG survey so they are skewing it in their own interests.

1) Permanent jobs are not really as much of an indicator of seasonal issues as contractor / temp roles:

That's the finding of a new survey, which revealed that according to a seasonally adjusted index measuring permanent vacancies in the IT sector, demand to fill permanent staffer jobs in the IT market had risen to 64.4 per cent in the dog days of August, up from 62.8 per cent a month earlier.

Permanent roles are a long term commitment so if this is true, it isn't really seasonal. It's companies deciding they need more employees for something and will continue to need them for a long time.

2) Contractor jobs are an indicator of seasonal trends:

Meanwhile, demand from Blighty companies to hire temporary techies fell to 58.7 per cent from 59.1 per cent in July.

So in August there was less of a need for a temporary work force to fill gaps.

Seems the headline is a bit assbackwards.

There is a point 3 though.

3) This data is likely to be meaningless. In all likelihood, KPMG searched round the job boards and simply counted the adverts. This means that when (like my current role) it is advertised by 12 different agencies - all with slightly different details - it counts as 12 jobs rather than 1. It also means that some non-existent jobs (posted by unscrupulous or clueless recruiters or hiring companies) get counted when in reality there are none.

The easiest way to tell if demand has outstripped supply is to look at the average salaries and contract rates available. These are still, largely, in line with 2009 figures - and as other posters have said include shopping lists of skills for £35-40k a year.

All of this implies to me, at least, that there isn't enough of a skills shortage for anyone to actually care - it is just a shortage of skilled workers prepared to work for the salary they had when they were unskilled.

6
0

Fiat Chrysler recalls THOUSANDS more cars to swerve hack-my-brakes roadkill

PrivateCitizen

Re: 2FA?

It is 2015. 2FA is now commonplace. Surely, admin for a car can be secured this way?

Hard to think how multi-factor authentication would help this sort of attack.

1
0
PrivateCitizen

Re: There ought to be a moratorium on connecting any wireless systems to the canbus

Unless/until appropriate and uncompromisable security protocols are in place.

Now, if you find such a beast, truly great riches will be yours. I am reasonably sure no such thing exists.

0
0

Company in shambles, marriages ruined. My work here is done, says Ashley Madison CEO

PrivateCitizen

Blunt Swords

If only more CEOs fell on their sword so quickly (or gov't ministers).

The problem is that "falling on his sword" here actually means he will be able to avoid the massive financial pain from the inevitable law suits and other forms of legal action.

Basically he has been able to reap great profits, avoid paying for the security he promised users, scammed gullible men with fake female profiles and jumped ship in time to make it on the life raft.

While I hate the man, I do have to say he has good timing.

2
0

Your security is just dandy, Apple Pay, but here comes Android

PrivateCitizen
Stop

Re: Convenience?

Minor issue but you need to add "place finger on fingerprint reader" to the phone step so it is 4 steps vs 5 (and if the fingerprint reader has a fit, as mine is wont to do, then it adds a few more steps where you retry).

Also, if you have multiple cards you want to pay with, how do you select them in Apple Pay? Wouldn't that add an extra step making it the same?

However, on the whole, this is a solution to a non-existent problem for me, so I won't bother. I am sure lots of people think differently and may bother to install it.

The problem for the vendor is that they have to have technology to support the luddites and the trendy fanbois. I have been to a large number of shops who are unable (or unwilling) to support contactless payment of any sort making this a moot problem.

12
0

Mastercard facial recog-ware will unlock your money using SELFIES

PrivateCitizen
Unhappy

Re: Yet another clueless "security" spokes-head.

Apparently, Bhalla's never seen people use image manipulation software.

Also it indicates that there are many other stages to attack than just the photo session.

Bhalla says the image like other biometric forms will be converted to a format such that a person's photo is neither stored nor transmitted in its normal construction.

So the "verification" aspect isn't actually a photo comparison in the way human eyes would do it. It is likely that the process involves capturing some key data (ratio of distance between eyes and width of mouth or whatever voodoo they want here) and then hashing it to send back for a verification check.

