Feeds

* Posts by FrancisT

12 posts • joined 4 Jun 2010

Bugger the jetpack, where's my 21st-century Psion?

FrancisT

Re: "Meanwhile, Linux wasn't ready yet ..."

And that Zaurus morphed into the PC Z1 Netwalker which was an excellent pocket computer, though it was hard to get outside Japan.

Charlie Stross reviewed it here - http://www.antipope.org/charlie/blog-static/2009/10/netwalker.html

0
0

Yellow-bellied journo dons black tie, sees flip side of VMWorld

FrancisT

Fun with Badges

At this year's RSA conference in San Francisco I reached into my bag on day two and pulled out last year's badge by mistake*. I wore it all the time. No one noticed except the marketing droids who wanted to scan my badge to send me spam.

The Badge was a different color. The strap was a different color. The badge said RSA 2012 on it.

No one noticed.

*AT A SECURITY CONFERENCE*

* I just stuffed it in the side pocket of my bag when I left the last time and forgot about it, then this year I stuffed this year's badge into the same pocket when I wanted to go out drinking and not be identified as a security nerd

1
0

Google's Street View cars venture inside TARDIS

FrancisT

Fun fact. Doesn't work with the new "preview" version of maps - https://www.google.com/maps/preview - which turns out to also have a different image of the spot - there's a guy standing by the lampost in the new one that isn't in the standard version

0
0

It's now or never for old sysadmins to learn new tricks

FrancisT

Move to (network) security

Security issues aren't going to go away. In fact in a cloudy, BYOD sort of world they are even more important. I think many sas admins (and particulalry network admins) could usefully move sideways into network security. Exactly how you position yourself (as a MSSP? consultant? in house expert? other...) will vary but there's a crying need for people with clue about security issues and many of the security problems are ones that a regular admin has been handling for years in an intranet/local server environment

0
0

DNSchanger shutdown may kick 300,000 offline on Monday

FrancisT
Stop

A tool to help network admins

If you are running a network, my company - ThreatSTOP - has a tool to help you figure out which computers on the network are infected with DNS Changer.

http://www.threatstop.com/dnschanger

0
0

Malware attack spreads to 5 million pages (and counting)

FrancisT

Easy to block

the two domains direct to 94.100.18.41 and 94.100.18.41/32 respectively. Easy to add to a firewall as a block - although ThreatSTOP subscribers are already protected automatically because these addresses are in all our blocklists now.

1
4

Is Facebook worth more than Google?

FrancisT
FAIL

Google+ will spike FB valuation at least

I just started using Google+ this weekend. I prefer it to FB so far. No it isn't perfect but the circles concept looks like a winner and there's a bunch of other things to like in it. I expect google will implement integration with many other google services (e.g. reader) and the combo will almost certainly be better than FB. I have no loyalty to FB and will almost certainly leave when (if) enough of my FB contacts have moved across. So far about a quarter of my FB friends are on google plus. Most of them are saying the same

If FB loses 25% of its userbase to google+ then that's going to put a hole in the valuation

0
0

IPv6 intro creates spam-filtering nightmare

FrancisT

Not a problem for good IP reputation services

There are a bunch of ways to do this. As I just blogged - http://threatstop.wordpress.com/2011/03/08/ipv6-and-ip-reputation/ - our IP reputation system works just fine with IPv6 /64s (or even /48s or whatever other net block size is required).

0
0

Lame Stuxnet worm 'full of errors', says security consultant

FrancisT
Black Helicopters

It could be deliberate

I can think of at least two reasons why the creators of Stuxnet did not bother with more obfuscation etc.

1) They wanted it to be found because they expected that the Iranians would then form a circular firing squad and/or demoralizing witch hunt. Either of which would drastically hinder the recovery from the outbreak. There is evidence that, combined with a couple of assassinations this has indeed been the case

2) It is misdirection because there is also Stuxnet2 which has not been found and which continues to wreak havoc but that havoc is believed to be caused by Stuxnet. Thus the recovery is hindered because such computer techs as the Iranian nuclear industry has waste their time hunting for the original Stuxnet instead of looking for Stuxnet2

I've got no idea whether either of these reasons are valid but both seem quite plausible, and in the process of thinking through the arguments for those two I've come up with some others. Now I don't say these reasons are correct but I do think the argument isn't as clear cut as the original article suggests.

21
1

Freshly reburied Storm zombies burst up out of graves again

FrancisT
Stop

Getting the right blocklist stops this

Your shadowserver link lists a few of the domains/IPs that should be blocked. Based on that research and some passive DNS work we've done, we can now block the ip addresses of most of the botnet and we're automating the update process so that the blocklist remains current

See my blog post http://threatstop.wordpress.com/2011/01/04/threatstop-blocks-new-waledacstorm-worm-dns/ for more details

0
0

Blackhole your malware

FrancisT
Pirate

Better to block the IP address rather than the name

The problem with blackholing DNS is that many cyber-crooks know about it and they therefore change the domain/subdomain they use frequently. Thus if you just block certain domains - even if you update the domains from malwaredomains.com frequently - you will fail to block the malware for long. A far better approach is to block the IP addresses of the malware providing hosts because typically the crooks use the same host with the same ip address, they just change/add new dns links to it.

As we mentioned on our blog (er yes this is a commercial plug) a few months back - http://threatstop.wordpress.com/2010/05/10/iframe-droppers-and-other-drive-bys-how-threatstop-protects-you/ - we provide our subscribers with frequently updated lists of known bad ip addresses that may be quickly and automatically plugged into the firewall and which block many malware sources. I'd love to say we block all but then you'd know I was a lying marketing droid instead, I believe we stop most of them though but since the crooks unaccountably refuse to give us a list of compromised hosts for us to check against I can't prove it.

MichaelC above would certainly benefit from our system since stats we have analyzed from DShield indicate that about a third of all threat sources change in a week (and about a quarter in less thna 24 hours). Thus by uploading new data once a week he will be missing a significant portion of the threats he thinks he is protecting against.

0
0

Bookeen Cybook Opus e-book reader 2010 edition

FrancisT
Happy

Music not needed

Apart from anything else playing MPs kills the battery life of the reader. Furthermore I don't know about you but I have half a dozen devices that can play music e.g. my phone, a couple of cheapo MP3 players and so on. If I want to listen to music I'll use one of them.

1
0