Not only does it open the door for many more attacks on the mobile device and its transmission signal, but it also seems fraught with false negatives at the checkout point.

Sense - I see none here.

9
0

Crowdfunded beg-a-thon to bail out Greece raises 0.003% of target

PrivateCitizen

Re: Per head of population....

as the saying goes, if you owe the bank £100,000, they own you. If you owe the bank £100,000,000,000 you own the bank.

6
0

Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK

PrivateCitizen

hmm

I think this is over-reaction vs over-reaction. You took offence at the AC's response to a single statement of your post when it wasn't really a criticism of you.

"Ideals aside, though, I don't see a practical problem with a non-databased plastic card scheme, that was not obligatory but offered benefits. Infact, I hold foreign ID which is more or less like this."

This is evidence you both agree. The crucial bit is that it is voluntary/not-obligatory.

This was the fail of the UK ID card scheme. For it to work, it had to be obligatory for all UK citizens to spend money because they are citizens. As described, it would have created an offence of not-carrying the ID card just to make sure there was no doubt about how obligatory it was.

4
0

THIS TIME we really are ALL DOOMED, famous doomsayer prof says

PrivateCitizen

Matt Ridley

Not sure what the context of Matt Ridley's quote is so there might be some extra data missing but:

Yet not a single bird or mammal that we know of has gone extinct in a tropical rainforest.

Isn't true unless he means within a very specific time frame, which is disingenuous. It also ignores the huge number of endangered species there are within rainforests.

4
3

Buh bye fakers? Amazon tweaks customer product reviews system

PrivateCitizen

Re: Kind of a shame, really...

...because I always thought that the fake reviews were the most fun to read.

Some still will be. Amazon isn't really getting rid of fake reviews, it is getting rid of "unhelpful" ones. There are some out there with genuinely hilarious fake reviews which have been marked helpful dozens of times. These will stay.

If Amazon really wants to overhaul, it should limit the reviews to "verified buyers" only - this will reduce the overall number but cut out the marketing shills who post gushing reviews of tat and the angry people who seem to object to things they "bought elsewhere."

4
0

We stand on the brink of global cyber war, warns encryption guru

PrivateCitizen
Unhappy

Re: Anybody who uses the term "cyber" in this context ...

I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".

Same here. I am a big fan of Bruce (can't spell his surname though) and I count myself as one of the "followers" who regularly read his blog and buy his books.

However, I am at a loss as to what changed his mind on the Sony hack, other than the fact that the company he now works for (Resilient Systems, once called Co3) does a good line in incident response and the fear of Nasty Norks is better for business than "shit happens and on the interwebz a shit can be a big one."

I hope this isn't true though.....

Sadly, nothing in Sanger's NYT article was new, novel or really worth changing your mind over.

2
0

Ex-NSA security bod fanboi: Apple Macs are wide open to malware

PrivateCitizen

EAL7

Out of curiosity, what EAL 7 operating systems are there? I can't find any on the common criteria portal.

0
0
PrivateCitizen

Re: Bug bounties?

@dogged - I wish I could upvote you more than once.

6
1

Facebook echo chamber: Or, the British media and the election

PrivateCitizen

"widespread dispersion of LSD and MDMA?"

They will either cause cancer or cure it depending on the random Daily Mail headline generator.

12
0

Major London rail station reveals system passwords during TV documentary

PrivateCitizen

Remote Access?

Surely unless this is an account which needs remote access, the broadcast of the PW isn't a problem? If someone breaks in to sit at a machine and log in, they've got other security failures to worry about.

And as others have pointed out, the fact it seems to be a shared / generic password means it's kind of pointless. So the news here should be "idiots designed IT system" not "users posted password".

0
0

Twitter's share price crashed 18% thanks to ONE LONE TWEET

PrivateCitizen
FAIL

Re: Twitter is for TWATS

Unauthorized access to a private URL is prosecutable no matter what you describe it as. Hacking or guessing the URL does not make it legal.

Erm, what?

How do you define a private URL? Is that one which is published on the public web but you don't want people to access yet? Or is it something else?

How do you define authorised access to a public website? Is there something I have to sign up to so that I can visit webpages, or just some webpages - and then only after I've visited can I find out?

Other than that, what?

9
0

Met Police puts iPads, Windows and Android mobes on trial

PrivateCitizen
Pint

Re: A public service IT project

OT

The cause is corruption and graft (and occasionally good old-fashioned incompetence).

I was always brought up with "graft" meaning working hard..... I actually had to google to learn it also meant corruption.

This left me genuinely surprised so thanks for opening my eyes a touch.

1
0
PrivateCitizen
Unhappy

Outsourcing

"The Met is currently in the process of outsourcing its number of IT staff from 800 down to 100."

Hmmm..... I can't see how this will cause any problems at all...........

1
0

Cross-dressing blokes storm NSA HQ: One shot dead, one hurt

PrivateCitizen

Re: AC @Matt Bryant

" Presumably a regional CT team rather than a specific Lancashire one." - not in the 80s. The regionalisation of the teams came later than that and while GMP may have seconded officers, it was still very much down to force teams until at least the mid 90s, by which time the PIRA threat on the mainland had all but gone.

1
0

New dirt-cheap Chromebooks: Team Google keeps jackboot on throat of PC titans

PrivateCitizen

Re: Yet, still worthless!

The price of that ASUS EeeBook X205 is good, I agree.

However, "much better product" is far from the truth. It is painful to use and Win 8.1 crushes the device. You think you have a real laptop but you actually have something so underpowered it makes you want to cry.

If it wasn't for the fact it doesn't perform as well as a Chromebook for "everyday computing tasks", it would be an excellent purchase.

0
0
PrivateCitizen

Re: Yet, still worthless!

Just to check - cos these are tablets so not directly comparable with a chromebook. I've tried a LINX 7" and it isn't worth £79:

Can you find a windows laptop style device which runs as well as a chromebook (check out the time from power on to doing stuff) for about the same price as a chromebook?

The reason I ask is that the Chromebook replaced all the laptops and desktops in my family as it is significantly easier to use for the tasks people wanted to do - writing emails, letters, websurfing - than the more powerful devices and the form factor is more suitable for this sort of thing than the tablets. (Which remain as the main content "consumption" devices for things like YouTube and Minecraft).

No one in my family - and none of my work colleagues - particularly likes the tablet interface for messages much longer than a tweet, so I don't think they would enjoy writing documents on a 7" screen.

4
0
PrivateCitizen

Re: If any of these devices

But I am. I'm an unrepentant geek, I'm running Crouton on one of my Chromebooks, which I find very useful. But I love the fact that I can pick up a Chromebook, open it and use it. And so does the rest of my family. My daughter uses hers all the time.

I agree.

I started off very cynical about the Chromebook, its OS and its purpose in the grand scheme of devices. I was also quite reluctant to use something which wasn't a "proper" OS etc.

However, a guy at work got one and I had a play.

That afternoon I bought one. Everyone in my family loved it to the point where we ended up with three in the house and the laptop and desktop languished un-used except for occasional tasks which needed things the chromebook didn't offer (mostly Photoshop processing of huge RAW image files).

5
0

Jailed Brit con phishes prison, gets bail

PrivateCitizen

Re: Oh, the details

I am not saying it isn't possible to build a site on a phone and SSH in to transfer it.

However, this is a phone which someone managed to smuggle into prison so I assume it isn't a Note4. There isn't really the scope for creating sensible graphics and testing anything is going to be challenging.

So either there was no site and it was purely phishing emails (much easier to spoof, although getting the garbage most GSI type messages include might be a pain in the backside) or he has small enough fingers that spending the time coding won't cripple him.

Which was the RSI bit.

0
0
PrivateCitizen

Re: Oh, the details

I agree.

Did he use the phone to build the site or was that someone else? If he managed to code a phishing site entirely on a phone smuggled into jail, the man is a genius with very small fingers and a future of RSI.

14
0

How a hack on Prince Philip's Prestel account led to UK computer law

PrivateCitizen

Law

Can any one add or enhance my understanding about this:

"which also made making, supplying or obtaining articles for use in computer misuse offences in themselves."

Does that mean things like Hackin9 and nessus / nmap articles or John the ripper are criminal offences now?

0
0

Firefox, Chrome, IE, Safari EXPLOITED to OWN Mac, PCs at Pwn2Own 2015

PrivateCitizen

Re: Dare I say it...

Ah, comprehensive reading. My son needed help with that too at some point - but he was 6 at the time.

This would have been hilarious and cutting if you had actually read the article properly first.

Let's revisit the very first line of the article:

Well done for getting that far, but how about we revisit the third from last paragraph and show some real comprehensive reading:

For his finale, Lee nailed Apple's Safari with a use-after-free (UAF) vulnerability involving an uninitialized stack pointer, and bypassed the sandbox to perform remote code execution on an OS X Mac.

That kind of implies a Mac was pwn'd, don't you think? (and no, I still didn't downvote anyone on this thread)

7
0

'American soldiers, we are coming...' US CENTCOM military in Twitter hijack shame

PrivateCitizen

That is the worst part of this news, in the eyes of the public, CENTCOM has been hacked!

In reality, a script kiddie who may, or may not be associated with Islamic terrorist groups has managed to subvert a pretty weak security control around a publicly accessible social media channel.

As per XKCD, it's a bit like someone in a school sprayed graffiti over an Army recruitment poster.

But, the public fear of EVIL CYBER MUSLIMS will mean over-reaction after over-reaction.

3
0

Uber surge pricing kicks in during Sydney siege

PrivateCitizen

Re: Capitalism at its finest

What were they going to do - forbid drivers from entering the city? Impractical, how would they stop them? Or forbid them from charging more? - then how would they get enough drivers to brave the traffic?

How about a third option where Uber disables the surge pricing for emergency situations like this.

That way, drivers who are already in the area can still be paid for taking people out of the area but there is no incentive for the more mercenary, risk-taking types to go back in looking for a quick profit?

I don't think this is something that should be completely algo-decided either - it is a trade off between discouraging drivers from risking themselves (and driving more spectators into the risk area) and providing a service to help people in the area return home. I suspect each incident should be assessed on its own merits.

I wholeheartedly agree that footing the bill for outward journeys is excellent.

0
0

Microsoft pulls a patch and offers PHANTOM FIX for the mess

PrivateCitizen

Re: Well,

"PS, reg staff, WTF have you done to the site????? For the love of god, revert back..."

I agree.

17
0

Kaspersky: That 2 years we took to warn you about Regin ? We had GOOD REASON

PrivateCitizen
Stop

High Profile Announcements

As far as I can see, until "Shellshock", it was pretty normal for AV vendors to do their thing, issue detection file updates and provide a bit of protection for end users.

The much maligned McAfee appears to have had a detection in place for Regin since 2011 - which predates the trend for high profile DAT file releases - so I suspect a lot of the secrecy around this is simply that people don't bother looking through the tedious information pushed out with each detection database release.

0
0

Run Oracle? Want to sleep tonight? Then sort these 113 patches

PrivateCitizen
Alert

Re: Wow 113 Patches

"Oh wait you said quarterly, and across the product range then, so not that many then. How many did Microsoft release in the last 3 months for all their products."

I could be wrong, but a quick check on Technet shows MS issued 9 patches in May, 7 in June and 6 in July so that is 22 in the last three months. The numbering system implies MS has issued 42 in the seven months of this year.

But this overlooks two main issues:

1) Issuing lots of patches doesn't necessarily mean your software is dodgy (it could mean you are just much better at finding and patching holes than anyone else).

2) Using MS as the example really is setting the bar low.

0
0

Computing student jailed after failing to hand over crypto keys

PrivateCitizen

Re: @ A K Stiles

"Vague thoughts about if I had anything worth hiding, I'd like a system with 2 passwords where the alpha password lets you in normally, but the beta password 'obliterates' the incriminating stuff whilst allowing access to the innocent but private stuff..."

One of the great parts of truecrypt was the hidden container which allowed you to reveal one password granting access to the outer container but the inner container remained invisible.

AFAIK this technique was able to keep the hidden container from detection using pretty much all current forensic tooling. The final audit findings may reveal more.

1
0

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

PrivateCitizen

TAILS and Sans

Tails has been trying to get rid of Truecrypt for a while now:

https://labs.riseup.net/code/issues/5373 and https://tails.boum.org/blueprint/replace_truecrypt.

Looking at the changelog, zuluCrypt was added as an option on 19 May but the bit about "recent concerns" was added 29 May.

Also, there is a SANS forensics presentation from 2010 which (on slide 23) covers Truecrypt and states "removed at the request of US government" - http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pdf

0
0
PrivateCitizen

Re: I'm from the government and I'm here to help you.

" It only has 25% of the functionality"

Agreed - Whole Disk Encryption was not the main reason I used truecrypt, and isn't the main reason almost everyone I know used truecrypt.

If if if that was the whole reason, Bitlocker is even a poor alternative for truecrypt's WDE.

0
0
PrivateCitizen

Re: Hmm.

TrueCrypt was more than just whole disk encryption.

TrueCrypt provided a tool which allowed users to create portable storage and deniable containers - all in one cross platform bundle.

It will be missed but even if it does return, will anyone ever be able to trust it again?

0
0

Google's Nest halts sales of its fire alarm – because waving your hand switches it off

PrivateCitizen

Re: I haven't had an alarm triggered by toast for 10 years

@Martin an gof

Well said.

0
0

BT caught in data gaffe drama: Whistleblower squeals over alleged email fail

PrivateCitizen

Re: BT has email

Not since the 1990s.

0
0

THOUSANDS of Tesco.com logins and passwords leaked online

PrivateCitizen

Re: Is this Tesco's fault?

"However it wouldn't be difficult to implement two factor authentication, requiring, for example, a pin, birth date, last random digits of the Tesco club-card number etc. to prevent this occurring in the first place."

Not difficult but potentially a nightmare to manage. Distribution, revocation and verification of the second factor is hard enough when companies deal with their employees - Tescos has an elastic user base so there would be a reliance on an externally provided source of the second factor. Apart from anything else, there has to be a decision on how many new customers will go elsewhere when they are told to get the dongle / app / whatever rather than just click and buy.

Then you hit the problem about users needing a second factor for every different site they manage. Or do we have a federated second factor service which instantly throws up issues around being a single point of failure etc.

All tescos needed to do here was have better security controls around how it allowed access. 2FA may have helped but is far from the only answer.

1
0

Twitter-mad twits trade 14 million shares in BANKRUPT zombie biz

PrivateCitizen

Trading

Doesn't this imply that a lot of middlemen (who should have known better from the Q) have made money brokering trades as the stock prices went up and down again?

0
0

Top UK billionaires considerably richer than Chinese ones ... for now

PrivateCitizen
Facepalm

British or not British

Did I misread something?

The subtitle reads

However, note that we didn't say British billionaires there

and while headline does indeed avoid saying British, the first paragraph undoes this with:

A rundown of the richest people in China has revealed that the very wealthiest British billionaires collectively boast more cash than their counterparts in the People's Republic.

So, are the "British" billionaires cohort more cash-rich than the Chinese ones or just the UK billionaire cohort?

1
0

Wait, don't ditch that IT career just yet: UK vacancies hit 5-year high

PrivateCitizen
Stop

Dodgy stats

I wouldn't be too convinced by numbers from CWJobs, jobserve or whatever.

Companies looking to hire seem to push the job out to seven or eight agencies who then all pimp the same job (with slightly different rates) this makes it look like there are a lot more roles than really exist.

A good example was a role in Middlesex I got in my job search email today. Identical job description, identical location, seven different adverts with six different rates (£84 per day difference between highest and lowest). Two of the adverts were from the same agency (Hays in this instance).

All in all, I wouldn't trust any report which counts advertised jobs on online sites as an indicator of anything - good or bad.

3
0
